Experts say Mythos is not a threat; instead, it is exposing how vulnerable enterprises already are

When Finance Minister Nirmala Sitharaman recently chaired a high-level meeting with IT Minister Ashwini Vaishnaw, banking executives, regulators, and officials from the BFSI sector to discuss emerging AI-led cybersecurity risks, it marked a shift in how policymakers are beginning to view the next phase of cyber threats. Days later, the Securities and Exchange Board of India (SEBI) also issued an advisory warning regulated entities about advanced AI-driven vulnerability discovery tools and the risks they could pose to digital infrastructure.

At the centre of the conversation is Anthropic’s Mythos — an AI system capable of analysing large codebases, identifying vulnerabilities, and reasoning through exploit paths at unprecedented speed and scale. But cybersecurity firms say Mythos itself is not the real story. The larger concern is that enterprises are entering a phase where the time between vulnerability discovery and exploitation could collapse dramatically, while many organisations still struggle with delayed patching cycles, excessive permissions, fragmented incident response systems, and weak cyber hygiene.

“The AI capabilities introduced by Anthropic’s Claude Mythos aren’t new, they’re just faster and more scalable,” says Parag Khurana, Country Manager for India at Barracuda Networks. “Advances in AI models accelerate AI-enabled threats and compress the time between vulnerability discovery and exploitation.”

India’s enterprise attack surface is already expanding rapidly

The timing of these concerns is significant because cyberattacks targeting Indian enterprises are already rising sharply, and their financial and operational impact is already visible.

In 2023, Sun Pharma disclosed that a ransomware attack had disrupted operations, breached internal file systems, and stolen company and personal data, with the company warning of revenue losses and additional remediation expenses as business systems were isolated during recovery.

More recently, Jaguar Land Rover’s operations and supply chain faced severe disruption following a cyberattack that forced the automaker to shut down critical systems and halt production across facilities in the UK, India, Brazil, Slovakia, and China. The company later disclosed quarterly losses of nearly £485 million following the incident, while industry estimates suggested the broader economic impact could run into billions of pounds due to prolonged production outages and supply chain disruption.

According to cybersecurity firm Indusface’s State of Application Security – India H1 2025 Report, over 4.26 billion cyberattacks were blocked across Indian applications in the first half of 2025 alone, with attacks rising 15% year-on-year. Each monitored site faced an average of 4.1 million attacks during the six-month period.

The report found that APIs are becoming the biggest attack surface for enterprises. API attacks in India surged 126% year-on-year, while DDoS attacks targeting APIs rose 388% per site. More than 1.36 billion API attacks were recorded in H1 2025 alone.

The BFSI sector emerged as one of the most heavily targeted industries. Indusface’s BFS-specific report found that banking and financial services applications faced more than 742 million attacks in H1 2025, while attacks per BFS site rose 51% compared to the previous year. Around 77% of attacks specifically attempted to exploit vulnerabilities, and 95% of BFS websites faced bot-driven attacks targeting logins and transactions.

At the same time, DDoS attacks on BFS APIs surged 518%, while DDoS attacks on websites spiked 172% during periods of geopolitical tension.

Those numbers matter because experts believe AI-assisted offensive tooling could make these attacks even easier to execute at scale.


Indusface