So my home router, all my iot devices attached to it from printers to projectors, not to mention custom stacks like Lutron. BLE based locks, car key fobs.
All of these technically could have zero day vulnerabilities and people/companies who made it don't have the resources to buy 20000$ of tokens to go debug them... Maybe they don't care but if they do, what if they can't afford such models or get access in time.
I would like to know how can someone like me defend against them?
> don't have the resources to buy 20000$ of tokens to go debug them
$20,000 - how many developers do these hardware companies have that they need to spend that much? Claude Team Premium is US$125/mo for a seat and even cheaper if you buy annually...
That's for OpenBSD, typical IoT firmware is tiny by comparison: a few init.rc scripts, some cron jobs, a php-cgi web UI, and glue code with hardcoded API keys. The total lines of code are orders of magnitude smaller, so the audit surface and expected cost are too.
Running a "too advanced" harness against a Claude Code subscription gets your organization banned, even if it's a shell wrapper over claude -p. You probably can't reproduce this research with a fixed-price subscription.
Going to be interesting to see how much more downward pressure gets placed on OSS projects (as already alluded to) and what the norm response becomes and what that space evolves into.
Also, assuming something like "0day becomes cheap" it will be interesting to see how this drives discovery->exploit timeframes and scope. I would assume since time is precious you would be inclined to go balls out in terms of impact and scope.
Strong agreement. I include https://roost.tools in this category of necessary efforts. A strong privacy law would be great, but a more political thing, though there is much we can do as technologists.
I think AI bug scanning is a good thing, it will ensure almost all high severity get caught before entering prod. There can certainly be downsides but I am personally all for it.
Only if everyone runs it. The attacker just needs to find one vulnerable system; the defender must protect them all. Obviously given that the tool exists, the defender must run it, but it's not at all clear to me that the existence of the tool different all favours defence.
13 comments
All of these technically could have zero day vulnerabilities and people/companies who made it don't have the resources to buy 20000$ of tokens to go debug them... Maybe they don't care but if they do, what if they can't afford such models or get access in time.
I would like to know how can someone like me defend against them?
> I would like to know how can someone like me defend against them?
You could take the Galactica approach - de-network everything you can.
> don't have the resources to buy 20000$ of tokens to go debug them
$20,000 - how many developers do these hardware companies have that they need to spend that much? Claude Team Premium is US$125/mo for a seat and even cheaper if you buy annually...
[1] "Across a thousand runs through our scaffold, the total cost was under $20,000 and found several dozen more findings.", https://red.anthropic.com/2026/mythos-preview/
claude -p. You probably can't reproduce this research with a fixed-price subscription.and Related:
System Card: Claude Mythos Preview [pdf]
https://news.ycombinator.com/item?id=47679258
Assessing Claude Mythos Preview's cybersecurity capabilities
https://news.ycombinator.com/item?id=47679155)
Also, assuming something like "0day becomes cheap" it will be interesting to see how this drives discovery->exploit timeframes and scope. I would assume since time is precious you would be inclined to go balls out in terms of impact and scope.