Risk Watch

AI Writes Zero-Day Exploits, US Treasury Calls Emergency Meeting

Anthropic's Mythos AI model autonomously discovers and exploits thousands of security vulnerabilities, prompting the Treasury Secretary and Fed Chair to summon top Wall Street bank CEOs.

Đức Trí

Risk Analysis

What the reports don’t say: when an AI model can write a complete attack exploit overnight, every assumption about financial system cybersecurity needs to be rewritten.

On April 7, 2026, Anthropic unveiled Claude Mythos Preview, an AI model capable of autonomously discovering and writing exploit code for zero-day vulnerabilities across every major operating system and web browser. Unlike any previous AI model launch, Anthropic chose not to release Mythos publicly due to cybersecurity concerns (TechCrunch).

Three days later, US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell called an emergency meeting with CEOs of America’s largest banks (Yahoo Finance). The real risk lies in the fact that this was not a meeting triggered by financial crisis or economic recession, but by a specific technology product.

Mythos: an unprecedented “vulnerability machine”

In just a few weeks of testing, Mythos Preview discovered thousands of critical zero-day vulnerabilities, including bugs that had existed for decades without being found by humans (Help Net Security). The oldest recorded vulnerability was a 27-year-old bug in OpenBSD, an operating system renowned for its security (Tom’s Hardware).

Claude Mythos Preview, the AI model shaking the cybersecurity industry

But what truly alarmed the financial world was not the vulnerability-finding capability itself, but the next step: when asked to write exploit code from discovered vulnerabilities, Mythos achieved a 72.4% success rate, compared to nearly 0% for Claude Opus 4.6 (The Register).

AI model exploit writing success rate comparison

That 72.4% figure needs context: before Mythos, writing an exploit from a zero-day vulnerability required top cybersecurity experts working for days or weeks. Mythos fundamentally changes this equation. Engineers at Anthropic, with no cybersecurity expertise, asked Mythos to find a remote code execution (RCE) vulnerability overnight, and received a fully functional exploit by morning (The Register).

More notably, Mythos can chain multiple vulnerabilities into complex exploit chains. In one test, the model wrote a browser exploit chain combining 4 vulnerabilities, escaping both the renderer sandbox and the operating system. This is a technique previously achievable only by nation-state attack groups.

An unprecedented emergency meeting

The US Treasury Building in Washington D.C., where the emergency meeting took place

On April 10, 2026, Secretary Bessent and Chair Powell summoned CEOs of America’s largest banks to Treasury headquarters in Washington. Present were the leaders of Citigroup, Morgan Stanley, Bank of America, Wells Fargo, and Goldman Sachs (Yahoo Finance). Notably, JPMorgan Chase CEO Jamie Dimon was absent, despite JPMorgan being a Project Glasswing partner.

The meeting’s purpose: ensure banks fully understand the risks from Mythos and similar AI models, and are implementing defensive measures. All parties declined to comment on meeting details.

This was a rare instance where both the Treasury Secretary and Fed Chair jointly summoned banking leaders over a specific technology product. The signal is unmistakable: even those at the helm of the world’s largest financial system are not yet prepared for AI-weaponized security vulnerabilities.

Project Glasswing: defending with AI itself

Recognizing the dual-use risk, Anthropic launched Project Glasswing, providing Mythos Preview access to organizations responsible for critical software infrastructure (Anthropic).

Glasswing’s partner list includes 11 leading technology organizations: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks (Seeking Alpha). An additional 40+ organizations were also granted access (Fortune).

Anthropic committed $100 million in usage credits and $4 million in grants for open-source security organizations under Glasswing (Decode The Future).

Glasswing’s logic is simple yet profound: if AI can find zero-days faster than humans, the only viable defense is using that same AI to find and patch vulnerabilities before attackers can exploit them. The offense-defense race is no longer human versus human; it is AI versus AI.

The financial system: three core vulnerabilities

Why did the Treasury and Fed react so swiftly? Because the banking system is the most attractive target for cyberattacks, with risk concentrated at three points:

Complex payment infrastructure: SWIFT systems, interbank payment platforms, and core banking software all contain millions of lines of code. These are precisely the types of systems where Mythos excels at finding vulnerabilities.

Exploitation speed exceeds patching capability: When AI can create exploits in minutes, the response time of bank security teams — typically measured in days or weeks — becomes insufficient. AI has compressed the gap between discovery and exploitation to near-zero.

Cascade effects: Many major banks share cloud platforms and third-party software. A single vulnerability in shared infrastructure could impact the entire financial system, not just one bank.

Vietnam: rapid digitization, expanded attack surface

The Mythos story is not just a Wall Street affair. Vietnam is pursuing banking digitization at one of the fastest rates in the region, and that very speed creates a wider attack surface.

Biometric authentication on Mobile Banking, part of Vietnam's banking digital transformation

Under Directive 02/CT-NHNN dated January 9, 2026, the State Bank of Vietnam designated 2026 as the focal year for digital transformation and information security assurance in banking operations (Vietnam.vn). Starting January 1, 2026, all online transactions via Mobile Banking and Internet Banking require biometric authentication (VietnamNet).

However, the banking and financial services industry (BFSI) accounts for 71% of all cyberattacks in Vietnam, the highest among all sectors. Vietnam’s cybersecurity market is projected to reach $355 million in 2026, up from $310 million in 2025, growing quickly (about 14.5% annually) but still tiny relative to the banking system’s scale (Mordor Intelligence).

Major banks are integrating AI into operations, risk assessment, customer service, and expanding APIs. Each new integration point is a potential attack vector. With Mythos demonstrating that AI can weaponize vulnerabilities at unprecedented scale, the question for Vietnam’s banking system is not “if” but “how prepared.”

Implications for investors

The Mythos story opens a category of investment risk that markets have not yet fully priced in.

Banking stocks carry the largest weight in the VN-Index. Rising cybersecurity costs will directly impact profit margins in the medium term. But the far greater risk is that a major cybersecurity incident could trigger a collapse of confidence for any bank. The VN-Index rose 1.01% to 1,754 points in the morning session on April 10 amid a global market recovery, but the Mythos story could inject more caution in the sessions ahead, especially for banking stocks.

International cybersecurity stocks, particularly CrowdStrike and Palo Alto Networks — both Glasswing partners — surged on the news. These are direct beneficiaries as demand for AI-powered defense skyrockets.

Long-term perspective: as AI becomes a cyberattack weapon, defense costs for the entire financial system will rise structurally. This is an irreversible trend that needs to be reflected in bank valuations. For Vietnam specifically, where the banking system is preparing for larger foreign capital inflows post-FTSE upgrade (effective September 2026), cybersecurity capability will become a critical evaluation criterion for international investment funds.

Mythos is not an immediate threat — Anthropic maintains tight controls and only grants access through Project Glasswing. But this model is a clear warning signal: the era in which AI can autonomously find and exploit security vulnerabilities at speeds far exceeding human capabilities has begun. Investors who overlook cybersecurity risk in their bank stock analysis are putting themselves at a disadvantage.
