On the 7th of April 2026, Anthropic announced Project Glasswing around the Claude Mythos Preview, a frontier model it says is capable of identifying and exploiting zero-day vulnerabilities across every major operating system and web browser. Anthropic has said Mythos has already found thousands of high- and critical-severity vulnerabilities, that it will not be made generally available, and that access is being limited to a controlled defensive programme involving major technology firms, cybersecurity vendors and a small number of additional organisations that maintain critical software infrastructure. Anthropic has also committed up to $100 million in usage credits and $4 million in donations to open-source security organisations as part of that effort.
Why do I think this is important?
Mythos is evidence that the economics of cyber offence and defence are changing, and changing fast. Anthropic’s own technical write-up says non-experts were able to obtain working remote-code-execution exploits overnight, while the UK AI Security Institute found that Mythos was the first model to complete a full 32-step simulated corporate network attack, doing so in 3 out of 10 runs and solving 73% of expert-level capture-the-flag tasks. At the same time, AISI also cautioned that its test ranges were easier than real enterprise environments because they lacked active defenders and defensive tooling.
For banks, critical infrastructure operators and governments, the implication is now that legacy has moved from being an efficiency problem to being a machine-searchable attack surface. The Bank for International Settlements has already noted that fragmented IT infrastructure and legacy systems remain the leading challenge for banks trying to build sound risk data aggregation and reporting. The Bank of England has likewise warned that operational resilience is weakened not only by firm-level weaknesses, but by interconnectedness, complexity, opacity, common vulnerabilities and dependence on shared providers.
In this new world, progressive modernisation is no longer a nice-to-have transformation agenda. It is the practical programme for staying governable when machines can inspect, chain and exploit weaknesses faster than committees can schedule another steering meeting.
So what does this mean for the banks?
Mythos and Glasswing do not just tell us something about one unreleased model. They tell us that the old world is over. The old world was that defenders could live with patch latency, fragile interfaces, duplicated data, manual controls and sprawling legacy estates because the scarcity of elite human attackers bought time.
That margin is now shrinking, and shrinking fast.
What replaces it is a new paradigm in which AI is both threat and deterrent, and in which the future core system must be thinner, more observable, more modular, more testable, easier to update and replace, and more governable than the estates many institutions still carry today.
A watershed moment, with some caveats
There is always a danger in overreacting to the headlines and an equal danger in waving them away as publicity hype, something we have often done with emerging technologies in the past.
In general, the high-confidence middle ground is now clearer than either extreme. In this case, though, I think we should keep our eye on the ball and act with an element of haste. Anthropic’s public materials, Reuters’ reporting and AISI’s independent evaluation all point in the same direction.
There is no denying that frontier models have crossed into a new class of cyber capability.
Anthropic says Mythos can autonomously identify and exploit zero-day vulnerabilities in major operating systems and browsers, including a 27-year-old bug in OpenBSD, and that expert validators agreed with the model’s severity assessment in 89% of 198 manually reviewed reports. AISI separately found substantial improvement on both isolated cyber tasks and multi-step attack simulations.
At the same time, the same sources provide good reasons for caution. AISI explicitly says it cannot conclude from its tests that Mythos would reliably compromise well-defended enterprise environments, because its ranges lacked active defenders, monitoring tools and penalties for noisy behaviour. The Guardian has also highlighted scepticism from some observers about the scale of Anthropic’s claims and whether selective disclosure by a model vendor can ever be entirely disentangled from strategic positioning.
I am sure you would agree that those are fair objections.
But they do not cancel the significance of the model.
They simply stop us from making lazy claims that the machine can now effortlessly break any bank on demand.
Maybe the most interesting part of the official record is not actually the most sensational. It is the deployment model. Project Glasswing is not a public launch. It is a gated security coalition. Anthropic says launch partners include Amazon Web Services, Apple, Microsoft, CrowdStrike, Palo Alto Networks and JPMorgan Chase, alongside others, with another 40-plus infrastructure-maintaining organisations receiving access. Anthropic says it does not plan to make Mythos generally available and instead wants to learn from a defensive preview, while testing safeguards on less capable models such as Opus 4.7.
I would say that is not the behaviour of a company treating the model as just another product release. It is the behaviour of a company that believes cyber capability has become deployment-gating.
That said, the governance picture is already getting messy. Reuters reported on 21 April that unauthorised users had apparently gained access to Mythos through a third-party vendor environment. Even if the reported misuse was not for offensive cyber purposes, the episode is revealing. If the core question is whether the institutions building and distributing powerful models can reliably contain them, then “restricted release” is not a control in itself. It is merely the start of a control stack. And that control stack must extend across vendors, access management, environment segregation, monitoring, logging, legal controls and incident response.
Table: What Mythos appears to change

| Signal | What the evidence shows | What it does not yet prove | Strategic meaning |
|---|---|---|---|
| Vulnerability discovery | Anthropic says Mythos found thousands of high- and critical-severity vulnerabilities; AISI found strong performance on expert cyber tasks | That all findings would survive production-grade validation at scale | Vulnerability discovery is moving from scarce expert craft to machine-scale search |
| Exploit development | Anthropic says Mythos wrote sophisticated exploits, sometimes fully autonomously, and enabled non-experts to generate working exploits overnight | That it can reliably defeat hardened enterprise environments without operator support | The time between bug discovery and weaponisation is compressing |
| Multi-step attack capability | AISI found Mythos completed a 32-step corporate attack simulation end-to-end in 3/10 runs | That it can reproduce this against active defenders in live environments | Cyber risk is shifting from isolated tricks to longer attack chains |
| Defensive value | Project Glasswing is explicitly structured as a defensive coalition to find and fix weaknesses in critical software | That defenders will adopt quickly enough to offset diffusion of similar capability elsewhere | AI is becoming an infrastructure defence tool, not just a productivity tool |
| Deployment stance | Anthropic restricted access and is testing safeguards on less capable models before broad release | That containment and safeguard methods are already mature | Security now constrains go-to-market for frontier models |
The table above synthesises Anthropic’s official materials, AISI’s evaluation and Reuters’ reporting.
The new paradigm where AI is both burglar and guard dog
For years, most boardroom conversations about AI in cyber were still basically automation conversations.
Slightly smarter phishing detection.
Slightly faster triage.
Slightly better anomaly spotting.
Mythos suggests we are moving from AI as a support tool to AI as an operational actor in the security contest itself. In Anthropic’s language, frontier models have reached the level where they can surpass all but the most skilled humans at finding and exploiting vulnerabilities. In reality, the window between discovery and exploitation has collapsed from months to minutes.
That is the new paradigm in one sentence. The same system class that helps a defender scan code bases, reason across dependencies, black-box test binaries and harden endpoints also reduces the labour, time and specialist knowledge needed to mount an attack. AI does not repeal the old truths of cyber.
Identity still matters.
Segmentation still matters.
Patching still matters.
But it changes the gradient. It makes weakness cheaper to find, easier to chain and faster to operationalise. The result is a world in which weakly defended legacy estates stop being merely inconvenient and start becoming economically irresistible targets.
The defensive side of this story is just as important, and it is where too many reactions become one-eyed. Anthropic’s whole rationale for Glasswing is that these models can be turned towards critical software defence before similar capabilities proliferate more widely. AISI and the National Cyber Security Centre have made the same point. In the open letter from UK ministers to business leaders on 15 April 2026, the message was blunt. AI cyber capabilities are accelerating, but the practical response remains disciplined governance and getting the basics right. In other words, there is no shortcut. The machine helps, but it does not absolve.
The real strategic implication is that security now needs the same progressive modernisation logic that banking transformation has needed for years. The future core is not simply cloud-native. It is AI-aware. It is instrumented for policy enforcement, software provenance, identity-rich access control, machine-readable logging and continuous testing.
If attackers can use increasingly autonomous systems to explore your estate, your estate must become easier to observe, isolate, patch, fail over and prove secure. Black boxes are becoming too expensive to keep.
The relationship that matters is no longer just “bank buys AI” or “regulator supervises bank”. It is now a denser network of dependencies involving model providers, cloud providers, software suppliers, open-source components, legacy infrastructure, regulators and incident responders.
Why legacy has become the weak flank
The easiest mistake to make here is to talk about “legacy” as though it only means old mainframes.
It does not.
Legacy is any technology estate whose control model no longer matches the speed, complexity and threat profile of the environment around it. That can include a 30-year-old core platform. It can also include a six-week-old digital stack built with poor observability, weak asset inventory, brittle middleware, over-privileged service accounts and a procurement trail no one can properly reconstruct.
I often tell banking executives that your legacy is anything you have put in production, even if it was yesterday.
The point is not age.
The point is governability.
What Mythos exposes so sharply is that governability has become a security property. The BIS said in 2023 that fragmented IT infrastructure and legacy systems remained the leading challenge for sound risk data aggregation and reporting in banks. The Bank of England has since argued that operational resilience at system level is undermined by interconnectedness, complexity, opacity, concentration and common vulnerabilities. The European Central Bank has made the same wider point from a financial-stability angle, warning that cyberattacks can affect the financial system through operational, financial and confidence channels, especially when critical providers or infrastructures are disrupted.
Seen through that lens, Mythos is not really a story about an AI model at all.
It is a story about old floorboards meeting a new pressure test.
Anthropic says Mythos found vulnerabilities that had been sitting unnoticed for decades. That should sober anyone who still thinks a patch-heavy, exception-rich estate can be left to muddle through because it has “worked so far”. What worked so far was the old attack economics. That is the thing that is changing.
What progressive modernisation now means
If Mythos is the accelerant, progressive modernisation is still the firebreak. The answer is not a panicked call to replace everything at once, because big-bang fear rarely produces anything except fresh wreckage. The answer is to modernise with the discipline of a security programme, not the vanity of a kitchen showroom refit.
Progress beats perfection.
Pragmatism beats panic.
And in this new environment, those are defensive doctrine.
1. The first shift is architectural. Institutions need a thinner, clearer core and stronger seams around it. The money-moving heart of the organisation should be made smaller, more deterministic and easier to observe, not buried under custom logic and decades of side effects. Around that core, channels, orchestration, AI services, fraud tools, onboarding, payments adapters and partner capabilities should connect through governed interfaces with strong logging and identity. None of the official sources use the phrase “thin core”, but DORA’s focus on ICT risk management and third-party oversight, the Bank of England’s focus on operational resilience, and NIST’s secure software guidance all point towards the same practical conclusion: systems that cannot be cleanly seen, segmented and evidenced will become hard to defend.
2. The second shift is operational. Security can no longer be periodic. If capabilities are continuing to improve with more inference compute, and frontier model cyber capabilities are doubling faster than previously envisaged, then annual assurance cycles are simply too slow. Vulnerability discovery, asset inventory, attack-path analysis, privileged-access review and evidence collection need to become closer to continuous functions.
That does not mean removing humans.
It means moving humans up a level, from manually checking endless lists to governing the machines that do the checking.
3. The third shift is governance. The Bank of England told Parliament in April 2026 that firms remain accountable for AI use under existing rules and that systemic attention should focus on four channels: AI in banks’ and insurers’ core decision-making, AI in financial markets, operational risk from AI service providers, and changing external cyber risk. That is a useful framing because it drags AI governance out of the innovation lab and into the centre of the enterprise. The board now needs a joined-up view across architecture, model risk, cyber, outsourcing, resilience and business continuity. If those conversations remain split between separate silos, the estate will modernise in fragments and fail in aggregate.
So what is the bank after Mythos?
Mythos does not make the argument for progressive modernisation obsolete. It sharpens it. What Anthropic’s disclosures and the early reaction from supervisors show is that AI has started to change the economics of both cyber offence and cyber defence. When that happens, complexity, opacity, slow patch cycles, fragmented data and brittle integration stop being merely expensive. They become liabilities that machines can search, reason across and exploit at scale.
The partner model changes next
If the third shift is governance, the fourth is the partner model. The most revealing thing about Project Glasswing is not just what Mythos can do. It is how Anthropic has chosen to deploy it. As already mentioned, access has been limited to a defensive coalition and to a small group of organisations that build or maintain critical software infrastructure, with Anthropic saying it does not plan to make Mythos generally available.
To me, that looks more like risk-gated deployment than the ordinary product distribution we have seen with past models.
As we already know, unauthorised users gained access through a third-party vendor environment, which makes clear that in the AI era the partner chain is no longer a side issue. It is part of the critical control stack.
Supervisors have identified operational risk from AI service providers as one of the main channels of AI-related financial stability risk, alongside banks’ and insurers’ core decision-making and the changing cyber threat environment. Meanwhile, the European Insurance and Occupational Pensions Authority explains that DORA’s oversight regime is meant to address the systemic and concentration risks arising from the financial sector’s reliance on a limited number of critical ICT providers.
In other words, your partner strategy must now be part of your core strategy. Who hosts your models, who brokers access, who owns the logs, who controls the egress, who can see the prompts, who can update the guardrails, and who can revoke access have become board-level design choices.
That should change the focus of every bank conversation about ecosystem strategy. For years, some institutions treated partnerships as a growth topic, a distribution topic, or a speed-to-market topic. They still are those things, but no longer only those things. In a world where a restricted frontier cyber model can leak through a vendor environment, and where regulators are already worrying about AI service-provider dependency, your partner estate is part of your operating resilience posture.
Best of breed is not dead
This is where I would push back against the lazy conclusion that best-of-breed ISVs are finished. They are not. What is dying is the older, much sloppier version of that idea, the one that says a bank can simply pick the nicest product in each box, stitch the boxes together, and assume the architecture will somehow take care of itself. The Bank for International Settlements has already warned that banks’ legacy IT may not be adaptable enough for new technology, that integrating new tools with legacy can add fresh layers of complexity, and that vendor lock-in and lack of transparency in proprietary technology or models are real risks. That is the real problem with old-style best of breed. It often bought product quality at the price of estate complexity.
My view is not that the ISVs disappear.
It is that the weak middle gets squeezed.
When frontier model capability is advancing this quickly, with AISI reporting that the length of cyber tasks models can complete unassisted is doubling roughly every eight months, categories built on shallow workflow logic, brittle point integration, or cosmetic interface value start to look exposed. At the same time, supervisors are turning their attention to opacity, concentration and third-party dependency rather than just feature lists. In that environment, providers with thin differentiation will struggle, while specialist providers with genuine domain depth, open architecture, strong evidence trails and clean control models should remain valuable.
So, from my perspective, best of breed survives, but the bar changes.
In the Glasswing era, “best” no longer means the prettiest demo or the broadest sales deck. It means a provider that can fit inside a governed operating model. It means clear APIs and event hooks, explainable decisioning, upgradeable platforms, good model governance, good software-development discipline, and a commercial structure that does not leave the bank trapped inside someone else’s opaque stack. The National Institute of Standards and Technology describes secure software development as something that has to be integrated into the SDLC rather than tacked on later, and DORA adds a regulatory lens on resilience and oversight of critical external providers. Put those together and the shape of the winner becomes clearer.
The future belongs to composable capability providers, not to closed mini-monoliths with an AI badge glued on the front.
We should all be getting tired of hearing “AI enabled” or “AI at the core”.
That also means the build, buy or consume question that I discuss at length in my book gets harder, not easier.
In an AI-accelerated market, what looks generic today may become strategically important tomorrow, while what feels unique now may be automated into commodity surprisingly quickly. That is precisely why banks need discipline.
Build where the capability genuinely defines the proposition.
Buy where maturity, safety and standardisation matter more than invention.
Consume where external specialists are structurally better.
But do not confuse a row of vendor logos with an architecture. It is still possible to buy your way into a shiny new legacy stack, just faster than before.
The future bank is not one giant model
The seductive mistake here is to imagine the bank of the future as one giant AGI brain humming away in the basement, improvising credit, payments, reconciliation and customer service from a single foundation model.
That is neat in theory and reckless in practice.
The Bank of England’s Financial Policy Committee has been explicit that there is still little evidence of the financial system using more advanced AI in ways that would present systemic risk today, and one reason is firms’ own concern that advanced systems still lack enough interpretability and predictability for core financial decisions. The same committee also noted that agentic AI could create risks across several channels at once, from payments to markets to operational dependencies.
Regulators are not saying “do not use AI.”
They are saying, in effect, “do not let probabilistic systems become ungoverned sources of financial truth.”
That is why I do not think the future platform of a bank will be a layered AI model in the sense most people mean it.
It will be a banking platform with AI layered across it, sometimes deeply, but still anchored by deterministic systems of record, controlled write authority, evidence, and explainable financial state.
The outer layers can become increasingly intelligent.
Customer engagement will become conversational and agentic.
Service workflows will also become agentic.
Fraud, security, operations, coding, testing and controls will all become heavily assisted by models.
But the centre still needs to know what happened, when, why, under which rule, and who or what was authorised to make it happen.
As such, AI will become the bank’s nervous system, not a substitute for its spine. It should help the bank see more, reason faster, route work better, test more thoroughly, spot control failures earlier and take bounded action where the rules are clear. But it should not be allowed to turn postings, contractual commitments or regulatory evidence into vibes. The less interpretable and less predictable the model, the more important the deterministic centre becomes. Far from making the thin-core argument redundant, that is its strongest justification yet.
What an AI-native banking platform actually looks like
If you strip away the hype, the architecture that makes sense is not magic or mysterious. At the centre sits a compact financial substrate, the place where accounts, agreements, balances, state transitions and postings are recorded with clear responsibility. Around that sits a mesh of domain platforms and service capabilities for onboarding, payments, fraud, KYC, AML, servicing, collections, CRM, reporting, document handling and so on. Across the estate sits an API and event fabric, because a bank that cannot expose clean commands and publish trustworthy events will not be able to support either ecosystem participation or safe agentic behaviour. Above that sits the AI layer, the reasoning, orchestration, copilots, agents, test automation, code generation, vulnerability discovery, service assistance and decision support. Around all of it sits the control plane, identity, logging, software provenance, model governance, vendor oversight, operational resilience and audit evidence.
In a house, you do not pour the concrete slab out of machine learning and then hope the wiring figures itself out. You pour the slab, put the beams where they belong, run the wiring cleanly, label the fuse box, and then add the smart layer on top if it actually improves life. Banking is no different. AI can become the thermostat, the alarm system, the lighting control, the camera network and a very competent assistant who notices the leak early. But it should not become the floor joists. The bank that gets this right will not look less modern. It will look more adult.
I am not saying AI has no place near the core. It absolutely does. AI can enrich it, observe it, test it, protect it and help orchestrate what happens around it. But at the centre of a bank, where money moves and obligations are created, the system must remain deterministic, factual and explainable. The core cannot hallucinate.
What leaders should do before the market does it for them
Name your systems of record and your write authorities. If a bank cannot say clearly where customer truth lives, where product truth lives, where balance-affecting truth lives, and which interfaces are allowed to write to each, then it is not ready for agentic AI. It is barely ready for Tuesday.
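As an added illustration of the write-authority point above (this is not code from the original post, nor from any vendor or regulator it names): a small deterministic ledger core in which an AI agent can only propose postings, every proposal is checked against named rules before anything is written, and each decision is kept as explainable evidence. The principal names, accounts, rule ids and the agent limit are assumptions constructed here.

```python
"""Added example, not from the original post or any vendor named in it: a
deterministic ledger core that keeps write authority explicit, validates every
proposed posting against named rules, and records each decision as audit
evidence. Principal names, accounts, rule ids and the agent limit are all
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal


@dataclass(frozen=True)
class Proposal:
    """A posting that someone (a human or an AI agent) asks the core to record."""
    from_account: str
    to_account: str
    amount: Decimal
    reference: str
    proposed_by: str  # who originated the request, e.g. an AI agent


@dataclass(frozen=True)
class Decision:
    """Explainable outcome: which rule decided, for which caller, and when."""
    accepted: bool
    rule: str
    caller: str
    proposal: Proposal
    recorded_at: str


class LedgerCore:
    # Constructed policy: only the payments service holds write authority;
    # an agent may propose postings but may never write to the ledger directly.
    WRITE_AUTHORITY = frozenset({"payments-service"})
    AGENT_PRINCIPALS = frozenset({"assistant-agent"})
    AGENT_LIMIT = Decimal("250.00")  # bounded action for AI-originated proposals

    def __init__(self, opening_balances: dict):
        self.balances = dict(opening_balances)
        self.evidence = []  # every decision, accepted or not, in order

    def _rule_violated(self, caller: str, p: Proposal):
        """Return the first rule the proposal breaks, or None if all pass."""
        if caller not in self.WRITE_AUTHORITY:
            return "WA-01 caller lacks write authority"
        if p.from_account not in self.balances or p.to_account not in self.balances:
            return "WA-02 unknown account"
        if p.amount <= 0:
            return "WA-03 amount must be positive"
        if p.proposed_by in self.AGENT_PRINCIPALS and p.amount > self.AGENT_LIMIT:
            return "WA-04 agent proposal exceeds bounded-action limit"
        if self.balances[p.from_account] < p.amount:
            return "WA-05 insufficient funds"
        return None

    def submit(self, caller: str, p: Proposal) -> Decision:
        """Apply the posting only if every rule passes; record the decision either way."""
        violated = self._rule_violated(caller, p)
        if violated is None:
            self.balances[p.from_account] -= p.amount
            self.balances[p.to_account] += p.amount
        rule = violated or "OK all write-authority rules satisfied"
        decision = Decision(violated is None, rule, caller, p,
                            datetime.now(timezone.utc).isoformat())
        self.evidence.append(decision)
        return decision

    def explain(self, reference: str) -> list:
        """Audit view: every decision the core took for a given reference."""
        return [d for d in self.evidence if d.proposal.reference == reference]

    def total_money(self) -> Decimal:
        """Invariant: postings move money between accounts, never create or destroy it."""
        return sum(self.balances.values(), Decimal("0"))


def demo() -> LedgerCore:
    """Constructed scenario: the agent first tries to write directly, then routes
    proposals through the payments service, one inside and one outside its limit."""
    core = LedgerCore({"cust-001": Decimal("500.00"), "merchant-9": Decimal("0.00")})
    small = Proposal("cust-001", "merchant-9", Decimal("200.00"), "ref-1", "assistant-agent")
    core.submit("assistant-agent", small)   # rejected by WA-01: no write authority
    core.submit("payments-service", small)  # accepted: 300.00 / 200.00 remain
    big = Proposal("cust-001", "merchant-9", Decimal("400.00"), "ref-2", "assistant-agent")
    core.submit("payments-service", big)    # rejected by WA-04: over the agent limit
    human = Proposal("cust-001", "merchant-9", Decimal("400.00"), "ref-3", "ops-user")
    core.submit("payments-service", human)  # rejected by WA-05: only 300.00 left
    return core
```

The evidence list is what an auditor or supervisor reads: every refusal names the rule that fired, and the balance invariant in total_money() is what a probabilistic layer must never be able to break.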
Re-run your vendor strategy with harsher criteria. Ask not just whether a provider has features, but whether it can be operated safely in an AI-rich bank. Can it expose events cleanly? Can it support evidence and provenance? Can it be upgraded without archaeology? Does it create concentration or lock-in risk? Can its own AI be governed?
Shorten your security and assurance loops now. Anthropic’s own security research and AISI’s evaluations both suggest the window between discovery and exploitation is compressing. That means better asset inventory, faster patching, stronger identity control, fuller logging, better segmentation, rehearsed response, and active use of current frontier models for defensive work before more capable ones become commonplace.
Treat secure software and modernisation as one programme. NIST’s SSDF is useful here because it frames secure development as an organisational capability, not a scanner bolted on at the end. In banking terms, that means modernisation choices should be judged partly by whether they reduce the volume of manual triage, hidden dependencies, one-off custom code and opaque operational workarounds. If the new stack is just the old stack with better branding, you have not modernised. You have redecorated the leak.
Move AI governance out of the innovation sandbox and into enterprise management. My message is that AI touches core decision-making, markets, service-provider risk and cyber risk. This should be seen as one management problem viewed from different angles. The banks that cope best will be the ones where architecture, cyber, model risk, procurement, operations and business leadership are looking at the same estate map, not arguing over different slices of it.
Why this is the moment to rip out the core
What makes Mythos and Glasswing so useful for this argument is that they shift the conversation from abstract digital ambition to hard, current pressure. This is a frontier model that Anthropic says can find and exploit high-severity vulnerabilities at scale, that AISI says materially improves on prior frontier cyber capability, and that has already triggered a scramble among banks and supervisors to understand the implications. It has also exposed the awkward truth that even restricted release does not settle the question of control. That is why the old world is over. The old world said banks could live with legacy drag, patch latency and integration sprawl because the attack side still relied on the scarcity of elite human labour. That bargain looks weaker by the month.
That is also why this is such a strong moment for Rip Out the Core.
My book is not selling fantasy.
It is not promising that one vendor, one platform or one big-bang programme will save the day.
It is offering something much more credible and, in this market, much more valuable.
It gives a practical way to think about modernising a bank progressively, capability by capability, while keeping the institution running, choosing partners with intent, shrinking the core to what really belongs there, and preparing the bank for a platform future rather than another generation of duct tape. In the Mythos era, that stops sounding like transformation theory and starts sounding like operational common sense.
So no, the book’s core message is not dead. It is early. The sharper version of the argument now goes like this: AI will not remove the need for platforms, partner ecosystems or disciplined architecture. It will make all three more important. Platforms without AI will feel slow. AI without platforms will be dangerous. Legacy without either will become indefensible. That is the real reason to stop mopping the floor, fix the leak, and rip out the core.