Mythos and the rise of AI-driven cyber threats under DORA
Anthropic's newly announced AI model 'Mythos' offers a glimpse of a future in which AI can uncover thousands of security vulnerabilities faster than any human team can fix them. For European financial institutions operating under DORA, that introduces a new class of AI-driven cyber risk.
A new age of AI-driven cyber threats
In April 2026, AI developer Anthropic announced the start of Project Glasswing: a pilot programme designed to prepare participating companies for the arrival of Anthropic's new AI model 'Mythos'. According to the developer, the Mythos Preview model has already discovered thousands of 'high-severity vulnerabilities' in virtually every major operating system and web browser.
If these claims hold, AI-driven cyber threats would present an unprecedented risk to the financial sector, potentially enabling malicious actors to rapidly identify and exploit security vulnerabilities in the software systems of banks and other financial undertakings. Among the companies that received pilot access to Project Glasswing are several major US banks. Jamie Dimon, CEO of JPMorgan, has already said that Mythos identified several vulnerabilities that need to be addressed.
The debate has inevitably extended to European actors. The Mythos model, described as too risky to release to the public, sent shockwaves through the Spring Meetings of the International Monetary Fund and the World Bank. Andrew Bailey, governor of the Bank of England and chair of the Financial Stability Board of global regulators, called it 'a very serious challenge for us all', and European Central Bank President Christine Lagarde warned that, should this technology fall into the wrong hands, the consequences could be 'really bad'.
The current state of AI-driven cyber resilience in the European Union
On 17 January 2025, the EU Digital Operational Resilience Act (DORA) became applicable. It creates a single regime for ICT risk management across the European Union financial sector. The recitals stress the importance of cyber resilience because of the interconnectedness of European financial entities: a localised ICT breach does not merely affect one financial entity in isolation, but can propagate across the broader financial ecosystem and threaten the stability and integrity of the Union's financial system as a whole.
DORA requires financial entities to identify all sources of ICT risk, not only in relation to their own business functions but also in relation to their risk exposure to and from other financial entities. Article 13 DORA further requires firms to have the capabilities and staff in place to gather information on vulnerabilities, cyber threats and ICT-related incidents (in particular cyberattacks) and to analyse their likely impact on operational resilience. The same article requires financial entities to monitor technological developments on a continuous basis and to keep their ICT risk management processes up to date so that they can counter the latest forms of cyberattack.
The rise of AI-driven cyber threats is precisely such a development, and financial undertakings must arm themselves against it. Not only must they update their governance arrangements to cover these new risks under DORA, but they must also address them in their management of third-party risk. For example, where ICT services supporting critical or important functions have been outsourced, financial entities need to ensure that the contracts with those third parties contain adequate security measures, tools and policies that provide an appropriate level of security for the provision of the services.
'One size fits all' security may become obsolete
As AI-generated threats become increasingly capable of designing company-specific exploits, detection capabilities built to catch known, widely reused attack patterns may become less effective, since a bespoke exploit does not match an existing signature. Given the DORA obligation to have mechanisms in place to promptly detect anomalous activities, financial entities will need to closely monitor the developments around Mythos and other AI systems capable of threatening their security controls.
Alongside the announcement, Anthropic also released a list of suggestions for companies seeking to defend their systems against the expected rise in AI-driven threats. For example, it advises companies to review their vulnerability disclosure policies to make sure they account for 'the scale of bugs that language models may soon reveal'.
Anthropic further notes that the increase in vulnerability discovery will likely be accompanied by a rise in security incidents. The company warns that most incident response programmes are not adequately staffed to handle the expected volume of incidents and therefore advises companies to automate their incident response pipelines. As a result, companies may need to fundamentally review their implementation of Articles 10 (Detection) and 11 (Response and recovery) of DORA: AI-generated exploits may soon no longer be adequately addressed by traditional cybersecurity tooling alone and may require AI-assisted detection mechanisms.
To prepare companies for the latest cyber threats, Article 26 of DORA requires the financial entities identified for this purpose to carry out, at least every three years, a simulation by means of 'threat-led penetration testing' (TLPT), which mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat. With new threats like Mythos, using an AI model to autonomously chain vulnerabilities within a system may soon need to be part of the threat scenarios such tests cover.
For a full overview of the suggestions made by Anthropic, follow this link.
Outlook
Anthropic expects 'a difficult time' ahead. According to the company, we have entered a trajectory that may lead to a rapid increase in detected vulnerabilities until software has been hardened, ironically in large part through code written by these same models.
François-Louis Michaud, head of the European Banking Authority (EBA), has already responded by saying that the risks and opportunities arising from the new technology are among the EBA's top priorities. Further guidance from European regulators is therefore only a matter of time. Financial undertakings would do well to get ahead of it by proactively revisiting their DORA governance, incident reporting arrangements and third-party risk framework.