Chris Merkel 🐀👨🏼‍🍳

681 Followers
1.2K Following
1,071 Posts

Dad, beautiful nerd, storyteller.

AppSec, CloudSec, DevOps, DFIR, rainbow teaming, recreational hacking and dubious career advice.

By day, I lead teams comprised of the most talented people working in this industry.

Beyond that, I lead and volunteer my time doing career development work across many different venues.

Nerdy stuff I do for fun:
- Malware analysis
- Shodan safari
- Photo and video restoration

Pronouns: he/him/his
Threads: https://www.threads.net/@chris__merkel__cyber
Cheetos: Flamin' Hot
I just do: what the rat tells me
Happy Pride, nerds!

Anyways, here's the takeaway:

  • Attackers already have what they need to develop exploits rapidly.
  • They're going to steal creds to accomplish this, so unlike your paltry Copilot account, they have infinite resources.
  • Improving patch cycle isn't good enough, you must reduce attack surface.
  • Finally, exploit chaining - the one place where Mythos isn't hype. Here's the thing though, few of the bugs that are getting governments and corporations owned require complex multi-step exploit chaining.
They move from Firefox exploit dev to Windows, a much harder challenge, but what I take away from this is how capable Sonnet is. Given that Sonnet is made available via so many 3rd party delivery models, exploit devs can steal creds on nearly any platform and get Windows kernel exploits.

Exploit variability is one that shines for Mythos. The reason for this is typically defensive signatures are tuned to the precise format of an exploit. This makes them easy to evade by hand, but with Mythos you get different code, which defenders may also attribute to different TAs.

Next is consistency tests. Mythos solves for PoC in 100% of trials, Opus less than 100%. What this means in the real world simply is that if you want to get an exploit quickly with Opus, you just need parallel and independent agents all working the same problem until someone gets it. It's just an infinite monkey problem.

The first graph in particular annoys me because the ability to generate multiple variations of a PoC is interesting but not particularly relevant if you're in offsec. If you can get one reliable exploit, it's all you typically need.

Anthropic's research shows that the Mythos hype is indeed mostly hype. Can it do exploit dev faster? Sure, but minutes to hours faster than widely available models. I applaud Anthropic for making this data available. A thread on this, because I want to use illustrations per post. https://red.anthropic.com/2026/n-days/

N-days | red.anthropic.com

I logged into r/copilot so you don't have to

Remembering everyone who was like "LastPass is awful, I'm leaving for $vendor, they know how to do good security". These people never actually explained how they knew the security was better; it was just the same mentality of switching to a different hard drive manufacturer because yours failed.

Anyhoo:

https://techcrunch.com/2026/06/02/password-manager-dashlane-says-hackers-stole-some-customers-password-vaults/

Password manager Dashlane says hackers stole some customers' password vaults | TechCrunch

The password manager giant said hackers were able to 'brute-force' its two-factor system, allowing them to access customer accounts and download their password vaults.