SANS Critical Advisory: BugBusters - AI Vulnerability Discovery Hype versus Reality
Why It Matters
AI‑augmented pentesting accelerates flaw discovery, forcing banks and regulators to update security standards and governance frameworks.
Key Takeaways
- Anthropic’s Mythos sparks industry‑wide panic over AI‑driven exploits.
- SANS demonstrates AI‑enabled source‑assisted pentesting finds hidden flaws.
- Context‑window limits require careful code chunking for LLM analysis.
- Human validation remains essential to filter AI hallucinations and false positives.
- Regulators issue guidance as banks prepare for AI‑powered vulnerability threats.
Summary
The SANS Critical Advisory webcast tackled the growing hype surrounding Anthropic’s new Mythos model and its alleged ability to automatically discover and exploit software vulnerabilities. Industry leaders, including the U.S. Treasury and the Federal Reserve, have convened emergency meetings, while over 450 CISOs and regulators in the UK and Europe are issuing alerts, underscoring the urgency of the issue.
Ed Skoudis and his team presented a hands‑on demonstration of AI‑enabled source‑assisted penetration testing, a workflow that begins with feeding source code to a large language model, then iteratively filtering hallucinations, generating exploit code, and validating attacks in a test harness. In fifteen months, the SANS team uncovered multiple critical flaws (authentication bypasses, IDOR, race conditions) that traditional testing missed, illustrating the practical power of current models despite their limitations.
Key technical points highlighted include the model’s context‑window constraints, the need to focus on the 20 % of code that houses most vulnerabilities, and the importance of human oversight to verify findings. The presenters also warned about legal pitfalls, such as violating NDAs when uploading proprietary code to third‑party models, and emphasized that the methodology applies across different LLMs, whether hosted or run locally.
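The sketch below shows one way a review team could act on the context‑window and 20 % points before any model sees the code. It is an added example, not code from the webcast or from SANS. The keyword weights, the four‑characters‑per‑token estimate, the function names and the sample repository are all assumptions made for illustration.

```python
import re

# Assumption: rough estimate of 4 characters per token; real tokenizers differ.
CHARS_PER_TOKEN = 4
# Assumption: hypothetical keyword weights marking security-sensitive code.
HOT_WORDS = {"auth": 3, "login": 3, "password": 3, "token": 2, "session": 2,
             "permission": 2, "role": 1, "sql": 2, "exec": 2, "upload": 1}

def est_tokens(text):
    return max(1, len(text) // CHARS_PER_TOKEN)

def risk_score(path, text):
    """Weighted count of security-relevant words in the path and the body."""
    blob = (path + "\n" + text).lower()
    return sum(w * len(re.findall(word, blob)) for word, w in HOT_WORDS.items())

def select_hot_files(files, fraction=0.2):
    """Return the top `fraction` of files by score (always at least one)."""
    ranked = sorted(files, key=lambda p: (-risk_score(p, files[p]), p))
    return ranked[:max(1, round(len(ranked) * fraction))]

def chunk_file(path, text, budget):
    """Split a file into line-aligned chunks; an over-budget line stands alone."""
    chunks, current, used, start = [], [], 0, 1
    for lineno, line in enumerate(text.splitlines(), 1):
        cost = est_tokens(line + "\n")
        if current and used + cost > budget:
            chunks.append({"path": path, "start": start, "end": lineno - 1,
                           "text": "\n".join(current)})
            current, used, start = [], 0, lineno
        current.append(line)
        used += cost
    if current:
        chunks.append({"path": path, "start": start,
                       "end": start + len(current) - 1, "text": "\n".join(current)})
    return chunks

def plan_review(files, budget, fraction=0.2):
    """Chunks for the highest-scoring files, in review order."""
    return [c for p in select_hot_files(files, fraction)
            for c in chunk_file(p, files[p], budget)]

# Constructed sample repository (not from the webcast).
SAMPLE = {
    "app/auth/login.py": "def login(user, password):\n    token = issue_token(user)\n    return token\n",
    "app/views/home.py": "def home():\n    return 'hi'\n",
    "app/util/fmt.py": "def fmt(x):\n    return str(x)\n",
    "app/db/query.py": "def run(sql):\n    return db.exec(sql)\n",
    "README.md": "Demo project\n",
}
```

Each chunk keeps its file path and line range, so a human reviewer can trace a model finding back to the exact source lines when validating it.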
The session concludes that AI‑driven vulnerability discovery is not a mythic apocalypse but a transformative capability that will reshape security testing, compliance, and risk management. Organizations must adopt robust policies, invest in AI‑augmented testing tools, and train staff to interpret model outputs responsibly, lest they fall behind regulators and adversaries alike.