Over the last couple months, you've

probably seen headlines that look

something like this mythos. It's

entirely too dangerous. And even just

last month, Mosilla posted this blog

post that said, "The zero days are

numbered." And more so, they even write,

"Defenders finally have a chance to win

decisively." Very, very funny. First

off, you can't say a chance to, which

means that you it's not guaranteed. And

then use a word that means, "Hey, it's

guaranteed." No, like really like look

at this. Often without wavering or doubt

like this. This is [laughter]

it. You might win decisively. What are

you doing, Mo? This is just silly. That

means for the last little bit, it's been

kind of difficult to figure out what the

heck is actually going on. Is Mythos

really the thing that's going to end all

and be all of security, or is it

actually going to be just another model

release? Yeah, things get slightly

better, but nothing that's just going to

blow your socks off. Just looking at the

marketing, it's probably going to be the

greatest thing that has ever existed

ever. Just saying. Going out on a hunch

here. But today, an amazing article

comes out called a mythos finds a curl

vulnerability. Daniel Stenberg is

probably best known for the library

curl. You've probably used it several

several times, and if not, your AI agent

is pounding it away, but also he is

known for this article. The I in LLM

stands for intelligence where he kind of

bemons the state of security. This is

what's going on. is security projects

are being inundated with really slop

level PRs and security bugs that are

just absolutely denying the attention of

maintainers. We called a denial of

attention attack kind of unique and he

was one of the first people to really

write strongly against this saying how

just annoying and just awful this AI

revolution has been. This of course was

on January 2nd, 2024. Fast forward about

2 years later on January 26, 2026 and

Curl finally says, "You know what? our

paid for bug pounty program. It just has

to go away. Honestly, the level of slop

is just absolutely distracting and we

can get nothing done. And then of

course, three months later, April 22nd,

2026, which uh is only one day after the

defenders have a chance to win

decisively, Daniel writes this article.

High quality chaos. No more AI slop.

Meaning that the actual PRs and things

have gone up significantly in quality

and he can now finally rely on these AI

assisted security reports. And this has

largely been a lot of people's

experience. Like if you were any sort of

serious programmer, 2024 AI was

effectively useless. There were a few

cases where it's actually pretty sweet,

but besides for that, it was largely

ineffective. Now, today, there's

actually some use cases, and it actually

is pretty dang good at finding security.

I've heard from many, many, many of

security researchers that are actively

employed at small to large companies

saying, "Hey, this thing's actually gone

from completely useless to very useful."

And now to this Mythos finds a curl

vulnerability. I am very excited about

the article being written right here

about Mythos and curl because this is

going to be somebody who's gone through

all the proper cycles recognizing when

AI first came on the scene that it had a

huge amount of gaps and it's largely not

that useful. And now today it's improved

and there's actually like some good

utility that can be drawn from it. And

since curl is approximately 178,000

lines of C, I mean Mythos must have a

heyday in it. Well, I've read the

article and I have a lot to yap about.

We got I mean this is there's some juice

in here, people. But of course, before

we get started, the bag. Hey, is that

HTTP? Get that out of here. That's not

how we order coffee. We order coffee via

ssh terminal.shop. Yeah. You want a real

experience? You want real coffee? You

want awesome subscriptions so you never

have to remember again? Oh, you want

exclusive blends with exclusive coffee

and exclusive content? Then check out

Cron. You don't know what SSH is?

>> Well, maybe the coffee is not for you.

>> All right. So, Mythos finds a curl

vulnerability. Yes, a singular one. That

might be a little disappointing to some

of you. I think right away your hearts

probably dropped a little bit. Back in

April 2026, Anthropic caused a lot of

media noise when they concluded that

their new AI model, Mythos, is too

dangerously good at finding security

flaws in source code. Apparently, Mythos

was so good at this that Anthropic would

not release this model to the public

yet, but instead trickle it out to a

select few companies for a while to

allow a few good ones to get a head

start and fix most of the pressing

problems first before the general

populace would get their hands on it. By

the way, I do agree with Daniel's little

question mark here. I'm not really sure

why just a few people, you know, like

the few good ones. Like, I don't know

what that says about a lot of these

companies. a lot of companies just out

there just completely vulnerable because

Anthropic won't share. Okay, kind of. I

mean, cool, I guess. So, as part of

Project Glasswing, which is anthropics

reach out with Mythos saying, "Hey,

these certain companies and these

certain open source projects get early

access." So, as part of the glasswing

outreach, Curl was contacted and Daniel

had the offer, hey, would you like to

use Mythos to go through your curl

library? Of course, he was excited about

it, but then uh you know, some weeks

went by and nobody reached out again.

And then eventually someone reached out

and just said, "Hey, we're not going to

give it to you, but we will analyze curl

for you. Do you want us to do that?" To

me, the distinction isn't that

important. It's not that I would have a

lot of time to explore lots of different

prompts and doing deep dive adventures.

Anyways, getting the tool to generate

the first proper scan and analysis would

be great. Whoever did it, I happily

accepted this offer. Honestly, kind of

the best of both worlds, right? You got

the person that's been using this model

a whole bunch to be able to go and do

the scan for you on your codebase. You

don't have to do a bunch of the

learning. You don't have to set up a

bunch of harnesses. Ideally, they

probably have things that are more

advanced than say I would have to begin

with. Right before we kind of proceed,

there's a little bit of a backstory you

have to understand about Curl. Curl's

been around for a very, very long time.

And so, they have a fairly extensive

suite of tests. They also just have a

whole bunch of other tools that they

run. And this is kind of this screenshot

that Daniel provides which means that

they have code style. They have band

functions. There's certain functions in

C which you can just shoot your foot a

lot easier than others. I'm thinking of

stir copy versus stir end copy.

Obviously human review bot reviews no

binary blobs no get force push a bunch

of other stuff in here that's actually

pretty important. And putting that all

together it has led curl down a route in

which has had very few vulnerabilities

kind of disclosed. And when I say few, I

mean they've had a couple hundred CVEes

total. So you can imagine that on May

6th, 2026, when they received the Mythos

report, they were probably pretty

excited because what are the chances

that 176,000 lines of C code doesn't

have quite a few bugs lurking around in

it. They've had 573 separate individuals

commit to CURL over its lifetime, which

means that it's not even just one

person's thought process, but just a

huge amount of people that have

committed over a long period of time.

All right, so we're almost done with

this story and then we'll get to the

yapping. The report concluded it found

five confirmed security vulnerabilities.

Now, this is a pretty classic AISM.

Whenever AI has confidence, it's going

to tell you like there's there's

something amazingly magical about the

fact that even if something is wrong,

the AI is so dang confident in being

incorrect. It's honestly a skill I could

learn a lot from. So, after a couple

hours of investigation, this is what

Daniel says. We had trimmed the list

down and were left with one confirmed

vulnerability. The other four were three

false positives and the fourth we deemed

just a bug. The single confirmed

vulnerability is going to end up as a

severity low CVE planned to get

published in sync with our pending next

curl release in 8.21.0

in late June. The flaw is not going to

make anyone gasp for breath. So in other

words, it's nothing that's like super

important important enough for them to

do some sort of outofband release.

They're just like, "Hey, next time we

release, hey, sometime in the future,

don't even worry about it. That's how

much we're concerned about it. So at

some point we will go out and we will we

will fix it in public. No one rush in.

Hey, no need to rush in. A side effect

of the Mythos report is that it found

about 20 bugs that were described nicely

with very low false positive rates. And

so that actually is something that just

generally was a pretty good deal for

Daniel. Curl is certainly getting better

thanks to this report, but counted by

the volume of issues found all the

previous AI tools we have used have

resulted in larger bug fix amounts. Now

this is where things kind of get funny.

The reality is is that curl has been

using AI now to kind of do a lot of

analysis on its code and it's able to

find more and more bugs. Even though in

the beginning Daniel was very very very

hesitant about AI, they have since

changed their tune as AI has improved

and since then they've been able to find

a large amount of bugs which means that

when mythos ran it actually found very

few bugs. Now I want you to think about

that for a second. What does that mean

to you? Before I give my conclusion,

let's read Daniel's conclusion first. My

personal conclusion can however not end

up with anything else than that the big

hype around this model so far was

primarily marketing. I see no evidence

that this setup finds issues to any

particular higher or more advanced

degree than other tools have done before

Mythos. Maybe this model is a little bit

better. But even if it is, it is not

better to a degree that seems to make a

significant dent in code analyzing. Any

prefaces with the following? This is

just one source code repository and

maybe it is much better on other things.

I can only tell and comment on what it

found here. all the AI tools that they

have already been testing out. All the

security researchers that have helped

make CURL a better product. All the

stuff that came before it effectively

did most of the cleaning to where when

mythos was unleashed on this product,

there wasn't the same kind of like just,

you know, headline making outcome.

Instead, it's just like, oh yeah, that

was a bug. Oh yeah, it's not like all

that severe. Yeah, they they they found

some extra additional stuff. And he

further concludes with this. These were

absolutely not the last bugs to find or

report. Just while I was writing the

drafts for this blog post, we have

received more reports from security

researchers about suspected problems.

The AI tools will improve further and

researchers can find new and different

ways to prompt the existing AIS to make

them find more. We have not reached the

end of this yet. In other words, even

after Mythos, there's still just people

maybe empowered with security tools or

not finding more vulnerabilities. So, is

this the end? Can we definitively say

the zero days are numbered? Defenders

finally have a chance to win decisively?

No. I don't think we can say those

things. Do I think that the field of

security is going to be complicated?

Sure. It's going to be pretty dang

complicated. And I think as these tools

get more and more advanced and we're

able to run faster, not only does it

allow the defenders to, you know,

effectively have a better castle, if you

will, it also allows the offenders to

come at it in a much more aggressive

way. So, is this the end? No. Are we

going to are we like spiraling towards a

security doomsday situation? No, I don't

think we are. And for me, this is kind

of the cold water that needed to be

poured on the hype because it's really

difficult to understand because it's one

thing that if someone there's all these

Twitter users like, "Oh my gosh, because

you may you probably remember this back

in the day when Jippy 35 came out and so

many people are like, dude, your jobs

are over software engineers. Jippy 35 is

amazing." And you use it and you're

like, "Dude, what the hell are you even

talking about?" Like, yeah, that's cool,

but what? And so the nice part is that

because I could use it, I could actually

see the effects. But with Mythos, it's

kind of like the monster you don't get

to see. They're like, "Dude, just trust

me, bro. What's behind that door is

insane. It's so insane." And then you

got Mozilla like, "Dude, defenders have

a chance at winning definitively." Like,

those are crazy claims. Those are claims

that just feel pretty outlandish. I have

a particularly hard time believing any

of it. So, when I read this stuff, I

just realize like, yeah, okay, sure, it

could very well be better. And I assume

it's better. It's significantly larger,

right? It's all the latest and greatest

stuff, and it's a harness that's been

designed to do security stuff. So, one

would hope that it's actually pretty

good, but it's not something incredibly

special, something that has never been

seen before. It's just an iteration on

the things we already have. And yeah,

maybe the harness is a bit better. maybe

how they have the thing set up can go a

little bit longer, a little bit deeper

with all the different projects.

Therefore, you'll get better results,

but it's not something that's completely

out of reach of other tools. I love that

conclusion because it a it goes in the

face of Mozilla's just ridiculous uh

statement of the zero days are numbered.

Like, that is an absurd statement to

make. Like, there's there's just no more

security problems. You don't even have

to worry about security problems when

you got Mythos, baby. like

like what what are we doing here?

Mozzilla. Absolutely absurd. But more

so, it just shows that there's still a

lot of human ingenuity and creativity

that is needed to be able to control and

drive these things to be able to find

new bugs. It's not just simply like,

hey, just fire and forget. it still

requires people to be actively in the

loop because even Mythos reported five

critical vulnerabilities and it ended

with one actual vulnerability. So again,

I feel like I've been saying this a

whole lot lately. There is still so much

room for expertise in our field and I

just feel that more than ever because

everybody can move so fast now, but

people don't actually know what they're

doing. It's not like the intelligence of

the average intelligence of a person has

risen. No, just the more you offload has

risen, that is it. So, yeah, mythos is

probably better. I just assume it's

better. But by the degree that it's so

dangerous they can't even release in

public, probably not. Honestly, probably

not. Open AAI has this kind of behind a

identification wall that you can get

access to a more security focused model.

You could probably get a lot of the same

things that you can go get with Mythos

right now from it. So, yeah, it's

probably just a small addition better.

But I will say I am a little tired of

this marketing like this. The the

non-stop marketing towards developers is

ridiculous because I mean let's just

face it. We're kind of the cash cow of

these models. Like the people the people

keeping afloat these models are all of

us token users. I mean that should be

pretty obvious because Jensen over here

says he'd be deeply alarmed if his

$500,000 a year engineer is not spending

a minimum of $250,000

on tokens a year. Hon, our world could

be so much better if Sam and Daario

weren't competing for who's going to be

the first trillionaire with AI. Like

that's just what we're saying that we

are the pawns in the situation and

they're just trying to compete with it.

And of course, that's why you see these

absurd tweets. That's why two years ago,

never forget hashtag Sam tweeted a

picture of the Death Star saying, "Hey,

we have a big announcement tomorrow.

Death Star [laughter]

AGI achieved." And now look at us.

That's two years later. It's still the

same crap going on. We're still seeing

the same headlines. We're the target

market, people. I just wanted to say all

these things. I wanted to read this

article because I honestly thought

Daniel brought some really great

perspective, which was, hey, these tools

are really fantastic. They've helped us

close several several several bugs and

actually even also closed out a bunch of

CVEes. We've really liked it. It's gone

from the I in LLM stands for

intelligence to, hey, this crap sucks

to, oh, hey, actually, no, it's starting

to get pretty dang good. all over the

course of 2 years. That's all I got for

you. Hey, this is a good article,

Daniel. I really liked it.