CERT-In flags 'high-severity risks' from AI-driven cyber threats amid Mythos concerns

Cyber security agency CERT-In has issued a high-severity warning on the rise of artificial intelligence (AI)-driven cyber threats. It said new AI tools are making attacks faster, cheaper and easier to execute.

In its latest advisory titled ‘Defending Against Frontier AI Driven Cyber Risks’, released on April 26, CERT-In said advanced AI systems can independently identify vulnerabilities in widely used software and analyse large volumes of source code.

It added that these tools are capable of executing complex, multi-stage cyberattacks with minimal human intervention. The agency said attackers can combine multiple exploits to break into entire enterprise networks.


The development follows a high-level meeting chaired by Finance Minister Nirmala Sitharaman on Thursday, with commercial banks and other key stakeholders to assess potential cybersecurity risks linked to AI. The government is now stepping up engagement with AI firm Anthropic and the US administration about Mythos to better understand the issue, the Finance minister told ET.

AI accelerating cyberattacks

The agency highlighted that the speed and automation offered by AI are lowering the barrier for cybercriminals. Even less skilled actors can now launch sophisticated attacks. These include credential theft, privilege escalation and movement across systems. In some cases, vulnerabilities can be identified and exploited within hours, it said.

CERT-In also flagged the rise of phishing and impersonation attempts, driven by AI-generated content across languages.

What organisations need to do?

To reduce risk, the agency has asked organisations to closely monitor systems and watch for unusual or rapid activity.

CERT-In has also stressed stronger access controls. It has advised adopting a Zero Trust approach, where every access request is treated as unverified. Multi-factor authentication should be used across critical systems, along with strict access limits, it suggested.

The advisory also emphasised the need for faster patch management, recommending that critical vulnerabilities especially in internet-facing systems be addressed within 24 hours.

Alongside this, CERT-In has emphasised employee awareness. It has asked organisations to train staff to identify AI-driven phishing and scams. Regular cyber drills and updated response plans are also essential, the agency said.

Also Read: Nervous Indian fintechs push Anthropic for access to Mythos

MSMEs to monitor threats

The advisory places special focus on micro, small and medium enterprises (MSMEs), which often lack strong cybersecurity infrastructure.

CERT-In urged these businesses to strengthen their threat detection systems and maintain detailed logs of system activity to support investigations.

Organisations have been asked to maintain updated inventories of their IT assets, regularly review third-party and open-source software dependencies, and ensure that supply chain risks are actively managed.

Individual users, meanwhile, have been urged to exercise caution when dealing with unsolicited messages, links and attachments, verify the authenticity of urgent requests including voice and video calls, and remain alert to deepfake-enabled fraud.

Also Read: Before Mythos goes public, Indian IT also wants access