India's federal cybersecurity agency issued an emergency alert on April 27: treat AI-assisted vulnerability discovery as an elevated threat. CERT-In, the agency, did not wait for a breach to materialize. It moved preemptively, urging organizations to tighten controls on internal security tooling and to treat the window between vulnerability discovery and exploitation as effectively closed. The trigger was Mythos, Anthropic's system for autonomously finding and weaponizing software flaws.
What makes that warning consequential is not Mythos itself. The harder problem, the one that matters for builders, is that fewer than 1 percent of the vulnerabilities Mythos has identified so far have been patched by the code maintainers who own the affected software, according to Anthropic's technical preview. The automated remediation pipeline that would close that gap is technically feasible in controlled environments but remains unreliable at scale. Building that pipeline at scale is the unsolved part. Whoever closes the gap will be sitting on what several researchers described as the defining security infrastructure opportunity of 2026.
Indian companies are feeling the pressure most acutely. Most large Indian organizations still need 60 to 90 days to deploy a patch across their systems, a timeline CERT-In's April 27 advisory flagged as structurally incompatible with AI-driven exploit generation. Converting a vulnerability into a working exploit now costs under $2,000 in compute and runs in hours, according to Anthropic's Glasswing project page and reporting by the Economic Times. Indian fintechs including One97 Communications (the operator of payments giant Paytm), Razorpay, and Pine Labs have pushed Anthropic directly for access to Mythos, Bloomberg reported. Nasscom, India's technology industry association, separately wrote to Anthropic asking to be included in its proposed defensive program, called Project Glasswing, according to the Economic Times.
The Discord breach sharpened the concern. A small group of unauthorized users gained access to Mythos through a third-party vendor environment on the same day Anthropic announced the system, TechCrunch reported, before most organizations had a chance to assess their exposure.
Bobby Holley, chief technology officer at Mozilla, offered a counterweight. In an interview with The Register, he said all 271 bugs Mythos found in Firefox were of a type an elite human researcher could have located. "We have not seen any bugs that could not have been found by an elite human researcher," Holley said. Patrick Garrity, a researcher at the security firm VulnCheck, put the verified count of actual vulnerabilities — the kind that receive a CVE identifier, the industry standard tracking number — at roughly 40, not the thousands that early coverage implied. A findable bug is not the same as an exploitable one, and a theoretical exploit is not the same as an operational one.
Still, CERT-In did not wait for the academic debate to resolve. The April 27 advisory reflected how quickly the capability has become a policy problem in markets where patch cycles are longest, and how the absence of a reliable automated remediation solution has made that gap a structural liability rather than a theoretical one.