Last week, something happened that has never happened before in the history of cybersecurity.
The U.S. Treasury Secretary and the Chairman of the Federal Reserve personally called an emergency meeting with the CEOs of the largest banks in the country. Not their CISOs. Not their IT directors. The CEOs. Brian Moynihan of Bank of America. Jane Fraser of Citigroup. David Solomon of Goldman Sachs. Ted Pick of Morgan Stanley. Charlie Scharf of Wells Fargo.
The topic was not interest rates. It was not inflation. It was not a looming recession.
It was a single AI model.
What Is Mythos?
On April 7, 2026, Anthropic announced Claude Mythos Preview and an accompanying initiative called Project Glasswing. Mythos is a frontier AI model that, according to Anthropic's own Frontier Red Team, can autonomously discover zero-day vulnerabilities in every major operating system and every major web browser. Not theoretical vulnerabilities. Real, exploitable, previously unknown flaws in the software that powers the entire global internet.
Some of these vulnerabilities had been sitting undetected for over two decades. One bug in OpenBSD, an operating system literally famous for its security hardening, was 27 years old. Another in FFmpeg, one of the most widely used multimedia libraries on the planet, had been hiding for 16 years. The FFmpeg vulnerability traces back to a 2003 commit introducing the H.264 codec and was made exploitable during a 2010 refactor. Automated fuzzers hit the affected code path five million times without catching it. These are codebases that have been audited by thousands of skilled security researchers over many years, and this model found what they all missed.
But discovery is only half the story. What makes Mythos different from anything that came before is its ability to chain vulnerabilities together. Anthropic's Frontier Red Team confirmed that Mythos can autonomously link three, four, or even five separate vulnerabilities into sophisticated end-to-end exploit chains. In one documented case, it wrote a browser exploit that chained four independent bugs, constructed a JIT heap spray, and escaped both the browser renderer sandbox and the operating system sandbox. Autonomously. No human guidance.
"The model can identify undisclosed vulnerabilities, write code to exploit them, and chain those exploits together to penetrate complex software, all on its own."
— Logan Graham, Frontier Red Team Lead, Anthropic
That is not an incremental improvement. That is a paradigm shift.
Why the Banking Industry Is Panicking
When Treasury Secretary Scott Bessent and Fed Chair Jerome Powell sat down with Wall Street's most powerful executives on April 8, the message was direct: this technology changes the threat landscape for financial services, and you need to prepare now.
The urgency makes sense when you consider how modern banking works. Every major financial institution runs on a shared technology stack: operating systems, web browsers, cloud platforms, APIs, authentication layers, third-party libraries, and internal applications. A vulnerability in any one of those layers can cascade across the entire system. Banks are not just protecting their own code. They are exposed to every flaw in every piece of software they depend on.
The fear is not just that AI can find bugs. The fear is that AI can find bugs in combinations that no human would ever think to look for, and then weaponize them faster than any human could respond. When the median time from vulnerability disclosure to active exploitation has already dropped from over two years to single-digit hours, adding AI-powered autonomous exploit generation into the mix creates a threat velocity that most organizations are simply not built to handle.
Kevin Hassett, director of the White House National Economic Council, confirmed that Bessent and Powell walked bank leaders through the cyber risks so they understood the full scope of what is coming.
And it is not just the United States. British financial regulators, including the Bank of England, the Financial Conduct Authority, and the Treasury, are now in urgent talks with the National Cyber Security Centre to assess whether Mythos-class capabilities pose a direct threat to IT systems used in UK finance. Banks, insurers, and exchanges will be briefed by regulators within the next two weeks.
This is no longer a technology conversation. It is a financial stability conversation. Governments are treating AI-enhanced cyber threats as systemic risk, the same category as a banking crisis or a sovereign debt default.
The Glasswing Paradox
Anthropic's response to discovering what Mythos could do was, to their credit, to restrict it. They did not release it publicly. Instead, they launched Project Glasswing, giving access to 12 major technology companies and over 40 additional organizations, along with up to $100 million in usage credits and $4 million in direct donations to open-source security organizations. The partners include AWS, Apple, Google, Microsoft, Nvidia, Cisco, CrowdStrike, Palo Alto Networks, JPMorgan Chase, the Linux Foundation, and Broadcom.
The goal is defensive: find the vulnerabilities and patch them before attackers develop models with similar capabilities.
But here is the uncomfortable truth that every security professional needs to internalize: Anthropic is not the only lab building models like this. OpenAI is reportedly developing its own cybersecurity-focused capabilities, and a model internally called "Spud" has completed pre-training, though the exact scope of its offensive security applications remains unclear. And as Charlie Eriksen, a security researcher at Aikido Security, warned:
"This technology is moving so fast that it's naive to assume others aren't able to easily replicate similar results, if not already, at least very soon. Anybody with a computer can develop very powerful offensive cyber capabilities in a short amount of time, without needing a lot of expertise in cybersecurity."
— Charlie Eriksen, Security Researcher, Aikido Security
That last part is the part that should scare you. The barrier to entry for sophisticated cyberattacks just collapsed.
What This Means for Every Organization
If the U.S. government is convening emergency meetings with the CEOs of the largest banks in the world over AI-driven cyber risk, what does that tell you about the threat to your organization?
Here is what it tells us:
The Old Model of Security Is Dead
Annual compliance scans and checkbox security audits were already insufficient. In a world where AI can autonomously discover and chain zero-day exploits across your entire technology stack, they are practically useless. You cannot defend against threats that move at machine speed with processes that move at human speed.
Point-in-Time Assessments Are Not Enough
A penetration test from six months ago tells you what your attack surface looked like six months ago. Your attack surface today is different. New services have been deployed. New dependencies have been introduced. New configurations have been pushed. The vulnerabilities that existed last quarter may have been patched, but new ones have taken their place. Attackers are not constrained by your testing schedule, and neither are the AI tools they will soon be armed with.
Shadow IT and Unknown Assets Are Your Biggest Liability
A significant percentage of breaches involve assets the security team did not know existed. Forgotten subdomains, staging environments, exposed APIs, development servers that were supposed to be temporary. These are the exact types of targets that AI-powered reconnaissance will find first, because they are the ones nobody is watching.
Offensive Security Is the Only Honest Assessment
Vulnerability scanners tell you what might be wrong. Penetration testers tell you what is actually exploitable and what the real-world impact would be. In the age of AI-augmented attacks, you need to know not just where your vulnerabilities are, but how they chain together, because that is exactly what your adversaries will be doing.
What You Should Do Right Now
Stay grounded. Do not panic. But do not be complacent either.
Get a Penetration Test
If you have not had a professional penetration test in the last six months, you are operating blind. A real pentest, conducted by experienced offensive security professionals, will show you what an attacker actually sees when they look at your organization. It will identify the vulnerabilities, the misconfigurations, and the attack chains that automated tools miss. This is no longer a "nice to have." It is a survival requirement.
Implement Continuous Attack Surface Monitoring
Your external perimeter is changing constantly. Every deployment, every new SaaS integration, every DNS change creates potential exposure. Continuous monitoring ensures you see what attackers see, in real time, not once a quarter.
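One way to put this into practice, together with the earlier point about unknown assets, is to diff each external scan against both the previous scan and the approved asset inventory. The sketch below is an added example, not code from the original article; the hostnames, ports, owners and snapshot format are constructed for illustration.

```python
# Constructed sample data: hostnames, ports and owners are illustrative, and the
# snapshot format (hostname -> set of exposed TCP ports) is an assumption.
INVENTORY = {  # approved external assets and their owners
    "www.example.com": {"owner": "web-team", "ports": {443}},
    "api.example.com": {"owner": "platform", "ports": {443}},
    "vpn.example.com": {"owner": "netops", "ports": {443}},
}
PREVIOUS = {  # yesterday's external scan
    "www.example.com": {443},
    "api.example.com": {443},
    "vpn.example.com": {443},
}
CURRENT = {  # today's external scan
    "www.example.com": {443},
    "api.example.com": {443, 8080},        # new port on a known host
    "staging-old.example.com": {22, 443},  # host nobody registered
}
RANK = {"high": 0, "medium": 1, "low": 2}


def diff_surface(inventory, previous, current):
    """Return (severity, kind, host, ports) findings, most severe first."""
    findings = []
    for host, ports in current.items():
        known = inventory.get(host)
        if known is None:
            # Reachable from outside but absent from the inventory: shadow IT.
            findings.append(("high", "unknown_asset", host, sorted(ports)))
            continue
        unapproved = ports - known["ports"]
        if unapproved:
            # Separate what appeared since the last scan from long-standing drift.
            newly = unapproved - previous.get(host, set())
            kind = "new_exposure" if newly else "standing_exposure"
            findings.append(("medium", kind, host, sorted(unapproved)))
    for host in previous.keys() - current.keys():
        # A host that vanished may leave stale DNS or inventory entries to retire.
        findings.append(("low", "disappeared", host, sorted(previous[host])))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[2]))


if __name__ == "__main__":
    for severity, kind, host, ports in diff_surface(INVENTORY, PREVIOUS, CURRENT):
        owner = INVENTORY.get(host, {}).get("owner", "UNOWNED")
        print(f"{severity:6} {kind:17} {host:26} ports={ports} owner={owner}")
```

Run on every scan, the `UNOWNED` findings are the ones to triage first, since nobody is currently responsible for patching them.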
Prioritize Remediation, Not Just Detection
Finding vulnerabilities is only valuable if you fix them. The organizations that will survive the AI-augmented threat landscape are the ones that can move from discovery to remediation fastest. That means having a clear process, clear ownership, and clear timelines for patching critical findings.
Assume the Attackers Will Have AI Too
Every capability that Mythos demonstrates on the defensive side will eventually be available on the offensive side. Plan accordingly. Test your defenses against sophisticated, multi-step attack scenarios. Validate that your detection and response capabilities can keep up.
Start Now
Not next quarter. Not after the next board meeting. Now. The window between when these capabilities emerge and when they proliferate is measured in months, not years. The organizations that use this window to harden their defenses will be in a dramatically better position than those that wait.
The Bottom Line
We are entering a new era of cybersecurity. AI models can now find vulnerabilities that survived decades of human review, chain them into sophisticated exploits, and do it all autonomously. The banking industry understands this. The U.S. government understands this. The question is whether you understand it too.
The attackers will be armed with these tools. The only question is whether you will have tested your defenses before they do.