by Nick Bown BEM CSyP FCIIS FBCS Msyl M.ISRM CITP
AI is an exciting concept. The recent increase in affordable, cloud computing and public data sets means that more people can try creating models to assist with different tasks.
One model which has gathered a lot of public attention is Claude Mythos, a generative AI model which identifies vulnerabilities in software. This has raised concern in some areas about rogue AIs, wielded by hackers and nation states, but how likely is this?
Vulnerabilities have always existed in software and security systems, for as long as both have existed. Usually, this is managed by introducing security controls to either make it hard for attackers to exploit these vulnerabilities or to detect them being exploited and minimise the access to data and systems that can be reached. Whether it’s a castle’s thick stone walls or the latest intrusion prevention system, it’s been a carefully balanced activity for hundreds, if not thousands, of years.
Will AI disrupt this? As with many questions around security, the answer is that “It depends”!
What AI Can and Cannot Do
One of generative AI’s strengths is the speed at which it can process data to identify the next possible outcome. This is also its greatest weakness. AI doesn’t “think”; it predicts the most likely possible outcome based on the data it has available. If the data doesn’t match the task at hand or is wrong, the AI model will be unable to make a correct prediction.
In the case of software development and software security flaws, this is a well-known problem with large, accurate data sets. Developers are taught to code in predictable ways, follow similar paths to address problems and often use common frameworks to simplify and speed development. Frameworks for identifying common vulnerabilities and mistakes are well established, and continuous integration, continuous delivery (CI/CD) platforms often scan for and identify vulnerabilities before software is released into common use.
Where Will AI Fit into This Model?
Although Claude Mythos has hit the headlines for identifying vulnerabilities in many common software applications, it’s likely that this will be an outlying event rather than a common one. Flaws which have made it past common CI/CD pipeline software will be patched, and new types of flaws identified will be added to training syllabuses and detection rules.
Although Claude Mythos has assisted with identifying software vulnerabilities, we are yet to see AI impact other areas of cyber security, such as the much-feared “AI hacker”. There are several reasons for this, but the primary ones relate to the lack of good data on hacking and the complexity of the problem. Generative AI models need to be very large so the model can accurately predict the next best outcome. Hacking (and penetration testing) requires a set of very subtle skills: identifying where data is likely to be located, which countermeasures are likely to be in place and where users are likely to have made bad choices (such as reusing passwords or behaving in a predictable way). With only a relatively small percentage of the population having these skills (and those with them keen to protect their livelihoods), it’s unlikely that there is currently enough data to accurately, and cost efficiently, train a hacking model. The variety of ways that networks and systems can be deployed further complicates things. Every network is configured differently, based on the business needs and budget that it was built to support. Yes, many security professionals like to use certain favoured products or brands, but there are currently sufficient differences to make automated hacking and pen testing a difficult prospect.
Final Thoughts
AI is likely to find a place in the security industry, but it’s currently difficult to quantify how much and where. And, like any new threat which evolves, new controls and ways of working will emerge to deal with it. It’s a cycle which has endured across the millennia and will continue long after the current excitement around AI has faded.
We would love to know your thoughts on this! Please get in touch via hello@aisec.org.uk and let’s continue the conversation.

About The Author
Nick Bown is Chief Security Officer at Sycurio, a global SaaS provider of fraud prevention and compliance solutions. With over 30 years in technology and more than 25 years in security leadership roles, he brings deep cross-sector experience to the intersection of cyber security, data protection and risk management. He is one of only a select few professionals worldwide to hold the Register of Chartered Security Professional (CSyP) designation, a gold standard in the field held by senior figures in government, defence and nuclear regulation. He is also a Fellow of the Chartered Institute of Information Security (FCIIS) and a Fellow of the British Computer Society (FBCS).
A two-time winner of the UK CSO 30 Awards, recognised in both 2023 and 2025, Nick is widely regarded as one of the most influential cyber security leaders in the UK. He is a passionate advocate for stronger industry standards and is currently pursuing a Master’s degree in Security Management.