ASEAN Beat | Security | Southeast Asia

AI Moves Fast. Southeast Asia’s Cybersecurity Policy Doesn’t.

Anthropic’s Mythos Preview exposes a widening gap between accelerating AI-enabled threats and Southeast Asia’s capacity to respond — and the window to act is closing.

A vulnerability in a security-hardened operating system — the kind used to run firewalls and protect critical government infrastructure — went undetected for nearly three decades. Anthropic’s red team testing revealed that Mythos Preview, the most capable AI model the company has ever built, found a 27-year-old vulnerability autonomously within hours.

That speed points to a broader shift in cybersecurity: the discovery of software vulnerabilities is now accelerating at a pace that many cybersecurity actors can no longer realistically match. In Southeast Asia, where cyber capabilities remain uneven and coordination across borders is limited, available evidence suggests that gap carries particular weight.

In an effort to secure global critical software, Anthropic announced “Project Glasswing,” its newest cybersecurity initiative that brings together major private sector actors, including Apple, Amazon Web Services, Google, and JPMorgan Chase. Notably absent from the coalition are governments, particularly those in Southeast Asia. The defensive benefits of Mythos-level vulnerability discovery are currently being extended only to these private sector partners, leaving out important state actors such as ASEAN member states that urgently need this capability to adapt and protect their own regional cyber architecture. 

Anthropic has acknowledged that models like Mythos can already match or even exceed most human experts in identifying software vulnerabilities. As these capabilities spread, the concern is not only that offensive tools will become more powerful, but that the speed of exploitation may increasingly outpace the ability of some states to respond — especially those still developing their cyber resilience. 

Not an Imminent Threat, It’s Already Here

In early 2026, Check Point Research documented Operation TrueChaos — a zero-day exploitation campaign targeting Southeast Asian government networks, which was attributed to a Chinese-linked threat actor. The operation didn’t require sophisticated individual targeting — compromising a single server was enough to push malware across dozens of connected government agencies simultaneously. 

Imagine that same operation supercharged by Mythos-level autonomous capability.

In regions such as Southeast Asia, global technology accelerates at an unprecedented rate, pushing member states to rapidly digitalize across all sectors of their economies. This rapid digital expansion has widened the attack surface — leaving vulnerable servers connected to both private enterprises and government establishments open to exploitation, as the TrueChaos incident demonstrates. According to the 2025/2026 INTERPOL Asia and South Pacific Cyber Threat Assessment Report, there is an alarming rise of AI-enabled deepfake scams and industrial-scale scam operations, with threat actors exploiting cybersecurity vulnerabilities through ransomware attacks, financial fraud, business email compromise (BEC), data breaches, and widespread infostealer malware campaigns. Given the heightened cyber-enabled criminal operations in the region, documented threat assessments and widespread adoption of newer technologies indicate that these financial scams are increasingly supercharged by AI tools. Half of these affected countries’ reported financial losses range from USD 10,000 to USD 100 million. This stands in stark contrast to the $40 billion in estimated yearly revenue of cyber-enabled scam operations across the region.

These persistent cyberattacks have long marred the region. With rapid economic growth and digitalization, ASEAN has adopted strategic frameworks on a five-year cycle to address ever-evolving cyber-related incidents in the region. Notably, the ASEAN Cybersecurity Cooperation Strategy (ACCS) 2021-2025 framework focused on cybercrimes, a majority of which are financial scams executed through phishing and ransomware. This framework also covered state-sponsored and Advanced Persistent Threats (APTs), which is a big concern in the region, with nation-state actors targeting government systems leveraging security gaps to execute cyber espionage........

© The Diplomat