Mythos
Field Note 01 · Practitioner Brief

Claude Mythos and the Adversarial Anticipation Doctrine

Three weeks. One frontier model. One regulatory cycle that will shape how the Indian bar advises regulated entities for the rest of the decade.

Author · Shivam Shukla, Advocate
Published · 28 April 2026
Reading Time · 10 minutes
Anchored In · Doctrines III & IV

07 April 2026 · Anthropic announces Claude Mythos Preview. Project Glasswing launched.
21 April 2026 · Bloomberg reports unauthorised access. Vendor-chain pathway confirmed.
23 April 2026 · Sitharaman convenes the regulatory response. RBI, NPCI, CERT-In, MeitY.
26 April 2026 · CERT-In issues high-severity advisory. Naming the model directly.

On 7 April 2026, Anthropic announced Claude Mythos Preview, a frontier general-purpose language model, and Project Glasswing, a $100 million partner programme to direct the model at defensive cybersecurity work. By 21 April, Bloomberg had reported unauthorised access to Mythos through a third-party vendor environment. By 23 April, India's Finance Minister had convened the regulatory response. By 26 April, CERT-In had issued a high-severity advisory directly citing the model. This Field Note records what those three weeks mean for the practitioner standard set out in AI for Indian Advocates.

I

The technical fact pattern

Anthropic's Frontier Red Team has reported that Mythos Preview, in pre-release evaluations, autonomously identified thousands of previously unknown high- and critical-severity software vulnerabilities. The list spans every major operating system and every major web browser. Three findings have been singled out by Anthropic's published red-team report.

First, a 27-year-old vulnerability in OpenBSD, an operating system long regarded as one of the most security-hardened defensive baselines in production. Second, a 17-year-old remote code execution flaw in FreeBSD's NFS server, now assigned CVE-2026-4747, that grants an unauthenticated remote attacker complete root control. The model identified the bug, wrote a proof-of-concept exploit, and reproduced it autonomously. Third, a chained four-vulnerability browser exploit that escapes both the renderer and the operating system sandboxes.

Two operational characteristics of the model are material for the bar.

The first is autonomy. Anthropic has reported that engineers without formal security training prompted the model with a single instruction and received working exploits within a single working cycle. The marginal human input required to convert latent risk into operational attack has collapsed.

The second is opacity. Anthropic has stated that over ninety-nine percent of the vulnerabilities Mythos has surfaced remain unpatched, and that public disclosure has been deliberately withheld. The defender does not know which surfaces are exposed. The practitioner advising the defender does not know either. Anthropic has published only cryptographic SHA-3 commitments to demonstrate, in due course, that it possessed the underlying findings on the date of disclosure.
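What a hash commitment of this kind does and does not establish, as an added example that is not Anthropic's code or published format. The construction (SHA3-256 over a length-prefixed random nonce plus the report bytes), the function names and the sample reports are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

def commit(report: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (commitment_hex, nonce). The hex is published; report and nonce stay private."""
    if nonce is None:
        nonce = secrets.token_bytes(32)
    # The random nonce stops anyone confirming a guess at a short or
    # predictable report by hashing candidates; the length prefix keeps the
    # nonce/report boundary unambiguous.
    data = len(nonce).to_bytes(2, "big") + nonce + report
    return hashlib.sha3_256(data).hexdigest(), nonce

def match_reveal(published: List[str], report: bytes, nonce: bytes) -> Optional[int]:
    """On disclosure, return the index of the published commitment that the
    revealed (report, nonce) pair opens, or None if it opens none of them."""
    recomputed, _ = commit(report, nonce)
    for i, digest in enumerate(published):
        if hmac.compare_digest(recomputed, digest.strip().lower()):
            return i
    return None

# Constructed sample data: two findings committed on the announcement date.
REPORT_A = b"Finding A (constructed): description and proof of concept."
REPORT_B = b"Finding B (constructed): description and proof of concept."
C_A, NONCE_A = commit(REPORT_A)
C_B, NONCE_B = commit(REPORT_B)
PUBLISHED = [C_A, C_B]  # all that outsiders see until disclosure

if __name__ == "__main__":
    print(match_reveal(PUBLISHED, REPORT_B, NONCE_B))         # opens entry 1
    print(match_reveal(PUBLISHED, REPORT_B + b" ", NONCE_B))  # altered text opens nothing
```

The digest carries no timestamp of its own: it evidences possession on a given date only to the extent that the date of its publication is independently recorded.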

The United Kingdom AI Security Institute, in independent evaluation, has placed Mythos at seventy-three percent on expert-level offensive cybersecurity tasks. The figure is not a marketing claim. It is an external benchmark.

II

The breach pathway

On 21 April 2026, Bloomberg reported that a small group of unauthorised users in a private online forum had gained access to Mythos on the same day Anthropic announced its limited release. Anthropic confirmed an investigation. The pathway, as reported, was not a direct compromise of Anthropic's core systems. It was a layered cascade through four vendor surfaces.

Vendor Cascade · As Reported

Anthropic was breached because Mercor was breached. Mercor was breached because LiteLLM was breached. LiteLLM was breached because of credentials from Delve.

L1 · Anthropic · a third-party contractor with legitimate access to the Mythos environment.
L2 · Mercor · an AI feedback and recruitment firm that handled credentials and data for the contractor; reportedly breached by Lapsus$.
L3 · LiteLLM · an open-source LLM proxy tool through which the Mercor breach was perpetrated.
L4 · Delve · the fourth-party provider whose fake security credentials reportedly compromised LiteLLM.

Four layers. One AI model. The named tool was the last surface to be touched, not the first.

Doctrine III · Fiduciary Confidentiality

Privileged client material does not become safer by being processed through a globally trusted AI provider. It becomes only as safe as the weakest link in that provider's vendor chain. The advocate who cannot map that chain four layers deep cannot, on the post-Mythos record, discharge the duty.

III

The Indian regulatory response

On 23 April 2026, Finance Minister Nirmala Sitharaman, co-chairing with Electronics and Information Technology Minister Ashwini Vaishnaw, convened a high-level meeting with the heads of scheduled commercial banks, the Reserve Bank of India, the National Payments Corporation of India, the Indian Computer Emergency Response Team (CERT-In), and the Department of Financial Services. The Finance Ministry described the threat as unprecedented and called for "a very high degree of vigilance, preparedness and better coordination" across financial institutions and regulators.

The meeting produced four operational directions. Banks were instructed to take all necessary pre-emptive measures to secure IT systems, customer data, and financial assets. A real-time threat-intelligence sharing mechanism between banks and CERT-In was approved. The Indian Banks' Association was tasked with developing a coordinated institutional response across the banking system. Banks were directed to immediately report suspicious cyber activity to CERT-In.

On 26 April 2026, CERT-In issued a high-severity advisory that directly cites Mythos. The advisory's compliance posture is uncompromising. Organisations have been instructed to treat every newly disclosed critical vulnerability as exploitable within hours of disclosure, not weeks; to segment digital architecture into isolated network zones to limit lateral movement; to review, harden, or replace legacy remote-access systems including older VPN appliances; to monitor and restrict outbound traffic to known AI services in order to curb the unsanctioned use of automated tools; to track every software and AI component used across systems and require vendors to meet rigorous security standards; and to train internal security teams to detect how AI-augmented attackers operate, including realistic simulations that account for AI-generated text, voice, and video lures.

Two structural facts deserve the bar's attention.

India · Structural Exclusion

No Indian company features among the named Project Glasswing partners. Access has been confined to AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, NVIDIA, Palo Alto Networks, the Linux Foundation, and a small number of additional firms. India faces the threat surface without any direct domestic seat at the defensive table.

India · Jurisdictional Conflict

NPCI has indicated it wants early access to Mythos to identify zero-day vulnerabilities in India's payment systems before the model proliferates more widely. Mythos, however, runs on servers strictly controlled by Anthropic in the United States. India's 2018 data localisation rules require payment system providers to store all transaction data exclusively on servers within India. The compliance conflict has not been publicly resolved. Practitioners advising payment system operators, NBFCs, and banking technology vendors will be asked, in the coming quarters, to write opinions on it.

Telecommunications operators have followed suit. Bharti Airtel and Vodafone Idea are reviewing the security practices of their network software vendors, including Nokia, Ericsson, and Samsung. The vendor-map exercise, which was prudential a month ago, is now an industry baseline.

IV

Doctrine IV in operation

Adversarial Anticipation, the fourth of the Five Doctrines in the practitioner standard, holds that the advocate must assume adversarial actors operating at the technological frontier and must structure work product to remain coherent under that assumption. Mythos is the operational form of that doctrine's premise.

The doctrine has three concrete consequences for litigation work in 2026.

i · Verification becomes the surviving line.
Stage 4 of the Supervised Intelligence Method (Verification) is held as Human Only by design. Under Mythos-class capability, this is not a stylistic preference. It is the only point in the workflow that an opposing party, a regulator, or a court cannot challenge as derivative. Pleadings, opinions, and advisories that depend on the integrity of an AI-assisted research pass must be verified against primary sources by a human, in writing, with the verification record retained.

ii · Fiduciary protection extends to the entire vendor chain.
Confidential client material entrusted to AI workflows must be governed by an explicit fiduciary protocol that names the model, the vendor, the data path, and the retention posture. The Mythos cascade demonstrates that the surface of fiduciary risk is the entire vendor chain, not the named tool. An advocate's AI-use protocol that does not map the chain four layers deep is not fit for client work in the post-Mythos environment.

iii · The advocate's intellectual product must remain visibly the advocate's own.
Doctrine I (Cognitive Sovereignty) does not weaken as AI capability rises. It hardens. When opposing counsel can deploy AI of Mythos calibre to interrogate a written submission, the only product that survives that interrogation is one whose framing, doctrinal reconstruction, and strategic judgment are visibly the advocate's. The five canonical stages of the SIM, with three of the five held as Human Only or Human Dominant, are the architecture that produces such a submission.

V

SIM and ART under these conditions

The Supervised Intelligence Method and the AI Responsibility Test were designed for this. The arrival of Mythos-class capability in the public technology landscape does not require a redesign of the standard. It requires its disciplined application.

Pattern Expansion, Stage 2 of the SIM, becomes more powerful and therefore more hazardous. The advocate's instinct to push more research through the model must be matched by a correspondingly stronger Verification at Stage 4. The four steps of the ART (Framing Diligence, Supervisory Adequacy, Verification Completeness, Judgment Independence) function as the audit trail that demonstrates, on the face of the file, that the advocate operated to standard.

The CERT-In advisory's "exploitable within hours" timeline maps directly to ART Step 3 (Verification Completeness) when the work product is an advisory, opinion, or compliance protocol. An advisory that takes a week to verify a citation under conditions where critical vulnerabilities are actionable within hours is structurally inadequate. The standard now requires same-cycle verification.

VI

What the practitioner does on Monday

For an advocate advising regulated entities, three concrete steps are immediate.

Workflow · Immediate
Three actions before the next client briefing
01 · Audit the AI tools currently in use against an explicit vendor map. Identify each third-party processor, each data path, each retention point, and follow the chain at least three layers deep. If the map cannot be drawn, the tool is not yet fit for client work.

02 · Formalise a verification record for every AI-assisted research pass. The record need not be elaborate. It must be primary-source-anchored, dated, and retained in the matter file. Under the CERT-In advisory's hours-not-weeks posture, the record is also the timestamp evidence of the practitioner's response cycle.

03 · Prepare a one-page client-facing AI-use protocol that the firm can present to a banking or NBFC client on request. Boards and risk committees will, under the coming RBI cycle, ask for it. The advocate who has the document is engaged. The advocate who does not is replaced.
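One way to make the vendor-map audit in step 01 mechanical, as an added example that is not part of the original note. The first chain reuses the cascade as reported above purely as sample data; the tool names, "UnnamedCloud", the function names and the map format are assumptions.

```python
from collections import deque

# Constructed vendor map: each key lists the sub-processors it has disclosed.
# None means "not disclosed". The first chain reuses the cascade as reported
# above; both tool names and "UnnamedCloud" are hypothetical.
VENDOR_MAP = {
    "Drafting assistant": ["Anthropic"],
    "Anthropic": ["Mercor"],
    "Mercor": ["LiteLLM"],
    "LiteLLM": ["Delve"],
    "Delve": [],
    "Transcription add-on": ["UnnamedCloud"],
    "UnnamedCloud": None,
}

def audit_vendor_chain(tool, vendor_map, required_depth=3):
    """Breadth-first walk of disclosed sub-processors starting at `tool`.

    Returns (layers, gaps): layers[k-1] lists the vendors k hops from the
    tool; gaps lists vendors closer than `required_depth` hops whose own
    sub-processors are undisclosed, i.e. where the map cannot be drawn.
    """
    layers, gaps = [], []
    seen = {tool}
    queue = deque([(tool, 0)])
    while queue:
        name, depth = queue.popleft()
        subs = vendor_map.get(name)  # None: undisclosed or absent from the map
        if subs is None:
            if depth < required_depth:
                gaps.append(name)
            continue
        for sub in subs:
            if sub in seen:  # shared or circular dependency: record once
                continue
            seen.add(sub)
            if len(layers) <= depth:
                layers.append([])
            layers[depth].append(sub)
            queue.append((sub, depth + 1))
    return layers, gaps

def fit_for_client_work(tool, vendor_map, required_depth=3):
    """Apply the note's rule: no gap inside the required depth."""
    _, gaps = audit_vendor_chain(tool, vendor_map, required_depth)
    return not gaps
```

Raising `required_depth` to 4 applies the four-layer test stated under Doctrine IV instead of the three-layer minimum in step 01.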

Doctrine IV · Closing

The threat surface is no longer theoretical.
The doctrine is no longer prophylactic.
The practitioner standard is now the operating standard.

Reference

Sources & Further Reading

Anthropic Frontier Red Team, "Assessing Claude Mythos Preview's Cybersecurity Capabilities," 7 April 2026 · red.anthropic.com
Anthropic, "Project Glasswing" announcement and partner list, 7 April 2026 · anthropic.com/glasswing
Bloomberg News, "Anthropic's Mythos AI Model Is Being Accessed by Unauthorized Users," 21 April 2026.
TechCrunch, reporting on third-party vendor pathway and Anthropic statement, 21 April 2026.
Tom's Hardware, layered cascade reporting (Anthropic / Mercor / LiteLLM / Delve), April 2026.
UK AI Security Institute, "Our evaluation of Claude Mythos Preview's cyber capabilities," April 2026.
Ministry of Finance, Government of India, statement on the meeting of 23 April 2026 chaired by FM Sitharaman with bank chiefs, RBI, NPCI, MeitY, and CERT-In.
CERT-In, Ministry of Electronics and Information Technology, high-severity advisory on frontier AI cyber-capability, 26 April 2026 · reported in Business Standard and MediaNama.
Indian Express, India Today, Outlook Business, Swarajya, The Logical Indian, MoneyControl, contemporaneous reporting on the Indian regulatory response and telecommunications-sector vendor reviews.
Shivam Shukla, AI for Indian Advocates: The Practitioner's Standard for Supervised Intelligence, 2026 (ISBN 978-93-5782-312-8) · for the Five Doctrines, the SIM, and the ART in canonical form.