Within the underbelly of critical infrastructures, a new reality crystallises: software vulnerabilities, once the slow prey of skilled hackers over weeks, are now identified, weaponised, and deployed at machine speed. This is no hypothetical future... it is the present, inaugurated by Claude Mythos, Anthropic's frontier AI model, whose autonomous cybersecurity capabilities represent not an incremental shift but a structural rupture in how digital security is understood, defended and threatened. For a nation racing to digitise public services, expand its startup ecosystem, and secure strategic infrastructure, the implications demand more than technical attention -- they require a recalibration of policy, preparedness, and public discourse.Why
Mythos Changes EverythingMythos is distinct not merely for writing code or parsing documentation, but for its ability to autonomously chain low-severity flaws into high-impact attacks, achieving a 72 per cent success rate against audited systems like Firefox's JavaScript engine. Contrast this with its predecessor, Opus 4.6, which managed only two successful exploits in the same environment. This is not simply doing tasks faster; it is the removal of the human bottleneck, transforming a specialised craft into an automated industrial process.
For Indian enterprises relying on legacy or open-source software -- the very marrow of our digital public infrastructure -- the assumption that 'security through obscurity' or complexity offers protection has dissolved. AI cuts through that haze at machine speed, and the adversary is no longer just a nation-state; it could be a well-resourced criminal group or a lone actor with an open-weight model.Most unsettlingly, Anthropic's evaluation reveals Mythos identified a 27-year-old integer overflow in OpenBSD and a 16-year-old bug in FFmpeg -- flaws that survived decades of expert scrutiny and automated fuzzing. If AI can surface vulnerabilities persisting through years of human review in hardened codebases, the notion of 'secure by default' must evolve.
Why India Cannot Ignore The Mythos WarningFor India, where government portals, banking interfaces, and critical infrastructure run on software stacks not comprehensively audited in years, this is no abstract concern. It suggests that proactive, AI-assisted scanning of all shipped software must become routine, not exceptional. The Centre's push for a National Cyber Security Strategy gains urgency as the window between discovery and exploitation collapses from an average of 63 days in 2016 to potentially hours today.
Crucially, these offensive capabilities were not the result of explicit adversarial training. Anthropic states they emerged as downstream consequences of general improvements in code understanding, reasoning, and autonomy. This matters profoundly; similar capabilities will likely appear in any sufficiently scaled model, regardless of vendor safety policies or ethical guidelines. The diffusion curve is accelerating: the time between a frontier model's release and comparable open-weight alternatives has shrunk from 16 months during the GPT-4 era to approximately 61 days today.
Govt Warns Indian Firms And MSMEs To Stay Alert As Mythos AI Cyber Risk Grows
What begins as a restricted, aligned capability in Anthropic's Project Glasswing can appear in less-governed contexts within months. For Indian policymakers, this compresses the timeline for defensive adaptation and raises difficult questions about regulating capabilities that are inherently dual-use and rapidly replicable.The risk is not confined to external threats. Approved or shadow AI agents running inside enterprise perimeters -- with access to filesystems, networks, and credentials -- represent a novel internal attack surface traditional tools cannot monitor. An autonomous agent pursuing a legitimate task, like debugging code or optimising database queries, could inadvertently exfiltrate data, pivot laterally, or escalate privileges using authorized access. Research cataloguing over 1,77,000 MCP tools shows routine agent integration across production APIs and code execution environments in Indian tech firms. Anthropic documented Mythos attempting memory extraction after a minimal user nudge, illustrating how easily well-intentioned deployment crosses into unintended behaviour.
This demands a rethinking of enterprise security architecture: sandbox isolation, network egress filtering, and credential proxying for AI agents must move from optional best practice to mandatory control.Yet, framing this solely as threat would miss the defensive opportunity. The same capabilities enabling offensive exploitation can be harnessed for vulnerability discovery and patch verification -- if organisations integrate AI scanning into their software development lifecycle before adversaries do. There is a narrow, critical window where defenders with early access to Mythos-class tools can harden systems ahead of the open-weight diffusion curve. Project Glasswing partners, including select global software vendors, receive early access precisely to 'help secure the world's most critical software'.
Why India Must Prepare For AI Cyber ThreatsFor India's burgeoning cybersecurity startup ecosystem and public-sector digital agencies, this is a strategic choice: wait for threats to materialise and react, or proactively embed AI-assisted security auditing into the fabric of software development and infrastructure management. The latter path demands investment, yes, but also a cultural shift -- from viewing security as a compliance checkbox to treating it as a continuous, intelligence-driven practice.What complicates this calculus is that standard cybersecurity benchmarks are no longer adequate measures of capability. Mythos scored 100 per cent on Cybench, covering binary exploitation, reverse engineering and web exploitation, effectively saturating the benchmark. When objective metrics lose discriminatory power, the field shifts toward harder, less replayable real-world tasks. For Indian security leaders, benchmark scores from vendor brochures should be treated with skepticism. Empirical testing against one's own codebases and infrastructure -- red-teaming with AI-assisted tools-- becomes a more reliable gauge of resilience. It also underscores the importance of threat intelligence sharing: when vulnerabilities are discovered at machine speed, collective defense through coordinated disclosure and patching gains new strategic value.Ultimately, the greatest organisational risk may not be the AI model itself, but inconsistent security hygiene. While Mythos captures headlines, the most exploitable weaknesses in Indian enterprises remain stale credentials, unpatched systems, fragmented telemetry, and poor asset visibility. AI amplifies existing vulnerabilities; it does not create fundamentally new attack surfaces. Strengthening these fundamentals yields disproportionate defensive ROI. Before investing in AI-specific defenses, a sober audit of foundational controls -- multi-factor authentication, least-privilege access, continuous monitoring -- remains the highest-leverage action against AI-accelerated threats. This is not glamorous work, but it is the bedrock upon which any advanced capability must rest.As India navigates its digital transformation, the question is not whether AI-powered cybersecurity tools will reshape the threat landscape—they already have. The question is whether our institutions, enterprises, and policy frameworks can adapt with equal speed and sophistication.
The Race Between AI Attack And DefenseThe race is no longer between human attackers and human defenders; it is between AI-accelerated offense and AI-enabled defense. What hangs in the balance is not merely the security of individual systems, but the trust underpinning India's digital public infrastructure, the competitiveness of its technology sector, and the resilience of its critical services in an era where the next vulnerability may be discovered not by a researcher in a lab, but by an autonomous agent running at 3 a.m. on a server halfway across the world. The time to prepare is not when the breach is announced; it is now, while the window for proactive action remains open, however narrowly.
Brijesh Singh is one of the most senior cyber experts in India, an IPS officer and an author (@brijeshbsingh on X). His latest book on ancient India, “The Cloud Chariot” (Penguin) is out on stands. Views are personal.
/images/ppid_a911dc6a-image-177812257725985189.webp)
/images/ppid_a911dc6a-image-177789502967347732.webp)
/images/ppid_59c68470-image-177796260417725239.webp)
/images/ppid_59c68470-image-177796527830935999.webp)
/images/ppid_59c68470-image-177800756344354108.webp)
/images/ppid_59c68470-image-177796756574666721.webp)
/images/ppid_a911dc6a-image-177806653053027309.webp)
