When Anthropic unveiled Claude Mythos in early April, the security world briefly divided into two camps. 

One read the 250-page report and reached for the emergency response playbook. The other noted that the headline claim of “thousands of critical vulnerabilities” rested on extrapolation from just 198 manually reviewed cases and concluded it was primarily a sales pitch. Both reactions are understandable. Neither is quite right, and for banks defending digital channels, neither is particularly useful.

The more productive question is not whether Mythos is dangerous in isolation. It is what happens when a model with genuine vulnerability-discovery capabilities is combined with agentic AI directed at channels designed from the ground up for humans. That combination creates a threat that existing defenses are poorly structured to detect, as their underlying assumptions about what an attacker looks like no longer hold.

Separating signal from noise

Start with the evidence base, because the hype obscures some genuinely meaningful findings. The UK’s AI Security Institute (AISI) conducted independent evaluations of Claude Mythos Preview and found real, measurable progress. It is the first model to complete AISI’s 32-step corporate network attack simulation end-to-end, doing so in three out of 10 attempts and averaging 22 out of 32 steps across all runs, a simulation estimated to require human professionals approximately 20 hours to complete. That is not a marketing claim. It is an independent government evaluation.

The trajectory matters as much as the snapshot. In just 18 months, the best AI models went from barely making any progress on a realistic simulated enterprise attack to completing more than half of it, and the cost of a full attempt is now around £65. When the price of running an attack scenario drops to the cost of a decent lunch, the economics of cybercrime change in ways that are structurally significant for financial services.

But the Anthropic numbers warrant scrutiny. The claim of thousands of severe vulnerabilities is extrapolated from expert contractors agreeing with Claude’s severity assessment in approximately 90% of 198 manually reviewed reports. In at least one prominent case, a 16-year-old FFmpeg vulnerability (a security flaw criminals can exploit when systems process malicious media files), Anthropic’s own analysis concluded the bug was not of critical severity and would be challenging to turn into a functioning exploit. Mythos also found several possible exploits in the Linux kernel but was unable to take advantage of any of them because of Linux’s defense-in-depth security systems. The findings are real. The framing around them is doing commercial work.

The independent picture, then, is of a model that represents a genuine capability step change regarding vulnerability discovery and multi-step attack simulation, presented within a narrative designed to serve Anthropic’s positioning as the only responsible steward of frontier AI. Banks should take the former seriously and hold the latter at arm’s length.

The pipeline that matters

The threat that deserves attention is not Mythos autonomously breaking into a bank’s core infrastructure in a single uninterrupted run. AISI is explicit that its test ranges lack active defenders, defensive tooling, and penalties for actions that would trigger security alerts, meaning results cannot confirm whether Mythos could attack well-defended systems. A mature bank with comprehensive logging, strong access controls, and an active SOC is a different proposition from a simulated enterprise network with no active monitoring.

The more credible threat is a division of labor. Mythos, or models like it, functions as a reconnaissance and vulnerability-discovery engine, detecting weaknesses in APIs, SDKs, authentication flows, and the open-source components embedded throughout the financial services technology stack. In testing 7,000 open-source software stacks, Mythos found crashable exploits in about 600 examples. Open-source components are used in mobile banking applications, payment processing libraries, and customer-facing authentication frameworks. The gap between identifying a vulnerability and operationalizing an exploit is where agentic AI comes into play.

Purpose-built agents, informed by that vulnerability intelligence, can then probe digital channels at scale, at speed, and with a patience and consistency no human attacker can sustain. This is not a theoretical future state. It is an extension of adversarial techniques that academic researchers have explored for several years, now potentially accessible to organized criminal groups who previously lacked the technical depth to build such tools themselves. Tasks which once required specialist skills, such as writing exploit code, understanding system architecture, and using attack tools, can increasingly be automated using AI in certain circumstances. The democratization of that capability is the real threat multiplier and not the specific model that's making headlines this week.

The behavioral gap

This is where the problem becomes structurally interesting for banks, and where the standard infrastructure security response is insufficient on its own.

Digital banking channels were designed around human interaction styles. Fraud detection that relies on past transactional behavior, outcomes, amounts, destinations, and frequencies rather than the interaction itself will likely prove less accurate when confronted by an adaptive AI agent. Such agents will likely infer that a successful attack will require them to transact in ways that keep the account within predicted ranges.

The result is a fraud detection model that remains confident precisely when it should be uncertain, because the underlying telemetry that would reveal manipulation is not an input to the model at all. Session-level signals are precisely what distinguish genuine customers from scripted attacks in most fraud model architectures, and an agent informed by Mythos-style analysis of where detection thresholds sit could, in principle, generate attacks that remain within the distributions those models expect.

The friction paradox

When confronted with this threat, our industry’s natural instinct is to increase friction: Add more step-up authentication events, lower the thresholds that trigger intervention, require more confirmation steps before high-value transactions are completed, etc.

This instinct is understandable and largely counterproductive, for a familiar reason: Most of the sessions on your digital channels are legitimate customers. The cost of false positives in a high-friction environment goes beyond abandonment rates and Net Promoter Scores. It is a systematic disadvantage relative to competitors who have found ways to distinguish genuine customers from agents without burdening the former.

Alleviating the risk of an agentic attack pipeline without generating the friction that comes with a high false-positive rate requires detection logic that operates at the behavioral layer, not at the transaction layer, and not solely at the infrastructure layer.

The question is not just whether a given session contains a suspicious transaction. It is whether the entity conducting the session behaves like a human being. That distinction, maintained continuously across the session lifecycle rather than evaluated at discrete intervention points, is what separates those defenses calibrated for the emerging threat from those calibrated for the threats of five years ago.
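As an added illustration of the distinction drawn above between the transaction layer and the session layer (this is example code written for this page, not the article’s own material or any vendor’s product), the following Python script runs both kinds of check over three constructed session event logs. The customer profile, the event logs, the pacing heuristic (scripted agents tend to pace actions with short, near-constant gaps, people do not) and the two thresholds are all assumptions chosen to make the point visible; a production system would draw on far richer behavioral telemetry. The point it shows is that a session which keeps its amounts inside the expected band passes the transaction-layer check cleanly and is only caught by looking at how the session was conducted.

```python
"""Transaction-layer vs session-layer checks on constructed banking sessions.

Assumption used for illustration: scripted agents pace their actions with
short, almost identical gaps, whereas people are irregular. The thresholds
below are made up for this example and are not calibrated values.
"""
from statistics import mean, pstdev

# Constructed customer profile: the kind of history a transaction-layer
# model relies on (typical transfer amounts for this account).
PROFILE = {"amount_low": 100.0, "amount_high": 300.0}

# Constructed event logs: (seconds since session start, event, amount or None).
HUMAN_SESSION = [
    (0.0, "login", None), (4.7, "view_balance", None), (11.2, "open_transfer", None),
    (19.9, "enter_payee", None), (27.4, "enter_amount", 180.0), (31.0, "confirm", 180.0),
]
# Stays inside the usual amount band but walks the flow like a script.
AGENT_SESSION = [
    (0.0, "login", None), (0.8, "view_balance", None), (1.6, "open_transfer", None),
    (2.4, "enter_payee", None), (3.2, "enter_amount", 190.0), (4.0, "confirm", 190.0),
]
# Human-like pacing, but an amount far outside the band: the transaction
# layer catches this one on its own.
BLATANT_SESSION = [
    (0.0, "login", None), (5.1, "view_balance", None), (12.0, "open_transfer", None),
    (18.3, "enter_payee", None), (29.5, "enter_amount", 2500.0), (34.2, "confirm", 2500.0),
]

MIN_HUMAN_GAP_S = 1.0   # assumed floor for a person completing a data-entry step
MIN_GAP_CV = 0.15       # assumed: below this coefficient of variation, pacing is implausibly regular


def confirmed_amounts(session):
    """Amounts the session actually committed (the 'outcome' a transaction model sees)."""
    return [amt for _, event, amt in session if event == "confirm" and amt is not None]


def transaction_layer_flags(session, profile):
    """Looks only at outcomes: is each confirmed amount inside the usual band?"""
    flags = []
    for amt in confirmed_amounts(session):
        if not profile["amount_low"] <= amt <= profile["amount_high"]:
            flags.append(f"amount {amt:.2f} outside usual band")
    return flags


def inter_event_gaps(session):
    """Seconds between consecutive events, in session order."""
    times = [t for t, _, _ in session]
    return [later - earlier for earlier, later in zip(times, times[1:])]


def session_layer_flags(session):
    """Looks at how the session is conducted, regardless of what it transacts."""
    gaps = inter_event_gaps(session)
    if not gaps:
        return []
    flags = []
    fastest = min(gaps)
    if fastest < MIN_HUMAN_GAP_S:
        flags.append(f"fastest step {fastest:.2f}s below human floor")
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else 0.0
    if cv < MIN_GAP_CV:
        flags.append(f"pacing too regular (cv={cv:.2f})")
    return flags


def assess(session, profile):
    """Combine both layers; 'human_like' is decided by the session layer alone."""
    tx_flags = transaction_layer_flags(session, profile)
    session_flags = session_layer_flags(session)
    return {
        "transaction_flags": tx_flags,
        "session_flags": session_flags,
        "human_like": not session_flags,
    }


if __name__ == "__main__":
    for name, session in [("human", HUMAN_SESSION), ("agent", AGENT_SESSION), ("blatant", BLATANT_SESSION)]:
        print(name, assess(session, PROFILE))
```

Running the script shows the agent session passing the transaction-layer check with no flags while the session-layer check flags it twice (sub-second steps, zero variance in pacing); the blatant session is the reverse, flagged on amount but not on conduct. That asymmetry is the practical reason the two layers complement rather than replace each other.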

What good looks like

The UK’s National Cyber Security Centre (NCSC) is clear that AI will increase both strengths and weaknesses, and that organizations investing in strong security baselines and carefully deployed AI-enhanced defenses will be best placed to retain defender advantage as AI increasingly shapes the cyber risk environment. For banks, that translates into a specific set of priorities that go beyond patching the vulnerabilities Mythos finds in open-source components, important as that work is.

The institutions best positioned to manage this threat are those that can answer a deceptively simple question in real time: Is there a human in this session?

Answering that question can’t just happen at login or at the transaction confirmation phase. To combat the threats of today and tomorrow, banks must evaluate user intent and identity continuously, across the full arc of the session, drawing on signals of human cognitive functions and motor behavior that an agent would find difficult to replicate. The structural advantage defenders hold is the ability to shape the battlefield, to make the environment work better for them and worse for the adversary. Behavioral intelligence, applied at the session layer, is precisely that kind of battlefield shaping.

Mythos is a real step forward in offensive AI capability, wrapped in marketing that overstates what it can currently do. The hype is easy to dismiss. The underlying trajectory is not. For banks defending their digital channels, the question is not whether Mythos can break your infrastructure today. It is whether your channel defenses are built for an attacker who does not look human, and whether they can make that determination without making life harder for the customers who do.

Key takeaways

  • The alleged Mythos threat may be largely marketing, but AI-powered vulnerability-discovery combined with agentic automation targeting bank channels built for human users is a real concern.

  • The most credible near-term threat is division of labor, where one AI system identifies weaknesses in APIs, SDKs, authentication flows, or open-source software, while other tools operationalize attacks at scale.

  • AI lowers the skill barrier for fraud by helping automate tasks that once required specialists, such as exploit development, system analysis, and attack execution.

  • Traditional fraud controls built around transaction outcomes and historical patterns rather than how a session is being conducted will struggle to combat these threats.

  • Simply adding more friction will backfire by burdening legitimate customers and creating competitive disadvantages through false positives.

  • Stronger defenses require continuous behavioral analysis at the session layer, evaluating user identity, user intent, and user humanity throughout every millisecond of every digital banking session.
