Anthropic’s Mythos and cyber risk

Anthropic’s new Mythos model has pushed bank cyber risk from a technical issue into a boardroom and regulatory problem in one week. (reuters.com) Anthropic announced Claude Mythos Preview on April 7 and said it was its “most capable yet” model for coding and agentic work. The company did not release it broadly, instead limiting access through Project Glasswing after saying the model had already found thousands of high-severity vulnerabilities. (anthropic.com) Banks are a focal point because many still run layers of old and new software together, including decades-old core systems that are hard to replace and hard to patch. Reuters reported on April 13 that security experts warned Mythos could help attackers craft more sophisticated campaigns against those legacy environments. (reuters.com) In plain terms, the model is built to read code, test ideas, and trace how one flaw can lead to another, like finding loose boards in a house and then mapping the fastest way through every weak room. Anthropic’s cyber research team said Mythos is “strikingly capable at computer security tasks” and described evaluations in which it identified vulnerabilities across major software systems. (red.anthropic.com) That is why U.S. officials pulled bank chiefs into Washington. Reuters reported Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an urgent meeting with major bank chief executives during the week of April 7 to warn about cyber risks tied to Mythos. (reuters.com) The list of attendees reported by Reuters and CNBC included the chiefs of Citigroup, Morgan Stanley, Bank of America, Wells Fargo and Goldman Sachs. JPMorgan Chase Chief Executive Jamie Dimon was invited but did not attend, while JPMorgan itself was named by Anthropic as a Project Glasswing launch partner. (cnbc.com) Anthropic is framing the model as a defensive tool before it becomes an offensive one in wider circulation. Project Glasswing includes Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks, and Anthropic said it is committing up to $100 million in usage credits and $4 million in donations to open-source security groups. (anthropic.com) Markets read the same facts more darkly. A MarketMinute commentary published April 14 said investors were repricing cybersecurity companies after Anthropic’s disclosures, arguing that the cost of finding critical software flaws could fall sharply as advanced models improve. (markets.financialcontent.com) That sell-off reflects a new split in the industry: the same model that can help defenders scan code faster can also lower the skill and time needed to build attack chains if it leaks or proliferates. Anthropic said directly that it expects such capabilities to spread and warned the fallout for economies, public safety and national security “could be severe.” (anthropic.com) For banks, the immediate question is not whether Mythos exists but how quickly they can harden old systems before similar tools become easier to access. Anthropic’s decision to keep Mythos inside a small circle for now shows how little margin the industry thinks it has. (reuters.com)