Why Cybersecurity's Moat Isn't What We Thought It Was

Anthropic’s Mythos made headlines for autonomously finding decades-old vulnerabilities in FreeBSD and OpenBSD. But researchers at AISLE quickly discovered something revealing: smaller, open-source models could reproduce much of Mythos’s work when pointed at the same code. Eight out of eight detected the FreeBSD exploit that had survived 27 years of human review.

This isn’t about undermining Mythos’s achievement — it’s about understanding what makes AI cybersecurity capabilities actually valuable. The breakthrough wasn’t the model’s raw intelligence, but the system built around it: the scaffolding that systematically searches codebases, the expertise that guides where to look, and the framework that validates findings. When researchers gave smaller models the same focused guidance, they found similar vulnerabilities.

This reveals something important about AI capabilities in security work. The advantage doesn’t scale smoothly with model size or cost. Instead, it’s “jagged” — heavily dependent on the expertise and systems that direct the AI’s attention. A thousand-dollar model with the right guidance can outperform a million-dollar model scanning randomly. The real moat isn’t the neural network; it’s the accumulated security knowledge that shapes how and where it searches.

For security teams, this means the playing field is more level than it first appeared. Organizations don’t need access to the most expensive AI models to find critical vulnerabilities — they need people who understand systems well enough to ask the right questions. The democratization of these capabilities also means that both defenders and attackers will have similar tools, making the human expertise that guides them even more valuable.

The broader lesson extends beyond cybersecurity. As AI capabilities become more commoditized, competitive advantage increasingly lies in the systems, processes, and domain knowledge that make AI tools effective rather than in the models themselves.