U.S. banks with access to Anthropic’s Mythos AI are racing to remediate a broad set of IT weaknesses the tool has surfaced, accelerating software upgrades and emergency repairs and forcing institutions to consider the potential for increased customer disruption. Several sources with direct knowledge of the work said the largest lenders that can run Mythos are now uncovering issues the model reveals, and are communicating their findings to smaller banks that do not have direct access so those institutions can prepare.
Security specialists and banking executives say Mythos presents serious challenges to the industry’s legacy technology. "This is a wake-up call because cyber risk is moving to machine speed, while much of bank defense still operates at human speed," said Nitin Seth, co-founder & CEO of Incedo, a data, digital, and AI services firm. "It also breaks a long-standing assumption in banking security - that vulnerabilities can remain hidden for extended periods before they are discovered and weaponized."
As Wall Street banks test Mythos, they report the model is particularly adept at linking together lower-risk vulnerabilities into chains that become high-risk exposures. Sources said that capability is driving an urgent program of checks to ensure software is up to date. One source at a major bank described an accelerated cadence of fixes, and another person familiar with the findings confirmed that banks are moving faster than they previously would have.
Sources described Mythos as especially effective at probing both proprietary and open-source code, putting pressure on institutions to upgrade aging technology that may be at the end of its official software support. The model is surfacing anywhere from several hundred to thousands of vulnerabilities, most of which are ranked low to moderate, according to a source with knowledge of the assessments. The volume of findings and the speed at which they must be addressed are disrupting banks’ typical remediation timetables, with some patches being applied in days rather than the weeks that might previously have been allowed.
The spike in required fixes could lead banks to take systems offline more frequently to perform upgrades and patching, two people familiar with the situation said. Both sources emphasized, however, that banks are seeking to schedule such work in ways intended to minimize disruption to customers.
One person involved in the testing described the rapid evaluation of AI tools like Mythos as the new operating normal, adding that continuous, iterative testing will likely become part of security practices going forward.
Barriers for smaller institutions
Cost and computing requirements are limiting access to Mythos. Smaller banks generally lack the processing power necessary to run the model and face steep technology costs to do so, according to one person close to the matter. Despite those constraints, the largest banks have been sharing the data they extract with smaller firms to help them prepare and respond.
Like other generative AI products, Claude Mythos Preview is priced by the number of tokens it consumes. Anthropic has published pricing that charges $25 per million input tokens and $125 per million output tokens - five times the output cost - for the Mythos Preview, according to the material cited by sources. Anthropic has also said it would provide $100 million in credits to Glasswing partners and other Mythos customers to "cover substantial usage throughout this research preview."
Anthropic has released recommendations aimed at helping companies shore up defenses even if they do not have direct access to Mythos, and the company noted that another program, Claude Security, which can scan for vulnerabilities, is available to a wider set of organizations. Anthropic declined to comment on banks' specific findings tied to Mythos.
Responses from security teams and partners
Adam Meyers, who leads counter adversary operations at CrowdStrike and is part of Project Glasswing, described the early days of working with Mythos as requiring intensive setup. Within days of gaining access, Meyers said he and his team spent "a solid entire weekend trying to figure out how to best use this thing before we even started looking for bugs." He added that the model necessitated building "a whole methodology and a whole set of capabilities" to use it effectively and recalled his initial reaction: "oh boy."
A senior bank regulatory official characterized Mythos as meeting expectations for power and speed, noting that it is "extremely adept at quickly connecting the dots to highlight vulnerabilities that may have taken humans much longer to tie together."
Consultants caution that institutions without direct access should still protect their systems. Bernard Montel, Tenable’s EMEA Technical Director and Security Strategist, said that while many sectors face cyber risk, "the backbone of the banking sector is technology, that is the difference," meaning that disruptions in banks can hit core business operations.
Access and partnerships
Anthropic initially limited access to Mythos to partners in its Project Glasswing initiative and roughly 40 additional organizations. JPMorgan Chase was a publicly named launch partner, and Goldman Sachs, Citigroup, Bank of America and Morgan Stanley are among the large banks reported to have access. Participants in that group have been working through the vulnerabilities Mythos identifies and sharing insights to help other institutions respond.
Within the banks, teams performing these assessments have had to accelerate workflows and create new playbooks for remediation. Sources said that the model’s ability to chain lower-risk weaknesses into more serious combined vulnerabilities is one of the disruptive forces driving faster patching cycles.
Operational and market implications
The emergence of machine-driven discovery of vulnerabilities has led to fresh regulatory and policymaker attention, and the model’s findings have prompted warnings from security experts. Banks are balancing the need for rapid remediation with operational continuity concerns, and in many cases are attempting to sequence upgrades and patching so as to limit customer-facing disruption.
Anthropic’s leader Mike Krieger said the company considered both safety and business needs when setting prices for its AI. He described pricing as needing to be low enough to encourage usage while also "funding the business," and added, "We want to maximize the amount of aligned tokens flowing into the world."
For institutions that cannot run Mythos today, vendors and consulting firms recommend following Anthropic’s published guidance and employing other available scanning tools to detect and remediate vulnerabilities.
What banks are confronting
- Mythos is surfacing large volumes of vulnerabilities across proprietary and open-source codebases, many ranked low to moderate, but in aggregate able to form higher-risk exploit chains.
- Fixes that once were performed on multi-week schedules are being accelerated to days in some instances, increasing demands on security and IT teams.
- Smaller banks lack direct access to the tool and the processing resources to run it, relying instead on findings shared by larger institutions and guidance from Anthropic and other vendors.
As the financial sector adjusts to a new pace of vulnerability discovery, institutions are organizing around continuous testing and rapid remediation to close gaps identified by machine-speed tools.