AI firm Anthropic has said it will brief leading finance ministries and central banks on vulnerabilities in the global financial system’s cyber defences identified by its Mythos Preview Model. It follows a request from Andrew Bailey, the governor of the Bank of England, for more details about Mythos’s capabilities for members of the Financial Stability Board, which Bailey chairs.
The development demonstrates bankers’ fears that fast-moving AI-driven cyber risks could destabilise the financial system if not managed carefully. But it is not just financial system leaders who have reason to worry: AI models such as Mythos have stepped up current cyberattack methods and the challenges that result from them.
The reality is that state-sponsored actors and tools such as Mythos have industrialised the attack life cycle, compressing weeks of tradecraft into seconds. One of the pertinent questions posed to organisations attending the recent Converge event in London, UK, held by cybersecurity specialist Tanium, was: “Is your security posture built for yesterday’s threat landscape or today’s?” The question matters because, although attackers are operating at machine speed, defenders are still largely operating with human-speed bureaucracy. And the attackers have the advantage because vulnerabilities are discovered and exploited faster than they are patched and remediated.
The end of ‘Patch Tuesday’
One likely outcome of Mythos is a significant change in software patching regimes. The model of vulnerability management, which emerged from IT service management cycles – first quarterly and then monthly – is probably now broken. We will see new patching regimes being developed, including so-called ‘always-on’ automated patching. Tanium’s description for this fast-moving world is “autonomous IT”, led by real-time intelligence from endpoints.
The move towards what have also been labelled Frontier AI models defines a new regime of intelligent, capable AI systems that can, as another vendor, CrowdStrike, puts it, “reason across complex tasks, analyse software, identify vulnerabilities, accelerate exploit development, and support increasingly sophisticated security workflows.” In this world of Frontier AI, as vulnerabilities are discovered and exploited on shorter timelines, traditional security approaches that were built on periodic assessments, severity scores, and human-paced response will be less effective.
What defenders will need, CrowdStrike argues, is a new model centred on exploitability, continuous validation of exposure, stronger prevention, cross-domain visibility, decisive response, and governed use of AI. Such a shift also changes what defenders need to do. The challenge is no longer about finding vulnerabilities faster than adversaries. It is about deciding which weaknesses are ‘truly exploitable’, reducing the conditions that turn them into real risk and responding as quickly as attackers can move.
The gap between security disclosure and exploitation
A chart from the site ‘zerodayclock.com’ shows the gap between a security disclosure and its exploitation. In 2018, the median time from a vulnerability being disclosed to the first observed exploit was 771 days. In other words, organisations really had over two years to patch. But by 2023, the exploit window was down to six days. And by 2024, it had dropped to just four hours. By 2025, the majority of exploited vulnerabilities were actually weaponised before they were publicly disclosed.
As ‘zerodayclock.com’ explains, the problem now is that whenever a software vendor releases a security patch, AI can quickly reverse-engineer the patch. In so doing, it can identify the vulnerability it fixes and then generate a working weaponised exploit in minutes. Attacks can begin propagating across the world within hours. But defender organisations need an average of 20 days to test and deploy that same patch. So, as the site puts it, “The act of fixing a vulnerability now accelerates its exploitation. The defence creates the offence. And the offence arrives weeks before the defence can finish deploying.”
How security leaders can make a difference
Given this changed landscape, what chief information security officers (CISOs) and chief information officers (CIOs) must do now is to understand the human imperative. The technology clearly exists. What will define the difference between fast movers and those acting like a deer in the headlights is leadership, culture, and a willingness to act. Tanium has suggested there are two core takeaways for organisations. Firstly, acknowledge that the threat has fundamentally changed and determine your own speed of relevance. Then, secondly, go and do something about it. Don’t just nod along. Take a swing.

