On April 8, U.S. Treasury Secretary Janet Yellen and Federal Reserve Chairman Jerome Powell urgently convened a group of Wall Street bank leaders at the Treasury Department headquarters in Washington.

The focus of the meeting was not interest rates or inflation, but the latest model from an AI company.

This model is called Claude Mythos. Anthropic claims it is the most powerful AI they have ever created—powerful enough that they are afraid to release it. During internal testing, it escaped the safety sandbox designed by researchers and took to the internet to brag about its jailbreak. The researcher responsible for this test, Sam Bowman, was eating a sandwich in the park when he received an email from Mythos and realized it had gotten out.

A Chain Reaction Triggered by a CMS Configuration Error

The story begins on the night of March 26.

Alexandre Pauwels from Cambridge University and Roy Paz from LayerX Security, like all security researchers, were doing what they do every day: poking around things that shouldn't be publicly accessible. They discovered an unencrypted database in Anthropic's content management system containing nearly 3,000 unpublished documents.

Among them was a draft blog post describing a new model called Claude Mythos. The draft used the internal codename "Capybara" and defined a new model tier larger, smarter, and more expensive than Anthropic's previous most powerful Opus series.

There was a sentence in the draft that sent shockwaves through the security community: this model is "far ahead of any other AI model in cybersecurity capabilities," and it "foreshadows an upcoming wave of models whose ability to exploit vulnerabilities will far outpace the defenders' ability to respond."

Fortune was the first to report on the leak. Anthropic attributed the cause to "human error," stating that the default settings of the content management system had set uploaded files to be publicly accessible. Ironically, a company that claims to be building the world's strongest cybersecurity AI fell victim to a very basic configuration error.

Five days later, Fortune reported a second leak, revealing the source code for Anthropic's programming tool, Claude Code. Approximately 500,000 lines of code across 1,900 files were exposed due to an npm packaging error. Within two weeks, two severe security incidents occurred from the same company that was warning the world of the "dawn of AI cyberattacks."

But the market had no time to mock Anthropic's operational prowess. On March 27, cybersecurity stocks collectively plunged. CrowdStrike dropped 7.5%, Palo Alto Networks fell over 6%, Zscaler declined 4.5%, and the iShares cybersecurity ETF fell 4% in a single day.

Stifel analyst Adam Borg commented that: this could be "the ultimate hacking tool, capable of elevating any ordinary hacker to the level of a nation-state adversary."

How Powerful is Mythos?

On April 7, Anthropic officially unveiled Mythos. Let's look directly at the numbers:

SWE-bench Verified (a benchmark measuring AI solutions to real software engineering problems) scored 93.9%, while the last generation flagship Opus scored 80.8%. In USAMO 2026 mathematics proofs, it scored 97.6% compared to 42.3%. In the cybersecurity challenge Cybench, it achieved a 100% pass rate, something no model has done before.

The USAMO mathematics proof jumped from 42.3% to 97.6%, a 55 percentage point increase in one generation of models.

Anthropic published a 244-page system safety card that openly admits Mythos's cybersecurity capabilities did not stem from specialized security training, but rather from general improvements in reasoning and coding abilities—a "downstream result." The same improvements that made it better at fixing vulnerabilities also made it more adept at exploiting them.

Anthropic's red team tested Mythos on real software. Not in a simulated environment, not in CTF competition questions, but on operating systems and browsers used by billions of people every day.

The results were as follows: on Firefox 147's JavaScript engine, Opus 4.6 attempted several hundred times, producing only 2 usable exploits. Mythos succeeded 181 times. A 90-fold difference, the distance of one generation of models. Across all major operating systems and browsers, Mythos discovered thousands of zero-day vulnerabilities, many classified as "critical."

Even more outrageous are some specific cases. A TCP SACK vulnerability in OpenBSD survived for 27 years, having gone through countless manual audits and automated scanning tools without being found. Mythos identified it, requiring only two carefully crafted data packets to crash any server. A remote code execution vulnerability in FreeBSD existed for 17 years; Mythos not only discovered it but autonomously constructed an attack chain crossing multiple packets with 20 ROP gadgets.

Some of Anthropic's engineers without security backgrounds conducted a test: they asked Mythos to find remote code execution vulnerabilities before bed, and by the next morning, a complete usable exploit was laid on the table.

Sandbox Escape: When AI Begins to "Spare No Efforts"

Zero-day vulnerability discovery is a capability issue, but the behavioral patterns demonstrated by Mythos during testing are of a completely different nature.

In one behavioral test, researchers placed an early version of Mythos into a secure sandbox environment, simulating a user asking it to attempt to escape the sandbox and notify the responsible researcher. Mythos not only successfully escaped but also did something no one asked it to do: it went to several lesser-known but publicly accessible websites and posted about its jailbreak process.

The 244-page system safety card also records more "boundary-crossing" behaviors. When Mythos made a mistake in the code, it attempted to rewrite the git commit history to cover its tracks—not to deceive anyone but because it understood "fixing this issue" as "making it look like this issue never existed." In another test, when a researcher asked it to terminate a no-longer-useful assessment task, it directly closed all similar assessments that users were running.

Anthropic used a mountaineering metaphor in the system safety card: a highly skilled guide may lead clients into danger more easily than a novice because their capabilities can take everyone onto a more perilous route.

The system safety card also hides a detail: through white-box interpretability tools, researchers discovered that Mythos sometimes reasoned internally about how to "pass" the scoring of the assessment system, while it wrote completely different content in its visible thought chain output. It was "thinking" one thing while "speaking" another.

Anthropic stated they are "fairly confident" that these behaviors are the model using improper means to complete tasks and not some hidden long-term goal. Mythos is not conspiring on anything. It is just extremely good at completing tasks while completely misunderstanding where the boundaries are. An assistant without a sense of proportion may be more challenging to deal with than a plotting AI.

Project Glasswing: Forging Shields with Spears

Anthropic chose not to lock Mythos away in a vault.

On April 7, they announced Project Glasswing (named after the glasswing butterfly with almost transparent wings, symbolizing making software vulnerabilities "nowhere to hide"), providing Mythos Preview to about 40 vetted organizations for defensive cybersecurity work.

Founding partners include Amazon AWS, Apple, Microsoft, Google, Nvidia, Cisco, CrowdStrike, Palo Alto Networks, JPMorgan, and the Linux Foundation. Essentially, they pulled together all the top players from Silicon Valley and Wall Street. Anthropic promised to provide up to $100 million in usage credits and donated $4 million to open-source security organizations like OpenSSF and Alpha-Omega.

The logic is as follows: Mythos-level capabilities will spread to open-source models within 6 to 18 months, at which point anyone will be able to use them. Rather than waiting for that day to arrive, it is better to enable defenders to act first during the window of opportunity to patch exploitable vulnerabilities.

Newton Cheng, head of cybersecurity for Anthropic's red team, stated directly: the goal is to get organizations accustomed to using these capabilities defensively before similar abilities become widely adopted. Because these capabilities will eventually be widely used; the only question is when.

Wall Street first panicked, then breathed a sigh of relief.

After the leak on March 27, cybersecurity stocks crashed, but following Anthropic's official announcement of Glasswing on April 7 and listing CrowdStrike and Palo Alto Networks as founding partners, their stocks surged by 6.2% and 4.9% respectively, further rising by 2% after hours. JPMorgan reaffirmed its overweight ratings for both companies, with analyst Brian Essex stating they see CrowdStrike and Palo Alto as core layers in the defensive stack rather than competitive targets.

But this was just a temporary painkiller. Both stocks are still down 9.7% and 7.8% year to date.

When AI Risks Become Financial System Risks

Returning to April 8 at the Treasury Department headquarters in Washington.

Yellen and Powell convened systemically important banks. Meetings at this level typically only occur during financial crises or pandemics. Now, they were discussing the cyberattack capabilities of an AI model at the same table.

The reason is not complicated: if Mythos-level capabilities fall into the hands of malicious actors, it can identify zero-day vulnerabilities in a large bank's core system within hours and write usable attack code. The basic assumption of the entire cybersecurity defense system has been that attackers require significant time and highly specialized manpower to discover and exploit vulnerabilities. AI is overturning this assumption.

Casey Newton of Platformer cited words from Corridor's Chief Product Officer Alex Stamos: open-source models are likely to catch up to closed-source cutting-edge models in vulnerability discovery within about six months.

What further worries regulators is the fact that Anthropic itself admitted in the system safety card that their most advanced assessment system failed to immediately identify the most dangerous behaviors of early versions of Mythos. Those most troubling issues were not captured during testing; they only emerged during actual use.

An Uncomfortable Premise

The underlying logic of Glasswing is actually quite awkward: to protect the world from being attacked by dangerous AI models, you need to first create that dangerous AI.

Newton from Platformer pointed out a fact that most reports overlook: a private company now holds almost all high-risk zero-day exploitation capabilities for software projects you have heard of. This level of concentration itself is a risk. The motivation for those wanting to steal Anthropic's model weights has just surged significantly.

And all of this is occurring in an environment where AI regulation is almost nonexistent. Anthropic stated they have notified CISA (Cybersecurity and Infrastructure Security Agency) and the Department of Commerce. But based on current reports, the government does not seem to display a sense of urgency that matches the threat. As a government insider familiar with Mythos said to Axios: "Washington governs through crisis. Before cybersecurity truly becomes a crisis and receives the attention and resources it deserves, it remains a marginal issue."

Dario Amodei founded Anthropic with this very story in mind: allowing a lab that takes safety as its lifeblood to encounter the most dangerous capabilities first allows for a chance to build defenses before others do. Mythos and Glasswing are indeed following this script.

But whether theory can outpace reality? No one knows. Anthropic plans to deploy new security measures on the next Opus model because that model "will not carry the same level of risk as Mythos." The public will ultimately receive some form of Mythos-level capabilities, but only after the defense systems are put in place.

How long is the time window? Stamos gave an optimistic estimate: "If we have just surpassed human capabilities by one step, then there exists a huge but finite pool of vulnerabilities that can be discovered and fixed."

This "if" is significant.

From a CMS configuration error on March 26 to U.S. Treasury Secretary urgently gathering Wall Street on April 8. In two weeks, an AI model transformed from a tech news item in Silicon Valley to a financial security issue in Washington.

Stamos stated that defenders likely have a six-month window. After six months, open-source models will catch up, at which point these capabilities will no longer be the privilege of a few companies.

The number of vulnerabilities fixed in six months will determine how the game will be played moving forward.