Check Point Technologies: On vigilance, Mythos and beyond

Getting in front of the man in charge of the product team at one of the most-recognised names in information security at a time when so much is changing in this field offers a rare opportunity. What, exactly, are customers saying about the emergence of Mythos (which has gone from announcement/curtailment/to imminent release, within the short space of a month), and how, exactly, should they be approaching what is almost certainly a permanently changed threat landscape?

The answer is, essentially, that the comfort of complacency is no longer an option.

Steve Giguere is Check Point Software Technologies' Principal AI Security Advocate, and explained that he engages closely with customers and the vendor's product development team. "I talk with people and I take the messages back and make sure our strategy is generally heading in the same direction that the world is moving."

He acknowledged that Mythos (properly, Anthropic Claude Mythos) is very much on the lips and minds of those tasked with infosec. "It's interesting and you've hit the nail on the head there. Mythos is a catalyst for conversation…but it's not always the conversation that people expect and nor does it go in the direction that they maybe want it to go," he confirmed.

The big deal with Mythos is its ability to ferret out vulnerabilities. Independently. Without human oversight. Relentlessly. Anthropic said a scan of a thousand open source projects 'crucial to the internet' saw the AI expose 6,200 high to critical severity flaws, combining with lesser problems for more than 23,000 weaknesses.

As is often the case with those of a certain technical bent, Giguere's eyes light up at the undeniable impressiveness of Anthropic's achievement. After all, this is a LLM sharper than most programmers. And certainly with a keener eye for detail: "Mythos is fascinating particularly to someone who used to work in vulnerability detection back in the day when we did it the hard way," he said.

"We used to talk about time to exploit, time to remediation. We used to reveal statistics that [now  in the harsh light of Mythos' reset of the zero-day concept] were shocking, in the hundreds of days, sometimes even years."

That luxury is permanently relegated, and as Giguere stressed, now seems quaintly indulgent (as an aside, he said the reality of what might be described as an absence of urgency, has led to lingering complacency. Now, automated detection whether by Mythos or anything else like it, means there's no time to wait).

"So, some of the questions I've been getting are, are any of the mitigations we have in place rendered ineffective by Mythos? The answer is actually no, those mitigations still count."

Maybe more than ever, as Giguere goes on to explain. "We need to understand the reason Mythos was released in the way it was; Anthropic was very smart by allowing it to be used for good before a general release. Because, as someone who used to be a developer, goodness knows what bugs I've written 20 years ago that are lurking in systems that Mythos could now expose. So, I think most see Mythos as a big wakeup call. Even we at Check Point are taking it as a wakeup call." He said the grace period afforded by Anthropic is just that; any leap forward in technology tends to act as a herald of more to come, and can't be suppressed thanks to the mechanisms of competition.

The upshot, in plain language, is that the days of getting away with sloppy code, bad configs and missed patches, now belong in the past. There's an entirely new paradigm that says 'better systems are essential', simply because AI means it's not possible to get away with it (and any sleeping dogs of past indiscretion can no longer be left to lie, either).

On that note, Giguere offered up comfort, explaining that while the new LLM represents the sharpest of keen edges, other tools can be applied to pre-emptively head off what Mythos might find. "At Check Point, we've always used machine learning and automation for vulnerability scanning [so we know how effective it is]. Claude Opus 4.7 for example, is amazing at finding flaws. So that's also why, when Mythos was announced we approached it with a research level of curiosity as opposed to fear."

That to some extent answers the real question those charged with infosec are asking right now. What, precisely, should we do? "Yeah, the culture has to change. Having a culture of finding and fixing vulnerabilities as opposed to [an approach where] your vulnerability detection or remediation is theater or whether it's real." Giguere said a commonly prevailing approach of tending to fix the easy issues must now give way to comprehensive, no-stone-left-unturned rigour.

"Suddenly, the [threats] that matter will matter that much more," he stressed.

If it sounds complicated, daunting, even, Giguere said there's further good news. The tools for attack and defence change constantly. AI and especially Mythos are a new frontier. But what doesn't change is principle, and the basic principles of defence hold true. "The fundamentals of defense in depth will protect you."

Along with using tools like Claude Opus, and in due course, Mythos, to find any lurking issues before the hackers do.