Treasury Rushes to Access Anthropic 'Mythos' AI After Warning It Can Hack "Every Major Operating System"

(Zero Hedge) -- The US Treasury Department's technology team is actively seeking access to Anthropic PBC's highly restricted Mythos AI model so it can begin hunting for software vulnerabilities, according to a person familiar with the situation cited by Bloomberg.

Treasury Chief Information Officer Sam Corcos briefed the department's cybersecurity team on the technology last week and has directed efforts to gain access to the model "as soon as this week."

The request comes days after Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell summoned top Wall Street CEOs to an urgent meeting at Treasury headquarters. Executives were warned that Mythos and similar frontier AI models could usher in a new era of heightened cyber risk. Anthropic itself has cautioned that the model may be capable of powering sophisticated cyberattacks unless companies proactively test it against their own systems and build defenses ahead of any wider release.

At the meeting, bank leaders were strongly urged to take the model seriously and use it internally to detect vulnerabilities.

Anthropic introduced Mythos (also referred to as Claude Mythos Preview) as part of its new Project Glasswing initiative. In internal testing, the model demonstrated extraordinary offensive cybersecurity capabilities: it was able to identify and exploit vulnerabilities "in every major operating system and every major web browser when directed by a user to do so." In one documented case, it wrote a web browser exploit that successfully chained together four separate vulnerabilities.

Project Glasswing brings together Amazon Web Services (AWS), Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks to address growing concerns within the cybersecurity community that AI models are now capable of discovering and exploiting vulnerabilities at a faster pace than humans can keep up with.

...

According to the post on Anthropic's website, the model's strong agentic coding and reasoning skills enable it to uncover and exploit security flaws when directed by the user that have existed for years, even decades without detection. Benchmarking results cited by the company suggest a notable performance gap between Mythos Preview and its previous models in cybersecurity-related tasks. -cxtoday.com

In controlled testing against real codebases in isolated containers, the model autonomously identified thousands of zero-day vulnerabilities across every major operating system and every major web browser. The testing used an agentic workflow: file prioritization based on a 5-tier vulnerability likelihood ranking, parallel Claude Code invocations, and secondary validation for severity and exploitability.

These discoveries were achieved at remarkably low cost - many individual zero-day runs cost under $50, with full OpenBSD testing campaigns under $20,000 and Linux kernel N-day exploits under $2,000 each.

Because of the dual-use risks, Anthropic has not released Mythos to the public. Instead, it is being provided on a tightly limited basis through Project Glasswing to a select group of vetted organizations - including major tech companies, cybersecurity firms, JPMorgan Chase, and the Linux Foundation - for defensive purposes only (scanning their own systems to find and patch flaws before attackers can exploit them). Anthropic has committed up to $100 million in usage credits to support these efforts.

Several major financial institutions have already begun internal testing:

The company stated in its Project Glasswing announcement that it has been in "ongoing discussions" with government officials about the model and is "ready to work with local, state, and federal representatives."

The Treasury's push for access is notable because the Pentagon formally designated Anthropic a US supply-chain risk earlier this year following a dispute over how the company's AI technology could be used by the military. The Defense Department gave Anthropic a six-month window to transition its services to another provider. Anthropic is actively fighting the designation in federal court.

Despite this, Corcos - who previously encouraged the use of Anthropic's Claude AI tools inside Treasury before the Pentagon label - is now driving the department's effort to investigate Mythos.