New Delhi: When Anthropic announced its most advanced artificial intelligence model on 7 April, India was not on the list of countries with access.
Claude Mythos, a model designed to find flaws in computer code, was deemed too risky for public release because of fears about the threat to traditional software security.
Instead, Anthropic gave access to a set of US technology companies to use it for defensive cybersecurity. No Indian bank, government agency, or technology company made the cut.
Since then, finance minister Nirmala Sitharaman has called a meeting with bank heads, the Ministry of Electronics and Information Technology has opened talks with Anthropic, and India’s nodal cybersecurity agency has issued an advisory on the cybersecurity risks of AI systems.
ThePrint explains what Mythos can do, the risks India is exposed to without access, and why it is rattling policy-makers.
Also Read: AI model Claude Mythos has alarmed the US. Why India must act now
What is Claude Mythos
Claude Mythos Preview is Anthropic’s most capable general-purpose artificial intelligence model to date.
It was not built as a cyberattack tool. Anthropic designed it to work with vast, complex codebases in ways previous models could not — to read and understand software at a depth that surpasses all but the most skilled human researchers.
It is precisely those capabilities, however, that make it a significant security concern. Experts say the tool holds a potentially unprecedented ability to identify cybersecurity vulnerabilities and devise ways to exploit them.
The banking sector is particularly spooked. Finance ministers, central bankers and financiers have expressed fears that the powerful new AI model could undermine the security of financial systems.
In testing, Mythos fully autonomously identified and exploited a 17-year-old remote code execution vulnerability, a type of flaw that allows an attacker to run their own code on a system from a distance, in FreeBSD, an open source Unix-like operating system used in servers and networking infrastructure.
The vulnerability allows anyone to gain root access, meaning full administrative control over a system, on a machine running Network File System, a protocol used to share files across computers on a network, with no human involvement after the initial prompt.
It also found a 27-year-old bug in OpenBSD, a security-focused open source operating system widely used in firewalls and critical infrastructure, and a 16-year-old flaw in FFmpeg, an open source software library used to process and play audio and video files across billions of devices and platforms.
In total, Mythos Preview identified thousands of zero-day vulnerabilities across every major operating system and every major web browser.
A zero-day vulnerability is a flaw unknown even to the software’s own developers. Whoever finds it first holds a complete advantage.
What makes Mythos different from earlier security tools is that it does not search for known patterns. It reads and understands code, finds individual bugs, connects them, and builds an attack pathway. That process used to take a team of human researchers days or weeks.
What Anthropic did
With growing cybersecurity concerns, Anthropic chose not to have a public launch of Mythos. Instead, it gave early access through an initiative called Project Glasswing to 12 named launch partners, as well as over 40 additional organisations that build or maintain critical software infrastructure.
They include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks.
Anthropic committed $100 million in model usage credits to the initiative.
The reasoning was direct: According to a report from Axios, Anthropic has privately warned top government officials that Mythos makes large-scale cyberattacks significantly more likely this year.
Already, there have been reports of a breach. Bloomberg reported on April 21 that a group of unauthorised users gained access to Mythos through a third-party vendor environment on the day the model was announced.
Anthropic said it found no evidence that the activity impacted its own systems beyond that vendor environment.
India’s response
India, too, has expressed its concerns about Mythos.
On 23 April, Finance Minister Nirmala Sitharaman held a meeting with Union Minister for Electronics and Information Technology Ashwini Vaishnaw, bank leaders, and other stakeholders to evaluate cybersecurity risks.
Officials from the Reserve Bank of India, the country’s central bank, and the Department of Financial Services were also present.
Sitharaman warned the threat is “unprecedented” and said the challenge “is coming in the name of Mythos, about which not much is known”.
Banks were told to secure their information technology infrastructure. The Indian Banks’ Association, an industry body representing banks, was asked to create a mechanism to respond to cyber threats.
Department of Financial Services secretary M. Nagaraju called Mythos “a threat and opportunity for the financial technology ecosystem”.
A senior Ministry of Electronics and Information Technology official confirmed the government is in active conversation with Anthropic for possible access.
On 26 April, the Indian Computer Emergency Response Team, or CERT-In, the government’s nodal agency for responding to cybersecurity incidents, issued a high-severity advisory directly citing frontier artificial intelligence models, warning organisations to treat every newly disclosed vulnerability as exploitable within hours, not weeks.
It called for increased monitoring, multi-factor authentication, a security method that requires more than one form of verification to access a system, on internet-facing systems, and critical patches, or software updates that fix security flaws, applied within 24 hours of release.
The access gap
No Indian company features among the named Project Glasswing partners. No Indian bank, government agency, or telecom operator has been admitted to the programme, giving defenders early access to Mythos.
Kazim Rizvi, founder of policy think tank The Dialogue, told ThePrint this is where the concern sits.
“A Mythos-class system does not need to find one catastrophic flaw in Aadhaar. It needs to find mediocre flaws across Aadhaar and the account aggregator, and it can do that in hours,” he said.
India’s digital public infrastructure forms a web of financial and identity systems that hundreds of millions of citizens depend on.
‘A Mythos-class system doesn’t need to find one catastrophic flaw in Aadhaar. It needs to find mediocre flaws across Aadhaar & account aggregator, & it can do that in hours,’ says Kazim Rizvi, founder of policy think tank The Dialogue.
It includes Aadhaar; the Unified Payments Interface, a real-time payment system; an account aggregator framework that allows individuals to securely share their financial data between institutions; and the Ayushman Bharat Digital Mission, a digital health records system. The Unified Payments Interface alone processes over 18 billion financial transactions a month.
Rizvi said the architecture underlying all of it was not designed to account for a system like Mythos. “These security architectures did not cater for something that can invalidate every assumption in that model simultaneously,” he said.
He added that the payment ecosystem is particularly exposed.
“A Mythos-class model could map the structure of application programming interfaces, which are the rules that allow different software systems to communicate with each other, across multiple payment platforms, identify weaknesses in authentication flows or rate-limiting mechanisms, which control how many requests a system accepts in a given time, and combine these into multi-stage exploit pathways,” he told ThePrint.
Rizvi called Indian industry’s exclusion from Project Glasswing “a security and sovereignty concern”.
He said the Ministry of External Affairs, the Ministry of Home Affairs, and the Prime Minister’s Office need to engage with both the US government and Anthropic to seek access.
He also recommended a coordinated security audit of critical infrastructure across financial services and telecom, and said the government’s newly constituted artificial intelligence governance bodies should formally assess the implications of AI-driven vulnerability discovery for India’s digital ecosystem.
What the industry says
What evaluators found
The United Kingdom’s AI Security Institute ran independent evaluations of Mythos Preview.
On expert-level capture-the-flag challenges — competitive cybersecurity tests where a system must identify and exploit vulnerabilities — that no model could complete before April 2025, Mythos now succeeds 73 percent of the time.
It also became the first model to complete the institute’s 32-step corporate network attack simulation from start to finish, a task estimated to take human professionals 20 hours.
(The Cloud Security Alliance, a global cybersecurity organisation, noted in its April 2026 briefing that defenders still operate patch cycles and detection systems built for human-speed threats, and that the mean time from vulnerability disclosure to confirmed exploitation has fallen to less than one day in 2026, down from 2.3 years in 2019.
India’s public sector banks and government departments do not operate on these timelines. That is the gap Sitharaman’s meeting, CERT-In’s advisory, and both experts are working around, from outside a programme they have no access to yet.
(Edited by Sugita Katyal)
Also Read: When AI stereotypes, it doesn’t guess, it defaults