The UK government has issued urgent warnings to businesses after Anthropic’s new AI model discovered thousands of previously unknown high-severity vulnerabilities across every major operating system and web browser. The model, called Claude Mythos Preview, has prompted emergency meetings between Bank of England officials and major banks while the AI Security Institute confirmed the technology represents “a step up” over previous models in cyber threat capability.
Anthropic restricted Mythos’s release to a limited group of technology and financial partners through Project Glasswing after determining the model posed unprecedented cybersecurity risks. According to the company, over 99 percent of the vulnerabilities identified by Mythos remain unpatched, some having gone undetected for decades.
The Model That Made Regulators Panic
UK AI Security Institute testing confirmed Mythos can execute multi-stage attacks on vulnerable networks and discover exploits autonomously which are tasks that typically require days of work from human professionals. On expert-level capture-the-flag challenges that no model could complete before April 2025, Mythos succeeds 73 percent of the time, according to AISI researchers.
But the AISI evaluation comes with a significant caveat that Anthropic’s marketing has glossed over. The testing environment lacked active defences, monitoring or incident response capabilities. “We cannot say for sure whether Mythos Preview would be able to attack well-defended systems,” AISI researchers stated. In other words, the model excels against sitting targets but remains untested against real enterprise security.
Ciaran Martin, former head of the National Cyber Security Centre and now Professor at Oxford’s Blavatnik School of Government, offered a measured take on the findings. “The AISI report has brought much needed rigorous realism to the frenzy,” Martin said. “It shows that the hacking capabilities of AI are speeding up even more rapidly than previously thought.”
Treasury Secretary Summons Wall Street
US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened Wall Street executives including Goldman Sachs CEO David Solomon and Bank of America CEO Brian Moynihan to discuss Mythos’s implications for financial system stability. Goldman Sachs confirmed it has access to the model and is working with Anthropic to strengthen security controls.
Bank of England Governor Andrew Bailey has warned of potential systemic cyber risks while UK authorities are coordinating responses through the Cross Market Operational Resilience Group. The unprecedented regulatory response reflects genuine concern that AI-driven vulnerability discovery now outpaces the ability of defenders to patch systems.
“Organizations are already struggling to keep up with patching across both IT and OT environments and AI is only accelerating that gap,” said cybersecurity expert Jennifer Fry to Fortune. “As vulnerability discovery and exploit development move faster, the idea that you can remediate everything in time just doesn’t hold.”
What Companies Should Do This Week
The UK’s guidance to businesses echoes familiar themes: patch systems, monitor networks, prepare incident response plans. The difference is urgency. Mythos’s ability to write n-day exploits autonomously means patch cycles must be shortened significantly, according to Anthropic’s own advisory.
“Software users and administrators will need to drive down the time-to-deploy for security updates including by tightening the patching enforcement window, enabling auto-update wherever possible and treating dependency bumps that carry CVE fixes as urgent, rather than routine maintenance,” Anthropic warned.
The company is providing $100 million in Mythos usage credits to Project Glasswing participants and donating $4 million to open-source security efforts. The initiative includes the Linux Foundation and 40 organisations that build critical software infrastructure, all working to identify and fix vulnerabilities before similar AI tools reach wider audiences.
Anthropic estimates the window for defensive action may be limited. Security expert Alex Stamos, formerly of Facebook and Yahoo, told Platformer that “we only have something like six months before the open-weight models catch up to the foundation models in bug finding.” That timeline puts the entire discussion of controlled release into a different context, the capabilities will proliferate regardless of any single company’s restrictions.
References
- UK AI Security Institute: Our evaluation of Claude Mythos Preview’s cyber capabilities
- UK warns businesses to address cyber risks amid Anthropic AI panic
- Anthropic’s Mythos finds software flaws faster than companies can fix them
- Why Anthropic’s new model has cybersecurity experts rattled
- Anthropic’s Mythos model sparks cybersecurity concerns
- Testing reveals Claude Mythos’s offensive capabilities and limits
- UK banks get their Mythos briefing within days
This post is also available in:
Svenska
Related News
Most Dangerous Cyberattack Techniques in 2026: Insights from SANS
SANS Institute researchers made an unprecedented disclosure at RSAC 2026: artificial intelligence features in every single one of this year's five most dangerous new attack…
March 26, 2026 