Mythos Goes to Tokyo: Japanese Banks to Get Anthropic’s Vulnerability-Hunting AI
May 13, 2026 – 9:25 am
MUFG, Mizuho, and SMFG would be the first Japanese institutions added to Anthropic’s restricted Project Glasswing rollout, according to a source familiar with the matter who spoke to Reuters.
Japan’s three megabanks are set to gain access to Claude Mythos, Anthropic’s vulnerability-hunting AI model, within roughly two weeks. This would mark the first time a Japanese company has been granted entry to the restricted preview, previously limited to Anthropic’s American and European partners.
Mitsubishi UFJ Financial Group (MUFG), Mizuho Financial Group (Mizuho), and Sumitomo Mitsui Financial Group (SMFG) were informed of the move during meetings in Tokyo this week with US Treasury Secretary Scott Bessent. They are expected to be onboarded by the end of May.
The arrival of Mythos in Japan is significant, following similar briefings for European and American banks. The model has:
- Discovered thousands of previously unknown zero-day vulnerabilities across major operating systems and web browsers.
- Written working exploits, including chains that escape both renderer and operating-system sandboxes in a browser.
Mozilla, for instance, shipped Firefox 150 with fixes for 271 vulnerabilities found by Mythos in a single evaluation pass.
Anthropic has not released the model publicly but runs a controlled rollout under Project Glasswing. So far, twelve named partners have been added, including AWS, Apple, Cisco, Google, JPMorgan Chase, Microsoft, Nvidia, and Palo Alto Networks. Around 40 further institutions have gained access on a case-by-case basis.
Japan’s inclusion comes weeks after the Fed and US Treasury convened American bank chief executives for a cyber-risk briefing. UK regulators also committed to briefing major British banks within days.
In response, Tokyo is forming a working group comprising 36 entities – including major banks, the Bank of Japan, and Japanese units of Anthropic and OpenAI. This group will identify exposures, implement defensive measures, and draft contingency plans for a coordinated patching effort across the Japanese financial system.
For MUFG, Mizuho, and SMFG, the immediate focus is operational. Mythos under Glasswing terms comes with restrictions on output disclosure. The model identifies vulnerabilities within partners’ own systems and drafts remediation; exploits are not published. Mozilla’s experience offers a template: 271 vulnerabilities patched in Firefox 150 after a Mythos sweep, with findings returned to engineers for remediation.