“Traditionally, the safety trade has relied on the time and talent required to show a found bug right into a working exploit to provide defenders a significant grace interval,” mentioned Philippa Cogswell, managing accomplice, JAPAC, Palo Alto Networks Unit 42. “Mythos proves that assumption now not holds.”
That is essential for Indian corporations that sometimes take as many as three months to place up their defences. Mythos can flip a flaw right into a working assault in minutes; most Indian corporations nonetheless take 60–90 days to repair techniques, creating what consultants name a “kill zone.” No Indian corporations had been included in Venture Glasswing, which gave 40 US corporations early entry to the mannequin to check their techniques for flaws and defend them.
International safety corporations, together with Palo Alto Networks and Test Level Software program Applied sciences, examined Mythos as a part of Venture Glasswing. These corporations informed ET that they’ve been compelled to alter how they give thought to cybersecurity.
Corporations that examined Mythos mentioned it may discover tens of 1000’s of vulnerabilities, in contrast with roughly 500 discovered by Anthropic’s earlier mannequin, Opus 4.6, a 20-fold soar in a single technology. It constructed working exploits for greater than half of what it discovered and succeeded in breaching defences on the first try in 83 out of 100 instances.
The issue goes past quantity, mentioned Sundar Balasubramanian, managing director, India and South Asia, Test Level Software program Applied sciences.
“Points that seem statistically insignificant in testing change into operationally unavoidable as soon as techniques course of tens of millions of transactions,” he mentioned. “The objective is to not patch every little thing however to cut back publicity quick.”
The character of assaults can also be altering.
“Assaults have gotten democratised and industrialised, transferring from bespoke operations to repeatable, automated pipelines,” he mentioned.
The entry hole is not going to final lengthy, however that’s not excellent news.
“Inside six months, these capabilities can be commonplace throughout different main AI labs, Chinese language fashions, and open supply,” famous Cogswell. “Organisations nonetheless considering of vulnerability management as a discrete programme somewhat than a steady operational operate are already behind.”
The price of mounting an assault has additionally fallen. Changing a vulnerability right into a working exploit as soon as took expert researchers weeks. It now takes below a day and prices lower than $2,000.
“The patch cycle is now not a strategy of inefficiency–it is a strategic vulnerability,” mentioned Arjun Nagulapally, CTO, AionOS. “Adversaries shut the loop in hours. Indian IT groups shut it in months. The hole isn’t only a threat, it’s a kill zone.”
Mythos turns a found flaw right into a working assault in minutes, he added. Many corporations are nonetheless constructing cyber defences across the assumption that they may have days or even weeks to reply.
Banking and telecom carry essentially the most threat, Nagulapally mentioned. Each run on previous techniques which might be exhausting to patch with out disrupting companies.
Mythos, mentioned to be essentially the most highly effective AI mannequin developed up to now, is anticipated to show deep-seated vulnerabilities within the infrastructure of corporations globally. Anthropic has held again a wider launch attributable to this worry whereas giving early entry to the group cited above.
ET reported final week that Nasscom, representing India’s expertise corporations, has written to Anthropic, asking that they be included in Venture Glasswing and be given entry to Mythos to construct cyber resilience since their code is utilized by corporations throughout the globe. The Ministry of Electronics and Data Know-how (MeitY) can also be reportedly in discussions with Anthropic executives within the US on giving early entry to Indian corporations.
Tech coverage analyst Subimal Bhattacharjee mentioned India’s safety frameworks weren’t constructed for such pace of response.
“When frontier AI fashions can autonomously uncover and chain zero-day vulnerabilities inside hours, India’s CERT-In advisory cycles and guide patch-response workflows change into basically mismatched to the menace setting,” he mentioned. He mentioned the bigger threat is a coordinated assault throughout energy, railways, telecom, and banking, all of which run on ageing infrastructure.
CERT-In on April 27 issued a high-severity advisory on the Mythos AI mannequin, warning that its superior capabilities may allow automated, fast and large-scale cyberattacks, notably placing Indian MSMEs and banking techniques in danger. The company urged organisations to strengthen defences in opposition to AI-driven reconnaissance, vulnerability exploitation and social engineering assaults.
CERT-In or Indian Laptop Emergency Response Staff is the cybersecurity nodal company.
The rising hole can be between organisations that also deal with safety as a pre-deployment checkpoint and people who deal with it as a steady suggestions loop working at machine pace, mentioned Balasubramanian.
“AI can multiply the output of the expertise that exists,” mentioned Nagulapally. “The window to make use of AI as a pressure multiplier somewhat than face it as an adversarial pressure is measured in quarters, not years.”