CERT-In flags ‘high-severity’ AI cyber risks amid Claude Mythos concerns

The Indian Computer Emergency Response Team (CERT-In), the cybersecurity regulatory body of India, has released a 'high-severity' advisory regarding imminent cyber threats associated with emerging and advanced Artificial Intelligence (AI) systems.

According to CERT-In’s latest alert (CIAD-2026-0020), dated April 26, 2026, the new generation of AI models, i.e. the 'frontier AI' models such as Claude Mythos and GPT 5.5, have now acquired the ability to conduct autonomous vulnerability discovery, exploit development, reconnaissance, and multi-stage attacks without any human assistance.

AI is accelerating cyberattacks

Add Zee Business as a Preferred Source

According to the advisory, these AI systems can analyse vast codebases to detect both known and zero-day vulnerabilities, significantly reducing the time needed to launch attacks. They can also automate credential harvesting, simulate full-scale enterprise breaches and generate highly convincing phishing content in multiple languages.

CERT-In warned that such capabilities could lower the entry barrier for cybercriminals, enabling faster, cheaper and more scalable attacks across sectors.

Key risks and potential impact

Increased susceptibility to cyber attacks was observed by the agency, particularly large-scale cyber campaigns targeting inadequately protected systems. Possible consequences may be:

• Unauthorised system entry
• Breach of information security and data exfiltration
• Identity theft and impersonation
• Financial fraud
• Disruption of service
• Persistent threat to critical infrastructure

The advisory also cautioned that interconnected digital systems could face cascading failures if attacks are not contained quickly.

Organisations urged to adopt 'Zero Trust' and rapid patching

In this regard, CERT-In has urged companies to adopt the Zero Trust Network Architecture (ZTNA) model, which considers all requests for access untrustworthy by default. The following actions were stressed:

• Mandatory multi-factor authentication (MFA)
• Network microsegmentation
• Effective and strict management of internet-facing system
• Identity verification via hardware means

CERT-In warned that critical flaws must be fixed within 24 hours, as AI-enabled hackers can exploit vulnerabilities just hours after their discovery.

Focus on cyber hygiene and preparedness

The advisory underlined the importance of strong cyber hygiene practices, including:

• Performing regular software updates and patches
• Creation of secure backups according to the 3-2-1 principle
• Elimination of redundant services and use of default credentials
• Implementation of up-to-date endpoint security solutions

It also urged organisations to strengthen incident response plans, conduct AI-focused cyber drills and maintain readiness for simultaneous large-scale cyber incidents.

Special guidance for MSMEs and individuals

Recognising resource constraints, CERT-In advised MSMEs to adopt cost-effective measures such as enabling automatic updates, using MFA, and relying on managed security services.

For individuals, the agency warned of rising AI-enabled phishing, deepfake scams and impersonation attempts. Users are advised to verify suspicious communications, avoid untrusted downloads, use strong passwords, and enable MFA wherever possible.

‘Dual-use’ nature of AI raises concern

While acknowledging the benefits of AI in strengthening cyber defence, CERT-In cautioned that its dual-use nature makes it equally powerful for malicious actors.

The agency urged all stakeholders to stay alert, continuously monitor systems and report suspicious activity promptly, as AI-driven cyber threats are expected to grow in sophistication and scale in the near future.