📝 Episode Summary
Mythos pulled us out of sabbatical. After a few months heads-down on conferences, work, and shipping, the THOR Collective is back with a special episode dedicated to cutting through the Mythos hype cycle. Lauren and Sydney are joined by Trent Lo (aka Surbo), Principal Security Researcher at Marsh and longtime adversary-in-chief from the CenturyLink days. Trent lives on both sides of the fence — offense and defense — which makes him exactly the right person to help us answer the question the whole industry has been screaming about since Anthropic’s announcement: is this real, or is this marketing?
The crew walks through what Mythos and Glasswing actually were (versus the cyber-nuclear-war headlines), where AI genuinely changes the game for attackers, and where defenders still hold the line. The throughline: behaviors still win. AI changes tempo, not fundamentals. There is still a human pointing the tool, and that intent — not the model — is what matters. Trent’s take is measured, grounded, and refreshingly free of doom: nation-states already have this capability and have for a while, the have-and-have-nots gap is going to widen, and the smartest move right now is to get your patching program in order before the wave of AI-found vulnerabilities crests.
Sydney walks through three new HEARTH features — What Can I Hunt, the Coverage Map, and the Context Graph — and recaps ATHF for anyone who missed her SANS AI Summit talk. Lauren teases her Vercel/Context.ai infostealer-to-SaaS hunt guide. Then the conversation pivots to defense at machine scale: how the well-resourced orgs should be thinking, what the under-resourced shops can actually do with Gemma 4 running locally and Copilot bundled in their E5 license, and why vulnerability programs are about to become the most important muscle on the team. We close with a Myth or Signal rapid round (AI SOC replacing analysts? threat hunting copilots? baselining? autonomous pentest? AI-generated malware?) and conference plans for the rest of the year.
⏱️ Episode Breakdown
00:23 – Intro and welcome back from sabbatical
02:06 – Guest intro: Trent Lo (Surbo), Principal Security Researcher at Marsh
04:24 – THOR updates: new HEARTH features and ATHF recap
07:41 – April Dispatch posts: Vercel infostealer-to-SaaS hunt + Mythos Won’t Kill Threat Hunting
10:17 – What Mythos and Glasswing actually were vs. the marketing hype
15:37 – Where humans still win: judgment, intent, and what “agentic” really means
21:43 – What actually worries us about Mythos (hint: it’s the keyboard, not the model)
25:14 – Defense in the open and the widening have-and-have-nots gap
27:52 – Closed source vs. open source post-Mythos, and the CVE explosion problem
34:25 – How defenders can actually use AI: imposter syndrome, IR, and machine-scale hunting
39:56 – Defense at machine scale: resourced vs. under-resourced playbooks
46:46 – What a two-person team should prioritize (spoiler: patch your shit)
51:13 – ⚡ Myth or Signal rapid round
53:41 – Plugs, conferences, and Allbirds becoming an AI company
56:32 – Happy thrunting
🎤 Hosts & Guest
Lauren Proehl (Host) — Manager of the group, cautious optimist, and the person who still has receipts on Trent from CenturyLink days.
Sydney Marrone (Host) — Now officially a manager (welcome to the dark side). Built ATHF, shipped three new HEARTH features this cycle, and is the reason 90% of you have a starting point for agentic threat hunting.
Trent Lo / Surbo (Guest) — Principal Security Researcher at Marsh. Self-described professional hand grenade thrower who also jumps on the grenades.
🔗 Resources & Mentions
April Dispatch Posts
Mythos Won’t Kill Threat Hunting. It’ll Prove We Were Right. by Lauren Proehl & Sydney Marrone — the editorial thesis driving this episode
Hunting the Infostealer-to-SaaS Pipeline by Lauren Proehl — practitioner hunt guide on OAuth abuse and lateral movement via over-permissioned SaaS apps, using the Vercel/Context.ai breach as a case study
Mythos & Glasswing — Primary Sources
Claude Mythos Preview — Anthropic’s technical writeup of the model’s vulnerability discovery capabilities
Project Glasswing — the coordinated disclosure consortium (AWS, Cisco, Google, and others)
Bruce Schneier: On Mythos Preview and Project Glasswing — a healthy counterweight to the breathless coverage
THOR Collective Tools & Frameworks
HEARTH — the community hypothesis library. Three new features: What Can I Hunt (pick your data sources, get matched hypotheses), Coverage Map (HEARTH hypotheses linked to MITRE ATT&CK), and Context Graph (adds threat actors and campaigns to the coverage map to surface gaps). Source on GitHub.
ATHF (Agentic Threat Hunting Framework) — Sydney’s open-source framework. Maturity model from manual to multi-agent, LOCK pattern, MCP server, AI assistant. Drop it into Cursor or Claude Code. Watch Sydney’s SANS AI Summit talk “Designing AI-Assisted Threat Hunting That Remembers” for the walkthrough.
Other Mentions
AISLE — the autonomous vulnerability research team that found 12 of 12 OpenSSL CVEs in January (covered in our January episode), and 5 of 7 in the April release. Their post-Mythos analysis, AI Cybersecurity After Mythos: The Jagged Frontier, is directly relevant to Trent’s point about another company quietly doing this work for less money. Give credit for what AISLE actually did without conflating it with Mythos.
Gemma 4 — Google’s most capable open model, released April 2 under Apache 2.0. Lauren is running it locally. Trent’s tip: jumpstart prompts here before burning real API tokens.
Allbirds → NewBird AI — yes, the shoe company. Sold its footwear assets for $39M and pivoted to GPU-as-a-Service. We’re as confused as you are.
📢 Call to Action
Read the April Mythos post — and pass it to anyone in your org panicking about cyber-nuclear war
Check out the new HEARTH features at hearth.thorcollective.com — start with What Can I Hunt
Fork ATHF on GitHub — start at Level 1 (one hunt in LOCK format) and grow from there
Fix your patching program — the most boring, most important investment you’ll make this year
Run Gemma 4 locally — get your reps in before you burn real API tokens
Catch us on the conference circuit:
Lauren at the CrowdTour in New York
Trent at NCFTA Pittsburgh and Zenith
Antisyphon Threat Hunting Summit — virtual and free, June 17, 2026
Sydney: Avoiding Hunt Amnesia: Building a Memory Your AI Can Use — 12:00 PM ET
Lauren: Fast-track Reports into Ready-Made Hypotheses with AI — 3:00 PM ET
Everyone at Black Hat and DEF CON
Write for THOR Collective — first-time publishers, up-and-coming voices, builders with something to share: come find us
📬 Connect with THOR Collective
🗣️ Social Media
Twitter/X: @THOR_Collective
LinkedIn: THOR Collective
BlueSky: @thorcollective
📧 Contact
Reach out through any social channel for guest post opportunities, collaborations, or to tell us what you’re building.