Anthropic’s Mythos AI Now in India via Project Glasswing
By Sivam
Anthropic expands Mythos AI access to 150 Indian organizations via Project Glasswing, bolstering cybersecurity and addressing zero-day vulnerabilities.
AI company Anthropic has expanded access to its cybersecurity AI model, Mythos, to approximately 150 organizations across India as part of ‘Project Glasswing’. This initiative aims to proactively identify and fix critical zero-day vulnerabilities before attackers can exploit them, marking a significant development in India’s cybersecurity landscape.
Project Glasswing pairs the closed Claude Mythos Preview model with participating organizations across more than 15 countries. The model, designed specifically to detect software security flaws, was initially kept under tight restrictions after early testing because of concerns that it could surface vulnerabilities rapidly and be misused.
Initially, Project Glasswing was limited to about 50 partner organizations, including major tech firms like Amazon, Google, Microsoft, Apple, and NVIDIA. Cybersecurity companies such as CrowdStrike and Palo Alto Networks, along with the UK’s AI Security Institute, were also early participants. By late May, these users had leveraged Mythos to identify over 10,000 serious security vulnerabilities, Anthropic reported.
The latest expansion extends Mythos access to organizations in Australia, Canada, France, Germany, Italy, Switzerland, the Netherlands, Spain, Belgium, Sweden, Japan, New Zealand, and South Korea, in addition to India. Anthropic is strategically positioning Mythos as a critical cybersecurity tool for governments, critical infrastructure operators, and key institutions globally, despite ongoing concerns regarding its powerful vulnerability identification capabilities.
India Assesses AI Cybersecurity Risks
Amid these concerns, India intensified efforts to identify software vulnerabilities. Reports indicated India was testing key financial and government software, including Aadhaar and login platforms, against the Mythos AI model. Major tech firms like Infosys and Tata Consultancy Services conducted controlled security tests.
Since these organizations did not have direct access to Mythos, they utilized Anthropic’s Claude Opus 4.7 for identifying and fixing vulnerabilities. Concurrently, the central government is reportedly advocating for the sovereign hosting of the Claude AI model within India. This push stems from jurisdictional, compliance, and national security concerns surrounding foreign-hosted infrastructure, particularly for sensitive sectors like banking, telecom, and critical infrastructure.
Anthropic has engaged in discussions with officials from India’s finance ministry, the Ministry of Electronics and Information Technology (MeitY), and the Indian Computer Emergency Response Team (CERT-In) regarding access to the Mythos model. These meetings underscore the nation’s proactive approach to understanding and mitigating potential risks associated with advanced AI cybersecurity tools.
Regulatory Response and Guidelines
In May, the Securities and Exchange Board of India (SEBI) established a task force named ‘cyber-suraksha.ai’ specifically to assess cybersecurity risks posed by Mythos. This group is tasked with developing a unified mitigation framework, facilitating threat intelligence sharing, improving vulnerability management, and strengthening response playbooks for regulated entities.
SEBI expressed concerns that AI-based vulnerability tools like Mythos could heighten risk exposure and raise issues regarding data confidentiality and output reliability. Following consultations, the regulator issued comprehensive cybersecurity guidelines. These directives included immediate patching, AI-based vulnerability assessments, stronger vendor coordination, stricter API controls, enhanced monitoring, zero-trust frameworks, and onboarding onto market security platforms, along with long-term AI-based threat detection plans.
India's central government was also reportedly in discussions with the United States and Anthropic to explore mechanisms for Indian companies to access Mythos while safeguarding critical infrastructure. Finance Minister Nirmala Sitharaman had previously flagged the risks associated with the model, prompting high-level meetings.
These meetings involved Sitharaman, IT Minister Ashwini Vaishnaw, representatives from banks, the Reserve Bank of India (RBI), MeitY, and the National Payments Corporation of India (NPCI). The discussions focused on strengthening cybersecurity defenses and coordination, with banks specifically directed to report cyber incidents quickly and collaborate with CERT-In and other agencies.
The Reserve Bank of India is also actively reviewing the risks presented by Mythos. This review is being conducted in coordination with global regulators and domestic stakeholders, indicating a comprehensive and multi-faceted approach to addressing the implications of advanced AI in cybersecurity.