4 min readApr 27, 2026 06:31 AM IST First published on: Apr 27, 2026 at 06:19 AM ISTFor the almost three decades that I have worked in the domain, cybersecurity operated on a reassuring asymmetry: Attackers needed extraordinary skill, time, and patience to find and exploit software vulnerabilities, while defenders, though perpetually behind, could at least count on that human bottleneck to slow the threat. Claude Mythos Preview, Anthropic’s frontier AI model announced on April 7, has shattered that assumption.In controlled evaluations, Mythos Preview could execute multi-stage attacks on susceptible networks and discover and exploit vulnerabilities autonomously, tasks that would take human professionals days of work. Mythos has a fundamentally different architecture from its predecessors, enabling it to chain multiple small vulnerabilities into a single devastating attack, reconstruct source code from deployed software to find exploitable weaknesses, and, once inside a network, automatically map systems, move laterally, and build custom tools to extract data — all within hours.AdvertisementEngineers with no formal security training can ask Mythos to find remote code execution vulnerabilities overnight and wake the following morning to a complete, working exploit. The democratisation of offensive capability, once exclusive to nation-state actors and elite hacker collectives, is now a prompt away.Anthropic’s response is Project Glasswing, a controlled, invitation-only consortium of roughly 50 organisations, including AWS, Microsoft, Google, Apple, and CrowdStrike, given access to Mythos Preview for defensive security work. Over the past few weeks, Anthropic used Claude Mythos Preview to identify thousands of zero-day vulnerabilities in every major operating system and web browser, along with other important pieces of software. The intent is to get defenders ahead of the curve before Mythos-class capabilities reach less scrupulous hands.The logic is sound in principle. But the execution reveals a structural tension at the heart of modern technology governance: Cybersecurity is no longer centred solely on defending systems against enemies but is increasingly about managing AI systems, collapsing the long-standing gap between those who can discover and those who can exploit vulnerabilities. Glasswing addresses the top of this threat pyramid, widely-used software maintained by well-funded companies, but leaves the vast underbelly of custom, legacy, and underfunded systems essentially untouched. Project Glasswing, in its current structure, is a form of digital partnership, but a deeply unequal one. This new digital divide is not about access to technology but access to the tools that secure it.AdvertisementCritics have questioned how much of Mythos’s projected danger is clever marketing. Anthropic is simultaneously the creator of the threat and the curator of its solution — a conflict of interest that deserves scrutiny, even if independent evaluations confirm the threat is largely genuine.you may likeFor India, the implications are urgent and underappreciated. The Fintech Association for Consumer Empowerment (FACE) has urged members to reinforce cyber defences and adopt continuous vulnerability solutions and zero-day vulnerability intelligence in response to Mythos’s capabilities. This is a start, but it barely scratches the surface. India runs enormous volumes of financial, governmental, and civic transactions on software that are old. When Mythos-level tools start finding zero-days in old codebases, Indian institutions will be exposed to vulnerabilities they cannot quickly patch, while the average time-to-exploit now sits under 20 hours. Critically, Project Glasswing does not cover the thousands of custom applications built by Indian banks, government departments, state utilities, and telecom companies. CERT-In and the Ministry of Electronics and Information Technology need to urgently pursue AI-assisted security audits of domestic critical infrastructure as a first step.What Mythos and Glasswing together announce is a new epoch. Cybersecurity, AI governance, and crisis management no longer exist as separate disciplines. They must be integrated into one framework of digital risk governance capable of addressing autonomous, probabilistic, and high-impact systems. Glasswing is a possible, necessary first step, but clearly not a sufficient one.The writer is a defence and tech policy adviser and author of The Digital Decades: On 30 years of the internet in India