Depthfirst’s cofounders all have history in AI security, whether with Google DeepMind, Databricks or Block.
The launch of Anthropic’s AI model Mythos a month ago sent shockwaves through the cybersecurity world. The tech was so advanced, the AI company said, that it had found dozens of severe bugs in critical internet code.
Now, cyber startup Depthfirst says its own AI model has found bugs that Mythos missed, at a tenth of the cost, including critical flaws in software used by the majority of people on the web today. Depthfirst CEO Qasim Mithani says that because Depthfirst optimizes its models for one task, it can do for $1,000 what Mythos does for $10,000.
Depthfirst, which raised $80 million at a $580 million valuation in March, is also launching the Open Defense Initiative, a program that offers companies and open source developers a total of $5 million in credit to use its AI to find bugs in their code. It’s similar in concept to Anthropic’s limited release of Mythos, which it gave to a group of nearly 50 companies (and is now expanding). Depthfirst says it won’t hand-pick who gets access to its model, but it will review applicants and at first limit access to open source developers whose code is widely used or deployed in critical infrastructure.
“Gating” the technology and limiting it to select partners is “not the right approach,” says Mithani. Ultimately, Mithani says defenders need to use every tool at their disposal to prevent cyber disaster now that hackers also have powerful AI. “If attackers use these models, they can probably get to a similar result that we do,” he says. “So that’s why we’re worried, and that’s why we’re launching this program.”
The launch of Open Defense is part of an age-old cat-and-mouse game between defenders and attackers that AI is speeding up dramatically. The hope is that AI is so good at finding vulnerabilities at scale that it will bring about a net improvement in web security. But cybercriminals are already making hay with AI. On Monday, Google warned that a criminal gang was using AI to develop a so-called zero-day exploit, code that attacks a vulnerability the vendor does not yet know about and so has not patched. Anthropic has disclosed that Chinese spies used Claude to launch cyberattacks on tech companies and politicians.
That makes fixing exploitable bugs that much more urgent. Among the bugs Depthfirst discovered was a vulnerability in NGINX, the most widely deployed web server in the world, which helps run nearly two-thirds of the most visited sites on the internet. The flaw had been sitting in NGINX since 2008, Mithani tells Forbes, meaning it was exploitable on any NGINX server over the last 18 years. “Which is the crazy thing about it, because that’s most of the internet.” F5 Networks, which owns and maintains NGINX, is due to announce a patch later this week, he says.
Kunal Anand, chief product officer at F5, declined to comment on the bug but said he was excited about AI discovering vulnerabilities because it can do so at scale. “It changes the math. Security researchers, engineering teams, open-source maintainers all get better when AI can trace code paths and surface edge cases at a scale no individual or team could match on their own,” he says. “The bugs were always there and now we have better tools to find them.”
Mithani’s models also found a similarly serious flaw in Linux, the open source operating system, which would allow a hacker to execute rogue code on a computer running the software. It hasn’t been patched. The Linux Foundation had not responded to requests for comment.
Depthfirst’s model also found two bugs in Google’s Chrome browser. Google confirmed the findings and said both issues have been patched. Google had rated them “high severity” because they could have been triggered from a malicious web page.
It also discovered 12 new flaws in FFmpeg that Mythos had missed. FFmpeg is open source software for processing video, audio and other multimedia files, and it underpins the video infrastructure of many major platforms, with Netflix, YouTube, Instagram, Facebook and Spotify among its many users.
Not everyone is convinced that AI will drastically improve internet security. Jean-Baptiste Kempf, who helps maintain FFmpeg, tells Forbes that it’s easy to find bugs in the platform without AI, adding, “Finding vulnerabilities is easy… fixing correctly is hard.”
