India's Cyber Defenses Were Built for a Slower Enemy
Frontier AI is collapsing the gap between vulnerability discovery and exploitation, and India's financial and payments infrastructure is directly in the frame.
Image Credit: Chetan Jha / MIT Sloan Management Review India
Key Takeaways
01. Frontier AI models are collapsing the time between vulnerability discovery and exploitation, making India’s 60–69 day average patch cycle a structural liability, not a process gap.
02. Offensive cyber capability is becoming cheaper and more accessible, amplifying a threat landscape where India already recorded 265 million detections in 2025.
03. Runtime defense and the assumed-breach model are no longer advanced-practice options. For institutions with legacy infrastructure complexity, they are the new baseline.
When Anthropic announced Claude Mythos Preview, India’s banking regulator did not wait for a threat briefing. Within weeks, Finance Minister Nirmala Sitharaman convened a high-level meeting with senior bankers, regulators, and technology officials. The State Bank of India placed its systems on heightened alert. Discussions inside the Reserve Bank of India and the National Payments Corporation of India expanded rapidly around preparedness and access mechanisms.
That response signals something the cybersecurity industry has been reluctant to state plainly. The concern is not that AI can scan code faster; traditional tools have done that for years. The concern is that Mythos, by Anthropic’s own technical disclosure, can independently reason through attack paths across large, complex systems, chain vulnerabilities, bypass hardened protections, and generate exploits that previously required weeks of work from elite security researchers. India’s financial infrastructure is sprawling, deeply interconnected, and carries the weight of one of the world’s largest real-time payments networks, making it precisely the kind of environment where that capability becomes dangerous.
The question India’s security leaders now face is not whether this threat is real. It is whether the remediation frameworks, regulatory postures, and board-level risk frameworks built over the last decade are calibrated for a threat environment that moves this fast.
India’s Remediation Gap Is Now Structurally Unbridgeable
India’s banking system runs on complexity. Legacy core banking systems sit alongside modern API layers, UPI infrastructure, cloud workloads, and hundreds of third-party software dependencies. That architecture was built for scale, not speed of response.
The problem Mythos introduces is not volume. It is tempo.
“The most significant shift Mythos introduces is autonomous discovery of vulnerabilities across an attack surface at a scale and speed no human team or traditional tool can match,” says Sharda Tickoo, Country Manager for India and SAARC at Trend Micro. “Conventional security tools largely look for recognized patterns and flag anomalies within defined parameters. Mythos goes further. It can analyze complex codebases, reason about logic flaws, chain seemingly unrelated vulnerabilities, and identify exploitable paths that would take a skilled human researcher days or weeks to uncover.”
“The average organization already takes around 60 to 69 days to patch a critical vulnerability,” Tickoo adds. “Mythos-like discovery could surface thousands of flaws in hours. That gap is not bridgeable through engineering headcount.”
Anthropic’s technical disclosure documented exploits across browser engines, Linux kernel environments, enterprise infrastructure stacks, and cryptographic libraries, the same categories that underpin India’s core financial plumbing. In one example, Mythos identified and exploited a 17-year-old FreeBSD vulnerability that allowed remote root access. In another, it chained multiple Linux kernel vulnerabilities to bypass hardened protections. These are not hypothetical attack surfaces. They are the foundations on which Indian banks, payment processors, and fintech platforms operate every day.
The structural implication is direct: Indian financial institutions cannot patch their way out of this. The discovery-to-exploitation timeline is collapsing faster than remediation workflows can keep up with.
“The average organization takes 60 to 69 days to patch a critical vulnerability. Mythos-like discovery could surface thousands of flaws in hours. That gap is not bridgeable through engineering headcount.” — Sharda Tickoo, Country Manager India & SAARC, Trend Micro
Cheaper Offensive Capability Meets India’s Already High-Volume Threat Landscape
For most of cybersecurity’s history, advanced offensive capability required scarce human expertise, long research cycles, and significant resources. That scarcity was, in practice, a form of protection.
Mythos dismantles it.
“It is not hype, and it is not just a faster bug finder,” says Vrajesh Bhavsar, CEO of Operant AI.
“Traditional offensive security required significant human expertise, time, and resources,” he continues. “Finding a zero-day vulnerability in a critical system could take a skilled team weeks. Mythos compresses that to near-zero. What was once expensive, slow, and limited to well-resourced threat actors becomes dramatically more accessible. The barrier to entry for a high-impact cyberattack drops.”
The economic logic matters for India. India recorded 265.52 million cyber threat detections across more than 8 million endpoints in 2025, according to the India Cyber Threat Report 2026, compiled by Quick Heal Technologies. Threats are already driven by automation and AI-assisted phishing. When the cost of generating a high-impact exploit falls to near zero, the existing volume of lower-sophistication attacks gains a far more dangerous upper tier.
“Threats are increasingly driven by automation, AI-assisted phishing, and identity compromise,” says Dr. Sanjay Katkar, Joint Managing Director at Quick Heal Technologies. “When combined with advanced AI capabilities, this creates a scenario where vulnerabilities can be discovered, weaponized, and deployed in near real time.”
One detail went largely unreported after Anthropic’s announcement: Indian institutions were absent from the first Project Glasswing access cohort, the controlled initiative through which Anthropic is providing restricted access to Mythos for defensive research. The frameworks, detection methods, and defensive tooling being built within that cohort will shape the next generation of AI security architecture. India’s absence from that table is not a symbolic oversight. It is a capability gap with a compounding timeline.
That is not an organizational failure. It is the predictable output of structures designed for a more stable world — where disruption was the exception and stability was the default assumption. That assumption is now broken. Instability is the baseline.
RESEARCH HIGHLIGHT: India Cyber Threat Report 2026, published by Quick Heal Technologies, analyzed detections across more than 8 million endpoints nationwide, recording 265.52 million threat detections across 2025. The report identifies automation and AI-assisted phishing as the primary drivers of India’s expanding threat volume — establishing the baseline against which Mythos-class capability must be assessed.
Runtime Defense Is the Requirement, Not a Future Investment
Security strategy in India has historically centered on perimeter defense and scheduled remediation. That model assumed attackers moved slowly enough to be caught, contained, and patched against.
That assumption no longer holds.
“For decades, the cybersecurity industry was built around a single operating assumption: find the problem, then fix it,” says Bhavsar. “That model is breaking down because the time between ‘found it’ and ‘someone is already using it against you’ has shrunk to almost nothing.”
The response emerging among security leaders involves two concrete shifts. The first is virtual patching: deploying security rules at the network and endpoint layer to intercept exploit attempts in real time, without waiting for a vendor patch or scheduled maintenance window. For Indian banks operating on legacy infrastructure, where touching underlying code carries significant operational risk, virtual patching is not a workaround. It is the only realistic near-term defense.
The second is the assumed-breach model. Anand Jude Kannabiran, vice president for Asia at Delinea, frames it directly: “The speed of software patching will need to decrease from days or months to hours or minutes.” Rather than treating breach as a failure to be prevented, organizations design containment, monitoring, and response capability as primary defenses, not secondary ones.
Kannabiran is careful not to overstate the immediate threat. “Not all vulnerabilities or defects found are exploitable, and mitigation techniques can provide workarounds for others,” he says. “The fundamental approach here is defense in depth.”
Parag Khurana, country manager for India at Barracuda Networks, cautions against narrowing the Mythos debate to vulnerability management alone. “Security risks are broader than just vulnerabilities. They include identity, misconfigurations, social engineering, legacy systems, and operational complexity.” Phishing-resistant authentication, network segmentation, and incident-response testing remain foundational, but they now operate within a threat environment that moves faster than the frameworks were designed to handle.
Bhavsar argues the implications extend well beyond financial institutions. “Hospitals running AI on diagnostic systems, power operators using AI for grid management, telecoms with AI embedded in network infrastructure, all of them are operating on the assumption that their AI does what it is configured to do,” he says. “Mythos proves that assumption is no longer reliable.” The challenge, he adds, cannot be anticipated in advance. “You cannot scan for a capability that appeared without warning inside a system you built.”
“The time between ‘found it’ and ‘someone is already using it against you’ has shrunk to almost nothing. The find-it, fix-it model is breaking down.” — Vrajesh Bhavsar, CEO, Operant AI
C-Suite: AI-driven cyber risk is now an operational business risk, not a technology department concern. The SBI and RBI responses to Mythos demonstrate that regulators are treating it as systemic. The immediate priority: establish whether your current remediation timelines are measured in days or hours, and if that answer hasn’t changed in the last six months, it needs to.
CISOs & Technology Leaders: Existing vulnerability management workflows were designed for a slower threat tempo. Two capabilities need immediate assessment: whether virtual patching is deployed at sufficient coverage across legacy infrastructure, and whether runtime monitoring can detect behavioral anomalies without relying on prior threat signatures. Mythos-class models iterate and adapt. Static detection libraries will not keep pace.
Boards & Risk Committees: India’s absence from Anthropic’s Project Glasswing cohort should be a board-level question, not a technical footnote. The governance frameworks and detection standards being shaped inside that initiative will define the compliance landscape for the next decade. Indian institutions not engaged in those conversations will inherit standards they had no role in designing.
The deeper shift Mythos represents is not a new category of threat. It is the removal of the expertise barrier that previously limited who could generate one. India enters that environment with significant infrastructure complexity, a cyber threat volume already among the highest globally, and a regulatory system still calibrating its response.
Executives caution against alarm. “From what has been revealed so far, Mythos does not represent the level of threat where the global financial system is systematically targeted,” says Kannabiran.
But the direction is clear. “The frameworks, standards, and tools being built to address Mythos-class threats will define the next decade of cybersecurity,” says Bhavsar. “India has every reason, and increasingly the capability, to be at that table, not just as an adopter of global frameworks but as an architect of them.”
About the Author
Shivani Tiwari is a Correspondent at MIT Sloan Management Review India, covering AI, cybersecurity, and the people and companies shaping the future of technology.