ai-cybersecurity
5 items · chronological order
AISI Evaluation of Claude Mythos Preview's Cyber Capabilities
A UK government lab confirmed Mythos can autonomously execute a 32-step corporate network attack end-to-end, outperforming every tested model including GPT-5, with performance still scaling at the 100M token ceiling. The evaluation tested capability against undefended ranges, so what AISI validated is threat potential, not operational impact against a real defended environment. The structural shift is that government evaluation infrastructure is becoming the third-party verification layer for frontier AI claims, sitting between self-reported lab benchmarks and the market the way FDA trials sit between pharma and prescribers.
AI Is Making Digital Fraud Easier, Faster and Harder to Stop
Breach notifications to victims fell 79% last year while breaches hit a record high — the disclosure regime didn't get repealed, it decayed through underuse. Companies underdisclose, states underenforce, and the cost lands on consumers and small banks while AI defense vendors capture the rents. The structural fix — continuous identity attestation at the rails layer — is the same control plane the agentic enterprise stack needs, which means two demand vectors pointing at the same consolidation.
The 90 Day Disclosure Policy Is Dead
Coordinated disclosure was an information-containment regime, and containment fails when discovery diffuses. Eleven independent researchers landed the same critical bug in six weeks; Copy Fail took roughly an hour of AI-assisted scanning to find; Dirty Frag's embargo collapsed within hours via unrelated rediscovery, with Microsoft Defender confirming in-the-wild exploitation a day later. The offense side has integrated LLMs into exploit pipelines. The defense and policy layer largely has not, and that asymmetry is the actual risk — CVE feeds are now lagging artifacts, and patch-diff intelligence is the signal that matters.
Google Says Criminal Hackers Used A.I. to Find a Major Software Flaw
AI compressed vulnerability discovery to near-zero cost; credentialed access remained the second gate. Google's disclosure of the first criminal AI-enabled zero-day is the empirical confirmation that the offense-side binding constraint has shifted from bug-finding to credential acquisition, which re-rates the IAM stack more cleanly than the AI-security pure-plays. Rob Joyce's "fingerprint at the crime scene" line points to a parallel category in forensic AI-authorship detection that remains structurally unfilled.
Google Says Criminal Hackers Used A.I. to Find a Major Software Flaw
Google's criminal AI zero-day confirms the new attack topology: AI compressed bug discovery to near-zero cost, but the attacker still needed credentials and the patch cycle still ran in days. The asymmetric trade sits in IAM hardening and patch-velocity infrastructure. The AI-security pure-plays are already priced for the headline; the credential layer is what actually moved.