
US Treasury Secretary Says A New AI Can Break Banks’ Software. Who’s Warning SAP Customers?

Scott Bessent called an emergency meeting with Bank of America, Citi, and Wells Fargo last month. Anthropic's Mythos can find critical software vulnerabilities at a speed and scale no human team can match. For organisations running SAP, this is a cybersecurity threat that cannot be ignored.


Last month, US Treasury Secretary Scott Bessent called an emergency meeting in Washington. The guests were the chief executives of Bank of America, Citi, and Wells Fargo. Federal Reserve Chair Jerome Powell was in the room.

The subject was a new AI model from Anthropic called Mythos Preview. The message was stark. Mythos can find, in hours, security weaknesses that take human researchers years to locate.

In controlled testing, Mythos found a vulnerability in FFmpeg, a widely used video encoding tool. The bug had survived five million automated security scans over 16 years. Next, it found a 27-year-old bug in OpenBSD, an operating system designed to be difficult to hack. Then it found critical vulnerabilities in every major operating system and browser currently in use.

If bad actors got access to Mythos, they could exploit vulnerabilities inside the banks’ own systems.

Anthropic had already concluded the same thing. The company won’t release Mythos publicly. Instead, it has built Project Glasswing. It’s a consortium of 40+ major technology companies given controlled access to find and patch vulnerabilities before attackers get equivalent capability.

JPMorgan Chase is the one major bank already inside Glasswing. US giants Microsoft, Apple, Amazon, Google, Cisco and The Linux Foundation are also included. SAP, a European company, is not.

Those US firms are scanning their own codebases. That includes Windows, macOS, iOS, Android, Chrome, the Linux kernel. They are patching what they find. The infrastructure layer that runs the world’s technology is being systematically hardened.

SAP runs the financial, operational and supply chain backbone of thousands of global organisations. It is a separate application layer that sits on top of that infrastructure layer. Nobody in Glasswing has a mandate to scan it.

The floor is being reinforced. The building sitting on it is not.

For SAP customers, this creates three distinct exposure gaps. Understanding them suddenly matters a great deal.

The Discovery Gap

This is the time between a vulnerability existing in your system and someone finding it. Before Mythos, you could measure that gap in years or decades. The FFmpeg bug sat undiscovered for 16 years. The OpenBSD vulnerability for 27. Human security researchers, however skilled, are finite. They miss things.

Mythos compresses discovery from years to hours. When Mythos-level capability becomes more available, and it will, attackers will have it too. SAP’s absence from Glasswing means the platform is not being systematically scanned by defenders right now.


The Patch Gap

This is the time between a vulnerability being identified and SAP issuing a fix. SAP currently operates a monthly security patch cycle. That’s a cadence designed for a world where finding critical vulnerabilities took months of expert human research. Mythos has made that world obsolete.

Could SAP accelerate? SAP’s codebase is vast. It comprises decades of accumulated code across S/4HANA, NetWeaver, SuccessFactors, Ariba, and more. Finding a vulnerability is one thing. Developing, testing, and issuing a patch across that estate at speed is another. Even well-resourced open-source projects are struggling with the volume of vulnerabilities Mythos-level tools will generate. SAP faces the same problem at greater scale and with greater commercial complexity.

SAP’s best near-term options are to build internal AI-powered scanning capability now, using currently available tools, to get ahead of its own codebase before Mythos-level capability proliferates, and to be more transparent with customers about what it is finding and on what timeline. Neither fully closes the Patch Gap in the short term. Both are better than the alternative.

The Implementation Gap

This is the gap clients own. It is the time between SAP issuing a patch and a specific customer successfully applying it. In complex SAP environments, and most large enterprise SAP environments are complex, you can measure that gap in months. Testing, change control, business disruption concerns, legacy system dependencies. Each adds time. Together, they create an exposure window that has always existed but has never mattered quite this much.

For SAP customers, this is where the risk lives right now. Not in the abstract threat of Mythos. In three questions. How far behind are you on patches? How long does it take your organisation to apply them? Does anyone in your business know the honest answer?
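The three questions above are measurable. The script below is an added illustration, not code from the article or from Pivot: it takes a constructed list of SAP Security Notes (placeholder note ids, release dates on the monthly Patch Day, and SAP's Hot News / High / Medium priority labels) and a constructed record of which notes one landscape has applied and when, then reports the outstanding backlog by priority, the oldest open exposure window, and the median historical implementation gap in days.

```python
from datetime import date
from statistics import median

# Constructed sample data. Note ids are placeholders, not real SAP note numbers.
# Release dates follow SAP's monthly Security Patch Day cadence (second Tuesday).
RELEASED_NOTES = [
    {"id": "NOTE-A", "released": date(2025, 9, 9),   "priority": "HotNews"},
    {"id": "NOTE-B", "released": date(2025, 10, 14), "priority": "High"},
    {"id": "NOTE-C", "released": date(2025, 11, 11), "priority": "HotNews"},
    {"id": "NOTE-D", "released": date(2025, 12, 9),  "priority": "Medium"},
    {"id": "NOTE-E", "released": date(2026, 1, 13),  "priority": "High"},
]

# Constructed record of what one SAP landscape has actually applied, and on which date.
APPLIED = {
    "NOTE-A": date(2025, 11, 20),
    "NOTE-B": date(2026, 1, 5),
}


def implementation_gap(released, applied, today):
    """Answer the article's three questions for one landscape.

    Returns outstanding notes grouped by priority (how far behind you are),
    the oldest open exposure window in days (release date to today), and the
    median days between release and application for notes already applied
    (how long it actually takes your organisation to patch).
    """
    outstanding = [n for n in released if n["id"] not in applied]
    by_priority = {}
    for n in outstanding:
        by_priority[n["priority"]] = by_priority.get(n["priority"], 0) + 1
    # An unapplied note has been exposing the system since its release date.
    oldest_exposure = max((today - n["released"]).days for n in outstanding) if outstanding else 0
    # Historical implementation gap measured on notes that did get applied.
    gaps = [(applied[n["id"]] - n["released"]).days for n in released if n["id"] in applied]
    return {
        "outstanding": by_priority,
        "oldest_exposure_days": oldest_exposure,
        "median_days_to_apply": median(gaps) if gaps else 0,
    }


def run_example():
    # Fixed "today" so the constructed figures are reproducible.
    return implementation_gap(RELEASED_NOTES, APPLIED, date(2026, 2, 1))


if __name__ == "__main__":
    print(run_example())
```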

Most organisations do not have a partner who can answer those questions with precision. They should.

It requires people who know SAP, who work onshore and embedded with your team, and who have a track record of delivering at speed in complex environments where patch backlogs accumulate. Pivot has delivered in 40 days what incumbents said would take months.

Pivot will tell you the truth about what we find. If your exposure window is six months, you need to know that. Not a softened version of it. Not a roadmap that makes the problem sound manageable. The position.

The Discovery Gap and the Patch Gap are outside your control. The Implementation Gap is not. That is where to start.

Pivot will help you close the Implementation Gap.

