Synopsis
Indian enterprises could be facing a structural cybersecurity risk after the release of the advanced AI model Mythos by Anthropic. As Mythos begins finding software vulnerabilities in hours, far faster than companies can fix them, experts said this could leave systems exposed, especially in sectors like banking and telecom that rely on older systems.A spokesperson at HDFC Bank, India's largest private sector bank by assets and market capitalisation, told ET, "We are engaged with the Data Security Council of India to evaluate risks and impact. We can confirm being in touch with the Anthropic team."
As only a few enterprises have been given early access and none of the Indian vendors are in the list, experts warned this could overwhelm security teams and expose risks. Meanwhile, after the US, governments in Canada and the UK too have taken cognisance of Mythos and are calling for meetings to assess its impact. Alarm bells are also going off for the $260 billion Indian IT industry which could face disruption.
Mythos, whose public release has been held back over safety concerns, has demonstrated the ability to uncover deep and previously undetected flaws in large codebases.
“In Indian enterprises, where patch cycles can run 60 to 90 days, the gap between discovery and response is becoming a strategic vulnerability,” said Arjun Nagulapally, CTO of AionOS. “Adversaries can now move from finding a flaw to exploiting it in hours, while enterprise response still takes weeks.”
Nagulapally said the scale of detection could overwhelm enterprises, especially in sectors such as banking and telecom that rely heavily on legacy systems.
The shift is already visible in enterprise environments, according to Cdr Raj Shastrakar (retd), director and head of Unit 42, India and SAAR at Palo Alto Networks. “Attackers can now exploit vulnerabilities within minutes of discovery, with some incidents progressing from initial access to data exfiltration in under an hour, and in extreme cases as little as 25 minutes,” Shastrakar said, adding that traditional step-by-step security processes are no longer sufficient.
The concerns are not limited to India. Financial regulators in the UK and Canada have begun urgent discussions with banks, insurers, and exchanges to assess risks from the model’s ability to expose critical vulnerabilities in core systems. Similar conversations are underway in the US, pointing to growing global concern over the systemic impact of such AI capabilities.
Kailash Nadh, CTO at Zerodha, said companies are already using such models internally for security reviews. “We have been tracking the cybersecurity capabilities of LLMs actively for a while and have also been using them for internal security reviews and audits effectively. Nothing about Mythos yet,” he said. He added that while India’s market regulator, the Securities and Exchange Board of India, already has an extensive cybersecurity framework, LLM-specific risks have not yet been formally addressed.
The implications are now extending beyond cybersecurity into the core of India’s $250-billion IT services industry. A report by Kotak Institutional Equities said Mythos represents a “step-jump” in AI capability across software engineering tasks and could create near to medium-term disruption risks for IT services, especially in application development-heavy segments.
Kotak warned that such gains could translate into a 3-3.5% annual growth headwind for the sector, as automation reduces effort and pricing in traditional services.
A note by Motilal Oswal Financial Services said tools like Mythos could compress effort in manual-heavy areas such as testing and vulnerability assessment, while also identifying bugs that have remained undetected for 10 to 20 years.
“This is deflationary in the short term, but creates opportunities in the medium term,” said Pareekh Jain, CEO, EIIRTrend. “Around 15-20% of cybersecurity services revenue for Indian IT firms could be exposed to compression over the next two to three years.”
He said the most exposed segment is vulnerability assessment and penetration testing, where a large share of work can be automated. “What compresses is manual, labour-intensive work. What expands is demand for AI security, threat intelligence, and securing AI systems,” Jain said, adding that pricing will shift towards outcome-based and platform-led models.
Beyond enterprises, experts warned the risks could extend to national systems.
“India’s cybersecurity frameworks were built around human-speed threats and are becoming mismatched to an environment where AI can identify and exploit vulnerabilities in hours,” said tech policy analyst Subimal Bhattacharjee.
He said the concern is not limited to individual breaches, but the possibility of simultaneous exposure across interdependent critical infrastructure systems. Bhattacharjee added that existing regulatory frameworks assume a time gap between discovery and exploitation, a buffer that AI is rapidly eliminating, even as patch cycles continue to stretch into weeks and months.
