Separating Artificial Intelligence Hype from Reality: What the Claude Mythos Discovery of 23,000 Vulnerabilities Means for Business Security

Artificial intelligence frequently dominates the headlines, particularly when it comes to the safety and security of software. Recently, the technology giant Anthropic announced that its latest model, Mythos Preview, uncovered more than 23,000 potential vulnerabilities across more than 1,000 open-source software projects.

At first glance, a headline like this can sound deeply alarming. It leaves business leaders wondering if the digital infrastructure they rely upon is a ticking time bomb. However, when we look past the initial shock value of these large numbers, a very different story emerges. It is a story about the critical difference between automated artificial intelligence detection and genuine, actionable security risk.

Looking Closer at the Numbers

While 23,000 potential vulnerabilities sounds like an overwhelming figure, the reality on the ground is far more modest. Of those thousands of flagged issues, only a small fraction have actually been reviewed or confirmed by real-world security teams. So far, vendors have published only 65 security advisories based on the findings.

Why is there such a large gap between what the artificial intelligence flags and what human experts confirm? The answer lies in two common characteristics of automated tools: false positives and hallucinations, where the model reports a flaw that does not exist in the code.

Artificial intelligence scanners are designed to be highly sensitive. They look for patterns in code that appear even slightly unusual and flag them as critical threats, even when those patterns are completely harmless in practice.

The Challenge of Severity Inflation

A clear example of this can be seen in a recent review involving the widely used Curl project. The artificial intelligence tool originally flagged five high-severity vulnerabilities within the software. However, following careful manual inspection by human experts, those five critical threats were reduced to a single low-severity vulnerability.

This represents an enormous reduction in both volume and urgency. If a security team rushed to fix every single high-severity alert generated by an automated tool without verifying them first, they could easily spend countless hours and thousands of dollars chasing ghosts. This over-reporting adds immense pressure to an already overloaded security ecosystem.

Just Another Tool in the Security Shed

It is also worth noting that finding security flaws in code is not a new phenomenon invented by artificial intelligence. Traditional security tools have been doing this effectively for many years. For context, standard Static Application Security Testing tools discover tens of millions of hardcoded secrets and thousands of vulnerabilities every single year.

Therefore, we should view these new artificial intelligence tools as an evolutionary step rather than a complete revolution. Is an artificial intelligence secure code scanner useful? Absolutely. Can it help identify hidden flaws? Yes, it can be a valuable asset.

However, it does not find every single vulnerability, it does not automatically repair the code, and it regularly creates false alarms. It is simply another tool to complement existing testing methods such as fuzzers, static testing, and dynamic code analysis.

The True Supply Chain Crisis: Underfunded Open-Source Code

Beyond the technical capabilities of these tools, this wave of flagged vulnerabilities exposes a much larger, systemic issue. It does not change the reality that modern organisations have a massive dependency on technology, which in turn has a massive dependency on open-source code. Because open-source software is free to use, it severely lacks the financial investment required for continuous improvement and robust cyber security.

The findings from Mythos, alongside older automated scanners, simply highlight this foundational flaw: open-source code is absolutely critical for almost all global systems, yet it remains extremely underfunded. While supply chain cyber security is a common talking point, supply chain funding is arguably far more important. Organisations cannot realistically expect consistent maintenance and flawless cyber security on foundational code if nobody is paying for its development.

The issue of insecure, underfunded open-source code is a real threat that businesses must actively consider. Cyber security requires genuine financial commitment. To navigate this landscape safely, businesses need to allocate appropriate financial resources to their defences, ensuring they are utilising the best automated tools alongside the guidance of qualified cyber security experts.

Focus on Practical Protection

For organisations looking to secure their applications and systems, the lesson here is clear: do not let sensational headlines dictate your security strategy. High-quality cyber security is never a matter of ticking a box based on an automated report.

True security resilience comes from a blended approach. Automated tools can provide a helpful starting point, but they must always be paired with expert human analysis. Hand-vetted testing helps ensure that your technical teams are focusing their limited time and budgets on repairing real, verified vulnerabilities that pose a genuine threat to your business data, rather than wading through thousands of artificial intelligence hallucinations.

Building a strong security posture involves implementing comprehensive strategies, keeping software updated, and conducting regular, thorough security assessments.

If you want to ensure your organisation is focusing on real threats rather than automated hype, consider reaching out to the expert team at Vertex Cyber Security. We can work alongside your business to provide tailored solutions and high-quality, practical protections that genuinely enhance your defence against modern cyber attacks.

CATEGORIES

AI - Cyber Security

TAGS

Artificial Intelligence - Claude Mythos - cyber security tools - open source code - secure code scanning

Cyber Security by Vertex, Sydney Australia
(c) 2026 Vertex Technologies Pty Ltd (ABN: 67 611 787 029). Vertex is a private company (beneficially owned by the Boyd Family Trust).