Forem: shakti mishra

Mythos and Cyber Models: What does it mean for the future of software?

shakti mishra — Sat, 25 Apr 2026 23:24:05 +0000

Anthropic Made Its Model Worse On Purpose. Here's What That Tells You About the State of AI Security.

In the entire history of commercial AI model releases, no company has intentionally made a model worse on a published benchmark before shipping it to the public.

That changed this month.

Anthropic released Opus 4.7. And if you look at the CyberBench scores, it performs below Opus 4.6 — the model it was supposed to supersede. That regression was not a bug. It was a deliberate product decision, and understanding why they made it is one of the most important things a software architect can do right now.

The reason is a model called Claude Mythos. It is the most capable vulnerability-discovery system ever tested on real-world production software. It found a 27-year-old flaw in OpenBSD — one of the most security-hardened operating systems on the planet. It found a 16-year-old vulnerability in FFmpeg. It chained multiple Linux kernel weaknesses into a working privilege escalation exploit, going from ordinary user access to full machine control.

And then Anthropic looked at those results, looked at the systems the rest of the world runs on, and decided the right thing to do was to restrict access before releasing anything more capable publicly.

That decision is the signal. Everything else in this post explains what it means.

What Claude Mythos Actually Did

Mythos is not a research artifact or a red-team proof of concept. It is a production-grade capability that was released — under the codename Project Glasswing — to a small set of approximately 40 vetted organizations that operate critical software, specifically so they could begin hardening their systems before the model's capabilities became more widely known.

What it demonstrated in controlled environments:

Active zero-day discovery at scale. Mythos does not just match known CVE patterns. It analyzes real systems, identifies previously undocumented vulnerabilities, and produces working proof-of-concept exploit chains. The OpenBSD bug had existed since 1997. It was not obscure legacy code that nobody touched — OpenBSD is actively maintained and specifically designed to be resistant to exactly this kind of analysis. A 27-year-old bug surviving in that environment is not a failure of individual engineers. It is a signal about the limits of human-scale review.

Exploit chaining. Finding a single vulnerability is one thing. Combining multiple weaknesses into a viable attack path is the work that turns a theoretical risk into a real one. Mythos demonstrated the ability to do this across kernel-level Linux vulnerabilities, turning a sequence of low-individually-critical issues into full privilege escalation. This is the kind of chain that typically takes a skilled attacker weeks to construct. The model did it as part of its analysis pass.

Scale that no human team can match. The significance is not any single finding — it is the rate. Human security researchers are bottlenecked by expertise, time, and context-switching. Mythos evaluates thousands of potential attack surfaces in parallel, continuously, without fatigue or prioritization constraints.

OpenAI Is Thinking the Same Thing

Anthropic is not operating in isolation. Within days of Mythos going out to Project Glasswing partners, OpenAI released GPT-5.4-Cyber — a variant of its flagship model fine-tuned specifically for defensive cybersecurity use cases. It is only available to vetted participants in their Trusted Access for Cyber (TAC) program.

The parallel is striking:

Anthropic                              OpenAI
─────────────────────────────────────────────────────
Claude Mythos                          GPT-5.4-Cyber
Project Glasswing (~40 partners)       TAC program (vetted participants)
Restricted pre-release access          Safety-guardrail modifications
                                       for authenticated defenders
Vulnerability discovery & chaining     Binary reverse engineering enabled

GPT-5.4-Cyber goes further in one specific way: it removes many standard safety guardrails for authenticated defenders, including support for binary reverse engineering — a capability that is normally off-limits. OpenAI's Codex Security tool has already contributed to fixing over 3,000 critical and high-severity vulnerabilities.

What this pattern tells you is not that these models are risky in an abstract sense. It is that both of the leading frontier AI labs have independently reached the same conclusion: their models are now powerful enough that unrestricted public access would be a net liability. That is not a marketing stunt. That is not regulatory positioning. That is two organizations treating their own work the way defense contractors treat classified technology.

The Shift That Actually Matters: Human Effort Is No Longer the Limit

For as long as software security has existed as a discipline, there has been a natural rate-limiting factor: human effort.

Finding vulnerabilities required skilled people with time, focus, and domain expertise. Even the most sophisticated state-level adversaries were constrained by how fast their teams could move. The difficulty of exploitation was, itself, a form of defense.

That constraint is gone.

Here is what the new operating environment looks like:

Old model (human-rate-limited):
─────────────────────────────────────────────────────
Attacker → manually analyze codebase
         → weeks/months per target
         → limited to known vulnerability patterns
         → exploitation requires specialists
         → limited parallelism

New model (AI-accelerated):
─────────────────────────────────────────────────────
AI system → continuous automated analysis
          → thousands of targets in parallel
          → identifies novel vulnerability classes
          → generates working exploit chains
          → operates 24/7 without fatigue

The attack surface has not changed. The cost of probing it has dropped by orders of magnitude.

Vulnerability discovery now happens continuously instead of periodically. Exploit development can be partially or fully automated. And as these models become accessible — either through legitimate programs or through underground markets where stripped-down variants already circulate — the population of actors capable of sophisticated attacks expands dramatically.

The Real Problem: The Remediation Gap

Here is the uncomfortable truth that the Mythos story exposes.

Most of the risk in software systems today does not come from vulnerabilities that haven't been found yet. It comes from vulnerabilities that have already been found, are already documented, and have not been patched.

Security teams work against a perpetual backlog. Systems are too fragile to update quickly. Regressions break things when patches go in. Dependency chains make change expensive. This is the normal operational state of almost every engineering organization running at scale.

What AI does is accelerate the discovery side without equally accelerating the remediation side. That asymmetry is the actual risk.

Discovery velocity         ████████████████████████████░░  (AI-accelerated)
Remediation velocity       ████████░░░░░░░░░░░░░░░░░░░░░░  (still human-rate-limited)
                                    ^^^
                            This gap is your attack surface

A system that finds 10,000 previously unknown vulnerabilities in a month is not obviously helpful if your team can patch 200. The remaining 9,800 are now known — potentially to adversaries — and unaddressed. The net effect can be a larger effective attack surface, even though the underlying systems have not changed at all.

This is the design problem that the industry has not solved. Mythos forced the conversation into the open.

The Monoculture Risk Nobody Is Talking About

Individual vulnerabilities are dangerous. Vulnerabilities in software that runs everywhere are catastrophic.

The hidden amplification factor in this story is software monoculture: the same operating systems, the same libraries, the same frameworks are used across millions of production systems globally. A single vulnerability in glibc, OpenSSL, or the Linux kernel is not a bug in one application. It is a bug in the substrate that most of the world's software infrastructure runs on.

When AI accelerates vulnerability discovery in monoculture environments, the impact does not scale linearly — it scales by the number of systems running that codebase.

Traditional single-target exploit:
  1 attacker → 1 target → 1 breach

AI-discovered monoculture exploit:
  1 AI system → 1 vulnerability → millions of targets
                                 (same code, different deployments)

This is how the Mythos findings — an OpenBSD bug, an FFmpeg flaw — become systemic risks rather than isolated incidents. OpenBSD runs in firewalls, embedded systems, and network appliances across critical infrastructure. FFmpeg processes video in applications that touch billions of users. These are not edge cases.

An Unexpected Counterforce

There is one interesting development beginning to emerge from the same forces that created this risk.

As AI reduces the cost of building software, organizations may — over time — begin to build more customized, less standardized systems. When you can generate a bespoke authentication module in minutes instead of weeks, the calculus around using shared libraries changes.

If that shift materializes at scale, it could reduce the blast radius of any single vulnerability. Attackers cannot reuse the same exploit across millions of targets if the targets are no longer running identical code.

The catch is that this benefit only materializes if security practices evolve at the same pace as development. Right now, AI is accelerating development velocity significantly faster than it is accelerating security rigor. The window between "built with AI" and "secured with AI" is where the risk lives.

Where This is Heading: AI vs. AI

The end state of this trajectory is a security landscape that operates entirely differently from today's.

Current state:
  Human attackers ──────────► Human defenders
  (slow, expertise-limited)    (slow, expertise-limited)

Near-term state:
  AI attackers ─────────────► Human defenders
  (fast, scalable)              (slow, expertise-limited)
                    ^^^
              Current danger zone

Future state:
  AI attackers ─────────────► AI defenders
  (fast, scalable)              (fast, scalable)
         └──────────────────────────┘
              Competing feedback loops

We are currently in the second phase — the danger zone. AI-accelerated attack capability is outpacing human-scale defense. The third phase, where AI defense catches up, is coming, but it is not here yet.

The organizations that close that gap fastest will not necessarily have the most capable models. They will have the tightest feedback loop between detection and remediation. Anthropic understood this when they degraded Opus 4.7 on CyberBench. They looked at Mythos's capabilities, understood that making something more capable publicly available was a liability before the defense side had caught up, and made a product decision that cost them a benchmark headline in exchange for reduced near-term risk.

That is the playbook. Build for the loop, not the leaderboard.

What Developers and Architects Should Actually Do Right Now

The model release news cycle will pass. The structural shift it represents will not. Here is how to think about your exposure:

Audit your patch lag. The remediation gap is your real risk surface. How long does it take your organization to go from "CVE published" to "patch deployed in production"? That number tells you more about your actual risk than your perimeter security posture.

Treat your dependency graph as infrastructure. Libraries and shared frameworks are not just technical debt decisions — they are blast radius decisions. Every shared dependency is a vector through which a single discovered vulnerability reaches you. That calculus now needs to include AI-accelerated discovery timelines.

Start thinking about detection-to-remediation as a pipeline, not a process. The organizations that will handle the next phase of AI-accelerated attacks are the ones that have automated the boring parts of remediation so that their human capacity can focus on the genuinely novel cases.

Understand which of your systems run on monoculture infrastructure. OpenBSD, Linux kernel, FFmpeg, OpenSSL, glibc — if your systems touch these, you are exposed to a different risk profile than systems running on more customized stacks. Know which category you are in.

Key Takeaways

The intentional benchmark regression is the story. Anthropic degraded Opus 4.7 on CyberBench specifically because Mythos demonstrated that unrestricted public access to more capable models is a net liability for critical infrastructure. That is an industry-first decision worth understanding deeply.
Human effort is no longer the rate-limiting factor in vulnerability discovery. AI systems can probe attack surfaces at scale, continuously, across thousands of targets — and produce working exploit chains, not just theoretical flags.
The remediation gap is now the primary risk. AI accelerates discovery without equally accelerating patching. The asymmetry between those two velocities is your real attack surface.
Software monoculture amplifies everything. A single AI-discovered vulnerability in shared infrastructure (Linux, OpenSSL, FFmpeg) is not one bug in one system — it's one bug in the foundation of millions of systems simultaneously.
Both Anthropic and OpenAI are now treating their own models like classified defense technology. This is not regulatory theater. It is a calibrated signal that capability has outpaced the defense ecosystem's readiness.

The Question That Should Keep Architects Up at Night

Anthropic made their model worse on purpose because they understood something most of the industry has not caught up to yet: the capability is already here. The question that remains is who gets to use it first, and whether the defense side catches up before the attack side scales.

We like to believe that modern software systems are mature and well understood. They are not. A 27-year-old bug in a deliberately hardened operating system is not an anomaly — it is evidence that complexity has always outpaced our ability to fully audit what we build. AI is not introducing that complexity. It is exposing it.

Here is the question I want to leave you with: If a system like Mythos ran against your production infrastructure today, how long would it take your team to close what it found — and do you have a plan for the gap?

Drop your answer in the comments. I'm particularly curious how organizations with large legacy surface areas are thinking about this.

Credit: The technical analysis in this post is based on insights from Diary of an AI Architect by Anurag Karuparti — a newsletter worth following if you build or operate software at scale.

5 Markdown Files That Tame Non-Deterministic AI in Your Engineering Org

shakti mishra — Fri, 24 Apr 2026 00:08:51 +0000

Your AI Coding Agent Has No Memory. These 5 Files Fix That.

Picture this: two developers on the same team, same repo, same AI coding assistant. One gets perfectly typed TypeScript with tests. The other gets any everywhere and zero test coverage. Same tool. Same codebase. Completely different output.

This is not a bug. It is the default state of AI-assisted engineering when you leave standardization up to individual prompting habits.

One developer's Copilot generates tests for every function. Another skips testing entirely. One team receives code that reuses the shared auth module. Another ends up with a custom, hand-rolled auth flow. One developer's output follows established naming conventions. Another produces code that looks like it came from a completely different codebase.

As AI becomes embedded in software delivery, the real problem is not capability — it is consistency. The rules, workflows, and context that shape good engineering decisions need to live somewhere permanent. Somewhere the model will actually read.

That somewhere is your repository. And the format is five markdown files.

Why Prompting Alone Doesn't Scale

Every engineer prompts differently. That is fine for a solo project. It is a slow disaster for a team.

When everyone relies on personal prompting habits, you get a system where quality varies by individual, standards drift across branches, good decisions made once never get inherited by the next PR, and AI agents context-switch between contributors with no shared memory.

The models are not the bottleneck. Your team's ability to encode engineering judgment into the system around the model is.

GitHub now supports a structured set of repository-level files that give AI coding agents a persistent, shared understanding of how your team works. These files load into context automatically, apply to specific code paths, define specialist roles, and package reusable workflows. They work across GitHub Copilot, Claude Code, Cursor, and Codex.

Here is how each one works — and why it matters.

1. `.github/copilot-instructions.md` — The Always-On Standards Layer

This is your baseline. It applies to every AI interaction in the repo, automatically, without anyone having to remember to include it.

Put broad engineering expectations here: coding conventions, testing requirements, accessibility standards, architectural boundaries, documentation rules, error-handling patterns. If your team wants the AI to always write typed APIs, follow a specific folder structure, or update tests whenever production code changes — this is where that lives.

It is one of the highest-leverage files you can create. Not because it does anything new, but because it makes implicit standards explicit and permanent.

# .github/copilot-instructions.md

## Language and framework
- Use TypeScript with strict mode enabled
- Use Express.js for all API endpoints
- Never use `any` type

## Testing
- Write unit tests for every new function using Jest
- Maintain minimum 80% code coverage

## Error handling
- Use custom error classes from `src/errors/`
- Always return structured error responses with status code and message

## Architecture
- Never import directly from `src/internal/`
- Use the repository pattern for all database access
- All new endpoints must go through the API gateway in `src/gateway/`

Think of it as onboarding documentation that never gets ignored, because the AI reads it every time.

2. `.github/instructions/*.instructions.md` — The Path-Scoped Layer

Most real codebases are not uniform. Your frontend follows different rules than your infrastructure. Your data pipelines need different guardrails than your API layer.

Path-specific instruction files let you apply the right constraints in the right place. Each file uses an applyTo pattern to activate only for matching directories or file types. This is where standardization gets intelligent instead of blunt.

---
applyTo: "src/frontend/**"
---
# Frontend instructions
- Use React functional components with hooks
- Use Tailwind CSS for styling, no inline styles
- All components must be accessible (WCAG 2.1 AA)
- Use React Testing Library for component tests

---
applyTo: "infrastructure/**"
---
# Infrastructure instructions
- Use Bicep for all Azure resource definitions
- Never hardcode secrets, always reference Key Vault
- Tag every resource with `environment` and `team`

You stop treating the repo like a monolith and start giving the AI the right lens for each context. The frontend agent should not be applying infrastructure conventions. Now it will not.

3. `AGENTS.md` — The Repo's Operating Manual

This is the file that tells an autonomous agent how work actually gets done here.

AGENTS.md is an open format for guiding coding agents, originally created by the OpenAI ecosystem. GitHub's Copilot coding agent added support for it in 2025, and the industry has converged around it: GitHub also supports CLAUDE.md and GEMINI.md as equivalent alternatives, depending on your toolchain.

Think of it as operational memory for the repo. What commands should the agent run? How should it test? What should it never touch? How should it title pull requests? What counts as "done"?

Without this file, every autonomous agent starts from scratch. With it, engineering standards become portable across tools and contributors.

# AGENTS.md

## Build and test
- Run `npm run build` before committing
- Run `npm test` and ensure all tests pass
- Run `npm run lint` and fix all warnings

## Pull requests
- Title format: `[AREA] Short description`
- Always include a summary of what changed and why
- Never push directly to `main`

## Off limits
- Do not modify files in `src/generated/`
- Do not update `package-lock.json` manually
- Do not change CI/CD workflows without approval

The distinction from copilot-instructions.md is important. That file sets coding standards. This one sets operating procedure. One shapes what the AI produces. The other shapes how it behaves as an agent.

4. `.github/agents/*.md` — Custom Agent Profiles (The Specialist Layer)

Not every task should go to a general-purpose coding assistant. Sometimes you need a security reviewer who will not touch production code. Sometimes you need an implementation planner. Sometimes you need a refactoring specialist with write access to exactly two directories.

Custom agent files let you define specialist personas with their own instructions, tools, and restrictions. They live in .github/agents/ and can specify which tools the agent is allowed to use — including MCP servers if your setup supports them.

# .github/agents/security-reviewer.md
---
description: "Reviews code for security vulnerabilities"
tools:
  - code_search
  - read_file
---

You are a security reviewer. Your job is to find vulnerabilities.

## Rules
- Flag any use of `eval()`, `innerHTML`, or unsanitized user input
- Check for SQL injection in all database queries
- Verify that all API endpoints require authentication
- You may read code but never modify it
- Output a structured report with severity levels

This is architecturally different from general instructions. General instructions tell every agent how your team works. Custom agents create intentional specialists for jobs that repeat. You define the role once, and any developer on the team can invoke it without reinventing the persona each time.

The repo stops having one AI assistant with inconsistent behavior. It starts having a team of specialists with defined roles.

5. `SKILL.md` — The Reusable Capability Layer

This is where things get genuinely powerful.

A skill is a folder of instructions, scripts, and resources that an agent loads on demand for a specific task. It lives under .github/skills/ and must include a SKILL.md file. GitHub has made the spec an open standard, and skills work across Copilot's coding agent, the CLI, and VS Code agent mode.

The difference between a skill and a custom instruction is that a skill can package a repeatable workflow — not just guidance, but executable steps with associated scripts.

.github/skills/
  debug-ci/
    SKILL.md
    scripts/
      analyze-logs.sh

# SKILL.md
---
name: "debug-ci"
description: "Debug failing GitHub Actions workflows"
---

## Steps
1. Read the failing workflow YAML from `.github/workflows/`
2. Run `scripts/analyze-logs.sh` to extract the error
3. Check if the failure is a flaky test, dependency issue, or config error
4. Suggest a fix with the exact file and line to change
5. If the fix involves a dependency update, run `npm audit` first

You can build skills for anything that happens more than twice: Playwright UI testing, infrastructure code review, proposal drafting, schema validation, changelog generation. The team stops starting from zero on recurring tasks. Good engineering behavior becomes a reusable asset.

How the Layers Stack Together

Here is how the full system looks when all five files are in play:

┌─────────────────────────────────────────────────────┐
│                    Your Repository                   │
│                                                      │
│  ┌──────────────────────────────────────────────┐   │
│  │  copilot-instructions.md                     │   │
│  │  Always-on: coding standards, arch rules     │   │
│  └──────────────────────────────────────────────┘   │
│                                                      │
│  ┌──────────────────────────────────────────────┐   │
│  │  .github/instructions/*.instructions.md      │   │
│  │  Path-scoped: frontend rules, infra rules    │   │
│  └──────────────────────────────────────────────┘   │
│                                                      │
│  ┌──────────────────────────────────────────────┐   │
│  │  AGENTS.md                                   │   │
│  │  Operating manual: build, test, PR rules     │   │
│  └──────────────────────────────────────────────┘   │
│                                                      │
│  ┌──────────────────────────────────────────────┐   │
│  │  .github/agents/*.md                         │   │
│  │  Specialist roles: security, planner, etc.   │   │
│  └──────────────────────────────────────────────┘   │
│                                                      │
│  ┌──────────────────────────────────────────────┐   │
│  │  .github/skills/*/SKILL.md                   │   │
│  │  Reusable workflows: debug-ci, test-ui, etc. │   │
│  └──────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────┘
                          │
                          ▼
         ┌────────────────────────────┐
         │   AI Coding Agent          │
         │   (Copilot / Claude Code / │
         │    Cursor / Codex)         │
         └────────────────────────────┘

Each layer handles a different surface area. Together, they close the gap between what the model can do and what your team needs it to do consistently.

The Shift Most Teams Miss

Most teams reach for more model power when they hit inconsistency problems. A better model will not fix a context problem.

The real insight is this: your AI coding tools are only as consistent as the context they receive. When that context is scattered across Slack threads, tribal knowledge, and individual senior engineers, the AI inherits that chaos. When it lives in structured, version-controlled files, the AI inherits your engineering judgment.

These five files are not markdown clutter. They are the beginning of a standardized interface between your engineering system and the AI agents working inside it.

The best teams will not win because they have access to the smartest model. They will win because they know how to encode their engineering judgment into the system around the model.

And increasingly, that system looks like this:

copilot-instructions.md for the default rules
AGENTS.md for the repo's operating manual
Path-specific files for context-aware standards
Custom agents for specialist roles
SKILL.md for reusable workflows The future of software engineering will not just be written in code. More of it will be written in context.

Key Takeaways

AI coding tools are only as consistent as the context they receive. Without structured repo files, every developer's output diverges based on personal prompting style.
The 5-file system creates layered, version-controlled context — always-on standards, path-scoped rules, operating procedures, specialist personas, and reusable workflows.
AGENTS.md is cross-tool portable. GitHub Copilot, Claude Code, and Gemini all support their own flavor; the concept is converging into an industry standard.
Skills package repeatable workflows, not just instructions. If a task happens more than twice, it should be a skill.
Most teams need more structure before they need more model power. Better context produces more consistent output than a smarter model with no guardrails.

What Are You Doing About This?

Most teams I talk to are one or two steps into this system — they have a rough copilot-instructions.md or a stale AGENTS.md that nobody updates. Very few have all five layers running together.

Which of these files does your team already have in place? And which one would make the biggest difference if you added it tomorrow?

Drop a comment — I'm curious where teams are actually getting value and where they're still fighting entropy.

Credit: The technical insights in this post draw from Diary of an AI Architect by Anurag Karuparti — one of the clearest voices on production agentic AI architecture.

Forem: shakti mishra

Mythos and Cyber Models: What does it mean for the future of software?

Anthropic Made Its Model Worse On Purpose. Here's What That Tells You About the State of AI Security.

What Claude Mythos Actually Did

OpenAI Is Thinking the Same Thing

The Shift That Actually Matters: Human Effort Is No Longer the Limit

The Real Problem: The Remediation Gap

The Monoculture Risk Nobody Is Talking About

An Unexpected Counterforce

Where This is Heading: AI vs. AI

What Developers and Architects Should Actually Do Right Now

Key Takeaways

The Question That Should Keep Architects Up at Night

5 Markdown Files That Tame Non-Deterministic AI in Your Engineering Org

Your AI Coding Agent Has No Memory. These 5 Files Fix That.

Why Prompting Alone Doesn't Scale

1. .github/copilot-instructions.md — The Always-On Standards Layer

2. .github/instructions/*.instructions.md — The Path-Scoped Layer

3. AGENTS.md — The Repo's Operating Manual

4. .github/agents/*.md — Custom Agent Profiles (The Specialist Layer)

5. SKILL.md — The Reusable Capability Layer

How the Layers Stack Together

The Shift Most Teams Miss

Key Takeaways

What Are You Doing About This?

1. `.github/copilot-instructions.md` — The Always-On Standards Layer

2. `.github/instructions/*.instructions.md` — The Path-Scoped Layer

3. `AGENTS.md` — The Repo's Operating Manual

4. `.github/agents/*.md` — Custom Agent Profiles (The Specialist Layer)

5. `SKILL.md` — The Reusable Capability Layer