Banning Mythos represents a basic misunderstanding of AI cybersecurity
It’s now uncontroversial that LLMs are powerful substrates for automating defensive and offensive cybersecurity. When a model is released, the policy and frontier AI community has to decide who will benefit more, and from which release form factor, and that decision does not stay contained to cybersecurity. A harsher regulatory regime around releases, more guardrails, and interventions like the downgrading of cyber-related queries to weaker models all reach past security and into the larger question of how open or closed an ecosystem we are choosing to build, with downstream consequences for the ability of startups, of non-AI companies, and of independent researchers to innovate on behalf of defenders. All of the evidence we have at this point points toward defenders benefiting more from these models, and toward those consequences not being worth paying.
Defenders were already losing
Consider the relative positions of attacker and defender. Long before modern AI, defenders were already in a terrible position. My experience across a long career in this industry is that whenever a company I worked for ran an internal penetration test or hired external testers, those testers achieved their objectives to an alarming degree, and the field has grown almost cynical about it. Everyone in cybersecurity knows we are at a structural disadvantage. Every organization sits on a mountain of accumulated risk and security technical debt, and that debt is incendiary material; a dedicated team of attackers can come and burn the whole thing down.
This is also why practitioners are so exhausted by alerts that fall short of being confirmed exposures or breaches. There is so much work to do that there is no time to address anything beyond the most obvious risks, and so the sandhill remains, growing, year after year.
More zero-days isn’t giving attackers more advantages
Attackers occupy the correspondingly advantageous position, and they are generally able to breach networks when they choose to. The arrival of AI tooling has not, at least so far, produced a surge in attacker success beyond the already-too-high baseline, and that absence makes sense. If attackers were truly bottlenecked on the supply of zero-days and novel access, we would expect a dam-breaking effect in observed breaches by now. Many intrusions go unobserved, of course, but it is hard to persist on a victim network and accomplish anything without occasionally being seen, and we would be looking at a much larger tip of the iceberg in attacker activity than we are. To me, and I think to most people who are genuine domain experts engaged in actual cybersecurity practice, the sky not falling due to AI is unsurprising.
The promise of AI is to finally advantage defenders
The great hope of frontier AI is that it could finally invert this. Attackers have held the advantage since the birth of the internet, and the promise of these models is that for every one human security engineer we might eventually field a hundred agents that find and fix bugs in code, identify misconfigurations and exposures, work alongside people to remediate them, and in time remediate them autonomously.
Realizing that will take an enormous amount of innovation, and frontier large language models are only one ingredient. The hard, unglamorous work lives at the application layer: how do we build systems that take the most advanced underlying capabilities and turn them into reliable defensive labor at scale? The honest answer is that we get there by opening frontier models to as wide and as diverse a constituency of defenders as possible. The junior, mid-level, and senior security engineers inside the thousands of CISO organizations around the world. The open source enthusiasts and the pink-haired attendees of DEF CON. The graduate students and professors publishing in this area, much as the graduate students and professors of an earlier generation did the foundational work on fuzzing and on formal-methods-based automatic exploit generation and vulnerability research. You do not get that flywheel from a locked-down model.
How we got the Mythos ban
I think the path to this outcome, which I regard as a disastrous one, runs through the present makeup of the AI policy conversation. I have moonlighted in AI security policy meetings since ChatGPT shipped in 2022, and have observed an ecosystem of character types.
There is the sharp Georgetown graduate who works for a national security think tank in Washington, with a background in international policy and game theory, who has never done hands-on cybersecurity and reasons about it in the abstract; these people are genuinely brilliant and a pleasure to talk to.
There is the frontier-lab AI safety constituency, focused on the coarse-grained claim that scaling laws will deliver catastrophic cyber capabilities, and likewise largely untouched by the actual practice of defending or attacking systems.
There is the AI luminary, whose deep fluency in machine learning buys a kind of currency that licenses them to opine on cybersecurity despite having thought very little about it and holding only a toy model of how the domain works.
And there are a few (too few) people I admire deeply who carry real cybersecurity backgrounds into these rooms, and who, predictably, tend to treat most of what I have said above as obvious.
The problem is not that anyone should be evicted from these conversations, which sit upstream of decisions like the Mythos ban. The problem is one of distribution, and the fix is to inject far more people with deep, practical cybersecurity backgrounds into the rooms where the framings and metaphors get set.
What the history tells us
We already know what overregulation of a dual-use technology costs, because we have lived it. We saw it in the crypto wars of the 1990s, and we have seen the pattern repeat across the history of dual-use security automation, whether the artifact in question was Metasploit, fuzzing, or Kali Linux. Each time, the same fear was raised, and each time the dual-use-benefits-defenders argument won, because it was the correct one. There may well come a day when it makes sense to lock down a frontier model, and if the evidence ever points that way I will personally say so. But that decision has to be made on evidence, and right now the evidence points strongly toward openness.
Acknowledgements: I want to acknowledge Chris Rohlf, who isn’t responsible for the argument above, but convinced me of its basic shape over the last few years.

Great post as always. "the evidence points strongly toward openness" - do you consider this true in the context of social engineering? Much less measurable and harder to study, so curious for your gut take.
Agree on all of this. The Dario:Mudge ratio in these discussions needs rebalancing.