Current Affairs Topics Quiz Archive
International Relations Economics Polity & Governance Environment & Ecology Science & Technology Internal Security Geography Social Issues Art & Culture Modern History

IT industry, Govt. examine cybersecurity implications of Anthropic’s Mythos model

April 09, 2026 5 min read Science & Technology Economics GS3 (Science & Technology Internal Security Economy)
On This Page

What Happened

  • Anthropic unveiled Claude Mythos Preview, a powerful AI model capable of autonomously discovering and exploiting software vulnerabilities — including bugs over a decade old — in major operating systems and browsers.
  • The model, as part of Project Glasswing, is being made available exclusively to a curated set of partner organisations (Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks) to identify and patch critical vulnerabilities before malicious actors can exploit them.
  • Mythos Preview found a 27-year-old bug in OpenBSD and a 16-year-old vulnerability in video software that survived over five million hits from automated testing tools without being detected.
  • The model also autonomously chained multiple Linux kernel vulnerabilities to achieve privilege escalation from an ordinary user account to complete machine control.
  • Due to its dual-use risk — the same capabilities could be weaponised for cyberattacks — Anthropic has opted not to make Mythos generally available, citing potential dangers to economies, public safety, and national security.
  • India's IT industry and government are examining the cybersecurity implications, given India's large software services sector and growing digital infrastructure exposure.

Static Topic Bridges

Zero-Day Vulnerabilities and AI-Assisted Exploitation

A zero-day vulnerability is a software flaw unknown to the vendor or without an available patch at the time of discovery. The term "zero-day" refers to the fact that developers have "zero days" to fix a problem that is already being exploited. Historically, zero-days are discovered by human security researchers or criminal actors; AI systems capable of autonomous zero-day discovery represent a qualitative shift in the threat landscape.

  • AI-powered vulnerability scanners can analyse entire codebases at machine speed, far exceeding human review throughput
  • Privilege escalation attacks move from low-privilege to high-privilege system access by chaining multiple vulnerabilities — a technique now automated by Mythos
  • India's CERT-In (Computer Emergency Response Team — India), established under the Information Technology Act, 2000 (Section 70B), is the nodal agency for cybersecurity incident response
  • CERT-In issued controversial mandatory reporting directions in April 2022 (effective June 2022) requiring all entities to report cybersecurity incidents within 6 hours (later debated internationally for being too tight)
  • India's National Cyber Security Policy (2013) — the primary overarching framework — is due for a comprehensive update

Connection to this news: An AI capable of discovering decade-old vulnerabilities at scale fundamentally alters CERT-In's threat environment — reactive patch management is insufficient; proactive AI-aided code auditing becomes critical.

Dual-Use Technology — Governance and Policy Frameworks

Dual-use technology refers to technologies developed for civilian or commercial purposes that can also be applied for military or harmful ends. In cybersecurity, the same tool that finds vulnerabilities for defensive patching can be used offensively. International governance of dual-use tech relies on export controls, multilateral agreements, and responsible disclosure frameworks.

  • Wassenaar Arrangement (1996): Multilateral export control regime covering dual-use technologies including cybersecurity tools; India acceded in 2017
  • Budapest Convention on Cybercrime (2001): First binding international treaty on cybercrime; India has not acceded (remains a matter of policy debate)
  • Responsible Vulnerability Disclosure (RVD) norms require researchers to notify vendors before public release — a practice formalised in CERT-In guidelines
  • India's IT (Amendment) Act, 2008 and Digital Personal Data Protection Act, 2023 are the primary legislative pillars for cyber governance alongside the forthcoming Digital India Act
  • The Mythos model's selective deployment mirrors export control logic applied within the private sector — capability containment through access restriction

Connection to this news: Project Glasswing operationalises a private-sector dual-use governance model: restricting access to a small trusted group while harnessing capability for defence — a template regulators and policymakers globally, including India, are watching closely.

India's IT Sector and Cybersecurity Exposure

India's IT and ITeS sector contributes approximately 7.5% of GDP and employs over 5.4 million professionals directly. India manages software infrastructure for global financial institutions, healthcare systems, and government platforms, making vulnerabilities in widely used open-source software a direct risk to Indian service providers and their clients.

  • India ranks among the top targets globally for cyberattacks, with financial services and government infrastructure being high-value targets
  • Indian Computer Emergency Response Team (CERT-In): Nodal agency under MeitY (Ministry of Electronics and IT) for incident handling, vulnerability coordination, and threat advisories
  • National Cyber Coordination Centre (NCCC): Real-time cybersecurity threat monitoring body under CERT-In
  • India's cybersecurity market was valued at approximately $3.1 billion in 2023 and is projected to grow significantly
  • The PM-WANI (Wi-Fi Access Network Interface) and expanding digital public infrastructure (UPI, Aadhaar, DigiLocker) increase the attack surface that AI-powered vulnerability tools could expose

Connection to this news: The emergence of AI systems that can autonomously discover and exploit old vulnerabilities in major OSes and browsers directly threatens the digital infrastructure underlying India's fintech, e-governance, and IT services sectors — making participation in global cybersecurity coordination frameworks a strategic priority.

AI Frontier Models — Capability vs. Safety Trade-offs

Frontier AI models refer to the most advanced AI systems at the current technological frontier, which often introduce capabilities with unforeseeable risks alongside intended benefits. The governance of frontier models is an emerging area addressed by national AI safety institutes (UK, US, India) and international frameworks.

  • India AI Safety Institute (AISI): India announced plans to establish an AI Safety Institute in 2024, modelled on the UK's AISI (est. 2023), to evaluate frontier model risks
  • Bletchley Declaration (November 2023): 28 countries including India signed a declaration on AI safety at the UK's AI Safety Summit, acknowledging frontier AI risks
  • Seoul AI Safety Summit (May 2024): Continued the Bletchley process; India participates
  • Anthropic's decision to restrict Mythos deployment demonstrates responsible scaling policies (RSPs) — internal commitments by frontier AI labs to limit deployment of dangerous capability levels
  • The IT Act's provisions on hacking offences (Section 66) and cyber terrorism (Section 66F) are the existing criminal law framework but predate AI-era capabilities

Connection to this news: Anthropic's Mythos deployment model — restricted, partner-only, tied to defensive use — is an example of a private-sector RSP in action, and will inform how India's emerging AI governance framework should treat frontier models with dual-use capabilities.

Key Facts & Data

  • Oldest vulnerability found by Mythos Preview: 27-year-old bug in OpenBSD
  • A 16-year-old video software vulnerability survived 5 million+ automated testing attempts before Mythos found it
  • Mythos Preview is not publicly available due to dual-use cybersecurity risk
  • Project Glasswing partners include: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks
  • CERT-In established under IT Act, 2000 (Section 70B); nodal agency: MeitY
  • CERT-In mandatory incident reporting window: 6 hours (post April 2022 directions)
  • Wassenaar Arrangement accession by India: 2017
  • Bletchley Declaration on AI Safety signed by India: November 2023
  • India's IT sector GDP contribution: ~7.5%; direct employment: 5.4 million+
  • India's cybersecurity market: ~$3.1 billion (2023 estimate)