On April 23, 2026, India's Finance Minister Nirmala Sitharaman sat down with the heads of major banks, the RBI, NPCI, and CERT-In. The topic was a single AI model: Claude Mythos. The Ministry of Finance later called the threat "unprecedented." Banks were told to be on high alert, share threat data in real time, and report any incident fast.

If you run security at an Indian bank, fintech, or insurance firm, this is one of the most important warnings of the year. This post breaks down what is going on. In plain English. No hype. No panic. Just what BFSI leaders need to know and do.


What is Claude Mythos?

Claude Mythos is a new AI model built by Anthropic. The full name is Claude Mythos Preview. It has not been released to the public.

In tests, Mythos was able to:

  • Find software bugs that no one knew were there.
  • Write code that uses those bugs to break in.
  • Chain many small bugs into one big attack.

The UK AI Security Institute ran it on hard hacking tests. Mythos scored 73 percent on expert-level tasks. That is a big jump over older models. Anthropic decided the model was too risky for open release. They kept it under tight control instead.

What is Project Glasswing?

Anthropic launched Project Glasswing as the safe way to use Mythos. It is a small group of trusted firms — about 40 of them. Names include AWS, Microsoft, Google, Apple, Cisco, NVIDIA, Palo Alto Networks, JPMorgan Chase, and the Linux Foundation. They use Mythos to find and fix bugs in critical software before bad actors get the same power.

So far, no Indian company is part of the group. India is in talks with the US and Anthropic to get fair access. This gap is part of why the government is worried. The defenders abroad have a head start. Indian banks do not.

Why India Sounded the Alarm

The Mythos warning is not a small advisory. It came from the top.

At the April 23 meeting, the Finance Minister called the threat "as big as war." She asked for cybersecurity frameworks to become "far more versatile." Strong words. Not the usual tone.

A few facts make the worry real:

  1. NPCI, which runs UPI, has asked for early access to Mythos. They want to test UPI's own code for zero-day risks before someone else finds them.
  2. The RBI is running its own checks with banks and global regulators.
  3. The Indian Banks' Association has been told to lead a coordinated response.
  4. The Indian Express has reported that Mythos may already have been accessed by people it was not meant for.

The last point is the scariest. Once a powerful tool leaks, it spreads.

Why BFSI Faces the Highest Risk

Banks, fintechs, and insurers are not just another sector. They sit on top of three weak spots.

1. Old code. Many core banking systems are 10, 20, even 30 years old. Mythos has already shown it can find bugs that are 16 and 27 years old in widely used software. Old code is its hunting ground.

2. Many connections. A modern bank links to dozens of partners, payment networks, and vendors. Each link is a door. AI can map and test every door at once.

3. High value. Money and data sit inside. Both are worth a lot. Attackers will spend more effort here than anywhere else.

Add one more problem. Indian banks face strict rules. Change is slow. Approvals take time. Attackers face none of that. Our cybersecurity for fintechs page goes deeper into the regulatory pressure side.

[Figure: How a Mythos-class attack reaches a bank — and what stops it. The diagram shows Claude Mythos discovering software bugs, chaining them into a single exploit chain, and targeting an Indian bank's core banking and UPI rails, with an AI SOC defending at machine speed.]

The Real Shift Is Speed, Not Skill

Cybersecurity used to reward deep skill. The best hackers and the best defenders were rare. Both sides had to spend weeks on each task. That gap is closing fast.

Mythos can find a serious bug in hours. It can write a working exploit in the same session. What once took a small team a month now takes one AI agent a single day. The window from "bug found" to "bank breached" is shrinking.

Most bank security setups today are slow by design. Alerts come in. People look at them. People decide what to act on. People take the action. That chain works for a human attacker. It breaks against an AI one.

The New Attacks to Plan For

When Mythos-class AI spreads, here is what BFSI teams should expect.

Faster zero-days. A zero-day is a flaw no one has spotted yet. AI can find them at scale. Older systems will see the most.

Smarter phishing. AI can copy your CEO's writing style, study your internal terms, and craft emails that look real. Spam filters will miss many of them.

Longer attack chains. A single small bug used to be safe to ignore. AI can stitch ten small bugs into one full break-in.

SOC overload. Your security team already gets too many alerts. AI-driven attacks will multiply the noise. Real signals will get buried. This is the problem we built Autopilot to solve.

What the Government Has Asked Banks to Do

The Centre has set out clear early steps. Indian banks have been told to:

  • Share threat data with CERT-In in real time.
  • Coordinate through the Indian Banks' Association.
  • Hire stronger cyber talent. Partner with advanced security firms.
  • Report every cyber incident fast. No delays.
  • Maintain close contact with the RBI and NPCI.

The Finance Ministry and RBI have said Indian banking systems are still safe today. The push is to stay safe tomorrow.

What BFSI Security Leaders Should Do Next

Government rules are a floor. The smart banks will go further. Here is a simple plan.

1. Cut alert noise before you add more tools

Most SOCs are drowning. Adding more dashboards adds more noise. Adding more rules adds more false positives. Start by cutting volume.

Ask: What share of our alerts result in real action? If it is below 5 percent, the SOC has a noise problem. Fix that first.

2. Move from human-speed to machine-speed response

If attackers use AI, manual review chains will not keep up. Look at where humans are still doing routine work. Triage. Log review. Tab-switching between tools. Replace those steps with AI agents that act in real time. Keep humans in charge of judgment calls and big decisions. This is the design idea behind an autonomous AI SOC.

3. Run attacks on yourself, every day

Yearly pentests are not enough now. AI can run thousands of attack paths in parallel. Your defence has to be tested at the same pace. Use red-team AI agents. Run them against your own stack. See what breaks. Patch fast.

4. Track response time, not just detection rate

Detection without action is useless. Track three numbers each month:

  • Time to detect.
  • Time to respond.
  • Time to contain.

Aim to cut all three. The shorter they get, the less an AI-driven attack can do.
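
Steps 1 and 4 both come down to numbers a SOC can compute from its own records. The sketch below is an added example, not SecurityPulse code: it checks the actionable-alert share against the 5 percent floor, lists the rules to tune first, and reports the monthly median time to detect, respond, and contain. The rule names, counts, and timestamps are constructed, and measuring respond and contain from the moment of detection is an assumption.

```python
from datetime import datetime
from statistics import median

# Constructed sample data, not taken from any real SOC.
# Per detection rule: (alerts raised this month, alerts that led to a real action).
ALERTS_BY_RULE = {
    "impossible-travel-login": (1200, 18),
    "edr-suspicious-powershell": (340, 41),
    "waf-sqli-signature": (5100, 12),
    "privileged-account-change": (90, 27),
}

# Per incident: first malicious activity, detection, first response, containment.
INCIDENTS = [
    ("2026-04-02 09:00", "2026-04-02 11:30", "2026-04-02 12:10", "2026-04-02 15:30"),
    ("2026-04-11 22:15", "2026-04-12 06:15", "2026-04-12 06:45", "2026-04-12 10:15"),
    ("2026-04-20 14:00", "2026-04-20 14:20", "2026-04-20 14:25", "2026-04-20 15:20"),
]

def actionable_share(alerts):
    """Fraction of all alerts that resulted in a real action."""
    total = sum(t for t, _ in alerts.values())
    acted = sum(a for _, a in alerts.values())
    return acted / total if total else 0.0

def noisy_rules(alerts, floor=0.05):
    """Rules whose own actionable share is below the floor, loudest first."""
    noisy = [(r, t) for r, (t, a) in alerts.items() if t and a / t < floor]
    return [r for r, _ in sorted(noisy, key=lambda x: -x[1])]

def monthly_times(incidents):
    """Median minutes per phase; the median keeps one slow incident from hiding a trend."""
    fmt = "%Y-%m-%d %H:%M"
    rows = [[datetime.strptime(s, fmt) for s in inc] for inc in incidents]
    mins = lambda a, b: (b - a).total_seconds() / 60
    return {
        "detect": median(mins(start, det) for start, det, _, _ in rows),
        # Assumption: respond and contain are both measured from detection.
        "respond": median(mins(det, resp) for _, det, resp, _ in rows),
        "contain": median(mins(det, cont) for _, det, _, cont in rows),
    }

if __name__ == "__main__":
    print(f"actionable share: {actionable_share(ALERTS_BY_RULE):.1%}")
    print("tune first:", noisy_rules(ALERTS_BY_RULE))
    print("median minutes:", monthly_times(INCIDENTS))
```

On this sample the overall share is under 5 percent, and two high-volume rules account for almost all of the noise, so tuning those two comes before buying anything new.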

5. Build for change

Threats will keep changing. Your security stack should learn and adapt. Static rules will age out fast. Ask vendors how their tools update with new threats. If the answer is "we push new rules every few months," that is too slow. Continuous monitoring matters more than ever — see our guide to continuous compliance monitoring for how the same idea applies to controls and evidence.

Where SecurityPulse AI Fits In

We have been working with BFSI security teams across India and globally for months now. The pattern is the same in almost every conversation. They do not need more dashboards. They do not need a fifth SIEM. They need less noise, faster decisions, and real-time response.

That is what we built SecurityPulse AI for. The platform sorts alerts the way a senior analyst would. It investigates threats on its own. It takes action in real time on the routine ones. It hands the hard calls to your team with full context, so they can decide in minutes instead of hours.

If your bank, NBFC, or insurer is rethinking its security, compliance, SOC, or GRC for the AI era — including compliance readiness for RBI guidelines and global frameworks — we would be glad to talk.

The Bottom Line

Claude Mythos is not the end of bank security. It is a preview of what is coming next. The same AI that helps attackers will also help defenders. The race is about who builds faster.

Indian banks have a choice today. Wait for the first AI-driven breach and react. Or start building machine-speed defence now. The Finance Minister's words were strong for a reason. The threat is real, but it is not unbeatable. Banks that move early will lead the next decade of BFSI security. The ones that wait will pay the bill, in money, in trust, and in time.

Start with one question this week: where in your security stack is a human still doing work that AI could do faster? Find one place. Fix it. Then move to the next. The future of cyber defence is AI versus AI. India can be ready.




