HDFC Bank, India’s largest private sector bank, is shifting from reactive patching to what it calls “secure software manufacturing”, embedding AI-led controls into development and threat detection as cyber risks evolve. CIO Ramesh Laksminarayanan tells Kshipra Petkar how the bank is responding to the rapid rise of advanced AI models.
From an industry perspective, how do you see what’s happening with AI right now?
If you look at it from an industry perspective, this is a new type of opportunity that is coming. It’s not something to look at only from a risk angle. AI models are becoming intelligent by the hour. Over the last three to five months, the growth has taken a different trajectory because of the complex models that are coming in.
It started with ChatGPT and OpenAI, then others came in, then you had the Chinese model DeepSeek shaking up the market. Now Anthropic’s Claude has started taking the lead. The leadership and the leaderboards are changing very rapidly. It’s not like one company is saying, “I have the market.” That’s the good part. But because of the sophistication of these models — especially multi-agent capabilities — the risk dimension has changed.
What is different about the Mythos model?
Mythos is an extension of the Claude models. It’s not built specifically for security, but because of the way it operates, it has major implications for security. While working on it, they found that it could identify vulnerabilities never discovered by humans. Zero-day vulnerabilities are usually found by ethical hackers or testers manually reviewing code. This was the first time a machine could find them at that speed.
The second issue is sequencing. Earlier, attacks were sequential. You would find one vulnerability, patch it, then move to the next layer. Now the model can look across firewall, server, database and software simultaneously and sequence vulnerabilities together. It’s like a number lock — earlier someone tried one digit at a time. Now all combinations are being evaluated in parallel. That’s the risk.
How are governments responding?
In India, discussions are happening at multiple levels. There is coordination between CERT-In, regulators and industry forums. Eventually, RBI may come out with an advisory to tighten patching and infrastructure review. It’s not about banning models. It’s about controlled deployment and ensuring the ecosystem is protected.
What is HDFC Bank doing specifically?
The risks are no different for us. But we have taken several steps.
First, a lot of our development has moved in-house. Around 1,500 of our technology staff focus on development. When you build your own software, you can secure it at the manufacturing stage itself. Security cannot be done after buying a product. We are bringing AI into our DevOps pipeline so that code gets scanned while it is being built. Second, we are reviewing patching strategies and infrastructure more rigorously. We are looking at zero-day vulnerabilities and asking third-party vendors to do the same.
Third, we are strengthening our red teams — ethical hackers who simulate attacks. Cybersecurity today requires deep engineering talent, not just policy-driven oversight. Fourth, we are accelerating zero trust architecture and micro-segmentation. Every packet entering the network is treated as untrusted. Even if someone gets in, their movement is restricted. Fifth, we are upgrading our Security Operations Centre (SOC). Traditional SOCs monitor and react. We are bringing AI capabilities so that suspicious traffic can be blocked immediately.
How important is talent in this environment?
Talent is critical. The person who can hack the system may not manage 100 people — but that person could be your most important resource. We are building what we call a security factory — recruiting specialised talent, going to colleges early and creating different career paths for engineers.