The Latest

NIST is overhauling how it manages the National Vulnerability Database (NVD) and switching to a risk-based model that prioritizes “enrichment” of only the most critical CVE-numbered security vulnerabilities.

“This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025,” the National Institute of Standards and Technology said. “We don’t expect this trend to let up anytime soon.”


A two-year struggle and a new approach

NIST has been struggling to update NVD’s CVE entries with relevant information – descriptions, severity (CVSS) scores, known affected software configurations, etc. – for over two years.

The problem was acknowledged in early 2024 and despite occasional optimistic updates, it’s now become clear that the veritable onslaught of CVE-numbered security issues is too much for NVD’s analysts to tackle.

“We are working faster than ever. We enriched nearly 42,000 CVEs in 2025 — 45% more than any prior year. But this increased productivity is not enough to keep up with growing submissions. Therefore, we are instituting a new approach,” NIST announced.

“All submitted CVEs will still be added to the NVD. However, those that do not meet the criteria above will be categorized as ‘Not Scheduled.’ This will allow us to focus on CVEs with the greatest potential for widespread impact.”


The new NVD CVE processing workflow (Source: NIST)

From now on, the CVE entries that will be prioritized for enrichment will fall into one of three categories:

  • They’ve already been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog
  • Affect software used within the (US) federal government
  • Affect critical software (as defined by Executive Order 14028):
    • Identity, credential, and access management (ICAM) systems
    • Operating systems, hypervisors, and container environments
    • Web browsers
    • Endpoint security software
    • Network control software
    • Network protection products
    • Network monitoring and configuration tools
    • Operational monitoring and analysis software
    • Remote scanning software
    • Remote access and configuration management tools
    • Backup/recovery and remote storage software
    • Open source and government-developed software that falls into one of the above categories
    • In specific cases, libraries, packages, and modules that are integrated into and necessary for the operation of the software that falls into one of the above categories

NIST will also stop routinely adding its own separate severity score to the entries and will rely on the one provided by CVE Numbering Authorities. It will also not enrich CVEs with an NVD publish date earlier than March 1, 2026.

Users will be able to ask, via email, that NIST’s analysts enrich specific high-impact unscheduled CVEs or provide a separate severity score, but it remains to be seen how quickly these requests will be reviewed and acted upon.

With LLMs increasingly being used for vulnerability discovery and Anthropic and OpenAI sharing Claude Mythos and GPT-5.4-Cyber with vetted security researchers and teams, the flood of CVE submissions will only grow stronger.

By taking some of the pressure off its analysts, NIST hopes to buy itself time to build better automated tools that can handle that volume.

CVE Program’s problems

NIST’s announcement comes amid renewed uncertainty around the CVE Program, which is the foundation on which the NVD is built.

Run by MITRE and largely funded by the US Department of Homeland Security, the program nearly collapsed last year when its federal funding contract was about to expire, prompting CISA to step in at the last minute and triggering efforts to establish an independent CVE Foundation.

CVE Program board member Katie Noble recently warned that the surge in AI-fueled vulnerability reports is straining the program, and that it needs to evolve to keep up and continue to be relevant.

Nuno Rodrigues Carvalho, Head of Sector for Incident and Vulnerability Services at EU’s cybersecurity agency ENISA, told Help Net Security that a global common good service of this importance should not depend excessively on a potential “single point of failure,” whether financial, institutional, or operational, and that a stronger model would preserve the integrity of the shared CVE backbone while distributing responsibilities across trusted actors that can contribute capacity, services, and operational support.

ENISA, he said, is ready to contribute to the program while continuing to build European vulnerability services capacity in parallel.

The agency is currently in the process of becoming a top-level root CVE Numbering Authority for the CVE Program, which will allow it to influence its operation and evolution.



from Help Net Security https://ift.tt/pk6TFGK

Software teams building agentic AI workflows have been pushing frontier models toward longer, unsupervised task runs. Claude Opus 4.7, now generally available from Anthropic, is aimed squarely at that demand, with particular gains in software engineering, multimodal processing, and the kind of instruction fidelity that matters when a model is running tasks autonomously over multiple steps.

Claude Opus 4.7

Opus 4.7 is available across all Claude products and the API, Amazon Bedrock, Google Cloud’s Vertex AI, and Microsoft Foundry. Pricing remains the same as Opus 4.6: $5 per million input tokens and $25 per million output tokens.

What changed from Opus 4.6

Opus 4.7 is a notable improvement on Opus 4.6 in advanced software engineering, with particular gains on the most difficult tasks. The model handles complex, long-running tasks with rigor and consistency, pays precise attention to instructions, and devises ways to verify its own outputs before reporting back.

On the vision side, the upgrade is significant. Opus 4.7 can accept images up to 2,576 pixels on the long edge, approximately 3.75 megapixels, more than three times as many as prior Claude models.

That increase supports use cases including computer-use agents reading dense screenshots, data extractions from complex diagrams, and work that needs pixel-perfect references.

The higher resolution is a model-level change, meaning images sent to the API are automatically processed at greater fidelity; users who do not need the extra detail can downsample images before sending to control token costs.

Instruction-following behavior has also shifted in ways that require attention from teams migrating existing deployments. Where previous models interpreted instructions loosely or skipped parts entirely, Opus 4.7 takes the instructions literally. Users should re-tune their prompts and harnesses accordingly.

Opus 4.7 is also better at using file system-based memory. It remembers important notes across long, multi-session work, and uses them to move on to new tasks that, as a result, need less up-front context.

Cybersecurity controls and the Cyber Verification Program

The release carries specific policy weight tied to Anthropic’s earlier work on AI and cybersecurity risk. Opus 4.7 is the first model to carry Anthropic’s new cyber safeguards, which the company is testing on a less capable model before moving toward a broader release of Mythos-class models.

Its cyber capabilities are not as advanced as those of Mythos Preview; during training, Anthropic experimented with efforts to differentially reduce these capabilities.

Opus 4.7 ships with safeguards that automatically detect and block requests indicating prohibited or high-risk cybersecurity uses. What Anthropic learns from real-world deployment of these safeguards will inform its eventual goal of a broad release of Mythos-class models.

Security professionals who wish to use Opus 4.7 for legitimate cybersecurity purposes, such as vulnerability research, penetration testing, and red-teaming, are invited to join Anthropic’s new Cyber Verification Program.

Safety profile

Opus 4.7 shows a similar safety profile to Opus 4.6, with low rates of concerning behavior such as deception, sycophancy, and cooperation with misuse.

On some measures, including honesty and resistance to malicious prompt injection attacks, Opus 4.7 is an improvement on Opus 4.6. In others, such as its tendency to give overly detailed harm-reduction advice on controlled substances, Opus 4.7 is modestly weaker.

Anthropic’s alignment assessment concluded that the model is “largely well-aligned and trustworthy, though not fully ideal in its behavior.” Mythos Preview remains the best-aligned model Anthropic has trained according to its evaluations. Full safety evaluations are covered in the Claude Opus 4.7 System Card.

Migration considerations

Teams upgrading from Opus 4.6 should expect changes in token consumption. Opus 4.7 uses an updated tokenizer that improves how the model processes text, with the same input mapping to more tokens, roughly 1.0 to 1.35 times depending on content type. Opus 4.7 also thinks more at higher effort levels, particularly on later turns in agentic settings, which improves reliability on hard problems but produces more output tokens.

Anthropic says the net effect has been favorable in internal testing on a coding evaluation, with token usage improved across all effort levels. A migration guide is available at the Claude Platform documentation site.


from Help Net Security https://ift.tt/8sIyMjK

We may earn a commission from links on this page.

When you buy a Samsung Galaxy phone, you're not just getting the standard, stock Android experience as far as software goes: You're also getting One UI, Samsung's own take on Android, complete with its own visual look, AI features, and other tweaks. One UI means you get access to settings on a Galaxy handset that aren't available on other Android phones—you can apply customizations and controls you won't find on a handset from Nothing or Google. Whether you're thinking of buying a Galaxy phone and want to know what the benefits are, or you already own a Samsung handset and want to make sure you're exploring everything it has to offer, here are some of my favorite settings exclusive to One UI.

Adjust your Galaxy's color balance

Several other Android phones offer some basic tweaks for the color balance of the display, but Samsung goes above and beyond to give you more control. If you tap Display > Screen mode from Settings, you can adjust white balance with a slider, and switch between Vivid and Natural modes.

Tap Advanced settings, and you can apply changes that are even more granular. You get separate sliders for the red, green, and blue color channels, and another slider to adjust the vividness of the screen. Keep your eyes on the preview pictures at the top to see the effects of your changes.

Customize your Galaxy's side button

Side button customization. Credit: Lifehacker

The main side or power button on Galaxy phones can be remapped if you don't want to stick with the default configuration, which is a double press to launch the camera and a long press to launch Google Gemini. (Note you can't customize a single press, which will either lock or unlock your handset.)

From Settings, choose Advanced features > Side button, then pick either Double press or Long press. You have a lot of options for a double press: everything from the flashlight and magnifier, to the Samsung Voice Recorder or any other app of your choice. For a long press, you can switch to a different digital assistant, or have a long press turn off the phone instead. By default, you need to press and hold both the side button and the volume down button to power off a Samsung Galaxy handset, so switching to a long press can be more convenient.

Set up the Edge panel on your Galaxy

The Edge panel that's available on Samsung phones is a real superpower for One UI. It's a pop-up shortcut box that gives you quick access to apps, contacts, and features on your phone, and it can work as well as the Windows taskbar or the macOS dock.

You can set up and customize the Edge panel from Settings by heading to Display > Edge panels. The options here let you change the appearance and position of the panel, and switch between the type of panel you want: Choose from Apps, People, Tasks, Weather, Tools, Clipboard, or Reminder. To customize the actual shortcuts on the Edge panel, open it with a swipe from the side of the screen, then tap the pen icon at the bottom. You can make sure your most-used apps and shortcuts are always readily available.

Boost your Galaxy's available RAM

RAM Plus settings. Credit: Lifehacker

Samsung Galaxy phones come with a feature called RAM Plus that borrows part of your handset's storage and uses it as temporary RAM—which should mean launching and switching between apps happens more quickly. You can find the feature and change how much storage it uses by selecting Device care > Memory > RAM Plus from Settings.

Use multi window mode on your Galaxy

One UI has a multi-window mode that turns Android into a more desktop-like operating system, and it can be helpful on phones with larger screens when you need to get a couple of apps up side by side. You can configure the feature by opening Settings and picking Advanced features > Multi window.

To actually get apps up alongside each other, swipe up from the bottom of the screen into the center of the display to see your recently opened apps. Tap any of the app icons at the top of the carousel, then choose Open in split screen view. You then get to pick a second app to share the display with the first one.

Automatically restart your Galaxy

Auto restart options. Credit: Lifehacker

If you open Settings and select Device care > Auto optimization, you'll see an option labeled Auto restart. If you enable this, your phone will restart when it's not being used to "keep it running in the best condition" (Samsung's words). You can opt to Restart when needed or Restart on a schedule. These regular restarts can help in clearing out the memory and temporary file cache on your phone, which can in turn optimize performance. As the information on screen tells you, restarts will only happen when the screen is off, you're not actively using your phone, the battery level is about 30 percent, and the SIM card lock feature is off.

Apply 'Intelligent Wi-Fi' to your Galaxy

One UI on Galaxy phones doesn't just offer wifi—it offers "Intelligent Wi-Fi," which means it uses AI to optimize your connection as much as possible. Tasks where latency is crucial (such as video calls) get prioritized, and if the phone thinks you'll get better performance on a cellular connection, it will automatically switch to this instead.

To find the options, open Settings and select Connections > Wi-Fi. Then you need to tap the three dots up in the top right corner, choose Intelligent Wi-Fi from the menu, and you're then able to switch on the features you want to make use of. There's also a secret wifi monitoring tool hidden away here.


from Lifehacker https://ift.tt/Ups73JN


Ever since our house flooded in the middle of the night (though thankfully before we fell asleep), my wife and I have been diligent about setting up water alarms all over the house, so we'll receive crucial warning the moment something leaks or backs up.

Well, the other night, the alarm under the kitchen sink went off while the dishwasher was running—and, sure enough, there was water gushing out of the sink drain. Luckily, I was able to turn off the water and clean everything up before it totally ruined my cabinets and floors. I started my investigation into the problem, and about three seconds later, it was obvious: My sink drain had a huge gap in it:

The ginormous hole in my corroded kitchen drain pipe. Credit: Jeff Somers

It was actually kind of amazing—a chunk of pipe was just gone, and what was left was as fragile as tissue paper. I called a few plumbers, but no one could get to me for a few days (plumbers have a very narrow definition of the word “emergency”). I was faced with the prospect of not being able to use my kitchen sink or dishwasher for a while, or risk further damage to my house.

But I had another option: A quick fix with an epoxy putty.

Epoxy putty is an easy, water-resistant solution to leaks

Epoxy putties all work generally the same: They contain a resin and a hardening agent, and when these clay-like materials are combined, a chemical reaction quickly hardens them into whatever shape you work them into. There are a few major brands to choose from, including J-B WaterWeld, PC-Plumbing Epoxy Putty, Oatey Stick Fix-It, and Loctite Epoxy Putty. I happened to have some WaterWeld on hand, so that’s what I used to save my kitchen, but any of these products will probably work as well.

How to quickly patch a leak with epoxy putty

The process is pretty straightforward: First, you pinch off as much putty as you think you’ll need (wear gloves—this stuff can irritate your skin):

The two parts of an epoxy putty ready to be combined. Credit: Jeff Somers

Knead the material together, mixing the resin and the hardener until it’s all one color:

Kneading the putty together is oddly satisfying. Credit: Jeff Somers

Now apply the putty to your leak. In my case, I used pretty much the whole package to encapsulate the massive hole in my kitchen drain:

My masterful putty repair kept the kitchen in business until the plumber arrived. Credit: Jeff Somers

Different products will have different working times and hardening times. WaterWeld takes about 25 minutes to set, so you need to work relatively quickly. Luckily, temporary plumbing repairs don’t need to be pretty. I just rolled it onto the drain, pressed it into place, and worked the edges to create a seal. It's important to note that epoxy putty products like this are intended for low-pressure repairs; while they can probably plug pinhole leaks in high-pressure pipes, a repair of this size wouldn't have worked if under any sort of intense water pressure.

WaterWeld cures in about an hour, so after waiting it out, I ran the water in the sink for a while to test it—and not a drop came out. Then I ran the dishwasher with my water alarm in place, and experienced zero problems. The putty repair held for the three days it took a plumber to show up (to add insult to injury, he wasn’t even impressed with my brilliant temporary fix). In the meantime, we were able to use the kitchen normally without risking further water damage. For a product that costs about $7, that’s not bad.


from Lifehacker https://ift.tt/h9uvpRG

If you use Google Chrome, listen up: You may be running malicious extensions without even knowing it. As reported by The Hacker News, cybersecurity researchers with Socket's Threat Research Team have identified 108 extensions available in Google Chrome that steal login credentials, user IDs, and browsing data. All 108 extensions route that information back to servers controlled by a single operator, despite these extensions being published by five different developers (GameGen, InterAlt, Rodeo Games, SideGames, and Yana Project). These extensions collectively have around 20,000 installations, which isn't a massive pool of targets considering Chrome's 3.62 billion users, but is still a concern given the number of extensions involved in this coordinated scheme.

Socket's team identified that there are some key categories these extensions are published under: Telegram sidebar clients, which display a working Telegram chat interface in the browser; slot machine and Keno games, which offer a playable gambling experience; YouTube and TikTok "enhancers;" page utility extensions; and one text translation tool. All extensions appear to offer the services advertised in the Chrome Web Store, all the while running malicious programs under the surface.

Users who install the Telegram client may get a functioning chat experience, but underneath, the extension is stealing that user's Telegram Web sessions every 15 seconds, which leaks all messages, contacts, and linked accounts. Fifty-four of the extensions steal your Google account identity when you click the "sign-in" option, which leaks your email, name, and profile picture to the operator. (Notably, the scheme does not grant the operator access to your Google account.) Forty-five of the extensions have a backdoor that can open any URL the operator wants in your browser. Seventy-eight of the extensions can inject HTML code into your browser. Five extensions can remove YouTube and TikTok security measures in order to inject gambling ads and overlays onto the sites. And when you sign up for the text translation tool, it sends your email and full name to the server, as well as anything you translate with the extension.

How to protect yourself from these malicious extensions

The first thing you should do is check to see whether you have any of these extensions running in your browser. Some of the more popular extensions identified here include "Telegram Multi-account," "Black Beard Slot Machine," "Page Locker," and "InterAlt," but you can find a complete list of the extensions, including their Chrome Extension IDs, on Socket's report here.
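One way to run that check across every Chrome profile on a machine, as an added example that is not code from Socket or Lifehacker: it walks Chrome's on-disk `Extensions` folders and flags installed extensions by ID or by name. The IDs in `BLOCKLIST_IDS` are constructed placeholders to be replaced with the IDs from Socket's report; the four names are the ones mentioned above, and a name-only match is a hint to investigate, not proof.

```python
import json
import os
import re
import sys
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Placeholder IDs (constructed, NOT taken from Socket's report).
BLOCKLIST_IDS = {"abcdefghijklmnopabcdefghijklmnop"}

# Names mentioned in the article; names can collide with benign extensions.
SUSPECT_NAMES = {"telegram multi-account", "black beard slot machine",
                 "page locker", "interalt"}


def default_user_data_dir() -> Path:
    """Standard Chrome user-data locations on Windows, macOS and Linux."""
    if sys.platform.startswith("win"):
        return Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data"
    if sys.platform == "darwin":
        return Path.home() / "Library/Application Support/Google/Chrome"
    return Path.home() / ".config/google-chrome"


def load_json(path: Path) -> dict:
    """Read a JSON object, tolerating a BOM, missing files and bad syntax."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Return the display name, resolving localized __MSG_key__ names."""
    name = str(manifest.get("name", ""))
    match = re.fullmatch(r"__MSG_(.+)__", name)
    if not match:
        return name
    locale = str(manifest.get("default_locale", "en"))
    messages = load_json(version_dir / "_locales" / locale / "messages.json")
    wanted = match.group(1).lower()  # message keys are case-insensitive
    for key, entry in messages.items():
        if key.lower() == wanted and isinstance(entry, dict):
            return str(entry.get("message", name))
    return name


def installed_extensions(user_data_dir: Path):
    """Yield (profile, extension_id, version, name) for every profile."""
    for ext_root in sorted(Path(user_data_dir).glob("*/Extensions")):
        for ext_dir in sorted(ext_root.iterdir()):
            if not (ext_dir.is_dir() and EXT_ID_RE.match(ext_dir.name)):
                continue  # skip temp folders and anything that is not an ID
            for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
                manifest = load_json(version_dir / "manifest.json")
                yield (ext_root.parent.name, ext_dir.name,
                       str(manifest.get("version", version_dir.name)),
                       resolve_name(version_dir, manifest))


def find_flagged(user_data_dir, blocklist_ids=BLOCKLIST_IDS,
                 suspect_names=SUSPECT_NAMES):
    """Return a list of dicts for extensions matching by ID or by name."""
    hits = []
    for profile, ext_id, version, name in installed_extensions(user_data_dir):
        if ext_id in blocklist_ids:
            reason = "id"
        elif name.strip().casefold() in suspect_names:
            reason = "name"
        else:
            continue
        hits.append({"profile": profile, "id": ext_id, "version": version,
                     "name": name, "reason": reason})
    return hits


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else default_user_data_dir()
    for hit in find_flagged(root):
        print("{profile}: {id} {version} {name!r} (matched by {reason})".format(**hit))
```

Extensions loaded unpacked from a developer folder do not live under `Extensions`, so also review `chrome://extensions` in each profile.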

If you used Telegram Multi-account, Socket recommends logging out of all Telegram Web sessions using the Telegram app. You can find the option from Settings > Devices > Terminate all other sessions. If you signed into any of these extensions with your Google account, assume your identity was exposed, and review your third-party app permissions here. Unfortunately, if you used Text Translation with your email, your name and email address were exposed.

Going forward, exercise extreme caution before installing new extensions in your browser. While the Chrome Web Store should only contain "safe" extensions, malicious programs find their way onto the marketplace. Always carefully review each listing before installing the extension: If the extension requires sensitive information, lacks many reviews, or the listing is poorly constructed, it's best to avoid it entirely.


from Lifehacker https://ift.tt/AykEZ4j

The aptly named Binge is a new app for iPhones, iPads, and Macs that has set its sights on Letterboxd. Like that popular movie-centric social media platform, Binge gives you a way to track what you've watched and what you want to watch. But whereas Letterboxd sticks mostly to movies, Binge covers both movies and TV shows, and adds "jump scare warnings," an innovative feature Letterboxd can't match (though in testing it out, I experienced mixed results).

Keeping tabs on my viewing is something I very much need help with, and while I've had a Letterboxd account for a while, I don't log into it or update my viewing history very often. Because it offers one spot to track both movies and TV, I decided to give Binge a try—and despite the aforementioned issues with its standout feature, I mostly liked what I found.

Use Binge to track both movies and TV shows

You don't need to sign up for an account to use Binge, but if you do, you can sync your activity in the app across multiple Apple devices. As far as the interface goes, you've got three tabs for checking out new and trending content—Discover, Movies, and Shows. The final tab is the Library, where your viewing is logged.

The tracking is really simple: You can mark movies or TV shows as watched or that you'd like to watch in the future; for shows, you can also log how many episodes you've got through. This is all then sifted into a timeline on your Library page. (One non-Letterboxd feature I enjoy is the option to pick a selection at random from your want-to-watch list—a good bet for those times when you just can't decide what to watch.)

Binge offers a clean and simple layout. Credit: Lifehacker

Overall, Binge is simpler than Letterboxd, which crams in so many options—marking something as watched, rating it, adding it to lists, and sharing it with others—into the same pop-up window; while that app offers more to do, it also feels cluttered. Binge provides just the basics, which is a plus for a low-effort media tracker like me.

The same goes for the built-in search: It's much more comprehensive on Letterboxd, where you can really dig down into search categories like genre, year of release, and cast and crew members. Binge offers a more straightforward keyword search for matching titles or people associated with a title.

Still, Binge is impressive in terms of how much information it presents for each movie or TV show. As well as cast and crew lists, you've got trailers, ratings from across the web, awards and nominations, information on which streaming app you need to watch something, and a parents guide that flags up anything that's frightening, violent, or otherwise adult in nature.

You get plenty of information about each title. Credit: Lifehacker

The Library tab is well done, sorting everything in an easy to follow way, though you can create collections for movies and shows if you want to organize them more deliberately. I like the idea of the Your Next Watch section, which recommends titles based on what you've already seen, and it turned up some interesting picks for me.

You can customize a lot of the interface inside Binge, so if there are features you're not really interested in—like reviews of a movie or lists of how many awards it's picked up—you can disable them with a tap. It's also possible to tone down some of the effects, like parallax and shimmer, that are applied by default.

The jump scare tracker is a great idea, but it didn't quite work for me

I'm not much of a fan of horror or violence—I really don't like being scared or grossed out—which can make watching movies tricky. Some of the most critically acclaimed and popular flicks come with these elements included, and so I find myself wanting to watch them while also worrying about being traumatized.

Binge provides a solution for this in the form of jump scare warnings: Many title pages offer a timeline showing when the jumps are coming, and details of what happens (so beware spoilers). There's a timer you can start when you begin watching that will ostensibly deliver a jump scare alert to your phone as a "Live Activity" before the scary scene hits. However, while the timeline screen was straightforward enough, I couldn't get the Live Activity notifications to pop up consistently—the app seemed to lose track of what it was tracking and when, and there's no way to manually adjust the time elapsed once you've already started a movie or TV show. Still, the jump scare timeline on its own is useful. The scares are sorted into minor and major categories, and if you don't mind getting advance warnings about a plot point or two, then they're handy to have if you want to know when to cover your eyes.

A jump scare timeline. Credit: Lifehacker

Unfortunately, jump scare charts aren't available for every movie. In browsing, I found that films like The Invisible Man (2020) and Prometheus (2012) offer them, but they're missing on older fare such as Silence of the Lambs (1991) and Single White Female (1992). I'm not sure where Binge is getting its data from (possibly WhenJumpScare), but it's not guaranteed for every film.

The other downside: Jump scares are a paid extra in Binge. You'll need to sign up for a monthly ($1.99), yearly ($17.99), or lifetime ($49.99) package to get them. The subscription also unlocks several other features, like episode ratings graphs, the ability to set custom movie posters (also a paid feature on Letterboxd), and reminders for upcoming movies and shows.

The app includes recommendations too. Credit: Lifehacker

The app also scores highly for its data import and export tools. You can load in existing information from your accounts on Trakt, Letterboxd, and IMDb, and export everything you've logged in a JSON file to use elsewhere. You can also sync activity with Trakt, though that's another premium feature.

Binge is a worthy Letterboxd alternative

While hardened film nerds are still going to prefer Letterboxd—not least for the baked-in community and sharing features—Binge is a worthy alternative for the rest of us. You can get up and running in just a few minutes, everything is neatly laid out and easy to parse, and there are numerous cool touches spread throughout. It might finally get me to more faithfully track my media consumption.


from Lifehacker https://ift.tt/YniqWbU

Could Claude Mythos Preview, Anthropic’s latest large language model, be leveraged for fully automated cyber attacks?

The UK government’s AI Security Institute (AISI) tested its capability to successfully engage in capture-the-flag (CTF) challenges and multi-step attack scenarios, and found that while its cybersecurity capabilities exceed those of previously available models, it can’t reliably execute autonomous attacks on hardened networks.


What is Claude Mythos Preview?

Anthropic introduced Claude Mythos Preview to the public earlier this month, and stated that the LLM is exceptionally good at discovering previously overlooked and difficult-to-detect bugs and vulnerabilities in operating systems, software, web applications, and cryptography libraries.

Given its effectiveness, the model will not be publicly released, as malicious actors could leverage it to discover zero-day vulnerabilities and develop exploits for both novel and known-but-unpatched weaknesses.

Instead, Anthropic launched Project Glasswing, a selective program giving major technology, cybersecurity, and financial organizations early access to the model. Joining them are the Linux Foundation and 40 organizations that build or maintain critical software infrastructure, all working to secure the world’s most important software before comparable AI tools reach wider audiences.

Claude Mythos: Cyber attack capabilities and current limits

What Claude Mythos Preview means for cybersecurity is being hotly debated online and offline. The results of tests performed by the AI Security Institute offer more insight on what dangers cybersecurity defenders may soon face.

The model is good at solving capture-the-flag (CTF) challenges, which are aimed at identifying and exploiting weaknesses in target systems, AISI researchers found.

“On expert-level tasks — which no model could complete before April 2025 — Mythos Preview succeeds 73% of the time,” they shared.

When it comes to more complex attacks, it’s less effective.

“Real-world cyber-attacks require chaining dozens of steps together across multiple hosts and network segments — sustained operations that take human experts many hours, days, or weeks to complete,” AISI noted.

“As a first step towards measuring this, we built ‘The Last Ones’ (TLO): a 32-step corporate network attack simulation spanning initial reconnaissance through to full network takeover, which we estimate to require humans 20 hours to complete. Claude Mythos Preview is the first model to solve TLO from start to finish, in 3 out of its 10 attempts.”

That said, three successes out of ten attempts tell only part of the story: the test environment was, by the researchers’ own admission, an easier target than most real-world networks, with no active defenders, no defensive tooling, and no consequences for tripping alerts.

“This means we cannot say for sure whether Mythos Preview would be able to attack well-defended systems,” the researchers said.

Still, the model can autonomously navigate an attack on a small, poorly defended system once someone gets it through the door (i.e., initial access is achieved by attackers).

“This highlights the importance of cybersecurity basics, such as regular application of security updates, robust access controls, security configuration, and comprehensive logging,” they opined, and pointed organizations towards UK National Cyber Security Centre’s advice on how cyber defenders should use AI to their own advantage.

Advice for AI-assisted defense

Anthropic’s researchers also advised defenders to use available AI models to strengthen defenses. They should use them to discover vulnerabilities, analyze cloud environments for misconfigurations, help accelerate migrations from legacy systems to more secure ones, automate parts of incident response, and more.

Mythos Preview’s ability to write n-day exploits autonomously means that patch cycles will have to be shortened, as well. “Software users and administrators will need to drive down the time-to-deploy for security updates, including by tightening the patching enforcement window, enabling auto-update wherever possible, and treating dependency bumps that carry CVE fixes as urgent, rather than routine maintenance,” Anthropic warned.

A paper recently released by the Cloud Security Alliance, written with the input of cybersecurity experts and the wider cybersecurity community, provides more specific guidance for Chief Information Security Officers on how to adapt their organization’s security program to this emerging threat landscape.



from Help Net Security https://ift.tt/B16NYmj