Anthropic Mythos AI discovers thousands of zero-day vulnerabilities while the Federal Reserve and Treasury gather bank CEOs to discuss cyber risks.
TL;DR: Anthropic's Claude Mythos Preview has identified thousands of zero-day vulnerabilities in major operating systems and browsers, prompting the Federal Reserve chair and Treasury secretary to meet with bank executives. The company warns there is a six-to-twelve month window for addressing these weaknesses before adversaries can replicate the technology.
Anthropic has developed an AI model that uncovered thousands of zero-day vulnerabilities in all major operating systems and web browsers. In response, the Federal Reserve chair and the Treasury secretary held discussions with bank CEOs regarding the implications. The company cautions that there is a six-to-twelve month timeframe to rectify these issues before adversaries create models capable of similar discoveries. The cybersecurity sector has suggested that this threat has been present for a while. Both perspectives are valid.
The model in question, Claude Mythos Preview, has not been made public yet. During controlled tests, it outperformed all but the most proficient humans in detecting and exploiting software vulnerabilities, uncovering flaws that had been unidentified for years, such as a 27-year-old bug in OpenBSD and a 17-year-old remote code execution vulnerability in FreeBSD. Anthropic CEO Dario Amodei referred to this period as a "moment of danger," warning of a significant increase in vulnerabilities, breaches, and the financial damages from ransomware affecting not only banks but also schools and hospitals.
The discovery: Mozilla launched Firefox 150, addressing 271 security vulnerabilities flagged by Mythos in a single assessment. This number is notable not due to Firefox's inherent insecurity but because a human team had not previously uncovered these issues, which accumulated over years of development and serve as potential entry points for attackers equipped with the right tools. Mythos identified all 271 vulnerabilities in just one scan.
The capabilities of the model raise a vital question that the cybersecurity industry must now tackle: what occurs when the cost of discovering vulnerabilities approaches zero? The fundamental economics of cybersecurity rely on the imbalance between attackers, who need to find just one flaw, and defenders, who must secure all vulnerabilities. Mythos diminishes costs on both fronts; defenders can scan their entire codebase for previously unknown flaws, while attackers can replicate this process once they construct or acquire similar models.
The response: Anthropic opted for a controlled rollout, termed Project Glasswing, giving around 40 tech companies and institutions initial access to Mythos to enhance their systems. Central banks and governments are notably absent from this list, deliberately creating an asymmetry to provide defenders a head start before this capability becomes broadly accessible.
Financial regulators reacted promptly. Federal Reserve Chairman Jerome Powell and Treasury Secretary Scott Bessent convened a meeting with CEOs of major US banks to address the cyber threats presented by Mythos. The IMF warned about AI-driven cyber risks to the global banking sector. The concern lies not in the potential use of Mythos for direct attacks on banks, but in the ability of adversaries to replicate the superhuman speed of automated vulnerability discovery that Mythos showcases, outside of Anthropic’s responsible disclosure framework.
Anthropic also delivered financial services agents on the heels of announcing a $1.5 billion partnership on Wall Street, reflecting its dual role as both a source of warnings about AI-related cyber threats and a provider of AI products to banks. The partnership with Blackstone and Hellman & Friedman involves around $300 million from Anthropic, aimed at integrating AI into private equity operations.
The race: Amodei's six-to-twelve month estimate refers to how long it might take Chinese AI companies to create models with similar vulnerability-discovery capabilities. The question is not whether adversaries will achieve analogous capabilities, but when. The controlled distribution of Mythos gives early-access companies sufficient time to fix their most critical vulnerabilities before the window closes.
OpenAI has released GPT-5.4-Cyber for approved security teams, expanding its Trusted Access initiative in direct response to Mythos's findings. The competitive landscape between Anthropic and OpenAI has extended from commercial AI ventures to the realm of cybersecurity, with both companies positioning themselves as guardians of the software infrastructure that they could potentially compromise.
Researchers have already shown that AI agents developed by Anthropic, Google, and Microsoft can be exploited through prompt injection to extract API keys and tokens, resulting in all three companies paying bounties without making public disclosures. The irony is clear: the AI agents designed to bolster security may themselves be susceptible to attacks that could undermine the very systems they are intended to protect.
The tension: The cybersecurity community's reaction to the Mythos announcement has ranged from alarm to skepticism. Security researchers highlight that AI-assisted vulnerability discovery has been evolving for years, suggesting that the capabilities exhibited by Mythos, while impressive, represent an acceleration of established trends rather than a radical shift. The risk of AI-driven cyberattacks was flagged by the UK’s National Cyber Security Centre over a year ago. What changes with Mythos is not the existence of the threat, but the clarity of the evidence.
Anthropic's position is
