Project Kaleidoscope: Community Cyber Defense in the Age of AI

Ann Cleaveland / Jun 5, 2026

Hanna Barakat & Archival Images of AI + AIxDESIGN / Better Images of AI / CC by 4.0

Researchers at UC Berkeley recently showed that Anthropic's Claude Mythos Preview could successfully exploit 157 of 898 software vulnerabilities in an AI evaluation benchmark loaded with a data set of known real-world examples. OpenAI's GPT-5.5 was not far behind, successfully exploiting 120 of 898 known vulnerabilities. This has led to predictions of “bugmageddon,” the idea that when released to the public, Mythos and similarly powerful models will hand cyberattackers the ability to compromise the digital infrastructure underlying all of modern life faster than defenders can protect it.

Meanwhile, a real-world ransomware attack last month exploited a vulnerability in widely used educational software called Canvas to steal usernames, email addresses, enrollment information and private messages between students and teachers, disrupting classrooms for 30 million users at over 8,000 colleges, universities and K-12 schools worldwide. The educational technology sector already lags behind the largest financial institutions, the federal government, enterprise software companies and other well-resourced players who are racing to patch these kinds of vulnerabilities before bugmageddon materializes. So how do we help to prepare our schools and the many important organizations that form the backbone of our communities?

The capabilities of frontier AI models like Mythos will disproportionately affect organizations that are already least prepared to protect themselves or recover from cyberattacks. “Patch Tuesday” is not a realistic expectation for the small dentist’s office, the food bank, the volunteer fire department, the public school, or the rural electric co-op and water utility. They already operate in a degraded security environment because they frequently lack the budget and/or in-house expertise to implement robust cybersecurity programs. Still, we ask them to fend for themselves against sophisticated cybercriminal gangs and nation-state adversaries who will soon be equipped with even more powerful AI-enabled cyber offense capabilities.

Free tools, tokens and cybersecurity software alone are insufficient to solve a problem that is more about humans than it is about technology. The idea that millions of cyber-poor community organizations will stop snoozing software updates or have the time and resources to train and deploy their own cyber-defense agents ignores the reality on the ground. Hands-on support is imperative to improve cybersecurity outcomes for community-serving organizations. A recent study by the Cyber Readiness Institute found that a water utility working with a human coach was 3 times more likely to complete a cyber resilience program than a utility that tackled the program alone. State governments have realized this and have created teams of cybersecurity volunteers to help cities and schools during cyber emergencies.

Trusted human networks are still the best way to deliver cybersecurity help. In an environment where bugs are found faster than humans can patch them and we rely on AI for cyber defense, access to hands-on cybersecurity expertise is essential.

Luckily, these local support networks exist, and they need to be expanded and scaled. Consider just some of the public service-minded groups already working in communities to help. Members of the Cyber Resilience Corps — including the Consortium of Cybersecurity Clinics; state civilian cyber corps in Wisconsin, Maryland and Ohio; DEFCON Franklin and the CyberPeace Builders — have deployed thousands of knowledgeable cyber volunteers.

Regional Security Operations Centers (RSOCs) in Arizona, Texas, Oregon and several other states provide ongoing cybersecurity support pro bono to public agencies, critical infrastructure and other community organizations. The CyberTrack program in Indiana has reached K-12 school districts, public libraries and municipal governments in the majority of the state’s counties. Specialized nonprofits are stepping up to fill gaps in managed security services for community organizations unable to afford corporate consulting rates. The cyber circuit riders build on a long tradition of federally funded technical assistance for our water systems. And research universities, including Berkeley and Vanderbilt, are bridging research and practice to better understand and replicate what works best.

The task now is to turbo-charge these human-centered initiatives to meet the new reality of AI’s capabilities. Anthropic calls its pre-release regime Project Glasswing, in reference to the glasswing butterfly, which can hide in plain sight.

Let's call this effort Project Kaleidoscope — the swarm of butterflies that we need to defend our communities. Here is a roadmap for how to put it into action:

  • Scale up cyber volunteering through existing platforms such as university-based cybersecurity clinics, state-based civilian cyber corps, and corporate volunteering.
  • Create and fund shared service hubs, such as RSOCs and managed security services providers (MSSPs), that could provide sustained cybersecurity support to community organizations at below-market cost. These hubs could partner with the frontier AI labs for early access to defensive models and deploy models like the cyber circuit riders to reach their constituencies.
  • Develop regional ecosystems and “connective tissue” that link volunteers, shared services and other government-provided resources into long-term support systems.
  • Embed cyber knowledge in communities, so organizations strengthen their understanding of cybersecurity and their role in protecting themselves.

Government, academia, industry and civil society all have a role to play, and we can act regardless of whether or how soon federal AI regulation arrives. Cyberattacks on community-serving organizations and critical infrastructure put everyone at risk and reveal our interdependencies. Hospitals need water. Small businesses need childcare. Utilities need city governments, and city governments need nonprofits.

A successful cyberattack on one organization has ripple effects across an entire community, and we can’t afford to wait for bugmageddon to occur. It’s time to include community organizations in our responses and invest in what really works on the ground: people who can help.

Authors

Ann Cleaveland
Ann Cleaveland is the Executive Director of the UC Berkeley Center for Long-Term Cybersecurity. She also chairs the Consortium of Cybersecurity Clinics, which she co-founded in 2021. Cleaveland has held leadership positions in philanthropy, non-profit management, and industry. She previously served ...
