India Uses Open-Source AI to Hunt Cyber Flaws

Cert-In has developed an indigenous AI-powered testing platform to identify vulnerabilities in critical public-sector systems.

Topics

  • India’s national cybersecurity agency has begun using an indigenous testing platform and open-source artificial intelligence models to identify vulnerabilities in systems operated by major public-sector financial institutions.

    The closed trial platform was developed by the Indian Computer Emergency Response Team, known as Cert-In, over the past six months as the government prepares for cyber risks posed by increasingly capable AI systems.

    “What we’re doing to prepare ourselves against AI risks is Cert-In’s own sandbox for such vulnerabilities,” Electronics and Information Technology Secretary S. Krishnan said at the launch of the Digital Threat Report 2025–26 in New Delhi on Monday, 13 July.

    Krishnan said the agency was using open-source and other AI models to find and patch weaknesses in widely used systems while access to Anthropic’s more capable Claude Mythos models remained restricted.

    Anthropic describes Mythos as its most capable model for cybersecurity and biology research. The company says Mythos Preview and about 50 partners identified more than 10,000 high- or critical-severity vulnerabilities in widely used software. Access to Mythos 5 remains limited to selected organisations under a trusted-access program.

    Cert-In Director General Sanjay Bahl said the agency was working with large public-sector financial institutions to test their systems for vulnerabilities that AI could uncover and exploit.

    “We are actively monitoring the impact that AI can have on critical sectors,” Bahl said. The objective was to strengthen public infrastructure so that India would be better prepared when it gained access to more advanced models, he added.

    The initiative comes as AI compresses the time needed to discover and weaponize software flaws. Cert-In has warned that threat actors are using AI to automate vulnerability discovery, accelerate reconnaissance, generate malware and conduct more targeted phishing attacks.

    Anthropic’s own testing illustrates the change. In one experiment, Mythos Preview developed proof-of-concept attacks for 18 of 21 recently patched Windows vulnerabilities within six hours. It also produced eight full privilege-escalation exploits, reducing work that once required specialist teams and substantial time to a process costing a few thousand dollars.

    The Digital Threat Report, produced by Cert-In, the Computer Security Incident Response Team in Finance and cybersecurity company SISA, identifies what it calls “AI asymmetry” as a major risk for banks and financial institutions.

    Tasks that once demanded specialist teams, substantial resources and weeks of work can increasingly be performed at machine speed by less sophisticated attackers, the report said. 

    Six of seven emerging threats identified in last year’s edition have already developed into established attack methods.

    Those threats include credential theft, social engineering, supply-chain compromise and cloud exploitation. Attacks are also becoming harder to distinguish from legitimate activity because they can appear as approved payments, genuine user sessions or ordinary business workflows.

    The sandbox gives Cert-In a way to test how readily available AI models perform against Indian systems while the most capable models remain out of reach. It may not match Mythos in speed or capability, but it allows the agency to begin finding and closing vulnerabilities rather than waiting for access to frontier tools, analysts said.

    Topics

    More Like This

    You must to post a comment.

    First time here? : Comment on articles and get access to many more articles.