Anthropic’s Mythos model exposes many new vulnerabilities. The hype surrounding it suggests that everyone needs to focus on this right now. However, there are still plenty of existing, much more “boring” issues to address when it comes to cybersecurity. You could even say that those issues are far more important for most organizations. Cisco Live offered an interesting glimpse into the relationship between the past, present, and future.
Let’s just get right to the point: we’re getting a bit tired of Mythos. Everyone is talking about how much impact this model has and will continue to have. Anthropic itself also regularly stokes the fire with ominous messages. The model is supposedly too dangerous to release, a trick OpenAI also pulled in 2022, six months before the first public version of ChatGPT was released.
To ensure the security model enters the market responsibly, Anthropic founded Project Glasswing. To that end, it invited a select group of suppliers, including Cisco, to jointly oversee the process. This group has since expanded, and with Claude Fable 5, a limited version of Mythos is now available to the general public. However, this new version has been blocked for use by non-Americans through a directive from the American government. The warnings by Anthropic seem to be backfiring spectacularly.
From 8 years to 8 weeks
All of this created, and continues to create, a bit more mystery (or should we say myth) around Mythos. However, it also gave companies like Cisco the opportunity to run their own codebase through Mythos (and OpenAI’s GPT 5.5-Cyber), among other things.
The results of scanning over 1.8 billion lines of code, spanning 25 programming languages and frameworks and Cisco’s entire portfolio, are quite impressive, according to the company’s Chief Security and Trust Officer. According to Anthony Grieco, Cisco completed in 8 weeks what would otherwise have taken teams about 8 years.
Note that this is not solely due to the availability of new models such as Mythos and GPT 5.5-Cyber. Other models can also be used for this purpose, and it is essential to build a robust framework to effectively deploy these models. Otherwise, you end up with a massive jumble of output that is still unusable.
Cisco Foundry Security Spec
To ensure that the 8-week effort doesn’t just yield a pile of useless data, Cisco has built what it calls a “framework” to keep the models’ output in check. This framework is known as Cisco Foundry Security Spec. It is an open specification best viewed as a blueprint for building evaluation systems.
In other words, it’s not so much Mythos or some other trendy, new model that enables organizations to quickly scale up their code security assessments. It’s primarily how these models are deployed that makes the difference. Mythos may be intrinsically better at identifying vulnerabilities—and especially the interdependencies between different vulnerabilities—but without the right vehicle to deploy it, it’s mostly just a way to create extra noise for security teams.
Additionally, so-called security models aren’t necessarily better at detecting vulnerabilities and zero-days than other models. It’s also largely about how much freedom the models are given to delve deeply into the issue. That’s what Drew Hintz, Product Security Lead at OpenAI, also explains during a Cisco Live session we attended. GPT 5.5-Cyber is just as powerful as the standard GPT 5.5. The difference lies, among other things, in the guardrails. GPT 5.5-Cyber is “allowed” to do more than the standard version.
What to do about the old vulnerabilities?
When companies like Cisco talk about a post-Mythos world, it might suggest that we’re leaving the past behind. Nothing could be further from the truth. Post-Mythos is also very much pre-Mythos. That is to say, there are still so many vulnerabilities that organizations need to address—some of which have been present and known within their own environments for decades—that we wonder whether organizations are truly helped by yet another batch of vulnerabilities and potential attack vectors.
Fortunately, at Cisco Live, Cisco isn’t just focused on all that Mythos has to offer. In fact, in several announcements and sessions, the approach was primarily pragmatic and realistic.
Cisco Live Protect
An important announcement that addresses a major security issue for organizations is Live Protect. This new feature, currently available only in NX-OS on Cisco Nexus N9000 devices, is designed to ensure that vulnerabilities can be temporarily mitigated until a patch becomes available with the next update. As soon as Talos (Cisco’s threat intelligence division) signals that action is needed, a protective shield is developed and deployed. All of this happens in real time, so as soon as a vulnerability is discovered, a shield can be quickly deployed.
The temporary nature of Live Protect is important, by the way. Tom Gillis, SVP & GM of Infrastructure & Security at Cisco, takes every opportunity to emphasize this during a session we attended. It is not a permanent solution.

When we hear Gillis and others at Cisco talk about Live Protect, we get the feeling that we’ve heard something similar before. You could view Live Protect as a specific manifestation of the Hypershield architecture that Cisco put together a few years ago. Thanks to eBPF (extended Berkeley Packet Filter), vulnerabilities can be addressed with great precision. eBPF allows you to run programs in the kernel and add security at runtime.
We’re already confident enough to predict the next step in this journey. And we’re not talking about expanding Live Protect to other parts of the portfolio, such as the Catalyst hardware. That’s a given. All hardware capable of delivering the performance required to run Live Protect will get it. However, Cisco must also continue to innovate in the area of runtime security in general, so following Live Protect, we’re also introducing something we call Live Detect. This involves actually detecting attacks at runtime and responding to them immediately.
Cisco IQ for security
A second practical and pragmatic security update during Cisco Live concerned Cisco IQ. We wrote an extensive article about this over six months ago. In a video recorded during Cisco Live EMEA, we also delve into it in some depth together with Carlos Pereira, Fellow and Chief Architect of CX at Cisco.
Cisco’s CX division, of which Cisco IQ is, so to speak, the face, focuses primarily on maximizing the value of investments in Cisco. This way, customers get the most out of their licenses and Capex investments, and Cisco, ideally, has satisfied customers who choose Cisco again when it’s time for a refresh.

When it comes to security, Cisco adds quite a bit to Cisco IQ. In our view, the most important announcement here is that of the Resilient Infrastructure Services. These are designed to give organizations insights into where vulnerabilities lie, what they can do about them, and how they can continuously improve their resilience. It’s a way to get the most out of the security Cisco offers. Provided this is done in a clear and organized manner, it can certainly be valuable. It also integrates very well with Cisco Cloud Control. The overview of all assets in Cloud Control fits very well with the overview provided by Cisco IQ. Such an overview is a prerequisite for cybersecurity.
A little less Mythos, a little more realism
The hype surrounding Mythos is understandable in itself and, in part, justified. However, most organizations can gain much more right now by addressing the pre-Mythos challenges. This has only become more important due to rapid developments in AI. All those old vulnerabilities are now coming to light more quickly.
It is therefore good to see that Cisco is also paying close attention to the perhaps less trendy challenges. There are still more than enough of those. With Live Protect, Cisco solves a major problem in theory, namely adding (temporary) protection to infrastructure without requiring an upgrade that involves downtime. The enhancements within Cisco IQ are intended to ensure that security is properly equipped to handle challenges from the past, present, and future. This is more of an operational challenge than a technical one, but no less important for that.