The advisory marks the government’s clearest acknowledgment yet that advances in AI are no longer confined to productivity gains but are rapidly translating into offensive cyber capabilities.
Frontier AI and a new threat system
CERT-In said “frontier AI systems indicate a significant increase in cyber capability maturity,” flagging that such models are now able to autonomously identify vulnerabilities in widely used software, and in some cases, plan and execute complex, multi-stage cyberattacks.
According to the advisory, these systems can operate at a speed and scale that previously required coordinated teams of highly skilled human hackers. The concern is not merely theoretical—CERT-In explicitly warned of the potential “weaponisation of security vulnerabilities” by such models.
Among the capabilities highlighted:
- Identification of zero-day vulnerabilities
- Automated and rapid weaponisation of discovered flaws
- Reconnaissance of APIs and cloud infrastructure
- Credential harvesting and social engineering
- AI-generated phishing campaigns
- Autonomous orchestration of multi-stage attacks
Also read: Explained: What is Mythos AI and why it is worrying banks and regulatorsHeightened risk for organizations
The agency assessed that organizations now face a “heightened risk” environment characterized by low-cost, automated reconnaissance and exploitation cycles. This could lead to unauthorized access, service disruptions, data exfiltration, financial fraud, and cascading compromise across interconnected systems.
CERT-In has advised companies to adopt a posture of “elevated alert,” increase the frequency and sophistication of threat detection, and deploy AI-enabled defensive tools to counter AI-driven attacks.
It also stressed the need for a shift toward “zero trust” security frameworks, stronger password protocols, and targeted training for security teams to understand how AI-augmented attackers operate.
Also Read: FM says banks prepared for tech risks, calls for upgrades amid Mythos challengeIndividuals no longer on the sidelines
In a notable shift from earlier advisories focused primarily on institutions, CERT-In underlined that individual users are now “part of the frontline.”
Personal devices, accounts, and digital identities are increasingly vulnerable to AI-driven threats. The advisory warned of the rising risks of impersonation and deepfake attacks, enabled by generative AI systems capable of convincingly mimicking trusted individuals and organizations.
For individuals, CERT-In recommended heightened vigilance and adherence to basic cyber hygiene practices:
- Keep operating systems, browsers, and applications updated
- Avoid downloading unknown apps or files
- Use strong, unique passwords across accounts
- Be cautious of unsolicited emails, messages, and links
- Scrutinize content that appears AI-generated, especially if it mimics trusted sources
- Treat “too good to be true” offers with skepticism
- Regularly back up important data
While the advisory stops short of prescribing restrictions, it reflects growing institutional concern that the same capabilities driving AI innovation could also lower the barrier to sophisticated cybercrime.
