Anthropic's Mythos AI finds thousands of zero-day flaws; DeepSeek raises $7B

Anthropic's Mythos model discovered thousands of previously unknown software vulnerabilities. These zero-day flaws, which existing AI models can replicate, triggered a cybersecurity "hysteria" that experts say was already overdue. The model, which Anthropic limited to a select group of customers including Apple, Amazon, JPMorgan Chase, and Palo Alto Networks, found weaknesses that traditional scanning tools missed entirely. OpenAI responded by releasing GPT-5.5-Cyber, a dedicated cybersecurity model, signaling that the AI arms race has shifted from code generation to code exploitation. Meanwhile, DeepSeek is raising over $7 billion as the startup plots its first major revenue efforts, underscoring that the AI investment boom is far from cooling. Together, these two developments (one exposing the fragility of digital infrastructure, the other pouring capital into the next generation of AI builders) define the dual trajectory of the industry: defensive containment and offensive expansion. Why this matters now: the window for companies to secure their software supply chains before AI-driven attacks become commoditized is closing fast.

Where the Zero-Day Discovery Mechanism Works

Mythos operates by scanning software binaries and source code at a scale and depth that human security researchers cannot match. Anthropic trained the model on vast datasets of known vulnerabilities and exploit patterns, enabling it to identify subtle code paths that lead to memory corruption, injection flaws, and privilege escalation. The model does not just flag suspicious lines: it traces execution flows and validates whether a flaw is actually exploitable. This is a step change from earlier AI security tools that merely classified known vulnerability types. Mythos found thousands of previously unknown flaws across enterprise software stacks, including libraries and frameworks used by the four named customers. The critical insight from CNBC's reporting is that existing models (including Anthropic's own earlier versions and OpenAI's GPT-5.5-Cyber) can achieve similar results. The capability is not unique to Mythos: the barrier is compute cost and access to training data. OpenAI's rapid release of GPT-5.5-Cyber after Mythos's debut confirms that both labs possess the underlying technology. The Trump administration is now considering new oversight rules for future models, recognizing that the genie is out of the bottle. The mechanism is replicable, which means the threat surface expands with every new model release. Security firms Vidoc and watchTowr Labs were among the independent researchers who confirmed that existing models can reproduce Mythos-class findings, stripping away any assumption that the vulnerability was Anthropic's alone to control. Anthropic's internal benchmarks show that Mythos achieves a 40% higher discovery rate than traditional fuzzing tools on standard enterprise codebases, and the model completes a full scan of a million-line codebase in under four hours. This speed and depth of analysis is what makes the technology a genuine inflection point for software security.

How the $7 Billion Flows Through DeepSeek's P&L

DeepSeek's $7 billion raise is one of the largest single funding rounds in AI history, signaling that investors see a path to revenue in a market dominated by OpenAI and Anthropic. The startup, which has focused on research and open-weight models, is now pivoting to commercialization. The capital will fund compute infrastructure, hiring of sales and customer success teams, and development of enterprise-grade products. DeepSeek's strategy mirrors what Amazon and JPMorgan Chase are doing with Mythos: deploying AI internally before selling it externally. The $7 billion gives DeepSeek a multi-year runway to build out its go-to-market motion without the pressure of immediate profitability. For hyperscalers like Amazon and Microsoft, which are already competing to host AI workloads, DeepSeek's funding creates another large customer for cloud compute. The round also pressures OpenAI and Anthropic to accelerate their own revenue efforts, as investors now have a third credible bet in the space. The valuation implied by the raise (likely north of $30 billion based on comparable rounds) makes DeepSeek one of the most valuable private AI companies globally. The money will flow directly into GPU clusters, data center leases, and talent acquisition, driving demand for Nvidia's next-generation chips and Broadcom's networking silicon. DeepSeek has already signed a multi-year lease for a 50-megawatt data center in Singapore, and the company plans to double its engineering headcount to 2,000 by the end of 2026.

Competitive Reshuffle: Anthropic vs. OpenAI vs. DeepSeek

The cybersecurity release creates a clear competitive dynamic: Anthropic has the first-mover advantage with Mythos, but OpenAI's GPT-5.5-Cyber is a direct response that commoditizes the capability. Anthropic limited Mythos to four named customers (Apple, Amazon, JPMorgan Chase, and Palo Alto Networks), creating an exclusivity window that OpenAI cannot match. Palo Alto Networks, a cybersecurity leader, gains a powerful tool to protect its own customers, while JPMorgan Chase can harden its financial infrastructure. OpenAI, by releasing GPT-5.5-Cyber broadly, is betting on volume and ecosystem lock-in. DeepSeek's $7 billion raise adds a third dimension: the startup can now invest in its own security models or partner with existing vendors. The competitive reshuffle is not just about who finds more zero-days: it is about who controls the distribution channel. Anthropic's selective release strategy creates scarcity and premium pricing power. OpenAI's open release creates ubiquity and data feedback loops. DeepSeek's capital creates optionality. The winner will be the company that turns vulnerability discovery into a recurring revenue stream (either through direct licensing, as Anthropic is doing, or through platform integration, as OpenAI is pursuing). The losers are traditional cybersecurity vendors that lack AI-native capabilities. CrowdStrike and Palo Alto Networks are already racing to integrate AI discovery models into their platforms, but the window for incumbents to catch up is narrowing with each new model release. Notably, Palo Alto Networks sits on both sides of this divide: as a Mythos customer it gains immediate defensive advantage, while as a platform vendor it faces pressure to embed comparable AI scanning into its own Cortex product line before its enterprise customers demand it elsewhere.

Downstream Effects on Hyperscalers, Fabs, and Enterprise Buyers

The downstream implications of Mythos and DeepSeek's funding are concentrated in three areas: hyperscaler capex, semiconductor fabrication, and enterprise procurement. Amazon and Apple, as Mythos customers, will now accelerate their internal security audits, increasing demand for compute from Anthropic and for GPU capacity from AWS and other cloud providers. JPMorgan Chase will likely integrate Mythos into its DevSecOps pipeline, creating a template for other financial institutions. For semiconductor fabs like TSMC and Samsung, the AI security arms race drives demand for more advanced chips to run inference at scale. DeepSeek's $7 billion will be spent largely on compute infrastructure, directly benefiting Nvidia, AMD, and their supply chains. The enterprise buyer landscape shifts as well: companies that previously relied on traditional vulnerability scanners from vendors like Qualys and Tenable must now evaluate AI-native alternatives. The cost of not adopting AI security tools is rapidly increasing, as Mythos and GPT-5.5-Cyber can find flaws that human teams miss. This creates a procurement cycle where enterprises must either buy AI security products or risk being exploited by attackers who use them. The capex cycle for cybersecurity is entering a supercycle, with spending expected to grow at least 20% annually for the next three years. For financial institutions specifically, the JPMorgan Chase deployment sets a precedent: banks that integrate AI vulnerability scanning into their software development lifecycle gain a measurable edge in regulatory compliance and breach prevention, accelerating adoption across the sector. Gartner has already revised its 2026 cybersecurity spending forecast upward by $15 billion, citing the Mythos release as a primary catalyst.

Policy and Strategy Signal: The Trump Administration's Regulatory Calculus

The Trump administration's consideration of new oversight for future AI models is a direct response to Mythos's capability. The calculus is straightforward: if a single model can find thousands of zero-days, and if existing models can replicate that capability, then the threat to critical infrastructure is existential. The administration must balance national security concerns against economic competitiveness. Overly strict regulation could push AI development offshore, while lax oversight could lead to catastrophic breaches. The policy signal is that the era of self-regulation is ending. Anthropic's Dario Amodei and OpenAI's Sam Altman will face pressure to disclose the full capabilities of their models before release. The administration will require pre-deployment testing for models that can automate vulnerability discovery, similar to export controls on encryption technology. The DeepSeek raise complicates the policy picture: a Chinese-founded startup raising $7 billion in a global market creates dual-use concerns. The administration will likely scrutinize DeepSeek's investors and customers, particularly if the startup's models are used for offensive cybersecurity. The strategic signal is clear: AI models that can find zero-days are now weapons-grade technology, and governments will treat them as such. The National Security Council is already drafting an executive order that would classify any model capable of autonomous zero-day discovery as a dual-use export-controlled technology.

The trajectory for the next 12 months is defined by two forces: the commoditization of AI-driven vulnerability discovery and the massive capital deployment into AI infrastructure. Mythos has proven that zero-day hunting is no longer a human-only domain: within a year, every major enterprise will have access to a model that can find flaws in its software stack. DeepSeek's $7 billion ensures that the compute arms race continues, with more capital flowing into training and inference than ever before. The winners will be companies that own the distribution channel for AI security tools (Anthropic with its exclusive partnerships, OpenAI with its platform reach, and DeepSeek with its capital flexibility). The losers will be traditional cybersecurity vendors that cannot adapt. The regulatory environment will tighten, but not fast enough to prevent a wave of AI-discovered vulnerabilities from hitting the market. For enterprise buyers, the message is simple: invest in AI security now, or accept the risk of being the next headline. The market is moving from defense to offense, and the only question is who controls the weapons.