2026-05-23
India AI Digest — Saturday, May 23, 2026
- Anthropic posted a six-week update on Project Glasswing: more than 10,000 high- and critical-severity vulnerabilities surfaced via Claude Mythos Preview, 1,752 independently assessed at a 90.6% true-positive rate, and the public-beta release of Claude Security to Claude Enterprise customers alongside an expanded Open Source Security Foundation partnership.
- LTIMindtree issued an offer with ~€160M enterprise value to acquire Randstad's tech and consulting services business across France, Germany, Belgium, Luxembourg and Australia, with delivery centres in Romania and Portugal — a unit representing USD 500M+ (€469M) in annual revenue — bundled with a five-year IT services partnership covering Randstad's India Global Capability Center and a strategic talent-MSP arrangement.
SECURITY · MODEL CAPABILITY · OPEN SOURCE · May 22, 2026
Anthropic posts Project Glasswing's first results — 10,000+ vulnerabilities, Claude Security enters public beta for Claude Enterprise
Anthropic published an initial update on Project Glasswing on May 22, 2026 — six weeks after the coalition launched. Per Anthropic, partner labs and maintainers using Claude Mythos Preview have surfaced more than 10,000 high- and critical-severity vulnerabilities, of which 6,202 are in over 1,000 open-source projects. 1,752 of those have been independently assessed, with 90.6% confirmed valid. Named partner results: roughly 2,000 bugs identified at Cloudflare (400 high- or critical-severity), 271 in Firefox 150, and a $1.5M fraudulent wire-transfer reportedly prevented by a Mythos-assisted detection at an undisclosed financial institution. Anthropic separately put Claude Security into public beta for Claude Enterprise customers, launched a Cyber Verification Program, and expanded its partnership with the Linux Foundation's Open Source Security Foundation Alpha-Omega project. Anthropic also says 2,100 of the identified bugs were patched with Claude Opus 4.7.
What this means. The April 7 launch positioned Glasswing as a defensive coalition built around a model Anthropic had decided was too dangerous to release. Six weeks in, the substantive question — whether Mythos Preview, in the hands of partners, would surface vulnerabilities at a rate and quality that justified the coalition structure — has a partial answer. The 90.6% independently-assessed validity rate on the 1,752-sample audit is the load-bearing number; without it, the 10,000 headline would read as triage noise. With it, the claim is that frontier-model-driven vulnerability discovery produces an output stream where roughly nine in ten items survive expert review. That is a different operational profile from prior automated discovery tooling, where reviewer load on false positives was the binding constraint.
The release of Claude Security is the other shoe. Glasswing's launch was a private, coalition-gated programme; today it ships an enterprise-tier public beta of Claude Security plus a Cyber Verification Program. The architecture has moved from one model, twelve partners, no public market in April to one programme, expanded partner set, plus an enterprise-beta product channel in May. The skeptical read from April — that Anthropic was building a private market for a capability the rest of the security industry couldn't price-match — would become testable against a price list if and when Anthropic publishes one beyond the Claude Enterprise tier. The sympathetic read — that Mythos-class disclosure had to be gated to avoid arming offence at the same rate as defence — survives this update intact: the open-source patches landed, the CVE pipeline absorbed the disclosures, and the model itself remains unreleased.
What the update does not settle is the offence-defence asymmetry question at the heart of the original framing. Anthropic reports that partners have closed thousands of vulnerabilities and patched 2,100 of them with Claude Opus 4.7. It does not — and structurally cannot — report what adversary use of comparable capability has produced over the same window. The 17-year-old FreeBSD RCE flaw disclosed in April was the kind of finding that, in adversary hands, would have been a strategic asset. The proposition that gated frontier-model vulnerability discovery moves the patch front faster than it moves the attack front is now the operational thesis Glasswing has to defend.
India angle. As at launch, no Indian institution sits in the named partner set or the disclosed maintainer roster. The patches land upstream — kernel, browser engines, language runtimes, the open-source pieces of the IndiaStack reference implementations — so the Indian operational stack inherits the defensive uplift at the speed of its own update cadence. For state-government deployments and the long tail of public-sector software, that cadence has historically been slow; the gap between upstream patch availability and a deployed patch on a state portal is the substrate the next CERT-In directive cycle will read.
The financial-regulator track is the closer-in story. The April 23 Sitharaman convening that pulled in RBI, MeitY, NPCI, IBA, and DFS was a direct response to Mythos-class capability. SEBI's signalled advisory on AI-driven cyber risk, covered in the May 3 digest, is the most concrete next step but remains a planning instrument rather than a published one. The ISACA 2026 AI Pulse Poll, covered in the May 12 digest, reported that 53% of Indian enterprise respondents do not know how long it would take to halt an AI system after a security incident. That number is the floor against which Indian regulators have to write the rules for AI-assisted vulnerability discovery — both as a defensive tool Indian institutions might consume, and as a dual-use capability they will eventually have to take a position on.
For Indian builders selling into BFSI, the procurement question becomes named. Claude Security, even in enterprise-tier public beta, is a procurement-readable inclusion for buyers already on Claude Enterprise. The Big-Four advisory channel — PwC tied to Anthropic on May 14 (covered in the May 16 digest), KPMG on May 19 (covered in the May 20 digest) — is the distribution layer this product will reach Indian regulated buyers through. The substantive question is whether CERT-In, RBI, and SEBI write advisories that treat AI-assisted vulnerability discovery as a tool to be encouraged inside regulated entities, a capability to be procured under sector-specific controls, or a dual-use technology to be restricted in defined contexts. None of those positions is yet on paper.
Behind the news. Glasswing was announced on April 7 as a coalition of Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, Nvidia, Palo Alto Networks, the Linux Foundation, and Anthropic, with more than 40 critical-software maintainers granted access and $100M in Mythos usage credits committed. Today's update extends the partner roster (Mozilla, Oracle, wolfSSL, XBOW, the UK AI Security Institute now named) and converts the programme from a closed coalition to one with a public commercial face. The arc from sealed-model launch to commercial-product-plus-coalition in six weeks is faster than the original framing suggested it would be.
What to watch. Pricing and access disclosure for Claude Security — specifically whether Anthropic publishes per-seat or per-token rates, and what the Cyber Verification Program's certification structure costs. The price list determines whether independent researchers, regional CERTs, and smaller security vendors gain access to the capability or remain outside the coalition tier.
Source: Anthropic blog post, May 22, 2026.
Confidence: high on the announced metrics and the Claude Security public-beta release to Claude Enterprise, sourced from Anthropic's primary post. Lower on the standalone interpretation of the 90.6% validity figure — the audit sample of 1,752 is a fraction of the 10,000 headline, and the sampling methodology is not disclosed.
See also: Anthropic announces Project Glasswing (April 7); SEBI signals AI-risk advisory for market intermediaries (May 3).
SERVICES · M&A · ENTERPRISE · May 22, 2026
LTIMindtree offers ~€160M for Randstad's Europe-Australia tech and consulting unit ($500M+ in annual revenue)
LTIMindtree announced on May 22, 2026 an offer to acquire Randstad's Technology and Consulting Services business across France, Germany, Belgium, Luxembourg and Australia, with delivery centres in Romania and Portugal, via wholly owned subsidiary LTIMindtree UK Limited. The acquired business represents USD 500M+ (€469M) in annual revenue. The transaction is bundled with a five-year IT services partnership under which LTM will drive AI-enabled transformation for Randstad's India Global Capability Center, and Randstad will become the strategic talent Managed Service Provider for LTM's global workforce expansion. Closing is subject to customary regulatory approvals and other closing conditions.
What this means. This is the largest stated outbound acquisition in LTIMindtree's history and the most explicit Indian-SI move up the AI-services value chain by inorganic growth in mature markets so far in 2026. The framing — AI-enabled transformation layered over a domain-driven services consolidation — is the standard SI repositioning narrative, but the structure is unusual. LTM is buying a European-and-Australian tech and consulting book that has its own client base and its own delivery footprint, not a stand-alone capability or a single contract. The post-acquisition LTM ends up with materially larger near-shore and on-shore European delivery, a structurally different geographic mix than the prevailing offshore-heavy SI archetype.
The bundled five-year IT-services contract — LTM running AI-enabled transformation inside Randstad's India GCC — is the operating annex. Randstad's India GCC is a captive operation; LTM moving into it as the AI-services partner is a recognisable pattern (the Indian SI selling AI transformation services into a global enterprise's India captive) inside the same envelope as the M&A. The talent-MSP arrangement on the other leg — Randstad managing LTM's global workforce expansion — is the part that materially changes LTM's senior-tier hiring channel for European delivery. Whether this routes hiring further into India or opens a senior-tier leakage channel into European centres is not yet observable, and is one of the variables that determines whether the deal's AI-services thesis lands at India-delivery economics or at Europe-delivery economics.
The transaction sits inside an arc that became visible in early May. The May 17 digest carried the Bloomberg framing of Indian IT services as the structural vulnerability inside India's MSCI re-rating — TCS, Infosys, Wipro, HCLTech, LTIMindtree all named — with the cohort's defence resting on AI-led revenue scaling fast enough to replace volume-led revenue contracting. The LTM-Randstad move is the first large concrete answer that has surfaced in the same cycle: an Indian SI buying, not building, the AI-services footprint that the bear thesis says they need. The trade-off the deal embeds — paying for an existing client book and a geographic delivery base, against the alternative of organic AI-services scaling — is the test case for whether inorganic moves at this scale settle the cohort's repositioning question, or merely defer it to integration risk.
India angle. For LTIMindtree specifically, three implications. First, the deal repositions LTM closer to the geographic footprint of the Big-Four advisory tier — PwC, KPMG, Deloitte, EY — that has been a counterparty to Anthropic and OpenAI in the May enterprise-distribution arc (May 16, May 20 digests covered the PwC and KPMG sides). The competitive frame is no longer Indian-SI-versus-Indian-SI; it is Indian-SI-versus-Big-Four for the same European and Australian enterprise budget, with the same underlying frontier models, on different paper.
Second, the AI-services contract embedded in the Randstad GCC arrangement is the kind of named-counterparty AI engagement that the cohort's investor narrative needs visibility on. LTM has explicitly tied an AI-services revenue line to a named European-domiciled multinational with a five-year horizon. Whether the AI-services contribution from this book is separately disclosed in LTM's quarterly investor reporting — the post-Mindtree-merger disclosure discipline has been variable — is the data point that lets the market test the deal's AI-services thesis against actuals.
Third, for the broader Indian SI cohort, the precedent is the move. The cost of inorganic European and ANZ delivery is anchored at roughly 0.34x the acquired book's annual revenue (~€160M enterprise value against ~€469M annual revenue, cash-free debt-free). Whether this multiple reads as cheap, fair, or distressed depends on the margin profile of the acquired book, which has not been broken out. Whether TCS, Infosys, Wipro, or HCLTech respond with comparable moves over the next two to four quarters will determine whether LTM's bet is read as a cohort-wide repositioning or as a single firm's bolder bet against the same backdrop.
Behind the news. The advisory-channel buildout for the major frontier labs through May — Anthropic tied to PwC on May 14, KPMG on May 19, with Stainless acquired the same week (covered in the May 20 digest) — describes the advisor side of the AI-into-large-enterprise distribution stack consolidating. The LTM-Randstad move describes the SI side beginning to do the same thing inorganically. The two sides are not yet competing for the same engagement-level work; they are competing for adjacent slices of the same enterprise transformation budget. The next question is whether the SI cohort moves toward platform-style ownership of distribution (the Big-Four model, with packaged tools and embedded models) or stays at the engagement-economics tier.
What to watch. LTM's first post-close investor disclosure — specifically, whether it separates AI-services revenue from the acquired Randstad book as a distinct line item. The Bloomberg framing from May 17 makes that line item the data point the bull case for the SI cohort now rests on.
Source: LTIMindtree press release, May 22, 2026. Also: Randstad press release; Business Wire.
Confidence: high on the announced transaction structure and counterparties, sourced from the LTM and Randstad press releases. Lower on the AI-services revenue thesis — the framing is announced; the contract economics are not disclosed.
See also: Bloomberg quantifies India's AI under-positioning (May 17); Anthropic and PwC expand alliance (May 14, in May 16 digest); KPMG and Anthropic global alliance (May 19, in May 20 digest).
Position movements
| Dimension | Direction | Magnitude | Why |
|---|---|---|---|
| Enterprise adoption depth | +1 | 2 | LTIMindtree adds Randstad's European-Australian tech and consulting client book to its AI-services delivery footprint, with a five-year named-counterparty AI engagement at Randstad's India GCC. |
| Talent density / retention | 0 | 1 | Randstad becomes strategic talent MSP for LTM's global workforce expansion; could either accelerate offshore-India hiring depth or open a senior-tier leakage channel into European delivery — direction not yet observable. |