
Anthropic built an AI that's great at breaking into software, and doesn’t want to release it. Claude Mythos Preview exists specifically to find and exploit vulnerabilities, and access is locked to a small group of known partners through a program called Project Glasswing. Major companies like Microsoft, Apple, Google, Amazon, Nvidia, Cisco, CrowdStrike, the Federal Reserve, and the Linux Foundation are involved in this project.
Scott Bessent and Jerome Powell pulled together some of the most powerful names in American banking at Treasury headquarters to talk about what Mythos and models like it mean for the financial system. Citigroup, Morgan Stanley, Bank of America, Wells Fargo, and Goldman were all in the room, according to sources who spoke to Bloomberg and the Financial Times. Jamie Dimon was invited but couldn't make it.
Anthropic describes Mythos Preview as its most capable model to date, with a significant jump in coding and security performance over every prior Claude version. In internal and external evaluations, the model autonomously identified thousands of high severity vulnerabilities across every major operating system and browser Anthropic tested, including zero days that had been sitting undetected in production software for decades. To accompany the launch, Anthropic committed up to $100 million in usage credits and $4 million in direct funding through Project Glasswing, available specifically to open source security organizations so they can run Mythos against widely deployed software and close gaps before anyone with bad intentions finds them first.
In controlled cyber range tests, the model found vulnerabilities together with working exploits, completing full attack simulations that human red teams estimated would take many hours. It found flaws in places where existing automated scanners had run millions of passes and flagged nothing, including in Firefox's JavaScript engine and various multimedia libraries. Fewer than one percent of the vulnerabilities it identified have been fully patched at this point, which gives you a sense of how much ground the security community now has to cover.
Most of the infrastructure the crypto industry depends on (exchanges, custodians, node operators, rollup sequencers, DeFi backends) sits on top of the same Linux and open source stacks that Mythos is now auditing. That software, shared with banks, hospitals, and government systems, turns out to have been carrying serious vulnerabilities for years that nobody caught. A kernel level bug or a flaw in a widely used library isn't just an enterprise problem when you're thinking about crypto; it's a potential entry point into a hot wallet, a key management system, a bridge validator, or an indexing service. Mythos gives defenders a meaningful head start on finding and closing those gaps, but it also surfaces how much risk has quietly gone unnoticed.
For banks, law firms, and any enterprise with sensitive data, the lesson from Mythos is that proprietary systems are not safe from this. Most critical applications and sensitive datasets run on top of operating systems and open source code, and that software now appears to have been carrying vulnerabilities for decades in some cases. The main risk on an institution's balance sheet might not be a counterparty but its own software stack, and models like Mythos are making this clear.
Anthropic framing Mythos as too dangerous to release publicly could just be a marketing stunt. But independent reporting on thousands of real vulnerabilities, bugs with decades of exposure time, and successful end to end attack simulations in controlled environments suggests it’s real. This could be an early version of something much larger, as security researchers broadly expect that within a few years both attackers and defenders will be operating fleets of AI agents that test systems continuously, around the clock, at a scale no human team can come close to matching. Systems in both traditional finance and crypto will need AI driven monitoring and response as a baseline, along with stronger decentralized systems to prevent a single point of failure.