Banks panicked over an Anthropic AI that supposedly opens a new chapter in cybercrime.
Outside researchers say the chapter started about a year ago, and you don't need Anthropic's newest model to write it. That gap between the panic and the on-the-ground reality is what investors are now trying to size up.
Last month, Anthropic's "Mythos" model rattled the corporate world after the company said it had found thousands of unknown software flaws in widely used systems.
Anthropic limited access to a few major U.S. companies, including Apple, Amazon, JPMorgan Chase, and Palo Alto Networks. The Trump administration responded by floating new federal oversight of frontier AI.
OpenAI followed with GPT-5.5-Cyber, a security-focused model that started rolling out to vetted teams on Thursday. Both companies are eyeing IPOs, and the cyber pitch is shaping up to be a key differentiator.
Cybersecurity firms told CNBC the Mythos panic is overdone, with cheaper, older AI models, including Anthropic's own and OpenAI's, able to find the same flaws when used together in the right way.
The technique is called orchestration, and it works by splitting code into smaller chunks while a fleet of smaller models cross-checks the results.
Vidoc CEO Klaudia Kloc said her team reproduced Mythos-style discoveries using older Anthropic and OpenAI models. Aisle, another firm, said it got similar results by running cheaper models in parallel.
"A thousand adequate detectives searching everywhere will find more bugs than one brilliant detective who has to guess where to look," Aisle's Stanislav Fort wrote in a blog post.
Anthropic does not really dispute that. A spokesperson pointed to a February post showing the widely available Claude Opus 4.6 had already found more than 500 high-severity flaws in open-source software.
What sets Mythos apart, per Anthropic, is the ability to take the next step and write the working code that exploits a flaw with little or no human input.
watchTowr CEO Ben Harris said the past few weeks of conversations with banks, insurers, and regulators have felt like "hysteria." The catch is that hackers tied to North Korea, China, and Russia already know how to do this work, with or without Anthropic.
Mayer Brown partner Justin Herring, a former New York financial regulator, said the new AI is great at finding holes and not yet helpful at fixing them. He called vulnerability management "the great Sisyphean task of cybersecurity."
Anthropic limited the Mythos rollout under a program it calls Project Glasswing, meant to give defenders time to prepare. The downside is that the wider cybersecurity industry can't yet test Mythos directly.
Until they can, the advantage in this round goes to offense.
