Experts say Mythos is not a threat; instead, it is exposing how vulnerable enterprises already are


The larger concern is that enterprises are entering a phase where the time between vulnerability discovery and exploitation could collapse dramatically, while many organisations still struggle with delayed patching cycles, excessive permissions, fragmented incident response systems, and weak cyber hygiene.

When Finance Minister Nirmala Sitharaman recently chaired a high-level meeting with IT Minister Ashwini Vaishnaw, banking executives, regulators, and officials from the BFSI sector to discuss emerging AI-led cybersecurity risks, it marked a shift in how policymakers are beginning to view the next phase of cyber threats. Days later, the Securities and Exchange Board of India (SEBI) also issued an advisory warning regulated entities about advanced AI-driven vulnerability discovery tools and the risks they could pose to digital infrastructure.  

At the centre of the conversation is Anthropic’s Mythos—an AI system capable of analysing large codebases, identifying vulnerabilities, and reasoning through exploit paths at unprecedented speed and scale.

But cybersecurity firms say Mythos itself is not the real story. The larger concern is that enterprises are entering a phase where the time between vulnerability discovery and exploitation could collapse dramatically, while many organisations still struggle with delayed patching cycles, excessive permissions, fragmented incident response systems, and weak cyber hygiene.

“The AI capabilities introduced by Anthropic’s Claude Mythos aren’t new, they’re just faster and more scalable,” says Parag Khurana, Country Manager for India at Barracuda Networks. “Advances in AI models accelerate AI-enabled threats and compress the time between vulnerability discovery and exploitation.”

India’s enterprise attack surface is already expanding rapidly

The timing of these concerns is significant because cyberattacks targeting Indian enterprises are already rising sharply, and their financial and operational impact is already visible.

In 2023, Sun Pharma disclosed that a ransomware attack had disrupted operations, breached internal file systems, and stolen company and personal data, with the company warning of revenue losses and additional remediation expenses as business systems were isolated during recovery.

More recently, Jaguar Land Rover’s operations and supply chain faced severe disruption following a cyberattack that forced the automaker to shut down critical systems and halt production across facilities in the UK, India, Brazil, Slovakia, and China. The company later disclosed quarterly losses of nearly £485 million following the incident, while industry estimates suggested the broader economic impact could run into billions of pounds due to prolonged production outages and supply chain disruption.  

According to cybersecurity firm Indusface’s State of Application Security – India H1 2025 Report, over 4.26 billion cyberattacks were blocked across Indian applications in the first half of 2025 alone, with attacks rising 15% year-on-year. Each monitored site faced an average of 4.1 million attacks during the six-month period.  

The report found that APIs are becoming the biggest attack surface for enterprises. API attacks in India surged 126% year-on-year, while DDoS attacks targeting APIs rose 388% per site. More than 1.36 billion API attacks were recorded in H1 2025 alone.  

The BFSI sector emerged as one of the most heavily targeted industries. Indusface’s BFS-specific report found that banking and financial services applications faced more than 742 million attacks in H1 2025, while attacks per BFS site rose 51% compared to the previous year. Around 77% of attacks specifically attempted to exploit vulnerabilities, and 95% of BFS websites faced bot-driven attacks targeting logins and transactions.  

At the same time, DDoS attacks on BFS APIs surged 518%, while DDoS attacks on websites spiked 172% during periods of geopolitical tension.  

Those numbers matter because experts believe AI-assisted offensive tooling could make these attacks even easier to execute at scale.

“What changes now is accessibility and speed”

Cybersecurity experts caution against treating Mythos as a singular breakthrough.

Sujatha Iyer, Head of AI Security, Zoho, says many offensive cybersecurity capabilities already existed through combinations of smaller open-source models, offensive tooling, and highly skilled attackers.

“What changes now is accessibility and speed,” says Iyer. Earlier, AI systems could handle narrower tasks such as vulnerability detection or identifying exploit pathways individually. Mythos-class systems, however, can process significantly larger contexts and reason across broader portions of a codebase, dependency structures, and exploit paths simultaneously.

“The concern is that it lowers the entry barrier,” Iyer says. “Earlier, only highly skilled attackers could perform such analysis at scale. Now even lower-skilled attackers may eventually gain access to such capabilities.”

That reduction in barriers could have major consequences for enterprises already struggling to respond to vulnerabilities quickly enough. Indusface’s report found that nearly 40% of Indian enterprises admitted they lacked the resources to continuously respond to vulnerabilities, while one-third of high-severity vulnerabilities in India remained unpatched for over six months.  

The concern for enterprises is not simply that AI systems can identify vulnerabilities faster. It is that attackers may eventually be able to operationalise exploitation before organisations can patch systems.

Attackers already have the advantage

For Sanjay Katkar, Joint Managing Director at Quick Heal Technologies, enterprises are already struggling to keep pace with the speed and scale of modern attacks.

“When we started in the 1990s, we used to see threats in a few hundreds in a month. Today, the threats are in lakhs per day, unique threats per day,” Katkar says. “It is no longer about certain spikes in attacks. It is steady, ongoing, continuous attacks that are automated.”

Katkar says attackers are no longer operating as isolated hackers. Cybercrime has evolved into an organised ecosystem where specialised groups separately focus on vulnerability discovery, exploit generation, phishing infrastructure, and deepfake creation before combining capabilities into coordinated campaigns.

Modern AI systems are accelerating that transition. Earlier phishing campaigns were easier to identify because of spelling mistakes or suspicious formatting. Now, AI-assisted phishing campaigns can generate convincing emails, deepfake audio, synthetic video, and realistic impersonation attempts that are becoming increasingly difficult to distinguish from genuine communications.

The World Economic Forum’s Global Cybersecurity Outlook 2026 report reflects similar concerns. The report says AI is “supercharging the cyber arms race,” with 87% of respondents identifying AI-related vulnerabilities as the fastest-growing cyber risk in 2025.  

Katkar says enterprises continue to suffer from operational gaps despite investing heavily in cybersecurity tools. “People are sitting on the alerts,” he says. “Once the attack goes to the level where people like us get involved, the alerts were already there. They never took action.” He emphasises 

That operational lag is becoming increasingly expensive. According to recent industry data, the majority of Indian firms hit by ransomware attacks in 2025 paid over ₹12 crore on average to recover operations.  

Cyber hygiene is becoming a survival issue

The concern among cybersecurity firms is that enterprises are still treating cybersecurity largely as a compliance exercise rather than an operational resilience problem.

Barracuda’s Khurana says the basics remain critical even as AI-driven attacks evolve. “Core security starts with basic hygiene and maintenance, such as increasing the frequency of vulnerability scanning and keeping software up to date,” he says. “Consider automating the patching process for added speed, prioritising the most critical bugs first.”

He adds that enterprises also need to reduce their attack surfaces by tightening permissions, segmenting networks, improving authentication systems, and testing backup and recovery processes more frequently. “It is important to remember that security risks are broader than just vulnerabilities,” Khurana says. “They include identity, misconfigurations, social engineering, legacy systems, and operational complexity.”

That issue is becoming particularly relevant as enterprises rapidly deploy AI systems internally.

The next cybersecurity challenge may be machine identities

One of the biggest structural risks emerging from enterprise AI adoption is the rise of non-human identities.

“Now you’re not only managing human identities,” says Zoho's Iyer. “You’re managing non-human entities like agents, service accounts, and autonomous systems that may have access to databases, tools, and workflows.”

As enterprises deploy AI agents across operations, the number of machine-to-machine interactions inside enterprise systems is expected to grow sharply. Every AI agent, API connection, service account, or autonomous workflow potentially becomes another attack surface.

“The biggest mistake enterprises make is giving excessive permissions because configuring granular access is tedious,” Iyer says. “But if those accounts get compromised, the damage becomes massive.”

Mythos is a warning signal, not the root problem

For now, Mythos remains more symbolic than singular. The capabilities worrying enterprises and regulators are already emerging across the wider AI ecosystem. 

What Mythos has effectively done is expose how fragile enterprise cybersecurity operations may already be. That, experts say, is why regulators are escalating discussions now rather than waiting for a major AI-assisted cyber incident to force action later.

As Katkar puts it, “Mythos is going to come and show you a mirror.” 
