Claude Mythos Arrives in Japan — Three Megabanks Gain Access, GPT-5.5 Catches Up in Two Weeks (TBS Cross Dig × Agentic Sec)

TBS Cross Dig × 1on1 Tech · May 14, 2026

Sho Nakatani (Agentic Sec CEO) · 06:14 "Mythos's ability to detect vulnerabilities has improved steadily — but its ability to demonstrate vulnerabilities has improved dramatically. Mythos auto-generates the attack, Mythos tunes the attack steps, and the attack succeeds."

A May 14, 2026 episode of the TBS Cross Dig series "1on1 Tech," around 32 minutes. The host and AI security expert Sho Nakatani (CEO of Agentic Sec) discuss the news that three Japanese megabanks (MUFG, Mizuho, SMBC) are about to gain access to Anthropic Claude Mythos. The conversation covers the automation of cyberattacks, GPT-5.5 catching up to Mythos within two weeks, and the widening gap between attackers (28% of vulnerabilities attackable on day one) and defenders (55–75 days to patch).

About a month after Anthropic announced Claude Mythos , on May 14, 2026, the TBS Cross Dig series "1on1 Tech" invited AI security expert Sho Nakatani (CEO of Agentic Sec, formerly at DeNA and Toyota) for a 32-minute conversation organized around news that Japan's three megabanks (MUFG, Mizuho, SMBC) are about to gain Mythos access.

This program is a follow-up to MEMEX's Project Glasswing announcement piece. Glasswing is the "make the world's software safer" initiative Anthropic launched in 2025, limited to twelve partner organizations including Microsoft and Google — the prehistory of Mythos's access restrictions. Nakatani notes that even at that time there was concern that "Japan can't access this — is that all right?" One year on, Japan has finally opened the door.

As a complement to MEMEX's Dario trilogy (Davos → Pentagon) and the Anthropic 80x growth episode in the same series, this piece is worth reading through a Japan-domestic cyber-defense lens. Nakatani, who holds the distinction of being "the first in the world to achieve fully automated initial intrusion via an AI agent," puts forward the most technical question of all: "is Mythos's automated exploit-demonstration capability real?"

The significance of access for the three megabanks

The core of the news: MUFG, Mizuho, and SMBC are about to gain Mythos access. Inside Anthropic's restrictive policy of "limited to 40–50 organizations — U.S. government agencies, financial institutions, and cloud providers," this is the first opening of the door to Japanese companies.

Nakatani's assessment: "We should view this as a genuinely positive development." He adds caveats: "Is it really enough for just the three megabanks? Finance should expand further, and what about other critical infrastructure — power, rail? And even outside critical infrastructure, do we not want priority access for companies whose cyber-incident damage would disproportionately harm Japanese citizens?"

Why finance got priority, per Nakatani: "Financially motivated attacks have increased markedly in recent years. Ransomware is the obvious example — break into a company, shut down its operations, demand payment to restore them. Cyberattacks have become a money-making enterprise, so finance is a natural target."

Nakatani's strategic point: "To keep expanding access, we need to give Anthropic and the U.S. a reason — through a kind of barter — to be glad they gave Japan access. Bluntly: the companies that gain access need to feed back to Anthropic what they tried and what came out of it. The government and the companies with access should work on this together." Access acquisition has two structural constraints: (1) it cannot be a one-shot event and must keep expanding; (2) it won't expand unless Japan keeps providing the U.S. side with value.

Is Mythos's cyber capability real? — From detection to demonstration

The most technically important section is where Nakatani separates Mythos's vulnerability capabilities along two axes. "The ability to detect vulnerabilities has improved steadily, but the ability to demonstrate vulnerabilities has improved dramatically."

Vulnerability detection (find): workable since 2024, though AI hallucinations produced many false positives and required human checking. In 2025, AI harnesses (model + surrounding software + human checking) spread and accuracy improved
Vulnerability demonstration (exploit): the ability to actually make the attack work — building the exploit, setting up the trigger conditions. "Previously this required an extremely high-level human cybersecurity expert"; Mythos has achieved automation

Nakatani's observation: "Looking at X posts from people with Mythos preview access, you can find several reports where Mythos auto-generated the attack, Mythos tuned the attack steps, and the attack succeeded." Consistent with the rise in Anthropic's official Cybench and Cybergym benchmark scores (0.67 → 0.83).

Nakatani's industry observation: "Once Mythos came out, the switch flipped immediately. We feel it in conversations with our customers (the defenders). Before, experts knew AI could find security vulnerabilities, but for customers it stayed at the level of a talking point. After Mythos, the discussion turned serious."

GPT-5.5 catches up to Mythos in two weeks

A particularly notable development in this episode is that Mythos's lead wobbled within two weeks. Mythos was announced in early April 2026 (68.6% correct in CTF format). Roughly two weeks later, OpenAI shipped GPT-5.5 at 71.4% on CTF — equivalent performance within margin of error.

Nakatani's assessment: "Mythos is impressive, but GPT-5.5 is equally impressive. This isn't specific to Anthropic — the level of models is rising across the industry as a whole." That is, Mythos doesn't carry a secret sauce. The hypothesis is firming up: cybersecurity capability is a natural consequence of broader AI model improvement.

That said, per the U.K. AI Security Institute (AISI) announcement on the morning of May 14, Mythos has continued to version up: on simulated corporate-network attacks, "6 of 10 succeed" (initially 3 of 10), and on industrial systems (air-gapped from the internet), "0 of 10 → 3 of 10." Nakatani's assessment: "Going from 0 to anything above 1 is huge. It means doing what couldn't be done."

Dario had said on CBS that "they'll catch up in roughly six months." Nakatani's framing: "GPT-5.5 caught up in 16 days. We're nowhere near done — everyone is building this." This is an important corollary to Dario's Davos optimism and the "scientist-led AI company" thesis: Anthropic isn't special — the whole industry is evolving in the same direction.

28% attackable on day one vs. 55–75 days to patch — the gap is widening

Late in the program, Nakatani presents numbers that expose the fundamental defensive problem of the AI era.

Attacker acceleration: AI has dramatically compressed "the time from when an attacker sees vulnerability information to when they can mount an attack." "28% of vulnerabilities can be attacked on day one. Roughly 55% can be attacked within 7 days." These are the numbers when attackers use Mythos / GPT-5.5-class models.

Defender lag: "The time it takes for a company to patch a vulnerability has historically been around 55 to 75 days."

Nakatani's calm conclusion: "The gap is opening enormously. The world where humans do the verification can no longer keep up. With attackers using AI, defenders also have to automate with software."

An "assume breach" defense strategy

Nakatani's defensive recommendations are technically concrete. He organizes them along two axes: "not getting breached" and "limiting damage even after being breached."

Not getting breached: instead of defending each individual piece of software, automatically inventory all software in use across the company. The moment vulnerability information appears in the wild, automatically determine "this system could be affected"; then verify whether "an actual attack path exists" via vulnerability assessment and penetration testing.

Limiting damage after a breach: a configuration "where breach of the first system doesn't connect to other business systems" — microsegmentation — plus reducing the attack surface (the surface available to be attacked). Examples: "never connect a web server to the internal network," "don't accidentally expose internal systems to the outside."

The non-technical complement: cyber insurance. A mechanism for paying out when a cyberattack damages the business. "Combine technology and business to raise overall cyber defense" is the framing.

Chinese actors + AI agents — the reality of fully automated attacks

An important corroborating point discussed on the program is the report Anthropic itself published in 2025: "a Chinese actor used fully automated AI agents to mount attacks." This is a case Anthropic observed: AI agents executed and succeeded in attacks without high-level human cybersecurity experts present — an early example of automated attacks in the AI era.

Nakatani's geopolitical concern: "Looking at where attacks against Japan tend to come from, China is one of the most frequent sources, alongside others like Russia. There is concern among cybersecurity experts about China possessing higher-capability AI models." This intersects, at the Japan-domestic level, with the AI-governance dialogue (model misbehaviors / autonomous weapons / non-state actors) discussed at the May 2026 U.S.-China summit in Beijing.

Editorial Notes — structural choices for Japanese cyber defense

Three points MEMEX extracts from this episode:

(1) The moment Anthropic-Japan government cooperation got underway — the first instance of Japan securing, through diplomatic effort, "upper-tier access" to a U.S. AI model. After the three megabanks, the continuing question is expansion to critical infrastructure (power, rail) and broader Japanese industry. Per Nakatani's point, this is sustained only by a barter strategy — Japan continuing to feed back meaningful information to the U.S. side.

(2) Early collapse of the "Mythos as sole leader" myth — with GPT-5.5 reaching equivalent performance in two weeks, cyberattack capability is no longer Anthropic-specific but an industry-wide issue. This suggests Project Glasswing's restricted-access model may stop working as frontier-model competition intensifies. The moment Chinese players reach equivalent performance, access restrictions themselves become moot.

(3) A defensive paradigm shift to "assume breach" — the gap between attackers (28% on day one) and defenders (55–75 days) essentially abandons the traditional "don't let them in" defense. Microsegmentation, attack-surface reduction, cyber insurance, automated defense products — all the concrete measures Nakatani proposes are built on the assumption of breach. This requires fundamental reallocation of security budgets at Japanese companies.

MEMEX positions this program as an independent evaluation by a Japanese cybersecurity expert. Nakatani's distinction — "first in the world to achieve fully automated initial intrusion via an AI agent" — gives concrete shape to the worry that Chinese actors with equivalent capability could target Japanese companies. A reference point for connecting U.S.-side movements (Dario's Pentagon clash, Glasswing, the Pentagon seven-contractor deal) with the Japan-side defense choices (acquiring access, the megabanks going first, expansion across industry).

Related Resources

Project Glasswing announcement — Anthropic — the prehistory of Mythos's access restrictions
From Davos optimism to Pentagon confrontation — Dario Amodei, January–February 2026 — Anthropic's Red Lines philosophy
Claude's 80x growth hits AI infrastructure limits — SpaceX as Anthropic's lifeline — same TBS Cross Dig series, aired the next day
U.S.-China summit, May 2026, Beijing — AI chips and "3B" — geopolitics of AI governance dialogue
After the Pentagon cut Anthropic, the contracts flowed to the same investor base — the U.S. side's cyber response structure
Dario Amodei profile