ASEAN Beat | Security | Southeast Asia

AI Moves Fast. Southeast Asia’s Cybersecurity Policy Doesn’t.

Anthropic’s Mythos Preview exposes a widening gap between accelerating AI-enabled threats and Southeast Asia’s capacity to respond — and the window to act is closing.

A vulnerability in a security-hardened operating system — the kind used to run firewalls and protect critical government infrastructure — went undetected for nearly three decades. Anthropic’s red team testing revealed that Mythos Preview, the most capable AI model the company has ever built, found a 27-year-old vulnerability autonomously within hours.

That speed points to a broader shift in cybersecurity: the discovery of software vulnerabilities is now accelerating at a pace that many cybersecurity actors can no longer realistically match. In Southeast Asia, where cyber capabilities remain uneven and coordination across borders is limited, available evidence suggests that gap carries particular weight.

In an effort to secure global critical software, Anthropic announced “Project Glasswing,” its newest cybersecurity initiative that brings together major private sector actors, including Apple, Amazon Web Services, Google, and JPMorgan Chase. Notably absent from the coalition are governments, particularly those in Southeast Asia. The defensive benefits of Mythos-level vulnerability discovery are currently being extended only to these private sector partners, leaving out important state actors such as ASEAN member states that urgently need this capability to adapt and protect their own regional cyber architecture. 

Anthropic has acknowledged that models like Mythos can already match or even exceed most human experts in identifying software vulnerabilities. As these capabilities spread, the concern is not only that offensive tools will become more powerful, but that the speed of exploitation may increasingly outpace the ability of some states to respond — especially those still developing their cyber resilience. 

Not an Imminent Threat, It’s Already Here

In early 2026, Check Point Research documented Operation TrueChaos — a zero-day exploitation campaign targeting Southeast Asian government networks, which was attributed to a Chinese-linked threat actor. The operation didn’t require sophisticated individual targeting — compromising a single server was enough to push malware across dozens of connected government agencies simultaneously. 

Imagine that same operation supercharged by Mythos-level autonomous capability.

In regions such as Southeast Asia, global technology accelerates at an unprecedented rate, pushing member states to rapidly digitalize across all sectors of their economies. This rapid digital expansion has widened the attack surface — leaving vulnerable servers connected to both private enterprises and government establishments open to exploitation, as the TrueChaos incident demonstrates. According to the 2025/2026 INTERPOL Asia and South Pacific Cyber Threat Assessment Report, there is an alarming rise of AI-enabled deepfake scams and industrial-scale scam operations, with threat actors exploiting cybersecurity vulnerabilities through ransomware attacks, financial fraud, business email compromise (BEC), data breaches, and widespread infostealer malware campaigns. Given the heightened cyber-enabled criminal operations in the region, documented threat assessments and widespread adoption of newer technologies indicate that these financial scams are increasingly supercharged by AI tools. Half of these affected countries’ reported financial losses range from USD 10,000 to USD 100 million. This stands in stark contrast to the $40 billion in estimated yearly revenue of cyber-enabled scam operations across the region.

These persistent cyberattacks have long marred the region. With rapid economic growth and digitalization, ASEAN has adopted strategic frameworks on a five-year cycle to address ever-evolving cyber-related incidents in the region. Notably, the ASEAN Cybersecurity Cooperation Strategy (ACCS) 2021-2025 framework focused on cybercrimes, a majority of which are financial scams executed through phishing and ransomware. This framework also covered state-sponsored and Advanced Persistent Threats (APTs), which is a big concern in the region, with nation-state actors targeting government systems leveraging security gaps to execute cyber espionage operations, undermining the national security of ASEAN member states. The ACCS framework also identified significant capacity gaps among member states: a shortage of skilled cybersecurity professionals, weak incident response capabilities, and limited national strategies. Differences in laws and enforcement mechanisms also opened up gaps for aligned mechanism and policy implementation. It made joint investigations difficult and information sharing very slow and inconsistent. 

These gaps reflect the lack of teeth and aligned approach to policy in the ACCS 2021-2025 framework. With the ACCS 2026-2030 still in the works, it is high time to discuss zero-day vulnerabilities in the context of the ASEAN region’s cybersecurity architecture. With the era of AI already here, it is imperative to incorporate such technology into the ASEAN cyber architecture, as it offers increased process efficiency and capabilities to safeguard and protect critical software. However, such capabilities can be readily taken advantage of by malicious cyber actors. Based on current threat trajectories, the Anthropic Mythos incident serves as an ominous warning of what is to come if this kind of technology falls into the wrong hands — and the destructive capabilities that it can cause to nation-states.

What Will Be ASEAN’s Cybersecurity Way Forward?

The Mythos Preview demands concrete and binding action. As one of the most rapidly growing economic regions in the world, the ASEAN region remains a prime target for state-sponsored and criminal cyber operations. Three structural weaknesses magnify this vulnerability: cybersecurity commitments are implemented on a voluntary basis with no binding enforcement mechanisms, there is no centralized authority to enforce standards across member states, and significant capability gaps persist between the region’s most and least cyber-mature members. Addressing these weaknesses is is a matter of regional security.

A prudent step would be prioritizing the operationalization of the ASEAN Regional CERT before the 2026-2030 strategy is formally adopted. A functional regional CERT provides centralized authority absent from ASEAN’s cybersecurity architecture, capable of coordinating real-time threat intelligence sharing, issuing binding incident response protocols, and serving as the region’s first line of defense against AI-enabled attacks, which can be addressed and institutionalized by formal bilateral and multilateral agreements with standardized implementation protocols. The window to influence the 2026-2030 strategy’s scope is now, while Malaysia’s drafting process is still ongoing.

But individual member states cannot wait for regional consensus to act. The Philippines offers a concrete case in point — sitting at mid-tier cyber maturity among ASEAN member states according to the ITU Global Cybersecurity Index, it would be well-served by treating AI-enabled threats as an immediate rather than future concern. A joint Department of Information and Communications Technology (DICT) and Department of National Defense (DND) cyber threat monitoring unit — not a quarterly task force, but a standing operational body — represents a viable and concrete starting point. The TrueChaos operation demonstrated that government networks are already active targets. Mythos raises the ceiling of what those attacks can accomplish. 

Finally, governments are conspicuously absent from the Project Glasswing coalition. As a vulnerable region that is a primary target for cyber-related crimes that can be exponentially destructive because of AI, ASEAN governments may consider formally requesting threat intelligence sharing agreements with Anthropic and Glasswing partners — and incorporating such engagement as a binding rather than voluntary commitment within the 2026-2030 strategy. Adopting this measure will ensure uniform compliance among member states.

The vulnerability Mythos found in hours had hidden in plain sight for nearly three decades. Southeast Asia cannot afford a reactive posture — waiting for threats to arrive before responding to them. The window to act is already closing.

Get to the bottom of the story

Subscribe today and join thousands of diplomats, analysts, policy professionals and business readers who rely on The Diplomat for expert Asia-Pacific coverage.

Get unlimited access to in-depth analysis you won't find anywhere else, from South China Sea tensions to ASEAN diplomacy to India-Pakistan relations. More than 5,000 articles a year.

Unlimited articles and expert analysis

Weekly newsletter with exclusive insights

16-year archive of diplomatic coverage

Ad-free reading on all devices

Support independent journalism

Already have an account? Log in.

A vulnerability in a security-hardened operating system — the kind used to run firewalls and protect critical government infrastructure — went undetected for nearly three decades. Anthropic’s red team testing revealed that Mythos Preview, the most capable AI model the company has ever built, found a 27-year-old vulnerability autonomously within hours.

That speed points to a broader shift in cybersecurity: the discovery of software vulnerabilities is now accelerating at a pace that many cybersecurity actors can no longer realistically match. In Southeast Asia, where cyber capabilities remain uneven and coordination across borders is limited, available evidence suggests that gap carries particular weight.

In an effort to secure global critical software, Anthropic announced “Project Glasswing,” its newest cybersecurity initiative that brings together major private sector actors, including Apple, Amazon Web Services, Google, and JPMorgan Chase. Notably absent from the coalition are governments, particularly those in Southeast Asia. The defensive benefits of Mythos-level vulnerability discovery are currently being extended only to these private sector partners, leaving out important state actors such as ASEAN member states that urgently need this capability to adapt and protect their own regional cyber architecture. 

Anthropic has acknowledged that models like Mythos can already match or even exceed most human experts in identifying software vulnerabilities. As these capabilities spread, the concern is not only that offensive tools will become more powerful, but that the speed of exploitation may increasingly outpace the ability of some states to respond — especially those still developing their cyber resilience. 

Not an Imminent Threat, It’s Already Here

In early 2026, Check Point Research documented Operation TrueChaos — a zero-day exploitation campaign targeting Southeast Asian government networks, which was attributed to a Chinese-linked threat actor. The operation didn’t require sophisticated individual targeting — compromising a single server was enough to push malware across dozens of connected government agencies simultaneously. 

Imagine that same operation supercharged by Mythos-level autonomous capability.

In regions such as Southeast Asia, global technology accelerates at an unprecedented rate, pushing member states to rapidly digitalize across all sectors of their economies. This rapid digital expansion has widened the attack surface — leaving vulnerable servers connected to both private enterprises and government establishments open to exploitation, as the TrueChaos incident demonstrates. According to the 2025/2026 INTERPOL Asia and South Pacific Cyber Threat Assessment Report, there is an alarming rise of AI-enabled deepfake scams and industrial-scale scam operations, with threat actors exploiting cybersecurity vulnerabilities through ransomware attacks, financial fraud, business email compromise (BEC), data breaches, and widespread infostealer malware campaigns. Given the heightened cyber-enabled criminal operations in the region, documented threat assessments and widespread adoption of newer technologies indicate that these financial scams are increasingly supercharged by AI tools. Half of these affected countries’ reported financial losses range from USD 10,000 to USD 100 million. This stands in stark contrast to the $40 billion in estimated yearly revenue of cyber-enabled scam operations across the region.

These persistent cyberattacks have long marred the region. With rapid economic growth and digitalization, ASEAN has adopted strategic frameworks on a five-year cycle to address ever-evolving cyber-related incidents in the region. Notably, the ASEAN Cybersecurity Cooperation Strategy (ACCS) 2021-2025 framework focused on cybercrimes, a majority of which are financial scams executed through phishing and ransomware. This framework also covered state-sponsored and Advanced Persistent Threats (APTs), which is a big concern in the region, with nation-state actors targeting government systems leveraging security gaps to execute cyber espionage operations, undermining the national security of ASEAN member states. The ACCS framework also identified significant capacity gaps among member states: a shortage of skilled cybersecurity professionals, weak incident response capabilities, and limited national strategies. Differences in laws and enforcement mechanisms also opened up gaps for aligned mechanism and policy implementation. It made joint investigations difficult and information sharing very slow and inconsistent. 

These gaps reflect the lack of teeth and aligned approach to policy in the ACCS 2021-2025 framework. With the ACCS 2026-2030 still in the works, it is high time to discuss zero-day vulnerabilities in the context of the ASEAN region’s cybersecurity architecture. With the era of AI already here, it is imperative to incorporate such technology into the ASEAN cyber architecture, as it offers increased process efficiency and capabilities to safeguard and protect critical software. However, such capabilities can be readily taken advantage of by malicious cyber actors. Based on current threat trajectories, the Anthropic Mythos incident serves as an ominous warning of what is to come if this kind of technology falls into the wrong hands — and the destructive capabilities that it can cause to nation-states.

What Will Be ASEAN’s Cybersecurity Way Forward?

The Mythos Preview demands concrete and binding action. As one of the most rapidly growing economic regions in the world, the ASEAN region remains a prime target for state-sponsored and criminal cyber operations. Three structural weaknesses magnify this vulnerability: cybersecurity commitments are implemented on a voluntary basis with no binding enforcement mechanisms, there is no centralized authority to enforce standards across member states, and significant capability gaps persist between the region’s most and least cyber-mature members. Addressing these weaknesses is is a matter of regional security.

A prudent step would be prioritizing the operationalization of the ASEAN Regional CERT before the 2026-2030 strategy is formally adopted. A functional regional CERT provides centralized authority absent from ASEAN’s cybersecurity architecture, capable of coordinating real-time threat intelligence sharing, issuing binding incident response protocols, and serving as the region’s first line of defense against AI-enabled attacks, which can be addressed and institutionalized by formal bilateral and multilateral agreements with standardized implementation protocols. The window to influence the 2026-2030 strategy’s scope is now, while Malaysia’s drafting process is still ongoing.

But individual member states cannot wait for regional consensus to act. The Philippines offers a concrete case in point — sitting at mid-tier cyber maturity among ASEAN member states according to the ITU Global Cybersecurity Index, it would be well-served by treating AI-enabled threats as an immediate rather than future concern. A joint Department of Information and Communications Technology (DICT) and Department of National Defense (DND) cyber threat monitoring unit — not a quarterly task force, but a standing operational body — represents a viable and concrete starting point. The TrueChaos operation demonstrated that government networks are already active targets. Mythos raises the ceiling of what those attacks can accomplish. 

Finally, governments are conspicuously absent from the Project Glasswing coalition. As a vulnerable region that is a primary target for cyber-related crimes that can be exponentially destructive because of AI, ASEAN governments may consider formally requesting threat intelligence sharing agreements with Anthropic and Glasswing partners — and incorporating such engagement as a binding rather than voluntary commitment within the 2026-2030 strategy. Adopting this measure will ensure uniform compliance among member states.

The vulnerability Mythos found in hours had hidden in plain sight for nearly three decades. Southeast Asia cannot afford a reactive posture — waiting for threats to arrive before responding to them. The window to act is already closing.

Joseph De Los Santos is a Defense Researcher at the Department of National Defense of the Philippines. The views expressed in this article are his own and do not represent the official position of the Department of National Defense of the Philippines.

Southeast Asia cybersecurity

© The Diplomat