South Africa’s banking sector is facing a cybersecurity reckoning unlike anything seen before, and it’s all centred on a powerful artificial intelligence model that has forced some of the country’s largest financial institutions to reassess their defensive capabilities. Capitec Bank, the nation’s biggest retail bank by customer count, has formally applied for early access to Anthropic’s Mythos model, marking a significant moment in how local banks are grappling with one of the most sophisticated AI systems ever built.
Speaking this week, Capitec CEO Graham Lee outlined precisely why the stakes feel so high right now. He explained that the window to patch newly discovered vulnerabilities in banking systems is collapsing at an alarming rate. Where defenders once had months—then weeks—to secure their networks before attackers struck, that timeline has shrunk dramatically with Mythos’s arrival. The model’s real danger lies not just in its raw power, but in its ability to identify what Lee called “conflations”—multiple weaknesses that interact with each other—and then automate sophisticated attacks exploiting these overlapping gaps.
This isn’t hype or theoretical conjecture. Anthropic announced the Claude Mythos Preview on 7 April, deliberately restricting access to roughly 40 organisations through its Project Glasswing initiative, alongside versions being rolled out to US federal agencies. The British government’s AI Security Institute tested the model and found it “substantially more capable at cyber offence than any model previously assessed,” according to an open letter released mid-April. That statement alone sent shockwaves through global banking circles.
The access disparity is stark. Major US banks including JPMorgan Chase, Morgan Stanley, Goldman Sachs, Bank of America and Citigroup have confirmed or been reported to have access to Mythos. But across Europe, multiple senior banking and regulatory sources told Reuters last week that they’re unaware of any European financial institution with access to the model yet. South Africa, unfortunately, sits in a similar position to Europe—largely locked out while global competitors race ahead.
South African banks race to understand the Mythos threat
Standard Bank, another heavyweight in the local financial sector, is actively tracking Mythos’s development and working closely with technology partners to understand what it means for the country’s banking infrastructure. The bank’s security team has flagged deep concerns about AI tools that lower the barrier for attackers or dramatically accelerate the discovery and exploitation of vulnerabilities. They’re relying on relationships with top-tier cybersecurity partners, many of whom are directly testing frontier AI-based tools as we speak.
What makes this moment particularly pressing is that the old paradigm of attack and defence symmetry has shifted fundamentally. Historically, when a new cyber weapon emerged, attackers and defenders gained access to it roughly simultaneously. Anthropic has deliberately changed this dynamic by granting defenders earlier access than the rest of the world—a decision Lee praised unambiguously. By giving banks and security teams a head-start, Anthropic has created an asymmetrical advantage for those organisations with access.
But that asymmetry cuts both ways. For institutions locked out of the Mythos access programme, it creates a competitive and security gap that feels increasingly untenable. Some US banks without access have already questioned whether JPMorgan and other early-access recipients received an unfair advantage—a complaint likely to be raised with US Treasury officials in coming weeks.
Check Point’s chief technology officer Jonathan Zanger recently warned that Mythos represents the moment when AI-powered vulnerability discovery transitioned from theoretical threat to operational reality. Frontier models will now allow attackers to identify and exploit weaknesses at a scale, speed and sophistication that was, until recently, exclusively the domain of advanced nation-state actors. The convergence of two trends—the democratisation of sophisticated attack capabilities and the industrialisation of attack pipelines through agentic AI—creates what Zanger called “a dangerous outcome: more attackers executing more sophisticated attacks simultaneously.”
Lee’s assessment of where Capitec stands is sobering but pragmatic. The bank’s strategy, he emphasised, isn’t about reducing headcount through automation—it’s about empowering people. But on the cybersecurity front, the bank is taking no chances, combining work through third-party security providers with direct engagement with model developers themselves. “The nature of the battle has changed completely,” Lee said, capturing the gravity of the moment facing South African banks right now.
Standard Bank, when asked how confident it is that it can modernise and secure systems faster than attacker capabilities evolve, acknowledged both confidence and realism. The bank employs more than 350 dedicated security professionals and partners with leading global cybersecurity firms at the forefront of applying AI to cyber defence. Yet they’re also honest: the pace of change is accelerating, and keeping ahead requires sustained, heavy investment in both cybersecurity infrastructure and technology modernisation, coupled with rapid detection and response capabilities.
The South African Reserve Bank, when approached for comment on Mythos and broader security concerns, declined to elaborate beyond stating it is “monitoring developments related to Anthropic”. That silence speaks volumes about the regulatory uncertainty still surrounding how governments and central banks should respond to frontier AI capabilities deployed in the financial system.
For South African banks scrambling to understand what Mythos means for their defensive posture, the message is clear: the time to act isn’t somewhere in the future—it’s now. Whether through formal access programmes, partnerships with global security firms, or direct engagement with AI developers, local institutions must accelerate their understanding and deployment of defensive AI capabilities before the gap between their defences and attacker capabilities becomes irreversible.