New Delhi, May 15 -- Anthropic's announcement of Claude Mythos's capabilities in its preview grabbed the attention of the cybersecurity industry worldwide. Not only did it identify over 2,000 previously unknown software vulnerabilities in seven weeks, but it also found flaws that had survived decades of human security review. The numbers spoke for themselves. Working exploits on the first attempt in over 83% of cases. Successful takeover of a simulated corporate network. Non-experts producing remote-code-execution exploits overnight.
The reaction across Indian boardrooms has been a mixture of alarm and confusion. The question facing all CISOs and CEOs, especially in the BFSI sector, is: Are we safe? The honest answer, for most organisations, is: We don't yet know, and that is a problem that needs immediate solving.
Why the fear is rational, but the panic is not
The launch of Claude Mythos has triggered an unusually strong response from Indian regulators. SEBI's May 5 advisory specifically named the model and led to the creation of the 'cyber-suraksha.ai' task force, a clear sign that the rules of cybersecurity are changing. Coordinated reviews by CERT-In, the Finance Ministry and MeitY reflect how seriously the system views this shift.
However, what is needed is building resilience. The truth is: Even before Mythos, most Indian enterprises were not patching fast enough, ran security operations centres that ignored low-priority alerts, and depended on third-party software whose own vendors had never been required to disclose vulnerabilities proactively. Mythos did not create these gaps. It will simply exploit them faster than any adversary in history.
Solving the access asymmetry
There is a question that India is not asking loud enough. Anthropic's Project Glasswing, the restricted group that gets defensive access to Mythos-class capabilities, currently includes no Indian company, bank, or regulator. Indian companies are expected to defend themselves against threats powered by systems they cannot themselves access or test. India, which powers the world's largest real-time payments ecosystem through UPI and powers critical financial operations globally, cannot afford to remain dependent on security capabilities controlled entirely outside its borders.
A Mythos-ready India: Four moves that cannot wait
India now needs to build a strong national AI cyber-resilience framework. 1. Sovereign Access - It is time for government, regulators and industry to collectively negotiate Indian participation in frontier AI defensive programmes. In parallel, we must accelerate domestic development of AI-led vulnerability discovery and autonomous mitigation capabilities. 2. OEM accountability - The major vulnerabilities identified by Mythos were in third-party software stacks, not in the banks running them. Hence, regulators should mandate that critical software vendors operating in India run Mythos-equivalent testing on their own products and submit independently validated findings. 3. AI-augmented defence as the new baseline - It is time for continuous vulnerability assessment using AI tools, SOAR-integrated SOCs running 24x7 with automated containment, Zero Trust Network Access enforced ruthlessly, and behavioural analytics to move from CISO wish-list to board-mandated baseline within this financial year. 4. Sectoral cyber drills at Y2K scale - Mythos may well be cybersecurity's Y2K moment, and India has handled a challenge like this before. But this time, regulators, banks, exchanges, and enterprises need regular AI-era red-team drills, not occasional tabletop exercises.
What enterprises should do on Monday morning?
Indian enterprises cannot afford to wait for policy to catch up. Their immediate priorities should be to. - Establish a current, accurate software bill of materials for every critical application. - Reduce mean time to patch from weeks to hours, with virtual patching as the interim layer. - Mandate ZTNA across user, device, application, and data layers. - Onboard to the Market SOC where applicable. - Run continuous AI-led VAPT against your own estate before adversaries do. - Include AI model capability as an explicit scenario in your enterprise risk register, signed off at board level.
The optimist's case
It is easy to see Mythos as a warning sign. But it can also become a turning point. The same AI capabilities that can accelerate attacks can also help defenders find vulnerabilities faster, build safer systems, and stay ahead instead of constantly reacting. Anthropic's own framing of Project Glasswing speaks to this: The goal is to put these capabilities in defenders' hands first. India has the engineering talent, the regulatory will and the digital scale to lead this transition rather than follow it. The cost of preparedness is finite. The cost of unpreparedness, in an agentic-AI threat landscape, is not.
Mythos is not the threat. Our unpreparedness is. That is the one thing every Indian boardroom can fix this quarter, and must.
(The author is Srinivas L, Joint Managing Director & Joint CEO, 63SATS Cybertech)
Published by HT Digital Content Services with permission from TechCircle.