Anthropic Mythos AI Finds Zero-Days, Fed Calls Bank CEOs
2 min readAnthropic has built an AI model that found thousands of zero-day vulnerabilities in every major operating system and browser, and the Federal Reserve chair just got on the phone with the country’s biggest banks about it. The company says there is a six to twelve month window to patch the flaws before adversaries build models that can do the same thing.
What Mythos Actually Does
Claude Mythos Preview is an unreleased Anthropic frontier model with a coding and vulnerability discovery capability that surpasses all but the most skilled human researchers. In controlled testing, it uncovered software flaws that had gone undetected for decades, including a 27 year old bug in OpenBSD and a 17 year old remote code execution flaw in FreeBSD. According to The Next Web, Mozilla shipped Firefox 150 with fixes for 271 vulnerabilities Mythos identified in a single evaluation run.
The Fed Picks Up the Phone
Federal Reserve Chair Jerome Powell and Treasury Secretary Scott Bessent convened a meeting this week with CEOs from JPMorgan Chase, Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley to discuss the risk. The IMF echoed the warning, flagging AI powered cyber threats to the global banking system. The concern is not Mythos itself. It is the capability Mythos demonstrates, automated discovery of vulnerabilities at superhuman speed, which adversaries will eventually replicate without Anthropic’s responsible disclosure practices.
Anthropic CEO Dario Amodei described the current period as a “moment of danger” and warned of “some enormous increase in the amount of vulnerabilities, in the amount of breaches, in the financial damage that’s done from ransomware on schools, hospitals, not to mention banks.”
Project Glasswing and the Six Month Race
To buy time, Anthropic launched Project Glasswing, a controlled rollout giving roughly 40 technology companies and institutions early access to Mythos so they can scan and patch their own codebases. The list pointedly excludes most central banks and foreign governments. The asymmetry is intentional, designed to give defenders a head start before models of comparable capability spread outside the West.
OpenAI has already responded with GPT 5.4 Cyber for vetted security teams, signaling that the competitive front between the major AI labs has expanded from coding assistants and chatbots into national scale cybersecurity. The unresolved question is whether twelve months is enough time to patch decades of accumulated software debt before adversaries close the gap.