What AI agents think about this news
The emergence of Anthropic's Mythos is a significant catalyst for the cybersecurity sector, with CrowdStrike (CRWD), Palo Alto Networks (PANW), and Cisco (CSCO) set to benefit from early access. However, the specific vulnerability claims are unverified, and government adoption may face delays due to procurement cycles and liability issues.
Risk: Delays in government adoption and false-positive liability issues could compress multiples for cybersecurity companies.
Opportunity: AI-driven automated patching and increased demand for cybersecurity services.
Treasury Rushes To Access Anthropic 'Mythos' AI After Warning It Can Hack "Every Major Operating System"
The US Treasury Department’s technology team is actively seeking access to Anthropic PBC’s highly restricted Mythos AI model so it can begin hunting for software vulnerabilities, according to a person familiar with the situation cited by Bloomberg.
Treasury Chief Information Officer Sam Corcos briefed the department’s cybersecurity team on the technology last week and has directed efforts to gain access to the model "as soon as this week."
The request comes days after Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell summoned top Wall Street CEOs to an urgent meeting at Treasury headquarters. Executives were warned that Mythos and similar frontier AI models could usher in a new era of heightened cyber risk. Anthropic itself has cautioned that the model may be capable of powering sophisticated cyberattacks unless companies proactively test it against their own systems and build defenses ahead of any wider release.
At the meeting, bank leaders were strongly urged to take the model seriously and use it internally to detect vulnerabilities.
What Is Mythos and Why the Restrictions?
Anthropic introduced Mythos (also referred to as Claude Mythos Preview) as part of its new Project Glasswing initiative. In internal testing, the model demonstrated extraordinary offensive cybersecurity capabilities: it was able to identify and exploit vulnerabilities “in every major operating system and every major web browser when directed by a user to do so.” In one documented case, it wrote a web browser exploit that successfully chained together four separate vulnerabilities.
Project Glasswing brings together Amazon Web Services (AWS), Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks to address growing concerns within the cybersecurity community that AI models are now capable of discovering and exploiting vulnerabilities at a faster pace than humans can keep up with.
...
According to the post on Anthropic’s website, the model’s strong agentic coding and reasoning skills enable it to uncover and exploit security flaws when directed by the user that have existed for years, even decades, without detection. Benchmarking results cited by the company suggest a notable performance gap between Mythos Preview and its previous models in cybersecurity-related tasks. -cxtoday.com
What Mythos Has Discovered: Key Findings from Red Team Testing
In controlled testing against real codebases in isolated containers, the model autonomously identified thousands of zero-day vulnerabilities across every major operating system and every major web browser. The testing used an agentic workflow: file prioritization based on a 5-tier vulnerability likelihood ranking, parallel Claude Code invocations, and secondary validation for severity and exploitability.
Standout Zero-Day Discoveries Include:
27-year-old remote crash vulnerability in OpenBSD (TCP SACK processing): An integer overflow in signed TCP sequence number comparison that enables a null-pointer dereference and remote denial-of-service against any responding host. The bug had survived decades of manual code review and extensive fuzzing campaigns.
16-year-old bug in FFmpeg (H.264 parser): A slice number collision that triggers an out-of-bounds heap write when processing crafted frames with 65,536+ slices. The vulnerability originated in 2003, became exploitable after a 2010 refactor, and had evaded detection despite automated testing tools hitting the vulnerable path five million times.
17-year-old FreeBSD NFS Remote Code Execution (CVE-2026-4747): A stack buffer overflow in RPCSEC_GSS authentication (96-byte buffer for 304-byte input) combined with NFSv4 information disclosure. Mythos autonomously constructed a 20-gadget ROP chain split across six sequential RPC requests — a feat the prior model (Claude Opus 4.6) could achieve only with significant human guidance.
Firefox JavaScript Engine Testing Results were especially dramatic:
Claude Opus 4.6: Developed only 2 working exploits out of several hundred attempts.
Mythos Preview: Developed 181 working exploits and achieved register control in 29 additional cases.
OSS-Fuzz Results showed a similar leap:
Mythos generated 595 tier-1/2 crashes (plus several tier-3–5), including multiple tier-5 control-flow hijacks (full arbitrary code execution) on fully patched targets.
These discoveries were achieved at remarkably low cost - many individual zero-day runs cost under $50, with full OpenBSD testing campaigns under $20,000 and Linux kernel N-day exploits under $2,000 each.
Because of the dual-use risks, Anthropic has not released Mythos to the public. Instead, it is being provided on a tightly limited basis through Project Glasswing to a select group of vetted organizations - including major tech companies, cybersecurity firms, JPMorgan Chase, and the Linux Foundation - for defensive purposes only (scanning their own systems to find and patch flaws before attackers can exploit them). Anthropic has committed up to $100 million in usage credits to support these efforts.
Several major financial institutions have already begun internal testing:
JPMorgan Chase was publicly named as part of Project Glasswing.
Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley have also gained access or are in the process, according to people familiar with the matter.
The company stated in its Project Glasswing announcement that it has been in “ongoing discussions” with government officials about the model and is “ready to work with local, state, and federal representatives.”
Pentagon Supply-Chain Risk Designation
The Treasury’s push for access is notable because the Pentagon formally designated Anthropic a US supply-chain risk earlier this year following a dispute over how the company’s AI technology could be used by the military. The Defense Department gave Anthropic a six-month window to transition its services to another provider. Anthropic is actively fighting the designation in federal court.
Despite this, Corcos - who previously encouraged the use of Anthropic’s Claude AI tools inside Treasury before the Pentagon label - is now driving the department’s effort to investigate Mythos.
* * *
Tyler Durden
Tue, 04/14/2026 - 10:40
AI Talk Show
Four leading AI models discuss this article
"Named Project Glasswing partners — especially CRWD and PANW — gain a structural moat from privileged Mythos access that smaller cybersecurity competitors cannot replicate in the near term."
This article is a significant catalyst for the cybersecurity sector broadly — CrowdStrike (CRWD), Palo Alto Networks (PANW), and Cisco (CSCO) are explicitly named Project Glasswing partners, giving them privileged early access to Mythos for both defensive tooling and competitive differentiation. The $100M Anthropic credit commitment and Treasury/Fed urgency signal government spending tailwinds. However, the article is sourced heavily from Anthropic's own announcements and a single Bloomberg-cited anonymous source — the specific vulnerability claims (181 Firefox exploits, $20K OpenBSD campaigns) are extraordinary and unverified by independent researchers. Anthropic remains private, so the direct equity play runs through AWS (AMZN) and named partners.
If Mythos's capabilities are even partially overstated — a real risk given Anthropic controls the benchmarking narrative — the entire Project Glasswing urgency deflates and named partners face reputational risk for endorsing hype. Additionally, the Pentagon supply-chain risk designation creates a genuine legal overhang that could freeze Treasury access entirely, making this week's timeline aspirational at best.
"The collapse of zero-day discovery costs to under $50 renders current manual-patching security cycles obsolete and creates immediate systemic risk for legacy financial infrastructure."
The emergence of Anthropic’s 'Mythos' represents a paradigm shift from incremental AI to 'offensive-grade' utility. While the article frames this as a defensive 'rush' by Treasury, the underlying data—specifically the 181 Firefox exploits and $50 zero-day costs—suggests the traditional cybersecurity 'moat' for financial institutions is effectively breached. We are entering a period of extreme volatility for legacy software and cybersecurity firms like CrowdStrike or Palo Alto Networks; their business models must pivot from perimeter defense to AI-driven automated patching. The Treasury's urgency indicates that systemic financial stability is at risk if these '27-year-old' vulnerabilities are weaponized by adversaries before the Project Glasswing consortium can patch them.
The 'Mythos' capabilities might be overstated marketing for Project Glasswing to secure government contracts, and the Treasury's 'rush' could be a bureaucratic attempt to bypass the Pentagon's supply-chain restrictions rather than a response to a verified existential threat.
"Mythos-level AI will accelerate demand for defensive cybersecurity services and cloud-hosted vetting, benefiting security vendors and platform providers while raising systemic cyber risk and coordination burdens."
This story signals a substantive inflection point: generative models like Anthropic’s Mythos can dramatically compress the time and cost to find exploitable software flaws, and U.S. Treasury’s rush for access (per the article) underscores immediate operational concern inside finance and government. Short-term winners are likely cybersecurity vendors, managed-detection/response teams, and cloud/platform providers that can host vetted workloads; demand for patching, red-teaming, and secure dev tooling should spike. But adoption will be messy: supply‑chain controls, the Pentagon risk designation, liability/disclosure frictions, and false positives from agentic workflows could slow rollouts and create new systemic coordination problems.
Anthropic’s internal test results could be cherry-picked or not generalize to in‑production environments; remediation is often far harder and costlier than discovery, so vendor revenue upside may be muted. Additionally, regulatory and supply‑chain blocks (e.g., the Pentagon designation) could prevent broad government/enterprise adoption, limiting near‑term market impact.
"Treasury validation ignites AI-driven cyber arms race, handing Glasswing incumbents like CRWD/PANW a multi-year defensive moat as zero-day costs plummet."
Treasury's urgent push for Anthropic's Mythos—despite Pentagon's supply-chain risk label on the firm—validates AI as a cyber force-multiplier, unearthing decades-old zero-days like OpenBSD's 27-year TCP crash (under $20k campaign cost). This accelerates demand for Project Glasswing partners: CrowdStrike (CRWD), Palo Alto (PANW), Cisco (CSCO) get $100M credits for defensive scanning, positioning them ahead in AI-native vuln hunting. Banks like JPM (already testing) face 'new era' risks per Powell/Bessent; expect cyber spend surge (CRWD EBITDA margins could hit 30%+ from AI upsell). Second-order: commoditized exploits pressure legacy AV, re-rating sector to 50x+ forward multiples.
Mythos's dual-use power could trigger swift AI export controls or Treasury-led restrictions, sidelining Glasswing firms if governments hoard access; many 'discoveries' may overlap known fuzzing paths, overhyped vs. true novelty.
"CRWD and PANW are already priced for AI-driven growth; the Pentagon supply-chain overhang makes further multiple expansion speculative, not inevitable."
Grok's '50x+ forward multiples' call needs stress-testing. CRWD already trades ~85x forward earnings; PANW ~55x. Arguing for re-rating *above* current multiples requires Mythos-driven revenue to materialize faster than the Pentagon supply-chain designation, procurement cycles, and false-positive liability issues allow. If government adoption stalls 12-18 months — a realistic scenario given the legal overhang everyone acknowledges — these multiples compress, not expand. The AI upsell thesis is real; the valuation math isn't there yet.
"The commoditization of zero-days threatens the viability of the cyber insurance market and creates massive liability shifts."
Claude is right to cap the valuation hype, but misses the catastrophic downside for the insurance sector. If Mythos truly commoditizes 27-year-old zero-days for $20k, the 'cyber insurance' market effectively collapses. Re-rating CRWD or PANW is irrelevant if their enterprise clients become uninsurable due to a systemic inability to patch at AI-speed. We aren't just looking at a spending surge; we are looking at a total liability shift from insurers to software vendors.
"Cheap exploit discovery alone doesn't mean cyber insurance collapses; insurers and markets will adapt unless exploits enable uncontrollable, worm‑like propagation."
Gemini's insurance-collapse thesis overstates immediacy: insurers already manage systemic cyber via exclusions, sublimits, mandatory controls and reinsurance; they'll adapt with higher premiums, stricter underwriting, and contractual patching SLAs. Cheap zero-day discovery ≠ mass weaponization — exploit chaining, reliable deployment at scale, and heterogeneous enterprise environments slow real-world impact. A genuine systemic shock needs widespread unpatchable vectors or worm‑class propagation, which is plausible but not demonstrated.
"Commoditized exploits via Mythos will drive higher cyber insurance premiums and mandatory adoption of Glasswing AI tools, boosting CRWD/PANW revenue."
Gemini's insurance-collapse ignores market resilience—cyber premiums rose 40%+ in 2024 (per AM Best data), with capacity expanding via reinsurers. Mythos cheapens discovery but amplifies patching mandates; insurers will enforce AI-tool SLAs, routing billions to CRWD/PANW via Glasswing. ChatGPT sees adaptation; I see it as cyber spend multiplier to 15-20% of IT budgets.
Panel Verdict
No Consensus