Companies given early access to Anthropic’s Mythos model under Project Glasswing told ET that the biggest cybersecurity risk is now speed of response, not just uncovering software flaws as the window between finding a vulnerability and exploiting it is shrinking so rapidly that most enterprises may not have enough time to patch systems before attackers strike.
“Historically, the security industry has relied on the time and skill required to turn a discovered bug into a working exploit to give defenders a meaningful grace period,” said Philippa Cogswell, managing partner, JAPAC, Palo Alto Networks Unit 42. “Mythos proves that assumption no longer holds.”
This is critical for Indian companies that typically take as many as three months to put up their defences. Mythos can turn a flaw into a working attack in minutes; most Indian companies still take 60–90 days to fix systems, creating what experts call a “kill zone.” No Indian companies were included in Project Glasswing, which gave 40 US companies early access to the model to test their systems for flaws and protect them.
Global security firms, including Palo Alto Networks and Check Point Software Technologies, tested Mythos as part of Project Glasswing. These companies told ET that they have been forced to change how they think about cybersecurity.
Companies that tested Mythos said it could find tens of thousands of vulnerabilities, compared with roughly 500 found by Anthropic’s previous model, Opus 4.6, a 20-fold jump in one generation. It built working exploits for more than half of what it found and succeeded in breaching defences at the first attempt in 83 out of 100 cases.
The problem goes beyond volume, said Sundar Balasubramanian, managing director, India and South Asia, Check Point Software Technologies.
“Issues that appear statistically insignificant in testing become operationally unavoidable once systems process millions of transactions,” he said. “The goal is not to patch everything but to reduce exposure fast.”
The nature of attacks is also changing.
“Attacks are becoming democratised and industrialised, moving from bespoke operations to repeatable, automated pipelines,” he said.
The access gap will not last long, but that is not good news.
“Within six months, these capabilities will be commonplace across other major AI labs, Chinese models, and open source,” noted Cogswell. “Organisations still thinking of vulnerability management as a discrete programme rather than a continuous operational function are already behind.”
The cost of mounting an attack has also fallen. Converting a vulnerability into a working exploit once took skilled researchers weeks. It now takes under a day and costs less than $2,000.
“The patch cycle is no longer a process of inefficiency--it is a strategic vulnerability,” said Arjun Nagulapally, CTO, AionOS. “Adversaries close the loop in hours. Indian IT teams close it in months. The gap isn’t just a risk, it’s a kill zone.”
Mythos turns a discovered flaw into a working attack in minutes, he added. Many companies are still building cyber defences around the assumption that they will have days or weeks to respond.
Banking and telecom carry the most risk, Nagulapally said. Both run on old systems that are hard to patch without disrupting services.
Mythos, said to be the most powerful AI model developed to date, is expected to expose deep-seated vulnerabilities in the infrastructure of companies globally. Anthropic has held back a wider launch due to this fear while giving early access to the group cited above.
ET reported last week that Nasscom, representing India’s technology companies, has written to Anthropic, asking that they be included in Project Glasswing and be given access to Mythos to build cyber resilience since their code is used by companies across the globe. The Ministry of Electronics and Information Technology (MeitY) is also reportedly in discussions with Anthropic executives in the US on giving early access to Indian companies.
Tech policy analyst Subimal Bhattacharjee said India’s security frameworks were not built for such speed of response.
“When frontier AI models can autonomously discover and chain zero-day vulnerabilities within hours, India’s CERT-In advisory cycles and manual patch-response workflows become fundamentally mismatched to the threat environment,” he said. He said the larger risk is a coordinated attack across power, railways, telecom, and banking, all of which run on ageing infrastructure.
CERT-In on April 27 issued a high-severity advisory on the Mythos AI model, warning that its advanced capabilities could enable automated, rapid and large-scale cyberattacks, particularly putting Indian MSMEs and banking systems at risk. The agency urged organisations to strengthen defences against AI-driven reconnaissance, vulnerability exploitation and social engineering attacks.
CERT-In or Indian Computer Emergency Response Team is the cybersecurity nodal agency.
The emerging gap will be between organisations that still treat security as a pre-deployment checkpoint and those that treat it as a continuous feedback loop operating at machine speed, said Balasubramanian.
“AI can multiply the output of the talent that exists,” said Nagulapally. “The window to use AI as a force multiplier rather than face it as an adversarial force is measured in quarters, not years.”
“Historically, the security industry has relied on the time and skill required to turn a discovered bug into a working exploit to give defenders a meaningful grace period,” said Philippa Cogswell, managing partner, JAPAC, Palo Alto Networks Unit 42. “Mythos proves that assumption no longer holds.”
This is critical for Indian companies that typically take as many as three months to put up their defences. Mythos can turn a flaw into a working attack in minutes; most Indian companies still take 60–90 days to fix systems, creating what experts call a “kill zone.” No Indian companies were included in Project Glasswing, which gave 40 US companies early access to the model to test their systems for flaws and protect them.
Global security firms, including Palo Alto Networks and Check Point Software Technologies, tested Mythos as part of Project Glasswing. These companies told ET that they have been forced to change how they think about cybersecurity.
Companies that tested Mythos said it could find tens of thousands of vulnerabilities, compared with roughly 500 found by Anthropic’s previous model, Opus 4.6, a 20-fold jump in one generation. It built working exploits for more than half of what it found and succeeded in breaching defences at the first attempt in 83 out of 100 cases.
The problem goes beyond volume, said Sundar Balasubramanian, managing director, India and South Asia, Check Point Software Technologies.
“Issues that appear statistically insignificant in testing become operationally unavoidable once systems process millions of transactions,” he said. “The goal is not to patch everything but to reduce exposure fast.”
The nature of attacks is also changing.
“Attacks are becoming democratised and industrialised, moving from bespoke operations to repeatable, automated pipelines,” he said.
The access gap will not last long, but that is not good news.
“Within six months, these capabilities will be commonplace across other major AI labs, Chinese models, and open source,” noted Cogswell. “Organisations still thinking of vulnerability management as a discrete programme rather than a continuous operational function are already behind.”
The cost of mounting an attack has also fallen. Converting a vulnerability into a working exploit once took skilled researchers weeks. It now takes under a day and costs less than $2,000.
“The patch cycle is no longer a process of inefficiency--it is a strategic vulnerability,” said Arjun Nagulapally, CTO, AionOS. “Adversaries close the loop in hours. Indian IT teams close it in months. The gap isn’t just a risk, it’s a kill zone.”
Mythos turns a discovered flaw into a working attack in minutes, he added. Many companies are still building cyber defences around the assumption that they will have days or weeks to respond.
Banking and telecom carry the most risk, Nagulapally said. Both run on old systems that are hard to patch without disrupting services.
Mythos, said to be the most powerful AI model developed to date, is expected to expose deep-seated vulnerabilities in the infrastructure of companies globally. Anthropic has held back a wider launch due to this fear while giving early access to the group cited above.
ET reported last week that Nasscom, representing India’s technology companies, has written to Anthropic, asking that they be included in Project Glasswing and be given access to Mythos to build cyber resilience since their code is used by companies across the globe. The Ministry of Electronics and Information Technology (MeitY) is also reportedly in discussions with Anthropic executives in the US on giving early access to Indian companies.
Tech policy analyst Subimal Bhattacharjee said India’s security frameworks were not built for such speed of response.
“When frontier AI models can autonomously discover and chain zero-day vulnerabilities within hours, India’s CERT-In advisory cycles and manual patch-response workflows become fundamentally mismatched to the threat environment,” he said. He said the larger risk is a coordinated attack across power, railways, telecom, and banking, all of which run on ageing infrastructure.
CERT-In on April 27 issued a high-severity advisory on the Mythos AI model, warning that its advanced capabilities could enable automated, rapid and large-scale cyberattacks, particularly putting Indian MSMEs and banking systems at risk. The agency urged organisations to strengthen defences against AI-driven reconnaissance, vulnerability exploitation and social engineering attacks.
CERT-In or Indian Computer Emergency Response Team is the cybersecurity nodal agency.
The emerging gap will be between organisations that still treat security as a pre-deployment checkpoint and those that treat it as a continuous feedback loop operating at machine speed, said Balasubramanian.
“AI can multiply the output of the talent that exists,” said Nagulapally. “The window to use AI as a force multiplier rather than face it as an adversarial force is measured in quarters, not years.”