India on High Alert: CERT-In Warns of Frontier AI Cyber Threats Targeting Businesses
- by Pranay Jain
- 28 Apr, 2026
India’s national cybersecurity agency, CERT-In (Indian Computer Emergency Response Team), has issued a high-severity advisory titled "Defending Against Frontier AI Driven Cyber Risks." Published on April 26, 2026, the warning highlights a dangerous evolution in the digital landscape: hackers are now using advanced artificial intelligence to automate complex attacks that previously required teams of skilled human experts.
This government alert follows a high-level meeting chaired by Finance Minister Nirmala Sitharaman, which assessed the systemic risks posed by these emerging technologies to India’s commercial banks and critical infrastructure.
The New Threat: Autonomous Hacking and AI Speed
The advisory notes that "Frontier AI" models have reached a level of maturity where they can independently manage the entire lifecycle of a cyberattack.
- Independent Vulnerability Discovery: AI systems can now scan massive codebases to find both known and "Zero-Day" vulnerabilities in widely used software.
- Rapid Weaponization: Vulnerabilities can now be weaponized into functional exploits within hours of being discovered, drastically shrinking the response window for IT teams.
- Automated Reconnaissance: AI is being used to map out enterprise networks, cloud platforms, and APIs to find the weakest point of entry without human intervention.
- The "Mythos" Concern: Indian authorities are specifically monitoring the risks associated with highly capable models—like the unreleased "Mythos"—fearing they could be repurposed to paralyze the banking sector.
High-Risk Targets and Impact
CERT-In’s intelligence suggests that no sector is immune, but certain groups are being prioritized by these AI-driven campaigns:
| Target Sector | Threat Level | Primary Risk |
| --- | --- | --- |
| Banking & Finance | Critical | Financial fraud, identity compromise, and service disruption. |
| MSMEs | High | Data theft and ransomware due to limited security resources. |
| Individuals | Medium | Multilingual phishing, deepfake voice/video scams, and credential theft. |
"Mission Prevention": Mandatory Guidelines for Companies
The agency is urging Indian organizations to abandon "reactive" security in favor of a "prevention-first" architecture.
1. Adopt a "Zero Trust" Strategy
Treat every access request as unverified by default. This includes enforcing Multi-Factor Authentication (MFA) across all critical systems, cloud environments, and remote gateways.
2. The 24-Hour Patch Rule
Because AI can exploit gaps so quickly, CERT-In recommends that critical vulnerabilities in internet-facing systems be patched within 24 hours of a fix becoming available.
3. Behavioral Monitoring
Organizations must adjust their monitoring tools to detect "rapid-fire" activities. AI attacks often move at speeds that standard human-monitored logs might miss.
4. Employee Training on "AI Phishing"
Traditional phishing red flags (like poor grammar) are disappearing. Employees must be trained to identify highly convincing, AI-generated multilingual emails and verify urgent requests through secondary, non-digital channels.
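An added example (not from the CERT-In advisory or this article) of the behavioral monitoring in guideline 3: a per-source sliding-window counter that flags request bursts faster than a person would generate. The window size, threshold, log format and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=2)  # assumed window; tune to your own baseline
MAX_EVENTS = 5                 # assumed ceiling for human-driven activity per window

# Constructed sample lines: "<ISO timestamp> <source> <path>", sorted by time.
SAMPLE_LOG = """\
2026-04-27T10:00:00.000 203.0.113.9 /api/v1/users
2026-04-27T10:00:00.150 203.0.113.9 /api/v1/admin
2026-04-27T10:00:00.300 203.0.113.9 /api/v1/export
2026-04-27T10:00:00.450 203.0.113.9 /api/v1/keys
2026-04-27T10:00:00.600 203.0.113.9 /api/v1/backup
2026-04-27T10:00:00.750 203.0.113.9 /api/v1/config
2026-04-27T10:00:01.000 198.51.100.20 /login
2026-04-27T10:00:09.000 198.51.100.20 /dashboard
2026-04-27T10:00:21.000 198.51.100.20 /reports
"""

def parse(line):
    """Split one log line into (timestamp, source, path)."""
    ts, src, path = line.split()
    return datetime.fromisoformat(ts), src, path

def detect_rapid_fire(lines, window=WINDOW, max_events=MAX_EVENTS):
    """Return {source: (first_alert_time, peak_events_in_window)} for bursty sources.

    Assumes the input lines are in chronological order.
    """
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, _path = parse(line)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) > max_events:
            first, peak = alerts.get(src, (ts, 0))
            alerts[src] = (first, max(peak, len(q)))
    return alerts

if __name__ == "__main__":
    for src, (first, peak) in detect_rapid_fire(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {peak} events within {WINDOW.total_seconds()}s, first at {first}")
```

In practice the threshold would be derived from observed per-user or per-service baselines rather than a fixed constant.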
Advice for Individual Users
The government also issued a checklist for citizens to protect themselves from AI-enabled fraud:
- Verify Video/Voice: If a "relative" or "boss" asks for money via a video call, use a "safe word" or call them back on a known number to ensure it isn't a deepfake.
- Check Your Identity: Use the official Google Wallet or DigiLocker for Aadhaar and other IDs to ensure your credentials aren't easily harvested from physical copies.
- Audit Your Accounts: Regularly check for unauthorized login attempts in your email and banking apps.
CERT-In’s message is clear: the era of human-vs-human hacking is ending. To survive the era of AI-driven threats, Indian companies must fight fire with fire by deploying their own automated, AI-enhanced defense systems.






