Introduction
There used to be a window between a flaw being disclosed and a working exploit appearing in the wild. That window is now measured in hours. Plan accordingly.
For two decades, the practical defense calendar of an Indian enterprise rested on a comfortable assumption. It was believed that between a vulnerability being publicly disclosed and a working exploit being weaponized by attackers, there would be a window of weeks.
This duration was considered long enough for a standard maintenance cycle. It was long enough for change management committees to meet, for vendors to issue patches, and for customers to deploy them across their infrastructure.
The new generation of AI tooling, with Claude Mythos at the public frontier, has collapsed that window entirely. The patch management process most Indian enterprises have been running for ten years assumed a thirty day window. In the current landscape, that window has been compressed by ninety seven percent. We are no longer defending against human researchers; we are defending against machine speed.
What Mythos Actually Is
To defend against this shift, we must first strip away the marketing and speculation. Claude Mythos Preview, shipped on April 7, 2026, is a frontier general-purpose language model, not one designed specifically for cybersecurity. Its advanced coding and reasoning capabilities proved so effective at finding and exploiting software vulnerabilities that Anthropic chose not to release it publicly. While public coverage has often overdramatized its abilities or dismissed them as hype, the reality is much colder.
Mythos is the first publicly demonstrated AI system that can perform autonomous, multi stage cybersecurity tasks at a level that previously required teams of highly skilled human operators, though it is important to note that these capabilities have been demonstrated against weakly-defended systems in controlled evaluations, not against hardened enterprise networks with live defenders.
Three specific capabilities are now established in the public record. First is autonomous vulnerability discovery in widely deployed software, including operating systems and browsers. Second is the generation of working exploits from those discovered vulnerabilities.
Third is the execution of multi-step network operations. This was most famously demonstrated in a thirty two step infiltration test called "The Last Ones," conducted by the UK's AI Security Institute (AISI), an independent government body inside the Department for Science, Innovation and Technology. Mythos Preview became the first AI model to complete this simulated corporate network attack end to end, doing so in three of ten attempts and averaging twenty two of thirty two steps across all runs. While these capabilities exist in isolation in other tools, Mythos chains them together autonomously. This ability to chain flaws without human intervention is the qualitative shift that defines the current era.
The New Profile of Threat Actors
The concern regarding Mythos is not that the AI is loose on the internet or targeting enterprises unprompted. Its capabilities remain bounded by an operator and a goal. However, any operator who acquires these capabilities gains an asymmetric advantage that the traditional annual VAPT model was never designed to handle.
We currently see three categories of actors. Authorized defensive users represent approximately fifty organizations globally with official access through Project Glasswing, using the model to find flaws in their own stacks before adversaries do. Currently, not one Indian organization is on that list.
Then there are unauthorized users, following reports that controls around these models are not airtight. Finally, there are capability mimics. Even without direct access to Mythos, the publicity around its power accelerates parallel work in adversarial AI, including open weight alternatives and red team fine-tuned models. The threat from this third category grows every month.
The Concentration of Risk in India
This shift matters more for India than for many of its global peers. India runs an unusually concentrated digital public infrastructure. Systems like UPI, the Account Aggregator framework, and DigiLocker mean that the consequences of a single chain of flaws are not localized.
Because these layers are built on top of one another, a compromise can scale to hundreds of millions of users in a way that a more federated economy would not experience. A Mythos class adversary does not need to find one catastrophic flaw in any of these systems. It simply needs to find ordinary, mediocre flaws across them and combine them at speed.
The most dangerous attribute here is not individual discovery but the methodical chaining of bugs. As one Tier 1 bank CISO noted, the worry is not the headline making zero day, but rather the four small bugs in four different applications that, when combined, hand over the keys to the kingdom. This is the exact threat profile that AI accelerates.
The Lifecycle Collapse
The classical vulnerability lifecycle had six stages, each measured in weeks or longer: discovery, coordinated disclosure, CVE assignment, vendor patch, customer deployment, and finally, exploit appearance.
AI augmented attackers compress this timeline at three specific points. They accelerate discovery, generating new candidates faster than human teams. They accelerate exploit generation, often producing a working version within hours of a disclosure.
Finally, they accelerate chaining, combining multiple smaller flaws into a single attack path that previously would have taken weeks of human creativity to construct.
Before vs. Now: A Strategic Comparison
| Practice | Traditional Posture | The Mythos Era |
|---|---|---|
| Disclosure to Exploit | Weeks | Hours |
| Critical Patch SLA | 30 Days | 24 Hours |
| Testing Cadence | Annual / Periodic | Continuous |
| Attack Complexity | Single Vector | Multi Stage / Cross Layer |
| Operating Speed | Human Speed | Machine Speed |
| Asset Discovery | Annual Reconciliation | Live External Mapping |
Breaking Old Habits
Four specific calendar habits no longer survive contact with this new lifecycle. First is the reliance on annual penetration testing as the sole offensive validation. A test surface that is sampled annually but changes weekly creates a massive window of vulnerability.
Second is the monthly patch cycle for internet facing assets. A thirty day SLA is now a documented compliance gap rather than a risk management strategy. Third is the quarterly board review without an event driven escalation path. Significant threat shifts now happen every six weeks.
Finally, the use of static asset registers is a liability. Asset lists drift faster than they are documented, and a static register is merely a list of what you believe you own, rather than what is actually exposed.
The Security Calendar That Replaces Them
To survive, the defensive posture must change from a scheduled cadence to a continuous loop. This requires three core disciplines:
1. Patch Discipline at Speed
A twenty-four-hour patch loop on critical findings is non-negotiable. This loop must be rehearsed before it is needed, as an untested patch loop is not a functioning control.
2. Attack Surface Compression
The most reliable way to reduce risk is to shrink the attack surface. The fewer internet facing things an organization owns, the fewer things an autonomous attacker can probe.
3. Continuous Chain Objective Testing
Annual posture is not a defense. Organizations must move toward continuous posture, anchored by a CERT In empanelled partner and a rehearsed rapid patch loop. Testing must be scoped across customer facing, integration, and operations layers to find the combinations that single application testing will always miss.
Conclusion: The New Gravity
Mythos is not an isolated event; it is the new gravity of the cybersecurity world. The defensive posture that survives the next five years will not be the one that defeats a specific AI model. It will be the one that survives a category of attackers whose advantages are speed, scale, and autonomous chaining.
The vulnerability lifecycle has been compressed beyond recognition. What once moved in weeks now moves in hours. Defenders who internalize this shift and build their programs around speed and continuous pressure testing will be the ones who succeed.
Time is no longer a resource any defender can afford to spend the way they used to. Building a posture of machine speed resilience is now the primary mission.
FAQ:
1. What is Claude Mythos Preview and why is it a cybersecurity milestone?
Claude Mythos Preview is Anthropic's general-purpose AI model, released April 7, 2026, capable of autonomously discovering and exploiting software vulnerabilities at a scale no prior model achieved. It remains restricted to roughly fifty organizations via Project Glasswing due to its security implications.
2. Why does AI-powered cyberattack pose a greater risk to Indian enterprises than global peers?
India's layered digital infrastructure, UPI, Account Aggregator, and DigiLocker, means chaining a few ordinary vulnerabilities can compromise hundreds of millions of users simultaneously. No other economy carries this concentration of risk across a single interconnected stack.
3. What is Project Glasswing and what does India's absence from it mean?
Project Glasswing is Anthropic's controlled early access program giving fifty organizations the ability to find and fix vulnerabilities before attackers do. With no Indian organization currently included, Indian enterprises receive no early warning and must build independent continuous defense programs.
4. What immediate steps should Indian CISOs take to defend against AI-powered cyber threats?
Three actions are critical: reduce the critical patch cycle for internet facing assets to twenty four hours, replace static asset registers with a live external attack surface scan, and move from annual VAPT to continuous security testing with a CERT-In empanelled partner.
