CivilsWisdom.
Science & Technology · April 24, 2026

Has Anthropic’s Mythos made the cure worse than the disease?



What Happened

  • A frontier AI model named Mythos (developed by Anthropic) has demonstrated the ability to autonomously identify previously unknown software vulnerabilities (zero-days), generate working attack code, chain multiple exploits together, and cover its tracks, all with minimal human input.
  • In benchmark testing, Mythos achieved an 83% success rate in exploit creation on the first attempt, a capability level that qualitatively disrupts the traditional cybersecurity defence model.
  • Anthropic has not released Mythos publicly; access is restricted to vetted organisations under controlled conditions through Project Glasswing, which aims to allow defenders to harden critical systems before models with comparable capabilities spread more widely.
  • In India, concerns have centred on the financial system: the Reserve Bank of India (RBI) is consulting international regulators to assess risks to banking infrastructure, and the National Payments Corporation of India (NPCI) is working with select banks to obtain early access to Mythos for defensive vulnerability identification.
  • A high-level inter-agency meeting — involving banks and technology stakeholders — was convened to assess systemic risk to India's financial infrastructure.
  • The US Cybersecurity and Infrastructure Security Agency (CISA) has itself flagged that it does not have formal access to Mythos, underscoring the access disparity between developers and national security agencies.

Static Topic Bridges

Critical Information Infrastructure (CII) — Legal Basis in India

Critical Information Infrastructure refers to computer systems, networks, and databases whose disruption or destruction would have a debilitating impact on national security, economy, public health, or safety.

  • Definition: Section 70(1) of the Information Technology Act, 2000 (as amended in 2008) — "computer resource, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety"
  • The appropriate government may, by gazette notification, declare any computer resource to be a Protected System under Section 70
  • Unauthorised access to a Protected System is a criminal offence under Section 70(2): imprisonment up to 10 years
  • Sector coverage of CII in India: Power and energy, banking and financial services, telecom, transport, government IT systems, defence

Connection to this news: If an AI system like Mythos autonomously identifies and exploits zero-day vulnerabilities in banking or power infrastructure, it directly threatens CII assets. India's legal framework under Section 70 classifies such systems as Protected Systems, making their breach a serious criminal matter — but the law addresses human actors, not autonomous AI agents, creating a regulatory gap.


National Critical Information Infrastructure Protection Centre (NCIIPC)

NCIIPC is the national nodal agency for the protection of CII in India.

  • Legal basis: Section 70A of the IT Act, 2000 (amended 2008)
  • Established: January 16, 2014 via gazette notification
  • Organisational placement: Unit of the National Technical Research Organisation (NTRO), under the Prime Minister's Office (PMO)
  • Mandate: Provide threat intelligence, situational awareness, alerts and advisories, and cybersecurity guidance to CII entities; issue Baseline Security Standards (BSS) and sector-specific controls
  • Operations: 24×7 Help Desk for CII incident reporting; works with sectoral Computer Emergency Response Teams (CERTs)
  • Distinct from CERT-In (Indian Computer Emergency Response Team, under MeitY), which handles broader cybersecurity incidents across all sectors

Connection to this news: The RBI and NPCI's proactive engagement with Mythos — seeking early access for defensive purposes — mirrors the defensive logic of NCIIPC's mandate: get ahead of threats before they are widely deployed. NCIIPC's challenge is that Mythos-class AI operates faster than human-paced threat intelligence cycles.


The AI Threat Model — Disrupting the Defender-Attacker Balance

Traditional cybersecurity operated on an asymmetric but manageable model: defenders patched known vulnerabilities; attackers exploited them. The defender had time, usually days to weeks, between disclosure and exploitation.

  • AI tools like Mythos compress the attacker's timeline: from vulnerability discovery to working exploit in minutes, not weeks
  • Zero-day vulnerabilities are flaws unknown to the software vendor; no patch exists at time of exploitation
  • The traditional anti-virus/endpoint detection model is reactive — it identifies known attack patterns; AI-generated novel exploits evade signature-based detection
  • Agentic AI threat (AI that can autonomously plan and execute multi-step attack chains) represents a qualitative escalation beyond AI-assisted hacking tools

Connection to this news: The article's framing, that "defenders are like anti-virus sellers, helping fix vulnerabilities" and that this model is being disrupted, reflects this paradigm shift. Project Glasswing is Anthropic's attempt to restore the defender's advantage by giving them access to Mythos-class capability first, so they can use it to find and fix vulnerabilities before attackers gain similar tools.


National Cyber Security Policy and India's Cybersecurity Architecture

India's overarching cybersecurity policy framework includes:

  • National Cyber Security Policy, 2013: Issued by the Department of Electronics and Information Technology (now MeitY); focuses on securing cyberspace, building capability, and reducing vulnerabilities
  • CERT-In: India's national nodal agency for cybersecurity incident response, under Section 70B of the IT Act; handles all sectors except CII (handled by NCIIPC)
  • National Cyber Coordination Centre (NCCC): Under MeitY; provides real-time situational awareness of cybersecurity threats from internet traffic
  • PM-WANI, Digital India, UPI infrastructure: These are potential high-value targets for AI-enabled cyberattacks given their scale and criticality

Connection to this news: India's cybersecurity architecture was designed in the pre-agentic AI era. The Mythos development signals that India needs to update its cyber doctrine, threat modelling, and inter-agency coordination to address AI-native attack vectors.


Key Facts & Data

  • Mythos exploit creation success rate: 83% on first attempt (benchmark result)
  • Section 70, IT Act 2000: Defines CII and Protected Systems; penalty for unauthorised access: up to 10 years imprisonment
  • Section 70A, IT Act 2000 (amended 2008): Legal basis for NCIIPC
  • NCIIPC established: January 16, 2014; placement: NTRO under PMO
  • Project Glasswing: Anthropic's restricted access programme for defensive use of Mythos
  • India response: RBI consulting international regulators; NPCI working with banks for early Mythos access for defensive vulnerability testing
  • CERT-In: Under Section 70B, IT Act 2000; under MeitY
  • National Cyber Security Policy: 2013 (currently being updated)
  • Sectors designated as CII in India: Power, banking, telecom, transport, defence, government IT