What are some of the major findings that have come out from Palo Alto’s perspective by working with Anthropic as part of Project Glasswing?
I think what we found is that with Mythos there is about a 50 per cent improvement in the model’s ability to write code. Now there is no standard for finding vulnerabilities, so I’m going to equate it this way: If you can write better code, hopefully you can find more vulnerabilities. It’s an approximation from my perspective. What I was most intrigued by was that what we could find in the first two to three weeks of using Mythos would have taken researchers maybe a full year’s worth of manual penetration testing.
Second, while it was able to find many vulnerabilities — low, medium, high and critical — the ability of the model to chain multiple vulnerabilities into an attack path was quite interesting in terms of how it was able to do it. I think as we have started using these models more, and of course built the right harnesses around them with our expertise, we’ve seen that we are able to find issues much faster. And then, of course, we were one of the first companies to release software patches generated with the help of Mythos.
What does this mean for customers?
It means there will be a vulnerability deluge that customers will face as they have so many things to patch. And I don’t think it is going to be that easy and straightforward because not every industry can move quickly, especially regulated industries. Let us take the examples of manufacturing and healthcare. In some cases, they can’t even patch their endpoints easily. It’s next to impossible. The second thing is that this creates an opportunity for organisations to address things that may have been on the back burner. Those include getting a zero-trust posture and implementing least-privilege access controls. They were always important but, for a variety of reasons — focus, time and funding — were not the highest priority. Because, in the end, the only way forward is to have real-time controls.
How do you envisage future attacks?
I think future attacks are not going to be merely AI-assisted attacks. They are going to be autonomously run by AI. And that’s clear based on what we are seeing right now. So while patching and security hygiene remain important, eventually you need to get to a point where you have real-time controls, proper posture management, architecture, segmentation — all of those things done correctly. This is because you have to not just be reactive but proactive in how you secure the organisation.
For me, it’s a three-step journey. First, address the vulnerability deluge, which means patching endpoints, applications and infrastructure. Second, elevate your security controls, which are zero-trust posture, secure browsers and endpoint controls. And third, move towards AI-driven security operations so that you can do these things in real time.
How are AI and AI agents amplifying security threats in enterprises?
When these agents are deployed at enterprise-grade scale, your risk will not just amplify, it will mutate. And the reason is because you will have ungoverned agents. The frictionless deployment of agents through low-code platforms, no-code platforms, SaaS platforms and enterprise platforms has triggered a surge of agents. And as they connect to unauthenticated MCP servers, connect via newer protocols such as MCP and A2A, and invoke skills and execute tools at massive scale, these risks will mutate. And new attack vectors will emerge as agents interact with agents in ways that simply don’t exist today.
To manage this massive scale of AI and all the governance risks you have, one needs a centralised control plane and a centralised security plane. So all these AI interactions need to funnel through an AI gateway, where we can build an agent registry, runtime protections, identity protections, institutionalised AI governance, complete end-to-end agent observability and FinOps controls for token management. All of these led us to acquire Portkey because you need this new control layer.
What are some of the major threat vectors impacting enterprises today?
I think from applications having prompt-injection attacks, denial-of-service (DoS) attacks against models, tool misuse and excessive permissions. For example, we had a customer whose marketing team built agents that could go to Salesforce and read records to generate marketing leads. A very simple, noble use case in some sense. Unfortunately, it had one problem. The agent had excessive permissions — it could delete Salesforce records. So all of these are what we call posture issues. There, of course, will be identity threats. When an agent asks permission to do something, the question is: Do I have permission to access that data, all of the data, or only the specific data needed for that task? And that’s the type of control that we are building into the AI gateway. The whole notion is that we want to secure the entire AI footprint without slowing down innovation. Customers today are not looking for a solution for the next six months. And if I don’t have governance, FinOps controls, observability and runtime controls, it is very hard for me to deploy this at scale if I am going to have 100,000 agents in the enterprise.
