Anthropic and Mythos: why a banking threat quickly became a risk for everyone

Anthropic released Mythos as a model that is dangerous to release in open access, and thereby shifted the conversation about AI from the plane of "is it more convenient to work" into the plane of "do we have time to protect ourselves". At first glance, the concern seems like a story only about banks: after the announcement, US Treasury Secretary Scott Bessent gathered Wall Street executives and demanded assurance that their systems are ready for a new wave of cyber risks. But the most unpleasant conclusion is different: if even organizations with the most protected IT perimeters in the world are nervous about such a model, then for thousands of ordinary companies the threat is even higher.

Judging by the description and initial assessments, Mythos does indeed differ from familiar mass models like ChatGPT or Gemini precisely in cyber scenarios. Research cited in the material shows that the model is better adapted to complex attacks and is particularly dangerous for simplified, "poorly protected" systems. At the same time, access to it is being sought not only by large companies but also by state structures: among the first organizations with access is the British Artificial Intelligence Safety Institute, and the US Treasury also insists on connection.

The very fact of such interest shows that this is no longer about demonstrating the power of another AI, but about a tool that can change the balance between attack and defense. The problem comes down to the old model of responding to vulnerabilities. For many years, the market lived by a responsible disclosure scheme: the vendor finds a hole, publishes details, releases a patch, and customers calmly test the update and roll it out across their infrastructure.

Microsoft itself turned this into a regular process known as Patch Tuesday. In major banks like Barclays or Wells Fargo, fixes go through a long route: verification, coordination, risk assessment for operating systems, and only then implementation. Before, this worked because attackers also needed time to study the bug description, come up with an exploitation method, and bring the attack to a working state.

Generative AI, and then agent models, began to break this logic. Now a system can not only read publications about vulnerabilities but also search for similar weaknesses in open code itself, try out attack variations, and link several small errors into one multi-step attack. Because of this, the window for defense shrinks sharply.

According to zerodayclock.com, the average time between vulnerability discovery and the appearance of a working exploit has shortened from 771 days in 2018 to less than four hours now. This is where it becomes clear why the panic around Mythos should not be limited to Wall Street.

"Black hat" hackers have never particularly liked going after banks, where there is a high level of control and multi-layered protection. It is much more profitable to attack hospitals, contractors, regional services, or a small store with poorly configured infrastructure and demand ransom. If models like Mythos lower the barrier to entry for such attacks and speed up their preparation, then the main zone of risk shifts to where there are fewer people, less budget, and almost no time to respond.

At the same time, the story strengthens the aura of Anthropic itself as the company that first publicly designated a new boundary of danger. The main question now is not who exactly will get access to Mythos, but whether the previous speed of cyber defense is viable. If only a few hours remain between vulnerability disclosure and a real attack, monthly patch cycles begin to lose their meaning.

Banks may be able to transition to almost continuous updates, automated verification, and stricter change management. Small and medium-sized businesses without cheap protection services, new supplier requirements, and probably regulatory assistance will have a much harder time. That's why Mythos is important not as another sensational model, but as a warning: the era in which weeks and months were given to fix mistakes is ending.