Cloudflare Tumbles 13% as Anthropic’s Mythos AI Rewrites the Cybersecurity Threat Landscape

QUICK READS
- Cloudflare shares dropped more than 13% on April 10, their steepest single-day fall since May 2024, as Anthropic’s launch of its Claude Mythos Preview AI model stoked fears of disruption across the cybersecurity sector.
- Anthropic announced that Mythos Preview has already identified thousands of previously unknown software vulnerabilities, including critical flaws in every major operating system and web browser, and is restricting access to roughly 40 partner companies to prevent misuse.
- The broader S&P 500 Software and Services Index is down nearly 26% in 2026, with cybersecurity names Okta, CrowdStrike, and SentinelOne each falling between 4.7% and 7.7% on the same day as Cloudflare’s steepest drop.
- US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an emergency meeting with major Wall Street bank CEOs to assess cybersecurity risks posed by the model, reflecting the seriousness with which regulators are treating its capabilities.
- Analysts at BTIG pushed back on the sell-off, arguing that Mythos effectively signals rising cyber risk that will ultimately drive more demand for cybersecurity vendors, not less.
Anthropic’s most powerful AI model yet has rattled global cybersecurity markets. Cloudflare shed more than 13% in a single session as investors digested what an AI capable of autonomously finding and exploiting software vulnerabilities could mean for traditional security providers and for the safety of critical infrastructure worldwide.
Anthropic officially launched Claude Mythos Preview on April 7, 2026, alongside a new industry cybersecurity initiative called Project Glasswing. The model sits in a new fourth capability tier above Haiku, Sonnet, and Opus, and Anthropic described it as superior to any existing frontier AI model in cyber capabilities. Over the preceding weeks, Mythos Preview identified thousands of zero-day vulnerabilities (flaws previously unknown to software developers), many of them classified as critical, in every major operating system and every major web browser, as well as a range of other widely used software. A zero-day vulnerability is a security flaw unknown to the software’s developer, giving attackers a window to exploit it before a fix exists. Among the discoveries: a 27-year-old bug in OpenBSD, a 16-year-old vulnerability in video software that survived five million hits from automated testing tools without ever being detected, and a chain of Linux kernel flaws that Mythos autonomously combined to allow escalation from ordinary user access to complete machine control.
Anthropic moved quickly to limit who can access the model. Microsoft, Amazon, Apple, CrowdStrike, Palo Alto Networks, and roughly 40 other companies will be permitted to use Mythos Preview for defensive security work under Project Glasswing, with Anthropic restricting broader access to prevent bad actors from exploiting its capabilities. Cloudflare was not included among the Project Glasswing partners, a detail that compounded investor concern about its competitive positioning. Cloudflare, which had previously been seen as a beneficiary of Anthropic’s rise, now faces a different question: if large frontier models can autonomously defend and remediate vulnerabilities in real time, what business value remains for providers offering traditional reactive monitoring and protection layers? That question drove the stock’s 13% slide on April 10, its worst single-session performance in over two years. NET shares had already gained more than 62% in the prior twelve months, making the drawdown a sharp reversal of fortune.
The regulatory response was swift. US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an emergency meeting with major Wall Street bank CEOs to discuss potential cybersecurity threats posed by Mythos. Analysts flagged particular concern for the banking sector, where many core systems run on legacy code that carries inherent security risks and may be slower to update than consumer-facing infrastructure. Raymond James analyst Adam Tindle outlined several risks from the model’s capabilities, including compression of traditional defensive advantages, higher attack complexity, and potential shifts in security architecture spending, noting that defensive approaches based on known vulnerability databases could be pressured as AI enables continuous discovery of unknown exploits that outpace traditional detection methods. Not all analysts shared that bearish read. BTIG said investor reactions were based on an incorrect reading of Mythos’s impact, arguing that Anthropic is effectively giving the world a warning on increased cyber risk from AI, a signal that would ultimately drive more demand for cybersecurity vendors, not less. Anthropic itself acknowledged the dual-use nature of the model, noting that the same capabilities that make it dangerous in the wrong hands make it invaluable for finding and fixing flaws in critical software, and that defenders need access to these tools before attackers do.
MARKET SNAPSHOT
| Stock | April 10 Move | 4-Day Move |
| --- | --- | --- |
| Cloudflare (NET) | -13%+ | -22% |
| CrowdStrike (CRWD) | -7.46% (Apr 9) | — |
| Okta | -4.7% to -7.7% range | — |
| SentinelOne | -4.7% to -7.7% range | — |
| S&P 500 Software & Services Index | -3.1% (Apr 9 alone) | -26% YTD |






