As Claude Mythos raises stakes, banks shift to continuous security model | The Financial Express

Clipped from: https://www.financialexpress.com/business/banking-finance/as-claude-mythos-raises-stakes-banks-shift-to-continuous-security-model/4226285/

As advanced AI models like Claude Mythos accelerate software vulnerability discovery, Indian banks are overhauling their cybersecurity architecture.

Defending Against ‘Claude Mythos’: Indian Banks Shift to Continuous AI Security for ‘Crown Jewel’ Systems

Indian banks are strengthening their AI governance and cybersecurity architecture as advanced models such as Claude Mythos spotlight how quickly software vulnerabilities can now be discovered and exploited.

“The capability itself isn’t entirely new — the difference lies in orchestration,” said a chief information security officer at a private sector bank. Institutions are recalibrating how resilience is measured, moving away from periodic compliance cycles toward continuous tracking of remediation effectiveness and exposure across critical assets.

At the operational level, banks have expanded AI-enabled security command centres that monitor traffic across digital channels round the clock. These systems map attack attempts by source, system and type, enabling faster isolation of affected environments and continuity through alternate routing.

Compliance Checkboxes

A senior risk officer at a private sector bank said AI-driven attack simulations have significantly reshaped preparedness strategies. Earlier, penetration testing and firewall navigation exercises required extensive manual effort. “Now, scenario-building is faster and more complex, pushing us to strengthen layered controls and containment planning,” he said. Banks are increasing the frequency of simulations to test how quickly compromised systems can be isolated without disrupting core operations.

Technology mapping has also become a priority. Banks are conducting detailed inventories of legacy systems, vendor integrations and embedded open-source components to reduce hidden exposures. Third-party oversight is tightening, particularly where fintech partnerships and outsourced services intersect with core banking infrastructure.

Industry advisers note that banks are increasingly using AI-led red-team exercises to test their digital surfaces. In one case, ethical hackers identified exposed third-party API keys on a bank’s website that could have led to billing or configuration risks. As open banking expands, cybersecurity expectations for non-bank payment players are also set to rise.

Abhinav Bansal, managing director and senior partner at BCG, said the key shift is in risk prioritisation and governance discipline. Banks are identifying “crown jewel” systems — critical databases, payment rails and customer-facing applications — and allocating resources accordingly. Organisations are also revisiting internal AI usage policies to ensure development tools and automation platforms do not create access vulnerabilities.

Segmentation and Layered Defense

Continuous vulnerability discovery tools are now being deployed across cloud environments and public APIs, replacing reliance on periodic reviews.

Bhavik Hathi, managing director and co-lead of the global transaction advisory group at Alvarez & Marsal, highlighted the interconnected nature of banking technology. Core systems operate alongside UPI platforms, underwriting engines and collections software — often across multiple generations of architecture. To mitigate risk, banks are reinforcing network segmentation and restricting lateral access, ensuring breaches in one layer do not cascade across systems.

Chandra Prakash Suryawanshi, managing director at Alvarez & Marsal, said models such as Claude Mythos reduce the effort required to test vulnerabilities but do not fundamentally alter the threat landscape. “The immediate risk areas remain internet-facing applications, remote admin interfaces, cloud consoles, public APIs, staging and test environments, and misconfigured cloud resources,” he said.

Vulnerability Assessment and Penetration Testing (VAPT) exercises are expanding, with red-team simulations incorporating more dynamic attack patterns. The focus is shifting from box-ticking compliance to demonstrable resilience.

Regulatory mandates from the RBI, SEBI and CERT-In have already strengthened cybersecurity across the financial ecosystem, with baseline controls, monitoring frameworks and incident response systems far more mature than a decade ago. However, periodic audits and scheduled patch cycles are proving inadequate in an AI-accelerated threat environment. The shift now is toward continuous threat evaluation, real-time vulnerability detection and faster remediation, supported by virtual patching and layered defences.

How are banks tightening security?

  • Expanding 24×7 AI-enabled security command centres
  • Running more frequent AI-driven attack simulations
  • Deploying continuous vulnerability discovery across cloud and public APIs
  • Conducting detailed mapping of legacy systems and vendor integrations
  • Ensuring breaches in one layer don’t cascade across the institution
