India Issues Cyber Red Alert Over AI Bug-Finding Threat

India's Securities and Exchange Board (SEBI) has issued an urgent cybersecurity advisory to all participants in the nation's equities markets, warning them to immediately reassess their information security systems amid fears that Anthropic's Mythos bug-finding AI could trigger a wave of cyberattacks. The regulator is urging market players to develop new defensive strategies and reinforce fundamental cyber hygiene before AI-powered vulnerability discovery tools fuel mass exploitation campaigns.

The directive marks one of the most significant regulatory responses globally to the emerging threat of AI models capable of autonomously identifying software vulnerabilities — a development that cybersecurity experts have long warned could dramatically shift the balance of power toward attackers.

Key Takeaways

• SEBI has advised all Indian securities market participants to revisit their cybersecurity posture immediately
• The alert specifically references Anthropic's Mythos, an AI model designed to discover software bugs and vulnerabilities
• Market players are urged to develop new defensive strategies beyond current security frameworks
• The directive emphasizes mastering 'cyber-basics' as a first line of defense
• India's securities market — valued at over $4 trillion — represents a high-value target for potential AI-powered attacks
• The move signals growing regulatory awareness of AI's dual-use potential in cybersecurity

Why Anthropic's Mythos Has Regulators Worried

Mythos represents a new class of AI systems purpose-built to identify software vulnerabilities at scale. Unlike traditional automated scanning tools that rely on known vulnerability signatures, Mythos leverages advanced reasoning capabilities to discover novel security flaws — the kind that human researchers might take weeks or months to uncover.

The concern is straightforward: if a sophisticated AI can find bugs faster and more comprehensively than human security researchers, the same capability in malicious hands could supercharge cyberattack campaigns. What previously required skilled hackers spending days probing systems could potentially be accomplished in minutes.

Anthropic has positioned Mythos as a defensive tool, designed to help organizations find and patch vulnerabilities before attackers exploit them. However, SEBI's advisory suggests regulators are not willing to wait and see whether the technology stays confined to defensive applications.

The dual-use nature of vulnerability discovery AI creates a fundamental dilemma. Every improvement in bug-finding capability simultaneously enhances both defensive and offensive potential — a dynamic that distinguishes AI security tools from most other technological advances.

SEBI's Directive Targets Cyber Fundamentals

Rather than prescribing specific technical countermeasures against AI-powered threats, SEBI's advisory takes a pragmatic approach by emphasizing foundational security practices. The regulator recognizes that many market participants still have gaps in basic cybersecurity hygiene — gaps that AI-powered attack tools would exploit with ruthless efficiency.

The advisory reportedly urges market participants to focus on several core areas:

• Patch management: Ensuring all systems run current software versions with known vulnerabilities addressed
• Access controls: Implementing strict authentication and authorization protocols across all market-facing systems
• Network segmentation: Isolating critical trading and settlement infrastructure from broader corporate networks
• Incident response planning: Developing and testing playbooks specifically for AI-augmented attack scenarios
• Continuous monitoring: Deploying real-time threat detection systems capable of identifying automated probing patterns
• Employee training: Updating security awareness programs to address AI-enabled social engineering and phishing

This 'back to basics' approach reflects a hard truth in cybersecurity: most successful breaches still exploit fundamental weaknesses rather than sophisticated zero-day vulnerabilities. AI-powered tools simply make finding and exploiting those weaknesses faster and cheaper.

India's $4 Trillion Market Faces Elevated Risk

India's securities market presents a particularly attractive target for cybercriminals. The National Stock Exchange (NSE) and Bombay Stock Exchange (BSE) collectively handle billions of dollars in daily trading volume, and the broader Indian financial ecosystem has undergone rapid digitization in recent years.

This digital transformation, while boosting market access and efficiency, has also expanded the attack surface considerably. Compared to mature Western markets like the NYSE or London Stock Exchange, some Indian market participants — particularly smaller brokerages and regional players — may have less robust cybersecurity infrastructure.

SEBI's concern is amplified by India's position as one of the world's fastest-growing major economies. The nation's securities market capitalization crossed $4 trillion in 2023, making it the 5th largest globally. A successful cyberattack on market infrastructure could have cascading effects across the entire financial system.

The timing of the advisory is also notable. India has seen a significant increase in retail investor participation since 2020, with over 130 million demat accounts now active. Each of these accounts represents a potential target for credential theft, account takeover, or fraudulent transactions — attacks that AI-powered tools could execute at unprecedented scale.

How AI Is Reshaping the Cybersecurity Landscape

SEBI's response to Mythos reflects a broader global reckoning with AI's impact on cybersecurity. The technology is simultaneously the greatest threat and the most promising defense — a paradox that regulators, enterprises, and security professionals are struggling to navigate.

On the offensive side, AI models are already being used to generate convincing phishing emails, create deepfake voice and video for social engineering, and automate the discovery of software vulnerabilities. Tools like Mythos represent the next evolution: AI systems that can reason about code and system architecture to identify flaws that pattern-matching tools would miss.

On the defensive side, AI-powered security platforms from companies like CrowdStrike, Palo Alto Networks, and SentinelOne are increasingly using machine learning to detect anomalous behavior, predict attack patterns, and automate incident response. The global AI cybersecurity market is projected to reach $60 billion by 2028, up from approximately $22 billion in 2023.

The critical question is whether defensive AI can keep pace with offensive AI. Unlike traditional cybersecurity — where defenders could build walls and wait for attackers to try breaking through — the AI era demands proactive, adaptive defense strategies that evolve as fast as the threats themselves.

Global Regulators Begin to Take Notice

SEBI's advisory places India among a growing number of jurisdictions grappling with AI-powered cyber threats to financial infrastructure. The U.S. Securities and Exchange Commission (SEC) has similarly emphasized cybersecurity requirements for market participants, though it has not yet issued specific guidance referencing AI vulnerability discovery tools.

The European Union's Digital Operational Resilience Act (DORA), which took effect in January 2025, requires financial entities to implement comprehensive ICT risk management frameworks — a regulation that implicitly addresses AI-powered threats without naming specific tools or models.

Other regulatory bodies watching this space closely include:

• The Financial Conduct Authority (FCA) in the United Kingdom
• The Monetary Authority of Singapore (MAS), which has published AI governance frameworks
• The Australian Securities and Investments Commission (ASIC)
• Japan's Financial Services Agency (FSA)

SEBI's willingness to name a specific AI model — Mythos — in its advisory is unusual among financial regulators, who typically prefer technology-neutral language. This specificity suggests SEBI views the threat as immediate rather than theoretical.

What This Means for Businesses and Developers

The implications of SEBI's advisory extend well beyond India's borders and the securities industry. Any organization running internet-facing infrastructure should consider the possibility that AI-powered vulnerability discovery tools — whether Mythos or similar systems — could be used to probe their defenses.

For software developers, the message is clear: the window between vulnerability introduction and exploitation is shrinking. AI bug-finding tools can scan codebases and deployed applications far faster than traditional methods, meaning security must be built into the development process rather than bolted on afterward.

For enterprise security teams, the advisory underscores the need for continuous security assessment rather than periodic penetration testing. If AI can find vulnerabilities in minutes, annual or quarterly security audits are woefully insufficient.

For AI companies like Anthropic, OpenAI, Google, and others developing powerful reasoning models, SEBI's response illustrates the regulatory scrutiny that dual-use AI capabilities will attract. Responsible disclosure frameworks and access controls for vulnerability discovery tools will become increasingly important as these capabilities mature.

Looking Ahead: The Arms Race Accelerates

SEBI's red alert represents an early skirmish in what promises to be a prolonged arms race between AI-powered attack and defense capabilities. As models grow more capable, the speed and sophistication of both vulnerability discovery and exploitation will increase dramatically.

Several developments to watch in the coming months include whether other national regulators issue similar advisories referencing specific AI models, how Anthropic responds to the regulatory scrutiny of Mythos, and whether the securities industry develops sector-specific AI defense standards.

The broader trajectory is unmistakable. AI is fundamentally altering the cybersecurity equation, and organizations that fail to adapt their defenses to this new reality will find themselves increasingly exposed. SEBI's advisory may be addressed to Indian market participants, but its underlying message resonates globally: the time to prepare for AI-powered cyber threats is not tomorrow — it is right now.

For financial markets in particular, where milliseconds can mean millions and trust is the foundation of the entire system, the stakes could not be higher. The question is no longer whether AI will transform cybersecurity, but whether defenders can move fast enough to stay ahead.