CivilsWisdom.
Updated · Today
Science & Technology May 27, 2026 5 min read Daily brief · #10 of 23

Mythos risk prompts India to test for financial software flaws

India has initiated vulnerability assessments of critical financial and government software systems to evaluate their exposure to Anthropic's advanced AI mod...

GS Paper 3 (Science & Technology Internal Security)

What Happened

  • India has initiated vulnerability assessments of critical financial and government software systems to evaluate their exposure to Anthropic's advanced AI model, Mythos, which possesses autonomous offensive cybersecurity capabilities.
  • Indian technology firms Infosys Ltd. and Tata Consultancy Services (TCS) are conducting tests within secure environments. Infosys is specifically assessing and developing patches for its widely-used Finacle banking platform.
  • India's nodal cybersecurity agency CERT-In (Indian Computer Emergency Response Team) is testing key digital infrastructure including the Aadhaar national identity system and government login platforms.
  • The Finance Ministry has coordinated with the Reserve Bank of India and critical infrastructure protection agencies in what amounts to an emergency audit of digital defences across the banking and financial sector.
  • Neither Infosys nor TCS currently has direct access to Mythos; they are using Claude Opus to identify and model potential attack vectors and develop pre-emptive patches.
  • India's Ministry of External Affairs is in diplomatic negotiations with US officials to obtain controlled, in-country access to Mythos for designated testing, viewing US cooperation as central to infrastructure protection.
  • Mythos has been reported to have identified over 23,000 vulnerabilities and more than 10,000 critical flaws across systems during its initial testing phase. Access is currently restricted to select global organisations under Anthropic's Project Glasswing.

Static Topic Bridges

CERT-In and India's Cybersecurity Architecture

The Indian Computer Emergency Response Team (CERT-In) was established under Section 70B of the Information Technology Act, 2000 (amended 2008). It functions as the national agency for cybersecurity incident response, vulnerability management, and digital threat coordination under the Ministry of Electronics and Information Technology (MeitY). CERT-In issues mandatory reporting requirements for cyber incidents and coordinates with sector-specific CERTs (e.g., IDRBT for banking, NCIIPC for critical infrastructure).

  • CERT-In has powers to direct organisations to report cybersecurity incidents within six hours of detection (2022 Directions).
  • The National Critical Information Infrastructure Protection Centre (NCIIPC), under the National Technical Research Organisation (NTRO), is designated to protect critical information infrastructure (CII) as defined under the IT Act.
  • Critical infrastructure sectors under NCIIPC protection include banking and finance, energy, transport, telecommunications, and government systems — all potentially exposed to AI-assisted cyberattacks.

Connection to this news: CERT-In's active testing of Aadhaar and government login systems for Mythos-class vulnerabilities represents a direct application of its mandate under the IT Act to preemptively secure critical information infrastructure.

Aadhaar and India's Digital Identity Infrastructure

Aadhaar is the world's largest biometric identity programme, administered by the Unique Identification Authority of India (UIDAI) under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. With over 1.4 billion enrolments, it underpins Direct Benefit Transfer (DBT), the Jan Dhan–Aadhaar–Mobile (JAM) trinity, DigiLocker, and a wide range of government service delivery systems. Its authentication APIs process hundreds of millions of transactions annually.

  • UIDAI employs tokenisation, virtual IDs (VID), and limited KYC to reduce biometric data exposure.
  • Any breach of the Aadhaar ecosystem carries systemic risk to DBT flows (₹3.8+ lakh crore annually), financial inclusion infrastructure, and e-governance services.
  • The Supreme Court in K.S. Puttaswamy v. Union of India (2018) upheld the constitutional validity of Aadhaar while restricting its use in the private sector.

Connection to this news: Aadhaar's scale and integration into financial and welfare systems make it a high-priority target in any AI-assisted cyberattack scenario, explaining why CERT-In has prioritised it in Mythos-vulnerability testing.

Dual-Use AI and Offensive Cybersecurity: Emerging Governance Challenges

AI models with autonomous code-generation and vulnerability-exploitation capabilities represent a new class of dual-use technology — systems designed for defensive security research that can also power offensive operations. Historically, states have grappled with dual-use problems in nuclear, chemical, and cyber domains. AI adds a new dimension: rapid scalability, low operational cost, and near-autonomous attack development.

  • The Wassenaar Arrangement (1996) governs export controls on dual-use technologies including intrusion and surveillance tools, but does not yet comprehensively cover AI-based offensive cyber tools.
  • India's National Cyber Security Policy (2013) and the draft National Cyber Security Strategy (2020) identify AI-assisted threats as an emerging challenge.
  • Anthropic's Project Glasswing grants restricted access to Mythos only to vetted organisations (e.g., Cloudflare, Mozilla, Apple, JPMorgan Chase) under strict terms, illustrating private-sector governance of dual-use AI capabilities.

Connection to this news: India's push to negotiate in-country Mythos access reflects the policy imperative of securing critical infrastructure proactively — paralleling how states sought access to offensive-capability intelligence to build defensive countermeasures in earlier dual-use domains.

India's Financial Technology Infrastructure and Systemic Risk

India operates a large and increasingly digitised financial infrastructure: the Unified Payments Interface (UPI) processed over 172 billion transactions in 2024–25, the Aadhaar-enabled Payment System (AePS) reaches rural banking correspondents, and core banking systems like Finacle (Infosys) power hundreds of banks and financial institutions globally. Concentrated systemic dependencies mean a single exploitable vulnerability in widely-used banking software can cascade across the financial sector.

  • Finacle is used by over 100 banks in more than 50 countries, including large public-sector and private banks in India.
  • The Reserve Bank of India's IT Examination Framework requires banks to maintain cyber resilience standards; the RBI Cybersecurity Framework (2016) mandates a Security Operations Centre (SOC) and continuous monitoring.
  • India's Financial Stability and Development Council (FSDC) coordinates systemic risk assessment across regulators (RBI, SEBI, IRDAI, PFRDA).

Connection to this news: Infosys's priority testing of Finacle against Mythos-class attack vectors directly addresses the systemic risk that a vulnerability in widely-deployed banking software could present across India's and the world's financial systems.

Key Facts & Data

  • Mythos: Anthropic's advanced AI model with autonomous vulnerability discovery and exploit development capabilities; reported to have identified 23,000+ vulnerabilities and 10,000+ critical flaws in testing
  • Project Glasswing: Anthropic's restricted-access programme for Mythos; current participants include Cloudflare, Mozilla, Apple, JPMorgan Chase
  • Indian firms testing: Infosys Ltd. (Finacle banking platform) and Tata Consultancy Services (TCS)
  • Government systems under review: Aadhaar (UIDAI), government login platforms, state login systems, service-tax and passport management systems
  • CERT-In: National cybersecurity agency under MeitY; established under Section 70B of IT Act, 2000
  • Current access method: Indian firms are using Claude Opus (not Mythos directly) to model attack vectors and develop patches
  • Diplomatic track: Ministry of External Affairs negotiating controlled in-country Mythos access with US officials
  • Finance Ministry advisory: Banks directed to step up IT security vigilance, safeguard customer data, and protect financial resources
  • Finacle reach: Used by 100+ banks in 50+ countries
  • Policy frameworks relevant: IT Act 2000 (Sec 70B), National Cyber Security Policy 2013, RBI Cybersecurity Framework 2016, Wassenaar Arrangement
On this page
  1. What Happened
  2. Static Topic Bridges
  3. CERT-In and India's Cybersecurity Architecture
  4. Aadhaar and India's Digital Identity Infrastructure
  5. Dual-Use AI and Offensive Cybersecurity: Emerging Governance Challenges
  6. India's Financial Technology Infrastructure and Systemic Risk
  7. Key Facts & Data
Display