Companies don't need advanced AI to defend against AI-powered hacks

Companies don't need advanced AI to defend against AI-powered hacks

Defending against AI-driven hacking threats doesn't require access to the most advanced models, experts tell Axios.

Why it matters: High token costs and ever-shifting barriers to access make it pretty much impossible for small to medium-sized enterprises to consistently tap the powers of the most advanced U.S. frontier models — even though those companies have much to fear from AI-powered attacks.

Driving the news: The Trump administration shut down access to Anthropic's Mythos 5, before telling the company last week that it could start re-releasing the model to a limited group of government-approved organizations.

  • Also last week, the administration requested OpenAI release its latest model, GPT-5.6, as only a limited preview for now, due to national security concerns.
  • Anthropic is continuing to negotiate Fable 5 access with the U.S. government.

    • The big picture: While access to those frontier models remains uncertain, a range of AI security tools are already rivaling Mythos' and GPT-5.6's ability to find and exploit critical zero-day vulnerabilities.

  • Aisle, an AI security company, discovered six of the 18 recently disclosed vulnerabilities in the wildly popular open-source Curl software library. Meanwhile, Mythos Preview found just one in that batch.

    • The intrigue: Even before Anthropic kickstarted a global conversation about AI-driven hacks, several frontier models were already pretty good at finding software bugs, Phil Venables, a partner at Ballistic Ventures and former Google Cloud CISO, told Axios.

  • Most companies can turn to existing, lower-cost models to start hunting for bugs on their systems now, Venables said.
  • "If you were at a company that panicked because you couldn't get access to Mythos, you just went home to GPT or Claude Opus or Gemini or whatever and ran it against your code base and freaked out anyway because you found a ton of vulnerabilities," he said.

    • Between the lines: Cybersecurity companies have also started building their own multimodal AI harnesses, which use a mix of models to find bugs, write proofs of concept and analyze malware.

  • For example, Aisle takes an agnostic approach to its model stack, combining proprietary models with finely tuned, open‑source models trained on the company's own cybersecurity expertise, Stanislav Fort, the company's founder and chief scientist, told Axios.
  • That harness lets it hunt for bugs in hardened codebases at a fraction of the cost of brute‑force approaches that frontier models rely on.

    • Threat level: At least 1 in 5 cyber incidents last year targeted a company with fewer than 1,000 employees, according to Verizon's 2026 data breach investigations report.

  • About a quarter of those attacks involved a hacker exploiting a vulnerability in a system — the precise issue that security experts say advanced AI models like Mythos and GPT-5.6 could accelerate.
  • But many mid-market companies don't have the resources or investments in their cybersecurity programs to keep up with emerging AI‑powered hacking threats, Morgan Adamski, a principal leader in PwC's cyber, data and technology risk business, told Axios.

    • The bottom line: AI models are likely just going to exacerbate existing problems, experts told Axios, meaning many companies can defend themselves adequately if they double down on the basics.

  • Basic cyber hygiene like building a zero-trust data access policy and updating both identity management protocols and vulnerability management programs are a must, Adamski said.
  • "Whether you have access or not, the bottom line is that the fundamentals are what you should be focusing on," she adds.

    • Go deeper: AI's real cybersecurity threat is what you already know