Japan's Three Megabanks Get Defensive Access to Anthropic's Mythos via Project Glasswing

Michael Ouroumis

Japan's three megabanks — Mitsubishi UFJ Financial Group, Mizuho Financial Group, and Sumitomo Mitsui Financial Group — are set to receive defensive access to Anthropic's Claude Mythos, the company's vulnerability-hunting frontier model, with onboarding expected by the end of May 2026. The decision was conveyed by US Treasury Secretary Scott Bessent during meetings in Tokyo that wrapped around May 13, and marks the first time Japanese institutions have entered Project Glasswing, Anthropic's restricted preview that had been limited to American and a handful of European partners.

A national working group, not a procurement

The framing is what makes this notable. Rather than a vendor rollout, Japan's Financial Services Agency stood up a 36-entity public-private working group to coordinate the response, pulling in the Bank of Japan, the national cybersecurity office, and Japan Exchange Group alongside the megabanks. Finance Minister Satsuki Katayama characterized the situation created by Mythos-class capability as "a crisis that is already upon us," while Anthropic CEO Dario Amodei has described the moment as a "cyber moment of danger."

That posture reflects what the model reportedly does. In Anthropic's own evaluations, Mythos identified thousands of high-severity, previously unknown vulnerabilities across major operating systems and web browsers, and produced working exploit chains capable of escaping renderer and OS sandboxes; a single reported evaluation surfaced 271 issues in Firefox alone. Defensive access is the point: banks get to run the model against their own stacks before the same capability proliferates to attackers.

What it signals for security teams

For practitioners, the structural takeaway is that frontier offensive-security capability is now being distributed under a gated, geopolitically managed regime rather than sold openly. Glasswing access is being treated as a strategic asset — extended government-to-government, conveyed by a Treasury Secretary, and wrapped in a national coordination body before a single bank runs a scan.

That carries three near-term implications. First, expect a widening gap between institutions inside programs like Glasswing and everyone else, who face the same exploit-generation capability without early defensive access. Second, financial-sector regulators globally — after the ECB and ESMA reviews and the Bessent–Powell US bank discussions — are converging on Mythos as a systemic cyber-risk category, which means compliance and disclosure obligations are likely to follow. Third, the multi-decade-old bugs these models reportedly surface mean a standing patch backlog is no longer a tolerable steady state for any institution in critical infrastructure.

For enterprise security leaders, the message is concrete: assume the offensive capability exists, assume adversaries will eventually reach parity, and prioritize getting sanctioned defensive runs against your own codebase ahead of that curve.
