The Zombie Hacker and the Machine

Valentina Palmiotti — known in the community as Chompie — just had one of the best performances of her career at Pwn2Own Berlin. She hacked an Nvidia-linked system for $20,000 on day one, then went straight back to her hotel room and worked through the night to crack a Linux-based system for another $50,000.
She called it “zombie hacker mode.” Twelve hours of research, testing, and caffeine. “It’s not healthy,” she laughed. But it worked.
Here’s the twist: she thinks it might have been her last shot.
“I competed in Pwn2Own this year because I thought it might be my last chance,” she told BBC News. Not because she’s retiring. Because AI is getting that good.
What Is Claude Mythos, Exactly?

Claude Mythos is Anthropic’s most powerful security-focused AI model — and it’s not available to the public. Anthropic claims Mythos has already identified 1,600 vulnerabilities across hundreds of software programs. That number is striking enough that Anthropic has restricted access to select governments and cybersecurity institutions only.
That’s not a product launch. That’s a controlled detonation.
The concern isn’t just that Mythos is powerful. It’s that the gap between what it can do and what a skilled human can do in the same timeframe is closing — fast. Chompie, who is among the best in the world at this, sees it clearly. She’s currently in a “sweet spot” where AI tools like Claude Code help her move faster. But models like Mythos and GPT 5.5 Cyber represent something different: not an assistant, but a competitor.
Two Hackers, Two Takes on the Future

Not everyone reads the same signal the same way. Orange Tsai — the Taiwan-based researcher who led his team to a $375,000 prize at the same Berlin competition — is more measured.
“AI feels more like a really awesome assistant that helps accelerate my research workflow,” he said. His framing: AI lets him test more ideas without sacrificing sleep. It frees his hands, not his seat at the table.
Both perspectives are honest. And both are probably right — just on different timelines.
Chompie’s view is that the lower-hanging fruit disappears first. Routine vulnerability discovery, the kind that fills most bug bounty programs, gets automated. What remains is elite-level creative research — the stuff Orange Tsai does when he maps “extremely complex hacking pathways” that no model has been trained to anticipate yet.
The middle tier of the market? That’s where the disruption lands hardest.
What This Means for the Bad Guys

It’s the obvious question, and it deserves a direct answer.
Criminal hackers are already using AI to accelerate attacks and, in some cases, find new entry points for ransomware and data breaches. That’s real. But the vast majority of cybercrime still runs on old, simple methods — phishing, social engineering, fake emails that trick employees into clicking the wrong link. No zero-day required.
The arms race at the top of the vulnerability market matters, but it’s not where most attacks happen.
Chompie’s read is ultimately optimistic: AI raises the bar for everyone, and defense stands to gain more than offense. Automated vulnerability discovery at scale means more holes get found and patched before criminals find them. The math tilts toward the defenders — if, and this is the critical if, the most powerful tools reach the good guys first.
The Access Problem Is the Real Story

Anthropic restricting Mythos to governments and institutions isn’t just a safety decision. It’s a strategic one — and it shapes who benefits from this shift.
If elite defenders get Mythos-level tools before criminal networks do, the window for patching vulnerabilities widens. If that access leaks or gets replicated by less careful actors, the calculus flips. Chompie made this point directly: responsible release isn’t just ethics, it’s operational security for the entire internet.
Pwn2Own itself awarded nearly $1.3 million this year across 47 newly discovered attack methods — all responsibly disclosed to the affected companies. That pipeline of human-led discovery has real value. The question is how long it stays human-led.
The Trend Signal

Here’s what’s actually shifting in the AI tools ecosystem:
AI is moving from assistant to autonomous agent in high-skill domains. Cybersecurity is just the most visible example because the stakes are measurable — prize money, disclosed vulnerabilities, documented exploits.
The pattern will repeat. Legal research. Medical diagnosis. Financial modeling. Anywhere that expertise has been the moat, AI is now the rising water.
For now, the best humans still win. But “for now” is doing a lot of work in that sentence.
Observe Smarter

The Pwn2Own story isn’t really about hacking. It’s about what happens when AI tools cross the threshold from productivity multiplier to genuine peer — and how quickly the definition of “elite” has to move to stay ahead of it.
Chompie is already thinking about what comes next. The rest of us probably should be too.