Bruce Schneier was in Luxembourg on Tuesday to give a masterclass to mark Clusil’s 30th anniversary. The Minister for the Economy, Lex Delles (DP), found time to chat with the leading authority on cybersecurity. Let’s hope he had time to ask him in depth about the ‘Mythos phenomenon’ and its potential implications.
Let’s rewind. In early April, a blunder by an engineer at Anthropic granted access for the first time to Mythos, a new generation of artificial intelligence. What makes it unique is its ability to detect previously unknown security flaws in code at an industrial scale. In particular, the AI discovered a 27-year-old flaw in OpenBSD, a computer system considered one of the most secure in the world. It also identified a vulnerability in FFmpeg, a software component widely used for video processing. The most worrying thing is that this section of code had already been analysed millions of times by traditional automated tools without anyone detecting the problem.
According to data provided by industry stakeholders, Mythos achieves an 83.1% success rate in replicating vulnerabilities, compared with 66.6% for the previous generation. Even more worrying is that the model is capable of chaining together several distinct vulnerabilities on its own to construct complex attacks without human intervention, including mechanisms for sandbox evasion or privilege escalation up to ‘root’ level.
Anthropic is putting $100m on the table
If the engineer had been given a real dressing-down—one that could have been heard all the way to the Vatican—Anthropic would have had to launch a massive PR campaign in the face of the global panic that had gripped the experts. Imagine if this AI were ‘cloned’ and fell into the hands of malicious hackers? They could test any technological system in the world and exploit every vulnerability to steal data, cripple systems or get their hands on billions of dollars.
The company behind Claude – the tool that is gradually overtaking ChatGPT and Gemini – has launched an exclusive initiative, ‘Project Glasswing’, to enable Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia and Palo Alto Networks to identify vulnerabilities in their respective code and address any issues. Since then, around 40 other companies have gained access to Mythos, for which Anthropic will offer up to $100m in tokens before disclosing, in 90 days’ time, all the vulnerabilities discovered.
For our visiting expert in Luxembourg, this was and remains nothing more than a public relations exercise: it is possible to achieve the same results using older models or those considered less effective than Mythos. This may be good news or bad news, depending on one’s perspective. But the fundamental problem lies elsewhere: artificial intelligence drastically reduces the time between discovery and exploitation. What specialists call the ‘time-to-exploit’ is plummeting. Whereas it used to take several days to turn a vulnerability into an operational weapon, less than an hour is now sufficient. The cost of producing a functional ‘zero-day’ exploit is also said to have fallen below $2,000.
A change of scale
A technological divide is widening between the tech giants capable of defending themselves at the speed of machines and financial institutions that continue to patch their systems at a human pace. For Luxembourg, the threat extends far beyond the IT sphere: it is becoming systemic. For years, banking cybersecurity has relied on a kind of implicit balance. As attackers advanced, so did the defenders. Vulnerabilities existed, but discovering, exploiting and then fixing them took time. That balance is now disappearing.
The launch in April 2026 of Anthropic’s Claude Mythos Preview model marks a turning point that many industry experts now describe as a ‘Manhattan Moment for cybersecurity’, in reference to the secret US programme that led to the creation of the atomic bomb during the Second World War, a sudden game-changer that created a major strategic imbalance.
The shift in scale is dramatic. The phenomenon is sometimes summed up by a phrase that has now become common in specialist circles: the ‘Cobol renaissance’. Legacy systems remain central to many critical financial infrastructures, but experts capable of maintaining them are becoming extremely rare. Meanwhile, AI models are learning to analyse and exploit these ageing architectures with increasing efficiency.
This is precisely what makes the situation particularly sensitive for Luxembourg. The Luxembourg financial centre has a structure that is unique in Europe. It combines the presence of major international systemic banks with a dense network of private banks, specialist funds, financial service providers and much smaller intermediaries. This duality creates a risk of contagion that is rarely discussed publicly. A breach at a medium-sized institution would probably not remain confined to that single player. Connections to interbank networks, payment infrastructures, settlement platforms and SWIFT flows create deep interdependencies with the entire European financial system. In this context, the weak link becomes a systemic risk.
Two other, less obvious issues
The other issue, which is still largely absent from public debate, concerns the strategic lifespan of financial data. So-called ‘harvest now, decrypt later’ strategies involve stealing encrypted data today in order to decrypt it later using future computing capabilities, particularly quantum computing. For a financial centre such as Luxembourg, where certain asset, tax or transaction data retains strategic value for ten, fifteen or twenty years, the nature of the threat changes. A breach today could have repercussions several decades down the line.
The US authorities appear to have already taken this paradigm shift on board. The emergency meetings held in early April 2026 between Scott Bessent, the US Treasury Secretary, and Jerome Powell, Chair of the US Federal Reserve, alongside several Wall Street executives, reflect growing concern over the industrialisation of cyberattacks through AI. This pressure is likely to spread rapidly to European regulators, notably the European Central Bank and the European Securities and Markets Authority. Traditional patching timescales may become increasingly unacceptable in the face of attacks capable of evolving within minutes. This development could also profoundly alter risk governance within financial institutions.
Until now, fully automating patches has often been seen as too risky. In the future, the risk could be the opposite: that of not automating quickly enough. The operational cost of a failed automatic patch could now be deemed lower than the risk of leaving a vulnerability open for 24 hours. This also implies a radical re-evaluation of traditional approaches to cybersecurity. Periodic audits, monthly scans and annual exposure reviews are increasingly seen as incompatible with models capable of exploiting vulnerabilities almost instantly. The sector is gradually shifting towards a ‘Continuous Threat Exposure Management’ (CTEM) approach, in which exposure validation becomes permanent, automated and continuously monitored.
In response to this acceleration, some players are already turning to technologies designed to withstand not only AI but also future quantum capabilities. Companies such as QNu Labs are developing solutions based on quantum key distribution, quantum random number generation or post-quantum cryptography, aimed at protecting existing infrastructure without having to rebuild it from scratch. However, these solutions remain costly and complex to deploy. For many smaller players, immediate measures mainly involve compensatory mechanisms: strict network micro-segmentation, strengthening of application firewalls, accelerated isolation of critical systems and a drastic reduction in attack surfaces.
This is probably the real warning for Luxembourg’s financial sector. For a long time, cybersecurity was viewed as a budgetary, regulatory or technical issue. With offensive AI, it is becoming a matter of industrial speed. Those capable of responding at the speed of machines will likely continue to hold their own. The others risk entering a zone of structural vulnerability where every delay in correction becomes an exploitable window of opportunity almost immediately. In this environment, cybersecurity ceases to be an IT issue. It becomes a prerequisite for financial stability.



