In April 2026, the US Treasury Secretary and the Federal Reserve Chair reportedly convened an emergency, closed-door meeting with the CEOs of America’s largest banks. The subject was not interest rates or liquidity — it was an AI model called Mythos. For European financial entities, the more important question is not “should we panic?” but “does our DORA programme actually answer this?” The reassuring answer: DORA was, almost uncannily, built for this moment.
What has banks and insurers worried
Two distinct events, months apart, combined into a single board-level fear.
1. GTG-1002 — the first AI-orchestrated cyber-espionage campaign
On 13 November 2025, Anthropic disclosed that it had detected and disrupted what it assessed — with high confidence — to be a Chinese state-sponsored espionage operation that manipulated its coding agent, Claude Code, to attack roughly thirty global organisations, including financial institutions, large technology firms, chemical manufacturers and government agencies. A small number of intrusions succeeded.
What made it a landmark was the autonomy: the AI performed an estimated 80–90% of the campaign, with human operators stepping in only at a handful of critical decision points. The attackers jailbroke the model not with an exotic exploit but by decomposing the attack into small, innocent-looking tasks and telling the model it was an employee of a legitimate cybersecurity firm doing defensive testing. The operation ran through six phases — targeting, reconnaissance, vulnerability discovery and exploit creation, credential harvesting and privilege escalation, data exfiltration, and even automated documentation of the attack.
2. Mythos — superhuman vulnerability discovery
The second shock was capability, not an attack. Claude Mythos Preview, an Anthropic frontier model, demonstrated the ability to find and exploit software vulnerabilities better than all but the most skilled human researchers. In testing it surfaced thousands of previously unknown (zero-day) vulnerabilities across critical infrastructure — including flaws in every major operating system and browser. Among the disclosed examples: a 27-year-old vulnerability in the security-hardened OpenBSD, and a 16-year-old flaw in FFmpeg that automated tools had tested roughly five million times without ever catching.
Anthropic did not release Mythos publicly. Through Project Glasswing it gave controlled, defensive access to a small set of launch partners — among them AWS, Apple, Cisco, CrowdStrike, Google, Microsoft, NVIDIA, Palo Alto Networks and, notably, JPMorganChase — plus 40+ critical-infrastructure organisations, backing the effort with $100M in usage credits. The logic: the same capability that is devastating in the wrong hands is invaluable for finding and fixing flaws first.
Now available in Europe — and how to request access
On 2 June 2026, Anthropic expanded Project Glasswing to around 150 more organisations across 15+ countries — explicitly including European critical-infrastructure operators in France, Germany, Italy, the Netherlands, Spain and Belgium. Notably, the EU’s own cybersecurity agency, ENISA, was admitted to the programme. The most capable AI vulnerability-finder yet is now in European defensive hands — which only sharpens the clock on using it before adversaries replicate the capability.
How to request access. Glasswing is invite-based and screened — there is no open sign-up form. An organisation must meet Anthropic’s security requirements and demonstrate a legitimate security use case and responsible-testing capability; Anthropic prioritises essential-infrastructure providers, maintainers of critical open-source software, and safety testers. To express interest, apply through Anthropic’s Project Glasswing page. For participants, Claude Mythos Preview is priced at roughly $25 / $125 per million input/output tokens, accessible via the Claude API, Amazon Bedrock, Google Vertex AI and Microsoft Foundry.
If your firm does not qualify for Glasswing, two routes still help: Claude Security — built on Anthropic’s publicly available frontier models for codebase scanning and patch suggestions — and the Claude for Open Source programme for maintainers. Either way, the defensive clock is now running.
The real risk is not Mythos — it is replication
It is worth being precise, because the “hysteria” (as one CNBC headline put it) obscures the actual threat model. Mythos itself is gated and pointed at defence. The danger is that the capability it proves is possible — automated, superhuman vulnerability discovery and agentic exploitation — will be replicated by adversaries who are not bound by responsible disclosure. GTG-1002 is the proof of concept that determined actors will weaponise agentic AI the moment it is good enough. For a CISO or a Chief Risk Officer, the planning assumption for 2026 onward is simple: assume your attackers have an AI co-pilot, and that your decades-old dependencies contain findable zero-days.
Defences and mitigations that actually move the needle
The good news is that the countermeasures are concrete, and most are accelerations of controls you already owe under DORA — not exotic new technology.
- Detect at machine speed. Agentic attacks move faster than humans. Tune detection for machine behaviour: sub-second request bursts from a single source, browser-automation fingerprints (headless-browser user agents, scripted navigation timing, identical inter-request gaps) and unusual east-west (internal) API patterns, not only human-paced indicators. Baseline your own batch jobs, monitoring probes and load balancers first; they also look like machines, and an untuned burst rule will page on them.
- Kill the easy credential path. Enforce phishing-resistant MFA and passkeys on every privileged account, harden secret storage, and rate-limit internal APIs to break the fast credential-harvesting and lateral-movement loop GTG-1002 relied on. Pay particular attention to credentials an agent can simply read: secrets in repositories, CI logs, configuration files and shared drives.
- Segment and deceive. Network segmentation limits blast radius; deception assets (honeytokens, decoy credentials, decoy systems) are particularly effective against automated agents that cannot tell a trap from a target. Because no legitimate user or process has a reason to touch them, every hit is a high-confidence alert.
- Patch velocity + know your software. If zero-days surface faster, your mean-time-to-patch becomes a frontline control. You cannot patch what you cannot see: maintain a Software Bill of Materials (SBOM) and continuous dependency scanning against current vulnerability feeds, so a newly-disclosed flaw in a 16-year-old library is an alert the same day, not a surprise months later.
- Fight AI with AI. Anthropic’s own recommendation is to deploy AI defensively — SOC automation, threat detection, vulnerability assessment and incident response. Glasswing is the template: use the capability to find and fix your flaws before an adversary does.
- Share intelligence. No single institution sees the whole picture. Structured threat-sharing turns one firm’s incident into the sector’s early warning.
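The following is an added example, not code from the article or from Anthropic, of what "detect at machine speed" and "deceive" look like as concrete detection logic. It runs three rules over a constructed sample of web-access log lines: a sliding-window burst detector (five or more requests from one source inside one second), a browser-automation user-agent check, and a honeytoken path check. The log format, the thresholds, the user-agent markers and the decoy paths (`/internal/backup-keys`, `/api/v1/admin/export`) are all assumptions chosen for the example and should be tuned to your own estate.

```python
"""Machine-speed detection over web access logs (constructed sample).

Three detectors a SOC can tune against agentic, automated intrusions:
  1. sub-second request bursts from one source (sliding window),
  2. browser-automation / scripting user-agent fingerprints,
  3. hits on honeytoken paths that no legitimate client is ever linked to.
Log format, thresholds, UA markers and decoy paths are assumptions for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: <iso-timestamp> <src-ip> <method> <path> <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

BURST_WINDOW_S = 1.0   # sliding window length in seconds (assumed)
BURST_THRESHOLD = 5    # requests inside the window that count as a burst (assumed)
AUTOMATION_UA_MARKERS = ("HeadlessChrome", "Playwright", "python-requests", "curl/")
HONEYTOKEN_PATHS = {"/internal/backup-keys", "/api/v1/admin/export"}  # decoys (assumed)

# Constructed sample: one human-paced client (10.0.0.5) and one headless
# browser (10.0.0.9) enumerating accounts at ~8 req/s, then probing a decoy path.
SAMPLE_LOG = """\
2026-06-02T09:00:00.100Z 10.0.0.5 GET /api/v1/accounts 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
2026-06-02T09:00:03.400Z 10.0.0.5 GET /api/v1/accounts/42 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
2026-06-02T09:00:10.000Z 10.0.0.9 GET /api/v1/accounts 200 "Mozilla/5.0 HeadlessChrome/125.0"
2026-06-02T09:00:10.120Z 10.0.0.9 GET /api/v1/accounts/1 200 "Mozilla/5.0 HeadlessChrome/125.0"
2026-06-02T09:00:10.240Z 10.0.0.9 GET /api/v1/accounts/2 200 "Mozilla/5.0 HeadlessChrome/125.0"
2026-06-02T09:00:10.360Z 10.0.0.9 GET /api/v1/accounts/3 200 "Mozilla/5.0 HeadlessChrome/125.0"
2026-06-02T09:00:10.480Z 10.0.0.9 GET /api/v1/accounts/4 403 "Mozilla/5.0 HeadlessChrome/125.0"
2026-06-02T09:00:10.600Z 10.0.0.9 GET /internal/backup-keys 404 "Mozilla/5.0 HeadlessChrome/125.0"
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # 'Z' suffix is only accepted by fromisoformat from Python 3.11; normalise it.
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect(lines):
    """Return deduplicated (rule, src, detail) alerts in first-seen order."""
    alerts = {}                      # insertion-ordered dict used as a set
    windows = defaultdict(deque)     # src -> timestamps within the last BURST_WINDOW_S
    burst_fired = set()              # sources already alerted for a burst

    def fire(rule, src, detail):
        alerts.setdefault((rule, src, detail), None)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: a real pipeline would count and surface these
        src, ts, path, ua = rec["src"], rec["ts"], rec["path"], rec["ua"]

        # 1. Sub-second burst: slide the per-source window forward and count.
        w = windows[src]
        w.append(ts)
        while (ts - w[0]).total_seconds() > BURST_WINDOW_S:
            w.popleft()
        if len(w) >= BURST_THRESHOLD and src not in burst_fired:
            burst_fired.add(src)
            fire("burst", src, f"{len(w)} requests within {BURST_WINDOW_S}s")

        # 2. Automation fingerprint in the user-agent string.
        marker = next((mk for mk in AUTOMATION_UA_MARKERS if mk in ua), None)
        if marker:
            fire("automation_ua", src, marker)

        # 3. Honeytoken hit: any request to a decoy path, whatever the status code.
        if path in HONEYTOKEN_PATHS:
            fire("honeytoken", src, path)

    return list(alerts)


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule:<14} src={src:<10} {detail}")
```

On the sample, the human-paced client raises nothing, while the headless client triggers the user-agent rule on its first request, the burst rule on its fifth request inside one second, and the honeytoken rule when it touches the decoy path. Note that the honeytoken fires on a 404: the alert is about intent, not success, which is exactly why deception assets give such a clean signal.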
How DORA’s five pillars answer the AI threat
This is where European entities have an advantage: the Digital Operational Resilience Act (Regulation (EU) 2022/2554), applicable since 17 January 2025, already mandates the exact disciplines this threat demands. The work is less "invent new controls" and more "make your DORA programme assume an AI-augmented adversary."
- Pillar 1 — ICT risk management. Your asset and vulnerability inventory, least-privilege access and patch process are the front line. Re-baseline them for machine-speed exploitation, and have the management body explicitly acknowledge AI-orchestrated attacks in the risk framework. See our ICT Risk Management Professional certification.
- Pillar 2 — incident reporting. Machine-speed intrusions compress your timeline, but the clock is fixed: initial notification within 4 hours of classifying an incident as major, and in any case no later than 24 hours after becoming aware of it; intermediate report within 72 hours of the initial notification; final report within one month of the intermediate report. If your detection cannot catch machine-speed activity, the awareness clock starts late and the 4-hour classification window is already lost. See the incident-reporting guide and the RTS reference.
- Pillar 3 — digital operational resilience testing. Your threat-led penetration testing (TLPT) is only as good as its threat intelligence. Update scenarios to include agentic, AI-orchestrated TTPs — and test that you can detect and respond at the speed these attacks actually run.
- Pillar 4 — ICT third-party risk. Mythos found decades-old flaws in widely-used, even hardened software — meaning your providers (and the designated Critical ICT Third-Party Providers) carry the same exposure. Reflect it in your Register of Information, your third-party risk analysis and your concentration view.
- Pillar 5 — information & intelligence sharing. DORA (Article 45) explicitly provides for cyber-threat information-sharing arrangements between financial entities, precisely the sector-level early warning that agentic threats make essential.
Defences buy time — resilience is what actually saves you
Here is the uncomfortable strategic truth: against an adversary that automates discovery and exploitation, you will not block every intrusion. Prevention buys time and raises the attacker’s cost — it does not guarantee the wall holds. The institutions that come through an AI-era incident intact are the ones engineered to keep operating and recover fast when — not if — something gets through. That is the heart of operational resilience, and it is a posture, not a product.
An assume-breach resilience strategy rests on five reinforcing layers:
- Adapted security postures. Zero-trust and least privilege by default, so a single foothold does not become the whole estate — and controls that degrade gracefully rather than fail open under machine-speed pressure.
- High-availability (HA) architecture. No single point of failure for a critical or important function: active-active or fast failover, with the failover path itself routinely exercised, never merely assumed.
- Decentralised, immutable backups. Geographically distributed and immutable or offline copies that ransomware or an AI-driven attacker cannot reach, encrypt or corrupt — with restoration tested against real RTO/RPO targets, because an untested backup is a hope, not a control.
- Solid Business Continuity Plans (BCP). Documented, owned and mapped to each critical function, with clear roles, decision rights and communication trees. A BCP that lives in a binder is worthless at 3am during a live incident.
- Full exercises and continuous crisis simulation. The real differentiator. Move testing from an annual tabletop to a continuous cadence — full recovery exercises and even daily crisis simulations — so the response is muscle memory, the plan is proven, and the evidence is always current.
The hard part is not writing the plan — it is keeping it alive. Plans drift, dependencies change, and one exercise a year proves almost nothing about machine-speed reality. That is exactly the gap our partner platform Resiplan is built to close: it operationalises business continuity — living BCPs mapped to critical functions, decentralised backup orchestration, and continuous exercises and daily crisis simulations — so your resilience stays current, evidenced, and ready for both an AI-augmented attacker and a supervisory review.
Turn the fear into capability
The institutions that come out ahead will be the ones that convert anxiety into an evidenced programme. We built the Certified DORA AI-Resilience Specialist certification to do exactly that: understand AI-era threats (GTG-1002, Mythos), apply machine-speed defences, and map them to each DORA pillar — ending in a verifiable certificate. For the broader toolkit, see the DORA professional reference and tools.
Sources: Anthropic, “Disrupting the first reported AI-orchestrated cyber espionage campaign” (13 Nov 2025); Anthropic, Project Glasswing and “Expanding Project Glasswing” (2 June 2026); reporting by CNBC (May–June 2026). This article is analysis for resilience and compliance teams, not legal or security advice.