
Continuous Operational Resilience in the Age of Frontier AI

19 June 2026

From the Office of the Chief Information Security Officer, Smartstream Technologies

Smartstream is evolving its security posture under DORA as AI reshapes the threat landscape

The threat landscape has changed

Earlier this year, Anthropic announced Project Glasswing, the trusted-organisation programme behind Claude Mythos, a frontier AI model demonstrated to autonomously discover previously unknown software vulnerabilities at a scale and pace not previously achievable. For the financial services sector, that capability cuts both ways: it accelerates legitimate security research, and it puts unprecedented pressure on the defender’s clock. Vulnerabilities once discoverable only through sustained human research can now be surfaced, and potentially weaponised, in hours rather than months.

That shift coincides with the Digital Operational Resilience Act (DORA) taking full effect across the European financial sector. DORA does not treat resilience as a project. It treats it as a continuous obligation across five interlocking pillars: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing. The standard of “good” rises with the threat landscape, and the threat landscape just changed.

Why “continuous” is the operative word

DORA’s drafters anticipated a world where threats evolve faster than annual audit cycles. The regime is deliberately built around continuous monitoring, continuous testing and continuous third-party oversight, not periodic certification. AI-augmented vulnerability discovery validates that design choice. A point-in-time assessment is obsolete by the time it is filed.

For Smartstream and our financial-services clients, the operative question is no longer “are we compliant?” but “are we compliant today, and can we prove it tomorrow?” Our security and engineering programmes are organised around answering yes to both.

The industry now has a name for what AI-driven discovery enables at scale: Vulnpocalypse, a flood of vulnerabilities arriving faster than traditional remediation cycles can absorb them. Smartstream is embracing a containment strategy as the deliberate answer to this scenario: where patching cannot outpace discovery, containment must. Resilience in this era is engineered into the architecture, not assumed from perimeter defence alone.

“Compliance is the floor. Containment is the bet. Resilience is the discipline.”

Our response: a strategy in place, executed continuously

Smartstream has a clear strategy for the Mythos-era threat landscape. Not every element is in full production today, and we are honest about that: execution is a continuous discipline, not a finish line. The direction is set, and the operating cadence is in place. Six principles anchor the strategy, each mapping to a DORA pillar:

  1. AI-augmented threat awareness. Our strategy integrates frontier AI capabilities, including large language model-based code analysis, into vulnerability discovery and into AI-based threat modelling. The deployment is underway and the intent is unambiguous: surface the contextual logic flaws and novel exploitation patterns that signature- and rule-based scanners do not detect, ahead of adversaries discovering them through the same techniques. This is “AI on AI”, the defensive answer to an adversary class that is now itself AI-powered.
  2. Continuous Threat Exposure Management. Our strategy moves beyond CVSS-only scoring to a composite risk model that combines intrinsic severity, real-world exploit prediction, exposure-chain context, identity exposure and asset criticality. The intent is to direct remediation effort first at the small subset of findings that are genuinely exploitable in our environment, not at the long tail of theoretically severe but practically unreachable issues.
  3. An AI Secure SDLC. Secure design review, code scanning and dependency analysis sit inside every product release cycle. AI-specific practices, including LLM-based code scanning on critical code, structured assessment of AI-generated code, AI-augmented threat modelling, and agent-based remediation with a human in the loop, are being established as permanent components of the development lifecycle, not periodic activities.
  4. Defence-in-depth with adaptive controls. Every control layer, from endpoint to cloud, ingests live threat intelligence and adapts at threat speed, not patch-cycle speed. Shadow AI visibility and Data Loss Prevention controls extend the same posture to generative AI usage and data-egress paths. A 24/7 managed security operations capability layers human oversight on automated containment. The working assumption is breach. The discipline is to contain it.
  5. Transparent disclosure and shared responsibility. DORA’s incident-reporting and information-sharing pillars require timely, structured communication with clients and regulators. Our commitment is unambiguous: where a vulnerability or incident materially affects the products and services we deliver, we disclose promptly, with affected-asset detail, an exploitability assessment and a committed remediation timeline. That commitment holds regardless of how the issue was discovered, including findings surfaced by AI-assisted research.
  6. Tested resilience – not assumed resilience. We exercise continuity, disaster recovery and incident response on a routine cadence, not certified once and shelved. Independent penetration testing, scenario-driven response drills and backup-restore validation give us, our clients and our regulators evidence that the controls described above behave as designed under pressure. Recovery objectives are defined, measured against, and reviewed.

The path forward

Two near-term execution milestones extend the strategy: VulnOps, a consolidated remediation pipeline that unifies findings across our scanning estate into a single risk-prioritised backlog with composite scoring that reflects exploit likelihood and real-world reachability alongside intrinsic severity, and agent-based patch generation with a human-in-the-loop that compresses time from discovery to fix. The North Star is unchanged: compliance is the floor, containment is the bet, resilience is the discipline. That is precisely what DORA’s framework and the Vulnpocalypse-era threat landscape demand.
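The composite risk model in principle 2 and the risk-prioritised VulnOps backlog above are illustrated here with an added, self-contained Python example; it is not Smartstream's code, and the factor weights, the field names and the three sample findings are assumptions constructed for the illustration, not values from the post.

```python
from dataclasses import dataclass

# Assumed weights (not from the post): how much exposure-chain context and
# identity exposure scale a finding relative to its intrinsic severity.
EXPOSURE_FACTOR = {"internet": 1.0, "partner": 0.8, "internal": 0.5, "isolated": 0.2}
IDENTITY_FACTOR = {"none": 0.6, "service": 0.8, "user": 0.9, "privileged": 1.0}
MIN_LIKELIHOOD = 0.05  # floor so an unexploited but reachable issue is still ranked


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float                 # intrinsic severity, CVSS base score 0-10
    exploit_probability: float  # EPSS-style probability of exploitation, 0-1
    exposure: str               # exposure-chain context, key of EXPOSURE_FACTOR
    identity: str               # identity exposure, key of IDENTITY_FACTOR
    criticality: int            # asset criticality, 1 (low) to 5 (crown jewel)


def composite_score(f: Finding) -> float:
    """Composite risk in [0, 100]: severity scaled by likelihood, reachability,
    identity blast radius and asset criticality (weights are assumptions)."""
    if not 0.0 <= f.cvss <= 10.0 or not 0.0 <= f.exploit_probability <= 1.0:
        raise ValueError(f"{f.finding_id}: cvss or exploit_probability out of range")
    if not 1 <= f.criticality <= 5:
        raise ValueError(f"{f.finding_id}: criticality must be 1..5")
    likelihood = max(f.exploit_probability, MIN_LIKELIHOOD)
    raw = ((f.cvss / 10.0) * likelihood * EXPOSURE_FACTOR[f.exposure]
           * IDENTITY_FACTOR[f.identity] * (f.criticality / 5.0))
    return round(100.0 * raw, 2)


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Single backlog ordered by composite score, highest risk first."""
    return sorted(findings, key=composite_score, reverse=True)


def remediate_first(findings: list[Finding], threshold: float = 10.0) -> list[str]:
    """IDs of the subset that is genuinely exploitable in this environment."""
    return [f.finding_id for f in prioritise(findings) if composite_score(f) >= threshold]


# Constructed sample findings: F1 is CVSS-critical but isolated and unexploited;
# F2 is CVSS-high but internet-reachable on a crown-jewel asset with privileges.
SAMPLE_FINDINGS = [
    Finding("F1", "dev-build-box", 9.8, 0.01, "isolated", "none", 1),
    Finding("F2", "payments-gateway", 7.5, 0.90, "internet", "privileged", 5),
    Finding("F3", "partner-api", 8.8, 0.30, "partner", "service", 4),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{f.finding_id} {f.asset:18} cvss={f.cvss:4} score={composite_score(f):6}")
```

Under these assumed weights the CVSS 9.8 finding on the isolated build box ranks last, which is the point of the model: CVSS alone would have put it first.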

Our commitment to clients

The financial sector’s collective security posture is only as strong as its weakest interconnection. Smartstream’s proactive investment in AI-aware security capabilities is not a competitive marketing point. It is our share of a shared obligation. We will continue to evolve our programme, communicate openly about material findings, and engage with industry information-sharing communities, where doing so strengthens the ecosystem we all rely on.

For our clients, the practical takeaway is this: the controls protecting your Smartstream-delivered services are designed to keep pace with the threats AI is now putting on the table. DORA is the floor of that commitment. The threat landscape is the ceiling. We intend to operate well above the floor.
