India Seeks Access to Anthropic's Mythos AI Amid Serious Cybersecurity Concerns

An AI model capable of identifying tens of thousands of software vulnerabilities - and exploiting them - has prompted India's government to simultaneously pursue access to it and build defences against it. The Centre is in active talks with the United States to secure access to Anthropic's Mythos AI model for Indian companies, while directing financial regulators, banks, and critical infrastructure agencies to accelerate their cybersecurity preparations. The dual-track response reflects the unusual nature of a technology that functions both as a security asset and a potential threat.

What Mythos Does - and Why It Alarms Regulators

Mythos belongs to Anthropic's Claude family of AI models, designed for advanced reasoning and coding. What separates it from earlier models is its demonstrated ability to operate across the full cybersecurity spectrum - locating vulnerabilities in complex systems and, critically, exploiting them. Anthropic itself described the model in an April 7 note as a "watershed moment for cybersecurity," reporting that it had already identified thousands of high-severity vulnerabilities across major operating systems and web browsers, and that it could outperform humans in certain hacking tasks.

Earlier testing by companies with early access found that Mythos can identify tens of thousands of vulnerabilities, compared with approximately 500 detected by Anthropic's previous model, Opus 4.6. That is a nearly twentyfold increase within a single model generation - a jump that has unsettled regulators in multiple countries. Officials cited by the Financial Times described the model as representing a "fundamental change in the playing field," warning that it could chain together vulnerabilities at a speed and scale that exceeds human ability to respond. For sectors like banking, where legacy infrastructure is common and cyber incidents can rapidly spill into market disruptions, the risks are acute.

India's Government Response: Access and Defence in Parallel

Finance Minister Nirmala Sitharaman convened a high-level review of the Mythos situation before the government's current position took shape. Speaking publicly, she flagged that the cybersecurity challenges linked to the model could be significant and require close attention. The Ministry of Electronics and IT is now actively engaging with the US government, with Anthropic, and with companies involved in early testing.

On the defensive side, the government has directed the Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Centre (NCIIPC) to move quickly to protect critical infrastructure - power grids, telecom networks, and banking channels among them. Last week, Sitharaman asked the Indian Banks' Association to develop a coordinated mechanism for responding rapidly to threats linked to the model, and directed banks to strengthen their cybersecurity systems in partnership with specialised agencies and experts.

The logic is not contradictory. Access to a tool capable of finding vulnerabilities at scale is precisely what organisations need to find and fix their own weaknesses before adversaries exploit them. The risk is that the same tool, in the wrong hands or without adequate governance, accelerates attacks faster than defences can be built.

Indian Firms Left Out of Early Trials - For Now

Under its Project Glasswing initiative, Anthropic extended early access to approximately 40 companies to test Mythos's vulnerability detection and remediation capabilities. The list was heavily weighted towards US firms; no Indian company was included. Industry body Nasscom wrote to Anthropic seeking inclusion of Indian firms in the programme, making the case that Indian software companies support systems worldwide and that their participation would strengthen global cybersecurity resilience.

The bilateral talks between India and the US aim, in part, to address that exclusion. The government is evaluating both the mechanisms and logistical dimensions of enabling access for Indian companies while ensuring that critical systems remain protected. Importantly, the Centre is also thinking beyond Mythos: it is considering a broader policy framework to govern access as more companies develop AI models with comparable high-capability profiles, and has signalled it does not want to create a regime that advantages any single company over others.

The Wider Policy Question Advanced AI Now Forces

Mythos poses, in concentrated form, a question that advanced AI increasingly raises for governments everywhere: how do you govern a technology whose benefits and dangers are inseparable? A model that can find vulnerabilities that have persisted for decades - Anthropic confirmed this in its April note - is genuinely valuable for national security and infrastructure hardening. The same model, operating autonomously or in adversarial hands, compresses the time available to respond to any attack to near zero.

India's response so far - pursue access, build defences, develop policy - is a reasonable initial posture. The harder work lies ahead: establishing who within India can access Mythos, under what conditions, with what oversight, and how liability is assigned when high-capability AI is involved in a security failure. These are not questions the technology industry alone can answer. They require clear regulatory frameworks, and the window to build them is narrow.