Frontier AI Only Defends Those Who Hold the Source Code
In an age of frontier AI that finds vulnerabilities on its own, what an ordinary company can actually do today
The landscape around security AI shifted sharply over the past few weeks.
With Mythos, a model that autonomously finds vulnerabilities, Anthropic and its partners had surfaced more than 10,000 serious flaws. Then, right after Anthropic launched its top-tier Fable 5 and Mythos 5 models on June 9, the U.S. government invoked export controls. Both models were barred to any foreign national, and because the directive's scope was so broad, they ended up suspended for every user worldwide. Since the controls apply equally to allied countries, a company in Japan cannot legally use them today either.
The rights and wrongs of it aside, what caught our attention—Pentacon Research's attention—was a quieter question hidden underneath the noise.
Under what conditions does this power actually work?
Only those who hold the source code get protected by frontier AI
Look closely, and Mythos's wins share one clear trait: a premise that the source code is in hand.
Mythos was built, from the ground up, to reason over source code. It reads the code, hypothesizes "this looks exploitable," runs the program to confirm, and produces a report complete with reproduction steps. Line up how Glasswing's partners use it, and every case has the same character:
- Scanning their own codebases for vulnerabilities
- Vetting code before release so flaws never appear in the first place
- Rebuilding legacy code in memory-safe languages
Every one of these only works when the source is already in your hands. The actual targets bear this out too: open-source projects, a 27-year-old bug in OpenBSD, cryptography libraries—all things whose insides (the code) could be read.
Anthropic itself draws the line plainly: this is not the same as black-box testing over the internet (probing from the outside without knowing the internals). Mythos, they say, shows its true strength with high-information inputs like source code.
For the record: the absence of source doesn't reduce AI-assisted attacks to zero. Binary analysis and inferring behavior from the outside remain on the table. Even so, the proven, strongest territory is unmistakably the side where the source is visible.
In other words, the defensive power of this frontier AI comes with a large precondition attached: being able to get the source.
But most of the code your company runs is held by someone else
Now bring it back to the reality of an ordinary company.
If you tried to turn this power on your own defense, you would have to feed the source code of every piece of software you use into the AI. A moment's thought, though, makes it clear: that is all but impossible.
Modern systems don't run on code you wrote from scratch alone.
- Packaged products and SaaS you purchased
- Systems built and delivered by contractors and outsourcers
- A vast number of open-source dependencies
The source for these is not in your hands. Contractually, organizationally, and in sheer volume, you cannot bring all of it under your watch right now. Glasswing worked because marquee enterprises and the open-source community handed over their own code. An ordinary company doesn't even have access to the third-party code it would need to hand over.
Applying source-level AI analysis to the parts you developed in-house is, of course, valuable. But that's only a slice of your total attack surface. The least-visible part—the part run by others—is the genuinely scary one, and it's exactly where white-box methods can't reach.
So: measure whether you can be attacked from the outside
How, then, do you defend what you can't reach? Flip the perspective.
Attackers don't have your source code either. What they see is only what's visible from the outside—exposed servers, open ports, the versions of the products you run, misconfigurations. That's where they strike.
So put the defense on the same footing. Take the attacker's "outside view" and grasp how exposed to attack you are right now. Done this way, even assets whose source you don't hold—a contractor's system, a product you bought—can be measured as an externally visible attack surface.
And here's the crucial part: the attack surface never sits still. New servers come up, new vulnerabilities are published every day, settings drift before you notice. A "once-a-year assessment" leaves the other 364 days undefended. So it has to be measured continuously, not just once. That is the core of CTEM (Continuous Threat Exposure Management: continuously grasping your attack surface, prioritizing, and closing it down).
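The drift described above can be made concrete by comparing two outside-view snapshots taken a day apart. This is an added example, not PentaTrail's code or anything from the sources below; the `Service` record, the priority numbers, the hostnames, the products and the advisory ID are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    """One externally observed service: what an outside observer can see."""
    host: str
    port: int
    product: str
    version: str
    settings: frozenset = frozenset()  # observable protections, e.g. {"tls", "login"}

def exposure_changes(previous, current, advisories):
    """Diff two outside-view snapshots; return findings sorted by priority (high first)."""
    prev = {(s.host, s.port): s for s in previous}
    findings = []
    for s in current:
        where = f"{s.host}:{s.port}"
        old = prev.get((s.host, s.port))
        if old is None:                      # a server or port that was not visible before
            findings.append((1, "new-exposure", where, f"{s.product} {s.version}"))
        elif old.settings - s.settings:      # a protection that was visible and is now gone
            lost = ", ".join(sorted(old.settings - s.settings))
            findings.append((2, "config-drift", where, f"lost: {lost}"))
        for adv in advisories.get((s.product, s.version), []):
            findings.append((3, "known-vulnerable", where, adv))
    for host, port in prev.keys() - {(s.host, s.port) for s in current}:
        findings.append((0, "closed", f"{host}:{port}", "no longer visible"))
    return sorted(findings, key=lambda f: (-f[0], f[2], f[3]))

# Constructed sample data: hostnames, products and advisory IDs are placeholders.
MONDAY = [
    Service("www.example.com", 443, "ExampleCMS", "4.2", frozenset({"tls", "login"})),
    Service("vpn.example.com", 443, "ExampleVPN", "9.1", frozenset({"tls"})),
    Service("old.example.com", 21, "ExampleFTP", "1.0"),
]
TUESDAY = [
    Service("www.example.com", 443, "ExampleCMS", "4.2", frozenset({"tls"})),
    Service("vpn.example.com", 443, "ExampleVPN", "9.1", frozenset({"tls"})),
    Service("test.example.com", 8080, "ExampleCI", "2.0"),
]
FEED_MONDAY = {}
FEED_TUESDAY = {("ExampleVPN", "9.1"): ["ADVISORY-PLACEHOLDER-001"]}

if __name__ == "__main__":
    for priority, kind, where, detail in exposure_changes(MONDAY, TUESDAY, FEED_TUESDAY):
        print(priority, kind, where, detail)
```

Running the same snapshot against a newer advisory feed still produces a finding, which is the case a once-a-year assessment misses: nothing on the asset changed, only what is publicly known about it.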
This is exactly where AI earns its keep. Discovery of what's visible from the outside is done by reliable means rather than guesswork. The judgment of whether a finding is genuinely dangerous, and should be fixed right now, is done with AI. The outer territory that frontier AI itself set apart as "a different thing" is precisely where steady, continuous work pays off.
What we're building
PentaTrail, built by Pentacon Research, takes that idea (using AI to continuously grasp and manage whether you can be attacked from the outside) and turns it directly into a product.
Let us answer one thing in advance. "If you've gone all-in on AI too, aren't you finished the moment that AI gets pulled?" The AI PentaTrail uses is a generally available, commercial model that anyone can use—not the top-tier offensive model that was just restricted. If anything, we think this episode made the need for practical, within-reach security AI unmistakably clear.
Frontier AI reads your source and protects your company only if you're among the few organizations that can hand that source over. For the vast majority, the practical option is to keep measuring your own attack surface from the outside. If you're curious, take a look at your own company's "externally visible attack surface."
Sources
- Anthropic: Expanding Project Glasswing (partners scanning their own codebases / 10,000+ in total)
- Anthropic: Project Glasswing — An initial update (1,000+ open-source projects / Mythos's own vulnerability count)
- Help Net Security: Anthropic project Glasswing update
- IEEE Spectrum: Claude Mythos Preview Exposes Hidden Code Flaws
- Fortune: Anthropic disables Fable and Mythos AI models following U.S. government export ban
- Al Jazeera: US export ban on Anthropic's AI models further strains alliances