The Anthropic logo is visible in this illustration taken on March 1, 2026. (Credit: Dado Ruvic/Reuters)
Claude Mythos (or simply Mythos), an AI cybersecurity tool launched in April by Anthropic, an American company founded by former members of another major player in the sector, OpenAI (the creator of ChatGPT), has the global banking and financial sector on edge.
Designed for defensive cybersecurity tasks, Mythos’ extensive capabilities — which is not a public chatbot like ChatGPT, Gemini, or DeepSeek — have raised concerns about the security of traditional software, after Anthropic stated in the media that a test version had uncovered "thousands" of major vulnerabilities in "all major operating systems and web browsers" due to its powerful computing capabilities.
"Beyond the danger this poses to the protection of banking and financial data if this tool were to fall into the wrong hands, each vulnerability represents at least several hours or even several days of work for cybersecurity teams and the engineers responsible for fixing them. There is a major risk of bottleneck," explains Hadi Khoury, independent cybersecurity expert.
"But I think the current hype is overshadowing some technical problems that could slow the commercialization of the tool, notably its high consumption of tokens and therefore energy, which greatly affects its cost-benefit ratio," he adds.
Fear-based marketing
In practical terms, a token is a unit of text used to process a request by the AI. It is what the AI reads to generate a response. A sentence is thus an assembly of tokens, which the model analyzes before producing its reply. The more tokens there are, the more calculations — and thus resources — are mobilized by servers and chips, even though the AI architecture can limit the impact. A cybersecurity-focused AI also carries out more complex calculations, further increasing energy usage compared to a classic chatbot.
"At this stage, the investments required to deploy Mythos are theoretically very significant," concludes Khoury. He points out that any AI programmed to read code is potentially capable of posing a cybersecurity risk, even if Mythos is, unlike the other Anthropic AIs — the Claudes — the only one specifically configured for cybersecurity.
The other limitation of Mythos is that it is limited to identifying vulnerabilities, which is just one step in a process that also includes analyzing the vulnerability, checking if it can be exploited, fixing it, validating the fix, and ensuring ongoing monitoring to prevent its recurrence.
"Anthropic’s communication ... assumes it is enough to find a vulnerability to be more secure. In real life, that’s not the case," wrote Rayna Stamboliyska, expert in cybersecurity and digital strategy, in a lengthy article published April 17 on LinkedIn. Accusing the American company of "fear-based marketing," she acknowledges that they are not blind to these limits and have positioned Mythos as an assisted remediation tool as much as a vulnerability discovery tool.
According to AFP and Reuters, access to Mythos is currently limited to a small circle of companies as part of a heavily controlled program called "Project Glasswing." Amazon, Microsoft, Nvidia, and Apple, as well as several large U.S. banks including JPMorgan, Bank of America, Morgan Stanley, Goldman Sachs, and Citigroup are participating — even though Anthropic has publicly confirmed only the first of these five banks so far.
"By involving, from the preview stage, players in an oligopolistic position ... Anthropic is orchestrating artificial scarcity around a tool tied to partnerships. This is not cybersecurity — it’s about building barriers to entry in a market segment," Stamboliyska criticized in a LinkedIn article. She also pointed out that Anthropic acknowledged in its report that the "discovered" vulnerabilities could not be exploited due to existing security measures.
The debate over Mythos gained a new layer after Anthropic announced Tuesday it was investigating unauthorized access to the tool, the third internal security incident for the company in a month. The access apparently occurred in an IT environment used by a subcontractor for model development, and not through customer-facing systems, limiting the potential scope of the incident, according to information obtained by AFP.
Fever worldwide
Even without these incidents, the buzz generated by Mythos’ prowess is palpable in the banking sector, where complex, interconnected, and often decades-old systems remain commonplace. The tool was a prominent topic on the sidelines of last week’s IMF and World Bank spring meetings.
In the United States, Barclays CEO C. S. Venkatakrishnan said last Friday in Washington that Mythos poses a serious threat to the global banking system, and some banks unable to access the model are questioning whether access should be broadened and whether those who can use it have an unfair advantage, according to a source familiar with the situation who spoke to Reuters. The U.S. Treasury has not yet commented on the matter.
In Europe, the president of the German Banking Association and CEO of Deutsche Bank, Christian Sewing, said Monday that banks are in close contact with their European regulators to anticipate the rollout of this tool, while three sources told Reuters on Tuesday that Anthropic plans to soon provide European banks with access to Mythos.
The British government sent an open letter to Anthropic’s leaders on April 15, stating that its AI Security Institute’s tests showed Mythos was "substantially more capable in cyberattacks than any other model we have evaluated so far." Some Asian regulators also said Monday that they are monitoring the situation, while the central banks of Australia and New Zealand said Wednesday that they are watching the launch of Mythos and any risks it might present.
The Banque du Liban (Lebanese central bank) has not yet responded to our inquiries. A major bank operating in Lebanon and the region assured us that it has top cybersecurity capabilities and that both its internal teams and external partners are closely monitoring these developments.
This article was translated from L'Orient-Le Jour.
Qaani: Minimum requirement for Lebanon is a return to pre-war lines