Synopsis
Companies are testing their public-facing assets using existing AI models such as Opus 4.7 and GPT 5.5 and have also asked their suppliers to identify possible gaps, executives and consultants told ET. The Data Security Council of India (DSCI), an industry think-tank under software industry body Nasscom, is helping organisations prepare for the challenge.Listen to this article in summarized format
Their concern is over the unprecedented ability attributed to the currently access-restricted artificial intelligence model to discover serious software vulnerabilities, which could enable cyberattacks at scale and potentially cripple critical services.
Companies are testing their public-facing assets using existing AI models such as Opus 4.7 and GPT 5.5 and have also asked their suppliers to identify possible gaps, executives and consultants told ET.
The Data Security Council of India (DSCI), an industry think-tank under software industry body Nasscom, is helping organisations prepare for the challenge. It launched a sandbox environment that they could use for evaluating generative AI models against potential security vulnerabilities and data privacy risks.
“Organisations are actively strengthening their cyber hygiene to prepare for AI-driven threats by reducing attack surfaces, adopting micro-segmentation, improving identity and authentication systems,” DSCI chief executive Vinayak Godse told ET.
Anthropic has stated that it will release the model soon. Experts, who expect it to be available in around six months, say cybercriminals might exploit the vulnerabilities faster than organisations can fix them. They also point to a severe shortage of cybersecurity talent needed to address the fast-evolving threat.
Compounding threats
Anthropic’s latest update on Mythos unveiled last week has alarmed chief information security officers (CISOs) because of the unprecedented speed at which the system is able to identify software vulnerabilities.
Mythos has identified 23,019 vulnerabilities in just one month. Only 97 of these have been patched as it takes 14 days on an average for human cybersecurity professionals to fix each bug.
“The global cybersecurity landscape is evolving at an unprecedented pace, introducing new and elevated risks,” said Srikanth Velamakanni, chief executive at AI services firm Fractal Analytics and chairperson of Nasscom.
“Systems like Mythos demonstrate that releasing highly capable models without stringent safety frameworks can pose serious national security threats. However, attempting to simply contain AI development is not a viable long-term solution; we need proactive, collaborative governance,” he said.
According to researchers, Mythos-capability models from DeepSeek or OpenAI are also expected to hit the market in three to six months.
This could overwhelm conventional cybersecurity infrastructure and expose critical national systems across sectors such as banking, telecom, healthcare, cloud infrastructure and energy networks, experts warn.
Slow cyber preparedness
While the risk is growing at a quick pace, a talent gap, especially in markets like India, is causing a major concern for organisations to ensure cyber preparedness.
“The scale and velocity at which systems like Mythos can detect vulnerabilities fundamentally change the threat landscape for banks,” said the CISO at a large private sector bank. “Earlier, cyberattackers needed weeks or months to identify exploitable weaknesses, now AI models can compress that window into hours.”
He added that the concern is not discovering vulnerabilities, but the widening gap between detection and remediation.
“Banks still rely heavily on manual patch management cycles, legacy infrastructure dependencies and fragmented vendor ecosystems,” he said. “If offensive-grade AI capabilities become commoditised over the next few months, the sector could face a situation where attackers are able to weaponise vulnerabilities faster than institutions can fix them.”
Another CISO with a state-run lender said Indian banks are already operating in an environment with a significant cybersecurity talent shortage.
“Security teams were never designed to handle tens of thousands of vulnerability alerts at machine speed. The real risk is alert fatigue and prioritisation failure, where critical vulnerabilities in internet banking, telecom integrations, or third-party fintech systems remain unpatched because security teams are overwhelmed,” he said.
However, discovering software vulnerabilities does not necessarily mean offenders could cripple the world's digital infrastructure.
“Mythos is currently being tested in a controlled environment and has the capability to craft an attack path which helps in reducing the attack window,” said Sundareshwar Krishnamurthy, partner and India cyber leader at PwC India. “But most enterprises have several safeguards like firewalls, access controls, cryptographic encryptions, etc., which build a layer of safety,” he explained.
“That said, time to large-scale attacks can be dramatically reduced to 30-40 days and that's where cyber teams need to fast-track capabilities on the defensive side,” he said.
