Originally published on CoreProse KB-incidents
Two of the world’s most advanced large language models—Anthropic’s Mythos and OpenAI’s GPT‑5.5—are arriving in enterprises as governments warn that generative AI is reshaping state‑backed hacking.[1] Researchers see these systems as part of a “perfect storm” of new cyber risk, not just productivity tools.[1]
For security leaders, the trade‑off is stark:
- Huge upside from agentic coders that plan work, operate tools, and ship code.[2]
- Huge downside if those same abilities help automate intrusions at scale.
⚡ This article cuts through the hype to unpack what Mythos‑ and GPT‑5.5‑class models change for offensive security—and what defenders must do now.[1][2]
1. Why “hacking‑capable” LLMs are triggering new alarms
Security researchers group Mythos and GPT‑5.5 as frontier models that materially shift the cyber threat landscape, especially when layered onto already fragile infrastructure.[1] Concerns are based on real attacker activity, not pure speculation.
OpenAI explicitly optimizes GPT‑5.5 for:
- Agentic coding and complex computer use.
- Multi‑step planning and end‑to‑end task completion.[2]
The same capabilities that power “build an ETL tool” can also support:
- Enumerating exposed services.
- Planting backdoors.
- Automating data exfiltration.[2]
📊 Public reporting already shows APT groups from China, Russia, Iran, and North Korea using generative AI for:
- Technical reconnaissance.
- Malware and loader development.
- Social engineering and influence operations.[3]
For critical infrastructure, AI‑enhanced attackers can:[4]
- Process massive telemetry streams.
- Auto‑organize asset inventories.
- Generate customized malware variants quickly.
💡 By branding these systems as “agents” that “carry more of the work,” vendors implicitly raise the hardest question: where is the line between legitimate workflow automation and plug‑and‑play orchestration of advanced intrusions?[1][2]
2. Inside Mythos and GPT‑5.5: capabilities, safeguards, and realistic hacking risk
OpenAI describes GPT‑5.5 as its “smartest and most intuitive” model so far, with notable gains in:[2]
- Agentic coding and computer use.
- Knowledge work and early scientific research.
- Speed and cost for complex development tasks versus GPT‑5.4.
Mythos is less documented, but is routinely mentioned alongside GPT‑5.5 when experts discuss frontier systems that heighten cyber risk, making “Mythos‑class” shorthand for highly capable, agentic, dual‑use models.[1]
📊 Both providers emphasize upgraded safeguards. GPT‑5.5’s system card highlights:[2]
- Hardened controls for agentic behaviors.
- Testing for advanced cybersecurity capabilities.
- Extensive pre‑release red teaming.
These measures try to block direct requests for exploits or malware.
⚠️ Offensive security experts counter that guardrails mostly constrain what the model will say, not what it can do.[6] Skilled operators can:[6][1]
- Request “defensive” code and flip it to offensive use.
- Decompose an attack into harmless‑looking subtasks.
- Use the model for architecture reasoning while writing the final exploit themselves.
Risk spikes when three elements combine:[2][3]
- Strong coding ability.
- Broad tool access (shells, browsers, cloud consoles).
- Continuous action loops and self‑correction.
Then, the model becomes a potential execution engine, not just a chat assistant.
💼 Security teams should therefore treat Mythos‑ and GPT‑5.5‑class systems as semi‑autonomous operators whose actions need:[6]
- Principle‑of‑least‑privilege access.
- Strong sandboxing and rate‑limits.
- Full logging, auditing, and human oversight—similar to human admins.
3. How APTs and criminals can weaponize frontier LLMs in practice
Existing reporting shows APT groups already using generative models across the attack lifecycle:[3]
- Recon: target research, tech‑stack mapping, OSINT triage.
- Initial access: phishing content and lure generation.
- Exploitation: malware authoring and loader debugging.
- Operations: managing infrastructure and victims at scale.
As these actors reach frontier LLMs, each step becomes more automated, scalable, and adaptive.
For critical and industrial control systems (ICS), adversaries are learning to use AI to:[4]
- Interpret mixed IT/OT telemetry.
- Map complex operational environments.
- Explore non‑obvious access paths into ICS networks.
📊 Agentic coding models are particularly worrying for ICS because they can help generate:[2][3]
- Malware tuned to specific PLCs or HMIs.
- Polymorphic payloads that keep evading signatures.[3]
- Automated troubleshooting of failed infections (“why didn’t this loader run on host X?”).[2]
AI also lets smaller groups punch above their weight by:[4]
- Organizing asset data and target lists.
- Triaging logs and crash reports.
- Automating infrastructure setup and maintenance.
In social engineering, powerful language models make it easier to craft:[3]
- Highly tailored spear‑phishing campaigns.
- Multilingual lures adapted to local norms.
- Long‑form narratives that mix real details with compelling fabrications.
💡 Outcome: a mid‑tier ransomware crew can now:[3][4]
- Generate custom lures instead of buying generic kits.
- Debug bespoke loaders using GPT‑5.5‑style agents.
- Manage larger victim sets more systematically—without a big dev team.
4. The military AI arms race: Pentagon bets, Anthropic’s exclusion, and classified data
While attackers experiment, militaries are rushing to operationalize frontier AI. The Pentagon has signed agreements with seven tech firms—including OpenAI, Google, Microsoft, and SpaceX—to bring advanced AI into classified U.S. defense networks.[5] Frontier LLMs will increasingly support:
- Intelligence analysis and fusion.
- Planning and battle management support.
- Back‑office and logistics automation.
Anthropic was excluded from this initiative after disputes over military AI safeguards and data‑security concerns, despite Claude’s safety reputation and prior DoD deployment.[5][7]
📊 U.S. defense officials are also preparing to let AI vendors train LLMs directly on classified data—intelligence reports, assessments, war plans—prompting warnings that mishandling could become “the largest intelligence disaster in American history.”[7][8]
Experts stress that:[8]
- Training on secrets does not guarantee secrecy.
- Model weights can be attacked, copied, or probed.
- Fragments of training data can sometimes be reconstructed or leaked.
⚠️ Critics note the paradox: the Pentagon labeled Anthropic a “supply chain risk” while preparing to entrust other vendors with classified training data—even though LLMs are known to surface pieces of their training corpora under adversarial pressure.[7][5][8]
For enterprises, the lesson is clear: if militaries with classified networks struggle to govern LLM supply chains and training data, “plug it into the SIEM and see what happens” is an unacceptable deployment strategy.
5. Building secure deployments: red teaming, governance, and ethics by design
Given these risks, secure deployment matters as much as raw capability. LLM red teaming is becoming a core discipline: systematically attacking models with adversarial prompts to expose behaviors such as:[6]
- PII leakage.
- Misinformation and targeted manipulation.
- Bias, hate speech, and harmful guidance.
Effective programs:[6]
- Model realistic attacker objectives.
- Test both single‑turn and multi‑turn jailbreaks.
- Drive fixes at both the model level and application layer (filters, access controls, human review).
💡 Some firms run recurring “hire the LLM to break policy” exercises, where blue‑teamers try to co‑opt internal agents. Every successful jailbreak becomes a new rule, detector, or escalation path.
On governance, investors and practitioners promote frameworks like the E.T.H.I.C.S. checklist, emphasizing:[9][10]
- Explainability and transparency.
- Harm mitigation and inclusivity.
- Strong security and accountability by design.
E.T.H.I.C.S. requires that high‑impact AI decisions stay contestable, with:[9]
- Clear documentation of model roles and limits.
- Human ability to appeal or override outputs.
- Special scrutiny for critical infrastructure and defense use cases.
💼 For organizations piloting Mythos‑ or GPT‑5.5‑class models, a pragmatic approach is to:[6][9][1]
- Assume dual‑use by default.
- Quantify failure modes via structured, ongoing red teaming.
- Wrap deployments in ethics‑oriented governance that makes misuse harder, costlier, and more detectable.
Conclusion: Dual‑use infrastructure demands dual‑track defenses
Mythos‑ and GPT‑5.5‑class models are not autonomous super‑hackers, but they are powerful force multipliers for sophisticated operators—including APTs, criminals, and militaries.[1][2][3] As agencies embed them in classified workflows and enterprises upgrade them from copilots to agents, the attack surface grows faster than traditional controls.
⚠️ The safest stance is to treat frontier LLMs as dual‑use infrastructure. That means:[6][9]
- Investing early in rigorous red teaming and continuous testing.
- Adopting frameworks like E.T.H.I.C.S. to keep ethics and security central.
- Demanding vendor transparency on safeguards, data use, and known failure modes.
If you are evaluating Mythos, GPT‑5.5, or similar systems, start by mapping how an APT could subvert your intended workflows. Then assemble a cross‑functional team—security, engineering, legal, and product—to design adversarial exercises and governance processes before production rollout. Organizations that learn to deploy these models securely and responsibly now will capture their benefits without inheriting their most dangerous liabilities.[1][2][9]
About CoreProse: Research-first AI content generation with verified citations. Zero hallucinations.
Top comments (0)