US banks scramble to plug Mythos-found cyber holes at $25 per million tokens
TL;DR:
- Anthropic’s Mythos model is uncovering several hundred to thousands of low-to-moderate IT vulnerabilities at the US banks running it, forcing patching at speeds the sector has not previously had to operate at — days, not weeks.
- JPMorgan, Goldman Sachs, Citigroup, Bank of America and Morgan Stanley have access via “Project Glasswing” plus around 40 partner organisations; smaller banks are leaning on shared findings rather than direct access.
- Mythos costs $25 (£19.50) per million input tokens and $125 (£97) per million output tokens — five times more expensive than Anthropic’s regular top model Opus 4.7 — making cost itself a barrier for mid-sized banks.
The pattern from the largest US lenders: Mythos is “expert at chaining together lower-risk vulnerabilities into a high-risk vulnerability”, according to multiple sources, and especially effective against legacy code and end-of-support software — the bulk of banking IT estates. Anthropic’s CEO Mike Krieger has said pricing balances safety with funding the business; Anthropic is offering $100 million (£77.9m) in credits to Glasswing partners to soften the cost shock.
What banks are actually changing
The operational impact is captured by a single line from CrowdStrike’s Adam Meyers, who described needing “a solid entire weekend” with his team to figure out how to use the model effectively before they even started bug-hunting. Banks are now treating rapid AI-led vulnerability testing as “the new normal” — a continuous rather than scheduled activity. The increased workload may also mean more frequent maintenance outages, although banks are trying to manage that to minimise customer disruption.
UK read-across is now direct
The Bank of England’s Prudential Regulation Authority warned last week of “significant disruption” from this exact class of model, and BaFin in Germany separately announced targeted “IT spotlight” inspections of financial firms on Tuesday. UK banks have not yet been publicly named as Glasswing partners, but Anthropic has said it aims to expand access to UK and European banks — meaning the patching-cadence pressure visible at JPM and Goldman is about to be policy reality at Lloyds, NatWest, Barclays and HSBC. UK regulator framing of “operational resilience” under the joint FCA/BoE rules from 2022 now reads less like a compliance overlay and more like the architecture banks need to weather Mythos-style discovery cycles.
The cost problem for mid-sized banks
The barrier to entry is now economic, not technical. With direct Mythos costs five times Opus 4.7, mid-tier UK banks and building societies will not be able to run continuous AI-led security testing on the same cadence as the global majors. Anthropic’s lower-tier Claude Security product, available to a wider set of organisations, partly addresses this — but the implicit gap is that smaller firms will rely on threat-sharing from larger banks, which is exactly how risk has propagated in past crises.
Looking forward
Expect the FCA and Bank of England to push UK banks toward formal disclosure of AI-driven vulnerability management programmes in their next operational resilience cycles, mirroring BaFin’s inspection-led approach. The competitive dynamic is also worth watching: OpenAI on Monday launched a rival “Trusted Access for Cyber” programme with European customers including Sophos and BBVA, suggesting the duopoly in defensive cyber AI will not last long.