
As Claude Mythos sharpens AI-led vulnerability discovery, financial services face a harder test of whether governance, recovery, and trust can move at machine speed.

Intel’s former CEO Andy Grove’s famous warning, Only the Paranoid Survive, was meant for businesses navigating strategic inflection points. But in the age of artificial intelligence, paranoia no longer belongs only to corporations or chief executives. It has become a lived experience: the tone, context, and mood of the age we live in.

AI is making institutions operate in a state of perpetual alert. It is creating a mindset of “fear is the place where we find comfort”, meaning our comfort zones, as individuals or as corporations, are done and dusted. They no longer exist. That evolutionary mindset is what separates leaders from laggards. There is a deeper sense that something fundamental is shifting beneath familiar terrain. What looked secure yesterday may become exposed tomorrow. What passed as modern a decade ago may now carry a dated tag. What we once called digital transformation may only have been the beginning of a more difficult test.

A zero-day vulnerability captures that anxiety well. It is a flaw that exists before defenders know it exists, often before a patch or clean response window is available. In banking, that makes the risk more pronounced because a hidden software weakness is not only a technology problem. It can quickly become a threat to payments, customer access, transaction integrity, and trust itself.

That thought takes me back to a pleasant sunny day in Chennai, roughly 22 years ago (circa 2004), when I met N Vittal to interview him, as Dataquest bestowed on him the Lifetime Achievement Award. Vittal was already a towering figure in India’s technology and governance journey. He had helped shape India’s early IT and telecom policy architecture, and as Central Vigilance Commissioner (CVC), he had pushed computerisation in banking to bring speed and transparency into financial systems. In that 2004 Dataquest profile, the story noted that the CVC had directed banks in 1998 to computerise at least 70% of their operations by 2001, and that by the end of 2004, almost 80% of Indian banks had adopted IT in some form. But the main insight was not only Vittal’s technocratic conviction. It was his philosophy of time.

Vittal told me during the interview that the early onset of diabetes made him realise the value of time, almost as an “early intimation to mortality.” He believed in achieving more with the time available, pushing personal setbacks into the background, and carrying an overall positive attitude as a way of life.

That reflection feels strangely relevant today.

Human beings face mortality. Institutions face obsolescence. Technologies, too, have a shelf life. They rise, solve one generation of problems, and then gradually become vulnerable to the next. Indian banking has lived through that cycle. More than two decades ago, the question was whether banks could computerise fast enough. Today, the question is very different – can they defend, patch, govern, and recover fast enough in an age where AI can accelerate the discovery of vulnerabilities?

What Mythos has changed

Anthropic’s Project Glasswing has brought together a group of technology and security organisations to use Claude Mythos Preview for defensive cybersecurity work. Anthropic says Mythos is an unreleased frontier model that has shown a sharp improvement in finding and exploiting software vulnerabilities, and that Project Glasswing is meant to put such capability to work for defence.

The claim is not modest. Anthropic says Mythos has already found thousands of high-severity vulnerabilities, including some in major operating systems and web browsers. It also says selected partners will use Mythos Preview to scan and secure first-party and open-source systems. That is where Anthropic’s Claude Mythos Preview enters the banking conversation.

That makes Mythos more than another AI product. It is an indication that the economics of cyber risk may be changing. If vulnerability discovery becomes faster, cheaper, and more automated, then the time available for institutions to respond also compresses.

According to news reports, Anthropic is expected to brief the Financial Stability Board (FSB), the global body that monitors risks to the financial system, on cyber vulnerabilities identified by Claude Mythos. The move is understood to follow a request linked to Bank of England Governor Andrew Bailey, who also chairs the FSB. That makes the issue larger than a model capability debate. If an AI system can identify hidden weaknesses across banking infrastructure, especially in institutions still dependent on legacy technology, regulators will have to ask whether such tools could also amplify cyberattack capability and create risks that spill into financial stability.

For financial services, this is the real issue. Mythos is not only about whether AI can find flaws. It is about whether banks, non-banking financial companies (NBFCs), fintech platforms, payment networks, and their technology partners can respond at the same speed at which exposure is discovered.

The question is no longer – are we secure?

The question now is – how quickly do we know where we are exposed, who owns that risk, what can be fixed, what must be contained, and whether essential services can continue while all this is happening? Shall we reimagine production environments for a “never normal”?

The end of the old cadence

For years, cyber resilience in many institutions followed a recognisable pattern. There were vulnerability assessment and penetration testing (VAPT) cycles, audits, red-team exercises, compliance reviews, patch windows, and board updates. This cadence made sense when threats moved closer to human speed.

Mythos-class AI challenges that cadence. Let’s check with some experts for their take on this.

Sharda Tickoo, Country Manager for India & SAARC at Trend Micro, says that the idea of periodic reviews has become outdated in an AI-driven threat environment. According to her, leading organisations are already moving towards continuous threat exposure management because attacks no longer wait for the next audit cycle.

Her point is important because it changes the CIO’s mental model. Security cannot remain a scheduled event. It must become a continuously operating intelligence function that maps assets, watches exposures, prioritises exploitability, and moves remediation closer to real time.

Munjal Kamdar, Partner at Deloitte India, makes a distinction between speed and velocity. Speed is about doing something faster. Velocity is about continuously scanning across applications, networks, databases, data layers, and business systems. In his view, organisations should assume they are no longer being scanned occasionally by hackers, but continuously by adversarial systems.

He cites a telling comparison. In one example he shared, an existing AI model produced two working exploits against an application, while Mythos produced 181. In vulnerability discovery, the earlier model found about 175 cases, while Mythos found 595. The exact numbers matter less than the direction they point to – the defender’s window is shrinking.

Rohan Gupta, VP Cloud, Security & DevOps at R Systems, puts it bluntly. Mythos-class AI flips the clock for defenders. For many Indian banks and NBFCs, security reviews are still tied to quarterly VAPT cycles, annual red-team exercises, and audits triggered by regulatory reviews or incidents. That model assumed a human-paced attacker. An AI-assisted attacker can read code, spot a flaw, and construct an exploit path in hours. That does not mean every institution is defenceless. But it does mean the review cycle has to give way to a live view of exposure.

India’s layered banking reality

The Indian financial system has digitised at extraordinary scale. But scale brings complexity, and complexity creates exposure.

A typical financial institution today may run legacy core banking systems alongside application programming interface (API) gateways, cloud workloads, mobile banking apps, real-time payment integrations, card systems, ATM networks, vendor-operated platforms, identity systems, and fintech partnerships. Some institutions may also be connected to account aggregation rails, open banking flows, outsourced operations, and third-party software supply chains.

This is not one system. It is a living ecosystem.

Reflecting on this thought, Kiran Gopinath, Chief Innovation Officer at Sahamati, says Indian financial institutions operate some of the most complex and high-scale digital environments in the world. Legacy systems now coexist with API-driven architectures, payment systems, cloud-native services, mobile ecosystems, fintech integrations, and emerging AI workflows. Defending this at AI speed, he says, is not only a technology challenge. It is an architectural and operational challenge.

That is a valid point worth probing. The weak point may not always be the bank’s core system. It may sit inside an API, a misconfigured cloud service, an over-permissioned identity, a forgotten dependency, a third-party integration, or a vendor-managed platform.

Rohan Gupta describes the challenge in operational terms. A mid-sized Indian bank could have an old core running on a mainframe or AIX stack, an API layer feeding Unified Payments Interface (UPI), Immediate Payment Service (IMPS), Aadhaar Enabled Payment System (AePS), and Bharat Bill Payment System (BBPS) rails, a separate cloud-native environment for mobile and internet banking, and a long list of vendor-run systems for cards, ATMs, know-your-customer (KYC), and customer service. Each layer may have its own owner, patch cycle, maintenance window, and risk posture.

In that environment, defending at AI speed is not just a matter of buying another tool. It begins with asset inventory, software bills of materials, identity control, and ownership. You cannot patch what you have not mapped. You cannot govern what you cannot see. You cannot secure what you have not authenticated.

The honest answer: not yet, not all

The uncomfortable question is whether Indian financial institutions can really defend at AI speed.

Kishan Sundar, Senior Vice President and Chief Technology Officer at Maveric Systems, offers the most direct answer – not yet, not all of them. His concern is not that Indian institutions lack capability. It is that their technology estates are too varied, layered, and distributed to be secured through older models of testing and remediation.

He underscores the point that the shift must go beyond frequency. Traditional security relied heavily on black-box assessments – bring in a red team, simulate an attack, generate a report, and then fix the gaps. That model assumes the environment remains relatively stable between tests. But every code change, API update, cloud configuration, and integration can alter the risk posture.

His answer is to embed security into every change. That means moving closer to white-box testing, continuous visibility, and risk assessment inside the software development and deployment process itself. In his words, the CIO’s mandate is no longer “test and fix.” It is to ensure that security is built into every change before it ships.

Akshay Sivananda, CISO at Saviynt, extends this point to technical debt. No industry, he says, is immune to legacy on-premise technology, end-of-life components, or insecure dependencies that have accumulated inside the digital ecosystem. The practical first step is to understand the issues, assess the attack surface, identify which weaknesses can become real exploits, and apply immediate risk mitigation while building a longer-term remediation plan. His warning on software supply chains is particularly relevant. As AI generates more code across development teams, organisations must validate the components that make up their software bill of materials (SBOM), and continuously scan for new supply-chain threats. This cannot remain a periodic exercise. It has to become part of the software development pipeline.

A necessary reality check

There is also a danger in overstating the Mythos moment.

Hitesh Dharmdasani, CTO, AnexGATE, and Founder & CEO, NetSenseCyberSecurity, offers a counterpoint. He says that there is no single model for dealing with threats. Financial institutions will still need periodic reviews, patching after disclosure, secure design, threat modelling, and continuous reduction of the attack surface.

His point is that Mythos-class AI may accelerate vulnerability discovery by using prior patterns and identifying similar weaknesses, but truly novel exploit creation remains more complex. That does not reduce the seriousness of the moment. It keeps the debate grounded.

So clearly, this is not a doomsday story. It is a preparedness story. It will provoke financial institutions to come out of their hubris and ask uncomfortable questions.

Even Munjal Kamdar cautions against viewing Mythos only through fear. AI-based cyber defence is also evolving. OpenAI’s Daybreak, for instance, is positioned as a cyber defence initiative that combines models, Codex Security, and partners to help defenders review code, validate fixes, analyse systems, and move faster from discovery to remediation. In other words, AI is not only the accelerant of risk. It is also becoming a defensive instrument. As the saying goes: AI for security, and security for AI.

The institutions that benefit will be those that use AI to improve triage, code review, configuration checks, exploit prediction, patch coordination, and response orchestration. The institutions that suffer will be those that treat AI-led cyber risk as a future concern while continuing to operate on old timelines.

From vulnerability count to business impact

One of the biggest traps in cybersecurity is to count everything and understand too little.

Aditya Gandhi, Vice President – Technology, Publicis Sapient India, points to the latent vulnerability problem. Many old weaknesses have been sitting inside software ecosystems for years because nobody had the time, incentive, or capability to find them. AI changes that because it can surface patterns that were previously too complex, too buried, or too costly to detect.

But the future of resilience cannot depend only on how many vulnerabilities an institution identifies. It will depend on how quickly it can identify the few exposures that can disrupt payments, digital channels, core banking services, customer access, or data integrity.

That is the shift from vulnerability management to exposure management. The priority is not every flaw. The priority is the flaw that can become a business event.

As Sharda Tickoo points out, traditional patching cycles can stretch across weeks, sometimes even months. That timeline becomes difficult to sustain in a world where Mythos-class tools can surface large numbers of vulnerabilities far faster. This is especially important in banking, where immediate patching may not always be possible. Core systems cannot always be changed overnight. Payment systems cannot be casually interrupted. Vendor fixes may take time. Regulatory processes and change windows may slow action. In such cases, compensating controls, containment, monitoring, isolation, and virtual patching become critical to resilience.
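To make the exposure-over-count argument concrete, here is an added example (not from the article or from any of the firms quoted) of a simple exposure triage. It ranks constructed findings by the business service they threaten and by exploit evidence, then recommends patching now, containing with a compensating control, or escalating when a fix has neither a control nor a near change window. The service tiers, weights, SLA and sample findings are all assumptions.

```python
"""Exposure triage over a constructed vulnerability inventory (illustrative only)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed business criticality tiers: 3 = customer-facing payment or core service,
# 2 = vendor-run support platform, 1 = internal tooling. Unknown services default to 1.
SERVICE_TIER = {"upi-gateway": 3, "mobile-banking": 3, "core-ledger": 3,
                "kyc-vendor-portal": 2, "internal-wiki": 1}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    service: str
    cvss: float                           # CVSS base score, 0.0-10.0
    exploit_available: bool               # a working exploit is known to exist
    internet_exposed: bool
    next_change_window: date              # earliest date the owning team can ship a fix
    compensating_control: Optional[str]   # e.g. WAF virtual patch, segmentation


def exposure_score(f: Finding) -> float:
    """Severity weighted by exploit evidence, reachability and business tier (assumed weights)."""
    score = f.cvss
    score *= 1.5 if f.exploit_available else 1.0
    score *= 1.3 if f.internet_exposed else 1.0
    score *= SERVICE_TIER.get(f.service, 1)
    return score


def is_urgent(f: Finding) -> bool:
    """Exploit in hand against a critical service, or against an internet-exposed tier-2 service."""
    tier = SERVICE_TIER.get(f.service, 1)
    return f.exploit_available and (tier >= 3 or (tier >= 2 and f.internet_exposed))


def recommend(f: Finding, today: date, sla_days: int = 2) -> str:
    """Pick an action given how soon the owning team can actually ship a fix."""
    days_to_window = (f.next_change_window - today).days
    if not is_urgent(f):
        return "schedule"
    if days_to_window <= sla_days:
        return "patch-now"
    if f.compensating_control:
        # The fix cannot ship in time: contain with the compensating control while it is scheduled.
        return f"contain:{f.compensating_control}"
    return "escalate:no-control-and-no-window"


def triage(findings: List[Finding], today: date) -> List[Tuple[str, float, str]]:
    """Return findings ranked by exposure, each with its recommended action."""
    ranked = sorted(findings, key=exposure_score, reverse=True)
    return [(f.finding_id, exposure_score(f), recommend(f, today)) for f in ranked]


# Constructed sample inventory; IDs, scores and services are made up for the example.
TODAY = date(2026, 1, 10)
SAMPLE = [
    Finding("F-001", "internal-wiki", 9.8, True, False, TODAY + timedelta(days=1), None),
    Finding("F-002", "upi-gateway", 7.5, True, True, TODAY + timedelta(days=21), "waf-virtual-patch"),
    Finding("F-003", "core-ledger", 8.1, True, False, TODAY + timedelta(days=1), None),
    Finding("F-004", "mobile-banking", 6.5, False, True, TODAY + timedelta(days=14), "rate-limit"),
    Finding("F-005", "kyc-vendor-portal", 9.1, True, True, TODAY + timedelta(days=45), None),
]

if __name__ == "__main__":
    for finding_id, score, action in triage(SAMPLE, TODAY):
        print(f"{finding_id}  exposure={score:6.2f}  action={action}")
```

Note that the CVSS 9.8 finding on the internal wiki ranks last, while the 7.5 on the UPI gateway ranks first and is contained with a virtual patch because its change window is three weeks away.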

The human attack surface

Mythos also sits inside a larger AI-risk environment.

Aditya Gandhi flags that AI is lowering the barrier for attackers. Generative AI tools can support phishing, social engineering, malware development, reconnaissance, and attack automation. The danger is not only that elite attackers become more powerful. It is also that less-skilled attackers gain access to capabilities that once required specialist expertise.

The human attack surface is changing too. Traditional phishing training told employees to look for poor grammar, odd phrasing, spelling mistakes, or suspicious formatting. That advice is no longer enough when AI can produce convincing, personalised, grammatically correct messages at scale.

Deepfakes add another layer. Voice and video can no longer be treated as reliable signals by default. Banks will need stronger controls around authentication, high-value transaction approval, executive impersonation risk, and privileged access. Even well-trained employees can be vulnerable when deception is personalised and delivered with precision.

As banks adopt AI agents internally, the attack surface expands again. These agents may not simply generate text or summarise documents. They may access databases, trigger workflows, call internal tools, retrieve customer information, or act across connected systems. That makes permissions, identity, and oversight critical. Prompt injection, excessive access rights, insecure tool use, weak data boundaries, and poor audit trails can quickly turn an AI productivity layer into a security risk. Agentic systems must therefore be governed like any other system with operational access: with least privilege, continuous monitoring, testing, logging, data controls, and clear accountability.

The irony is hard to miss. AI can help banks defend themselves. But every new AI workflow can also become a new path of exposure.

The boardroom question

The most important change is not technical. It is organisational.

Cybersecurity in financial services can no longer sit only inside the CISO’s office. When systems at risk include payment rails, customer deposits, lending platforms, digital identity, customer access, and transaction integrity, a breach is no longer merely a technology event. It is an operational resilience event.

The Reserve Bank of India (RBI) had already warned as far back as 2016 that the number, frequency, and impact of cyber incidents had increased, especially in the financial sector, and that banks needed a robust cyber security and resilience framework with continuous preparedness. It also emphasised detection, response, recovery, and containment, and called for board and top management awareness of cyber risk.

CERT-In’s six-hour reporting rule also points in the same direction – cyber incidents are now time-sensitive governance events, not slow-moving back-office matters.

Kishan Sundar says the line between a technology failure and a financial stability incident has collapsed. If a cyberattack freezes payments, locks customers out of accounts, or cascades across interconnected institutions, the issue moves beyond IT. It belongs in the boardroom, the risk committee, and the operational resilience framework.

Munjal Kamdar makes a similar argument. AI-driven cyber threats affect resilience, financial loss, service continuity, regulatory compliance, and customer servicing. Response teams must therefore include not only the CISO, but also other stakeholders like the CIO, CTO, CRO, CFO, and SBU leaders.

Kiran Gopinath brings the issue squarely into the boardroom. The real question is no longer only whether an institution can prevent an attack. It is whether the institution can continue to operate safely, protect trust, and serve customers when parts of its digital environment are under sustained stress or partial compromise.

That seems to be the language of financial stability.

The new measure of resilience

In the pre-AI world, many institutions measured cyber resilience through mean time to detect, mean time to respond, audit closure, vulnerability counts, and compliance status. These measures still matter. But they are no longer sufficient.

Rohan Gupta says that if Mythos-class capability compresses the window from disclosure to working exploit from weeks to hours, the right question is whether UPI throughput, settlement windows, ATM availability, or mobile banking access can continue while an active attack is being contained.

That is a different measure of resilience. It is not just about restoring IT systems after an incident. It is about maintaining trust while the institution is under pressure.

Akshay Sivananda says organisations must not only test technical recovery. They must also test the resilience of business processes. That distinction matters because a bank can restore servers and still fail customers. It can recover applications and still breach regulatory obligations. It can patch systems and still lose trust.

The new resilience test will ask harder questions. Can a bank isolate a compromised component without bringing down a critical service? Can it revoke risky access in minutes? Can it switch to fallback processes without confusion? Can it communicate clearly with customers, regulators, and partners? Can it continue operations when some part of the digital estate is suspect?

In the AI era, resilience is not a SharePoint document. It is something like a gym workout leading to muscle memory.

What banks must do next

The immediate agenda is not mysterious, but it is difficult. Based on the insights of the experts Dataquest spoke to, here is what banks need to prioritise.

First, banks must know what they have. Asset visibility, software bills of materials, dependency mapping, identity governance, API inventory, and third-party exposure management must become foundational. Without this, AI-speed defence is impossible.

Second, security must move closer to software development and change management. Every code change, API update, cloud deployment, and AI agent integration should carry security testing, exposure analysis, and approval discipline. DevSecOps cannot remain a slogan.

Third, institutions need AI-assisted defence, but with governance. AI can help triage vulnerabilities, detect exploit paths, validate patches, analyse code quality, prioritise risk, and reduce human error. But AI tools themselves must be controlled, monitored, and audited.

Fourth, banks need compensating controls for the real world. Not every vulnerability can be patched immediately. Virtual patching, segmentation, runtime protection, endpoint rules, identity restrictions, and isolation playbooks will matter.

Fifth, third-party and supply-chain risk must move from procurement paperwork to operational reality. If a vendor system, open-source library, or integration layer can affect critical services, it must be part of the institution’s resilience map.

Finally, the ownership model must change. Cyber resilience should be jointly owned by technology, risk, operations, compliance, finance, and the board. The CISO may lead the security function, but the institution owns the consequence.

The value of time

Let us go back to why N Vittal’s memory matters.

Two decades ago, Indian banking’s technology challenge was about bringing speed, transparency, and discipline into systems that were still weighed down by manual processes and exploitable delays. Computerisation was seen as the answer to one generation of institutional vulnerability.

Today, AI has exposed the vulnerability of that very digital foundation.

This does not mean the foundation has failed. It means every foundation ages. Every system accumulates assumptions. Every architecture carries yesterday’s decisions into tomorrow’s threat landscape.

Andy Grove’s paranoia was not fear for its own sake. It was a way of staying awake at the edge of change. Vittal’s philosophy of time was not about anxiety. It was about urgency, purpose, and the discipline to act before time runs out.

Financial services now need both instincts. The paranoia to see that AI has changed the cyber clock, and the discipline to use the time that remains well.

Claude Mythos may be remembered as a cybersecurity milestone, or as one more moment in the long race between attack and defence. But for banking, its deeper message is simpler. In a world where machines can find weaknesses faster than institutions can process committee notes, resilience can no longer be periodic, siloed, or ceremonial.

It has to become continuous. It has to become operational. And above all, it has to move at the speed of trust. And that TRUST is the currency now.

Originally Published in DataQuest

Article by Maveric Systems