Anthropic built an AI model so good at finding software vulnerabilities that it scared members of Congress. The company’s Claude Mythos, an advanced and unreleased model, was demonstrated to the House Homeland Security Committee in a closed-door session on May 13-14, showing how it could identify weaknesses capable of compromising private bank accounts.

Rep. Andrew Garbarino, who chairs the committee, came away from the demonstration with serious concerns about what AI-powered cyberattacks could mean for financial institutions. The model has already uncovered thousands of high-severity vulnerabilities, including zero-days across major operating systems and browsers.

What Mythos actually does

Mythos excels at chaining lower-risk vulnerabilities into higher-impact threats, turning individually minor software flaws into devastating attack sequences.

The model hasn’t been released publicly. Anthropic has instead kept it under wraps while granting limited access through a program called Project Glasswing, launched in April 2026. The initiative offers select US banks and technology firms the ability to use Mythos for defensive purposes. Partners in the program include JPMorgan Chase and Apple, with usage credits reaching up to $100 million.

No evidence suggests Mythos has been used offensively against actual bank accounts. Its operations have been confined to vulnerability discovery in controlled environments.

Banks and regulators are already scrambling

The vulnerabilities Mythos identified demanded response timelines that made traditional patching schedules look quaint. Some required fixes in just days, a dramatic compression from the weeks or months that banks typically take to address software flaws.

US banks have accelerated their patching efforts in response. The Federal Reserve convened emergency meetings with major banking CEOs in April 2026 to discuss the systemic risks that Mythos had surfaced.

What this means for investors

The broader question is whether Mythos creates more risk than it mitigates. Anthropic is positioning the model as a defensive tool, letting banks find their own weaknesses before adversaries do.

Notably absent from all the coverage and discussion around Mythos is any mention of cryptocurrency or blockchain protocols. The focus has been entirely on traditional banking infrastructure.

The risk investors should watch is regulatory. Congress doesn’t hold closed-door AI demonstrations and walk away without wanting to do something about it. Garbarino’s concerns could translate into new oversight requirements for AI capabilities in cybersecurity, new disclosure mandates for banks regarding AI-discovered vulnerabilities, or restrictions on how models like Mythos can be shared and deployed.