I found out my employer doesn’t have access to Mythos.
-
Mythos is not great btw. Running it over a bunch of code, it’s similar findings to tools from a few years ago. It’s marketing, essentially. Viral marketing as people doing the marketing are companies and governments.
It’s really good at finding vulns in vibe coded stuff from Claude.. because apparently AI must be both the cause and solution to all life’s problems, like beer.
@GossiTheDog Can you run it on my honeypots to see if it finds anything worthwhile?
(Basically, any repo there that has "honey" or "pot" in the name.)
-
@GossiTheDog My first hot take to “We are not releasing Mythos because it’s too good” was that they were hiding something. Or they needed to convince large companies that it was sooooo good that they better pony up. “You’ve never had coke this pure, not sure it’s safe to sell it to you.”
@bplein @GossiTheDog CISOs suched it up like no tomorrow. Every day I have to listen my bosses how utterly powerful Mythos is and we need some AI tool to counter it.
On the other hand they're surprised that all sorts of low level shit walks through our perimeter. I have to keep repeating we need zero-trust but nothing gets done.
Spending money on shiny expensive AI tool
Implementing free zero-trust policies -
R relay@relay.an.exchange shared this topic
-
@GossiTheDog mythos has found at least one critical vulnerability: the infosec industry is utterly vulnerable to hype, and extremely unlikely to examine the origins or methodology behind vulnerability disclosures that authorities (regardless of their poor reputation) claim are earth-shatteringly critical
@zzt @GossiTheDog anyone who was paying attention already knew that, though. The security circus is nothing new, it's the inevitable result of the primary talent pool for infosec being obnoxious teenage skiddies swapping 31337 h4x0r reputation points in exchange for vulnerabilities of widely varying credibility
-
@zzt @GossiTheDog anyone who was paying attention already knew that, though. The security circus is nothing new, it's the inevitable result of the primary talent pool for infosec being obnoxious teenage skiddies swapping 31337 h4x0r reputation points in exchange for vulnerabilities of widely varying credibility
@zzt @GossiTheDog see also heartbleed and the endless circus brand-and-logo vulnerabilities afterwards, stuff like the grsec nonsense, etc, going back as far as you care to look.
-
@zzt @GossiTheDog anyone who was paying attention already knew that, though. The security circus is nothing new, it's the inevitable result of the primary talent pool for infosec being obnoxious teenage skiddies swapping 31337 h4x0r reputation points in exchange for vulnerabilities of widely varying credibility
-
Mythos is not great btw. Running it over a bunch of code, it’s similar findings to tools from a few years ago. It’s marketing, essentially. Viral marketing as people doing the marketing are companies and governments.
It’s really good at finding vulns in vibe coded stuff from Claude.. because apparently AI must be both the cause and solution to all life’s problems, like beer.
@GossiTheDog
Really not fair to beer
-
@GossiTheDog Beer, and Super Glue.
@krutonium @GossiTheDog but never together
-
Mythos is not great btw. Running it over a bunch of code, it’s similar findings to tools from a few years ago. It’s marketing, essentially. Viral marketing as people doing the marketing are companies and governments.
It’s really good at finding vulns in vibe coded stuff from Claude.. because apparently AI must be both the cause and solution to all life’s problems, like beer.
-
Mythos is not great btw. Running it over a bunch of code, it’s similar findings to tools from a few years ago. It’s marketing, essentially. Viral marketing as people doing the marketing are companies and governments.
It’s really good at finding vulns in vibe coded stuff from Claude.. because apparently AI must be both the cause and solution to all life’s problems, like beer.
@GossiTheDog found the beer baron!
-
E em0nm4stodon@infosec.exchange shared this topic
-
@GossiTheDog@cyberplace.social @Standard_Phil@infosec.exchange @zzt@mas.to Mythos did find that recent ActivityPub vulnerability which is interesting. I’m not trying to shill it or anything I just think it’s interesting
https://w.on-t.work/activitypub/may-2026-vulnerability#the-ellephamt-in-the-room@skydotbit in order for that to be interesting or useful information, there'd need to be some indication that other models, or similarly resourced humans, would be incapable of finding the same vulnerability. All credible evidence so far is akin to my being able to find things in my kid's bedroom that they couldn't: it's not that I'm a magical finding things machine, it's just that they never looked.
-
R relay@relay.infosec.exchange shared this topicR relay@relay.mycrowd.ca shared this topic
-
Mythos is not great btw. Running it over a bunch of code, it’s similar findings to tools from a few years ago. It’s marketing, essentially. Viral marketing as people doing the marketing are companies and governments.
It’s really good at finding vulns in vibe coded stuff from Claude.. because apparently AI must be both the cause and solution to all life’s problems, like beer.
@GossiTheDog We found it really really capable when running in our harness with deterministic bug validation. Did you run it from within claude code?
