Capitec CEO Graham Lee said on Wednesday that the bank has formally applied for early access to Anthropic’s Mythos model and, after clearing the first hurdle with Amazon Web Services, is now in direct discussions with Anthropic – putting South Africa’s largest retail bank by customer numbers among a growing list of institutions scrambling for access to the most capable – and most contested – AI model yet built.
In an interview with TechCentral on Wednesday, Lee said the window to patch newly discovered vulnerabilities is rapidly collapsing, and that Mythos has changed the shape of the problem rather than merely extended an existing trend.
“There has been a continuous and rapid evolution release to release, but where Mythos really stands out is its ability to identify conflations – multiple weaknesses that play into each other – and then automate an attack on that vulnerability,” Lee said. “The window of opportunity to defend yourself before an exploitation happens is shrinking very significantly. You used to have months, then weeks, to patch your servers for the latest vulnerabilities. That window is shrinking.”
Anthropic announced Claude Mythos Preview on 7 April after the model’s existence was exposed in a late-March content management system leak. The company said it would not release the model publicly, restricting access to about 40 organisations through its Project Glasswing initiative, alongside a version now being rolled out to US federal agencies. The British government said in a 15 April open letter that its AI Security Institute had tested Mythos and found it “substantially more capable at cyber offence than any model we have previously assessed”.
US banks including JPMorgan, Morgan Stanley, Goldman Sachs, Bank of America and Citigroup have confirmed or been reported to have access. Multiple senior banking and regulatory sources in Europe said they were unaware of any European financial institution with access to Mythos yet, according to a Reuters report last week.
South African banks play catch-up
South Africa’s big banks are scrambling to work out what the new model means for their defensive posture, even as most remain on the outside of Anthropic’s restricted programme.
Lee said Capitec’s use of AI internally is focused on making its people more effective rather than reducing headcount, and that the bank’s strategy is “not to reduce headcount”. But he was unambiguous about Mythos’s significance. He praised Anthropic’s decision to grant defenders earlier access to the model than the wider market.
“The same tool that can be used to attack is also the tool that can be used to defend. By and large, if you look over recent history, there’s been symmetry in the timing in which attackers and defenders have got the tool,” he said. “What Anthropic has done is change that to be asymmetrical and give the defenders earlier access than the potential rest of the world. I think that’s a very good thing.”
Read: Anthropic’s Mythos is the cyberthreat every CISO feared
Standard Bank, responding to questions from TechCentral, said it is also actively tracking Mythos’s development based on public information and is “working closely with our technology partners to deepen our understanding as more detail becomes available”.
The bank said it is concerned about the emergence of AI tools that lower the barrier for attackers or accelerate the discovery and exploitation of vulnerabilities, and relies on a “broad ecosystem of top-tier cybersecurity partners, many of whom are directly testing frontier AI-based tools”.
Asked what Anthropic should be doing to give large banks an opportunity to safeguard their systems, Standard Bank said it supports Anthropic’s approach of engaging with regulators, large technology companies and major banks, and that “models with strong cyber capabilities should only be broadly released once risks are well understood and security measures are in place”.
The bank said it employs more than 350 dedicated security professionals and partners with leading global cybersecurity firms, including those at the forefront of applying AI to cyber defence.
The South African Reserve Bank, asked for comment on Mythos and the security concerns being raised, said only that it is “monitoring developments related to Anthropic and will not be commenting further”.
Asymmetric access
Anthropic’s decision to grant early access to a small group of partners is, from a defensive standpoint, a deliberate attempt to give those organisations a head-start over attackers who might eventually obtain similar capabilities from less constrained open-source models. But for institutions on the outside, this asymmetry creates a competitive and security gap.
Some US banks without access have questioned whether there should be broader access to Mythos and whether JPMorgan, which has the model, received an unfair advantage – a topic likely to be raised with the US treasury, Reuters reported last week.
Earlier this month, Check Point chief technology officer Jonathan Zanger warned that Mythos marks the moment AI-powered vulnerability discovery moved from theoretical threat to operational reality. Frontier models, he warned, will allow attackers to identify and exploit vulnerabilities at a scale, speed and sophistication that was until recently the preserve of advanced nation-state actors.
Zanger argued that the convergence of two shifts – the democratisation of advanced attack capabilities and the industrialisation of attack pipelines through agentic AI – produces “a dangerous outcome: more attackers executing more sophisticated attacks, increasing both volume and velocity simultaneously. The time-to-exploit window is collapsing towards zero.”
Standard Bank, asked how confident it was that it could modernise and secure its systems at a pace that exceeds attacker capability, said it is “confident, but also realistic about the pace of change”. The bank said it invests heavily in cybersecurity and technology modernisation and works closely with global partners, focusing on rapid detection and response.
That mirrors the tone Capitec’s Lee struck. Capitec’s approach, he said, will continue to combine working through third-party providers with direct engagement with the model developers themselves.
Read: Hype or not, Mythos is a wake-up call for South African CISOs
“We’ll continue to work with our third-party providers, but also directly on the models, to be able to use them to defend ourselves,” he said. “The nature of the battle has changed completely.” – (c) 2026 NewsCentral Media
Get breaking news from TechCentral on WhatsApp. Sign up here.
