Myth of Mythos: WannaCry researcher questions cost of Anthropic's bug hunting AI claims

Anthropic’s claim that its Mythos AI model found a “$20k bug” was challenged by Marcus Hutchins in a video shared widely across social media yesterday.
The US-based British malware analyst and cybersecurity researcher, best known for helping stop the global WannaCry ransomware attack, also questioned the broader economics behind AI-driven vulnerability discovery.
His comments follow Anthropic’s announcement of Mythos as a “striking leap” in capability, with the company claiming the model can outperform most humans at identifying and exploiting software vulnerabilities.
Anthropic, the maker of enterprise AI model Claude, said that Mythos is not publicly available and is instead being tested by a limited group of major technology and cybersecurity organizations – a project that is referred to as “Project Glasswing.”
In its System Card preview paper, Anthropic claimed the model has already identified thousands of previously unknown vulnerabilities across major operating systems, browsers and widely used software.
In the video, however, Hutchins questioned some of the flaws Anthropic’s new model has found, as well as the cost Anthropic says it took to find them.
As a case in point, he cites Anthropic’s claim about finding a 27-year-old vulnerability in OpenBSD, one of the most security-hardened OSes powering firewalls and critical infrastructure.
The AI maker says that the bug was found for “less than $20,000” in computer costs.
Yet Hutchins says the vulnerability appears to be a “null pointer dereference,” a class of bug that usually causes systems to crash rather than allowing an attacker to take control of a system.
“The best you can usually get is crashing a process or crashing an operating system,” he explained.
The real cost of bug hunting
Hutchins also raised questions about how the reported $20,000 figure was calculated, suggesting that it may not reflect the full cost.
“We don't know exactly how much it costs them, but we know it's close to $20,000 because no one says less than $20,000 when they mean $2, right?”
He added that the number probably reflects API token pricing rather than the underlying compute costs, and pointed out that current AI pricing may be influenced by venture capital investment.
He added that it is unclear how these costs would change if pricing reflected actual infrastructure expenses, and he speculated that it might be twice as expensive.
“You have all these VCs pouring money into these AI companies to build out infrastructure data centers, purchase GPUs. So we don't actually really know how much a token actually costs in terms of computational power. A lot of this is still being subsidized.”
“Not a fundamental shift in cybersecurity”
Hutchins said the main barrier to finding vulnerabilities is not technical capabilities but economic incentives.
“Bugs aren’t going unpatched because no one can find bugs. It’s because no one is being paid to find bugs.”
Marcus Hutchins, malware analyst and cybersecurity researcher.
He added that unless the industry suddenly decided to open source or crowdsource cybersecurity in the same way that it does for free open-source software, then nothing much was going to change.
“Someone is still having to pay money to have their code audited,” he argued – whether the work is done by humans or machines.
Hutchins also reiterated his belief that AI-driven vulnerability discovery does not represent a fundamental shift in cybersecurity, and that there was no evidence yet that AI systems were more cost-effective than human researchers in terms of value per vulnerability discovered.
He noted that attackers have long relied on techniques such as social engineering and phishing to gain access to systems, often without exploiting software vulnerabilities.
“Attackers have been getting into networks left and right via social engineering, spam, and all of the old techniques.”
Hutchins has form in taking the industry to task over claims that AI is going to radically change the cybersecurity landscape.
Last autumn, he called out an MIT paper for claiming that 80% of ransomware is powered by AI as being “exaggerated and baseless.” The paper was later pulled from the university’s website.
Hutchins rose to prominence in 2017 after helping stop the global WannaCry ransomware attack by activating a built-in "kill switch" that slowed the outbreak.