Analysts Say Mythos Is Not the Threat. Banking's Legacy Debt Is.

Banking has operated on a manageable assumption for decades. Legacy systems are complex, difficult to attack, and expensive to replace, so the risk of not replacing them has been treated as acceptable. Mythos has broken that assumption.
Anthropic's Mythos Preview is a cybersecurity AI model designed to find decades-old vulnerabilities in web browsers, infrastructure, and software.
In internal testing, when directed to develop working exploits against the flaws it had identified, it succeeded on the first attempt in more than 83% of cases. What it found in banking, and what analysts are now saying about the sector's exposure, is what matters most for BFSI.
Bain and Company published the most detailed analyst treatment of Mythos and its BFSI implications in April 2026, authored by partners Frank Ford, Andrew Cousins, Syed Ali, and Alexandra Juegelt.
Their central argument is that Mythos is not the real problem in itself; it is a signal that the era of AI-enabled attacks at scale has arrived, and that banking's chronic underinvestment in cybersecurity has created exactly the conditions that make such attacks maximally effective.
"AI does not create new vulnerabilities," Bain's analysis states. "It exposes existing ones." The chronic underinvestment that boards have tolerated for years has become an immediate and material business risk.
Companies spend only approximately 0.69% of revenue on cybersecurity on average, according to IANS Research cited by Bain. Most currently plan increases of approximately 10% annually.
Bain's view, based on its experience helping large organizations close their cybersecurity gap, is that many will need to increase spending by up to 2x current levels or more.
The FBI's IC3 received more than 1 million complaints in 2025, with reported losses reaching $21 billion, up 26% year on year. IBM puts the average cost of a data breach at $4.4 million globally and $10.22 million in the US, both all-time highs.
For BFSI specifically, Bain identifies the legacy technology problem as the most acute exposure. Banking infrastructure is decades old in many institutions, and Mythos was designed precisely to find vulnerabilities in aged, complex codebases that have survived human review and automated security tests for years.
Anthropic's own research found that Mythos identified thousands of zero-day vulnerabilities across every major operating system and browser, flaws that had survived decades of review.
What Is Happening on the Enterprise Front
Five of the largest US banks, JPMorgan Chase, Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley, have early access to Mythos through Anthropic's Project Glasswing. The enterprise picture Reuters has reported is one of controlled urgency rather than crisis.
Banks with access are using Mythos defensively, scanning their own systems for the vulnerabilities the model is designed to find, and patching before those vulnerabilities can be exploited by adversaries with equivalent capabilities.
Larger institutions are also sharing findings with smaller community banks that do not have the computing resources or budget to operate Mythos themselves, a form of industry-wide defensive coordination that has not been seen at this scale before.
The operational consequence is visible. Reuters reported that banks are being forced to temporarily take systems offline more frequently as they implement patches, with institutions attempting to minimize customer disruption while working through a remediation workload that has increased significantly since Mythos access was granted.
A senior bank regulatory official told Reuters the model has lived up to its reputation. Mythos is "unusually skilled at threading together vulnerabilities that would have taken human analysts far longer to connect."
Adam Meyers at CrowdStrike, which is part of Project Glasswing, described his team's first encounter with the tool in blunt terms: his first reaction was simply "oh boy," and his team spent an entire weekend figuring out how to use it properly before they started looking for bugs.
"This is a wake-up call because cyber risk is moving to machine speed, while much of bank defense still operates at human speed," said Nitin Seth, Co-founder and CEO of Incedo.
What Analysts Say Banks Should Do
Bain's analysis is notable for its clarity on one point: Mythos cannot reliably execute autonomous attacks against organizations with well-hardened defenses. The UK Government's AI Security Institute confirmed this independently.
The controls that constitute strong cybersecurity fundamentals, including automated patching, zero trust architecture, anomaly detection, phishing-resistant multifactor authentication, and network segmentation, already provide significant protection against Mythos-class attacks. The problem is that most banks have not built those foundations to the required standard.
Bain recommends four immediate priorities: establishing a dedicated AI threat war room using the same AI tools adversaries will use, strengthening foundational cybersecurity capabilities, addressing urgent risks to operational technology environments where patching is often not possible, and beginning preparation for post-quantum computing risks by 2030.
The broader analyst consensus, reflected in both Bain's report and Reuters' coverage, is that Mythos has changed one thing in banking cybersecurity more than anything else: the risk calculations that previously justified deferring cybersecurity investment are no longer valid.
AI has collapsed the cost and effort of launching sophisticated attacks, making every unpatched legacy system a realistic target rather than a theoretical one.
More than 60% of organizations say geopolitical tensions have already affected their cybersecurity strategies, according to the World Economic Forum's Global Cybersecurity Outlook 2026.
For banking, Mythos has added a second pressure: the recognition that the legacy technology debt accumulated over decades is now the sector's most operationally urgent vulnerability.
Key Takeaways
- Mythos, an AI cybersecurity model, reveals banking's vulnerability to AI-enabled attacks by exploiting decades-old system flaws.
- Banking's chronic underinvestment in cybersecurity has created significant, immediate business risks exposed by AI tools.
- AI does not create new vulnerabilities; it merely exposes and magnifies existing, long-ignored weaknesses in legacy systems.
- Financial institutions face heightened risk as AI-powered tools weaponize historical vulnerabilities at unprecedented scale.