Australia’s major banks are quietly ramping up their defences as anxiety builds as a new generation of artificial intelligence tools threatens to change cybersecurity forever.
At the centre of their concern is Mythos, a powerful AI model developed by Anthropic. Unlike traditional security tools, Mythos is designed to hunt down unknown and long‑standing vulnerabilities. Vulnerabilities and other kinds of weaknesses attackers normally only dream of finding. The fear among banks isn’t hypothetical these tools will dramatically shorten the time between a flaw existing and it being actively exploited.
Anthropic itself has acknowledged the risk. Earlier this month, the company confirmed it would not publicly release Mythos, citing the danger it posed to global organisations including financial systems if misused. According to the company, the model is capable of identifying previously unknown security flaws so effectively that releasing it without safeguards would be irresponsible.
That decision alone tells Australian businesses the story of how serious the threat is.
Limited Access, Growing Pressure
A small group of American organisations worldwide have been allowed to see Mythos in action under a tightly controlled initiative known as Project Glasswing. So far, access has been granted to around 40 US companies, these include Amazon, Microsoft and Google.
No Australian Business or Australian banks aren’t on that list — but they want to be.
National Australia Bank has been working closely with technology partners that do have access, hoping to indirectly assess Mythos’ capabilities. NAB executive Patrick Wright said the bank is keeping a close eye on how rapidly AI‑driven threats are evolving.
“NAB has longstanding, deep relationships with a range of technology partners, including those involved in Glasswing,” he said.
“Given the growing scrutiny around AI, we’re investing significant time and effort in monitoring new developments and associated risks and opportunities.”
Of course globally, competition for early access is intense. So far only a handful of financial institutions, including JPMorgan and Morgan Stanley, have been granted previews. Leaving others concerned they could be caught unprepared.
Anthropic has indicated it plans to expand Project Glasswing to include Australian banks, thus allowing them to patch weaknesses before similar tools reach criminal groups. At this time Anthropic has not committed to a timeline.
Faster Attacks — But Also Faster Defence
The arrival of tools like Mythos cuts both ways.
On one hand, AI driven attacks dramatically accelerate the speed at which any/all systems can be compromised. On the other, the same technology will allow defenders to find and fix weaknesses at machine speed, but only if they are prepared.
Westpac chief information security officer Richard Johnson said this shift is already forcing banks to rethink their security posture.
“We’re engaging with our technology partners and the broader security ecosystem to understand how models like Anthropic’s Mythos are being applied, particularly in identifying and addressing vulnerabilities,” he said.
“We see this as an opportunity to strengthen the security of widely used products and services in ways that benefit organisations globally.”
Commonwealth Bank, which is a shareholder in Anthropic, declined to expand on an earlier statement that it was “closely monitoring developments with our strategic partners in this fast‑evolving space”.
Mythos Has Already Shown What’s Possible
The anxiety isn’t theoretical. Mythos has already demonstrated its power.
Earlier this month, the AI identified a critical vulnerability in OpenBSD. OpenBSD is an operating system widely used in critical infrastructure. The flaw had existed for 27 years and would have allowed an attacker to crash any affected system.
It also uncovered:
- A 16‑year‑old vulnerability in widely used video encoding tool – FFmpeg
- Numerous flaws in the Linux operating system, which underpins most of the world’s servers
What makes Mythos truly dangerous and at the same time powerful, is its ability to chain multiple low‑level vulnerabilities together. This combination creates entirely new attack paths that traditional tools would miss.
As more sophisticated AI models emerge, including the numerous open‑source versions being developed overseas. Combined with the exponential rise in SAAS Software worldwide, the scale and speed of this problem is going to increase.
“Minutes Now, When We Used to Have Days”
Cybersecurity adviser Alastair MacGibbon, who previously advised former prime minister Malcolm Turnbull, believes larger banks will eventually gain access to tools like Mythos, but even so, smaller institutions may be left exposed.
“Banks can’t just keep doing business as usual. You’ve got minutes now, when we used to have days — so you’ve got to be automated,” he said.
MacGibbon argues that boards need to start asking different questions, especially around prioritisation.
“A problem with these tools is they find so many things, and you can be inundated — it’s almost like an alarm going off every couple of seconds. So how do I prioritise, and change my way of working?”
AI Already Breaking Through Defences
Don’t be mistaken, Banks already have a large AI department and are already using AI‑based attack tools to test their security. One example is Aether AI, which runs automated attacks designed to expose gaps in enterprise defences.
According to Aether AI co‑founder Jamieson O’Reilly, the results are confronting.
“There hasn’t yet been an organisation that we’ve worked with where our attack AI didn’t find something that was at least a medium to high criticality,” he said.
“We have been able to point this at a government agency or a financial institution and bypass millions of dollars of security spend with $5 in tokens.”
Over just one quarter, the company ran 3000 hours of AI‑driven attacks across government and enterprise environments, identifying 5846 vulnerabilities across 37 organisations.
The problem, O’Reilly says, is that many of these weaknesses were always there, just hidden.
“There are hidden vulnerabilities in underlying application code that no one was able to find because security tools were doing their job,” he said.
“But now AI can be so creative. It does find a way to bypass some of these security controls. Then it’s like a kid in a candy store because it’s now got free range to all these hidden things that existed for so long.”
From Periodic Security to Continuous Defence
PwC cybersecurity lead Robert Di Pietro believes Mythos represents a fundamental shift rather than a failure of past efforts.
“Australian banks, particularly larger banks, are already fairly strong in this area of vulnerability management and patch management capabilities: they certainly are not under‑invested in cybersecurity capability,” he said.
The challenge, he argues, is speed.
“The big question is: are they optimised for speed? We’re moving into a world where cyber risk management goes from periodic to continuous.”
The Bottom Line
AI models like Mythos signal a completely new era in cybersecurity, one where unknown flaws surface instantly. Attackers move faster than ever and manual processes simply won’t keep up.
As for bank and any organisation running critical systems, the message is clear:
defensive automation, agility, continuous monitoring and rapid response are no longer optional.