With powerful tools like Anthropic’s Claude Mythos and GPT-5.4 Cyber threatening the integrity of cybersecurity systems around the world, India’s apex cybersecurity agency, the Indian Computer Emergency Response Team (CERT-In), has issued a high-severity advisory. The body has urged organisations and Micro, Small, and Medium Enterprises (MSMEs) to strengthen their defences against new cyber threats powered by advanced AI systems.
The advisory discusses how maturing AI capabilities can autonomously discover vulnerabilities, generate exploits, orchestrate multi-stage attacks, and conduct sophisticated social engineering at unprecedented speed and scale, which could be catastrophic to organisations and MSMEs unprepared to tackle such exploits within their network architectures. “Potential impacts include unauthorised access, service disruption, data exfiltration, identity compromise, financial fraud, impersonation, persistent compromise of operational environments, and cascading compromise of interconnected systems and services,” stated CERT-In.
“Keeping pace with frontier AI-driven cyber developments is critical for maintaining cyber resilience. Baseline cybersecurity controls remain critical and should be rigorously enforced,” states the advisory.
Anthropic’s Mythos triggers CERT-In advisory
The alert comes as global concerns emerge over Anthropic’s Mythos (part of the Claude AI family). Mythos, which is claimed to be a powerful frontier AI model with advanced cybersecurity and code-analysis capabilities, has been withheld from public release by Anthropic because of the potential for significant risks. However, Anthropic opened up a controlled programme called Project Glasswing to allow a few partners to access the model and find vulnerabilities.
In India, Finance Minister Nirmala Sitharaman chaired a high-level meeting last week to assess potential threats Mythos could pose to the banking sector. The government is also engaging with Anthropic’s leadership in the US to safeguard critical infrastructure.
CERT-In stated that such powerful AI systems lower the barrier for malicious actors by enabling fast, low-cost, and automated attacks. These kinds of attacks previously required teams of skilled human experts.
What CERT-In is concerned about
According to the advisory, frontier AI models like Mythos can:
- Perform large-scale analysis of software codebases to identify known and zero-day vulnerabilities
- Accelerate exploit development and proof-of-concept creation
- Conduct automated reconnaissance of networks, APIs, and cloud services
- Enable credential harvesting, privilege escalation, and lateral movement
- Generate highly convincing multilingual phishing and deepfake-based social engineering attacks
- Orchestrate autonomous, adaptive multi-stage cyberattacks
These capabilities could lead to data breaches, financial fraud, service disruptions, and identity theft, posing serious risks, especially to resource-constrained MSMEs.
What the Indian government recommends
The agency has called for immediate enforcement of baseline cybersecurity controls alongside enhanced monitoring:
For organisations:
- Increase frequency of threat detection, log monitoring, and security reviews
- Tune monitoring tools to flag unusual activity patterns indicative of AI-driven attacks
- Enable DDoS protection and enforce Multi-Factor Authentication (MFA) on all internet-facing systems
- Patch critical vulnerabilities within 24 hours using automated processes
- Preserve logs as per CERT-In 2022 directions and report suspicious incidents promptly
- Treat legacy VPNs and outdated software as high-risk entry points
For MSMEs:
- Regularly update operating systems, browsers, and applications
- Implement strong MFA across accounts and services
- Avoid using unverified AI tools in production environments
- Conduct regular cybersecurity awareness training for employees
- Use strong, unique passwords and secure Wi-Fi (preferably WPA3)
For individual users:
- Verify urgent requests, voice calls, or messages before acting, especially those involving money or sensitive data.
- Avoid downloading files or apps from unverified sources.
- Be cautious of AI-generated phishing emails, fake websites, and deepfakes.
CERT-In warned that while AI offers powerful defensive tools, its dual-use nature demands proactive vigilance. The advisory aims to encourage building national cyber resilience as India’s digital economy grows rapidly.
