Claude Mythos: AI Model Exposing Corporate Network Vulnerabilities Alarms UK and US Regulators
British financial regulators have called an emergency meeting on Anthropic's Claude Mythos model. Participants—including the Bank of England, FCA, Treasury, and NCSC—will discuss the risks of the model independently hunting for vulnerabilities in critical IT systems. The model ran a full simulation of a corporate network in the AISI cyber-range, earning it the title of the most capable cyber model according to authorities.
Testing at the AI Security Institute
UK AI Minister Kanishka Narayan confirmed: Mythos is the first model to fully master navigation through a simulated corporate network. At AISI, established for independent AI evaluation, it uncovered vulnerabilities without any operator intervention. Regulators have already responded to the discoveries, though details haven't been disclosed.
Testing included:
- Autonomous scanning of network segments.
- Identification of zero-day vulnerabilities in IT infrastructure.
- Simulation of real-world attack and defense scenarios.
This sets Mythos apart from its predecessors, which needed prompts to navigate.
US Reaction: Similar Measures
The US acted first: last week, Treasury Secretary Scott Bessent and Fed Chair Jerome Powell gathered bankers from Citigroup, Goldman Sachs, and Morgan Stanley. The task—to test Mythos on their own systems before it falls into malicious hands. Anthropic has postponed the public release, limiting access through the Project Glasswing program for defensive cybersecurity applications.
The model has already uncovered thousands of serious vulnerabilities in:
- Operating systems.
- Browsers.
- Common software.
Expert Views and Skepticism
Not everyone shares the alarm. AI researcher Gary Marcus questioned Anthropic's claims, suggesting it's marketing hype. MP Danny Kruger called for close collaboration with developers rather than relying solely on enforcement agencies.
Mythos is evolving from a company tool to a focus of G7 coordination. Two meetings in one week underscore the shift: AI in cybersecurity demands international regulation.
Key Points
- Mythos independently navigates corporate networks in the cyber-range, outpacing previous models.
- UK and US regulators are testing it on critical infrastructure to minimize risks.
- Anthropic has restricted access, focusing on defensive uses.
- The model uncovered thousands of vulnerabilities in OSes, browsers, and software.
- Discussions are paving the way for new rules on releasing powerful cyber-AI.
Regulatory Outlook
These events signal a move toward stricter controls. The Cross Market Operational Resilience Group, including banks, insurers, and exchanges, will evaluate risks under Duncan MacKinnon's leadership. For developers, this means striking a balance between innovation and security: a public Mythos release is only feasible after verification.
For mid- and senior-level developers, key technical aspects stand out. Mythos shows advanced capabilities in autonomous red teaming—simulating attacks without human input. This involves chain-of-thought reasoning for analyzing network protocols, parsing logs, and generating exploits based on spotted weaknesses.
— Editorial Team
No comments yet.