Picture an AI model quietly scanning the world’s most widely used software and finding bugs that human experts missed for over a decade. That’s not science fiction: it is what Anthropic’s Claude Mythos is reportedly doing right now. And for India’s massive IT industry and government systems, the implications are enormous.
What Exactly Is Claude Mythos?
Anthropic’s next AI model, Mythos, has one especially remarkable feature: it can identify security flaws deep within intricate software codebases. Not new software, but core technologies that power millions of servers and PCs worldwide, such as the Linux kernel, OpenBSD, and FFmpeg.
These are not simple tools. Linux alone powers most web servers, cloud infrastructure, and Android phones worldwide. The whole digital world takes notice when an AI model begins to reveal flaws in these systems that were previously undetected.
The dual nature of the discussion around Mythos is what makes it so unique: it may be the most potent security scanner in the world, assisting defenders in fixing serious flaws before attackers take advantage of them. However, if made public, it may also serve as a guide for hackers searching for precisely those same weaknesses.
Project Glasswing: A Race Against Time
Anthropic made a deliberate choice to grant early access to a controlled group and use that window to fix what the model finds before releasing Mythos to the general public. That effort is called Project Glasswing.
What is known about it is as follows:
- Early access to Mythos is granted to a group of forty businesses and open-source maintainers.
- A $100 million budget has been pledged by Anthropic to support the endeavor.
- The objective is to find vulnerabilities in popular software codebases and fix them before the model is made public.
- Anthropic has already acknowledged discovering flaws in the Linux kernel, OpenBSD, and FFmpeg: vulnerabilities that have been around for years without being noticed.
It’s a unique strategy. The majority of AI features are disclosed and made available with comparatively little time for ecosystem preparation. In contrast, Anthropic is making use of the pre-release time as a required hardening period.
Anthropic was referred to as a “responsible” participant for this strategy by Vinayak Godse, CEO of the Data Security Council of India (DSCI) under Nasscom. He is correct, but being responsible does not imply that there is no risk.
Why Indian IT Firms Are Nervous
The unsettling truth is that Anthropic has not yet released a list of Glasswing consortium participants that includes any Indian companies.
There are several reasons why that is important. The worldwide software supply chain is intricately linked to Indian IT firms, particularly the big ones like Infosys, TCS, Wipro, and HCL. They create, integrate, and manage intricate technological stacks for customers in the banking, healthcare, logistics, and government sectors globally. Every custom layer created on top of the underlying operating systems and libraries that such stacks rely on is vulnerable.
Citing its financial reporting quiet period, Infosys declined to comment on whether it was a Glasswing partner after announcing a relationship with Anthropic at the AI Impact Summit. That makes sense. However, the industry’s general unease is also reflected in the silence.
Pawan Prabhat, co-founder of LLM deployment company Shorthills AI, did a good job of framing the problem: Glasswing may be used to fix the shared infrastructure (Linux, OpenBSD, and open-source libraries). However, the custom code that Indian systems integrators create for customers? They are solely accountable for that.
He stated, “The more pertinent question is whether Indian firms are investing enough in their own security posture on top of that shared infrastructure.” To put it another way, even if Glasswing fixes the foundation, you still have an issue if the floors, walls, and roof you erected on top of it leak.
The Govt. Systems Problem: A Particularly Soft Target
The story of government IT is different, and perhaps more worrisome. India’s political structures are not all the same. There are significant differences in security preparation amongst departments, ministries, and state governments. Certain systems are kept up to date. Others rely on outdated code that hasn’t undergone a thorough examination in a long time.
“Government systems like Aadhaar and GST run on older codebases,” stated Srinivas Padmanabhuni, CTO at AI testing company AiEnsured. Mythos has already proven to be able to identify weaknesses in these sorts of systems that have been undetected for decades.
That is not a theoretical issue. Over a billion Indians’ biometric and identification data are stored in Aadhaar. Every day, massive amounts of financial transaction data are processed by GST systems. It is difficult to overestimate the harm that may result from a significant vulnerability in either, particularly if it is found and used by a hostile actor before it is patched.
The SaaS and Product Ecosystem: A Tsunami Warning
Beyond government and IT services, India’s expanding product and SaaS ecosystem is a third group with significant stakes.
In Bengaluru, Hyderabad, Pune, and other locations, India has developed a sizable cluster of software product firms that provide anything from deep-tech industrial software to B2B SaaS platforms. Many of these businesses compete directly with multinational firms and sell to foreign customers.
“Imagine if this model is available for everyone to use, what happens to the entire SaaS plus deep-tech product ecosystem across the globe?” Godse said. The issue is not limited to computer software; it also affects physical systems, such as IoT devices in smart buildings and industries, and SCADA systems used in manufacturing and utilities.
“It’s an entire tsunami coming in,” Godse said.
The Bigger Question: Are Bugs Sparse or Dense?
At the center of all of this is a technical disagreement about how concerned everyone should be.
Are software flaws sparse, occurring only seldom in otherwise secure code? Or are they dense, which means that there can be an endless number of defects concealed in intricate codebases, just waiting to be discovered by anyone (or anything) that searches hard enough?
Anthropic researcher Nicholas Carlini discussed this during a presentation in March in which he showed that the current publicly accessible model, Claude Opus, not even Mythos, detected defects at a rate that he described as “shockingly” good. “In the transitional period between now and then, things probably are very bad,” he said in a gloomy assessment of the near future.
The issue facing India’s IT sector is this transitional period. Although patches are still being created, Mythos will ultimately be made available to the public. Additionally, anything that identifies weaknesses for defenders may, in the wrong hands, be used to identify targets.
What Indian Firms Should Actually Do
The honest answer is that waiting for Glasswing to cover everything is not a strategy. Here’s what forward-looking firms should be doing:
- Audit your custom code now. Glasswing will help patch the open-source foundation, but proprietary codebases are your own responsibility.
- Engage with CERT-In proactively. If you haven’t already built a relationship with India’s cybersecurity response team, now is the time.
- Invest in AI-powered security tooling. Mythos will eventually be public. Using similar capabilities defensively — before attackers get access — is a genuine competitive advantage.
- Have an honest internal conversation about legacy systems. If you’re running code written ten years ago that hasn’t been seriously reviewed, assume it has vulnerabilities.
The Bottom Line
Claude Mythos is a very novel type of tool. For the first time, AI has the ability to scan large codebases and find vulnerabilities that people have overlooked for ten years or more. Project Glasswing is Anthropic’s attempt to use this power ethically, aiming to fix those vulnerabilities before the model becomes public.
However, India’s government processes, IT sector, and expanding product ecosystem are mostly observing that endeavor from the outside. The fixes will still be helpful. But it does mean that India is solely responsible for resolving the aspects of its digital infrastructure that Glasswing does not address.
Anthropic researcher Nicholas Carlini expressed optimism that “the defenders win in the long term.” However, “long term” is the crucial part. India will need to take this moment seriously, not merely observe it, in order to go from here to there without causing major harm along the way.
We recommend checking this detailed guide for more clarity: IT industry, Govt. examine cybersecurity implications of Anthropic’s Mythos model