r/mainframe

Unpopular Opinion: Banks Should Stop Panicking About AI Hacking Their COBOL and Start Asking Why Their "Modern" Systems Are the Actual Problem r/cybersecurity | r/programming | r/sysadmin


So there's been a lot of noise lately about Anthropic's Claude Mythos model being able to "read COBOL" and hack bank mainframes. Headlines are screaming. Bank CEOs are in emergency meetings. Cybersecurity vendors are rubbing their hands together.

I want to push back on basically all of it — because I think the entire conversation is technically confused, and the industry is about to spend billions fixing the wrong thing. Again.

Let's Start With the "AI Can Read COBOL and Hack Banks" Claim

Here's the thing nobody seems to be saying out loud: COBOL isn't exposed to the outside world.

Bank mainframes run compiled object code on z/OS. There's no scenario where an attacker reaches in from the internet, pulls out COBOL source, and "compromises" it. The source isn't sitting there. The attack surface isn't the language — it's the interfaces sitting in front of the COBOL.

So when the media says "Mythos can read COBOL and figure out how to compromise it" — that's not really how any of this works. What Mythos can actually do is:

- Analyse publicly available COBOL modules and documentation
- Read API specs, SWIFT/ACH protocol documentation, and infer what the underlying logic does
- Perform smarter black-box fuzzing against exposed interfaces
- Map inter-system dependencies to find cascade failure points

The attack isn't reading the binary. It's reasoning about what the system does based on observable behaviour and public information, then crafting inputs that exploit logical flaws. That's a real threat — but it's a threat to the middleware and API layer, not to COBOL itself.

Okay So If the Code Isn't the Problem, Why Is Everyone Trying to Fix the Code?

Great question. Here's why:

- Auditors and regulators think in terms of code review. PCI-DSS pushes toward source-level audit. That's the framework, so that's what gets measured.
- Vendors selling COBOL modernization tools have a very obvious financial interest in framing the problem as "fix or replace the COBOL." Funny how that works.
- Executives can see a migration roadmap in a board presentation. "We hardened the perimeter architecture" is harder to put a number on.
- Liability optics — after a breach, "we reviewed and patched the code" looks better in an incident report than "we improved our network segmentation."

But here's the uncomfortable truth: you could rewrite every line of COBOL in modern Go or Java tomorrow, and if the architecture isn't fixed, the same vulnerabilities exist. A settlement timing gap between a mainframe batch job and a real-time API gateway is a design problem, not a language problem.

Has a Mainframe Actually Ever Been Directly Hacked?

Barely. And the pattern in every confirmed case is identical.

Equifax 2017 — 147 million Americans' data stolen. Entry point: an unpatched Apache Struts vulnerability in a consumer web app. Attackers then moved laterally through shared identity stores until they reached mainframe-integrated systems. The mainframe wasn't the door. It was the destination.

JPMorgan Chase 2014 — 76 million households exposed. Same story: external system compromised first, lateral movement from there.

Logica/Nordea Sweden 2012 — The most technically interesting case. A hacker actually did get shell access to an IBM z/OS mainframe. How? By compromising another server first, then hopping machine to machine through shared network segments until reaching the mainframe. It remains one of the only confirmed direct mainframe breaches ever documented.

The pattern is clear: nobody kicks down the mainframe's front door because it doesn't have one. They find a window in the house next door and walk through the connecting corridor.

So Here's The Unpopular Part

If security were the primary criterion for infrastructure investment decisions — which it arguably should be for banks — mainframes would be winning every conversation.

Think about what mainframes actually get right:

- Pervasive encryption at rest and in transit — by default, not bolted on later
- RACF: granular access control baked into the OS at the hardware level
- Dedicated crypto silicon — not software crypto, actual hardware
- No lateral movement possible within the mainframe itself
- Every transaction logged with zero gaps, by design

Now think about what "modern" cloud-native distributed systems get wrong:

- Every microservice is an attack surface
- Every API endpoint is a door
- Every third-party npm package is a potential supply chain attack (hi, Log4Shell)
- Kubernetes misconfigurations expose production data routinely
- The complexity that makes modern systems "flexible" is exactly what makes them a nightmare to secure

The industry spent 20 years running away from mainframes toward microservices, cloud-native, and distributed architectures — in the name of modernisation. Meanwhile cloud breaches happen daily, and the average cost of a cloud breach in 2024 exceeded $4.8 million.

The mainframe quietly processes $10 trillion in transactions daily. With almost zero confirmed direct breach incidents in its entire history.

Why Doesn't Anyone Say This Out Loud?

Because there's a trillion-dollar cloud industry whose entire narrative depends on "legacy bad, cloud good."

Because mainframe skills are scarce and expensive — it's easier to sell "rewrite in React" than train z/OS engineers.

Because "legacy" is a pejorative that drives decisions more than actual threat modelling does.

The smartest banks actually run both — mainframe as the trusted, hardened core for transactions and records, with modern systems strictly at the presentation layer, tightly isolated. The ones that got breached are the ones that let those two worlds bleed into each other without proper controls.

TL;DR

- Mythos can't "hack COBOL" directly — COBOL isn't exposed
- Every real mainframe-adjacent breach came through modern systems, not the mainframe
- Fixing COBOL code addresses the wrong problem — the architecture around it is the risk
- Mainframes are arguably the most secure production infrastructure ever built
- The industry is about to spend billions on the wrong fix because vendors, regulators, and executives are all incentivised toward the wrong answer

The fancy new systems are the vulnerability. The 50-year-old mainframe is quietly doing its job.

Curious if anyone in the r/sysadmin or r/mainframe community has actually worked on z/OS security and wants to weigh in. Am I missing something here, or is this as backwards as it looks from the outside?

Tags: #mainframe #cybersecurity #COBOL #zOS #banking #infosec #IBM #cloudcomputing #techdebt

reddit.com
u/Neither_Outside_4872 — 9 hours ago

Need advice

I'm a fresher and 2025 grad, and I got an offer letter from Accenture.

And the stream training is on mainframe.

Is it a good stream?

Should I continue or not?

Is there a good career in the future?

u/Wild-Variety-1583 — 15 hours ago

How can I do an SMP/E JCL maintenance inquiry if I only know the product name?

Last week at work, I was introduced to how the IMS guys here inquire about any possible existing maintenance (PTF, APAR, ...) for installed software. I have no documentation. I searched the internet for references and found some.

What the guys are doing is not what I would have imagined. They do a Receive JCL toward IBM using a PTF ID, zone ID and/or FMID they already know is needed for a specific product name. They had queried IBM's site to find that out. And they browsed some CSI file to find out the rest of the info.

However, I want to know how to do an SMP/E JCL inquiry about any possible maintenance if the only thing you know is the product name.

There is no single CSI file. There are tons of CSI files arranged per product. So unless you know which CSI file is used for any maintenance of any specific product name, you are screwed. That is why I thought of inquiring only with the product name, but I cannot find the proper information/documentation on how to do this.

The only JCL I have is the one the guys were using, which is set up to do a Receive, using a specific CSI library and instream data to have IBM send us the package.

What they are doing is similar to reverse engineering, but I want to do it the proper way: tell me if there is any kind of maintenance to do on any specific product, and then from there I can start <guessing> which CSI library it is related to, THEN do a Receive.

P.S.: I once tried to manually consult some of their Web tools, like the maintenance matrix on IBM's site, but wound up on an out-of-date matrix for one piece of software. Also, their PTF finder using product name was not even recognizing the product names I was giving it.

u/Browser-ice — 2 days ago

NAT3009 Error (Last transaction backed out) on a 4.5-hour Adabas extraction batch job

Hi everyone,

I'm running into a persistent NAT3009 error (Last transaction backed out) in a Natural batch program running under z/OS.

(Note: I am quite new to this environment and English is not my native language, so I am using a translator to write this post. I appreciate your patience!)

Context of the Job:

- What it does: The program extracts data from an Adabas database and writes it into sequential Workfiles.
- Execution time: It runs for approximately 4.5 hours before failing.

What I've already tried:

1. JCL Level: I suspected a z/OS timeout, so I tried setting MAXCL=0 because a Sr. Dev told me to try that, but the job still terminates with the same error after 4.5 hours.
2. Code Level: I tried adding an END TRANSACTION (ET) logic inside the processing loop every 1,000 records, but the NAT3009 error still occurs.

The Issue:

Since neither MAXCL=0 nor the periodic ET solved the problem, I suspect this might be related to Adabas limits being exceeded before the program can even commit, or maybe a massive FIND statement is overloading the Hold Queue right at the start.

My Questions:

1. What Adabas/Natural parameters should I ask our DBA to check?
2. Since this is a pure data extraction to Workfiles, what is the best practice to avoid opening a transaction logic at all? Is there a specific way to force a read-only mode that doesn't put records in the Hold Queue?

Any insights, troubleshooting tips, or best practices would be highly appreciated.

Thanks in advance for your help!

u/Middle_Design_316 — 3 days ago

IOPCB Pointer IMS

PSBGEN LANG=PLI,PSBNAME=TESTTRAN,CMPAT=YES

END

For an online IMS transaction, if my PSB looks like above, will the IMS pass the IOPCB pointer to my procedure automatically? It’s a very minimal skeleton PLI program just for testing, however it keeps crashing with S0C4.

TESTTRAN: PROC(IOPCB_PTR) OPTIONS(MAIN);

DCL IOPCB_PTR ALIGNED POINTER;

u/zimcoastal — 5 days ago

Mainframe Career Growth Advice Needed | Continue in Mainframe or Switch to Cloud/DevOps?


Hi everyone,

I’m currently working in Mainframe technology with 2+ years of experience, mainly on JCL, COBOL, DB2, VSAM, and other related mainframe tools. Along with this, I also have good knowledge of AWS services and basic DevOps tools and concepts.

Recently, I’ve been thinking a lot about career growth and future opportunities. I would like to hear honest suggestions from experienced people in the industry.

Is continuing in Mainframe a good long-term career option in today’s market?

Or would it be better to switch towards Cloud/DevOps or another modern technology stack while I still have time?

Would really appreciate guidance from people who have faced similar situations or transitioned from Mainframe to other technologies.

Thanks in advance!

u/Witty-Improvement773 — 7 days ago

Built a COBOL lexical analyzer as a CS student — would love 2 mins of feedback from someone who actually knows COBOL

Hey r/mainframe,

CS student here. Just finished a Theory of Programming Languages project where I built a lexical analyzer for a hybrid language called PyCOBOL — it combines COBOL's structure (DIVISIONS, SECTIONS, PIC clauses, COBOL keywords) with Python's control flow syntax.

My professor was impressed but said "go get a review from a real COBOL developer" — which honestly felt impossible since I'm a student in Pakistan with zero industry connections lol.

The lexer recognizes:

- All 4 COBOL DIVISIONS and major SECTIONS
- PIC clauses with format validation
- COBOL keywords (DISPLAY, MOVE, COMPUTE, STOP RUN etc.)
- Python keywords simultaneously (hybrid design)
- Lexical errors (unclosed strings, invalid PIC chars, unknown characters)
- Builds a symbol table with scope tracking

It's definitely a prototype and not anywhere near real COBOL standards — I know we're missing column rules, COPY statements, REDEFINES and a lot more. But the question for someone experienced is basically:

"Does this make sense as a lexical approach? What's the most wrong thing about how we modeled COBOL tokens?"

Even one sentence from someone who's actually touched a mainframe would genuinely help. Happy to share the GitHub link or a quick demo video.

Thanks for reading 🙏

u/Known_Vanilla_9071 — 6 days ago

Mainframe vs AI - What should we do?

With AI picking up fast, even mainframe roles don’t feel as “safe” as they used to.

Curious—what can we do to stay relevant and not get easily replaced?

Are we upskilling, moving to cloud, or doubling down on core tech like CICS and REXX?

u/Careful_Affect4622 — 9 days ago

Grateful!! 23 years back when I started in mainframe they said this tech won't be around after 5 years

23 years back, when I started in mainframe at my first job, a lot of my friends said mainframe is dying and won't be around after 5 years. Most of those friends who were in Java, .NET, etc. lost their jobs multiple times and had to hunt for other jobs multiple times in their careers. But luckily I was able to switch jobs on my own terms, and my job was pretty much stable throughout these 23 years. Even now I get tons of emails on new job opportunities in mainframe. I got opportunities to work as a manager and in QA, but I keep coming back to work as a developer, as that is what gives me the most joy.

Looking back, I think it was a good decision to stay put. Eager to know what your story is. Only gripe about mainframe is that I haven't seen many jobs that offer over $150,000 in mainframe, whereas in Java and .NET it's quite common to get above $200,000 for experienced developers.

u/tinkerjreddit — 10 days ago

Gartner says mainframe can be cheaper than Broadcom VMware licensing - here's what the business case leaves out

Gartner VP Analyst Alessandro Galimberti told The Register that some VMware users running 500-700 Linux VMs are finding IBM mainframe cheaper than Broadcom's Cloud Foundation stack. The TCO math can work: HA, DR, and data synchronization are built into the platform.

But the business case only covers hardware and software costs.

It doesn't cover operational costs. And on mainframe, the operational costs are almost entirely human.

VMware administrators who move arrive without RACF knowledge, JCL knowledge, ISPF muscle memory, or any understanding of why the change management process asks for a business owner at 3:47 AM.

Three things every organization needs before they migrate, and the container question nobody is asking yet.

Happy to answer questions from anyone considering the move.

u/zedkarma1 — 8 days ago

Terminator - Los Angeles 2029

COBOL - I’ll be back!

u/Dkattu — 9 days ago

Anyone Know of Ops Staff Supporting IBM z/OS and Unisys Platforms?

We run an environment with both Unisys and IBM z/OS platforms. I have ONE person who is cross-training from the IBM side into the Unisys side to help with Ops and data interchange (MQ and MFT). If I were to need to replace this person up here in Washington state, how hard do you think it would be to find someone to do that?

u/Lucca4me — 8 days ago

Is Charlotte, NC an "ideal" physical location for mainframe jobs?

This isn't a post rooted in an actual job search, I'm a mobile developer who has worked in banking for quite some time. I'm researching this particular field because it's interesting and appears to reward technologists who enjoy data work and an aptitude for firefighting lol.

Mainframe work seems concentrated within banking, and Charlotte is a good location for banking. Is there a concentration of work in Charlotte? (Not asking anyone to submit their own physical locations, just asking the crowd of professionals if that city has a reputation for being a good place for mainframe careers). Thanks.

u/According_Jeweler404 — 8 days ago

Certificates in JDBC client connection into a DB2 server

In my experience, mostly from Windows, a CA-issued certificate usually has 3 elements: leaf, intermediate, and root. (I know, there is also a private key element.)

I am currently dealing with a Linux JDBC client connection into a mainframe z/OS DB2 port using AT-TLS (CDC), and the thing I am having difficulty confirming is which of the 3 elements of the certificate need to be in the JDBC client trust store.

AI is, as always, confidently saying that the mainframe only presents the leaf, and therefore the trust store on the client side needs to contain the intermediate and root certificates.

This is important when we later need to renew the certificate, because it means that if the intermediate and root certificates don't change, the client trust store doesn't need to be updated, and the server can freely switch to the new certificate.

But I cannot find confirmation that this is how it is supposed to be done; can anyone help me find a source?

More details: IBM CDC replication engine uses source and target concepts where there are plenty of descriptions of certificate requirements; however, this isn't about encryption between IBM CDC source and target agents, it is about the source agent connection to the source database, which in this case is a z/OS DB2 database.

ibm cdc replication engine db2 zos remote source (linux)

u/Nekuiko — 9 days ago
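
The trust-store question in the post above, worked through with OpenSSL as an added example (not from the poster, IBM or the CDC documentation): it builds a constructed root, intermediate and leaf chain and runs X.509 path validation under different trust-store contents, including a renewed leaf. File names and the host name `db2.example.test` are made up, `openssl verify` stands in for the Java client's path validation, and what the z/OS side actually sends in the handshake is not modelled.

```shell
#!/bin/sh
# Constructed throwaway PKI: root CA -> intermediate CA -> server leaf.
# All names are made up; nothing here comes from a real z/OS keyring.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
trap 'rm -rf "$WORK"' EXIT

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# new_csr NAME CN: fresh key pair plus certificate signing request.
new_csr() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
# sign NAME ISSUER EXT: ISSUER signs NAME.csr into NAME.pem.
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -extfile pki.cnf -extensions "$3" -days 30 \
    -out "$1.pem" 2>/dev/null
}
# client_accepts ARGS: true when X.509 path validation succeeds.
# -CAfile = client trust store, -untrusted = certs sent in the handshake.
client_accepts() {
  openssl verify "$@" 2>/dev/null | grep -q ': OK$'
}
report() {
  label=$1; shift
  if client_accepts "$@"; then echo "accepted: $label"
  else echo "rejected: $label"; fi
}

openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 \
  -nodes -keyout root.key -out root.pem -days 30 \
  -subj "/CN=Constructed Root CA" 2>/dev/null
new_csr int "Constructed Intermediate CA"; sign int root v3_ca
new_csr leaf1 db2.example.test; sign leaf1 int v3_leaf  # current cert
new_csr leaf2 db2.example.test; sign leaf2 int v3_leaf  # renewal, new key
cat root.pem int.pem > chain.pem

report "store=root, server sends leaf+intermediate" -CAfile root.pem -untrusted int.pem leaf1.pem
report "store=root, server sends leaf only" -CAfile root.pem leaf1.pem
report "store=root+intermediate, leaf only" -CAfile chain.pem leaf1.pem
report "store=root+intermediate, renewed leaf" -CAfile chain.pem leaf2.pem
report "store=old leaf only, renewed leaf" -CAfile leaf1.pem leaf2.pem
```
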

Discord servers especially for Hercules390 emulator?

Hey, do you know any Discord servers for the Hercules390 emulator or mainframe users? I found System Z Enthusiasts, but the invite link is expired 😞

u/OSH1980 — 13 days ago