Anthropic’s Mythos alarms

Anthropic’s Mythos model has set off a rush inside Washington and Wall Street after tests showed it could find and exploit software flaws on its own. (anthropic.com) Mythos is not a public chatbot release. Anthropic said on April 7 it would keep the model inside Project Glasswing, a restricted program for launch partners including Amazon Web Services, Apple, Google, JPMorganChase, Microsoft and Palo Alto Networks. (anthropic.com) In cybersecurity terms, a vulnerability is a hidden weakness in code, and an exploit is the working break-in method built from that weakness. The UK AI Security Institute said Mythos, when given network access in controlled tests, could carry out multi-stage attacks on vulnerable networks and autonomously discover and exploit flaws that would take human professionals days. (aisi.gov.uk) The same institute said Mythos succeeded on 73% of expert-level capture-the-flag tasks, a standard security test in which systems are probed for hidden weaknesses. It also said no model could complete those expert tasks before April 2025. (aisi.gov.uk) Anthropic says the model’s gains come from stronger coding and reasoning, not from being built only for hacking. In its system card, the company called Mythos its “most capable frontier model to date” and said that jump in capability was the reason it would not make the system generally available. (anthropic.com) That decision pulled governments and banks into the story almost immediately. The New York Times reported on April 17 that federal agencies had requested access to Mythos because Anthropic says it can rapidly identify, and potentially create, new cyberthreats. (nytimes.com) CNBC reported that Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell met major U.S. bank chief executives in Washington during the week of April 6 to discuss cyber risks tied to Mythos. Bloomberg also reported that Wall Street banks began testing the model internally as U.S. officials urged them to use it to detect vulnerabilities. (cnbc.com) (finance.yahoo.com) Anthropic is framing the rollout as a defensive race. The company said it has extended access to more than 40 additional organizations that build or maintain critical software infrastructure, and committed up to $100 million in usage credits plus $4 million in donations to open-source security groups. (anthropic.com) The company is also testing a softer path to broader deployment. On April 16, Anthropic released Claude Opus 4.7 as its generally available model and said it is less capable in cyber tasks than Mythos, with automatic systems to detect and block prohibited or high-risk cybersecurity requests. (anthropic.com) Outside experts are not all describing the risk in the same way. Scientific American reported on April 17 that cybersecurity specialists broadly agree Mythos marks a real capability increase, while some dispute the most alarming claims and argue the practical danger depends on access controls and how quickly defenders patch what the model finds. (scientificamerican.com) For now, the central fact is simple: Anthropic built a model it says is too capable to release widely, and regulators, banks and security agencies are now trying to see it before someone else builds the same thing with fewer limits. (anthropic.com 1) (anthropic.com 2)