
Treasury, Fed Warn Bank CEOs: Anthropic’s Mythos Model Finds Zero-Days Automatically

Target Audience: CISOs, Security Architects, Compliance Officers (Financial Sector)
Category: Threat Intelligence / Regulatory Alert

Executive Summary:
On April 7, 2026, Treasury Secretary Scott Bessent and Fed Chair Jerome Powell convened an emergency closed-door meeting with major bank CEOs over Anthropic’s newly announced Claude Mythos Preview model, which can autonomously identify and exploit zero-day vulnerabilities in major operating systems and browsers. This post breaks down what CISOs need to know: the threat is real, Project Glasswing is underway, and financial institutions must accelerate patching and zero-day response capabilities immediately.

Evidence Tier: Secondary Verified (Sullivan & Cromwell law firm memo based on public disclosures)

The Story That Changes Everything

On April 7, 2026, two of the most powerful financial regulators in the United States—Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell—did something unprecedented. They convened an urgent, closed-door meeting with the CEOs of America’s largest banks.

The topic was not interest rates. Not inflation. Not capital requirements.

It was Anthropic’s new AI model, Claude Mythos Preview.

What Mythos Can Do

According to Anthropic’s own disclosures, Mythos has demonstrated capabilities that security professionals have feared for years: the model can identify previously unknown (zero-day) vulnerabilities in every major operating system and every major web browser—and then, autonomously, develop complete, functional exploits for those vulnerabilities.

Engineers with “no formal security training” asked Mythos to find exploitable vulnerabilities overnight. By morning, the model had delivered not only the vulnerabilities but fully functional exploit code.

These capabilities were not explicitly programmed. They “emerged as a downstream consequence of general improvements in code, reasoning, and autonomy”.

The Scale Is Unprecedented

Anthropic reports that Mythos has already identified thousands of previously unknown, high-severity vulnerabilities. Less than 1% have been repaired.

This is not a theoretical risk. This is a live, ongoing discovery process.

Project Glasswing: The 90-Day Window

Recognizing the danger, Anthropic delayed public release and launched Project Glasswing—a limited-access program giving ~40 organizations that manage critical software infrastructure the ability to use Mythos defensively to find and fix vulnerabilities before malicious actors can exploit them.

Anthropic has committed to a public report within 90 days on what vulnerabilities were found and fixed.

📌 Notably Absent

No confirmed public exploitation of Mythos capabilities by malicious actors has been reported in this window. The threat is currently latent—but the warning from Treasury and the Fed is clear: prepare now.

What CISOs Must Do Now

The Sullivan & Cromwell memo advising bank CEOs outlines immediate priorities that apply to any organization with critical software infrastructure:

  1. Prioritize software supply chain risk management – Know what dependencies you have and where zero-days could hide.

  2. Accelerate patching processes – The window between vulnerability discovery and exploitation will shrink to hours.

  3. Audit authentication and access controls – Assume zero-day exploitation is possible; limit blast radius.

  4. Invest in threat-detection capabilities – Traditional signatures will not catch AI-generated exploits.

The Paradox: AI as Defense

Critically, Mythos also represents a defensive breakthrough. The same capabilities that find vulnerabilities can fix them. Project Glasswing is proof of concept for AI-driven proactive security at scale.

Anthropic has announced plans to collaborate with security organizations to produce “practical recommendations for how security practices should evolve in the AI era”—covering vulnerability disclosure, open-source security, secure-by-design practices, and regulated industry standards.

The Bottom Line

When the Treasury Secretary and the Fed Chair bypass normal channels to warn bank CEOs directly about an AI model’s cybersecurity implications, every CISO should take notice.

The age of AI that finds zero-days autonomously is no longer future tense. It is April 2026. It is here.

*Action item: Review your patch management SLAs. Assume zero-day windows will compress to 24 hours or less by Q3 2026. Build AI threat detection into your roadmap now.*


 
