Mastodawn

I find it interesting that the cyber LLMs like GPT-5.4-Cyber* and Mythos** corroborate this. They are not particularly trained to identify vulnerabilities. They are (more or less) fine-tuned versions of general purpose models that remove the cyber refusals. In other words, they are simply excellent developers learning security on the job.

* "..we are fine-tuning our models specifically to enable defensive cybersecurity use cases, starting today with a variant of GPT‑5.4 trained to be cyber-permissive: GPT‑5.4‑Cyber." https://openai.com/index/scaling-trusted-access-for-cyber-defense/

** "We did not explicitly train Mythos Preview to have these capabilities. Rather, they emerged as a downstream consequence of general improvements in code, reasoning, and autonomy. " https://red.anthropic.com/2026/mythos-preview/

#cybersecurity #hiring #mythos #gpt54cyber #openai #anthropic

Trusted access for the next era of cyber defense

OpenAI expands its Trusted Access for Cyber program, introducing GPT-5.4-Cyber to vetted defenders and strengthening safeguards as AI cybersecurity capabilities advance.

OpenAI

Show thread

Vinoth (Datacenter security)4d ago

To be an effective security engineer, you need both systems expertise and security expertise. However, for most complex systems (Eg: Mobile, servers, PCs), it is a lot easier and quicker to train a systems expert in security than a security expert in systems. There are some exceptions, of course, such as cryptanalysis and formal methods. You will know when you have an exception case.

#cybersecurity #hiring #mythos #gpt54cyber #openai #anthropic

Vinoth (Datacenter security)4d ago

A security hiring strategy that I preach and practice: If the choice is between an (a) expert in the system we are securing with little to no security expertise and (b) a security expert with little to no system expertise - choose (a).

#cybersecurity #hiring #mythos #gpt54cyber

Vinoth (Datacenter security)Apr 1

Codex has been open source since the beginning. Turns out no one has cloned it and destroyed OpenAI's moat. Just saying.

https://github.com/openai/codex

GitHub - openai/codex: Lightweight coding agent that runs in your terminal

Lightweight coding agent that runs in your terminal - openai/codex

GitHub

Show thread

Vinoth (Datacenter security)Mar 9

Defenders naturally have that context. Attackers usually don't. As a result, defenders agents will be better at identifying these harder class of vulnerabilities.

Show thread

Vinoth (Datacenter security)Mar 9

What remains are the harder class of vulnerabilities, those that emerge at module boundaries, from incorrect assumptions between components or from complex system-level behavior rather than a single piece of code. Finding those requires deep context, how the system is designed, what assumptions were made, how different pieces interact across the stack.

Show thread

Vinoth (Datacenter security)Mar 9

The era of "stupid bugs" resulting in vulnerabilities is over. Those bugs will get found and fixed faster. The attack surface will shift away from obvious implementation mistakes towards more subtle issues.

Vinoth (Datacenter security)Mar 9

Codex security is in research preview:
https://openai.com/index/codex-security-now-in-research-preview/

My intuition is that such vulnerability hunting agents are net positive for defenders.

Codex Security: now in research preview

Codex Security is an AI application security agent that analyzes project context to detect, validate, and patch complex vulnerabilities with higher confidence and less noise.

Vinoth (Datacenter security)Feb 5