India has started stress-testing its government and banking software systems against Anthropic's Mythos AI model, a cybersecurity drill aimed at finding weak spots before attackers do. The tests, which are currently underway, mark the first known instance of a country using a rival's frontier AI model to probe its own critical infrastructure.
Stress testing against an AI adversary
Stress testing isn't new. Organizations routinely simulate attacks to see how their defenses hold up. But throwing an AI model like Mythos into the mix changes the equation. Mythos, developed by Anthropic, is designed to be more capable than earlier models at understanding and generating code. That makes it a potent tool for simulating sophisticated cyberattacks—and for finding vulnerabilities that human testers might miss.
India's approach involves feeding the model details about its government and banking software architectures. Mythos then tries to exploit those systems, probing for weaknesses in encryption, access controls, and data handling. The results help officials decide which patches to prioritize and where to invest in stronger defenses.
Why banking and government systems are the focus
Banking and government software handle some of the most sensitive data in the country—financial records, personal identification, and national security information. A breach in either sector could have cascading effects. That's why India is focusing its stress tests on these two areas first. The tests are not a sign that a specific threat has been detected, but rather a proactive measure to stay ahead of potential attacks.
The choice of Anthropic's model over others is notable. Anthropic has positioned itself as a safety-focused AI company, and its Mythos model is built with guardrails to prevent misuse. India's use of Mythos for defensive purposes aligns with the company's intended applications. Anthropic has not commented on the tests, and no official from the Indian government has provided details on the scope or timeline.
What's at stake
If the stress tests reveal critical vulnerabilities, the consequences could be far-reaching. Government agencies may need to pause digital initiatives to patch systems. Banks could face temporary service disruptions if updates are required. On the flip side, a clean bill of health would bolster confidence in India's digital infrastructure, which has been expanding rapidly through programs like Aadhaar and UPI.
The tests also raise questions about the role of AI in national cybersecurity. Using one company's model to test another's systems blurs the line between competition and collaboration. No decision has been made on whether to make the test results public, and it remains unclear if other nations will follow India's lead.
Unanswered questions
The biggest unknown is how long the stress tests will last and whether they'll expand beyond government and banking software. Officials have not disclosed a deadline for completion, nor have they said which specific systems are being tested. What is clear is that India is betting that an AI adversary is the best way to find its own weaknesses—before someone else does.
