What is the story about?
For thousands of students waiting to challenge their CBSE examination results, the re-evaluation portal was supposed to be a gateway to answers. Instead, reports of cyberattacks on the platform turned the spotlight on a much larger issue of data security and cyber vulnerability. An inherent question is: what happens when critical public-facing websites come under attack?
At first glance, the incident appears to be another case of a public-facing website struggling under pressure. But cybersecurity experts say attacks on critical platforms are rarely just about downtime. They can expose weaknesses in infrastructure, data governance and incident response that persist long after services are restored.
The episode also arrives at a pivotal moment for India. As the country expands digital services across education, healthcare, banking and governance, organisations are handling unprecedented volumes of personal data. At the same time, a new generation of AI-powered cybersecurity tools is emerging, promising to identify vulnerabilities faster than human teams ever could.
The debate, experts say, is no longer simply about keeping websites online. It is about ensuring that the systems underpinning India's digital future remain resilient when attacks inevitably occur.
Malcolm Gomes, the chief operating officer at Privy by IDfy, said the attacks on the CBSE re-evaluation portal began almost immediately after the platform went live.
"The CBSE re-evaluation portal had been live for less than 24 hours when the first attack hit," Gomes said.
The platform reportedly received around 1.5 million hits within minutes of launch, followed by more than one lakh unauthorised attempts to access files. A separate manipulation of the payment gateway allegedly caused application fees displayed to students to fluctuate dramatically, ranging from Re 1 to as much as Rs 68,000.
The following day, the platform reportedly faced a denial-of-service attack involving nearly 3.8 million packets during peak traffic hours, when tens of thousands of students were attempting to access the system.
While such attacks often appear sudden, cybersecurity professionals say the conditions that enable them are usually established much earlier.
Government and educational portals frequently rely on a complex web of cloud infrastructure, third-party vendors, payment gateways, APIs and legacy systems. Every integration increases functionality, but it can also introduce new attack surfaces if security controls are not consistently maintained.
"A denial-of-service attack, for example, relies largely on volume rather than complexity," Gomes said.
Education platforms have become increasingly attractive targets for attackers because they combine high user traffic with valuable personal information. Examination boards and admissions systems often store names, addresses, academic records, payment details, identity documents and, in many cases, data relating to minors.
Unlike banks or large technology companies, educational institutions have historically had fewer cybersecurity resources, making them appealing targets for both opportunistic attackers and more sophisticated threat actors.
Once an attack occurs, organisations typically move into crisis-management mode. Services are restored, technical teams investigate the incident and forensic specialists attempt to determine how the attack occurred.
In the CBSE case, experts from IIT Madras, IIT Kanpur and the Digital Infrastructure Corporation of India were reportedly brought in to examine the incident.
But restoring a website is often only the beginning.
Cybersecurity investigations usually focus on three key questions: how attackers gained access, whether any data was exposed, and what needs to change to prevent a repeat incident.
"The data, however, remains," Gomes said.
That distinction matters because educational platforms increasingly hold information that carries long-term privacy implications. Academic records, Aadhaar-linked identities, parental information and financial transaction data can remain valuable to attackers long after a breach occurs.
Under India's Digital Personal Data Protection framework, children's data is subject to heightened safeguards. Experts say this means cyber incidents can no longer be viewed purely as technical failures. They are increasingly questions of governance, accountability and compliance.
India has faced similar concerns before. Government websites have been defaced through SQL injection attacks, recruitment databases have reportedly been targeted, and personal information linked to examination candidates has periodically surfaced online.
"The attack methods change. The underlying gap does not," Gomes said.
Manish Chachada, COO and co-founder at Cyble, said incidents like the one involving CBSE highlight a broader reality facing organisations today.
"In today's digital-first environment, any organisation, whether a government body or a private company, can become a target for cyberattacks," Chachada said.
According to him, attackers often exploit software vulnerabilities, weak security configurations, compromised credentials or use denial-of-service attacks to overwhelm infrastructure. Even when sensitive information is not stolen, such incidents can reveal weaknesses that require immediate attention.
"Even when attackers fail to gain access to sensitive information, such incidents often reveal areas that require stronger security measures and faster response mechanisms," Chachada said.
The conversation becomes even more complex with the rise of AI-powered cybersecurity systems.
Anthropic recently expanded Project Glasswing, a cybersecurity initiative built around its advanced Mythos AI model, to roughly 150 additional organisations across more than 15 countries, including India. The company says early participants have already used the technology to identify more than 10,000 high- or critical-severity software vulnerabilities.
For cybersecurity teams, the appeal is obvious. Vulnerability discovery has traditionally been labour-intensive, requiring analysts to manually review code, investigate suspicious behaviour and assess risks. AI systems can dramatically accelerate that process.
But experts caution that AI is not a magic solution.
"Artificial intelligence does not take sides. It amplifies the capabilities of whoever uses it first," Gomes said.
That warning reflects a growing concern across the cybersecurity industry. The same technologies that help defenders identify vulnerabilities and monitor threats can also help attackers automate reconnaissance, discover weaknesses and scale malicious campaigns more efficiently.
Researchers increasingly describe cybersecurity as an AI arms race, where both attackers and defenders have access to increasingly capable tools. The advantage often comes down to who identifies vulnerabilities first and how quickly organisations can respond.
"The question is not whether AI strengthens the wall. The question is whether organisations have built a wall worth strengthening," Gomes said.
He argues that cybersecurity and data governance are rapidly converging. Understanding what data exists within an organisation, where it came from, who can access it and how it is being used is becoming just as important as traditional security controls.
An AI system trained on poorly classified or poorly governed data, he warned, can itself become an expanded attack surface.
Chachada shares a similar view.
"Advanced AI models such as the latest from Anthropic have opened new doors for both malicious and legitimate use within the realm of cybersecurity," he said.
According to Chachada, AI can support real-time threat detection, predictive risk assessment, automated incident response and continuous monitoring. Yet the same capabilities can be exploited by threat actors to automate vulnerability discovery and accelerate increasingly sophisticated attacks.
"AI is not an inherent threat or solution, but rather serves as an amplifier of existing forces," Chachada said.
The lesson from the CBSE breach scare, experts argue, extends far beyond a single portal.
For students, the disruption may ultimately be remembered as a temporary inconvenience. For cybersecurity professionals, however, it serves as a reminder that as public services become increasingly digital, cyberattacks are no longer a question of if, but when.
The challenge facing institutions is therefore shifting from simply preventing breaches to building systems resilient enough to withstand them. In that environment, AI tools such as Mythos may become indispensable. But even the most advanced technology cannot compensate for weak governance, poor security practices or inadequate oversight.
The future of cybersecurity may be powered by AI. Whether it succeeds will depend on how well organisations prepare for that future today.
At first glance, the incident appears to be another case of a public-facing website struggling under pressure. But cybersecurity experts say attacks on critical platforms are rarely just about downtime. They can expose weaknesses in infrastructure, data governance and incident response that persist long after services are restored.
The episode also arrives at a pivotal moment for India. As the country expands digital services across education, healthcare, banking and governance, organisations are handling unprecedented volumes of personal data. At the same time, a new generation of AI-powered cybersecurity tools is emerging, promising to identify vulnerabilities faster than human teams ever could.
The debate, experts say, is no longer simply about keeping websites online. It is about ensuring that the systems underpinning India's digital future remain resilient when attacks inevitably occur.
When a portal becomes a target
Malcolm Gomes, the chief operating officer at Privy by IDfy, said the attacks on the CBSE re-evaluation portal began almost immediately after the platform went live.
"The CBSE re-evaluation portal had been live for less than 24 hours when the first attack hit," Gomes said.
The platform reportedly received around 1.5 million hits within minutes of launch, followed by more than one lakh unauthorised attempts to access files. A separate manipulation of the payment gateway allegedly caused application fees displayed to students to fluctuate dramatically, ranging from Re 1 to as much as Rs 68,000.
The following day, the platform reportedly faced a denial-of-service attack involving nearly 3.8 million packets during peak traffic hours, when tens of thousands of students were attempting to access the system.
While such attacks often appear sudden, cybersecurity professionals say the conditions that enable them are usually established much earlier.
Government and educational portals frequently rely on a complex web of cloud infrastructure, third-party vendors, payment gateways, APIs and legacy systems. Every integration increases functionality, but it can also introduce new attack surfaces if security controls are not consistently maintained.
"A denial-of-service attack, for example, relies largely on volume rather than complexity," Gomes said.
Education platforms have become increasingly attractive targets for attackers because they combine high user traffic with valuable personal information. Examination boards and admissions systems often store names, addresses, academic records, payment details, identity documents and, in many cases, data relating to minors.
Unlike banks or large technology companies, educational institutions have historically had fewer cybersecurity resources, making them appealing targets for both opportunistic attackers and more sophisticated threat actors.
The headlines fade, the consequences don't
Once an attack occurs, organisations typically move into crisis-management mode. Services are restored, technical teams investigate the incident and forensic specialists attempt to determine how the attack occurred.
In the CBSE case, experts from IIT Madras, IIT Kanpur and the Digital Infrastructure Corporation of India were reportedly brought in to examine the incident.
But restoring a website is often only the beginning.
Cybersecurity investigations usually focus on three key questions: how attackers gained access, whether any data was exposed, and what needs to change to prevent a repeat incident.
"The data, however, remains," Gomes said.
That distinction matters because educational platforms increasingly hold information that carries long-term privacy implications. Academic records, Aadhaar-linked identities, parental information and financial transaction data can remain valuable to attackers long after a breach occurs.
Under India's Digital Personal Data Protection framework, children's data is subject to heightened safeguards. Experts say this means cyber incidents can no longer be viewed purely as technical failures. They are increasingly questions of governance, accountability and compliance.
India has faced similar concerns before. Government websites have been defaced through SQL injection attacks, recruitment databases have reportedly been targeted, and personal information linked to examination candidates has periodically surfaced online.
"The attack methods change. The underlying gap does not," Gomes said.
Manish Chachada, COO and co-founder at Cyble, said incidents like the one involving CBSE highlight a broader reality facing organisations today.
"In today's digital-first environment, any organisation, whether a government body or a private company, can become a target for cyberattacks," Chachada said.
According to him, attackers often exploit software vulnerabilities, weak security configurations, compromised credentials or use denial-of-service attacks to overwhelm infrastructure. Even when sensitive information is not stolen, such incidents can reveal weaknesses that require immediate attention.
"Even when attackers fail to gain access to sensitive information, such incidents often reveal areas that require stronger security measures and faster response mechanisms," Chachada said.
Can Mythos AI strengthen the wall?
The conversation becomes even more complex with the rise of AI-powered cybersecurity systems.
Anthropic recently expanded Project Glasswing, a cybersecurity initiative built around its advanced Mythos AI model, to roughly 150 additional organisations across more than 15 countries, including India. The company says early participants have already used the technology to identify more than 10,000 high- or critical-severity software vulnerabilities.
For cybersecurity teams, the appeal is obvious. Vulnerability discovery has traditionally been labour-intensive, requiring analysts to manually review code, investigate suspicious behaviour and assess risks. AI systems can dramatically accelerate that process.
But experts caution that AI is not a magic solution.
"Artificial intelligence does not take sides. It amplifies the capabilities of whoever uses it first," Gomes said.
That warning reflects a growing concern across the cybersecurity industry. The same technologies that help defenders identify vulnerabilities and monitor threats can also help attackers automate reconnaissance, discover weaknesses and scale malicious campaigns more efficiently.
Researchers increasingly describe cybersecurity as an AI arms race, where both attackers and defenders have access to increasingly capable tools. The advantage often comes down to who identifies vulnerabilities first and how quickly organisations can respond.
"The question is not whether AI strengthens the wall. The question is whether organisations have built a wall worth strengthening," Gomes said.
He argues that cybersecurity and data governance are rapidly converging. Understanding what data exists within an organisation, where it came from, who can access it and how it is being used is becoming just as important as traditional security controls.
An AI system trained on poorly classified or poorly governed data, he warned, can itself become an expanded attack surface.
Chachada shares a similar view.
"Advanced AI models such as the latest from Anthropic have opened new doors for both malicious and legitimate use within the realm of cybersecurity," he said.
According to Chachada, AI can support real-time threat detection, predictive risk assessment, automated incident response and continuous monitoring. Yet the same capabilities can be exploited by threat actors to automate vulnerability discovery and accelerate increasingly sophisticated attacks.
"AI is not an inherent threat or solution, but rather serves as an amplifier of existing forces," Chachada said.
The lesson from the CBSE breach scare, experts argue, extends far beyond a single portal.
For students, the disruption may ultimately be remembered as a temporary inconvenience. For cybersecurity professionals, however, it serves as a reminder that as public services become increasingly digital, cyberattacks are no longer a question of if, but when.
The challenge facing institutions is therefore shifting from simply preventing breaches to building systems resilient enough to withstand them. In that environment, AI tools such as Mythos may become indispensable. But even the most advanced technology cannot compensate for weak governance, poor security practices or inadequate oversight.
The future of cybersecurity may be powered by AI. Whether it succeeds will depend on how well organisations prepare for that future today.
