I was on ABC News recently discussing why banks are on alert as new AI systems like Anthropic’s Claude Mythos raise cybersecurity concerns.
What struck me most is how quickly the conversation has shifted. This is no longer a hypothetical risk or something we are planning for in the future. Financial institutions and regulators are reacting in real time to what AI is already capable of doing.
From my perspective, we are still underestimating how fast this is moving.
AI is not just making attackers more efficient. Systems like Claude Mythos represent a step change in how cyberattacks can be developed, scaled, and executed. Capabilities that once required highly skilled operators can now be assisted or accelerated by AI. In some cases, they can be generated entirely.
That changes the equation.
It increases the number of potential attackers, reduces the effort required to launch sophisticated campaigns, and compresses the time between discovering a vulnerability and exploiting it.
But what concerns me even more is not just the rise of AI-powered cyber threats, it’s where those threats are actually operating.
Most organizations are still defending their infrastructure as if that is where the primary risk lives. They are investing heavily in network security, endpoint protection, and backend monitoring. Those layers are important, but they are not where many modern attacks are happening anymore.
Today, a significant portion of risk exists inside the browser and mobile applications, at the digital experience layer where users interact directly with a company’s website or app. That is where sensitive data is entered. That is where scripts execute. That is where behavior can be manipulated in real time.
And for many organizations, it remains largely invisible.
Modern web and mobile environments are incredibly dynamic. They rely on a mix of first-party code and a growing number of third-party technologies, including analytics tools, tag managers, and external scripts. These components are constantly changing, often without full visibility or control from the organization itself.
Even in a well-managed environment, this creates complexity.
In a compromised environment, it creates opportunity.
This is not a new issue, but AI systems like Anthropic’s Claude Mythos amplify it in ways that are difficult to ignore. Instead of manually probing for weaknesses, attackers can now continuously test for vulnerabilities, refine their approach, and focus on high-value user flows like authentication and payment pages. They can adapt in real time and operate at a scale that was not previously possible.
What was once a blind spot is now an increasingly attractive attack surface.
This is one of the reasons banks are paying such close attention. Financial institutions operate complex digital ecosystems with high-value data and strict regulatory requirements. When AI-driven cybersecurity threats intersect with that environment, the potential impact is significant.
The response we are seeing from the financial sector is not overreaction. It is recognition.Recognition that the threat model has changed.
One of the points I emphasized in the interview is something I continue to see across industries: You cannot secure what you cannot see.
If you do not have visibility into what is happening inside the browser or mobile application at runtime, you are relying on assumptions. You are assuming scripts behave as expected. You are assuming data is handled correctly. You are assuming nothing has changed between tests or audits.
Those assumptions are becoming increasingly risky in a world shaped by AI.
Traditional approaches to cybersecurity and compliance were built around periodic validation. Scan the environment, run an audit, and generate a report. That model no longer reflects how applications behave or how attackers operate.
AI accelerates everything. Attacks are continuous. Adaptation is continuous. Exploitation is continuous. Security needs to be as well.
That means moving toward continuous visibility, continuous monitoring, and continuous validation of what is actually happening in production. Not what should be happening, but what is happening.
We are at the beginning of this shift, not the end.
There will be more AI systems beyond Mythos. They will become more capable, more accessible, and more integrated into both offensive and defensive workflows. The pace of change will not slow down.
Organizations that adapt will rethink where they focus their defenses. They will prioritize the digital experience layer, close critical visibility gaps, and treat real-time validation as a core requirement. Those that do not will find themselves reacting to threats they never saw.
AI is not introducing entirely new categories of cybersecurity risk, it’s exposing and accelerating the ones that have been there all along.
The question is not whether AI will be used in cyberattacks. It already is.
The real question is whether your organization is prepared for what that actually means.
I encourage you to check out my recent interview on ABC News and to request a demo to have a conversation with the Feroot team.
