Anthropic’s announcement on April 7 introducing Claude Mythos Preview has prompted a rapid re-evaluation of cyber risk within financial services after security specialists and the company said the model can autonomously perform advanced coding and agentic tasks. Analysts and security executives say those same abilities could be used to locate and exploit security weaknesses, a prospect that hits particularly hard in banking because many institutions operate technology ecosystems that mix modern tools with long-standing legacy software.
Complex architectures, abundant attack surface
Industry observers highlight that banks run interconnected systems where a small number of shared vendors and common solutions are ubiquitous. That concentration of software and services, combined with decades of incremental updates to older codebases, creates an environment in which an AI that can write high-quality code and act autonomously could surface previously hidden flaws across many institutions.
TJ Marlin, chief executive of enterprise AI security firm Guardrail Technologies, said Mythos Preview can assess multilayered architectures and expose vulnerabilities within legacy infrastructure that have gone unnoticed. Marlin warned that AI-assisted discovery of these defects across similar vendor stacks could act as a force multiplier, making any successful exploit potentially catastrophic when scaled across the industry.
Naresh Raheja, a San Francisco-based consultant and former regulator at the Office of the Comptroller of the Currency, emphasized the banking industry’s narrow software ecosystem for customer onboarding, know-your-customer checks and transaction processing. "Because it’s a very specialized industry and heavily regulated, there’s a lot of IT interconnections," Raheja said, noting that many banks rely on the same vendors and solutions, which could amplify the reach of a single exploit.
Government and industry engagement
Officials in at least three national governments - the United States, Canada and Britain - have met with senior banking executives to discuss the potential threats posed by the model. The U.S. Treasury said that Donald Trump’s administration is urging financial institutions "to understand and anticipate a wide range of market developments" and that additional meetings on the subject are planned.
Anthropic has said Claude Mythos Preview will not be made broadly available. Instead, the company launched Project Glasswing, inviting major technology firms, cybersecurity vendors and a set of financial institutions, including JPMorgan Chase, to a private evaluation program intended to test the model and prepare defensive measures.
When asked for further comment beyond its April 7 announcement, Anthropic declined to provide additional remarks.
Vulnerability research and technical findings
In accompanying technical materials, Anthropic’s researchers reported that Mythos Preview identified what they characterized as "thousands" of high- and critical-severity vulnerabilities. They said the model located defects across every major operating system and web browser and supplied examples of the kinds of issues it found. Among those examples was a 16-year-old vulnerability in the widely used FFmpeg library, which processes audio and video files, and a bug in an unnamed virtual machine monitor program that could undermine the isolation mechanisms virtual machines are intended to provide.
The Cloud Security Alliance, a coalition composed of cybersecurity executives and former senior U.S. government officials, warned in an April 12 strategy briefing that Mythos represents "a step change" in the trajectory of capable AI models. The group said the model lowers both the cost and the skill floor for discovering and exploiting vulnerabilities at a pace that could outstrip organizations' ability to patch them.
Costin Raiu, a veteran security researcher and co-founder of cybersecurity firm TLPBLACK, pointed to the age and layered nature of many banking systems. Raiu highlighted products from vendors including IBM as examples of legacy technologies that have been updated repeatedly over many years. He said a model like Mythos would "have a field day finding exploits" in certain IBM systems and described those systems as "one example of ancient technologies powering the financial industry."
Industry responses and limited public comment
On April 9 IBM published a blog post stating that Mythos is prompting enterprise security teams to "rethink their defenses from the ground up" and advocating a more open approach that would give a broader set of companies and researchers access to the model to help strengthen collective defenses. IBM did not respond to follow-up requests for comment.
JPMorgan Chase confirmed in a statement that it is among a group of leading companies participating in private evaluations of Mythos. The bank described the engagement as "a unique, early-stage opportunity to evaluate next-generation AI tools for defensive cybersecurity across critical infrastructure." JPMorgan Chase did not provide additional comment in response to a message seeking more detail.
Other major financial institutions and industry groups either declined to comment or did not respond. Wells Fargo did not reply to a message. FS-ISAC, the nonprofit organization that supports cybersecurity across the global financial system, did not respond to written questions. Bank of America, Citibank, the American Bankers Association and the Consumer Bankers Association all declined to comment when asked.
Implications for financial networks
Security experts reiterated that the combination of an AI capable of autonomous code generation and a financial sector reliant on interconnected, sometimes decades-old systems could increase both the speed and the scale at which vulnerabilities are identified and exploited. That mix of capability and exposure is what prompted meetings among governments and bank leaders and what underlies Anthropic’s Project Glasswing effort to limit public exposure while allowing selected organizations to test defensive measures.
Where public comment has been limited, industry stakeholders have moved to private channels for assessment and coordination. The full extent of vulnerabilities flagged by Mythos Preview and the effectiveness of the defensive work underway will depend on how quickly institutions and vendors can evaluate, share, and patch the issues that have been disclosed or that the model may continue to surface.