内容来源：https://www.wired.com/story/anthropics-mythos-will-force-a-cybersecurity-reckoning-just-not-the-one-you-think/

内容总结：

人工智能公司Anthropic本周发布的新型AI模型Claude Mythos Preview引发行业震动。该公司宣称，该模型标志着网络安全演进的关键转折点，可能对现有软件防御体系构成前所未有的威胁。这一表态迅速在安全界掀起激烈争论：究竟是AI炒作，还是真正的范式变革？

据Anthropic介绍，Mythos Preview具备突破性能力，可自动发现几乎所有操作系统、浏览器及其他软件产品的漏洞，并自主生成有效攻击代码。为此，公司仅通过名为"玻璃翼计划"的联盟，向微软、苹果、谷歌及Linux基金会等数十家组织限时开放该模型。

业内观点呈现两极分化。质疑者认为，现有AI工具已能大幅降低漏洞利用门槛，而Anthropic将新技术渲染为神秘且排他的颠覆性产品，难免存在商业炒作之嫌。云安全公司Edera首席技术官亚历克斯·泽拉则指出："开源社区通常对此类宣称持怀疑态度，但我确实认为这是真实存在的威胁。"

支持者特别关注该模型构建"漏洞攻击链"的能力——即串联多个漏洞实现深度渗透，这种类似"鲁布·戈德堡机械"的复杂攻击方式，过去因需要长期保持大量上下文信息而难以实现。资深安全工程师尼尔斯·普罗沃斯分析称："它虽未根本改变安全问题的本质，但大幅降低了实施高级攻击所需的技术门槛。"

值得注意的是，美国财政部长与美联储主席已召集金融界领袖，专门研讨此类AI模型对网络安全的影响。参与"玻璃翼计划"的思科公司产品负责人杰图·帕特尔评价："这最终将推动防御体系迈向机器级规模，因为攻击已率先实现机器化。"

也有专家呼吁理性看待。安全顾问戴维·奥滕海默比喻道："这好比别人还在用栓动步枪时，有人学会了使用机枪——虽是战术飞跃，但绝非魔法。"前美国网络安全局局长珍·伊斯特利则指出，这或许能推动行业反思："数十年来我们始终在修补本不该存在的漏洞，AI可能帮助我们转向'安全始于设计'的新范式。"

尽管争议持续，多数专家认同：Mythos Preview如同安全领域的"无限猴子定理"，虽不会一夜改变格局，但确实加速了攻击技术的演进速度。正如泽拉所言："有些人会对此感到不安，但游戏规则确实正在改变。"

中文翻译：

人工智能公司Anthropic本周表示，其全新Claude Mythos Preview模型的问世标志着网络安全演进的关键转折点，对现有软件防御策略构成了前所未有的生存威胁。那么，这究竟是人工智能领域的又一次炒作，还是真正的历史转折？

据Anthropic介绍，Mythos Preview已突破能力临界点——能够发现几乎所有操作系统、浏览器及其他软件产品的漏洞，并自主开发可用于攻击的完整漏洞利用方案。鉴于此，该公司目前仅向数十家组织有限开放该模型，包括微软、苹果、谷歌及Linux基金会等，这些机构共同组成了名为"玻璃翼计划"的联盟。尽管关于生成式人工智能将如何影响网络安全的讨论已持续多年，本周的消息仍在业界引发激烈争论：这场变革是否真的来临？实践中的形态又将如何？

部分专家对Anthropic的声明持强烈怀疑态度。他们认为现有AI代理已能帮助用户以史无前例的便捷度和低成本发现并利用漏洞，这种现状正在推动企业改进软件漏洞发现与修复流程，但并未从根本上改变现有范式。此外，Anthropic将最新模型包装成神秘莫测、能力超群且具有排他性的产品，几乎注定能从中获取商业利益，这种营销策略也令人不适。不过，另一些研究人员与实践者赞同Anthropic的评估，并指出该公司已明确表示Mythos Preview只是首个具备此类能力的模型，未来其他模型终将普遍拥有相似能力。

"我通常对此类声明持高度怀疑态度，开源社区也往往如此，但我确实从根本上认为这是真实存在的威胁，"云安全公司Edera首席技术官亚历克斯·曾拉坦言。

曾拉等人特别指出Mythos Preview的一项关键能力具有转折意义。他们认为，生成式AI如今在识别和开发"漏洞利用链"方面愈发强大——这种攻击方式通过连续利用多个漏洞深度渗透目标系统，本质上如同鲁布·戈德堡机械般环环相扣的复杂黑客技术。许多最精密的黑客攻击都采用漏洞利用链，包括无需用户任何交互即可侵入系统的"零点击攻击"。

"我们早已身处这样的世界：企业运行着存在漏洞的软硬件，却难以有效修补。许多公司根本没有能力保护自身基础设施——这种情况至今未有实质改变，"资深安全工程师兼研究员尼尔斯·普罗沃斯指出，"但据我理解，Mythos真正擅长的是发现多阶段漏洞，并能提供漏洞利用实证。这虽未从根本上改变问题本质，却大幅降低了发现和利用这些漏洞所需的技术门槛。"

目前仅向玻璃翼计划参与者有限开放Mythos Preview，这为防御方争取了短暂的先机：他们可以利用该模型查找自身系统弱点，并在攻击者广泛掌握此类能力之前，更全面地思考如何变革软件开发模式、更新周期及补丁应用机制。

行业领袖似乎已注意到这一警示。Anthropic前沿红队负责人洛根·格雷厄姆周二向《连线》透露，在本周公告发布前联系各机构洽谈玻璃翼计划时，通话时间变得越来越短，因为潜在威胁正变得日益明显。

"这是所有模型开发者共同面临的课题。我们的目标只是开启这场对话，"格雷厄姆表示，"让防御方率先掌握Mythos Preview至关重要。"

关注Mythos Preview影响的群体远不止科技公司。彭博社本周报道称，美国财政部长斯科特·贝森特与美联储主席杰罗姆·鲍威尔周二在财政部华盛顿总部召集金融业领袖会议，专门讨论此类模型对网络安全的潜在冲击。

作为玻璃翼计划成员的思科公司总裁兼首席产品官吉图·帕特尔在旧金山HumanX AI大会上向《连线》表示，Mythos Preview"绝对是重大事件"。

"长远来看，你必须确保防御体系达到机器级规模，因为攻击已是机器级规模，"帕特尔强调，"如果有数十亿代理程序攻击我的基础设施，我必须确保能有效防御。Anthropic的举措意义非凡，它创造了对抗恶意行为者的不对称优势。"

不过仍有观点认为这场热潮被过度渲染，不过是整体AI炒作周期中的一朵浪花。"这就像西部片里常见的场景：帐篷布道者高呼末日将至，然后卷走所有人的钱财消失无踪，"资深安全合规顾问戴维·奥滕海默比喻道，"这确实是变革，如同别人还在用栓动步枪时你学会了使用机枪作战，但它并非神秘莫测的魔法。"

也有观点指出，考虑到思维转变需要漫长时间才能渗透所有行业和组织，抓住特定事件或技术进步作为提高认知的契机具有现实意义。此前多次网络安全变革都发生在重大漏洞事件之后：如针对谷歌的极光攻击催生了"零信任"架构的重要性共识，SolarWinds和Log4shell攻击浪潮则推动了"安全设计"软件开发理念的普及。Anthropic主张将Mythos Preview的发布视为更审慎的转折点，因为它仍是未来风险的预警，而非最坏情况的实际演示。

安全专家同时指出，当前时刻为改善软件开发模式缺陷提供了契机。

"数十年来，我们建立了一个庞大的全球产业来防御、检测和应对本不该存在的软件漏洞，"长期从事网络安全实践的前美国网络安全与基础设施安全局局长珍·伊斯特利周三撰文指出。她认为玻璃翼计划可能引领这样的未来："AI帮助我们超越无休止的漏洞防御，转向从一开始就构建更安全的技术。这并非网络安全使命的终结，而是我们所知网络安全形态终结的开端。"

Edera公司的曾拉强调，Mythos Preview并非能一夜改变一切的惊雷，而是朝着"无限猴子在无限打字机上终将打出莎士比亚"的安全版本迈出的又一步。

"如果有一百万名漏洞研究员，他们能发现海量漏洞。但人类并不擅长长时间在脑中保持大量上下文信息，因此发现真正可协同利用的长漏洞链一直很罕见，"她解释道，"Mythos及类似模型将加速攻击者整合漏洞形成协同攻击组合的进程。可能有人会长期对此感到不满，但我确实认为游戏规则已经改变。"

麦克斯韦·泽夫补充报道。

英文来源：

Anthropic said this week that the debut of its new Claude Mythos Preview model marks a critical juncture in the evolution of cybersecurity, representing an unprecedented existential threat to existing software defense strategies. So, is it more AI hype—or a true turning point?
According to Anthropic, Mythos Preview crosses a threshold of capabilities to discover vulnerabilities in virtually any and every operating system, browser, or other software product and autonomously develop working exploits for hacking. With this in mind, the company is only releasing the new model to a few dozen organizations for now—including Microsoft, Apple, Google, and the Linux Foundation—as part of a consortium dubbed Project Glasswing. But after years of speculation about how generative AI could impact cybersecurity, the news this week ignited controversy about whether a reckoning has really arrived and what it might look like in practice.
Some are extremely skeptical of Anthropic's claims. They argue that existing AI agents can already help users find and exploit vulnerabilities much more easily and cheaply than ever before, and that this reality is fueling refinements in how companies discover and patch their software without fundamentally changing the paradigm. And then there's the ick factor that Anthropic will almost certainly benefit financially from positioning its latest model as mysterious, uniquely powerful, and exclusive. Other researchers and practitioners, though, say that they agree with Anthropic's assessment and point out that the company has said Mythos Preview is just the first to achieve capabilities that will ultimately be widely available in other models.
“I typically am very skeptical of these things, and the open source community tends to be very skeptical, but I do fundamentally feel like this is a real threat,” says Alex Zenla, chief technology officer of cloud security firm Edera.
Zenla and others specifically point to one Mythos Preview capability as the pivot point. Generative AI, they say, is now getting more capable at identifying and developing what are known as “exploit chains,” or groups of vulnerabilities that can be exploited in sequence to deeply compromise a target—essentially Rube Goldberg–machine-style hacking. Many of the most sophisticated hacking techniques employ exploit chains, including so called zero-click attacks that compromise a system without requiring any interaction from a user.
“We are already living in the world where companies run vulnerable software, vulnerable hardware, and struggle to patch. Many companies are not capable of securing their infrastructure—that hasn’t really changed from yesterday to today,” says longtime security engineer and researcher Niels Provos. “But from what I understand, Mythos is really good at coming up with multistage vulnerabilities, and then also provides the proof of exploitation. I don’t think it intrinsically changes the problem space, but it changes the required skill level to find these vulnerabilities and exploit them.”
A limited release of Mythos Preview to Project Glasswing participants only gives defenders a small lead time to find weaknesses in their own systems using the model and start to grapple more broadly with how software development, update cycles, and patch adoption needs to change before attackers have widespread access to such capabilities themselves.
Industry leaders seem to be heeding the warning. Anthropic's frontier red team lead, Logan Graham, told WIRED on Tuesday that as the company reached out to organizations about Project Glasswing ahead of this week's announcement, the phone calls got shorter and shorter because the potential threat was becoming more obvious.
“This is an issue that involves all of the model developers. Our goal here is just to kick things off,” Graham said. “It's really important that Mythos Preview gets in the hands of defenders to give a head start.”
The people considering the impacts of Mythos Preview extend far beyond tech firms. Bloomberg reported this week that US Treasury secretary Scott Bessent and Federal Reserve chair Jerome Powell convened a meeting of finance sector leaders at the Treasury’s headquarters in Washington, DC, on Tuesday to discuss the potential impacts of models like Mythos Preview on cybersecurity.
Jeetu Patel, president and chief product officer of Cisco, which is a member of Project Glasswing, told WIRED at the HumanX AI conference in San Francisco that Mythos Preview “is a very, very big deal.”
“In the long run, you want to make sure that your defenses are machine-scale, because the attacks are machine-scale,” Patel said. “If I have billions of agents that are going to be attacking my infrastructure, I need to make sure that I can defend it effectively. What Anthropic did here is a fantastic thing, because it just creates a level of asymmetry against the bad actors.”
Still, some argue that the frenzy is overblown—a splinter of the overall AI hype cycle. “It's every spaghetti Western ever where big-tent preachers say the end is nigh and then skip town with everyone's money,” says longtime security and compliance consultant Davi Ottenheimer. “It's a shift, like learning how to fight with machine guns when others are still using bolt-action rifles, but it's not magical and mystical.”
Some argue, though, that given how long it takes for these mentality shifts to proliferate across all industries and organizations, it can be useful to seize on specific incidents or advances as an opportunity to raise awareness. Other cybersecurity reckonings have come after catastrophic breaches like the Aurora attacks on Google that highlighted the importance of “zero trust” architecture, or the Solarwinds and Log4shell hacking sprees that popularized a “secure by design” approach to software development. Anthropic argues that the debut of Mythos Preview can be used as a more prudent type of inflection point, because it is still a warning of what could be to come, not a real-world demonstration of a worst-case scenario.
Security experts also say that the moment presents an opportunity to address shortcomings in how software is currently developed.
“For decades, we have built an enormous global industry to defend, detect, and respond to ‘vulnerabilities’—flaws and defects in software—that should never have existed in the first place,” Jen Easterly, the longtime cybersecurity practitioner and former US Cybersecurity and Infrastructure Security Agency director, wrote on Wednesday. Project Glasswing, she argues, could usher in “a future in which AI helps us move beyond endlessly defending against flawed software and toward building technology that is more secure from the start. Not the end of cybersecurity as a mission, but the beginning of the end of cybersecurity as we know it.”
Edera's Zenla emphasizes that Mythos Preview is not a lightning bolt that will change everything overnight. Instead, she says, it is another step toward the security version of infinite monkeys at infinite typewriters eventually producing Shakespeare.
“If you get a million vulnerability researchers, they can find a huge number of bugs. But humans are not very good at holding lots of contextual information in their minds for long periods of time, so finding very long chains of vulnerabilities that are actually exploitable together has been rare," she says. “Mythos and models like it will accelerate the pace at which attackers will be able to group vulnerabilities into sets that can work together. Some people are going to be grumpy about it for a long time, but I do think the dynamic has shifted.”
Additional reporting by Maxwell Zeff.