3 Sources
[1]
Cisco sings Mythos' praises - but doesn't say how many bugs the model uncovered
Bug hunting has become a whole lot more exciting in recent months with both Anthropic and OpenAI touting their latest models (that also happen to be super-scary exploit machines). On Tuesday, as Anthropic announced a fourfold expansion to its Mythos preview program, Cisco jumped into the fray, praising the transformative power of AI - but without disclosing how many bugs the latest frontier models found. Cisco SVP Anthony Grieco in a Tuesday blog said that the advanced AI systems, including Anthropic's Claude Mythos Preview and OpenAI's GPT 5.5-Cyber, scanned 1.8 billion lines of code in eight weeks looking for vulnerabilities in Cisco products - a task that otherwise would have taken the networking giant's advanced security team eight years to accomplish. However, Grieco, who heads Cisco's security and trust organization, didn't say how many flaws Mythos and other frontier models uncovered, or if they have all been fixed. The company also did not respond to The Register's questions about this. Grieco did say that "speed is only half the story," calling the "real breakthrough" the "scale, quality, and impact" of the models' findings. The 1.8 billion lines of code, written in more than 25 different languages, spanned Cisco's portfolio, we're told. Netzilla paired the models with a "human-guided harness," and achieved a false positive rate of under 3 percent, Grieco wrote. "Rather than focusing on a specific scope for a security evaluation, we can assess entire code bases of a product. It's like switching from a flashlight to a flood light to illuminate a dark room," he said. "Because each finding is validated through a hybrid of AI and human expertise, our engineering teams are receiving actionable intelligence rather than a wall of warnings." Meanwhile, Anthropic on Tuesday said it expanded Project Glasswing to about 150 additional organizations, bringing the total partner count to about 200. 
Project Glasswing is the AI giant's controlled partner program for giving selected orgs access to Claude Mythos Preview. When it announced the new model and partner program in early April, Anthropic limited the preview to about 50 entities, claiming Mythos is so good at finding and exploiting security holes that all hell would break loose and the zombie apocalypse would hit should the model fall into the wrong hands. Since April, these select government agencies and corporate partners - including Cisco - have been using Mythos to find and fix bugs in their own products. Palo Alto Networks, one of the original Project Glasswing partners, said in May that after spending a month using frontier AI models, including Anthropic's Mythos, to scan more than 130 products across its three platforms, it uncovered 26 CVEs representing 75 underlying security issues. For comparison, the cybersecurity giant said it typically discloses fewer than five CVEs per month. At the time, a company exec forecast "a narrow three-to-five-month window for organizations to outpace the adversary before AI-driven exploits start to become the new norm." The newly expanded Project Glasswing spans more than 15 countries, and, while an Anthropic spokesperson declined to name them or the new partner companies, it's a safe bet that these are likely Western and/or "friendly" nations. So not China and Russia. Rubrik, a data security and management vendor, said that it was among the new Glasswing partners. The expanded list also reportedly includes the Korea Internet and Security Agency (KISA), along with Samsung Electronics, SK hynix, and SK Telecom, among other Korean companies. "The group covers several industries that weren't well-represented in our initial cohort, such as power, water, healthcare, communications, and hardware," according to a Tuesday Anthropic blog. 
"And many of the new partners are vendors - companies or nonprofits that maintain codebases that are relied upon by lots of other organizations around the world, including governments." Each new partner must meet Anthropic's security requirements before they gain access to Mythos, the company added. ®
[2]
8 Years of Security Research in 8 Weeks: Transforming Cybersecurity with AI
In just eight weeks, we scanned 1.8 billion lines of code in over 25 coding languages across the breadth of Cisco's portfolio, a process that would have taken our world-class security research team eight years to complete. We are only getting started. But speed is only half the story. The real breakthrough is scale, quality, and impact. If the average person gained access to a Formula One (F1) car but has only ever ridden a bike, they might be able to make their way along the track, but they are not going to win the race. For decades, cybersecurity has been limited by the pace of manual red teaming and static analysis. A few years ago, efforts like DARPA's AI Cyber Challenge began paving the road for an autonomous defense, and now the arrival of frontier AI models -- like Claude Mythos Preview and GPT 5.5-Cyber -- has handed the industry keys to an F1 car. We are inspired by our time in the driver's seat, and we are eager to share our insights with the goal of helping cyber defenders win.
The problem we tackled
Quality starts with complete visibility and a signal-to-noise ratio that allows experts to act. Historically, security teams were forced to prioritize, choosing which software modules to assess based on risk profiles, knowing full well that bugs in the "unscanned" areas were simply waiting to be found by an adversary. Furthermore, traditional static analysis tools were notorious for noise, often producing a ratio of one useful finding for every 10,000 warnings. This has forced offensive security teams into a cycle of endless triage.
Our approach
The difference between chaos and clarity is methodology. We embedded years of the Cisco Advanced Security Initiatives Group's domain knowledge -- test beds, research notes, and prioritization logic -- into a rigorous orchestration harness. The question is no longer whether AI models can find bugs, it's whether you have the architecture to maximize track time. Our focus has and continues to be on quality and impact over mere quantity and noise. But this velocity isn't the result of model power alone. It is the result of the Cisco Foundry Security Spec. The model is the accelerant; the harness is the engine. By testing it across six frontier AI models, we ensured that our Foundry Security Spec provides an independent, model-agnostic framework. It is not tied exclusively to one model; it is locked into a consistent methodology.
What we found: Quality over quantity
We no longer have to pick and choose what to scan. A common industry critique is that AI will "drown you in noise." We found the opposite. By pairing frontier LLMs with our human-guided harness, we achieved a false positive rate of under 3% in over 1.8 billion lines of code. Rather than focusing on a specific scope for a security evaluation, we can assess entire code bases of a product. It's like switching from a flashlight to a flood light to illuminate a dark room. Because each finding is validated through a hybrid of AI and human expertise, our engineering teams are receiving actionable intelligence rather than a wall of warnings.
What this means for industry collaboration
Do not mistake volume for value. Yes, more vulnerabilities will be discovered as AI adoption grows. If that is the only metric you are counting you may want to ask yourself if you are capturing the real value of this era. True AI-driven security is measured by actionable precision at scale, not by the count of vulnerabilities alone. Our findings are extensive, thanks to both our ability to scale and the accuracy of our analysis. Your team doesn't have to drown in the noise. For enterprise teams looking to deploy frontier LLMs, we suggest three principles:
The future: Designing for resilience
We recognize that the transition ahead is complex, and we continue to work to reduce the friction from security operations. We have drastically improved the ability to automate upgrades of our systems through automation and Cisco CX stands ready to help customers assess risk and modernize operational practices. Though the pace of innovation is accelerating, our core values remain the foundation of everything we do. Over the last thirty-five years, Cisco has demonstrated that we walk the walk when it comes to the handling and disclosing of vulnerabilities that affect those who use our solutions. We helped create the very standards the industry uses today for vulnerability disclosure and handling. Regardless of how the threat landscape or the market continues to evolve in the AI era, we will adapt, providing the resources and clarity you need to manage risk effectively. Cybersecurity is both a team sport and a long-term journey. We are here to tip the scale in favor of all defenders, we are in this together, and we will not stop.
Join us:
* Download the Foundry Security Spec and start your own evaluation.
* Read Strengthening the Foundation: A Predictable, Customer focused Response to AI-Accelerated Vulnerability Discovery to learn more about Cisco's new security release model.
[3]
Cisco overhauls vulnerability disclosures as AI accelerates bug hunting
Why it matters: New AI models are pouring gasoline on bug discovery, forcing technology and security vendors to rethink how they responsibly disclose the bugs that researchers find in their products before malicious hackers get hold of them.
Driving the news: Starting in July, Cisco will start publishing disclosures about security fixes in its products on the first and third Wednesdays of the month.
* Those updates are currently monthly, barring any emergency rollouts.
What they're saying: "We've got an opportunity to not just move faster in individual-point problems, but really rethink how we're moving from being reactive to proactive in terms of system-hardening," Anthony Grieco, senior vice president and chief security and trust officer at Cisco, told Axios in an exclusive interview.
* "This isn't just about keeping pace with an individual thing with an individual threat," he added. "It's about how we're addressing the system-hardening and vulnerabilities at a depth and speed that previously was unattainable."
Between the lines: As advanced AI models like Mythos Preview and GPT-5.5-Cyber start to uncover security vulnerabilities at an unprecedented rate, cybersecurity teams are unable to keep up with the pace at which they need to start patching bugs.
* Some systems require a total reboot to install a patch -- and others require several tests before an IT or security team is comfortable rolling it out.
* Last month, Anthropic said the roughly 50 partners who are using Mythos Preview have already uncovered more than 10,000 high- or critical-severity vulnerabilities across the "most systemically important software in the world."
Threat level: Over the last eight weeks, Cisco has used a multi-model AI harness to scan 1.8 billion lines of code over 25 coding languages across its wide-reaching technology portfolio.
* Previously, that level of scanning would've taken about eight years to complete, the company said in a blog post.
What to watch: Cisco plans to roll out a new product, called Live Protect, that gives customers a temporary shield against the exploitation of newly discovered vulnerabilities while they work to deploy permanent fixes.
Cisco deployed frontier AI models including Claude Mythos Preview and GPT 5.5-Cyber to scan 1.8 billion lines of code across 25 programming languages in just eight weeks—work that would have required eight years manually. The networking giant achieved a false positive rate under 3 percent but hasn't disclosed the total number of bugs found. Starting July, Cisco will publish security fixes twice monthly instead of once.
Cisco has completed what Anthony Grieco, the company's senior vice president and chief security and trust officer, calls a transformative milestone in AI bug hunting. Using frontier AI models including Claude Mythos Preview and GPT 5.5-Cyber, the networking giant scanned 1.8 billion lines of code across more than 25 programming languages in just eight weeks [1][2]. This accelerated rate of bug discovery represents work that would have taken Cisco's advanced security team eight years to complete manually [3].
While Cisco praised the scale and quality of findings, the company notably did not disclose how many vulnerabilities the AI models uncovered or whether all identified flaws have been fixed [1]. Grieco emphasized that speed represents only half the story, with the real breakthrough being the "scale, quality, and impact" of the models' findings [2].
The code scanning effort spanned Cisco's entire product portfolio, paired with what the company describes as a "human-guided harness" built on the Cisco Foundry Security Spec [2]. This AI-driven security approach achieved a false positive rate of under 3 percent—a stark contrast to traditional static analysis tools that historically produced one useful finding for every 10,000 warnings [2].
"Rather than focusing on a specific scope for a security evaluation, we can assess entire code bases of a product," Grieco explained. "It's like switching from a flashlight to a flood light to illuminate a dark room" [1]. Because each finding is validated through a hybrid of AI and human expertise, engineering teams receive actionable intelligence rather than overwhelming warnings [2].
Cisco tested its framework across six frontier AI models to ensure a model-agnostic methodology. "The model is the accelerant; the harness is the engine," the company stated, emphasizing that the orchestration framework embedded years of domain knowledge from the Cisco Advanced Security Initiatives Group [2].
Cisco's announcement came as Anthropic expanded Project Glasswing, its controlled partner program for Claude Mythos Preview, to approximately 200 organizations across more than 15 countries [1]. The expansion added about 150 new partners, including Rubrik, Korea Internet and Security Agency (KISA), Samsung Electronics, SK hynix, and SK Telecom [1].
Palo Alto Networks, an original Glasswing partner, reported uncovering 26 CVEs representing 75 underlying security issues after scanning more than 130 products for one month—compared to typically disclosing fewer than five CVEs per month [1]. A company executive forecast "a narrow three-to-five-month window for organizations to outpace the adversary before AI-driven exploits start to become the new norm" [1].
Last month, Anthropic revealed that the roughly 50 partners using Mythos Preview had already uncovered more than 10,000 high- or critical-severity vulnerabilities across systemically important software worldwide [3].
Recognizing that cyber defenders face challenges keeping pace with AI-accelerated vulnerability discovery, Cisco is fundamentally restructuring its approach. Starting in July, the company will publish security disclosures on the first and third Wednesdays of each month—doubling the frequency from current monthly updates [3].
"This isn't just about keeping pace with an individual thing with an individual threat," Grieco told Axios. "It's about how we're addressing the system-hardening and vulnerabilities at a depth and speed that previously was unattainable" [3]. The shift represents a move from reactive responses to proactive system-hardening [3].
Cisco also plans to introduce Live Protect, a new product designed to provide customers with temporary shields against exploitation of newly discovered vulnerabilities while they work to deploy permanent fixes [3]. This addresses a critical gap, as many systems require complete reboots to install patches, and IT teams often need extensive testing before they are comfortable rolling out updates [3].
Summarized by Navi