Experts warn cyber threat was already here

Global banks, tech giants and governments were sent scrambling last month to contain the risks posed by Mythos, the Anthropic model said to be so powerful that it has found thousands of previously unknown vulnerabilities in the world’s software infrastructure.

There’s just one problem: the capability they’re worried about is already here.

Cybersecurity experts and artificial intelligence researchers told CNBC that the software vulnerabilities revealed by Mythos can be found using existing models, including those from Anthropic and OpenAI.

“What we are seeing across the industry now is that people are able to reproduce the vulnerabilities found with Mythos through clever orchestration of public models to get very, very similar results,” said Ben Harris, CEO of cybersecurity firm watchTowr Labs.

Mythos has jolted executives and policymakers alike over concern that a perilous new era of AI-enabled cybercrime may be near. Anthropic limited its release to a few American companies including Apple, Amazon, JPMorgan Chase and Palo Alto Networks to reduce the risk that bad actors get their hands on it.

Even with that precaution, the release has prompted the Trump administration to consider new government oversight over future models.

It’s the latest in a string of high-profile launches from Anthropic that have intensified its rivalry with OpenAI as the two AI giants approach their highly anticipated initial public offerings. Weeks after the arrival of Mythos, OpenAI CEO Sam Altman announced GPT-5.5-Cyber, a model specifically tailored for cybersecurity.

OpenAI on Thursday allowed limited access to GPT-5.5-Cyber to vetted cybersecurity teams.

The controlled rollout of Mythos, part of a security measure called Project Glasswing, was to give the corporate world time to gird its cyber defenses against a coming onslaught of attacks from criminal groups and adversarial nations.

“The danger is just some enormous increase in the amount of vulnerabilities, in the amount of breaches, in the financial damage that’s done from ransomware on schools, hospitals, not to mention banks,” Anthropic CEO Dario Amodei said this week at an Anthropic event.

But to those fighting in the trenches of cyber warfare, one of the key capabilities advertised by Anthropic — to find software vulnerabilities at scale — has been around since last year.

“The models that we have right now are powerful enough to detect zero days in a large scale, and this is scary enough,” Klaudia Kloc, CEO of cybersecurity firm Vidoc, told CNBC.

That has been the case for “a couple of months, if not a year,” she said.

The term “zero-day” refers to a previously unknown software flaw that hasn’t been patched, giving attackers a window to exploit it before defenders can respond.

Researchers at Vidoc leaned on a technique…