The Mythos Harness: Moving Beyond 'Speed' in AI Security

Recent findings from Project Glasswing—specifically Cloudflare’s experience with the Mythos model—highlight a shift in how security teams approach AI-driven vulnerability discovery. The consensus among experts is that throwing a large, general-purpose model at a repository is ineffective. Instead, success lies in a "harness" architecture that breaks complex tasks into discrete, specialized agentic steps.

Panelists emphasized that this is not a "new" paradigm but rather the application of established engineering principles (like microservices) to AI. The most effective approach involves:

  • Purpose-Built Agents: Using small, focused models for specific tasks rather than one monolithic model.
  • Validation Loops: Using a secondary model to perform QA on the output of the first, ensuring that identified vulnerabilities are actual, exploitable bugs rather than hallucinations.
  • Architecture over Speed: While many leaders focus on "patching faster," the panel argued that the real value of AI tools is in hardening architecture. If a system is designed to be resilient, the time between disclosure and patching becomes less critical.

The Persistence of Human Error in Supply Chains

The discussion of a recent CISA contractor leak—where cloud keys and credentials were left in a public GitHub repository—served as a case study in the failure of governance. The panel noted that such incidents are rarely the result of a single person’s mistake but rather a systemic failure where security controls were either too burdensome or poorly integrated.

Key insights on supply chain security included:

  • Friction as the Enemy: When security controls are too difficult to use, developers will inevitably find workarounds. Effective governance must be seamless.
  • Defense in Depth: Even if a credential is leaked, robust internal controls (like network segmentation or impossible-travel detection) should prevent a total system compromise.
  • The Myth of 'Secret' Code: The panel dismissed concerns about source code leaks for platforms like GitHub, noting that Git itself is open-source. If a system’s security relies entirely on the secrecy of its source code, the system is fundamentally brittle.
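
As an added illustration of the impossible-travel control named in the Defense in Depth item above (not code from the panel or from any project it discussed), the Python example below flags a credential that is used from two locations faster than a flight could connect them. The event layout, the 900 km/h and 50 km thresholds, and all sample data are assumptions constructed for this example.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed
MIN_KM = 50.0    # assumed floor: ignore geo-IP jitter within one metro area

# Constructed sample events: (ISO timestamp, credential, latitude, longitude).
# Coordinates are assumed to be already resolved from the source IP.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "svc-deploy", 38.90, -77.04),  # Washington, DC
    ("2024-01-10T09:40:00", "svc-deploy", 52.52, 13.40),   # Berlin, 40 min later
    ("2024-01-10T09:05:00", "alice", 51.51, -0.13),        # London
    ("2024-01-10T20:30:00", "alice", 40.71, -74.01),       # New York, 11 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (credential, earlier_ts, later_ts, km, kmh) for each pair of
    consecutive uses of one credential that implies a speed above max_kmh."""
    last_seen = {}  # credential -> (datetime, raw timestamp, lat, lon)
    alerts = []
    for ts, cred, lat, lon in sorted(events, key=lambda e: datetime.fromisoformat(e[0])):
        when = datetime.fromisoformat(ts)
        if cred in last_seen:
            prev_when, prev_ts, prev_lat, prev_lon = last_seen[cred]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # Simultaneous use from two distant places counts as infinite speed.
            kmh = km / hours if hours > 0 else float("inf")
            if km >= min_km and kmh > max_kmh:
                alerts.append((cred, prev_ts, ts, round(km), kmh))
        last_seen[cred] = (when, ts, lat, lon)
    return alerts


if __name__ == "__main__":
    for cred, first, second, km, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {cred}: {km} km between {first} and {second} ({kmh:.0f} km/h)")
```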

Historical Context: L0pht Day and the Cycle of Security

Reflecting on the 28th anniversary of L0pht Day, the panel observed a cyclical nature in cybersecurity. Many of the issues discussed in 1998—inadequate security measures, poor credential management, and the tension between convenience and safety—remain the primary challenges today. The panel concluded that while the "instrument" (AI) has changed, the underlying need for skilled human operators and rigorous cyber hygiene has not. We are essentially relitigating the same security battles with new technology.

Key Takeaways

  • Build a Harness: Never point an LLM at a codebase and expect results. Orchestrate specialized agents to perform discrete, verifiable tasks.
  • Validate Everything: Use a secondary model or manual review to verify AI-generated proofs of concept; do not trust the output blindly.
  • Focus on Architecture: Prioritize making exploitation difficult over simply trying to patch faster.
  • Reduce Friction: If your security controls are so difficult that people work around them, you have a governance failure, not just a user error.
  • Assume Breach: Design systems with the expectation that credentials will eventually be leaked; rely on compensating controls like network-level monitoring.

Notable Quotes

  • "The harness is the most important thing, which honestly, in IT the harness is always the most important thing, even during manual vulnerability discovery." — Dustin “EvilMog” Heywood
  • "We don't hire one person to do everything across the board. You don't employ an agent to do everything across the board. We have to have focused models to produce the output that help us versus just give us a bunch of noise." — Curtis Pitts
  • "All AI is just really fast human inside the network. So we need to, you know, teach them or at least control them properly." — Kimmie Farrington