Anthropic's Mythos AI Triggers White House Emergency Task Force as Patch Crisis Widens

Anthropic quietly shipped Claude Mythos Preview on April 7, billing it as the first AI model whose vulnerability-hunting skills rival elite human red teams. According to IBM, the system scoured decades-old codebases and surfaced flaws "hiding in plain sight" across every major OS, browser, and financial stack. Fortune reports that in restricted demos Mythos produced working exploit chains for 198 flaws that had already survived multiple human audits. The model’s secret sauce appears to be a hybrid of symbolic reasoning and large-scale fuzzing that runs continuously on Anthropic’s internal clusters. Yet Tom’s Hardware notes the headline claim of "thousands of zero-days" is based on only 198 hand-reviewed cases; the rest are still unverified. Even so, Anthropic says the raw hit rate is high enough that it has paused open release and is granting access only to a 15-company consortium dubbed Project Glasswing, whose charter is to patch—not publish—what Mythos finds.

Security veterans greeted Mythos with a collective shrug-at-scale. As Fortune quotes one CISO: "We’ve never had a problem finding vulnerabilities. We find them every day. We actually have a pile of them that we just don’t fix." CSO Online frames the panic as misplaced: the industry can discover flaws faster than ever, but mean time to patch hovers around 60–90 days, and fixing legacy dependencies often takes quarters, not weeks. Control Risks adds that most enterprises still triage by CVSS score, leaving medium-severity bugs to linger indefinitely. Mythos simply magnifies this backlog, turning a steady drip into a firehose. The result is a structural mismatch between discovery velocity and remediation capacity.

Bloomberg AI reports the White House convened an emergency task force within three days of Anthropic’s announcement. The group includes DHS, NSA, CISA, and Treasury officials plus the Office of the National Cyber Director. Regulators told Bloomberg the model’s open release is "off the table for now" while they assess whether the flaw backlog constitutes a critical infrastructure risk. Treasury specifically worries that banks running older COBOL cores can’t patch at Mythos speed without breaking regulatory reporting windows. The task force meets again in two weeks to decide if Anthropic must legally throttle disclosure rates or share findings only through classified channels.

Behind closed doors, bank CISOs now debate whether to outsource patching to third-party firms that specialize in emergency code surgery. Goldman Sachs and JPMorgan have already floated the idea of a joint venture that would hire hundreds of contractors to chew through Mythos reports faster than internal teams can manage. Smaller brokerages don’t have that luxury. One regional bank CTO told Bloomberg they’re "looking at a six-month queue" just to triage the first batch of findings. The FDIC quietly reminded institutions that any patch touching core banking systems triggers a 30-day regulatory notice period — effectively capping how fast fixes can ship.

Project Glasswing’s charter now includes a new clause: members must submit monthly remediation metrics to the White House task force. Anthropic itself is building a "patch heat map" dashboard that ranks companies by backlog size and estimated fix time. Early drafts show some Fortune 500 firms sitting on more than 1200 unpatched medium-severity flaws. The model’s next update, already in training, will reportedly flag exploitable chains instead of individual bugs — a move likely to make the backlog look even worse. Anthropic hasn’t said when (or if) it will resume broader access, but insiders whisper the bar will be proof that a company can patch within 30 days or less. Until then, Mythos stays locked inside the glass house.