ECB Tells Banks: Patch Faster or Get Breached by AI
The European Central Bank (ECB) is summoning banks on Tuesday to address a new class of cybersecurity threats: AI models that find and exploit software vulnerabilities faster than any human team. The trigger is Anthropic's Claude Mythos Preview, a frontier AI that has already identified thousands of zero-day flaws across major operating systems and browsers.
ECB Executive Board member Frank Elderson told the Financial Times: "There is a whole range of issues on cyber security that we have been engaging on with the banks for years which are all still valid, but given the progress in AI, they need to be dealt with faster."
Mythos: 83% First-Attempt Exploit Rate
Mythos is not a hypothetical threat. In controlled testing, the model produced working exploits on its first attempt more than 83% of the time, often outperforming human cybersecurity specialists. Only 40 to 50 organizations have access through Anthropic's Project Glasswing—including Amazon, Microsoft, Google, Nvidia, CrowdStrike, Palo Alto Networks, and JPMorgan Chase. No European bank is on the list.
Anthropic warns that adversaries could replicate this capability within six to twelve months. The ECB's Elderson is blunt: European banks cannot use their lack of access as an excuse. Malicious actors will soon have equivalent technology.
The Patch Window Has Collapsed
Traditional patch cycles—weeks or months—are now lethal. Elderson explained that AI models can reverse-engineer software fixes within minutes of their release. Once a vendor publishes a patch, an AI can analyze the diff, understand the vulnerability, and generate an exploit almost instantly. Banks must patch within hours, not days.
Palo Alto Networks reports that advanced AI models are discovering vulnerabilities at seven times the usual rate. The firm warns the industry has only three to five months of defensive buffer remaining.
Regulatory Scramble: DORA and the Access Gap
The ECB's intervention falls under the Digital Operational Resilience Act (DORA), the EU's cybersecurity law for financial services. DORA requires banks to manage IT risk, test resilience, and report incidents. But the regulation was drafted before AI models like Mythos existed.
Euro-area finance ministers have demanded Mythos access. European Commissioner Valdis Dombrovskis confirmed on 4 May that the EU is in talks with Anthropic about testing companies and banks. Those talks have stalled, according to Spanish officials in mid-May.
Mistral AI Offers European Alternative
French AI startup Mistral AI is in discussions with European banks to deploy its own cybersecurity model, designed to identify vulnerabilities like Mythos. CEO Arthur Mensch frames it as technological sovereignty. Mistral already works with HSBC and BNP Paribas. The model is still under development with no confirmed release date.
What Developers Should Do Now
If you work on banking or financial software, your current patch process is likely too slow. Here's a concrete example of how to accelerate: use a CI pipeline that automatically applies security patches to staging environments within one hour of release.
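# Example GitLab CI job for rapid patch deployment
security-patch:
  stage: deploy
  script:
    # Upgrades packages in the environment the job itself runs in
    - apt-get update && apt-get upgrade -y
    # Rolls out the patched manifest to the cluster
    - kubectl apply -f k8s/patched-deployment.yaml
  only:
    - schedules
  # Waits for a person to start the job
  when: manual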
But manual approval is still too slow. Instead, automate with a webhook that triggers on CVE publication:
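#!/bin/bash
# Triggered by CVE feed webhook; the arguments come from outside, so treat them as untrusted
set -eu
PACKAGE="$1"
VERSION="$2"
# Accept only a syntactically valid Debian package name (never an option or shell syntax)
[[ "$PACKAGE" =~ ^[a-z0-9][a-z0-9+.-]+$ ]] || exit 1
# Upgrade only if the fixed version is available from the configured repositories
# (-F: literal match, so dots in the version are not regex wildcards; -x: whole line)
if apt-cache show "$PACKAGE" | grep -Fxq "Version: $VERSION"; then
    apt-get install --only-upgrade -y "$PACKAGE"
    systemctl restart affected-service
fi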
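The webhook script above upgrades packages based on whatever arguments arrive, so the receiver in front of it has to authenticate and validate each event first. An added example (not from the article) of such a gate; the HMAC-SHA256 signature scheme, the JSON field names and the five-minute freshness window are assumptions.

```python
import hashlib
import hmac
import json
import re
import time

# Assumed conventions (not from the article): the feed signs the raw body with
# HMAC-SHA256 under a shared secret, and the JSON event carries the fields
# "package", "fixed_version" and "published" (Unix time).
PKG_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")      # Debian package name
VER_RE = re.compile(r"^[0-9][A-Za-z0-9.+~:-]*$")    # Debian version string
MAX_AGE_SECONDS = 300                                # reject stale or replayed events


def verify_and_parse(body: bytes, signature_hex: str, secret: bytes, now=None):
    """Return (package, version) only for an authentic, fresh, well-formed event."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison: do not leak how many characters matched
    if not hmac.compare_digest(expected.encode(), signature_hex.encode()):
        raise ValueError("bad signature")
    try:
        event = json.loads(body)
        package, version = event["package"], event["fixed_version"]
        published = float(event["published"])
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed event") from exc
    now = time.time() if now is None else now
    if abs(now - published) > MAX_AGE_SECONDS:
        raise ValueError("stale event")
    if not (isinstance(package, str) and PKG_RE.fullmatch(package)):
        raise ValueError("invalid package name")
    if not (isinstance(version, str) and VER_RE.fullmatch(version)):
        raise ValueError("invalid version")
    return package, version


def upgrade_command(package: str, version: str):
    """Build an argv list (no shell involved) that pins the exact fixed version."""
    return ["apt-get", "install", "--only-upgrade", "-y", f"{package}={version}"]


if __name__ == "__main__":
    secret = b"constructed-demo-secret"              # constructed sample value
    body = json.dumps({"package": "openssl", "fixed_version": "3.0.13-1~deb12u1",
                       "published": time.time()}).encode()   # constructed event
    sig = hmac.new(secret, body, hashlib.sha256).hexdigest()
    print(upgrade_command(*verify_and_parse(body, sig, secret)))
```

Pass the returned list to `subprocess.run` without `shell=True`, so the validated values are never reinterpreted by a shell.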
European banks must also monitor for shared findings from Project Glasswing partners. Anthropic now allows partners to share findings beyond the program, which may help close the information gap.
The Bottom Line
AI-driven vulnerability discovery is no longer theoretical. Mythos achieves 83% first-attempt exploit success. The patch window has collapsed to minutes. European banks are locked out of the best tool, but regulators demand they fix problems they cannot fully see. Developers must shorten patch cycles to hours, automate deployments, and prepare for a wave of AI-powered attacks.
Editor's Take
Honestly, I've been skeptical of AI hype in security, but the Mythos numbers are hard to ignore. 83% first-attempt exploit rate is insane. I've seen human red teams take days to write a working exploit for a zero-day. The fact that Anthropic is restricting access to only 40-50 orgs tells me this is real—they're scared of the damage a public release would cause. My prediction: within 12 months, we'll see a copycat model leak on GitHub, and then all hell breaks loose. Banks better have their patching pipelines ready.





