Anthropic's Mythos Raises Alarms Across Global Banking

Anthropic announced the new model Claude Mythos on April 7, describing it in an April 7 company note as a "watershed moment for cybersecurity" and saying it had already found "thousands of high-severity vulnerabilities" across major operating systems and web browsers, per reporting in Economic Times and Reuters. Reporting by Reuters and Bloomberg says the model is the company's "most capable yet for coding and agentic tasks," with capabilities that security experts warn could lower the skill barrier for sophisticated exploits. Multiple jurisdictions convened meetings: India held a high-level session chaired by Finance Minister Nirmala Sitharaman, per Economic Times, and U.S., U.K., Canadian and Australian officials met with banks to discuss the risk, according to Reuters and Bloomberg. Anthropic has provided restricted early access under an initiative reported as "Project Glasswing," granting preview access and usage credits to selected technology and security partners, per Economic Times. The Wall Street Journal reports Anthropic is investigating a claim of unauthorized access to Mythos via a third-party contractor, and Cybernews and other outlets report small groups on Discord gained uninvited access.

Per public reporting, Claude Mythos is being positioned as significantly stronger at software engineering, vulnerability discovery and agentic tasks than prior models, with third-party metrics cited in coverage, for example, ARK Invest highlighted a 93.9% score on SWE-bench Verified and 83.1% on CyberGym in Yahoo Finance coverage. Reuters quoted cybersecurity practitioners who said the model can "look across a very complex architecture," surfacing latent weaknesses in legacy systems that are common across banks. Reporting from multiple outlets also notes Anthropic's approach of tightly controlled previews rather than broad public release.

Editorial analysis: Industry context: Companies and regulators are treating Claude Mythos differently from a conventional model release because the combination of high-level coding, automated reasoning and agentic capability compresses what skilled human attackers can do. Observed patterns in similar transitions show that capability-plus-access friction is the central control point for risk management, which is why firms and governments are prioritizing access controls and red-team testing.

Reporting emphasizes the systemic angle: banks run interconnected stacks that mix modern tooling with decades-old code and vendor integrations, which experts told Reuters amplifies exposure. Cloud Security Alliance and other specialists quoted in coverage warn that models like Claude Mythos can lower the expertise bar for finding and operationalizing exploits, increasing the potential speed and scale of attacks. Central bank statements cited by Bloomberg, including the Reserve Bank of Australia saying it is "engaging with peer regulators, government and regulated entities," reflect concern about systemic resilience rather than single-institution incidents.

Editorial analysis: For practitioners: Security teams should interpret the current response as an acceleration of practices already emerging in the sector: wider use of threat modeling for machine-assisted exploits, prioritization of attack-surface reduction for legacy integrations, and expansion of adversarial testing that simulates AI-augmented attack chains. These are industry-level observations, not assertions about any single firm's internal plans.

• •Whether Anthropic's investigation into reported unauthorized access produces a public finding, and whether regulators seek evidence or mandate disclosure, per Wall Street Journal and Cybernews reports.
• •Adoption and scope of "Project Glasswing" testers and whether government agencies obtain access under new arrangements, per Economic Times and Reuters coverage.
• •Changes in vendor and third-party risk assessments at banks, especially for shared onboarding and transaction systems that multiple institutions use, as highlighted by experts quoted in Reuters.
• •Emergence of new tooling or commercial offerings positioned as defenses against AI-assisted exploitation, which some market commentators cited by Yahoo Finance and Reuters say could see greater demand.

Editorial analysis: Observers will also watch precedent-setting regulatory and disclosure actions because those responses can shape corporate risk budgets and incident-response playbooks across the financial sector.

In sum, multiple reputable outlets report that Claude Mythos has prompted unusually visible regulator and industry attention because of its combination of advanced coding and agentic capabilities, controlled preview access, third-party performance claims, and at least one reported unauthorized-access investigation. The coverage combines direct company statements, expert commentary and central bank/finance ministry engagement; interpretation in this note is labeled as editorial where applicable.