Finance survived the quantum threat by preparing early. Mythos won't make it so easy
Everything old is new again. Several years ago cybersecurity teams across the world, ranging from the NSA down to small fintech startups, were faced with a novel threat that seemed straight out of science fiction.
A technology was being developed that would make the encryption that secures every digital asset from your emails to bank details as easy to solve as the word jumble on a children’s menu.
The world mobilized and countered this threat: new forms of encryption were developed, and even though the technology in question has yet to be developed, the world’s experts are sure that there is no threat.
That problem was quantum cryptography, something that was the talk of the entire security industry just a few years ago and now is barely a murmur.
Co-CEO & Partner at CONCRYT.
The emergence of Anthropic's Claude Mythos model has put a new item on the agenda of everyone who runs business-critical technology.
The model, released under a restricted program called Project Glasswing, has reportedly identified thousands of high-severity software flaws across every major operating system and browser.
Anthropic's own framing was unusually stark: the same capability that makes the model valuable for defense could, if it proliferates beyond trusted hands, cause serious harm to economies and public safety.
For businesses that sit anywhere in the financial ecosystem, from payment providers to core banking platforms to merchants moving large transaction volumes, this is not an abstract concern.
It is a question about the software stack you run, the suppliers you depend on, and the assumptions you make about how long a vulnerability can sit undiscovered before someone weaponizes it. It is also a story that we’ve heard before, and that gives us an idea of how to solve it.
What is actually new here
Vulnerability research has always been an asymmetric game. Defenders have to be right everywhere, and attackers only have to be right once. Despite how difficult this is, there are thankfully few major leaks and exploits, especially in banking and finance.
Frontier AI (the new models that haven’t been deployed to the general public yet) could change the economics of that asymmetry. A model that can read, reason about and chain together flaws in codebases at machine speed compresses the time between discovery and exploitation, and it lowers the skill floor for anyone who wants to try.
That shift has not been lost on policymakers. At the IMF and World Bank spring meetings this month, senior figures treated AI-enabled cyber risk as an active financial stability concern rather than a future one.
IMF managing director Kristalina Georgieva told CBS News that the world currently does not have the tools to protect the international monetary system against cyber risks at this scale, and warned that the risks have been growing exponentially.
The business technology implication is straightforward. Legacy components that have survived in production for a decade or more were, in effect, protected by obscurity and the high cost of exploitation.
That protection is weakening. Technical debt that was tolerable a year ago is now a live exposure, particularly where institutions share common cloud providers, open-source libraries or standards.
The quantum playbook shows this problem is solvable
If the AI conversation feels overwhelming, there is a recent precedent worth studying. Several years before large-scale quantum computers existed, the financial sector started preparing for them.
The Bank for International Settlements, working with the Banque de France and the Deutsche Bundesbank, launched Project Leap to test whether central bank communications could be re-encrypted using post-quantum algorithms.
A later phase expanded the work to include Swift, the Bank of Italy and Nexi, applying quantum-resistant signatures inside an operational payment system. The substance of Project Leap matters, but the shape of it matters more.
Central banks, payment network operators, commercial infrastructure providers and standards bodies coordinated around a threat that had not materialized and, on some estimates, still will not for another decade or more.
They built hybrid schemes, tested interoperability and published their findings so that other institutions could follow. Similar work has been standardizing post-quantum cryptography through NIST, which published its first finalized PQC standards in 2024, giving the rest of the industry a reference point to migrate against.
There are two lessons here. The first is that financial infrastructure is capable of rallying around a novel, pre-emergent threat when the case is made clearly and the technical groundwork is laid in public. The second is that the work is slow, unglamorous and begins years before the threat lands.
Businesses that waited for a confirmed quantum break before budgeting for crypto agility would be years behind the curve. The same will be true of AI-enabled cyber capability, with one important difference: the timeline is measured in months and quarters, not decades.
What this changes for business technology leaders
The immediate question for CIOs and CISOs is less about Mythos itself, which remains inside a controlled access program, and more about what comes next.
Anthropic has been unusually open about the risk; other labs may not be, and capability of a similar order is likely to become more widely available over the next year. Planning should assume that the offensive side of this technology proliferates before regulation catches up.
Three practical shifts tend to follow from that assumption. Vulnerability management becomes a continuous, AI-assisted process rather than a quarterly exercise, because human-paced patching cannot keep up with machine-paced discovery.
Third-party risk assessment has to account for the security posture of AI model providers and the platforms that host them, not only traditional software vendors. And red-team testing has to include adversaries equipped with frontier-level reasoning, rather than the tooling that was state of the art eighteen months ago.
At the same time, responsible deployment of these models on the defensive side is arguably the single biggest opportunity the sector has had in a decade. The partners inside Project Glasswing are already using Mythos to find and patch long-standing flaws in widely deployed code.
That work, scaled across the financial supply chain, could shift the balance back towards defenders in a way that traditional tools never managed.
Accountability has to travel with capability
The final lesson from the quantum effort is cultural. The institutions that led Project Leap did so because they treated resilience as a shared obligation rather than a competitive differentiator. The AI moment calls for the same instinct. Regulation will arrive, and it should, but it will lag capability for the foreseeable future.
In the meantime, the businesses that come out of this period intact will be the ones that took accountability seriously while the rules were still being written. Capability is abundant. Accountability, for now, is the scarce resource.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/pro/perspectives-how-to-submit