Banks face a cyber reckoning. Artificial intelligence now spots software flaws faster than ever. Attackers exploit them quicker still. Executives at major institutions know this all too well. The “patch gap”—that delay between discovering a vulnerability and fixing it everywhere—has shrunk to minutes. And it’s keeping C-suites awake.
This isn’t theory. Yahoo Finance detailed how AI tools like Anthropic’s Claude Mythos Preview identify unknown vulnerabilities at scale. Security teams celebrate. Hackers do too. Once a patch drops, it hands attackers a blueprint. They reverse-engineer the fix. Strike unpatched systems. Banks, with vast legacy codebases, struggle to keep up.
CrowdStrike’s data paints the picture starkly. Attacks by AI-enabled adversaries jumped 89% in 2025 versus 2024, per their 2026 Global Threat Report. The average time from initial access to malicious action? Just 29 minutes. eCrime actors hit that mark even faster—down to 27 seconds in extremes. Banks aren’t just targets. They’re systemic linchpins. A breach here ripples outward.
Regulators get it. Treasury Secretary Scott Bessent and Fed Chair Jerome Powell summoned CEOs from Citigroup, Morgan Stanley, Bank of America, Wells Fargo, and Goldman Sachs to Treasury headquarters. JPMorgan’s Jamie Dimon got the invite too, though he skipped it. The message: Anthropic’s Mythos changes everything. As Adaptive Security reported, this wasn’t optional. Banks must harden defenses now.
Claude Mythos: Defender or Double-Edged Sword?
Anthropic didn’t build Mythos for hacking. It emerged anyway. The model autonomously finds zero-days in every major OS and browser, per their red team blog. It writes exploits. Chains them. Project Glasswing limits access to 40 partners—Apple, Google, Nvidia, even JPMorgan—to patch ahead of threats. No public release. Yet.
But warnings spread globally. UK finance leaders sounded alarms as banks prepped for access, according to The Guardian. Bank of England Governor Andrew Bailey flagged major risks. Barclays CEO C.S. Venkatakrishnan called it a systemic threat. Japan’s Financial Services Agency meets MUFG, SMFG, Mizuho, and the Bank of Japan over Mythos fallout, as Reuters noted. ECB plans similar talks.
Why banks first? Legacy systems. Sprawling networks. Shared providers. One unpatched flaw cascades. Customers face fraud spikes, outages, frozen accounts. Institutions brace for breaches that could topple markets.
AI accelerates both sides. Defenders use Mythos to hunt bugs. Attackers mimic it—or grab leaked access. Reports of unauthorized Mythos use surfaced already, via Bloomberg. A contractor spilled to a private forum. The patch gap? It turns fixes into maps. Seal Security’s research shows 94% of CVEs have public fix commits pre-advisory—median 11 days, 30 for criticals, per their release.
Closing the Gap: Banks Race to Adapt
Banks can’t patch manually anymore. Tenable urges prioritizing CISA’s KEV catalog, then EPSS scores, and automating everything, as in their blog. CrowdStrike pushes AI-native platforms for machine-speed response. But legacy code lingers. Testing takes days. Deployment? Weeks.
And the numbers worsen. Tenable tracks 201 actively exploited CVEs outside KEV. Google sped Chrome to biweekly milestones to shrink windows. Still not enough. AI floods the pipeline with thousands of flaws yearly.
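Added example, not from the article or from Tenable: the KEV-first, then-EPSS ordering described above as a small Python triage script, including the case of an exploited-looking CVE that is not in KEV. The CVE ids, asset names, tier names and the 0.10 EPSS threshold are constructed placeholders; the input shapes follow CISA's KEV JSON feed (`cveID`, `dueDate`) and FIRST's EPSS CSV (`cve,epss,percentile`).

```python
import csv, io, json

# Constructed sample inputs; CVE ids are placeholders, not real advisories.
KEV_JSON = '''{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dateAdded": "2026-01-10", "dueDate": "2026-01-31"},
  {"cveID": "CVE-0000-0002", "dateAdded": "2026-01-05", "dueDate": "2026-01-26"}]}'''
EPSS_CSV = '''#model_version:example,score_date:2026-01-12
cve,epss,percentile
CVE-0000-0001,0.12,0.93
CVE-0000-0002,0.91,0.99
CVE-0000-0003,0.88,0.99
CVE-0000-0004,0.002,0.40
'''
# Scanner findings as (asset, CVE); CVE-0000-0005 has no EPSS score yet.
FINDINGS = [("core-ledger", "CVE-0000-0004"), ("web-gw", "CVE-0000-0003"),
            ("atm-mgmt", "CVE-0000-0001"), ("web-gw", "CVE-0000-0002"),
            ("hr-portal", "CVE-0000-0005")]
TIER_ORDER = {"kev": 0, "epss-high": 1, "unscored": 2, "backlog": 3}  # hypothetical tiers

def load_kev(text):
    """Map CVE id -> remediation due date from a KEV-style JSON document."""
    return {v["cveID"]: v["dueDate"] for v in json.loads(text)["vulnerabilities"]}

def load_epss(text):
    """Map CVE id -> EPSS probability, skipping the '#' metadata line."""
    rows = (line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}

def patch_queue(findings, kev, epss, epss_floor=0.10):
    """Order findings: KEV first (earliest due date), then EPSS descending."""
    queue = []
    for asset, cve in findings:
        score = epss.get(cve)  # None means the CVE has not been scored
        if cve in kev:
            tier = "kev"
        elif score is None:
            tier = "unscored"  # unknown risk is reviewed before the low-score backlog
        else:
            tier = "epss-high" if score >= epss_floor else "backlog"
        queue.append({"asset": asset, "cve": cve, "tier": tier,
                      "epss": score, "due": kev.get(cve)})
    queue.sort(key=lambda f: (TIER_ORDER[f["tier"]], f["due"] or "", -(f["epss"] or 0.0)))
    return queue

if __name__ == "__main__":
    for f in patch_queue(FINDINGS, load_kev(KEV_JSON), load_epss(EPSS_CSV)):
        print(f"{f['tier']:10} {f['cve']} {f['asset']:12} epss={f['epss']} due={f['due']}")
```

CVE-0000-0003 is absent from the KEV sample but scores 0.88, so it lands directly behind the KEV entries rather than in the backlog.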
Executives sweat specifics. Dimon wrote in JPMorgan’s letter: cybersecurity tops risks; AI amplifies it. Bailey: central banks must grasp implications fast. Champagne at IMF: an ‘unknown unknown.’
So banks pivot. Partner with Glasswing. Build AI defenses. But attackers evolve too. 82% of 2025 detections were malware-free: credential abuse, trusted paths. AI sharpens that.
The gap narrows. Boards demand answers. Patch or perish. Banks that automate win. Laggards? Exposed. This cyber arms race just armed both sides equally. Finance hangs in the balance.


WebProNews is an iEntry Publication