You may have heard of Anthropic's Mythos platform in the news lately. It was hyped as a super AI for rapidly finding cybersecurity vulnerabilities in software. Using AI to hunt bugs is not a new thing, and most people now realize that Mythos wasn't some revolutionary change but just another tool in an existing line of tools.
Mythos, and other tools like it, work mainly by scanning the source code of software packages, looking for flaws in how they were written. We've been doing code scanning, or Static Application Security Testing (SAST), for years. We've built up pretty extensive processes as part of software development that check the code along the way for flaws. These found the more obvious flaws in the code but left more complex ones to be exploited. We'd find a few more of these using dynamic testing and hands-on penetration testing. Using AI has allowed bug hunters to find more complex and harder-to-find bugs in their code, though.
Before you start your best Chicken Little impression, let's cover a few more things.
First, most flaws that are exploited in the world are not new and novel bugs. They are well-known and unpatched holes in running systems. These aren't even always flaws in code, but often flaws in configuration. We have so much buggy software running in the wild that most attackers don't need to spend crazy AI money finding new flaws. They will just exploit the ones that are free to find and use and have been there for weeks, months, or even years. Remember this when you cancel that software update or continue using software after the vendor has stopped supporting it. All those risks you accept, either deliberately or negligently, are the bugs that most attackers are going after.
We have yet to tackle the cyber hygiene problem. Attackers are cheap and lazy. They will go after the easiest wins. Contrary to media portrayal, they aren't out there trying to one-up each other in skills.
Second, even when AI does return a list of bugs, they shouldn't be taken at face value. Everything needs to be verified by knowledgeable and experienced humans. A very open and visible example of this is the tool cURL. You may not have heard of it before, but you have used it. It programmatically fetches website data for further processing. It's a key component of many software packages that interact with the web and is integral to many open source projects. The author has been very vocal about AI's impact on his ability to find and fix bugs. He had to dramatically change his bug reporting process to account for a deluge of nonsense AI-slop reports.
Being a prominent open source developer, he was given early access to Mythos to find bugs in his code. He accepted the offer and was told Mythos found 5 bugs in his code. Only 5. In 176,000 lines of code. Of course, he had been very security conscious over the years and has employed numerous other means of finding bugs in his code, so maybe that shouldn't be unexpected. However, when they reviewed the list of bugs, they pared it down to only one of any significance. Three were design choices that were thoroughly documented and one was considered a non-security bug.
So, perhaps the processes that we have in place already are adequate... if we use them. Again, cyber hygiene comes into play. Perhaps we only have the mass of security vulnerabilities because we haven't been looking for them before. We call that "tech debt". If we are planning to pay back this tech debt using AI, the cost of repayment just skyrocketed.
Bottom line: before we start looking to AI to fix all our problems, let's make sure we've tidied up our house first. So much of what we expect from AI can mostly be accomplished by simple, and less costly, cyber hygiene work.
References:
https://www.reuters.com/business/fears-unfettered-hacking-spurred-by-anthropics-mythos-ai-model-overstated-2026-05-20/
https://this.weekinsecurity.com/ai-can-find-bugs-and-flaws-but-do-not-forget-the-cybersecurity-basics/
https://www.securityweek.com/googles-surge-in-chrome-vulnerability-discoveries-likely-driven-by-ai/
https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/
