Anthropic Mythos effect: Indian govt asks MSMEs, organisations to brace for AI cyber threats - financialexpress.com

Detailed Analysis

Anthropic's advanced AI model Claude Mythos, developed under the company's Project Glasswing initiative, has triggered a significant national security response from the Indian government, with top officials characterizing the threat it poses to critical infrastructure as comparable in scale to warfare. Finance Minister Nirmala Sitharaman chaired high-level meetings in April 2026 with bank CEOs, IT Minister Ashwini Vaishnaw, and key financial regulators, resulting in the formation of a dedicated risk assessment panel under State Bank of India Chairman C S Setty. Simultaneously, India's Computer Emergency Response Team (CERT-In) issued formal advisories urging MSMEs, banks, and broader organizations to immediately strengthen their cybersecurity postures through measures including robust password protocols, disabling unused network services, maintaining secure backups, updating security software, and restricting unknown connections. The warnings come despite Indian systems remaining secure thus far, with authorities stressing proactive vigilance over reactive defense.

The specific capabilities of Claude Mythos that have alarmed Indian authorities are substantial and largely unprecedented in publicly documented AI systems. The model can autonomously scan large software codebases to detect vulnerabilities — including zero-day exploits and decades-old flaws, such as 27-year-old bugs embedded in operating systems and browsers — with performance exceeding human-level benchmarks. Beyond vulnerability discovery, Mythos is reported to be capable of planning and executing multi-stage cyberattacks, chaining exploits, and compromising entire networks end-to-end with minimal human oversight. Its ability to generate highly convincing phishing campaigns and impersonation attacks across email, voice, and video modalities further amplifies its threat surface. Anthropic itself has restricted the model's release due to misuse risks and has acknowledged an unauthorized breach of the model, a disclosure that appears to have directly precipitated the urgency in India's governmental response.

The Indian financial sector has emerged as a particular focal point of concern. The Reserve Bank of India flagged specific risks to the banking ecosystem, prompting directives for lenders to undertake pre-emptive IT security hardening, enhance data protection frameworks, recruit specialized cybersecurity expertise, and coordinate through the Indian Banks' Association. Sitharaman's framing of the threat as "new and less understood" and her call for "versatile defenses" signals that conventional static cybersecurity frameworks are viewed as inadequate in the face of an AI system capable of dynamically adapting attack strategies. Her calls for international engagement with Anthropic and U.S. authorities, alongside directives to the Ministry of Electronics and Information Technology (MeitY) and industry body Nasscom, indicate India is pursuing a multi-layered response spanning diplomatic, regulatory, and technical channels.

This episode is broadly emblematic of a deepening tension in frontier AI development: the gap between a model's offensive capabilities and society's defensive readiness. Anthropic has positioned itself as a safety-focused lab, and the Claude lineage has been accompanied by extensive published safety research and responsible scaling policies. However, the Mythos situation illustrates that even restrained releases — or in this case, an apparently unauthorized breach — can rapidly externalize risk. The India case may represent one of the first instances of a sovereign government mobilizing cabinet-level resources specifically in response to a named commercial AI model's threat profile, setting a notable precedent for how states may respond to future frontier model deployments. It also underscores the growing pressure on AI developers to coordinate with national governments before, rather than after, the deployment of models with dual-use capabilities of this magnitude.

The broader trajectory this incident reflects is one of accelerating asymmetry between AI-enabled offensive cyber capabilities and traditional institutional defenses, particularly in developing economies where MSMEs often lack the resources to implement sophisticated security infrastructure. CERT-In's explicit acknowledgment that its advisories were calibrated for "resource-limited" small and medium enterprises highlights this structural vulnerability. As AI models grow more capable of autonomous, scalable cyberattack execution, the international community faces mounting pressure to establish governance frameworks — potentially including AI-specific cyber arms control agreements or mandatory disclosure regimes for dual-use capability thresholds — that can keep pace with technological development. India's response to Claude Mythos may serve as an early case study in how nation-states begin to institutionalize AI threat response as a formal domain of national security policy.