Palo Alto Networks has warned the new technology will quickly proliferate and could enable hackers to ‘develop autonomous attack agents unlike anything the industry has faced’ © FT montage/Getty Images
Jamie John in London and Akila Quinio in New York
Published
34
Anthropic’s Claude Mythos AI model is driving a surge in software updates, risking exposure of critical national infrastructure to hackers and prompting cyber security chiefs to demand better co-ordination between government and business.
Companies that have access to the San Francisco group’s new tool told the FT joint action “across the public and private sectors” was essential to support hospitals, banks and utilities vulnerable to the threats Mythos uncovered.
“The way I think about this is there is a world pre-Mythos and there is a world post-Mythos,” said Jeetu Patel, president and chief product officer at tech group Cisco, one of the few companies given access to the model.
Anthropic plans to roll Mythos out gradually, following its release to a small group of 40 organisations that are mostly US-based. This includes Amazon and Microsoft as well as large banks such as JPMorgan Chase.
This has led some companies to receive more “patches” — technical fixes that close vulnerabilities found by Mythos.
Bryan Preston, chief financial officer of US bank Fifth Third, told the FT that its technology provider, Microsoft, had rolled out almost 150 software updates since Mythos’s release.
The volume of bugs Anthropic’s model identified could trigger a “flood of patches”, said Haider Pasha, vice-president and chief security officer for Emea at cyber security group Palo Alto Networks. That could challenge businesses that need to keep systems running smoothly, he added.
Anthropic unveiled Mythos earlier this month and touted its ability to detect cyber security flaws faster than humans.
Palo Alto Networks has warned the new technology will quickly proliferate beyond the models built by US tech groups, which have guardrails to prevent malicious use, and could enable hackers to “develop autonomous attack agents unlike anything the industry has faced”.
Pasha said frontier models such as Mythos were notable for their abilities to “chain together vulnerabilities” to bypass security systems.
Cyber security experts have suggested software developers would need to be selective in the updates they released to avoid overwhelming customers.
This week, Anthropic said it was investigating reports that a group of users had gained unauthorised access to Mythos through third parties. Central bankers, financial institutions and regulators have demanded expedited access to Mythos in recent days, but the start-up has declined to provide a timeline.
While many companies were susceptible, critical infrastructure groups were especially attractive targets, said Cisco’s Patel. Such systems often run older software and are seen as higher-value targets.
“The challenge with patching [is] you actually have to bring down your system sometimes and most organisations can’t afford to have downtime, so they do the downtime at scheduled intervals [to] update the systems,” Patel said.

FirstFT Americas, every weekday

The top news stories from the Americas, plus analysis and commentary on the day's biggest global stories
Copyright The Financial Times Limited 2026. All rights reserved.

Comments

Comment guidelines

Please keep comments respectful. Use plain English for our global readership and avoid using phrasing that could be misinterpreted as offensive. By commenting, you agree to abide by our community guidelines and these terms and conditions. We encourage you to report inappropriate comments.

It all sounds a bit Y2K.
I am tired of reading Anthropic’s marketing pitches.
Looking at articles in the FT it feels like 50% of the world economy depends on Anthropic.
We know that AI is deceptive and lies, what is the probability tha the patches include a backdoor for Mythos ?
Sign up at the Hack The Box
Anthropic right now is like Steve Carrell in anchorman bringing a grenade to a fistfight.

WTF Brick, u gonna kill all of us
Medicines and Vaccines are approved by global and local regulators before release.
On balance they are a lot less dangerous.
Time for a World IT Health Organisation.
Except the US would refuse to join.
Trust me, what these companies need is NOT more compliance checkboxes.
One can only hope Mythos is being used to analyse sites like Yandex and WeChat...
Can’t be worse than twitter in the woke days
Will this ultimately lead to better/safer software that is ruthlessly tested against all types of attacks? Or is that way too optimistic?
Theoretically cannot prove that there is a bug free software.
I asked Chinese AI. This is its view:

The fears surrounding Anthropic's "Mythos" model are not imaginary, but its danger isn't quite what the company's marketing might suggest. While the model is genuinely a technical breakthrough in finding software bugs, its claim of being "too dangerous to release" is also a powerful branding move, and a few own-goals have made the situation worse than it needed to be.

:-)
wow, companies want to "closer ties" with a corrupt government to defeat existential threat they can't show you but assure is lurking in the shadows

no country has tried that before
Why does mythos need to be released to the public?
So that Anthropic can make money out of it?
Legacy systems in large corporations and public service networks cannot be updated easily. This unfortunately could be a multiyear process. And yes, the consumer will get very very tired of updating their passwords and getting scam threats.

Do we really need it? Or is it just because?
They need to make cash.

Basically go back to paper and the need disappears s does some of the convenience and the screen addiction.
Our forefathers lived reasonably good lives in the 1950-1990 without all the digital pollution.
software developers would need to be selective in the updates they released to avoid overwhelming customers
What does that even mean? First, updates to most apps are automatic these days so I wouldn't even necessarily know it got updated. Then, I would have no way of telling whether that update fixed 10 bugs or 1000 bugs so I certainly wouldn't be "overwhelmed" by the latter.
Maybe just you. I dont update any applications on my computer.
We're talking about apps that have security implications, which are mainly mobile apps, not desktop apps. On the desktop, that would mostly concern your browser and if you're not regularly updating that, then you're sitting on a massive time bomb.
As a consumer you update because only you get impacted but when it comes to enterprises, they don’t deploy a patch unless it has been tested properly else the entire business may come down or IT may have to field calls from 100s/1000s of employees. A little different scope I think
If you work in IT and have authority over software patching you will be constantly harassed by various business units, all of which care only about their own objectives and they will see their app receiving updates as unacceptable downtime if it is even slightly inconvenient.

There is a massive sea of whiners who can’t handle their app being down for a few hours or their computer restarting. Yes, it’s still like this in 2026.

Many orgs to this day do not patch nearly fast and effective enough to actually minimize risk, and even more never patch their custom applications (only OS and packaged software). Many also fail to patch packaged software.
The same playbook as defense industry uses. Put out what-if's possibilities of attack and sell weapons.
Microsoft, had rolled out almost 150 software updates since Mythos’s release.
Issue seems real to me, not just a mere contract seeking marketing campaign!
Microsoft does about 100 security updates a month, from what I can find online. Would be nice to add that number as a comparison.
Or pharma
(Edited)
You got to be impressed by Mythos/Antroph\c and AI companies marketing team. It looks like Chinese AI such as DeepSeek4 need better marketers - so maybe try to ask the AI - "What would be a really good marketing strategy".

There have been so many dangerous models, including ChatGPT 5.5 which was released a few days ago. Yet the Internet is still working.

But don't forget to buy some tokens (now at 2x or more the price), and scan your system properly :-)
This “marketing” narrative is getting tiresome. When you have third party tech companies blown away by the prowess of a software update it may be time to realize that the top tech minds in the business have slightly better tech acumen than some anonymous internet commentator…
(Edited)
If you were already tired, maybe you should take a break, instead of writing a comment?

Tell me more about the BSD and Firefox exploits after you have enough rest. A few western media getting excited = blown away?

Don't forget to purchase the tokens.
Hardly third party. Most who talk about Mythos have a vested interest in the AI hype.
The internet is working today. Tomorrow may be a different story.
You reckon the Internet will stop working tomorrow?
So white hat hackers will have to retrain? Hardly game changing stuff.