The American AI company, Anthropic, has recently announced that its newest model, Claude Mythos, surpasses all but the most skilled humans at finding and exploiting software vulnerabilities. It claims that the model has uncovered thousands of vulnerabilities in “every major operating system and web browser” and “the fallout — for economies, public safety, and national security — could be severe”.
Unlike typical AI launches, the company has restricted public access to Mythos, choosing instead to ship it under a defence cybersecurity initiative called Project Glasswing, which constitutes a consortium of major US technology companies and partners.
Frontier AI labs have consistently leveraged fear as marketing, yet the underlying capability shift is genuine, and the short-term disruption is unavoidable. India’s task is neither to dismiss the alarm nor to buy into the hype, but to build cybersecurity resilience at every layer — cyber hygiene, organisational tooling, and legal reform alike.
There are a few things to unpack here.
First, the irony here is hard to miss. Anthropic has raised the alarm, restricted access to the tool, and is now selling access to the protection it claims the tool provides, all while gaining brownie points for “showing restraint” and “being a responsible player”. Despite being designated a supply-chain risk by the Pentagon, the White House has held discussions with the Anthropic CEO, with the National Security Agency reportedly using Mythos’s preview model, signalling a thaw in relations.
Second, it is also possible that access to Glasswing was restricted to a handful of US companies due to limitations in scaling Anthropic’s available inference compute capacity. Opting for a limited release for select critical codebases offers more control on the demand, while also prioritising critical digital infrastructure that underpins much of the internet.
Third, experts differ on the severity of the danger the model poses. Red Hat’s analysis reveals that many of the vulnerabilities the model uncovers impact functionality and disrupt performance; it doesn’t necessarily expose an exploitable vulnerability. They claim that many of them would be classified as low risk within their product ecosystem. Cisco and CrowdStrike reported that Mythos helped their systems find vulnerabilities faster.
Meanwhile, other frontier AI labs are not far behind. For instance, OpenAI has released its top-performing cybersecurity model under its “Trusted Access for Cyber” programme to a group of verified security researchers and companies. Open weight models are typically a few months behind frontier AI models and will eventually broaden access to similar capabilities, though with a time lag. The risk is that the same models used for defensive operations can also be used offensively, making it harder to restrict their access to malicious actors.
However, as Ben Thompson of the Stratechery newsletter fame pointed out, whether the current generation of models poses as severe a threat as claimed, future models will get there. Given the capabilities Generative AI was already showing, this may not so much be a step change break from the past as much as an anticipated shift and improvement long in the making. The scale of vulnerabilities exposed is likely to cause short-term disruptions across industries but will lead to more resilient infrastructure in the long term.
All of this reinforces the urgent need for cyber-readiness and resilient infrastructure against industrial-scale threats, where the marginal cost of imposing harm is steeply decreasing. From individual hygiene to legal architecture, the response has to be layered.
For individuals, basic cyber hygiene is critical for protecting their devices, networks, and data. This includes using unique, strong passwords managed with a password manager, enabling multi-factor authentication, regularly installing software updates, and backing up data.
Most organisations will not have immediate access to Mythos via Project Glasswing, and the goal is to reduce the capability gap between themselves and such “elite defenders”. Adopting open-weight AI pipelines for defensive purposes, and developing human expertise to contextualise, triage, and prioritise the abundant noise that AI-revealed gaps can be, is essential.
The Government of India is reportedly in talks with Anthropic. This is a welcome initiative and must be leveraged to assess security threats to critical infrastructure, such as power, telecoms, and financial platforms. The resilience of India’s Digital Public Infrastructure (DPI) should be prioritised in such proactive endeavours.
The current Indian legal framework — governed by rigid six-hour CERT-In reporting mandates and conditional Section 79 Safe Harbour — is functionally incompatible with the “Mythos Era”. The law must pivot from penalising discovery to incentivising remediation. Companies must be granted a legal safe harbour while they undergo AI-driven patching. Further, organisations such as CERT-IN and pillars of the AI mission, like the AI Safety Institute, need strengthening and capacity-building support.
The writers are researchers in technology geopolitics at the Takshashila Institution, Bengaluru. Views are personal
