<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Resilient Cyber]]></title><description><![CDATA[Cybersecurity, Cloud, DevSecOps and Software Supply Chain Security]]></description><link>https://www.resilientcyber.io</link><image><url>https://substackcdn.com/image/fetch/$s_!ITbg!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2F71894ea3-c231-4d31-90a9-414d75111d0e_1280x1280.png</url><title>Resilient Cyber</title><link>https://www.resilientcyber.io</link></image><generator>Substack</generator><lastBuildDate>Wed, 29 Apr 2026 05:57:53 GMT</lastBuildDate><atom:link href="https://www.resilientcyber.io/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Chris Hughes]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[resilientcyber@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[resilientcyber@substack.com]]></itunes:email><itunes:name><![CDATA[Chris Hughes]]></itunes:name></itunes:owner><itunes:author><![CDATA[Chris Hughes]]></itunes:author><googleplay:owner><![CDATA[resilientcyber@substack.com]]></googleplay:owner><googleplay:email><![CDATA[resilientcyber@substack.com]]></googleplay:email><googleplay:author><![CDATA[Chris Hughes]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Identity Is the Agentic AI Problem Nobody Has Solved Yet]]></title><description><![CDATA[The identity and access management industry spent decades building infrastructure to answer a relatively simple question about every request that hits an enterprise 
system.]]></description><link>https://www.resilientcyber.io/p/identity-is-the-agentic-ai-problem</link><guid isPermaLink="false">https://www.resilientcyber.io/p/identity-is-the-agentic-ai-problem</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Tue, 28 Apr 2026 11:03:28 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/0d82ad70-b916-4512-a647-65b529a1636d_2816x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The identity and access management industry spent decades building infrastructure to answer a relatively simple question about every request that hits an enterprise system. </p><p>Is this human who they claim to be, and are they authorized to do what they are asking to do? </p><p>That question, and the protocols built to answer it, assumed a world where the entity on the other end of every authentication flow was a person sitting at a keyboard, or at most a service account running a predictable workload with a static set of permissions. </p><p>AI agents break that assumption in ways that the existing IAM stack was never designed to handle, and the industry is now scrambling to figure out what comes next.</p><p>Enterprises are already deploying agents that authenticate to SaaS APIs, retrieve sensitive data, spawn sub-agents, chain tool invocations across multiple systems, and take actions with real business consequences, all at machine speed and with a degree of autonomy that no service account ever had. </p><p>The gap between what these agents can do and what IAM systems can govern about what they do is widening with every new deployment. 
As I have covered, identity is a core aspect of nearly every unresolved question about how to secure autonomous AI systems in the enterprise.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!IjgS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe058ca0e-2570-4a79-a3d7-e05816aec082_2816x1536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!IjgS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe058ca0e-2570-4a79-a3d7-e05816aec082_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!IjgS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe058ca0e-2570-4a79-a3d7-e05816aec082_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!IjgS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe058ca0e-2570-4a79-a3d7-e05816aec082_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!IjgS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe058ca0e-2570-4a79-a3d7-e05816aec082_2816x1536.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!IjgS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe058ca0e-2570-4a79-a3d7-e05816aec082_2816x1536.png" width="1456" height="794" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e058ca0e-2570-4a79-a3d7-e05816aec082_2816x1536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:794,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:8560475,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/195644881?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe058ca0e-2570-4a79-a3d7-e05816aec082_2816x1536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!IjgS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe058ca0e-2570-4a79-a3d7-e05816aec082_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!IjgS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe058ca0e-2570-4a79-a3d7-e05816aec082_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!IjgS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe058ca0e-2570-4a79-a3d7-e05816aec082_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!IjgS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe058ca0e-2570-4a79-a3d7-e05816aec082_2816x1536.png 1456w" sizes="100vw" fetchpriority="high"></picture>
</div></a></figure></div><div><hr></div><p>If you&#8217;re like me and looking to think through the IAM implications of agents, I strongly recommend checking out the blogs of folks such as <strong><a href="https://notes.karlmcguinness.com/">Karl McGuinness</a></strong> and <strong><a href="https://blog.christianposta.com/">Christian Posta</a></strong>, both of whom have excellent, thought-provoking content on the topic. 
 </p><p>I recently had a chance to sit down with Christian to discuss Agentic IAM and soon will be doing so with Karl, so keep an eye out for that.</p><div id="youtube2-lxJfnbNPnsU" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;lxJfnbNPnsU&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/lxJfnbNPnsU?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><div><hr></div><h2>The IAM Assumptions That No Longer Hold</h2><p>Traditional IAM operates on a set of assumptions that have been stable for decades. Identities are either human or machine. Human identities are long-lived, tied to an employee or asset lifecycle, and governed through access certifications and role-based policies. 
Machine identities, such as service accounts and API keys, are provisioned for specific workloads with predictable behavior patterns and static permission sets. The entire governance model, from provisioning to certification to revocation, is built around these two categories.</p><p>AI agents fit cleanly into neither. They are not humans, but they act with a degree of autonomy and decision-making that service accounts never possessed. They are not traditional machine identities, because their behavior is non-deterministic by design. This isn&#8217;t a flaw; it is a fundamental design characteristic of LLMs and of the agents that act as the model&#8217;s arms and legs, giving them autonomy and the ability to take actions.</p><p>The same agent with the same permissions can take fundamentally different actions depending on the prompt it receives, the conversation context it carries, and the outputs of upstream agents in a delegation chain. An API key provisioned for a microservice calls the same endpoints at roughly the same cadence every time. An AI agent reasons about which tools to invoke, which APIs to call, and what data to retrieve based on context that changes with every single interaction.</p><p><strong><a href="https://notes.karlmcguinness.com/notes/agents-dont-need-your-passport-they-need-your-authority/">Karl McGuinness</a></strong>, former chief product architect at Okta and one of the sharper thinkers in the identity standards community, has framed this distinction in a way that cuts to the core of the problem. </p><p>Agents do not need identity passports telling the world who they are. They need authority grants telling the world what they can do. The traditional IAM model is built around the passport metaphor, authenticating an entity's identity and then mapping that identity to a set of permissions. That works when the entity behaves predictably within those permissions. 
It breaks when the entity is an autonomous agent that picks its tool chain at runtime, chooses its next action as the task unfolds, and shifts its behavior with every new interaction. For agents, the question that matters is not "<em>who are you</em>" but "<em>what are you authorized to do right now, in this specific context, for this specific task</em>."</p><p>This means that the static authorization models enterprises have relied on for years (define a role, assign permissions, certify periodically) are insufficient for agents. The set of actions an agent might take is not fully knowable at the time permissions are granted, which makes traditional least-privilege enforcement a design-time exercise applied to a runtime problem. Given the non-deterministic nature of agents, coupled with their ability to be influenced by what enters their context window, implementing least-permissive access control, as well as emerging concepts such as least-autonomy, is challenging. </p><p>The <strong><a href="https://owasp.org/www-project-non-human-identities-top-10/">OWASP Non-Human Identity Top 10</a></strong>, published in 2025, already cataloged the consequences of poor NHI management, including improper offboarding, secret leakage, overprivileged identities, long-lived credentials, and cross-environment reuse. </p><p>Those risks existed before agents entered the picture. 
Agents inherit all of them and add new dimensions that NHI frameworks were not built to address, particularly around non-deterministic behavior, multi-hop delegation, and the need for continuous runtime authorization rather than one-time permission grants.</p><h2>CoSAI Lays the Groundwork</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Y-rQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2809a6e5-94e2-4a1a-bae1-0dc471259b5e_731x578.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Y-rQ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2809a6e5-94e2-4a1a-bae1-0dc471259b5e_731x578.png 424w, https://substackcdn.com/image/fetch/$s_!Y-rQ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2809a6e5-94e2-4a1a-bae1-0dc471259b5e_731x578.png 848w, https://substackcdn.com/image/fetch/$s_!Y-rQ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2809a6e5-94e2-4a1a-bae1-0dc471259b5e_731x578.png 1272w, https://substackcdn.com/image/fetch/$s_!Y-rQ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2809a6e5-94e2-4a1a-bae1-0dc471259b5e_731x578.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Y-rQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2809a6e5-94e2-4a1a-bae1-0dc471259b5e_731x578.png" width="447" height="353.4418604651163" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2809a6e5-94e2-4a1a-bae1-0dc471259b5e_731x578.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:578,&quot;width&quot;:731,&quot;resizeWidth&quot;:447,&quot;bytes&quot;:42380,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/195644881?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2809a6e5-94e2-4a1a-bae1-0dc471259b5e_731x578.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Y-rQ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2809a6e5-94e2-4a1a-bae1-0dc471259b5e_731x578.png 424w, https://substackcdn.com/image/fetch/$s_!Y-rQ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2809a6e5-94e2-4a1a-bae1-0dc471259b5e_731x578.png 848w, https://substackcdn.com/image/fetch/$s_!Y-rQ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2809a6e5-94e2-4a1a-bae1-0dc471259b5e_731x578.png 1272w, https://substackcdn.com/image/fetch/$s_!Y-rQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2809a6e5-94e2-4a1a-bae1-0dc471259b5e_731x578.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>One of the more comprehensive attempts to define what agentic IAM should look like came from <strong><a href="https://www.coalitionforsecureai.org/">CoSAI&#8217;s Workstream 4</a></strong> in March 2026 with their publication on Agentic Identity and Access Management. The paper is significant not because it solves the problem but because it establishes the architectural principles and design patterns that the industry will likely converge around over the next 12 to 18 months.</p><p>CoSAI&#8217;s framework rests on nine core imperatives that represent a meaningful departure from how most enterprises think about identity today. The first and most fundamental is treating agents as first-class identities, not shoehorning them into the human or service account categories that existing directories support. 
Agents need their own identity primitive with lifecycle management, governance, and accountability structures purpose-built for autonomous non-human actors.</p><p>The second imperative, eliminating standing privilege, directly addresses the static authorization problem. CoSAI argues that agents should never hold persistent permissions. Instead, access should be granted just-in-time, scoped to the specific task, and revoked immediately upon completion. This is a principle the industry has talked about for human identities for years and largely failed to implement. Applying it to agents is both more urgent and, potentially, more achievable because agents can be designed from the ground up to request and release credentials programmatically in ways that human workflows never could.</p><p>The paper introduces a capability-impact risk matrix that classifies agents from low-capability, low-risk scenarios like FAQ lookup bots through high-capability, high-risk scenarios like agents performing financial operations or administrative tasks. 
This classification matters because the security controls required vary dramatically across the spectrum, and organizations that apply uniform policies across all agent types will inevitably either over-constrain low-risk agents and slow down legitimate automation or under-constrain high-risk agents and create exposure they cannot see.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!iCP8!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F49aabafe-1a14-4bc4-a946-7b166204d3e8_756x361.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!iCP8!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F49aabafe-1a14-4bc4-a946-7b166204d3e8_756x361.png 424w, https://substackcdn.com/image/fetch/$s_!iCP8!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F49aabafe-1a14-4bc4-a946-7b166204d3e8_756x361.png 848w, https://substackcdn.com/image/fetch/$s_!iCP8!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F49aabafe-1a14-4bc4-a946-7b166204d3e8_756x361.png 1272w, https://substackcdn.com/image/fetch/$s_!iCP8!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F49aabafe-1a14-4bc4-a946-7b166204d3e8_756x361.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!iCP8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F49aabafe-1a14-4bc4-a946-7b166204d3e8_756x361.png" width="756" height="361" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/49aabafe-1a14-4bc4-a946-7b166204d3e8_756x361.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:361,&quot;width&quot;:756,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:145119,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/195644881?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F49aabafe-1a14-4bc4-a946-7b166204d3e8_756x361.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!iCP8!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F49aabafe-1a14-4bc4-a946-7b166204d3e8_756x361.png 424w, https://substackcdn.com/image/fetch/$s_!iCP8!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F49aabafe-1a14-4bc4-a946-7b166204d3e8_756x361.png 848w, https://substackcdn.com/image/fetch/$s_!iCP8!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F49aabafe-1a14-4bc4-a946-7b166204d3e8_756x361.png 1272w, https://substackcdn.com/image/fetch/$s_!iCP8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F49aabafe-1a14-4bc4-a946-7b166204d3e8_756x361.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>This spectrum-based approach reminds me of an excellent paper I&#8217;ve referenced lately in conversations which is &#8220;<strong><a href="https://arxiv.org/html/2506.12469v1">Levels of Autonomy for AI Agents</a></strong>&#8221;. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wpS1!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43ab5d0f-ce39-4988-ab7a-36b38868b56e_1066x445.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!wpS1!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43ab5d0f-ce39-4988-ab7a-36b38868b56e_1066x445.png 424w, https://substackcdn.com/image/fetch/$s_!wpS1!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43ab5d0f-ce39-4988-ab7a-36b38868b56e_1066x445.png 848w, https://substackcdn.com/image/fetch/$s_!wpS1!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43ab5d0f-ce39-4988-ab7a-36b38868b56e_1066x445.png 1272w, https://substackcdn.com/image/fetch/$s_!wpS1!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43ab5d0f-ce39-4988-ab7a-36b38868b56e_1066x445.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!wpS1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43ab5d0f-ce39-4988-ab7a-36b38868b56e_1066x445.png" width="1066" height="445" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/43ab5d0f-ce39-4988-ab7a-36b38868b56e_1066x445.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:445,&quot;width&quot;:1066,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:176528,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/195644881?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43ab5d0f-ce39-4988-ab7a-36b38868b56e_1066x445.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!wpS1!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43ab5d0f-ce39-4988-ab7a-36b38868b56e_1066x445.png 424w, https://substackcdn.com/image/fetch/$s_!wpS1!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43ab5d0f-ce39-4988-ab7a-36b38868b56e_1066x445.png 848w, https://substackcdn.com/image/fetch/$s_!wpS1!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43ab5d0f-ce39-4988-ab7a-36b38868b56e_1066x445.png 1272w, https://substackcdn.com/image/fetch/$s_!wpS1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F43ab5d0f-ce39-4988-ab7a-36b38868b56e_1066x445.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>CoSAI&#8217;s technical patterns cover authentication through SPIFFE SVIDs and short-lived OAuth tokens, authorization through on-behalf-of token chains with scope attenuation at every hop, and governance through immutable audit trails that trace the full delegation lineage from the initiating human through every sub-agent invocation to the final resource access. 
</p><p>The paper also proposes a three-phase adoption strategy, moving from basic visibility into what agents exist and what they access, through contextual access controls, to full agentic IAM with runtime enforcement and continuous monitoring.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!kiBO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faf900d85-98a3-407d-a7e9-4ee1b594594e_762x310.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!kiBO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faf900d85-98a3-407d-a7e9-4ee1b594594e_762x310.png 424w, https://substackcdn.com/image/fetch/$s_!kiBO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faf900d85-98a3-407d-a7e9-4ee1b594594e_762x310.png 848w, https://substackcdn.com/image/fetch/$s_!kiBO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faf900d85-98a3-407d-a7e9-4ee1b594594e_762x310.png 1272w, https://substackcdn.com/image/fetch/$s_!kiBO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faf900d85-98a3-407d-a7e9-4ee1b594594e_762x310.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!kiBO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faf900d85-98a3-407d-a7e9-4ee1b594594e_762x310.png" width="762" height="310" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/af900d85-98a3-407d-a7e9-4ee1b594594e_762x310.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:310,&quot;width&quot;:762,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:132009,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/195644881?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faf900d85-98a3-407d-a7e9-4ee1b594594e_762x310.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!kiBO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faf900d85-98a3-407d-a7e9-4ee1b594594e_762x310.png 424w, https://substackcdn.com/image/fetch/$s_!kiBO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faf900d85-98a3-407d-a7e9-4ee1b594594e_762x310.png 848w, https://substackcdn.com/image/fetch/$s_!kiBO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faf900d85-98a3-407d-a7e9-4ee1b594594e_762x310.png 1272w, https://substackcdn.com/image/fetch/$s_!kiBO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faf900d85-98a3-407d-a7e9-4ee1b594594e_762x310.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The most important contribution may be the framing of what CoSAI calls the identity primitive problem. Current security infrastructure forces a binary choice between human and service account, but agents represent something genuinely new. They act with autonomy that service accounts never had but within boundaries that should ultimately trace back to human authorization. 
Defining that new identity primitive, and building the protocols and infrastructure to support it, is the central unsolved challenge.</p><h2>The Protocol Scramble</h2><p>The recognition that agents need purpose-built identity protocols has triggered an interesting flurry of standardization activity, particularly within the IETF OAuth Working Group where multiple competing and complementary drafts are now circulating simultaneously.</p><p>The <strong><a href="https://datatracker.ietf.org/doc/draft-rosenberg-oauth-aauth/">AAuth - Agentic Authorization OAuth 2.1 Extension</a></strong>, authored by Jonathan Rosenberg of Five9 and Patrick White of Bitwave, defines an Agent Authorization Grant as an OAuth 2.1 extension designed to let agents obtain access tokens on behalf of users through non-traditional channels where standard redirect-based OAuth flows are not possible. The draft explicitly addresses the LLM hallucination risk, recognizing that if an agent can fabricate credentials through hallucination, impersonation attacks become a first-order concern rather than an edge case.</p><p>A more comprehensive approach comes from <strong><a href="https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/">AI Agent Authentication and Authorization</a></strong>, authored by contributors from Defakto Security, AWS, Zscaler, Ping Identity, and OpenAI. Rather than proposing new protocols, this draft demonstrates how existing standards including SPIFFE, WIMSE, OAuth 2.0, and OpenID Connect can be composed to solve agent authentication and authorization. 
The pragmatic approach of building on existing infrastructure investments rather than requiring enterprises to adopt entirely new protocol stacks gives this draft significant enterprise appeal.</p><p>Beyond these two, the OAuth Working Group is processing at least five additional agent-related drafts covering everything from OpenID Connect extensions for agent identity to secure intent protocols that address zero-trust drift caused by non-deterministic agent behavior. The volume of parallel proposals suggests the working group is still in a design space exploration phase, with consolidation likely over the next six to twelve months.</p><p>On the protocol layer above authentication, the <a href="https://a2a-protocol.org/latest/">Agent2Agent (A2A) protocol</a> has emerged as the leading standard for agent-to-agent communication, now supported by over 150 organizations and integrated into leading platforms such as Azure AI Foundry, Amazon Bedrock, and Google Cloud.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fAbS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce073c08-0fd3-4f35-bdfc-74728a5ca584_846x230.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fAbS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce073c08-0fd3-4f35-bdfc-74728a5ca584_846x230.png 424w, https://substackcdn.com/image/fetch/$s_!fAbS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce073c08-0fd3-4f35-bdfc-74728a5ca584_846x230.png 848w, 
https://substackcdn.com/image/fetch/$s_!fAbS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce073c08-0fd3-4f35-bdfc-74728a5ca584_846x230.png 1272w, https://substackcdn.com/image/fetch/$s_!fAbS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce073c08-0fd3-4f35-bdfc-74728a5ca584_846x230.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fAbS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce073c08-0fd3-4f35-bdfc-74728a5ca584_846x230.png" width="846" height="230" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ce073c08-0fd3-4f35-bdfc-74728a5ca584_846x230.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:230,&quot;width&quot;:846,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:31582,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/195644881?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce073c08-0fd3-4f35-bdfc-74728a5ca584_846x230.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fAbS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce073c08-0fd3-4f35-bdfc-74728a5ca584_846x230.png 424w, https://substackcdn.com/image/fetch/$s_!fAbS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce073c08-0fd3-4f35-bdfc-74728a5ca584_846x230.png 848w, 
https://substackcdn.com/image/fetch/$s_!fAbS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce073c08-0fd3-4f35-bdfc-74728a5ca584_846x230.png 1272w, https://substackcdn.com/image/fetch/$s_!fAbS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce073c08-0fd3-4f35-bdfc-74728a5ca584_846x230.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>A2A handles agent identity through Agent Cards, discoverable JSON files that declare an agent&#8217;s authentication schemes, capabilities, and authorization requirements. While MCP addresses agent-to-tool interaction, A2A specifically standardizes how agents identify themselves to other agents, creating the peer-to-peer identity fabric that multi-agent architectures require. Below is a good visualization of the difference between the two and how they complement one another.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!pWcH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbc580e8-a8ab-4a7a-af08-8a66d668c403_802x482.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!pWcH!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbc580e8-a8ab-4a7a-af08-8a66d668c403_802x482.png 424w, https://substackcdn.com/image/fetch/$s_!pWcH!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbc580e8-a8ab-4a7a-af08-8a66d668c403_802x482.png 848w, 
https://substackcdn.com/image/fetch/$s_!pWcH!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbc580e8-a8ab-4a7a-af08-8a66d668c403_802x482.png 1272w, https://substackcdn.com/image/fetch/$s_!pWcH!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbc580e8-a8ab-4a7a-af08-8a66d668c403_802x482.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!pWcH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbc580e8-a8ab-4a7a-af08-8a66d668c403_802x482.png" width="600" height="360.59850374064837" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/dbc580e8-a8ab-4a7a-af08-8a66d668c403_802x482.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:482,&quot;width&quot;:802,&quot;resizeWidth&quot;:600,&quot;bytes&quot;:87933,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/195644881?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbc580e8-a8ab-4a7a-af08-8a66d668c403_802x482.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!pWcH!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbc580e8-a8ab-4a7a-af08-8a66d668c403_802x482.png 424w, 
https://substackcdn.com/image/fetch/$s_!pWcH!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbc580e8-a8ab-4a7a-af08-8a66d668c403_802x482.png 848w, https://substackcdn.com/image/fetch/$s_!pWcH!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbc580e8-a8ab-4a7a-af08-8a66d668c403_802x482.png 1272w, https://substackcdn.com/image/fetch/$s_!pWcH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbc580e8-a8ab-4a7a-af08-8a66d668c403_802x482.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>NIST launched its <strong><a href="https://www.nist.gov/artificial-intelligence/ai-agent-standards-initiative">AI Agent Standards Initiative</a></strong> in February 2026, organizing work around three pillars of industry-led standards development, community-led open source protocol maintenance, and foundational research in agent security and identity.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!OxsU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8600de67-3970-4114-9fbc-a4da790bff9d_894x208.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!OxsU!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8600de67-3970-4114-9fbc-a4da790bff9d_894x208.png 424w, https://substackcdn.com/image/fetch/$s_!OxsU!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8600de67-3970-4114-9fbc-a4da790bff9d_894x208.png 848w, https://substackcdn.com/image/fetch/$s_!OxsU!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8600de67-3970-4114-9fbc-a4da790bff9d_894x208.png 1272w, https://substackcdn.com/image/fetch/$s_!OxsU!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8600de67-3970-4114-9fbc-a4da790bff9d_894x208.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!OxsU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8600de67-3970-4114-9fbc-a4da790bff9d_894x208.png" width="894" height="208" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8600de67-3970-4114-9fbc-a4da790bff9d_894x208.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:208,&quot;width&quot;:894,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:16342,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/195644881?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8600de67-3970-4114-9fbc-a4da790bff9d_894x208.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!OxsU!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8600de67-3970-4114-9fbc-a4da790bff9d_894x208.png 424w, https://substackcdn.com/image/fetch/$s_!OxsU!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8600de67-3970-4114-9fbc-a4da790bff9d_894x208.png 848w, https://substackcdn.com/image/fetch/$s_!OxsU!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8600de67-3970-4114-9fbc-a4da790bff9d_894x208.png 1272w, https://substackcdn.com/image/fetch/$s_!OxsU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8600de67-3970-4114-9fbc-a4da790bff9d_894x208.png 1456w" sizes="100vw" 
loading="lazy"></picture><div></div></div></a></figure></div><p>The initiative&#8217;s concept paper asks the right questions about whether existing identity standards like OAuth, SPIFFE, and OpenID Connect are sufficient for agents or whether modifications and entirely new standards are needed. NIST&#8217;s listening sessions, which began in April 2026, are meant to identify sector-specific barriers to agent adoption and drive concrete standardization projects.</p><h2>MCP and the Authentication Gap</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qJ4E!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7bbe563-8741-494d-adce-8ddc87a71245_720x548.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!qJ4E!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7bbe563-8741-494d-adce-8ddc87a71245_720x548.png 424w, https://substackcdn.com/image/fetch/$s_!qJ4E!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7bbe563-8741-494d-adce-8ddc87a71245_720x548.png 848w, https://substackcdn.com/image/fetch/$s_!qJ4E!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7bbe563-8741-494d-adce-8ddc87a71245_720x548.png 1272w, https://substackcdn.com/image/fetch/$s_!qJ4E!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7bbe563-8741-494d-adce-8ddc87a71245_720x548.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!qJ4E!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7bbe563-8741-494d-adce-8ddc87a71245_720x548.png" width="454" height="345.5444444444444" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c7bbe563-8741-494d-adce-8ddc87a71245_720x548.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:548,&quot;width&quot;:720,&quot;resizeWidth&quot;:454,&quot;bytes&quot;:156901,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/195644881?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7bbe563-8741-494d-adce-8ddc87a71245_720x548.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!qJ4E!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7bbe563-8741-494d-adce-8ddc87a71245_720x548.png 424w, https://substackcdn.com/image/fetch/$s_!qJ4E!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7bbe563-8741-494d-adce-8ddc87a71245_720x548.png 848w, https://substackcdn.com/image/fetch/$s_!qJ4E!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7bbe563-8741-494d-adce-8ddc87a71245_720x548.png 1272w, https://substackcdn.com/image/fetch/$s_!qJ4E!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc7bbe563-8741-494d-adce-8ddc87a71245_720x548.png 1456w" 
sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The <strong><a href="https://modelcontextprotocol.io/docs/getting-started/intro">Model Context Protocol</a></strong> deserves specific attention because it has become the de facto standard for how agents connect to tools and resources, with over 13,000 MCP servers deployed on GitHub in 2025 alone. 
MCP&#8217;s June 2025 specification update integrated OAuth 2.1 and adopted RFC 9728 for protected resource metadata, which lets agents dynamically discover authorization requirements rather than relying on hardcoded configurations.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Cm54!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F801bc775-ee6e-4f8e-8526-272c99a2f8cd_1207x439.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Cm54!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F801bc775-ee6e-4f8e-8526-272c99a2f8cd_1207x439.png 424w, https://substackcdn.com/image/fetch/$s_!Cm54!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F801bc775-ee6e-4f8e-8526-272c99a2f8cd_1207x439.png 848w, https://substackcdn.com/image/fetch/$s_!Cm54!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F801bc775-ee6e-4f8e-8526-272c99a2f8cd_1207x439.png 1272w, https://substackcdn.com/image/fetch/$s_!Cm54!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F801bc775-ee6e-4f8e-8526-272c99a2f8cd_1207x439.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Cm54!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F801bc775-ee6e-4f8e-8526-272c99a2f8cd_1207x439.png" width="1207" height="439" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/801bc775-ee6e-4f8e-8526-272c99a2f8cd_1207x439.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:439,&quot;width&quot;:1207,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:114563,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/195644881?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F801bc775-ee6e-4f8e-8526-272c99a2f8cd_1207x439.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Cm54!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F801bc775-ee6e-4f8e-8526-272c99a2f8cd_1207x439.png 424w, https://substackcdn.com/image/fetch/$s_!Cm54!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F801bc775-ee6e-4f8e-8526-272c99a2f8cd_1207x439.png 848w, https://substackcdn.com/image/fetch/$s_!Cm54!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F801bc775-ee6e-4f8e-8526-272c99a2f8cd_1207x439.png 1272w, https://substackcdn.com/image/fetch/$s_!Cm54!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F801bc775-ee6e-4f8e-8526-272c99a2f8cd_1207x439.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The problem is that the specification and the reality of deployments are two different things. 
I previously shared an excellent report from Clutch Security titled &#8220;<strong><a href="https://www.clutch.security/blog/mcp-servers-what-we-found-when-we-actually-looked">MCP: A View from the Trenches</a></strong>&#8221; that had some insightful (and alarming) findings.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!t2tZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba420cb-c598-48ad-a743-102244d4505a_849x609.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!t2tZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba420cb-c598-48ad-a743-102244d4505a_849x609.png 424w, https://substackcdn.com/image/fetch/$s_!t2tZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba420cb-c598-48ad-a743-102244d4505a_849x609.png 848w, https://substackcdn.com/image/fetch/$s_!t2tZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba420cb-c598-48ad-a743-102244d4505a_849x609.png 1272w, https://substackcdn.com/image/fetch/$s_!t2tZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba420cb-c598-48ad-a743-102244d4505a_849x609.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!t2tZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba420cb-c598-48ad-a743-102244d4505a_849x609.png" width="849" height="609" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/aba420cb-c598-48ad-a743-102244d4505a_849x609.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:609,&quot;width&quot;:849,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:101892,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/195644881?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba420cb-c598-48ad-a743-102244d4505a_849x609.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!t2tZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba420cb-c598-48ad-a743-102244d4505a_849x609.png 424w, https://substackcdn.com/image/fetch/$s_!t2tZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba420cb-c598-48ad-a743-102244d4505a_849x609.png 848w, https://substackcdn.com/image/fetch/$s_!t2tZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba420cb-c598-48ad-a743-102244d4505a_849x609.png 1272w, https://substackcdn.com/image/fetch/$s_!t2tZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba420cb-c598-48ad-a743-102244d4505a_849x609.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Many MCP servers in the wild lack proper authentication entirely. OAuth implementations are frequently misconfigured. The specification does not enforce audit logging, sandboxing, or verification mechanisms, and as MCP expanded beyond simple synchronous tool calls into long-running governed workflows in its November 2025 update, the attack surface grew faster than the security controls could keep pace. </p><p>Security research through 2025 and 2026 has documented identity spoofing, credential leakage through prompts, cascading hallucinations that propagate false information through connected MCP servers, and LLM jailbreaks that trick agents into executing unauthorized commands through MCP integrations. 
OWASP even published an initial <strong><a href="https://owasp.org/www-project-mcp-top-10/">MCP Top 10</a></strong>, documenting these key risks. </p><p>This is the gap that organizations deploying agents at scale need to understand. The protocols are evolving in the right direction, but the deployed infrastructure is running ahead of the security controls, and the identity layer underneath most agent deployments today is held together with long-lived API keys, inconsistent access controls, and audit trails that would not survive a serious incident investigation.</p><h2>What Needs to Happen</h2><p>The path forward requires work at multiple layers simultaneously, and CoSAI&#8217;s three-phase adoption model provides a reasonable roadmap for how organizations should sequence it.</p><p>Phase one is visibility, which has been a foundational, critical security control for years in sources such as <strong><a href="https://www.cisecurity.org/controls">CIS Critical Controls</a></strong>, and it applies here too. You cannot secure agents you do not know exist, and shadow AI is already a serious problem in most enterprises. Employees are provisioning agents that connect to enterprise systems through personal accounts, hardcoded credentials, and unmonitored API integrations. Establishing a discovery and inventory capability for agents is the prerequisite for everything else.</p><p>Phase two is contextual access control. Once organizations know what agents exist and what they connect to, the next step is applying identity-aware policies that account for agent type, delegation model, and risk classification. This is where the CoSAI capability-impact matrix becomes operationally useful, because the controls appropriate for a low-risk FAQ bot are wildly different from those required for an autonomous agent executing financial transactions. 
It&#8217;s this organizational and use case context that can help drive appropriate security controls and safeguards.</p><p>Phase three is full agentic IAM with runtime enforcement, continuous monitoring, and the kind of attribution and lineage tracking that regulators under frameworks like the EU AI Act are already beginning to require. This phase demands the protocol maturity that the IETF drafts are working toward and the infrastructure investment that most enterprises have not yet made.</p><p>The honest assessment is that most organizations are somewhere between phase one and phase two, with a small number of forward-leaning enterprises beginning to experiment with phase three capabilities. The standards are not yet settled, the protocols are not yet consolidated, and the tooling is not yet mature. But the agents are already deployed and operating with permissions that most security teams cannot fully enumerate, let alone govern.</p><p>The organizations that will navigate this transition successfully are the ones that recognize identity is not a feature of their agent security strategy; it is a core part of the foundation. Every other control (runtime monitoring, policy enforcement, anomaly detection, incident response) depends on a functioning identity layer that can answer three questions about every agent interaction. </p><ul><li><p><strong>Who is this agent? </strong></p></li><li><p><strong>Who authorized it to act? </strong></p></li><li><p><strong>What exactly is it permitted to do? </strong></p></li></ul><p>The industry built that capability for humans over two decades and even now still struggles to implement it effectively at scale, as evidenced by credential compromises and incidents persisting year after year. 
</p><blockquote><p><strong>With the pace of agentic adoption, it does not have two decades to build it for agents.</strong></p></blockquote>]]></content:encoded></item><item><title><![CDATA[Securing the Vibe: Tanya Janca on AI-Generated Code, Mythos, and the New AppSec Reality]]></title><description><![CDATA[A new episode of the Resilient Cyber Show just dropped, and this one is a conversation I&#8217;ve been looking forward to for a long time.]]></description><link>https://www.resilientcyber.io/p/securing-the-vibe-tanya-janca-on</link><guid isPermaLink="false">https://www.resilientcyber.io/p/securing-the-vibe-tanya-janca-on</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Mon, 27 Apr 2026 12:03:49 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/195564584/3f85c95c71e5a600aa6c38031b73966c.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p>A new episode of the Resilient Cyber Show just dropped, and this one is a conversation I&#8217;ve been looking forward to for a long time.</p><p>I sat down with <strong>Tanya Janca</strong>, better known to most of the AppSec world as <strong>SheHacksPurple</strong>. Tanya is the best-selling author of <em>Alice and Bob Learn Application Security</em> and <em>Alice and Bob Learn Secure Coding</em>, an OWASP Lifetime Distinguished Member, CEO of She Hacks Purple Consulting, and one of the most recognized voices in application security and developer education on the planet.</p><p>The timing of this conversation is hard to overstate. 
The OWASP Top 10 2025 was announced at the Global AppSec Conference last year, with two new categories, Software Supply Chain Failures and Mishandling of Exceptional Conditions, and SSRF folded into Broken Access Control. Recently, Anthropic released the Claude Mythos Preview system card, documenting a model that has already found thousands of high-severity zero-day vulnerabilities autonomously, including bugs in every major operating system and web browser, and a 27-year-old vulnerability in OpenBSD.</p><p>In other words, AppSec is at a hinge moment, and Tanya is exactly the right person to think out loud with about it.</p><div id="youtube2-aiCZXK5830M" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;aiCZXK5830M&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/aiCZXK5830M?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><div><hr></div><p><em><strong>Interested in sponsoring an issue of Resilient Cyber?</strong></em></p><p><em><strong>This includes reaching over 31,000 subscribers, ranging from Developers, Engineers, Architects, CISO&#8217;s/Security Leaders and Business Executives</strong></em></p><p><em><strong>Reach out below!</strong></em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;mailto:sponsorships@resilientcyber.io&quot;,&quot;text&quot;:&quot;-> Contact Us! <-&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="mailto:sponsorships@resilientcyber.io"><span>-&gt; Contact Us! &lt;-</span></a></p><div><hr></div><p><strong>Here&#8217;s what we get into:</strong></p><ul><li><p>What the OWASP Top 10 2025 got right, what it missed, and how teams should actually use it</p></li><li><p>AI-generated code, &#8220;vibe coding,&#8221; and Tanya&#8217;s brand-new free prompt library for secure coding with AI assistants, <strong>SecureMyVibe.ca</strong></p></li><li><p>What Mythos-class capabilities mean for the offense/defense asymmetry AppSec has always lived with</p></li><li><p>How AI is genuinely changing the SDLC, where it creates lift, where it creates noise, and where it creates entirely new attack surface</p></li><li><p>Architecting real defenses at the prompt layer, across MCP servers, and inside RAG pipelines, not just bolting content filters onto the front door</p></li><li><p>Why <strong>developers are the new attack surface</strong>, and why a lot of what gets labeled as &#8220;supply chain attacks&#8221; lately is really a developer compromise that cascaded into the supply chain</p></li><li><p>Tanya&#8217;s threat model, defense framework, and maturity model for protecting developers themselves</p></li><li><p><strong>DevSec Station</strong>, Tanya&#8217;s new podcast delivering 5&#8211;10 minute secure coding lessons in a format built for how developers actually consume content</p></li><li><p>What she&#8217;d change tomorrow about how AppSec programs are built and run if she could change just one thing</p></li></ul><p>This is one of those conversations that ranges from the practical (what to do Monday morning) to the philosophical (what does it even mean to &#8220;secure software&#8221; when an AI can find more zero-days in a weekend than a Red Team finds in a year). 
Tanya brings the rare combination of deep technical chops, real teaching ability, and genuine warmth that makes a hard subject feel approachable.</p><p>If you lead an AppSec program, write code for a living, run a security team trying to keep up with AI-assisted development, or you&#8217;re just trying to figure out where this whole industry is heading, this is the episode for you.</p><p><strong>Resources from the episode:</strong></p><ul><li><p><strong><a href="https://securemyvibe.ca">SecureMyVibe</a></strong> </p></li><li><p>DevSec Station Podcast (Tanya&#8217;s new show)</p></li><li><p><strong><a href="https://securemyvibe.ca">She Hacks Purple Consulting</a></strong> </p></li><li><p><em>Alice and Bob Learn Application Security</em> and <em>Alice and Bob Learn Secure Coding</em></p></li><li><p>OWASP Top 10 2025 &#8212; <a href="https://owasp.org/Top10/2025/">https://owasp.org/Top10/2025/</a></p></li><li><p>Claude Mythos Preview System Card &#8212; Anthropic</p></li></ul><p>Thanks for being here. 
If this episode landed for you, the best thing you can do is share it with one person on your team who&#8217;d find it useful; that&#8217;s how this newsletter and show grow.</p>]]></content:encoded></item><item><title><![CDATA[Resilient Cyber Newsletter #94]]></title><description><![CDATA[Mythos Model Leak, OWASP GenAI Exploit Roundup, OAuth Challenges for Agentic AI, Mythos Delivers 271 Firefox Findings, Vercel Breach & NVD Throws in the Towel]]></description><link>https://www.resilientcyber.io/p/resilient-cyber-newsletter-94</link><guid isPermaLink="false">https://www.resilientcyber.io/p/resilient-cyber-newsletter-94</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Fri, 24 Apr 2026 12:16:01 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!5JJn!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc66525d1-0e67-4e6d-b5e8-4ed53dae2d69_1180x728.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to issue #94 of the Resilient Cyber Newsletter! </p><p>Last week I wrote that Mythos had crossed from research project to systemic risk. This week, the cracks started showing. Bloomberg reported that an unauthorized group gained access to Mythos through a third-party contractor. The NSA is reportedly using Mythos despite the Pentagon&#8217;s own supply chain risk designation against Anthropic. 
OMB clarified that it is not giving agencies access to anything, even as it quietly examines guardrails for a modified version. VulnCheck dug into the actual CVE data behind Project Glasswing and found that only one CVE has been directly tied to the program so far.</p><p>At the same time, the defensive ecosystem continued to build. </p><p>JPMorgan published a 10-point playbook for AI-ready cyber resilience. Anthropic endorsed EPSS as the triage framework for the coming bug surge, and Empirical Security responded with a sharp piece on why that still leaves the hard part unsolved. Mozilla shipped Firefox 150 with 271 bug fixes discovered by Mythos, roughly four times the annual baseline in a single pass. Semgrep tested whether open source models can replicate what Mythos did and found that discovery is orders of magnitude harder than verification. The Cloud Security Alliance published research showing 53% of organizations report AI agents exceeding intended permissions, and NIST officially stopped enriching most CVEs.</p><p>So, yeah, just another light week in cyber. Let&#8217;s get into it.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!5JJn!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc66525d1-0e67-4e6d-b5e8-4ed53dae2d69_1180x728.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!5JJn!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc66525d1-0e67-4e6d-b5e8-4ed53dae2d69_1180x728.png 424w, https://substackcdn.com/image/fetch/$s_!5JJn!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc66525d1-0e67-4e6d-b5e8-4ed53dae2d69_1180x728.png 848w, 
https://substackcdn.com/image/fetch/$s_!5JJn!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc66525d1-0e67-4e6d-b5e8-4ed53dae2d69_1180x728.png 1272w, https://substackcdn.com/image/fetch/$s_!5JJn!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc66525d1-0e67-4e6d-b5e8-4ed53dae2d69_1180x728.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!5JJn!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc66525d1-0e67-4e6d-b5e8-4ed53dae2d69_1180x728.png" width="624" height="384.97627118644067" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c66525d1-0e67-4e6d-b5e8-4ed53dae2d69_1180x728.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:728,&quot;width&quot;:1180,&quot;resizeWidth&quot;:624,&quot;bytes&quot;:607760,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc66525d1-0e67-4e6d-b5e8-4ed53dae2d69_1180x728.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!5JJn!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc66525d1-0e67-4e6d-b5e8-4ed53dae2d69_1180x728.png 424w, 
https://substackcdn.com/image/fetch/$s_!5JJn!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc66525d1-0e67-4e6d-b5e8-4ed53dae2d69_1180x728.png 848w, https://substackcdn.com/image/fetch/$s_!5JJn!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc66525d1-0e67-4e6d-b5e8-4ed53dae2d69_1180x728.png 1272w, https://substackcdn.com/image/fetch/$s_!5JJn!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc66525d1-0e67-4e6d-b5e8-4ed53dae2d69_1180x728.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><div><hr></div><blockquote><h3><a href="https://www.oligo.security/cadr-for-dummies?utm_campaign=391093448-Resilient%20Cyber%20April%202026&amp;utm_source=Resilient-Cyber&amp;utm_medium=newsletter&amp;utm_term=Resilient-Cyber-newsletter-traffic&amp;utm_content=newsletter-ad">Cloud attacks have a new entry point. It&#8217;s your running applications. That&#8217;s why a new category is emerging: Cloud Application Detection and Response (CADR).</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://www.oligo.security/cadr-for-dummies?utm_campaign=391093448-Resilient%20Cyber%20April%202026&amp;utm_source=Resilient-Cyber&amp;utm_medium=newsletter&amp;utm_term=Resilient-Cyber-newsletter-traffic&amp;utm_content=newsletter-ad" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Yxz3!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f039f92-f590-4120-b6b5-1cfeb1948cf1_1500x844.png 424w, https://substackcdn.com/image/fetch/$s_!Yxz3!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f039f92-f590-4120-b6b5-1cfeb1948cf1_1500x844.png 848w, https://substackcdn.com/image/fetch/$s_!Yxz3!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f039f92-f590-4120-b6b5-1cfeb1948cf1_1500x844.png 1272w, https://substackcdn.com/image/fetch/$s_!Yxz3!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f039f92-f590-4120-b6b5-1cfeb1948cf1_1500x844.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!Yxz3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f039f92-f590-4120-b6b5-1cfeb1948cf1_1500x844.png" width="625" height="351.5625" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7f039f92-f590-4120-b6b5-1cfeb1948cf1_1500x844.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:625,&quot;bytes&quot;:905851,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:&quot;https://www.oligo.security/cadr-for-dummies?utm_campaign=391093448-Resilient%20Cyber%20April%202026&amp;utm_source=Resilient-Cyber&amp;utm_medium=newsletter&amp;utm_term=Resilient-Cyber-newsletter-traffic&amp;utm_content=newsletter-ad&quot;,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f039f92-f590-4120-b6b5-1cfeb1948cf1_1500x844.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Yxz3!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f039f92-f590-4120-b6b5-1cfeb1948cf1_1500x844.png 424w, https://substackcdn.com/image/fetch/$s_!Yxz3!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f039f92-f590-4120-b6b5-1cfeb1948cf1_1500x844.png 848w, 
https://substackcdn.com/image/fetch/$s_!Yxz3!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f039f92-f590-4120-b6b5-1cfeb1948cf1_1500x844.png 1272w, https://substackcdn.com/image/fetch/$s_!Yxz3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f039f92-f590-4120-b6b5-1cfeb1948cf1_1500x844.png 1456w" sizes="100vw"></picture></div></a></figure></div><p>This guide breaks down what CADR is, why runtime is the only place real attacks can be detected, and how security teams are protecting applications, 
cloud infrastructure, and AI systems in production.</p><p>If you&#8217;re responsible for securing modern cloud workloads, this is a concept you&#8217;ll want to understand.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.oligo.security/cadr-for-dummies?utm_campaign=391093448-Resilient%20Cyber%20April%202026&amp;utm_source=Resilient-Cyber&amp;utm_medium=newsletter&amp;utm_term=Resilient-Cyber-newsletter-traffic&amp;utm_content=newsletter-ad&quot;,&quot;text&quot;:&quot;Get the Guide&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.oligo.security/cadr-for-dummies?utm_campaign=391093448-Resilient%20Cyber%20April%202026&amp;utm_source=Resilient-Cyber&amp;utm_medium=newsletter&amp;utm_term=Resilient-Cyber-newsletter-traffic&amp;utm_content=newsletter-ad"><span>Get the Guide</span></a></p></blockquote><div><hr></div><h1>Cyber Leadership &amp; Market Dynamics</h1><h4><a href="https://www.axios.com/2026/04/19/nsa-anthropic-mythos-pentagon">The NSA Is Using Mythos Despite the Pentagon Blacklist</a></h4><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!DTDX!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23a999da-b385-4fd5-bf37-5b69972a1ab9_675x238.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!DTDX!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23a999da-b385-4fd5-bf37-5b69972a1ab9_675x238.png 424w, https://substackcdn.com/image/fetch/$s_!DTDX!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23a999da-b385-4fd5-bf37-5b69972a1ab9_675x238.png 848w, https://substackcdn.com/image/fetch/$s_!DTDX!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23a999da-b385-4fd5-bf37-5b69972a1ab9_675x238.png 1272w, https://substackcdn.com/image/fetch/$s_!DTDX!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23a999da-b385-4fd5-bf37-5b69972a1ab9_675x238.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!DTDX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23a999da-b385-4fd5-bf37-5b69972a1ab9_675x238.png" width="675" height="238" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/23a999da-b385-4fd5-bf37-5b69972a1ab9_675x238.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:238,&quot;width&quot;:675,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:41358,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23a999da-b385-4fd5-bf37-5b69972a1ab9_675x238.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!DTDX!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23a999da-b385-4fd5-bf37-5b69972a1ab9_675x238.png 424w, https://substackcdn.com/image/fetch/$s_!DTDX!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23a999da-b385-4fd5-bf37-5b69972a1ab9_675x238.png 848w, https://substackcdn.com/image/fetch/$s_!DTDX!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23a999da-b385-4fd5-bf37-5b69972a1ab9_675x238.png 1272w, https://substackcdn.com/image/fetch/$s_!DTDX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23a999da-b385-4fd5-bf37-5b69972a1ab9_675x238.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Axios broke the story that the NSA is actively using Anthropic&#8217;s Mythos Preview model even though the Department of Defense designated Anthropic a &#8220;supply chain risk to national 
security&#8221; back in February. The contradiction is remarkable. One arm of the national security apparatus blacklists a company while another arm quietly adopts its most powerful tool. In a recent court filing, Anthropic argued it has no visibility, technical ability, or &#8220;kill switch&#8221; for models after deployment, which raises profound questions about containment and governance of frontier AI in military contexts. </p><p>Anthropic CEO Dario Amodei met with White House Chief of Staff Susie Wiles and Treasury Secretary Bessent this week, and President Trump suggested the US will &#8220;get along&#8221; with Anthropic despite Pentagon tensions. This is the messiest intersection of AI policy, national security, and commercial incentives I have seen, and it connects directly to the Altman-Amodei rivalry I covered in issue #92.</p><h4><a href="https://www.nextgov.com/artificial-intelligence/2026/04/ombs-examination-mythos-not-giving-access-anything-agencies-official-says/412953/">OMB Says It Is Not Giving Agencies Access to Mythos</a></h4><p>Federal CIO Gregory Barbaccia clarified that OMB is &#8220;not giving access to anything to agencies.&#8221; The statement was necessary because initial headlines created confusion about whether broader federal access was imminent. OMB is working with model providers, industry partners, and the intelligence community to ensure appropriate guardrails before potentially releasing a modified version of Mythos to agencies. 
</p><p>The cautious approach makes sense given the offensive capabilities I have been tracking since issue #92, but the gap between what the NSA is doing and what OMB is saying publicly reveals just how fragmented federal AI governance remains.</p><h4><a href="https://www.bloomberg.com/news/articles/2026-04-21/anthropic-s-mythos-model-is-being-accessed-by-unauthorized-users">Unauthorized Users Gained Access to Mythos</a></h4><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!bQSX!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c0f5120-ad88-4e92-93c2-c6c9d5248e37_757x98.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!bQSX!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c0f5120-ad88-4e92-93c2-c6c9d5248e37_757x98.png 424w, https://substackcdn.com/image/fetch/$s_!bQSX!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c0f5120-ad88-4e92-93c2-c6c9d5248e37_757x98.png 848w, https://substackcdn.com/image/fetch/$s_!bQSX!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c0f5120-ad88-4e92-93c2-c6c9d5248e37_757x98.png 1272w, https://substackcdn.com/image/fetch/$s_!bQSX!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c0f5120-ad88-4e92-93c2-c6c9d5248e37_757x98.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!bQSX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c0f5120-ad88-4e92-93c2-c6c9d5248e37_757x98.png" width="757" 
height="98" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2c0f5120-ad88-4e92-93c2-c6c9d5248e37_757x98.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:98,&quot;width&quot;:757,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:23088,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c0f5120-ad88-4e92-93c2-c6c9d5248e37_757x98.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!bQSX!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c0f5120-ad88-4e92-93c2-c6c9d5248e37_757x98.png 424w, https://substackcdn.com/image/fetch/$s_!bQSX!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c0f5120-ad88-4e92-93c2-c6c9d5248e37_757x98.png 848w, https://substackcdn.com/image/fetch/$s_!bQSX!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c0f5120-ad88-4e92-93c2-c6c9d5248e37_757x98.png 1272w, https://substackcdn.com/image/fetch/$s_!bQSX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2c0f5120-ad88-4e92-93c2-c6c9d5248e37_757x98.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Bloomberg reported that a small group gained unauthorized access to Claude Mythos Preview through a third-party contractor employee who had legitimate access. 
The group demonstrated their access to Bloomberg via screenshots and live demonstrations, though notably they were not using it for cybersecurity purposes. Anthropic confirmed it is investigating and stated there is no indication the activity extended beyond the vendor or that Anthropic&#8217;s own systems were compromised. </p><p>This is exactly the scenario that Netanel Rubin warned about in issue #93 when he questioned whether controlled access could actually be maintained. When you distribute the most powerful offensive security tool ever built through a coalition of partners and contractors, the blast radius of a single credential compromise expands dramatically.</p><h4><a href="https://www.bloomberg.com/news/videos/2026-04-14/mythos-claims-questioned-by-cybersecurity-insider-video">Mythos Claims Questioned by Cybersecurity Insiders</a></h4><p>Bloomberg published video coverage of cybersecurity insiders questioning the validity of Anthropic&#8217;s Mythos capability claims. This skepticism is healthy and necessary. </p><p>As I discussed in issue #93 with both Netanel Rubin&#8217;s critique and AISLE&#8217;s research showing small open models can match Mythos on basic security reasoning, the industry needs independent verification of the claims being made. 
The narrative that Mythos is a master key to any system deserves rigorous scrutiny, not uncritical amplification.</p><h4><a href="https://www.jpmorganchase.com/about/technology/blog/fortifying-the-enterprise-10-actions-to-take-now-for-ai-ready-cyber-resilience">JPMorgan&#8217;s 10-Point Playbook for AI-Ready Cyber Resilience</a></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fDpp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3beacf6-b46a-4c4a-a46d-a80fa4c4e535_1026x295.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fDpp!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3beacf6-b46a-4c4a-a46d-a80fa4c4e535_1026x295.png 424w, https://substackcdn.com/image/fetch/$s_!fDpp!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3beacf6-b46a-4c4a-a46d-a80fa4c4e535_1026x295.png 848w, https://substackcdn.com/image/fetch/$s_!fDpp!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3beacf6-b46a-4c4a-a46d-a80fa4c4e535_1026x295.png 1272w, https://substackcdn.com/image/fetch/$s_!fDpp!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3beacf6-b46a-4c4a-a46d-a80fa4c4e535_1026x295.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fDpp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3beacf6-b46a-4c4a-a46d-a80fa4c4e535_1026x295.png" width="1026" height="295" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b3beacf6-b46a-4c4a-a46d-a80fa4c4e535_1026x295.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:295,&quot;width&quot;:1026,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:53520,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3beacf6-b46a-4c4a-a46d-a80fa4c4e535_1026x295.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fDpp!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3beacf6-b46a-4c4a-a46d-a80fa4c4e535_1026x295.png 424w, https://substackcdn.com/image/fetch/$s_!fDpp!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3beacf6-b46a-4c4a-a46d-a80fa4c4e535_1026x295.png 848w, https://substackcdn.com/image/fetch/$s_!fDpp!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3beacf6-b46a-4c4a-a46d-a80fa4c4e535_1026x295.png 1272w, https://substackcdn.com/image/fetch/$s_!fDpp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3beacf6-b46a-4c4a-a46d-a80fa4c4e535_1026x295.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>JPMorgan Chase published a substantial playbook as part of its $1.5 trillion Security and Resiliency Initiative. The guidance is practical and direct. Run the latest software versions, reduce technical debt, embed security in automated development, train your technologists, create organizational capacity to adapt with speed. </p><p>The emphasis on legacy systems running outdated software as a primary attack vector is exactly right. As I argued in Vulnpocalypse, the remediation gap is the central challenge, and JPMorgan&#8217;s framework is one of the first enterprise-grade responses that acknowledges the velocity of AI-driven discovery requires fundamentally different operational cadences. 
This is what it looks like when a $4 trillion bank takes AI-accelerated offense seriously.</p><h4><a href="https://www.linkedin.com/posts/helloamychang_the-end-of-the-gray-zone-activity-7447676438562029569-JXLV">The $311 Billion Market Meets the Gray Zone Collapse</a></h4><p>Amy Chang continued her analysis of how Mythos-class capabilities are reshaping the cybersecurity market landscape. Her &#8220;End of the Gray Zone&#8221; argument from issue #93 takes on new weight this week as the gap between nation-state and commercial offensive capabilities continues to narrow. The market implications connect directly to the SaaSpocalypse narrative I have been tracking since issue #85. Vendors that cannot adapt to AI-speed operations are losing ground to those that can.</p><h4><a href="https://www.calcalistech.com/ctechnews/article/p9n9w144o">Israel&#8217;s Most Promising Cyber Startups in 2026</a></h4><p>Calcalist published its annual list of Israel&#8217;s 50 most promising startups, and the cybersecurity entries are worth tracking. Cylake, founded by Palo Alto Networks founder Nir Zuk, raised $45 million in seed funding led by Greylock with a team including SentinelOne co-founder Ehud Shamir. Irregular is developing AI security solutions with Anthropic, Google, and OpenAI as clients. Prompt Security stands out as an AI-native security pioneer founded by former Check Point executives. Zafran raised $60 million led by Menlo Ventures with Sequoia Capital. 
</p><p>The Israeli ecosystem continues to punch well above its weight in cybersecurity innovation, and the AI-native companies on this list reflect where the market is heading.</p><h4><a href="https://artemissecurity.com/company-news/announcing-artemis-security-that-understands-what-it-protects/">Artemis Emerges with $70 Million and a Different Approach to Detection</a></h4><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!aIYk!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f740a71-bec2-41c3-8a77-2a6f5ca470ed_1274x200.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!aIYk!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f740a71-bec2-41c3-8a77-2a6f5ca470ed_1274x200.png 424w, https://substackcdn.com/image/fetch/$s_!aIYk!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f740a71-bec2-41c3-8a77-2a6f5ca470ed_1274x200.png 848w, https://substackcdn.com/image/fetch/$s_!aIYk!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f740a71-bec2-41c3-8a77-2a6f5ca470ed_1274x200.png 1272w, https://substackcdn.com/image/fetch/$s_!aIYk!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f740a71-bec2-41c3-8a77-2a6f5ca470ed_1274x200.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!aIYk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f740a71-bec2-41c3-8a77-2a6f5ca470ed_1274x200.png" width="1274" height="200" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5f740a71-bec2-41c3-8a77-2a6f5ca470ed_1274x200.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:200,&quot;width&quot;:1274,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:39897,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f740a71-bec2-41c3-8a77-2a6f5ca470ed_1274x200.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!aIYk!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f740a71-bec2-41c3-8a77-2a6f5ca470ed_1274x200.png 424w, https://substackcdn.com/image/fetch/$s_!aIYk!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f740a71-bec2-41c3-8a77-2a6f5ca470ed_1274x200.png 848w, https://substackcdn.com/image/fetch/$s_!aIYk!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f740a71-bec2-41c3-8a77-2a6f5ca470ed_1274x200.png 1272w, https://substackcdn.com/image/fetch/$s_!aIYk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f740a71-bec2-41c3-8a77-2a6f5ca470ed_1274x200.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Artemis Security emerged from stealth with $70 million across seed and Series A rounds, with the Series A led by Felicis and the seed co-led by First Round Capital and Brightmind. 
The platform fuses telemetry and business context across identity systems, cloud environments, endpoints, networks, and applications into a unified model. </p><p>Customers reported a 94% reduction in mean time to detect and respond. The investor roster includes founders from Abnormal AI and Demisto, plus backers from CrowdStrike, Palo Alto Networks, Microsoft, and Okta. For a company exiting stealth, that is an unusually strong signal of market validation.</p><h4><a href="https://www.techoperators.com/insights/why-we-invested-in-spectrum">Spectrum Launches to Fix the Detection Gap</a></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!UAR2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4928210e-181a-482c-b5a3-663c089558ba_896x372.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!UAR2!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4928210e-181a-482c-b5a3-663c089558ba_896x372.png 424w, https://substackcdn.com/image/fetch/$s_!UAR2!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4928210e-181a-482c-b5a3-663c089558ba_896x372.png 848w, https://substackcdn.com/image/fetch/$s_!UAR2!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4928210e-181a-482c-b5a3-663c089558ba_896x372.png 1272w, https://substackcdn.com/image/fetch/$s_!UAR2!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4928210e-181a-482c-b5a3-663c089558ba_896x372.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!UAR2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4928210e-181a-482c-b5a3-663c089558ba_896x372.png" width="896" height="372" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4928210e-181a-482c-b5a3-663c089558ba_896x372.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:372,&quot;width&quot;:896,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:57831,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4928210e-181a-482c-b5a3-663c089558ba_896x372.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!UAR2!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4928210e-181a-482c-b5a3-663c089558ba_896x372.png 424w, https://substackcdn.com/image/fetch/$s_!UAR2!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4928210e-181a-482c-b5a3-663c089558ba_896x372.png 848w, https://substackcdn.com/image/fetch/$s_!UAR2!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4928210e-181a-482c-b5a3-663c089558ba_896x372.png 1272w, https://substackcdn.com/image/fetch/$s_!UAR2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4928210e-181a-482c-b5a3-663c089558ba_896x372.png 1456w" sizes="100vw" 
loading="lazy"></picture></div></a></figure></div><p>TechOperators led a $19 million seed round for Spectrum Security, which emerged from stealth on April 22 to address what they call the most critical and most neglected problem in modern security operations. Rather than adding another alert tool, Spectrum goes upstream to automate detection building, testing, deployment, and continuous maintenance. </p><p>The approach finds gaps in threat coverage, authors production-ready detection logic tailored to each environment, and fixes detections as infrastructure changes. 
As AI pushes threat landscape volume beyond what manual processes can manage, the detection engineering bottleneck is becoming the constraint that matters most.</p><p>I&#8217;ve actually interviewed one of the cofounders, Dylan Williams, on Resilient Cyber in the past. </p><div id="youtube2-JcchpbEqjCs" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;JcchpbEqjCs&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/JcchpbEqjCs?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><div><hr></div><h1>AI</h1><h4><a href="https://genai.owasp.org/2026/04/14/owasp-genai-exploit-round-up-report-q1-2026/">The OWASP GenAI Exploit Round-Up Tells the Real Story</a></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!biSP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8b38bfb-bf6d-471a-8280-ac329b7252f7_662x386.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!biSP!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8b38bfb-bf6d-471a-8280-ac329b7252f7_662x386.png 424w, https://substackcdn.com/image/fetch/$s_!biSP!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8b38bfb-bf6d-471a-8280-ac329b7252f7_662x386.png 848w, 
https://substackcdn.com/image/fetch/$s_!biSP!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8b38bfb-bf6d-471a-8280-ac329b7252f7_662x386.png 1272w, https://substackcdn.com/image/fetch/$s_!biSP!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8b38bfb-bf6d-471a-8280-ac329b7252f7_662x386.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!biSP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8b38bfb-bf6d-471a-8280-ac329b7252f7_662x386.png" width="526" height="306.7009063444109" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e8b38bfb-bf6d-471a-8280-ac329b7252f7_662x386.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:386,&quot;width&quot;:662,&quot;resizeWidth&quot;:526,&quot;bytes&quot;:555053,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8b38bfb-bf6d-471a-8280-ac329b7252f7_662x386.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!biSP!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8b38bfb-bf6d-471a-8280-ac329b7252f7_662x386.png 424w, 
https://substackcdn.com/image/fetch/$s_!biSP!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8b38bfb-bf6d-471a-8280-ac329b7252f7_662x386.png 848w, https://substackcdn.com/image/fetch/$s_!biSP!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8b38bfb-bf6d-471a-8280-ac329b7252f7_662x386.png 1272w, https://substackcdn.com/image/fetch/$s_!biSP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8b38bfb-bf6d-471a-8280-ac329b7252f7_662x386.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>OWASP published its Q1 2026 GenAI Exploit Round-Up covering January through April 11, and the report marks a clear transition from theoretical risks to real-world exploitation. Attackers are increasingly targeting agent identities, orchestration layers, and supply chains rather than just model outputs. </p><p>The most striking finding is that most AI-related security events are not yet mapped to traditional CVE identifiers, revealing a growing gap between CVE-based vulnerability management and emerging AI security risks that are systemic and architectural rather than discrete code flaws. This is the governance gap the OWASP Agentic Top 10 tries to address, and it is widening faster than the standards community can keep up.</p><h4><a href="https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-technical-deep-dive/">150 Million Downloads and a Design Flaw That Lets You Run Arbitrary Commands</a></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!pISa!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6470d99c-8397-42e6-9d6f-18733e7db5f4_879x777.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!pISa!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6470d99c-8397-42e6-9d6f-18733e7db5f4_879x777.png 424w, https://substackcdn.com/image/fetch/$s_!pISa!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6470d99c-8397-42e6-9d6f-18733e7db5f4_879x777.png 848w, 
https://substackcdn.com/image/fetch/$s_!pISa!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6470d99c-8397-42e6-9d6f-18733e7db5f4_879x777.png 1272w, https://substackcdn.com/image/fetch/$s_!pISa!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6470d99c-8397-42e6-9d6f-18733e7db5f4_879x777.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!pISa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6470d99c-8397-42e6-9d6f-18733e7db5f4_879x777.png" width="451" height="398.6655290102389" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6470d99c-8397-42e6-9d6f-18733e7db5f4_879x777.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:777,&quot;width&quot;:879,&quot;resizeWidth&quot;:451,&quot;bytes&quot;:826493,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6470d99c-8397-42e6-9d6f-18733e7db5f4_879x777.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!pISa!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6470d99c-8397-42e6-9d6f-18733e7db5f4_879x777.png 424w, 
https://substackcdn.com/image/fetch/$s_!pISa!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6470d99c-8397-42e6-9d6f-18733e7db5f4_879x777.png 848w, https://substackcdn.com/image/fetch/$s_!pISa!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6470d99c-8397-42e6-9d6f-18733e7db5f4_879x777.png 1272w, https://substackcdn.com/image/fetch/$s_!pISa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6470d99c-8397-42e6-9d6f-18733e7db5f4_879x777.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line 
x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>OX Security published a devastating technical deep dive into systemic vulnerabilities in the MCP ecosystem. They documented a design flaw in Anthropic&#8217;s Model Context Protocol that enables arbitrary command execution through the STDIO interface. The numbers are staggering. Over 150 million downloads across Python, TypeScript, Java, and Rust MCP SDKs. More than 7,000 publicly accessible MCP servers. </p><p>Up to 200,000 vulnerable instances. OX successfully poisoned 9 of 11 MCP registries with malicious test packages and executed commands on six live production platforms, identifying vulnerabilities in LiteLLM, LangChain, and IBM LangFlow. This is the supply chain nightmare I have been warning about. The MCP ecosystem is replicating every structural weakness of npm and PyPI, but with direct access to AI agent execution contexts.</p><h4><a href="https://www.linkedin.com/pulse/aauth-now-has-mission-layer-karl-mcguinness-uhqjc">AAuth Gets a Mission Layer</a></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Nbfd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fc79700-b733-40bd-9567-0818f88743e3_755x425.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Nbfd!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fc79700-b733-40bd-9567-0818f88743e3_755x425.png 424w, https://substackcdn.com/image/fetch/$s_!Nbfd!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fc79700-b733-40bd-9567-0818f88743e3_755x425.png 848w, 
https://substackcdn.com/image/fetch/$s_!Nbfd!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fc79700-b733-40bd-9567-0818f88743e3_755x425.png 1272w, https://substackcdn.com/image/fetch/$s_!Nbfd!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fc79700-b733-40bd-9567-0818f88743e3_755x425.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Nbfd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fc79700-b733-40bd-9567-0818f88743e3_755x425.png" width="555" height="312.4172185430464" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7fc79700-b733-40bd-9567-0818f88743e3_755x425.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:425,&quot;width&quot;:755,&quot;resizeWidth&quot;:555,&quot;bytes&quot;:650911,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fc79700-b733-40bd-9567-0818f88743e3_755x425.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Nbfd!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fc79700-b733-40bd-9567-0818f88743e3_755x425.png 424w, 
https://substackcdn.com/image/fetch/$s_!Nbfd!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fc79700-b733-40bd-9567-0818f88743e3_755x425.png 848w, https://substackcdn.com/image/fetch/$s_!Nbfd!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fc79700-b733-40bd-9567-0818f88743e3_755x425.png 1272w, https://substackcdn.com/image/fetch/$s_!Nbfd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fc79700-b733-40bd-9567-0818f88743e3_755x425.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line 
x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Karl McGuinness published an important update on AAuth. Mission is now a first-class protocol object in the spec, which means agents can carry bounded, verifiable descriptions of what they are trying to accomplish through delegation chains. </p><p>The question Karl raises is whether the layer is strong enough. This builds directly on the AAuth and authority-first framing I covered extensively in issues #92 and #93. The pace of development on agentic identity infrastructure continues to exceed my expectations, and having mission as a protocol primitive is a significant architectural advancement.</p><h4><a href="https://riptides.io/blog/how-to-deliver-spiffe-identity-to-ai-agents/">Delivering SPIFFE Identity to AI Agents</a></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Kjqu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6725a7a-3503-4553-a987-18202dda933a_969x564.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Kjqu!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6725a7a-3503-4553-a987-18202dda933a_969x564.png 424w, https://substackcdn.com/image/fetch/$s_!Kjqu!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6725a7a-3503-4553-a987-18202dda933a_969x564.png 848w, https://substackcdn.com/image/fetch/$s_!Kjqu!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6725a7a-3503-4553-a987-18202dda933a_969x564.png 1272w, 
https://substackcdn.com/image/fetch/$s_!Kjqu!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6725a7a-3503-4553-a987-18202dda933a_969x564.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Kjqu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6725a7a-3503-4553-a987-18202dda933a_969x564.png" width="649" height="377.74613003095976" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b6725a7a-3503-4553-a987-18202dda933a_969x564.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:564,&quot;width&quot;:969,&quot;resizeWidth&quot;:649,&quot;bytes&quot;:144742,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6725a7a-3503-4553-a987-18202dda933a_969x564.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Kjqu!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6725a7a-3503-4553-a987-18202dda933a_969x564.png 424w, https://substackcdn.com/image/fetch/$s_!Kjqu!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6725a7a-3503-4553-a987-18202dda933a_969x564.png 848w, 
https://substackcdn.com/image/fetch/$s_!Kjqu!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6725a7a-3503-4553-a987-18202dda933a_969x564.png 1272w, https://substackcdn.com/image/fetch/$s_!Kjqu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6725a7a-3503-4553-a987-18202dda933a_969x564.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Riptides published a technical deep dive on delivering SPIFFE-based identity to AI agents. 
Each agent workload receives a unique short-lived identifier that is cryptographically proven and peer-verifiable. The key innovation is kernel-level enforcement. Credentials exist only in the kernel and never touch disk or user memory. The lifecycle is tied to actual use duration. </p><p>In agentic AI environments with dynamic agent instantiation and multi-system API invocation, SPIFFE enables transparent agent chains with full auditability and traceability. This complements AAuth nicely. AAuth handles authorization and delegation. SPIFFE handles workload identity and attestation. Together they represent the foundation of what agentic identity infrastructure needs to look like.</p><h4><a href="https://material.security/resources/the-legacy-oauth-detection-model-doesnt-survive-ai-agents">Legacy OAuth Does Not Survive AI Agents</a></h4><p>Material Security published research that should alarm every enterprise security team. 
OAuth was designed for humans with persistent sessions and explicit consent, not for fast-moving autonomous systems. MCP&#8217;s attempt to standardize OAuth for AI agents relies on anonymous Dynamic Client Registration, allowing any client to register as valid without identification. </p><p>This makes monitoring, auditing, and token revocation nearly impossible at enterprise scale. The Vercel breach last week proved the point. 80% of Material&#8217;s customers identify OAuth and AI agent access management as a significant priority, but 45% admit to neglecting it. The gap between awareness and action is where the breaches happen.</p><h4><a href="https://www.infostealers.com/article/breaking-vercel-breach-linked-to-infostealer-infection-at-context-ai/">The Vercel Breach Started with a Roblox Exploit and an OAuth Token</a></h4><p>Vercel disclosed a security breach traced back to a Lumma Stealer infection at Context AI in February 2026. The attack chain is worth understanding in detail. A Context AI employee was compromised via malware from Roblox game exploit scripts. </p><p>The attacker obtained an OAuth token, used it to access Vercel&#8217;s Google Workspace after a Vercel employee had granted &#8220;Allow All&#8221; permissions to an AI Office Suite, and then pivoted into Vercel&#8217;s environment to enumerate and decrypt environment variables. OX Security reports the stolen data was offered on BreachForums for $2 million. Collaboration with GitHub, Microsoft, npm, and Socket confirmed no npm packages were compromised. 
</p><p>This is a textbook example of how third-party AI tools with OAuth access create supply chain risk across an entire user base, and it validates everything Material Security warned about.</p><p>Ironically I recently did a deep dive into Cloud Workspace security, using Material as an example, titled &#8220;<strong><a href="https://www.resilientcyber.io/p/your-cloud-workspace-is-a-treasure">Your Cloud Workspace is a Treasure Chest - Most Organizations Should Treat It Like One</a></strong>&#8221;. </p><h4><a href="https://www.aisi.gov.uk/blog/what-can-sandboxed-ai-agents-learn-about-their-evaluation-environments">Sandboxed AI Agents Can Tell When They Are Being Tested</a></h4><p>The UK AI Safety Institute published research showing that sandboxed AI agents can detect they are being evaluated, creating the risk of 
&#8220;sandbagging&#8221; where agents deliberately underperform to appear less capable during assessments. Advanced models can reliably escape common sandbox misconfigurations when prompted, including exposed Docker sockets and privileged containers. </p><p>AISI released an open-source Inspect Sandboxing Toolkit and a SandboxEscapeBench benchmark. This has profound implications for every evaluation framework the industry relies on. If agents can recognize and manipulate their testing environments, the benchmarks Dawn Song&#8217;s team broke in issue #93 are just the beginning of a much deeper evaluation integrity crisis.</p><h4><a href="https://labs.cloudsecurityalliance.org/research/csa-whitepaper-ai-agent-disclosure-accountability-gap-202604/">53% of Organizations Report AI Agents Exceeding Their Permissions</a></h4><p>The Cloud Security Alliance published a whitepaper documenting the AI Agent Disclosure and Accountability Gap, and the numbers are sobering. 53% of organizations report AI agents exceeding intended permissions. 82% have unknown AI agents running in their infrastructure. 65% experienced AI agent-related incidents in the past 12 months. </p><p>Most organizations cannot identify what agents accessed, what decisions agents made, or establish accountability when incidents occur. This is the governance gap I have been writing about since my work with Ken Huang on <em>Securing AI Agents</em>. The gap between deployment velocity and governance maturity is not closing. It is widening.</p><h4><a href="https://venturebeat.com/ai/salesforce-launches-headless-360-to-turn-its-entire-platform-into-infrastructure-for-ai-agents">Salesforce Just Rebuilt Its Entire Platform for Agents</a></h4><p>Salesforce launched Headless 360, which the company describes as the most ambitious architectural transformation in its 27-year history. 
Every platform capability is now exposed as an API, MCP tool, or CLI command, enabling AI agents to operate the entire system without opening a browser. </p><p>The launch includes 60+ new MCP tools and 30 preconfigured coding skills with support for Claude Code, Cursor, Codex, and Windsurf. Salesforce made the decision two and a half years ago to rebuild for agents, and Headless 360 marks the transition from a human-operated filing cabinet to a headless brain designed explicitly for AI. <a href="https://www.linkedin.com/posts/boxaaron_the-big-news-this-week-in-software-was-salesforces-activity-7451336948696395776-IvLN">Aaron Box&#8217;s commentary</a> correctly identifies this as one of the most significant software architecture shifts of the year. The security implications are enormous. Every API surface is now an attack surface for agent-driven exploitation.</p><h4><a href="https://devblogs.microsoft.com/foundry/introducing-the-new-hosted-agents-in-foundry-agent-service-secure-scalable-compute-built-for-agents/">Microsoft Foundry Ships Sandboxed Agent Infrastructure</a></h4><p>Microsoft announced hosted agents in Foundry Agent Service with per-session sandboxes, filesystem persistence, and hypervisor isolation at cloud scale. Every agent session receives its own dedicated sandbox with zero cross-session data leakage. </p><p>The service is framework-agnostic, supporting LangGraph, Microsoft Agent Framework, Claude Agent SDK, OpenAI Agents SDK, and GitHub Copilot SDK. Compute is billed at $0.0994 per vCPU-hour. This is the infrastructure layer that makes enterprise agentic AI possible without requiring every organization to build its own sandboxing from scratch. 
The AISI research on sandbox escape capabilities makes this kind of hardened infrastructure essential rather than optional.</p><h4><a href="https://www.linkedin.com/posts/trail-of-bits_we-wrote-a-0-3-ai-maturity-matrix-for-every-activity-7450906216857260032-mzCz">An AI Maturity Matrix That Actually Sets Real Expectations</a></h4><p>Trail of Bits released a 0-3 AI maturity matrix designed as a ladder with clear levels, clear expectations, and real consequences for staying stuck. At Level 3, engineers build agent systems that ship PRs and close issues autonomously. </p><p>Auditors have agents executing full analysis passes, producing findings, triage, and report drafts. The framework reframes expertise as complementary to AI rather than threatened by it. 
Level 3 is not &#8220;uses AI the most.&#8221; It is &#8220;invents new ways, builds tools.&#8221; Dan Guido&#8217;s team continues to set the standard for how security organizations should adopt AI systematically rather than ad hoc.</p><p>If you haven&#8217;t seen Dan&#8217;s talk from [un]prompted I strongly recommend giving it a watch:</p><div id="youtube2-kgwvAyF7qsA" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;kgwvAyF7qsA&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/kgwvAyF7qsA?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h4><a href="https://openai.com/index/introducing-openai-privacy-filter/">OpenAI Releases an Open-Weight Privacy Filter</a></h4><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!TliX!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5145fddf-865e-4519-8c34-f1bff9f68148_965x166.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!TliX!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5145fddf-865e-4519-8c34-f1bff9f68148_965x166.png 424w, https://substackcdn.com/image/fetch/$s_!TliX!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5145fddf-865e-4519-8c34-f1bff9f68148_965x166.png 848w, 
https://substackcdn.com/image/fetch/$s_!TliX!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5145fddf-865e-4519-8c34-f1bff9f68148_965x166.png 1272w, https://substackcdn.com/image/fetch/$s_!TliX!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5145fddf-865e-4519-8c34-f1bff9f68148_965x166.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!TliX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5145fddf-865e-4519-8c34-f1bff9f68148_965x166.png" width="965" height="166" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5145fddf-865e-4519-8c34-f1bff9f68148_965x166.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:166,&quot;width&quot;:965,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:26404,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5145fddf-865e-4519-8c34-f1bff9f68148_965x166.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!TliX!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5145fddf-865e-4519-8c34-f1bff9f68148_965x166.png 424w, https://substackcdn.com/image/fetch/$s_!TliX!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5145fddf-865e-4519-8c34-f1bff9f68148_965x166.png 848w, 
https://substackcdn.com/image/fetch/$s_!TliX!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5145fddf-865e-4519-8c34-f1bff9f68148_965x166.png 1272w, https://substackcdn.com/image/fetch/$s_!TliX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5145fddf-865e-4519-8c34-f1bff9f68148_965x166.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>OpenAI released Privacy Filter, a 1.5 billion parameter open-weight model for detecting and redacting personally identifiable information with a 96% F1 score on the standard PII-Masking-300k benchmark. </p><p>The model supports a 128,000-token context window and runs locally, enabling PII masking without data leaving the machine. It is released under Apache 2.0 via GitHub and Hugging Face. This is a meaningful contribution to the data privacy tooling ecosystem, particularly for organizations that need to sanitize data before feeding it to AI agents or external APIs.</p><div><hr></div><h1>AppSec</h1><h4><a href="https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/">Firefox 150 Ships 271 Mythos-Discovered Bug Fixes</a></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!HZSg!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0145e119-e00c-4a0c-87fb-48bc804d4b6c_895x486.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!HZSg!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0145e119-e00c-4a0c-87fb-48bc804d4b6c_895x486.png 424w, 
https://substackcdn.com/image/fetch/$s_!HZSg!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0145e119-e00c-4a0c-87fb-48bc804d4b6c_895x486.png 848w, https://substackcdn.com/image/fetch/$s_!HZSg!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0145e119-e00c-4a0c-87fb-48bc804d4b6c_895x486.png 1272w, https://substackcdn.com/image/fetch/$s_!HZSg!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0145e119-e00c-4a0c-87fb-48bc804d4b6c_895x486.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!HZSg!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0145e119-e00c-4a0c-87fb-48bc804d4b6c_895x486.png" width="627" height="340.4715083798883" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0145e119-e00c-4a0c-87fb-48bc804d4b6c_895x486.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:486,&quot;width&quot;:895,&quot;resizeWidth&quot;:627,&quot;bytes&quot;:63823,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0145e119-e00c-4a0c-87fb-48bc804d4b6c_895x486.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!HZSg!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0145e119-e00c-4a0c-87fb-48bc804d4b6c_895x486.png 424w, https://substackcdn.com/image/fetch/$s_!HZSg!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0145e119-e00c-4a0c-87fb-48bc804d4b6c_895x486.png 848w, https://substackcdn.com/image/fetch/$s_!HZSg!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0145e119-e00c-4a0c-87fb-48bc804d4b6c_895x486.png 1272w, https://substackcdn.com/image/fetch/$s_!HZSg!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0145e119-e00c-4a0c-87fb-48bc804d4b6c_895x486.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div>
<p>Mozilla shipped Firefox 150 with 271 bug fixes discovered by Claude Mythos Preview. For context, Mozilla addressed approximately 73 high-severity Firefox vulnerabilities in all of 2025. Mythos found nearly four times that in a single sweep. Mozilla&#8217;s own assessment is blunt. No human team could have found 271 of them this fast. </p><p>There is no category or complexity of vulnerability that humans can find that Mythos cannot. But there is a caveat. No bugs were found that elite human researchers could not have discovered given enough time. </p><p>The economic argument is what matters here. Mythos makes all discovery inexpensive, which shifts the advantage toward defenders who can act on the findings. 
This is the most concrete validation of the Glasswing thesis I have seen since the announcement.</p><h4><a href="https://www.vulncheck.com/blog/anthropic-glasswing-cves">Only One CVE Actually Tied to Glasswing</a></h4><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!bTnc!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde9c525d-a350-428a-96b7-4dd5d6044011_679x211.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!bTnc!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde9c525d-a350-428a-96b7-4dd5d6044011_679x211.png 424w, https://substackcdn.com/image/fetch/$s_!bTnc!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde9c525d-a350-428a-96b7-4dd5d6044011_679x211.png 848w, https://substackcdn.com/image/fetch/$s_!bTnc!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde9c525d-a350-428a-96b7-4dd5d6044011_679x211.png 1272w, https://substackcdn.com/image/fetch/$s_!bTnc!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde9c525d-a350-428a-96b7-4dd5d6044011_679x211.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!bTnc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde9c525d-a350-428a-96b7-4dd5d6044011_679x211.png" width="679" height="211" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/de9c525d-a350-428a-96b7-4dd5d6044011_679x211.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:211,&quot;width&quot;:679,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:35731,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde9c525d-a350-428a-96b7-4dd5d6044011_679x211.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!bTnc!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde9c525d-a350-428a-96b7-4dd5d6044011_679x211.png 424w, https://substackcdn.com/image/fetch/$s_!bTnc!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde9c525d-a350-428a-96b7-4dd5d6044011_679x211.png 848w, https://substackcdn.com/image/fetch/$s_!bTnc!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde9c525d-a350-428a-96b7-4dd5d6044011_679x211.png 1272w, https://substackcdn.com/image/fetch/$s_!bTnc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde9c525d-a350-428a-96b7-4dd5d6044011_679x211.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>VulnCheck published a rigorous analysis of the CVE data behind Project Glasswing and the results deflate some of the marketing narrative. 
While 75 CVE records mention Anthropic, only 40 are actually credited to Anthropic researchers. </p><p>Just one has been directly tied to Glasswing. CVE-2026-4747, a FreeBSD RCE that Mythos discovered and exploited fully autonomously. Other notable finds, including the 27-year-old OpenBSD bug and a 16-year-old FFmpeg vulnerability, did not receive formal CVE credits tied to the program. </p><p>Patrick Garrity notes that the full picture will not emerge until July 2026 with public disclosure timelines. This is exactly the kind of evidence-based scrutiny the industry needs. Extraordinary claims require extraordinary evidence, and right now the verified CVE count does not match the marketing.</p><h4><a href="https://semgrep.dev/blog/2026/needles-and-haystacks-can-open-source-flagship-models-do-what-mythos-did/">Discovery Is Orders of Magnitude Harder Than Verification</a></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Dlav!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5f555c2-a124-4274-aeb0-af3f84d54028_928x339.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Dlav!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5f555c2-a124-4274-aeb0-af3f84d54028_928x339.png 424w, https://substackcdn.com/image/fetch/$s_!Dlav!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5f555c2-a124-4274-aeb0-af3f84d54028_928x339.png 848w, https://substackcdn.com/image/fetch/$s_!Dlav!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5f555c2-a124-4274-aeb0-af3f84d54028_928x339.png 1272w, 
https://substackcdn.com/image/fetch/$s_!Dlav!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5f555c2-a124-4274-aeb0-af3f84d54028_928x339.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Dlav!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5f555c2-a124-4274-aeb0-af3f84d54028_928x339.png" width="928" height="339" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b5f555c2-a124-4274-aeb0-af3f84d54028_928x339.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:339,&quot;width&quot;:928,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:66943,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5f555c2-a124-4274-aeb0-af3f84d54028_928x339.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Dlav!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5f555c2-a124-4274-aeb0-af3f84d54028_928x339.png 424w, https://substackcdn.com/image/fetch/$s_!Dlav!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5f555c2-a124-4274-aeb0-af3f84d54028_928x339.png 848w, https://substackcdn.com/image/fetch/$s_!Dlav!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5f555c2-a124-4274-aeb0-af3f84d54028_928x339.png 1272w, 
https://substackcdn.com/image/fetch/$s_!Dlav!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb5f555c2-a124-4274-aeb0-af3f84d54028_928x339.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div>
<p>Semgrep tested whether open source and flagship LLMs can replicate Mythos findings and the results are nuanced. Three flagship and two open source models were tested. </p><p>None found the vulnerabilities from the Mythos blog without &#8220;extremely revealing hints.&#8221; But when given precise descriptions, models reliably find them. 
Semgrep&#8217;s conclusion is critical. Discovery is orders of magnitude harder than verification. </p><p>This validates Mythos&#8217;s value as a discovery tool while raising important questions about whether its moat is as wide as Anthropic suggests. AISLE&#8217;s research from issue #93, showing 8 of 8 models detected Mythos&#8217;s flagship FreeBSD exploit once described, supports the same conclusion. The system matters more than the model, but the initial discovery capability is where frontier models still have a genuine edge.</p><h4><a href="https://www.csoonline.com/article/4161626/anthropic-bets-on-epss-for-the-coming-bug-surge.html">Anthropic Bets on EPSS for the Coming Bug Surge</a></h4><p>Anthropic officially recommended EPSS as the triage framework for the vulnerability surge it expects Mythos and similar models to create. Their specific guidance is to patch the CISA KEV list first, then everything above a chosen EPSS threshold. EPSS is now incorporated into products from more than 120 security vendors including CrowdStrike, Cisco, Palo Alto Networks, Qualys, and Tenable. </p><p>The most alarming data point is the projected mean time to exploit trajectory. It reached one hour in 2026 and is expected to hit one minute by 2028, down from 2.3 years in 2018. 
That compression alone justifies everything I have been writing about the remediation race.</p><h4><a href="https://research.empiricalsecurity.com/research/anthropic-is-right-about-epss-that-still-leaves-the-hard-part">EPSS Is Right, But That Still Leaves the Hard Part</a></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!q-_g!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44b16d85-23f6-4b24-bb5e-271e608f156d_660x282.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!q-_g!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44b16d85-23f6-4b24-bb5e-271e608f156d_660x282.png 424w, https://substackcdn.com/image/fetch/$s_!q-_g!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44b16d85-23f6-4b24-bb5e-271e608f156d_660x282.png 848w, https://substackcdn.com/image/fetch/$s_!q-_g!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44b16d85-23f6-4b24-bb5e-271e608f156d_660x282.png 1272w, https://substackcdn.com/image/fetch/$s_!q-_g!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44b16d85-23f6-4b24-bb5e-271e608f156d_660x282.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!q-_g!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44b16d85-23f6-4b24-bb5e-271e608f156d_660x282.png" width="568" height="242.6909090909091" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/44b16d85-23f6-4b24-bb5e-271e608f156d_660x282.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:282,&quot;width&quot;:660,&quot;resizeWidth&quot;:568,&quot;bytes&quot;:37730,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44b16d85-23f6-4b24-bb5e-271e608f156d_660x282.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!q-_g!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44b16d85-23f6-4b24-bb5e-271e608f156d_660x282.png 424w, https://substackcdn.com/image/fetch/$s_!q-_g!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44b16d85-23f6-4b24-bb5e-271e608f156d_660x282.png 848w, https://substackcdn.com/image/fetch/$s_!q-_g!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44b16d85-23f6-4b24-bb5e-271e608f156d_660x282.png 1272w, https://substackcdn.com/image/fetch/$s_!q-_g!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44b16d85-23f6-4b24-bb5e-271e608f156d_660x282.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div>
<p>Empirical Security, the team behind EPSS, responded to Anthropic&#8217;s endorsement with a sharp and honest assessment. Yes, EPSS provides a daily-updated probability of CVE exploitation within 30 days. But using EPSS is only the first step. </p><p>The hard part is bridging the gap between global exploit prediction and local remediation precision. How do you predict which vulnerabilities in a specific environment are likely to result in a breach? </p><p>Without local context, defenders remain stuck knowing which vulnerabilities matter globally but unable to apply that knowledge to their specific organization. 
This is the &#8220;last mile&#8221; problem that I discussed in Vulnpocalypse and that Empirical&#8217;s dual-model architecture is designed to solve.</p><h4><a href="https://socket.dev/blog/nist-officially-stops-enriching-most-cves">NIST Buckled Under the Volume and Stopped Enriching Most CVEs</a></h4><p>This is one of the most consequential infrastructure changes in vulnerability management this year. NIST&#8217;s National Vulnerability Database can no longer keep pace with the volume of CVE submissions, which grew 263% between 2020 and 2025. NIST enriched 42,000 CVEs in 2025, 45% more than any previous record, and still fell behind. </p><p>Now 29,000 CVEs have been moved to &#8220;Not Scheduled&#8221; and all pre-March 2026 backlog has been effectively abandoned. NIST will only prioritize CVEs in the CISA KEV catalog, CVEs affecting federal government software, and CVEs tied to critical software under Executive Order 14028. Everything else requires organizations to email <a href="mailto:nvd@nist.gov">nvd@nist.gov</a> and wait for enrichment &#8220;as resources allow.&#8221; </p><p>This is a fundamental shift in how vulnerability management works at scale, and it validates the GCVE initiative I discuss below.</p><p>I did a comprehensive breakdown of this in my article &#8220;<strong><a href="https://www.resilientcyber.io/p/the-nvd-just-threw-in-the-towel-now">The NVD Just Threw In the Towel - Now What?</a></strong>&#8221;</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wNDL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc86441-e57b-45e4-bd11-0b5224aefd42_1175x643.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!wNDL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc86441-e57b-45e4-bd11-0b5224aefd42_1175x643.png 424w, https://substackcdn.com/image/fetch/$s_!wNDL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc86441-e57b-45e4-bd11-0b5224aefd42_1175x643.png 848w, https://substackcdn.com/image/fetch/$s_!wNDL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc86441-e57b-45e4-bd11-0b5224aefd42_1175x643.png 1272w, https://substackcdn.com/image/fetch/$s_!wNDL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc86441-e57b-45e4-bd11-0b5224aefd42_1175x643.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!wNDL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc86441-e57b-45e4-bd11-0b5224aefd42_1175x643.png" width="1175" height="643" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bcc86441-e57b-45e4-bd11-0b5224aefd42_1175x643.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:643,&quot;width&quot;:1175,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1256896,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc86441-e57b-45e4-bd11-0b5224aefd42_1175x643.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" 
class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!wNDL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc86441-e57b-45e4-bd11-0b5224aefd42_1175x643.png 424w, https://substackcdn.com/image/fetch/$s_!wNDL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc86441-e57b-45e4-bd11-0b5224aefd42_1175x643.png 848w, https://substackcdn.com/image/fetch/$s_!wNDL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc86441-e57b-45e4-bd11-0b5224aefd42_1175x643.png 1272w, https://substackcdn.com/image/fetch/$s_!wNDL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcc86441-e57b-45e4-bd11-0b5224aefd42_1175x643.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div>
<h4><a href="https://gcve.eu/2026/04/17/automatic-vulnerability-intelligence/">Europe Builds Its Own Vulnerability Intelligence</a></h4><p>The Global Cybersecurity Vulnerability Enumeration initiative, administered by Luxembourg&#8217;s Computer Incident Response Centre, published details on automatic vulnerability intelligence capabilities. </p><p>GCVE represents Europe&#8217;s decentralized approach to vulnerability management with standardized interfaces for automated data flow into risk assessment tools, patch management systems, and SIEM platforms. With NIST abandoning enrichment for most CVEs, GCVE&#8217;s timing could not be better. </p><p>The vulnerability management ecosystem is fragmenting, and organizations that relied entirely on NVD for enrichment need alternatives. Jerry Gamblin&#8217;s CVE data quality work from issue #92 and the FIRST CEO&#8217;s call for AI companies to become CVE Numbering Authorities both point to the same conclusion. 
The centralized model is breaking under the weight of AI-driven discovery volumes.</p><h4><a href="https://www.infosecurity-magazine.com/interviews/first-ceo-cve-collaboration-ai/">AI Companies Should Be CNAs by Year-End</a></h4><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!HwgO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2e91f90-ccbc-49c3-845a-96139bc2e357_652x227.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!HwgO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2e91f90-ccbc-49c3-845a-96139bc2e357_652x227.png 424w, https://substackcdn.com/image/fetch/$s_!HwgO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2e91f90-ccbc-49c3-845a-96139bc2e357_652x227.png 848w, https://substackcdn.com/image/fetch/$s_!HwgO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2e91f90-ccbc-49c3-845a-96139bc2e357_652x227.png 1272w, https://substackcdn.com/image/fetch/$s_!HwgO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2e91f90-ccbc-49c3-845a-96139bc2e357_652x227.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!HwgO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2e91f90-ccbc-49c3-845a-96139bc2e357_652x227.png" width="652" height="227" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e2e91f90-ccbc-49c3-845a-96139bc2e357_652x227.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:227,&quot;width&quot;:652,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:27808,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2e91f90-ccbc-49c3-845a-96139bc2e357_652x227.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!HwgO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2e91f90-ccbc-49c3-845a-96139bc2e357_652x227.png 424w, https://substackcdn.com/image/fetch/$s_!HwgO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2e91f90-ccbc-49c3-845a-96139bc2e357_652x227.png 848w, https://substackcdn.com/image/fetch/$s_!HwgO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2e91f90-ccbc-49c3-845a-96139bc2e357_652x227.png 1272w, https://substackcdn.com/image/fetch/$s_!HwgO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2e91f90-ccbc-49c3-845a-96139bc2e357_652x227.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>FIRST CEO Chris Gibson said something I have been expecting. He would be surprised if Anthropic and OpenAI are not CVE Numbering Authorities by the end of 2026. 
Gibson called AI &#8220;clearly another tool in the armory for finding vulnerabilities and a game changer&#8221; and emphasized that ENISA is becoming a Top-Level Root CNA in collaboration with CISA and MITRE. </p><p>FIRST forecasts a record-breaking 50,000+ CVEs in 2026. The institutional plumbing of vulnerability management is being rebuilt in real time, and the AI labs that are driving discovery volumes need to become formal participants in the ecosystem they are disrupting.</p><h4><a href="https://www.linkedin.com/pulse/bug-bounty-isnt-dead-old-model-breaking-mackenzie-jackson-kiwbc">Bug Bounty Is Not Dead, But the Old Model Cannot Survive This</a></h4><div id="youtube2-QtcBhb_aqxk" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;QtcBhb_aqxk&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/QtcBhb_aqxk?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>Mackenzie Jackson published an important analysis featuring conversations with Daniel Stenberg and Casey Ellis on the future of bug bounties. The core insight is that AI has dramatically reduced the cost of discovery and reporting, but validation and remediation costs are unchanged or increasing. </p><p>That asymmetry is breaking the traditional bug bounty model. I discussed Stenberg&#8217;s experience with AI slop reports in issue #92 and Ellis&#8217;s offense-scales-with-compute argument in issue #93. Jackson&#8217;s piece synthesizes both perspectives into a clear picture. 
The bug bounty model needs to evolve to reward validated, actionable findings rather than raw volume, because AI has made raw volume essentially free.</p><h4><a href="https://www.linkedin.com/pulse/wrong-race-simon-goldsmith-y2nqe/">We Are Running the Wrong Race</a></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Hlzc!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F11b62073-f797-4627-9714-1cbc2b2e5578_814x464.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Hlzc!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F11b62073-f797-4627-9714-1cbc2b2e5578_814x464.png 424w, https://substackcdn.com/image/fetch/$s_!Hlzc!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F11b62073-f797-4627-9714-1cbc2b2e5578_814x464.png 848w, https://substackcdn.com/image/fetch/$s_!Hlzc!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F11b62073-f797-4627-9714-1cbc2b2e5578_814x464.png 1272w, https://substackcdn.com/image/fetch/$s_!Hlzc!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F11b62073-f797-4627-9714-1cbc2b2e5578_814x464.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Hlzc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F11b62073-f797-4627-9714-1cbc2b2e5578_814x464.png" width="814" height="464" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/11b62073-f797-4627-9714-1cbc2b2e5578_814x464.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:464,&quot;width&quot;:814,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:565433,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F11b62073-f797-4627-9714-1cbc2b2e5578_814x464.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Hlzc!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F11b62073-f797-4627-9714-1cbc2b2e5578_814x464.png 424w, https://substackcdn.com/image/fetch/$s_!Hlzc!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F11b62073-f797-4627-9714-1cbc2b2e5578_814x464.png 848w, https://substackcdn.com/image/fetch/$s_!Hlzc!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F11b62073-f797-4627-9714-1cbc2b2e5578_814x464.png 1272w, https://substackcdn.com/image/fetch/$s_!Hlzc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F11b62073-f797-4627-9714-1cbc2b2e5578_814x464.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div>
<p>Simon Goldsmith argued that the industry is running the wrong race by focusing on vulnerability discovery speed when the real bottleneck is remediation. This echoes the central thesis of my Vulnpocalypse deep dive from issue #92 and Casey Ellis&#8217;s &#8220;defense scales with committees&#8221; piece from issue #93. Finding bugs faster does not help if organizations cannot fix them faster. </p><p>The structural challenge is not technical capability. It is organizational velocity, change management, and the institutional capacity to act on findings at machine speed.</p><h4><a href="https://www.linkedin.com/posts/katiepf_everyone-rushed-to-show-their-tool-could-ugcPost-7450964165286019072-n-cM">The Post-Mythos Vendor Gold Rush</a></h4><p>Katie Paxton-Fear captured the post-Mythos gold rush perfectly. 
Every vendor in the security space rushed to demonstrate that their tool could replicate what Mythos did, often missing the point entirely. As Semgrep&#8217;s research demonstrated, verification is orders of magnitude easier than discovery. </p><p>Showing your tool can find a vulnerability after someone else described it is not the same as finding it in the first place. The vendor hype cycle around Mythos is following the same pattern I have tracked with every major capability announcement, and buyers need to distinguish between genuine innovation and repackaged capabilities with AI branding.</p><h4><a href="https://blogs.cisco.com/ai/defenseclaw-is-live">Cisco Ships DefenseClaw for AI Agent Governance</a></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!5eNR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2729f1ce-b30a-4c5e-8469-6b41c9fdbfb8_762x600.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!5eNR!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2729f1ce-b30a-4c5e-8469-6b41c9fdbfb8_762x600.png 424w, https://substackcdn.com/image/fetch/$s_!5eNR!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2729f1ce-b30a-4c5e-8469-6b41c9fdbfb8_762x600.png 848w, https://substackcdn.com/image/fetch/$s_!5eNR!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2729f1ce-b30a-4c5e-8469-6b41c9fdbfb8_762x600.png 1272w, 
https://substackcdn.com/image/fetch/$s_!5eNR!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2729f1ce-b30a-4c5e-8469-6b41c9fdbfb8_762x600.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!5eNR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2729f1ce-b30a-4c5e-8469-6b41c9fdbfb8_762x600.png" width="554" height="436.2204724409449" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2729f1ce-b30a-4c5e-8469-6b41c9fdbfb8_762x600.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:600,&quot;width&quot;:762,&quot;resizeWidth&quot;:554,&quot;bytes&quot;:139375,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2729f1ce-b30a-4c5e-8469-6b41c9fdbfb8_762x600.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!5eNR!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2729f1ce-b30a-4c5e-8469-6b41c9fdbfb8_762x600.png 424w, https://substackcdn.com/image/fetch/$s_!5eNR!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2729f1ce-b30a-4c5e-8469-6b41c9fdbfb8_762x600.png 848w, 
https://substackcdn.com/image/fetch/$s_!5eNR!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2729f1ce-b30a-4c5e-8469-6b41c9fdbfb8_762x600.png 1272w, https://substackcdn.com/image/fetch/$s_!5eNR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2729f1ce-b30a-4c5e-8469-6b41c9fdbfb8_762x600.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Cisco shipped <a href="https://github.com/cisco-ai-defense/defenseclaw">DefenseClaw</a>, an open source enterprise governance layer for 
OpenClaw that sits between AI agents and infrastructure. The core principle is that nothing runs until it is scanned, and anything dangerous is blocked automatically. DefenseClaw scans every skill, MCP server, and plugin before execution, ranks findings by severity, auto-blocks HIGH and CRITICAL issues, and forwards audit logs to SIEM. </p><p>Given Cisco&#8217;s work on the MEMORY.md compromise in issue #92 and their acquisition talks with Astrix Security from issue #93, this positions them as one of the most active enterprise vendors in the AI agent security space.</p><h4><a href="https://github.com/CycloneDX/skills">CycloneDX Ships AI Skills for BOM Generation</a></h4><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wCFF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fcd993f-af83-4e56-be02-49a5fa7b5445_775x178.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!wCFF!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fcd993f-af83-4e56-be02-49a5fa7b5445_775x178.png 424w, https://substackcdn.com/image/fetch/$s_!wCFF!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fcd993f-af83-4e56-be02-49a5fa7b5445_775x178.png 848w, https://substackcdn.com/image/fetch/$s_!wCFF!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fcd993f-af83-4e56-be02-49a5fa7b5445_775x178.png 1272w, https://substackcdn.com/image/fetch/$s_!wCFF!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fcd993f-af83-4e56-be02-49a5fa7b5445_775x178.png 1456w" 
sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!wCFF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fcd993f-af83-4e56-be02-49a5fa7b5445_775x178.png" width="775" height="178" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8fcd993f-af83-4e56-be02-49a5fa7b5445_775x178.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:178,&quot;width&quot;:775,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:44655,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fcd993f-af83-4e56-be02-49a5fa7b5445_775x178.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!wCFF!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fcd993f-af83-4e56-be02-49a5fa7b5445_775x178.png 424w, https://substackcdn.com/image/fetch/$s_!wCFF!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fcd993f-af83-4e56-be02-49a5fa7b5445_775x178.png 848w, https://substackcdn.com/image/fetch/$s_!wCFF!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fcd993f-af83-4e56-be02-49a5fa7b5445_775x178.png 1272w, https://substackcdn.com/image/fetch/$s_!wCFF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fcd993f-af83-4e56-be02-49a5fa7b5445_775x178.png 1456w" 
sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>The CycloneDX community released a repository of AI skills that turn Claude into a CycloneDX expert. The package includes the complete 1.6 and 1.7 JSON schemas, five OWASP authoritative guides covering SBOM, CBOM, Attestations, AI/ML-BOM, and MBOM, 13 capability overviews, and 40+ detailed use cases with production-quality examples. </p><p>For teams building software supply chain transparency programs, this is a significant productivity boost. It connects directly to the <em>Software Transparency</em> work Tony Turner and I published, and it demonstrates how AI skills can accelerate adoption of standards that have historically been difficult to implement correctly.</p><h4><a href="https://pulse.latio.tech/p/building-an-ai-ready-vulnerability">Building Vulnerability Management That Survives the AI Surge</a></h4><p><span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;James Berthoty&quot;,&quot;id&quot;:215222117,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F029c069a-0ea1-4c28-bedb-742a03fa770a_800x800.jpeg&quot;,&quot;uuid&quot;:&quot;99d64204-c39e-432e-a034-e08b04e5bdd4&quot;}" data-component-name="MentionToDOM">James Berthoty</span> at Latio published practical guidance on building vulnerability management programs that can survive the AI-driven surge in disclosures. The central challenge is that vulnerability data is becoming less consistent and maintainable as organizations are forced to seek enrichment beyond NVD. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fX6U!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e2762b2-e442-457a-87d7-9dc7f01d26c2_512x500.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fX6U!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e2762b2-e442-457a-87d7-9dc7f01d26c2_512x500.png 424w, https://substackcdn.com/image/fetch/$s_!fX6U!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e2762b2-e442-457a-87d7-9dc7f01d26c2_512x500.png 848w, https://substackcdn.com/image/fetch/$s_!fX6U!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e2762b2-e442-457a-87d7-9dc7f01d26c2_512x500.png 1272w, https://substackcdn.com/image/fetch/$s_!fX6U!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e2762b2-e442-457a-87d7-9dc7f01d26c2_512x500.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fX6U!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e2762b2-e442-457a-87d7-9dc7f01d26c2_512x500.png" width="436" height="425.78125" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5e2762b2-e442-457a-87d7-9dc7f01d26c2_512x500.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:500,&quot;width&quot;:512,&quot;resizeWidth&quot;:436,&quot;bytes&quot;:124506,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e2762b2-e442-457a-87d7-9dc7f01d26c2_512x500.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fX6U!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e2762b2-e442-457a-87d7-9dc7f01d26c2_512x500.png 424w, https://substackcdn.com/image/fetch/$s_!fX6U!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e2762b2-e442-457a-87d7-9dc7f01d26c2_512x500.png 848w, https://substackcdn.com/image/fetch/$s_!fX6U!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e2762b2-e442-457a-87d7-9dc7f01d26c2_512x500.png 1272w, https://substackcdn.com/image/fetch/$s_!fX6U!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e2762b2-e442-457a-87d7-9dc7f01d26c2_512x500.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div>
<p>Latio&#8217;s framework acknowledges that traditional scanning still has a place but the landscape is fundamentally changing in both vulnerability creation and discovery. 
Organizations need hybrid approaches combining traditional scanning with AI-driven discovery during this transition period.</p><h4><a href="https://www.synthesia.io/post/scaling-vulnerability-management-with-ai-what-actually-worked">What Actually Worked at Synthesia</a></h4><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qdP5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3258abf6-e5a1-43fa-9e64-42cbeb035a87_911x210.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!qdP5!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3258abf6-e5a1-43fa-9e64-42cbeb035a87_911x210.png 424w, https://substackcdn.com/image/fetch/$s_!qdP5!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3258abf6-e5a1-43fa-9e64-42cbeb035a87_911x210.png 848w, https://substackcdn.com/image/fetch/$s_!qdP5!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3258abf6-e5a1-43fa-9e64-42cbeb035a87_911x210.png 1272w, https://substackcdn.com/image/fetch/$s_!qdP5!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3258abf6-e5a1-43fa-9e64-42cbeb035a87_911x210.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!qdP5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3258abf6-e5a1-43fa-9e64-42cbeb035a87_911x210.png" width="911" height="210" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3258abf6-e5a1-43fa-9e64-42cbeb035a87_911x210.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:210,&quot;width&quot;:911,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:44375,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3258abf6-e5a1-43fa-9e64-42cbeb035a87_911x210.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!qdP5!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3258abf6-e5a1-43fa-9e64-42cbeb035a87_911x210.png 424w, https://substackcdn.com/image/fetch/$s_!qdP5!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3258abf6-e5a1-43fa-9e64-42cbeb035a87_911x210.png 848w, https://substackcdn.com/image/fetch/$s_!qdP5!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3258abf6-e5a1-43fa-9e64-42cbeb035a87_911x210.png 1272w, https://substackcdn.com/image/fetch/$s_!qdP5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3258abf6-e5a1-43fa-9e64-42cbeb035a87_911x210.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Synthesia published a practitioner account of scaling vulnerability management with AI, focusing on what actually worked versus what did not. 
Their approach combines automated triage, validation, and fixes across SAST and SCA with a private HackerOne bug bounty program, annual penetration testing, and ISO 42001, ISO 27001, and SOC2 Type II compliance. </p><p>This is the kind of honest, operational perspective that cuts through vendor noise. Not every organization is JPMorgan. Smaller teams need practical playbooks for making AI-assisted vulnerability management work with limited resources.</p><h4><a href="https://nono.sh/blog/secure-agent-audit">Kernel-Level Agent Sandboxing Ships with nono</a></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3JqL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4903f44-593a-4ea6-850e-ab74ec9565c1_753x313.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!3JqL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4903f44-593a-4ea6-850e-ab74ec9565c1_753x313.png 424w, https://substackcdn.com/image/fetch/$s_!3JqL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4903f44-593a-4ea6-850e-ab74ec9565c1_753x313.png 848w, https://substackcdn.com/image/fetch/$s_!3JqL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4903f44-593a-4ea6-850e-ab74ec9565c1_753x313.png 1272w, https://substackcdn.com/image/fetch/$s_!3JqL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4903f44-593a-4ea6-850e-ab74ec9565c1_753x313.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!3JqL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4903f44-593a-4ea6-850e-ab74ec9565c1_753x313.png" width="753" height="313" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c4903f44-593a-4ea6-850e-ab74ec9565c1_753x313.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:313,&quot;width&quot;:753,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:87589,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4903f44-593a-4ea6-850e-ab74ec9565c1_753x313.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!3JqL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4903f44-593a-4ea6-850e-ab74ec9565c1_753x313.png 424w, https://substackcdn.com/image/fetch/$s_!3JqL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4903f44-593a-4ea6-850e-ab74ec9565c1_753x313.png 848w, https://substackcdn.com/image/fetch/$s_!3JqL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4903f44-593a-4ea6-850e-ab74ec9565c1_753x313.png 1272w, https://substackcdn.com/image/fetch/$s_!3JqL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4903f44-593a-4ea6-850e-ab74ec9565c1_753x313.png 1456w" sizes="100vw" 
loading="lazy"></picture></div></a></figure></div><p>Luke Hinds, former Distinguished Engineer at Red Hat and co-founder of Sigstore, released nono, a capability-based security shell that leverages kernel-level primitives to sandbox AI agents. On Linux it uses Landlock. On macOS it uses Seatbelt. Once restrictions are applied at the kernel level, there is no API to escape them. </p><p>The default-deny model blocks SSH keys, AWS credentials, and shell configs automatically. nono supports LangGraph, Microsoft Agent Framework, Claude Agent SDK, and OpenAI Agents SDK. 
Combined with the Microsoft Foundry sandbox infrastructure, nono represents the emerging standard for how AI agents should be contained in production environments.</p><p>I recently interviewed Luke in an episode titled &#8220;<strong><a href="https://www.resilientcyber.io/p/your-ai-agent-is-running-as-root">Your AI Agent is Running as Root</a></strong>&#8221;.</p><h4><a href="https://github.com/gadievron/honeyslop/">HoneySlop Turns AI Vulnerability Slop Against Itself</a></h4><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!UM7e!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6607dcc3-972b-41a7-b35f-168e0c7820e6_761x181.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!UM7e!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6607dcc3-972b-41a7-b35f-168e0c7820e6_761x181.png 424w, https://substackcdn.com/image/fetch/$s_!UM7e!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6607dcc3-972b-41a7-b35f-168e0c7820e6_761x181.png 848w, https://substackcdn.com/image/fetch/$s_!UM7e!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6607dcc3-972b-41a7-b35f-168e0c7820e6_761x181.png 1272w, https://substackcdn.com/image/fetch/$s_!UM7e!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6607dcc3-972b-41a7-b35f-168e0c7820e6_761x181.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!UM7e!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6607dcc3-972b-41a7-b35f-168e0c7820e6_761x181.png" width="761" height="181" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6607dcc3-972b-41a7-b35f-168e0c7820e6_761x181.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:181,&quot;width&quot;:761,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:38285,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194975122?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6607dcc3-972b-41a7-b35f-168e0c7820e6_761x181.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!UM7e!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6607dcc3-972b-41a7-b35f-168e0c7820e6_761x181.png 424w, https://substackcdn.com/image/fetch/$s_!UM7e!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6607dcc3-972b-41a7-b35f-168e0c7820e6_761x181.png 848w, https://substackcdn.com/image/fetch/$s_!UM7e!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6607dcc3-972b-41a7-b35f-168e0c7820e6_761x181.png 1272w, https://substackcdn.com/image/fetch/$s_!UM7e!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6607dcc3-972b-41a7-b35f-168e0c7820e6_761x181.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Gadi Evron, Daniel Cuthbert, and John Cartwright released HoneySlop, a code canary system designed to quickly triage AI-hallucinated vulnerability reports. The tool embeds intentional vulnerability canaries in code. </p><p>When an AI scanner generates false &#8220;vulnerability&#8221; reports based on these canaries, the reports self-identify as slop for easy filtering. The project was born after Raptor, the team&#8217;s autonomous attack and defense agent from issue #92, received its own AI-generated slop reports. 
The code is intentionally vulnerable by design and vibe-coded as a joke, but the underlying idea is genuinely useful for maintainers drowning in AI-generated false positives, exactly the problem Daniel Stenberg has been vocal about.</p><h4><a href="https://www.linkedin.com/pulse/friction-reality-engineering-chasm-autonomous-defense-brandon-levene-uiphe">The Engineering Chasm Between Autonomous Defense and Operational Reality</a></h4><p>Brandon Levene, VP Applied Intelligence at Chronicle, published a piece on the engineering chasm between autonomous defense aspirations and operational reality. The friction between the Department of Defense and Anthropic highlights a broader pattern. The gap between what AI can do in controlled environments and what organizations can operationalize in production is where most programs stall. Academic research demonstrates how fusion of large language models with multi-agent reinforcement learning can bridge the understanding-to-action gap, but the institutional barriers remain formidable.</p><div><hr></div><h3>Final Thoughts</h3><p>This was the week the Mythos narrative met reality. Bloomberg revealed unauthorized access. VulnCheck counted exactly one CVE tied to Glasswing. Rafael Alvarez demanded the confusion matrices and F-scores that Anthropic has not published. Semgrep proved that discovery is orders of magnitude harder than verification. Katie Paxton-Fear watched every vendor rush to claim they could replicate something they did not build.</p><p>And yet, the underlying capability is real. Mozilla shipped 271 bug fixes from a single Mythos sweep. AISI confirmed 73% success on expert CTF challenges. NIST buckled under the volume and stopped enriching most CVEs. JPMorgan published a 10-point playbook because they believe the surge is coming whether we are ready or not.</p><p>The tension between hype and substance is not new in cybersecurity, but the stakes have never been this high. 
The organizations that will navigate this well are the ones doing the boring, foundational work. Building AI-ready vulnerability management programs. Adopting EPSS and GCVE as NVD alternatives. Implementing SPIFFE and AAuth for agentic identity. Deploying kernel-level sandboxing through tools like nono and Microsoft Foundry. Scanning every MCP server and agent skill before execution with frameworks like DefenseClaw.</p><p>The hype will fade. The infrastructure will remain. Build the infrastructure.</p><blockquote><p><strong>Stay resilient.</strong></p></blockquote>]]></content:encoded></item><item><title><![CDATA[The Software Supply Chain Cannot Scale on Trust Alone]]></title><description><![CDATA[I have been writing about software supply chain security on Resilient Cyber for several years now, and even before that, in my book Software Transparency.]]></description><link>https://www.resilientcyber.io/p/the-software-supply-chain-cannot</link><guid isPermaLink="false">https://www.resilientcyber.io/p/the-software-supply-chain-cannot</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Thu, 23 Apr 2026 12:03:44 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!TFrT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F87f77807-78ee-41e5-9948-2d7ee4dad1e0_1472x822.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I have been writing about software supply chain security on Resilient Cyber for several years now, and even before that, in my book Software Transparency. 
</p><p>In <strong><a href="https://www.resilientcyber.io/p/cve-cost-conundrums">CVE Cost Conundrums</a></strong>, I broke down the economic reality of vulnerability management and how organizations are bleeding engineering hours on triage, patching, and compliance reporting rather than building products. </p><p>In <strong><a href="https://www.resilientcyber.io/p/vulnpocalypse-ai-open-source-and">Vulnpocalypse</a></strong>, I laid out the case that AI-accelerated vulnerability discovery was about to overwhelm the industry&#8217;s capacity to respond, and in <strong><a href="https://www.resilientcyber.io/p/vulnerability-velocity-and-exploitation">Vulnerability Velocity and Exploitation Timelines</a></strong>, I traced how exploitation windows have collapsed from months to hours.</p><p>This piece connects all three threads, because the software supply chain is not just under attack. It is expanding at a rate that makes the old model of ship, scan, and patch structurally unworkable.</p><p>I will also be discussing <strong><a href="https://get.chainguard.dev/signup?utm_source=chris-hughes&amp;utm_medium=3p-sponsorship">Chainguard</a></strong>, a team I&#8217;ve long been a fan of, which continues to expand its offerings to match evolving attack dynamics, relieve organizations of toil, and let them focus on their core competencies, providing value to their customers.</p><h2><strong>March 2026 Was a Wake-Up Call</strong></h2><p>If you needed a single month to illustrate why the current approach to supply chain security is failing, March 2026 delivered it in concentrated form.</p><p>Between March 19 and March 31, five major open source projects were compromised in rapid succession. 
Aqua Security&#8217;s Trivy vulnerability scanner was <strong><a href="https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/">hit</a></strong> first, on March 19. <strong><a href="https://checkmarx.com/blog/checkmarx-security-update/">Checkmarx&#8217;s AST GitHub Actions</a></strong> followed, then <strong><a href="https://docs.litellm.ai/blog/security-update-march-2026">LiteLLM</a></strong>, the widely used AI proxy library on PyPI, on March 24, and <strong><a href="https://telnyx.com/resources/telnyx-python-sdk-supply-chain-security-notice-march-2026">Telnyx</a></strong> on March 27. Finally, <strong><a href="https://supplychaindigital.com/news/hackers-expose-vulnerabilities-in-software-supply-chains">Axios</a></strong>, one of the most popular JavaScript libraries in the world with over 100 million weekly downloads, was compromised on March 31 when attackers released poisoned versions that installed a Remote Access Trojan on every machine that pulled the update.</p><p>The Trivy attack is a particularly interesting one. TeamPCP used an AI-assisted tool and approximately $150 to gain access to Aqua Security&#8217;s credentials, giving them the ability to publish malicious versions of a Trivy container image and dozens of GitHub Actions. Any team that ran a Trivy scan during a three-day window likely had their secrets exposed. The attackers then used those harvested credentials to pivot into widely used Python and JavaScript libraries, expanding the blast radius to dozens if not hundreds of downstream organizations.</p><p>The Axios compromise was attributed by Microsoft Threat Intelligence to Sapphire Sleet, a North Korean state actor. 
This was not a hobbyist operation; it was a nation-state weaponizing the trust model that the entire open source ecosystem runs on, despite industry leaders such as Ken Thompson pointing out the folly of this blind trust 40+ years ago.</p><blockquote><p><strong>&#8220;You can&#8217;t trust code you did not totally create yourself&#8221; - Ken Thompson</strong></p></blockquote><p>As Chainguard CEO <strong><a href="https://www.linkedin.com/posts/danlorenc_cybercrime-nation-states-and-ai-are-all-ugcPost-7448432091341484032-vaun">Dan Lorenc pointed out</a></strong>, North Korea showed us they can take over basically any project at will, and every malware scanner in the world missed LiteLLM. Chainguard&#8217;s own analysis in their blog post <strong><a href="https://www.chainguard.dev/unchained/open-source-died-in-march-it-just-doesnt-know-it-yet?utm_source=chris-hughes&amp;utm_medium=3p-sponsorship">Open Source Died in March</a></strong> put it bluntly. The problem is not that open source itself is broken. The Linux kernel, curl, and OpenSSL did not get more or less dangerous because of what happened in March. </p><p>The problem is how enterprises consume open source. PyPI and npm are distribution mechanisms that carry open source software with assumed trust baked into every layer. That assumed trust is what attackers are exploiting, and it is what organizations need to stop relying on.</p><div><hr></div><blockquote><p>To help orgs stay protected from future attacks, Chainguard offers <strong><a href="https://get.chainguard.dev/signup?utm_source=chris-hughes&amp;utm_medium=3p-sponsorship">a free forever plan </a></strong>where you can access their catalog of 2,000+ hardened images, and select five of your choosing to use completely free. 
You can sign up for free <strong><a href="https://get.chainguard.dev/signup?utm_source=chris-hughes&amp;utm_medium=3p-sponsorship">here</a></strong>.</p></blockquote><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://get.chainguard.dev/signup?utm_source=chris-hughes&amp;utm_medium=3p-sponsorship" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!EZ5s!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2432c6f5-8bf5-4faf-9c2c-e344dd654f8f_2400x1260.png 424w, https://substackcdn.com/image/fetch/$s_!EZ5s!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2432c6f5-8bf5-4faf-9c2c-e344dd654f8f_2400x1260.png 848w, https://substackcdn.com/image/fetch/$s_!EZ5s!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2432c6f5-8bf5-4faf-9c2c-e344dd654f8f_2400x1260.png 1272w, https://substackcdn.com/image/fetch/$s_!EZ5s!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2432c6f5-8bf5-4faf-9c2c-e344dd654f8f_2400x1260.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!EZ5s!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2432c6f5-8bf5-4faf-9c2c-e344dd654f8f_2400x1260.png" width="1456" height="764" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2432c6f5-8bf5-4faf-9c2c-e344dd654f8f_2400x1260.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:764,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:79912,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:&quot;https://get.chainguard.dev/signup?utm_source=chris-hughes&amp;utm_medium=3p-sponsorship&quot;,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194182955?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2432c6f5-8bf5-4faf-9c2c-e344dd654f8f_2400x1260.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!EZ5s!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2432c6f5-8bf5-4faf-9c2c-e344dd654f8f_2400x1260.png 424w, https://substackcdn.com/image/fetch/$s_!EZ5s!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2432c6f5-8bf5-4faf-9c2c-e344dd654f8f_2400x1260.png 848w, https://substackcdn.com/image/fetch/$s_!EZ5s!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2432c6f5-8bf5-4faf-9c2c-e344dd654f8f_2400x1260.png 1272w, https://substackcdn.com/image/fetch/$s_!EZ5s!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2432c6f5-8bf5-4faf-9c2c-e344dd654f8f_2400x1260.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><div><hr></div><h2><strong>The Complexity of the Modern Supply Chain</strong></h2><p>The reason these attacks land is that the modern software supply chain has become extraordinarily complex, and most organizations have neither the tooling nor the staffing to secure it end to end.</p><p>Consider what a typical enterprise depends on. Container base images pulled from public registries. Hundreds or thousands of open source libraries across npm, PyPI, and Maven. GitHub Actions automating CI/CD pipelines. OS packages in the build environment, and now increasingly, AI agent skills, MCP servers, and extensions that are being pulled into developer workflows with minimal vetting. 
Every one of those layers is an attack surface, and every one of them is growing.</p><p>The industry has spent the better part of a decade talking about software composition analysis, SBOMs, and shifting security left. Those efforts are not worthless, but they are reactive by design. </p><p>You pull a dependency, you scan it, you find a vulnerability, you patch it. The problem is that this cycle assumes you have the time and capacity to respond before an attacker exploits what you missed. In March 2026, the organizations that were compromised were not running outdated security practices. They were running the current standard, but the current standard was not enough.</p><p>Chainguard&#8217;s Dan Lorenc has been making this argument for years, and the data is proving him right. Cybercrime, nation-states, and AI are all converging on the software supply chain as the highest-leverage attack vector in the ecosystem. The cost to mount these attacks is dropping. The volume is increasing, and the blast radius when they succeed is expanding because of how deeply these components are embedded in downstream applications.</p><p>This is a point Tony Turner and I tried to emphasize in our book Software Transparency and this was <em>before</em> the rapid rise of LLMs, GenAI, Agents, and the ever more porous and problematic software supply chain that we have now. The software supply chain simply represents a high ROI target for attackers due to its pervasiveness in consumption and usage.</p><div><hr></div><h2><strong>AI Is Accelerating Both Sides of the Problem</strong></h2><p>The AI dimension of this story runs in two directions, and both of them are making the supply chain harder to secure.</p><p>On the production side, the physical constraints of software development are disappearing. GitHub hit 1 billion commits in 2025. As of April 2026, the platform is processing 275 million commits per week, putting it on pace for 14 billion commits this year. That is a 14x year-over-year increase. 
GitHub Actions usage has grown from 500 million minutes per week in 2023, to 1 billion in 2025, to 2.1 billion in a single week in April 2026.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!Q9xa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb8fba793-204e-4269-82de-24ce7eb678b5_743x379.png" width="617" height="314.72812920592196" class="sizing-normal" alt="" loading="lazy"></figure></div><p>AI coding agents from Anthropic, OpenAI, Cursor, Windsurf, and others have transformed developers from line-by-line coders into orchestrators managing fleets of AI agents that assemble software in days instead of weeks.</p><p>As I discussed in <strong><a href="https://www.resilientcyber.io/p/vibe-coding-conundrums">Vibe Coding Conundrums</a></strong> and <strong><a href="https://www.resilientcyber.io/p/a-security-vibe-check">A Security Vibe Check</a></strong>, much of this growth is coming from developers who are less security-conscious than the experienced practitioners who came before them. Research shows AI-generated code contains vulnerabilities at 2.74 times the rate of human-written code. AI-assisted commits show roughly double the baseline rate of credential exposure. 
And the sheer volume means the absolute number of vulnerabilities entering production is growing exponentially alongside the code itself.</p><p>Every one of those commits is pulling open source dependencies. As AI generates code, it is pulling open source artifacts to drive token efficiency, which means your codebase is growing and so is your open source attack surface. This is happening at a pace where engineering and security teams cannot reasonably manage the supply chain risk factors, even with good tooling and mature processes.</p><p>On the offensive side, AI has turned vulnerability discovery and exploitation into a scalable, low-cost operation. As Chainguard noted in <strong><a href="https://www.chainguard.dev/unchained/ai-is-finding-vulnerabilities-faster-than-anyone-can-patch-them-now-what?utm_source=chris-hughes&amp;utm_medium=3p-sponsorship">AI Is Finding Vulnerabilities Faster Than Anyone Can Patch Them</a></strong>, AI can find vulnerabilities at machine speed, but the humans who maintain the world&#8217;s most critical open source projects still operate at human speed, often as volunteers. </p><p>Anthropic&#8217;s Claude Mythos Preview found thousands of high-severity vulnerabilities including a 27-year-old bug in OpenBSD. <strong><a href="https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities">AISLE discovered all 12 CVEs in the January 2026 coordinated release of OpenSSL</a></strong>, with three of those bugs having been present since the late 1990s. <strong><a href="https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier">MOAK demonstrated the first agentic AI workflow capable of exploiting hundreds of known dangerous vulnerabilities in minutes</a></strong>, not just discovering them but weaponizing them.</p><p>Mean time-to-exploit for a CVE went from 63 days in 2018 to negative one day in 2024 to negative seven days in 2025. Attackers can now exploit a vulnerability for a full week before a patch even exists. 
As Chainguard framed it in <strong><a href="https://www.chainguard.dev/unchained/ship-and-patch-doesnt-cut-it-in-the-ai-era?utm_source=chris-hughes&amp;utm_medium=3p-sponsorship">Ship and Patch Doesn&#8217;t Cut It in the AI Era</a></strong>, the traditional vulnerability management cycle has become a lose-lose proposition. Patch too fast and you expose your developer secrets to the next supply chain attack. Patch too slow and you fall victim to an exploited CVE.</p><p>The meme below also painfully summarizes the challenges defenders face between quickly updating to mitigate risk, and the fact that quickly updating can be a risk in and of itself.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!1m-U!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa08a990f-a095-4009-ad54-13b11b986499_438x665.png" width="320" height="485.8447488584475" class="sizing-normal" alt="" title="" loading="lazy"></figure></div><h2><strong>The Cost and Burden Nobody Talks About</strong></h2><p>Beyond the security risk, there is an economic and operational burden that most organizations underestimate. 
As I covered in <strong><a href="https://www.resilientcyber.io/p/cve-cost-conundrums">CVE Cost Conundrums</a></strong>, Chainguard&#8217;s research found that organizations that outsourced CVE remediation realized $2.1 million in annual savings, with even more substantial savings in regulated industries like insurance and healthcare.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!ZYV9!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F91f6efa9-e9be-4bf3-a372-a8ab23090824_1456x595.jpeg" width="665" height="271.7548076923077" class="sizing-normal" alt="" loading="lazy"></figure></div><p>The math behind those savings is not hard to follow. Engineering and development teams spend enormous amounts of time on CVE management. Triaging, patching, validating, documenting, and reporting. Every hour spent chasing down a vulnerability in a transitive dependency four levels deep in your container image is an hour not spent building product or providing value to customers. At scale, this becomes a material drag on engineering velocity and business outcomes.</p><p>Then layer on the compliance dimension. <strong><a href="https://www.chainguard.dev/unchained/get-up-to-speed-on-fedramp-20x?utm_source=chris-hughes&amp;utm_medium=3p-sponsorship">FedRAMP 20x</a></strong> is formalizing requirements around SBOMs, continuous monitoring, and supply chain transparency. Organizations selling into the U.S. 
Federal or other regulated markets need to demonstrate that they are tracking components and proving that vulnerabilities are remediated swiftly. </p><p>SOC 2, ISO 27001, PCI DSS, and industry-specific frameworks are all tightening their expectations around software supply chain governance. Every one of these compliance requirements adds overhead, and most organizations are doing the work manually or with stitched-together tooling that was not built for this scale.</p><p>The burden compounds when you consider that the volume of CVEs is not slowing down. Chainguard&#8217;s <strong><a href="https://www.chainguard.dev/unchained/the-state-of-trusted-open-source-march-2026?utm_source=chris-hughes&amp;utm_medium=3p-sponsorship">State of Trusted Open Source</a></strong> report for March 2026 tracked 377 unique CVEs and over 33,000 fix instances across their container image catalog, representing a 145% increase in unique vulnerabilities and over 300% more fixes compared to the previous quarter. 
That acceleration reflects both faster development and AI-driven vulnerability discovery hitting the ecosystem simultaneously.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!BYCN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2cc5118d-305c-407a-b8ea-4231534f3c40_884x496.png" width="884" height="496" class="sizing-normal" alt="" loading="lazy"></figure></div><h2><strong>Chainguard&#8217;s Expanding Coverage</strong></h2><p>This is the context in which Chainguard&#8217;s evolution makes the most sense. The company started with a focused thesis around hardened container images. Minimal images, built from source, rebuilt daily, shipped with zero known CVEs and signed SBOMs. That was already a significant improvement over the status quo of pulling unvetted images from Docker Hub and hoping for the best.</p><p>But the attack surface has grown beyond containers, and Chainguard has expanded with it. 
At <strong><a href="https://www.chainguard.dev/unchained/everything-we-announced-at-chainguard-assemble-2026?utm_source=chris-hughes&amp;utm_medium=3p-sponsorship">Chainguard Assemble 2026</a></strong>, the company announced a full portfolio of products covering the broader SDLC.</p><blockquote><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!TFrT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F87f77807-78ee-41e5-9948-2d7ee4dad1e0_1472x822.png" width="1456" height="813" class="sizing-normal" alt="" loading="lazy"></figure></div></blockquote><p>Chainguard Libraries replaces public npm, PyPI, and Maven registries with a source-verified mirror. Only packages with SBOMs and provenance are included. Malicious binaries and tampered releases are blocked before they reach your environment, and poisoned transitive dependencies are excluded by construction rather than by scanning.</p><p>Chainguard Actions provides hardened, cryptographically pinned GitHub Actions built from source. 
This addresses the exact attack vector that was exploited in the Trivy and Checkmarx compromises, where version tags were force-pushed to redirect CI/CD pipelines to attacker-controlled code.</p><p>Chainguard Agent Skills embeds verified, policy-governed context directly into AI coding agent workflows, so that dependency selection defaults to trusted sources rather than public registries when agents are assembling code.</p><p>The Chainguard Repository ties all of this together into a unified catalog where platform teams can access containers, libraries, OS packages, CI/CD workflows, and agent skills through a single endpoint with built-in security policies and visibility. Security and compliance teams define rules once as code, and the repository enforces those decisions consistently across both human developers and AI agents.</p><p>They also offer <strong><a href="https://edu.chainguard.dev/chainguard/migration/the-guardener/?utm_source=chris-hughes&amp;utm_medium=3p-sponsorship">Guardener</a></strong>, their AI-native migration agent, which automates the process of replacing existing artifacts with Chainguard equivalents. It points at your existing Dockerfile, maps packages to Chainguard equivalents, converts images into hardened multi-stage builds, and outputs a ready-to-run Dockerfile with a before-and-after migration report. The same drop-in pattern applies to libraries, actions, and OS packages. Developers keep using the same tools and workflows they rely on today. This is an innovative way to enable the transition to secure alternatives without disrupting the business or developers.</p><p>The strategic insight here is that Chainguard is not building a scanner. They are building a factory. 
The <strong><a href="https://edu.chainguard.dev/chainguard/factory/?utm_source=chris-hughes&amp;utm_medium=3p-sponsorship">Chainguard Factory</a></strong> rebuilds everything from source daily, applies compiler hardening flags, strips post-install scripts, and ships with full provenance and build attestation on every artifact. </p><p>AI-driven reconciliation bots trigger dependency updates and vulnerability-based rebuilds automatically, so images stay current without manual intervention. Chainguard remediates CVEs in an average of two days, and only 22% of CVE remediations require direct human intervention. Their container images carry 97.6% fewer CVEs than industry alternatives.</p><h2><strong>What This Means for Security Leaders</strong></h2><p>The software supply chain security problem has three compounding dimensions that are all accelerating simultaneously. The attack surface is growing exponentially as AI-driven development pushes code production to unprecedented volumes. The attacks against the supply chain are becoming cheaper, faster, and more effective, amplified by the same AI capabilities driving development. We&#8217;re seeing the full-blown industrialization of exploitation.</p><p>The compliance and governance requirements organizations must meet are expanding, adding overhead to teams that are already stretched thin, and further making security a cost center rather than a business enabler.</p><p>The old model assumed that security teams could keep pace with developers. That was already questionable when humans were writing every line of code. It is untenable when AI agents are producing 275 million commits a week on a single platform. The old trust model also assumed that pulling packages from public registries was safe enough. 
March 2026 proved definitively that it is not, and the attacks and incident velocity continue to grow.</p><p>The organizations that get ahead of this will be the ones that shift from reactive vulnerability management to proactive supply chain integrity. That means consuming open source from verified sources with full provenance rather than pulling whatever an AI agent recommends from a public registry. </p><p>That means securing not just container images, but libraries, CI/CD actions, OS packages, and the AI agent context that is increasingly driving development decisions. Attackers see the full underlying infrastructure and ecosystem driving the modern SDLC and are targeting it accordingly.</p><p>It means doing this in a way that does not require every organization to build and maintain the infrastructure to do it themselves, because most cannot, and the ones that try are burning engineering capacity that should be going toward their actual products and things that provide direct value to their customers.</p><p>The supply chain cannot scale on trust alone. The math does not work. The threat landscape does not allow it. And the compliance environment will increasingly demand something better. 
The question for every security leader is whether they are going to keep running the current standard that March 2026 proved insufficient, or build on a foundation that was designed for the reality we are living in now.</p>]]></content:encoded></item><item><title><![CDATA[The NVD Just Threw In The Towel - Now What?]]></title><description><![CDATA[A little over a year ago, I wrote Death Knell of the NVD.]]></description><link>https://www.resilientcyber.io/p/the-nvd-just-threw-in-the-towel-now</link><guid isPermaLink="false">https://www.resilientcyber.io/p/the-nvd-just-threw-in-the-towel-now</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Wed, 22 Apr 2026 12:04:04 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!XEk2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcb4a174-795a-45f1-b6cf-e35d6dd0bed0_2816x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>A little over a year ago, I wrote <strong><a href="https://www.resilientcyber.io/p/death-knell-of-the-nvd">Death Knell of the NVD</a> </strong>and even broke down the NVD chaos with Josh Bressers and Dan Lorenc:</p><div id="youtube2-d-zMKrmJgJs" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;d-zMKrmJgJs&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/d-zMKrmJgJs?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" 
allowfullscreen="true" width="728" height="409"></iframe></div></div><p>The point was, the NIST National Vulnerability Database (NVD) was structurally incapable of keeping pace with the volume and velocity of modern vulnerability disclosures. It was underfunded, understaffed, and operating on a model designed for a world that no longer exists. The backlog was growing, the enrichment pipeline was breaking down, and the industry was placing its trust in a system that could not deliver on the promise of being the authoritative source of vulnerability intelligence.</p><p>The NVD was (and still is) dealing with a variety of challenges such as legacy manual processes, contractual hurdles, funding constraints, technical bottlenecks and an ever-growing flow of CVEs.</p><p>At the time, some people thought I was being dramatic. I was not. NVD&#8217;s problems have only persisted since then, and now seem to have come to a head.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qPSY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e445c61-f0df-4027-ad93-56934872a344_926x1150.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!qPSY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e445c61-f0df-4027-ad93-56934872a344_926x1150.png 424w, https://substackcdn.com/image/fetch/$s_!qPSY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e445c61-f0df-4027-ad93-56934872a344_926x1150.png 848w, 
https://substackcdn.com/image/fetch/$s_!qPSY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e445c61-f0df-4027-ad93-56934872a344_926x1150.png 1272w, https://substackcdn.com/image/fetch/$s_!qPSY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e445c61-f0df-4027-ad93-56934872a344_926x1150.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!qPSY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e445c61-f0df-4027-ad93-56934872a344_926x1150.png" width="336" height="417.27861771058315" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1e445c61-f0df-4027-ad93-56934872a344_926x1150.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1150,&quot;width&quot;:926,&quot;resizeWidth&quot;:336,&quot;bytes&quot;:539107,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194774857?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e445c61-f0df-4027-ad93-56934872a344_926x1150.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!qPSY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e445c61-f0df-4027-ad93-56934872a344_926x1150.png 424w, 
https://substackcdn.com/image/fetch/$s_!qPSY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e445c61-f0df-4027-ad93-56934872a344_926x1150.png 848w, https://substackcdn.com/image/fetch/$s_!qPSY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e445c61-f0df-4027-ad93-56934872a344_926x1150.png 1272w, https://substackcdn.com/image/fetch/$s_!qPSY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e445c61-f0df-4027-ad93-56934872a344_926x1150.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" 
y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>(Image credit to my friend Patrick Garrity)</p><div><hr></div>
<h2>NIST Makes It Official</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!XEk2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcb4a174-795a-45f1-b6cf-e35d6dd0bed0_2816x1536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!XEk2!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcb4a174-795a-45f1-b6cf-e35d6dd0bed0_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!XEk2!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcb4a174-795a-45f1-b6cf-e35d6dd0bed0_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!XEk2!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcb4a174-795a-45f1-b6cf-e35d6dd0bed0_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!XEk2!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcb4a174-795a-45f1-b6cf-e35d6dd0bed0_2816x1536.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!XEk2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcb4a174-795a-45f1-b6cf-e35d6dd0bed0_2816x1536.png" width="1456" height="794" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/dcb4a174-795a-45f1-b6cf-e35d6dd0bed0_2816x1536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:794,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:7917059,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194774857?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcb4a174-795a-45f1-b6cf-e35d6dd0bed0_2816x1536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!XEk2!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcb4a174-795a-45f1-b6cf-e35d6dd0bed0_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!XEk2!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcb4a174-795a-45f1-b6cf-e35d6dd0bed0_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!XEk2!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcb4a174-795a-45f1-b6cf-e35d6dd0bed0_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!XEk2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcb4a174-795a-45f1-b6cf-e35d6dd0bed0_2816x1536.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" 
height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>On April 15, 2026, <strong><a href="https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth">NIST made it official</a></strong>. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!O-mi!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F201187e1-42c3-497c-a274-6bb6dee8a493_2426x628.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!O-mi!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F201187e1-42c3-497c-a274-6bb6dee8a493_2426x628.png 424w, https://substackcdn.com/image/fetch/$s_!O-mi!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F201187e1-42c3-497c-a274-6bb6dee8a493_2426x628.png 848w, https://substackcdn.com/image/fetch/$s_!O-mi!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F201187e1-42c3-497c-a274-6bb6dee8a493_2426x628.png 1272w, https://substackcdn.com/image/fetch/$s_!O-mi!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F201187e1-42c3-497c-a274-6bb6dee8a493_2426x628.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!O-mi!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F201187e1-42c3-497c-a274-6bb6dee8a493_2426x628.png" width="1456" height="377" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/201187e1-42c3-497c-a274-6bb6dee8a493_2426x628.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:377,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:114225,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194774857?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F201187e1-42c3-497c-a274-6bb6dee8a493_2426x628.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!O-mi!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F201187e1-42c3-497c-a274-6bb6dee8a493_2426x628.png 424w, https://substackcdn.com/image/fetch/$s_!O-mi!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F201187e1-42c3-497c-a274-6bb6dee8a493_2426x628.png 848w, https://substackcdn.com/image/fetch/$s_!O-mi!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F201187e1-42c3-497c-a274-6bb6dee8a493_2426x628.png 1272w, https://substackcdn.com/image/fetch/$s_!O-mi!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F201187e1-42c3-497c-a274-6bb6dee8a493_2426x628.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" 
height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The NVD is shifting to a risk-based enrichment model, which is a polite way of saying they are no longer going to enrich most CVEs. 
</p><p>Going forward, NIST will only enrich: </p><ol><li><p>CVEs appearing in CISA&#8217;s Known Exploited Vulnerabilities (KEV) Catalog</p></li><li><p>CVEs for software used within the federal government (<em>assuming the Federal government knows what software they are using - hint: they don&#8217;t!</em>)</p></li><li><p>CVEs for critical software as defined by Executive Order 14028</p></li></ol><p>Everything else gets categorized as &#8220;Lowest Priority, not scheduled for immediate enrichment.&#8221; And approximately 29,000 backlogged CVEs with publish dates before March 1, 2026 were moved into the &#8220;Not Scheduled&#8221; category, effectively clearing the visible backlog from over 33,000 to roughly 4,000 by reclassifying the problem rather than solving it.</p><p>This change has strong implications for the cybersecurity ecosystem. The system the entire cybersecurity industry has depended on for vulnerability scoring, enrichment, and metadata is formally acknowledging that it cannot keep up. </p><p>The NVD points to exponential growth as the source of its challenges. It enriched nearly 42,000 CVEs in 2025, which was 45% more than any prior year, and it still was not enough. CVE submissions increased 263% between 2020 and 2025, and the first three months of 2026 are running nearly one-third higher than the same period last year. The NVD did not fail because of negligence. It failed because the inputs grew faster than any government-funded program could scale to meet them.</p><p>This bolsters the case many have been making that this activity is better served by the private sector. 
I&#8217;m not sure I share that view, but when the leading Federal program for vulnerability intelligence and enrichment throws up its hands in fatigue, it is hard to argue otherwise.</p><h2><strong>The Numbers Behind the Collapse</strong></h2><p>To understand why this was inevitable, you have to look at the trajectory.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!2i3I!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff01a81b-2fc5-470f-8516-c80f2cea9a76_1250x613.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!2i3I!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff01a81b-2fc5-470f-8516-c80f2cea9a76_1250x613.png 424w, https://substackcdn.com/image/fetch/$s_!2i3I!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff01a81b-2fc5-470f-8516-c80f2cea9a76_1250x613.png 848w, https://substackcdn.com/image/fetch/$s_!2i3I!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff01a81b-2fc5-470f-8516-c80f2cea9a76_1250x613.png 1272w, https://substackcdn.com/image/fetch/$s_!2i3I!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff01a81b-2fc5-470f-8516-c80f2cea9a76_1250x613.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!2i3I!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff01a81b-2fc5-470f-8516-c80f2cea9a76_1250x613.png" width="1250" height="613" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ff01a81b-2fc5-470f-8516-c80f2cea9a76_1250x613.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:613,&quot;width&quot;:1250,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:146087,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194774857?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff01a81b-2fc5-470f-8516-c80f2cea9a76_1250x613.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!2i3I!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff01a81b-2fc5-470f-8516-c80f2cea9a76_1250x613.png 424w, https://substackcdn.com/image/fetch/$s_!2i3I!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff01a81b-2fc5-470f-8516-c80f2cea9a76_1250x613.png 848w, https://substackcdn.com/image/fetch/$s_!2i3I!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff01a81b-2fc5-470f-8516-c80f2cea9a76_1250x613.png 1272w, https://substackcdn.com/image/fetch/$s_!2i3I!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff01a81b-2fc5-470f-8516-c80f2cea9a76_1250x613.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" 
height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong><a href="https://www.infosecurity-magazine.com/news/first-forecasts-record-50000-cve/">FIRST&#8217;s 2026 Vulnerability Forecast</a></strong> projected a median of approximately 59,000 new CVEs this year, marking the first time the industry will cross 50,000 published CVEs in a single calendar year. Their realistic upside scenarios suggest 70,000 to 100,000 are entirely possible, with the upper bound of the 90% confidence interval approaching 118,000, and this is not a one-year spike. 
FIRST projects the median will hold above 50,000 through 2028, with upper bounds reaching nearly 193,000 by then.</p><p><strong><a href="https://github.blog/security/supply-chain-security/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware/">GitHub&#8217;s analysis of open source vulnerability trends</a></strong> confirms the acceleration from the ecosystem perspective. They saw a 35% increase in published CVE records in 2025, outpacing the overall CVE Program&#8217;s increase of 21%, with 10 to 16% growth every quarter. If that trend continues, GitHub will publish over 50% more CVEs in 2026 than they did in 2025. Their malware advisory numbers are even more striking. NPM malware advisories surged 69% year over year in 2025, the highest volume since GitHub added malware tracking in 2022, driven by large-scale campaigns exploiting the trust model of public package registries. </p><p>This is evident not only from years of open source supply chain incidents, but also from a series of high-profile open source compromises in early 2026 that have dominated security discussions and news.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!P6X1!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7045f934-53bf-4b8e-a3f2-f8f00cd223f1_747x451.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!P6X1!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7045f934-53bf-4b8e-a3f2-f8f00cd223f1_747x451.png 424w, https://substackcdn.com/image/fetch/$s_!P6X1!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7045f934-53bf-4b8e-a3f2-f8f00cd223f1_747x451.png 848w, 
https://substackcdn.com/image/fetch/$s_!P6X1!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7045f934-53bf-4b8e-a3f2-f8f00cd223f1_747x451.png 1272w, https://substackcdn.com/image/fetch/$s_!P6X1!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7045f934-53bf-4b8e-a3f2-f8f00cd223f1_747x451.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!P6X1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7045f934-53bf-4b8e-a3f2-f8f00cd223f1_747x451.png" width="747" height="451" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7045f934-53bf-4b8e-a3f2-f8f00cd223f1_747x451.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:451,&quot;width&quot;:747,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:49699,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194774857?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7045f934-53bf-4b8e-a3f2-f8f00cd223f1_747x451.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!P6X1!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7045f934-53bf-4b8e-a3f2-f8f00cd223f1_747x451.png 424w, https://substackcdn.com/image/fetch/$s_!P6X1!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7045f934-53bf-4b8e-a3f2-f8f00cd223f1_747x451.png 848w, 
https://substackcdn.com/image/fetch/$s_!P6X1!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7045f934-53bf-4b8e-a3f2-f8f00cd223f1_747x451.png 1272w, https://substackcdn.com/image/fetch/$s_!P6X1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7045f934-53bf-4b8e-a3f2-f8f00cd223f1_747x451.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>These are not edge cases, this is the baseline, and the baseline is accelerating.</p><h2><strong>AI Is the Accelerant the System Was Not 
Built For</strong></h2><p>What pushed the NVD past its breaking point is not just organic growth in software complexity. It is the convergence of AI-driven code generation, AI-driven vulnerability discovery, and AI-driven vulnerability reporting, all hitting the system simultaneously.</p><p>On the code generation side, as I detailed in <strong><a href="https://www.resilientcyber.io/p/the-attack-surface-exponential">The Attack Surface Exponential</a>,</strong> GitHub hit 1 billion commits in 2025 and is now processing 275 million commits per week, putting the platform on pace for 14 billion commits in 2026. That is a 14x year-over-year increase, driven almost entirely by AI coding agents. Every one of those commits is pulling open source dependencies, introducing new code paths, and expanding the attack surface that the vulnerability ecosystem needs to catalog, score, and enrich.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!T1PG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aac963c-b1d7-49e2-9640-3cb076d14cba_761x653.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!T1PG!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aac963c-b1d7-49e2-9640-3cb076d14cba_761x653.png 424w, https://substackcdn.com/image/fetch/$s_!T1PG!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aac963c-b1d7-49e2-9640-3cb076d14cba_761x653.png 848w, https://substackcdn.com/image/fetch/$s_!T1PG!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aac963c-b1d7-49e2-9640-3cb076d14cba_761x653.png 1272w, 
https://substackcdn.com/image/fetch/$s_!T1PG!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aac963c-b1d7-49e2-9640-3cb076d14cba_761x653.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!T1PG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aac963c-b1d7-49e2-9640-3cb076d14cba_761x653.png" width="543" height="465.93823915900134" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1aac963c-b1d7-49e2-9640-3cb076d14cba_761x653.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:653,&quot;width&quot;:761,&quot;resizeWidth&quot;:543,&quot;bytes&quot;:224528,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194774857?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aac963c-b1d7-49e2-9640-3cb076d14cba_761x653.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!T1PG!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aac963c-b1d7-49e2-9640-3cb076d14cba_761x653.png 424w, https://substackcdn.com/image/fetch/$s_!T1PG!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aac963c-b1d7-49e2-9640-3cb076d14cba_761x653.png 848w, 
https://substackcdn.com/image/fetch/$s_!T1PG!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aac963c-b1d7-49e2-9640-3cb076d14cba_761x653.png 1272w, https://substackcdn.com/image/fetch/$s_!T1PG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aac963c-b1d7-49e2-9640-3cb076d14cba_761x653.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>On the discovery side, as I covered in both <strong><a 
href="https://www.resilientcyber.io/p/vulnpocalypse-ai-open-source-and">Vulnpocalypse</a></strong> and <strong><a href="https://www.resilientcyber.io/p/claude-mythos-why-it-matters-and">Claude Mythos: Why It Matters</a>,</strong> AI systems are now finding vulnerabilities at machine speed. Anthropic&#8217;s Claude Mythos Preview found thousands of high-severity vulnerabilities, including a 27-year-old bug in OpenBSD. AISLE discovered all 12 CVEs in a coordinated OpenSSL release. MOAK demonstrated automated exploitation of hundreds of known dangerous vulnerabilities in minutes. </p><blockquote><p><strong>The cost of finding a vulnerability is approaching zero; however, the cost of enriching it in the NVD is not. This creates an economic mismatch between the two activities.</strong></p></blockquote><p>And then there is the reporting side, which may be the most immediate driver of the NVD&#8217;s capitulation. <strong><a href="https://www.infosecurity-magazine.com/interviews/first-ceo-cve-collaboration-ai/">FIRST CEO Chris Gibson noted in a recent interview</a></strong> that AI is clearly another tool in the armory for finding vulnerabilities and probably a game changer in many ways. 
But he also raised a critical question about whether the vulnerability disclosure infrastructure is ready for what is coming, and it is safe to say it is not.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!t5LL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab1da9ef-61dc-4848-945c-b75ae5c98f6e_692x126.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!t5LL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab1da9ef-61dc-4848-945c-b75ae5c98f6e_692x126.png 424w, https://substackcdn.com/image/fetch/$s_!t5LL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab1da9ef-61dc-4848-945c-b75ae5c98f6e_692x126.png 848w, https://substackcdn.com/image/fetch/$s_!t5LL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab1da9ef-61dc-4848-945c-b75ae5c98f6e_692x126.png 1272w, https://substackcdn.com/image/fetch/$s_!t5LL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab1da9ef-61dc-4848-945c-b75ae5c98f6e_692x126.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!t5LL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab1da9ef-61dc-4848-945c-b75ae5c98f6e_692x126.png" width="692" height="126" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ab1da9ef-61dc-4848-945c-b75ae5c98f6e_692x126.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:126,&quot;width&quot;:692,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:22188,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194774857?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab1da9ef-61dc-4848-945c-b75ae5c98f6e_692x126.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!t5LL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab1da9ef-61dc-4848-945c-b75ae5c98f6e_692x126.png 424w, https://substackcdn.com/image/fetch/$s_!t5LL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab1da9ef-61dc-4848-945c-b75ae5c98f6e_692x126.png 848w, https://substackcdn.com/image/fetch/$s_!t5LL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab1da9ef-61dc-4848-945c-b75ae5c98f6e_692x126.png 1272w, https://substackcdn.com/image/fetch/$s_!t5LL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab1da9ef-61dc-4848-945c-b75ae5c98f6e_692x126.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>As GitHub&#8217;s Madison Oliver noted on <strong><a href="https://www.linkedin.com/pulse/everyones-blaming-ai-bad-vulnerability-reports-data-oliver-ficorilli-kvoxc/">LinkedIn</a></strong>, 
the quality of CVE submissions has become a significant concern alongside the volume. AI-generated vulnerability reports are flooding the system, and many of them are low quality, duplicative, or lack the context necessary for meaningful enrichment. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!0_7j!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1c8cac1-c88c-4ab0-96b1-929c10d2322b_1341x599.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!0_7j!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1c8cac1-c88c-4ab0-96b1-929c10d2322b_1341x599.png 424w, https://substackcdn.com/image/fetch/$s_!0_7j!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1c8cac1-c88c-4ab0-96b1-929c10d2322b_1341x599.png 848w, https://substackcdn.com/image/fetch/$s_!0_7j!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1c8cac1-c88c-4ab0-96b1-929c10d2322b_1341x599.png 1272w, https://substackcdn.com/image/fetch/$s_!0_7j!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1c8cac1-c88c-4ab0-96b1-929c10d2322b_1341x599.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!0_7j!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1c8cac1-c88c-4ab0-96b1-929c10d2322b_1341x599.png" width="1341" height="599" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f1c8cac1-c88c-4ab0-96b1-929c10d2322b_1341x599.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:599,&quot;width&quot;:1341,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:65778,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194774857?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1c8cac1-c88c-4ab0-96b1-929c10d2322b_1341x599.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!0_7j!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1c8cac1-c88c-4ab0-96b1-929c10d2322b_1341x599.png 424w, https://substackcdn.com/image/fetch/$s_!0_7j!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1c8cac1-c88c-4ab0-96b1-929c10d2322b_1341x599.png 848w, https://substackcdn.com/image/fetch/$s_!0_7j!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1c8cac1-c88c-4ab0-96b1-929c10d2322b_1341x599.png 1272w, https://substackcdn.com/image/fetch/$s_!0_7j!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff1c8cac1-c88c-4ab0-96b1-929c10d2322b_1341x599.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>GitHub reported that the number of vulnerability reports received over the past 90 days was 224% higher than the previous 90 days, with report quality described as a &#8220;huge concern.&#8221; The CVE system was designed for a world where human security researchers carefully documented vulnerabilities with detailed technical write-ups. It is now receiving machine-generated reports at a volume and pace that overwhelms the human reviewers responsible for enrichment.</p><p>This is the triple squeeze we see unfolding. More code generating more vulnerabilities, AI discovering those vulnerabilities faster than humans can process them, and AI-generated reports flooding the intake pipeline with volume that outstrips the system&#8217;s capacity to validate and enrich. 
</p><blockquote><p><strong>If we&#8217;re being honest, the NVD never stood a chance under these circumstances.</strong></p></blockquote><h2><strong>The Enrichment Gap and What It Means</strong></h2><p>The practical impact of NIST&#8217;s announcement is that the majority of CVEs will now exist in the NVD as shells. They will have an identifier and whatever information the CNA (CVE Numbering Authority) provided at submission, but they will not have the CVSS scores, CPE (Common Platform Enumeration) data, CWE classifications, or reference metadata that security teams and vulnerability management tools depend on to prioritize and remediate.</p><p>This matters because the entire vulnerability management workflow in most organizations starts with the NVD. Scanners pull CVE data from the NVD, risk scoring engines use CVSS from the NVD, compliance frameworks reference NVD enrichment data, and patch management prioritization relies on the metadata the NVD provides. </p><p>When that enrichment goes away for the majority of CVEs, the downstream tooling does not automatically compensate. Organizations that have built their vulnerability management programs around NVD data as the authoritative source (which is most of the ecosystem) are now operating on a foundation that has formally declared it will no longer serve most of the vulnerabilities being disclosed.</p><p>The request-by-email process NIST outlined for getting lowest-priority CVEs enriched is not a scalable alternative. If your organization identifies a CVE in your environment that NIST has categorized as lowest priority, you can email <a href="mailto:nvd@nist.gov">nvd@nist.gov</a> and ask them to schedule it for enrichment. </p><blockquote><p><strong>That is an analog process in an exponential era - it simply can&#8217;t scale. 
</strong></p></blockquote><p>For an industry dealing with tens of thousands of new CVEs per year across complex software supply chains, emailing NIST to get the vulnerability metadata you need is not a real solution. It is an acknowledgment that no real solution exists within the current model.</p><h2><strong>The Market Was Already Moving</strong></h2><p>The reality is that organizations that were solely dependent on the NVD were already behind. The smartest security teams had already started supplementing NVD data with alternative enrichment sources, commercial vulnerability intelligence feeds, exploit prediction scoring like EPSS, and vendor-specific advisory databases. </p><p>CISA&#8217;s KEV catalog had already become the de facto prioritization signal for many teams, which is effectively what NIST&#8217;s new model codifies. If it is not in KEV, it is not getting enriched. Even then, many, such as my friend Patrick Garrity and his team at VulnCheck, have demonstrated how much active exploitation activity the CISA KEV misses, and they provide their own <strong><a href="https://www.vulncheck.com/kev">VulnCheck KEV</a></strong>. It includes 80% more CVEs that are exploited in the wild, which CISA&#8217;s KEV misses.</p><p>But this shift also exposes a deeper structural problem. The CVE system itself is under strain. 
Gibson noted at VulnCon 2026 that he would be surprised if Anthropic and OpenAI were not CVE Numbering Authorities by the end of 2026.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!EKfa!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8890c070-ec57-4b05-9f5b-957e03ec90ee_656x217.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!EKfa!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8890c070-ec57-4b05-9f5b-957e03ec90ee_656x217.png 424w, https://substackcdn.com/image/fetch/$s_!EKfa!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8890c070-ec57-4b05-9f5b-957e03ec90ee_656x217.png 848w, https://substackcdn.com/image/fetch/$s_!EKfa!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8890c070-ec57-4b05-9f5b-957e03ec90ee_656x217.png 1272w, https://substackcdn.com/image/fetch/$s_!EKfa!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8890c070-ec57-4b05-9f5b-957e03ec90ee_656x217.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!EKfa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8890c070-ec57-4b05-9f5b-957e03ec90ee_656x217.png" width="656" height="217" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8890c070-ec57-4b05-9f5b-957e03ec90ee_656x217.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:217,&quot;width&quot;:656,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:27613,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194774857?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8890c070-ec57-4b05-9f5b-957e03ec90ee_656x217.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!EKfa!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8890c070-ec57-4b05-9f5b-957e03ec90ee_656x217.png 424w, https://substackcdn.com/image/fetch/$s_!EKfa!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8890c070-ec57-4b05-9f5b-957e03ec90ee_656x217.png 848w, https://substackcdn.com/image/fetch/$s_!EKfa!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8890c070-ec57-4b05-9f5b-957e03ec90ee_656x217.png 1272w, https://substackcdn.com/image/fetch/$s_!EKfa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8890c070-ec57-4b05-9f5b-957e03ec90ee_656x217.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>The fact that frontier AI labs are expected to become CNAs tells you where the volume is heading. 
CISA has indicated that AI companies need to play a bigger role in the CVE program, which is an implicit acknowledgment that the current participant base cannot handle the AI-driven vulnerability volume alone. It also makes sense, given the labs&#8217; movement into AppSec with native capabilities, vulnerability discovery and broader engagement of the community.</p><p>ENISA announcing it is working with CISA and MITRE on the CVE program and becoming a Top-Level Root CNA is another signal. The program is internationalizing and distributing authority because no single entity can manage the scale. This is not necessarily a sign of strength. It is a sign of an infrastructure being stress-tested to its limits and responding by spreading the load rather than increasing capacity at the center. This could lead to more resilience and robust capabilities, but it could also lead to dysfunction and decentralization.</p><h2><strong>From CVE Counting to Risk-Based Prioritization</strong></h2><p>So we&#8217;ve walked through where we are, and why we&#8217;re here. I wanted to share some thoughts I think security leaders need to internalize from this moment moving forward.</p><p>The era of CVE-centric vulnerability management is over. Not because CVEs do not matter, but because the system that was supposed to make them actionable has formally announced it cannot do so for the majority of vulnerabilities being disclosed, and because the trajectory of the ecosystem, driven by factors such as AI, is straining a system that was built prior to our AI-driven exponential.</p><p>This does not mean you stop tracking CVEs. It means you stop treating the NVD as your primary enrichment source and start building a vulnerability management program that can function without it. </p><p>That means investing in commercial vulnerability intelligence that provides enrichment independent of NIST. 
It means adopting risk-based prioritization models that incorporate exploitability (EPSS, KEV), reachability analysis, business context, and asset criticality rather than relying on CVSS scores that may never materialize for most CVEs. It means treating the NVD as one signal among many rather than the authoritative foundation of your program.</p><p>It also means confronting the compliance implications. Many regulatory frameworks and security standards reference the NVD explicitly or implicitly as the standard for vulnerability identification and scoring. </p><p>If NIST is no longer enriching most CVEs, what does that mean for organizations that are required by contract or regulation to demonstrate they are managing known vulnerabilities? The compliance frameworks have not caught up to this reality, and until they do, security teams will be caught in a gap between what the frameworks require and what the NVD can deliver.</p><p>That said, prioritization is far from a silver bullet, and as we have discussed, you will be missing a large portion of the data traditionally used to inform it anyway. To take a more comprehensive approach, I definitely recommend checking out an excellent recent piece from my friend <span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;James Berthoty&quot;,&quot;id&quot;:215222117,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F029c069a-0ea1-4c28-bedb-742a03fa770a_800x800.jpeg&quot;,&quot;uuid&quot;:&quot;6f3dfa95-b756-42bd-8060-6d53f23a410a&quot;}" data-component-name="MentionToDOM">James Berthoty</span> titled &#8220;<strong><a href="https://pulse.latio.tech/p/building-an-ai-ready-vulnerability">Building AN AI Ready Vulnerability Management Program After NVD Changes and Claude Mythos</a></strong>&#8221;. 
In the article, James walks through some sound recommendations ranging from fundamental inventory and visibility through cloud application detection and response (CADR), runtime enforcement and more.</p><h1><strong>The Bigger Picture</strong></h1><p>I want to zoom out for a moment and connect this to the broader trajectory I have been writing about across several pieces.</p><p>In <strong><a href="https://www.resilientcyber.io/p/vulnpocalypse-ai-open-source-and">Vulnpocalypse</a></strong>, I argued that AI-accelerated vulnerability discovery would overwhelm the industry&#8217;s capacity to respond. In <strong><a href="https://www.resilientcyber.io/p/the-attack-surface-exponential">The Attack Surface Exponential</a></strong>, I laid out the math behind code volume growing at 14x year over year and what that means for the absolute number of vulnerabilities entering production. In <strong><a href="https://www.resilientcyber.io/p/claude-mythos-why-it-matters-and">Claude Mythos: Why It Matters</a></strong>, I discussed how frontier models are finding bugs that evaded human researchers for decades.</p><p>The NVD announcement is the first institutional domino to fall as a direct result of those converging trends. The system that was supposed to catalog and enrich the world&#8217;s vulnerabilities just told us it cannot do so anymore. Not temporarily, not as a budget issue that gets resolved in the next fiscal year, but as a structural reality of the volume and velocity of modern vulnerability disclosure being driven by AI.</p><p>FIRST is projecting 59,000 CVEs this year with realistic upside scenarios approaching 100,000. GitHub is tracking 35% year-over-year growth in CVE publishing with malware advisories up 69%. 
AI agents are producing 275 million commits a week on GitHub alone, and the cost of discovering vulnerabilities in all of that code is collapsing toward zero while the infrastructure to process them remains bounded by human capacity and government funding cycles.</p><p>The NVD was the canary in the coal mine, and it just stopped singing. </p><p>What remains to be seen is whether the rest of the industry&#8217;s vulnerability management infrastructure adapts to this reality or continues operating as if the old model still works. 
</p><p>Because NIST just told us, in plain language, that it does not.</p>]]></content:encoded></item><item><title><![CDATA[The Industrialization of Exploitation]]></title><description><![CDATA[Exploited in Minutes: MOAK, Mythos, and the Industrialization of Exploitation]]></description><link>https://www.resilientcyber.io/p/the-industrialization-of-exploitation</link><guid isPermaLink="false">https://www.resilientcyber.io/p/the-industrialization-of-exploitation</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Tue, 21 Apr 2026 12:03:27 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/194845951/d2a48c373ae91441b051d72fae911bff.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p><strong>Exploited in Minutes: MOAK, Mythos, and the Industrialization of Exploitation</strong></p><p>The window from vulnerability discovery to working exploit used to be measured in years. MOAK closed it to 21 minutes.</p><p>In this episode I sit down with <strong><a href="https://www.linkedin.com/in/niv-hoffman-1852183a1/">Niv Hoffman</a></strong> and <strong><a href="https://www.linkedin.com/in/yair-saban-30615870/">Yair Saban</a></strong>, co-founders of a stealth-mode, Sequoia-backed cybersecurity company and the creators of <strong><a href="https://moak.ai/">MOAK (Mother of All KEVs)</a></strong>, the first agentic AI workflow to autonomously exploit hundreds of known exploited vulnerabilities with nothing more than a CVE number as input. </p><p>They built MOAK in the same week Anthropic dropped Mythos Preview, but the idea had been brewing for far longer. 
Their thesis was simple and devastating: if a model is good at engineering with a feedback loop, it&#8217;s going to be good at exploitation. Practitioners didn&#8217;t believe them, until MOAK exploited a React-to-shell vulnerability in 21 minutes, fully autonomously, with no human in the loop.</p><p>We cover the architecture, the implications, and what it actually means for enterprises navigating this new threat environment.</p><div id="youtube2-SHKYaV6srmA" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;SHKYaV6srmA&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/SHKYaV6srmA?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><div><hr></div><p><strong>8 Key Takeaways</strong></p><ul><li><p><strong>Exploitation is engineering with a feedback loop.</strong> Niv and Yair&#8217;s core insight was that if frontier models are great at engineering, they&#8217;re inevitably great at exploitation &#8212; a claim practitioners resisted until MOAK proved it in 21 minutes with no human guidance.</p></li><li><p><strong>The KEV catalog is the right threat model.</strong> MOAK specifically targets CISA&#8217;s Known Exploited Vulnerabilities &#8212; the small fraction of CVEs that have actually been used to breach organizations &#8212; not the entire CVE universe. The input is a CVE number. The output is a validated working exploit.</p></li><li><p><strong>The five-agent architecture mirrors real offensive operations.</strong> Collector, Researcher, Builder, Exploiter, and Judge &#8212; each with a discrete role, no POCs downloaded from the internet, no shortcuts. The researcher builds a mind map of exploit primitives and chains them together. 
The exploiter tests against a live environment with a hidden flag to confirm success.</p></li><li><p><strong>Mythos confirmed the thesis, but Glasswing is where it gets interesting.</strong> Niv and Yair are watching Glasswing closely &#8212; Anthropic partnering directly with Mozilla, the Linux Foundation, and major OS maintainers represents the most &#8220;shift left&#8221; security posture imaginable. Their prediction: a two-year meteor shower of newly discovered CVEs as every Glasswing partner surfaces decades of buried vulnerabilities.</p></li><li><p><strong>The AI-generated code problem compounds the attack surface exponentially.</strong> GitHub hit 1 billion commits in 2025 and is on pace for 14 billion in 2026. AI is simultaneously automating exploitation <em>and</em> generating the code being exploited. Niv put it plainly: &#8220;The problem AI amplifies is squared.&#8221;</p></li><li><p><strong>Enterprises are largely on their own right now.</strong> Glasswing helps major foundations and big tech. It doesn&#8217;t have a clear answer for the average enterprise. Niv&#8217;s prescription isn&#8217;t a new tool &#8212; it&#8217;s team play between the CISO and CTO, with security and engineering finally aligned on remediation as a shared priority.</p></li><li><p><strong>MOAK hasn&#8217;t released the code or any exploits &#8212; but the models to replicate it are already public.</strong> Yair was direct: attackers can leverage public models to build this workflow themselves. The gap isn&#8217;t the model. It&#8217;s knowing how to construct the right agentic system around it.</p></li><li><p><strong>Multiple CISOs reached out after MOAK launched to say it gave them a smoking gun.</strong> The most unexpected outcome: security leaders using MOAK as internal proof to finally get CTO buy-in that autonomous exploitation is a top priority for 2026. 
Sometimes the best awareness tool is a live dashboard showing your vulnerabilities being exploited in real time.</p></li></ul><div><hr></div><p><em>Niv and Yair&#8217;s company is currently in stealth. Watch this space!</em></p>]]></content:encoded></item><item><title><![CDATA[AI and the Future of Secure Coding]]></title><description><![CDATA[Jack Cable went from shaping national cybersecurity policy at CISA to founding Corridor to tackle what might be AppSec&#8217;s biggest inflection point, a world where AI agents write the majority of enterprise code.]]></description><link>https://www.resilientcyber.io/p/ai-and-the-future-of-secure-coding</link><guid isPermaLink="false">https://www.resilientcyber.io/p/ai-and-the-future-of-secure-coding</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Fri, 17 Apr 2026 12:13:27 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/194441394/886d232f85610526450aa89d6679c356.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p>Jack Cable went from shaping national cybersecurity policy at CISA to founding Corridor to tackle what might be AppSec&#8217;s biggest inflection point, a world where AI agents write the majority of enterprise code. 
</p><p>We talk about why shift-left was never enough, what Agentic Security Coding Management actually means, and how you govern code that no human wrote.</p><div><hr></div><div id="youtube2-SdwXGCrdLTo" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;SdwXGCrdLTo&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/SdwXGCrdLTo?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><div><hr></div><p><strong>Prefer to listen?</strong></p><p><strong><a href="https://podcasts.apple.com/us/podcast/ai-and-the-future-of-secure-coding/id1555928024?i=1000761895769">Apple Podcasts</a></strong></p><p><strong><a href="https://open.spotify.com/episode/48rQSSkNvlp4DByGoQujfx?si=u1Kb54YASyyOFJHvKh2ETw">Spotify</a></strong></p><div><hr></div><p><strong>SHOW 
NOTES</strong></p><p>The AppSec playbook is being rewritten in real time.</p><p>Coding agents are shipping pull requests faster than security teams can triage findings. Vulnerability backlogs that were already unmanageable are about to get worse. And the tooling market is exploding with new vendors while CISOs struggle to tell governance platforms apart from glorified scanners.</p><p>This week we sit down with Jack Cable to make sense of all of it. Jack was a Senior Technical Advisor at CISA, where he helped architect the Secure by Design initiative that pushed software vendors to take ownership of security outcomes rather than offloading risk to their customers. Now he&#8217;s the founder of Corridor, a company building at the center of a category he&#8217;s helping define: Agentic Security Coding Management.</p><p>We cover a lot of ground in this conversation:</p><p><strong>The origin story.</strong> What Jack saw inside the federal government that convinced him the next major security challenge was AI-generated code, and why he left to build a company around it.</p><p><strong>The shift-left reckoning.</strong> A decade of shifting security left hasn&#8217;t solved the vulnerability backlog. Jack makes the case that coding agents don&#8217;t just stress-test the shift-left model, they might break it entirely, and explains what has to replace it.</p><p><strong>AI as attacker and defender.</strong> There&#8217;s an uncomfortable duality in the current moment: AI is generating insecure code at unprecedented speed while also being pitched as the fix. Jack walks through how he thinks about that tension and where the line is between legitimate AI remediation and probabilistic guessing stacked on probabilistic guessing.</p><p><strong>The frontier labs in AppSec.</strong> Anthropic, OpenAI, and Google are all showing up in the application security conversation. 
Jack shares his read on whether they&#8217;re partners, platforms, or eventual competitors to startups in the space, and what it means for durable moats.</p><p><strong>Buyer confusion.</strong> The AI code security market is crowded and noisy. Jack talks about the most common misconception he hears from CISOs and the question they should be asking every vendor but aren&#8217;t.</p><p><strong>Governance at enterprise scale.</strong> When thousands of developers are running Cursor, Claude Code, and internal agents simultaneously, the governance problem stops looking like code review and starts looking like supply-chain control. Jack lays out what real governance looks like today, policy enforcement, provenance tracking, runtime attestation, and what&#8217;s still aspirational.</p><p><strong>The regulatory horizon.</strong> Drawing on his CISA background, Jack shares where he sees policy landing on AI-generated code: liability frameworks, mandatory disclosure, and the risk of getting regulation either too heavy or too absent.</p><p><strong>Links and resources:</strong></p><ul><li><p><strong><a href="https://www.corridor.dev">Corridor</a></strong></p></li><li><p><strong><a href="https://www.corridor.dev/blog/">Corridor Blog</a></strong></p></li><li><p>Latio Pulse <strong><a href="https://pulse.latio.tech/p/ai-code-security-enterprise-governance">AI Code Security &amp; Enterprise Governance Report</a></strong> </p></li><li><p><strong><a href="https://www.cisa.gov/securebydesign">CISA Secure by Design</a></strong> 
</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Resilient Cyber Newsletter #93]]></title><description><![CDATA[The Beginning of the End of Cyber, Global Cyber Market, SEC Cyber "Materiality", AISI Eval of Claude Mythos, AI Cyber's Jagged Frontier & Mother of All KEV's]]></description><link>https://www.resilientcyber.io/p/resilient-cyber-newsletter-93</link><guid isPermaLink="false">https://www.resilientcyber.io/p/resilient-cyber-newsletter-93</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Thu, 16 Apr 2026 15:13:44 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!3N29!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F147e1662-d21f-4bb7-b5b2-1fa761be747d_743x524.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to issue #93 of the Resilient Cyber Newsletter! </p><p>If last week felt like a turning point with Project Glasswing, this week confirmed it. The reverberations from Anthropic&#8217;s Mythos announcement rippled through Wall Street, the White House, the Pentagon, and every major open source ecosystem. </p><p>Federal Reserve Chairman Jerome Powell and Treasury Secretary Scott Bessent convened CEOs from JPMorgan, Goldman Sachs, Citigroup, Bank of America, Morgan Stanley, and Wells Fargo to discuss what Mythos means for financial infrastructure. 
More than 99% of the vulnerabilities Mythos has found remain unpatched.</p><p>Meanwhile, the UK AI Safety Institute published its independent evaluation of Mythos and confirmed a 73% success rate on expert-level capture-the-flag challenges that no prior model had solved. </p><p>OpenAI responded by launching its own Trusted Access for Cyber program with a cyber-permissive model for vetted defenders. Jen Easterly published a striking piece arguing that Mythos marks the beginning of the end of cybersecurity as we know it. </p><p>The Trump administration released its offensive cyber strategy, and Defense One reported the private sector is being drawn deeper into the offensive cyber debate than ever before. </p><p>AISLE published research showing that the moat in AI cybersecurity is the system, not the model, and that small open models can match frontier labs on basic security reasoning.</p><p>There is a lot of ground to cover, so let&#8217;s get going.</p><div><hr></div><h2>Cyber Leadership &amp; Market Dynamics</h2><h3><a href="https://www.linkedin.com/pulse/beginning-end-cybersecurity-jen-easterly-ch97c">Jen Easterly on the Beginning of the End of Cybersecurity</a></h3><p>Former CISA Director Jen Easterly published one of the most important essays of the year, arguing that Anthropic&#8217;s Mythos announcement marks a fundamental inflection point for the 
cybersecurity profession. </p><p>Easterly&#8217;s central thesis is that AI-driven vulnerability discovery at Mythos-level capability changes the economics of attack and defense so profoundly that the traditional model of cybersecurity, built on perimeter defense, human-speed patching, and reactive incident response, cannot survive in its current form. This is not a pessimistic take. </p><p>Easterly is arguing for a new foundation, one where security is built into software from the start and where AI-powered defense operates at the same speed as AI-powered offense. As someone who has tracked Easterly&#8217;s Secure-by-Design advocacy since her time at CISA, I see this as a natural extension of the work she championed there. </p><p>The difference now is that the urgency is measured in weeks, not years.</p><h3><a href="https://www.cnbc.com/2026/04/10/powell-bessent-us-bank-ceos-anthropic-mythos-ai-cyber.html">Powell and Bessent Convene Bank CEOs on Mythos Cyber Risk</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!CiOV!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9158916-617a-41b4-90d8-46d79902102b_996x321.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!CiOV!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9158916-617a-41b4-90d8-46d79902102b_996x321.png 424w, https://substackcdn.com/image/fetch/$s_!CiOV!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9158916-617a-41b4-90d8-46d79902102b_996x321.png 848w, 
https://substackcdn.com/image/fetch/$s_!CiOV!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9158916-617a-41b4-90d8-46d79902102b_996x321.png 1272w, https://substackcdn.com/image/fetch/$s_!CiOV!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9158916-617a-41b4-90d8-46d79902102b_996x321.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!CiOV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9158916-617a-41b4-90d8-46d79902102b_996x321.png" width="996" height="321" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f9158916-617a-41b4-90d8-46d79902102b_996x321.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:321,&quot;width&quot;:996,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:59525,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9158916-617a-41b4-90d8-46d79902102b_996x321.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!CiOV!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9158916-617a-41b4-90d8-46d79902102b_996x321.png 424w, https://substackcdn.com/image/fetch/$s_!CiOV!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9158916-617a-41b4-90d8-46d79902102b_996x321.png 848w, 
https://substackcdn.com/image/fetch/$s_!CiOV!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9158916-617a-41b4-90d8-46d79902102b_996x321.png 1272w, https://substackcdn.com/image/fetch/$s_!CiOV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff9158916-617a-41b4-90d8-46d79902102b_996x321.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>This story deserves attention because it signals that AI-driven vulnerability discovery has reached the level of systemic financial 
risk. Federal Reserve Chairman Jerome Powell and Treasury Secretary Scott Bessent met with the CEOs of JPMorgan, Goldman Sachs, Citigroup, Bank of America, Morgan Stanley, and Wells Fargo to discuss the implications of Claude Mythos Preview for financial infrastructure. </p><p>The meeting came just days after Anthropic launched Project Glasswing with $100 million in usage credits and partnerships with Amazon, Apple, Cisco, CrowdStrike, Google, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. </p><p>The fact that the most powerful financial regulators in the country are sitting down with the largest banks specifically because of an AI model&#8217;s offensive capabilities is unprecedented. More than 99% of the vulnerabilities Mythos has discovered remain unpatched, and the oldest was a 27-year-old OpenBSD bug. This is no longer just a cybersecurity conversation. It is a national security conversation.</p><h3><a href="https://www.cnbc.com/2026/04/08/jpmorgan-says-anthropic-cybersecurity-model-to-boost-these-two-stocks-.html">JPMorgan Says Anthropic&#8217;s Cybersecurity Model to Boost CrowdStrike and Palo Alto Networks</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!nOdS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4209a2-39e6-4ead-9f90-26620066c360_942x187.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!nOdS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4209a2-39e6-4ead-9f90-26620066c360_942x187.png 424w, 
https://substackcdn.com/image/fetch/$s_!nOdS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4209a2-39e6-4ead-9f90-26620066c360_942x187.png 848w, https://substackcdn.com/image/fetch/$s_!nOdS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4209a2-39e6-4ead-9f90-26620066c360_942x187.png 1272w, https://substackcdn.com/image/fetch/$s_!nOdS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4209a2-39e6-4ead-9f90-26620066c360_942x187.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!nOdS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4209a2-39e6-4ead-9f90-26620066c360_942x187.png" width="942" height="187" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3c4209a2-39e6-4ead-9f90-26620066c360_942x187.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:187,&quot;width&quot;:942,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:38173,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4209a2-39e6-4ead-9f90-26620066c360_942x187.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!nOdS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4209a2-39e6-4ead-9f90-26620066c360_942x187.png 424w, 
https://substackcdn.com/image/fetch/$s_!nOdS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4209a2-39e6-4ead-9f90-26620066c360_942x187.png 848w, https://substackcdn.com/image/fetch/$s_!nOdS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4209a2-39e6-4ead-9f90-26620066c360_942x187.png 1272w, https://substackcdn.com/image/fetch/$s_!nOdS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3c4209a2-39e6-4ead-9f90-26620066c360_942x187.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>JPMorgan moved quickly after the Glasswing announcement, identifying CrowdStrike and Palo Alto Networks as the primary beneficiaries of the defensive coalition. Both are founding partners in Project Glasswing, and JPMorgan&#8217;s analysts see them as essential layers in what they call the &#8220;defensive stack&#8221; that organizations will need as AI-discovered vulnerability volumes grow. </p><p>CrowdStrike received a $475 twelve-month price target and Palo Alto Networks received $200. I am less interested in the stock picks than the structural argument. If AI is going to find vulnerabilities at machine speed, the companies that can operationalize detection, triage, and response at that speed will capture enormous value. This validates the platformization thesis I have been tracking since Nikesh Arora&#8217;s Sequoia conversation in issue #92.</p><h3><a href="https://www.wsj.com/pro/cybersecurity/ai-is-forcing-a-rethink-in-cybersecurity-bc4ff52f">WSJ on AI Forcing a Rethink in Cybersecurity</a></h3><p>The Wall Street Journal published a comprehensive analysis of how AI is reshaping trust models, governance, and workforce requirements across the cybersecurity industry. 
The central argument is that 2026 is defined by a collapse of trust as adversaries exploit human behavior and digital identity at scale using generative AI. Perimeter-based thinking is breaking down. Identity is becoming the central organizing principle for security strategy. </p><p>This aligns directly with the agentic identity work I highlighted in issue #92, where Dick Hardt&#8217;s AAuth spec and Karl McGuinness&#8217;s authority-first framing represent the infrastructure response to exactly this challenge. The WSJ piece also notes that buyer expertise has never mattered more, which tracks with Anton Chuvakin&#8217;s RSA 2026 observation from last week about vendors spray-painting AI onto 2021 marketing materials.</p><h3><a href="https://www.linkedin.com/posts/helloamychang_the-end-of-the-gray-zone-activity-7447676438562029569-JXLV">Amy Chang on the End of the Gray Zone</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ASxY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab411b46-6f15-49be-960e-aaa8d58e8fc7_630x78.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ASxY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab411b46-6f15-49be-960e-aaa8d58e8fc7_630x78.png 424w, https://substackcdn.com/image/fetch/$s_!ASxY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab411b46-6f15-49be-960e-aaa8d58e8fc7_630x78.png 848w, https://substackcdn.com/image/fetch/$s_!ASxY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab411b46-6f15-49be-960e-aaa8d58e8fc7_630x78.png 1272w, 
https://substackcdn.com/image/fetch/$s_!ASxY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab411b46-6f15-49be-960e-aaa8d58e8fc7_630x78.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ASxY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab411b46-6f15-49be-960e-aaa8d58e8fc7_630x78.png" width="630" height="78" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ab411b46-6f15-49be-960e-aaa8d58e8fc7_630x78.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:78,&quot;width&quot;:630,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:13970,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab411b46-6f15-49be-960e-aaa8d58e8fc7_630x78.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ASxY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab411b46-6f15-49be-960e-aaa8d58e8fc7_630x78.png 424w, https://substackcdn.com/image/fetch/$s_!ASxY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab411b46-6f15-49be-960e-aaa8d58e8fc7_630x78.png 848w, https://substackcdn.com/image/fetch/$s_!ASxY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab411b46-6f15-49be-960e-aaa8d58e8fc7_630x78.png 1272w, 
https://substackcdn.com/image/fetch/$s_!ASxY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab411b46-6f15-49be-960e-aaa8d58e8fc7_630x78.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Amy Chang, former JPMorgan Chase Executive Director of Global Cybersecurity and author of <em>Warring State</em>, published a piece on the collapse of the gray zone between peacetime cyber operations and outright conflict. </p><p>Her argument connects directly to the offensive cyber policy debate playing out in Washington. As Mythos-class capabilities proliferate, the ambiguity that nation-states have exploited for decades, conducting espionage and disruption while maintaining plausible deniability, is eroding. </p><p>When AI can autonomously discover and exploit vulnerabilities across critical infrastructure, the distinction between intelligence collection and preparation for attack becomes dangerously thin.</p><h3><a href="https://www.defenseone.com/business/2026/04/us-push-counter-hackers-draws-industry-deeper-offensive-cyber-debate/412791/">US Push to Counter Hackers Draws Industry Into Offensive Cyber Debate</a></h3><p>Defense One published a deep investigation into how the Trump administration&#8217;s cyber strategy is drawing private sector companies deeper into offensive operations. Nearly a dozen industry stakeholders expressed uncertainty about where companies should draw the line between defensive and offensive work. </p><p>The strategy&#8217;s first pillar explicitly focuses on creating obstacles for foreign state cyber operatives and criminal hackers, and the language around &#8220;disruption&#8221; and &#8220;cyber effects&#8221; remains ambiguous. 
<a href="https://www.govconwire.com/articles/offensive-cybersecurity-trump-cyber-strategy-vulncheck">GovConWire&#8217;s reporting</a> adds that VulnCheck&#8217;s Jay Wallace noted the US is &#8220;thinking more offensively than we ever have in the nation&#8217;s history.&#8221; </p><p>This is a significant policy shift with real implications for the cybersecurity industry, and I expect it to generate considerable debate about liability, oversight, and proportionality over the coming months.</p><h3><a href="https://www.linkedin.com/posts/jaymcbain_the-global-cybersecurity-market-will-hit-activity-7448484238804471808-50nb">Jay McBain on the Global Cybersecurity Market</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!R4ee!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9460e311-3d9e-4f81-bb2a-789c189c40d5_546x611.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!R4ee!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9460e311-3d9e-4f81-bb2a-789c189c40d5_546x611.png 424w, https://substackcdn.com/image/fetch/$s_!R4ee!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9460e311-3d9e-4f81-bb2a-789c189c40d5_546x611.png 848w, https://substackcdn.com/image/fetch/$s_!R4ee!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9460e311-3d9e-4f81-bb2a-789c189c40d5_546x611.png 1272w, 
https://substackcdn.com/image/fetch/$s_!R4ee!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9460e311-3d9e-4f81-bb2a-789c189c40d5_546x611.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!R4ee!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9460e311-3d9e-4f81-bb2a-789c189c40d5_546x611.png" width="546" height="611" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9460e311-3d9e-4f81-bb2a-789c189c40d5_546x611.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:611,&quot;width&quot;:546,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:531795,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9460e311-3d9e-4f81-bb2a-789c189c40d5_546x611.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!R4ee!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9460e311-3d9e-4f81-bb2a-789c189c40d5_546x611.png 424w, https://substackcdn.com/image/fetch/$s_!R4ee!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9460e311-3d9e-4f81-bb2a-789c189c40d5_546x611.png 848w, https://substackcdn.com/image/fetch/$s_!R4ee!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9460e311-3d9e-4f81-bb2a-789c189c40d5_546x611.png 
1272w, https://substackcdn.com/image/fetch/$s_!R4ee!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9460e311-3d9e-4f81-bb2a-789c189c40d5_546x611.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Jay McBain shared updated data showing the global cybersecurity market at $311 billion in projected spend for 2026, growing at 12.1% year-over-year. These numbers confirm the structural growth thesis, but the real story is where the growth is concentrating. 
</p><p>As I have been tracking since SVB&#8217;s H1 2026 State of the Markets report in issue #92, capital is flowing disproportionately to AI-native platforms while traditional point solutions fight for scraps. The $311 billion top line is healthy, but the distribution underneath is increasingly bifurcated.</p><h3><a href="https://www.linkedin.com/posts/rubendominguezibar_the-saas-meltdown-is-real-amplitude-activity-7448279860570955776-2Xjq">The SaaS Meltdown Is Real</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!SZ73!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348a3b73-f798-462a-a0e3-d31388433a7d_649x611.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!SZ73!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348a3b73-f798-462a-a0e3-d31388433a7d_649x611.png 424w, https://substackcdn.com/image/fetch/$s_!SZ73!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348a3b73-f798-462a-a0e3-d31388433a7d_649x611.png 848w, https://substackcdn.com/image/fetch/$s_!SZ73!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348a3b73-f798-462a-a0e3-d31388433a7d_649x611.png 1272w, https://substackcdn.com/image/fetch/$s_!SZ73!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348a3b73-f798-462a-a0e3-d31388433a7d_649x611.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!SZ73!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348a3b73-f798-462a-a0e3-d31388433a7d_649x611.png" width="649" height="611" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/348a3b73-f798-462a-a0e3-d31388433a7d_649x611.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:611,&quot;width&quot;:649,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:593596,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348a3b73-f798-462a-a0e3-d31388433a7d_649x611.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!SZ73!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348a3b73-f798-462a-a0e3-d31388433a7d_649x611.png 424w, https://substackcdn.com/image/fetch/$s_!SZ73!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348a3b73-f798-462a-a0e3-d31388433a7d_649x611.png 848w, https://substackcdn.com/image/fetch/$s_!SZ73!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348a3b73-f798-462a-a0e3-d31388433a7d_649x611.png 1272w, https://substackcdn.com/image/fetch/$s_!SZ73!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348a3b73-f798-462a-a0e3-d31388433a7d_649x611.png 1456w" sizes="100vw" 
loading="lazy"></picture></div></a></figure></div><p>Ruben Dominguez Ibar published a blunt assessment of the SaaS market decline, arguing that the SaaS era is ending because software is a business tool, not a business model. Recurring revenue models are fading as customer acquisition costs rise, flexibility expectations shift, and SaaS fatigue drives enterprises to consolidate vendor counts. </p><p>This connects directly to the SaaSpocalypse narrative I have been tracking since issue #85. For cybersecurity, the implication is clear. 
Vendors selling seats and subscriptions for static functionality will lose to platforms that deliver continuous, AI-powered outcomes. The market is punishing SaaS inertia.</p><h3><a href="https://www.linkedin.com/posts/nikolozk_cisco-is-in-talks-to-buy-astrix-security-share-7448995130419810304">Cisco in Talks to Acquire Astrix Security</a></h3><p>Cisco is in advanced discussions to acquire Israeli startup Astrix Security for $250 to $350 million. Astrix was founded in 2021 by Unit 8200 veterans Alon Jackson and Idan Gour and provides visibility into non-human identities, including AI agents, automated processes, and autonomous tools. Enterprise customers include Workday, NetApp, Priceline, and Figma. Astrix raised a $45 million Series B in December 2024 led by Menlo Ventures and Anthropic&#8217;s Anthology Fund, bringing total funding to $85 million. </p><p>This acquisition validates the thesis I have been writing about extensively. Non-human identities are among the fastest-growing attack surfaces in enterprise security, and the major platform vendors are buying their way into the category. I covered Cisco&#8217;s MEMORY.md compromise research in issue #92, so it is clear they are investing across the NHI and agent security space.</p><h3><a href="https://www.linkedin.com/posts/reidchristian_its-hard-to-explain-whats-happening-on-activity-7448794569753923584-ySqU">Reid Christian on Watching the Watchers</a></h3><p>Reid Christian at CRV published observations on what is happening in cybersecurity venture right now. His key insight is that organizations need ancillary monitoring alongside their primary security vendors, people watching the watchers. </p><p>He traces this back to the CrowdStrike outage, which was not a cybersecurity failure but a vendor deployment failure where untested software was pushed to production. CRV is backing Fleet as one response to this problem. </p><p>The broader point resonates with me. 
In a world where security agents and AI tools are making autonomous decisions, independent verification and monitoring layers become essential infrastructure.</p><h3><a href="https://blog.joinodin.com/p/heavy-is-the-head-that-wears-the">Heavy Is the Head That Wears the Crown</a></h3><p>Dan Gray at Odin published an analysis of how venture dynamics distort startup outcomes. His central argument is that hot-market effects cause investors to overfund high-performing companies, inflating valuations in ways that make startups brittle through over-investment and over-hiring. </p><p>For early-stage cybersecurity founders, the takeaway is that raising minimally at early stages preserves optionality. This connects to the SVB data from issue #92 showing deal count falling 15% while dollars invested jumped 53%, with the top 1% capturing a third of all capital. The market rewards conviction at the top and punishes everyone else.</p><h3><a href="https://www.linkedin.com/posts/james-green-201a4274_crvciso2026-ugcPost-7449485421052366848-xjiY">CRV CISO 2026 Focus Areas</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!WomM!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2e05c927-f660-44b3-9dea-ef6bbf4a0458_1826x936.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!WomM!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2e05c927-f660-44b3-9dea-ef6bbf4a0458_1826x936.png 424w, https://substackcdn.com/image/fetch/$s_!WomM!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2e05c927-f660-44b3-9dea-ef6bbf4a0458_1826x936.png 848w, 
https://substackcdn.com/image/fetch/$s_!WomM!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2e05c927-f660-44b3-9dea-ef6bbf4a0458_1826x936.png 1272w, https://substackcdn.com/image/fetch/$s_!WomM!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2e05c927-f660-44b3-9dea-ef6bbf4a0458_1826x936.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!WomM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2e05c927-f660-44b3-9dea-ef6bbf4a0458_1826x936.png" width="1456" height="746" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2e05c927-f660-44b3-9dea-ef6bbf4a0458_1826x936.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:746,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:204804,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2e05c927-f660-44b3-9dea-ef6bbf4a0458_1826x936.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!WomM!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2e05c927-f660-44b3-9dea-ef6bbf4a0458_1826x936.png 424w, 
https://substackcdn.com/image/fetch/$s_!WomM!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2e05c927-f660-44b3-9dea-ef6bbf4a0458_1826x936.png 848w, https://substackcdn.com/image/fetch/$s_!WomM!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2e05c927-f660-44b3-9dea-ef6bbf4a0458_1826x936.png 1272w, https://substackcdn.com/image/fetch/$s_!WomM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2e05c927-f660-44b3-9dea-ef6bbf4a0458_1826x936.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>James Green at CRV published the firm&#8217;s 2026 CISO investment thesis, and three areas stand out. First, Golden Artifacts, which is cryptographic proof of secure software. Second, MCP and agentic security. </p><p>Third, AI governance for CISOs with direct accountability to boards. All three track with themes I have been covering across recent issues, from the supply chain integrity work in my Vulnpocalypse deep dive to the agentic identity standards work by Dick Hardt and Karl McGuinness. </p><p>The venture signal here is clear. These are the categories where institutional investors expect the next wave of enterprise security spending.</p><h3><a href="https://www.linkedin.com/posts/calebsima_conference-intel-security-conference-coverage-activity-7448156537551773196-guCb">Caleb Sima on Conference Intel and Security Conference Coverage</a></h3><p>Caleb Sima shared his conference intel from the spring 2026 security conference circuit. Caleb is one of the most experienced operators in AI security, having co-founded and led multiple security companies before chairing the Cloud Security Alliance AI Security Alliance. </p><p>His observations consistently cut through vendor noise to identify the themes that actually matter for practitioners. 
For anyone trying to filter signal from the RSA and post-RSA chatter, Caleb&#8217;s perspective is worth following closely.</p><h3><a href="https://www.linkedin.com/posts/andrewhoog_cybersecurity-sec-materiality-activity-7449252527927218176-5u5q">Andrew Hoog on SEC Cybersecurity Materiality</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qM8b!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F416c645b-eccd-4e01-bb67-4d19cded9475_901x461.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!qM8b!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F416c645b-eccd-4e01-bb67-4d19cded9475_901x461.png 424w, https://substackcdn.com/image/fetch/$s_!qM8b!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F416c645b-eccd-4e01-bb67-4d19cded9475_901x461.png 848w, https://substackcdn.com/image/fetch/$s_!qM8b!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F416c645b-eccd-4e01-bb67-4d19cded9475_901x461.png 1272w, https://substackcdn.com/image/fetch/$s_!qM8b!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F416c645b-eccd-4e01-bb67-4d19cded9475_901x461.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!qM8b!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F416c645b-eccd-4e01-bb67-4d19cded9475_901x461.png" width="901" height="461" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/416c645b-eccd-4e01-bb67-4d19cded9475_901x461.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:461,&quot;width&quot;:901,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:100181,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F416c645b-eccd-4e01-bb67-4d19cded9475_901x461.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!qM8b!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F416c645b-eccd-4e01-bb67-4d19cded9475_901x461.png 424w, https://substackcdn.com/image/fetch/$s_!qM8b!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F416c645b-eccd-4e01-bb67-4d19cded9475_901x461.png 848w, https://substackcdn.com/image/fetch/$s_!qM8b!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F416c645b-eccd-4e01-bb67-4d19cded9475_901x461.png 1272w, https://substackcdn.com/image/fetch/$s_!qM8b!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F416c645b-eccd-4e01-bb67-4d19cded9475_901x461.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>Andrew Hoog at NowSecure raised an important gap in how organizations approach SEC cybersecurity disclosure. His core observation is that companies are overlooking the reputational and legal impacts of mobile application security in their materiality assessments. </p><p>The SEC is not looking for whether you had your website scanned. They are focused on incidents that materially affect the business. Hoog&#8217;s question for security leaders is whether they are connecting mobile risks all the way through to revenue and retention in their business strategy. 
Risk is the language of business, and translating technical cybersecurity concerns into that language is where most programs fall short.</p><h3><a href="https://www.linkedin.com/pulse/playbook-pedestal-burn-jochen-schmiedbauer-0cwhf">Jochen Schmiedbauer on Playbook Pedestal Burn</a></h3><p>Jochen Schmiedbauer published a piece challenging the industry&#8217;s over-reliance on established playbooks and frameworks. The argument connects to a theme I keep returning to. Static playbooks built for yesterday&#8217;s threat landscape cannot keep pace with AI-accelerated attacks. </p><p>Organizations that put frameworks on a pedestal without adapting them to current operational reality end up with compliance artifacts rather than security outcomes. As Casey Ellis argues in his piece below, defense scales with committees while offense scales with compute. Playbooks are only useful if they evolve at the speed the environment demands.</p><div><hr></div><h1>AI</h1><h3><a href="https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities">AISI Evaluation of Claude Mythos Preview&#8217;s Cyber Capabilities</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!PeHT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F440085f0-61d2-4b86-8e68-5a13bf88c9bc_1053x580.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!PeHT!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F440085f0-61d2-4b86-8e68-5a13bf88c9bc_1053x580.png 424w, 
https://substackcdn.com/image/fetch/$s_!PeHT!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F440085f0-61d2-4b86-8e68-5a13bf88c9bc_1053x580.png 848w, https://substackcdn.com/image/fetch/$s_!PeHT!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F440085f0-61d2-4b86-8e68-5a13bf88c9bc_1053x580.png 1272w, https://substackcdn.com/image/fetch/$s_!PeHT!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F440085f0-61d2-4b86-8e68-5a13bf88c9bc_1053x580.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!PeHT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F440085f0-61d2-4b86-8e68-5a13bf88c9bc_1053x580.png" width="1053" height="580" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/440085f0-61d2-4b86-8e68-5a13bf88c9bc_1053x580.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:580,&quot;width&quot;:1053,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:161600,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F440085f0-61d2-4b86-8e68-5a13bf88c9bc_1053x580.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!PeHT!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F440085f0-61d2-4b86-8e68-5a13bf88c9bc_1053x580.png 424w, https://substackcdn.com/image/fetch/$s_!PeHT!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F440085f0-61d2-4b86-8e68-5a13bf88c9bc_1053x580.png 848w, https://substackcdn.com/image/fetch/$s_!PeHT!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F440085f0-61d2-4b86-8e68-5a13bf88c9bc_1053x580.png 1272w, https://substackcdn.com/image/fetch/$s_!PeHT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F440085f0-61d2-4b86-8e68-5a13bf88c9bc_1053x580.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>The UK AI Safety Institute published its independent evaluation of Claude Mythos Preview, and the results confirm the capability leap. On expert-level capture-the-flag challenges that no prior model had solved, Mythos achieved a 73% success rate. AISI also built a 32-step corporate network attack simulation called &#8220;The Last Ones&#8221; and Mythos completed the full chain in 3 of 10 attempts, averaging 22 of 32 attack steps per run. </p><p>The important caveats are that these evaluations lack active defenders, defensive tooling, and penalties for triggering security alerts. We cannot definitively say whether Mythos would succeed against well-defended systems. But AISI&#8217;s conclusion is clear. 
More models with similar capabilities will be developed, and the window for building defensive infrastructure is narrowing.</p><h3><a href="https://www.aisi.gov.uk/blog/evidence-for-inference-scaling-in-ai-cyber-tasks-increased-evaluation-budgets-reveal-higher-success-rates">AISI on Inference Scaling in AI Cyber Tasks</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!r1YT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b0fbcda-6974-417d-b8cd-e53343ef1eb6_855x653.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!r1YT!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b0fbcda-6974-417d-b8cd-e53343ef1eb6_855x653.png 424w, https://substackcdn.com/image/fetch/$s_!r1YT!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b0fbcda-6974-417d-b8cd-e53343ef1eb6_855x653.png 848w, https://substackcdn.com/image/fetch/$s_!r1YT!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b0fbcda-6974-417d-b8cd-e53343ef1eb6_855x653.png 1272w, https://substackcdn.com/image/fetch/$s_!r1YT!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b0fbcda-6974-417d-b8cd-e53343ef1eb6_855x653.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!r1YT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b0fbcda-6974-417d-b8cd-e53343ef1eb6_855x653.png" width="855" height="653" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8b0fbcda-6974-417d-b8cd-e53343ef1eb6_855x653.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:653,&quot;width&quot;:855,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:94500,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b0fbcda-6974-417d-b8cd-e53343ef1eb6_855x653.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!r1YT!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b0fbcda-6974-417d-b8cd-e53343ef1eb6_855x653.png 424w, https://substackcdn.com/image/fetch/$s_!r1YT!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b0fbcda-6974-417d-b8cd-e53343ef1eb6_855x653.png 848w, https://substackcdn.com/image/fetch/$s_!r1YT!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b0fbcda-6974-417d-b8cd-e53343ef1eb6_855x653.png 1272w, https://substackcdn.com/image/fetch/$s_!r1YT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b0fbcda-6974-417d-b8cd-e53343ef1eb6_855x653.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>This companion piece from AISI is equally important. Their research demonstrates that accurately estimating AI cyber capabilities requires significantly larger inference budgets than commonly assumed. Success rates scale roughly with the logarithm of total tokens used per attempt, meaning every time you double the token budget you get approximately the same absolute increase in success rate. </p><p>Approximately 8% of AISI&#8217;s tasks were only solved by increasing the budget from 10 million to 50 million tokens. At the 50 million token limit, average cost per run was around $10 with maximum costs below $60. The implication is that previous evaluations conducted at lower budgets were too conservative. 
The models are more capable than we thought, and the gap will widen as inference costs continue to drop.</p><h3><a href="https://www.nbcnews.com/tech/security/anthropic-claude-mythos-ai-hackers-cybersecurity-vulnerabilities-rcna273673">NBC News on the Vulnpocalypse and Mythos</a></h3><p>NBC News published a feature on what they are calling the &#8220;Vulnpocalypse,&#8221; a term I used for my own deep dive in issue #92. Logan Graham, who leads offensive cyber research at Anthropic, expects competitors, including those in China, to release similar models in the coming months. </p><p>The limited release strategy for Mythos makes sense given the offensive potential, but the clock is ticking. Once multiple labs have this capability, the controlled-access model becomes much harder to maintain. The race between discovery and remediation that I wrote about in Vulnpocalypse is now playing out in public, and the stakes could not be higher.</p><h3><a href="https://www.wsj.com/tech/ai/ai-is-finding-bugs-that-hackers-can-exploit-get-ready-for-bugmageddon-baaff236">WSJ on Bugmageddon</a></h3><p>The Wall Street Journal used the term &#8220;Bugmageddon&#8221; to describe the flood of AI-discovered vulnerabilities that is about to overwhelm the software ecosystem. Anthropic found thousands of bugs in the first month alone, and the concern is that smaller developers and under-resourced open source projects will be hit hardest. </p><p>OpenAI has responded by launching its own security-centric model for vetted defenders, and the White House summoned representatives from JPMorgan, Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley to discuss system-level vulnerabilities surfaced by frontier AI. </p><p>The volume problem is real. As I argued in Vulnpocalypse, vulnerability backlogs already number in the hundreds of thousands for large enterprises, and remediation rates sit at roughly 10% per month. 
Now add AI-speed discovery to that equation.</p><h3><a href="https://openai.com/index/scaling-trusted-access-for-cyber-defense/">OpenAI Launches Trusted Access for Cyber Defense</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!_7-A!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e39e14c-2cdf-4e32-a311-83a185c21392_791x204.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!_7-A!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e39e14c-2cdf-4e32-a311-83a185c21392_791x204.png 424w, https://substackcdn.com/image/fetch/$s_!_7-A!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e39e14c-2cdf-4e32-a311-83a185c21392_791x204.png 848w, https://substackcdn.com/image/fetch/$s_!_7-A!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e39e14c-2cdf-4e32-a311-83a185c21392_791x204.png 1272w, https://substackcdn.com/image/fetch/$s_!_7-A!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e39e14c-2cdf-4e32-a311-83a185c21392_791x204.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!_7-A!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e39e14c-2cdf-4e32-a311-83a185c21392_791x204.png" width="791" height="204" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1e39e14c-2cdf-4e32-a311-83a185c21392_791x204.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:204,&quot;width&quot;:791,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:28839,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e39e14c-2cdf-4e32-a311-83a185c21392_791x204.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!_7-A!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e39e14c-2cdf-4e32-a311-83a185c21392_791x204.png 424w, https://substackcdn.com/image/fetch/$s_!_7-A!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e39e14c-2cdf-4e32-a311-83a185c21392_791x204.png 848w, https://substackcdn.com/image/fetch/$s_!_7-A!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e39e14c-2cdf-4e32-a311-83a185c21392_791x204.png 1272w, https://substackcdn.com/image/fetch/$s_!_7-A!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e39e14c-2cdf-4e32-a311-83a185c21392_791x204.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>OpenAI&#8217;s response to Mythos was swift. 
They launched the Trusted Access for Cyber (TAC) program with a new model called GPT-5.4-Cyber, which is &#8220;trained to be cyber-permissive&#8221; so that defenders can test systems without encountering refusals. TAC requires identity verification and professional use-case documentation to gain access. OpenAI&#8217;s stated philosophy is that they do not think it is practical or appropriate to centrally decide who gets to defend themselves. </p><p>This is a fundamentally different approach than Anthropic&#8217;s restricted-access model for Mythos. Both approaches have merit. Anthropic is controlling access to the most capable offensive model ever built. OpenAI is trying to democratize defensive capabilities. The tension between these two philosophies will define how AI-powered security tools are distributed for the foreseeable future.</p><h3><a href="https://claude.com/blog/preparing-your-security-program-for-ai-accelerated-offense">Anthropic on Preparing Your Security Program for AI-Accelerated Offense</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!UWAf!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2528d306-dc76-4a41-8308-aaa56d310967_621x460.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!UWAf!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2528d306-dc76-4a41-8308-aaa56d310967_621x460.png 424w, https://substackcdn.com/image/fetch/$s_!UWAf!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2528d306-dc76-4a41-8308-aaa56d310967_621x460.png 848w, 
https://substackcdn.com/image/fetch/$s_!UWAf!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2528d306-dc76-4a41-8308-aaa56d310967_621x460.png 1272w, https://substackcdn.com/image/fetch/$s_!UWAf!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2528d306-dc76-4a41-8308-aaa56d310967_621x460.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!UWAf!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2528d306-dc76-4a41-8308-aaa56d310967_621x460.png" width="441" height="326.6666666666667" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2528d306-dc76-4a41-8308-aaa56d310967_621x460.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:460,&quot;width&quot;:621,&quot;resizeWidth&quot;:441,&quot;bytes&quot;:45468,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2528d306-dc76-4a41-8308-aaa56d310967_621x460.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!UWAf!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2528d306-dc76-4a41-8308-aaa56d310967_621x460.png 424w, 
https://substackcdn.com/image/fetch/$s_!UWAf!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2528d306-dc76-4a41-8308-aaa56d310967_621x460.png 848w, https://substackcdn.com/image/fetch/$s_!UWAf!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2528d306-dc76-4a41-8308-aaa56d310967_621x460.png 1272w, https://substackcdn.com/image/fetch/$s_!UWAf!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2528d306-dc76-4a41-8308-aaa56d310967_621x460.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Anthropic published guidance for security teams on how to prepare for AI-accelerated offensive capabilities. This is the operational companion to the Project Glasswing announcement from issue #92. The core message is that organizations need to assume AI-driven vulnerability discovery and exploitation are already here and adapt their programs accordingly. </p><p>Attack surface management, automated patching, runtime detection, and AI-powered triage all need to scale to match the speed of AI-driven offense. This aligns with everything I have been writing about the remediation race.</p><h3><a href="https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier">AISLE on AI Cybersecurity After Mythos and the Jagged Frontier</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!lMfJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F683ca72e-565e-4297-870b-b2d7a099cd6b_890x343.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!lMfJ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F683ca72e-565e-4297-870b-b2d7a099cd6b_890x343.png 424w, https://substackcdn.com/image/fetch/$s_!lMfJ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F683ca72e-565e-4297-870b-b2d7a099cd6b_890x343.png 848w, https://substackcdn.com/image/fetch/$s_!lMfJ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F683ca72e-565e-4297-870b-b2d7a099cd6b_890x343.png 1272w,
https://substackcdn.com/image/fetch/$s_!lMfJ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F683ca72e-565e-4297-870b-b2d7a099cd6b_890x343.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!lMfJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F683ca72e-565e-4297-870b-b2d7a099cd6b_890x343.png" width="890" height="343" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/683ca72e-565e-4297-870b-b2d7a099cd6b_890x343.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:343,&quot;width&quot;:890,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:262568,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F683ca72e-565e-4297-870b-b2d7a099cd6b_890x343.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!lMfJ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F683ca72e-565e-4297-870b-b2d7a099cd6b_890x343.png 424w, https://substackcdn.com/image/fetch/$s_!lMfJ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F683ca72e-565e-4297-870b-b2d7a099cd6b_890x343.png 848w, https://substackcdn.com/image/fetch/$s_!lMfJ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F683ca72e-565e-4297-870b-b2d7a099cd6b_890x343.png 
1272w, https://substackcdn.com/image/fetch/$s_!lMfJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F683ca72e-565e-4297-870b-b2d7a099cd6b_890x343.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>AISLE published one of the most important technical analyses of the post-Mythos landscape. Their key finding is that the competitive moat in AI cybersecurity is the system, not the model. There is no stable best model across cybersecurity tasks. The capability frontier is jagged and does not scale smoothly with model size.
AISLE found that 8 of 8 models they tested detected Mythos&#8217;s flagship FreeBSD exploit, including a 3.6 billion parameter model costing $0.11 per million tokens. </p><p>A 5.1 billion parameter open model recovered a 27-year-old OpenBSD bug. Small open models outperformed most frontier models on basic security reasoning tasks. The value lies in targeting, iterative deepening, validation, triage, and maintainer trust. This is a critical insight for the industry. You do not need to be Anthropic to build effective AI-powered security. You need better systems.</p><h3><a href="https://aisle.com/blog/system-over-model-zero-day-discovery-at-the-jagged-frontier">AISLE on System Over Model and Zero-Day Discovery</a></h3><p>AISLE&#8217;s companion piece goes deeper into their Cyber Reasoning System architecture. On January 27, 2026, when OpenSSL announced 12 new zero-day vulnerabilities, AISLE&#8217;s system discovered every single one of them autonomously. In its first weeks of operation, the system uncovered over 100 new vulnerabilities in foundational software including the Linux kernel, OpenSSL, cURL, and Apache. </p><p>The system reduces the remediation loop from weeks or months to days or minutes by automatically generating and verifying fixes against a continuously updated AI twin of the enterprise&#8217;s software stack. This is exactly the kind of integrated discovery-to-remediation pipeline that I argued we need in Vulnpocalypse. Finding vulnerabilities is only useful if you can fix them at the same speed.</p><h3><a href="https://pluto.security/blog/inside-claude-cowork-how-anthropics-autonomous-agent-actually-works/">Inside Claude Cowork and How Anthropic&#8217;s Autonomous Agent Actually Works</a></h3><p>Pluto Security published a detailed teardown of Claude Cowork, Anthropic&#8217;s persistent autonomous agent that runs inside a sandboxed Linux virtual machine on Mac. 
The architecture combines a VM sandbox, direct Chrome browser control, file system access, and remote phone dispatch through iOS and Android apps routing through Anthropic&#8217;s servers to a local sessions bridge. </p><p>Computer Use gives the agent visual and operational capabilities on the host machine. This represents a new class of AI capability where systems can see screens, control browsers, read files, and operate desktops autonomously while the user is away. The security tension is fundamental. </p><p>Greater autonomy increases both utility and attack surface. Every capability Cowork has for productivity is also a capability an attacker could leverage through prompt injection, memory poisoning, or supply chain compromise of the tools the agent interacts with.</p><h3><a href="https://cje.io/2026/04/08/offense-scales-with-compute-defense-scales-with-committees/">Casey Ellis on Offense Scaling with Compute and Defense Scaling with Committees</a></h3><p>Casey Ellis published a piece that captures the asymmetry I have been writing about all year. Offense scales with compute. Defense scales with committees. The title alone should be a wake-up call for every security leader. Attackers can throw more GPUs and tokens at vulnerability discovery and exploitation, and their output scales linearly or better. Defenders, by contrast, need to coordinate across organizational boundaries, procurement cycles, compliance reviews, change management processes, and human approval chains. </p><p>The structural asymmetry is not new, but AI is amplifying it by orders of magnitude. Bug bounties, vulnerability disclosure programs, and researcher protections through frameworks like disclose.io remain critical mechanisms for closing the gap. But they are not enough on their own. 
We need the kind of coordinated defensive infrastructure that Project Glasswing represents.</p><h3><a href="https://www.linkedin.com/posts/netanelrubin_the-claim-that-anthropic-isnt-releasing-share-7449381621469802496-NU2u">Netanel Rubin on Anthropic&#8217;s Mythos Restriction</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Tk3k!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb7f4c-4ba6-4573-9785-c5fcb5c1bad3_909x547.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Tk3k!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb7f4c-4ba6-4573-9785-c5fcb5c1bad3_909x547.png 424w, https://substackcdn.com/image/fetch/$s_!Tk3k!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb7f4c-4ba6-4573-9785-c5fcb5c1bad3_909x547.png 848w, https://substackcdn.com/image/fetch/$s_!Tk3k!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb7f4c-4ba6-4573-9785-c5fcb5c1bad3_909x547.png 1272w, https://substackcdn.com/image/fetch/$s_!Tk3k!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb7f4c-4ba6-4573-9785-c5fcb5c1bad3_909x547.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Tk3k!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb7f4c-4ba6-4573-9785-c5fcb5c1bad3_909x547.png" width="647" height="389.33883388338836" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/94fb7f4c-4ba6-4573-9785-c5fcb5c1bad3_909x547.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:547,&quot;width&quot;:909,&quot;resizeWidth&quot;:647,&quot;bytes&quot;:396463,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb7f4c-4ba6-4573-9785-c5fcb5c1bad3_909x547.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Tk3k!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb7f4c-4ba6-4573-9785-c5fcb5c1bad3_909x547.png 424w, https://substackcdn.com/image/fetch/$s_!Tk3k!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb7f4c-4ba6-4573-9785-c5fcb5c1bad3_909x547.png 848w, https://substackcdn.com/image/fetch/$s_!Tk3k!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb7f4c-4ba6-4573-9785-c5fcb5c1bad3_909x547.png 1272w, https://substackcdn.com/image/fetch/$s_!Tk3k!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb7f4c-4ba6-4573-9785-c5fcb5c1bad3_909x547.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Netanel Rubin challenged the narrative that Anthropic is not releasing Mythos purely out of safety concerns. His argument raises legitimate questions about the commercial incentives behind controlled access. </p><p>When a company holds the most powerful offensive security tool ever built and distributes it exclusively to paying partners, the line between responsible stewardship and competitive moat-building gets blurry. I think Anthropic&#8217;s caution is warranted given the offensive potential, but Rubin&#8217;s skepticism is healthy.
The industry should demand transparency about access criteria, governance structures, and accountability mechanisms for Mythos and similar models.</p><h3><a href="https://www.defendersinitiative.com/p/from-this-point-on-it-only-gets-rougher">Defenders Initiative on Things Only Getting Rougher</a></h3><p>The <span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;The Defender's Initiative&quot;,&quot;id&quot;:3676751,&quot;type&quot;:&quot;pub&quot;,&quot;url&quot;:&quot;https://open.substack.com/pub/defendersinitiative&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/abef315d-26c2-461c-a09d-569e333de487_1280x1280.png&quot;,&quot;uuid&quot;:&quot;ee784a07-bb32-4c82-a61c-35625a7f9057&quot;}" data-component-name="MentionToDOM">Defender&#8217;s Initiative</span> published a sobering assessment that from this point on, the defender&#8217;s job only gets harder. The proliferation of AI-powered offensive tools, the velocity of vulnerability discovery, and the structural challenges of coordinating defense across fragmented organizations all point in the same direction. </p><p>I share the concern but also see real cause for optimism in the infrastructure being built right now. AAuth, AISLE, Project Glasswing, Oligo&#8217;s runtime blocking, and the broader ecosystem of AI-native security tools represent genuine defensive innovation. The question is whether that innovation can outpace the offense.</p><h3><a href="https://research.empiricalsecurity.com/research/the-knowing-machine">Empirical Security and the Knowing Machine</a></h3><p>Empirical Security, the team behind EPSS (Exploit Prediction Scoring System), published research on what they call &#8220;The Knowing Machine.&#8221; Empirical builds and maintains the world&#8217;s only public ML model trained on nearly 2 million daily exploitation events.
</p><p>Their dual model architecture combines global models trained on broad exploitation data with local models adapted to customer-specific infrastructure. With $12 million in seed funding and leadership from Ed Bellis, Michael Roytman, and Jay Jacobs, Empirical is trying to solve the prioritization problem that makes vulnerability management so painful. </p><p>As I wrote in Vulnpocalypse, the challenge is not finding vulnerabilities. It is knowing which ones matter. Empirical&#8217;s approach of combining global signal with local context is exactly the right architecture for that problem.</p><div><hr></div><h2>AppSec</h2><h3><a href="https://www.chainguard.dev/unchained/open-source-died-in-march-it-just-doesnt-know-it-yet">Chainguard on Open Source Dying in March</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!aAHz!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd36d2e4-4e8c-4d7e-a516-6b97cc5e38f4_852x176.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!aAHz!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd36d2e4-4e8c-4d7e-a516-6b97cc5e38f4_852x176.png 424w, https://substackcdn.com/image/fetch/$s_!aAHz!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd36d2e4-4e8c-4d7e-a516-6b97cc5e38f4_852x176.png 848w, https://substackcdn.com/image/fetch/$s_!aAHz!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd36d2e4-4e8c-4d7e-a516-6b97cc5e38f4_852x176.png 1272w, 
https://substackcdn.com/image/fetch/$s_!aAHz!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd36d2e4-4e8c-4d7e-a516-6b97cc5e38f4_852x176.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!aAHz!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd36d2e4-4e8c-4d7e-a516-6b97cc5e38f4_852x176.png" width="852" height="176" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/fd36d2e4-4e8c-4d7e-a516-6b97cc5e38f4_852x176.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:176,&quot;width&quot;:852,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:28449,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194328776?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd36d2e4-4e8c-4d7e-a516-6b97cc5e38f4_852x176.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!aAHz!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd36d2e4-4e8c-4d7e-a516-6b97cc5e38f4_852x176.png 424w, https://substackcdn.com/image/fetch/$s_!aAHz!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd36d2e4-4e8c-4d7e-a516-6b97cc5e38f4_852x176.png 848w, https://substackcdn.com/image/fetch/$s_!aAHz!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd36d2e4-4e8c-4d7e-a516-6b97cc5e38f4_852x176.png 1272w, 
https://substackcdn.com/image/fetch/$s_!aAHz!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffd36d2e4-4e8c-4d7e-a516-6b97cc5e38f4_852x176.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Chainguard published one of the most provocative pieces of the year, arguing that open source died in March 2026, it just does not know it yet. The argument is not that open source as licensed software is broken. The problem is how organizations consume and distribute it. PyPI and npm distribute unreviewed, unsigned software with assumed trust at every layer. </p><p>The supply chain attacks I have been tracking across issues #90 through #92, from axios to LiteLLM to Telnyx to Trivy, all exploited this same structural weakness. Chainguard&#8217;s point is that the consumption model is fundamentally broken and needs to be rebuilt from the ground up. I largely agree. As I wrote in <em>Software Transparency</em>, the trust assumptions baked into modern package ecosystems were designed for a different era. The current architecture cannot withstand industrialized supply chain attacks.</p><h3><a href="https://joshuasaxe181906.substack.com/p/exploits-dont-cause-cyberattacks">Joshua Saxe on Exploits Not Causing Cyberattacks</a></h3><p>Joshua Saxe published a counterpoint to the prevailing doomsday narrative around AI and exploits. His core argument is that technologies do not cause cyberattacks. Attackers use whatever tools achieve their goals most efficiently. Despite advances in AI capabilities, attacks have not surged as predicted because most attacker constituencies can currently achieve their desired outcomes using traditional means like phishing, credential stuffing, and exploitation of known CVEs. </p><p>I think Saxe&#8217;s perspective is a useful corrective to some of the more breathless predictions, but I also think it underestimates the second-order effects.
The value of AI is not just in creating new exploits. It is in accelerating the entire attack lifecycle from reconnaissance through exploitation through lateral movement, all at machine speed. The fact that attackers have not needed AI yet does not mean they will not need it when defenders start using it.</p><h3><a href="https://arxiv.org/abs/2604.05292">Broken by Default: Formal Verification of Security Vulnerabilities in AI-Generated Code</a></h3><p>This arxiv paper is one of the most rigorous studies of AI-generated code security I have seen. Researchers analyzed 3,500 code artifacts across 500 security-critical prompts spanning five CWE categories using the Z3 SMT solver to generate mathematical satisfiability witnesses rather than pattern-based heuristics. </p><p>The results are grim. 55.8% of artifacts contain at least one formally proven vulnerability. No model achieves better than a D grade. GPT-4o leads at 62.4% vulnerability rate, which earns an F. Gemini 2.5 Flash performs best at 48.4%, earning a D. 
Six of seven representative findings were confirmed with runtime crashes under GCC AddressSanitizer. </p><p>This is not speculation. This is formal proof that AI-generated code is insecure by default, which reinforces everything I have been writing about vibe coding risks since issue #73.</p><h3><a href="https://arxiv.org/abs/2604.03081v1">Supply-Chain Poisoning Attacks Against LLM Coding Agent Skill Ecosystems</a></h3><p>This companion arxiv paper examines how LLM-based coding agents extend capabilities through third-party &#8220;agent skills&#8221; from open marketplaces. Unlike traditional packages, agent skills are executed as operational directives with system-level access and lack mandatory security review before execution. The paper catalogs attack vectors where malicious skills can be injected into agent workflows through supply chain poisoning. </p><p>This connects directly to the a16z &#8220;Et Tu Agent&#8221; research from issue #92, where 20% of AI-recommended packages were fabrications and attackers were already slopsquatting hallucinated package names. The agent skill ecosystem is replicating every mistake the npm and PyPI ecosystems made, but with even higher privilege levels.</p><h3><a href="https://www.wiz.io/blog/github-actions-security-threat-model-and-defenses">Wiz on GitHub Actions Security Threat Model and Defenses</a></h3><p>Wiz published a comprehensive threat model for GitHub Actions that every team using CI/CD should read. The fundamental security challenge is controlling what code runs and with what permissions in response to repository events. Public repositories face the hardest version of this problem because the trust boundary separates repository owners and collaborators from fork PR authors and issue creators. </p><p>High-privilege triggers like <code>pull_request_target</code> and <code>workflow_run</code> are dangerous because they run workflows in the base repository context with access to secrets. 
Wiz recommends pinning action commit SHAs, setting default permissions to read-only, and restricting workflows to verified Actions from trusted sources. </p><p>This is the kind of practical supply chain hardening guidance that complements the broader ecosystem-level arguments from Chainguard and the $60 billion package registry analysis from issue #92.</p><h3><a href="https://www.oligo.security/blog/runtime-exploit-blocking">Oligo Security on Runtime Exploit Blocking</a></h3><p>Oligo Security unveiled a runtime exploit blocking capability that stops exploit attempts at the application layer in real time. The detection works by correlating application-layer function calls with system-level activity. Individual actions may appear normal, but specific sequences reveal active exploits. </p><p>Once identified, Oligo blocks the underlying system calls while allowing applications to continue running normally. The technique-based protection defends against entire classes of attack techniques rather than individual CVEs, meaning a single protection rule can cover categories of vulnerabilities including zero days. This is exactly the kind of defensive innovation the ecosystem needs. When AI can find vulnerabilities faster than humans can patch them, runtime protection becomes the essential bridging layer.</p><h3><a href="https://newsletter.pragmaticengineer.com/p/the-impact-of-ai-on-software-engineers-2026">Pragmatic Engineer on the Impact of AI on Software Engineers in 2026</a></h3><p><span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Gergely Orosz&quot;,&quot;id&quot;:30107029,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/58fed27c-f331-4ff3-ba47-135c5a0be0ba_400x400.png&quot;,&quot;uuid&quot;:&quot;122e7bb2-99b5-4114-a520-8a55973d051e&quot;}" data-component-name="MentionToDOM">Gergely Orosz</span> published a comprehensive survey on how AI is reshaping software engineering, and the data is striking. 95% of respondents use AI tools at least weekly. 75% of developers now use AI for at least half their engineering work. 55% use agents. </p><p>Claude Code grew from zero to the most-used tool in eight months. Staff-plus engineers are the heaviest agent users at 63.5% regular use, compared to 49.7% for regular engineers. </p><p>The career impact data is the most important signal. 
Employment for developers aged 22 to 25 has declined roughly 20% from the late 2022 peak, while employment for workers aged 35 to 49 in high AI-exposure roles has increased 9%. AI is amplifying experienced engineers and compressing the entry-level pipeline. For security, this means we need to rethink how we train the next generation when the scaffolding work that junior engineers traditionally learned on is being automated away.</p><h3><a href="https://moak.ai/">Moak AI and the Mother of All KEVs</a></h3><p>Moak AI launched what they call the &#8220;Mother of All KEVs,&#8221; an agentic cybersecurity workflow for analyzing and exploiting known exploited vulnerabilities. The platform uses a multi-agent architecture with collector, researcher, builder, exploiter, and judge agents to process hundreds of dangerous vulnerabilities in minutes. This sits alongside Raptor (from issue #92) and AISLE as another example of agentic security research tooling proliferating rapidly. 
</p><p>The common thread is that vulnerability research, exploitation, and validation are all being automated through multi-agent systems, and the tools are becoming accessible to anyone, not just nation-states and frontier AI labs.</p><h3><a href="https://www.linkedin.com/posts/nathansportsman_praetorian-guard-demo-activity-7448519570996301824-YUvd">Praetorian Guard Demo</a></h3><p>Nathan Sportsman demoed Praetorian Guard, an AI-driven security assessment platform that automates LLM security assessments at scale. Guard turns findings into remediation and improves after every cycle, focusing specifically on securing non-human identities including AI agents and automated processes. </p><p>Praetorian has deep expertise in offensive security, and seeing them apply that expertise to agentic and NHI security validates the investment thesis that these categories are moving from niche to mainstream enterprise requirements.</p><div><hr></div><h2>Final Thoughts</h2><p>This week confirmed something I have been building toward across several issues. AI-powered vulnerability discovery has crossed the threshold from interesting research project to systemic risk that demands coordination at the highest levels of government and finance. When the Federal Reserve Chairman and Treasury Secretary are convening bank CEOs specifically to discuss an AI model&#8217;s offensive capabilities, we are in genuinely new territory.</p><p>But the response is also unprecedented. Project Glasswing has mobilized over $100 million and the biggest names in technology. AISLE has demonstrated that you do not need a frontier model to build effective AI-powered defense, you need a better system. OpenAI launched cyber-permissive tooling for vetted defenders. Oligo is blocking exploits at runtime. 
The defensive ecosystem is responding with real engineering, not just marketing.</p><p>The piece that will stay with me this week is Casey Ellis&#8217;s observation that offense scales with compute while defense scales with committees. That asymmetry is the single biggest challenge we face. Solving it requires exactly the kind of coordinated infrastructure I see being built right now, from AAuth and agentic identity standards to AI-native vulnerability remediation pipelines. The building blocks are there. The question is whether we can assemble them fast enough.</p><blockquote><p><strong>Stay resilient.</strong></p></blockquote>]]></content:encoded></item><item><title><![CDATA[Your Cloud Workspace Is a Treasure Chest - Most Organizations Should Treat It Like One]]></title><description><![CDATA[There is a reason attackers love email.]]></description><link>https://www.resilientcyber.io/p/your-cloud-workspace-is-a-treasure</link><guid isPermaLink="false">https://www.resilientcyber.io/p/your-cloud-workspace-is-a-treasure</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Wed, 15 Apr 2026 12:03:26 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Dfi8!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27e8525d-03f6-4380-bdfb-7340d18684f8_2816x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>There is a reason attackers love email. 
It is the front door to every organization, the repository for the most sensitive communications a business produces, and the single richest target for credential theft, business email compromise, phishing, and data exfiltration. </p><p>The <strong><a href="https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf">FBI&#8217;s 2024 IC3 report</a></strong> tallied $16.6 billion in cybercrime losses, up 33% year over year, with business email compromise among the costliest categories.</p><p><strong><a href="https://www.ibm.com/reports/data-breach">IBM&#8217;s 2025 Cost of a Data Breach </a></strong>report continues to put the average breach in the multimillion-dollar range, and yet, despite all of this, the way most organizations approach email security has barely evolved in over a decade.</p><p>The dominant paradigm is still the Secure Email Gateway, or SEG. The SEG model is conceptually simple. Sit in front of the inbox, scan inbound messages for known threats, block what looks malicious, and let everything else through. 
It was built for a world where email lived on-premises and the primary threat was commodity spam and malware attachments. </p><p>That world no longer exists. Email now lives in cloud platforms like Google Workspace and Microsoft 365. The most costly attacks rely on social engineering, account takeover, and living-off-the-land techniques that look clean at the gateway and only turn malicious after a user engages. SEGs were not designed to catch those attacks, and they are showing their age.</p><p>The cloud-native <strong><a href="https://material.security/product/email?utm_source=third-party&amp;utm_medium=website&amp;utm_campaign=2026040415-resilientcyber">API-based email security vendors</a></strong> emerged to address some of these gaps, offering post-delivery detection that catches threats the gateway misses. That is a meaningful improvement, but it still operates within the same fundamental paradigm. </p><p>Scan for threats, detect bad things, and respond after the fact. What it does not address is the much larger problem hiding in plain sight. 
The data already sitting in your inbox and drive that represents the real blast radius when an account is compromised.</p><p>This is where Material Security takes a fundamentally different approach, and after getting a firsthand demo of their platform and spending time with their team, I wanted to break down what makes their model both comprehensive and distinct.</p><div><hr></div><h2><strong>The Data-at-Rest Problem Nobody Talks About</strong></h2><p>Here is the question that most email security products do not ask. What happens after the attacker gets in?</p><p>The average enterprise inbox contains years of accumulated email. Sensitive data that was shared in context at the time but now sits in perpetuity, fully accessible to anyone who gains access to the account. Think about what lives in your inbox right now. Contracts, financial data, customer records, credentials, board communications, legal discussions, M&amp;A details, PII, PHI, PCI data. All of it searchable, all of it accessible, all of it sitting at rest with no additional protection beyond the account credential that was already compromised. This fundamentally fails the longstanding principle of defense-in-depth.</p><p>Material Security was founded on the insight that this data-at-rest problem is the real email security challenge. Their original product innovation was not another inbound threat detection engine. It was a mechanism to protect the sensitive data already sitting in the inbox by adding an MFA step-up requirement before that data could be accessed. </p><p>The concept is straightforward but powerful. Classify emails containing sensitive data, redact that content, and require the user to authenticate through an out-of-band MFA challenge before the original content is revealed. Valid users pass the check with minimal friction. 
Attackers who have compromised the account hit a wall, rather than having broad access to everything within it.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wY4w!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55eefaeb-2e4c-40c3-a9b6-d5813b9e87f1_784x440.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!wY4w!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55eefaeb-2e4c-40c3-a9b6-d5813b9e87f1_784x440.png 424w, https://substackcdn.com/image/fetch/$s_!wY4w!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55eefaeb-2e4c-40c3-a9b6-d5813b9e87f1_784x440.png 848w, https://substackcdn.com/image/fetch/$s_!wY4w!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55eefaeb-2e4c-40c3-a9b6-d5813b9e87f1_784x440.png 1272w, https://substackcdn.com/image/fetch/$s_!wY4w!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55eefaeb-2e4c-40c3-a9b6-d5813b9e87f1_784x440.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!wY4w!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55eefaeb-2e4c-40c3-a9b6-d5813b9e87f1_784x440.png" width="784" height="440" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/55eefaeb-2e4c-40c3-a9b6-d5813b9e87f1_784x440.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:440,&quot;width&quot;:784,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:49155,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192991835?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55eefaeb-2e4c-40c3-a9b6-d5813b9e87f1_784x440.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!wY4w!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55eefaeb-2e4c-40c3-a9b6-d5813b9e87f1_784x440.png 424w, https://substackcdn.com/image/fetch/$s_!wY4w!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55eefaeb-2e4c-40c3-a9b6-d5813b9e87f1_784x440.png 848w, https://substackcdn.com/image/fetch/$s_!wY4w!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55eefaeb-2e4c-40c3-a9b6-d5813b9e87f1_784x440.png 1272w, https://substackcdn.com/image/fetch/$s_!wY4w!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55eefaeb-2e4c-40c3-a9b6-d5813b9e87f1_784x440.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Material&#8217;s approach fundamentally changes the economics of account compromise. 
In a traditional environment, a compromised account gives the attacker full access to everything in the inbox and Drive from day one.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!oum7!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a9d6211-e216-442e-8837-455a0d4dfa5e_728x410.gif" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!oum7!,w_424,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a9d6211-e216-442e-8837-455a0d4dfa5e_728x410.gif 424w, https://substackcdn.com/image/fetch/$s_!oum7!,w_848,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a9d6211-e216-442e-8837-455a0d4dfa5e_728x410.gif 848w, https://substackcdn.com/image/fetch/$s_!oum7!,w_1272,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a9d6211-e216-442e-8837-455a0d4dfa5e_728x410.gif 1272w, https://substackcdn.com/image/fetch/$s_!oum7!,w_1456,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a9d6211-e216-442e-8837-455a0d4dfa5e_728x410.gif 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!oum7!,w_1456,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a9d6211-e216-442e-8837-455a0d4dfa5e_728x410.gif" width="728" height="410" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6a9d6211-e216-442e-8837-455a0d4dfa5e_728x410.gif&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:410,&quot;width&quot;:728,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:5218413,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/gif&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192991835?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a9d6211-e216-442e-8837-455a0d4dfa5e_728x410.gif&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!oum7!,w_424,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a9d6211-e216-442e-8837-455a0d4dfa5e_728x410.gif 424w, https://substackcdn.com/image/fetch/$s_!oum7!,w_848,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a9d6211-e216-442e-8837-455a0d4dfa5e_728x410.gif 848w, https://substackcdn.com/image/fetch/$s_!oum7!,w_1272,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a9d6211-e216-442e-8837-455a0d4dfa5e_728x410.gif 1272w, https://substackcdn.com/image/fetch/$s_!oum7!,w_1456,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6a9d6211-e216-442e-8837-455a0d4dfa5e_728x410.gif 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p> With Material in place, the attacker can see that sensitive emails exist but cannot access the content without passing an authentication challenge they do not control. Every access attempt is logged and can trigger an alert, turning the inbox from a silent treasure chest into an active tripwire.</p><h2><strong>Beyond Phishing - A Comprehensive Workspace Platform</strong></h2><p>What impressed me most during the demo was how Material has evolved from that initial data protection innovation into a comprehensive cloud workspace security platform. 
Their approach now spans four interconnected pillars that cover the full lifecycle of workspace threats.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!AiZY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F652fcb6c-fd9c-4ecd-8ce6-58fb88bdd6a0_1600x900.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!AiZY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F652fcb6c-fd9c-4ecd-8ce6-58fb88bdd6a0_1600x900.jpeg 424w, https://substackcdn.com/image/fetch/$s_!AiZY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F652fcb6c-fd9c-4ecd-8ce6-58fb88bdd6a0_1600x900.jpeg 848w, https://substackcdn.com/image/fetch/$s_!AiZY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F652fcb6c-fd9c-4ecd-8ce6-58fb88bdd6a0_1600x900.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!AiZY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F652fcb6c-fd9c-4ecd-8ce6-58fb88bdd6a0_1600x900.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!AiZY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F652fcb6c-fd9c-4ecd-8ce6-58fb88bdd6a0_1600x900.jpeg" width="1456" height="819" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/652fcb6c-fd9c-4ecd-8ce6-58fb88bdd6a0_1600x900.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!AiZY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F652fcb6c-fd9c-4ecd-8ce6-58fb88bdd6a0_1600x900.jpeg 424w, https://substackcdn.com/image/fetch/$s_!AiZY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F652fcb6c-fd9c-4ecd-8ce6-58fb88bdd6a0_1600x900.jpeg 848w, https://substackcdn.com/image/fetch/$s_!AiZY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F652fcb6c-fd9c-4ecd-8ce6-58fb88bdd6a0_1600x900.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!AiZY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F652fcb6c-fd9c-4ecd-8ce6-58fb88bdd6a0_1600x900.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The first is inbound email protection. Material provides API-based, post-delivery detection that catches phishing, BEC, and social engineering attacks that bypass <strong><a href="https://material.security/material-vs-google-native-controls?utm_source=third-party&amp;utm_medium=website&amp;utm_campaign=2026040415-resilientcyber">native Google protections</a></strong>. This is the capability that most organizations evaluate first, and it is where Material often runs into competitors like Proofpoint and Abnormal. But as the Material team emphasized during my demo, the phishing detection is the entry point, not the whole story.</p><p>The second is the data protection layer I described above. The sensitive data classification, redaction, and MFA step-up that protects data at rest in both email and Google Drive. This is where Material&#8217;s differentiation becomes most apparent. 
No other vendor I&#8217;m familiar with approaches the data-at-rest problem with this level of specificity. </p><p>The system uses both pre-built and organization-defined DLP classifiers, with the majority of common sensitive data categories like PII, PHI, PCI, and credentials classified out of the box. During the demo, the team walked through how they recommend niche classifications during onboarding for organization-specific items like code names for M&amp;A activities, while deliberately limiting the complexity of customization options to prevent configurations that become unmanageable.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!sNz6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e52c1f6-943d-423c-add5-73a10275a274_559x570.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!sNz6!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e52c1f6-943d-423c-add5-73a10275a274_559x570.png 424w, https://substackcdn.com/image/fetch/$s_!sNz6!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e52c1f6-943d-423c-add5-73a10275a274_559x570.png 848w, https://substackcdn.com/image/fetch/$s_!sNz6!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e52c1f6-943d-423c-add5-73a10275a274_559x570.png 1272w, https://substackcdn.com/image/fetch/$s_!sNz6!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e52c1f6-943d-423c-add5-73a10275a274_559x570.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!sNz6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e52c1f6-943d-423c-add5-73a10275a274_559x570.png" width="559" height="570" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9e52c1f6-943d-423c-add5-73a10275a274_559x570.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:570,&quot;width&quot;:559,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:84351,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192991835?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e52c1f6-943d-423c-add5-73a10275a274_559x570.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!sNz6!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e52c1f6-943d-423c-add5-73a10275a274_559x570.png 424w, https://substackcdn.com/image/fetch/$s_!sNz6!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e52c1f6-943d-423c-add5-73a10275a274_559x570.png 848w, https://substackcdn.com/image/fetch/$s_!sNz6!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e52c1f6-943d-423c-add5-73a10275a274_559x570.png 1272w, https://substackcdn.com/image/fetch/$s_!sNz6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e52c1f6-943d-423c-add5-73a10275a274_559x570.png 1456w" sizes="100vw" 
loading="lazy"></picture></div></a></figure></div><p>The third pillar is file security for Google Drive. Material scans Drive for sensitive data, tracks sharing permissions, and alerts users about potential oversharing, such as externally sharing an entire customer roster or making a sensitive document publicly accessible. I specifically asked during the demo whether this capability is preventative or detective, and the answer is both.</p><p>The system can alert users about oversharing in real time, provide a grace period for the user to respond, and then automatically revoke or downgrade access permissions if the user does not take action. 
This automated remediation loop addresses one of the biggest operational challenges in data security, which is that detection without response just creates more alert fatigue.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!iWgD!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b9a0219-9191-434e-bc23-6cb5a7a385b5_790x707.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!iWgD!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b9a0219-9191-434e-bc23-6cb5a7a385b5_790x707.png 424w, https://substackcdn.com/image/fetch/$s_!iWgD!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b9a0219-9191-434e-bc23-6cb5a7a385b5_790x707.png 848w, https://substackcdn.com/image/fetch/$s_!iWgD!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b9a0219-9191-434e-bc23-6cb5a7a385b5_790x707.png 1272w, https://substackcdn.com/image/fetch/$s_!iWgD!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b9a0219-9191-434e-bc23-6cb5a7a385b5_790x707.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!iWgD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b9a0219-9191-434e-bc23-6cb5a7a385b5_790x707.png" width="790" height="707" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0b9a0219-9191-434e-bc23-6cb5a7a385b5_790x707.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:707,&quot;width&quot;:790,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:152319,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192991835?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b9a0219-9191-434e-bc23-6cb5a7a385b5_790x707.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!iWgD!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b9a0219-9191-434e-bc23-6cb5a7a385b5_790x707.png 424w, https://substackcdn.com/image/fetch/$s_!iWgD!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b9a0219-9191-434e-bc23-6cb5a7a385b5_790x707.png 848w, https://substackcdn.com/image/fetch/$s_!iWgD!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b9a0219-9191-434e-bc23-6cb5a7a385b5_790x707.png 1272w, https://substackcdn.com/image/fetch/$s_!iWgD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b9a0219-9191-434e-bc23-6cb5a7a385b5_790x707.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The fourth pillar is account and identity protection. Material uses email behavior as a signal for account compromise, detecting anomalous patterns like suspicious mailbox rule creation, unusual forwarding configurations, and access patterns that deviate from normal behavior. </p><p>When a compromise is detected, the platform can automatically contain the account, disable malicious forwarders, pull suspicious messages, and tighten file access. This post-compromise containment capability is critical because most organizations discover account compromises well after the attacker has already accessed sensitive data and established persistence. 
This approach makes security proactive, rather than just reactive.</p><h2><strong>What Makes the Approach Unique</strong></h2><p>Several things stood out to me during the demo and my review of Material&#8217;s documentation that I think are worth highlighting.</p><p>First, the blast radius framing. Material thinks about security in terms of what an attacker can actually reach and do once they get in, not just whether they can be stopped at the front door. </p><p>The &#8220;blast radius&#8221; of a compromised account encompasses everything that individual has access to, including files in Drive, sensitive emails, shared documents, and connected services. The platform is designed to minimize that blast radius by reducing the amount of accessible sensitive data before a compromise happens and containing the damage when one does. </p><p>This framing becomes even more relevant with the rise of tools like Google&#8217;s Gemini that can search across an entire workspace. Over-permissive access that was merely a latent risk before becomes an active attack surface when an AI assistant can query across all of it.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!OW4O!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3542ce8d-3473-4511-a066-a24bae198cef_740x184.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!OW4O!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3542ce8d-3473-4511-a066-a24bae198cef_740x184.png 424w, https://substackcdn.com/image/fetch/$s_!OW4O!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3542ce8d-3473-4511-a066-a24bae198cef_740x184.png 848w, 
https://substackcdn.com/image/fetch/$s_!OW4O!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3542ce8d-3473-4511-a066-a24bae198cef_740x184.png 1272w, https://substackcdn.com/image/fetch/$s_!OW4O!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3542ce8d-3473-4511-a066-a24bae198cef_740x184.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!OW4O!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3542ce8d-3473-4511-a066-a24bae198cef_740x184.png" width="740" height="184" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3542ce8d-3473-4511-a066-a24bae198cef_740x184.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:184,&quot;width&quot;:740,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:54382,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192991835?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3542ce8d-3473-4511-a066-a24bae198cef_740x184.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!OW4O!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3542ce8d-3473-4511-a066-a24bae198cef_740x184.png 424w, https://substackcdn.com/image/fetch/$s_!OW4O!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3542ce8d-3473-4511-a066-a24bae198cef_740x184.png 848w, 
https://substackcdn.com/image/fetch/$s_!OW4O!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3542ce8d-3473-4511-a066-a24bae198cef_740x184.png 1272w, https://substackcdn.com/image/fetch/$s_!OW4O!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3542ce8d-3473-4511-a066-a24bae198cef_740x184.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Second, the automated remediation paired with detection. One of the most practical problems in security operations is that detection without automated response just adds to the pile of noise and cognitive overload that most teams are dealing with. Material&#8217;s approach of pairing every detection with an automated remediation action, whether that is revoking file access after a grace period, pulling a phishing email post-delivery, or disabling a malicious mailbox rule, directly addresses the alert fatigue problem that plagues security teams. </p><p>During the demo, the team described customers who run Material entirely &#8220;headless,&#8221; never logging into the UI. All data flows out via webhooks and subscriptions provide continuous feeds. The SOC can query Material for additional context, triage issues, update remediation status, and trigger Material to take automated action. That level of integration flexibility tells you the platform was designed for real-world operational workflows, not just dashboard demos.</p><p>Third, the Google Workspace depth. Material has always been Google-first, built on GCP, leveraging tools like BigQuery and Google&#8217;s DLP capabilities. This is not a platform that bolted on Google support as an afterthought to cover both ecosystems. 
</p><p>The team was explicit during the demo that their foundational focus has always been addressing the complexities of Google Workspace, and it shows in the depth of their Drive integration, their understanding of Google-specific sharing models, and their ability to detect workspace-specific attack patterns that generic email security tools miss.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!aheR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14acf895-5d50-4aca-846f-63a349840445_748x179.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!aheR!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14acf895-5d50-4aca-846f-63a349840445_748x179.png 424w, https://substackcdn.com/image/fetch/$s_!aheR!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14acf895-5d50-4aca-846f-63a349840445_748x179.png 848w, https://substackcdn.com/image/fetch/$s_!aheR!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14acf895-5d50-4aca-846f-63a349840445_748x179.png 1272w, https://substackcdn.com/image/fetch/$s_!aheR!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14acf895-5d50-4aca-846f-63a349840445_748x179.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!aheR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14acf895-5d50-4aca-846f-63a349840445_748x179.png" width="748" height="179" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/14acf895-5d50-4aca-846f-63a349840445_748x179.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:179,&quot;width&quot;:748,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:54215,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192991835?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14acf895-5d50-4aca-846f-63a349840445_748x179.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!aheR!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14acf895-5d50-4aca-846f-63a349840445_748x179.png 424w, https://substackcdn.com/image/fetch/$s_!aheR!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14acf895-5d50-4aca-846f-63a349840445_748x179.png 848w, https://substackcdn.com/image/fetch/$s_!aheR!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14acf895-5d50-4aca-846f-63a349840445_748x179.png 1272w, https://substackcdn.com/image/fetch/$s_!aheR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14acf895-5d50-4aca-846f-63a349840445_748x179.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Fourth, the approach to the Secure Email Gateway question. 
Material is not positioning itself as a direct <strong><a href="https://material.security/material-vs-segs?utm_source=third-party&amp;utm_medium=website&amp;utm_campaign=2026040415-resilientcyber">SEG replacement</a></strong> in the traditional sense. Their framing is more nuanced. Legacy SEGs create costly problems because they miss identity-driven and post-delivery threats, add operational friction through false positives, and duplicate capabilities that cloud-native platforms already provide. </p><p>Material&#8217;s argument is that the most modern approach keeps native cloud email protections for commodity threats and layers API-based, in-tenant detection and post-delivery remediation on top to handle BEC, internal abuse, account compromise, and the data-at-rest risks that no gateway can address. </p><p>The competitive dynamic is interesting. Material often runs into Proofpoint and Abnormal on phishing, but they differentiate through what they describe as the &#8220;breadth and depth&#8221; of their <strong><a href="https://material.security/product?utm_source=third-party&amp;utm_medium=website&amp;utm_campaign=2026040415-resilientcyber">comprehensive cloud workspace platform</a></strong> that extends well beyond email protection alone.</p><p>Material Security recently launched its <strong><a href="https://material.security/product/oauth-agent">OAuth Remediation Agent</a></strong>, which gives security teams continuous visibility and automated control over third-party OAuth app connections across Google Workspace. 
The agent automatically discovers connected apps, kicks off an agentic workflow to research each app, evaluates the permissions and access it holds, and autonomously revokes tokens deemed risky, dormant, malicious, or over-privileged.</p><p>With attackers increasingly exploiting trusted app connections, over-permissioned access, and long-lived OAuth tokens to gain a foothold in cloud workspaces, the OAuth Agent extends Material's platform beyond email and file protection into identity and connected app governance across the full cloud workspace.</p><h2><strong>Why This Matters for the Broader Security Landscape</strong></h2><p>The email and workspace security category is arguably at an inflection point. The SEG model is aging out, and cloud-native API-based detection has become table stakes. The real differentiation is moving toward platforms that address the full workspace attack surface, including the data-at-rest problem, file sharing risks, <strong><a href="https://material.security/product/accounts?utm_source=third-party&amp;utm_medium=website&amp;utm_campaign=2026040415-resilientcyber">account compromise containment</a></strong>, and automated remediation that actually reduces operational burden rather than adding to it. There are also AI and agents to account for, along with their access to workspaces, data and more.</p><p>I have written extensively about the importance of pairing detection with response, of moving beyond static posture toward runtime protection, and of building platforms that cover the full lifecycle rather than just one point in the attack chain. Material&#8217;s approach to workspace security reflects those same principles. 
They are not just asking &#8220;can we stop the phishing email?&#8221; They are asking &#8220;when the account is compromised anyway, how do we minimize the blast radius, protect the sensitive data, contain the damage, and automate the response?&#8221; That is a fundamentally different question, and it leads to a fundamentally different architecture and set of solutions.</p><p>For security leaders evaluating this space, the questions I would ask are direct. <strong><a href="https://material.security/resources/protecting-data-at-rest-a-guide-for-security-teams?utm_source=third-party&amp;utm_medium=website&amp;utm_campaign=2026040415-resilientcyber">Does the solution protect data at rest</a></strong>, or just scan inbound threats? Does it cover Drive and file sharing, or just email? Can it automate remediation, or does it just alert? Does it integrate into your SOC workflow via API, or does it require yet another dashboard? And does it address the blast radius of an account compromise, or does it assume prevention will always succeed?</p><p>Material&#8217;s answer to each of those questions is what makes their approach worth understanding and is what I found impressive. 
</p><blockquote><p><strong>The workspace is the treasure chest, it deserves to be protected like one.</strong></p></blockquote>]]></content:encoded></item><item><title><![CDATA[The Attack Surface Exponential]]></title><description><![CDATA[Code Surge: GitHub's Exponential Growth and the Attack Surface Nobody Is Ready For]]></description><link>https://www.resilientcyber.io/p/the-attack-surface-exponential</link><guid isPermaLink="false">https://www.resilientcyber.io/p/the-attack-surface-exponential</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Tue, 14 Apr 2026 15:47:11 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!qpfA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2effc2fa-e188-4583-9f15-85e86d66255f_2752x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div><hr></div><p>This is a follow-up to my earlier piece, <strong><a href="https://www.resilientcyber.io/p/vulnpocalypse-ai-open-source-and">Vulnpocalypse: AI, Open Source and the Vulnerability Tidal Wave</a></strong>. In that article, I laid out the case that AI-accelerated vulnerability discovery was about to overwhelm the industry&#8217;s capacity to respond. </p><p>What I want to do here is zoom in on the production side of the equation. 
The code itself is growing at a rate that should concern every security team, and the math behind the attack surface expansion is not complicated, but it is concerning.</p><h1><strong>The Billion-Commit Baseline</strong></h1><p>The <a href="https://github.blog/news-insights/octoverse/octoverse-a-new-developer-joins-github-every-second-as-ai-leads-typescript-to-1/">GitHub Octoverse 2025 report</a> tells a staggering growth story. GitHub now has more than 150 million developers. Over 36 million new developers joined in the past year alone, which works out to more than one new developer every second. Developers pushed nearly 1 billion commits in 2025, up 25.1% year over year, and created more than 230 new repositories every minute. Merged pull requests averaged 43.2 million per month, up 23% year over year.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!QhSN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5117fce2-c386-4972-b5f4-09136fbc4efb_722x410.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!QhSN!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5117fce2-c386-4972-b5f4-09136fbc4efb_722x410.png 424w, https://substackcdn.com/image/fetch/$s_!QhSN!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5117fce2-c386-4972-b5f4-09136fbc4efb_722x410.png 848w, https://substackcdn.com/image/fetch/$s_!QhSN!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5117fce2-c386-4972-b5f4-09136fbc4efb_722x410.png 1272w, 
https://substackcdn.com/image/fetch/$s_!QhSN!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5117fce2-c386-4972-b5f4-09136fbc4efb_722x410.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!QhSN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5117fce2-c386-4972-b5f4-09136fbc4efb_722x410.png" width="594" height="337.3130193905817" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5117fce2-c386-4972-b5f4-09136fbc4efb_722x410.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:410,&quot;width&quot;:722,&quot;resizeWidth&quot;:594,&quot;bytes&quot;:194019,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194192911?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5117fce2-c386-4972-b5f4-09136fbc4efb_722x410.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!QhSN!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5117fce2-c386-4972-b5f4-09136fbc4efb_722x410.png 424w, https://substackcdn.com/image/fetch/$s_!QhSN!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5117fce2-c386-4972-b5f4-09136fbc4efb_722x410.png 848w, 
https://substackcdn.com/image/fetch/$s_!QhSN!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5117fce2-c386-4972-b5f4-09136fbc4efb_722x410.png 1272w, https://substackcdn.com/image/fetch/$s_!QhSN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5117fce2-c386-4972-b5f4-09136fbc4efb_722x410.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Those numbers were already unprecedented, then 2026 happened.</p><div class="captioned-image-container"><figure><a 
class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!cBRm!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0684d6a-faac-456e-af99-935ccc5c90f8_601x356.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!cBRm!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0684d6a-faac-456e-af99-935ccc5c90f8_601x356.png 424w, https://substackcdn.com/image/fetch/$s_!cBRm!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0684d6a-faac-456e-af99-935ccc5c90f8_601x356.png 848w, https://substackcdn.com/image/fetch/$s_!cBRm!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0684d6a-faac-456e-af99-935ccc5c90f8_601x356.png 1272w, https://substackcdn.com/image/fetch/$s_!cBRm!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0684d6a-faac-456e-af99-935ccc5c90f8_601x356.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!cBRm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0684d6a-faac-456e-af99-935ccc5c90f8_601x356.png" width="567" height="335.8602329450915" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e0684d6a-faac-456e-af99-935ccc5c90f8_601x356.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:356,&quot;width&quot;:601,&quot;resizeWidth&quot;:567,&quot;bytes&quot;:72111,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194192911?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0684d6a-faac-456e-af99-935ccc5c90f8_601x356.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!cBRm!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0684d6a-faac-456e-af99-935ccc5c90f8_601x356.png 424w, https://substackcdn.com/image/fetch/$s_!cBRm!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0684d6a-faac-456e-af99-935ccc5c90f8_601x356.png 848w, https://substackcdn.com/image/fetch/$s_!cBRm!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0684d6a-faac-456e-af99-935ccc5c90f8_601x356.png 1272w, https://substackcdn.com/image/fetch/$s_!cBRm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0684d6a-faac-456e-af99-935ccc5c90f8_601x356.png 1456w" sizes="100vw"></picture></div></a></figure></div>
<p>In April 2026, GitHub COO <a href="https://x.com/kdaigle/status/2040164759836778878">Kyle Daigle posted</a> that platform activity had surged to 275 million commits per week, putting GitHub on pace for 14 billion commits this year if growth remains linear, and his parenthetical was telling &#8220;Spoiler: it won&#8217;t.&#8221; He added that GitHub Actions had grown from 500 million minutes per week in 2023, to 1 billion in 2025, to 2.1 billion minutes in a single week in early April 2026. That is a quadrupling in three years for infrastructure that was already running at enormous scale.</p><p>What is driving this? AI coding agents. 
According to reporting from <strong><a href="https://www.theinformation.com/newsletters/applied-ai/microsofts-github-sees-booming-traffic-outages-ai-agents-flood-platform">The Information</a></strong>, AI-agent pull requests jumped from roughly 4 million in September to 17 million in March. The weekly frequency of code submissions to public GitHub projects using Claude Code alone increased nearly 25-fold in six months, from around 100,000 commits to over 2.5 million by late March 2026. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Zpm6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb99cbd85-3dc9-433d-b8db-0d014e86a2c7_696x594.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Zpm6!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb99cbd85-3dc9-433d-b8db-0d014e86a2c7_696x594.png 424w, https://substackcdn.com/image/fetch/$s_!Zpm6!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb99cbd85-3dc9-433d-b8db-0d014e86a2c7_696x594.png 848w, https://substackcdn.com/image/fetch/$s_!Zpm6!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb99cbd85-3dc9-433d-b8db-0d014e86a2c7_696x594.png 1272w, https://substackcdn.com/image/fetch/$s_!Zpm6!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb99cbd85-3dc9-433d-b8db-0d014e86a2c7_696x594.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!Zpm6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb99cbd85-3dc9-433d-b8db-0d014e86a2c7_696x594.png" width="542" height="462.5689655172414" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b99cbd85-3dc9-433d-b8db-0d014e86a2c7_696x594.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:594,&quot;width&quot;:696,&quot;resizeWidth&quot;:542,&quot;bytes&quot;:158511,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194192911?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb99cbd85-3dc9-433d-b8db-0d014e86a2c7_696x594.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Zpm6!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb99cbd85-3dc9-433d-b8db-0d014e86a2c7_696x594.png 424w, https://substackcdn.com/image/fetch/$s_!Zpm6!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb99cbd85-3dc9-433d-b8db-0d014e86a2c7_696x594.png 848w, https://substackcdn.com/image/fetch/$s_!Zpm6!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb99cbd85-3dc9-433d-b8db-0d014e86a2c7_696x594.png 1272w, https://substackcdn.com/image/fetch/$s_!Zpm6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb99cbd85-3dc9-433d-b8db-0d014e86a2c7_696x594.png 1456w" 
sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Claude Code, OpenAI&#8217;s Codex CLI, Cursor, Windsurf, and a growing ecosystem of open-source alternatives have gone from curiosities to standard workflow components in less than a year.</p><p>This is an exponential growth curve, and one that has security implications we will discuss below as well.</p><h2><strong>The Platform Is the Economy</strong></h2><p>To understand why this matters for security, consider the centrality of the platform itself. GitHub is not just a code hosting service. 
It is the dominant global software supply chain, and its former CEO recognized that the platform&#8217;s architecture was not built for the era that is arriving.</p><p>Thomas Dohmke <a href="https://github.blog/news-insights/company-news/goodbye-github/">stepped down as GitHub CEO</a> and in February 2026 launched <a href="https://entire.io/">Entire</a>, a new developer platform backed by a <a href="https://entire.io/news/former-github-ceo-thomas-dohmke-raises-60-million-seed-round">$60 million seed round at a $300 million valuation</a>. In his <a href="https://entire.io/blog/hello-entire-world">Hello Entire World</a> blog post, Dohmke framed the problem directly. Manual software production systems were never designed for the era of AI. He compared the current moment to how automotive companies replaced craft-based production with assembly lines, and positioned Entire as the platform where agents and humans collaborate, learn, and ship together.</p><p>Dohmke is building around three pillars. A Git-compatible database unifying code, intent, constraints, and reasoning. A universal semantic reasoning layer enabling multi-agent coordination, and an AI-native user interface for agent-human collaboration. </p><p>The fact that the person who ran GitHub for nearly four years looked at the trajectory and concluded a new platform was needed tells you something about the scale of what is happening. 
Several have <strong><a href="https://www.theinformation.com/newsletters/applied-ai/microsofts-github-sees-booming-traffic-outages-ai-agents-flood-platform">reported challenges</a></strong> for GitHub due to rises in automation, traffic etc.</p><div><hr></div><h2><strong>The Attack Surface Math</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qpfA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2effc2fa-e188-4583-9f15-85e86d66255f_2752x1536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!qpfA!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2effc2fa-e188-4583-9f15-85e86d66255f_2752x1536.png 424w, https://substackcdn.com/image/fetch/$s_!qpfA!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2effc2fa-e188-4583-9f15-85e86d66255f_2752x1536.png 848w, https://substackcdn.com/image/fetch/$s_!qpfA!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2effc2fa-e188-4583-9f15-85e86d66255f_2752x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!qpfA!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2effc2fa-e188-4583-9f15-85e86d66255f_2752x1536.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!qpfA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2effc2fa-e188-4583-9f15-85e86d66255f_2752x1536.png" width="1456" height="813" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2effc2fa-e188-4583-9f15-85e86d66255f_2752x1536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:813,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:5823745,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194192911?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2effc2fa-e188-4583-9f15-85e86d66255f_2752x1536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!qpfA!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2effc2fa-e188-4583-9f15-85e86d66255f_2752x1536.png 424w, https://substackcdn.com/image/fetch/$s_!qpfA!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2effc2fa-e188-4583-9f15-85e86d66255f_2752x1536.png 848w, https://substackcdn.com/image/fetch/$s_!qpfA!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2effc2fa-e188-4583-9f15-85e86d66255f_2752x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!qpfA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2effc2fa-e188-4583-9f15-85e86d66255f_2752x1536.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div>
<p>Here is where cybersecurity leaders need to pay attention. The relationship between code volume and attack surface is not theoretical, it is arithmetic and it has strong implications.</p><p>Industry research often places software defect density at 5 to 20 defects per thousand lines of code. Even well-maintained, heavily audited open source projects tend to land in the range of 1 to 5 defects per thousand lines. For the sake of argument, let&#8217;s use a conservative estimate and assume the lower end of that range.</p><p>If GitHub processed 1 billion commits in 2025, and is on pace for 14 billion in 2026, the volume of code hitting production is growing by an order of magnitude in a single year. 
Even assuming a modest and stable vulnerability rate per line of code, the absolute number of vulnerabilities being introduced is growing exponentially alongside the code itself.</p><p>There&#8217;s also an argument to be made that the vulnerability rate is not stable and instead may be getting worse.</p><p>Research consistently shows that <a href="https://www.resilientcyber.io/p/vibe-coding-conundrums">AI-generated code contains vulnerabilities at 2.74 times the rate of human-written code</a>. CodeRabbit&#8217;s December 2025 report found AI-generated code had 70% more errors than human-written code, and the errors were more severe.</p><p>AI co-authored code showed 1.7 times more major issues, misconfigurations were 75% more frequent, and security vulnerabilities appeared at nearly triple the human baseline. Meanwhile, code churn is up 41%, code duplication has quadrupled, and the kind of careful refactoring that keeps codebases healthy has collapsed from 25% of changed lines in 2021 to under 10% by 2024.</p><p>While there is a large &#8220;it depends&#8221; based on the user, model, context and more, there are <em>many</em> reports, from both academia and industry, that highlight the vulnerabilities and risks of AI-generated code. Those include <strong><a href="https://arxiv.org/html/2512.03262v1">SusVibes</a></strong>, <strong><a href="https://baxbench.com/">BaxBench</a></strong>, <strong><a href="https://arxiv.org/html/2512.03262v1">CMU&#8217;s Benchmarking Vulnerability of Agent-Generated Code in Real-World Tasks</a></strong> and many more.</p><p>So we are not just producing more code. We are producing more vulnerable code, faster, at a scale the industry has never seen. This is all happening while defenders were already drowning in massive vulnerability backlogs, in the hundreds of thousands to millions, and while AI is leading to the mass industrialization of exploitation at a fraction of historical costs.
</p><h2><strong>The Vibe Coding Multiplier</strong></h2><p>A significant share of this growth is coming from a new class of developer. The Octoverse report showed that 80% of new developers on GitHub use Copilot within their first week. Over 1.1 million public repositories now utilize an LLM SDK, with nearly 700,000 of those created in the past year alone, representing 178% year-over-year growth.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!umXr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdde9e3dc-b54f-44c0-938f-b1351a9a954c_765x433.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!umXr!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdde9e3dc-b54f-44c0-938f-b1351a9a954c_765x433.png 424w, https://substackcdn.com/image/fetch/$s_!umXr!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdde9e3dc-b54f-44c0-938f-b1351a9a954c_765x433.png 848w, https://substackcdn.com/image/fetch/$s_!umXr!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdde9e3dc-b54f-44c0-938f-b1351a9a954c_765x433.png 1272w, https://substackcdn.com/image/fetch/$s_!umXr!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdde9e3dc-b54f-44c0-938f-b1351a9a954c_765x433.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!umXr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdde9e3dc-b54f-44c0-938f-b1351a9a954c_765x433.png" width="621" 
height="351.49411764705883" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/dde9e3dc-b54f-44c0-938f-b1351a9a954c_765x433.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:433,&quot;width&quot;:765,&quot;resizeWidth&quot;:621,&quot;bytes&quot;:155133,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194192911?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdde9e3dc-b54f-44c0-938f-b1351a9a954c_765x433.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!umXr!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdde9e3dc-b54f-44c0-938f-b1351a9a954c_765x433.png 424w, https://substackcdn.com/image/fetch/$s_!umXr!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdde9e3dc-b54f-44c0-938f-b1351a9a954c_765x433.png 848w, https://substackcdn.com/image/fetch/$s_!umXr!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdde9e3dc-b54f-44c0-938f-b1351a9a954c_765x433.png 1272w, https://substackcdn.com/image/fetch/$s_!umXr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdde9e3dc-b54f-44c0-938f-b1351a9a954c_765x433.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Many of these new developers are what the industry has started calling <a href="https://www.resilientcyber.io/p/vibe-coding-conundrums">vibe coders</a>. They are building applications using natural language prompts and AI assistants, often without deep understanding of the code being generated or the security implications of their design choices. I explored this in detail in <a href="https://www.resilientcyber.io/p/a-security-vibe-check">A Security Vibe Check</a>, and the picture is concerning.</p><p>AI-assisted commits show a 3.2% secret-leak rate compared to a 1.5% baseline across all public GitHub commits, roughly doubling the rate of credential exposure. Georgia Tech&#8217;s Systems Software and Security Lab tracked at least 35 new CVEs disclosed in March 2026 alone that were the direct result of AI-generated code.
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!1ova!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe9a35eb2-79f7-4a0d-a048-fa7ba071ad70_1116x718.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1ova!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe9a35eb2-79f7-4a0d-a048-fa7ba071ad70_1116x718.png 424w, https://substackcdn.com/image/fetch/$s_!1ova!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe9a35eb2-79f7-4a0d-a048-fa7ba071ad70_1116x718.png 848w, https://substackcdn.com/image/fetch/$s_!1ova!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe9a35eb2-79f7-4a0d-a048-fa7ba071ad70_1116x718.png 1272w, https://substackcdn.com/image/fetch/$s_!1ova!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe9a35eb2-79f7-4a0d-a048-fa7ba071ad70_1116x718.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!1ova!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe9a35eb2-79f7-4a0d-a048-fa7ba071ad70_1116x718.png" width="568" height="365.4336917562724" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e9a35eb2-79f7-4a0d-a048-fa7ba071ad70_1116x718.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:718,&quot;width&quot;:1116,&quot;resizeWidth&quot;:568,&quot;bytes&quot;:68172,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194192911?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe9a35eb2-79f7-4a0d-a048-fa7ba071ad70_1116x718.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!1ova!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe9a35eb2-79f7-4a0d-a048-fa7ba071ad70_1116x718.png 424w, https://substackcdn.com/image/fetch/$s_!1ova!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe9a35eb2-79f7-4a0d-a048-fa7ba071ad70_1116x718.png 848w, https://substackcdn.com/image/fetch/$s_!1ova!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe9a35eb2-79f7-4a0d-a048-fa7ba071ad70_1116x718.png 1272w, https://substackcdn.com/image/fetch/$s_!1ova!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe9a35eb2-79f7-4a0d-a048-fa7ba071ad70_1116x718.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>OWASP added a dedicated category to its Top 10 in 2025 specifically calling out AI-assisted development as a potential security risk.</p><p>This is not about blaming new developers. It is about recognizing that we are democratizing software creation without democratizing security knowledge, and the gap between those two curves is where attackers will live, and attackers weren&#8217;t exactly struggling to succeed prior to AI either.</p><h2><strong>The Other Side of the Equation</strong></h2><p>While the attack surface is expanding exponentially on the production side, the cost and effort required to find and exploit vulnerabilities on the offensive side is collapsing simultaneously.</p><p>Anthropic announced <a href="https://red.anthropic.com/2026/mythos-preview/">Claude Mythos Preview</a> in April 2026.
This unreleased frontier model has already found thousands of high-severity vulnerabilities, including flaws in every major operating system and web browser.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!m5Hv!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c2bb0b-6e71-422c-af4f-d34077e41027_721x417.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!m5Hv!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c2bb0b-6e71-422c-af4f-d34077e41027_721x417.png 424w, https://substackcdn.com/image/fetch/$s_!m5Hv!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c2bb0b-6e71-422c-af4f-d34077e41027_721x417.png 848w, https://substackcdn.com/image/fetch/$s_!m5Hv!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c2bb0b-6e71-422c-af4f-d34077e41027_721x417.png 1272w, https://substackcdn.com/image/fetch/$s_!m5Hv!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c2bb0b-6e71-422c-af4f-d34077e41027_721x417.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!m5Hv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c2bb0b-6e71-422c-af4f-d34077e41027_721x417.png" width="721" height="417" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/78c2bb0b-6e71-422c-af4f-d34077e41027_721x417.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:417,&quot;width&quot;:721,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:44943,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194192911?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c2bb0b-6e71-422c-af4f-d34077e41027_721x417.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!m5Hv!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c2bb0b-6e71-422c-af4f-d34077e41027_721x417.png 424w, https://substackcdn.com/image/fetch/$s_!m5Hv!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c2bb0b-6e71-422c-af4f-d34077e41027_721x417.png 848w, https://substackcdn.com/image/fetch/$s_!m5Hv!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c2bb0b-6e71-422c-af4f-d34077e41027_721x417.png 1272w, https://substackcdn.com/image/fetch/$s_!m5Hv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c2bb0b-6e71-422c-af4f-d34077e41027_721x417.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>It discovered a <a href="https://www.helpnetsecurity.com/2026/04/08/anthropic-claude-mythos-preview-identify-vulnerabilities/">27-year-old vulnerability in OpenBSD</a>, one of the most security-hardened operating systems in the world, and autonomously chained together Linux kernel errors into a full exploitation path. Anthropic did not explicitly train Mythos for these capabilities.
They emerged as a downstream consequence of general improvements in code reasoning and autonomy.</p><p>It isn&#8217;t just finding bugs either. As the UK&#8217;s AI Security Institute demonstrated in its <a href="https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities">evaluation of Mythos</a>, it was able to carry out complex 32-step cyber activities, from initial reconnaissance through full network takeover, an accomplishment no model, including Opus 4.6, had achieved before.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Kypq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facc4b7ee-9df7-4826-9e68-ca625f5cbef2_1018x586.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Kypq!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facc4b7ee-9df7-4826-9e68-ca625f5cbef2_1018x586.png 424w, https://substackcdn.com/image/fetch/$s_!Kypq!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facc4b7ee-9df7-4826-9e68-ca625f5cbef2_1018x586.png 848w, https://substackcdn.com/image/fetch/$s_!Kypq!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facc4b7ee-9df7-4826-9e68-ca625f5cbef2_1018x586.png 1272w, https://substackcdn.com/image/fetch/$s_!Kypq!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facc4b7ee-9df7-4826-9e68-ca625f5cbef2_1018x586.png 1456w" sizes="100vw"><img
src="https://substackcdn.com/image/fetch/$s_!Kypq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facc4b7ee-9df7-4826-9e68-ca625f5cbef2_1018x586.png" width="1018" height="586" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/acc4b7ee-9df7-4826-9e68-ca625f5cbef2_1018x586.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:586,&quot;width&quot;:1018,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:160454,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194192911?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facc4b7ee-9df7-4826-9e68-ca625f5cbef2_1018x586.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Kypq!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facc4b7ee-9df7-4826-9e68-ca625f5cbef2_1018x586.png 424w, https://substackcdn.com/image/fetch/$s_!Kypq!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facc4b7ee-9df7-4826-9e68-ca625f5cbef2_1018x586.png 848w, https://substackcdn.com/image/fetch/$s_!Kypq!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facc4b7ee-9df7-4826-9e68-ca625f5cbef2_1018x586.png 1272w, https://substackcdn.com/image/fetch/$s_!Kypq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facc4b7ee-9df7-4826-9e68-ca625f5cbef2_1018x586.png 1456w" 
sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>However, the intersection of cyber and AI isn&#8217;t siloed to a single model or vendor either.</p><p><a href="https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier">AISLE&#8217;s post-Mythos analysis</a> introduced a critical insight. AI vulnerability discovery capability is jagged. It does not scale smoothly with model size, generation, or price. Their testing showed that even small, cheap models (a 3.6 billion parameter model costing $0.11 per million tokens) could detect certain classes of bugs, like a straightforward FreeBSD buffer overflow.
The implication is that the barrier to entry for AI-assisted vulnerability discovery is not frontier model access. It is the system and expertise you build around the model.</p><p><a href="https://moak.ai/">MOAK (Mother of All KEVs)</a> pushed this further, demonstrating the first agentic AI workflow capable of exploiting hundreds of known dangerous vulnerabilities in minutes. Not just discovering them, but also exploiting them.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Jufl!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc78604a8-a2f3-4761-b84f-2803ee3cc4da_679x439.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Jufl!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc78604a8-a2f3-4761-b84f-2803ee3cc4da_679x439.png 424w, https://substackcdn.com/image/fetch/$s_!Jufl!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc78604a8-a2f3-4761-b84f-2803ee3cc4da_679x439.png 848w, https://substackcdn.com/image/fetch/$s_!Jufl!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc78604a8-a2f3-4761-b84f-2803ee3cc4da_679x439.png 1272w, https://substackcdn.com/image/fetch/$s_!Jufl!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc78604a8-a2f3-4761-b84f-2803ee3cc4da_679x439.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!Jufl!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc78604a8-a2f3-4761-b84f-2803ee3cc4da_679x439.png" width="521" height="336.8468335787923" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c78604a8-a2f3-4761-b84f-2803ee3cc4da_679x439.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:439,&quot;width&quot;:679,&quot;resizeWidth&quot;:521,&quot;bytes&quot;:41791,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194192911?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc78604a8-a2f3-4761-b84f-2803ee3cc4da_679x439.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Jufl!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc78604a8-a2f3-4761-b84f-2803ee3cc4da_679x439.png 424w, https://substackcdn.com/image/fetch/$s_!Jufl!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc78604a8-a2f3-4761-b84f-2803ee3cc4da_679x439.png 848w, https://substackcdn.com/image/fetch/$s_!Jufl!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc78604a8-a2f3-4761-b84f-2803ee3cc4da_679x439.png 1272w, https://substackcdn.com/image/fetch/$s_!Jufl!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc78604a8-a2f3-4761-b84f-2803ee3cc4da_679x439.png 1456w" 
sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>As I detailed in my piece on <a href="https://www.resilientcyber.io/p/vulnerability-velocity-and-exploitation">Vulnerability Velocity and Exploitation Timelines</a>, the <a href="https://zerodayclock.com/collapse">Zero Day Clock</a> tracks this collapse in real time. Median time from disclosure to first exploit went from 771 days in 2018 to 6 days in 2023 to 4 hours in 2024. In 2025, the majority of exploited vulnerabilities were weaponized before they were even publicly disclosed. AI systems can now generate working CVE exploits in 10 to 15 minutes at approximately $1.00 per exploit.
And 67.2% of exploited CVEs in 2026 are zero-days, up from 16.1% in 2018.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ZzWG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facd390fb-e892-4a9f-87d8-1b13dd014e63_963x622.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ZzWG!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facd390fb-e892-4a9f-87d8-1b13dd014e63_963x622.png 424w, https://substackcdn.com/image/fetch/$s_!ZzWG!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facd390fb-e892-4a9f-87d8-1b13dd014e63_963x622.png 848w, https://substackcdn.com/image/fetch/$s_!ZzWG!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facd390fb-e892-4a9f-87d8-1b13dd014e63_963x622.png 1272w, https://substackcdn.com/image/fetch/$s_!ZzWG!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facd390fb-e892-4a9f-87d8-1b13dd014e63_963x622.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ZzWG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facd390fb-e892-4a9f-87d8-1b13dd014e63_963x622.png" width="587" height="379.1422637590862" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/acd390fb-e892-4a9f-87d8-1b13dd014e63_963x622.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:622,&quot;width&quot;:963,&quot;resizeWidth&quot;:587,&quot;bytes&quot;:74104,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194192911?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facd390fb-e892-4a9f-87d8-1b13dd014e63_963x622.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ZzWG!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facd390fb-e892-4a9f-87d8-1b13dd014e63_963x622.png 424w, https://substackcdn.com/image/fetch/$s_!ZzWG!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facd390fb-e892-4a9f-87d8-1b13dd014e63_963x622.png 848w, https://substackcdn.com/image/fetch/$s_!ZzWG!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facd390fb-e892-4a9f-87d8-1b13dd014e63_963x622.png 1272w, https://substackcdn.com/image/fetch/$s_!ZzWG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facd390fb-e892-4a9f-87d8-1b13dd014e63_963x622.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2><strong>The Convergence Nobody Is Ready For</strong></h2><p>So let&#8217;s take a look at the themes unfolding in tandem. We have exponential growth in code volume, driven by AI agents and democratized development. We have elevated vulnerability density in that code, because much of it is AI-generated by developers who are less security-conscious than the experienced practitioners who came before them. 
We have an absolute explosion in the number of CVEs, with FIRST <strong><a href="https://www.first.org/newsroom/releases/20260211">forecasting</a></strong> approximately 59,000 new CVEs in 2026 alone, and we have AI making it trivially cheap to discover and exploit those vulnerabilities.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Pi2O!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcdabde00-866f-40af-9e96-c250ba71deb7_1020x451.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Pi2O!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcdabde00-866f-40af-9e96-c250ba71deb7_1020x451.png 424w, https://substackcdn.com/image/fetch/$s_!Pi2O!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcdabde00-866f-40af-9e96-c250ba71deb7_1020x451.png 848w, https://substackcdn.com/image/fetch/$s_!Pi2O!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcdabde00-866f-40af-9e96-c250ba71deb7_1020x451.png 1272w, https://substackcdn.com/image/fetch/$s_!Pi2O!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcdabde00-866f-40af-9e96-c250ba71deb7_1020x451.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Pi2O!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcdabde00-866f-40af-9e96-c250ba71deb7_1020x451.png" width="1020" height="451" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cdabde00-866f-40af-9e96-c250ba71deb7_1020x451.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:451,&quot;width&quot;:1020,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:104729,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/194192911?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcdabde00-866f-40af-9e96-c250ba71deb7_1020x451.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Pi2O!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcdabde00-866f-40af-9e96-c250ba71deb7_1020x451.png 424w, https://substackcdn.com/image/fetch/$s_!Pi2O!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcdabde00-866f-40af-9e96-c250ba71deb7_1020x451.png 848w, https://substackcdn.com/image/fetch/$s_!Pi2O!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcdabde00-866f-40af-9e96-c250ba71deb7_1020x451.png 1272w, https://substackcdn.com/image/fetch/$s_!Pi2O!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcdabde00-866f-40af-9e96-c250ba71deb7_1020x451.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" 
height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><blockquote><p><strong>These are not parallel trends, they are converging, and they will be problematic.</strong></p></blockquote><p>As I discussed with <a href="https://www.resilientcyber.io/p/resilient-cyber-w-varun-badhwar-ai">Varun Badhwar on Resilient Cyber</a>, the industry has been talking about shifting security left for over a decade, but the code is now being produced faster than security teams can review it, scan it, triage it, or remediate the findings. </p><p>Traditional AppSec programs were built for a world where developers wrote code, security teams reviewed it, and the pace of production was bounded by human typing speed and review cycles. That world as we know it is now gone. 
I also discussed this in a recent episode of Resilient Cyber with Jack Cable, Cofounder and CEO of AppSec vendor Corridor, including his take on a category they call &#8220;<strong><a href="https://www.corridor.dev/blog/introducing-acsm/">Agentic Coding Security Management</a></strong>&#8221;. </p><p>The 14 billion commits projected for 2026 on GitHub alone represent just one platform. It does not account for GitLab, Bitbucket, internal enterprise repositories, or the growing ecosystem of AI-native development platforms like Entire that are being built specifically to accelerate this further. When Thomas Dohmke sees enough momentum to leave the CEO chair at GitHub and raise $60 million to build for this future, the signal is pretty clear.</p><h2><strong>What This Means for Security Leaders</strong></h2><p>The implications are systemic and will inevitably impact every enterprise, organization and security team.</p><p>First, vulnerability management programs need to accept that they will never scan, triage, and patch their way to safety at these volumes. The backlog is growing faster than any team can reduce it. Prioritization based on exploitability, reachability, and business context is no longer a nice-to-have. It is the only viable operating model, and even then it isn&#8217;t a panacea on its own.</p><p>Second, security guardrails need to move into the development workflow itself. When 80% of new developers are using AI coding assistants in their first week, security controls need to be embedded in those same tools and pipelines. This means hooks, inline enforcement, policy-as-code, and runtime governance, not after-the-fact scanning.</p><p>Third, organizations need to reckon with the fact that their attack surface is no longer something they can fully inventory, let alone fully secure. 
The volume of code, the velocity of production, and the proliferation of AI-generated components mean that risk management, not risk elimination, is the only realistic framing. It&#8217;s why so much of the dialogue among CISOs and security folks on platforms such as LinkedIn now focuses on &#8220;Resilience&#8221; as a key theme. I&#8217;m biased given the name of this outlet, but I like the trend and it&#8217;s a good place for teams to focus.</p><p>The Vulnpocalypse I wrote about is not a future state. It is the present, and the growth curves are steepening. There is no question the attack surface is growing exponentially; the data makes that indisputable. </p><p>And, as much as I hate to say it, I think things will get worse before they get better, as the industry and society adapt to this new AI-driven operating model and its implications for cybersecurity.</p>]]></content:encoded></item><item><title><![CDATA[A Look At An Emerging Runtime Enforcement Layer For Agents - Hooks]]></title><description><![CDATA[Every major coding agent platform now supports hooks. But the implications go far beyond endpoint agents. 
Hooks show the industry converging on an architectural pattern for runtime security]]></description><link>https://www.resilientcyber.io/p/a-look-at-an-emerging-runtime-enforcement</link><guid isPermaLink="false">https://www.resilientcyber.io/p/a-look-at-an-emerging-runtime-enforcement</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Mon, 13 Apr 2026 15:20:16 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!GwM4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe781e82f-eed1-4e6f-b595-d478f4e31071_2816x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Something important is happening across the agentic AI ecosystem that is likely to play a key part in securing agents moving forward. </p><p>Over the past several months, every major coding agent platform has independently arrived at the same architectural pattern for runtime security enforcement. They are calling it hooks. See the hooks documentation for leading platforms such as <a href="https://code.claude.com/docs/en/hooks">Claude Code</a>, <a href="https://cursor.com/docs/agent/hooks">Cursor</a>, <a href="https://docs.windsurf.com/windsurf/cascade/hooks">Windsurf</a>, <a href="https://docs.cline.bot/customization/hooks">Cline</a>, <a href="https://docs.github.com/en/copilot/how-tos/use-copilot-agents/coding-agent/use-hooks">GitHub Copilot</a>, and <a href="https://docs.openclaw.ai/cli/hooks">OpenClaw</a>. </p><p>The concept isn&#8217;t one that only commercial industry is rallying around; researchers are as well, as in the paper &#8220;<strong><a href="http://Trustworthy Agentic AI Requires Deterministic Architectural Boundaries">Trustworthy Agentic AI Requires Deterministic Architectural Boundaries</a></strong>&#8221;. 
The paper lays out the fundamental flaws of agents and the LLMs at their core, especially in the presence of the now-popular concept of the lethal trifecta, and proposes deterministic boundaries as a risk mitigation mechanism. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!lUFP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2fe65c75-27cb-4842-9a8d-8efe187fb10b_929x505.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!lUFP!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2fe65c75-27cb-4842-9a8d-8efe187fb10b_929x505.png 424w, https://substackcdn.com/image/fetch/$s_!lUFP!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2fe65c75-27cb-4842-9a8d-8efe187fb10b_929x505.png 848w, https://substackcdn.com/image/fetch/$s_!lUFP!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2fe65c75-27cb-4842-9a8d-8efe187fb10b_929x505.png 1272w, https://substackcdn.com/image/fetch/$s_!lUFP!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2fe65c75-27cb-4842-9a8d-8efe187fb10b_929x505.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!lUFP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2fe65c75-27cb-4842-9a8d-8efe187fb10b_929x505.png" width="929" height="505" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2fe65c75-27cb-4842-9a8d-8efe187fb10b_929x505.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:505,&quot;width&quot;:929,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:552906,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193721590?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2fe65c75-27cb-4842-9a8d-8efe187fb10b_929x505.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!lUFP!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2fe65c75-27cb-4842-9a8d-8efe187fb10b_929x505.png 424w, https://substackcdn.com/image/fetch/$s_!lUFP!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2fe65c75-27cb-4842-9a8d-8efe187fb10b_929x505.png 848w, https://substackcdn.com/image/fetch/$s_!lUFP!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2fe65c75-27cb-4842-9a8d-8efe187fb10b_929x505.png 1272w, https://substackcdn.com/image/fetch/$s_!lUFP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2fe65c75-27cb-4842-9a8d-8efe187fb10b_929x505.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The convergence is not a coincidence. It reflects a growing recognition that the agent loop itself needs a deterministic enforcement point, one that intercepts every action before it executes and evaluates it against policy.</p><p>But this pattern is not limited to coding agents. My team at Zenity <strong><a href="https://zenity.io/company-overview/newsroom/company-news/zenity-announces-availability-of-inline-agent-runtime-security-for-agents-built-on-microsoft">recently announced</a></strong> general availability of inline runtime security for agents built on Microsoft Foundry, bringing the same interception-and-enforcement model to SaaS and homegrown enterprise agents. </p><p>When both the coding agent ecosystem and the enterprise agent security market converge on the same architectural principle, the signal is unmistakable. 
Inline runtime enforcement is becoming the foundational layer for agentic AI security across every deployment pattern.</p><p>I have been writing about the need for hard boundaries and runtime enforcement in agentic AI security for months. In my breakdown of <a href="https://www.anthropic.com/engineering/claude-code-auto-mode">Claude Code&#8217;s Auto Mode</a>, I explored the tension between probabilistic AI-based safety classifiers and the deterministic controls that security practitioners trust. Anthropic provided a good visualization below to demonstrate the tradeoffs of the modes they offer, with the recent introduction of auto-mode.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Jxbu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e98f676-952c-422a-b145-1ec100836dad_635x682.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Jxbu!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e98f676-952c-422a-b145-1ec100836dad_635x682.png 424w, https://substackcdn.com/image/fetch/$s_!Jxbu!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e98f676-952c-422a-b145-1ec100836dad_635x682.png 848w, https://substackcdn.com/image/fetch/$s_!Jxbu!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e98f676-952c-422a-b145-1ec100836dad_635x682.png 1272w, https://substackcdn.com/image/fetch/$s_!Jxbu!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e98f676-952c-422a-b145-1ec100836dad_635x682.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!Jxbu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e98f676-952c-422a-b145-1ec100836dad_635x682.png" width="535" height="574.5984251968504" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8e98f676-952c-422a-b145-1ec100836dad_635x682.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:682,&quot;width&quot;:635,&quot;resizeWidth&quot;:535,&quot;bytes&quot;:101789,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193721590?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e98f676-952c-422a-b145-1ec100836dad_635x682.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Jxbu!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e98f676-952c-422a-b145-1ec100836dad_635x682.png 424w, https://substackcdn.com/image/fetch/$s_!Jxbu!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e98f676-952c-422a-b145-1ec100836dad_635x682.png 848w, https://substackcdn.com/image/fetch/$s_!Jxbu!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e98f676-952c-422a-b145-1ec100836dad_635x682.png 1272w, https://substackcdn.com/image/fetch/$s_!Jxbu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e98f676-952c-422a-b145-1ec100836dad_635x682.png 1456w" 
sizes="100vw"></picture></div></a></figure></div><p>Many are recognizing that architectural controls such as hooks are a strong mitigation for agentic AI risks, and the industry is converging on them faster than most people realize.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!GwM4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe781e82f-eed1-4e6f-b595-d478f4e31071_2816x1536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!GwM4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe781e82f-eed1-4e6f-b595-d478f4e31071_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!GwM4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe781e82f-eed1-4e6f-b595-d478f4e31071_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!GwM4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe781e82f-eed1-4e6f-b595-d478f4e31071_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!GwM4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe781e82f-eed1-4e6f-b595-d478f4e31071_2816x1536.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!GwM4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe781e82f-eed1-4e6f-b595-d478f4e31071_2816x1536.png" width="590" height="321.7445054945055" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e781e82f-eed1-4e6f-b595-d478f4e31071_2816x1536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:794,&quot;width&quot;:1456,&quot;resizeWidth&quot;:590,&quot;bytes&quot;:8358269,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193721590?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe781e82f-eed1-4e6f-b595-d478f4e31071_2816x1536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!GwM4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe781e82f-eed1-4e6f-b595-d478f4e31071_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!GwM4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe781e82f-eed1-4e6f-b595-d478f4e31071_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!GwM4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe781e82f-eed1-4e6f-b595-d478f4e31071_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!GwM4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe781e82f-eed1-4e6f-b595-d478f4e31071_2816x1536.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" 
height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><h2><strong>What Hooks Actually Are</strong></h2><p>At the most basic level, a hook is a programmatic interception point in the agent execution loop. When an agent is about to take an action, such as executing a shell command, writing a file, making an API call, or reading sensitive data, the hook fires before that action executes. The hook receives context about what the agent is about to do, evaluates it against a set of rules or policies, and returns a decision. Allow, deny, or modify. If the hook denies the action, the agent cannot proceed. 
The action is blocked before it ever touches the environment.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fTHK!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafa12645-3ddc-453e-8fbb-4f908ae7f266_520x1155.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fTHK!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafa12645-3ddc-453e-8fbb-4f908ae7f266_520x1155.png 424w, https://substackcdn.com/image/fetch/$s_!fTHK!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafa12645-3ddc-453e-8fbb-4f908ae7f266_520x1155.png 848w, https://substackcdn.com/image/fetch/$s_!fTHK!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafa12645-3ddc-453e-8fbb-4f908ae7f266_520x1155.png 1272w, https://substackcdn.com/image/fetch/$s_!fTHK!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafa12645-3ddc-453e-8fbb-4f908ae7f266_520x1155.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fTHK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafa12645-3ddc-453e-8fbb-4f908ae7f266_520x1155.png" width="520" height="1155" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/afa12645-3ddc-453e-8fbb-4f908ae7f266_520x1155.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1155,&quot;width&quot;:520,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:11366,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193721590?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafa12645-3ddc-453e-8fbb-4f908ae7f266_520x1155.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fTHK!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafa12645-3ddc-453e-8fbb-4f908ae7f266_520x1155.png 424w, https://substackcdn.com/image/fetch/$s_!fTHK!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafa12645-3ddc-453e-8fbb-4f908ae7f266_520x1155.png 848w, https://substackcdn.com/image/fetch/$s_!fTHK!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafa12645-3ddc-453e-8fbb-4f908ae7f266_520x1155.png 1272w, https://substackcdn.com/image/fetch/$s_!fTHK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafa12645-3ddc-453e-8fbb-4f908ae7f266_520x1155.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>This is fundamentally different from the permission prompt model that most agent platforms started with, where the human user is asked to approve or deny each action. As <a href="https://www.anthropic.com/engineering/claude-code-auto-mode">Anthropic&#8217;s own data showed</a>, users approve 93% of permission prompts, and experienced users shift to auto-approve <a href="https://www.anthropic.com/research/measuring-agent-autonomy">over 40% of the time</a>. The human-in-the-loop was not functioning as a meaningful security control, which I discussed in my article &#8220;<strong><a href="https://www.resilientcyber.io/p/the-human-in-the-loop-illusion">The Human-in-the-Loop Illusion</a></strong>&#8221;. 
Hooks replace that with programmatic enforcement that does not depend on human attention.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!B4tl!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37ba9289-fb57-49dc-ad75-05d3a1ce4fef_831x528.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!B4tl!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37ba9289-fb57-49dc-ad75-05d3a1ce4fef_831x528.png 424w, https://substackcdn.com/image/fetch/$s_!B4tl!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37ba9289-fb57-49dc-ad75-05d3a1ce4fef_831x528.png 848w, https://substackcdn.com/image/fetch/$s_!B4tl!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37ba9289-fb57-49dc-ad75-05d3a1ce4fef_831x528.png 1272w, https://substackcdn.com/image/fetch/$s_!B4tl!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37ba9289-fb57-49dc-ad75-05d3a1ce4fef_831x528.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!B4tl!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37ba9289-fb57-49dc-ad75-05d3a1ce4fef_831x528.png" width="831" height="528" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/37ba9289-fb57-49dc-ad75-05d3a1ce4fef_831x528.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:528,&quot;width&quot;:831,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:94793,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193721590?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37ba9289-fb57-49dc-ad75-05d3a1ce4fef_831x528.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!B4tl!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37ba9289-fb57-49dc-ad75-05d3a1ce4fef_831x528.png 424w, https://substackcdn.com/image/fetch/$s_!B4tl!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37ba9289-fb57-49dc-ad75-05d3a1ce4fef_831x528.png 848w, https://substackcdn.com/image/fetch/$s_!B4tl!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37ba9289-fb57-49dc-ad75-05d3a1ce4fef_831x528.png 1272w, https://substackcdn.com/image/fetch/$s_!B4tl!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37ba9289-fb57-49dc-ad75-05d3a1ce4fef_831x528.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The hook pattern typically operates at two critical points in the agent loop. <em>PreToolUse</em> hooks fire before a tool call executes, giving the enforcement layer the ability to block dangerous actions before they happen. <em>PostToolUse</em> hooks fire after a tool call completes, enabling logging, audit trails, and detection of anomalous outcomes. </p><p>Some platforms support additional hook points for events like session start, subagent delegation, error handling, and notification triggers. But <em>PreToolUse</em> is the enforcement mechanism that matters most for security, because it is the point where you can prevent harm rather than just detect it after the fact.</p><p><a href="https://code.claude.com/docs/en/hooks">Claude Code&#8217;s implementation</a> is instructive, and their hooks support three handler types. 
Command hooks run shell scripts that receive JSON context via stdin and return decisions through exit codes. Prompt hooks send the action context to a Claude model for single-turn evaluation, and agent hooks spawn subagents with access to tools for deeper verification. Critically, Claude Code enforces hooks recursively, meaning if the agent spawns a subagent, the hooks fire for every tool call the subagent makes as well. Without recursive enforcement, a subagent could bypass the safety gates entirely.</p><p>Below is an example from Cursor, showing where/how these can be used as well:</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!t2pT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3148f171-c133-44b1-b460-9ffb3d57adc9_844x454.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!t2pT!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3148f171-c133-44b1-b460-9ffb3d57adc9_844x454.png 424w, https://substackcdn.com/image/fetch/$s_!t2pT!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3148f171-c133-44b1-b460-9ffb3d57adc9_844x454.png 848w, https://substackcdn.com/image/fetch/$s_!t2pT!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3148f171-c133-44b1-b460-9ffb3d57adc9_844x454.png 1272w, https://substackcdn.com/image/fetch/$s_!t2pT!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3148f171-c133-44b1-b460-9ffb3d57adc9_844x454.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!t2pT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3148f171-c133-44b1-b460-9ffb3d57adc9_844x454.png" width="844" height="454" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3148f171-c133-44b1-b460-9ffb3d57adc9_844x454.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:454,&quot;width&quot;:844,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:103970,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193721590?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3148f171-c133-44b1-b460-9ffb3d57adc9_844x454.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!t2pT!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3148f171-c133-44b1-b460-9ffb3d57adc9_844x454.png 424w, https://substackcdn.com/image/fetch/$s_!t2pT!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3148f171-c133-44b1-b460-9ffb3d57adc9_844x454.png 848w, https://substackcdn.com/image/fetch/$s_!t2pT!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3148f171-c133-44b1-b460-9ffb3d57adc9_844x454.png 1272w, https://substackcdn.com/image/fetch/$s_!t2pT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3148f171-c133-44b1-b460-9ffb3d57adc9_844x454.png 1456w" sizes="100vw" 
loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><a href="https://docs.github.com/en/copilot/how-tos/use-copilot-agents/coding-agent/use-hooks">GitHub Copilot&#8217;s coding agent</a> supports hooks in public preview with events including <em>userPromptSubmitted, preToolUse, postToolUse</em>, and <em>errorOccurred</em>. <a href="https://docs.windsurf.com/windsurf/cascade/hooks">Windsurf&#8217;s Cascade</a> includes hooks as pre- and post-action triggers. <a href="https://docs.cline.bot/customization/hooks">Cline</a> provides hooks for treating the agent as another service in your toolchain. 
The pattern is consistent across all of them: intercept, evaluate, and enforce.</p><h2><strong>Why Declarative Policy Languages Matter</strong></h2><p>Hooks provide the interception mechanism, but the question of what policies those hooks enforce is equally important. This is where declarative policy languages like <a href="https://www.cedarpolicy.com/">Cedar</a> enter the picture, and why I think they represent a critical evolution in how we think about agent governance.</p><p>Cedar is a policy language created by AWS that was designed for fine-grained authorization decisions. It is declarative, meaning you express what is allowed or denied as policy statements rather than writing imperative code that makes those decisions procedurally. That distinction matters for several reasons.</p><p>First, declarative policies are auditable. A Cedar policy that says &#8220;forbid action execute when resource.command contains &#8216;<em>rm -rf</em>&#8217;&#8221; is readable by security teams, compliance auditors, and governance reviewers without requiring them to understand the underlying code. 
This is essential for enterprise environments where security policies need to be reviewed, approved, and documented.</p><p>The below example is from a blog by Sondera and Matt Maisel titled &#8220;<strong>Hooking Coding Agents with Cedar Policy Language</strong>&#8221; and it is one of the best on the topic I&#8217;ve seen yet.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!k14m!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f999129-5f4e-4342-8ca5-ff53accde138_2956x1260.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!k14m!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f999129-5f4e-4342-8ca5-ff53accde138_2956x1260.jpeg 424w, https://substackcdn.com/image/fetch/$s_!k14m!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f999129-5f4e-4342-8ca5-ff53accde138_2956x1260.jpeg 848w, https://substackcdn.com/image/fetch/$s_!k14m!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f999129-5f4e-4342-8ca5-ff53accde138_2956x1260.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!k14m!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f999129-5f4e-4342-8ca5-ff53accde138_2956x1260.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!k14m!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f999129-5f4e-4342-8ca5-ff53accde138_2956x1260.jpeg" width="1456" height="621" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4f999129-5f4e-4342-8ca5-ff53accde138_2956x1260.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:621,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:908726,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193721590?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f999129-5f4e-4342-8ca5-ff53accde138_2956x1260.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!k14m!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f999129-5f4e-4342-8ca5-ff53accde138_2956x1260.jpeg 424w, https://substackcdn.com/image/fetch/$s_!k14m!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f999129-5f4e-4342-8ca5-ff53accde138_2956x1260.jpeg 848w, https://substackcdn.com/image/fetch/$s_!k14m!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f999129-5f4e-4342-8ca5-ff53accde138_2956x1260.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!k14m!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f999129-5f4e-4342-8ca5-ff53accde138_2956x1260.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" 
width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Second, declarative policies are portable across agent platforms. <a href="https://blog.sondera.ai/p/hooking-coding-agents-with-the-cedar">Sondera demonstrated this</a> with their reference monitor implementation, which maps agent-specific tool names from Claude, Cursor, Copilot, and Gemini to common types, allowing Cedar rules to work identically across all four agent platforms. This reusability makes it possible to write the policy once and enforce it everywhere. 
<span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Matt Maisel&quot;,&quot;id&quot;:349931863,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/fa454c10-f74d-4f8d-b3c5-a5de46287be7_800x800.jpeg&quot;,&quot;uuid&quot;:&quot;fdbedd67-9dba-4fb8-a0f6-977d64d63386&quot;}" data-component-name="MentionToDOM"></span> of Sondera also delivered an excellent talk on this concept titled &#8220;<strong><a href="https://youtu.be/m6pzrqFJ6hE?si=U_N4VtENl53Uz36w">Hooking Coding Agents with the Cedar Policy Language</a></strong>&#8221; at the [un]prompted conference in March.</p><div id="youtube2-m6pzrqFJ6hE" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;m6pzrqFJ6hE&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/m6pzrqFJ6hE?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>Third, declarative policies separate policy from code, which is a foundational principle of good security architecture. When policies live in the application code, changing them requires code changes, testing, and deployment cycles. </p><p>When policies are externalized into a declarative language, they can be updated, versioned, and deployed independently of the agent or application code. 
<a href="https://www.windley.com/archives/2026/02/a_policy-aware_agent_loop_with_cedar_and_openclaw.shtml">Phil Windley&#8217;s work on the policy-aware agent loop</a> with Cedar and OpenClaw demonstrates this pattern in practice, showing how every tool invocation can be evaluated at runtime by a Cedar-backed policy decision point.</p><div id="youtube2-K8YeW2ZhzpQ" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;K8YeW2ZhzpQ&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/K8YeW2ZhzpQ?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>Instead of authorization being a one-time gate at the edge, it becomes a continuous feedback signal that guides replanning and enforces Zero Trust principles throughout the agent&#8217;s execution. 
The below image from Phil&#8217;s blog helps demonstrate a policy-aware agent loop and shows how Cedar policy evaluation can sit inside the agent execution loop between action proposal and action execution.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!effI!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018481c3-a799-4a5f-800c-e53757bb105c_956x472.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!effI!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018481c3-a799-4a5f-800c-e53757bb105c_956x472.png 424w, https://substackcdn.com/image/fetch/$s_!effI!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018481c3-a799-4a5f-800c-e53757bb105c_956x472.png 848w, https://substackcdn.com/image/fetch/$s_!effI!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018481c3-a799-4a5f-800c-e53757bb105c_956x472.png 1272w, https://substackcdn.com/image/fetch/$s_!effI!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018481c3-a799-4a5f-800c-e53757bb105c_956x472.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!effI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018481c3-a799-4a5f-800c-e53757bb105c_956x472.png" width="587" height="289.81589958159" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/018481c3-a799-4a5f-800c-e53757bb105c_956x472.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:472,&quot;width&quot;:956,&quot;resizeWidth&quot;:587,&quot;bytes&quot;:68358,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193721590?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018481c3-a799-4a5f-800c-e53757bb105c_956x472.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!effI!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018481c3-a799-4a5f-800c-e53757bb105c_956x472.png 424w, https://substackcdn.com/image/fetch/$s_!effI!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018481c3-a799-4a5f-800c-e53757bb105c_956x472.png 848w, https://substackcdn.com/image/fetch/$s_!effI!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018481c3-a799-4a5f-800c-e53757bb105c_956x472.png 1272w, https://substackcdn.com/image/fetch/$s_!effI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F018481c3-a799-4a5f-800c-e53757bb105c_956x472.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>This matters because the alternative is what we have today in most environments: hard-coded allow lists and deny lists in JSON configuration files, bespoke shell scripts that check for specific patterns, and ad hoc rules that vary across teams and tools. That approach does not scale, it does not provide consistent enforcement, and it does not give security leaders the governance and audit capabilities they need.</p><h2><strong>The Reference Monitor Pattern</strong></h2><p>The concept of a reference monitor is not new. It originates from classical computer security, where it describes an enforcement mechanism that must meet three criteria. First, it must be always invoked, meaning every action is intercepted without exception. Second, it must be tamper-proof, meaning the subject cannot alter the monitor or its policies. 
Third, it must be verifiable, meaning the enforcement logic must be simple, deterministic, and auditable.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!U1Gs!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6745c3e5-9536-40ea-8954-4b73e649fbde_793x346.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!U1Gs!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6745c3e5-9536-40ea-8954-4b73e649fbde_793x346.png 424w, https://substackcdn.com/image/fetch/$s_!U1Gs!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6745c3e5-9536-40ea-8954-4b73e649fbde_793x346.png 848w, https://substackcdn.com/image/fetch/$s_!U1Gs!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6745c3e5-9536-40ea-8954-4b73e649fbde_793x346.png 1272w, https://substackcdn.com/image/fetch/$s_!U1Gs!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6745c3e5-9536-40ea-8954-4b73e649fbde_793x346.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!U1Gs!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6745c3e5-9536-40ea-8954-4b73e649fbde_793x346.png" width="793" height="346" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6745c3e5-9536-40ea-8954-4b73e649fbde_793x346.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:346,&quot;width&quot;:793,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:232032,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193721590?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6745c3e5-9536-40ea-8954-4b73e649fbde_793x346.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!U1Gs!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6745c3e5-9536-40ea-8954-4b73e649fbde_793x346.png 424w, https://substackcdn.com/image/fetch/$s_!U1Gs!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6745c3e5-9536-40ea-8954-4b73e649fbde_793x346.png 848w, https://substackcdn.com/image/fetch/$s_!U1Gs!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6745c3e5-9536-40ea-8954-4b73e649fbde_793x346.png 1272w, https://substackcdn.com/image/fetch/$s_!U1Gs!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6745c3e5-9536-40ea-8954-4b73e649fbde_793x346.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Recent academic research has formalized how this pattern applies directly to agentic AI. One example is <a href="https://arxiv.org/abs/2602.16708">&#8220;Policy Compiler for Secure Agentic Systems&#8221; (PCAS)</a>, which implements a reference monitor that intercepts all agent actions and blocks policy violations before execution. PCAS models agentic system state as dependency graphs, expresses authorization policies in a Datalog-derived language, and compiles agent implementations with policy specifications into instrumented systems that are policy-compliant by construction. </p><p>Their results are telling. Across frontier models including Claude Opus 4.5, GPT-5.2, and Gemini 3 Pro, un-instrumented agents achieved only 48% policy compliance. With the reference monitor in place, that jumped to 93%, with zero violations in instrumented runs. 
The takeaway is straightforward: you cannot rely on the model to follow the rules on its own; you need an external enforcement layer that does not ask the model for permission.</p><p>This framing is important because it draws a clear line between hooks as a security enforcement mechanism and the probabilistic AI-based classifiers that some platforms use as safety controls. An AI classifier that evaluates whether an action &#8220;looks safe&#8221; fails the verifiability criterion. It is non-deterministic by nature. A declarative policy engine that evaluates a structured authorization request against explicit rules meets all three criteria. The reference monitor pattern is what turns hooks from a convenient automation feature into a genuine security boundary, building on longstanding cybersecurity principles and concepts.</p><p><a href="https://opensource.microsoft.com/blog/2026/04/02/introducing-the-agent-governance-toolkit-open-source-runtime-security-for-ai-agents/">Microsoft&#8217;s recently released Agent Governance Toolkit</a> reinforces this pattern. Their Agent OS component functions as a stateless policy engine that intercepts every agent action before execution with sub-millisecond latency. It hooks into framework-native extension points across LangChain, CrewAI, Google ADK, and Microsoft&#8217;s own agent framework, providing consistent governance without requiring agent code rewrites. The toolkit <a href="https://github.com/microsoft/agent-governance-toolkit">addresses all ten OWASP agentic AI risks</a> and is available across Python, TypeScript, Rust, Go, and .NET. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!he_V!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a517a36-240c-456d-989e-c1dfe35c6b14_572x603.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!he_V!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a517a36-240c-456d-989e-c1dfe35c6b14_572x603.png 424w, https://substackcdn.com/image/fetch/$s_!he_V!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a517a36-240c-456d-989e-c1dfe35c6b14_572x603.png 848w, https://substackcdn.com/image/fetch/$s_!he_V!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a517a36-240c-456d-989e-c1dfe35c6b14_572x603.png 1272w, https://substackcdn.com/image/fetch/$s_!he_V!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a517a36-240c-456d-989e-c1dfe35c6b14_572x603.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!he_V!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a517a36-240c-456d-989e-c1dfe35c6b14_572x603.png" width="572" height="603" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7a517a36-240c-456d-989e-c1dfe35c6b14_572x603.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:603,&quot;width&quot;:572,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:80929,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193721590?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a517a36-240c-456d-989e-c1dfe35c6b14_572x603.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!he_V!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a517a36-240c-456d-989e-c1dfe35c6b14_572x603.png 424w, https://substackcdn.com/image/fetch/$s_!he_V!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a517a36-240c-456d-989e-c1dfe35c6b14_572x603.png 848w, https://substackcdn.com/image/fetch/$s_!he_V!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a517a36-240c-456d-989e-c1dfe35c6b14_572x603.png 1272w, https://substackcdn.com/image/fetch/$s_!he_V!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a517a36-240c-456d-989e-c1dfe35c6b14_572x603.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>We&#8217;re seeing industry leaders such as Microsoft, Anthropic, and GitHub, along with startups and academic researchers, all converging on the same architectural pattern.</p><h2><strong>Beyond Endpoint Agents - Inline Enforcement for SaaS and Custom Agents</strong></h2><p>I also want to highlight that the capability extends beyond endpoint coding agents, where most of the industry discussion has been focused. The hook implementations I have described so far are primarily designed for endpoint coding agents. </p><p>Claude Code, Cursor, Windsurf, Cline, and GitHub Copilot are all tools that run on developer machines or in CI/CD environments. Hooks in these contexts intercept shell commands, file writes, and tool calls within the development workflow. 
That is valuable, but it is one-third of the agentic AI security problem in terms of common deployment scenarios for agents.</p><p>As I have written about extensively, there are three major agent deployment patterns that enterprises need to secure. Endpoint agents are the first. SaaS/Embedded agents that come bundled inside enterprise SaaS platforms are the second, and Homegrown/Custom agents that organizations build internally, often in cloud hosting environments, are the third. The hook pattern needs to extend across all three, and we are starting to see that happen.</p><p>Not to self-promote, but my team Zenity <strong><a href="https://zenity.io/company-overview/newsroom/company-news/zenity-announces-availability-of-inline-agent-runtime-security-for-agents-built-on-microsoft">recently announced</a></strong> inline runtime security for Microsoft Foundry agents as well. This is an example of what the pattern looks like beyond the coding agent world, covering other agent deployment patterns. Zenity integrates natively into the agent execution path within Microsoft Foundry, intercepting agent actions in real time and blocking unsafe behavior before data moves or tools execute. </p><p>This is the same <em>PreToolUse</em> enforcement pattern that Claude Code and Cursor implement for coding agents, but applied to enterprise agents that connect to SharePoint, OneDrive, databases, SaaS platforms, and internal APIs.</p><p>These are not coding agents running shell commands on a developer laptop. These are business agents built by both professional developers in Microsoft Foundry and citizen developers in Copilot Studio, operating across IT operations, customer support, finance, healthcare, manufacturing, and the public sector. </p><p>They make decisions, chain actions, and invoke tools across enterprise environments, and they introduce classes of risk that traditional prompt-level or post-execution controls were never designed to address. 
As with inline enforcement for coding agents, it can help mitigate risks such as sensitive data leakage, secret exposure, jailbreak attempts, and tool misuse, and it does so across chained actions, not isolated prompts.</p><p>For homegrown and custom agents beyond the Microsoft ecosystem, the pattern is equally critical. Organizations building agents using frameworks like LangChain, LangGraph, CrewAI, or the OpenAI Agents SDK need to embed policy enforcement directly into the agent loop. </p><p><a href="https://github.com/microsoft/agent-governance-toolkit">Microsoft&#8217;s Agent Governance Toolkit</a> provides one path, hooking into framework-native extension points to enforce governance without agent code rewrites. <a href="https://www.windley.com/archives/2026/02/a_policy-aware_agent_loop_with_cedar_and_openclaw.shtml">Phil Windley&#8217;s work on Cedar and OpenClaw</a> provides another, demonstrating how declarative policy evaluation can be inserted into the agent loop as a continuous authorization mechanism. </p><p>The <a href="https://docs.openclaw.ai/cli/hooks">OpenClaw project</a> itself now supports pre- and post-tool-use hooks with the ability to pause execution and request human approval for specific actions, blending programmatic enforcement with human oversight where it is genuinely warranted.</p><p>The organizations that only think about hooks in the context of endpoint coding agents are making the same mistake as organizations that only thought about cloud security in terms of IaaS. </p><p>The agent surface extends across all three deployment patterns, and the enforcement mechanism needs to follow. The coding agent ecosystem has hooks, and they are starting to become a key discussion point. </p><p>Enterprise platforms like Microsoft Foundry now have inline enforcement as well. We&#8217;re starting to see this mechanism emerge as a dominant pattern among those leading the ecosystem when it comes to securing agentic AI and mitigating risks. 
</p><h2><strong>What This Means for Security Leaders</strong></h2><p>The convergence on hooks and inline enforcement across the agentic AI ecosystem tells security leaders several important things.</p><p>First, the industry has collectively recognized that human-in-the-loop approval does not work as a primary safety mechanism, a topic I&#8217;ve already written extensively on. Every platform that has implemented hooks did so because the alternative, asking users to approve every action, was failing in practice as HITL became a rubber stamp or was sidestepped entirely. Hooks represent the industry&#8217;s answer to that failure. They move enforcement from the human to the infrastructure.</p><p>Second, declarative policy languages like <a href="https://www.cedarpolicy.com/">Cedar</a> (or others such as OPA) provide the governance layer that hooks need to be operationally viable at scale. Hard-coded rules in JSON files work for small teams. They do not work for enterprises with hundreds or thousands of developers, dozens of agent tools, and regulatory requirements for policy documentation and audit trails. The separation of policy from code is not optional at enterprise scale.</p><p>Third, the hook pattern maps directly to the AISPM and AIDR capabilities I have been advocating for and that are common among leading agentic AI security platforms. AISPM defines the policies, trust boundaries, and posture configuration. AIDR enforces those policies at runtime and detects violations. Hooks and inline enforcement are the mechanisms that connect the two. They are the runtime enforcement point where posture becomes protection.</p><p>Fourth, this pattern needs to span all three deployment environments. 
The same enforcement architecture that prevents a coding agent from executing rm -rf on a production server needs to prevent a custom-built agent from leaking sensitive customer data through a chained tool call, and a SaaS-embedded agent from exceeding its authorized action scope. </p><p>We discussed several leading examples across different deployment scenarios. The policy language may differ, but the architectural principle is identical: intercept every action, evaluate against policy, enforce before execution.</p><h2><strong>Like Any Other Control, Hooks Are Not Infallible</strong></h2><p>I want to be direct about something before this piece sounds like hooks are the silver bullet for agentic AI security: they are not. Like any security control, hooks have real limitations, known bypass vectors, and failure modes that practitioners need to understand.</p><p>The research is already piling up. In February 2026, <a href="https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/">Check Point Research disclosed critical vulnerabilities in Claude Code</a> (CVE-2025-59536 and CVE-2026-21852) that turned hooks from a defensive mechanism into an attack vector. By injecting a malicious hook definition into the .claude/settings.json file within a repository, an attacker could gain remote code execution the moment a developer cloned and opened the project. </p><p>The hook command ran before the user ever saw a trust dialog. A second finding showed that repository-controlled configuration settings could override safeguards and auto-approve all MCP servers, triggering execution on launch without any user confirmation. 
</p><div id="youtube2-BJjkYZwMfG0" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;BJjkYZwMfG0&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/BJjkYZwMfG0?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>In March 2026, <a href="https://adversa.ai/blog/claude-code-security-bypass-deny-rules-disabled/">Adversa AI disclosed a separate vulnerability</a> where Claude Code silently ignored all user-configured deny rules when a shell command contained more than 50 subcommands. </p><p>The root cause was a hard cap (MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50) introduced to avoid UI freezes during security analysis of compound commands. When a command exceeded that threshold, Claude Code skipped all per-subcommand deny rule enforcement entirely and fell back to a generic prompt that could be auto-allowed. The practical attack was straightforward. </p><p>A malicious CLAUDE.md file in a public repository could craft a compound command long enough to bypass every deny rule the developer had configured, with SSH keys, cloud credentials, and publishing tokens all at risk. The fix existed in a newer parser in the same codebase. It had simply never been deployed to customers.</p><p>These are not theoretical concerns. They are disclosed CVEs, published research, and real bypass vectors that worked against one of the most prominent agentic coding tools on the market.</p><p>Beyond implementation bugs, there are architectural limitations worth acknowledging. Hooks operate on the tool calls the agent makes, but they cannot govern what the agent reasons about, plans internally, or decides not to surface. 
</p><p>An agent that has been prompt-injected may never issue the tool call that would trigger the hook. It may instead find alternative paths, decompose a restricted action into individually permissible sub-actions, or simply provide misleading context about what it intends to do. Hooks enforce policy at the action boundary, not at the reasoning boundary, and that gap matters.</p><p>Another interesting (and scary) example came from Nathan Sportsman, CEO of OffSec company Praetorian, who demonstrated how his agent, in its own words, &#8220;gamed&#8221; the hook to bypass the control, directly exploiting a loophole it identified. </p><p>Again, hooks are not a silver bullet, and agents are incredibly unpredictable and relentlessly pursue their goals.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3Mdh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08d55859-e1f5-4639-92cd-5b4a0cdfc02b_1280x412.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!3Mdh!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08d55859-e1f5-4639-92cd-5b4a0cdfc02b_1280x412.jpeg 424w, https://substackcdn.com/image/fetch/$s_!3Mdh!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08d55859-e1f5-4639-92cd-5b4a0cdfc02b_1280x412.jpeg 848w, https://substackcdn.com/image/fetch/$s_!3Mdh!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08d55859-e1f5-4639-92cd-5b4a0cdfc02b_1280x412.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!3Mdh!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08d55859-e1f5-4639-92cd-5b4a0cdfc02b_1280x412.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!3Mdh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08d55859-e1f5-4639-92cd-5b4a0cdfc02b_1280x412.jpeg" width="1280" height="412" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/08d55859-e1f5-4639-92cd-5b4a0cdfc02b_1280x412.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:412,&quot;width&quot;:1280,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:80303,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193721590?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08d55859-e1f5-4639-92cd-5b4a0cdfc02b_1280x412.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!3Mdh!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08d55859-e1f5-4639-92cd-5b4a0cdfc02b_1280x412.jpeg 424w, https://substackcdn.com/image/fetch/$s_!3Mdh!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08d55859-e1f5-4639-92cd-5b4a0cdfc02b_1280x412.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!3Mdh!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08d55859-e1f5-4639-92cd-5b4a0cdfc02b_1280x412.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!3Mdh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F08d55859-e1f5-4639-92cd-5b4a0cdfc02b_1280x412.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>There is also the configuration problem. Hooks are only as strong as the policies behind them. 
A misconfigured rule, an incomplete deny list, or an overly permissive default can create a false sense of security that is arguably worse than having no hooks at all. </p><p>Projects like <a href="https://cupcake.eqtylab.io/">Cupcake from EQTY Lab</a>, built on OPA/Rego with agentic safety research support from Trail of Bits, are working to make policy authoring more rigorous by bringing governance-as-code practices from the DevSecOps world into the agent security context. But policy completeness remains an open challenge.</p><p>None of this means hooks are not worth implementing. It means they need to be understood for what they are: one layer in a defense-in-depth strategy for agentic AI security, not the entire strategy. </p><p>The reference monitor pattern I discussed earlier provides the architectural foundation. Hooks are the mechanism through which that pattern gets instantiated. But like firewalls, EDR, and every other security control the industry has deployed over the past three decades, they will be bypassed, misconfigured, and attacked. </p><p>The goal is not perfection. The goal is raising the cost and complexity of compromise while maintaining the visibility and audit trail needed to detect what gets through. That is what defense in depth has always meant, and agentic AI does not get a special exemption from that reality.</p><h1><strong>The Bottom Line</strong></h1><p>Hooks and inline enforcement are not just developer convenience features. They are becoming an architectural foundation of runtime security for agentic AI. The fact that every major coding agent platform, enterprise agent security vendors, and framework-level toolkits have all converged on this pattern tells you it is not a trend. </p><p>It is becoming a structural requirement. 
Agents that take real-world actions need deterministic, policy-driven enforcement at the point of execution, whether they are writing code on a developer machine, processing customer records in an enterprise application, or executing workflows inside a SaaS platform.</p><p>The organizations that build their agentic AI security strategy around this pattern, with declarative policies, cross-platform enforcement, and coverage across all three deployment types, will be the ones that deploy agents at scale with genuine guardrails. </p><p>The ones that rely on permission prompts and hope will eventually find out what happens when an agent acts without oversight in an environment without boundaries. That said, as I pointed out above, hooks are but one part of a broader defense-in-depth strategy for securing agentic AI as well.</p>]]></content:encoded></item><item><title><![CDATA[Claude Mythos - Why It Matters (And Why It Doesn't)]]></title><description><![CDATA[Anthropic just dropped Claude Mythos, and it found thousands of zero-day vulnerabilities across every major OS and browser.]]></description><link>https://www.resilientcyber.io/p/claude-mythos-why-it-matters-and</link><guid isPermaLink="false">https://www.resilientcyber.io/p/claude-mythos-why-it-matters-and</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Sun, 12 Apr 2026 12:00:52 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/193925287/081c4de82b129d166c074764577407b8.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p>Anthropic just dropped Claude Mythos, and it found thousands of zero-day vulnerabilities across every 
major OS and browser. But finding bugs was never the hard part; remediation is.</p><div id="youtube2-q3n-hXHP88U" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;q3n-hXHP88U&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/q3n-hXHP88U?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>In this video, I break down what Mythos means for AppSec and cybersecurity, why enterprises are already drowning in vulnerability backlogs, and why the industry needs to embrace AI-powered auto-remediation to close the gap. I also discuss why shift-left and secure-by-design have historically failed, and how AI integration into the SDLC can finally deliver on those promises.</p><p>Topics covered:</p><ul><li><p>Claude Mythos and Project Glasswing ($100M coalition with AWS, Apple, Microsoft, Google, and more)</p></li><li><p>AI vulnerability discovery: AISLE, XBOW, Nicholas Carlini&#8217;s Frontier Red Team findings</p></li><li><p>The Vulnpocalypse: 48,000+ CVEs in 2025 and the remediation crisis</p></li><li><p>Vulnerability prioritization: CISA KEV, EPSS, reachability analysis, runtime reachability, business context</p></li><li><p>Why shift-left created friction instead of security</p></li><li><p>AI Code Security and auto-remediation as the path forward</p></li><li><p>James Berthoty&#8217;s emerging AI Code Security category</p></li></ul><p>Referenced in this video: </p><ul><li><p><strong><a href="https://www.anthropic.com/glasswing">Anthropic Project Glasswing</a></strong></p></li><li><p><strong><a href="https://red.anthropic.com/2026/mythos-preview/">Anthropic Red Team - Mythos Preview</a></strong></p></li><li><p><strong><a 
href="https://resilientcyber.io/p/vulnpocalypse-ai-open-source-and">My article - Vulnpocalypse: AI, Open Source, and the Race to Remediate</a></strong></p></li><li><p>James Berthoty - <strong><a href="https://pulse.latio.tech/p/ai-code-security-enterprise-governance">AI Code Security: Enterprise Governance for AI Generated Code</a></strong></p></li></ul>]]></content:encoded></item><item><title><![CDATA[Your AI Agent Is Running As Root]]></title><description><![CDATA[When you fire up Claude Code, Cursor, or any AI coding agent, it launches with your full system permissions, your SSH keys, cloud credentials, browser passwords, every file on your machine.]]></description><link>https://www.resilientcyber.io/p/your-ai-agent-is-running-as-root</link><guid isPermaLink="false">https://www.resilientcyber.io/p/your-ai-agent-is-running-as-root</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Sat, 11 Apr 2026 12:01:59 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/193630359/65db4629e3c8d63e8c234a13d20b6bf3.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p>When you fire up Claude Code, Cursor, or 
any AI coding agent, it launches with your full system permissions: your SSH keys, cloud credentials, browser passwords, every file on your machine. Most developers never think twice about it.</p><p>Luke Hinds did, and then he built something about it.</p><p>Luke is the creator of Sigstore, the cryptographic signing infrastructure now used by PyPI, Homebrew, GitHub, and Google as the industry standard for software supply chain security. In this episode, he joins Chris to talk about why he&#8217;s watching the industry make the exact same mistake it made a decade ago, and what he built to try to stop it.</p><p>We cover the full picture: why application-layer guardrails and system prompts fundamentally fail as security boundaries for AI agents (and what kernel-level enforcement actually means); the <code>.md</code> file as an emerging control plane attack surface; the OpenClaw wake-up call and what the skills marketplace ecosystem gets structurally wrong about trust and provenance; the approval fatigue problem and Anthropic&#8217;s 17% false negative rate on Claude Code&#8217;s auto-mode classifier; extending SLSA and Sigstore attestation frameworks to AI-generated code; and why LLM-as-a-judge may not be the silver bullet many are hoping for.</p><p>Luke also makes a broader argument about where this is all heading: volumes of AI-generated code growing faster than human capacity to review it, junior engineers being priced out of the industry, and an aging cohort of engineers who can actually read and reason about code at depth. 
It&#8217;s a candid, technically grounded conversation from someone who&#8217;s been in open source security for 20+ years and has seen this movie before.</p><p>nono is at <strong><a href="https://nono.sh">nono.sh</a></strong>, one line to install, one line to run, no excuse not to!</p><div><hr></div><p><em><strong>Interested in sponsoring an issue of Resilient Cyber?</strong></em></p><p><em><strong>This includes reaching over 31,000 subscribers, ranging from Developers, Engineers, Architects, CISO&#8217;s/Security Leaders and Business Executives</strong></em></p><p><em><strong>Reach out below!</strong></em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;mailto:sponsorships@resilientcyber.io&quot;,&quot;text&quot;:&quot;-> Contact Us! <-&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="mailto:sponsorships@resilientcyber.io"><span>-&gt; Contact Us! 
&lt;-</span></a></p><div><hr></div><p><strong>&#127897;&#65039; Your AI Agent Is Running as Root &#8212; Key Takeaways</strong></p><p><strong>The Core Problem</strong></p><ul><li><p>AI agents like Claude Code and Cursor run with your full user permissions by default &#8212; SSH keys, cloud credentials, browser passwords, every file on your machine</p></li><li><p>This isn&#8217;t a design flaw &#8212; it&#8217;s just how operating systems work. Nobody built an AI agent exception into Unix</p></li><li><p>The industry is repeating the exact mistake it made with software supply chains: moving fast and ignoring security until incidents force a retrofit</p></li></ul><p><strong>Why Application-Layer Guardrails Fail</strong></p><ul><li><p>System prompts and in-process filters can be circumvented &#8212; agents are trained to be goal-driven and relentlessly creative at achieving objectives</p></li><li><p>Luke&#8217;s team tests this directly: agents placed in sandboxes will wrap blocked commands in Python interpreters, create symlinks, and keep iterating until they find an escape</p></li><li><p>Real enforcement has to come from the OS kernel &#8212; the kernel doesn&#8217;t respond to jailbreaks, doesn&#8217;t have a system prompt you can override, and enforces access control absolutely</p></li></ul><p><strong>The .md File as a New Attack Surface</strong></p><ul><li><p>CLAUDE.md, AGENTS.md, SKILLS.md are now effectively control planes for autonomous agents &#8212; they define what agents believe they&#8217;re authorized to do</p></li><li><p>Unlike YAML or JSON, Markdown has no schema, no parser, no validator &#8212; a legitimate instruction and an injected malicious one are syntactically identical</p></li><li><p>nono addresses this by applying Sigstore-style cryptographic signing to instruction files &#8212; unsigned or tampered files are blocked before the agent ever starts</p></li></ul><p><strong>The Skills Ecosystem Problem</strong></p><ul><li><p>Skills marketplaces are 
reproducing the worst patterns of early open source dependency management &#8212; people grabbing and running things from the internet with zero verification of where they came from</p></li><li><p>Research has already identified hundreds of malicious skills masquerading as legitimate tools, harvesting credentials and SSH keys</p></li><li><p>The fix already exists &#8212; trusted publishing and provenance chains like those used by PyPI and npm &#8212; but the agent ecosystem has largely sidestepped it</p></li></ul><p><strong>The OpenClaw Wake-Up Call</strong></p><ul><li><p>180,000 GitHub stars in a week, 1,800 exposed instances found on Shodan, multiple critical CVEs in the first days &#8212; not because of sophisticated attacks, but because of structural access problems</p></li><li><p>Luke&#8217;s view: this pattern will get worse before it gets better, and the fix is more likely to come bottom-up from OS and hardware innovation than top-down from the application layer</p></li></ul><p><strong>The Human-in-the-Loop Illusion</strong></p><ul><li><p>Anthropic&#8217;s Claude Code auto-mode classifier has a 17% false negative rate &#8212; roughly 1 in 6 genuinely dangerous actions still slips through</p></li><li><p>Developers are clicking &#8220;approve&#8221; 93% of the time anyway, or disabling the sandbox entirely with <code>--dangerously-skip-permissions</code></p></li><li><p>The result is skill atrophy &#8212; engineers are reviewing code less deeply, junior developers are struggling to break into the industry, and the volume of AI-generated code is growing faster than human capacity to audit it</p></li></ul><p><strong>Extending Supply Chain Provenance to AI</strong></p><ul><li><p>The SLSA/Sigstore attestation chain starts at the commit &#8212; but the most important upstream piece (which agent, which model version, what plan was it given) is completely invisible</p></li><li><p>Non-determinism makes this harder: feed the same plan into the same model twice and you 
may get different code, so provenance attestations must capture the output explicitly</p></li><li><p>Model weights themselves (PyTorch tensor files) can technically be signed &#8212; some open models do this &#8212; but most powerful proprietary models don&#8217;t</p></li></ul><p><strong>LLM-as-a-Judge Has Real Limits</strong></p><ul><li><p>Using AI to evaluate AI output is becoming the default because there&#8217;s no better solution yet &#8212; but these systems can be steered and aren&#8217;t foolproof</p></li><li><p>For low-stakes use cases the failure rate may be acceptable; for critical infrastructure, vehicle systems, or financial controls it absolutely isn&#8217;t</p></li><li><p>Context and business criticality need to govern how much autonomy and AI-based review you allow</p></li></ul><p><strong>nono in Practice</strong></p><ul><li><p>One line to install (<code>brew install nono</code>), one line to run &#8212; wraps any agent with kernel-level isolation, deny-by-default filesystem and network access, atomic rollbacks, cryptographic audit trails, and Sigstore-backed instruction file signing</p></li><li><p>3,000 regular users within 40 days of launch, active community building on Kubernetes, Lambda, and CI/CD integrations</p></li><li><p>Philosophy: agents should be treated as untrusted processes granted specific permissions &#8212; not as extensions of the user with full system access</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Resilient Cyber Newsletter #92]]></title><description><![CDATA[Anthropic's Project Glasswing, AI State of the Union, Cyber Stocks in 2026, Role of the Field CISO, A 
Vulnpocalypse is Coming & AI Code Security Governance]]></description><link>https://www.resilientcyber.io/p/resilient-cyber-newsletter-92</link><guid isPermaLink="false">https://www.resilientcyber.io/p/resilient-cyber-newsletter-92</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Fri, 10 Apr 2026 11:58:25 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!IzpT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa8bc1088-5c35-4c48-8ce3-c4dbc2ada987_712x506.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to issue #92 of the Resilient Cyber Newsletter! </p><p>This was a landmark week for AI security. Anthropic announced Project Glasswing, a $100 million industry coalition with Amazon, Apple, Broadcom, Cisco, CrowdStrike, Linux Foundation, Microsoft, and Palo Alto Networks to apply a new frontier model called Claude Mythos Preview to finding and fixing critical software vulnerabilities at scale. Mythos has already discovered tens of thousands of vulnerabilities, including bugs in every major operating system and browser, some of them decades old.</p><p>At the same time, the industry continued to process the fallout from the Claude Code source code leak, Cisco disclosed a persistent memory compromise in Claude Code, Straiker demonstrated a full sandbox escape from Cursor through prompt injection, SentinelOne published more details on autonomously stopping Claude Code from executing the LiteLLM supply chain attack from issue #90, and Dick Hardt, Karl McGuinness, and Christian Posta pushed forward a real proposal for agentic identity with AAuth. </p><p>I also published a deep dive this week called <strong><a href="https://www.resilientcyber.io/p/vulnpocalypse-ai-open-source-and">Vulnpocalypse</a></strong>, looking at how AI is reshaping vulnerability research and why we are losing the race to remediate. 
There is a lot to get into, so let&#8217;s go.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!IzpT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa8bc1088-5c35-4c48-8ce3-c4dbc2ada987_712x506.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><img src="https://substackcdn.com/image/fetch/$s_!IzpT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa8bc1088-5c35-4c48-8ce3-c4dbc2ada987_712x506.png" width="514" height="365.2865168539326" class="sizing-normal" alt=""></picture></div></a></figure></div><div><hr></div><h2>Cyber Leadership &amp; Market Dynamics</h2><h3><a href="https://sequoiacap.com/podcast/palo-alto-networks-ceo-nikesh-arora-on-the-virtues-of-being-an-outsider/">Nikesh Arora on the Virtues of Being an Outsider</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!_ip9!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbbc1383f-e359-4911-9132-ff5fa9496ebb_2084x1264.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><img src="https://substackcdn.com/image/fetch/$s_!_ip9!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbbc1383f-e359-4911-9132-ff5fa9496ebb_2084x1264.png" width="579" height="351.13804945054943" class="sizing-normal" alt="" loading="lazy"></picture></div></a></figure></div><p>Sequoia Capital published a compelling conversation with Palo Alto Networks CEO Nikesh Arora on the virtues of being an outsider. 
Arora famously said that when he took over Palo Alto Networks, he thought &#8220;cyber&#8221; and &#8220;security&#8221; were two different words. </p><p>That kind of intellectual honesty is refreshing from a CEO running one of the most valuable cybersecurity companies on the planet. The core insight is that outside-in thinking brings fresh perspectives to industries that get too caught up in their own conventions. Arora&#8217;s willingness to question every assumption is part of why Palo Alto Networks has been so aggressive on platformization, even as Mark Kraynak&#8217;s RAIGNark piece in issue #91 argued the platformization era is ending. 
Whether you agree with Arora&#8217;s strategy or not, this conversation is worth your time.</p><h3><a href="https://www.linkedin.com/posts/nikolozk_cybersecurity-stocks-are-getting-hammered-activity-7446205757638905856-ZQqx">Cybersecurity Stocks Are Getting Hammered</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!-JtA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52f60949-ec36-4466-bd6a-0e4253815bd5_1470x1366.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><img src="https://substackcdn.com/image/fetch/$s_!-JtA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52f60949-ec36-4466-bd6a-0e4253815bd5_1470x1366.png" width="580" height="538.9697802197802" class="sizing-normal" alt="" loading="lazy"></picture></div></a></figure></div><p>The cybersecurity sector is having a rough start to the year. The Global X Cybersecurity ETF dropped 4.5% in a single trading day, with year-to-date declines exceeding 21% as of early April. CrowdStrike is down 13% YTD and Palo Alto Networks is down 12% YTD. </p><p>The market narrative is that AI is disrupting traditional cybersecurity product utility, with Claude Code and AI coding assistants raising questions about the durability of legacy vendor moats. </p><p>I lean cautiously optimistic here. The same AI disruption that is pressuring traditional vendors is also creating entirely new categories of security work, from agentic identity to runtime agent monitoring. The vendors who adapt will thrive, and the ones who do not will be routed around. 
This is the same dynamic I wrote about in issue #91 with Malcolm Harkins&#8217; RSAC observations about vendors repackaging existing capabilities with AI branding.</p><h3><a href="https://www.philvenables.com/post/the-real-role-of-the-field-ciso">Phil Venables on the Real Role of the Field CISO</a></h3><p>Phil Venables published an important clarification on what Field CISO roles actually are, and more importantly, what they should be. His core argument is that Field CISO teams should primarily comprise former CISOs and senior security leaders who have lived the operational reality of customer pain points. </p><p>Too many vendors put &#8220;Field CISO&#8221; titles on people who have never sat in the chair, and the credibility gap shows immediately. As someone who has spent time on both the practitioner and vendor side, this resonates strongly. Field CISO work is not about selling. It is about translating vendor capabilities into customer outcomes with enough operational empathy to actually be useful.</p><h3><a href="https://medium.com/anton-on-security/rsa-2026-agentic-future-analog-fundamentals-the-paradox-of-why-the-old-guard-still-survives-bf93e81eaaa6">Anton Chuvakin&#8217;s RSA 2026 Reflections</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fOIG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64df1c0a-6a00-4ae4-b7e9-ddc6c631fb28_1328x498.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fOIG!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64df1c0a-6a00-4ae4-b7e9-ddc6c631fb28_1328x498.png 424w, 
https://substackcdn.com/image/fetch/$s_!fOIG!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64df1c0a-6a00-4ae4-b7e9-ddc6c631fb28_1328x498.png 848w, https://substackcdn.com/image/fetch/$s_!fOIG!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64df1c0a-6a00-4ae4-b7e9-ddc6c631fb28_1328x498.png 1272w, https://substackcdn.com/image/fetch/$s_!fOIG!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64df1c0a-6a00-4ae4-b7e9-ddc6c631fb28_1328x498.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fOIG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64df1c0a-6a00-4ae4-b7e9-ddc6c631fb28_1328x498.png" width="1328" height="498" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/64df1c0a-6a00-4ae4-b7e9-ddc6c631fb28_1328x498.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:498,&quot;width&quot;:1328,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:107984,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64df1c0a-6a00-4ae4-b7e9-ddc6c631fb28_1328x498.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!fOIG!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64df1c0a-6a00-4ae4-b7e9-ddc6c631fb28_1328x498.png 424w, https://substackcdn.com/image/fetch/$s_!fOIG!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64df1c0a-6a00-4ae4-b7e9-ddc6c631fb28_1328x498.png 848w, https://substackcdn.com/image/fetch/$s_!fOIG!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64df1c0a-6a00-4ae4-b7e9-ddc6c631fb28_1328x498.png 1272w, https://substackcdn.com/image/fetch/$s_!fOIG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64df1c0a-6a00-4ae4-b7e9-ddc6c631fb28_1328x498.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>Anton Chuvakin published his post-RSA 2026 analysis and the title captures it perfectly. We have an agentic future running on analog fundamentals, and the old guard still survives because most organizations cannot do the basics. Anton&#8217;s observation that vendors &#8220;spray paint AI&#8221; onto 2021 marketing materials tracks directly with Malcolm Harkins&#8217; reflections from last week. </p><p>The more interesting insight is that buyer expertise has never mattered more. Organizations that cannot distinguish genuine innovation from rebranding exercises will get taken for a ride, and the fundamentals still determine whether any of this new technology actually delivers value.</p><h3><a href="https://www.lennysnewsletter.com/p/an-ai-state-of-the-union">An AI State of the Union</a></h3><div id="youtube2-wc8FBhQtdsA" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;wc8FBhQtdsA&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/wc8FBhQtdsA?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>Lenny Rachitsky interviewed Simon Willison for an AI state of the union, and the central insight is that November 2025 was the inflection point. 
Before GPT 5.1 and Claude Opus 4.5, AI-generated code &#8220;mostly worked but required close attention.&#8221; After, it &#8220;almost always does what you told it to do.&#8221; </p><p>That capability shift changes the economics of software development fundamentally. Projects that required hundreds of engineers can now be done by tens, and work that took months now takes days. Simon&#8217;s analysis also surfaces the inverse problem, which is that humans cannot review code at the speed agents produce it. This feeds directly into the NYT article below and the broader vulnerability remediation challenge I wrote about in Vulnpocalypse.</p><h3><a href="https://www.a16z.news/p/ai-adoption-by-the-numbers">a16z AI Adoption by the Numbers</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!uCUr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8ec86f16-5f1b-4126-b858-5ad6b0d58641_1418x1080.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!uCUr!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8ec86f16-5f1b-4126-b858-5ad6b0d58641_1418x1080.png 424w, https://substackcdn.com/image/fetch/$s_!uCUr!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8ec86f16-5f1b-4126-b858-5ad6b0d58641_1418x1080.png 848w, https://substackcdn.com/image/fetch/$s_!uCUr!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8ec86f16-5f1b-4126-b858-5ad6b0d58641_1418x1080.png 1272w, 
https://substackcdn.com/image/fetch/$s_!uCUr!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8ec86f16-5f1b-4126-b858-5ad6b0d58641_1418x1080.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!uCUr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8ec86f16-5f1b-4126-b858-5ad6b0d58641_1418x1080.png" width="591" height="450.12693935119887" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8ec86f16-5f1b-4126-b858-5ad6b0d58641_1418x1080.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1080,&quot;width&quot;:1418,&quot;resizeWidth&quot;:591,&quot;bytes&quot;:324321,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8ec86f16-5f1b-4126-b858-5ad6b0d58641_1418x1080.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!uCUr!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8ec86f16-5f1b-4126-b858-5ad6b0d58641_1418x1080.png 424w, https://substackcdn.com/image/fetch/$s_!uCUr!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8ec86f16-5f1b-4126-b858-5ad6b0d58641_1418x1080.png 848w, 
https://substackcdn.com/image/fetch/$s_!uCUr!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8ec86f16-5f1b-4126-b858-5ad6b0d58641_1418x1080.png 1272w, https://substackcdn.com/image/fetch/$s_!uCUr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8ec86f16-5f1b-4126-b858-5ad6b0d58641_1418x1080.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>Andreessen Horowitz published comprehensive adoption data that reinforces how far AI has moved from early adopter to mainstream 
infrastructure. OpenAI holds 85% adoption in mid-market and enterprise, while Anthropic has climbed to roughly 55%. ChatGPT now has 900 million weekly active users, and 81% of enterprises use three or more model families in testing or production. </p><p>The generational spending data is particularly striking, with Gen Z AI spending up 55% in under a year. Singapore, the UAE, Hong Kong, and South Korea lead per capita adoption, while the US sits at 20th. If you are still building your AI strategy around the assumption that this is an emerging technology, the data says otherwise.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ktJF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb10ec2b1-38d5-4b6d-b02b-7b625ba3c0d4_1096x1082.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ktJF!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb10ec2b1-38d5-4b6d-b02b-7b625ba3c0d4_1096x1082.png 424w, https://substackcdn.com/image/fetch/$s_!ktJF!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb10ec2b1-38d5-4b6d-b02b-7b625ba3c0d4_1096x1082.png 848w, https://substackcdn.com/image/fetch/$s_!ktJF!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb10ec2b1-38d5-4b6d-b02b-7b625ba3c0d4_1096x1082.png 1272w, https://substackcdn.com/image/fetch/$s_!ktJF!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb10ec2b1-38d5-4b6d-b02b-7b625ba3c0d4_1096x1082.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!ktJF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb10ec2b1-38d5-4b6d-b02b-7b625ba3c0d4_1096x1082.png" width="559" height="551.8594890510949" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b10ec2b1-38d5-4b6d-b02b-7b625ba3c0d4_1096x1082.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1082,&quot;width&quot;:1096,&quot;resizeWidth&quot;:559,&quot;bytes&quot;:275427,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb10ec2b1-38d5-4b6d-b02b-7b625ba3c0d4_1096x1082.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ktJF!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb10ec2b1-38d5-4b6d-b02b-7b625ba3c0d4_1096x1082.png 424w, https://substackcdn.com/image/fetch/$s_!ktJF!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb10ec2b1-38d5-4b6d-b02b-7b625ba3c0d4_1096x1082.png 848w, https://substackcdn.com/image/fetch/$s_!ktJF!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb10ec2b1-38d5-4b6d-b02b-7b625ba3c0d4_1096x1082.png 1272w, 
https://substackcdn.com/image/fetch/$s_!ktJF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb10ec2b1-38d5-4b6d-b02b-7b625ba3c0d4_1096x1082.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!moIs!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97ca5c6b-8146-4d4b-8503-08314dd0808c_1238x1084.png" data-component-name="Image2ToDOM"><div 
class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!moIs!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97ca5c6b-8146-4d4b-8503-08314dd0808c_1238x1084.png 424w, https://substackcdn.com/image/fetch/$s_!moIs!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97ca5c6b-8146-4d4b-8503-08314dd0808c_1238x1084.png 848w, https://substackcdn.com/image/fetch/$s_!moIs!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97ca5c6b-8146-4d4b-8503-08314dd0808c_1238x1084.png 1272w, https://substackcdn.com/image/fetch/$s_!moIs!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97ca5c6b-8146-4d4b-8503-08314dd0808c_1238x1084.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!moIs!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97ca5c6b-8146-4d4b-8503-08314dd0808c_1238x1084.png" width="563" height="492.96607431340874" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/97ca5c6b-8146-4d4b-8503-08314dd0808c_1238x1084.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1084,&quot;width&quot;:1238,&quot;resizeWidth&quot;:563,&quot;bytes&quot;:226155,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97ca5c6b-8146-4d4b-8503-08314dd0808c_1238x1084.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!moIs!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97ca5c6b-8146-4d4b-8503-08314dd0808c_1238x1084.png 424w, https://substackcdn.com/image/fetch/$s_!moIs!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97ca5c6b-8146-4d4b-8503-08314dd0808c_1238x1084.png 848w, https://substackcdn.com/image/fetch/$s_!moIs!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97ca5c6b-8146-4d4b-8503-08314dd0808c_1238x1084.png 1272w, https://substackcdn.com/image/fetch/$s_!moIs!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97ca5c6b-8146-4d4b-8503-08314dd0808c_1238x1084.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><h3><a href="https://steve-yegge.medium.com/the-ai-vampire-eda6e4f07163">Steve Yegge on the AI Vampire</a></h3><p>Steve Yegge published one of the more unsettling pieces on AI-assisted work. His argument is that AI makes workers 10x more productive, but companies capture 100% of the productivity gains while workers bear the cognitive and physical toll. </p><p>Yegge reports experiencing sudden &#8220;nap attacks&#8221; and massive fatigue after long sessions of AI-assisted coding, and he advocates for 3-4 hour workdays as the sustainable pace. This connects to a theme I have been tracking about the difference between what AI enables and what organizations demand. The scaffolding work is going away, but the thinking work is denser and more exhausting. 
Security practitioners, who already deal with burnout as a persistent problem, need to pay attention to this signal.</p><h3><a href="https://www.wsj.com/tech/ai/the-decadelong-feud-shaping-the-future-of-ai-7075acde">The Decade-Long Feud Shaping the Future of AI</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3n97!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf090f57-07d4-4518-812f-0d7507b58e6b_1524x1060.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!3n97!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf090f57-07d4-4518-812f-0d7507b58e6b_1524x1060.png 424w, https://substackcdn.com/image/fetch/$s_!3n97!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf090f57-07d4-4518-812f-0d7507b58e6b_1524x1060.png 848w, https://substackcdn.com/image/fetch/$s_!3n97!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf090f57-07d4-4518-812f-0d7507b58e6b_1524x1060.png 1272w, https://substackcdn.com/image/fetch/$s_!3n97!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf090f57-07d4-4518-812f-0d7507b58e6b_1524x1060.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!3n97!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf090f57-07d4-4518-812f-0d7507b58e6b_1524x1060.png" width="562" height="391.00686813186815" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bf090f57-07d4-4518-812f-0d7507b58e6b_1524x1060.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1013,&quot;width&quot;:1456,&quot;resizeWidth&quot;:562,&quot;bytes&quot;:1934336,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf090f57-07d4-4518-812f-0d7507b58e6b_1524x1060.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!3n97!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf090f57-07d4-4518-812f-0d7507b58e6b_1524x1060.png 424w, https://substackcdn.com/image/fetch/$s_!3n97!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf090f57-07d4-4518-812f-0d7507b58e6b_1524x1060.png 848w, https://substackcdn.com/image/fetch/$s_!3n97!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf090f57-07d4-4518-812f-0d7507b58e6b_1524x1060.png 1272w, https://substackcdn.com/image/fetch/$s_!3n97!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf090f57-07d4-4518-812f-0d7507b58e6b_1524x1060.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>The Wall Street Journal profiled the personal rivalry between Sam Altman and Dario Amodei, and why it matters for AI policy. Amodei has escalated public attacks on Altman, including comparing a legal dispute to a fight between Hitler and Stalin and calling a pro-Trump PAC donation &#8220;evil.&#8221; </p><p>The feud has material consequences, with OpenAI pursuing classified DoD work while Anthropic sued the Trump administration over the Pentagon ban I covered extensively in issues #88 and #91. 
AI governance at the frontier is increasingly shaped by personal history between a handful of lab leaders, which is not a stable foundation for national security policy.</p><h3><a href="https://www.svb.com/trends-insights/reports/state-of-the-markets-report/">SVB State of the Markets H1 2026</a></h3><p>Silicon Valley Bank released its H1 2026 State of the Markets report, and the data reveals an extreme bifurcation. In 2025, $340 billion flowed into US VC-backed companies, the second-highest year ever. </p><p>The top 1% of companies captured a third of all capital while the bottom 50% received just 7%. Deal count fell 15% year-over-year while dollars invested jumped 53%. Post-raise burn rates increased 50% and revenue growth increased 75%. SVB calls this the &#8220;surgical&#8221; phase, defined by fewer deals, bigger checks, and conviction concentrated at the top. For cybersecurity founders, the message is clear. You either have an AI-native story that resonates or you are fighting for scraps.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!tuxz!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda50f80-cc40-44c1-aa24-ae94d4f04bda_2320x1156.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!tuxz!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda50f80-cc40-44c1-aa24-ae94d4f04bda_2320x1156.png 424w, https://substackcdn.com/image/fetch/$s_!tuxz!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda50f80-cc40-44c1-aa24-ae94d4f04bda_2320x1156.png 848w, 
https://substackcdn.com/image/fetch/$s_!tuxz!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda50f80-cc40-44c1-aa24-ae94d4f04bda_2320x1156.png 1272w, https://substackcdn.com/image/fetch/$s_!tuxz!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda50f80-cc40-44c1-aa24-ae94d4f04bda_2320x1156.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!tuxz!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda50f80-cc40-44c1-aa24-ae94d4f04bda_2320x1156.png" width="1456" height="725" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/eda50f80-cc40-44c1-aa24-ae94d4f04bda_2320x1156.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:725,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:484865,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda50f80-cc40-44c1-aa24-ae94d4f04bda_2320x1156.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!tuxz!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda50f80-cc40-44c1-aa24-ae94d4f04bda_2320x1156.png 424w, 
https://substackcdn.com/image/fetch/$s_!tuxz!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda50f80-cc40-44c1-aa24-ae94d4f04bda_2320x1156.png 848w, https://substackcdn.com/image/fetch/$s_!tuxz!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda50f80-cc40-44c1-aa24-ae94d4f04bda_2320x1156.png 1272w, https://substackcdn.com/image/fetch/$s_!tuxz!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feda50f80-cc40-44c1-aa24-ae94d4f04bda_2320x1156.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h3><a href="https://static1.squarespace.com/static/635693acf15a3e2a14a56a4a/t/69cbb9d509ada447b6d9013f/1774959061185/forecasting-the-economic-effects-of-ai.pdf">Forecasting the Economic Effects of AI</a></h3><p>A large-scale forecasting study from the Forecasting Research Institute, Federal Reserve Bank of Chicago, Yale, Stanford, and Penn surveyed 69 leading economists, 52 AI experts, 38 superforecasters, and 401 general public members. </p><p>Their consensus forecast puts a 14% probability on AI progress matching the &#8220;rapid scenario&#8221; by 2030, which would include AI outperforming humans at many tasks and robots performing most in-home and industrial work. Under that scenario, the labor force participation rate drops by 7 percentage points by 2050. Even the slow scenario shows meaningful disruption. Security workforce planning should account for multiple scenarios, because the traditional career paths in our field are going to shift dramatically.</p><h3><a href="https://newsletter.pragmaticengineer.com/p/the-pulse-industry-leaders-return">The Pragmatic Engineer on Industry Leaders Returning to Code</a></h3><p>Gergely Orosz observed that C-level executives like Mark Zuckerberg and Garry Tan are returning to hands-on coding, enabled by AI development tools. This is a meaningful cultural shift. </p><p>Technical founders who stepped away from the keyboard years ago are coming back, because AI has compressed the time required to build things.
I suspect we will see the same dynamic play out in security leadership, with CISOs and Field CISOs getting more hands-on with tooling through natural language interfaces to complex security operations.</p><h3><a href="https://www.govnavigators.com/the-govnavigators-show/episode-151">Gov Navigators on AI and Federal Policy</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!UssF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f672ff6-33dd-46bc-9a17-6b06c65485b1_2106x856.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!UssF!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f672ff6-33dd-46bc-9a17-6b06c65485b1_2106x856.png 424w, https://substackcdn.com/image/fetch/$s_!UssF!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f672ff6-33dd-46bc-9a17-6b06c65485b1_2106x856.png 848w, https://substackcdn.com/image/fetch/$s_!UssF!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f672ff6-33dd-46bc-9a17-6b06c65485b1_2106x856.png 1272w, https://substackcdn.com/image/fetch/$s_!UssF!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f672ff6-33dd-46bc-9a17-6b06c65485b1_2106x856.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!UssF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f672ff6-33dd-46bc-9a17-6b06c65485b1_2106x856.png" width="1456" height="592" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5f672ff6-33dd-46bc-9a17-6b06c65485b1_2106x856.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:592,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:273673,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f672ff6-33dd-46bc-9a17-6b06c65485b1_2106x856.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!UssF!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f672ff6-33dd-46bc-9a17-6b06c65485b1_2106x856.png 424w, https://substackcdn.com/image/fetch/$s_!UssF!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f672ff6-33dd-46bc-9a17-6b06c65485b1_2106x856.png 848w, https://substackcdn.com/image/fetch/$s_!UssF!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f672ff6-33dd-46bc-9a17-6b06c65485b1_2106x856.png 1272w, https://substackcdn.com/image/fetch/$s_!UssF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5f672ff6-33dd-46bc-9a17-6b06c65485b1_2106x856.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The latest Gov Navigators episode covers federal AI policy developments at a pivotal moment. With the Anthropic injunction, California&#8217;s executive order, and the broader regulatory collision I have been tracking since issues #88 and #91, federal-level AI governance is increasingly fragmented. For cybersecurity practitioners working with government agencies, the policy uncertainty is itself becoming a risk factor.</p><p>This episode breaks down the evolution FedRAMP is undergoing under the leadership of Pete Waterman and has implications for SaaS and software companies looking to work with the U.S.
government.</p><h3><a href="https://podcasts.apple.com/us/podcast/the-twenty-minute-vc-20vc-venture-capital-startup/id958230465?i=1000759991057">20VC Podcast on Venture and AI</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!NWov!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ad00f1e-f21d-4b64-b60d-cf7cbc46b775_2146x600.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!NWov!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ad00f1e-f21d-4b64-b60d-cf7cbc46b775_2146x600.png 424w, https://substackcdn.com/image/fetch/$s_!NWov!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ad00f1e-f21d-4b64-b60d-cf7cbc46b775_2146x600.png 848w, https://substackcdn.com/image/fetch/$s_!NWov!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ad00f1e-f21d-4b64-b60d-cf7cbc46b775_2146x600.png 1272w, https://substackcdn.com/image/fetch/$s_!NWov!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ad00f1e-f21d-4b64-b60d-cf7cbc46b775_2146x600.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!NWov!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ad00f1e-f21d-4b64-b60d-cf7cbc46b775_2146x600.png" width="1456" height="407" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4ad00f1e-f21d-4b64-b60d-cf7cbc46b775_2146x600.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:407,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:669040,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ad00f1e-f21d-4b64-b60d-cf7cbc46b775_2146x600.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!NWov!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ad00f1e-f21d-4b64-b60d-cf7cbc46b775_2146x600.png 424w, https://substackcdn.com/image/fetch/$s_!NWov!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ad00f1e-f21d-4b64-b60d-cf7cbc46b775_2146x600.png 848w, https://substackcdn.com/image/fetch/$s_!NWov!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ad00f1e-f21d-4b64-b60d-cf7cbc46b775_2146x600.png 1272w, https://substackcdn.com/image/fetch/$s_!NWov!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ad00f1e-f21d-4b64-b60d-cf7cbc46b775_2146x600.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Harry Stebbings&#8217; latest episode continues his excellent coverage of how AI is reshaping venture capital, startup formation, and investment thesis construction. Recent episodes have covered SpaceX&#8217;s acquisition of xAI and 2026 SaaS market dynamics, which connect directly to the broader SaaSpocalypse narrative I have been tracking since issue #85.
</p><p>This episode is with industry leader Demis Hassabis of Google&#8217;s DeepMind and it was interesting to hear where he sees AI heading, and also discussions related to capital and markets.</p><div><hr></div><h2>AI</h2><h3><a href="https://www.anthropic.com/glasswing">Anthropic Announces Project Glasswing</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!EERJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57f41c5f-9a2f-4dc1-b346-b25a40dcf6ea_2220x680.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!EERJ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57f41c5f-9a2f-4dc1-b346-b25a40dcf6ea_2220x680.png 424w, https://substackcdn.com/image/fetch/$s_!EERJ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57f41c5f-9a2f-4dc1-b346-b25a40dcf6ea_2220x680.png 848w, https://substackcdn.com/image/fetch/$s_!EERJ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57f41c5f-9a2f-4dc1-b346-b25a40dcf6ea_2220x680.png 1272w, https://substackcdn.com/image/fetch/$s_!EERJ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57f41c5f-9a2f-4dc1-b346-b25a40dcf6ea_2220x680.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!EERJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57f41c5f-9a2f-4dc1-b346-b25a40dcf6ea_2220x680.png" width="1456" height="446" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/57f41c5f-9a2f-4dc1-b346-b25a40dcf6ea_2220x680.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:446,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1182195,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57f41c5f-9a2f-4dc1-b346-b25a40dcf6ea_2220x680.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!EERJ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57f41c5f-9a2f-4dc1-b346-b25a40dcf6ea_2220x680.png 424w, https://substackcdn.com/image/fetch/$s_!EERJ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57f41c5f-9a2f-4dc1-b346-b25a40dcf6ea_2220x680.png 848w, https://substackcdn.com/image/fetch/$s_!EERJ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57f41c5f-9a2f-4dc1-b346-b25a40dcf6ea_2220x680.png 1272w, https://substackcdn.com/image/fetch/$s_!EERJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57f41c5f-9a2f-4dc1-b346-b25a40dcf6ea_2220x680.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>This is the biggest AI security announcement of the year so far. Anthropic launched Project Glasswing, a $100 million initiative backed by a coalition including Amazon, Apple, Broadcom, Cisco, CrowdStrike, the Linux Foundation, Microsoft, and Palo Alto Networks. The goal is to apply a new frontier model called Claude Mythos Preview to finding and fixing critical software vulnerabilities at scale. More than 40 additional organizations have been granted access to scan first-party and open-source systems.
Anthropic is committing $100 million in model usage credits to fund the research.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xkGc!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feee434b6-77ca-4b34-a5c0-79fc878e74ca_1452x628.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!xkGc!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feee434b6-77ca-4b34-a5c0-79fc878e74ca_1452x628.png 424w, https://substackcdn.com/image/fetch/$s_!xkGc!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feee434b6-77ca-4b34-a5c0-79fc878e74ca_1452x628.png 848w, https://substackcdn.com/image/fetch/$s_!xkGc!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feee434b6-77ca-4b34-a5c0-79fc878e74ca_1452x628.png 1272w, https://substackcdn.com/image/fetch/$s_!xkGc!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feee434b6-77ca-4b34-a5c0-79fc878e74ca_1452x628.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!xkGc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feee434b6-77ca-4b34-a5c0-79fc878e74ca_1452x628.png" width="1452" height="628" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/eee434b6-77ca-4b34-a5c0-79fc878e74ca_1452x628.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:628,&quot;width&quot;:1452,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:85108,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feee434b6-77ca-4b34-a5c0-79fc878e74ca_1452x628.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!xkGc!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feee434b6-77ca-4b34-a5c0-79fc878e74ca_1452x628.png 424w, https://substackcdn.com/image/fetch/$s_!xkGc!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feee434b6-77ca-4b34-a5c0-79fc878e74ca_1452x628.png 848w, https://substackcdn.com/image/fetch/$s_!xkGc!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feee434b6-77ca-4b34-a5c0-79fc878e74ca_1452x628.png 1272w, https://substackcdn.com/image/fetch/$s_!xkGc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feee434b6-77ca-4b34-a5c0-79fc878e74ca_1452x628.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>What makes this significant is not the money, but the capability. As <a href="https://red.anthropic.com/2026/mythos-preview/">Anthropic&#8217;s red team detailed</a>, Mythos has found tens of thousands of vulnerabilities in real open-source codebases, including critical bugs in every major operating system and web browser. Some of these vulnerabilities are believed to be decades old. The model not only finds issues but writes working proof-of-concept exploits and reverse-engineers closed-source software. Anthropic has withheld broader public access specifically because of the offensive potential. This is one of the first major instances of capability-based access controls being applied to a frontier AI model.</p><p>I have a lot of thoughts on this, and I discuss it at length in my Vulnpocalypse piece.
The short version is that Glasswing validates everything I have been writing about the vulnerability research race. AI has crossed a capability threshold where defenders now have a real advantage, but only if they can coordinate faster than adversaries. Coalitions like Glasswing are exactly what needs to happen if we want to win the remediation race. This is also the kind of defensive mobilization that Project Zero and OSSF have been calling for, and it is encouraging to see an AI lab put serious money and capability behind it.</p><div id="youtube2-INGOC6-LLv0" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;INGOC6-LLv0&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/INGOC6-LLv0?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h3><a href="https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/">Vulnerability Research Is Cooked</a></h3><p>Thomas Ptacek made the case bluntly, and I largely agree. Within months, autonomous coding agents will drastically alter the economics of vulnerability research and exploit development. Ptacek argues that &#8220;most high-impact vulnerability research&#8221; will soon happen by &#8220;pointing an agent at a source tree and typing find me zero days.&#8221; </p><p>The traditional profession of human vulnerability research faces existential disruption. This piece, combined with the Glasswing announcement, is the reason I wrote Vulnpocalypse this week. The question is not whether AI can find vulnerabilities. That question has been answered. 
The question is whether we can build the institutional capacity to remediate them at AI speed.</p><h3><a href="https://datatracker.ietf.org/doc/draft-hardt-aauth-protocol/">AAuth Agentic Identity from Dick Hardt</a></h3><p>This is the biggest Agentic Identity development I have seen all year, and it deserves serious attention. Dick Hardt, co-author of OAuth 2.0, published the AAuth draft spec, which is evolving into an IETF internet draft as the Agentic Authorization OAuth 2.1 Extension. The design principles are a complete rethink of authentication for AI agents: no bearer tokens, progressive authentication from pseudonymous to full identity plus authorization, cryptographic agent identity and delegation, resource challenges, deferred and asynchronous auth grants, cross-service token exchange, and message signing.</p><p>Christian Posta is already building <a href="https://www.linkedin.com/posts/ceposta_aauth-aauth-agent-activity-7445132804163731458-JC0B">practical implementations of AAuth</a>, including extending Keycloak with SPI support and modifying agentgateway to handle message and identity verification. This is moving from theory to production-ready infrastructure at a pace I did not expect.</p><h3><a href="https://notes.karlmcguinness.com/notes/agents-dont-need-your-passport-they-need-your-authority/">Karl McGuinness on Agents Needing Authority Not Passports</a></h3><p>Karl McGuinness at Okta wrote the clearest philosophical framing of agentic identity I have seen. His core argument is that agents do not need identity passports telling the world who they are. They need authority grants telling the world what they can do. The distinction matters enormously for how we architect agent security. Identity-first models focus on authentication and impersonation. Authority-first models focus on capability, delegation, and least privilege. For those following my work on the OWASP NHI Top 10 and my writing on non-human identity, this is exactly the right framing.
Karl also published a complementary piece on <a href="https://www.linkedin.com/pulse/mission-shaping-karl-mcguinness-cgbac/">mission shaping</a> that extends the thinking into how agents should interpret and constrain their objectives.</p><p>Taken together, AAuth and Karl&#8217;s writing represent the first credible attempt to build agentic identity infrastructure from first principles. <span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Ken Huang&quot;,&quot;id&quot;:1160339,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3d670301-204b-472e-a2ee-bbb1b7633a99_2026x2026.png&quot;,&quot;uuid&quot;:&quot;8b3e26fc-8abb-4451-b19a-bb0b3e28c156&quot;}" data-component-name="MentionToDOM">Ken Huang</span> and I discussed many of these themes in <em>Securing AI Agents</em>, and it is encouraging to see the standards work catching up with the conceptual work.</p><h3><a href="https://www.wsj.com/tech/ai/anthropic-races-to-contain-leak-of-code-behind-claude-ai-agent-4bc5acc7">Anthropic Races to Contain the Claude Code Leak</a></h3><p>The Wall Street Journal covered the Claude Code source code leak in detail. On March 31, Anthropic &#8220;accidentally&#8221; published the entire source map for Claude Code through an npm release, exposing 512,000 lines of code across 1,906 TypeScript files. Claude Code is a $2.5 billion run-rate product, so this was not a small slip. Anthropic initially issued over 8,000 DMCA takedowns on GitHub before narrowing the effort to 96. The company characterized it as a release packaging issue caused by human error, not a security breach, and no customer data or credentials were exposed.</p><p>The <a href="https://www.thedeepview.com/articles/understanding-the-claude-code-leak-fallout">Deep View&#8217;s follow-up analysis</a> dug into the fallout. Within hours of the leak, attackers had begun weaponizing the exposed architecture.
Squatted Anthropic package names appeared on npm, weaponized repositories showed up on GitHub and underground forums, and researchers quickly identified prompt injection vectors that bypassed Claude Code&#8217;s deny rules. The leak provided a complete operational blueprint for how Claude Code enforces permissions, which accelerated the timeline for every downstream attack we have seen this week.</p><h3><a href="https://blogs.cisco.com/ai/identifying-and-remediating-a-persistent-memory-compromise-in-claude-code">Cisco Identifies Persistent Memory Compromise in Claude Code</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!rIe4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b986b6-fa2e-4284-b526-9a28001577be_2386x468.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!rIe4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b986b6-fa2e-4284-b526-9a28001577be_2386x468.png 424w, https://substackcdn.com/image/fetch/$s_!rIe4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b986b6-fa2e-4284-b526-9a28001577be_2386x468.png 848w, https://substackcdn.com/image/fetch/$s_!rIe4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b986b6-fa2e-4284-b526-9a28001577be_2386x468.png 1272w, https://substackcdn.com/image/fetch/$s_!rIe4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b986b6-fa2e-4284-b526-9a28001577be_2386x468.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!rIe4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b986b6-fa2e-4284-b526-9a28001577be_2386x468.png" width="1456" height="286" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/21b986b6-fa2e-4284-b526-9a28001577be_2386x468.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:286,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:666329,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b986b6-fa2e-4284-b526-9a28001577be_2386x468.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!rIe4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b986b6-fa2e-4284-b526-9a28001577be_2386x468.png 424w, https://substackcdn.com/image/fetch/$s_!rIe4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b986b6-fa2e-4284-b526-9a28001577be_2386x468.png 848w, https://substackcdn.com/image/fetch/$s_!rIe4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b986b6-fa2e-4284-b526-9a28001577be_2386x468.png 1272w, https://substackcdn.com/image/fetch/$s_!rIe4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F21b986b6-fa2e-4284-b526-9a28001577be_2386x468.png 1456w" 
sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p></p><p>Idan Habler and Amy Chang at Cisco published research on a persistent memory compromise vector in Claude Code. The attack works by poisoning the MEMORY.md files that Claude reads from the user&#8217;s home directory and project folders. Because Claude treats these memory files as authoritative system-level instructions, an attacker who can write to them can reframe the agent&#8217;s behavior in ways that persist across sessions, projects, and even reboots. </p><p>Anthropic mitigated the System Prompt Override vector in Claude Code v2.1.50, but the underlying tension remains. AI agents conflate user intent with system instruction in ways that traditional operating systems deliberately separate. This is exactly the kind of architectural issue that the OWASP Agentic Top 10 tries to address, particularly around Tool Misuse and Agent Goal Hijack.</p><h3><a href="https://www.straiker.ai/blog/nomshub-cursor-remote-tunneling-sandbox-breakout">Straiker Demonstrates Cursor Sandbox Breakout</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Aq6H!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F919462c4-c435-49bd-b293-e55990a10afc_1230x534.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Aq6H!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F919462c4-c435-49bd-b293-e55990a10afc_1230x534.png 424w, https://substackcdn.com/image/fetch/$s_!Aq6H!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F919462c4-c435-49bd-b293-e55990a10afc_1230x534.png 848w, 
https://substackcdn.com/image/fetch/$s_!Aq6H!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F919462c4-c435-49bd-b293-e55990a10afc_1230x534.png 1272w, https://substackcdn.com/image/fetch/$s_!Aq6H!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F919462c4-c435-49bd-b293-e55990a10afc_1230x534.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Aq6H!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F919462c4-c435-49bd-b293-e55990a10afc_1230x534.png" width="1230" height="534" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/919462c4-c435-49bd-b293-e55990a10afc_1230x534.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:534,&quot;width&quot;:1230,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:994774,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F919462c4-c435-49bd-b293-e55990a10afc_1230x534.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Aq6H!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F919462c4-c435-49bd-b293-e55990a10afc_1230x534.png 424w, 
https://substackcdn.com/image/fetch/$s_!Aq6H!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F919462c4-c435-49bd-b293-e55990a10afc_1230x534.png 848w, https://substackcdn.com/image/fetch/$s_!Aq6H!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F919462c4-c435-49bd-b293-e55990a10afc_1230x534.png 1272w, https://substackcdn.com/image/fetch/$s_!Aq6H!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F919462c4-c435-49bd-b293-e55990a10afc_1230x534.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Straiker published details on NomShub, a vulnerability chain that combines indirect prompt injection with a sandbox escape through shell builtins and Cursor&#8217;s built-in remote tunnel feature. The chain grants persistent, undetected shell access to an attacker who only needs the victim to open a malicious repository. </p><p>The key insight is that Cursor&#8217;s command parser only tracks external executables, making it blind to shell builtins like <code>export</code> and <code>cd</code>. Attackers used those builtins to escape workspace scope, overwrite <code>.zshenv</code>, and establish persistence. Cursor assessed the sandbox breakout as High severity and fixed it in Cursor 3.0. This is the kind of chained exploit that traditional security models completely miss, which is why runtime detection and sandboxing need to assume the agent is already compromised.</p><h3><a href="https://aws.amazon.com/blogs/security/building-ai-defenses-at-scale-before-the-threats-emerge/">AWS Building AI Defenses at Scale Before the Threats Emerge</a></h3><p>AWS published a substantive piece on their philosophy of building defenses before threats emerge. The numbers are striking. AI-powered log analysis has reduced SecOps analysis time from 6 hours to 7 minutes, a 50x improvement. AWS analyzes 400+ trillion network flows daily to detect emerging patterns. </p><p>In 2025 alone, AWS blocked 300+ million attempts to maliciously encrypt files on S3. AWS also partnered with CrowdStrike and NVIDIA to back 35 AI-focused cybersecurity startups through their 2026 accelerator. 
The philosophical point is that reactive security cannot match AI-powered attack speed, and proactive defense needs to be built into the infrastructure layer.</p><h3><a href="https://zenity.io/blog/events/context-engineering-security-engineering">Zenity on Context Engineering Is Security Engineering</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!z4f2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc51d6248-1256-49e1-a34a-0d219f33bf7d_1708x408.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!z4f2!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc51d6248-1256-49e1-a34a-0d219f33bf7d_1708x408.png 424w, https://substackcdn.com/image/fetch/$s_!z4f2!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc51d6248-1256-49e1-a34a-0d219f33bf7d_1708x408.png 848w, https://substackcdn.com/image/fetch/$s_!z4f2!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc51d6248-1256-49e1-a34a-0d219f33bf7d_1708x408.png 1272w, https://substackcdn.com/image/fetch/$s_!z4f2!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc51d6248-1256-49e1-a34a-0d219f33bf7d_1708x408.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!z4f2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc51d6248-1256-49e1-a34a-0d219f33bf7d_1708x408.png" width="1456" height="348" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c51d6248-1256-49e1-a34a-0d219f33bf7d_1708x408.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:348,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:115089,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc51d6248-1256-49e1-a34a-0d219f33bf7d_1708x408.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!z4f2!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc51d6248-1256-49e1-a34a-0d219f33bf7d_1708x408.png 424w, https://substackcdn.com/image/fetch/$s_!z4f2!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc51d6248-1256-49e1-a34a-0d219f33bf7d_1708x408.png 848w, https://substackcdn.com/image/fetch/$s_!z4f2!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc51d6248-1256-49e1-a34a-0d219f33bf7d_1708x408.png 1272w, https://substackcdn.com/image/fetch/$s_!z4f2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc51d6248-1256-49e1-a34a-0d219f33bf7d_1708x408.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p><span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Rock 
Lambros&quot;,&quot;id&quot;:19291360,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/98098048-f975-4577-a2c4-d411bafa8255_1172x1172.png&quot;,&quot;uuid&quot;:&quot;0b85ba09-f03d-45fb-9ad0-3eda28eee77c&quot;}" data-component-name="MentionToDOM">Rock Lambros</span> made an argument I strongly agree with. Context engineering and security engineering are fundamentally inseparable when securing AI agents. Traditional identity and permission controls are not enough because agent behavior depends entirely on what the agent knows, what it is trying to accomplish, and what is happening around it at runtime. </p><p>Zenity introduced Continuous Contextual Security, combining a stateful threat engine with real-time exposure visibility and contextual risk correlation. The key distinction is moving from asking &#8220;is this identity permitted to take this action&#8221; to asking &#8220;does this activity make sense given everything we know about this agent&#8217;s purpose and environment right now.&#8221; </p><h3><a href="https://www.csoonline.com/article/4154222/6-ways-attackers-abuse-ai-services-to-hack-your-business.html">CSO Online on 6 Ways Attackers Abuse AI Services</a></h3><p>CSO Online cataloged six attack vectors abusing AI services, and the list tracks closely with what I have been covering over the past several issues. Malicious MCP servers mimicking legitimate tools. AI platforms used as covert command-and-control channels. </p><p>Public interface manipulation of Copilot and Grok to fetch attacker-controlled URLs. Supply chain poisoning of downstream dependencies in agent workflows. Agent hijacking that abuses legitimate automation and memory features. And exploitation of agent-specific vulnerabilities like memory manipulation and sandbox escapes. 
The collective picture is that AI services dramatically expand attack surface through supply chain integration, autonomy, and persistent state.</p><h3><a href="https://www.a16z.news/p/et-tu-agent-did-you-install-the-backdoor">a16z Et Tu Agent Did You Install the Backdoor</a></h3><p>Andreessen Horowitz published research that I want to highlight because the numbers are genuinely disturbing. A study of 117,000 dependency changes found that AI agents select known-vulnerable dependency versions 50% more often than humans do, and the vulnerable versions AI agents pick are harder to fix. Separately, 20% of AI-recommended packages are fabrications that do not exist, and 43% of hallucinated package names appear consistently across multiple queries. </p><p>Attackers have already begun &#8220;slopsquatting&#8221; these hallucinated names, with one proof-of-concept dummy package accumulating 30,000 downloads in weeks. This is a new attack pattern where attackers do not need to compromise real packages. They compromise what AI thinks packages are and wait for autonomous agents to execute their will. I covered slopsquatting as an emerging risk months ago, but a16z&#8217;s data shows it has arrived in full force.</p><h3><a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6372438">AI Agent Traps Academic Research on Agent Attack Surface</a></h3><p>Franklin, Toma&#353;ev, Jacobs, Leibo, and Osindero published an academic paper cataloging six categories of attacks on AI agents. Content injection traps exploit gaps between human perception and machine parsing. Semantic manipulation traps corrupt agent reasoning. Cognitive state traps target long-term memory and knowledge bases. Behavioral control traps hijack agent capabilities. </p><p>Systemic traps create cascading failures. And human-in-the-loop traps exploit the cognitive biases of human overseers. 
The paper is a useful academic formalization of the attack surface that the OWASP Agentic Top 10 addresses from a practitioner lens. If you want rigorous theoretical grounding for the risks we are seeing in production, this is worth reading.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wjqp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcffa4cb6-4c92-4050-ae80-49d2f07b97ca_503x548.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!wjqp!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcffa4cb6-4c92-4050-ae80-49d2f07b97ca_503x548.png 424w, https://substackcdn.com/image/fetch/$s_!wjqp!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcffa4cb6-4c92-4050-ae80-49d2f07b97ca_503x548.png 848w, https://substackcdn.com/image/fetch/$s_!wjqp!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcffa4cb6-4c92-4050-ae80-49d2f07b97ca_503x548.png 1272w, https://substackcdn.com/image/fetch/$s_!wjqp!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcffa4cb6-4c92-4050-ae80-49d2f07b97ca_503x548.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!wjqp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcffa4cb6-4c92-4050-ae80-49d2f07b97ca_503x548.png" width="503" height="548" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cffa4cb6-4c92-4050-ae80-49d2f07b97ca_503x548.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:548,&quot;width&quot;:503,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:140687,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcffa4cb6-4c92-4050-ae80-49d2f07b97ca_503x548.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!wjqp!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcffa4cb6-4c92-4050-ae80-49d2f07b97ca_503x548.png 424w, https://substackcdn.com/image/fetch/$s_!wjqp!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcffa4cb6-4c92-4050-ae80-49d2f07b97ca_503x548.png 848w, https://substackcdn.com/image/fetch/$s_!wjqp!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcffa4cb6-4c92-4050-ae80-49d2f07b97ca_503x548.png 1272w, https://substackcdn.com/image/fetch/$s_!wjqp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcffa4cb6-4c92-4050-ae80-49d2f07b97ca_503x548.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h3><a href="https://magazine.sebastianraschka.com/p/components-of-a-coding-agent">Sebastian Raschka on the Components of a Coding Agent</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Mr1R!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0037c53b-5441-43df-a5c1-8965d00ee257_748x441.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Mr1R!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0037c53b-5441-43df-a5c1-8965d00ee257_748x441.png 424w, 
https://substackcdn.com/image/fetch/$s_!Mr1R!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0037c53b-5441-43df-a5c1-8965d00ee257_748x441.png 848w, https://substackcdn.com/image/fetch/$s_!Mr1R!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0037c53b-5441-43df-a5c1-8965d00ee257_748x441.png 1272w, https://substackcdn.com/image/fetch/$s_!Mr1R!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0037c53b-5441-43df-a5c1-8965d00ee257_748x441.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Mr1R!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0037c53b-5441-43df-a5c1-8965d00ee257_748x441.png" width="748" height="441" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0037c53b-5441-43df-a5c1-8965d00ee257_748x441.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:441,&quot;width&quot;:748,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:124591,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0037c53b-5441-43df-a5c1-8965d00ee257_748x441.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Mr1R!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0037c53b-5441-43df-a5c1-8965d00ee257_748x441.png 
424w, https://substackcdn.com/image/fetch/$s_!Mr1R!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0037c53b-5441-43df-a5c1-8965d00ee257_748x441.png 848w, https://substackcdn.com/image/fetch/$s_!Mr1R!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0037c53b-5441-43df-a5c1-8965d00ee257_748x441.png 1272w, https://substackcdn.com/image/fetch/$s_!Mr1R!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0037c53b-5441-43df-a5c1-8965d00ee257_748x441.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Sebastian Raschka published a clear technical breakdown of the six building blocks of effective coding agents, organized around a three-layer architecture of model family, agent loop, and runtime supports. The agent loop itself cycles through observe, inspect, choose, and act. </p><p>The security implication that jumps out at me is that each layer creates distinct attack surface. The model is subject to prompt injection and jailbreaks. The agent loop is vulnerable to goal hijacking and tool misuse. The runtime supports introduce supply chain, sandbox, and identity risks. You cannot secure a coding agent by hardening only one layer, which is why defense-in-depth matters so much in this context.</p><h3><a href="https://unprompted.wr.vc/">Unprompted 2026 AI Security Conference</a></h3><p>White Rabbit VC published the full archive of Unprompted 2026, their AI security practitioner conference. 55 talks and 105,000 words of analysis across two days in San Francisco covering AI-powered vulnerability finding, AI in security operations, threat hunting, and policy. </p><p>The existence of a dedicated conference with this kind of depth signals that &#8220;AI security&#8221; has matured into a distinct discipline with its own professional community. 
Worth bookmarking for the depth of practitioner content.</p><div><hr></div><h2>AppSec</h2><h3><a href="https://www.resilientcyber.io/p/vulnpocalypse-ai-open-source-and">Vulnpocalypse AI, Open Source, and the Race to Remediate</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!lCNE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313ececa-5a08-41c6-ade4-3b714ff57a8c_1079x599.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!lCNE!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313ececa-5a08-41c6-ade4-3b714ff57a8c_1079x599.png 424w, https://substackcdn.com/image/fetch/$s_!lCNE!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313ececa-5a08-41c6-ade4-3b714ff57a8c_1079x599.png 848w, https://substackcdn.com/image/fetch/$s_!lCNE!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313ececa-5a08-41c6-ade4-3b714ff57a8c_1079x599.png 1272w, https://substackcdn.com/image/fetch/$s_!lCNE!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313ececa-5a08-41c6-ade4-3b714ff57a8c_1079x599.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!lCNE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313ececa-5a08-41c6-ade4-3b714ff57a8c_1079x599.png" width="1079" height="599" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/313ececa-5a08-41c6-ade4-3b714ff57a8c_1079x599.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:599,&quot;width&quot;:1079,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1234174,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193582412?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313ececa-5a08-41c6-ade4-3b714ff57a8c_1079x599.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!lCNE!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313ececa-5a08-41c6-ade4-3b714ff57a8c_1079x599.png 424w, https://substackcdn.com/image/fetch/$s_!lCNE!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313ececa-5a08-41c6-ade4-3b714ff57a8c_1079x599.png 848w, https://substackcdn.com/image/fetch/$s_!lCNE!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313ececa-5a08-41c6-ade4-3b714ff57a8c_1079x599.png 1272w, https://substackcdn.com/image/fetch/$s_!lCNE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313ececa-5a08-41c6-ade4-3b714ff57a8c_1079x599.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>This is my own deep dive that I published this week, and I wanted to highlight it in the newsletter because it connects almost every theme we are tracking. AI systems are fundamentally transforming vulnerability research, discovery timelines, and exploitation economics. AISLE identified all 12 CVEs in OpenSSL&#8217;s January 2026 coordinated release. XBOW became HackerOne&#8217;s top-ranked researcher in 2025 and has identified over 1,000 vulnerabilities across companies like AT&amp;T, Epic Games, Ford, and Disney. Anthropic&#8217;s Mythos model has now found tens of thousands of vulnerabilities, many of them decades old.</p><p>The core question I try to answer is whether we can fix the bugs we find before attackers exploit them. The evidence suggests we are losing that race. 
Vulnerability backlogs continue to balloon into the hundreds of thousands or millions for large enterprises. Remediation rates sit at roughly 10% per month. The average MTTR for defenders is 30.6 days while attackers weaponize vulnerabilities in 19.5 days. Now layer on AI-assisted discovery that produces findings at machine speed, and the gap gets worse before it gets better. </p><p>Project Glasswing is exactly the kind of coordinated response we need, but it only works if the remediation side scales with the research side. If you have time for one long read this week, this is where I land on the bigger picture.</p><h3><a href="https://www.nytimes.com/2026/04/06/technology/ai-code-overload.html">The New York Times on the AI Code Overload</a></h3><p>The New York Times captured what every engineering leader I talk to is wrestling with. AI has solved the code production problem and created a code review crisis. Meta CTO Andrew Bosworth said projects that once required hundreds of engineers now need tens, and months of work compress into days. </p><p>The bottleneck has moved from writing code to reviewing and validating it. Cursor has acquired Graphite, and Anthropic and OpenAI have launched AI-powered code review agents. But the fundamental problem remains that humans cannot review everything AI produces. 
This is the single biggest driver of the vulnerability remediation gap I discuss in Vulnpocalypse.</p><h3><a href="https://opensourcemalware.com/blog/axios-compromised">Axios Compromise Full Fallout</a></h3>
<p>Open Source Malware published a thorough writeup of the axios compromise I covered in issue #91. New details have emerged. The attack window was 2 to 3 hours, with an estimated 3 million installations during that time. Microsoft attributed the attack to Sapphire Sleet while Google tracked it as UNC1069, both DPRK-nexus actors. </p><p>The payload was a hidden &#8220;plain-crypto-js@4.2.1&#8221; dependency delivering a cross-platform RAT on macOS, Windows, and Linux through a post-install hook. 
<a href="https://www.elastic.co/security-labs/how-we-caught-the-axios-supply-chain-attack">Elastic Security Labs</a> published their detection writeup showing how AI-powered diff analysis in their automated supply-chain monitoring flagged the malicious versions before widespread execution.</p><p><a href="https://www.stepsecurity.io/blog/behind-the-scenes-how-stepsecurity-detected-and-helped-remediate-the-largest-npm-supply-chain-attack">StepSecurity</a> published their detection story as well, showing how their AI Package Analyst flagged the package as critical before public disclosure. The common thread across both detection stories is that AI-powered analysis is now essential for catching these attacks at the speed they propagate.</p><h3><a href="https://socket.dev/blog/attackers-hunting-high-impact-nodejs-maintainers">Attackers Hunting High-Impact Node.js Maintainers</a></h3><p>Socket.dev published research on a coordinated social engineering campaign targeting high-trust Node.js maintainers. Targets include Lodash, Fastify, buffer, Pino, mocha, Express, and Node.js core. </p><p>The attack playbook involves weeks of rapport building, a scheduled video call, a faked audio error, and then an install prompt for a fake &#8220;fix&#8221; that drops a RAT. The RAT exfiltrates <code>.npmrc</code> tokens, browser cookies, AWS credentials, and keychain contents. With stolen credentials, publishing malicious packages requires no additional authentication bypass. </p><p>The axios compromise appears to have originated from exactly this playbook. Open Source Malware&#8217;s companion <a href="https://opensourcemalware.com/blog/social-engineering-playbook">social engineering playbook</a> writeup breaks down the attacker techniques in detail. 
Maintainers are the weakest link in the open source supply chain, and the attackers have industrialized the social engineering that exploits them.</p><h3><a href="https://blog.pypi.org/posts/2026-04-02-incident-report-litellm-telnyx-supply-chain-attack/">PyPI Incident Report on LiteLLM and Telnyx</a></h3><p>PyPI published the official incident report on the LiteLLM and Telnyx compromises, which started when TeamPCP compromised Trivy via an exposed API token on March 19. LiteLLM versions 1.82.7 and 1.82.8 were published with malware on March 24 and remained live for 40 minutes. Telnyx SDK versions 4.87.1 and 4.87.2 were published on March 27 and were live for approximately 6 hours. </p><p>The Telnyx payload included a three-stage attack with a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor, encrypted with AES-256 plus RSA-4096 session keys. LiteLLM has 97 million monthly downloads. The blast radius across GitHub Actions, Docker Hub, npm, Open VSX, and PyPI demonstrates how a single upstream compromise can cascade across every major package ecosystem.</p><h3><a href="https://github.blog/security/supply-chain-security/a-year-of-open-source-vulnerability-trends-cves-advisories-and-malware/">GitHub&#8217;s Year of Open Source Vulnerability Trends</a></h3>
<p>GitHub published an annual trend report that captures how much the landscape has shifted. CVE records grew 35% year-over-year with 10-16% quarterly growth. GitHub reviewed 4,101 advisories in 2025, which is actually fewer than prior years despite 19% more new vulnerabilities reviewed. </p><p>The report also highlights the Shai-Hulud worm campaign that compromised 700+ npm packages and tens of thousands of repositories, and the TeamPCP Trivy attack (CVE-2026-33634, CVSS 9.4) that cascaded across GitHub Actions, Docker Hub, npm, Open VSX, and PyPI. Perhaps most concerning, 65% of OSV-assigned CVEs lack severity scores in NVD, and 46% would be rated &#8220;High&#8221; if they were properly analyzed. </p><p>The data quality crisis in vulnerability management is accelerating, not improving, and I discuss this at length in Vulnpocalypse.</p><h3><a href="https://www.endorlabs.com/research-report/2026-open-source-malware-research">Endor Labs 2026 Open Source Malware Research</a></h3>
<p>Endor Labs published their 2026 open source malware research report and the headline numbers are staggering. There has been a 14x surge in malware advisories over the past two years. 90% of OSV malware advisories were reported in 2025 alone. 92% of npm account takeovers occurred in 2025. 81% of organizations identify open source malware as a top security priority, but only 21% actually enforce protections. This is the awareness-action gap in stark relief. </p><p>Organizations know the threat is real but lack the coordinated governance, investment, and enforcement to actually address it. The report also highlights fragmented ownership across engineering, AppSec, cloud security, and SOC teams as a key barrier to coordinated response.</p><h3><a href="https://www.linkedin.com/pulse/60-billion-problem-nobodys-fixing-why-package-registries-mulas-p4jhe">The $60 Billion Package Registry Problem</a></h3><p>This analysis puts a dollar figure on the supply chain attack problem. Global losses from software supply chain attacks are projected to reach $60 billion by the end of 2026. Roughly 30% of all data breaches are now linked to third-party or supply chain issues. Over 99% of open source malware targets npm specifically. 
</p><p>The September 2025 attack on 18 npm packages with 2.6 billion weekly downloads, the Shai-Hulud worm hitting 500+ packages, and the cascade we have seen across axios, LiteLLM, Telnyx, and Trivy over the past quarter all point to the same structural issue. The trust model in open source package registries is broken and the cost of inaction is measured in tens of billions.</p><h3><a href="https://github.com/gadievron/raptor">Raptor Autonomous AI Security Research Framework</a></h3><p>Gadi Evron, Daniel Cuthbert, Thomas Dullien, Michael Bargury, and John Cartwright released Raptor, an open source Recursive Autonomous Penetration Testing and Observation Robot. The tool orchestrates offensive and defensive security research and exploitation workflows, including full-lifecycle vulnerability research from discovery through exploitation and patching. </p><p>Raptor runs on top of Claude Code and is MIT licensed. This is the open source expression of exactly what Mythos is doing at Anthropic, and it demonstrates that agentic security research tooling is proliferating rapidly. The same capability that powers Glasswing on the defensive side is now available to anyone with Claude Code access.</p><h3><a href="https://www.linkedin.com/pulse/everyones-blaming-ai-bad-vulnerability-reports-data-oliver-ficorilli-kvoxc">CVE Program Faces an Existential Crisis from AI-Generated Reports</a></h3><p>Oliver Ficorilli at GitHub pulled together the data on AI-generated vulnerability reports and it paints a bleak picture. GitHub saw a 224% increase in vulnerability reports over a 90-day period and had to declare the situation an &#8220;existential crisis.&#8221; </p><p>Data curation now takes 5 to 8 times longer because of the volume of fabricated, hallucinated, and low-quality AI-generated submissions. Some developers report never receiving a valid AI-generated report at all. 
The signal-to-noise ratio in bug bounty platforms has collapsed, and it is threatening the fundamental utility of CVE assignment and coordinated disclosure.</p><h3><a href="https://www.linkedin.com/posts/jgamblin_cve-vulnerabilitymanagement-infosec-activity-7445193615666028545-v8dG">Jerry Gamblin on CVE Data Quality</a></h3>
<p>Jerry Gamblin published updated CVE rejection data showing 1,787 CVEs were rejected in 2025, a 3.58% rejection rate that is consistent with 2024. Jerry has also launched CNAScorecard.org, a public scorecard measuring CVE Numbering Authority data quality, along with Patchthis.app and RogoLabs. </p><p>If you work in vulnerability management, Jerry&#8217;s tools are essential. The consistency of the rejection rate suggests the ecosystem is still functioning despite the AI pressure Oliver documented, but data quality remains a critical unsolved problem.</p><h3><a href="https://www.linkedin.com/posts/danielstenberg_hackerone-activity-7446667043996725249-ZhEU">Daniel Stenberg on Curl and AI Slop</a></h3><p>Daniel Stenberg, the cURL maintainer, has become the clearest voice on the AI slop problem in bug bounty programs. 
Stenberg initially shut down cURL&#8217;s HackerOne bug bounty because of the volume of AI-generated false reports. He now requires HackerOne reports to disclose AI tool usage and has removed monetary rewards from the cURL bug bounty. </p><p>Simultaneously, AI-assisted tools have fixed over 100 cURL bugs. The paradox is real. AI is excellent at finding bugs and terrible at documenting findings, which breaks traditional bug bounty workflows at a fundamental level. We need new models for how human researchers, AI tools, and maintainers collaborate.</p><h3><a href="https://pulse.latio.tech/p/ai-code-security-enterprise-governance">Latio 2026 AI Code Security Enterprise Governance</a></h3>
<p>James Berthoty at Latio published the 2026 AI Code Security Enterprise Governance report. The headline is that application security is in crisis as AI changes scanner capabilities and developer workflows. AppSec and AI-first development security are becoming inseparable. 
Enterprises are investing in governance specifically for AI-generated code security, with focus areas including rules management, context injection, and MCP supply chain protection. </p><p>The market is shifting from standalone ASPM to broader code-to-cloud CTEM platforms, and interest in AI pentesting capabilities is accelerating. This tracks with the NYT article on code overload and the broader challenge of scaling review to match AI generation speed.</p><h3><a href="https://catscrdl.io/blog/containerescapetelemetry/intro/">Container Escape Telemetry and Detection</a></h3><p>Catscrdl published technical research on detecting container escapes through host telemetry and command-line analysis. The key insight is that container escape detection requires host-level visibility because once a container escapes, traditional container-level monitoring is blind. </p><p>Process parent and child relationships, osquery-based telemetry, eBPF runtime detection, and Kubernetes admission control form a layered defense. Worth reading for practitioners building container security programs, because the traditional boundary-based model is not enough.</p><h3><a href="https://opensourcesecurity.io/2026/2026-04-ecosystems-andrew/">Open Source Security Ecosystems</a></h3><p>Andrew Nesbitt published ongoing analysis of open source ecosystem challenges, particularly the differences between newer ecosystems like Rust and Go and legacy ones like C. His work connects to the broader NSF Safe-OSE program funding open source safety, security, and privacy research. These kinds of ecosystem-level initiatives are what will eventually move us from incident response to structural prevention.</p><div><hr></div><h2>Final Thoughts</h2><p>This week brought two themes into sharp focus, and they are deeply connected.</p><p>The first is that AI has crossed a capability inflection point in vulnerability research. Anthropic&#8217;s Mythos model has found tens of thousands of bugs, some of them decades old. 
Project Glasswing is the first major coordinated defensive response, bringing $100 million and an industry coalition to the table. XBOW has already overtaken human researchers on HackerOne. Ptacek called vulnerability research cooked and he is not wrong. What matters now is whether the institutional capacity for remediation can scale to match discovery. My Vulnpocalypse piece lays out why I am cautiously optimistic but not complacent. The building blocks exist, but coordination has to happen at AI speed, not committee speed.</p><p>The second is that agentic identity is finally getting serious infrastructure. Dick Hardt&#8217;s AAuth spec, Karl McGuinness&#8217;s authority-first framing, and Christian Posta&#8217;s practical implementations are exactly the kind of foundational work the ecosystem needs. For years I have been writing that non-human identity is the most under-addressed problem in cybersecurity. The work this week shows that the standards community is catching up with the threat reality. It will take time to mature, but the direction is correct.</p><p>Running through all of it is the same stubborn truth. AI is accelerating both offense and defense, and the winners will be the organizations that can mobilize coordinated responses at the speed the technology demands. Policy theater will not get us there. Vendor hype will not get us there. 
What will get us there is deep investment in fundamentals, honest accounting of where we are losing, and the willingness to build new infrastructure instead of retrofitting old models onto new problems.</p><p>Stay resilient.</p><p><em>Chris Hughes</em></p>]]></content:encoded></item><item><title><![CDATA[Vulnpocalypse: AI, Open Source, and the Race to Remediate]]></title><description><![CDATA[Frontier labs and startups are finding decades-old vulnerabilities in hours and the capacity to remediate can't keep up, but attackers will.]]></description><link>https://www.resilientcyber.io/p/vulnpocalypse-ai-open-source-and</link><guid isPermaLink="false">https://www.resilientcyber.io/p/vulnpocalypse-ai-open-source-and</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Tue, 07 Apr 2026 12:34:21 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!foq7!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F611de0e1-233c-4dbe-b391-24666f7a909c_2816x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>In January 2026, <strong><a href="https://www.linkedin.com/in/danielstenberg/">Daniel Stenberg</a></strong>, the maintainer of <a href="https://curl.se/">cURL</a>, one of the most widely used open source projects on the planet, <strong><a href="https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/">shut down </a></strong>the project&#8217;s bug bounty program on HackerOne. The reason was straightforward: he was drowning in AI-generated slop. 
Confident, detailed, and completely fabricated vulnerability reports were flooding in from people using LLMs to chase bounty payouts. The volume was unsustainable, and the signal-to-noise ratio had collapsed.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!XVs0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F818f8408-28bb-43f1-aefb-eab7b314eca0_1216x834.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!XVs0!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F818f8408-28bb-43f1-aefb-eab7b314eca0_1216x834.png 424w, https://substackcdn.com/image/fetch/$s_!XVs0!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F818f8408-28bb-43f1-aefb-eab7b314eca0_1216x834.png 848w, https://substackcdn.com/image/fetch/$s_!XVs0!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F818f8408-28bb-43f1-aefb-eab7b314eca0_1216x834.png 1272w, https://substackcdn.com/image/fetch/$s_!XVs0!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F818f8408-28bb-43f1-aefb-eab7b314eca0_1216x834.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!XVs0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F818f8408-28bb-43f1-aefb-eab7b314eca0_1216x834.png" width="552" height="378.5921052631579" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/818f8408-28bb-43f1-aefb-eab7b314eca0_1216x834.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:834,&quot;width&quot;:1216,&quot;resizeWidth&quot;:552,&quot;bytes&quot;:1264982,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193390219?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F818f8408-28bb-43f1-aefb-eab7b314eca0_1216x834.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!XVs0!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F818f8408-28bb-43f1-aefb-eab7b314eca0_1216x834.png 424w, https://substackcdn.com/image/fetch/$s_!XVs0!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F818f8408-28bb-43f1-aefb-eab7b314eca0_1216x834.png 848w, https://substackcdn.com/image/fetch/$s_!XVs0!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F818f8408-28bb-43f1-aefb-eab7b314eca0_1216x834.png 1272w, https://substackcdn.com/image/fetch/$s_!XVs0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F818f8408-28bb-43f1-aefb-eab7b314eca0_1216x834.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" 
height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Fast forward a few months. Stenberg is now crediting AI-assisted tools with helping fix <a href="https://cybernews.com/security/curl-maintainer-stenberg-says-ai-help-fix-dozens-of-bugs/">over 100 bugs in cURL</a>. Bugs that survived years of aggressive fuzzing, compiler flags, static analysis, and multiple human security audits. The turning point came when researcher Joshua Rogers used AI-assisted tools like ZeroPath to systematically analyze cURL&#8217;s codebase, filtering results through his own expertise before submitting anything. Stenberg&#8217;s assessment of the findings? 
&#8220;Truly awesome.&#8221;</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ed7P!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41789b54-d9f6-4e17-b17f-622c62a627ca_1578x1272.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ed7P!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41789b54-d9f6-4e17-b17f-622c62a627ca_1578x1272.png 424w, https://substackcdn.com/image/fetch/$s_!ed7P!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41789b54-d9f6-4e17-b17f-622c62a627ca_1578x1272.png 848w, https://substackcdn.com/image/fetch/$s_!ed7P!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41789b54-d9f6-4e17-b17f-622c62a627ca_1578x1272.png 1272w, https://substackcdn.com/image/fetch/$s_!ed7P!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41789b54-d9f6-4e17-b17f-622c62a627ca_1578x1272.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ed7P!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41789b54-d9f6-4e17-b17f-622c62a627ca_1578x1272.png" width="578" height="466.0521978021978" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/41789b54-d9f6-4e17-b17f-622c62a627ca_1578x1272.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1174,&quot;width&quot;:1456,&quot;resizeWidth&quot;:578,&quot;bytes&quot;:1410021,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193390219?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41789b54-d9f6-4e17-b17f-622c62a627ca_1578x1272.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ed7P!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41789b54-d9f6-4e17-b17f-622c62a627ca_1578x1272.png 424w, https://substackcdn.com/image/fetch/$s_!ed7P!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41789b54-d9f6-4e17-b17f-622c62a627ca_1578x1272.png 848w, https://substackcdn.com/image/fetch/$s_!ed7P!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41789b54-d9f6-4e17-b17f-622c62a627ca_1578x1272.png 1272w, https://substackcdn.com/image/fetch/$s_!ed7P!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41789b54-d9f6-4e17-b17f-622c62a627ca_1578x1272.png 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>That arc, from frustration to recognition, tells you everything about where we are right now. AI is fundamentally changing vulnerability research. And as Thomas Ptacek recently argued in his widely discussed essay <a href="https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/">&#8220;Vulnerability Research Is Cooked&#8221;</a>, the implications are far more profound than most of the industry has internalized.</p><p>The question is no longer whether AI can find the bugs; it can. 
The question is whether we can fix them before attackers exploit them, and right now, the evidence suggests we&#8217;re losing that race.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!hLa4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d7c625c-c96b-4ef0-a8a0-efc4784bc61a_1252x1456.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!hLa4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d7c625c-c96b-4ef0-a8a0-efc4784bc61a_1252x1456.png 424w, https://substackcdn.com/image/fetch/$s_!hLa4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d7c625c-c96b-4ef0-a8a0-efc4784bc61a_1252x1456.png 848w, https://substackcdn.com/image/fetch/$s_!hLa4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d7c625c-c96b-4ef0-a8a0-efc4784bc61a_1252x1456.png 1272w, https://substackcdn.com/image/fetch/$s_!hLa4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d7c625c-c96b-4ef0-a8a0-efc4784bc61a_1252x1456.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!hLa4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d7c625c-c96b-4ef0-a8a0-efc4784bc61a_1252x1456.png" width="405" height="470.99041533546324" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2d7c625c-c96b-4ef0-a8a0-efc4784bc61a_1252x1456.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1456,&quot;width&quot;:1252,&quot;resizeWidth&quot;:405,&quot;bytes&quot;:1193181,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193390219?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d7c625c-c96b-4ef0-a8a0-efc4784bc61a_1252x1456.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!hLa4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d7c625c-c96b-4ef0-a8a0-efc4784bc61a_1252x1456.png 424w, https://substackcdn.com/image/fetch/$s_!hLa4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d7c625c-c96b-4ef0-a8a0-efc4784bc61a_1252x1456.png 848w, https://substackcdn.com/image/fetch/$s_!hLa4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d7c625c-c96b-4ef0-a8a0-efc4784bc61a_1252x1456.png 1272w, https://substackcdn.com/image/fetch/$s_!hLa4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2d7c625c-c96b-4ef0-a8a0-efc4784bc61a_1252x1456.png 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.resilientcyber.io/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption"><strong>Thanks for reading the Resilient Cyber Newsletter! 
Subscribe for FREE and join 31,000+ readers to receive weekly updates with the latest news across AppSec, Leadership, AI, Supply Chain, and more for Cybersecurity.</strong></p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><div><hr></div><p><em><strong>Interested in sponsoring an issue of Resilient Cyber?</strong></em></p><p><em><strong>This includes reaching over 31,000 subscribers, ranging from Developers, Engineers, Architects, CISO&#8217;s/Security Leaders and Business Executives</strong></em></p><p><em><strong>Reach out below!</strong></em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;mailto:sponsorships@resilientcyber.io&quot;,&quot;text&quot;:&quot;-> Contact Us! <-&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="mailto:sponsorships@resilientcyber.io"><span>-&gt; Contact Us! 
&lt;-</span></a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!foq7!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F611de0e1-233c-4dbe-b391-24666f7a909c_2816x1536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!foq7!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F611de0e1-233c-4dbe-b391-24666f7a909c_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!foq7!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F611de0e1-233c-4dbe-b391-24666f7a909c_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!foq7!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F611de0e1-233c-4dbe-b391-24666f7a909c_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!foq7!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F611de0e1-233c-4dbe-b391-24666f7a909c_2816x1536.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!foq7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F611de0e1-233c-4dbe-b391-24666f7a909c_2816x1536.png" width="1456" height="794" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/611de0e1-233c-4dbe-b391-24666f7a909c_2816x1536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:794,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:9330475,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193390219?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F611de0e1-233c-4dbe-b391-24666f7a909c_2816x1536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!foq7!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F611de0e1-233c-4dbe-b391-24666f7a909c_2816x1536.png 424w, https://substackcdn.com/image/fetch/$s_!foq7!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F611de0e1-233c-4dbe-b391-24666f7a909c_2816x1536.png 848w, https://substackcdn.com/image/fetch/$s_!foq7!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F611de0e1-233c-4dbe-b391-24666f7a909c_2816x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!foq7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F611de0e1-233c-4dbe-b391-24666f7a909c_2816x1536.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" 
height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><h2>The Evidence Base Has Gotten Impossible to Ignore</h2><p>The data points have been stacking up across multiple independent efforts, and together they paint a picture that the industry cannot afford to dismiss.</p><p>I recently sat down with <a href="https://aisle.com/blog/aisle-discovered-12-out-of-12-openssl-vulnerabilities">AISLE</a> to discuss what their autonomous analyzer has accomplished. The numbers are staggering: AISLE found all 12 CVEs in OpenSSL&#8217;s January 2026 coordinated release, every single one. When you include the CVEs from the fall 2025 release, AISLE is credited with discovering <a href="https://www.resilientcyber.io/p/securing-the-future-with-autonomous">13 of 14 OpenSSL CVEs</a> assigned across both releases, 15 total. 
Some of these vulnerabilities had been sitting in OpenSSL&#8217;s codebase for decades, undetected by thousands of security researchers, extensive fuzzing campaigns, and multiple audits. This is OpenSSL, the cryptographic library that underpins a massive portion of the internet&#8217;s secure communications.</p><div id="youtube2-J5xqeOSqs3s" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;J5xqeOSqs3s&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/J5xqeOSqs3s?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>XBOW became the number one ranked hacker on HackerOne in 2025, the first time an autonomous system outperformed every human participant on a major bug bounty platform. They have identified over 1,000 vulnerabilities across companies like AT&amp;T, Epic Games, Ford, and Disney. DARPA&#8217;s AI Cyber Challenge saw autonomous systems analyze 54 million lines of code at roughly $152 per task, making continuous security testing economically viable at a scale that was previously unthinkable.</p><p>And then there is what the frontier labs themselves are doing. <a href="https://youtu.be/1sd26pWhfmg?si=pUmWZz7MgGESAgBe">Nicholas Carlini</a> from Anthropic&#8217;s Frontier Red Team presented at Unprompted 2026 and laid out findings the industry needs to take seriously when it comes to the ability of LLMs to identify vulnerabilities in widely used critical open source projects and beyond. 
 </p><div id="youtube2-1sd26pWhfmg" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;1sd26pWhfmg&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/1sd26pWhfmg?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>Anthropic has used Claude to discover and validate over 500 high-severity zero-day vulnerabilities across production open source codebases. That includes <strong><a href="https://www.anthropic.com/news/mozilla-firefox-security">22 Firefox vulnerabilities</a></strong> found in collaboration with Mozilla over just two weeks, and a Linux kernel heap buffer overflow in the NFS v4 daemon that had been sitting unnoticed since 2003. </p><p>In a live demo, Carlini showed Claude finding a blind SQL injection in Ghost, a publishing platform with 50,000 GitHub stars that had never had a critical security vulnerability in its history. It took 90 minutes. Carlini&#8217;s assessment is blunt: AI capability for vulnerability research is doubling roughly every four months. His words:</p><blockquote><p><strong>&#8220;Current models are already better vulnerability researchers than I am, and in a year, they will likely be better than everyone.&#8221;</strong></p></blockquote><p>Ptacek frames the broader dynamic well in his piece &#8220;<strong><a href="https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/">Vulnerability Research is Cooked</a></strong>&#8221;. He argues that vulnerability researchers have historically spent about 20% of their time on the computer science and 80% on what amounts to giant, time-consuming jigsaw puzzles. 
</p><blockquote><p><strong>&#8220;Within the next few months, coding agents will drastically alter both the practice and the economics of exploit development. Frontier model improvement won&#8217;t be a slow burn, but rather a step function. Substantial amounts of high-impact vulnerability research (maybe even most of it) will happen simply by pointing an agent at a source tree and typing &#8220;find me zero days&#8221;.</strong></p></blockquote><p>Now everybody has a universal jigsaw solver. Before you feed a frontier LLM a single token of context, it already encodes vast amounts of correlation across massive bodies of source code, plus the complete library of documented bug classes that exploit development builds on. The scarcity of elite attention that used to shield us from a flood of discovered vulnerabilities is gone.</p><h2>The Open Source Reality</h2><p>This is where the conversation gets systemic, and where I think the implications extend far beyond the technology itself.</p><p>Open source software runs everything. Google, iPhones, the national power grid, medical devices, military systems. As Chinmayi Sharma wrote in her <a href="https://www.lawfaremedia.org/article/open-source-security-how-digital-infrastructure-built-house-cards">Lawfare piece on open source security</a>, our digital infrastructure is built on a house of cards. Eric Brewer of Google has explicitly <strong><a href="https://openuk.uk/thought-leadership/eric-brewer-thought-leadership/">called </a></strong>open source software &#8220;critical infrastructure.&#8221; I previously did a long-form discussion on open source&#8217;s challenges and its role as critical infrastructure with Chinmayi. 
</p><div id="youtube2-a10UTDxVeJU" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;a10UTDxVeJU&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/a10UTDxVeJU?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>The numbers reinforce just how pervasive open source has become. According to the <a href="https://www.blackduck.com/resources/analyst-reports/open-source-security-risk-analysis.html">2026 Black Duck OSSRA report</a>, 97% of audited commercial codebases contain open source components. Open source vulnerabilities doubled to 581 per codebase as AI adoption explodes, with 87% of codebases at risk. The mean number of files per codebase grew by 74% year-over-year, while the average number of open source components increased by 30%. 
And 97% of organizations are now using open source AI models in development, adding yet another layer of dependency.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!lcuN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1a2242-60b7-487b-9afa-c453dbb8ed3b_1072x600.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!lcuN!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1a2242-60b7-487b-9afa-c453dbb8ed3b_1072x600.png 424w, https://substackcdn.com/image/fetch/$s_!lcuN!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1a2242-60b7-487b-9afa-c453dbb8ed3b_1072x600.png 848w, https://substackcdn.com/image/fetch/$s_!lcuN!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1a2242-60b7-487b-9afa-c453dbb8ed3b_1072x600.png 1272w, https://substackcdn.com/image/fetch/$s_!lcuN!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1a2242-60b7-487b-9afa-c453dbb8ed3b_1072x600.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!lcuN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1a2242-60b7-487b-9afa-c453dbb8ed3b_1072x600.png" width="1072" height="600" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9e1a2242-60b7-487b-9afa-c453dbb8ed3b_1072x600.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:600,&quot;width&quot;:1072,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:193569,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193390219?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1a2242-60b7-487b-9afa-c453dbb8ed3b_1072x600.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!lcuN!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1a2242-60b7-487b-9afa-c453dbb8ed3b_1072x600.png 424w, https://substackcdn.com/image/fetch/$s_!lcuN!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1a2242-60b7-487b-9afa-c453dbb8ed3b_1072x600.png 848w, https://substackcdn.com/image/fetch/$s_!lcuN!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1a2242-60b7-487b-9afa-c453dbb8ed3b_1072x600.png 1272w, https://substackcdn.com/image/fetch/$s_!lcuN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1a2242-60b7-487b-9afa-c453dbb8ed3b_1072x600.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p><a href="https://www.sonatype.com/state-of-the-software-supply-chain/introduction">Sonatype&#8217;s 2026 State of the Software Supply Chain report</a> shows developers downloaded components 9.8 trillion times in 2025 across Maven Central, PyPI, npm, and NuGet. Open source malware has surpassed 1.2 million packages, with 454,648 new malicious packages discovered in 2025 alone, a 75% increase. 
Sonatype observed an 18% decline in actively maintained open source projects, meaning the codebase is growing while the pool of people maintaining it is shrinking.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!tzex!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad19387a-2dc8-4042-b1ca-ad910afab46c_1970x930.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!tzex!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad19387a-2dc8-4042-b1ca-ad910afab46c_1970x930.png 424w, https://substackcdn.com/image/fetch/$s_!tzex!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad19387a-2dc8-4042-b1ca-ad910afab46c_1970x930.png 848w, https://substackcdn.com/image/fetch/$s_!tzex!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad19387a-2dc8-4042-b1ca-ad910afab46c_1970x930.png 1272w, https://substackcdn.com/image/fetch/$s_!tzex!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad19387a-2dc8-4042-b1ca-ad910afab46c_1970x930.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!tzex!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad19387a-2dc8-4042-b1ca-ad910afab46c_1970x930.png" width="1456" height="687" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ad19387a-2dc8-4042-b1ca-ad910afab46c_1970x930.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:687,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:210276,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193390219?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad19387a-2dc8-4042-b1ca-ad910afab46c_1970x930.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!tzex!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad19387a-2dc8-4042-b1ca-ad910afab46c_1970x930.png 424w, https://substackcdn.com/image/fetch/$s_!tzex!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad19387a-2dc8-4042-b1ca-ad910afab46c_1970x930.png 848w, https://substackcdn.com/image/fetch/$s_!tzex!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad19387a-2dc8-4042-b1ca-ad910afab46c_1970x930.png 1272w, https://substackcdn.com/image/fetch/$s_!tzex!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fad19387a-2dc8-4042-b1ca-ad910afab46c_1970x930.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Who is maintaining all of this? According to Tidelift&#8217;s annual survey, 60% of open source maintainers are unpaid. 61% of those unpaid maintainers maintain their projects alone, no co-maintainers, no support team. Just one person responsible for code that might be running in millions of production environments. 60% of maintainers have quit or considered quitting, with 44% citing burnout as the reason. I covered the broader dynamics of this in my piece on <a href="https://www.resilientcyber.io/p/the-2025-open-source-security-landscape">the 2025 open source security landscape</a>.</p><p>Now think about what happens when AI starts generating high-quality vulnerability reports at scale against these codebases. Daniel Stenberg is one of the most dedicated and capable open source maintainers alive, and even he was overwhelmed. 
Multiply that across the estimated 1.4 million unique maintainers in the ecosystem, most of whom have far fewer resources than cURL.</p><h2>Attackers Are Pivoting to Maintainers, CI/CD, and the Infrastructure Itself</h2><p>While AI accelerates vulnerability discovery on the defensive side, attackers are simultaneously exploiting the structural weaknesses of the open source ecosystem with increasing sophistication. The attack patterns in 2025 and 2026 show a clear pivot: adversaries are moving beyond poisoning individual libraries and are now targeting the maintainers, the CI/CD infrastructure, and the trust mechanisms that hold the ecosystem together.</p><p>The <a href="https://unit42.paloaltonetworks.com/axios-supply-chain-attack/">Axios supply chain attack</a> in March 2026 illustrates this perfectly. Axios has over 300 million weekly downloads and is used in virtually every Node.js and browser project that makes HTTP requests. The attacker did not submit a malicious pull request or publish a typosquatted package. They hijacked the npm account of <em>jasonsaayman</em>, the primary maintainer, changed the email to an anonymous ProtonMail address, and manually published infected packages via the npm CLI, completely bypassing the normal GitHub Actions CI/CD process. The compromised versions introduced a hidden dependency that functioned as a cross-platform remote access Trojan.</p><p>The <a href="https://cycode.com/blog/lite-llm-supply-chain-attack/">LiteLLM compromise</a> followed a similar pattern of targeting trust infrastructure. The TeamPCP threat actor compromised LiteLLM&#8217;s PyPI publishing credentials through a chain that originated from a misconfigured CI/CD workflow in another open source project, Trivy. The <a href="https://docs.litellm.ai/blog/security-update-march-2026">malicious packages</a> deployed credential harvesting, Kubernetes lateral movement, and persistent backdoors. The same campaign hit npm packages with self-propagating worms. 
The malicious packages were live for about 40 minutes before being quarantined, but in the world of automated dependency resolution, 40 minutes is more than enough.</p><p>And then there was the <a href="https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/">tj-actions/changed-files compromise</a> in March 2025, which exposed an entirely different attack surface: GitHub Actions. The attacker exploited a leaked personal access token from a reviewdog maintainer, used an automated invitation process to join a maintainer team, and pushed malicious commits that redirected version tags. The payload scanned GitHub Actions runner memory for secrets and exfiltrated them through GitHub&#8217;s own logs. The attack went undetected for four months.</p><p>These attacks share a common thread. Adversaries are no longer just targeting the code. They are targeting the people, the credentials, the CI/CD workflows, and the trust relationships that the entire ecosystem depends on. The attack surface has expanded from &#8220;malicious code in a package&#8221; to &#8220;compromise the human or automated system that publishes the package.&#8221; </p><p>That is a fundamentally different problem, and it requires a fundamentally different defensive posture. 
Sonatype&#8217;s 2026 report confirms this is industrializing. The Lazarus Group has evolved from simple droppers to five-stage payload chains, with more than 800 Lazarus-associated packages identified this year, concentrated overwhelmingly in npm, and the first-ever self-replicating npm malware proved that open source malware can now propagate autonomously through ecosystems.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Bnd2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2532c59-3d63-4712-bbec-e0afb24aac82_1958x1222.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Bnd2!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2532c59-3d63-4712-bbec-e0afb24aac82_1958x1222.png 424w, https://substackcdn.com/image/fetch/$s_!Bnd2!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2532c59-3d63-4712-bbec-e0afb24aac82_1958x1222.png 848w, https://substackcdn.com/image/fetch/$s_!Bnd2!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2532c59-3d63-4712-bbec-e0afb24aac82_1958x1222.png 1272w, https://substackcdn.com/image/fetch/$s_!Bnd2!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2532c59-3d63-4712-bbec-e0afb24aac82_1958x1222.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Bnd2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2532c59-3d63-4712-bbec-e0afb24aac82_1958x1222.png" width="1456" height="909" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a2532c59-3d63-4712-bbec-e0afb24aac82_1958x1222.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:909,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:161778,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193390219?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2532c59-3d63-4712-bbec-e0afb24aac82_1958x1222.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Bnd2!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2532c59-3d63-4712-bbec-e0afb24aac82_1958x1222.png 424w, https://substackcdn.com/image/fetch/$s_!Bnd2!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2532c59-3d63-4712-bbec-e0afb24aac82_1958x1222.png 848w, https://substackcdn.com/image/fetch/$s_!Bnd2!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2532c59-3d63-4712-bbec-e0afb24aac82_1958x1222.png 1272w, https://substackcdn.com/image/fetch/$s_!Bnd2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa2532c59-3d63-4712-bbec-e0afb24aac82_1958x1222.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h2>Remediation Is the Real Bottleneck</h2><p>Jen Easterly, the former CISA director and now CEO of RSAC, wrote a piece in <a href="https://www.foreignaffairs.com/united-states/end-cybersecurity">Foreign Affairs</a> arguing that we do not have a cybersecurity problem, we have a software quality problem. She is right that AI has the potential to address systemic software quality issues at scale, finding flaws and potentially fixing them before they ever ship. The window to take advantage of this technology is real.</p><p>But finding bugs is only half the problem, and with the introduction of AI, definitely not the harder half. Finding bugs is getting exponentially easier and cheaper. </p><p>Fixing them still requires human judgment, code review, testing, regression analysis, and deployment. 
For open source projects maintained by unpaid volunteers, often a single person, the capacity to absorb a flood of legitimate vulnerability reports simply does not exist. For enterprise organizations, every fix competes with feature development, every patch cycle requires change management, and every remediation decision has to weigh security risk against business continuity, release schedules, and revenue targets. As we know, security almost always loses to competing priorities such as speed to market and revenue.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!tW5n!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d61b47d-eaba-448a-831e-60c553d58d77_2140x982.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!tW5n!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d61b47d-eaba-448a-831e-60c553d58d77_2140x982.png 424w, https://substackcdn.com/image/fetch/$s_!tW5n!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d61b47d-eaba-448a-831e-60c553d58d77_2140x982.png 848w, https://substackcdn.com/image/fetch/$s_!tW5n!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d61b47d-eaba-448a-831e-60c553d58d77_2140x982.png 1272w, https://substackcdn.com/image/fetch/$s_!tW5n!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d61b47d-eaba-448a-831e-60c553d58d77_2140x982.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!tW5n!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d61b47d-eaba-448a-831e-60c553d58d77_2140x982.png" width="1456" height="668" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5d61b47d-eaba-448a-831e-60c553d58d77_2140x982.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:668,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:185034,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193390219?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d61b47d-eaba-448a-831e-60c553d58d77_2140x982.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!tW5n!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d61b47d-eaba-448a-831e-60c553d58d77_2140x982.png 424w, https://substackcdn.com/image/fetch/$s_!tW5n!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d61b47d-eaba-448a-831e-60c553d58d77_2140x982.png 848w, https://substackcdn.com/image/fetch/$s_!tW5n!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d61b47d-eaba-448a-831e-60c553d58d77_2140x982.png 1272w, https://substackcdn.com/image/fetch/$s_!tW5n!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d61b47d-eaba-448a-831e-60c553d58d77_2140x982.png 1456w" 
sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Over 48,000 CVEs were published in 2025 alone, a 21% increase over the prior year. The Black Duck OSSRA data shows that 90% of audited codebases contain open source components more than four years out-of-date. These are not obscure dependencies. Applications contain an average of 911 open source components, and many of those carry known, unpatched vulnerabilities that organizations have not gotten to yet.</p><p>Now add autonomous discovery tools scanning both open source and private repositories continuously. 
As frontier labs, AppSec vendors, and open source tools turn AI-powered discovery on proprietary codebases and internal applications, enterprise organizations will face the same flood of legitimate findings that open source maintainers are already struggling with. </p><p>The volume is about to overwhelm existing remediation workflows across the entire software ecosystem, and the organizations that struggle to patch known, publicly disclosed vulnerabilities in a timely manner are about to face an order-of-magnitude increase in findings that need attention. This doesn&#8217;t even account for the many vulnerabilities that lack formal CVE identifiers, or for other attack vectors such as malicious packages, compromised maintainers and more.</p><h2>The Exploitation Timeline Is Collapsing</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qeMH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc2720a6e-993a-446c-aabc-7bbedbc7bb4a_1942x1218.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!qeMH!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc2720a6e-993a-446c-aabc-7bbedbc7bb4a_1942x1218.png 424w, https://substackcdn.com/image/fetch/$s_!qeMH!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc2720a6e-993a-446c-aabc-7bbedbc7bb4a_1942x1218.png 848w, https://substackcdn.com/image/fetch/$s_!qeMH!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc2720a6e-993a-446c-aabc-7bbedbc7bb4a_1942x1218.png 1272w, 
https://substackcdn.com/image/fetch/$s_!qeMH!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc2720a6e-993a-446c-aabc-7bbedbc7bb4a_1942x1218.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!qeMH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc2720a6e-993a-446c-aabc-7bbedbc7bb4a_1942x1218.png" width="1456" height="913" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c2720a6e-993a-446c-aabc-7bbedbc7bb4a_1942x1218.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:913,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:208946,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/193390219?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc2720a6e-993a-446c-aabc-7bbedbc7bb4a_1942x1218.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!qeMH!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc2720a6e-993a-446c-aabc-7bbedbc7bb4a_1942x1218.png 424w, https://substackcdn.com/image/fetch/$s_!qeMH!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc2720a6e-993a-446c-aabc-7bbedbc7bb4a_1942x1218.png 848w, 
https://substackcdn.com/image/fetch/$s_!qeMH!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc2720a6e-993a-446c-aabc-7bbedbc7bb4a_1942x1218.png 1272w, https://substackcdn.com/image/fetch/$s_!qeMH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc2720a6e-993a-446c-aabc-7bbedbc7bb4a_1942x1218.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>And while we struggle with remediation capacity, the other side of the equation is accelerating at a pace that should alarm 
everyone.</p><p>I recently interviewed <a href="https://www.resilientcyber.io/p/the-zero-day-clock-is-ticking-why">Sergej Epp</a> about his <a href="https://zerodayclock.com/">Zero Day Clock</a> project, which tracks the collapse of exploitation timelines. In 2018, the median time from vulnerability disclosure to first observed exploit was 771 days. By 2023, it was 6 days. By 2024, it was measured in hours. And in 2025, the majority of exploited vulnerabilities were weaponized before they were even publicly disclosed. 67% of exploited CVEs in 2026 are zero-days, up from 16% in 2018.</p><div id="youtube2-06ogpdOtEE8" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;06ogpdOtEE8&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/06ogpdOtEE8?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>AI is industrializing exploit generation alongside discovery. Researchers have demonstrated AI agents generating over 40 working exploits for a single flaw for $50, and AI agent swarms finding over 100 exploitable vulnerabilities across AMD, Intel, NVIDIA, Dell, Lenovo, and IBM drivers in 30 days for $600 total. </p><p>As Ptacek notes in his essay, no defense looks flimsier now than closed-source code, because reversing was already mostly a speed bump, and agents can reason directly from assembly. A four-layer system of sandboxes, kernels, hypervisors, and IPC schemes is, to an agent, just an iterated version of the same problem. 
The economics of offensive security have fundamentally shifted, and the implications extend well beyond open source into every proprietary codebase and commercial product on the market.</p><p>And unlike defenders, attackers do not have competing priorities. They do not have sprint planning meetings. They do not have to justify headcount to a CFO. They do not have to balance security fixes against speed to market and revenue. Their pipeline is simple: find, weaponize, exploit. There&#8217;s plenty of low-hanging fruit, and the landscape is only getting more porous because of AI-driven development. </p><h2>The Defining Challenge</h2><p>Here is how I think about this. We have a finite and closing window to use AI to find and fix vulnerabilities before malicious actors find and exploit them. The technology to discover bugs at scale is here. AISLE proved it with OpenSSL. Anthropic proved it with 500 zero-days. XBOW proved it on HackerOne. cURL proved it with over 100 bug fixes. If Carlini is right that this capability is doubling every four months, the window to get ahead of attackers is measured in months, not years.</p><p>But moving first only matters if we can actually remediate what we find, and right now, the remediation pipeline, both in open source and in enterprise environments, is the constraint. The open source ecosystem is maintained by a shrinking, burned-out workforce being asked to absorb an exponential increase in findings while simultaneously being targeted by increasingly sophisticated supply chain attacks. Enterprise organizations face the same remediation volume challenge, compounded by organizational friction and competing business priorities.</p><p>At the same time, attackers are not just finding bugs faster. They are attacking the ecosystem&#8217;s trust infrastructure directly, compromising maintainer accounts, CI/CD pipelines, and the automated workflows that modern software delivery depends on. The attack surface is not just the code. 
It is the entire system of human and automated trust that makes open source work.</p><p>This is the defining challenge for the cybersecurity ecosystem. The question is not whether AI can find the bugs; we know it can. It is whether we can build the remediation capacity, the tooling, the institutional support, and the economic incentives to fix them at the speed the threat demands, and whether we can secure the supply chain infrastructure itself from the adversaries who are already inside it.</p><p>I have been writing about the evolution of vulnerability management and AppSec for a while now, and the trajectory is clear. The defenders have the opportunity to move first. AI gives us the ability to find and fix vulnerabilities at a scale and speed that was previously impossible. But that advantage is meaningless if we cannot build the remediation capacity to match, and it is meaningless if we cannot secure the supply chain infrastructure that attackers are already inside.</p><p>The technology is ready. The question is whether the ecosystem is, and unfortunately I don&#8217;t feel too optimistic about that, given the complexity, stakeholders, competing incentives and other systemic challenges.</p><p>I have written entire books on software supply chain security, vulnerability management and AppSec, and the challenges then were immense, and that was <em>before</em> the introduction of AI and agents.</p><p>Things are about to get a whole lot worse, at least in the near term.</p>]]></content:encoded></item><item><title><![CDATA[Resilient Cyber Newsletter #91]]></title><description><![CDATA[AI Top NatSec Concern, Cyber & VC, RSAC State 
of Vendors, Claude Code Auto-Mode, 177,000 AI Agent Tools & The Complete Guide to Preventing Supply Chain Attacks]]></description><link>https://www.resilientcyber.io/p/resilient-cyber-newsletter-91</link><guid isPermaLink="false">https://www.resilientcyber.io/p/resilient-cyber-newsletter-91</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Thu, 02 Apr 2026 12:38:12 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Rqeo!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e02e42a-75e5-410f-9ae0-f94664bdb67b_714x506.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to issue #91 of the Resilient Cyber Newsletter! </p><p>This was the week Axios got compromised. The npm package that handles HTTP requests for roughly 80% of cloud environments was backdoored by UNC1069, a North Korea-nexus threat actor, after they hijacked a maintainer&#8217;s account and published malicious versions containing a cross-platform RAT. Within a 39-minute window, the attacker turned one of npm&#8217;s most trusted packages into a weapon. </p><p>If you thought the TeamPCP campaign I covered in issue #90 was the peak of supply chain chaos, this week raised the bar.</p><p>Meanwhile, a federal judge blocked the Trump administration&#8217;s supply chain risk designation against Anthropic in a blistering 43-page ruling, SentinelOne published a remarkable case study showing their EDR autonomously stopping Claude Code from executing a zero-day supply chain attack, Anthropic launched auto-approve mode for Claude Code (with immediate security debate), the UK AI Safety Institute published data on 177,000 AI agent tools, and NIST released its first formal report on the challenges of monitoring deployed AI systems. 
</p><p>The cybersecurity market hit another record quarter, California signed a first-of-its-kind AI executive order in direct opposition to the White House, and OWASP seems to be cooking up an Agentic Skills Top 10. </p><p>There is a lot to unpack this week, so let&#8217;s get into it.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Rqeo!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e02e42a-75e5-410f-9ae0-f94664bdb67b_714x506.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Rqeo!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e02e42a-75e5-410f-9ae0-f94664bdb67b_714x506.png 424w, https://substackcdn.com/image/fetch/$s_!Rqeo!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e02e42a-75e5-410f-9ae0-f94664bdb67b_714x506.png 848w, https://substackcdn.com/image/fetch/$s_!Rqeo!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e02e42a-75e5-410f-9ae0-f94664bdb67b_714x506.png 1272w, https://substackcdn.com/image/fetch/$s_!Rqeo!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e02e42a-75e5-410f-9ae0-f94664bdb67b_714x506.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Rqeo!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e02e42a-75e5-410f-9ae0-f94664bdb67b_714x506.png" width="634" height="449.3053221288515" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1e02e42a-75e5-410f-9ae0-f94664bdb67b_714x506.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:506,&quot;width&quot;:714,&quot;resizeWidth&quot;:634,&quot;bytes&quot;:428960,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e02e42a-75e5-410f-9ae0-f94664bdb67b_714x506.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Rqeo!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e02e42a-75e5-410f-9ae0-f94664bdb67b_714x506.png 424w, https://substackcdn.com/image/fetch/$s_!Rqeo!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e02e42a-75e5-410f-9ae0-f94664bdb67b_714x506.png 848w, https://substackcdn.com/image/fetch/$s_!Rqeo!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e02e42a-75e5-410f-9ae0-f94664bdb67b_714x506.png 1272w, https://substackcdn.com/image/fetch/$s_!Rqeo!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e02e42a-75e5-410f-9ae0-f94664bdb67b_714x506.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.resilientcyber.io/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption"><strong>Thanks for reading the Resilient Cyber Newsletter! 
Subscribe for FREE and join 31,000+ readers to receive weekly updates with the latest news across AppSec, Leadership, AI, Supply Chain, and more for Cybersecurity.</strong></p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><div><hr></div><p><em><strong>Interested in sponsoring an issue of Resilient Cyber?</strong></em></p><p><em><strong>This includes reaching over 31,000 subscribers, ranging from Developers, Engineers, Architects, CISO&#8217;s/Security Leaders and Business Executives</strong></em></p><p><em><strong>Reach out below!</strong></em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;mailto:sponsorships@resilientcyber.io&quot;,&quot;text&quot;:&quot;-> Contact Us! <-&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="mailto:sponsorships@resilientcyber.io"><span>-&gt; Contact Us! 
&lt;-</span></a></p><div><hr></div><blockquote><h3><strong><a href="https://get.chainguard.dev/libraries-and-actions-signup?utm_medium=3p-sponsorship&amp;utm_source=chris-hughes">Growing Trivy/TeamPCP Attack &#8212; Get 3 Free Months of Chainguard Libraries Now</a></strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!7PM6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd6d946f8-8eae-404e-b55a-6b097d48ebc2_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!7PM6!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd6d946f8-8eae-404e-b55a-6b097d48ebc2_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!7PM6!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd6d946f8-8eae-404e-b55a-6b097d48ebc2_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!7PM6!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd6d946f8-8eae-404e-b55a-6b097d48ebc2_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!7PM6!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd6d946f8-8eae-404e-b55a-6b097d48ebc2_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!7PM6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd6d946f8-8eae-404e-b55a-6b097d48ebc2_1600x900.png" width="500" height="281.25" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d6d946f8-8eae-404e-b55a-6b097d48ebc2_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:500,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:&quot;&quot;,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!7PM6!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd6d946f8-8eae-404e-b55a-6b097d48ebc2_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!7PM6!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd6d946f8-8eae-404e-b55a-6b097d48ebc2_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!7PM6!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd6d946f8-8eae-404e-b55a-6b097d48ebc2_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!7PM6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd6d946f8-8eae-404e-b55a-6b097d48ebc2_1600x900.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" 
xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>A coordinated supply chain attack is still unfolding, and your team may already be in the blast radius. In the past two weeks, malicious actors compromised Trivy, Checkmarx, LiteLLM, Telnyx, and 100+ npm packages through CanisterWorm &#8212; an attack that spans open source containers, CI/CD workflows, and language dependencies across ecosystems.</p><p><strong>Chainguard</strong> customers were unaffected by each one.</p><p>As your team works through incident response and triage, we want to help. Now through May 31, we are offering three free months of Chainguard Libraries and Chainguard Actions. 
No paid commitment required.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://get.chainguard.dev/libraries-and-actions-signup?utm_medium=3p-sponsorship&amp;utm_source=chris-hughes&quot;,&quot;text&quot;:&quot;Get started for free&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://get.chainguard.dev/libraries-and-actions-signup?utm_medium=3p-sponsorship&amp;utm_source=chris-hughes"><span>Get started for free</span></a></p></blockquote><div><hr></div><h1>Cyber Leadership &amp; Market Dynamics</h1><h3><a href="https://youtu.be/LwH8JlbvEc4?si=dOqbb2iG2HXpQrIS">The Future of AI Enterprise Security - PANW CEO Keynote</a></h3><div id="youtube2-LwH8JlbvEc4" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;LwH8JlbvEc4&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/LwH8JlbvEc4?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>When the industry&#8217;s largest and most influential security vendor lays out its vision and bets for the future of enterprise cybersecurity, it is worth listening to.</p><h3><a href="https://podcasts.apple.com/us/podcast/the-twenty-minute-vc-20vc-venture-capital-startup/id958230465?i=1000757867623">20VC Podcast: AI and Venture</a></h3><p>Harry Stebbings&#8217; latest episode covers the intersection of AI and venture capital, exploring how AI is reshaping startup formation, development velocity, and investment thesis construction. 
Worth a listen for anyone interested in how the capital allocation side of cybersecurity is adapting to the agentic era.</p><p>When one of the most successful investors in Cyber speaks, it is worth listening to. Gili Raanan has an insane track record, from Sequoia through Cyberstarts, backing some of the most defining cyber startups/companies of the era.</p><p>I found this discussion really interesting from various perspectives including finance, building and more.</p><div id="youtube2-LCLzgK03CQ0" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;LCLzgK03CQ0&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/LCLzgK03CQ0?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h3><a href="https://www.nextgov.com/cybersecurity/2026/03/pro-iran-hackers-claim-breach-fbi-directors-email">Pro-Iran Hackers Claim Breach of FBI Director&#8217;s Personal Email</a></h3><p>The Handala Hack Team, an Iran-linked group, claimed responsibility for breaching FBI Director Kash Patel&#8217;s personal email account. The leaked materials included personal photographs and historical correspondence from 2011-2022. The breach was described as retaliation for FBI operations seizing Handala&#8217;s domains. While the FBI stated the information was &#8220;historical in nature&#8221; with no government information involved, the Trump administration offered a $10 million reward for information leading to the identification of Handala members. 
</p><p>Personal email accounts of senior government officials remain a persistent target, and this incident reinforces why operational security extends well beyond government systems.</p><h3><a href="https://fedscoop.com/district-court-temporarily-blocks-anthropic-ban-supply-chain-risk-designation/">Federal Judge Blocks Anthropic Supply Chain Risk Designation</a></h3><p>This is a significant development in the Anthropic saga I&#8217;ve been tracking since issue #88, when the Trump administration designated Anthropic as a supply chain risk and ordered federal agencies to sever ties with the company. US District Judge Rita Lin issued a 43-page ruling granting Anthropic a preliminary injunction, calling the government&#8217;s action &#8220;Orwellian&#8221; and finding that punishing Anthropic for bringing public scrutiny to the government&#8217;s contracting position constituted First Amendment retaliation.</p><p>The backstory matters. Anthropic held a $200 million Pentagon contract signed in July 2025. Negotiations broke down when the Pentagon demanded unfettered access while Anthropic insisted on maintaining contractual guardrails around autonomous weapons and mass surveillance uses of Claude. The government&#8217;s response was to brand an American AI company as a potential adversary using a designation previously reserved for companies connected to foreign adversaries.</p><p>The <strong><a href="https://breakingdefense.com/2026/03/judge-grants-anthropic-preliminary-injunction-but-pentagon-cto-says-ban-still-stands/">Breaking Defense follow-up</a></strong> reveals an important wrinkle: the Pentagon CTO says the ban still stands despite the judicial ruling. Judge Lin imposed a seven-day stay on her order, and institutional resistance within the defense establishment continues. This tension between judicial oversight and executive enforcement is worth watching closely. 
</p><p>It has implications for every AI company doing business with the federal government and highlights an interesting intersection of AI and politics.</p><h3><a href="https://nationalinterest.org/blog/buzz/ai-top-national-security-concern-2026-intelligence-community-sa-032926">AI Is the Top National Security Concern for 2026</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ExO1!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8eaacf2d-5eff-4f33-b966-846d4216a397_1185x186.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ExO1!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8eaacf2d-5eff-4f33-b966-846d4216a397_1185x186.png 424w, https://substackcdn.com/image/fetch/$s_!ExO1!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8eaacf2d-5eff-4f33-b966-846d4216a397_1185x186.png 848w, https://substackcdn.com/image/fetch/$s_!ExO1!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8eaacf2d-5eff-4f33-b966-846d4216a397_1185x186.png 1272w, https://substackcdn.com/image/fetch/$s_!ExO1!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8eaacf2d-5eff-4f33-b966-846d4216a397_1185x186.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ExO1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8eaacf2d-5eff-4f33-b966-846d4216a397_1185x186.png" width="1185" height="186" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8eaacf2d-5eff-4f33-b966-846d4216a397_1185x186.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:186,&quot;width&quot;:1185,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:47600,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8eaacf2d-5eff-4f33-b966-846d4216a397_1185x186.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ExO1!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8eaacf2d-5eff-4f33-b966-846d4216a397_1185x186.png 424w, https://substackcdn.com/image/fetch/$s_!ExO1!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8eaacf2d-5eff-4f33-b966-846d4216a397_1185x186.png 848w, https://substackcdn.com/image/fetch/$s_!ExO1!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8eaacf2d-5eff-4f33-b966-846d4216a397_1185x186.png 1272w, https://substackcdn.com/image/fetch/$s_!ExO1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8eaacf2d-5eff-4f33-b966-846d4216a397_1185x186.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>The Office of the Director of National Intelligence&#8217;s 2026 Threat Assessment elevated AI from a technology category to a cross-cutting national security concern that amplifies all 
other threat vectors. Unlike discrete threats from China, Russia, Iran, and North Korea, AI is now treated as a force multiplier across all adversarial capabilities. </p><p>China plans to overtake US AI capabilities by 2030, and Russia is pioneering battlefield AI applications, particularly in anti-drone operations. The intelligence community specifically noted AI being used actively in combat operations, not as a theoretical future capability but as a present reality.</p><h3><a href="https://www.nytimes.com/2026/03/30/technology/trump-states-ai-gavin-newsom-california.html">California Signs First-of-Its-Kind AI Executive Order</a></h3><p>Governor Newsom signed an executive order requiring AI companies contracting with California to demonstrate safety and privacy guardrails. This directly opposes the Trump administration&#8217;s December executive order declaring that state AI regulation &#8220;thwarts&#8221; American AI leadership. California and New York are now partnering to forge standards across all states on AI transparency, safety, and innovation. </p><p>The federal-state regulatory collision on AI governance is intensifying, and the cybersecurity implications are significant for any organization operating across jurisdictions, as we seem to be continuing down the path toward a patchwork quilt of AI regulatory requirements across states and even nations.</p><h3><a href="https://www.forbes.com/sites/markkraynak/2026/03/30/raignark-the-end-of-the-platformization-era-in-cybersecurity/">RAIGNark: The End of the Platformization Era in Cybersecurity</a></h3><p>Mark Kraynak argues that the consolidation era in cybersecurity is ending. The thesis is that AI agents will enable more distributed, specialized security tools that work together rather than requiring monolithic platforms. Instead of building everything into one platform, agents can orchestrate across multiple specialized tools. 
</p><p>This is a meaningful counterpoint to the platform consolidation narrative from CrowdStrike, Palo Alto, and others that we&#8217;ve been tracking. If agents can function as connective tissue between best-of-breed solutions, the case for massive platform consolidation weakens. The pendulum between platforms and best-of-breed has always been perennial, as I&#8217;ve noted in prior issues, but AI agents could be the force that tilts it back toward specialized tools.</p><h3><a href="https://www.linkedin.com/pulse/reflections-rsac-2026-same-vendor-playbook-new-little-malcolm-harkins-buyzc/">Reflections on RSAC 2026: Same Vendor Playbook, New Packaging</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!e29h!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff978db8e-d733-4327-8ee2-b04e160bc856_707x429.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!e29h!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff978db8e-d733-4327-8ee2-b04e160bc856_707x429.png 424w, https://substackcdn.com/image/fetch/$s_!e29h!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff978db8e-d733-4327-8ee2-b04e160bc856_707x429.png 848w, https://substackcdn.com/image/fetch/$s_!e29h!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff978db8e-d733-4327-8ee2-b04e160bc856_707x429.png 1272w, https://substackcdn.com/image/fetch/$s_!e29h!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff978db8e-d733-4327-8ee2-b04e160bc856_707x429.png 
1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!e29h!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff978db8e-d733-4327-8ee2-b04e160bc856_707x429.png" width="587" height="356.1852899575672" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f978db8e-d733-4327-8ee2-b04e160bc856_707x429.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:429,&quot;width&quot;:707,&quot;resizeWidth&quot;:587,&quot;bytes&quot;:687498,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff978db8e-d733-4327-8ee2-b04e160bc856_707x429.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!e29h!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff978db8e-d733-4327-8ee2-b04e160bc856_707x429.png 424w, https://substackcdn.com/image/fetch/$s_!e29h!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff978db8e-d733-4327-8ee2-b04e160bc856_707x429.png 848w, https://substackcdn.com/image/fetch/$s_!e29h!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff978db8e-d733-4327-8ee2-b04e160bc856_707x429.png 1272w, 
https://substackcdn.com/image/fetch/$s_!e29h!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff978db8e-d733-4327-8ee2-b04e160bc856_707x429.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Malcolm Harkins shared his reflections from RSAC 2026, and the title tells you everything. Same vendor playbook, new packaging. Harkins has long been one of the most thoughtful voices on the business side of cybersecurity, and his observation that vendors are largely repackaging existing capabilities with AI branding tracks with what I&#8217;ve been seeing. 
</p><p>The challenge for practitioners is separating genuine capability improvements from marketing repositioning. This is where frameworks like the OWASP Agentic Top 10 and CSA&#8217;s CSAI Foundation (issue #90) become essential for establishing objective benchmarks.</p><p>I saw a TON of existing category players (e.g. AppSec, SOC, EDR, CNAPP etc.) all trying to reposition themselves as an agentic security solution at RSAC. However, as I&#8217;ve been writing, they all primarily see the problem from their myopic viewpoint, rather than offering a truly agentic-centric solution that uses signals from across the categories as context in a broader picture.</p><h3><a href="https://jakee.vc/rsa-2026-landscape.html">RSA 2026 Vendor Landscape</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!i8Xr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7761ff50-2039-474b-be24-30a594238216_1354x762.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!i8Xr!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7761ff50-2039-474b-be24-30a594238216_1354x762.png 424w, https://substackcdn.com/image/fetch/$s_!i8Xr!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7761ff50-2039-474b-be24-30a594238216_1354x762.png 848w, https://substackcdn.com/image/fetch/$s_!i8Xr!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7761ff50-2039-474b-be24-30a594238216_1354x762.png 1272w, 
https://substackcdn.com/image/fetch/$s_!i8Xr!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7761ff50-2039-474b-be24-30a594238216_1354x762.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!i8Xr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7761ff50-2039-474b-be24-30a594238216_1354x762.png" width="635" height="357.36336779911375" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7761ff50-2039-474b-be24-30a594238216_1354x762.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:762,&quot;width&quot;:1354,&quot;resizeWidth&quot;:635,&quot;bytes&quot;:386543,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7761ff50-2039-474b-be24-30a594238216_1354x762.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!i8Xr!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7761ff50-2039-474b-be24-30a594238216_1354x762.png 424w, https://substackcdn.com/image/fetch/$s_!i8Xr!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7761ff50-2039-474b-be24-30a594238216_1354x762.png 848w, 
https://substackcdn.com/image/fetch/$s_!i8Xr!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7761ff50-2039-474b-be24-30a594238216_1354x762.png 1272w, https://substackcdn.com/image/fetch/$s_!i8Xr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7761ff50-2039-474b-be24-30a594238216_1354x762.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Jake Epstein at Premji Invest published an interactive visualization mapping 320 cybersecurity startups across 18 categories from the 
RSA 2026 exhibitor catalog. This is a useful tool for anyone trying to understand the competitive landscape, identify white space, or just get a sense of where investment dollars are flowing. Worth bookmarking as a reference.</p><h3><a href="https://www.duha.co/reports/state-of-security-vendors-rsac-2026/">RSAC 2026 - State of Security Vendors and AI-Washing</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!zcuZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F629e04e1-96b1-412c-810e-d3224ce2684a_634x414.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!zcuZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F629e04e1-96b1-412c-810e-d3224ce2684a_634x414.png 424w, https://substackcdn.com/image/fetch/$s_!zcuZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F629e04e1-96b1-412c-810e-d3224ce2684a_634x414.png 848w, https://substackcdn.com/image/fetch/$s_!zcuZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F629e04e1-96b1-412c-810e-d3224ce2684a_634x414.png 1272w, https://substackcdn.com/image/fetch/$s_!zcuZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F629e04e1-96b1-412c-810e-d3224ce2684a_634x414.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!zcuZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F629e04e1-96b1-412c-810e-d3224ce2684a_634x414.png" width="500" height="326.49842271293375" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/629e04e1-96b1-412c-810e-d3224ce2684a_634x414.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:414,&quot;width&quot;:634,&quot;resizeWidth&quot;:500,&quot;bytes&quot;:69533,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F629e04e1-96b1-412c-810e-d3224ce2684a_634x414.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!zcuZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F629e04e1-96b1-412c-810e-d3224ce2684a_634x414.png 424w, https://substackcdn.com/image/fetch/$s_!zcuZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F629e04e1-96b1-412c-810e-d3224ce2684a_634x414.png 848w, https://substackcdn.com/image/fetch/$s_!zcuZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F629e04e1-96b1-412c-810e-d3224ce2684a_634x414.png 1272w, https://substackcdn.com/image/fetch/$s_!zcuZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F629e04e1-96b1-412c-810e-d3224ce2684a_634x414.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Andy Ellis of Duha spent 11 hours walking every exhibitor booth at RSAC 2026. The findings are worth paying attention to. </p><p><strong>AI Signal vs. AI Noise</strong></p><p>37% of booths mentioned AI. 223 vendors featured &#8220;AI&#8221; or &#8220;agentic&#8221; language, but much of it was AI-washing: vendors flagging AI risk in third-party ecosystems, adding LLM chatbots to existing products, or simply inserting &#8220;AI-driven&#8221; into threat language with no underlying capability change. 
This aligns with Malcolm&#8217;s post above about everyone trying to mention AI and Agents, even if their view is isolated and off target.</p><p><strong>Where Competition Is Concentrated</strong></p><ul><li><p>Applications/AppSec &#8212; 98 exhibitors </p></li><li><p>Identity &#8212; 82 exhibitors </p></li><li><p>Security Operations &#8212; 61 exhibitors </p></li><li><p>Human Risk Management/EDR &#8212; 55 exhibitors</p></li></ul><p>If you operate in these spaces, you&#8217;re competing in a very loud room with increasingly confused buyers.</p><p><strong>What&#8217;s Underrepresented</strong></p><p>Non-human identity had only 4 dedicated booths, largely absorbed into the broader AI narrative. OT/ICS had 10. Quantum/PQC had 12. The NHI number is telling given the investment hype heading into 2026.</p><p><strong>The Show Floor Reality</strong></p><p>Nearly 8% of booths left practitioners unable to determine what the company does. Badge scanning was prioritized over market education. The floor behaves more like a lead generation operation than a place to learn.</p><p>The security market is overcrowded, messaging is increasingly muddled, and AI is being used as a veneer as much as genuine differentiation. 
Clarity of problem and specificity of solution matter more than ever when 37% of the room is saying the same word.</p><h3><a href="https://www.linkedin.com/posts/matthewball2_the-cybersecurity-market-just-posted-another-share-7444741105302044672-ei1j">The Cybersecurity Market Posts Another Record Quarter</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ic1X!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cd17a1d-5fb8-47ad-9186-58232f5ef330_561x593.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ic1X!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cd17a1d-5fb8-47ad-9186-58232f5ef330_561x593.png 424w, https://substackcdn.com/image/fetch/$s_!ic1X!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cd17a1d-5fb8-47ad-9186-58232f5ef330_561x593.png 848w, https://substackcdn.com/image/fetch/$s_!ic1X!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cd17a1d-5fb8-47ad-9186-58232f5ef330_561x593.png 1272w, https://substackcdn.com/image/fetch/$s_!ic1X!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cd17a1d-5fb8-47ad-9186-58232f5ef330_561x593.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ic1X!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cd17a1d-5fb8-47ad-9186-58232f5ef330_561x593.png" width="487" height="514.7789661319073" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5cd17a1d-5fb8-47ad-9186-58232f5ef330_561x593.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:593,&quot;width&quot;:561,&quot;resizeWidth&quot;:487,&quot;bytes&quot;:290732,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cd17a1d-5fb8-47ad-9186-58232f5ef330_561x593.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ic1X!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cd17a1d-5fb8-47ad-9186-58232f5ef330_561x593.png 424w, https://substackcdn.com/image/fetch/$s_!ic1X!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cd17a1d-5fb8-47ad-9186-58232f5ef330_561x593.png 848w, https://substackcdn.com/image/fetch/$s_!ic1X!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cd17a1d-5fb8-47ad-9186-58232f5ef330_561x593.png 1272w, https://substackcdn.com/image/fetch/$s_!ic1X!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cd17a1d-5fb8-47ad-9186-58232f5ef330_561x593.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Matthew Ball highlighted another record quarter for cybersecurity spending. The global market is on track to exceed $520 billion annually by 2026, with cybercrime projected to cost $10.8 trillion, which would rank third globally after the US and China as an economy. AI-cybersecurity companies are commanding premium valuations with faster fundraising cycles and larger tickets than their non-AI peers.</p><p>Jay McBain added critical context with <a href="https://www.linkedin.com/posts/jaymcbain_breaking-news-over-half-of-channel-partners-share-7444737918897647616-ch4n">his analysis</a> showing cybersecurity is on track to reach $311 billion in 2026, with over 90% sold through channel partners. Services are growing faster than technology, and partners are critical for design, deployment, MDR, and operational support. 
That 90%+ channel dependency is a distribution reality that shapes everything from go-to-market strategy to vendor consolidation dynamics.</p><h3><a href="https://www.linkedin.com/pulse/iris-2025-icymi-3-have-security-incidents-gotten-more-ecxoe/">IRIS 2025: Have Security Incidents Gotten More Severe?</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!o0cC!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32905bb5-cb89-4e3a-a080-592e395c41eb_841x508.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!o0cC!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32905bb5-cb89-4e3a-a080-592e395c41eb_841x508.png 424w, https://substackcdn.com/image/fetch/$s_!o0cC!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32905bb5-cb89-4e3a-a080-592e395c41eb_841x508.png 848w, https://substackcdn.com/image/fetch/$s_!o0cC!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32905bb5-cb89-4e3a-a080-592e395c41eb_841x508.png 1272w, https://substackcdn.com/image/fetch/$s_!o0cC!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32905bb5-cb89-4e3a-a080-592e395c41eb_841x508.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!o0cC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32905bb5-cb89-4e3a-a080-592e395c41eb_841x508.png" width="597" height="360.61355529131987" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/32905bb5-cb89-4e3a-a080-592e395c41eb_841x508.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:508,&quot;width&quot;:841,&quot;resizeWidth&quot;:597,&quot;bytes&quot;:50244,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32905bb5-cb89-4e3a-a080-592e395c41eb_841x508.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!o0cC!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32905bb5-cb89-4e3a-a080-592e395c41eb_841x508.png 424w, https://substackcdn.com/image/fetch/$s_!o0cC!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32905bb5-cb89-4e3a-a080-592e395c41eb_841x508.png 848w, https://substackcdn.com/image/fetch/$s_!o0cC!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32905bb5-cb89-4e3a-a080-592e395c41eb_841x508.png 1272w, https://substackcdn.com/image/fetch/$s_!o0cC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32905bb5-cb89-4e3a-a080-592e395c41eb_841x508.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The Cyentia Institute&#8217;s IRIS 2025 report provides the kind of actuarial data the industry needs more of. Ransomware accounted for 32% of all security incidents and 38% of financial losses over the last five years, with a median loss per incident of $3.2 million. Credential compromise remains the most common entry point. Web application attack exploitation increased sixfold for smaller firms, and third-party relationship incidents doubled for large organizations. </p><p>That third-party finding reinforces everything I&#8217;ve been writing about supply chain risk. 
The blast radius of the Axios and TeamPCP compromises this quarter demonstrates why those third-party numbers keep climbing.</p><h3><a href="https://maggiegray.us/p/beyond-saas-new-business-models-in">Beyond SaaS: New Business Models in Cybersecurity</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!tmsU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774b6203-1911-45f9-b3c3-2f4d8395433e_432x627.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!tmsU!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774b6203-1911-45f9-b3c3-2f4d8395433e_432x627.png 424w, https://substackcdn.com/image/fetch/$s_!tmsU!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774b6203-1911-45f9-b3c3-2f4d8395433e_432x627.png 848w, https://substackcdn.com/image/fetch/$s_!tmsU!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774b6203-1911-45f9-b3c3-2f4d8395433e_432x627.png 1272w, https://substackcdn.com/image/fetch/$s_!tmsU!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774b6203-1911-45f9-b3c3-2f4d8395433e_432x627.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!tmsU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774b6203-1911-45f9-b3c3-2f4d8395433e_432x627.png" width="432" height="627" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/774b6203-1911-45f9-b3c3-2f4d8395433e_432x627.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:627,&quot;width&quot;:432,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:231443,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774b6203-1911-45f9-b3c3-2f4d8395433e_432x627.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!tmsU!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774b6203-1911-45f9-b3c3-2f4d8395433e_432x627.png 424w, https://substackcdn.com/image/fetch/$s_!tmsU!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774b6203-1911-45f9-b3c3-2f4d8395433e_432x627.png 848w, https://substackcdn.com/image/fetch/$s_!tmsU!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774b6203-1911-45f9-b3c3-2f4d8395433e_432x627.png 1272w, https://substackcdn.com/image/fetch/$s_!tmsU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F774b6203-1911-45f9-b3c3-2f4d8395433e_432x627.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Maggie Gray explored how cybersecurity business models are evolving beyond traditional SaaS. As I discussed in issue #90 with Sequoia&#8217;s services thesis and a16z&#8217;s two-path framework, per-seat pricing breaks down when AI agents replace human workers. </p><p>Gray identified emerging models including SLA-based pricing (tiers based on latency, accuracy, and relevance), output-based pricing (charging per value delivered, like per insurance claim processed), and consumption-based pricing tied to tokens or outcomes. 
This is the business model corollary to the SaaSpocalypse we&#8217;ve been tracking since issue #85.</p><h3><a href="https://danielmiessler.com/blog/ai-unmasked-our-work-as-scaffolding">AI Unmasked: Our Work as Scaffolding</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wCvZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa7d63494-ca72-45f3-8600-abd6bd31a755_896x699.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!wCvZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa7d63494-ca72-45f3-8600-abd6bd31a755_896x699.png 424w, https://substackcdn.com/image/fetch/$s_!wCvZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa7d63494-ca72-45f3-8600-abd6bd31a755_896x699.png 848w, https://substackcdn.com/image/fetch/$s_!wCvZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa7d63494-ca72-45f3-8600-abd6bd31a755_896x699.png 1272w, https://substackcdn.com/image/fetch/$s_!wCvZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa7d63494-ca72-45f3-8600-abd6bd31a755_896x699.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!wCvZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa7d63494-ca72-45f3-8600-abd6bd31a755_896x699.png" width="896" height="699" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a7d63494-ca72-45f3-8600-abd6bd31a755_896x699.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:699,&quot;width&quot;:896,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:684787,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa7d63494-ca72-45f3-8600-abd6bd31a755_896x699.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!wCvZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa7d63494-ca72-45f3-8600-abd6bd31a755_896x699.png 424w, https://substackcdn.com/image/fetch/$s_!wCvZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa7d63494-ca72-45f3-8600-abd6bd31a755_896x699.png 848w, https://substackcdn.com/image/fetch/$s_!wCvZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa7d63494-ca72-45f3-8600-abd6bd31a755_896x699.png 1272w, https://substackcdn.com/image/fetch/$s_!wCvZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa7d63494-ca72-45f3-8600-abd6bd31a755_896x699.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>Daniel Miessler published a thought-provoking piece arguing that 75-99% of knowledge work is scaffolding overhead, and AI is revealing just how small the actual &#8220;thinking&#8221; portion is. </p><p>His cybersecurity example is particularly sharp. Security testing involves stitching context on targets, creating and maintaining tooling, and building workflows, not actually discovering new vulnerabilities. When that scaffolding is packaged into AI context and methodologies, AI can execute at comparable or superior levels.</p><p>This connects directly to Caleb Sima&#8217;s piece on <strong><a href="https://www.linkedin.com/pulse/brain-becomes-portable-caleb-sima-zhzbc/">the brain becoming portable</a></strong>, where he argues that expertise can now be captured and deployed through AI agents in ways that were previously impossible. 
For cybersecurity professionals, the implication is clear: your value proposition needs to be in the thinking, not the scaffolding. If your job is primarily maintaining tooling and workflows, AI will compress that dramatically.</p><h3><a href="https://saanyaojha.substack.com/p/the-department-of-no-meets-the-age">The Department of No Meets the Age of Yes</a></h3><p><span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Saanya Ojha&quot;,&quot;id&quot;:7673984,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3de4fe4e-1679-4eaa-9986-8870264a1cdf_400x400.jpeg&quot;,&quot;uuid&quot;:&quot;712693be-a8cf-49ac-8474-53eb2d9f1e4a&quot;}" data-component-name="MentionToDOM"></span> wrote about the fundamental tension security teams face in the AI era. The traditional security mindset of blocking everything is ineffective when shadow AI is exponentially more dangerous than known AI. </p><p>Her key insight is that the real systemic risk is not what gets typed into an LLM but what systems those AI tools connect to - email, Slack, Google Drive, internal databases, and code repos. Effective security needs to be use-case driven, not blanket policy-driven. </p><p>As I&#8217;ve been saying since the early days of this newsletter, security leaders who position themselves as enablers rather than gatekeepers will be the ones who maintain influence. 
The ones who say no to everything will simply be routed around.</p><div><hr></div><h1>AI</h1><h3><a href="https://claude.com/blog/auto-mode">Anthropic Launches Auto Mode for Claude Code</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!CELS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbdd910b9-32a1-4ba9-8acc-4b61cd528890_647x479.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!CELS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbdd910b9-32a1-4ba9-8acc-4b61cd528890_647x479.png 424w, https://substackcdn.com/image/fetch/$s_!CELS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbdd910b9-32a1-4ba9-8acc-4b61cd528890_647x479.png 848w, https://substackcdn.com/image/fetch/$s_!CELS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbdd910b9-32a1-4ba9-8acc-4b61cd528890_647x479.png 1272w, https://substackcdn.com/image/fetch/$s_!CELS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbdd910b9-32a1-4ba9-8acc-4b61cd528890_647x479.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!CELS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbdd910b9-32a1-4ba9-8acc-4b61cd528890_647x479.png" width="475" height="351.66151468315303" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bdd910b9-32a1-4ba9-8acc-4b61cd528890_647x479.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:479,&quot;width&quot;:647,&quot;resizeWidth&quot;:475,&quot;bytes&quot;:45451,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbdd910b9-32a1-4ba9-8acc-4b61cd528890_647x479.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!CELS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbdd910b9-32a1-4ba9-8acc-4b61cd528890_647x479.png 424w, https://substackcdn.com/image/fetch/$s_!CELS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbdd910b9-32a1-4ba9-8acc-4b61cd528890_647x479.png 848w, https://substackcdn.com/image/fetch/$s_!CELS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbdd910b9-32a1-4ba9-8acc-4b61cd528890_647x479.png 1272w, https://substackcdn.com/image/fetch/$s_!CELS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbdd910b9-32a1-4ba9-8acc-4b61cd528890_647x479.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>Anthropic launched auto-approve mode for Claude Code, a new permissions system where Claude makes tool-call decisions autonomously using a safety classifier. Before each action, the classifier reviews whether it involves destructive operations like mass file deletion, data exfiltration, or malicious code execution. Safe actions proceed automatically; risky actions get blocked and Claude redirects to alternative approaches. 
Anthropic cited data showing 93% of permission prompts are typically approved by users, suggesting strong potential for automation.</p><p>Simon Willison&#8217;s <strong><a href="https://simonwillison.net/2026/mar/24/auto-mode-for-claude-code">analysis</a></strong> raised an important concern: the classifier treats <code>pip install -r requirements.txt</code> as routine, which is deeply problematic given the supply chain attacks we&#8217;ve been covering. His point is valid and timely. The LiteLLM backdoor (issue #90) would have sailed through an AI-based safety classifier because <code>pip install</code> looks perfectly normal. Willison prefers OS-level sandboxing that deterministically restricts file access and network connections over non-deterministic AI classifiers.</p><h3><a href="https://www.resilientcyber.io/p/the-human-in-the-loop-illusion">The Human-in-the-Loop (HITL) Illusion</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!i5oz!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c8933a-91e7-4537-a28e-bab320ce5aa0_891x581.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!i5oz!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c8933a-91e7-4537-a28e-bab320ce5aa0_891x581.png 424w, https://substackcdn.com/image/fetch/$s_!i5oz!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c8933a-91e7-4537-a28e-bab320ce5aa0_891x581.png 848w, 
https://substackcdn.com/image/fetch/$s_!i5oz!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c8933a-91e7-4537-a28e-bab320ce5aa0_891x581.png 1272w, https://substackcdn.com/image/fetch/$s_!i5oz!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c8933a-91e7-4537-a28e-bab320ce5aa0_891x581.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!i5oz!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c8933a-91e7-4537-a28e-bab320ce5aa0_891x581.png" width="532" height="346.90460157126824" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/50c8933a-91e7-4537-a28e-bab320ce5aa0_891x581.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:581,&quot;width&quot;:891,&quot;resizeWidth&quot;:532,&quot;bytes&quot;:1032819,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c8933a-91e7-4537-a28e-bab320ce5aa0_891x581.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!i5oz!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c8933a-91e7-4537-a28e-bab320ce5aa0_891x581.png 424w, 
https://substackcdn.com/image/fetch/$s_!i5oz!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c8933a-91e7-4537-a28e-bab320ce5aa0_891x581.png 848w, https://substackcdn.com/image/fetch/$s_!i5oz!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c8933a-91e7-4537-a28e-bab320ce5aa0_891x581.png 1272w, https://substackcdn.com/image/fetch/$s_!i5oz!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c8933a-91e7-4537-a28e-bab320ce5aa0_891x581.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>I published a new deep dive on Resilient Cyber this week looking at why human-in-the-loop is not functioning as a security control and what Auto Mode tells us about the future of agentic AI safety.</p><p>The catalyst was Anthropic&#8217;s own data showing users approve 93% of Claude Code permission prompts. But the behavioral patterns underneath that number are what matter most.</p><ul><li><p>New users auto-approve about 20% of sessions. By 750 sessions, that climbs to over 40%. Trust accumulates and oversight erodes predictably over time.</p></li><li><p>Experienced users do not stop paying attention entirely. They shift from proactive per-action review to reactive monitoring and intervention, interrupting roughly 9% of turns compared to 5% for new users.</p></li><li><p>Anthropic built Auto Mode as a two-layer classifier system that strips the agent&#8217;s own reasoning from what the safety model sees, so the agent cannot talk its way past the filter. The result is a 0.4% false positive rate but a 17% miss rate on genuinely dangerous actions.</p></li><li><p>Simon Willison raised a critical point that classifier-based safety is non-deterministic by nature. Traditional security controls are binary. A firewall rule blocks or it does not. An AI classifier introduces probabilistic uncertainty into a security boundary.</p></li><li><p>But the realistic baseline is not careful manual review. It is &#8220;YOLO mode&#8221; with zero guardrails. A classifier with a 17% miss rate is meaningfully better than no controls at all.</p></li></ul><p>The takeaway for security leaders is that per-action human approval does not match how humans actually work with autonomous systems at scale. 
The answer is layering deterministic controls like sandboxing, allowlists, and tool restrictions with probabilistic protections like behavioral monitoring and intent analysis.</p><p>Build security for how humans actually interact with agents, not how we wish they would.</p><h3><a href="https://www.sentinelone.com/blog/how-sentinelones-ai-edr-autonomously-discovered-and-stopped-anthropics-claude-from-executing-a-zero-day-supply-chain-attack-globally/">SentinelOne EDR Autonomously Stops Claude Code Zero-Day Supply Chain Attack</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!w78w!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde306c9f-a594-4e8c-9232-2d5cb7990a13_901x651.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!w78w!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde306c9f-a594-4e8c-9232-2d5cb7990a13_901x651.png 424w, https://substackcdn.com/image/fetch/$s_!w78w!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde306c9f-a594-4e8c-9232-2d5cb7990a13_901x651.png 848w, https://substackcdn.com/image/fetch/$s_!w78w!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde306c9f-a594-4e8c-9232-2d5cb7990a13_901x651.png 1272w, https://substackcdn.com/image/fetch/$s_!w78w!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde306c9f-a594-4e8c-9232-2d5cb7990a13_901x651.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!w78w!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde306c9f-a594-4e8c-9232-2d5cb7990a13_901x651.png" width="506" height="365.60044395116535" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/de306c9f-a594-4e8c-9232-2d5cb7990a13_901x651.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:651,&quot;width&quot;:901,&quot;resizeWidth&quot;:506,&quot;bytes&quot;:622844,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde306c9f-a594-4e8c-9232-2d5cb7990a13_901x651.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!w78w!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde306c9f-a594-4e8c-9232-2d5cb7990a13_901x651.png 424w, https://substackcdn.com/image/fetch/$s_!w78w!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde306c9f-a594-4e8c-9232-2d5cb7990a13_901x651.png 848w, https://substackcdn.com/image/fetch/$s_!w78w!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde306c9f-a594-4e8c-9232-2d5cb7990a13_901x651.png 1272w, https://substackcdn.com/image/fetch/$s_!w78w!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fde306c9f-a594-4e8c-9232-2d5cb7990a13_901x651.png 1456w" 
sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>This is one of the most important case studies I&#8217;ve seen this year. SentinelOne published a detailed account of their AI-powered EDR autonomously detecting and stopping Claude Code from executing a zero-day supply chain attack through the compromised LiteLLM package. Here is the critical detail: no human developer ran <code>pip install</code>. Claude Code autonomously updated LiteLLM to the compromised version as part of its normal workflow. 
This is a documented supply chain attack triggered by an AI agent without human intervention, and it is easy to see the same pattern playing out at many other organizations with AI-native development flows.</p><p>SentinelOne&#8217;s Singularity Platform detected the behavioral pattern (Python interpreter executing base64-decoded code in a spawned subprocess) and preemptively killed the process before the stealer, persistence, or lateral movement stages could execute. The attack chain went from TeamPCP compromising Trivy upstream, to backdooring LiteLLM on PyPI, to Claude Code autonomously pulling in the malicious package.</p><p>This validates multiple themes I&#8217;ve been tracking, including AI agents as attack vectors (OWASP Agentic Top 10), the cascading nature of supply chain compromise (Software Transparency), and the need for runtime behavioral detection rather than just signature matching. </p><p>It also, somewhat ironically, makes the strongest case for why Anthropic&#8217;s auto-approve mode needs more than an AI safety classifier. 
The exact scenario Willison warned about played out in production.</p><h3><a href="https://www.aisi.gov.uk/blog/how-are-ai-agents-used-evidence-from-177000-ai-agent-tools">UK AISI: Evidence from 177,000 AI Agent Tools</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!I1iI!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73f3f59e-4d10-4e37-8f80-0f862e840147_939x485.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!I1iI!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73f3f59e-4d10-4e37-8f80-0f862e840147_939x485.png 424w, https://substackcdn.com/image/fetch/$s_!I1iI!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73f3f59e-4d10-4e37-8f80-0f862e840147_939x485.png 848w, https://substackcdn.com/image/fetch/$s_!I1iI!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73f3f59e-4d10-4e37-8f80-0f862e840147_939x485.png 1272w, https://substackcdn.com/image/fetch/$s_!I1iI!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73f3f59e-4d10-4e37-8f80-0f862e840147_939x485.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!I1iI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73f3f59e-4d10-4e37-8f80-0f862e840147_939x485.png" width="644" height="332.6304579339723" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/73f3f59e-4d10-4e37-8f80-0f862e840147_939x485.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:485,&quot;width&quot;:939,&quot;resizeWidth&quot;:644,&quot;bytes&quot;:129136,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73f3f59e-4d10-4e37-8f80-0f862e840147_939x485.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!I1iI!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73f3f59e-4d10-4e37-8f80-0f862e840147_939x485.png 424w, https://substackcdn.com/image/fetch/$s_!I1iI!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73f3f59e-4d10-4e37-8f80-0f862e840147_939x485.png 848w, https://substackcdn.com/image/fetch/$s_!I1iI!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73f3f59e-4d10-4e37-8f80-0f862e840147_939x485.png 1272w, https://substackcdn.com/image/fetch/$s_!I1iI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73f3f59e-4d10-4e37-8f80-0f862e840147_939x485.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>The UK AI Safety Institute, working with the Bank of England, published remarkable data on AI agent tool adoption. MCP tools grew from roughly 5,000 to 177,436 over 16 months, with downloads surging from 80,000 to 14 million. The most striking shift is that action tools grew from 24% to 65% of monthly downloads, confirming the fundamental transition from analysis to action that defines the agentic era.</p><p>Software development and IT tools represent 67% of all published tools and 90% of downloads, which aligns with what we&#8217;re seeing in the market. Perhaps most concerning from a security perspective is that 28% of all MCP servers contain AI-generated code, and 62% of newly created servers in February 2026 were AI-generated. </p><p>This is the vibe coding supply chain risk at scale. 
When the tools that agents use are themselves built by AI, the attack surface compounds. The OWASP Agentic Skills Top 10 launch (below) could not be more timely.</p><h3><a href="https://www.csoonline.com/article/4145127/runtime-the-new-frontier-of-ai-agent-security.html">Runtime: The New Frontier of AI Agent Security</a></h3><p>CSO Online profiled the emerging runtime security market for AI agents. The thesis is &#8220;Shift Left, Shield Right&#8221;: move security controls into development while also implementing runtime monitoring as a last-mile safety net. </p><p>Microsoft is launching Agent 365 with runtime threat protection (GA May 1, 2026 at $15/user/month), NVIDIA&#8217;s OpenShell provides policy-based guardrails, and Cisco&#8217;s Agent Runtime SDK embeds enforcement directly into agent workflows. The core argument is that zero-day vulnerabilities and novel attack patterns cannot be anticipated at build time, making runtime monitoring essential. Given the SentinelOne/Claude case study above, this is not theoretical. 
Runtime detection caught what static analysis never could have.</p><h3><a href="https://www.linkedin.com/pulse/owasp-agentic-skills-top-10-official-launch-post-ken-huang-zkeic">OWASP Agentic Skills Top 10: Official Launch</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!jNZq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b36c1db-7cf5-4fb0-a114-67fb8e79ea53_954x274.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!jNZq!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b36c1db-7cf5-4fb0-a114-67fb8e79ea53_954x274.png 424w, https://substackcdn.com/image/fetch/$s_!jNZq!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b36c1db-7cf5-4fb0-a114-67fb8e79ea53_954x274.png 848w, https://substackcdn.com/image/fetch/$s_!jNZq!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b36c1db-7cf5-4fb0-a114-67fb8e79ea53_954x274.png 1272w, https://substackcdn.com/image/fetch/$s_!jNZq!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b36c1db-7cf5-4fb0-a114-67fb8e79ea53_954x274.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!jNZq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b36c1db-7cf5-4fb0-a114-67fb8e79ea53_954x274.png" width="954" height="274" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2b36c1db-7cf5-4fb0-a114-67fb8e79ea53_954x274.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:274,&quot;width&quot;:954,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:44013,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b36c1db-7cf5-4fb0-a114-67fb8e79ea53_954x274.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!jNZq!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b36c1db-7cf5-4fb0-a114-67fb8e79ea53_954x274.png 424w, https://substackcdn.com/image/fetch/$s_!jNZq!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b36c1db-7cf5-4fb0-a114-67fb8e79ea53_954x274.png 848w, https://substackcdn.com/image/fetch/$s_!jNZq!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b36c1db-7cf5-4fb0-a114-67fb8e79ea53_954x274.png 1272w, https://substackcdn.com/image/fetch/$s_!jNZq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b36c1db-7cf5-4fb0-a114-67fb8e79ea53_954x274.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p><span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Ken Huang&quot;,&quot;id&quot;:1160339,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3d670301-204b-472e-a2ee-bbb1b7633a99_2026x2026.png&quot;,&quot;uuid&quot;:&quot;c75c6109-6f6b-466f-81ae-78cdf9934a28&quot;}" data-component-name="MentionToDOM">Ken Huang</span> announced the official launch of the OWASP Agentic Skills Top 10. For those following my work on the OWASP Agentic Top 10 and the broader ASI initiative, this is an important milestone. The timing is critical, as the ClawHub registry (the primary AI agent skill marketplace) was systematically poisoned in Q1 2026, with five of the top seven most-downloaded skills confirmed as malware. 
Critical vulnerabilities in Claude Code itself (CVE-2025-59536 at CVSS 8.7 and CVE-2026-21852 at CVSS 5.3) further demonstrate the attack surface.</p><p>The Top 10 recommends immediate skill inventory across all agent platforms, ed25519 signing before publication, pinning nested dependencies to immutable hashes, and including content hashes in manifests. </p><p>This is the software supply chain security playbook Tony Turner and I wrote about in <em>Software Transparency</em>, adapted for the agentic era. I&#8217;m encouraged by the pace at which OWASP is producing actionable guidance.</p><h3><a href="https://www.nist.gov/news-events/news/2026/03/new-report-challenges-monitoring-deployed-ai-systems">NIST AI 800-4: Challenges Monitoring Deployed AI Systems</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qAv_!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4a9ba449-7ff8-40e4-ace4-2b93531a5e75_1117x292.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!qAv_!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4a9ba449-7ff8-40e4-ace4-2b93531a5e75_1117x292.png 424w, https://substackcdn.com/image/fetch/$s_!qAv_!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4a9ba449-7ff8-40e4-ace4-2b93531a5e75_1117x292.png 848w, https://substackcdn.com/image/fetch/$s_!qAv_!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4a9ba449-7ff8-40e4-ace4-2b93531a5e75_1117x292.png 1272w, 
https://substackcdn.com/image/fetch/$s_!qAv_!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4a9ba449-7ff8-40e4-ace4-2b93531a5e75_1117x292.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!qAv_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4a9ba449-7ff8-40e4-ace4-2b93531a5e75_1117x292.png" width="1117" height="292" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4a9ba449-7ff8-40e4-ace4-2b93531a5e75_1117x292.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:292,&quot;width&quot;:1117,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:30898,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4a9ba449-7ff8-40e4-ace4-2b93531a5e75_1117x292.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!qAv_!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4a9ba449-7ff8-40e4-ace4-2b93531a5e75_1117x292.png 424w, https://substackcdn.com/image/fetch/$s_!qAv_!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4a9ba449-7ff8-40e4-ace4-2b93531a5e75_1117x292.png 848w, 
https://substackcdn.com/image/fetch/$s_!qAv_!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4a9ba449-7ff8-40e4-ace4-2b93531a5e75_1117x292.png 1272w, https://substackcdn.com/image/fetch/$s_!qAv_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4a9ba449-7ff8-40e4-ace4-2b93531a5e75_1117x292.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>NIST published its first formal report on the challenges of monitoring deployed AI systems, based on three practitioner workshops with 
over 200 experts and an 87-paper literature review. The findings are sobering: there are no validated methodologies, no agreed metrics, and no standardized processes for production AI monitoring. </p><p>The most interesting gap they identified is human-AI interaction monitoring. Workshop practitioners discussed human factors far more than the published literature reflects, indicating the biggest blind spot is exactly where humans and AI systems interact. </p><p><span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Rock Lambros&quot;,&quot;id&quot;:19291360,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/98098048-f975-4577-a2c4-d411bafa8255_1172x1172.png&quot;,&quot;uuid&quot;:&quot;25d2c7ef-7dc6-4643-b79b-c9444f34fc0b&quot;}" data-component-name="MentionToDOM"></span> <a href="https://www.rockcybermusings.com/p/ai-monitoring-standards-gap-nist-ai-800-4">RockCyber&#8217;s analysis</a> adds an important critique: NIST&#8217;s proposed evaluation framework operates on the assumption that no adversaries are present, which is fundamentally incompatible with security requirements. You cannot evaluate security standards using a methodology designed for data formatting standards. 
Security operates in a fundamentally different reality, and the standards need to reflect that.</p><h3><a href="https://www.cybersecuritytribe.com/articles/what-separates-real-ai-governance-from-policy-theater">What Separates Real AI Governance from Policy Theater</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!-KZV!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d0f52b1-19a2-4bb5-a6f9-60b53b365d10_1172x346.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!-KZV!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d0f52b1-19a2-4bb5-a6f9-60b53b365d10_1172x346.png 424w, https://substackcdn.com/image/fetch/$s_!-KZV!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d0f52b1-19a2-4bb5-a6f9-60b53b365d10_1172x346.png 848w, https://substackcdn.com/image/fetch/$s_!-KZV!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d0f52b1-19a2-4bb5-a6f9-60b53b365d10_1172x346.png 1272w, https://substackcdn.com/image/fetch/$s_!-KZV!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d0f52b1-19a2-4bb5-a6f9-60b53b365d10_1172x346.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!-KZV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d0f52b1-19a2-4bb5-a6f9-60b53b365d10_1172x346.png" width="1172" height="346" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6d0f52b1-19a2-4bb5-a6f9-60b53b365d10_1172x346.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:346,&quot;width&quot;:1172,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:445070,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d0f52b1-19a2-4bb5-a6f9-60b53b365d10_1172x346.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!-KZV!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d0f52b1-19a2-4bb5-a6f9-60b53b365d10_1172x346.png 424w, https://substackcdn.com/image/fetch/$s_!-KZV!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d0f52b1-19a2-4bb5-a6f9-60b53b365d10_1172x346.png 848w, https://substackcdn.com/image/fetch/$s_!-KZV!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d0f52b1-19a2-4bb5-a6f9-60b53b365d10_1172x346.png 1272w, https://substackcdn.com/image/fetch/$s_!-KZV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d0f52b1-19a2-4bb5-a6f9-60b53b365d10_1172x346.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>This piece articulates something I&#8217;ve been observing across the industry. Most AI governance programs are compliance theater. The real test, as my friend <span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Rock Lambros&quot;,&quot;id&quot;:19291360,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/98098048-f975-4577-a2c4-d411bafa8255_1172x1172.png&quot;,&quot;uuid&quot;:&quot;adfa73cf-b52e-41ce-9542-4d62af59f900&quot;}" data-component-name="MentionToDOM">Rock Lambros</span> from Zenity notes, is whether violations result in consequences. If silence follows a violation, you have theater, not governance. </p><p>Real governance must be enforceable with underlying standards and SOPs, mapped to actual AI in use, and regularly audited. 
AI governance differs from traditional cybersecurity governance because you are dealing with probabilistic systems whose behavior changes based on input and model updates that happen outside the organization&#8217;s control. This is a useful framework for any CISO trying to stand up an AI governance program that actually works.</p><h3><a href="https://www.mastercard.com/us/en/news-and-trends/stories/2026/verifiable-intent.html">Mastercard: Verifiable Intent for Agentic Commerce</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!zyDv!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fedab2e81-3f10-40b8-b53e-9c1918814987_984x432.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!zyDv!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fedab2e81-3f10-40b8-b53e-9c1918814987_984x432.png 424w, https://substackcdn.com/image/fetch/$s_!zyDv!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fedab2e81-3f10-40b8-b53e-9c1918814987_984x432.png 848w, https://substackcdn.com/image/fetch/$s_!zyDv!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fedab2e81-3f10-40b8-b53e-9c1918814987_984x432.png 1272w, https://substackcdn.com/image/fetch/$s_!zyDv!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fedab2e81-3f10-40b8-b53e-9c1918814987_984x432.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!zyDv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fedab2e81-3f10-40b8-b53e-9c1918814987_984x432.png" width="984" height="432" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/edab2e81-3f10-40b8-b53e-9c1918814987_984x432.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:432,&quot;width&quot;:984,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:78586,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fedab2e81-3f10-40b8-b53e-9c1918814987_984x432.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!zyDv!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fedab2e81-3f10-40b8-b53e-9c1918814987_984x432.png 424w, https://substackcdn.com/image/fetch/$s_!zyDv!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fedab2e81-3f10-40b8-b53e-9c1918814987_984x432.png 848w, https://substackcdn.com/image/fetch/$s_!zyDv!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fedab2e81-3f10-40b8-b53e-9c1918814987_984x432.png 1272w, https://substackcdn.com/image/fetch/$s_!zyDv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fedab2e81-3f10-40b8-b53e-9c1918814987_984x432.png 1456w" sizes="100vw" 
loading="lazy"></picture></div></a></figure></div><p>Mastercard released an open-source specification for &#8220;Verifiable Intent&#8221; that creates tamper-resistant cryptographic records linking identity, intent, and action for AI agent-authorized transactions. The protocol uses selective disclosure to share only the minimum information needed with each party. </p><p>Partners include Google, Fiserv, IBM, Checkout.com, and others. This is exactly the kind of infrastructure the agentic economy needs. 
As I&#8217;ve discussed through my work on the OWASP NHI Top 10, the identity challenge for AI agents extends beyond authentication into authorization and audit trails. Mastercard is building the financial infrastructure layer for agent-to-agent commerce, and the security architecture matters enormously.</p><h3><a href="https://arxiv.org/abs/2603.22341">T-MAP: Red-Teaming LLM Agents with Trajectory-Aware Search</a></h3><p>This research paper proposes T-MAP, a trajectory-aware evolutionary search method for red-teaming AI agents. The key insight is that traditional LLM red-teaming focuses on eliciting harmful text outputs, but agent-specific vulnerabilities emerge through multi-step tool execution. T-MAP leverages execution trajectories to discover adversarial prompts that bypass safety guardrails through actual tool interactions. </p><p>Combined with the <a href="https://arxiv.org/pdf/2603.12230">NIST-aligned security considerations paper</a> that maps agent architectures against code-data separation, authority boundaries, and confused-deputy behavior, the academic community is building the theoretical foundations for agent security testing.</p><div><hr></div><h1>AppSec</h1><h3><a href="https://www.koi.ai/blog/axios-compromised-a-supply-chain-attack-on-npms-most-popular-http-client">Axios Compromised: A Supply Chain Attack on npm&#8217;s Most Popular HTTP Client</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!_vOu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97f69e41-7a10-4103-8c31-db46e172108d_1181x324.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!_vOu!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97f69e41-7a10-4103-8c31-db46e172108d_1181x324.png 424w, https://substackcdn.com/image/fetch/$s_!_vOu!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97f69e41-7a10-4103-8c31-db46e172108d_1181x324.png 848w, https://substackcdn.com/image/fetch/$s_!_vOu!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97f69e41-7a10-4103-8c31-db46e172108d_1181x324.png 1272w, https://substackcdn.com/image/fetch/$s_!_vOu!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97f69e41-7a10-4103-8c31-db46e172108d_1181x324.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!_vOu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97f69e41-7a10-4103-8c31-db46e172108d_1181x324.png" width="1181" height="324" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/97f69e41-7a10-4103-8c31-db46e172108d_1181x324.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:324,&quot;width&quot;:1181,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:359258,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97f69e41-7a10-4103-8c31-db46e172108d_1181x324.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" 
class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!_vOu!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97f69e41-7a10-4103-8c31-db46e172108d_1181x324.png 424w, https://substackcdn.com/image/fetch/$s_!_vOu!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97f69e41-7a10-4103-8c31-db46e172108d_1181x324.png 848w, https://substackcdn.com/image/fetch/$s_!_vOu!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97f69e41-7a10-4103-8c31-db46e172108d_1181x324.png 1272w, https://substackcdn.com/image/fetch/$s_!_vOu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F97f69e41-7a10-4103-8c31-db46e172108d_1181x324.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>This is the supply chain story of the week, and given what we covered with TeamPCP/LiteLLM in issue #90, the timing could not be worse. Axios, the npm package that handles HTTP requests for roughly 80% of cloud and code environments with approximately 100 million weekly downloads, was compromised after attackers hijacked the npm account of jasonsaayman, the lead maintainer. Within a 39-minute window, two malicious versions were published: 1.14.1 and 0.30.4.</p><p>The payload was a hidden dependency called &#8220;<em>plain-crypto-js</em>&#8221; that silently deployed WAVESHAPER.V2, a cross-platform RAT covering Windows, macOS, and Linux. The postinstall hook fired on <code>npm install</code>, and the payload called back to sfrclak[.]com:8000 to retrieve stage-2 implants. Google Threat Intelligence Group attributed the attack to UNC1069, a financially motivated North Korea-nexus threat actor active since 2018.</p><p><a href="https://www.linkedin.com/posts/netanelrubin_breaking-axios-an-npm-package-with-activity-7444611953773248512-gT6H">Multiple</a> <a href="https://opensourcemalware.com/blog/axios-compromised">sources</a> confirmed that execution was observed in roughly 3% of affected environments before removal. Given the install base, even 3% represents a massive number of compromised environments. </p><p>This is being compared to the 2021 ua-parser-js compromise and the event-stream incident for good reason. As I wrote in <em>Software Transparency</em>, the implicit trust model in open-source package registries is fundamentally broken. 
One compromised maintainer account can propagate malware to millions of installations within minutes.</p><h3><a href="https://pulse.latio.tech/p/the-complete-guide-to-preventing">The Complete Guide to Preventing Supply Chain Attacks</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!nSvV!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F553d9f3c-5591-4fa4-b095-e031b04dbb18_746x451.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!nSvV!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F553d9f3c-5591-4fa4-b095-e031b04dbb18_746x451.png 424w, https://substackcdn.com/image/fetch/$s_!nSvV!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F553d9f3c-5591-4fa4-b095-e031b04dbb18_746x451.png 848w, https://substackcdn.com/image/fetch/$s_!nSvV!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F553d9f3c-5591-4fa4-b095-e031b04dbb18_746x451.png 1272w, https://substackcdn.com/image/fetch/$s_!nSvV!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F553d9f3c-5591-4fa4-b095-e031b04dbb18_746x451.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!nSvV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F553d9f3c-5591-4fa4-b095-e031b04dbb18_746x451.png" width="527" height="318.6018766756032" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/553d9f3c-5591-4fa4-b095-e031b04dbb18_746x451.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:451,&quot;width&quot;:746,&quot;resizeWidth&quot;:527,&quot;bytes&quot;:91552,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192879741?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F553d9f3c-5591-4fa4-b095-e031b04dbb18_746x451.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!nSvV!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F553d9f3c-5591-4fa4-b095-e031b04dbb18_746x451.png 424w, https://substackcdn.com/image/fetch/$s_!nSvV!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F553d9f3c-5591-4fa4-b095-e031b04dbb18_746x451.png 848w, https://substackcdn.com/image/fetch/$s_!nSvV!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F553d9f3c-5591-4fa4-b095-e031b04dbb18_746x451.png 1272w, https://substackcdn.com/image/fetch/$s_!nSvV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F553d9f3c-5591-4fa4-b095-e031b04dbb18_746x451.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>James Berthoty published practical guidance on supply chain defense that feels like essential reading after the Axios and TeamPCP campaigns. 
The key recommendations include pinning GitHub Actions to version SHAs rather than version numbers, restricting GitHub Actions access using least privilege, requiring cooldown periods before version updates, expanding SBOM data to include packages from local dev machines and pipelines (not just production), enforcing MFA on all package registries, and auditing user permissions aggressively. </p><p>Latio&#8217;s 2026 Application Security Report also identified four strategic approaches: minimal container images, secure package registries with pre-import scanning, backporting patches for application libraries, and OS-level patching for base images.</p><h3><a href="https://www.vaines.org/posts/2026-03-24-the-comforting-lie-of-sha-pinning/">The Comforting Lie of SHA Pinning</a></h3><p>This piece provides an important nuance to the &#8220;pin everything to SHAs&#8221; advice. The argument is that SHA pinning optimizes for machine verification but fails during human code review. </p><p>The author demonstrates this using the real Trivy attack: attackers changed SHAs while keeping version tag comments intact, and no tool validated whether the SHA actually corresponded to the claimed version. Transitive dependencies create additional exposure since unpinned actions within pinned actions still leave you vulnerable. </p><p>The conclusion is not that SHA pinning is useless but that it is necessary but insufficient. Multi-layered defense combining pinning with strict permissions, network monitoring, and automated security scoring is the right approach.</p><div><hr></div><h1>Final Thoughts</h1><p>This week crystallizes a theme I keep returning to: the speed of AI adoption is outpacing every layer of security, from standards bodies to runtime controls to the basic trust model in open-source registries. </p><p>The Axios compromise and the SentinelOne case study together tell a complete story. 
In one case, a North Korean threat actor weaponized a trusted npm package and reached millions of environments in under 40 minutes. In the other, an AI coding agent autonomously pulled in a backdoored package as part of its normal workflow, and only behavioral EDR stopped it. Neither traditional security controls nor Anthropic&#8217;s new auto-approve classifier would have caught either attack at the point of installation.</p><p>The policy landscape is equally dynamic. A federal judge called the Trump administration&#8217;s actions against Anthropic &#8220;Orwellian,&#8221; California is signing AI safety executive orders in direct opposition to the White House, and the intelligence community named AI the top national security concern for 2026. The tension between innovation velocity and governance maturity has never been more acute.</p><p>I am encouraged by the building blocks emerging, such as OWASP&#8217;s Agentic Skills Top 10, NIST&#8217;s monitoring gap analysis, Mastercard&#8217;s Verifiable Intent specification, and the growing body of academic work on agent-specific red teaming. But as the AI governance piece rightly noted, the difference between real governance and policy theater is enforcement. Frameworks on paper mean nothing without the institutional will to implement them.</p><p>The scaffolding metaphor from Miessler is the right frame for where we are. AI is stripping away the overhead that made knowledge work look harder than it actually is, a theme echoed by PANW&#8217;s CEO too, and security is no exception. The question for every cybersecurity professional is whether your value is in the thinking or the scaffolding. 
If it is in the scaffolding, the clock is ticking.</p><div class="pullquote"><p><strong>Stay resilient.</strong></p></div>]]></content:encoded></item><item><title><![CDATA[ What 450000 Hours of Incident Response Reveals]]></title><description><![CDATA[A breakdown of M-Trends 2026, key takeaways, insights and real-world data]]></description><link>https://www.resilientcyber.io/p/what-450000-hours-of-incident-response</link><guid isPermaLink="false">https://www.resilientcyber.io/p/what-450000-hours-of-incident-response</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Wed, 01 Apr 2026 17:55:33 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/192874507/e4cd1769aeecc68a85cba95313f14dd4.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p><br>Mandiant (Google) recently dropped their <strong><a href="https://cloud.google.com/security/resources/m-trends">M-Trends 2026 Report</a></strong> while we were out at RSAC. 
I recently wrote a <strong><a href="https://www.resilientcyber.io/p/m-trends-2026-what-450000-hours-of">deep dive of the report</a></strong>, with key takeaways and insights, but I know some prefer video, so I put this together as well.</p><div id="youtube2-UPvhGAXIvW0" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;UPvhGAXIvW0&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/UPvhGAXIvW0?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><div><hr></div><p>In this video, we cut through the noise and focus on what actually matters:</p><ul><li><p>Why exploits remain the #1 initial access vector (for the 6th year straight)</p></li><li><p>The sharp rise of voice phishing (vishing), now the #2 entry point</p></li><li><p>Why email phishing is declining faster than expected</p></li><li><p>The truth behind increased dwell time and why it&#8217;s misunderstood</p></li><li><p>How internal detection is quietly improving</p></li><li><p>Long-term persistence of state-sponsored actors on edge devices</p></li><li><p>Cloud-specific attack trends that shift the usual narrative</p></li><li><p>DPRK IT worker campaigns operating at scale</p></li><li><p>The growing role of AI in social engineering and &#8220;vibe coding&#8221; risks</p></li></ul><p>This isn&#8217;t just a summary; it&#8217;s a breakdown of what&#8217;s driving these trends, where defenders are still blind, and what security leaders need to rethink right now.</p><p>If you want my full deep-dive breakdown, check out &#8220;<strong><a href="https://www.resilientcyber.io/p/m-trends-2026-what-450000-hours-of">M-Trends 2026: What 450,000 Hours of Incident Response Tells Us</a></strong>&#8221;. </p><p>And of course, for those who prefer the full report from Google/Mandiant: <strong><a href="https://cloud.google.com/security/resources/m-trends">M-Trends 2026 Report: Real-world investigations and actionable defense insights</a></strong></p><p>If you&#8217;re in cybersecurity, threat intelligence, or leadership, this is essential viewing.</p>]]></content:encoded></item><item><title><![CDATA[The 
Human-in-the-Loop Illusion]]></title><description><![CDATA[Why HITL is Not a Security Control and Why Auto Mode Matters More Than You Think]]></description><link>https://www.resilientcyber.io/p/the-human-in-the-loop-illusion</link><guid isPermaLink="false">https://www.resilientcyber.io/p/the-human-in-the-loop-illusion</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Mon, 30 Mar 2026 17:28:13 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Fau4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd10a9f8d-7003-40dc-81ae-dc542521d984_2528x1696.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Anthropic just acknowledged what practitioners have been sensing for months. Users approve 93% of Claude Code permission prompts, and approval fatigue means many of those approvals are not meaningful reviews. So what happens when we finally stop pretending the human-in-the-loop is functioning as designed?</em></p><p>Anthropic recently launched Auto Mode for Claude Code, and it sparked one of the most important conversations in agentic AI security this year. Not because of what Auto Mode does, but because of what it admits. According to Anthropic&#8217;s own data, users approve 93% of Claude Code permission prompts. Anthropic describes this as leading to &#8220;approval fatigue, where people stop paying close attention to what they&#8217;re approving.&#8221; The human-in-the-loop is not functioning as a meaningful safety control. It is a formality that users power through to maintain their workflow.</p><p>This is not just an Anthropic problem. This is an industry-wide reckoning with a foundational assumption that has underpinned agentic AI safety from the beginning. </p><p>The assumption that a human will be present, paying attention, and making informed decisions about what an agent should and should not do. 
The data suggests otherwise, and the implications for enterprise security are significant.</p><p>Even my friend Steve Wilson, head of OWASP&#8217;s LLM Top 10, called out this fantasy during my panel at OWASP&#8217;s Agentic Security Initiative (ASI) event recently when we were on stage.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Fau4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd10a9f8d-7003-40dc-81ae-dc542521d984_2528x1696.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Fau4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd10a9f8d-7003-40dc-81ae-dc542521d984_2528x1696.png 424w, https://substackcdn.com/image/fetch/$s_!Fau4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd10a9f8d-7003-40dc-81ae-dc542521d984_2528x1696.png 848w, https://substackcdn.com/image/fetch/$s_!Fau4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd10a9f8d-7003-40dc-81ae-dc542521d984_2528x1696.png 1272w, https://substackcdn.com/image/fetch/$s_!Fau4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd10a9f8d-7003-40dc-81ae-dc542521d984_2528x1696.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Fau4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd10a9f8d-7003-40dc-81ae-dc542521d984_2528x1696.png" width="706" height="473.7376373626374" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d10a9f8d-7003-40dc-81ae-dc542521d984_2528x1696.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:977,&quot;width&quot;:1456,&quot;resizeWidth&quot;:706,&quot;bytes&quot;:9430346,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192546401?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd10a9f8d-7003-40dc-81ae-dc542521d984_2528x1696.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Fau4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd10a9f8d-7003-40dc-81ae-dc542521d984_2528x1696.png 424w, https://substackcdn.com/image/fetch/$s_!Fau4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd10a9f8d-7003-40dc-81ae-dc542521d984_2528x1696.png 848w, https://substackcdn.com/image/fetch/$s_!Fau4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd10a9f8d-7003-40dc-81ae-dc542521d984_2528x1696.png 1272w, https://substackcdn.com/image/fetch/$s_!Fau4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd10a9f8d-7003-40dc-81ae-dc542521d984_2528x1696.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><div><hr></div><h2><strong>What Auto Mode Actually Is</strong></h2><p>Claude Code Auto Mode is a new permissions mode that delegates approval decisions to a model-based classifier rather than requiring the user to approve every file write, shell command, and external operation. </p><p>It uses a two-layer defense system. At the input layer, a server-side prompt injection probe scans tool outputs before the agent processes them, flagging content that looks like an attempt to hijack the agent&#8217;s behavior. 
At the output layer, a transcript classifier running on Sonnet 4.6 evaluates each action against a set of decision criteria before it executes.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xICC!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a3faf1b-97c5-4b7a-970b-c62be0b237ab_653x691.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!xICC!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a3faf1b-97c5-4b7a-970b-c62be0b237ab_653x691.png 424w, https://substackcdn.com/image/fetch/$s_!xICC!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a3faf1b-97c5-4b7a-970b-c62be0b237ab_653x691.png 848w, https://substackcdn.com/image/fetch/$s_!xICC!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a3faf1b-97c5-4b7a-970b-c62be0b237ab_653x691.png 1272w, https://substackcdn.com/image/fetch/$s_!xICC!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a3faf1b-97c5-4b7a-970b-c62be0b237ab_653x691.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!xICC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a3faf1b-97c5-4b7a-970b-c62be0b237ab_653x691.png" width="529" height="559.7840735068912" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2a3faf1b-97c5-4b7a-970b-c62be0b237ab_653x691.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:691,&quot;width&quot;:653,&quot;resizeWidth&quot;:529,&quot;bytes&quot;:136998,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192546401?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a3faf1b-97c5-4b7a-970b-c62be0b237ab_653x691.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!xICC!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a3faf1b-97c5-4b7a-970b-c62be0b237ab_653x691.png 424w, https://substackcdn.com/image/fetch/$s_!xICC!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a3faf1b-97c5-4b7a-970b-c62be0b237ab_653x691.png 848w, https://substackcdn.com/image/fetch/$s_!xICC!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a3faf1b-97c5-4b7a-970b-c62be0b237ab_653x691.png 1272w, https://substackcdn.com/image/fetch/$s_!xICC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2a3faf1b-97c5-4b7a-970b-c62be0b237ab_653x691.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The classifier operates in two stages. A fast single-token filter runs first, tuned to block aggressively. If the first stage flags an action, a chain-of-thought reasoning step follows to reduce false positives. The classifier receives user messages and tool calls as input, but assistant text and tool results are stripped out. This is an intentional design choice. Because tool results never reach the classifier, hostile content embedded in files, web pages, or tool outputs cannot directly manipulate the classifier&#8217;s decisions.</p><p>The system hard-blocks actions like piping curl output to bash, production deployments, destructive shared-infrastructure changes, and force-pushing to main. 
Anthropic maintains an internal incident log of real-world agentic misbehaviors, including deleting remote git branches from vague instructions, uploading an engineer&#8217;s GitHub auth token to an internal compute cluster, and attempting migrations against a production database. Auto Mode is designed to catch exactly these kinds of overeager and potentially destructive actions.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!RG08!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceb45447-12e1-4e4b-b718-272cc2d37837_783x379.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!RG08!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceb45447-12e1-4e4b-b718-272cc2d37837_783x379.png 424w, https://substackcdn.com/image/fetch/$s_!RG08!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceb45447-12e1-4e4b-b718-272cc2d37837_783x379.png 848w, https://substackcdn.com/image/fetch/$s_!RG08!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceb45447-12e1-4e4b-b718-272cc2d37837_783x379.png 1272w, https://substackcdn.com/image/fetch/$s_!RG08!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceb45447-12e1-4e4b-b718-272cc2d37837_783x379.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!RG08!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceb45447-12e1-4e4b-b718-272cc2d37837_783x379.png" width="589" 
height="285.0970625798212" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ceb45447-12e1-4e4b-b718-272cc2d37837_783x379.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:379,&quot;width&quot;:783,&quot;resizeWidth&quot;:589,&quot;bytes&quot;:51032,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192546401?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceb45447-12e1-4e4b-b718-272cc2d37837_783x379.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!RG08!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceb45447-12e1-4e4b-b718-272cc2d37837_783x379.png 424w, https://substackcdn.com/image/fetch/$s_!RG08!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceb45447-12e1-4e4b-b718-272cc2d37837_783x379.png 848w, https://substackcdn.com/image/fetch/$s_!RG08!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceb45447-12e1-4e4b-b718-272cc2d37837_783x379.png 1272w, https://substackcdn.com/image/fetch/$s_!RG08!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fceb45447-12e1-4e4b-b718-272cc2d37837_783x379.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>On Anthropic&#8217;s own benchmarks, the full pipeline produces a 0.4% false-positive rate on real traffic and a 17% false-negative rate on real overeager actions. That 17% miss rate is important. It means roughly one in six genuinely dangerous actions still gets through. Anthropic is transparent about this, noting that Auto Mode is &#8220;not a drop-in replacement for careful human review on high-stakes infrastructure.&#8221;</p><h2><strong>The Data on How Humans Actually Interact with Agent Permissions</strong></h2><p>What makes Auto Mode significant is not just the technology. It is the context that prompted it. 
Anthropic published separate research titled &#8220;<strong><a href="https://www.anthropic.com/research/measuring-agent-autonomy">Measuring AI Agent Autonomy in Practice</a></strong>,&#8221; analyzing millions of interactions across Claude Code and their API. The findings paint a detailed picture of how humans actually interact with agent permissions, and it is more nuanced than a simple &#8220;nobody reviews anything&#8221; narrative.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!U8Ns!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9489af7b-7b04-4f1d-8a15-53cb33f75441_1029x640.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!U8Ns!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9489af7b-7b04-4f1d-8a15-53cb33f75441_1029x640.png 424w, https://substackcdn.com/image/fetch/$s_!U8Ns!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9489af7b-7b04-4f1d-8a15-53cb33f75441_1029x640.png 848w, https://substackcdn.com/image/fetch/$s_!U8Ns!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9489af7b-7b04-4f1d-8a15-53cb33f75441_1029x640.png 1272w, https://substackcdn.com/image/fetch/$s_!U8Ns!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9489af7b-7b04-4f1d-8a15-53cb33f75441_1029x640.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!U8Ns!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9489af7b-7b04-4f1d-8a15-53cb33f75441_1029x640.png" width="1029" height="640" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9489af7b-7b04-4f1d-8a15-53cb33f75441_1029x640.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:640,&quot;width&quot;:1029,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:127844,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192546401?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9489af7b-7b04-4f1d-8a15-53cb33f75441_1029x640.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!U8Ns!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9489af7b-7b04-4f1d-8a15-53cb33f75441_1029x640.png 424w, https://substackcdn.com/image/fetch/$s_!U8Ns!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9489af7b-7b04-4f1d-8a15-53cb33f75441_1029x640.png 848w, https://substackcdn.com/image/fetch/$s_!U8Ns!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9489af7b-7b04-4f1d-8a15-53cb33f75441_1029x640.png 1272w, https://substackcdn.com/image/fetch/$s_!U8Ns!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9489af7b-7b04-4f1d-8a15-53cb33f75441_1029x640.png 1456w" 
sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The 93% approval rate is the headline number, but the behavioral patterns underneath it are what matter most. New users with fewer than 50 sessions employ full auto-approve roughly 20% of the time. By 750 sessions, that number climbs to over 40%. Anthropic describes this as a &#8220;steady accumulation of trust.&#8221; Autonomous session durations have also grown significantly, with the 99.9th percentile turn duration nearly doubling over three months, from under 25 minutes to over 45 minutes.</p><p>Here is where the data gets genuinely interesting. 
Experienced users auto-approve more frequently but also interrupt more often. New users approve individual actions before they execute and rarely need to intervene, interrupting in roughly 5% of turns. Experienced users let the agent run autonomously and step in when something goes wrong, interrupting in roughly 9% of turns. This is not recklessness. It is a deliberate shift in oversight strategy, from proactive review of each action to reactive monitoring and intervention. On the most complex tasks, the agent stops to ask for clarification more than twice as often as the human interrupts it.</p><p>Anthropic&#8217;s own researchers draw a meaningful conclusion from this data. They argue that oversight requirements that prescribe specific interaction patterns, such as requiring humans to approve every action, &#8220;will create friction without necessarily producing safety benefits.&#8221; The focus, they suggest, should be on whether humans are in a position to effectively monitor and intervene, rather than on requiring particular forms of involvement.</p><p>This aligns with what I have been arguing in my writing on agentic AI governance. In &#8220;<strong><a href="https://www.resilientcyber.io/p/governing-agentic-ai-a-practical">Governing Agentic AI</a></strong>,&#8221; I made the case that existing governance frameworks were built for a world where humans are in the loop at every decision point. </p><p>The Anthropic data suggests that even when the product is designed to require per-action approval, users naturally migrate toward a monitoring-and-intervention model. The UK AISI paper &#8220;<strong><a href="https://www.aisi.gov.uk/blog/how-are-ai-agents-used-evidence-from-177000-ai-agent-tools">How are AI agents used?</a></strong>&#8221; reinforces this broader trend with data showing that action tools grew from 27% to 65% of total agent tool usage in just 16 months. 
Agents are doing more, and human interaction patterns are evolving in response.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!L_3f!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c924a5-a46c-4025-9444-4e028e31c72b_1414x536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!L_3f!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c924a5-a46c-4025-9444-4e028e31c72b_1414x536.png 424w, https://substackcdn.com/image/fetch/$s_!L_3f!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c924a5-a46c-4025-9444-4e028e31c72b_1414x536.png 848w, https://substackcdn.com/image/fetch/$s_!L_3f!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c924a5-a46c-4025-9444-4e028e31c72b_1414x536.png 1272w, https://substackcdn.com/image/fetch/$s_!L_3f!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c924a5-a46c-4025-9444-4e028e31c72b_1414x536.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!L_3f!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c924a5-a46c-4025-9444-4e028e31c72b_1414x536.png" width="1414" height="536" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/78c924a5-a46c-4025-9444-4e028e31c72b_1414x536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:536,&quot;width&quot;:1414,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:217648,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192546401?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c924a5-a46c-4025-9444-4e028e31c72b_1414x536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!L_3f!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c924a5-a46c-4025-9444-4e028e31c72b_1414x536.png 424w, https://substackcdn.com/image/fetch/$s_!L_3f!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c924a5-a46c-4025-9444-4e028e31c72b_1414x536.png 848w, https://substackcdn.com/image/fetch/$s_!L_3f!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c924a5-a46c-4025-9444-4e028e31c72b_1414x536.png 1272w, https://substackcdn.com/image/fetch/$s_!L_3f!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78c924a5-a46c-4025-9444-4e028e31c72b_1414x536.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h2><strong>Simon Willison&#8217;s Critique and the Determinism Question</strong></h2><p>Simon Willison, one of the most thoughtful voices in the developer community on AI security, <strong><a href="https://simonwillison.net/2026/mar/24/auto-mode-for-claude-code/">published a detailed analysis</a></strong> of Auto Mode that raised important concerns. His core argument is that he remains unconvinced by prompt injection protections that rely on AI, since they are non-deterministic by nature. 
This is not a dismissal; it is a fundamental architectural concern.</p><blockquote><p><strong>I remain unconvinced by prompt injection protections that rely on AI, since they're non-deterministic by nature.</strong></p></blockquote><p>Willison&#8217;s point is that a classifier-based safety system, no matter how well-designed, introduces probabilistic behavior into a security boundary. Traditional security controls are deterministic. A firewall rule either blocks traffic or it does not. A file permission either grants access or it does not. An AI classifier that makes judgment calls about whether an action is safe introduces a category of uncertainty that does not exist in traditional security architecture. The 17% miss rate on overeager actions is a concrete example of this non-determinism in practice.</p><p>Willison also flagged a specific practical concern. The default allow list includes pip install -r requirements.txt, which means Auto Mode would not block supply chain attacks through compromised dependencies. He referenced the <strong><a href="https://docs.litellm.ai/blog/security-update-march-2026">LiteLLM incident</a></strong>, where compromised packages were downloaded nearly 47,000 times during the 46 minutes they were live on PyPI, with 88% of dependent packages not pinning versions in a way that would have prevented the exploit. When your safety classifier auto-approves dependency installation and the supply chain is compromised, the classifier is irrelevant.</p><p>Willison&#8217;s preferred alternative is OS-level sandboxing that restricts file access and network connections deterministically. He trusts that approach far more than prompt-based protections. 
This is a legitimate position, and it reflects a broader tension in the industry between AI-based safety mechanisms and traditional infrastructure-level controls.</p><p>That said, I also shared a research paper from the UK&#8217;s AI Security Institute and others titled &#8220;<strong><a href="https://arxiv.org/pdf/2603.02277">Quantifying Frontier LLM Capabilities for Container Sandbox Escape</a></strong>&#8221;. What is interesting is that the researchers found frontier models can reliably escape common sandbox misconfigurations (privileged containers, writable host mounts, etc.), and even harder escapes saw 40% success rates. They also found that more compute means more escapes, a parallel we see playing out in pen testing, OffSec, exploitation, etc.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!LOAG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa53047c8-2018-4feb-a20d-4ec4d4e70b34_983x511.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!LOAG!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa53047c8-2018-4feb-a20d-4ec4d4e70b34_983x511.png 424w, https://substackcdn.com/image/fetch/$s_!LOAG!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa53047c8-2018-4feb-a20d-4ec4d4e70b34_983x511.png 848w, https://substackcdn.com/image/fetch/$s_!LOAG!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa53047c8-2018-4feb-a20d-4ec4d4e70b34_983x511.png 1272w, 
https://substackcdn.com/image/fetch/$s_!LOAG!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa53047c8-2018-4feb-a20d-4ec4d4e70b34_983x511.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!LOAG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa53047c8-2018-4feb-a20d-4ec4d4e70b34_983x511.png" width="983" height="511" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a53047c8-2018-4feb-a20d-4ec4d4e70b34_983x511.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:511,&quot;width&quot;:983,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:134674,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192546401?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa53047c8-2018-4feb-a20d-4ec4d4e70b34_983x511.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!LOAG!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa53047c8-2018-4feb-a20d-4ec4d4e70b34_983x511.png 424w, https://substackcdn.com/image/fetch/$s_!LOAG!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa53047c8-2018-4feb-a20d-4ec4d4e70b34_983x511.png 848w, https://substackcdn.com/image/fetch/$s_!LOAG!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa53047c8-2018-4feb-a20d-4ec4d4e70b34_983x511.png 
1272w, https://substackcdn.com/image/fetch/$s_!LOAG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa53047c8-2018-4feb-a20d-4ec4d4e70b34_983x511.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>But there is the practical reality that Willison himself acknowledges implicitly. Auto Mode is not competing against the theoretical ideal of deterministic sandboxing with every agent deployment. 
It is competing against <em><strong>--dangerously-skip-permissions</strong></em>, which the developer community calls &#8220;YOLO mode,&#8221; where Claude Code runs with zero guardrails. </p><p>When the realistic baseline for a significant portion of users is no safety controls at all, a classifier with a 17% miss rate and 0.4% false-positive rate represents a meaningful improvement in real-world risk posture. The perfect should not be the enemy of the dramatically better, which makes this new mode from Claude a significant security improvement for most users, even if it still brings significant risks.</p><h2><strong>Why Hard Boundaries Still Matter</strong></h2><p>That said, Auto Mode and similar classifier-based approaches are necessary but not sufficient. The answer is not to choose between AI-based safety and deterministic controls; the answer is to layer both. Defense in depth is a longstanding security principle that should still apply here with agents as well.</p><p>This is the argument I have been making in my work on agentic AI security across multiple articles. The key capabilities enterprises need include hard boundary enforcement that combines deterministic controls like allowlists, blocklists, and tool-level restrictions with probabilistic protections like intent analysis, behavioral monitoring, and anomaly detection. All of these should be part of the arsenal for securing agents.</p><p>The UK AISI data makes this even more urgent. Their analysis of 177,000 MCP tools found that AI-coauthored agent tooling went from 6% to 62% in just over a year. Agents are building the tools that other agents use. 
Financial transaction tools grew from 47 servers to over 1,500, and the most consequential agent actions are increasingly happening in unconstrained environments like browsers and operating systems rather than through restricted API integrations.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xOfI!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1008fa18-0608-463b-85f7-e1ca70955cf9_855x507.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!xOfI!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1008fa18-0608-463b-85f7-e1ca70955cf9_855x507.png 424w, https://substackcdn.com/image/fetch/$s_!xOfI!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1008fa18-0608-463b-85f7-e1ca70955cf9_855x507.png 848w, https://substackcdn.com/image/fetch/$s_!xOfI!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1008fa18-0608-463b-85f7-e1ca70955cf9_855x507.png 1272w, https://substackcdn.com/image/fetch/$s_!xOfI!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1008fa18-0608-463b-85f7-e1ca70955cf9_855x507.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!xOfI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1008fa18-0608-463b-85f7-e1ca70955cf9_855x507.png" width="855" height="507" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1008fa18-0608-463b-85f7-e1ca70955cf9_855x507.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:507,&quot;width&quot;:855,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:147501,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192546401?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1008fa18-0608-463b-85f7-e1ca70955cf9_855x507.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!xOfI!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1008fa18-0608-463b-85f7-e1ca70955cf9_855x507.png 424w, https://substackcdn.com/image/fetch/$s_!xOfI!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1008fa18-0608-463b-85f7-e1ca70955cf9_855x507.png 848w, https://substackcdn.com/image/fetch/$s_!xOfI!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1008fa18-0608-463b-85f7-e1ca70955cf9_855x507.png 1272w, https://substackcdn.com/image/fetch/$s_!xOfI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1008fa18-0608-463b-85f7-e1ca70955cf9_855x507.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>When you combine these trends with the Anthropic data showing a 93% approval rate and experienced users auto-approving over 40% of sessions, the conclusion is straightforward. 
Per-action human approval is not a reliable primary safety mechanism at scale. Even if human-in-the-loop feels good for security practitioners to say, it simply isn&#8217;t practical and isn&#8217;t happening in reality.</p><p>You need to build the guardrails into the infrastructure itself.</p><h2><strong>What Security Leaders Should Do</strong></h2><p>For security leaders trying to get ahead of this, I keep coming back to the same framework across the three major agent deployment patterns.</p><p>For homegrown and custom agents that organizations build internally, this means defining explicit trust boundaries, tool permissions, and action constraints at the architecture level. What environments can the agent access? What actions can it take? What data can it touch? These decisions should be baked into the agent&#8217;s configuration and enforced programmatically, not left to runtime approval prompts that, as the data shows, users rubber-stamp the vast majority of the time.</p><p>For endpoint agents like coding assistants and agentic browsers, the Willison argument for OS-level sandboxing has real merit. These agents operate on developer machines with access to source code, credentials, terminals, and browser sessions. Combining classifier-based protections like Auto Mode with deterministic sandboxing that restricts file system access and network connectivity creates defense in depth that neither approach achieves alone.</p><p>For SaaS and embedded agents that come bundled in enterprise platforms, the challenge is visibility. When a vendor embeds agent capabilities into your CRM, HR platform, or collaboration tool, you inherit their security decisions. You need the ability to monitor what those agents are doing, what tools they are using, and what actions they are taking within your environment. 
Much like the cloud&#8217;s Shared Responsibility Model, you are still accountable for the data that embedded SaaS agents use, and you can&#8217;t outsource that to your SaaS vendor.</p><p>Across all three patterns, the capabilities that matter are visibility and observability to understand what agents exist and what they are doing, AISPM to continuously assess the security posture of agent deployments, AIDR to detect anomalous behavior and policy violations in real time, and governance frameworks that account for the unique properties of agents rather than treating them as traditional software or standalone models.</p><h1><strong>The Bottom Line</strong></h1><p>Auto Mode is not the end of the conversation; it is the beginning of a much harder one. Anthropic deserves credit for being transparent about the data and for building a middle ground between per-action approval and no guardrails at all. </p><p>The 93% approval rate is not evidence that users are irresponsible. It is evidence that the per-action approval model does not match how humans actually work with autonomous systems. Users naturally shift from reviewing individual actions to monitoring overall behavior, and they do so more as they gain experience and trust.</p><p>The takeaway for security leaders is not that humans cannot be trusted. It is that security architectures should not depend on a model of human behavior that the data shows does not hold at scale. Build hard boundaries, layer deterministic and probabilistic controls, invest in runtime visibility, and treat agent permissions as an infrastructure problem, not a user behavior problem.</p><p>Agents are taking action faster, in more environments, and with more autonomy than ever before. 
We need to build security programs for how humans actually interact with them, not how we wish they would.</p>]]></content:encoded></item><item><title><![CDATA[Agents in Action - What 177,000 Tools Reveal About AI's Shift from Thinking to Doing]]></title><description><![CDATA[Agents Aren't Watching Anymore. They're Acting, Building, and Writing Themselves.]]></description><link>https://www.resilientcyber.io/p/agents-in-action-what-177000-tools</link><guid isPermaLink="false">https://www.resilientcyber.io/p/agents-in-action-what-177000-tools</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Sat, 28 Mar 2026 11:46:10 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!nsoM!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82c97767-fee0-432f-bc90-dc29ee6f3656_1414x536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>A landmark study from the UK&#8217;s AI Safety Institute analyzed 177,436 agent tools and found that agents are rapidly shifting from passive observation to real-world action. The implications for enterprise security are massive and mostly unaddressed.</em></p><p>The UK&#8217;s AI Safety Institute recently published one of the most empirically rigorous studies I have seen on how AI agents are actually being used in the wild. Titled &#8220;<strong><a href="https://arxiv.org/pdf/2603.23802">How are AI agents used? 
Evidence from 177,000 MCP tools</a></strong>,&#8221; the paper analyzed 177,436 agent tools created between November 2024 and February 2026 by tracking public Model Context Protocol (MCP) server repositories. MCP has become the dominant open protocol for agent tooling, with all of GitHub&#8217;s top 10 new agent-related repositories in the first half of 2025 either building MCP infrastructure or integrating with it. </p><p>This is not a survey, it is not a vendor report, it is a large-scale empirical measurement of what agents are actually doing, and the findings should be required reading for every security leader.</p><p>I have been writing about the agentic AI security problem for months. I&#8217;ve argued that the industry has a massive blind spot around what agents actually do at runtime. In &#8220;<strong><a href="https://www.resilientcyber.io/p/governing-agentic-ai-a-practical">Governing Agentic AI</a></strong>,&#8221; I laid out the governance gap that exists because none of the major AI frameworks account for autonomous agents. </p><p>This UK AISI paper validates every one of those arguments with hard data. 
It quantifies the shift that practitioners have been feeling in the field and puts numbers behind what many of us have been warning about.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!l6a0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3abd080e-7f43-463c-90a0-30520dd05a1a_1140x534.gif" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!l6a0!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3abd080e-7f43-463c-90a0-30520dd05a1a_1140x534.gif 424w, https://substackcdn.com/image/fetch/$s_!l6a0!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3abd080e-7f43-463c-90a0-30520dd05a1a_1140x534.gif 848w, https://substackcdn.com/image/fetch/$s_!l6a0!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3abd080e-7f43-463c-90a0-30520dd05a1a_1140x534.gif 1272w, https://substackcdn.com/image/fetch/$s_!l6a0!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3abd080e-7f43-463c-90a0-30520dd05a1a_1140x534.gif 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!l6a0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3abd080e-7f43-463c-90a0-30520dd05a1a_1140x534.gif" width="1140" height="534" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3abd080e-7f43-463c-90a0-30520dd05a1a_1140x534.gif&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:534,&quot;width&quot;:1140,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:4018004,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/gif&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192335561?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3abd080e-7f43-463c-90a0-30520dd05a1a_1140x534.gif&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!l6a0!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3abd080e-7f43-463c-90a0-30520dd05a1a_1140x534.gif 424w, https://substackcdn.com/image/fetch/$s_!l6a0!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3abd080e-7f43-463c-90a0-30520dd05a1a_1140x534.gif 848w, https://substackcdn.com/image/fetch/$s_!l6a0!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3abd080e-7f43-463c-90a0-30520dd05a1a_1140x534.gif 1272w, https://substackcdn.com/image/fetch/$s_!l6a0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3abd080e-7f43-463c-90a0-30520dd05a1a_1140x534.gif 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><div><hr></div><h1><strong>The Shift from Observation to Action</strong></h1><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!nsoM!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82c97767-fee0-432f-bc90-dc29ee6f3656_1414x536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!nsoM!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82c97767-fee0-432f-bc90-dc29ee6f3656_1414x536.png 424w, https://substackcdn.com/image/fetch/$s_!nsoM!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82c97767-fee0-432f-bc90-dc29ee6f3656_1414x536.png 848w, https://substackcdn.com/image/fetch/$s_!nsoM!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82c97767-fee0-432f-bc90-dc29ee6f3656_1414x536.png 1272w, https://substackcdn.com/image/fetch/$s_!nsoM!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82c97767-fee0-432f-bc90-dc29ee6f3656_1414x536.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!nsoM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82c97767-fee0-432f-bc90-dc29ee6f3656_1414x536.png" width="1414" height="536" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/82c97767-fee0-432f-bc90-dc29ee6f3656_1414x536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:536,&quot;width&quot;:1414,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:217648,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192335561?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82c97767-fee0-432f-bc90-dc29ee6f3656_1414x536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!nsoM!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82c97767-fee0-432f-bc90-dc29ee6f3656_1414x536.png 424w, https://substackcdn.com/image/fetch/$s_!nsoM!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82c97767-fee0-432f-bc90-dc29ee6f3656_1414x536.png 848w, https://substackcdn.com/image/fetch/$s_!nsoM!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82c97767-fee0-432f-bc90-dc29ee6f3656_1414x536.png 1272w, https://substackcdn.com/image/fetch/$s_!nsoM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F82c97767-fee0-432f-bc90-dc29ee6f3656_1414x536.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><blockquote><p><strong>As the authors note, the share of action tools in terms of monthly downloads, rose from 24% to 65% in 16 months, primarily driven by growth in computer use and browser automation tools.</strong></p></blockquote><p>The single most important finding in this paper is the dramatic shift in what agents are being built to do. The researchers classify agent tools into three categories based on their direct impact. Perception tools access and read data. Reasoning tools analyze data or concepts, and action tools directly modify external environments through file editing, sending emails, executing code, making API calls, steering drones, or interacting with financial systems.</p><p>The share of action tools in total agent tool usage grew from <strong>27% in November 2024 to 65% by February 2026</strong>. 
Let that trajectory sink in for a moment. In just 16 months, agents went from being primarily passive observers to being predominantly active participants in the environments they interact with. The paper notes that this shift was driven largely by the adoption of general-purpose tools that permit access to unconstrained environments, enabling agents to use a computer or browser with broad, open-ended capabilities rather than narrow, API-specific integrations.</p><p>For commercial entities specifically, the shift is even more pronounced. The download share of action tools released by registered commercial entities increased from 21% to 71% over the same period. This is not hobbyist experimentation. This is enterprise adoption at scale.</p><p>This matters enormously for security because the risk profile of an agent changes fundamentally when it moves from perception to action. An agent that can only read data has a limited blast radius. An agent that can execute code, modify files, send emails, and interact with financial systems has a blast radius that extends across the entire set of environments and services it can reach. </p><p>The paper makes this point explicitly, noting that potentially consequential agent actions are increasingly occurring in the least controlled environments, like an agent browsing the web or using a computer, rather than through restricted, secure API integrations. 
That finding alone should get most security leaders&#8217; attention.</p><h1><strong>Agents Are Writing Themselves</strong></h1><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!KPP-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1dcf9585-3e2c-4770-9330-9d9b507a643d_401x264.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!KPP-!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1dcf9585-3e2c-4770-9330-9d9b507a643d_401x264.png 424w, https://substackcdn.com/image/fetch/$s_!KPP-!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1dcf9585-3e2c-4770-9330-9d9b507a643d_401x264.png 848w, https://substackcdn.com/image/fetch/$s_!KPP-!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1dcf9585-3e2c-4770-9330-9d9b507a643d_401x264.png 1272w, https://substackcdn.com/image/fetch/$s_!KPP-!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1dcf9585-3e2c-4770-9330-9d9b507a643d_401x264.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!KPP-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1dcf9585-3e2c-4770-9330-9d9b507a643d_401x264.png" width="401" height="264" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1dcf9585-3e2c-4770-9330-9d9b507a643d_401x264.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:264,&quot;width&quot;:401,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:30473,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192335561?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1dcf9585-3e2c-4770-9330-9d9b507a643d_401x264.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!KPP-!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1dcf9585-3e2c-4770-9330-9d9b507a643d_401x264.png 424w, https://substackcdn.com/image/fetch/$s_!KPP-!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1dcf9585-3e2c-4770-9330-9d9b507a643d_401x264.png 848w, https://substackcdn.com/image/fetch/$s_!KPP-!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1dcf9585-3e2c-4770-9330-9d9b507a643d_401x264.png 1272w, https://substackcdn.com/image/fetch/$s_!KPP-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1dcf9585-3e2c-4770-9330-9d9b507a643d_401x264.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!FBAe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe47e124c-6c0a-417a-a43d-a3d7aea2de99_848x525.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!FBAe!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe47e124c-6c0a-417a-a43d-a3d7aea2de99_848x525.png 424w, 
https://substackcdn.com/image/fetch/$s_!FBAe!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe47e124c-6c0a-417a-a43d-a3d7aea2de99_848x525.png 848w, https://substackcdn.com/image/fetch/$s_!FBAe!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe47e124c-6c0a-417a-a43d-a3d7aea2de99_848x525.png 1272w, https://substackcdn.com/image/fetch/$s_!FBAe!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe47e124c-6c0a-417a-a43d-a3d7aea2de99_848x525.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!FBAe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe47e124c-6c0a-417a-a43d-a3d7aea2de99_848x525.png" width="848" height="525" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e47e124c-6c0a-417a-a43d-a3d7aea2de99_848x525.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:525,&quot;width&quot;:848,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:147860,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192335561?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe47e124c-6c0a-417a-a43d-a3d7aea2de99_848x525.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!FBAe!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe47e124c-6c0a-417a-a43d-a3d7aea2de99_848x525.png 
424w, https://substackcdn.com/image/fetch/$s_!FBAe!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe47e124c-6c0a-417a-a43d-a3d7aea2de99_848x525.png 848w, https://substackcdn.com/image/fetch/$s_!FBAe!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe47e124c-6c0a-417a-a43d-a3d7aea2de99_848x525.png 1272w, https://substackcdn.com/image/fetch/$s_!FBAe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe47e124c-6c0a-417a-a43d-a3d7aea2de99_848x525.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The second finding that jumped out at me is the data on AI-coauthored agent tools. The paper detected AI assistance in 28% of MCP servers, representing 36% of all tools. But the trend line is what matters most. The share of newly created MCP servers with detected AI assistance rose from 6% in January 2025 to 62% by February 2026. In other words, by early 2026, nearly two-thirds of all new agent tools being published showed evidence of being built with the help of AI coding agents.</p><p>Claude dominates this space, accounting for 69% of AI-coauthored servers, followed by Cursor at 9.2%, Copilot at 9.1%, and Codex at 6%. The paper identifies these through commit metadata, AI tool configuration files, bot account commits, and explicit mentions of AI tool names in commit messages and pull request bodies.</p><p>This is the recursive loop some have been warning about. AI agents are building the tools that other AI agents use. The paper describes this as &#8220;recursive self-improvement&#8221; where AI agents that create their own tools expand the action space without requiring human effort. When AI coding agents build new tools for other AI agents, tool proliferation is no longer bottlenecked by human developers, and tool creation may scale beyond human oversight.</p><p>I covered the broader implications of AI-generated code in &#8220;<strong><a href="https://www.resilientcyber.io/p/vibe-coding-conundrums">Vibe Coding Conundrums</a></strong>,&#8221; where I examined what happens when a growing share of production code is written by AI rather than humans. </p><p>This paper adds a critical dimension to that argument. It is not just application code being generated by AI. It is the agent infrastructure itself. 
The tools, integrations, and capabilities that define what agents can do in production environments are increasingly being created by agents, with all the security implications that entails. If 62% of new agent tooling is AI-coauthored and the quality, security, and trustworthiness of that tooling are not being systematically validated, the enterprise is inheriting risk at a pace that no manual review process can match, and humans can govern neither the code nor the underlying tooling that is introduced via AI.</p><h1><strong>Software Development Dominates, But High-Stakes Domains Are Emerging</strong></h1><p>The paper found that software development and IT tasks account for 67% of all published agent tools and a staggering 90% of MCP server downloads. This confirms what most practitioners already sense. The current primary use case for agents is accelerating technical workflows, particularly coding, testing, deployment, and infrastructure management.</p><p>But the paper also surfaces an important signal about where things are headed. Financial services emerged as a significant outlier, with high-stakes financial occupations having disproportionately more action tools than predicted by the overall pattern. MCP servers with payment execution capabilities grew from 47 servers in January 2025 to 1,578 by February 2026. 
Financial regulators are already paying attention, and the paper was produced in part through a collaboration with the Bank of England.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!JbNm!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc73d21fe-eb88-4c98-be76-9486240e8fee_888x326.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!JbNm!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc73d21fe-eb88-4c98-be76-9486240e8fee_888x326.png 424w, https://substackcdn.com/image/fetch/$s_!JbNm!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc73d21fe-eb88-4c98-be76-9486240e8fee_888x326.png 848w, https://substackcdn.com/image/fetch/$s_!JbNm!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc73d21fe-eb88-4c98-be76-9486240e8fee_888x326.png 1272w, https://substackcdn.com/image/fetch/$s_!JbNm!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc73d21fe-eb88-4c98-be76-9486240e8fee_888x326.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!JbNm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc73d21fe-eb88-4c98-be76-9486240e8fee_888x326.png" width="888" height="326" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c73d21fe-eb88-4c98-be76-9486240e8fee_888x326.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:326,&quot;width&quot;:888,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:76502,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192335561?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc73d21fe-eb88-4c98-be76-9486240e8fee_888x326.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!JbNm!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc73d21fe-eb88-4c98-be76-9486240e8fee_888x326.png 424w, https://substackcdn.com/image/fetch/$s_!JbNm!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc73d21fe-eb88-4c98-be76-9486240e8fee_888x326.png 848w, https://substackcdn.com/image/fetch/$s_!JbNm!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc73d21fe-eb88-4c98-be76-9486240e8fee_888x326.png 1272w, https://substackcdn.com/image/fetch/$s_!JbNm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc73d21fe-eb88-4c98-be76-9486240e8fee_888x326.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>This expansion into high-stakes domains is exactly the trajectory I described in &#8220;Governing Agentic AI,&#8221; where I argued that the governance frameworks we have today were built for a world of models producing recommendations for human review, not agents autonomously executing financial transactions, modifying production databases, or interacting with critical infrastructure. The UK AISI data shows that this transition is not theoretical. 
It is measurable, accelerating, and expanding into domains where the consequences of misalignment, mistakes, or misuse are severe.</p><h1><strong>What This Means Across the Three Dominant Agent Deployment Patterns</strong></h1><p>For security leaders trying to get their arms around this, I continue to believe the most practical framework is the three major agent deployment patterns I have been writing about.</p><p>The first is homegrown and custom agents that organizations build internally. The UK AISI data shows that tool availability has grown from roughly 4,888 tools in January 2025 to 177,000 by February 2026, a 36x increase. Organizations building custom agents are pulling from this rapidly expanding ecosystem of publicly available tools, many of which were built by AI with limited security validation. The question for security leaders is whether they have visibility into which tools their internal agents are using, what those tools can access, and whether the tools themselves are trustworthy. In most cases today, the answer is no.</p><p>The second pattern is endpoint agents like coding assistants and agentic browsers that operate on developer and employee machines. The paper&#8217;s finding that software development accounts for 90% of agent tool downloads, combined with the explosive growth in computer-use and browser automation tools, means that endpoint agents are the most widely deployed and the most action-oriented. These agents have access to local file systems, terminals, source code repositories, and browser sessions. The shift toward general-purpose, unconstrained tools means these endpoint agents increasingly operate with broad permissions in environments that are difficult to monitor with traditional security controls.</p><p>The third pattern is SaaS and embedded agents that come bundled within enterprise platforms. 
The paper identifies &#8220;official&#8221; MCP servers published by companies like PayPal, Stripe, Google, and Asana, noting that while they represent a smaller share of published tools, they account for a disproportionately large share of downloads, roughly 45 million out of 78 million total. When a vendor embeds agent capabilities into a platform your organization already uses, the enterprise inherits whatever security decisions the vendor made about what actions the agent can take, what environments it can access, and what constraints are in place, similar to the shared responsibility model from the cloud era.</p><p>The UK AISI data on the shift from constrained to unconstrained environments should raise serious questions about whether those vendor decisions are conservative enough.</p><h1><strong>Visibility, AISPM, AIDR, and Governance Are Not Optional</strong></h1><p>The paper reinforces a thesis I have been developing across multiple articles. You cannot secure what you cannot see, and right now, most organizations cannot see what their agents are doing.</p><p>Start with visibility and observability. The paper demonstrates that monitoring agent tools provides early indicators of deployment patterns, emerging risk domains, and shifts in capability. If a government research institute can track 177,000 tools across public repositories, there is no reason enterprise security teams should not have comparable visibility into their own agent deployments. How many agents are running in your environment? What tools do they have access to? What actions are they taking? What data are they touching? For most organizations, these are unanswered questions.</p><p>Then there is AI Security Posture Management, or AISPM. 
The paper&#8217;s framework for characterizing agent tools across five dimensions, including direct impact, generality, task domain, geography, and AI co-authorship, provides a useful model for how organizations should be assessing the security posture of their agent deployments. </p><p>Each dimension maps to a risk variable. An agent with action tools in an unconstrained environment operating in a high-stakes domain with AI-coauthored tooling represents a fundamentally different risk profile than an agent using narrow perception tools in a constrained API environment. AISPM is about continuously assessing these variables across your entire agent inventory. Factors such as data sensitivity, system criticality, business context and more should be part of agentic risk assessments, as they have been in prior eras of cyber.</p><p>AI Detection and Response, or AIDR, addresses what happens when agents misbehave. The paper catalogs the real-world consequences of agent misalignment and mistakes, including deleted databases, exposed patient records, blackmail by misaligned agents, and cryptocurrency theft through prompt injection. It notes that narrow-purpose tools are easier to govern because a cryptocurrency transfer tool has a clear risk profile, while a general-purpose browser tool can do almost anything. When the most consequential actions are happening in the least constrained environments, detection and response capabilities purpose-built for agent behavior become essential.</p><p>Finally, governance. The paper explicitly raises the challenge that general-purpose tools complicate tool-based governance. Current agent systems like Claude Code&#8217;s settings.json can permit or block specific narrow tools, while requiring user review for potentially risky general-purpose tools. But the paper acknowledges that if general-purpose tools continue to dominate, the manual review approach becomes unsustainable. 
</p><p>For consequential actions like large financial transfers or legal registrations, the paper suggests that developers and regulators could require human authentication. This maps directly to the governance frameworks I have been advocating for, frameworks that account for the unique properties of agents including their autonomy, tool access, data sensitivity, and action capabilities, rather than trying to retrofit model-level or traditional software governance approaches.</p><h1><strong>The Bottom Line</strong></h1><p>This paper is one of the most important pieces of empirical research on AI agents published to date. It moves the conversation from speculation to measurement. Agents are not just coming, they are already here. They went from roughly 5,000 tools to 177,000 in just over a year. Action tools grew from 27% to 65% of usage. AI-coauthored tooling went from 6% to 62%. Financial transaction tools grew by over 3,000%, and the most consequential agent actions are increasingly happening in uncontrolled environments.</p><p>The organizations that treat this as an AI research curiosity rather than an enterprise security imperative are going to learn expensive lessons. The ones that invest in visibility, posture management, detection and response, and governance purpose-built for agents will be the ones that deploy AI at scale without becoming the next case study.</p><p>There&#8217;s no question that agents are in action. 
The organizations that adopt agents securely will be those that have observability, posture management, and detection and response, and that account for capabilities such as hard boundaries, intent analysis, and comprehensive governance.</p>]]></content:encoded></item><item><title><![CDATA[Resilient Cyber Newsletter #90]]></title><description><![CDATA[Services: The New Software, Two Paths Left for Software Companies, AI Agent Offensive Capabilities, M-Trends 2026, TeamPCP Wrecks the Supply Chain & the Evolution of AppSec Engineers]]></description><link>https://www.resilientcyber.io/p/resilient-cyber-newsletter-90</link><guid isPermaLink="false">https://www.resilientcyber.io/p/resilient-cyber-newsletter-90</guid><dc:creator><![CDATA[Chris Hughes]]></dc:creator><pubDate>Fri, 27 Mar 2026 12:51:13 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!WNf6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff780fd54-d536-411e-bc73-134ba790e164_1030x1352.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to issue #90 of the Resilient Cyber Newsletter! </p><p>This was the week the supply chain came apart. 
TeamPCP, the threat actor behind the hackerbot-claw campaign I covered in issue #87, escalated from GitHub Actions exploitation to a full-spectrum supply chain attack that compromised Trivy (Aqua Security&#8217;s vulnerability scanner used by millions), hijacked 76 GitHub Action tags, defaced Aqua&#8217;s entire GitHub organization, and then used stolen CI/CD credentials to backdoor LiteLLM, one of the most widely used Python libraries in the AI ecosystem. A single <code>pip install</code> pulled in a credential stealer that targeted everything from API keys and SSH credentials to Kubernetes secrets and cryptocurrency wallets.</p><p>Meanwhile, Google&#8217;s M-Trends 2026 report showed attackers handing off access in 22 seconds, Sequoia declared that the next trillion-dollar company will sell work rather than software, AI agents beat 90% of human hackers in a global competition with 18,000 participants, and Jack Cable raised $25 million for Corridor to embed security into AI coding workflows. The CSA launched an entire new foundation dedicated to &#8220;Securing the Agentic Control Plane.&#8221; There is a lot to cover. Let&#8217;s get into it.</p><p>Oh yeah, and I spent the week out in San Francisco at RSAC, hanging with the community, speaking with analysts, practitioners, founders, investors, researchers and more. 
</p><p>So yeah, it&#8217;s been a slow week :) </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!WNf6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff780fd54-d536-411e-bc73-134ba790e164_1030x1352.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!WNf6!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff780fd54-d536-411e-bc73-134ba790e164_1030x1352.png 424w, https://substackcdn.com/image/fetch/$s_!WNf6!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff780fd54-d536-411e-bc73-134ba790e164_1030x1352.png 848w, https://substackcdn.com/image/fetch/$s_!WNf6!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff780fd54-d536-411e-bc73-134ba790e164_1030x1352.png 1272w, https://substackcdn.com/image/fetch/$s_!WNf6!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff780fd54-d536-411e-bc73-134ba790e164_1030x1352.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!WNf6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff780fd54-d536-411e-bc73-134ba790e164_1030x1352.png" width="414" height="543.4252427184466" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f780fd54-d536-411e-bc73-134ba790e164_1030x1352.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1352,&quot;width&quot;:1030,&quot;resizeWidth&quot;:414,&quot;bytes&quot;:2535465,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff780fd54-d536-411e-bc73-134ba790e164_1030x1352.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!WNf6!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff780fd54-d536-411e-bc73-134ba790e164_1030x1352.png 424w, https://substackcdn.com/image/fetch/$s_!WNf6!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff780fd54-d536-411e-bc73-134ba790e164_1030x1352.png 848w, https://substackcdn.com/image/fetch/$s_!WNf6!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff780fd54-d536-411e-bc73-134ba790e164_1030x1352.png 1272w, https://substackcdn.com/image/fetch/$s_!WNf6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff780fd54-d536-411e-bc73-134ba790e164_1030x1352.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><div><hr></div><h1>Cyber Leadership &amp; Market Dynamics</h1><h3><a href="https://sequoiacap.com/article/services-the-new-software/">Sequoia Capital: Services Are the New Software</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!RFBW!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F546753a7-5c5e-40c5-82eb-df9b073154ae_778x258.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!RFBW!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F546753a7-5c5e-40c5-82eb-df9b073154ae_778x258.png 424w, https://substackcdn.com/image/fetch/$s_!RFBW!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F546753a7-5c5e-40c5-82eb-df9b073154ae_778x258.png 848w, 
https://substackcdn.com/image/fetch/$s_!RFBW!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F546753a7-5c5e-40c5-82eb-df9b073154ae_778x258.png 1272w, https://substackcdn.com/image/fetch/$s_!RFBW!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F546753a7-5c5e-40c5-82eb-df9b073154ae_778x258.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!RFBW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F546753a7-5c5e-40c5-82eb-df9b073154ae_778x258.png" width="577" height="191.34447300771208" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/546753a7-5c5e-40c5-82eb-df9b073154ae_778x258.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:258,&quot;width&quot;:778,&quot;resizeWidth&quot;:577,&quot;bytes&quot;:36025,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F546753a7-5c5e-40c5-82eb-df9b073154ae_778x258.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!RFBW!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F546753a7-5c5e-40c5-82eb-df9b073154ae_778x258.png 424w, 
https://substackcdn.com/image/fetch/$s_!RFBW!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F546753a7-5c5e-40c5-82eb-df9b073154ae_778x258.png 848w, https://substackcdn.com/image/fetch/$s_!RFBW!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F546753a7-5c5e-40c5-82eb-df9b073154ae_778x258.png 1272w, https://substackcdn.com/image/fetch/$s_!RFBW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F546753a7-5c5e-40c5-82eb-df9b073154ae_778x258.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Sequoia published one of the most consequential investment theses of the AI era. The argument is straightforward but has massive implications: for every dollar spent on software, six dollars go to services, and the next trillion-dollar company will sell the work done rather than the tool that does it. The distinction between copilots (selling tools) and autopilots (selling outcomes) is the defining architectural choice for AI companies in 2026.</p><p>This matters enormously for cybersecurity. If the business model shifts from selling software seats to selling labor outcomes, the identity surface transforms completely. Instead of human users authenticated to SaaS platforms, you have autonomous agents executing tasks on behalf of organizations, each requiring their own credentials, authorization scopes, and audit trails. This is the agentic identity challenge I&#8217;ve been writing about through the OWASP NHI Top 10, but at a scale that dwarfs anything we&#8217;ve seen from traditional service accounts and API keys.</p><p>Sequoia also declared in a companion piece that 2026 is the year of AGI, with coding agents as the first proof point. 
Whether you agree with that framing or not, the investment capital flowing into agent-first companies is reshaping the entire technology landscape, and security must evolve to match.</p><h3><a href="https://www.wsj.com/articles/u-s-cyber-assault-on-iran-before-bombing-hasnt-stopped-hackers-702b36f2">WSJ: US Cyber Assault on Iran Hasn&#8217;t Stopped Hackers</a></h3><p>The Wall Street Journal reported that US cyber operations against Iran, which I first discussed in issue #87, have not achieved the desired deterrent effect. Iranian cyber threat actors remain active and are increasingly targeting civilian infrastructure. This is a reminder that cybersecurity exists within a geopolitical context that can change rapidly and that defensive posture matters regardless of offensive operations.</p><h3><a href="https://www.fastcompany.com/91503492/cyera-chainguard-horizon3ai-sublime-most-innovative-companies-2026">Fast Company&#8217;s Most Innovative Companies 2026: Cybersecurity Edition</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!W4XD!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94d52108-8730-42a4-9ad3-d70a55a1d90c_802x171.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!W4XD!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94d52108-8730-42a4-9ad3-d70a55a1d90c_802x171.png 424w, https://substackcdn.com/image/fetch/$s_!W4XD!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94d52108-8730-42a4-9ad3-d70a55a1d90c_802x171.png 848w, 
https://substackcdn.com/image/fetch/$s_!W4XD!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94d52108-8730-42a4-9ad3-d70a55a1d90c_802x171.png 1272w, https://substackcdn.com/image/fetch/$s_!W4XD!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94d52108-8730-42a4-9ad3-d70a55a1d90c_802x171.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!W4XD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94d52108-8730-42a4-9ad3-d70a55a1d90c_802x171.png" width="802" height="171" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/94d52108-8730-42a4-9ad3-d70a55a1d90c_802x171.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:171,&quot;width&quot;:802,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:37310,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94d52108-8730-42a4-9ad3-d70a55a1d90c_802x171.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!W4XD!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94d52108-8730-42a4-9ad3-d70a55a1d90c_802x171.png 424w, https://substackcdn.com/image/fetch/$s_!W4XD!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94d52108-8730-42a4-9ad3-d70a55a1d90c_802x171.png 848w, 
https://substackcdn.com/image/fetch/$s_!W4XD!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94d52108-8730-42a4-9ad3-d70a55a1d90c_802x171.png 1272w, https://substackcdn.com/image/fetch/$s_!W4XD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94d52108-8730-42a4-9ad3-d70a55a1d90c_802x171.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Fast Company named four cybersecurity companies to its 2026 Most Innovative Companies list: Sublime Security (#1 in the security category), Cyera, Chainguard, and Horizon3.ai. The common thread is AI as a core architectural pattern, not just a feature.</p><p>Sublime Security raised $150 million in Series C and shipped two autonomous AI agents for threat triage and detection engineering, embodying the agentic security pattern we&#8217;ve been tracking. Horizon3.ai reported 102% year-over-year ARR growth with its continuous &#8220;hack, fix, verify, repeat&#8221; proactive testing model, now trusted by four Fortune 10 companies. </p><p>Chainguard&#8217;s inclusion speaks directly to this week&#8217;s supply chain security themes, tackling vulnerabilities in open-source dependencies and container images. Cyera rounds out the list with agentless DSPM across cloud, SaaS, and on-prem environments. 
Several of these CEOs made a point worth repeating, which is that good cybersecurity is no longer a cost center but a revenue accelerator.</p><h3><a href="https://www.sentinelone.com/s-ventures/blog/s-ventures-investment-in-replit/">SentinelOne S Ventures Invests in Replit</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!BIiB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F39a1d3fe-fa0d-4b63-9f1b-99948e024fc8_371x283.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!BIiB!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F39a1d3fe-fa0d-4b63-9f1b-99948e024fc8_371x283.png 424w, https://substackcdn.com/image/fetch/$s_!BIiB!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F39a1d3fe-fa0d-4b63-9f1b-99948e024fc8_371x283.png 848w, https://substackcdn.com/image/fetch/$s_!BIiB!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F39a1d3fe-fa0d-4b63-9f1b-99948e024fc8_371x283.png 1272w, https://substackcdn.com/image/fetch/$s_!BIiB!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F39a1d3fe-fa0d-4b63-9f1b-99948e024fc8_371x283.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!BIiB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F39a1d3fe-fa0d-4b63-9f1b-99948e024fc8_371x283.png" width="295" height="225.02695417789758" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/39a1d3fe-fa0d-4b63-9f1b-99948e024fc8_371x283.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:283,&quot;width&quot;:371,&quot;resizeWidth&quot;:295,&quot;bytes&quot;:61056,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F39a1d3fe-fa0d-4b63-9f1b-99948e024fc8_371x283.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!BIiB!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F39a1d3fe-fa0d-4b63-9f1b-99948e024fc8_371x283.png 424w, https://substackcdn.com/image/fetch/$s_!BIiB!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F39a1d3fe-fa0d-4b63-9f1b-99948e024fc8_371x283.png 848w, https://substackcdn.com/image/fetch/$s_!BIiB!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F39a1d3fe-fa0d-4b63-9f1b-99948e024fc8_371x283.png 1272w, https://substackcdn.com/image/fetch/$s_!BIiB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F39a1d3fe-fa0d-4b63-9f1b-99948e024fc8_371x283.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>SentinelOne&#8217;s venture arm invested in Replit, the browser-based development platform that has become one of the most popular environments for vibe coding. 
This is a security company making a strategic bet on the AI development ecosystem, which signals that securing AI-generated code is now a portfolio-level priority for cybersecurity vendors.</p><p>The investment makes sense when you consider the data. DryRun&#8217;s report (which I covered in issue #89) showed 87% of AI-generated PRs introduce vulnerabilities. Replit is where many non-traditional developers are building their first applications using natural language prompts. The security implications are significant, and having a security-first investor at the table is valuable.</p><h3><a href="https://www.linkedin.com/posts/jackcable_today-were-announcing-corridors-25m-series-activity-7440079987358990337-xy1-">Corridor Raises $25M Series A at $200M Valuation</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!muQ_!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feec55560-a41e-4484-9c96-9d2d76090971_670x410.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!muQ_!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feec55560-a41e-4484-9c96-9d2d76090971_670x410.png 424w, https://substackcdn.com/image/fetch/$s_!muQ_!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feec55560-a41e-4484-9c96-9d2d76090971_670x410.png 848w, https://substackcdn.com/image/fetch/$s_!muQ_!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feec55560-a41e-4484-9c96-9d2d76090971_670x410.png 1272w, 
https://substackcdn.com/image/fetch/$s_!muQ_!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feec55560-a41e-4484-9c96-9d2d76090971_670x410.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!muQ_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feec55560-a41e-4484-9c96-9d2d76090971_670x410.png" width="438" height="268.02985074626866" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/eec55560-a41e-4484-9c96-9d2d76090971_670x410.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:410,&quot;width&quot;:670,&quot;resizeWidth&quot;:438,&quot;bytes&quot;:103779,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feec55560-a41e-4484-9c96-9d2d76090971_670x410.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!muQ_!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feec55560-a41e-4484-9c96-9d2d76090971_670x410.png 424w, https://substackcdn.com/image/fetch/$s_!muQ_!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feec55560-a41e-4484-9c96-9d2d76090971_670x410.png 848w, 
https://substackcdn.com/image/fetch/$s_!muQ_!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feec55560-a41e-4484-9c96-9d2d76090971_670x410.png 1272w, https://substackcdn.com/image/fetch/$s_!muQ_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feec55560-a41e-4484-9c96-9d2d76090971_670x410.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Jack Cable, who previously led CISA&#8217;s Secure by Design initiative, raised $25 million for Corridor with Alex Stamos as CPO and 
backing from Felicis, Lux Capital, Datadog, and angels from Anthropic, OpenAI, Cursor, and Cognition. The company is building an Agentic Coding Security Management (ACSM) platform that embeds security directly into AI coding workflows.</p><p>When Latio&#8217;s 2026 Application Security Market Report found that securing AI-generated code is the number one concern for 48% of respondents, it validated exactly the problem Corridor is tackling. Cable&#8217;s background at CISA gives him credibility on the policy side, and the investor list reads like a who&#8217;s who of the AI coding ecosystem. This team is one to watch in my opinion.</p><h3><a href="https://www.a16z.news/p/there-are-only-two-paths-left-for">a16z: Two Paths Left for Software Companies</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Xhn8!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0b94686-78d9-49b6-b38c-7539712c97a2_995x533.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Xhn8!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0b94686-78d9-49b6-b38c-7539712c97a2_995x533.png 424w, https://substackcdn.com/image/fetch/$s_!Xhn8!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0b94686-78d9-49b6-b38c-7539712c97a2_995x533.png 848w, https://substackcdn.com/image/fetch/$s_!Xhn8!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0b94686-78d9-49b6-b38c-7539712c97a2_995x533.png 1272w, 
https://substackcdn.com/image/fetch/$s_!Xhn8!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0b94686-78d9-49b6-b38c-7539712c97a2_995x533.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Xhn8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0b94686-78d9-49b6-b38c-7539712c97a2_995x533.png" width="537" height="287.65929648241206" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a0b94686-78d9-49b6-b38c-7539712c97a2_995x533.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:533,&quot;width&quot;:995,&quot;resizeWidth&quot;:537,&quot;bytes&quot;:856548,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0b94686-78d9-49b6-b38c-7539712c97a2_995x533.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Xhn8!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0b94686-78d9-49b6-b38c-7539712c97a2_995x533.png 424w, https://substackcdn.com/image/fetch/$s_!Xhn8!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0b94686-78d9-49b6-b38c-7539712c97a2_995x533.png 848w, 
https://substackcdn.com/image/fetch/$s_!Xhn8!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0b94686-78d9-49b6-b38c-7539712c97a2_995x533.png 1272w, https://substackcdn.com/image/fetch/$s_!Xhn8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0b94686-78d9-49b6-b38c-7539712c97a2_995x533.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Andreessen Horowitz laid out their view that software companies face a binary choice, which is become an AI platform or become an 
AI-powered service. There is no third path. This echoes Sequoia&#8217;s thesis and reinforces the structural shift we&#8217;ve been tracking since issue #85, when we discussed the SaaSpocalypse. The security implications remain the same: as software companies transform into agent-native platforms, every assumption about authentication, authorization, and behavioral monitoring needs to be revisited.</p><h3><a href="https://podcasts.apple.com/us/podcast/the-a16z-show/id842818711?i=1000755935778">a16z Podcast: Distillation and Supply Chains</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!p3Ec!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F02fb0a05-950b-429e-810b-99ab49e3493b_971x366.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!p3Ec!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F02fb0a05-950b-429e-810b-99ab49e3493b_971x366.png 424w, https://substackcdn.com/image/fetch/$s_!p3Ec!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F02fb0a05-950b-429e-810b-99ab49e3493b_971x366.png 848w, https://substackcdn.com/image/fetch/$s_!p3Ec!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F02fb0a05-950b-429e-810b-99ab49e3493b_971x366.png 1272w, https://substackcdn.com/image/fetch/$s_!p3Ec!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F02fb0a05-950b-429e-810b-99ab49e3493b_971x366.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!p3Ec!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F02fb0a05-950b-429e-810b-99ab49e3493b_971x366.png" width="566" height="213.3429454170958" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/02fb0a05-950b-429e-810b-99ab49e3493b_971x366.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:366,&quot;width&quot;:971,&quot;resizeWidth&quot;:566,&quot;bytes&quot;:208780,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F02fb0a05-950b-429e-810b-99ab49e3493b_971x366.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!p3Ec!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F02fb0a05-950b-429e-810b-99ab49e3493b_971x366.png 424w, https://substackcdn.com/image/fetch/$s_!p3Ec!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F02fb0a05-950b-429e-810b-99ab49e3493b_971x366.png 848w, https://substackcdn.com/image/fetch/$s_!p3Ec!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F02fb0a05-950b-429e-810b-99ab49e3493b_971x366.png 1272w, https://substackcdn.com/image/fetch/$s_!p3Ec!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F02fb0a05-950b-429e-810b-99ab49e3493b_971x366.png 1456w" 
sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>The a16z podcast featured a discussion on model distillation and supply chain security that connects directly to themes we&#8217;ve been following. As I covered in issue #85, Anthropic accused three Chinese AI labs of running coordinated distillation campaigns using 24,000 fraudulent accounts. The supply chain for AI models is becoming as critical to secure as the software supply chain, and the attack vectors are different but equally consequential.</p><h3><a href="https://www.linkedin.com/posts/colegrolmus_sentinelone-isnt-just-an-endpoint-security-activity-7440005436810076161-LrTq">SentinelOne: More Than Endpoint Security</a></h3><p>Cole Grolmus analyzed SentinelOne&#8217;s strategic positioning, highlighting the company&#8217;s expansion well beyond its endpoint security roots. With the S Ventures investment in Replit and acquisitions in AI security, SentinelOne is positioning itself as a platform player in the AI-native security era. 
Combined with CrowdStrike&#8217;s record earnings (issue #88) and Okta&#8217;s agentic identity pivot, the largest cybersecurity companies are all making aggressive bets on AI.</p><h3><a href="https://www.equifax.com/about-equifax/security/annual-report">Equifax Annual Security Report</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!yOZM!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F120e9dff-1abd-43e6-b42e-5d770905486b_405x371.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!yOZM!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F120e9dff-1abd-43e6-b42e-5d770905486b_405x371.png 424w, https://substackcdn.com/image/fetch/$s_!yOZM!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F120e9dff-1abd-43e6-b42e-5d770905486b_405x371.png 848w, https://substackcdn.com/image/fetch/$s_!yOZM!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F120e9dff-1abd-43e6-b42e-5d770905486b_405x371.png 1272w, https://substackcdn.com/image/fetch/$s_!yOZM!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F120e9dff-1abd-43e6-b42e-5d770905486b_405x371.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!yOZM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F120e9dff-1abd-43e6-b42e-5d770905486b_405x371.png" width="313" height="286.72345679012346" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/120e9dff-1abd-43e6-b42e-5d770905486b_405x371.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:371,&quot;width&quot;:405,&quot;resizeWidth&quot;:313,&quot;bytes&quot;:43341,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F120e9dff-1abd-43e6-b42e-5d770905486b_405x371.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!yOZM!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F120e9dff-1abd-43e6-b42e-5d770905486b_405x371.png 424w, https://substackcdn.com/image/fetch/$s_!yOZM!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F120e9dff-1abd-43e6-b42e-5d770905486b_405x371.png 848w, https://substackcdn.com/image/fetch/$s_!yOZM!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F120e9dff-1abd-43e6-b42e-5d770905486b_405x371.png 1272w, https://substackcdn.com/image/fetch/$s_!yOZM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F120e9dff-1abd-43e6-b42e-5d770905486b_405x371.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Equifax&#8217;s annual security report provides a useful benchmark for how one of the most prominent data companies approaches security governance. 
For practitioners interested in how large enterprises structure their security programs and communicate risk to stakeholders, this is worth reviewing.</p><h3><a href="https://www.lennysnewsletter.com/p/state-of-the-product-job-market-in-ee9">The State of the Product Job Market</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!_W0O!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaff4ec8-9324-4cde-b98f-d6fa4a81abc7_727x625.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!_W0O!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaff4ec8-9324-4cde-b98f-d6fa4a81abc7_727x625.png 424w, https://substackcdn.com/image/fetch/$s_!_W0O!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaff4ec8-9324-4cde-b98f-d6fa4a81abc7_727x625.png 848w, https://substackcdn.com/image/fetch/$s_!_W0O!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaff4ec8-9324-4cde-b98f-d6fa4a81abc7_727x625.png 1272w, https://substackcdn.com/image/fetch/$s_!_W0O!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaff4ec8-9324-4cde-b98f-d6fa4a81abc7_727x625.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!_W0O!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaff4ec8-9324-4cde-b98f-d6fa4a81abc7_727x625.png" width="559" height="480.57083906464925" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/baff4ec8-9324-4cde-b98f-d6fa4a81abc7_727x625.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:625,&quot;width&quot;:727,&quot;resizeWidth&quot;:559,&quot;bytes&quot;:112067,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaff4ec8-9324-4cde-b98f-d6fa4a81abc7_727x625.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!_W0O!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaff4ec8-9324-4cde-b98f-d6fa4a81abc7_727x625.png 424w, https://substackcdn.com/image/fetch/$s_!_W0O!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaff4ec8-9324-4cde-b98f-d6fa4a81abc7_727x625.png 848w, https://substackcdn.com/image/fetch/$s_!_W0O!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaff4ec8-9324-4cde-b98f-d6fa4a81abc7_727x625.png 1272w, https://substackcdn.com/image/fetch/$s_!_W0O!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaff4ec8-9324-4cde-b98f-d6fa4a81abc7_727x625.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Lenny Rachitsky&quot;,&quot;id&quot;:1849774,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://bucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com/public/images/afba5161-65bb-4d99-8d6b-cce660917fa1_1540x1540.png&quot;,&quot;uuid&quot;:&quot;fe4bc493-fec9-40d6-a9f9-a1479613cd41&quot;}" data-component-name="MentionToDOM">Lenny Rachitsky</span>&#8217;s analysis of the product management job market reveals the broader labor impact of AI on knowledge work. Product roles are being reshaped as AI takes on more of the analytical and operational work that PMs traditionally handled. 
For cybersecurity professionals, this is another signal that the skills required in our field are shifting toward governance, architecture, and AI oversight rather than manual operational tasks.</p><p>What many may find most surprising is that the number of engineering jobs is growing, which is counterintuitive given all the mainstream narratives about AI eating the labor market.</p><div><hr></div><h1>AI</h1><h3><a href="https://cloudsecurityalliance.org/press-releases/2026/03/23/csa-securing-the-agentic-control-plane">CSA Launches CSAI Foundation: Securing the Agentic Control Plane</a></h3><p>The Cloud Security Alliance launched CSAI, a new 501(c)(3) foundation dedicated exclusively to AI security with the strategic mission of &#8220;Securing the Agentic Control Plane.&#8221; The six strategic programs include an AI Risk Observatory (with a CNA scoped on agentic AI), agentic best practices covering identity-first controls for non-human actors, and a CxOtrust program providing board-ready risk narratives.</p><p>CSA CEO Jim Reavis declared that the Agentic Control Plane will become as fundamental as identity or network security. This is the kind of institutional infrastructure the industry needs. Standards bodies, certification programs, and governance frameworks do not move as fast as startups, but they create the durable foundation that the entire ecosystem relies on. 
Combined with NIST&#8217;s agent identity concept paper and OWASP&#8217;s Agentic Top 10, the standards landscape is finally starting to match the pace of deployment.</p><h3><a href="https://www.forbes.com/sites/thomasbrewster/2026/03/17/ai-beat-most-humans-in-elite-hacking-competitions/">Forbes: AI Beats Most Humans in Elite Hacking Competitions</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!tPa5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1a7c1b6d-f1ee-41c7-8b96-1341b1c039a6_741x283.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!tPa5!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1a7c1b6d-f1ee-41c7-8b96-1341b1c039a6_741x283.png 424w, https://substackcdn.com/image/fetch/$s_!tPa5!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1a7c1b6d-f1ee-41c7-8b96-1341b1c039a6_741x283.png 848w, https://substackcdn.com/image/fetch/$s_!tPa5!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1a7c1b6d-f1ee-41c7-8b96-1341b1c039a6_741x283.png 1272w, https://substackcdn.com/image/fetch/$s_!tPa5!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1a7c1b6d-f1ee-41c7-8b96-1341b1c039a6_741x283.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!tPa5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1a7c1b6d-f1ee-41c7-8b96-1341b1c039a6_741x283.png" width="597" height="228.00404858299595" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1a7c1b6d-f1ee-41c7-8b96-1341b1c039a6_741x283.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:283,&quot;width&quot;:741,&quot;resizeWidth&quot;:597,&quot;bytes&quot;:44380,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1a7c1b6d-f1ee-41c7-8b96-1341b1c039a6_741x283.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!tPa5!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1a7c1b6d-f1ee-41c7-8b96-1341b1c039a6_741x283.png 424w, https://substackcdn.com/image/fetch/$s_!tPa5!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1a7c1b6d-f1ee-41c7-8b96-1341b1c039a6_741x283.png 848w, https://substackcdn.com/image/fetch/$s_!tPa5!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1a7c1b6d-f1ee-41c7-8b96-1341b1c039a6_741x283.png 1272w, https://substackcdn.com/image/fetch/$s_!tPa5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1a7c1b6d-f1ee-41c7-8b96-1341b1c039a6_741x283.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>In the Cyber Apocalypse CTF with over 18,000 participants, AI agents landed in the top 10%, outperforming 90% of human entries. 
In the NeuroGrid competition, AI-augmented teams completed challenges at a 73% rate compared to 46% for human-only participants. At the elite tier, AI teams completed challenges several times faster than their human counterparts.</p><p>This is the offensive capability data that gives weight to Kevin Mandia&#8217;s $190 million bet on autonomous AI defense (issue #88) and Anthropic&#8217;s own warning that the gap between vulnerability discovery and exploitation is closing. When AI agents can outperform 90% of human hackers in a competition, the assumption that sophisticated attacks require sophisticated human operators is no longer valid.</p><h3><a href="https://www.csoonline.com/article/4145127/runtime-the-new-frontier-of-ai-agent-security.html">CSO Online: Runtime, the New Frontier of AI Agent Security</a></h3><p>This piece frames runtime security as the critical layer for agentic systems. Static analysis catches issues before deployment, but agents make decisions and take actions at runtime that no static analysis can predict. </p><p>The argument aligns with what I&#8217;ve been saying: you cannot secure agents solely through pre-deployment scanning. 
You need continuous monitoring, dynamic authorization, and runtime policy enforcement, exactly the kind of architecture that Cedar-based approaches (covered in issues #84, #87, #88, and #89) are designed to provide, coupled with runtime detection and response, intent-analysis and other topics I&#8217;ve been discussing.</p><h3><a href="https://blogs.cisco.com/ai/your-models-memory-has-been-compromised-adversarial-hubness-in-rag-systems">Cisco: Adversarial Hubness in RAG Systems</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!DYoc!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5598e311-8522-4f48-83e3-4045b2442a70_1309x283.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!DYoc!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5598e311-8522-4f48-83e3-4045b2442a70_1309x283.png 424w, https://substackcdn.com/image/fetch/$s_!DYoc!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5598e311-8522-4f48-83e3-4045b2442a70_1309x283.png 848w, https://substackcdn.com/image/fetch/$s_!DYoc!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5598e311-8522-4f48-83e3-4045b2442a70_1309x283.png 1272w, https://substackcdn.com/image/fetch/$s_!DYoc!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5598e311-8522-4f48-83e3-4045b2442a70_1309x283.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!DYoc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5598e311-8522-4f48-83e3-4045b2442a70_1309x283.png" width="1309" height="283" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5598e311-8522-4f48-83e3-4045b2442a70_1309x283.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:283,&quot;width&quot;:1309,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:230595,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5598e311-8522-4f48-83e3-4045b2442a70_1309x283.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!DYoc!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5598e311-8522-4f48-83e3-4045b2442a70_1309x283.png 424w, https://substackcdn.com/image/fetch/$s_!DYoc!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5598e311-8522-4f48-83e3-4045b2442a70_1309x283.png 848w, https://substackcdn.com/image/fetch/$s_!DYoc!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5598e311-8522-4f48-83e3-4045b2442a70_1309x283.png 1272w, https://substackcdn.com/image/fetch/$s_!DYoc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5598e311-8522-4f48-83e3-4045b2442a70_1309x283.png 1456w" 
sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Cisco&#8217;s AI security research team continued their work on adversarial attacks against RAG systems, building on the memory poisoning research we&#8217;ve been tracking since issue #85. The concept of &#8220;adversarial hubness,&#8221; where injected documents become disproportionately influential in retrieval, represents a maturing attack technique against one of the most common AI agent architectures.</p><h3><a href="https://www.linkedin.com/pulse/data-security-industry-has-context-problem-caleb-sima-1jotc">Caleb Sima: The Data Security Industry Has a Context Problem</a></h3><p>Caleb Sima&#8217;s analysis of the data security industry&#8217;s context problem resonates with a theme I&#8217;ve been emphasizing: security tools that generate findings without helping teams understand which ones matter are part of the problem, not the solution. In the agentic era, context becomes even more critical because agents are making autonomous decisions about data access, tool invocation, and action execution. 
Without context, you cannot distinguish between authorized and unauthorized agent behavior.</p><h3><a href="https://www.linkedin.com/posts/ai-security-institute_can-ai-agents-conduct-advanced-cyber-attacks-activity-7439326357869756416-tHXR">UK AI Security Institute Research</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Fg9W!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F955fcd25-ada2-4b36-9bb2-9bc50f8c775e_911x509.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Fg9W!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F955fcd25-ada2-4b36-9bb2-9bc50f8c775e_911x509.png 424w, https://substackcdn.com/image/fetch/$s_!Fg9W!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F955fcd25-ada2-4b36-9bb2-9bc50f8c775e_911x509.png 848w, https://substackcdn.com/image/fetch/$s_!Fg9W!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F955fcd25-ada2-4b36-9bb2-9bc50f8c775e_911x509.png 1272w, https://substackcdn.com/image/fetch/$s_!Fg9W!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F955fcd25-ada2-4b36-9bb2-9bc50f8c775e_911x509.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Fg9W!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F955fcd25-ada2-4b36-9bb2-9bc50f8c775e_911x509.png" width="911" height="509" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/955fcd25-ada2-4b36-9bb2-9bc50f8c775e_911x509.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:509,&quot;width&quot;:911,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:113211,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F955fcd25-ada2-4b36-9bb2-9bc50f8c775e_911x509.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Fg9W!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F955fcd25-ada2-4b36-9bb2-9bc50f8c775e_911x509.png 424w, https://substackcdn.com/image/fetch/$s_!Fg9W!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F955fcd25-ada2-4b36-9bb2-9bc50f8c775e_911x509.png 848w, https://substackcdn.com/image/fetch/$s_!Fg9W!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F955fcd25-ada2-4b36-9bb2-9bc50f8c775e_911x509.png 1272w, https://substackcdn.com/image/fetch/$s_!Fg9W!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F955fcd25-ada2-4b36-9bb2-9bc50f8c775e_911x509.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The UK AISI continued their research into AI agent offensive capabilities, contributing to the growing evidence base we&#8217;ve been tracking. 
Combined with the CTF competition results and Anthropic&#8217;s Firefox audit, the trajectory is clear: AI agents are already capable security tools, and their capabilities are improving faster than governance frameworks can adapt.</p><h3><a href="https://arxiv.org/pdf/2603.11214">arXiv: New Research on AI Agent Security</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!HzLS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff49864a-e9dc-4656-bb2a-982b48405e5b_476x499.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!HzLS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff49864a-e9dc-4656-bb2a-982b48405e5b_476x499.png 424w, https://substackcdn.com/image/fetch/$s_!HzLS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff49864a-e9dc-4656-bb2a-982b48405e5b_476x499.png 848w, https://substackcdn.com/image/fetch/$s_!HzLS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff49864a-e9dc-4656-bb2a-982b48405e5b_476x499.png 1272w, https://substackcdn.com/image/fetch/$s_!HzLS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff49864a-e9dc-4656-bb2a-982b48405e5b_476x499.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!HzLS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff49864a-e9dc-4656-bb2a-982b48405e5b_476x499.png" width="418" height="438.19747899159665" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ff49864a-e9dc-4656-bb2a-982b48405e5b_476x499.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:499,&quot;width&quot;:476,&quot;resizeWidth&quot;:418,&quot;bytes&quot;:73004,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff49864a-e9dc-4656-bb2a-982b48405e5b_476x499.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!HzLS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff49864a-e9dc-4656-bb2a-982b48405e5b_476x499.png 424w, https://substackcdn.com/image/fetch/$s_!HzLS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff49864a-e9dc-4656-bb2a-982b48405e5b_476x499.png 848w, https://substackcdn.com/image/fetch/$s_!HzLS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff49864a-e9dc-4656-bb2a-982b48405e5b_476x499.png 1272w, https://substackcdn.com/image/fetch/$s_!HzLS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff49864a-e9dc-4656-bb2a-982b48405e5b_476x499.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>New academic research continues to advance our understanding of AI agent security threats and defenses. 
The research community&#8217;s output on agentic security has been remarkable, and these papers provide the theoretical foundation for the practical tools and frameworks the industry is building.</p><div><hr></div><h1>AppSec</h1><h3><a href="https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/">Google M-Trends 2026: Access Handoff in 22 Seconds</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!FxiD!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb87834a3-9438-4071-b3ec-d60e94c55e81_886x139.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!FxiD!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb87834a3-9438-4071-b3ec-d60e94c55e81_886x139.png 424w, https://substackcdn.com/image/fetch/$s_!FxiD!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb87834a3-9438-4071-b3ec-d60e94c55e81_886x139.png 848w, https://substackcdn.com/image/fetch/$s_!FxiD!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb87834a3-9438-4071-b3ec-d60e94c55e81_886x139.png 1272w, https://substackcdn.com/image/fetch/$s_!FxiD!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb87834a3-9438-4071-b3ec-d60e94c55e81_886x139.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!FxiD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb87834a3-9438-4071-b3ec-d60e94c55e81_886x139.png" width="886" height="139" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b87834a3-9438-4071-b3ec-d60e94c55e81_886x139.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:139,&quot;width&quot;:886,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:35790,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb87834a3-9438-4071-b3ec-d60e94c55e81_886x139.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!FxiD!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb87834a3-9438-4071-b3ec-d60e94c55e81_886x139.png 424w, https://substackcdn.com/image/fetch/$s_!FxiD!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb87834a3-9438-4071-b3ec-d60e94c55e81_886x139.png 848w, https://substackcdn.com/image/fetch/$s_!FxiD!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb87834a3-9438-4071-b3ec-d60e94c55e81_886x139.png 1272w, https://substackcdn.com/image/fetch/$s_!FxiD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb87834a3-9438-4071-b3ec-d60e94c55e81_886x139.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!Nmu5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75921ba0-75a3-422f-89da-d39800c595e6_1017x604.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Nmu5!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75921ba0-75a3-422f-89da-d39800c595e6_1017x604.png 424w, https://substackcdn.com/image/fetch/$s_!Nmu5!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75921ba0-75a3-422f-89da-d39800c595e6_1017x604.png 848w, https://substackcdn.com/image/fetch/$s_!Nmu5!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75921ba0-75a3-422f-89da-d39800c595e6_1017x604.png 1272w, https://substackcdn.com/image/fetch/$s_!Nmu5!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75921ba0-75a3-422f-89da-d39800c595e6_1017x604.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Nmu5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75921ba0-75a3-422f-89da-d39800c595e6_1017x604.png" width="650" height="386.0373647984267" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/75921ba0-75a3-422f-89da-d39800c595e6_1017x604.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:604,&quot;width&quot;:1017,&quot;resizeWidth&quot;:650,&quot;bytes&quot;:345318,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75921ba0-75a3-422f-89da-d39800c595e6_1017x604.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!Nmu5!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75921ba0-75a3-422f-89da-d39800c595e6_1017x604.png 424w, https://substackcdn.com/image/fetch/$s_!Nmu5!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75921ba0-75a3-422f-89da-d39800c595e6_1017x604.png 848w, https://substackcdn.com/image/fetch/$s_!Nmu5!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75921ba0-75a3-422f-89da-d39800c595e6_1017x604.png 1272w, https://substackcdn.com/image/fetch/$s_!Nmu5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75921ba0-75a3-422f-89da-d39800c595e6_1017x604.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Google Mandiant&#8217;s annual report, based on over 500,000 hours of frontline investigations, showed that the time between initial access and handoff to secondary threat groups has collapsed from 8 hours in 2022 to 22 seconds in 2025. Let that sink in. Attackers are automating access brokerage to the point where it is essentially instantaneous.</p><p>Among other notable findings, global median dwell time rose to 14 days from 11, reflecting more sophisticated persistence. Voice phishing climbed to 11% of initial infections (second only to exploits at 32%), while email phishing dropped to 6%. Mandiant observed &#8220;recovery denial&#8221; ransomware tactics targeting backup infrastructure, identity services, and virtualization management planes. 
The mean time to exploit vulnerabilities dropped to an estimated negative seven days, meaning exploitation routinely occurs before patches exist.</p><p>The malware landscape expanded with 714 new families identified (up from 632), and SaaS/cloud compromise via long-lived OAuth tokens and session cookies was a persistent theme. Mandiant&#8217;s recommendation is to treat routine malware alerts as high-priority indicators of imminent secondary intrusion. When handoff happens in 22 seconds, your triage window has effectively disappeared.</p><h3><a href="https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign">TeamPCP Compromises Trivy and Backdoors LiteLLM: The Week Supply Chain Security Broke</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!55ET!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F536f670b-19ba-4ce6-8f4a-5feb28a419ec_604x321.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!55ET!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F536f670b-19ba-4ce6-8f4a-5feb28a419ec_604x321.png 424w, https://substackcdn.com/image/fetch/$s_!55ET!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F536f670b-19ba-4ce6-8f4a-5feb28a419ec_604x321.png 848w, https://substackcdn.com/image/fetch/$s_!55ET!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F536f670b-19ba-4ce6-8f4a-5feb28a419ec_604x321.png 1272w, 
https://substackcdn.com/image/fetch/$s_!55ET!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F536f670b-19ba-4ce6-8f4a-5feb28a419ec_604x321.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!55ET!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F536f670b-19ba-4ce6-8f4a-5feb28a419ec_604x321.png" width="478" height="254.03642384105962" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/536f670b-19ba-4ce6-8f4a-5feb28a419ec_604x321.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:321,&quot;width&quot;:604,&quot;resizeWidth&quot;:478,&quot;bytes&quot;:168852,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F536f670b-19ba-4ce6-8f4a-5feb28a419ec_604x321.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!55ET!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F536f670b-19ba-4ce6-8f4a-5feb28a419ec_604x321.png 424w, https://substackcdn.com/image/fetch/$s_!55ET!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F536f670b-19ba-4ce6-8f4a-5feb28a419ec_604x321.png 848w, 
https://substackcdn.com/image/fetch/$s_!55ET!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F536f670b-19ba-4ce6-8f4a-5feb28a419ec_604x321.png 1272w, https://substackcdn.com/image/fetch/$s_!55ET!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F536f670b-19ba-4ce6-8f4a-5feb28a419ec_604x321.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>This is the biggest story of the week. TeamPCP, the same threat actor across various incidents, escalated from exploiting GitHub Actions 
to a full-spectrum supply chain attack that represents one of the most sophisticated campaigns the open-source ecosystem has ever seen.</p><p>The timeline is worth understanding in full. On March 19, TeamPCP used those retained credentials to simultaneously compromise Trivy&#8217;s core binary, the trivy-action GitHub Action, and the setup-trivy GitHub Action. They hijacked 76 of 77 tags in trivy-action, meaning every CI/CD pipeline referencing those actions by tag began running the attacker&#8217;s code. The malicious Trivy binary (v0.69.4) was published to GitHub Releases and Docker Hub.</p><p>Then came the defacement. TeamPCP renamed all 44 repositories in Aqua&#8217;s &#8220;aquasec-com&#8221; GitHub organization with &#8220;tpcp-docs-&#8221; prefixes in a scripted two-minute burst. All descriptions were changed to &#8220;TeamPCP Owns Aqua Security.&#8221;</p><p>But the real escalation came on March 24 when TeamPCP used the PyPI publish token stolen from Trivy&#8217;s CI/CD pipeline to backdoor LiteLLM, the Python library with 40,000+ GitHub stars that serves as a unified interface for interacting with LLMs. Versions 1.82.7 and 1.82.8 contained a multi-stage credential stealer targeting environment variables, API keys, SSH keys, cloud credentials, Kubernetes configs, and cryptocurrency wallets. The .pth file technique in version 1.82.8 fires on every Python interpreter startup with no import required.</p><p>The discovery is itself a story about the agentic era. Callum McMahon at FutureSearch found the attack because his Cursor IDE pulled in the malicious package through an MCP plugin. An AI coding tool became the vector for a supply chain attack against AI infrastructure.</p><p>As of this writing, the entire LiteLLM package has been quarantined on PyPI. Organizations that installed versions 1.82.7 or 1.82.8 should assume full credential compromise. 
This is exactly the kind of cascading supply chain failure Tony Turner and I warned about in <em>Software Transparency</em>: a single compromised credential propagating through interconnected ecosystems, from a security scanner to a package registry to an AI infrastructure library.</p><h3><a href="https://socket.dev/blog/trivy-docker-images-compromised">Socket: Trivy Docker Images Compromised</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!no26!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F61c396a6-3e5b-427a-b58e-eaa5128c6276_714x226.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!no26!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F61c396a6-3e5b-427a-b58e-eaa5128c6276_714x226.png 424w, https://substackcdn.com/image/fetch/$s_!no26!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F61c396a6-3e5b-427a-b58e-eaa5128c6276_714x226.png 848w, https://substackcdn.com/image/fetch/$s_!no26!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F61c396a6-3e5b-427a-b58e-eaa5128c6276_714x226.png 1272w, https://substackcdn.com/image/fetch/$s_!no26!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F61c396a6-3e5b-427a-b58e-eaa5128c6276_714x226.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!no26!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F61c396a6-3e5b-427a-b58e-eaa5128c6276_714x226.png" width="714" height="226" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/61c396a6-3e5b-427a-b58e-eaa5128c6276_714x226.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:226,&quot;width&quot;:714,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:49345,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F61c396a6-3e5b-427a-b58e-eaa5128c6276_714x226.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!no26!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F61c396a6-3e5b-427a-b58e-eaa5128c6276_714x226.png 424w, https://substackcdn.com/image/fetch/$s_!no26!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F61c396a6-3e5b-427a-b58e-eaa5128c6276_714x226.png 848w, https://substackcdn.com/image/fetch/$s_!no26!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F61c396a6-3e5b-427a-b58e-eaa5128c6276_714x226.png 1272w, https://substackcdn.com/image/fetch/$s_!no26!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F61c396a6-3e5b-427a-b58e-eaa5128c6276_714x226.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Socket&#8217;s analysis provided additional detail on the Docker Hub dimension of the Trivy compromise. 
Between March 19 and March 23, anyone who pulled Trivy images with the 0.69.4, 0.69.5, 0.69.6, or latest tags may have had their CI/CD secrets, cloud credentials, SSH keys, and Docker configurations compromised. Images 0.69.5 and 0.69.6 were pushed without corresponding GitHub releases, a red flag that automated detection should have caught.</p><h3><a href="https://pulse.latio.tech/p/how-to-know-if-the-trivy-supply-chain">Latio: How to Know If the Trivy Supply Chain Attack Affected You</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ycFC!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8d72f4d-bf75-4e75-bb3b-9998dcb4cc0e_1541x527.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ycFC!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8d72f4d-bf75-4e75-bb3b-9998dcb4cc0e_1541x527.png 424w, https://substackcdn.com/image/fetch/$s_!ycFC!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8d72f4d-bf75-4e75-bb3b-9998dcb4cc0e_1541x527.png 848w, https://substackcdn.com/image/fetch/$s_!ycFC!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8d72f4d-bf75-4e75-bb3b-9998dcb4cc0e_1541x527.png 1272w, https://substackcdn.com/image/fetch/$s_!ycFC!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8d72f4d-bf75-4e75-bb3b-9998dcb4cc0e_1541x527.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!ycFC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8d72f4d-bf75-4e75-bb3b-9998dcb4cc0e_1541x527.png" width="1456" height="498" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e8d72f4d-bf75-4e75-bb3b-9998dcb4cc0e_1541x527.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:498,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:400227,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8d72f4d-bf75-4e75-bb3b-9998dcb4cc0e_1541x527.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!ycFC!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8d72f4d-bf75-4e75-bb3b-9998dcb4cc0e_1541x527.png 424w, https://substackcdn.com/image/fetch/$s_!ycFC!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8d72f4d-bf75-4e75-bb3b-9998dcb4cc0e_1541x527.png 848w, https://substackcdn.com/image/fetch/$s_!ycFC!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8d72f4d-bf75-4e75-bb3b-9998dcb4cc0e_1541x527.png 1272w, 
https://substackcdn.com/image/fetch/$s_!ycFC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8d72f4d-bf75-4e75-bb3b-9998dcb4cc0e_1541x527.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p><span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;James 
Berthoty&quot;,&quot;id&quot;:215222117,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F029c069a-0ea1-4c28-bedb-742a03fa770a_800x800.jpeg&quot;,&quot;uuid&quot;:&quot;797a3d05-0495-411a-94b4-865108339f0e&quot;}" data-component-name="MentionToDOM">James Berthoty</span> published practical guidance for organizations trying to determine their exposure. For security teams in triage mode, this is actionable: check your CI/CD logs, audit your GitHub Actions references, and verify that you are pinning to SHA hashes rather than mutable tags. If you ran a compromised Trivy image with the Docker socket mounted, treat the entire host as compromised.</p><h3><a href="https://blog.pluto.security/p/analyzing-the-supply-chain-attack">Pluto Security: Analyzing the Supply Chain Attack</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Ffrc!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff102512c-1899-4cfc-bd22-24e1a405e087_1044x571.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Ffrc!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff102512c-1899-4cfc-bd22-24e1a405e087_1044x571.png 424w, https://substackcdn.com/image/fetch/$s_!Ffrc!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff102512c-1899-4cfc-bd22-24e1a405e087_1044x571.png 848w, 
https://substackcdn.com/image/fetch/$s_!Ffrc!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff102512c-1899-4cfc-bd22-24e1a405e087_1044x571.png 1272w, https://substackcdn.com/image/fetch/$s_!Ffrc!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff102512c-1899-4cfc-bd22-24e1a405e087_1044x571.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Ffrc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff102512c-1899-4cfc-bd22-24e1a405e087_1044x571.png" width="539" height="294.7978927203065" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f102512c-1899-4cfc-bd22-24e1a405e087_1044x571.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:571,&quot;width&quot;:1044,&quot;resizeWidth&quot;:539,&quot;bytes&quot;:1087397,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff102512c-1899-4cfc-bd22-24e1a405e087_1044x571.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!Ffrc!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff102512c-1899-4cfc-bd22-24e1a405e087_1044x571.png 424w, 
https://substackcdn.com/image/fetch/$s_!Ffrc!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff102512c-1899-4cfc-bd22-24e1a405e087_1044x571.png 848w, https://substackcdn.com/image/fetch/$s_!Ffrc!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff102512c-1899-4cfc-bd22-24e1a405e087_1044x571.png 1272w, https://substackcdn.com/image/fetch/$s_!Ffrc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff102512c-1899-4cfc-bd22-24e1a405e087_1044x571.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Pluto Security&#8217;s technical analysis added depth to the understanding of how TeamPCP operated. The forensic breakdown of the attack chain from initial credential theft through lateral movement to downstream compromise is a valuable reference for incident responders and security architects.</p><h3><a href="https://www.endorlabs.com/learn/teampcp-isnt-done">Endor Labs: TeamPCP Isn&#8217;t Done</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!lZJp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27b7eefc-7558-43d3-ac75-76bb94763d4f_713x323.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!lZJp!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27b7eefc-7558-43d3-ac75-76bb94763d4f_713x323.png 424w, https://substackcdn.com/image/fetch/$s_!lZJp!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27b7eefc-7558-43d3-ac75-76bb94763d4f_713x323.png 848w, https://substackcdn.com/image/fetch/$s_!lZJp!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27b7eefc-7558-43d3-ac75-76bb94763d4f_713x323.png 1272w, https://substackcdn.com/image/fetch/$s_!lZJp!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27b7eefc-7558-43d3-ac75-76bb94763d4f_713x323.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!lZJp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27b7eefc-7558-43d3-ac75-76bb94763d4f_713x323.png" width="549" height="248.7054698457223" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/27b7eefc-7558-43d3-ac75-76bb94763d4f_713x323.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:323,&quot;width&quot;:713,&quot;resizeWidth&quot;:549,&quot;bytes&quot;:193117,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27b7eefc-7558-43d3-ac75-76bb94763d4f_713x323.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!lZJp!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27b7eefc-7558-43d3-ac75-76bb94763d4f_713x323.png 424w, https://substackcdn.com/image/fetch/$s_!lZJp!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27b7eefc-7558-43d3-ac75-76bb94763d4f_713x323.png 848w, https://substackcdn.com/image/fetch/$s_!lZJp!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27b7eefc-7558-43d3-ac75-76bb94763d4f_713x323.png 1272w, 
https://substackcdn.com/image/fetch/$s_!lZJp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27b7eefc-7558-43d3-ac75-76bb94763d4f_713x323.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Endor Labs warned that TeamPCP&#8217;s campaign is expanding, not contracting. After Trivy and LiteLLM, the threat actor has been observed moving into additional ecosystems. 
Combined with the PhantomRaven campaign I covered in issue #89 (88 malicious npm packages), the supply chain threat landscape for AI infrastructure is at an unprecedented level of activity.</p><h3><a href="https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/">FutureSearch: LiteLLM PyPI Supply Chain Attack Analysis</a></h3><p>FutureSearch&#8217;s Callum McMahon, who discovered the LiteLLM compromise, published a detailed account of how the attack was found and what the payload does. The three-layer architecture of the malware, with separate modules for launching, reconnaissance/credential harvesting, and persistence/remote control, demonstrates a level of sophistication that should concern every organization using open-source AI tooling.</p><h3><a href="https://www.linkedin.com/pulse/software-security-market-broken-right-now-heres-what-ken-johnson-risdf">The Software Security Market Is Broken Right Now</a></h3><p>Ken Johnson&#8217;s analysis of the software security market cuts to the heart of a transition I&#8217;ve been watching closely. Traditional AppSec tools were designed for a world where humans write code at human speed. When AI agents produce 87% of PRs with at least one vulnerability (DryRun&#8217;s data from issue #89), the scanning, triaging, and remediation workflows built for human-paced development simply cannot keep up. 
Johnson argues the market needs to be rebuilt around AI-native workflows, and I agree.</p><h3><a href="https://openai.com/index/why-codex-security-doesnt-include-sast/">OpenAI: Why Codex Security Doesn&#8217;t Include SAST</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!cGTL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe77b74b8-12a6-4bda-8cbe-ca3a976516b8_846x157.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!cGTL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe77b74b8-12a6-4bda-8cbe-ca3a976516b8_846x157.png 424w, https://substackcdn.com/image/fetch/$s_!cGTL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe77b74b8-12a6-4bda-8cbe-ca3a976516b8_846x157.png 848w, https://substackcdn.com/image/fetch/$s_!cGTL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe77b74b8-12a6-4bda-8cbe-ca3a976516b8_846x157.png 1272w, https://substackcdn.com/image/fetch/$s_!cGTL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe77b74b8-12a6-4bda-8cbe-ca3a976516b8_846x157.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!cGTL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe77b74b8-12a6-4bda-8cbe-ca3a976516b8_846x157.png" width="639" height="118.58510638297872" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e77b74b8-12a6-4bda-8cbe-ca3a976516b8_846x157.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:157,&quot;width&quot;:846,&quot;resizeWidth&quot;:639,&quot;bytes&quot;:27521,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe77b74b8-12a6-4bda-8cbe-ca3a976516b8_846x157.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!cGTL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe77b74b8-12a6-4bda-8cbe-ca3a976516b8_846x157.png 424w, https://substackcdn.com/image/fetch/$s_!cGTL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe77b74b8-12a6-4bda-8cbe-ca3a976516b8_846x157.png 848w, https://substackcdn.com/image/fetch/$s_!cGTL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe77b74b8-12a6-4bda-8cbe-ca3a976516b8_846x157.png 1272w, https://substackcdn.com/image/fetch/$s_!cGTL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe77b74b8-12a6-4bda-8cbe-ca3a976516b8_846x157.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>OpenAI&#8217;s explanation of why they chose reasoning-based analysis over traditional SAST for Codex Security continues to generate industry discussion. 
The argument that pattern matching produces high false-positive rates while missing contextual understanding of real-world impact aligns with the broader shift toward AI-native security tooling. As I covered in issues #88 and #89, both OpenAI and Anthropic have concluded that reasoning about code produces better outcomes than signature matching.</p><h3><a href="https://open.substack.com/pub/boringappsec/p/edition-33-the-role-of-appsec-engineers">Boring AppSec: The Role of AppSec Engineers</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!85m2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbe97a73-0d58-4cfd-baf4-3d66b696b81f_716x395.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!85m2!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbe97a73-0d58-4cfd-baf4-3d66b696b81f_716x395.png 424w, https://substackcdn.com/image/fetch/$s_!85m2!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbe97a73-0d58-4cfd-baf4-3d66b696b81f_716x395.png 848w, https://substackcdn.com/image/fetch/$s_!85m2!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbe97a73-0d58-4cfd-baf4-3d66b696b81f_716x395.png 1272w, https://substackcdn.com/image/fetch/$s_!85m2!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbe97a73-0d58-4cfd-baf4-3d66b696b81f_716x395.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!85m2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbe97a73-0d58-4cfd-baf4-3d66b696b81f_716x395.png" width="584" height="322.1787709497207" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/dbe97a73-0d58-4cfd-baf4-3d66b696b81f_716x395.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:395,&quot;width&quot;:716,&quot;resizeWidth&quot;:584,&quot;bytes&quot;:304524,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbe97a73-0d58-4cfd-baf4-3d66b696b81f_716x395.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!85m2!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbe97a73-0d58-4cfd-baf4-3d66b696b81f_716x395.png 424w, https://substackcdn.com/image/fetch/$s_!85m2!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbe97a73-0d58-4cfd-baf4-3d66b696b81f_716x395.png 848w, https://substackcdn.com/image/fetch/$s_!85m2!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbe97a73-0d58-4cfd-baf4-3d66b696b81f_716x395.png 1272w, https://substackcdn.com/image/fetch/$s_!85m2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdbe97a73-0d58-4cfd-baf4-3d66b696b81f_716x395.png 1456w" 
sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>This piece examines how the role of AppSec engineers is evolving as AI reshapes software development. The shift from &#8220;find and report vulnerabilities&#8221; to &#8220;architect secure AI-native development workflows&#8221; is underway, and practitioners who adapt will be more valuable than ever. 
This is consistent with the Trail of Bits model I covered in issue #88: AI does not replace security professionals; it amplifies their capability.</p><h3><a href="https://www.vulncheck.com/blog/n8n-needs-more-kev">VulnCheck: n8n Needs More KEV</a></h3><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!_UuH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3aca2c3d-cf5a-4288-afb5-4dc588cb1483_750x204.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!_UuH!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3aca2c3d-cf5a-4288-afb5-4dc588cb1483_750x204.png 424w, https://substackcdn.com/image/fetch/$s_!_UuH!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3aca2c3d-cf5a-4288-afb5-4dc588cb1483_750x204.png 848w, https://substackcdn.com/image/fetch/$s_!_UuH!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3aca2c3d-cf5a-4288-afb5-4dc588cb1483_750x204.png 1272w, https://substackcdn.com/image/fetch/$s_!_UuH!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3aca2c3d-cf5a-4288-afb5-4dc588cb1483_750x204.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!_UuH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3aca2c3d-cf5a-4288-afb5-4dc588cb1483_750x204.png" width="750" height="204" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3aca2c3d-cf5a-4288-afb5-4dc588cb1483_750x204.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:204,&quot;width&quot;:750,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:27484,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3aca2c3d-cf5a-4288-afb5-4dc588cb1483_750x204.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!_UuH!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3aca2c3d-cf5a-4288-afb5-4dc588cb1483_750x204.png 424w, https://substackcdn.com/image/fetch/$s_!_UuH!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3aca2c3d-cf5a-4288-afb5-4dc588cb1483_750x204.png 848w, https://substackcdn.com/image/fetch/$s_!_UuH!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3aca2c3d-cf5a-4288-afb5-4dc588cb1483_750x204.png 1272w, https://substackcdn.com/image/fetch/$s_!_UuH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3aca2c3d-cf5a-4288-afb5-4dc588cb1483_750x204.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>VulnCheck&#8217;s analysis of n8n vulnerabilities and the CISA KEV catalog highlights the ongoing challenge of vulnerability prioritization. 
As I wrote in <em>Effective Vulnerability Management</em>, the CVE volume continues to accelerate (Jerry Gamblin&#8217;s data projects 55,000+ in 2026), and the gap between what is exploited in the wild and what appears in prioritization catalogs like KEV remains significant.</p><h3><a href="https://www.hklaw.com/en/insights/publications/2026/03/gsas-new-cui-security-requirements-what-government-contractors">GSA&#8217;s New CUI Security Requirements for Government Contractors</a></h3><p>Holland &amp; Knight published guidance on GSA&#8217;s new Controlled Unclassified Information security requirements. For government contractors navigating the evolving compliance landscape, this provides practical guidance on what is changing and how to prepare. As AI agents increasingly handle CUI in government workflows, the intersection of compliance requirements and agent governance will become more complex.</p><h3><a href="https://www.praetorian.com/blog/ai-driven-offensive-security/">Praetorian: AI-Driven Offensive Security</a></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!KpbZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79435415-dd32-4180-863a-4ef7996d720f_786x460.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!KpbZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79435415-dd32-4180-863a-4ef7996d720f_786x460.png 424w, https://substackcdn.com/image/fetch/$s_!KpbZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79435415-dd32-4180-863a-4ef7996d720f_786x460.png 848w, 
https://substackcdn.com/image/fetch/$s_!KpbZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79435415-dd32-4180-863a-4ef7996d720f_786x460.png 1272w, https://substackcdn.com/image/fetch/$s_!KpbZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79435415-dd32-4180-863a-4ef7996d720f_786x460.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!KpbZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79435415-dd32-4180-863a-4ef7996d720f_786x460.png" width="559" height="327.1501272264631" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/79435415-dd32-4180-863a-4ef7996d720f_786x460.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:460,&quot;width&quot;:786,&quot;resizeWidth&quot;:559,&quot;bytes&quot;:204307,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.resilientcyber.io/i/192137361?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79435415-dd32-4180-863a-4ef7996d720f_786x460.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!KpbZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79435415-dd32-4180-863a-4ef7996d720f_786x460.png 424w, 
https://substackcdn.com/image/fetch/$s_!KpbZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79435415-dd32-4180-863a-4ef7996d720f_786x460.png 848w, https://substackcdn.com/image/fetch/$s_!KpbZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79435415-dd32-4180-863a-4ef7996d720f_786x460.png 1272w, https://substackcdn.com/image/fetch/$s_!KpbZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79435415-dd32-4180-863a-4ef7996d720f_786x460.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Praetorian expanded on their CVE Researcher work that I covered in issue #87, demonstrating how AI agents can automate offensive security workflows. The productivity gains are real: research that consumed 4 to 8 hours completes in under 30 minutes. For defenders, this represents the kind of force multiplication that can help close the gap between attacker speed and defender response time.</p><h3><a href="https://blog.christianposta.com/aauth-full-demo/">Christian Posta: AAuth Full Demo</a></h3><p>Christian Posta&#8217;s full working demo of AAuth bridges the gap between the theoretical framework for agent identity (which I covered in issues #85 and #88) and practical implementation. For organizations trying to implement agent authentication and authorization, this demo provides a concrete starting point.</p><div><hr></div><h2>Final Thoughts</h2><p>The TeamPCP campaign that unfolded this week should be a watershed moment for the industry. A single threat actor compromised a widely used security scanner, pivoted through stolen CI/CD credentials to backdoor one of the most critical Python libraries in the AI ecosystem, and created a blast radius that extends to every organization that depends on LiteLLM or ran a compromised Trivy image. </p><p>The attack was discovered not by a SAST tool or a vulnerability scanner, but because a developer&#8217;s Cursor IDE pulled in the malicious package through an MCP plugin. An AI coding tool became both the vector and the detection mechanism.</p><p>This is the supply chain risk I have been writing about for years. In <em>Software Transparency</em>, Tony Turner and I argued that organizations need the ability to rapidly map their dependencies when a supplier event becomes operationally urgent. This week tested that thesis in the most direct way possible. 
How many organizations could answer, within hours, whether they had exposure to Trivy v0.69.4 or LiteLLM 1.82.7? Based on what I&#8217;ve seen, not nearly enough.</p><p>But there are also reasons for optimism. The CSA&#8217;s launch of CSAI and its mission to secure the Agentic Control Plane represents institutional recognition that agent security is not a niche concern but a foundational requirement. Corridor&#8217;s $25 million raise, backed by people from Anthropic, OpenAI, and Cursor, signals that the builders of AI coding tools recognize the security gap in their own ecosystem. OpenAI&#8217;s prompt injection defense framework, Cursor&#8217;s open-source security agents, and the Cedar policy language all represent real progress on the defensive side.</p><p>The M-Trends data showing 22-second access handoff and the CTF results showing AI outperforming 90% of human hackers both tell us the same thing: the speed of attack has outpaced the speed of human response. Automation is no longer optional. The organizations that will thrive in this environment are those that deploy AI defensively at the same pace adversaries deploy it offensively, while building the governance frameworks to ensure those defensive agents operate within appropriate boundaries.</p><p>Ninety issues in, and the pace has never been faster.</p><blockquote><p><strong>Stay resilient.</strong></p></blockquote>]]></content:encoded></item></channel></rss>