I say this not because it invented anything new, but because it finally codified what practitioner have been arguing for years.

Prioritize remediation based on risk, not generic severity scores. Prioritize based on exploitation, exposure, and impact, not arbitrary CVSS thresholds. Stop pretending every critical vulnerability demands the same urgency.

The directive is titled “Prioritizing Security Updates Based on Risk,” and the name tells you everything about the shift. For the first time, U.S. Federal agencies are required to use Stakeholder-Specific Vulnerability Categorization (SSVC) rather than CVSS base scores to drive remediation timelines. It revokes both BOD 19-02 and BOD 22-01, replacing flat-deadline patch mandates with a risk-tiered framework built on four factors that actually matter.

I’ve been writing about this exact approach for years, including in my book Effective Vulnerability Management, and across dozens of Resilient Cyber articles. Seeing it formalized in a binding directive is a significant milestone. But formalization and execution are different things, and the gap between what BOD 26-04 demands and what agencies can actually deliver today is what I want to dive into and walkthrough.

What BOD 26-04 Actually Requires

The directive applies to all Federal Civilian Executive Branch agencies and the systems they operate, including third-party hosted and cloud environments. CISA acting director Nick Andersen signed it, and CISA’s Chris Butera and Jonathan Spring co-authored the accompanying blog post under the tagline “Patch Smarter, Not Harder.”

The core mechanism is a four-factor risk assessment that determines remediation timelines. Every vulnerability gets evaluated against four criteria.

• Is the vulnerable asset publicly exposed?

• Is the vulnerability listed in the KEV catalog?

• Can exploitation be fully automated?

• Does exploitation give attackers partial or total control of the system?

(Image credit - VulnCheck’s Blog)

The answers to those four questions determine whether you patch in 3 days, 14 days, 60 days, or defer to the next system upgrade. The highest-risk vulnerabilities, those that are publicly exposed, in the KEV catalog, automatable, and deliver total control, must be remediated within 72 hours.

Those same vulnerabilities also require forensic triage before patching to determine whether the system has already been compromised. That forensic assessment requirement is entirely new and reflects a hard-won operational reality, and likely comes as a result of incidents some agencies have already experienced in the past.

Patching a system an attacker already controls doesn’t evict them.

At the other end of the spectrum, vulnerabilities that aren’t publicly exposed, aren’t in the KEV, can’t be automated, and only deliver partial impact can be deferred until the next scheduled system upgrade. CISA’s own analysis of one large federal agency found that only 1% of vulnerabilities fell into the 3-day window, while over 60% could be deferred.

That ratio alone tells you how much wasted effort the old approach generated. and it isn’t an outlier, as I have written about many times, true exploitation rates are a fraction of the overall CVE’s published in a given year.

Agencies must update vulnerability management policies immediately, achieve compliance with all remediation timelines within 180 days, and continuously identify and tag all agency-owned assets reachable from outside the network.

Asset tagging requirements include organization, operating environment, exposure status, asset type, and all associated IP addresses. Agencies without full CDM automation must submit vulnerability data to CISA every seven days in machine-readable format.

While I understand this requirement, this is also a very cumbersome activity, and based on my experience in the Federal space, by the time it gets ingested and reviewed, it is likely stale and warrants a new export anyways.

The Death of CVSS as Federal Policy

This directive formally kills CVSS as the driving prioritization mechanism for federal vulnerability management (beyond KEV’s) and that alone makes it historic.

For years, federal policy, PCI DSS, and countless enterprise vulnerability management programs treated CVSS base scores as the primary input for remediation timelines. Critical and high severity vulnerabilities got 7-to-30-day deadlines, Medium got 60-90 days, Low got deprioritized or ignored.

The problem is that CVSS measures theoretical severity in a vacuum, it doesn’t account for whether the vulnerability is actually exploited, whether the asset is exposed, or whether exploitation is automatable at scale.

This is a point I have made for years in various articles on here, CSO Online, my own book and in public talks.

As I covered in A Look at the Exploit Prediction Scoring System (EPSS), research from ACM demonstrated that:

Using CVSS severity alone to measure risk is equivalent to picking random vulnerabilities to fix.

Organizations can only remediate 5-20% of vulnerabilities per month, with a median around 15.5%. When you’re burning that limited remediation capacity on vulnerabilities that will never be exploited, you’re not managing risk, you’re performing compliance theater, another topic I have railed against.

BOD 26-04 replaces that theater with SSVC, the decision-tree model developed by CISA and Carnegie Mellon’s CERT/CC. I wrote about CISA’s own articulation of this framework back in 2022 in CISA’s Take on Vulnerability Prioritization, when Eric Goldstein published “Transforming the Vulnerability Management Landscape.”

That publication outlined three pillars for change. Machine-readable advisories through CSAF, exploitability communication through VEX, and prioritization through SSVC and KEV. BOD 26-04 operationalizes that third pillar, and what’s insane is that it took four years to get from concept to mandate.

The Data That Forced the Shift

The Verizon 2026 DBIR found that only 26% of KEV catalog vulnerabilities were fully remediated by organizations in 2025, down from 38% the prior year. Median time for full resolution rose to 43 days. These aren’t obscure vulnerabilities buried in legacy systems. These are confirmed actively exploited vulnerabilities that CISA explicitly told organizations to fix, and remediation rates are getting worse, not better.The 2026 DBIR also showed that exploitation of software vulnerabilities is now the dominant initial access vector.

The problem isn’t that organizations don’t care about patching. It’s that they’re drowning in volume and treating every vulnerability with the same urgency, which means nothing gets the urgency it actually deserves.

I covered this dynamic extensively in Vulnerability Velocity and the Exploitation Enigma, where Mandiant’s M-Trends data confirmed vulnerability exploitation as the number one initial infection vector and year-over-year CVE growth was running at 30%.

The fundamental math doesn’t work when you try to patch everything at the same speed.

The Vulnpocalypse Makes Prioritization Existential

BOD 26-04 arrives in the middle of what I’ve been calling the Vulnpocalypse, the structural asymmetry between AI-accelerated vulnerability discovery and organizations’ capacity to remediate.

FIRST projects approximately 59,000 CVEs in 2026, with realistic upside approaching 100,000. Jerry Gamblin’s tracking data shows 27,758 vulnerabilities published by June 1, 2026 alone, a 39% increase over the same period in 2025.

AI hasn’t just accelerated discovery, it has industrialized it. Anthropic’s Claude Mythos discovered over 10,000 high and critical vulnerabilities across open-source software, including 271 zero-days in Firefox and a 27-year-old bug in OpenBSD. Researchers can now develop working exploits in 15 minutes using AI for a few dollars.

The window between vulnerability disclosure and weaponization has compressed from months to hours, and the volume of what gets disclosed is growing at a rate that makes blanket remediation physically impossible. This is captured perfectly in the Zero Day Clock, which I have often shared.

CISA explicitly acknowledges this in the directive. The AI threat is cited as a motivating factor, reflecting priorities from the recent AI Executive Order. That EO established constructs like the Treasury/CISA vulnerability clearinghouse and NSA frontier model benchmarking that are supposed to create infrastructure for managing AI-accelerated vulnerability discovery.

None of those constructs are operational yet, which means BOD 26-04 is the only concrete federal policy response to the Vulnpocalypse currently in effect. If you’re unfamiliar with the AI Executive Order, I did a breakdown below:

When you’re facing 59,000-plus CVEs per year and fewer than 5% will ever be exploited, risk-based prioritization isn’t a best practice, it’s the only viable strategy. Research found that 95-98% of all AppSec alerts can be safely deprioritized when context-based prioritization is applied, and only 2% truly pose risk and require action. CISA’s own finding that 60% of vulnerabilities at a large agency can be deferred to the next upgrade cycle aligns perfectly with this data.

Beyond the Federal Perimeter

BOD 26-04 technically binds only federal civilian agencies, but its impact will extend well beyond the public sector. CISA explicitly encourages state and local governments, critical infrastructure operators, and private sector organizations to adopt the same approach, and the procurement pipeline ensures it will spread.

Wiley Rein’s legal analysis flagged that government contractors should expect these requirements to flow down through Statements of Work and future contracts. Cloud Service Providers should plan for adoption in anticipation of FedRAMP updates.

This matters because the private sector faces the same structural problem. Average enterprise vulnerability backlogs exceed 100,000 findings and often can be in the hundreds of thousands to millions in large enterprise environments.

Remediation capacity runs at 5-20% per month. As I documented in The Evolution of AppSec, the average application faces 81 confirmed viable attacks per month on top of 10,000-plus probes, gains 17 new vulnerabilities per month, and fixes roughly 6. That gap only widens under CVSS-driven remediation timelines that don’t distinguish between theoretical severity and actual risk.

The evolution of vulnerability management toward Continuous Threat Exposure Management (CTEM) has been underway for several years and BOD 26-04 gives that evolution a federal stamp of approval. The directive’s requirement for continuous asset discovery, exposure-based tagging, and threat-informed prioritization maps directly to the CTEM framework. Organizations that have already adopted EPSS, KEV integration, reachability analysis, and business-context scoring are ahead of this curve. Organizations still running monthly scans and sorting by CVSS are now behind federal policy, not just best practice.

The Infrastructure Gap

The directive’s biggest vulnerability is the infrastructure it depends on. CISA’s Vulnrichment program provides SSVC decisions for only 45.8% of CVEs.

That means agencies must manually assess automatability and technical impact for more than half of all vulnerabilities. VulnCheck’s Patrick Garrity highlighted this gap immediately, noting that VulnCheck provides 90% SSVC coverage through automated generation. The fact that a private vendor covers twice as many CVEs as the government program the directive relies on tells you something about the execution challenge.

The NVD’s ongoing struggles compound the problem. As I’ve covered repeatedly, the NVD moved roughly 29,000 backlogged CVEs to “Not Scheduled” status, effectively reclassifying the backlog rather than solving it. If agencies can’t get enriched vulnerability data from the national database, the prioritization methodology BOD 26-04 requires becomes significantly harder to operationalize.

Then there’s the EPSS question. Despite being one of the most validated tools for exploitation probability assessment, EPSS is not explicitly mandated in the directive. The four-factor SSVC model captures exploitation status (via KEV) and automatability, but it doesn’t incorporate the probabilistic forward-looking assessment that EPSS provides.

An organization using KEV plus EPSS plus reachability analysis plus business context is making better prioritization decisions than the directive’s minimum requirements would produce. That’s not a criticism of the directive so much as an observation that policy rarely leads practice.

Kevin Greene raised another gap. The SSVC model tells you how bad a single CVE’s blast radius is on its component, but it doesn’t account for whether that component sits on a path to a privilege plane. A CVE with a CVSS score of 10 that can’t reach the privilege plane is operationally ineffective. A CVE with a moderate score that chains into lateral movement and persistence can be devastating. The directive doesn’t address that downstream privilege debt.

In an era of AI-driven exploitation this is a key point, as research from the UK’s AISI has shown, frontier models are getting good at chaining vulnerabilities, moving laterally and not just isolating vulnerabilities in isolation either.

What This Actually Means

BOD 26-04 is the right policy at the right time, even if the execution infrastructure isn’t fully built yet. The 72-hour patch window for the highest-risk vulnerabilities is aggressive. Some have rightly said they remain skeptical that the three day deadline is an achievable patch cadence today, but it is a positive step, even if it is aspirational at best currently.

The directive’s real value isn’t the specific timelines, it’s the formal burial of CVSS-driven patch mandates and the institutionalization of risk-based prioritization as federal policy.

For practitioners who have been arguing for years that organizations should prioritize based on exploitation evidence, asset exposure, reachability, and business context rather than arbitrary severity scores, this directive validates the approach.

For vendors who have built products around KEV integration, EPSS scoring, reachability analysis, and exposure management, this creates a compliance driver that didn’t exist before. For CISOs trying to justify investment in modern vulnerability prioritization tooling, this is the policy backstop they needed.

Despite much of this being a positive direction and signal to the broader industry it remains to be seen whether the ecosystem, from NVD enrichment to SSVC coverage to agency operational maturity, can execute at the speed the directive demands.

When 98% of vulnerabilities are noise, the organizations that can identify and act on the remaining 2% fastest will define what effective vulnerability management looks like in the age of the Vulnpocalypse. BOD 26-04 just told the U.S> Federal government to start acting like it.

Subscribe now

If last week’s executive order set the policy table, this week the market and the models showed up to eat. CrowdStrike’s Q1 earnings told the story in a single line from George Kurtz, who called it “the Mythos moment,” and the numbers backed it up with $256 million in net new ARR.

Anthropic released Claude Fable 5, the first publicly available Mythos-class model, and if you think the vulnerability discovery wave was intense with Glasswing restricted to 200 partners, wait until every Pro subscriber has access. I wrote a full piece on what that means in The Vulnpocalypse Goes GA.

Meanwhile, NIST dropped a mathematical proof showing that no finite set of guardrails can block every adversarial prompt, which is exactly the kind of foundational research that should reshape how we think about AI security.

Trail of Bits demonstrated that every major skill scanner can be bypassed in under an hour, and the Miasma supply chain worm compromised 73 Microsoft GitHub repositories through a self-propagating npm attack.

The lesson from this week is that both the offensive and defensive capabilities are accelerating, and the organizations that treat security as a continuous process rather than a static checkpoint will be the ones that survive.

Let’s get into it.

Inside Jamf’s IT Ops automation strategy

500+ SaaS apps. Thousands of devices. A flood of help desk tickets. And a team of 30 people to manage all of it.

That’s the reality for Jamf’s IT team - but instead of drowning, they built their way out. On July 10th, join them live to learn exactly how they replaced manual, ticket-based IT work with intelligent workflows.

Join to hear:

• The early use cases that proved the value of intelligent workflows

• Where AI fits into their IT ops today - and where it’s going

• How they compressed a year-long device audit into a matter of weeks

• Plus, they’ll walk through a live demo of one of their most impactful workflows - Come ready to steal their playbook.

REGISTER HERE

*Sponsored

Cyber Leadership & Market Dynamics

CrowdStrike Q1: The “Mythos Moment” Arrives with $256M in Net New ARR

George Kurtz framed CrowdStrike’s Q1 as the quarter “the worlds of cybersecurity and frontier AI collided.” The numbers are hard to argue with. Net new ARR hit $256 million, up 32% year-over-year, with total ARR crossing $5.51 billion.

The AI Detection and Response pipeline surged 250% sequentially, crossing $50 million for Q2. What I find most telling is that CrowdStrike raised its full-year ARR growth guidance by 520 basis points and still cautioned that market expectations around AI security demand are running ahead of reality.

That tension between demonstrable demand acceleration and the CEO tempering enthusiasm tells you exactly where we are in the cycle.

IPO Mania: $350 Billion in New Equity on Deck

laid out what might be the largest IPO year in history. SpaceX at $75 billion, Anthropic approaching $100 billion, OpenAI planning a record debut, and roughly $350 billion in total new equity supply.

For cybersecurity, the signal is that the capital flowing into AI companies will create enormous downstream demand for security infrastructure. The flip side is that peak exuberance often leaves retail investors holding the bag, and Galloway is not shy about making that point.

New Cybersecurity Decacorn Emerges

Mike Privette flagged a new entry into the cybersecurity decacorn club, Cyera, continuing the pattern of massive private valuations before any of these companies test the public markets.

The timing is interesting given the IPO pipeline building up and the reality that SailPoint and Netskope both underperformed post-listing. Private markets continue to price cybersecurity at a premium that public markets have not validated yet. Whether the AI demand wave changes that equation is the question worth watching.

Trump Administration Considers Palantir CTO for CISA Director

Palantir CTO Shyam Sankar is reportedly the frontrunner for the still-vacant CISA director role, though the White House later disputed the accuracy of this reporting. Sankar has spent over 20 years at Palantir in senior technical and operational roles.

If confirmed, placing a Palantir executive at the helm of CISA would signal a clear tilt toward AI-driven national cyber defense and platformization, which would align with the executive order’s push for rapid AI adoption across federal agencies.

I actually interviewed Shyam over a year ago on the Resilient Cyber Show, diving into both the tech and national security topics:

GCHQ Unveils Plans for World-First National AI Cyber Defence System

GCHQ director Anne Keast-Butler used the agency’s first annual lecture at Bletchley Park to announce a national AI cyber shield. The system would deploy agentic AI to detect and respond to threats across critical infrastructure, airlines, telecoms, and major corporations, with an operational target of five years.

The UK is explicitly framing this as agentic AI for defense, not just analytics, and the ambition of real-time autonomous detection at national scale is something no country has attempted at this level before.

Politico: Frontier AI Becomes Central to the U.S.-China Cybersecurity Race

Congress opened a joint investigation into Chinese AI model proliferation. The hearings examined how the U.S. leads with proprietary frontier models while China releases open-weight models freely, and the concern is that Chinese state actors could use those models to exploit vulnerabilities in critical infrastructure.

The geopolitical dimension of AI-enabled cybersecurity is no longer theoretical. It is now a formal congressional investigation. Speaking of AI’s intersection with U.S. interests and the broader cyber landscape, Jack Cable of Corridor and others recent testified in a Homeland Security event titled “The AI Security Landscape: How AI is Reshaping Cybersecurity and Critical Infrastructure Resilience” and it was an excellent listen.

Lawmakers Propose Federal AI Framework That Would Preempt State Laws for Three Years

Representatives Obernolte and Trahan introduced draft legislation establishing a four-pillar federal AI governance framework that would override state AI regulations for three years. Advocacy groups immediately pushed back, arguing it sets a federal ceiling rather than a floor.

This is the legislative companion to the executive order I analyzed last week, and the pattern is consistent with the administration’s deregulatory posture toward AI development. If you missed my breakdown of the AI EO, you can find it below:

Jay McBain: An “Unprecedented Cycle” in Cybersecurity Channel Spending

, Omdia’s Chief Analyst for Channels and Partnerships, is forecasting record growth in managed security and AI services heading into 2027. With 99% of MSPs deeply engaged in cybersecurity and the industry worth $87 billion on the vendor side, his argument is that the AI wave creates a generational channel opportunity.

The demand acceleration CrowdStrike reported in Q1 is the enterprise side of that same story.

SoftBank’s Son: AI Superintelligence Within Two Years

Masayoshi Son told CNBC that OpenAI’s next model is being designed by another AI model, accelerating his superintelligence timeline to within two years. He predicts AI will surpass human intelligence in 70-80% of subjects within that window.

The cybersecurity implications are worth thinking through. If Son is even directionally correct, the offensive capability acceleration we are tracking with Mythos and GPT-5.5-Cyber is still in its early innings.

AI

Anthropic Releases Claude Fable 5 and Claude Mythos 5

This is the biggest AI story of the week, and it changes the threat landscape in ways most organizations are not ready for. Anthropic released Claude Fable 5 on June 9, the first publicly available Mythos-class model, accessible to Pro, Max, Team, and Enterprise users.

Fable 5 delivers state-of-the-art performance on nearly all benchmarks and its capabilities exceed anything Anthropic has ever made generally available. The safeguards are conservative. Queries in high-risk areas like cybersecurity, biology, and chemistry fall back to Claude Opus 4.8 responses, triggering in less than 5% of sessions.

Separately, Claude Mythos 5 launched for vetted cyberdefenders and infrastructure providers through Project Glasswing, with the safeguards partially lifted. The pricing signals intent at $10 per million input tokens and $50 per million output. What keeps me up at night is the gap between when frontier capability becomes broadly available and when organizations update their defenses to match. That gap just got a lot wider.

Security Experts Warn of “Son of Mythos” Threat

The concern is not just Mythos itself but what comes next. Security experts are warning that frontier AI models from Google and at least two Chinese labs are not far behind Mythos in cybersecurity capability, potentially compressing the disclosure-to-exploit window from months to hours.

Anthropic has expanded Glasswing to 200 partners, but that still leaves the vast majority of organizations without access to equivalent defensive tools. The asymmetry between offensive availability and defensive access is the structural problem nobody has solved yet.

Anthropic LLM ATT&CK Navigator: 832 Banned Accounts Mapped to MITRE Framework

Anthropic analyzed 832 accounts banned for cyber-related policy violations between March 2025 and March 2026, mapping 13,873 actions across 482 unique techniques and all 14 ATT&CK tactics. The most common technique family was T1587 (Develop Capabilities), used by 574 actors, with malware development alone accounting for 560.

The percentage of medium-to-high-risk AI-enabled actors jumped from 33% to 56% in under a year. Anthropic partnered with Verizon to include findings in the 2026 DBIR, and the report argues that traditional risk signals no longer work because ATT&CK lacks categories for autonomous agentic attacks.

NIST Proves No Finite Set of AI Guardrails Can Block Every Attack

This one matters more than the headline suggests. NIST senior scientist Apostol Vassilev published a peer-reviewed proof in IEEE Security & Privacy showing that for any finite set of guardrails, some adversarial prompt exists that can bypass them.

The proof extends Godel’s incompleteness theorems to AI security. The practical implication is clear and it aligns with what practitioners already know intuitively. Static guardrails are necessary but never sufficient.

Continuous monitoring, red teaming, and iterative updates are the only viable security model for AI systems, and organizations still treating AI safety as a deploy-and-forget exercise need to rethink their approach.

OpenAI Launches Lockdown Mode for Prompt Injection Defense

OpenAI rolled out Lockdown Mode on June 4, an optional security setting that limits outbound network requests to prevent data exfiltration from prompt injection attacks. When enabled, it disables web access, image support, Deep Research, Agent Mode, and file downloads.

The tradeoff is explicit and honest. You lose capability in exchange for a substantially reduced attack surface. Lockdown Mode does not prevent prompt injections from occurring. It prevents the final stage of exfiltration.

This is defense-in-depth thinking applied to an LLM product, and while it is designed for a small set of security-conscious users handling sensitive data, the concept of hard boundaries at the product level is worth watching as a design pattern.

Karl McGuinness: “Authorization Denied” Is No Longer Enough for Agent Identity

Okta’s former Chief Product Architect makes the case that existing identity infrastructure was built for humans or long-lived machines, not agents that spawn, collaborate, and disappear in seconds.

The Agent Identity Service he describes uses the AGNTCY Linux Foundation project with cryptographic badge generation for MCP servers and human-in-the-loop policy authorization for critical actions.

This is exactly the identity layer that agentic architectures need. Agents operating with probabilistic intent at machine speed require authorization models that go far beyond binary allow/deny decisions.

Karl is genuinely one of the sharpest people I’ve discussed Agentic IAM with, and I had a excellent conversation with him below:

CleverHans Lab: Free AI Models Power Autonomous Computer Worms

Researchers at the University of Toronto’s CleverHans Lab built a proof-of-concept AI worm using only small, free AI models that autonomously identifies vulnerabilities, reasons about attack strategies, and self-replicates across networks.

In seven days of fully autonomous operation, the worm identified an average of 31.3 vulnerabilities per target, successfully exploited 73.8% of the network, and replicated to 61.8% of hosts across up to seven generations.

Critically, it exploited three vulnerabilities disclosed in 2026, after the model’s training cutoff, by ingesting publicly available advisories at runtime. Nobody needs Mythos to build a chaos-causing worm, free open-source models work just fine.

The Agent Harness Problem: Anatomy and Technical Debt

LangChain and Lee Hanchung both published complementary pieces this recently on agent harnesses, the infrastructure surrounding an AI model including tools, memory, sandboxing, and orchestration logic.

LangChain showed that harness improvements alone can significantly boost benchmark performance without changing the underlying model. Hanchung’s analysis goes further, arguing that most durable agent teams treat harnesses as 90-day artifacts and delete most code on model updates.

The security implication is that harness code is disposable by design, which means security controls embedded in the harness layer are likely to be discarded and rebuilt on every model upgrade cycle.

Pillar Security: Agentic AI Risks in CI/CD Pipelines

Pillar Security documented how coding agents with read/write access to repositories and deployment keys create new attack surfaces in CI/CD pipelines. The risk model includes prompt injection, privilege escalation, and lateral movement through compromised containers.

This piece landed the around the same time that the Agent Control Standard (ACS) went public at v0.1.0 as the first open, MIT-licensed spec for runtime governance of AI agents. The pattern is becoming clear, agents are getting pipeline access before the governance frameworks exist to constrain them.

Anthropic: Using LLMs to Secure Source Code

The methodology here is worth paying attention to. A 6-stage loop for AI-driven code security spans threat modeling, sandbox creation, discovery, verification, triage, and patching.

Their own open source scanning has disclosed 1,596 items and validated over 500 high-severity vulnerabilities. The key insight I took from this is that discovery has become trivially parallelizable, but the bottleneck has shifted entirely to verification, triage, and patching.

That is the same bottleneck I keep coming back to in the vulnpocalypse discussion, and no amount of discovery tooling solves it without investing equally in the remediation pipeline.

MIT AI Risk Repository: 18 of 24 Domains Carry Catastrophic Risk

MIT’s AI Risk Initiative surveyed experts across 200+ organizations and found that 18 of 24 AI risk domains carry at least a 10% probability of catastrophic outcomes within five years. Information, finance, and national security face the highest vulnerability. These are not fringe researchers making dramatic claims.

This is MIT putting probability estimates on AI-driven systemic risk across every major sector, and the numbers should inform how organizations think about AI governance.

AppSec

The Vulnpocalypse Goes GA

I wrote a full piece this week on what Fable 5’s public release means for the vulnerability landscape. The vulnpocalypse is no longer a theoretical exercise gated behind Glasswing access.

With Mythos-class capability in the hands of every Pro subscriber, the volume of AI-discovered vulnerabilities is about to jump again, and the remediation bottleneck that was already stretched thin is going to break for organizations that have not invested in triage automation and risk-based prioritization.

The math has not changed. Discovery scales with compute, remediation scales with humans. That gap is the story of the next twelve months.

Palo Alto Networks CEO: “AI Found 5 Years of Bugs in 6 Weeks”

Nikesh Arora revealed that Mythos found years’ worth of vulnerabilities in Palo Alto’s codebase in six weeks. They scanned over 130 products, uncovering 75 legitimate vulnerabilities that have since been patched. The company estimates organizations have three to five months before attackers broadly gain access to frontier AI cyber models.

Early models had false positive rates up to 30%, making them more effective for offense or testing than for immediate defense without proper contextualization. This is the same dynamics playing out everywhere. Discovery is outrunning remediation, and the window to get ahead of it is measured in months, not years.

fwd:cloudsec North America 2026 Playlist

The talks from fwd:cloudsec North America 2026 are live and it is full of excellent talks, including a CNAPP walkthrough on the paste and future from , great talks on topics such as Agentic IAM, and of course all things Cloud Security as well.

Trail of Bits: The Sorry State of Skill Distribution

Trail of Bits bypassed ClawHub’s malicious skill detector, Cisco’s agent skill scanner, and all three scanners integrated into skills.sh, with three of the four bypasses taking less than an hour.

Their simplest bypass prepended 100,000 blank lines to a malicious skill, causing ClawHub’s scanner to truncate the file before reaching the payload and mark it safe. The structural problem is damning. Arbitrary combinations of code, data, and natural language create the broadest possible attack surface, while the cost of inference motivates the use of weak models and truncated contexts.

Their recommendation is blunt and I agree with it. Public skill marketplaces are not safe for agents operating in sensitive contexts, curate your own.

Skill Issues: Compromising Claude Code with Malicious Skills and Agents

ReverseC demonstrated that a single .md file can achieve a reverse shell through Claude Code with out-of-the-box settings. Dynamic context commands execute before the model sees the skill, meaning model-level prompt injection defenses never get a chance to intervene.

The broader data point from the ecosystem is sobering. If you installed a skill from ClawHub in the past month, there is a 13% chance it contains a critical security flaw. Skills supply chain security is rapidly becoming one of the most urgent problems in the agent ecosystem.

Miasma Supply Chain Worm Compromises 73 Microsoft GitHub Repositories

This is the supply chain attack that should have everyone’s attention. Miasma, an evolved variant of the Shai-Hulud worm open-sourced by TeamPCP, compromised 32 packages across 90+ versions under the redhat-cloud-services npm scope through a hijacked CI/CD pipeline.

The malware stole SSH keys, CLI credentials, and browser data on developer systems, while in CI/CD environments it scraped GitHub Actions runner memory for secrets and republished poisoned packages with forged SLSA provenance. On June 5, GitHub disabled 73 Microsoft repositories after Miasma re-compromised Azure’s durabletask project.

The worm executes automatically when an infected repository is cloned and opened in Claude Code, Gemini CLI, Cursor, or VS Code. This is the software supply chain threat model operating at a level of sophistication that most organizations are not equipped to detect.

The Unintended Consequences of Vulnmaxxing

raised a point on Enterprise Security Weekly that I think deserves more attention. “Vulnmaxxing,” the practice of expensive AI-driven vulnerability discovery at industrial scale, threatens to create a two-tier security world where well-funded organizations race ahead while everyone else falls further behind.

If AI vulnerability discovery becomes a rich-organization sport, we end up widening the security inequality gap rather than closing it. The democratization of defensive capability is just as important as the democratization of discovery.

Predict, Don’t Enumerate

O’Reilly published a piece advocating for EPSS-based exploit prediction over exhaustive vulnerability enumeration, referencing Anthropic’s April 2026 security guide.

The core argument is elegant. Since vulnerabilities are effectively infinite, the only viable strategy is prioritizing by exploitability rather than trying to catalog everything. This aligns with what I have been saying about risk-based prioritization for years, and the vulnpocalypse makes it even more urgent. The organizations still trying to chase zero CVEs are going to drown.

Final Thoughts

This week crystallized something I have been building toward across the last several issues. The vulnpocalypse went from restricted preview to general availability. Fable 5 put Mythos-class capability in the hands of millions, and the market responded instantly. CrowdStrike reported its “Mythos moment” with record ARR, while the IPO pipeline suggests hundreds of billions in AI-adjacent capital is looking for a home. The demand signal for security is unmistakable.

But capability without governance is just chaos with better tooling. NIST proved mathematically that static guardrails will always be breakable. Trail of Bits showed that skill scanners can be bypassed in under an hour. Miasma demonstrated supply chain attacks operating at a sophistication level that forges provenance and spreads through developer tools automatically.

The lesson is not that we should stop building. It is that continuous monitoring, curated trust, and defense-in-depth are the only models that work when both the offensive and defensive sides are moving at AI speed.

The organizations that will thrive are the ones treating security as a continuous, adaptive process rather than a compliance checkbox. The building blocks exist. The challenge is building the muscle to use them before the window closes.

Stay resilient.

Subscribe now

As of today, the core model behind those capabilities is generally available. Claude Fable 5, a Mythos-class model wrapped in safety classifiers, is now accessible to anyone with an API key at $10 per million input tokens and $50 per million output tokens. The capabilities that were gated behind government partnerships and vetted research programs two months ago are now commercially available.

As I wrote in Claude Mythos: Why It Matters (And Why It Doesn’t), the significance of Mythos was never just about one model’s benchmarks. It was about what those benchmarks signaled for the structural economics of vulnerability discovery and exploitation.

With Fable 5, that signal goes from preview to production. The Vulnpocalypse I’ve been writing about, the structural asymmetry between AI-accelerated discovery and the capacity to remediate, just became accessible to every organization and every adversary with a credit card.

The Benchmarks

Fable 5 leads or matches the best available models across virtually every coding and reasoning benchmark.

On SWE-bench Verified it scores 95.0%, and on SWE-bench Pro it hits 80.3%, compared to 69.2% for Claude Opus 4.8, 58.6% for GPT-5.5, and 54.2% for Gemini 3.1 Pro. On Terminal-Bench 2.1 it scores 88.0%, on CursorBench it reaches 72.9% at max effort.

These aren’t marginal improvements, the gap between Fable 5 and the next best competitor on coding tasks is significant enough that it represents a qualitative shift in what autonomous coding agents can accomplish in production environments. In the PR from Anthropic they discuss how Stripe reported that Fable 5 completed a 50-million-line Ruby codebase migration in a single day, work that would have required two months of team effort.

The cybersecurity benchmarks come from the Mythos lineage, since Fable 5 and Mythos 5 share the same underlying model. During the Mythos Preview period, the model achieved a 73% success rate on expert-level CTF challenges, making it the first AI model to solve challenges at that difficulty tier. It completed a 32-step corporate network takeover simulation end-to-end as I discussed previously, in reporting from the UK’s AI Security Institute (AISI).

On ExploitGym, it successfully exploited 157 of 898 real-world vulnerabilities and developed 181 working exploits including a 20-gadget ROP chain against FreeBSD and a four-vulnerability browser sandbox escape. As I covered in The AI Cyber Capability Curve, the capability curve for frontier models on cyber tasks has been steepening with every release. Fable 5 represents another significant step up that curve, and this time the step is commercially available rather than gated.

Anthropic’s own scan of over 1,000 open-source projects during the Glasswing preview estimated 23,019 total vulnerabilities, with 6,202 classified as high or critical. Cloudflare, one of the Glasswing partners, found 2,000 bugs across their codebase with 400 rated high or critical, and reported false positive rates better than human testers. Partners across the program saw greater than 10x improvement in bug-finding rates. These numbers should be familiar to readers who followed my coverage in The Receipts Are In, but they take on new weight now that the underlying model is generally available.

The Jagged Frontier

One of the most important counterpoints to the Fable 5 narrative comes from research that Anthropic itself published alongside the launch, and from independent work by researchers like Niels Provos and AISLE. The capability distribution across AI models for cybersecurity tasks isn’t a smooth curve where bigger and more expensive models always win. It’s what AISLE calls a “jagged frontier,” where rankings reshuffle completely depending on the specific task and where with effective harness engineering, zero day discovery can be available to anyone, even with older, smaller and less capable models.

The numbers here are striking as well. A 3.6-billion parameter model, running at $0.11 per million tokens, which is 600x cheaper than Mythos, correctly detected Mythos’s flagship FreeBSD exploit, identifying the stack buffer overflow, computing remaining buffer space, and assessing it as critical with RCE potential.

Eight out of eight models AISLE tested detected the same vulnerability, including open-weights models like GPT-OSS-120B with only 5.1 billion active parameters. Niels Provos built an open-source framework called IronCurtain that achieved autonomous discovery of new zero-days in foundational software using a mix of commercial and open-weight models, leading him to argue that “vulnerability discovery is an orchestration problem, not a frontier-model problem.” Vidoc Security independently reproduced Anthropic’s Mythos findings with publicly available models, reaching the same conclusion.

Both AISLE and Vidoc concluded that the real moat isn’t the model, it’s the security expertise to operationalize the bug discovery process, building the harness, validating the results, and triaging findings against actual exploitability.

This matters because it directly challenges one of the two core narratives that emerged from the Mythos marketing campaign, that only the most powerful and expensive frontier models can do this work, and that they do it autonomously. The research shows that cheaper models can find the same vulnerabilities, and that the orchestration and expertise surrounding the model matters more than the model itself.

But the practical reality for most attackers and security researchers is more nuanced. Building the orchestration harnesses, targeting logic, iterative deepening, validation pipelines, and triage workflows that Provos describes in his IronCurtain framework is itself a significant engineering effort.

Most researchers and most attackers won’t build that infrastructure. They’ll use the most capable generally available model they can access through an API, and as of today, that model is Fable 5. The jagged frontier is real and the research matters, but the GA release of a Mythos-class model changes the practical calculus for the vast majority of users who want capability without building custom harnesses.

The Hype Cycle as Lead Funnel

There’s a pattern worth examining honestly in how this release played out and it is one skeptics have been pointing out and I want to acknowledge it as well. In April, Anthropic gated Mythos behind a government partnership, published benchmark results showing unprecedented vulnerability discovery capabilities, and framed the model as too dangerous for general release. Two months later, the same underlying model is available to anyone with an API key. The framing shifted from “this is so dangerous we can’t release it publicly” to “here it is, with safety classifiers, for $10 per million input tokens.”

wrote about this dynamic in his piece on what he calls “vulnmaxxing,” and his analysis raises some excellent points. Sanabria’s argument is that the Mythos launch wasn’t just a marketing campaign, it was a lead funnel.

Convince the world’s largest software makers that they need Mythos-class capabilities to find vulnerabilities in their code, and then you’ve created demand for the same AI to fix those vulnerabilities, because the volume of findings is too high for human remediation alone. The circular logic is hard to ignore, as AI finds the bugs, for a price and then AI fixes the bugs, for a price, and both sides of that equation run through the same vendor’s API.

The pricing tells part of the story. Fable 5 at $10/$50 per million tokens is double the cost of Claude Opus 4.8 at $5/$25. Mythos Preview ran at $25/$125. Anthropic gave away $100 million in free Mythos credits during the Glasswing preview, which seeded adoption and generated the vulnerability findings that are now cited as evidence that organizations need Mythos-class capabilities. Whether you see this as responsible scaling or as market creation depends on how much credit you give to the security narrative versus the commercial incentive structure.

Sanabria raises a related concern around the security poverty line. The 1% of companies with the largest engineering budgets can afford a Mythos-level audit of their codebases and the AI-assisted remediation that follows.

Everyone else either builds their own harnesses using cheaper models, which requires security expertise and engineering investment most organizations don’t have, or falls further behind. The gap between organizations that can afford AI-augmented security and those that can’t may widen rather than narrow with each frontier model release.

There’s also a question about the value of what’s being found. Cyentia’s research shows that 98% or more of all vulnerabilities are of low-to-no concern from an attacker’s perspective. The findings from Glasswing and Fable 5 scans will follow this same distribution. Anthropic’s marketing uses the language of “zero-day discovery,” but as Sanabria points out, a vulnerability with no value to an attacker is a software bug, not a meaningful security finding.

The volume of discoveries is impressive but the fraction of those discoveries that represent genuine risk to the organizations affected is a different and much smaller number. Organizations that can’t distinguish between the two will burn tokens and remediation cycles on findings that don’t actually reduce their risk.

This makes concepts such as effective vulnerability management (literally the title of a book I wrote) along with vulnerability prioritization (e.g. KEV, EPSS, reachability, business context etc.) even more critical.

The Safeguards

Anthropic’s approach to releasing Mythos-class capabilities to the general public hinges on three safety classifiers built into Fable 5 that aren’t present in the gated Mythos 5 deployment. wrote an excellent piece diving into some of those safeguards titled “Claude Fab 5 and New AI Safety Fables”.

The cybersecurity classifier prevents exploitation and offensive cyber tasks, with Anthropic reporting over 1,000 hours of red-teaming that found no universal jailbreaks, and zero compliance on harmful single-turn cyberattack requests across 30 public jailbreak techniques.

The biology and chemistry classifier applies broad safeguards on dual-use research, tuned conservatively toward safety. The distillation prevention classifier blocks large-scale extraction attempts designed to train competing models, something we’ve even seen The White House release memos of concern on, especially when it comes to maintaining the edge in AI over China. When any classifier triggers, the request falls back to Claude Opus 4.8 rather than refusing outright, which Anthropic says happens in less than 5% of sessions on average.

Mythos 5, the version without these classifiers, remains gated. Cyber safeguards are lifted only for Project Glasswing partners working with the U.S. government. Biology and chemistry safeguards are lifted only for select researchers enrolled in Anthropic’s life sciences program.

This tiered approach, same model with different guardrail configurations depending on the use case and the vetting of the user, is Anthropic’s answer to the dual-use challenge.

Whether the cybersecurity classifiers hold against motivated adversaries over time is an open question that the red-teaming results can’t fully answer, because the adversarial community hasn’t had access to the GA model long enough to develop novel techniques against it. I will definitely be keeping an eye on this aspect of things in the coming days/weeks to see what jailbreaks do emerge as the community gets to it.

Policy Is Already Behind

The timing of this release is hard to ignore. The White House signed the “Promoting Advanced Artificial Intelligence Innovation and Security“ executive order just last week, on June 2nd.

For those not familiar with it, I provided a detailed video breakdown of the EO:

That EO directs NSA to develop a classified benchmarking process within 60 days to determine which AI models qualify as “covered frontier models” and directs Treasury, NSA, and CISA to stand up an AI cybersecurity clearinghouse to coordinate vulnerability scanning and remediation.

As I discussed in my written and video coverage of the EO, none of those constructs exist yet. The NSA hasn’t designated any covered frontier models or likely even codified the criteria. The clearinghouse hasn’t been formed, the benchmarking process hasn’t been developed, and today, a Mythos-class model went GA.

This is the structural challenge I’ve been writing about. Policy operates on 30-day and 60-day timelines at best, often longer, while model capabilities advance on continuous deployment cycles. The Agentic SDLC runs on an entirely different pace than the regulatory and policy lifecycle does.

The EO’s vulnerability clearinghouse is a good idea, and the early access provision that gives government defenders a 30-day preview of frontier models before public release is a genuinely novel mechanism. But Fable 5 is available today, and the governance infrastructure the EO envisions won’t be operational for weeks or months. The models don’t wait for the institutions to catch up.

Even then, the 30d preview period will do little to nothing for actual remediation in real-world government and critical infrastructure environments where I’ve spent most of my carer, as the AI-driven vulnerability discovery meets the analog reality of the people, process and technology paradigm and massive vulnerability backlogs that existed well before the rise of LLM’s and Mythos class models.

The EO’s voluntary framework for industry participation makes this gap even more visible. Anthropic is voluntarily implementing safety classifiers, voluntarily gating Mythos, and voluntarily partnering with the government through Glasswing.

These are real commitments from a company that has consistently invested in safety research. But the framework depends on the frontier labs choosing to cooperate, and as I explored in The Regulation Pendulum, the open-weights ecosystem and smaller labs operating outside the voluntary framework face no equivalent constraints. The next model with Fable 5-class vulnerability discovery capabilities might not come with safety classifiers or government partnerships attached.

What This Means for the Ecosystem

The GA release of Mythos-class capabilities creates pressure across the entire software ecosystem, and the pressure is compounded by the dynamics Adrian Sanabria identifies.

For open-source maintainers, this is an acceleration of a problem that was already overwhelming and which has been well documented by industry leaders such as cURL’s Daniel Stenberg.

The Glasswing preview showed what happens when frontier AI models are pointed at large open-source codebases. Hundreds of high-severity vulnerabilities surface in projects maintained by small teams or individual developers who are already stretched thin.

This creates unintended outcomes and challenges in the real world. Code repositories are already going private as maintainers try to survive what he calls the vulnpocalypse through obscurity. As I’ve written about since Death Knell of the NVD, the vulnerability data infrastructure is buckling under the volume of discoveries that existed before AI-accelerated scanning. The NVD backlog, the strain on CVE numbering authorities, and the remediation gap between discovery and fix are all structural problems that Fable 5’s general availability will intensify. The Attack Surface Exponential is real, and now anyone can point a Mythos-class model at it.

For enterprise security teams, the math gets harder in multiple dimensions. Organizations already drowning in vulnerability backlogs will face an acceleration in externally reported findings as researchers, bug bounty hunters, and automated scanning services adopt Fable 5.

The remediation capacity doesn’t scale at the same rate as the discovery capacity, and if the fix for AI-discovered vulnerabilities is AI-generated patches, organizations face a new set of unknowns. We have limited visibility into what vibe-coded patches are doing to the future security and stability of codebases, and the pace of AI-generated fixes may not leave time for the human review that historically catches the secondary bugs that patches introduce.

The core tension of the Vulnpocalypse, the gap between the velocity of findings and the velocity of quality fixes, just widened.

There is a genuine opportunity on the other side of this. The same capabilities that enable vulnerability discovery at scale can be turned inward. Organizations can use Fable 5 to scan their own codebases, identify high-severity vulnerabilities in their own products and internal tools, and fix them before external researchers or adversaries find them first.

Cloudflare’s results, 2,000 bugs identified with false positive rates better than human testers, show what AI-assisted internal hardening looks like when applied systematically, but we have to remember most security and engineering teams don’t look like Cloudflare’s.

Concerns about the security poverty line are real. The organizations best positioned to capture this opportunity are the ones with the engineering budgets, security expertise, and triage workflows to separate the 2% of findings that matter from the 98% that don’t.

For everyone else, the flood of AI-generated findings without the context to prioritize them risks becoming noise that makes an already impossible triage problem worse.

Where This Leaves Practitioners

The GA release of a Mythos-class model is a structural inflection point, but what practitioners do with that inflection depends on how clearly they see both the opportunity and the business model underneath it.

The capabilities are real, Fable 5 can find vulnerabilities that human reviewers miss, at a speed and scale that manual code review can’t match and genuinely do represent a step-change in frontier model capabilities.

The hardening opportunity is genuine, and organizations that use it to find and fix their own most critical vulnerabilities before adversaries do will have a meaningful defensive advantage, but the framing matters too.

Not every vulnerability AI discovers is a zero-day that demands urgent remediation. Most are software bugs that have no realistic exploitation path. The organizations that treat every AI-generated finding as a critical priority will burn budget and remediation capacity on work that doesn’t reduce risk. The ones that pair AI-assisted discovery with mature triage and exploitability analysis, informed by the same prioritization discipline practitioners have been building for years, will get the most value. This is also a topic my friend has discussed in various pieces of his own as well.

The policy infrastructure the AI EO envisions, from the NSA’s frontier model designation to the vulnerability clearinghouse, is necessary but not yet operational, and the models aren’t waiting.

The jagged frontier research from AISLE and Provos should inform how security teams think about their own tooling strategy, because it means you don’t necessarily need the most expensive model to get meaningful results if you have the expertise to build the orchestration around cheaper alternatives.

The circular economics of AI finding bugs that AI then fixes, with both sides running through the same vendor’s API at double the cost of the previous generation, should be weighed with the same skepticism practitioners apply to any vendor’s pitch about why you need their product to solve a problem their other product helped create.

The Vulnpocalypse went GA today.

What practitioners do with it, whether they use it to harden their own code, get buried under the volume of findings, or recognize the commercial dynamics shaping how these capabilities are marketed, will depend on whether they approach it as a tool or accept it as a narrative.

Subscribe now

I’ve been tracking this trajectory across multiple articles, from Vulnpocalypse and The Attack Surface Exponential to The NVD Just Threw in the Towel, and the 2026 Verizon DBIR confirmed what the trendlines have been screaming. Vulnerability exploitation is now the leading initial access vector in confirmed breaches, nearly doubling phishing for the first time in the report’s history.

That isn’t just a data point, it’s the clearest signal yet that the era of reactive, human-paced vulnerability management is ending, and that defenders need to match the speed and autonomy that attackers are already operating with to have any chance of keeping pace and effectively mitigating organizational risks.

Most teams aren't short on vulnerability detections, they're drowning in them.

The signal-to-noise problem is the actual problem. Resilient Cyber’s partner, Zafran, put together “A Practical Guide: Evolving VM to CTEM” on moving from legacy VM to CTEM without boiling the ocean, start where you are, prioritize what's actually exploitable, iterate from there.

Worth the read if "we have 40,000 criticals" sounds familiar.

-> Get the CTEM Guide! <-

The Exploitation Timeline Has Collapsed

The gap between vulnerability disclosure and active exploitation has compressed to the point where traditional remediation cycles are functionally irrelevant for the most critical findings.

As I covered in The Zero Day Clock Is Ticking, research tracking the median time-to-exploit found it collapsed from 771 days in 2018 to roughly 4 hours by 2024.

The MOAK autonomous exploitation project demonstrated that an AI system could exploit 174 out of 178 CISA Known Exploited Vulnerabilities in an average of 21 minutes each, with no human in the loop, and the 2026 DBIR found that organizations take a median of 43 days to remediate edge device vulnerabilities, with only 54% remediated within an entire year.

Those two numbers, 43 days versus 4 hours, tell the whole story of why exploitation has become the dominant attack vector. Defenders are operating on patch cycles measured in weeks and months while attackers, increasingly aided by AI tooling, are operating in minutes and hours.

The window between disclosure and exploitation that the entire vulnerability management model was built around has effectively closed.

This is compounded by the sheer volume.

FIRST projected approximately 59,000 new CVEs for 2025, a 50% increase over the prior year, and 2026 is on pace to exceed that.

As I wrote in The NVD Just Threw in the Towel, NIST reclassified roughly 29,000 backlogged CVEs to “Not Scheduled,” acknowledging that the data infrastructure the industry relies on for vulnerability prioritization can’t keep up with the input volume.

More vulnerabilities are being discovered than ever before, the enrichment data needed to prioritize them is arriving late or not at all, and the exploitation timeline has compressed to the point where “patch quickly” is no longer a viable strategy for the most dangerous findings.

AI Is Accelerating Both Sides, But Not Equally

I explored the broader dynamics of AI in cybersecurity in The AI Cyber Capability Curve, and the core observation is playing out exactly as expected.

AI is amplifying capabilities on both sides of the security equation, but the attacker side is benefiting faster because offensive tasks are structurally simpler to automate and validate than defensive ones.

Generating a working exploit for a known vulnerability is a well-scoped, deterministic problem that AI excels at. Proof-of-concept code that once took researchers days to develop is now being generated in minutes. Researchers have demonstrated AI agents achieving an 87% success rate in autonomously identifying and exploiting one-day vulnerabilities in real-world software. Google DeepMind’s “Big Sleep” agent found a previously unknown vulnerability in SQLite, marking one of the first documented cases of AI discovering an exploitable memory safety bug in widely deployed software.

Defending against exploitation, by contrast, requires understanding organizational context, asset criticality, compensating controls, patch dependencies, business impact, and change management constraints.

These are exactly the kinds of multi-variable, context-dependent decisions that have historically resisted automation. The result is an asymmetry that grows wider with each generation of AI tooling.

Attackers are automating exploitation at machine speed. Defenders are still running remediation through human-paced processes that were designed for a world where they had weeks or months of lead time.

As I discussed in Claude, Mythos, and Why It Matters, Anthropic’s Mythos moment put a fine point on this. When a leading AI lab demonstrates advanced autonomous capabilities, the downstream implications for offensive security tooling are immediate and concrete.

There’s no longer a question whether AI will be weaponized for vulnerability exploitation at scale, it already has been. The question is whether defenders can operationalize AI and autonomy in their own workflows fast enough to close the gap, which has been a key recommendation in leading guidance, such as in Cloud Security Alliance’s “Building a AI-Ready Vulnerability Security Program”.

Recent reports, such as the latest Verizon DBIR make the case even stronger, showing that patches are still taking weeks but exploitation has collapsed to hours. The latest DBIR found that exploitation of vulnerabilities is the #1 attack vector, twice as high as #2, and growing, as attackers continue to capitalize on remediation bottleneck.

The Case for Autonomous Defensive Workflows

The traditional vulnerability management lifecycle, scan, prioritize, ticket, patch, verify, was built for a tempo that no longer exists.

Each step in that chain introduces latency, and latency is the thing defenders can least afford when exploitation timelines are measured in hours. The industry has recognized this at the conceptual level, which is why frameworks like Continuous Threat Exposure Management (CTEM) have gained traction as the successor to legacy VM programs.

As I wrote in Vulnerability Management Evolves to CTEM, the shift from periodic scanning and static prioritization to continuous, context-aware exposure management represents a necessary evolution.

But CTEM as a framework still requires operationalization, and that’s where most organizations stall. They understand the need for continuous assessment, business-aligned scoping, and validation-driven prioritization. They struggle to execute it at the speed the threat environment demands because their workflows still depend on human analysts to interpret findings, human operators to implement remediations, and human decision-makers to approve changes. Each of those handoffs introduces hours or days of delay in a world where exploitation happens in minutes.

This is why I wrote in Elevating CTEM with Agentic Exposure Management that the next evolution of exposure management requires agentic AI workflows that can operate autonomously within defined guardrails. The concept isn’t replacing human judgment entirely, it’s removing humans from the steps that don’t require judgment, automating the repetitive, time-sensitive execution work so that human analysts can focus on the genuinely complex decisions that benefit from their expertise.

As I explored in Vulnerability Management in the Age of Autonomous Exploitation, where I unpacked CSA’s guidance, the organizations that will navigate this era successfully are the ones that can match autonomy with autonomy.

That means workflows that detect new exposures within hours of disclosure, assess exploitability against the organization’s actual environment and compensating controls, generate and route remediation actions through existing tooling, and execute compensating controls without waiting for a patch cycle.

This is not a future aspiration, it’s a current operational requirement for any organization facing the exploitation timelines documented in the 2026 DBIR and other sources.

What Autonomous Workflows Look Like in Practice

Describing autonomous defensive workflows in the abstract or publications is fairly straightforward. Operationalizing them is where the real challenge lives, because autonomy without context is just faster noise. An autonomous system that generates thousands of tickets for vulnerabilities that aren’t exploitable in your environment hasn’t solved the problem, it’s added to it and created the exact type of toil that had led to developers dreading engaging with us in cyber.

Resilient Cyber’s partner, Zafran’s Zero Day Agent is one example of how autonomous workflows can be operationalized against the AI-augmented exploitation problem. The approach is built around a core insight that most vulnerability management programs miss entirely. Not every vulnerability that scores a 9.8 on CVSS is actually exploitable in every environment, because the presence of compensating controls, network segmentation, runtime configurations, and defensive tooling already in place can neutralize many critical findings before a patch is ever applied.

The Zero Day Agent’s workflow runs in a continuous loop. When a new zero-day or high-priority vulnerability is disclosed, the agent automatically identifies affected assets across the environment by cross-referencing against the organization’s software inventory and runtime presence data.

It then assesses whether the vulnerability is actually exploitable given the organization’s specific defensive posture, evaluating factors like internet reachability, existing firewall rules, EDR coverage, and WAF configurations.

For vulnerabilities where compensating controls already neutralize the risk, the agent documents that finding and moves on. For the subset that are genuinely exploitable, it automatically generates work items with pre-populated context, including affected assets, exploitability analysis, and recommended remediation steps, and routes them through existing ITSM tools.

We’ve seen the rise and popularity of “reachability analysis” in the SCA and runtime context for applications, and this sort of zero day agent helps take that a step further with broader organizational and environment context beyond just code.

This is a critical distinction from traditional vulnerability management, which treats every critical-severity finding as equally urgent regardless of environmental context. Zafran’s data suggests that roughly 90% of critical vulnerabilities are not exploitable in a given environment once compensating controls are properly mapped, which means the remediation effort can focus on the 10% that actually represent real risk. That’s the difference between an autonomous workflow that creates value and one that just creates velocity.

This sort of capability has been elusive for organizations both due to the level of effort needed to validate exposure, but also due to the comprehensive environmental and organizational context needed to determine it.

The practical impact is compressing the response timeline from weeks to hours. Instead of a vulnerability disclosure triggering a manual triage process that takes days to assess scope, additional days to prioritize against the backlog, and weeks to schedule and deploy patches, the autonomous workflow handles discovery, assessment, and routing within hours of disclosure.

For organizations operating under the exploitation timelines documented in the 2026 DBIR or M-Trends, that compression isn’t a nice-to-have, it’s the difference between responding before exploitation and performing incident response after it.

As someone who literally wrote the book on effective vulnerability management, there’s no question to me that vulnerability management needs to become autonomous. Data in reports such as M-Trends, DBIR and broader industry trends has already answered that.

That said, many are looking for guidance on how to operationalize that autonomy.

You can Join Zafran for the upcoming webinar With Zafran’s CISO Nate Rollings, along with Lawrence Pingree of where they’re dig deeper into what that operationalization looks like in practice and how to navigate the transition from traditional VM to autonomous workflows.

From Maturity Model to Operational Reality

The evolution from legacy vulnerability management through risk-based approaches to CTEM represents a maturity curve that most organizations are somewhere in the middle of navigating. Zafran’s updated CTEM whitepaper adds a fifth stage to the maturity model, Autonomous Workflows, which represents the operational end-state that the current threat environment demands.

The progression is logical and aligns with the broader industry trends that warrant the organizational evolution of CTEM.

• Stage one is scanner-focused vulnerability management, counting CVEs and generating reports.

• Stage two introduces basic prioritization, typically CVSS-driven.

• Stage three moves to risk-based vulnerability management, incorporating threat intelligence and asset context.

• Stage four is full CTEM, with continuous scoping, discovery, prioritization, validation, and mobilization.

• Stage five adds autonomous execution, where agentic AI systems handle the high-volume, time-sensitive operational work within human-defined policy guardrails.

Most organizations I talk to are somewhere between stages two and four, and the jump to autonomous workflows feels daunting because it requires trust in automated systems making decisions that have traditionally been reserved for human analysts.

That concern is reasonable, but it needs to be weighed against the alternative, which is continuing to run human-paced processes against machine-speed exploitation. The organizations that insist on human review of every remediation decision are implicitly accepting that they will be slower than their adversaries on every critical vulnerability. In the current environment, that is a choice with real consequences for the organizations we’re supposed to be defending.

The guardrails matter as well and autonomous doesn’t mean uncontrolled. The most effective implementations maintain human oversight at the policy level, humans define which classes of actions the autonomous system can take, what severity thresholds trigger automated response, and what changes require approval, while delegating the execution of those policies to automated workflows.

The human role shifts from doing the work to governing how the work gets done, which is both a more efficient use of scarce security talent and a more sustainable operating model given the volume of findings most programs are managing.

The Structural Shift Ahead

The AI-driven exploitation era isn’t a temporary phase. Every structural trend in the data, more vulnerabilities, faster exploitation, expanding attack surfaces, degrading data infrastructure, AI-accelerated offensive tooling, points in the same direction. The organizations that will navigate this successfully are the ones that operationalize autonomy in their defensive workflows now, rather than waiting for the exploitation gap to widen further.

As I argued at the SANS Agentic AI Security Summit in D.C. in April this year, cyber needs to shift from being a late adopter and laggard to being an early adopter and innovator if we hope to have any chance of keeping pace with attackers in the AI era.

The frameworks exist, CTEM provides the conceptual architecture, industry guidance is encouraging this shift and agentic AI provides the execution capability. Solutions like Zafran’s Zero Day Agent demonstrate that autonomous defensive workflows aren’t theoretical or aspirational. They’re operational today, compressing response timelines from weeks to hours and focusing human expertise where it actually matters.

It’s time for security to be an innovator in this technological wave, rather than a laggard, and one of the areas most ripe for disruption for us is leveraging AI and Agents for the biggest bottleneck of all - remediation.

Subscribe now

The economics of offense changed underneath us, and most security programs are still funded as if they did not.

Why this conversation matters

Doug has sat in two seats that give this argument weight.

At Splunk he evangelized detect and respond, and now at Aviatrix he is arguing that detect and respond, while still important, is no longer enough on its own. That is not a vendor pivot so much as an honest reading of the incentives, and it lands differently coming from someone who built a business on the previous era.

If you are a practitioner watching AI rewrite the attacker’s cost curve, or a leader trying to defend a prevention-heavy budget to a board, this conversation reframes where the money should actually go.

Key takeaways

• Offense became a compute problem, and that is permanent. Finding and exploiting a vulnerability is a search task, and the cost per token has been deflating faster than Moore’s Law. That is why this is a structural shift rather than a few headline demos, and why throwing compute at offense keeps getting cheaper and faster.

• Patching has a ceiling that offense does not. Every patch carries the risk of breaking something, so testing, deployment, and organizational friction cap how fast defenders can move. When vulnerability discovery scales freely and patching cannot, “find more and patch faster” turns into a race you are structurally set up to lose.

• The interesting question is not how they got in, it is where they went. Attackers increasingly arrive with valid credentials and move through the trust graph that runs across cloud services and CI/CD pipelines, including malware injected into trusted repositories. Once they look legitimate inside the environment, lateral movement and egress are where the real damage happens.

• Cloud rewarded velocity, and security paid the bill. Cloud providers made identity default-deny because someone has to own and pay for a workload, but they left networking wide open because their economic engine is developer velocity and security reads as friction. New agentic frameworks inherit that same wide-open default, connected to the internet with little oversight.

• A strong identity stance is necessary and not sufficient. Identity answers whether someone is allowed to act, not whether the action is an attack, which is why attackers log in rather than hack in. Human, agent, and workload identities are genuinely different, and workload identity in particular has been underserved.

• Containment is about blast radius, not about keeping everyone out. The mindset shift is to accept that breaches will occur and to govern every path a workload can take, so an incident stays local and recoverable. Done well, containment holds firm whether or not anyone has detected the attack yet.

• Blast radius has to become a boardroom metric. Doug’s argument is that CISOs, CIOs, CEOs, and boards should be able to answer how reachable anything is from anything else, and treat that number as something to drive down deliberately rather than discover after an incident.

• AI is the reason containment is finally workable. The historic blocker to micro-segmentation was cognitive load across tens or hundreds of thousands of workloads. AI is strong at synthesis and pattern matching, which makes a staged path of observe, discover, monitor, and then enforce realistic, ideally starting with the internet-exposed workloads that have no filtering at all.

Notable quotes

“developer velocity and security is friction”

Doug, on why cloud networking is wide open by default.

“It always is a lateral movement and egress problem.”

“To say I’ve got a strong identity stance, therefore I’m good, is irresponsible.”

Listen and Watch

Spotify

Apple Podcasts

Resources

Aviatrix Threat Research Center

Doug’s LinkedIn

Subscribe

If this kind of structural take on security is useful to you, subscribe to Resilient Cyber for more conversations and writing on cybersecurity, AI, and the incentives that shape both.

Subscribe now

One hundred issues in, and the pace has never been higher. As I get home from the Gartner Security & Risk Summit in National Harbor this week, there’s a lot to cover.

The White House signed an executive order on June 2nd titled “Promoting Advanced Artificial Intelligence Innovation and Security,” and the most revealing thing about it is not what it mandates but what it does not. The order creates binding requirements for Federal agencies to accelerate AI-enabled cyber defense while keeping every meaningful obligation for the private sector entirely voluntary. I wrote a full breakdown in The Vulnpocalypse Won’t Wait for Interagency Coordination, and the short version is that the voluntary model collides with exploit timelines measured in hours.

Meanwhile, Anthropic expanded Glasswing to 150+ new partners across 15 countries and began negotiations to give ENISA direct access to Mythos. Cisco scanned 1.8 billion lines of code in eight weeks using frontier AI, work that would have taken eight years, and the Nx Console supply chain compromise showed that 18 minutes of a malicious VSCode extension was enough to breach GitHub’s internal repositories.

On open source sustainability, Jen Easterly proposed a billion-dollar public-interest fund while Dan Lorenc at Chainguard committed $50 million and 100 engineers to become the “maintainer of last resort.” Both are direct responses to the human sustainability crisis I tracked through Daniel Stenberg’s posts in issues #97 through #99.

Root Evidence confirmed that only 1.4% of CVEs are ever exploited in the wild, the Pentagon’s new CISO announced plans to overhaul the Risk Management Framework, and the WSJ reported on “turncoat AI agents” as the new insider threat vector.

Let’s get into it!

Thanks for reading the Resilient Cyber Newsletter! Subscribe for FREE and join 31,000+ readers to receive weekly updates with the latest news across AppSec, Leadership, AI, Supply Chain, and more for Cybersecurity.

Interested in sponsoring an issue of Resilient Cyber?

This includes reaching over 31,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives

Reach out below!

-> Contact Us! <-

Cyber Leadership & Market Dynamics

The Vulnpocalypse Won’t Wait for Interagency Coordination

I wrote a full analysis of the June 2nd executive order on AI. The order creates binding 30-day and 60-day deadlines for Federal agencies, including CISA Binding Operational Directives for AI-enabled defense, a Treasury-led cybersecurity clearinghouse, and classified NSA benchmarking to define “covered frontier models,” while keeping every private sector obligation voluntary.

The order explicitly prohibits mandatory licensing or preclearance for AI model development. The deregulatory logic has merit, but the voluntary model faces a structural problem I have been tracking since Vulnpocalypse. AI has compressed exploit timelines from months to hours while the latest DBIR shows 43 days as the median to remediate KEV vulnerabilities.

The ambition is real, but whether the institutions can execute at the speed the threat demands is the question that will determine whether this EO matters.

Glasswing Goes Global as Anthropic Adds 150 Partners Across 15 Countries

Project Glasswing is expanding from roughly 50 initial partners to over 200, adding sectors underrepresented in the first wave, including power, water, healthcare, and hardware. Anthropic also confidentially filed its IPO prospectus with the SEC.

The expansion validates the thesis I have been tracking since Glasswing launched. AI-driven vulnerability discovery at this scale cannot remain gated to a small group of technology companies, but widening the pipeline only works if the downstream systems can absorb it.

Anthropic Offers ENISA Direct Access to Mythos in a Move That Ends Weeks of Diplomatic Tension

Anthropic communicated its decision to the European Commission over the weekend, making ENISA the first EU agency to receive access to Mythos. The move ends a weeks-long standoff in which Euro-area finance ministers, the European Central Bank, and multiple EU member states demanded access after learning Mythos had found vulnerabilities in systems European governments and critical infrastructure rely on daily.

This is the clearest signal yet that frontier AI models with security capabilities will be treated as strategic assets, subject to access negotiations that look more like arms export controls than software licensing.

Mythos-Class Models Are Headed for Public Release Within Weeks

Anthropic has made “swift progress” on safety safeguards that would allow Mythos-level models to be released to all customers within weeks. The public release timeline changes everything in the Mythos Scrutiny Arc since issue #95. Until now, disclosure volume was constrained by partner count.

A public release means anyone with an API key can run the same discovery pipeline. A Just Security analysis titled “Too Dangerous to Deploy“ questioned whether any safeguard can be sufficient at this scale. Given how trivial it’s been shown to jailbreak any model, it begs the question why Mythos would be viewed any differently.

The Pentagon’s New CISO Plans to Overhaul the Risk Management Framework

DoW CISO Aaron Bishop characterized the current RMF as having a “1990s mentality” that is too slow, too paperwork-heavy, and too disconnected from modern cyber operations. Six months after completing an RMF package, the documentation is already outdated and wrong.

The proposed reform replaces static documentation with telemetry-driven operational awareness. For those of us who have argued that GRC is still in the dark ages, this is an encouraging signal.

Jen Easterly Argues Open Source Needs a Billion-Dollar Public-Interest Fund

Easterly’s argument is simple. Open source sits underneath banks, hospitals, cloud platforms, and government systems, and the maintainers carry enormous responsibility with limited resources. Her proposal is a billion-dollar fund to secure the software commons, supported by frontier AI companies.

Combined with Stenberg’s “The Pressure” post and the Chainguard commitment below, the conversation has moved from abstract concern to concrete proposals with dollar amounts attached. The question is whether the funding arrives before the AI-accelerated disclosure pipeline overwhelms the maintainers holding critical infrastructure together on goodwill.

The WSJ Reports on “Turncoat AI Agents” as the New Insider Threat

AI agents are always on, operate with persistent credentials, and can be hijacked without the agent or its operators knowing. The WSJ positions compromised agents as the next generation of insider threat, one that operates at machine speed without the behavioral tells traditional programs rely on.

The answer is the same one I have been writing about since my article on identity as the agentic AI problem. If you cannot answer “what can this agent do,” “on whose behalf,” and “who approved it” the same way you can for a human employee, you are not ready for the autonomy these systems are about to have.

Congress Extends Cybersecurity Pressure as CVE Volume Hits Record Pace

Jerry Gamblin’s data shows 27,758 vulnerabilities published by June 1, a 39% increase over the same period in 2025, which set a record with 48,185 total CVEs. Only 52% of 2025 CVEs have fully enriched NVD data.

AI-assisted discovery is not a spike but a permanent increase in baseline velocity. The organizations that will survive this volume are the ones prioritizing based on exploitability, reachability, and business context.

Root Evidence Confirms That Only 1.4% of CVEs Are Exploited in Real-World Attacks

This is the data every security leader should bring to their next board meeting. Root Evidence’s Q1 2026 “Stop Counting CVEs” report found that only 1.4% of CVEs are known to be exploited in real-world attacks.

Common prioritization signals, including CVSS, EPSS, and Metasploit modules, all perform poorly as indicators of actual exploitation. When 98.6% of vulnerabilities are never exploited, the organizations chasing zero CVEs are doing risk theater, not risk management.

CoSAI Publishes the AI Shared Responsibility Framework

CoSAI released a five-layer model that maps accountability across the full AI stack and assigns exactly one responsible party to each component. When something goes wrong with an AI system, who is responsible?

The answer today for most organizations is “nobody, because we never defined it.” This framework, combined with OWASP’s AIUC-1 crosswalk, is closing the governance gap between AI capability and accountability.

AI

Cisco Scanned 1.8 Billion Lines of Code in Eight Weeks Using Frontier AI Models

Cisco used a multi-model AI harness, including Claude Mythos Preview and GPT 5.5-Cyber, to scan 1.8 billion lines of code in over 25 languages. Their security research team estimated this would have taken eight years manually.

As a direct consequence, Cisco will shift to biweekly security disclosures starting in July. Cisco’s cadence change is the canary. Other large vendors will follow, and the organizations consuming those advisories need to be ready for twice the volume. This is not a temporary spike, it is the new normal.

Anthropic Publishes a Zero Trust Security Framework for AI Agents

This framework applies every core zero-trust principle to agentic workloads, identifying five agent-specific threats including prompt injection, tool poisoning, and identity abuse. Anthropic reports it blocked 95% of jailbreak attempts with minimal latency increase, and it is platform-agnostic.

As I wrote in “Zero Trust Was Built for a Different Kind of Trust Problem,” the principles translate but the implementation patterns are fundamentally different when the actor is an LLM with tool access rather than a human with a browser.

The Nx Console Supply Chain Compromise Breached GitHub’s Internal Repositories in 18 Minutes

Eighteen minutes. That is how long a trojanized Nx Console VSCode extension (version 18.95.0) needed to be live before automatic updates pushed it to every installed instance, compromising a GitHub employee’s device and exfiltrating internal repositories. CVE-2026-48027 has been added to the CISA KEV catalog.

In a separate “Megalodon” campaign, malicious GitHub Action workflows harvested CI/CD secrets and cloud credentials from public repositories. The development environment is now the primary attack surface.

Chainguard Commits $50 Million and 100 Engineers to Become the Maintainer of Last Resort

Dan Lorenc’s post is one of the most significant commitments to open source sustainability from a commercial entity I have seen in 20 years. AI models like Mythos can find hundreds of vulnerabilities overnight across projects maintained by one person with no obligation to patch.

Chainguard will build trust infrastructure for open source consumption by becoming the “maintainer of last resort.” Lorenc outlines three futures. The naive one where we pretend the current model works. The chaotic one where disclosure floods the ecosystem. And the hard fork, a deliberate decision to build one disclosure pipeline that works at scale.

AWS Adds Resource-Based Policies for Multi-Tenant Agent Security in AgentCore

AWS continues building out the AgentCore identity infrastructure. The new resource-based policies give SaaS providers centralized control over who can access AgentCore Runtime resources, with explicit Deny statements blocking requests not from approved VPCs and tool interceptors validating JWT claims.

Combined with AWS AgentCore OBO delegation, Uber’s agent identity architecture, and Google’s Agent Identity, the hyperscalers are converging on a shared pattern. Agent access is governed per-tenant, per-resource, and per-tool, with cryptographic attestation at each hop.

Tessl Argues That Security Should Target the Coder, Not the Code

When coding agents generate the majority of new code, scanning the output is necessary but insufficient. The leverage point is the agent itself, specifically the skills, instructions, and context that shape its behavior.

There is no established security infrastructure for agent skills yet. Tessl’s partnership with Snyk to bring scanning to every skill in the Tessl Registry addresses this gap. The unit of security in the agentic era is not the line of code. It is the agent and its capabilities.

Claude Compliance API Now Connects to 28 Security and Compliance Platforms

Anthropic’s Compliance API provides programmatic access to conversation content and activity event logs from Claude Enterprise, with 28 integrations spanning CrowdStrike, Purview, Okta, Wiz, Zscaler, and others.

Enterprise AI platforms are becoming first-class objects in security graphs. Governance and observability are the next gate for enterprise AI adoption, and Anthropic is treating them as first-class product requirements rather than afterthoughts.

The NSA Launches Zero Trust Implementation Guidelines

If you are implementing zero trust and want the most detailed government playbook available, this is it. The NSA’s interactive ZIG webpage defines 77 activities across two phases for transitioning to target-level zero-trust maturity, designed for DoD, DIB, and NSS organizations.

The interactive format with checklists and tasks moves zero trust from whiteboard strategy to executable work items. Combined with Anthropic’s Zero Trust for AI Agents framework, the zero-trust paradigm is extending from network architecture to agent architecture in real time.

AppSec

A Claude Code Skill Bundle Brings 681 Vulnerability Patterns to Bug Hunters

Claude-BugHunter packages 51 skills across 24 vulnerability classes, drawing from 681 disclosed HackerOne report patterns. The capability of coding agents is increasingly defined by the skills they carry rather than the tools they connect to. Skills like these make agent security tooling more capable while raising the stakes for skill supply chain integrity.

Patrick Garrity Maps the First Half of 2026 Vulnerability Data

Garrity’s VulnCheck analysis provides the operational context that Gamblin’s macro numbers need. AI-assisted discovery is compressing time between publication and exploitation while volume outpaces every downstream system.

The organizations succeeding are the ones that have operationalized exploitability signals, reachability analysis, and business context into their prioritization workflows.

The Entra Agent ID Administrator Role Could Escalate to Full Tenant Takeover

The Agent ID Administrator role in Microsoft Entra ID could be exploited to take over arbitrary service principals beyond agent-related identities, reported in March and patched by April 9. The irony is hard to miss.

The agent identity infrastructure that is supposed to bring agents under governance was itself a privilege escalation vector. Every new identity primitive creates new attack surface.

HackedIn Benchmarks AI Coding Agents Against Real Penetration Testing Targets

Jamieson O’Reilly’s work puts AI agents into the messier reality of actual penetration testing engagement scopes, adding practitioner context to the ExploitGym research.

The results confirm that AI offensive capability is real, measurable, and improving on a trajectory defenders need to take seriously. The offensive and defensive capability curves are both accelerating. The question is whether they accelerate symmetrically.

Final Thoughts

Issue #100 arrives at a moment when the abstractions are falling away. Anthropic is giving Mythos access to EU sovereign agencies. Cisco condensed eight years of security research into eight weeks. The Nx Console compromise turned 18 minutes into a breach of GitHub’s internal repositories. Trusted publishing was exploited to distribute malware with valid provenance across 32 Red Hat packages.

The systems we built to manage security at human speed are failing at machine speed. But the responses are proportional to the challenge. Chainguard’s $50 million commitment. Easterly’s billion-dollar fund. Anthropic’s Zero Trust for AI Agents. Root Evidence’s data proving only 1.4% of CVEs are ever exploited, giving defenders a rational basis for prioritization.

You cannot patch your way to safety when AI finds vulnerabilities faster than humans can fix them. You can prioritize ruthlessly, build containment that limits blast radius, and invest in the open source infrastructure that everything else depends on.

One hundred issues in, and the work has never mattered more.

Stay resilient.

Subscribe now

I spent some time yesterday heading back from the Gartner Security & Risk Summit digging into it and wanted to walk through some key takeaways.

The order creates binding requirements for Federal agencies to accelerate AI-enabled cyber defense while keeping every meaningful obligation for the private sector entirely voluntary.

That split tells you everything about the administration’s theory of the case on AI governance, and it raises a question practitioners should be thinking hard about, such as whether voluntary frameworks can hold up against the fast moving threats AI is creating.

That said, as I have written about many times, despite cyber being a market failure, regulation can create its own problems, from perverse incentives, stifling innovation, economic ramifications and more. Safe to say, these aren’t easy challenges to solve regardless of which direction you choose.

I’ve been writing about this tension from several angles over the past year, from the regulation pendulum and AI’s national security reckoning to the AI cyber capability curve that shows frontier model capabilities steepening with every release.

This EO sits at the intersection of those threads.

It’s the administration’s attempt to reconcile a deregulatory posture with the reality that AI capabilities, offensive and defensive, are accelerating faster than the institutions meant to govern them.

What the Order Actually Does

The Federal-facing provisions are concrete and carry real deadlines.

• Within 30 days, CISA must release Binding Operational Directives to expedite cyber defense of civilian Federal systems and establish or expand programs that deliver AI-enabled defensive tools.

• The Treasury Department, working with NSA and CISA, must stand up an AI cybersecurity clearinghouse to coordinate vulnerability scanning, discovery, validation, and patch distribution.

• The Committee on National Security Systems and the Department of Defense must take immediate action to prioritize their own cyber defense postures.

• OMB has 30 days to identify Federal grant programs with available funding that can be directed toward AI vulnerability detection.

• OPM has 60 days to expand cybersecurity workforce hiring through the Tech Force pipeline, which had onboarded only 10 employees as of late May 2026.

The classified side is notable too.

• Within 60 days, NSA must lead a benchmarking process to assess the advanced cyber capabilities of AI models and determine the threshold for designating a “covered frontier model.”

That designation triggers the voluntary framework for the private sector, but the criteria for whaat counts as a frontier model remain classified, with NSA making the final call.

For industry, the operative word throughout the order is “voluntary.”

AI developers can choose to engage with the Federal Government to determine whether their models meet the frontier threshold. They can provide up to 30 days of early access before release to trusted partners, subject to confidentiality and intellectual property protections.

On this note, I think 30 days is a little silly, given we know how long real-world remediation timelines are, for example the latest DBIR shows 43 days as the median to remediate KEV’s, let alone broader vulnerabilities, but if the early access period is too long, it could also impede the commercial ambitions of the frontier labs by delaying their model releases unreasonably.

They can participate in the cybersecurity clearinghouse as well, but none of it is required. The order includes explicit safeguard language stating that nothing:

“shall be construed to authorize the creation of a mandatory governmental licensing, preclearance, or permitting requirement for the development, publication, release, or distribution of new AI models, including frontier models.”

The Deregulatory Logic

This voluntary framing is consistent with the administration’s broader posture on AI.

As I wrote in The Regulation Pendulum and AI’s National Security Reckoning, the current administration has made a deliberate bet that innovation leadership, not regulatory guardrails, is the primary mechanism for maintaining U.S. advantage in AI.

The EO makes this explicit, declaring the policy of the United States is to:

“continue to lead an America First cybersecurity effort that enhances both our national security and our global AI dominance.”

The logic runs something like this when you unpack it.

Mandatory compliance frameworks slow down the companies building the most capable models. Slowing them down means ceding ground to China and other adversaries who face no equivalent regulatory friction. Therefore, keep the requirements on government, keep the private sector engagement collaborative, and trust that market incentives plus national security awareness will drive responsible behavior from the labs.

This is a reasonable framework if you believe the incentive structures between government and frontier labs are sufficiently aligned, and there’s a case to be made that they are, at least for the handful of companies building truly frontier systems.

Anthropic, OpenAI, and Google DeepMind already invest heavily in safety research and red-teaming. The 30-day early access provision isn’t asking them to do something fundamentally different from what they’re already doing internally. It’s asking them to share it with NSA and CISA before public release, giving government defenders preferential access to frontier cyber capabilities.

One big question mark is whether voluntary alignment holds as the ecosystem expands. Right now, frontier models come from a small number of well-capitalized labs with reputational incentives to cooperate.

But the open-weights ecosystem is growing fast, and the economics of AI are driving capability democratization. When smaller labs, open-source projects, and nation-state-backed efforts start producing models that cross the frontier threshold, voluntary frameworks have no mechanism to reach them. The classified benchmarking process can define what counts as a frontier model, but it can’t compel a non-cooperating developer to show up for review.

This is especially notable, as I have shown from teams such as AISLE and what they dub the “Jagged Frontier”, as well as longtime industry leaders such as Niels Provos who both demonstrated in his blog “Finding Zero-Days with Any Model” you can use smaller models, open source, or non-frontier models to find vulnerabilities effectively as well. I’ve also interviewed folks from Mother of All KEV’s (MOAK), who explained how they can autonomously develop exploits in minutes for nearly any CVE. You can catch both interviews below:

The DOJ AI Litigation Task Force adds another dimension to the deregulatory stance.

Within 30 days, DOJ must establish a task force specifically to challenge state AI laws that are inconsistent with the executive order’s federal AI policy. This is a preemption play, designed to prevent a patchwork of state-level AI regulations from creating compliance friction that slows innovation.

Whether you see this as streamlining or as removing necessary guardrails depends entirely on your assessment of whether the voluntary framework is sufficient on its own.

The Threat the EO Is Trying to Meet

The cybersecurity provisions of the order make the most sense when you read them against the backdrop of what AI has already done to the vulnerability and exploitation ecosystem.

The EO directs CISA to expand AI-enabled defensive tools and the Treasury clearinghouse (although many have argued why this resides with Treasury rather than say CISA or NSA) to coordinate vulnerability scanning and remediation at scale, which does seem very odd.

These aren’t abstract aspirations, and instead they’re responses to a threat dynamic that has been accelerating for months and I’ve been doing my best to document through interviews, videos and my own writing.

As I covered in “Claude Mythos - Why It Matters (And Why It Doesn’t)”, Anthropic’s frontier model achieved 73% success on expert-level CTF challenges and discovered thousands of high-severity vulnerabilities across major operating systems and browsers in its first month of operation.

In The Receipts Are In, I detailed how Anthropic’s partners using Claude for security discovered over 10,000 high-and-critical-severity vulnerabilities in a single month, with bug discovery rates up by more than 10x.

The 2026 DBIR confirmed that vulnerability exploitation is now the leading initial access vector, with exploitation timelines compressing while remediation capacity stays flat.

This is the Vulnpocalypse playing out in real time.

AI has industrialized vulnerability discovery and is compressing the window between discovery and weaponization from months to hours, at marginal costs measured in dollars.

The structural asymmetry between the rate at which vulnerabilities are found and the capacity to fix them is widening, not narrowing. And as I explored in The Attack Surface Exponential, GitHub commits are accelerating toward 14 billion in 2026 while AI simultaneously reduces the cost of finding and exploiting flaws in all that new code.

More code, worse code, cheaper exploitation.

The EO’s cybersecurity clearinghouse and AI-enabled defensive programs are direct responses to this dynamic.

The 30-day early access provision for frontier models, when read through this lens, isn’t primarily about regulation. It’s about giving government defenders a temporal advantage over adversaries, a head start on understanding what these models can do offensively before the capabilities become widely available.

That framing is sound but the challenge of course is execution. Remediation capacity and timelines have already lagged vulnerability discovery and disclosure and AI has collapsed exploitation timelines while not yet doing the same for remediation, which just exacerbates the gap even worse.

The Execution Gap

The ambition of the EO’s cybersecurity provisions runs into the same institutional constraints that have limited Federal cybersecurity capacity for years.

CISA is being asked to release Binding Operational Directives within 30 days to modernize civilian Federal cyber defense with AI-enabled tools. But CISA’s budget and staffing have been under pressure, and the agency is being asked to do this for Federal agencies while simultaneously making the same capabilities available to state and local authorities, rural hospitals, community banks, and local utilities. That’s an enormous scope expansion on an aggressive timeline.

The cybersecurity clearinghouse faces a coordination challenge that anyone who has worked in Federal interagency processes will recognize immediately. Getting Treasury, NSA, CISA, the National Cyber Director, and the private sector to coordinate and deconflict vulnerability scanning in 30 days is aspirational at best, and that’s coming from someone who has spent the majority of their career in the DoD and in and around Federal agencies

These agencies operate under different authorities, different classification regimes, and different institutional cultures. The intent is right, but standing up a functional coordination mechanism across those boundaries in a month would be historically unprecedented.

The workforce provisions reveal the gap most starkly.

The OPM directive to expand Tech Force cybersecurity hiring pathways within 60 days sounds promising until you learn the program had onboarded 10 employees as of late May. Scaling from 10 to a meaningful cybersecurity workforce capable of operating AI-enabled defensive tools across the Federal enterprise is a multi-year effort, not a 60-day sprint. This is especially acute given the Federal workforce, including in IT, just underwent massive changes through efforts such as DOGE as well.

The cyber capability curve is steepening with every model release, and the government’s human capital pipeline is still operating at a pace that reflects a pre-AI threat tempo.

The Agent Question

The order’s DOJ provisions on AI agents are worth noting even if they aren’t the centerpiece. The Attorney General is directed to prioritize enforcement of existing criminal statutes, including identity fraud, computer fraud, and wire fraud, against anyone who uses AI agents to unlawfully access data or computer systems. No new criminal authority is created and instead the order sharpens enforcement of laws already on the books.

This is a pragmatic choice because creating new legal frameworks for AI agent liability would take years of congressional action and wouldn’t survive the administration’s own anti-regulatory framing.

Directing DOJ to enforce existing statutes against AI-enabled crime is something the executive branch can do immediately, and it sends a signal to developers and deployers that agent misuse will be prosecuted under current law.

Whether existing fraud and computer crime statutes are adequate for the novel challenges agents create, particularly around autonomy, delegation, and attribution, is a question this order punts to future policymakers.

What will be interesting here is seeing how they determine which attacks involved LLMs and Agents and how, and it will likely require close collaboration with the frontier labs, model providers and CSPs.

What This Means for Practitioners

For security leaders in the private sector, the practical impact of this EO is limited in the near term. Nothing compels industry participation, especially if you aren’t a frontier lab.

The voluntary framework creates an option for frontier labs to engage with government review, but for most enterprises, the meaningful signal is directional rather than operational. The administration is betting on AI as a force multiplier for cyber defense and expects the private sector to make the same bet on its own terms.

As I mentioned above, the real question is whether the voluntary model can keep pace with the threat dynamics it’s trying to address. The Vulnpocalypse isn’t waiting for interagency coordination to mature.

Frontier AI models and even smaller and open source models with effective harness engineering are compressing exploit timelines now, the attack surface is expanding now, and adversaries with access to the same models aren’t participating in voluntary review frameworks.

The EO acknowledges the urgency through its aggressive 30-day and 60-day timelines, but institutional capacity doesn’t bend to executive order deadlines the way policy language does.

What practitioners should be watching is whether the cybersecurity clearinghouse becomes a real coordination mechanism or another interagency structure that exists on paper while the actual work happens bilaterally between individual agencies and labs.

The early access provision for frontier models is genuinely novel and could give defenders an informational edge if implemented well. That said, the gap between the EO’s ambition and the government’s current capacity to absorb and operationalize AI-enabled defensive capabilities is the story underneath the story.

The order gets the direction right, however whether the institutions can execute at the speed the threat demands is the question that will determine whether this EO matters or whether it becomes another aspirational document that reads better than it performed.

Unfortunately, having spent most of my career in the public sector, I fear it will trend towards the former more so than the latter, but I do hope I’m wrong.

Subscribe now

The per-gigabyte pricing model that defined the SIEM for the past fifteen years was never really a storage decision, it was a coverage decision.

Security teams learned to ration data because ingestion costs forced them to, and the consequence of that rationing was entirely predictable. Logs got sampled, retention windows shrank to days or weeks, and high-volume sources like DNS, VPC flow, and netflow were exiled to S3 buckets where they sat effectively dead, queryable in theory but inaccessible in any timeframe that matters for detection or investigation.

You cannot detect what you never ingested, and you cannot investigate what you could not afford to keep.

That tension has always sat at the center of the SIEM’s economic model, and for years the industry treated it as a budgeting problem rather than a security architecture problem. It also made organizations implicitly accept risks due to cost considerations and constraints.

The conversation has shifted in 2026 because two forces are converging at once. The SIEM monolith is unbundling into best-of-breed layers, and the arrival of agentic AI in the SOC is making complete, queryable security data a hard operational requirement rather than a nice-to-have.

The Unbundling

The traditional SIEM bundled five functions into a single platform, handling ingest, storage, detection, investigation, and response.

That monolithic design made sense when log volumes were manageable and the primary consumer of the data was a human analyst running manual queries. It doesn’t hold up when organizations generate terabytes of security telemetry daily and the fastest-growing consumer of that data is an AI agent that needs sub-second query response across months or years of logs.

What’s happening now is the same decomposition that hit the data analytics world roughly a decade ago with the rise of Snowflake and Databricks, where storage decoupled from compute and the “lakehouse” architecture became the dominant pattern. Security is arriving at this same architectural inflection late, which itself is telling.

Cybersecurity has a consistent pattern of being a laggard culture when it comes to adopting architectural shifts that adjacent disciplines validated years earlier, a point I’ve made at the SANS AI Summit and one that keeps proving itself.

The unbundled security stack has distinct layers emerging. A data lake layer handles storage and indexing. A detection-as-code layer runs rules against that data. An automation and orchestration layer, occupied by platforms like Torq and Tines, handles response workflows, and increasingly, an agentic layer sits on top, with AI agents consuming all three layers below through protocols like MCP.

The through line across all of it is the same principle, which is decoupling storage from compute so that the economics of keeping data doesn’t dictate the economics of using it and organizations don’t have to implicitly accept as much risk due to cost constraints.

Why Now

Three forces are driving this shift from theory to operational reality.

The first of those forces is volume. Cloud-native architectures, container orchestration, API-driven microservices, and distributed workloads generate orders of magnitude more telemetry than the on-prem environments the SIEM was originally designed to monitor.

Organizations running modern cloud infrastructure routinely produce terabytes of security-relevant logs per day, and the per-GB pricing model of legacy SIEMs makes ingesting all of it financially impossible. The rational response, and the one most security teams have adopted, is to drop, sample, or shorten retention on the highest-volume sources. The result is a detection gap that’s driven by economics, not by technology.

The second is the lakehouse pattern itself. The data analytics industry proved years ago that separating storage from compute allows organizations to keep everything and query it on demand without paying for always-on compute against cold data. Object storage in S3 or GCS costs a fraction of what SIEM-managed storage costs, and serverless compute can be invoked at query time and dismissed when the job finishes.

The architectural pattern is proven and the cost savings are real, but security tooling has been slow to adopt it because the query patterns are different. Security investigations require full-text search across semi-structured and unstructured data, not the SQL-based reporting that analytics platforms were optimized for.

The third, and the one that changes the urgency calculus, is the agentic inflection. As I wrote in “Beyond the Hype of AI Agents in the SOC”, the conversation around AI in security operations has moved from copilots assisting analysts to autonomous agents conducting investigations, triaging alerts, and executing response workflows with minimal human oversight.

AI agents are data-hungry by nature. They don’t sample, and they don’t accept a 15-day retention window. They need complete, fast, queryable access to the full breadth of security telemetry, and they need it in sub-second response times because an agent iterating through a triage workflow might run dozens of queries in a single investigation. The old SIEM only ever exposed the fraction of data that fit the budget, and that fraction is insufficient for the agentic model.

What Scanner Is

To ground this in a concrete example, Resilient Cyber’s partner Scanner.dev is a security data lake built from the ground up to solve the storage-compute coupling problem.

Founded by Cliff Crosland and Steven Wu and backed by a $22 million Series A led by Sequoia Capital with participation from CRV and Mantis VC, Scanner’s architecture indexes logs directly in the customer’s own S3 or GCS buckets using inverted index files that compress to roughly 15% the size of the original dataset.

At query time, Rust-based AWS Lambda functions traverse those index files at speeds up to 1TB per second, scanning only the data regions relevant to the query rather than brute-forcing through the entire dataset.

The practical difference is stark, and it’s easy to see the potential for practitioners. In a demo I saw with Cliff, a query across 1.15 petabytes of log data returned results in seconds, a job he estimated would take Amazon Athena roughly 12 hours.

Ramp, the financial operations platform, moved from Athena queries that took 30 minutes to Scanner queries that run in under two minutes, while simultaneously extending their searchable data retention from 15 days to a full year. Lemonade went from 7-30 days of accessible logs, with expensive rehydration fees for anything older, to months of instantly queryable history.

From my discussion with Cliff, the schema-less design is deliberate. Scanner doesn’t require the ETL work that SQL-based analytics tools demand. It indexes messy, semi-structured, and unstructured logs without forcing them into rigid table schemas, which eliminates the data engineering overhead that has historically made security data lake projects stall before they deliver value.

On the detection side, Scanner provides over 400 out-of-the-box detection rules managed through GitHub, following the detection-as-code pattern that treats security logic the same way engineering teams treat application code.

Rules are pre-run and cached at indexing time so that detection logic doesn’t degrade search performance. The platform includes Scanner Collect for data source ingestion, RBAC for access control, and offers both a fully managed deployment and a bring-your-own-cloud model where compute runs entirely within the customer’s AWS account.

The pricing reflects the architectural difference as well. Scanner charges approximately $0.10 per million log events for detection rules, compared to roughly $5 per million at competitors offering similar platforms. For an organization analyzing a terabyte of logs daily, that translates to roughly $40,000 per year versus $1.8 million. The typical deployment runs $50,000-$100,000 for a 250TB dataset, which is 80-90% less than standard SIEM pricing for equivalent data volumes.

The data-stays-in-your-cloud posture is a deliberate trust and data gravity play and one I discussed specifically with Cliff during the demo. With the BYOC model, the customer retains full control over their data at all times, and switching away doesn’t require migrating petabytes of logs out of a vendor’s infrastructure. This was a specific design choice that Cliff pointed out in our discussion, and it gives organizations more control of their own data while minimizing concerns over vendor lock-in.

The Agentic Bet

This is Scanner’s most ambitious and testable claim. Within weeks of releasing their MCP server, nearly one-third of customers were already using it in production, and Cliff told me that agents now account for 80% of weekly queries on the platform. The heaviest users of the security data lake aren’t human threat hunters. They’re AI agents conducting investigations around the clock.

Notion’s security team built Scruff, an AI agent that uses Scanner as its primary data layer alongside integrations with Wiz and CrowdStrike Falcon. Scruff autonomously triages and investigates security alerts, correlates findings across logs, user activity, and system events, and saves the team over six hours per week. It handles the workload of multiple on-call analysts and scales automatically as the company grows, the kind of force multiplication that makes the agentic SOC argument concrete rather than theoretical.

Sequoia’s Bogomil Balkansky framed Scanner as “the only technology on the market today that manages security data at AI scale” when leading the Series A. That claim rests on a specific architectural argument. Traditional SIEMs and even newer data lake tools like Athena and Presto weren’t built for the iterative, exploratory query patterns that AI agents use.

An agent investigating an alert might run 20-30 queries in rapid succession, each one refining a hypothesis based on the previous result. If each query takes 30 minutes, the agent is useless. If each query returns in seconds, the agent can conduct a thorough investigation faster than any human analyst.

This connects to the broader argument I’ve been making about where the real value sits in the agentic SOC. As I explored in “AI SOC Got Commoditized, Now What?”, the agent itself is rapidly becoming a commodity.

Every major security vendor is shipping some version of an AI-powered SOC agent, and the differentiation between them is narrowing. If the agent layer commoditizes, the durable value shifts to the infrastructure the agent depends on, and that infrastructure is the data layer. The agent is only as good as the data it can access, the speed at which it can query, and the completeness of the telemetry underneath it.

Where the Agentic SOC Goes from Here

The broader question isn’t about any single vendor’s roadmap. It’s about whether the industry recognizes that the data layer has become the constraining factor in how far the agentic SOC can go.

The early signals are starting to suggest it has. Security data lakes are increasingly serving as the infrastructure layer not just for in-house security teams but for AI-focused MDR providers building their own agent-driven products on top. I’ve previously worked with teams building security data lakes in large Federal enterprise environments and it is a complex endeavor, often requiring expertise beyond cyber into data science and other domains as well.

The pattern of deploying a data lake as a companion alongside an existing SIEM, offloading the highest-volume sources that the budget can’t justify ingesting at SIEM pricing, is already well-established. The more interesting question is what happens when organizations start running the majority of their detections and investigations on the data lake layer rather than the SIEM, and the SIEM’s role atrophies from platform to legacy integration point. That trajectory, from cost optimization companion to primary detection and investigation surface, will define the category over the next few years.

Detection-as-code managed through Git repositories represents a parallel bet on the continued convergence of security operations and software engineering practices and mimics what we’re seeing in other categories of cyber as well, such as the rise of GRC Engineering.

If SOC teams adopt GitOps workflows for managing their detection logic, the operational model for building and maintaining detections starts to look more like software development than it does like traditional rule management. As I discussed with Vineeth Sai Narajala in “MCP, Potential and Pitfalls”, MCP is growing at an extraordinary rate as the standard interface between AI agents and the tools they operate, and that growth accelerates the shift toward agent-consumable infrastructure across the SOC.

The organizations that expose their security telemetry through agent-friendly interfaces will be the ones whose agents can actually perform, and the organizations that keep their data locked behind slow, expensive, human-oriented query tools will be the ones wondering why their AI investments aren’t delivering results.

Data residency and control are also becoming a structural differentiator rather than a niche concern. As regulatory pressure around data sovereignty and third-party risk continues to build, keeping security telemetry in the customer’s own cloud environment rather than shipping it to a vendor’s SaaS platform becomes a genuine architectural advantage for organizations in regulated industries.

The bring-your-own-cloud (BYOC) model addresses the trust problem that has made enterprise security teams hesitant to move their most sensitive telemetry to external platforms, and it eliminates the vendor lock-in that makes switching costs a strategic liability, something I called out with Cliff as a common concern I hear among CISO’s.

-> Check out a demo of Scanner! <-

The Architecture Decision in Front of Every CISO

The question facing security leaders in 2026 isn’t which SIEM to buy. It’s whether to keep treating security data as something to ration or as infrastructure to query freely. The SIEM’s per-GB pricing model created a world where security teams made coverage decisions based on budget constraints rather than risk analysis, and the result was exactly the blind spots that attackers learned to live in.

The security data lake doesn’t solve every problem in the SOC. Detection engineering still requires skilled practitioners. Incident response still demands human judgment for high-stakes decisions, and the agentic SOC, for all its promise, is still early enough that the failure modes aren’t fully understood, something I explored in “Orchestrating Agentic AI Securely”.

But the data layer underneath all of those functions is no longer optional, and the economics of the old model are no longer defensible. When the most prolific users of your security data are AI agents that need sub-second access to complete telemetry, the cost of rationing isn’t just a budget line item. It’s a detection gap, an investigation bottleneck, and increasingly, the ceiling on what your agentic SOC can actually accomplish.

The organizations that figure out the data layer first will have a structural advantage in the agentic era, and the ones that keep rationing will keep wondering why their agents can’t find what they’re looking for, and potentially are missing critical risks to their organizations.

Making the right choices here will help define the true transformation that agents can deliver for SecOps.

Subscribe now

AI agents, autonomous systems that can reason, plan, and take actions across enterprise environments, don’t just add another endpoint to secure. They fundamentally change what “never trust, always verify” means in practice.

I’ve written extensively about Zero Trust over the years, from the DoD’s Zero Trust Strategy and the implementation challenges it surfaced to a Zero Trust-centric approach to cyber resilience that positioned ZT as a foundational design philosophy rather than a product category.

The core principles haven’t changed. Verify explicitly, enforce least privilege, and assume breach, but what those principles demand when applied to non-deterministic AI systems looks nothing like what they demand for a human sitting at a laptop authenticating through Okta.

Let’s take a look at Anthropic’s ZT for Agents framework and see where it leads.

The Unfinished Business of Zero Trust

Before we talk about what agents break, it’s worth being honest about what we still haven’t finished building for humans. I spent a lot of my career over the past decades in the U.S. public sector, in the military, and supporting U.S. Federal agencies, including in their pursuits of implementing Zero Trust.

The CISA Zero Trust Maturity Model lays out four maturity stages across five pillars, and the blunt reality is that years since its publication, most organizations are still somewhere between Traditional and Initial. The NSA’s Zero Trust guidance for the network and environment pillars focuses on data flow mapping, macro and micro segmentation, and software-defined networking with granular access controls.

These are table-stakes capabilities that many large enterprises still struggle to operationalize at scale despite most practitioners agreeing they are fundamental.

The reasons aren’t mysterious either and I’ve lived the struggles first hand. Large organizations carry decades of technical debt, legacy systems that can’t support modern identity federation, flat networks that were never designed for micro-segmentation, and change management cycles that move at a pace fundamentally mismatched to the speed at which threats evolve. Couple that with internal politics, fiefdoms, competing priorities and more and it is a recipe for gridlock and struggles.

I spent years in Federal environments watching agencies struggle with exactly these challenges, and the private sector isn’t meaningfully ahead. A Fortune 500 with 200 business units, a decade of M&A integration debt, and a patchwork of identity providers faces structural barriers every bit as daunting as a large Federal agency operating under executive mandates.

Implementing Zero Trust at enterprise scale isn’t a technology problem. It’s a structural and institutional challenge, shaped by budget constraints, workforce gaps, and competing priorities that pull attention in twelve directions at once.

This is the context into which AI agents are arriving. Not into mature, well-segmented, identity-aware environments with continuous monitoring and adaptive access controls, but into networks that are still trying to implement the fundamentals for human users, let alone autonomous agents powered by LLMs.

What Agents Actually Break

Anthropic’s framework starts from a refreshingly honest premise that most vendors building agentic capabilities won’t say out loud.

LLMs are, in Anthropic’s own words, “inherently somewhat insecure.” This isn’t a temporary limitation waiting for the next model release to fix. It’s a structural property of how these systems work. LLMs operate on natural language inputs that can be manipulated, they generate outputs probabilistically rather than deterministically, and they can be influenced by adversarial content embedded in the data they process. Anthropic calls this out in their section on threats, including examples such as prompt injection, instruction manipulation, tool and resource misuse and IAM abuse.

Traditional Zero Trust assumes the entity being governed, whether a user or a workload, will behave predictably within defined parameters.

A human user authenticated through MFA with a valid session token will interact with systems through well-defined interfaces.

A containerized microservice will make API calls according to its code. The trust decisions are binary and the behavior is bounded.

Agents break this assumption because their behavior isn’t fully predictable even to their developers, they are non-deterministic by their very nature, it isn’t a flaw.

An agent given access to a tool might use that tool in ways its designers didn’t anticipate, not because it’s been compromised but because that’s how generative models operate.

Anthropic identifies five agent-specific threat categories that don’t have clean analogs in traditional Zero Trust.

• Prompt injection allows adversaries to manipulate agent behavior through crafted inputs embedded in data the agent processes.

• Tool poisoning targets the interfaces between agents and the systems they interact with.

• Identity and privilege abuse exploits the fact that agents often operate with broader access than any single human task would require.

• Memory and context poisoning corrupts the information an agent uses to make decisions,

• Supply chain attacks target the growing ecosystem of third-party tools, plugins, and model providers that agents depend on.

The common thread across all five is that the attack surface isn’t just the network perimeter or the authentication layer, it’s the reasoning process itself. You can’t firewall an agent’s chain of thought, although many are proposing various methods to try and govern what goes into an agents context window, what actions agents are allowed to take etc.

The Unnamed Vulnpocalypse

There’s a thread in Anthropic’s framework it opens with that anyone following my previous writing will recognize immediately, even though Anthropic doesn’t use the term.

They state plainly that:

“Frontier AI models are compressing the timeline between vulnerability and exploit from months to hours, at a marginal cost measured in dollars.”

That’s the Vulnpocalypse by another name, something I have written about extensively. The industrialization of vulnerability discovery and autonomous exploitation, where the economics of finding and weaponizing flaws shift decisively in the attacker’s favor.

Anthropic’s framework treats this as a first-order design constraint rather than a background risk. When exploit windows collapse from months to hours, the traditional patch-and-pray cycle doesn’t just underperform, it becomes irrelevant and delusional as a single control.

Their emphasis on “dwell time” and “coverage” as the two metrics with the greatest leverage reflects this reality. If an AI agent can autonomously discover a vulnerability, generate a working exploit, and deploy it at machine speed, defenders need detection and containment that operates on the same timescale. Manual incident response procedures that route through a SOC analyst’s queue aren’t going to cut it.

This is why Anthropic pushes hard on automated response capabilities, from session termination and credential revocation at the Enterprise tier to full SOAR-integrated orchestrated response at the Advanced tier.

They frame it with a clear principle worth repeating. Automate the bookkeeping around incidents, not the decisions. Models should take notes, capture artifacts, pursue parallel investigation tracks, and draft the postmortem. Humans should make the containment calls, the disclosure calls, and the customer-comms calls.

That division of labor makes sense as a design principle, but it also reveals just how much infrastructure most organizations are missing. You can’t automate response to agent-speed threats if your detection pipeline still depends on a human triaging alerts in Splunk. Some of these challenges I have discussed with practitioners such as in an episode of Resilient Cyber titled “AI SOC Got Commoditized - Now What?”

The convergence matters because the same AI capabilities that make agents valuable for defenders are the capabilities that make autonomous exploitation possible. Any organization deploying agents without accounting for the fact that their adversaries are deploying similar capabilities is operating with a structural blind spot.

Least Agency, Not Just Least Privilege

One of the more important conceptual contributions in Anthropic’s framework is the distinction between least privilege and what they call “least agency”, which has been championed by the OWASP Agentic Security Initiative (ASI) where I serve as a Distinguished member.

Least privilege, the idea that any entity should have only the minimum access rights needed to perform its function, is a foundational Zero Trust principle that translates directly to agents. An agent that only needs to read log files shouldn’t have write access to production databases, that part is straightforward.

Least agency goes further, because i argues that agents should be granted the minimum level of autonomy needed for a given task, not just the minimum access.

This means preferring structured, constrained tool interfaces over open-ended capabilities. If an agent needs to query a database, give it a parameterized query interface rather than raw SQL access. If it needs to modify a configuration, provide a scoped API that limits what can be changed rather than giving it shell access to the underlying system. The goal is to constrain not just what the agent can access but what it can decide to do.

This distinction matters because traditional access control assumes the entity with access will use it predictably. An agent with read access to a customer database and the ability to send emails could, through a prompt injection attack or simply through an unexpected reasoning chain, decide to exfiltrate data by composing and sending emails containing customer records. The access controls were technically correct, but the agent’s autonomy created a risk that access controls alone don’t address.

This concept is also important because remember, we’re assuming breach. If we assume an agent will get breached, and they will, they now have ramifications for the environment and enterprise they operate in. An agent with broad permissions and agencies poses much more risk if compromised than one with least-permissive access control/agency.

Anthropic frames this as a principle for system designers, not just security teams. The developers building agent capabilities need to think about autonomy constraints from the beginning, designing tool interfaces that are narrow by default and expanded only when the task genuinely requires it.

Hard Boundaries and Soft Guardrails

One of the most practically useful call outs in the framework is between hard boundaries and soft boundaries. Hard boundaries are deterministic, code-level controls that an agent cannot override regardless of what it’s been instructed to do. Hard boundaries are something I have been advocating for in my writing and through my participation in groups such as AARM.

These include things like tool-level access controls enforced by the infrastructure rather than by the model, session-scoped credentials that expire automatically, sandboxed execution environments that limit file system and network access, and rate limits that prevent runaway behavior. Hard boundaries don’t depend on the agent’s cooperation, they’re enforced by the system architecture itself, outside of the reasoning loop.

Soft boundaries, by contrast, are controls that rely on the agent’s reasoning to comply. These include system prompts that instruct the agent to ask for human approval before taking certain actions, hooks that intercept agent actions and route them through approval workflows, and human-in-the-loop checkpoints for high-stakes operations. Soft boundaries are important because not every action can be anticipated and blocked through hard constraints.

That said, they’re inherently less reliable because they depend on the agent correctly interpreting and following instructions, and we already know that prompt injection can subvert that compliance, as we saw in real-world examples, such as PocketOS, where the agent completely ignored its system prompt.

As I’ve written about in the context of securing agentic AI systems, the right architecture layers both. Hard boundaries establish the non-negotiable constraints, the blast walls that hold even if the agent is fully compromised. Soft boundaries add flexibility and human oversight within those constraints.

The mistake organizations make is treating soft boundaries as if they were hard ones, trusting a system prompt that says “always ask before deleting files” as though it were an immutable access control, when it isn’t. It’s a suggestion to a probabilistic system, and a sufficiently sophisticated attack, or even the agents own reasoning can make the system ignore it.

Anthropic is explicit about this hierarchy. Hard boundaries should be the first line of defense. Soft boundaries provide defense in depth but should never be the only thing standing between an agent and a catastrophic action.

Blast Radius as the Design Principle

The “assume breach” principle of Zero Trust takes on new urgency when applied to agents because the blast radius of a compromised agent can be far larger than that of a compromised user account. A human user works within a single session, typically interacting with a handful of applications through defined workflows. A compromised agent, depending on its configured capabilities, can execute actions across multiple systems at machine speed with no human in the loop.

Anthropic’s framework emphasizes blast radius containment as a primary design objective. This means session-scoped credentials that limit an agent’s access to the minimum time window needed, sandboxed execution environments that restrict what a compromised agent can reach, and architectural isolation that prevents one agent’s compromise from cascading to other agents or systems.

The goal isn’t to prevent all breaches, a premise that would be naive given the inherent insecurity Anthropic acknowledges, but to ensure that when a breach occurs, the damage is contained to the smallest possible scope.

This maps directly to the micro-segmentation principles that the NSA and CISA have been pushing for traditional networks, but with a critical twist.

Agent segmentation isn’t just about network boundaries. It’s about capability boundaries, temporal boundaries, and data boundaries. An agent operating in a sandboxed environment with scoped credentials that expire after a single task, limited to a narrow set of parameterized tools, with no ability to spawn additional agents or escalate its own permissions, presents a fundamentally different risk profile than an agent with persistent credentials, broad tool access, and the ability to chain actions autonomously across systems.

For organizations looking to get this right, it requires a design for containment from the beginning rather than trying to bolt it on after deploying agents with broad permissions and discovering the hard way what “inherently somewhat insecure” means in practice.

That said, as we know from all previous technology waves, governing how technologies get deployed in real-world environments is incredibly difficult and there are already agents being rolled out in enterprise environments everywhere that violate these principles, whether via SaaS/embedded agents, endpoint coding agents, custom homegrown agents and more.

Where This Leaves Practitioners

Anthropic’s Zero Trust framework for agents isn’t a departure from the principles that CISA, NSA, and commercial industry have been advancing for years.

It’s a stress test that reveals which parts of those principles are durable and which parts assumed a world of deterministic, human-driven interactions that no longer reflects reality.

The principles are still incredibly valid. Verify explicitly, enforce least privilege, and assume breach.

These are sound architectural commitments that apply to any entity operating in an enterprise environment. But the implementation demands are categorically different when the entity you’re governing can reason, improvise, and be manipulated through the data it processes, which for most agents is the entire Internet, and was something documented really well by Google’s Deep Mind in a paper on AI Agent Traps, which I strongly recommend checking out.

Least privilege has to expand into least agency. Verify explicitly has to account for non-deterministic behavior that changes between identical inputs. Assume breach has to drive blast radius containment as a first-order design constraint rather than an afterthought.

On top of all of that, the threat model has to account for the Vulnpocalypse. When AI compresses the vulnerability-to-exploit timeline from months to hours, the containment architecture for agents isn’t just a security best practice, it’s arguably a survival requirement.

An agent compromised through a vulnerability that was discovered, weaponized, and deployed autonomously in the time it takes a human analyst to finish their morning standup demands a defense posture that most organizations haven’t built yet.

On top of that, agents are being rolled out incredibly quickly, across SaaS, cloud, endpoints and more, most of which is ungoverned let alone hardened and secured, so the implications for agent compromise as it related to enterprise risks is daunting.

The hardest part for most enterprises won’t be understanding these concepts. Instead it will be implementing them on top of Zero Trust programs that are still immature for traditional workloads, let alone autonomous agents.

If your organization hasn’t achieved micro-segmentation for human users and machine workloads, the notion of implementing capability-scoped, session-limited, sandboxed agent environments feels like building the third floor while the foundation is still setting.

That tension, between the urgency of deploying agents for competitive advantage and the maturity required to deploy them safely, is the defining challenge of this era for cybersecurity in my opinion.

The organizations that acknowledge it honestly, rather than pretending their current security architecture is securely ready for autonomous AI, will be the ones that navigate it without a catastrophic dose or reality to go along with their delusion.

Subscribe now

We dig into AI’s accelerating impact on AppSec and the SDLC, the productivity-versus-risk equation now that agentic coding tools are landing pull requests with minimal human review, and the so-called “Vulnpocalypse” – the explosion of CVEs, AI-generated code, and the widening gap between vulnerability discovery and remediation capacity. We explore whether legacy AppSec tooling categories like SAST, DAST, SCA, and ASPM can keep pace, or whether they’re being fundamentally reinvented for an agentic world.

Katie also shares her perspective on the rise of autonomous pen testing and offensive security agents, what it means when attackers operate at machine speed while defenders are still triaging tickets, and how practitioners, CISOs, and security leaders should be rethinking team structure, skills, and governance for an agentic SDLC.

Prefer to Listen?

Apple Podcasts

Spotify

Be sure to subscribe and leave a review!

Key Takeaways:

• AI is breaking the AppSec workload equation. Agentic coding tools have dramatically increased code velocity and volume, exposing the limits of human-paced security review and forcing organizations to rethink how AppSec scales.

• The “Vulnpocalypse” is real, but uneven. The gap between vulnerability discovery and remediation capacity is widening fast, and the organizations feeling it most are those still relying on legacy triage and ticketing models built for a pre-AI world.

• Legacy AppSec categories are being reinvented, not just extended. SAST, DAST, SCA, and ASPM weren’t designed for a world where AI agents author, review, and deploy code – and the tooling landscape is starting to reflect that reality.

• Autonomous offense is outpacing autonomous defense. With tools like XBOW, Project Naptime, and Project VAIL pushing the boundaries of agentic pen testing, defenders need to take the asymmetry seriously and invest accordingly.

• The agentic SDLC demands new governance, not just new tools. From AI-generated dependencies and hallucinated packages to MCP server integrity, supply chain risk is evolving – and the organizations that thrive will be the ones building governance models, skills, and team structures purpose-built for this era.

Subscribe now

The same week, Opus 4.6 reportedly surfaced over 500 high-severity vulnerabilities that had survived decades of expert review. The market’s read was immediate and unambiguous.

CrowdStrike dropped 8% and deepened toward 11% over the week, Zscaler fell 5.5% and kept sliding toward 10-11%, SailPoint dropped 9.4%, Okta 9.2%, JFrog 25%, Palo Alto 3.2%, and Cloudflare 8.1%. The Global X Cybersecurity ETF hit its lowest level since November 2023, down 4.9% in a single session.

The thesis the market was pricing was simple and clean. Frontier labs will eat cybersecurity. If the model can find vulnerabilities, write detections, and suggest patches, the entire security vendor stack becomes a middleman awaiting disintermediation.

As I wrote at the time in When the Frontier Labs Sneeze, the Cybersecurity Market Catches a Cold, the selloff reflected a structural anxiety that frontier labs were moving up the stack into territory that historically belonged to standalone security vendors.

Three months later, the evidence says the thesis was half right and half backwards. The frontier lab is both competitor and partner, and which one depends entirely on the category and the offering. Recent week’s integrations are the clearest proof yet, and they tell a fundamentally different story from the one the market sold in February.

The Reframe

The analyst community pushed back on the February selloff almost immediately, and their reasoning holds up. Berenberg stressed that Claude Code Security sits in application security, roughly 1.2% of total cyber TAM, and drew a clear distinction between build-time vulnerability finding and runtime security across endpoint, network, and identity. The reaction was harsh relative to the actual surface area being threatened.

JPMorgan called the selloff indiscriminate and kept Overweight ratings on all five affected names. Baird’s Shrenik Kothari called it a panic-driven, narrative-led selloff. Wedbush labeled the entire episode “AI Ghost Trade fears” and called it an overreaction, arguing that cybersecurity is a key beneficiary of AI rather than a casualty and expecting OpenAI and others to follow Anthropic’s path. As an aside, the NYT recently highlighted how cybersecurity roles are in high-demand with the rise of AI, counter-acting the layoff narrative that many circulate.

CrowdStrike CEO George Kurtz made the argument more directly and he’s right. AI increases the need for security, not less. Every enterprise AI deployment creates new surfaces to monitor, new data flows to govern, new identities to manage, and new compliance obligations to satisfy. The model doesn’t replace the security stack, it feeds it and in many ways, the rise of LLMs and Agents is a boon for cybersecurity as well. More attack surface, more code volume, more deployments, new novel attack vectors etc.

That framing sounded like corporate spin in February. By late May, it looks like a reasonable description of what’s actually happening.

The market data makes the reversal concrete.

On May 22, the same day Anthropic published its latest Glasswing update, which I published a comprehensive write-up and video on.

The three largest public cybersecurity companies sat at or near all-time high market capitalizations. Palo Alto Networks crossed $211 billion. CrowdStrike reached $168 billion after its stock hit a record $674 and its ARR topped $5 billion. Fortinet approached $100 billion.

As Elad Erez pointed out, the headline was supposed to be “Mythos is about to kill cybersecurity,” and instead the largest cyber companies were posting record valuations on the same day the lab’s most advanced offensive model shipped new results. The BUG ETF, which hit its lowest level since November 2023 during the February selloff, has fully recovered and then some.

The performance data underneath the headlines tells a more nuanced story.

As Nikoloz K. documented, the rally isn’t lifting all boats equally.

CrowdStrike is growing ARR at 24% at $5 billion scale. Zscaler is at $3.36 billion growing 26%. Palo Alto’s stock is up more than 30% this year following its $25 billion acquisition of CyberArk.

The companies winning are the ones that repositioned their messaging from “we sell security” to “we secure AI workloads, identities, and agents,” and the ones that leaned into platform consolidation as CISOs cut vendor counts. As I mentioned above, AI and the need to secure it is helping drive both revenue and market valuations for cybersecurity firms.

Meanwhile, Zscaler fell more than 50% from its 2025 highs before bouncing back, Check Point faces execution questions, and Microsoft quietly runs a $37 billion security business that’s larger than CrowdStrike, Palo Alto, and Zscaler combined. The gap between winners and losers in cyber has widened, but the category itself is growing, not shrinking.

That’s the opposite of what the February thesis predicted.

What Shipped In Recent Weeks

Between May 19 and 21, a wave of integrations landed that represent a fundamentally different relationship between Anthropic and the cybersecurity vendor ecosystem.

The enabling primitive is the Claude Compliance API, which opens Claude Enterprise’s activity, audit, and data-flow surface to the existing enterprise security stack. The throughline is that Claude Enterprise becomes a governed enterprise application that the existing security infrastructure now covers like any other SaaS or application platform.

Wiz built an integration that pulls Claude Enterprise activity into the Wiz platform and onto its Security Graph, currently in Private Preview. The integration gives security teams visibility into how Claude is being used across their environment with the same posture management and risk contextualization that Wiz applies to cloud infrastructure.

Cyera extended its Omni DLP through the Compliance API, adding data loss prevention, insider risk, and audit coverage over Claude Enterprise conversations, files, and user activity. Their public claims are that it delivers 95% precision on classification and risk scoring. Cyera CEO Yotam Segev framed it as "extending the same data security governance to AI that organizations already expect for every other enterprise application.

Datadog built an integration that ingests Claude Platform audit logs into Datadog for SIEM and compliance purposes, covering admin activity, API key lifecycle, and authentication events.

The same week, KPMG announced a strategic alliance integrating Claude across its core business and 276,000-person workforce.

The trajectory is clear, Claude is entering enterprise environments at scale, and the security and governance requirements that come with enterprise deployment at scale are real, growing, and not something the lab is positioned to solve alone.

Why This Is Not Glasswing

The Glasswing comparison matters because both are alliances between Anthropic and major cybersecurity vendors, but they are fundamentally different models of collaboration, and conflating them misses key distinctions.

Project Glasswing, which launched earlier this spring, is a coalition using the unreleased Claude Mythos Preview model defensively to find and fix vulnerabilities in partners’ own foundational systems.

The partner list includes AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks, among others. The work covers vulnerability detection, black-box binary testing, endpoint security, and penetration testing.

Mythos uncovered thousands of previously unknown zero-days across major operating systems and browsers, including a 27-year-old bug in OpenBSD. Anthropic committed $100 million in credits and $4 million in donations to open-source security.

Cisco’s engagement illustrates the Glasswing model clearly. Cisco stress-tested its own products and infrastructure against Mythos, and CSO Anthony Grieco said Anthropic’s models forced a rethink of how Cisco builds and secures its products. That is the lab lending an offensive-grade model inward so a vendor can red-team and harden its own systems.

Others such as Palo Alto Networks (PANW) have done the same, and publicly have discussed how they have identified 7x their usual monthly volume of vulnerabilities in their products through its use.

Recent week’s integrations such as Cyera, Wiz and Datadog are a different collaboration model entirely. The two modes are worth unpacking due to their key differences.

Mode one is capability injection for hardening, where the lab lends a frontier model inward so vendors can red-team and patch their own systems, that is Glasswing.

Mode two is platform embedding and surface governance, where the vendor extends its platform across the lab’s enterprise footprint, and the lab opens an API so the vendor’s tooling can govern the new surface, that is this the recent announcements from Wiz, Cyera, Datadog and others.

Both are alliances, but they are not the same alliance, and the distinction matters because the economic logic, the direction of value flow, and the competitive dynamics are entirely different with each approach.

In Glasswing, the lab provides offensive capability and the vendor is the consumer. In the Compliance API integrations, the vendor provides governance capability. The lab is the consumer, and so is every enterprise that deploys Claude. The direction reverses, and the dependency runs the other way.

The Economics

The zero-sum framing that dominated February assumed a fixed pie.

The lab builds security capabilities, takes revenue from security vendors, and the vendors shrink. The positive-sum reality is more interesting and more supported by the evidence now that the initial panic has died down some.

For the labs, governance was a procurement blocker. Regulated industries need DLP over AI conversation data, audit trails for compliance, and visibility into how AI tools interact with sensitive information.

These are requirements that traditional tools were never built to monitor, and they were stalling enterprise sales cycles. By opening the Compliance API and enabling Wiz, Cyera, and Datadog to extend their platforms over Claude Enterprise, Anthropic de-risks adoption for the buyer, expands seats, and shortens the sales cycle.

The lab doesn’t need to build governance tooling itself. It just needs to make its surface governable. Mythos is a separate revenue lane on top, priced as premium API access for security research and hardening.

Another angle to the recent integrations and partnerships between Anthropic and cyber vendors is it helps the cyber vendors differentiate and bolster their products among competitors, providing visibility and coverage to the faster growing enterprise software arguably ever seen.

For the vendors, every Claude Enterprise deployment is a new monitored surface and a new SKU. Cyera and Wiz aren’t competing against Claude. They’re becoming the control plane for the fastest-growing enterprise application category.

Every organization that adopts Claude Enterprise and needs DLP, audit, or posture management becomes a potential customer for the vendor’s platform extension. The TAM doesn’t shrink, it expands, because the AI surface that needs governing didn’t exist two years ago and is growing faster than any other enterprise software category. This same dynamic exists for agents, as those proliferate as well.

CrowdStrike’s framing from its 2026 Global Threat Report is relevant here. The same frontier models that expand the attack surface hand defenders a capability advantage that didn’t exist a year ago, and that report found an 89% year-over-year rise in AI-driven adversary attacks. The threat generates the demand, and the lab’s enterprise expansion generates the surface. Both feed the security vendor’s addressable market.

The frame is straightforward and much different than the initial market driven panic narrativre. Zero-sum thinking said the lab eats cyber.

The positive-sum reality is the lab grows the enterprise AI surface, and cyber sells the governance that the lab will not build and cannot credibly sell itself. The stock market has already priced this in, with the companies that repositioned fastest around AI workloads, identities, and agent governance posting the strongest performance in 2026.

A frontier lab telling a regulated enterprise “trust us, we govern ourselves” is a structural conflict of interest that no compliance officer will accept, and that structural gap is where the vendor value lives.

Where This Could Still Break

I’ve been skeptical of narratives that assume permanent alignment between parties whose incentives may diverge, and the same discipline applies here. Partner versus competitor is a roadmap decision, not a permanent state, and several dynamics could shift the boundary.

Code scanning genuinely pressures SAST and segments of application security, and nothing stops a lab from building natively into a category it partners on today. If Anthropic decides that first-party DLP or compliance tooling is a higher-value product than an open API that feeds third-party vendors, the partnership model changes overnight. The Compliance API is an invitation today, but it could become a competitive moat tomorrow if the lab decides to internalize the governance layer.

This is even more stark when you consider the funding and explosive growth of ARR companies like Anthropic have to deploy when it comes to building and shipping capabilities, which they’ve demonstrated to be excellent at. There is also another aspect, in the sense that each frontier lab is its own walled garden, much like CSP’s prior in the cloud security era, so security vendors can and should differentiate on multi-provider coverage (e.g. covering models and agents across the diverse landscape they are offered and can be deployed in).

Embedding and preferred-model status also raise concentration and lock-in questions. When your DLP, your SIEM integration, and your security graph are all built around one lab’s API and data schema, the switching cost isn’t just the model. It’s the entire governance architecture you’ve constructed on top of it. As I explored in Orchestrating Agentic AI Securely, the dependency surface of agentic AI extends well beyond the model itself, and every integration deepens that dependency.

The category boundary between build and partner is the whole story here, and it will move in time, as the market continues to evolve. It’s clear these partnerships are genuine today, in this moment. That said, the question is what structural incentives would cause the boundary to shift, and whether the organizations on either side of it are building with that possibility priced in, and going into the partnerships with eyes wide open versus rose colored glasses.

Takeaways

For practitioners, the operating model is straightforward. Treat every frontier lab relationship as category-specific rather than categorical. Claude Code Security is competitive pressure on AppSec, but even then AppSec programs are complex endeavors and code scanning is only a piece of that, and leading AppSec vendors also have various levels of differentiation from the labs native offerings.

The Compliance API integrations are partnership infrastructure for governance. Both can be true simultaneously, and the rational response is to evaluate each surface independently rather than making a binary bet on “lab as friend” or “lab as foe.”

For security leaders evaluating vendors, the Compliance API wave is a signal that the governance layer for enterprise AI and agents is going to be built by the security ecosystem, not by the labs themselves.

The vendors that move fastest to embed across the largest AI enterprise surfaces will have a structural advantage, and the organizations that wait for the lab to build governance natively will be waiting for a product the lab has no incentive to build well because it conflicts with the lab’s core commercial interest in frictionless adoption and even if it did come, it would be confined to that specific labs walled garden, rather than multi-lab coverage.

For investors, the February selloff priced the entire cybersecurity sector as a victim of frontier AI capability. The May integrations price a meaningful segment of it as a beneficiary. The truth is probably both, distributed unevenly across categories, and the allocation of winners and losers will track the build-versus-partner boundary as it moves over the next 12-24 months.

Subscribe now

On the market side, global AI spending hit $2.59 trillion in 2026, growing by roughly $1 trillion year over year. Cybersecurity stocks are surging. The Omdia Tech Titans index posted its strongest quarterly growth in 15 years. And Cloudflare cut 20% of its workforce while posting record revenue, with CEO Matthew Prince framing the layoffs as eliminating “measurers” in favor of builders and sellers.

Meanwhile, Anthropic published an engineering deep dive on how they contain Claude across products, Uber shipped a full agent identity architecture with attested actor chains, and Adversa AI found that the human approval prompt, the primary safety control in five major coding agents, can be bypassed through symlink manipulation.

Let’s get into it.

The CISO’s Guide to AI Pentesting in 2026

Every security team is being asked the same question in 2026: how are we testing our AI applications and agents? Traditional pentesting wasn’t built for non-deterministic systems. DAST and SAST miss prompt injection, tool abuse, and the new attack surface that comes with agentic pipelines. That’s why AI pentesting is on every CISO’s evaluation list this year.

The Definitive Buyer’s Guide to AI Penetration Testing walks through why this category exists, what it actually does, and the eight questions that separate basic automated scanners from real offensive security platforms built for AI systems.

Read it before your next vendor call.

*Sponsored

Interested in sponsoring an issue of Resilient Cyber?

This includes reaching over 31,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives

Reach out below!

-> Contact Us! <-

Cyber Leadership & Market Dynamics

AI Spending Grows by Nearly One Trillion Dollars in a Single Year

Mark O’Neill framed the number that puts every other market discussion into perspective. Global AI spending will reach $2.59 trillion in 2026, a 47% increase year over year.

The growth alone, roughly $1 trillion, exceeds the entire cybersecurity market. Evercore and Bank of America estimate AI capital expenditure between $800 billion and $900 billion for 2026, with projections exceeding $1 trillion by 2027. As I discussed in issue #98 with the strange economics of cybersecurity, AI deflates costs everywhere except security.

Every dollar of that $2.59 trillion creates new identity vectors, new attack surfaces, and new governance requirements. The cybersecurity market is not just growing alongside AI. It is growing because of AI, and the ratio between AI investment and security investment tells you how wide the gap between capability and protection remains.

Cyera Pays $50 Million for a Five-Month-Old, Five-Person Startup

At a $9 billion valuation following its latest funding round, Cyera acquired Genie Security for $50 million. Genie was five months old with five employees, had raised $3 million in seed funding from Mensch Capital and Dynamic Loop, and had deployed across hundreds of endpoints.

Genie’s founders, Nadav Noy and Noam Dotan, built endpoint-based AI data protection technology that Cyera needed to extend its platform. Wiz co-founder Assaf Rappaport was among the early investors. The acquisition pace in cybersecurity right now reflects a market where high valuations fuel rapid consolidation and time-to-capability matters more than building in-house.

For founders, $50 million for a five-month-old company with five people is the kind of exit that reshapes how early-stage investors think about cybersecurity.

Tech Titans Post Their Strongest Quarterly Growth in 15 Years

The Omdia Tech Titans index showed the 18 largest technology suppliers generated $694 billion in Q1 2026, a 28.3% year-over-year increase and the fastest quarterly growth since 2011.

The full-year forecast projects 26.8% revenue growth, tracking toward $3 trillion annually. Semiconductors and memory are showing the highest growth, driven by AI infrastructure demand from NVIDIA, Samsung, AMD, and Broadcom. Jay McBain’s analysis highlights that cloud growth from AWS, Google Cloud, and Microsoft is accelerating as AI workloads move from experimentation to production deployment.

Matthew Ball’s cybersecurity research at Omdia projects cybersecurity spending at $311 billion in 2026, up 12%, with emerging categories like shadow AI governance, inference protection, and AI agent identity driving new budget allocation.

Cybersecurity Stocks Are Surging on AI-Driven Demand

The network security market is forecast to exceed $50 billion by year-end 2026. Fortinet, F5, Palo Alto Networks, CrowdStrike, and Cisco are leading the surge.

The structural drivers are ones I have been tracking across multiple issues. Zero-trust architecture adoption, hybrid cloud security requirements, and AI-generated attack surface expansion are creating sustained demand that makes cybersecurity one of the most recession-resistant sectors in technology. M&A is reaccelerating with CrowdStrike acquiring Seraphic Security in January and Zscaler acquiring SquareX in February.

As I discussed in issue #98 with Check Point’s fourth Israeli acquisition, vendor consolidation continues to intensify. The public market performance validates the thesis that AI creates more security spending, not less.

Cloudflare Cuts 20% of Its Workforce and the Reasoning Matters

flagged Matthew Prince’s internal memo as a must-read, and I agree. Cloudflare eliminated over 1,100 positions, roughly 20% of its workforce, despite posting record revenue.

Prince’s framing was unusually direct. The company exists to build product and sell product, everything else is friction. The positions eliminated were primarily what he called “measurers,” roles in middle management, finance, legal, internal audit, and revenue recognition. The argument is that AI agents can automate these functions, and organizations should restructure around builders (engineers) and sellers rather than measurer layers.

For cybersecurity, this is a preview of how AI-driven organizational restructuring will reshape the teams that security leaders work with. When the middle management layer thins, security governance that relied on those roles for enforcement needs new mechanisms. As I discussed in issue #98 with the headless architecture thesis, the enforcement points are moving.

HackerOne Slashes Internet Bug Bounty Payouts

The numbers tell the story on this one. Critical vulnerability rewards dropped from $9,250 to $2,257. High-severity payouts fell from $4,429 to $1,009. Medium went from $1,843 to $297. Low from $597 to $68.

HackerOne stated that the Internet Bug Bounty program is dynamic and bounty levels adjust based on active sponsor contributions. The program remains paused while they evaluate adjustments. Combined with the bug bounty structural damage I covered in issue #98, the economics of vulnerability research are being fundamentally reshaped.

When AI commoditizes discovery and platforms slash rewards simultaneously, the financial incentive that made bug bounties work for a decade is eroding from both sides. Daniel Stenberg’s observation that open source projects are experiencing DDoS-like effects from AI-generated reports adds another dimension. The entire researcher-platform-vendor triangle is under strain.

NYT Reports Cybersecurity as One of the Hottest Job Markets in Tech

For anyone who thinks AI will eliminate security jobs, the data says otherwise. Cybersecurity job postings rose 11% year over year in Q1 2026 per Glassdoor. 64% of cybersecurity job listings now require AI, ML, or automation expertise.

41% of security teams cite AI as their top skill requirement. But the workforce gap has widened to 4.8 million unfilled positions globally, up 19% year over year. 70% of firms are prioritizing senior talent while only 12% focus on entry-level hiring.

The Goldman Sachs CEO’s NYT essay arguing that AI job fears are overblown seems to be correct, at least in cybersecurity. AI is creating more security work, not less. The challenge is that the skills required are evolving faster than the talent pipeline can adapt.

Congress Pushes ONCD on Critical Infrastructure and Cybersecurity Grants

A bipartisan congressional coalition sent a paper titled “Reinvigorating Federal Cybersecurity Initiatives” to the National Cyber Director, urging action across four priorities.

Finalize the structure replacing CIPAC for critical infrastructure partnerships. Complete CIRCIA rulemaking with public engagement. Reauthorize the Cybersecurity Information Sharing Act of 2015. And reauthorize the State and Local Cybersecurity Grant Program with meaningful appropriations.

Combined with the CISA credential leak we discussed in last weeks and the ongoing congressional scrutiny, federal cybersecurity governance is under more pressure than at any point since the SolarWinds response. The gap between strategic ambition and operational execution at the federal level continues to widen.

The World Economic Forum Says 94% See AI as the Top Cybersecurity Change Driver

The WEF Global Cybersecurity Outlook confirms what I have been tracking across every recent issue. 94% of respondents agree AI is the most significant cybersecurity change driver. 77% of organizations already use AI in cybersecurity operations. KPMG reports a 25% boost in threat intelligence efficiency.

Accenture moved analysis time from 15 minutes to one second. IBM’s ATOM automates 850+ analyst hours per month. But 87% flagged AI-related vulnerabilities as the fastest-growing risk category, and one-third of organizations have no process to assess AI tool security before deployment.

The report frames AI as something organizations must treat as a capability rather than a tool. Those that get the distinction right will convert cyber risk into competitive advantage. Those that do not will face threats that scale faster than their defenses.

[Expert Panel] Mythos: When Perception Becomes Reality

Exploits used to take weeks to weaponize. With AI, hours. Patch cycles haven’t moved. CVE-driven prioritization isn’t keeping up. Brad Arkin (former Chief Trust Officer at Salesforce, Cisco, Adobe) joins Nadav Czerninski (CEO, Oligo) on what your stack actually has to do now.

You’ll learn how to prioritize exploitable exposures, move beyond CVE scores, & tighten the window between disclosure and response.

-> Watch the recording now <-

*Sponsored

AI

Anthropic Publishes the First Glasswing Numbers and They Redefine the Vulnerability Landscape

The data from Anthropic’s Glasswing initial update is the most significant vulnerability disclosure event since the creation of the CVE system. In its first month, Claude Mythos Preview identified over 10,000 vulnerabilities, with 6,202 rated high or critical out of 23,019 total findings across 1,000+ open-source projects. 1,726 were assessed as valid true positives at high or critical severity.

Cloudflare received 2,000 bug reports with 400 at high or critical severity. Mozilla had previously seen 271 Firefox vulnerabilities, a 10x improvement over the prior model. A wolfSSL certificate forgery flaw, CVE-2026-5194 at CVSS 9.1, allows attackers to masquerade as legitimate services. Average patching time for high-severity findings is two weeks, but some open-source maintainers are requesting a slower disclosure pace because the volume exceeds their remediation capacity.

As I discussed in a prior issue with the Glasswing partner sharing policy, the disclosure pipeline has widened while the remediation bottleneck has not. These numbers put concrete scale behind the crisis I have been tracking since Vulnpocalypse.

AI Agents Can Now Exploit Real Vulnerabilities, Not Just Find Them

Dawn Song’s team at UC Berkeley released ExploitGym, and the results should change how every defender thinks about the threat timeline. The benchmark comprises 898 instances from real-world vulnerabilities across userspace programs, Google’s V8 JavaScript engine, and the Linux kernel.

Claude Mythos Preview successfully exploited 157 of those 898 instances, a 17.5% success rate. GPT-5.5 exploited 120. The exploits remained effective even with standard security defenses like ASLR and V8 sandboxing enabled. This is fundamentally different from the vulnerability discovery story. Finding bugs is one thing. Autonomously converting them into working exploits against production-grade defenses is another.

Combined with ExploitBench from issue #98 and AISI’s 4.7-month doubling time, the exploitation capability curve is following the same trajectory as the discovery curve, just with a lag. That lag is the defensive window, and it is shrinking.

Uber Ships a Full Zero-Trust Identity Architecture for AI Agents

This is the most comprehensive agent identity implementation I have seen from a non-hyperscaler. Uber rebuilt its identity and access technology stack with three components.

An Agent Registry for centralized agent identity management. An AI Agent Mesh for secure inter-agent communication and authorization, and a Security Token Service that embeds a full attested actor chain into each token, maintaining traceability from the originating user through every intermediate agent.

The problem they solved is real. Traditional identity models built around humans and workloads fail for agents because execution context gets dropped across agent hops, making it impossible to apply fine-grained access policies or maintain auditable chains.

As I wrote in my article on identity as the agentic AI problem and with other ecosystem activities such as AAuth, Entra Agent ID, Google Agent Identity, and AWS AgentCore OBO, the building blocks are converging. Uber’s implementation is the first end-to-end production deployment I have seen that maintains full actor chain attestation across an agent mesh.

Agentic identity is a topic I went deep into with prior guests, such as industry leader Karl McGuinness

Anthropic’s Engineering Team Explains How They Actually Contain Claude

This engineering deep dive deserves careful reading because it explains why containment, not permission, is the right mental model for agent security.

Between mid-2025 and January 2026, Anthropic received vulnerability reports through responsible disclosure that included code executing before user consent and malicious .claude/settings.json hook injection. Their response philosophy is to supervise what agents can do, not what they do.

The implementation uses sandboxes, virtual machines, egress controls, and file access boundaries, but the most revealing data point is about approval fatigue. Users approve approximately 93% of permission prompts. Claude Code’s Auto Mode was designed specifically to automate safer approvals and reduce friction.

As I discussed previously with the Sondera analysis and Caleb Sima’s boring future of agents, the harness and containment layer is where the real security work happens. Anthropic’s own data confirms that user-in-the-loop approval is necessary but insufficient. Architectural constraints must limit blast radius regardless of user decisions.

Microsoft Open-Sources Rampart and Clarity for Agent Safety in Development

Microsoft’s philosophy here aligns with what I have been advocating. Safety must become a continuous engineering discipline, not a periodic checkpoint. Rampart is a pytest-native framework that encodes adversarial and benign scenarios as repeatable safety tests, runs in CI/CD pipelines, and creates regression coverage from red team findings and real incidents.

Clarity is a structured thinking tool for decision tracking and assumption pressure-testing before teams start building, but neither tool is a scanner. They are workflow instruments designed to embed safety into the development process where code originates.

Combined with Microsoft’s MDASH, the Foundry Security Spec from Cisco, and Anthropic’s containment engineering, the major AI infrastructure providers are converging on a shared insight. Agent safety is an engineering problem that requires engineering tools, not governance documents that nobody reads until after the incident.

The Approval Prompt Is Lying to You

Adversa AI found a vulnerability class that defeats the primary safety control in five major AI coding agents. Claude Code, Cursor Agent CLI, GitHub Copilot CLI, Gemini CLI, and Grok Build are all affected.

The attack, dubbed SymJack, works by weaponizing symlinked destinations in malicious repositories. When a victim approves a copy operation that looks benign, the symlink secretly overwrites the agent’s configuration files. The human approval step, the control that every vendor leans on as the foundation of safety, is the vulnerability being exploited. Anthropic hardened its approval flow after disclosure. Google and Cursor declined to patch. xAI and GitHub have not responded.

Combined with IDEsaster and IDEsaster2, the pattern is unmistakable. The development environment is the new attack surface, and the safety mechanisms designed to protect developers are themselves exploitable. As I wrote in my coverage of the OWASP Agentic Top 10, defense-in-depth is the only viable path when individual controls can be bypassed.

JIT Credentials Alone Will Not Secure Your Agents

Assury’s argument connects to a theme I have been building across the last several issues. Just-in-time credential management is necessary but insufficient for agent security.

JIT addresses the credential lifecycle, granting permissions only for the required duration, but it does not address what agents do with those permissions while they hold them. Assury’s Enforce platform adds OPA-based granular policy with policy-as-code using Rego, tenant scoping, and custom rules on top of JIT credentials. The broader point resonates with Anthropic’s containment philosophy from their engineering post this week. Single controls, whether JIT, approval prompts, or permission boundaries, are individually bypassable.

The organizations getting agent security right are the ones layering multiple controls. JIT for credential lifecycle, policy-as-code for runtime behavior, audit trails for accountability, and containment for blast radius. No single layer is sufficient on its own.

OWASP Maps AIUC-1 to the Agentic Top 10 and the Gaps Are Revealing

For those following my work on the OWASP Agentic Top 10, this crosswalk between AIUC-1 and the Agentic Top 10 provides the most detailed gap analysis to date. The bidirectional mapping covers agent goal hijacking, tool misuse, identity and privilege abuse, memory poisoning, insecure inter-agent communication, cascading failures, trust exploitation, and rogue agents.

Eight priority areas for AIUC-1 enhancement were identified, with the most significant gaps in agent identity, runtime containment, architectural monitoring, supply chain attestation, and schema controls. The crosswalk confirms what I have been arguing since my earliest writing on the Agentic Top 10. Current compliance frameworks were not designed for autonomous agent systems. The mapping is the first step toward closing that gap.

Most Developers Will Not Understand Security in Five Years, and That Is the Wrong Problem to Solve

PrimeSec’s framing resonates with what I have been writing since Security Throwing Toil Over the Fence. The security bottleneck has gotten 5x worse as development velocity increases and AI coding tools explode. Security teams can only manually review 5-10% of development work.

The answer is not expecting developers to become security experts. It is embedding AI-driven security guidance directly into developer workflows. As I wrote in Vulnerability Management and Developer Toil, the Linux Foundation study called security a “soul withering chore” for developers. Rather than fighting that reality, the pragmatic response is to democratize security knowledge and embed it where the code originates.

Combined with Microsoft’s Rampart, SecureForge, and Anthropic’s containment engineering, the tools to make this possible are arriving faster than the organizational change required to adopt them.

AppSec

CrowdStrike and Google Take Down the Glassworm Botnet Targeting Developers

This is the supply chain attack story that brings everything together. On May 26 at 14:00 UTC, CrowdStrike, Google, and the Shadowserver Foundation executed a coordinated simultaneous strike against four Glassworm command-and-control channels.

Active since early 2025, Glassworm targeted software developers with source code and CI/CD access through three vectors. Malicious VSCode extensions. Poisoned npm and Python packages with postinstall hooks. And over 300 weaponized GitHub repositories. GlasswormRAT delivered information theft, credential harvesting, and full remote access across Windows, macOS, and Linux. The infrastructure used Solana blockchain, BitTorrent P2P, and Google Calendar for C2 communication.

As I wrote in Software Transparency and tracked across issues with PyTorch Lightning, Mini Shai-Hulud, and the TeamPCP open-sourcing of the Shai-Hulud worm, the threat actors are not targeting products anymore. They are targeting the developers who build them. Every compromised development environment is a supply chain entry point that propagates downstream to billions of users.

Daniel Stenberg Documents the Human Cost of AI-Driven Vulnerability Discovery

I have been tracking Daniel Stenberg’s experience with Mythos, and this week’s post, titled simply “The Pressure,” is the most personal and concerning entry yet. curl is receiving security reports at 4-5x the rate of 2024 and 2x the rate of 2025, averaging more than one report per day.

Quality has significantly improved, the reports are detailed and comprehensive, but at the halfway point of the current release cycle, the project has already confirmed 12 vulnerabilities, on pace for 30 published CVEs in 2026. Stenberg describes an imbalanced work-life situation under sustained high workload. This is not a story about AI capability, it is a story about what happens to the humans maintaining critical infrastructure when AI accelerates the discovery pipeline beyond their capacity to process it.

As I wrote about with VulnCheck’s first CVE wave, AI-assisted discovery is a permanent increase in velocity. The downstream human systems were never built for this pace.

Contrast Security Quantifies the True Cost of AI Security Scanning

If there is one piece this week that should be required reading for anyone evaluating AI scanning tools, this is it. Contrast Labs tested three AI scanning approaches against enterprise Java codebases and the economics are brutal.

A simple Sonnet scan reproduced only 17% of its findings across three runs. Claude Opus improved to 25% but showed a 28.6% swing between best and worst runs. Of 59 total findings, only 3, or 5%, were identified by all three tools. The headline number is that a $315 scanning fee translates into $128,000 in triage burden before the first fix.

AI scanning is valuable against certain problem classes like authorization logic, but using it as the foundation of a production AppSec program creates more work than it eliminates. As I have been writing since Vulnerability Management and Developer Toil, tools that generate volume without context are the definition of security theater, and yes, that can apply to using AI tooling too.

Wiz Maps the Power-Law Distribution of SDLC Risk

Wiz’s SDLC Security Report makes an argument that I think is underappreciated. Risk follows a power-law distribution in software development environments. A small set of packages gets disproportionately reused, and weaknesses in that concentrated set propagate across entire organizations.

CI/CD pipelines, identity systems, developer tooling, and automation platforms create systemic exposure when trust and reuse concentrate. The report argues that organizations should focus on where trust concentrates rather than chasing isolated findings.

This connects to the supply chain thesis I have been tracking since Software Transparency and reinforces why the Glassworm takedown this week matters so much. When adversaries compromise the development infrastructure that sits at the center of the trust graph, the blast radius is not a single application. It is everything downstream.

Novee Bridges the Gap Between Discovery and Remediation with Agentic Fix

I have been tracking the discovery-remediation gap since Vulnpocalypse, and Novee’s Agentic Fix takes a different approach than most. Rather than building another scanner, Novee translates validated exploits from penetration testing directly into GitHub issues formatted for AI coding agents.

The platform is compatible with Claude, Copilot, Cursor, and Devin. The company raised $51.5 million within four months of inception, led by YL Ventures, Canaan Partners, and Zeev Ventures. The founding team includes national-level offensive security leaders. What makes this interesting is the directional bet. Instead of trying to fix the discovery problem, which AI has largely solved,

Novee is attacking the remediation bottleneck by feeding validated exploit context directly to the agents that write fixes. As I discussed with AISLE’s VulnOps model, the value chain is shifting from discovery to remediation, and the companies that close that loop will define the next era of vulnerability management.

Niels Provos on Building Invariants for the Day After the Zero-Days

Niels Provos delivered this talk at the CSA AI Summit on April 7, 2026, twelve years to the day after the OpenSSL Heartbleed disclosure. His central argument is that security strategy must shift from detecting zero-days to containing their impact through invariants built at the hardware and data layers.

2FA, default-deny egress, allowlisted execution, memory tagging, and context-aware access control create boundaries that hold even when the vulnerability is novel. Anthropic’s Mythos agent surfaced a bug in OpenBSD code from 27 years prior, which illustrates the point. If your security depends on finding every vulnerability before an attacker does, you have already lost.

The organizations that survive the next zero-day will be the ones that built containment in time. This aligns with Anthropic’s containment philosophy from their engineering post this week and with AISI’s 4.7-month capability doubling.

Perplexity Open-Sources Bumblebee for Supply Chain Scanning Without Execution

Perplexity released its internal supply chain security scanner as open source on May 22, and the design philosophy matters as much as the functionality. Bumblebee is written entirely in Go with zero non-stdlib dependencies.

It earned 1,450+ GitHub stars and 112+ forks in less than a week. The core principle is “never execute anything.” It reads lockfiles directly without invoking npm, pip, bun, or any package manager. It never runs postinstall scripts, which are the primary attack vector in supply chain compromises like Mini Shai-Hulud.

The scanner covers npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer, MCP configurations, editor extensions, and browser extensions. For security teams dealing with the Glassworm-style developer targeting described above, a read-only inventory tool that cannot trigger the attack vectors it is scanning for is exactly the right design.

Cisco’s LLM Security Leaderboard Brings Transparency to Model Risk Evaluation

Amy Chang’s work at Cisco on LLM adversarial evaluation addresses a gap I have been pointing to across multiple issues. How do you compare the security posture of different LLMs before selecting one for production?

Cisco’s LLM Security Leaderboard evaluates model susceptibility to malicious prompts, jailbreak attempts, and manipulation strategies. This is the kind of practical tooling that security teams need when the procurement decision includes choosing which model to deploy. Combined with Anthropic’s containment engineering, Microsoft’s Rampart, and ExploitBench. The ecosystem for measuring and testing AI security is rapidly maturing.

The question is whether organizations adopt these evaluation frameworks before or after the first breach involving a poorly chosen model.

The Sondera Agent PBJ Problem and Post-Prompt Policy Enforcement

Sondera’s framing of the “PBJ problem” connects to the broader shift from prompt-level safety to architectural enforcement that I have been tracking. The argument is that agent governance cannot depend on what happens at the prompt layer.

It must enforce policies after the prompt, during execution, through deterministic control planes. Sondera implements this through Cedar Policy Language integration that hooks into coding agents at the API level, providing enforcement for Claude, Cursor, Gemini, and other tools.

As Anthropic’s containment engineering post confirmed this week, 93% of user permission prompts get approved. When the human-in-the-loop approval rate is that high, the approval step is not providing meaningful security. Post-prompt policy enforcement that operates regardless of user decisions is the architecture that actually reduces risk.

Final Thoughts

This was the week that numbers replaced narratives.

Anthropic disclosed 10,000+ vulnerabilities from Glasswing’s first month. Dawn Song showed Mythos exploiting 17.5% of real-world vulnerabilities autonomously. VulnCheck documented CVE surges of 563% from AI-assisted discovery.

Contrast Security proved that AI scanning creates $128,000 in triage burden per $315 in scanning cost. Daniel Stenberg documented the human toll of receiving more than one security report per day against a 30-year-old codebase. And HackerOne slashed bounty rewards by 75%.

The story these numbers tell is consistent. The discovery problem is solved. AI finds vulnerabilities at a rate that exceeds every downstream system’s capacity to process them. The remediation problem, the prioritization problem, the human sustainability problem, and the economic incentive problem are all wide open.

The most encouraging developments this week were the ones that address those open problems. Uber’s agent identity architecture with attested actor chains. Anthropic’s containment engineering that supervises capabilities rather than individual actions.

Microsoft’s Rampart and Clarity for embedding safety into development workflows. Novee’s Agentic Fix that feeds validated exploits directly to coding agents. Perplexity’s Bumblebee that scans supply chains without executing anything. These are engineering solutions to engineering problems, and that is exactly what this moment requires.

Stay resilient.

Subscribe now

Roughly 50 partners running Anthropic’s Mythos Preview model found over 10,000 high-and-critical-severity vulnerabilities in approximately one month. Several reported that their rate of bug finding increased by more than a factor of ten, and Anthropic’s own framing states the thesis almost verbatim, that “progress on software security used to be limited by how quickly we could find new vulnerabilities” and “is now limited by how quickly we can verify, disclose, and patch” them. In short, remediation is (and has been) the bottleneck, and now driven by AI is more problematic than ever.

This is not a new argument from me. It’s a collection on predictions I already made, the data just got a lot harder to argue with.

What Glasswing Actually Reported

Glasswing is Anthropic’s coordinated effort to apply its Mythos-class vulnerability research model across both commercial partners and open-source projects.

The update covers roughly one month of activity and includes results from partners like Cloudflare, Mozilla, Palo Alto Networks, Microsoft, and Oracle, alongside an independent open-source scanning effort.

The partner-side numbers are striking. Cloudflare found 2,000 bugs, 400 of which were high or critical severity, with a false-positive rate that Cloudflare’s own team considers better than human testers. Mozilla found and fixed 271 vulnerabilities in Firefox 150, over ten times more than they found in Firefox 148 using Claude Opus 4.6. Palo Alto Networks shipped over five times as many patches as usual. Microsoft reported that patch volumes will continue trending larger for some time.

On the open-source side, the model identified 23,019 total vulnerabilities across more than 1,000 projects, with 6,202 estimated as high or critical severity. Of the 1,752 that independent security firms assessed, 90.6% were confirmed as valid true positives and 62.4% confirmed as genuinely high or critical. That puts the project on track to surface approximately 3,900 confirmed high-and-critical vulnerabilities in open-source software from this single scan.

The UK AI Safety Institute independently validated that Mythos Preview is the first model to solve both of their cybersecurity evaluation ranges end to end.

One partner bank reported that Mythos Preview helped detect and prevent a fraudulent $1.5 million wire transfer, and the wolfSSL certificate-forgery vulnerability the model discovered, assigned CVE-2026-5194, demonstrated that Mythos can not only find bugs but construct working exploits against real cryptographic libraries.

Validating Expectations

I want to walk through the specific prior arguments that Glasswing’s data confirms, because the value here isn’t in the novelty of the findings, it’s in the structural pattern they validate.

The Flood

In Vulnpocalypse, I laid out the case that AI-accelerated vulnerability discovery would overwhelm every downstream system the industry depends on for triage, enrichment, and remediation. The argument was structural, not speculative due to the widespread systemic impacts of AI-driven vulnerability industrialization.

If the cost of finding vulnerabilities drops to near zero while the cost of fixing them stays constant, the backlog doesn’t grow linearly, it compounds.

Glasswing’s 10,000-in-a-month result against commercial targets, combined with the 6,200 high-and-critical findings in open source, is exactly the flood I described. Nicolas Carlini’s research estimating that AI vulnerability research capability doubles roughly every four months makes these numbers a floor, not a ceiling, especially as model improvements continue to compound with each release.

The Capability Curve

In The AI Cyber Capability Curve, I argued that offensive AI capability was tracking an exponential improvement curve and that defenders needed to plan for capability levels that didn’t exist yet but were months away from arriving.

The UK AISI’s confirmation that Mythos Preview is the first model to solve both of their cyber ranges end to end, followed by GPT-5.5 shortly after is exactly the kind of step-function capability jump that curve predicts. These evaluation ranges were designed to be hard. A model cleared them entirely, and the next generation will be better still.

The NVD and Maintainer Collapse

In The NVD Just Threw in the Towel, I documented how NIST reclassified approximately 29,000 backlogged CVEs to “Not Scheduled,” effectively conceding that the system can’t keep pace with the current volume of incoming vulnerabilities, let alone an AI-accelerated one.

Glasswing’s open-source results now put concrete pressure on that already-broken system. The project disclosed 530 high-and-critical bugs to open-source maintainers in roughly a month, and maintainers responded exactly the way you’d expect an already-overloaded system to respond. Some asked Anthropic to slow down.

That last detail is the most telling data point in the entire update. Maintainers aren’t asking for better vulnerability reports. They’re asking for fewer of them.

The system’s constraint isn’t information (findings), it’s human capacity to act on information (remediation).

The Bottleneck Moved and the Crisis Didn’t

Glasswing’s patch-side data confirms the remediation crisis I’ve been tracking across multiple pieces. The average time to patch a high-or-critical bug disclosed through the project was two weeks. Only 75 of the 530 disclosed high-and-critical vulnerabilities have been patched so far, with just 65 receiving public advisories. That means less than 15% of the high-and-critical vulnerabilities Glasswing’s efforts have help expose are remediated.

This is relevant because it highlights the remediation bottleneck and also due to the fact that others, including malicious actors, are looking with alternative models and most certainly finding vulnerabilities.

Those numbers need context. The industry was already running a remediation deficit before AI-accelerated discovery entered the picture. FIRST projected a median of approximately 59,000 new CVEs for 2025, a roughly 50% increase over the prior year.

The 2026 DBIR showed that only 26% of critical KEV vulnerabilities were fully remediated, with a 43-day median to resolution, and the exploitation timeline has collapsed in the opposite direction. Sergej Epp’s Zero Day Clock research tracked the median time-to-exploit falling from 771 days in 2018 to roughly four hours by 2024.

The math is straightforward and unfavorable. Defenders measure their remediation timelines in weeks and months, attackers measure their exploitation timelines in hours.

Now the rate of vulnerability discovery has jumped by a factor of ten or more for organizations using Mythos-class models or even open source and alternative models coupled with effective harness engineering. The backlog doesn’t just grow, it grows faster than any organization’s ability to process it, which means the effective window of exploitability for every discovered vulnerability is expanding rather than shrinking.

Anthropic’s own Claude Security illustrates the asymmetry. Enterprise users patched 2,100 vulnerabilities in three weeks using the tool, a pace that looks fast only because enterprises fix their own code and skip the coordinated disclosure process entirely.

For open-source maintainers who don’t control the deployment environment and who rely on downstream consumers to actually apply the patch, the timeline stretches dramatically, and the 75-of-530 number is the honest measure of where the ecosystem actually stands.

The Skeptic’s Read

I’ve been critical of AI hype cycles in security throughout this newsletter and blog, including in Security’s AI-Driven Dilemma, and I don’t intend to turn off that filter because the data happens to be compelling. There are several things practitioners should hold with appropriate skepticism.

The “too dangerous to release” framing around Mythos serves dual purposes. It is genuinely responsible to withhold a model that can find thousands of critical vulnerabilities per month from general availability, that said it is also a competitive moat.

Anthropic has first-mover advantage with a capability that it openly states will be available from multiple labs soon, and the window during which it’s the only organization with that capability is a strategic asset, the same applies to security vendors who have been part of the gated release. Both things can be true simultaneously, and the responsible thing for practitioners is to evaluate the data on its merits while recognizing the incentive structure behind the framing.

The 90.6% true-positive rate deserves scrutiny in terms of generalizability. That number comes from a triaged sample of 1,752 vulnerabilities assessed by independent security firms.

Whether that rate holds across the full 23,019 findings, or across different codebases and vulnerability classes, is a question the update doesn’t fully answer. A false-positive rate better than human testers, as Cloudflare reported, is meaningful, but the comparison benchmark matters. Human testers vary enormously in quality, and “better than human testers” at one organization may mean something very different at another.

The enterprise patching speed also needs honest framing. Two thousand vulnerabilities patched in three weeks sounds fast until you recognize that enterprise teams patching their own proprietary code have fundamentally different dynamics than open-source maintainers who are often unpaid, understaffed, and managing projects in their spare time. The speed difference isn’t a technology gap, it’s a resource and incentive gap, and AI-accelerated discovery doesn’t change the resource equation on the maintainer side at all.

And the most uncomfortable admission in the update is that even a throttled, carefully managed disclosure pace is adding load to an already-overloaded ecosystem. If Anthropic is disclosing responsibly and maintainers are still asking for a slowdown, the implication is clear.

The system as currently designed cannot absorb AI-scale vulnerability discovery regardless of how carefully you manage the pipeline.

Coordinated disclosure norms were built for a world where finding vulnerabilities was hard and slow, and that world doesn’t exist anymore.

What Defenders Do Now

The structural reforms I’ve argued for in prior pieces aren’t theoretical anymore, Glasswing puts empirical weight behind each of them.

Patch cycles need to compress dramatically. A two-week median for a high-severity fix was acceptable when the discovery rate was measured in dozens per quarter. At thousands per month, two weeks is too slow for the most critical findings and completely unworkable for the long tail. Organizations that can’t move to continuous deployment for security patches will be running an ever-expanding window of exploitable exposure.

Reachability-based prioritization becomes non-negotiable. When the volume of incoming vulnerabilities jumps by 10x, the only viable triage strategy is to focus on what’s actually reachable and exploitable in your specific environment rather than treating every high-CVSS finding as equally urgent.

As I wrote in Vulnerability Management in the Age of AI-Accelerated Everything, Endor Labs’ research found that 92% of critical open-source vulnerabilities flagged by traditional scanners aren’t actually reachable in the application context. That 92% noise figure becomes the difference between a manageable workload and an impossible one when the denominator increases by an order of magnitude.

Memory-safe language mandates gain urgency with every one of these reports. A significant portion of the vulnerabilities AI models find are memory safety issues in C and C++ codebases, the same vulnerability class that’s been generating CVEs for decades. The structural fix is to stop writing new code in memory-unsafe languages, a position leaders such as Jen Easterly and Bob Lord advocated for during their tenure at CISA, and one that Glasswing’s data makes even harder to argue against.

Others, such as longtime security practitioner and leader Neils Provos have penned great articles such as “The Day After the Zero Days” pointing out that “patch faster” cannot keep up with AI-driven discovery, and instead argues for “structural invariants” to make bug classes irrelevant.

Niels states:

”The response is not to find bugs faster. It is to build infrastructure that takes attack classes off the critical path of ongoing human security decisions.”

The broader incentive question remains untouched as well. As Bruce Schneier has argued repeatedly, no industry in history has improved its safety practices without being forced to through regulation or liability.

The software industry’s current incentive structure rewards shipping fast over shipping secure, and nothing about AI-accelerated vulnerability discovery changes that calculus for the vendors producing the vulnerable software in the first place. If anything, it widens the gap between the organizations that can afford to respond and the ones that can’t.

That said, we’re currently in a deregulatory environment with the current U.S. presidential administration, and as others such as Jim Dempsey have pointed out, the topic of software liability is often considered a “third rail” of cybersecurity policy, meaning, no one typically wants to touch it.

Hence, many have considered cybersecurity a market failure and that’s unlikely to change in the current landscape.

The Floor, Not the Ceiling

The pattern I laid out in The AI Cyber Capability Curve predicts that every one of these numbers will look quaint within 12 months.

If AI vulnerability research capability is doubling every four months, the 10,000-in-a-month figure from this update represents roughly two doublings ago by the time the next Glasswing update ships. Mythos-class models will be available from multiple labs and even among the open source community, as Anthropic itself acknowledges, which means the discovery rate will multiply across the industry, not just within one company’s partner program.

There’s no question whether AI will continue to find vulnerabilities faster than humans can fix them, as that’s settled and no longer debatable.

The question is whether the institutions, incentive structures, and economic models that govern software security can adapt fast enough to absorb what’s coming, or whether the industry will learn the same lesson every other safety-critical domain has already learned, that the forcing function for real structural change is sufficient consequences, not foresight.

Subscribe now

In the span of a single week this April, two things happened that fundamentally changed the math. Anthropic announced Claude Mythos, a frontier model that autonomously found thousands of zero-days and wrote working exploits against code that had survived decades of human review.

Days later, NIST conceded it can no longer keep pace with CVE enrichment and moved everything published before March 2026 into a Not Scheduled status. With FIRST forecasting more than 50,000 new CVEs this year, the exploitation window is collapsing from weeks to hours at the exact moment our primary public source of vulnerability context is contracting.

Ivan and I dug into what this actually means for security teams on the ground. We talked through why programs built around periodic cadences break down when time disappears, why asset management is quietly becoming the most critical discipline in the stack, and how leaders should be answering the harder resilience questions now coming from the board. We also got into the fundamentals that compliance never quite covers, how to prioritize fixes against real business impact, and the remediation metrics that still matter when the volume explodes.

We closed on the question everyone is wrestling with, which is how much of security operations should be fighting AI with AI, and what the tradeoffs look like for the teams building it.

• Why the Mythos and NVD one-two punch broke the cadence model, and the mindset shift teams need to make when exploitation windows shrink to hours

• How boards are reframing resilience around the ability to absorb the incoming vulnpocalypse, and whether that actually unlocks budget or becomes another do more with less cycle

• Why asset management is moving from unglamorous bedrock to critical discipline, and what is driving that shift in the market right now

• The gap between 90% control coverage that passes the compliance bar and the weak auth, BYOD, and shadow IT exposures where exploits actually land

• How to measure business impact when both the attack surface and the volume of disclosures are exploding at the same time

• The remediation metrics that matter most in the AI era, including one measure most teams overlook

• How much of security operations should be fighting AI with AI, and the real considerations and tradeoffs for those building AI for security

Subscribe now

This was the week the Mythos narrative shifted from hype to measured evaluation, and the results are more interesting than either the cheerleaders or the skeptics predicted. The UK AI Safety Institute published data showing autonomous AI cyber capability is doubling every 4.7 months, faster than Moore’s Law. Palo Alto Networks reported that frontier AI found 7x more vulnerabilities across its product portfolio in a single month than the typical baseline.

Cloudflare tested Mythos against 50 internal code repositories and concluded the jump from prior frontier models is “not just a refinement of what came before.” And Anthropic formally allowed its Glasswing partners to share Mythos cybersecurity findings publicly, a move that will reshape how threat intelligence flows across the industry.

On the supply chain front, the TeamPCP threat actor open-sourced the Shai-Hulud worm on GitHub, complete with deployment instructions. Socket hit a $1 billion valuation with a $60 million Series C. And the story of the week in operational security may have been a CISA contractor who left AWS GovCloud keys and dozens of plaintext passwords in a public GitHub repository for six months.

Meanwhile, the EU agreed to delay high-risk AI rules by 12 to 18 months, prompt injection researchers demonstrated that current defenses are fundamentally flawed, and VulnCheck documented what they are calling the “first CVE wave” with disclosure volumes surging up to 563% for some vendors.

There is a lot to unpack, so let’s get into it.

[Expert Panel] Mythos: When Perception Becomes Reality

Exploits used to take weeks to weaponize. With AI, hours. Patch cycles haven’t moved. CVE-driven prioritization isn’t keeping up. Brad Arkin (former Chief Trust Officer at Salesforce, Cisco, Adobe) joins Nadav Czerninski (CEO, Oligo) on what your stack actually has to do now.

You’ll learn how to prioritize exploitable exposures, move beyond CVE scores, & tighten the window between disclosure and response.

Register for May 27th!

*Sponsored

Interested in sponsoring an issue of Resilient Cyber?

This includes reaching over 31,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives

Reach out below!

-> Contact Us! <-

Cyber Leadership & Market Dynamics

AI Broke the Security Ecosystem

I had a chance to sit down with The Secure Disclosure to cover a wide ranging interview on AI, Cyber, AppSec, and the software supply chain, ironically right before GitHub itself got involved in an incident.

In this episode of The Secure Disclosure, host sits down with Chris Hughes founder of Resilient Cyber, CISA Cyber Innovation Fellow, and a leading voice in cybersecurity. We dive deep into the chaotic and rapidly shifting landscape of software supply chain security, the sudden operational struggles of the National Vulnerability Database (NVD), and how AI is completely rewriting the rules of vulnerability management.

From the technical and social engineering risks plaguing open-source software to the "human-in-the-loop" delusion, Chris shares his honest, unfiltered takes on where the industry is heading and why things will likely get worse before they get better. The episode wraps up with a chaotic round of "Would You Rather," forcing Chris to choose between missing firewalls, permanent vulnerability freezes, and total AI "vibe coding."

A CISA Contractor Left the Keys to the Kingdom on GitHub

I want to be careful about how I frame this because it is genuinely painful. A contractor working for Nightwing, based in Dulles, Virginia, maintained a public GitHub repository called “Private-CISA” from November 2025 through mid-May 2026.

The repository contained AWS GovCloud administrative credentials, dozens of internal CISA system usernames and passwords in plaintext, and files literally named “importantAWStokens.”

The administrator had disabled GitHub’s default secret detection. GitGuardian researcher Guillaume Valadon called it “the worst leak that I’ve witnessed in my career.” Congress is now demanding a classified briefing.

For the agency responsible for securing federal cybersecurity infrastructure, this is the kind of incident that erodes institutional credibility. The exposed credentials were reportedly still valid 48 hours after the repository was taken down. As I have been writing since Cybersecurity First Principles, the basics remain the hardest part. No amount of frontier AI capability matters if the people operating the infrastructure leave the keys in the open.

The EU Buys More Time on High-Risk AI Rules

The Council of the EU and European Parliament agreed on May 7 to delay application dates for high-risk AI system rules. Standalone high-risk AI systems now face a December 2, 2027 deadline, and high-risk AI embedded in products gets pushed to August 2, 2028.

The original timeline had targeted August 2026. The delay is part of the European Commission’s “Digital Omnibus” initiative from late 2025, acknowledging that AI Act compliance requires significant preparation and that supporting technical standards are still being finalized. On the positive side, legislators added a new ban on AI-generated non-consensual sexual content.

For organizations planning AI governance programs, the extended timeline is a relief but not an invitation to wait. The regulatory direction remains unchanged. The compliance expectations remain unchanged. What changed is the calendar.

Socket Hits $1 Billion on the Supply Chain Security Thesis

When I covered the PyTorch Lightning compromise in issue #96 and the Mini Shai-Hulud TanStack attack in issue #97, I wrote that the trust model in modern package ecosystems was not designed for the speed at which attacks now move.

Socket’s $60 million Series C at a $1 billion valuation validates that thesis with investor conviction. Led by Thrive Capital with participation from a16z, Abstract Ventures, and Capital One Ventures, the round brings total funding to $125 million.

Socket’s real-time dependency analysis detected the PyTorch Lightning compromise in 18 minutes. In a market where supply chain worms are self-propagating across ecosystems and threat actors are open-sourcing their frameworks, the ability to catch malicious packages before they propagate is not optional. It is infrastructure.

Check Point’s Fourth Israeli Acquisition Signals a Strategy Shift

Under CEO Nadav Zafrir, Check Point acquired Deepchecks, its fourth Israeli startup acquisition in 2026, following Cyclops and Cyata for a combined $150 million and an acqui-hire of Rotate. Deepchecks brings AI agent technology for network security operations.

The acquisition pace tells a story about where Check Point sees itself needing to catch up. The company has faced criticism for lagging in cloud and AI security, and Zafrir’s response has been to buy velocity through targeted acquisitions of Israeli security startups. For those tracking vendor consolidation across the cybersecurity market, Check Point’s strategy mirrors the broader pattern. Build the platform, buy the AI capabilities, integrate fast.

Torq Acquires Jit for the AI SOC Context Graph

Torq’s acquisition of Jit for approximately $70 million adds what they are calling the “grounding layer the AI SOC has been missing.” Jit’s Context Graph maps code, identities, roles, privileges, data sensitivity, and runtime behavior into a unified model that AI agents can reason over.

The problem this solves is real. AI security agents making prioritization and response decisions without organizational context produce noisy, low-confidence outputs. Jit’s technology translates agent actions into enterprise context, enabling better-informed decisions. Combined with Torq’s existing hyperautomation platform, the integrated offering targets the gap between AI speed and organizational understanding.

As I discussed in issue #97 with Microsoft’s MDASH, the trend is clear. Multi-agent security architectures require rich context layers to be effective.

The Strange Economics of Cybersecurity in the AI Age

put his finger on something I have been observing for months. Cybersecurity is uniquely resistant to AI-driven cost deflation. While AI reduces costs across coding, design, support, and content creation, it drives spending increases in security.

Microsoft Security’s FY25 revenue hit approximately $37 billion, exceeding the entire global cybersecurity industry from 2016. Gartner projects global information security spending at $244 billion in 2026, up 13.3% year over year. The AI-Amplified Security sub-segment is projected to grow from $49 billion in 2025 to $160 billion by 2029. Every AI agent introduces new identity vectors and attack surfaces.

The AI Subscription Time Bomb Goes Off

If you built production workflows on AI pricing that felt too good to last, this is the week it caught up. Anthropic split Claude subscriptions into two separate usage pools effective June 15, 2026. GitHub Copilot transitioned to usage-based billing on June 1. Both OpenAI and Anthropic are on IPO timelines for H2 2026, and public markets demand unit economics, not subsidized growth.

The State of Brand reported that Uber burned through its entire 2026 AI budget by April, four months into the fiscal year. For security teams that have built agentic workflows and AI-powered scanning pipelines on flat-rate subscriptions, the economics are about to change materially. As Greg Notch noted this week, the token budget divide is going to make the digital divide look quaint. NVIDIA is reportedly telling engineers to consume roughly 50% of their base salary in tokens. Budget planning for AI security operations just got a lot more complicated.

Software Is Losing Its Head and Security Must Follow

Seema Amble at a16z argues that software is collapsing under its own complexity, and AI exposed the problem rather than creating it. The future belongs to headless architectures where agents access systems of record directly through APIs rather than through human-facing interfaces. Salesforce’s headless API strategy for agentic access is the bellwether.

The security implication is significant. When agents interact with backend systems without a UI layer, the traditional enforcement points in the browser, in the session, in the user interaction disappear. As I discussed in issue #97 with Sysdig’s headless cloud security platform, the future of security is not a better dashboard. It is security that operates at the data layer, enforcing policy on agent requests that never touch a human interface. The organizations that redesign their security controls for headless access will have an advantage. Everyone else will be defending a perimeter that no longer exists.

NightDragon Invests in Armada’s $230 Million Series B

Armada raised $230 million at a $2 billion pre-money valuation for modular AI data center infrastructure, with bookings jumping 540% between fiscal 2025 and fiscal 2026. Co-led by BlackRock, Overmatch, and 8090 Industries, with NightDragon participating as a strategic investor.

The edge AI infrastructure thesis is straightforward. Sovereign AI requirements, data residency regulations, and latency-sensitive workloads demand compute capacity that cannot live exclusively in centralized hyperscaler data centers. For cybersecurity, the implication is that security controls must follow the compute. Every modular data center at the edge is an attack surface that needs the same governance, monitoring, and access controls as a traditional data center. The compute is distributing, the security has to distribute with it.

Sean Plankey Pivots from CISA Nominee to Defense Startup CEO

After 13 months of his CISA director nomination languishing in the Senate without confirmation, Sean Plankey withdrew and within weeks was named U.S. CEO of UFORCE, a London-based defense startup founded by Ukrainians that builds combat drones and autonomous vessels.

The move from government cybersecurity leadership to defense technology is emblematic of a broader pattern where senior government cyber officials are finding faster impact in the private sector. First U.S.-made unmanned surface vessels are planned for summer 2026. The personnel pipeline between government cybersecurity and private sector defense technology continues to accelerate.

28 Years Since L0pht Told Congress They Could Take Down the Internet

Space Rogue’s retrospective on the L0pht Heavy Industries congressional testimony hit its 28th anniversary this week. In May 1998, seven hackers in suits told the U.S. Senate they could take down the internet in 30 minutes. Two years later they founded stake.

The testimony was a pivot point that began normalizing security researcher perspectives in policy conversations. Space Rogue’s memoir, released in February 2026, provides essential historical context. As we debate AI model access, responsible disclosure, and the role of frontier AI in offensive security, it is worth remembering that we have been here before. The tools change. The tension between security researchers, policymakers, and the public interest remains constant.

AI

Autonomous AI Cyber Capability Is Doubling Every 4.7 Months

This is the metric that should anchor every conversation about AI and cybersecurity strategy. The UK AI Safety Institute measured that the length of cyber tasks frontier AI models can complete has been doubling every 4.7 months since late 2024, an acceleration from the 8-month estimate they published in November 2025. Claude Sonnet 4.5 succeeds 80% of the time at cyber tasks that take human experts 16 minutes.

Claude Mythos Preview became the first model to complete two evaluated cyber ranges, including “Cooling Tower,” a 7-step industrial control system attack that no prior model had solved. METR’s independent measurement of a 4.2-month doubling time for software engineering tasks converges with this finding. When I covered the NCSC’s £65 attack cost number in issue #96, the underlying concern was exactly this. The cost floor on sophisticated attacks is collapsing while capability is accelerating faster than Moore’s Law.

Defense strategies built on the assumption that human expertise remains the bottleneck are already outdated.

Palo Alto Networks Reports 7x More Vulnerabilities from Frontier AI in a Single Month

The numbers from Palo Alto Networks’ May 2026 Defender’s Guide update are striking. Frontier AI models discovered 75 vulnerabilities across the company’s 130+ product portfolio in a single month, a 7x increase from the typical baseline of approximately five per month.

The AI accomplished the equivalent of a full year’s penetration testing effort in less than three weeks. The most concerning finding was not the volume but the sophistication. The models demonstrated exceptional capability at vulnerability chaining, combining multiple lower-severity issues into critical-level exploit paths that traditional scanning would have missed individually. Palo Alto estimates a 3-to-5-month strategic window for defenders to capitalize on this capability before it becomes universally accessible for offense.

As I discussed in my coverage of Microsoft’s MDASH in issue #97, the organizations investing in multi-agent vulnerability discovery infrastructure are finding real, Critical-severity flaws. The question is whether defenders or attackers industrialize these capabilities first.

Cloudflare Tested Mythos Against 50 Internal Repositories and the Results Are Nuanced

Cloudflare’s write-up on Project Glasswing is the most technically grounded Mythos evaluation I have read. They tested the model against over 50 internal code repositories and identified two standout capabilities. First, exploit chain construction, where the model combines multiple vulnerability primitives into working exploits. Second, proof generation, where it writes code to trigger suspected bugs, compiles in a scratch environment, runs tests, and iterates.

The Cloudflare team concluded that the jump from previous frontier models to Mythos is “not just a refinement of what came before.” But they were equally clear that the model’s organic guardrails are “not consistent enough to serve as a complete safety boundary.”

Combined with Nikesh Arora’s comments on the NYT Hard Fork podcast about Palo Alto receiving early access to both Mythos and GPT-5.5 Cyber, the emerging picture is that frontier AI for cybersecurity is real, differentiated, and insufficiently governed.

Anthropic Opens the Door for Glasswing Partners to Share Findings

The disclosure pipeline for Mythos just widened significantly. Anthropic will now allow its Project Glasswing partners, which include Amazon, Microsoft, Nvidia, and Apple, to share cybersecurity findings with security teams, industry bodies, regulators, government agencies, open-source maintainers, and media.

The Pentagon is deploying Mythos for U.S. government vulnerability patching. This policy shift will have cascading effects on how threat intelligence flows. When the organizations with early access to the most capable offensive AI model can now share what they find, the volume of disclosed vulnerabilities will accelerate further. As I discussed in issue #97 with the HackerOne remediation gap, we are already finding vulnerabilities at dense-world rates while fixing them at sparse-world rates.

Opening the disclosure pipeline wider without solving the remediation bottleneck risks making the gap worse before it gets better.

Prompt Injection May Be an Unsolvable Problem

If you are building agentic AI systems, the research Sahar Abdelnabi and Eugene Bagdasarian posted on May 17 should be required reading. Using Contextual Integrity theory, they demonstrated that the prevailing defense paradigm of data-instruction separation both fails to detect attacks and degrades legitimate behavior. Their impossibility result shows that adversaries can always construct contexts where blocked flows appear legitimate.

Tightening defense norms to block attacks necessarily blocks legitimate flows. If this holds, it means prompt injection is a fundamental vulnerability that cannot be fully resolved through any defense mechanism that relies on distinguishing data from instructions. As I have written since my early coverage of the OWASP Agentic Top 10, “if your defense can be prompt injected, it’s not a defense.” This research provides the theoretical grounding for that position.

Defense-in-depth, not single-point defenses, remains the only viable path.

AAuth Gets a Full Working Demo with Keycloak and A2A

Christian Posta followed up on the on-behalf-of piece I covered in issue #97 with a full working demonstration of the AAuth protocol. The demo walks through Agent-to-Agent (A2A) communication using the Python AAuth Library, Agentgateway, and the AAuth resource proxy. It covers HWK and JWKS signature schemes, identity establishment, HTTP message signing, and backend signing flows.

The practical significance is that AAuth is no longer a theoretical specification. It is a working implementation that you can deploy today. Between AAuth, Microsoft Entra Agent ID, Google Agent Identity, AWS AgentCore OBO, and now the Infoblox/GoDaddy DNS-AID and ANS standards for agent discovery and verification using existing DNS infrastructure, the agent identity ecosystem is maturing rapidly.

As I wrote in my article on identity as the agentic AI problem, the building blocks are taking shape. The convergence question is now a matter of market adoption, not technical feasibility.

Anthropic Ships MCP Tunnels for Secure Agent Access to Internal Systems

MCP Tunnels allow Claude agents to connect to private Model Context Protocol servers without exposing internal infrastructure to the public internet. Traffic flows over outbound-only encrypted connections using cloudflared, with no need to open inbound firewall ports or allowlist Anthropic IP ranges.

Organizations can expose internal databases, APIs, ticketing systems, and knowledge bases to Claude agents while maintaining existing network security boundaries. The feature is in research preview. For security teams evaluating MCP adoption, this addresses one of the primary concerns I have heard repeatedly. How do you give agents access to internal systems without punching holes in your perimeter? MCP Tunnels answers that question with a design that respects existing security architecture.

Combined with Solo.io’s AgentGateway that converts OpenAPI specifications to MCP tools without code changes, the MCP infrastructure layer is becoming enterprise-ready.

AWS Security Agent Now Scans Full Repositories in Preview

The shift here is from pattern-matching to architecture reasoning. AWS Security Agent’s full repository code review performs context-aware security analysis of entire codebases, reasoning about application architecture, trust boundaries, and data flows rather than scanning for known vulnerability patterns.

Remediation suggestions tie to exact files and line numbers. The feature is available at no additional cost for existing customers in preview, with penetration testing already at general availability since March 31, 2026. As I have tracked across issues #96 and #97 with CodeMender, MDASH, and AISLE’s VulnOps model, the trend is unmistakable.

AI-powered security tools are moving from “find known patterns” to “understand the system and reason about where vulnerabilities can exist.” That architectural reasoning capability is what separates the current generation from traditional static analysis.

Dragos Documents the First AI-Assisted Attack on Industrial Control Systems

This is the story that brings the Mexico government breach from issue #96 into the OT domain. Between December 2025 and February 2026, an attacker used Claude and GPT models against the Monterrey metropolitan water utility in Mexico, building a 17,000-line Python attack framework with 49 offensive security modules.

Claude independently identified the OT environment as strategically significant, correctly recognized the vNode interface as a gateway to operational systems, and wrote sophisticated attack code. The attack ultimately failed to breach operational technology. No OT systems were compromised. But the capability demonstration is significant. This is the first documented case where commercial AI models were used to conduct intrusion activities specifically targeting industrial control systems.

Caleb Sima on Why the Boring Future of Agents Is the Important One

I mentioned Caleb Sima’s Unprompted conference in issue #97, and his latest piece makes a point that I think deserves wider attention. The important work in agentic AI security is not the flashy model capability demonstrations. It is the harnesses, the orchestration frameworks, the guardrails, and the governance layers that make agents safe enough to deploy in production.

The market is shifting from theoretical capability debates to practical deployment questions. How do you scope permissions? How do you audit agent actions? How do you ensure agents fail safely? These are not glamorous questions, but they are the ones that determine whether organizations can actually ship agentic AI into production.

As I discussed in issue #95 with the Sondera analysis of the Claude Code leak, the security of the harness layer is where the real work is.

AppSec

VulnCheck Documents the “First CVE Wave” from AI-Assisted Discovery

The data from VulnCheck tells the story of a structural shift. Year-to-date CVE disclosure volumes for 2026 show Chrome up 563%, VMware up 181%, Apache up 170%, Mozilla up 157%, HPE up 132%, and F5 up 114%.

The catalyst was the April 7, 2026 announcement of Project Glasswing and Claude Mythos Preview. VulnCheck notes that early submissions showed signs of “slop” from automated discovery, but quality has improved over subsequent months while volume sustained. CVE Forecast, maintained by Jerry Gamblin, projects 50,000+ CVEs in 2026, with FIRST estimating a median of approximately 59,427. Combined with my coverage of the HackerOne remediation gap in issue #97 and AISLE’s VulnOps model in issue #96, the pattern is clear.

AI-assisted discovery is not a temporary spike. It is a permanent increase in the velocity of vulnerability disclosure, and every downstream system from triage to remediation to patch management needs to adapt.

TeamPCP Open-Sourced the Shai-Hulud Worm on GitHub

If the TanStack compromise from issue #97 demonstrated how dangerous Mini Shai-Hulud was as a weaponized supply chain worm, this week’s development makes it exponentially worse.

TeamPCP published the complete Shai-Hulud source code to GitHub, with deployment instructions. The worm searches for AWS, GCP, Azure, and GitHub credentials, then creates and publishes poisoned code for self-propagation through npm. As I wrote in Software Transparency, the trust model in package ecosystems was designed for a different threat landscape.

Open-sourcing a supply chain worm framework is the equivalent of publishing a recipe for mass credential theft. Every engineering team running npm dependencies, which is effectively every JavaScript shop on the planet, needs to evaluate their exposure to this threat vector immediately.

IDEsaster2 Expands the Attack Surface Across AI Coding Tools

Ari Marzouk’s IDEsaster research that I covered in issue #97 continues with IDEsaster2, expanding the vulnerability class across additional AI-integrated development tools. The core problem remains the same. AI coding IDEs fail to account for how AI features interact with existing IDE capabilities, enabling attackers to chain prompt injection with legitimate IDE functionality to achieve data exfiltration and remote code execution without user interaction. 100% of tested tools remain vulnerable.

The root cause is that IDE vendors treat AI features as inherently safe because the underlying IDE functions have existed for years. That assumption is wrong, and it continues to expose every developer using AI-powered coding tools to attacks that exploit the gap between AI behavior and IDE trust models.

XBOW Finds a Critical RCE in Exim and the Details Matter

CVE-2026-45185, dubbed “Dead.Letter,” is a CVSS 9.8 use-after-free in Exim’s SMTP input handling when linked against GnuTLS. The vulnerability is triggered by a STARTTLS command followed by a BDAT chunking command. During TLS shutdown, Exim frees the transfer buffer but fails to clear lower-level receive pointers. A single newline character written to freed memory causes heap corruption leading to unauthenticated remote code execution.

Affected versions span Exim 4.97 through 4.99.x on GnuTLS-linked builds, making Debian, Ubuntu, and Debian-derived distributions the primary targets. OpenSSL builds are not affected. XBOW’s separate evaluation of Mythos for offensive security showed the model is substantially better than prior models at source code vulnerability discovery but noted that many exploitable issues do not appear in source code.

They emerge from configuration, dependencies, and deployment choices. That nuance matters for calibrating expectations around AI-driven vulnerability discovery.

The Bug Bounty Model Is Breaking Under AI Pressure

For those who followed my coverage of the bug bounty slop problem in issue #96, this week brought more evidence that the structural damage is accelerating. Security researcher shubs documented 12-day response delays on PII leakage vulnerabilities and described how frontier AI models have commoditized the discovery process to the point where anyone with a Claude or GPT subscription can generate legitimate-looking reports.

The speed incentive that previously motivated researcher participation is evaporating. Platforms are deploying anti-AI controls, but the economic model itself is under stress. Daniel Stenberg reinforced this by continuing to question Mythos’s real-world capability against curl’s codebase. And in a separate but related development, the CTF scene is dying for the same reasons.

Frontier AI has automated enough of the competitive leaderboard that CTFTime scores no longer reliably signal human skill. When AI commoditizes both the discovery and the competition, the institutions built around human expertise have to reinvent themselves or fade.

ExploitBench Asks the Right Question About AI Cyber Capability

The way we measure AI cyber capability has been broken, and ExploitBench from CMU and Bugcrowd, released May 13, finally fixes it. Previous benchmarks asked whether a model could find a crash. ExploitBench decomposes exploitation into 16 measurable flags organized as a capability ladder, progressing from coverage through crash, sandbox primitives, arbitrary read/write, control-flow hijack, and finally arbitrary code execution.

The first benchmark targets V8, the JavaScript engine powering Chrome, Edge, Node.js, and Cloudflare Workers. This matters because it gives us a rigorous, reproducible way to track how quickly AI models climb the exploitation ladder over time. Combined with AISI’s 4.7-month doubling metric, ExploitBench provides the measurement framework the industry needs to move beyond marketing narratives about what AI can and cannot do offensively.

The Vulnpocalypse Is Real, but It Is Not the CISO’s Problem

This piece reframes a debate I have been tracking since I first wrote about Vulnpocalypse. At RSAC 2026, only 16% of exhibitors believed the vulnpocalypse is a CISO problem, down from 29% at BlackHat 2025. The argument is that responsibility should shift to CIOs, CTOs, and heads of engineering.

As long as the CISO stands in front of the runaway train, nobody else will stop it. I think there is real merit to this framing. Traditional security operations, from CTI feeds through SIEM to analyst triaging, are running out of road as AI-driven discovery volumes surge.

The operational model has to change. But I would push back on the idea that ownership can simply be reassigned. The answer is not moving the problem from one executive to another. It is building operational frameworks like AISLE’s VulnOps that match the velocity of discovery with the velocity of remediation.

The UK Government Rejects Security-Through-Obscurity for Open Code

The UK government published guidance explicitly rejecting blanket code closures based on concerns about AI-powered vulnerability discovery. Their position is clear. Remediation capacity matters more than code secrecy.

Making code private introduces delivery overhead while reducing both reuse and scrutiny. Open code allows faster identification through broader community review. The minimum standard requires clear ownership, secure-by-design principles, automated hygiene, and credible remediation capacity. This is a refreshingly pragmatic stance from a government body.

The temptation when confronted with AI-driven vulnerability discovery is to hide the code. The UK is arguing, correctly in my view, that the better response is to invest in the ability to fix issues faster. As I have been writing since Software Transparency, openness combined with operational maturity beats secrecy combined with patching debt.

Chainguard and Endor Labs Partner for End-to-End Supply Chain Security

I covered Chainguard’s one-day KEV SLA commitment in issue #96, and this partnership with Endor Labs extends their approach into the AI-generated code domain. The integration addresses a specific problem. AI coding agents generate code faster than humans can review it.

Chainguard ensures container infrastructure starts clean while Endor Labs provides function-level vulnerability analysis. AURI, Endor Labs’ platform, integrates into Cursor, VS Code, GitHub Copilot, and Claude Code. Chainguard’s $140 million Series C for “securing the next frontier of AI workloads” signals that the investor community sees supply chain security as the critical enabling layer for enterprise AI adoption.

The partnership model, combining infrastructure-level and code-level security, is the right architecture for an era where the code is generated autonomously and the containers are deployed at machine speed.

SecureForge Tackles Vulnerabilities in LLM-Generated Code Through Prompt Optimization

Here is a research direction that deserves more attention. SecureForge, highlighted by CISA Chief AI Officer Lisa Einstein, focuses on finding and preventing security vulnerabilities in LLM-generated code through prompt optimization techniques.

The research, published on arXiv with contributions from Stanford, demonstrates that the prompts used to generate code significantly affect the security properties of the output. This connects directly to the vibe coding crisis I covered in issue #97 where 380,000 publicly accessible vibe-coded apps had 5,000 actively leaking data. If the prompt shapes the security of the code, then prompt engineering for security becomes a first-class concern.

The fact that CISA’s AI leadership is signaling this research suggests it will inform future government guidance on AI-generated code security.

Terra Security Unifies Offensive Testing Across Web, AI, and Network

For those following my coverage of Terra Security’s OpenClaw vulnerability research in issue #97, the company expanded its agentic offensive security platform to include network infrastructure. The platform now covers web applications, AI systems, and network infrastructure through swarms of hundreds of AI agents paired with human-in-the-loop governance.

Findings are ranked by real exploitability and business impact rather than raw severity scores. The unification matters because offensive security has historically been fragmented, with separate vendors and separate outputs for each domain. When attack paths cross domains, as they almost always do in real-world breaches, siloed testing misses the connections. Continuous, unified offensive validation is the direction the market is heading.

Final Thoughts

This week crystallized something I have been circling around for several issues. The frontier AI capability question has been largely answered. AISI measured a 4.7-month doubling time. Palo Alto Networks found 7x more vulnerabilities in a single month. Cloudflare confirmed that Mythos is a qualitative jump, not an incremental refinement. VulnCheck documented CVE surges of up to 563% in a single vendor’s disclosure volume. ExploitBench gave us a rigorous measurement ladder. The capability is real, it is accelerating, and it is available to both defenders and attackers.

The open questions are now operational. Who remediates the vulnerabilities being found at 7x the previous rate? Who governs the agents deployed by 80% of the Fortune 500 with strategies at only 10%? Who secures the supply chain when threat actors open-source their attack frameworks on GitHub? Who enforces policy in headless architectures where agents interact with systems of record without touching a human interface?

The CISA GitHub leak is a painful reminder that the basics still matter more than the frontier. No AI model can compensate for leaving AWS GovCloud keys in a public repository for six months. The organizations that will thrive in this environment are the ones investing simultaneously in operational fundamentals and next-generation capabilities. The ones that treat AI as a replacement for operational discipline rather than an accelerant for it will learn the lesson the hard way.

Stay resilient.

Subscribe now

The 2025 report showed vulnerability exploitation surging as an initial access vector, closing the gap on credential-based attacks and signaling a structural shift in how breaches begin.

The 2026 report doesn’t just confirm that thesis, it blows past it. Vulnerability exploitation is now the leading initial access vector in confirmed breaches, and the gap between exploitation and every other method of entry is widening, not narrowing.

The 2026 DBIR analyzed 22,624 confirmed breaches across 31,860 security incidents, the largest dataset in the report’s 19-year history. The findings tell a story that anyone working in vulnerability management already feels in their bones, but now has the numbers to prove. Attackers aren’t waiting for defenders to catch up, if anything, they’re doubling down on their lead.

Interested in sponsoring an issue of Resilient Cyber?

This includes reaching over 31,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives

Reach out below!

-> Contact Us! <-

Exploitation Takes the Lead

The headline number is stark and of course gets a lot of the attention, and rightfully so.

Exploitation of vulnerabilities now accounts for the largest share of initial access vectors in breaches, nearly doubling the share held by phishing. That’s a complete inversion of the hierarchy that dominated the DBIR for over a decade, where stolen credentials and social engineering sat comfortably at the top of the chart and vulnerability exploitation was a secondary concern.

This isn’t a marginal shift either.

The DBIR shows exploitation’s share growing year over year while credential-based initial access flattens and the structural reason is straightforward. The attack surface has expanded faster than any organization’s ability to defend it, and the math favors the attacker.

As I laid out in The Attack Surface Exponential, the combination of cloud-native architectures, third-party dependencies, and sprawling SaaS footprints means there are simply more vulnerable entry points than any security team can monitor, let alone patch, in any reasonable timeframe.

The DBIR found that only 26% of critical KEV vulnerabilities were fully remediated in 2025, down from 38% the prior year, with a median time to full resolution of 43 days, almost two weeks more than the previous year. Edge devices sit at the boundary between the internet and the internal network, and attackers have learned to target them precisely because they're notoriously slow to patch and often lack the monitoring coverage that endpoints receive.

The exploitation pattern also shows up in the third-party data. Third-party involvement in breaches surged to 48%, a 60% year-over-year increase, driven in large part by exploitation of vulnerabilities in vendor software and edge infrastructure. When your perimeter is someone else’s code, your patch timeline is someone else’s priority.

The Remediation Gap Is a Chasm

The core problem isn’t that organizations don’t know about vulnerabilities. It’s that they can’t fix them fast enough to matter.

This is the remediation gap I’ve been writing about since Vulnpocalypse, and the 2026 DBIR provides the clearest evidence yet that the gap isn’t just persistent. It’s accelerating.

On one side of the equation, the rate of vulnerability discovery continues to climb. FIRST projected a median of approximately 59,000 new CVEs for 2025, a 50% increase over the prior year.

The actual numbers tracked close to that projection, and 2026 is on pace to exceed it. Every year produces more vulnerabilities than the last, and nothing about the current software ecosystem suggests that trajectory will flatten. More code is being written by more developers (and non-developers, e.g. vibe coding), with more dependencies, deployed into more environments, at faster release cadences than at any point in history.

On the other side, remediation capacity hasn’t scaled to match.

The DBIR’s 43-day median remediation figure for edge devices is actually an improvement over some industry benchmarks, but it’s meaningless against the exploitation timeline. Sergej Epp’s research tracking the “Zero Day Clock” found that the median time-to-exploit collapsed from 771 days in 2018 to roughly 4 hours by 2024.

The defenders are measuring their response in weeks or months and the attackers are measuring theirs in hours.

The MOAK autonomous exploitation project makes this concrete. Researchers demonstrated that an autonomous system could exploit 174 out of 178 CISA Known Exploited Vulnerabilities in an average of 21 minutes per vulnerability, with no human intervention.

These aren’t theoretical proof-of-concept demonstrations against lab environments. These are real CVEs from CISA’s KEV catalog, the same vulnerabilities that federal agencies are mandated to patch, being exploited faster than most organizations can open a change management ticket.

As I covered in Vulnerability Management in the Age of Autonomous Exploitation, the traditional vulnerability management model assumed that defenders had a meaningful window between disclosure and exploitation. That window functionally no longer exists.

The DBIR’s data on exploitation as the leading initial access vector is the downstream consequence of that collapsed timeline playing out at scale.

The NVD and the Infrastructure That Isn’t There

The vulnerability data infrastructure that the industry depends on is itself in crisis. As I wrote in The NVD Just Threw in the Towel, NIST reclassified approximately 29,000 backlogged CVEs to a status of “Not Scheduled,” effectively acknowledging that it can’t keep pace with the volume of incoming vulnerabilities.

The National Vulnerability Database was designed for an era when vulnerability discovery was measured in thousands per year. At nearly 60,000 and climbing, the system has hit a structural scaling limit that no amount of incremental funding will solve.

This matters for the DBIR’s findings because the entire vulnerability management lifecycle, from discovery to prioritization to remediation, depends on accurate, timely enrichment data.

When the NVD can’t provide CVSS scores, CPE mappings, or affected product information within any reasonable timeframe, organizations are flying blind on which vulnerabilities actually affect their environment and which ones represent real exploitability risk. The prioritization models that security teams rely on to triage their backlogs are only as good as the data feeding them, and that data pipeline is increasingly unreliable.

The result is predictable and shouldn’t be surprising to anyone who’s been paying attention for years. Teams are drowning in vulnerability backlogs they can’t meaningfully prioritize, while attackers exploit the specific vulnerabilities that matter most.

The DBIR’s exploitation data isn’t just a story about attackers getting faster. It’s a story about the defensive infrastructure failing to provide the information defenders need to keep up.

Ransomware, SMBs, and the Business Model That Works

Ransomware was present in 48% of all breaches analyzed in the 2026 DBIR, up from 44% the prior year. For small and midsize businesses, the number was 88%. That’s not a typo. Nearly nine out of ten breaches affecting SMBs involved ransomware.

The economics explain why.

The median ransom payment declined to $139,875 down from $150,000, driven partly by the fact that 69% of victim organizations chose not to pay, up from 51% in 2022. But ransomware operators have adapted by shifting to volume over margin. They’re targeting smaller organizations that lack the security infrastructure, staffing, and incident response capabilities to prevent or recover from an attack.

When the cost of an attack is negligible and the success rate against SMBs is high, a lower per-target yield still produces enormous aggregate revenue.

The DBIR also surfaced a troubling pipeline between infostealers and ransomware. Roughly 50% of ransomware victims had a credential leak appear in infostealer logs within 95 days before the breach. This suggests that the ransomware attack chain is increasingly industrialized, with initial access brokers harvesting credentials at scale via infostealers and selling them to ransomware operators who handle the deployment.

The credential harvesting and the exploitation aren’t separate problems, they’re connected stages of the same kill chain.

This industrialization also shows up in the tooling data. Attacker use of remote monitoring and management tools increased by 240%, a signal that threat actors are increasingly leveraging legitimate administration tools to blend into normal network activity and avoid detection.

The line between “legitimate IT operations” and “active compromise” is blurring in ways that make traditional detection approaches less effective.

GenAI and the Attacker Curve

The 2026 DBIR introduces data on generative AI usage by threat actors, and while the findings are early, they track with what I’ve been writing about in The AI Cyber Capability Curve. GenAI-generated content appeared in phishing emails at a growing rate, with synthetic text enabling more convincing and scalable social engineering. The report also found that 15% of non-malicious bot traffic is now AI-driven, growing at 21% month over month.

The more interesting finding is on the defender side.

The DBIR found that 45% of employees are regular users of AI tools in the workplace, but 12% of data loss prevention events flagged Shadow AI usage, meaning employees accessing AI tools outside of sanctioned enterprise channels. The security implications are twofold. Organizations are struggling to maintain visibility into how AI tools are being used internally, and the data flowing into unsanctioned AI services represents an expanding and largely unmeasured exfiltration risk.

This isn’t a future problem, it’s a present one.

The DBIR’s inclusion of GenAI metrics signals that the report’s authors see AI-enabled threats and AI-related risks as a permanent addition to the breach data taxonomy, not a passing trend.

I suspect we will see a surge in AI-assisted vulnerability exploitation in future years of the DBIR, driven by the industrialization of AI discovery and autonomous exploitation.

Espionage and the Blurring of Motive

One of the quieter but structurally significant findings in the 2026 DBIR is that espionage-motivated attacks accounted for 13% of breaches, with a notable overlap between espionage and financial motivation. Threat actors that historically operated with a single clear motive are increasingly pursuing both intelligence collection and monetization within the same campaign.

This blurring complicates the defender’s calculus.

An organization that assumed it wasn’t a target for state-sponsored activity because it lacks classified data or geopolitical significance may find itself compromised by an actor whose primary goal is espionage but who deploys ransomware as a secondary revenue stream, or as cover for the real objective.

The traditional segmentation between “nation-state threats” and “financially motivated cybercrime” is breaking down, and the DBIR’s data reflects that convergence.

The Counter-Narrative Nobody Wants to Hear

Here is where the analysis gets uncomfortable and even counter-intuitive, given much of the FUD the security industry uses to try and drive spending, using cyber attackers and impacts as a forcing function.

Despite 22,624 confirmed breaches in a single year's dataset, despite exploitation as the leading attack vector, despite ransomware hitting 88% of SMB breaches, the overwhelming majority of breached organizations are still in business.. The site destroyedbybreach.com, run by tracks public companies that suffered major breaches and documents what happened to them afterward. The answer, in most cases, is not much. Stock prices recover, revenue continues, and customers often stay.

I will caveat this with those being public companies, which tend to be larger, more well resourced, and able to weather the storm of a cyber incident more so than SMB’s. This is a point others such as Kelly Shortridge have made, in her piece “Markets DGAF About Cybersecurity”. Other resources report that while stock prices may drop 5.3% post breach, they tend to recover and even climb higher within 46 days of an incident.

All that said, the lack of major systemic impacts, and continued revenue, stock price rebound etc. creates a perverse incentive structure that sits at the heart of why vulnerability management remains chronically underfunded and why exploitation keeps climbing as an initial access vector.

If breaches don’t destroy companies, the economic pressure to invest in prevention is weak. Boards and executives make rational capital allocation decisions based on observed consequences, and the observed consequences of most breaches are manageable. Insurance covers a portion of the loss, customers express concern but rarely leave. Regulatory fines exist but are typically absorbed as a cost of doing business.

The problem with this calculus is that it’s backward-looking. It assumes future breaches will carry the same consequences as past ones, even as the exploitation timeline collapses, autonomous attack tools proliferate, and regulatory regimes tighten.

That said, there is the reality that we’re currently in a deregulatory environment in the U.S. at the Federal level, so any concept of software liability is likely tabled for now, so vendors don’t feel the pressure to address the technical debt they ship downstream to consumers and society either. This of course is why many consider cybersecurity to be a market failure.

Why Exploitation Stays at Number One

The structural forces driving exploitation to the top of the DBIR’s initial access chart aren’t temporary, they’re compounding.

The attack surface continues to expand. Cloud adoption, third-party integrations, API proliferation, and the rise of agentic AI systems are all adding new categories of exploitable surface faster than security programs can inventory them, let alone secure them.

The NVD’s inability to keep pace with vulnerability enumeration means the data infrastructure that prioritization depends on is degrading at the same time that the volume of vulnerabilities is increasing. Autonomous exploitation tools are lowering the skill barrier and collapsing the time-to-exploit to hours, while defenders still operate on patch cycles measured in weeks and months, and the economic incentives to invest in vulnerability management remain structurally weak because breaches, so far, haven’t been existential events for most organizations.

This is the exploitation era.

Not because a single report declared it, but because every structural trend in the data points the same direction.

More vulnerabilities, faster exploitation, slower remediation, expanding attack surfaces, and insufficient economic consequences to force a different outcome.

The question the DBIR leaves unanswered isn’t whether exploitation will remain the leading initial access vector. The data makes that nearly certain for the foreseeable future. The real question is what it will take to change the incentive structure that makes this outcome rational.

Until the cost of inaction exceeds the cost of investment, the gap between what attackers can exploit and what defenders can remediate will continue to widen, and the DBIR will continue to document the consequences.

Subscribe now

Richa brings a rare blend of perspectives to this conversation. She started her career on the policy side at McKinsey and the Commonwealth of Virginia, working on everything from drone privacy to autonomous vehicle policy, then moved into tech as Chief Strategy Officer at a legal tech company where she felt firsthand the impact of the regulations she had helped shape.

Complyance is her answer to the question of how you let companies meet their regulatory obligations without burning the resources that should be going toward real security work.

Prefer to Listen?

Apple Podcasts

Spotify

Be sure to leave a review and subscribe!

• Why the GRC market has a wide-open white space in the upper-right corner of the matrix, where enterprise customers meet truly agentic AI, and why the legacy incumbents and the modern startup-focused platforms have both missed it

• The legacy GRC practices still running by default in large enterprises today, and why even with agents in production, mature enterprises still want a final human check before the auditor sees anything

• How AI is letting enterprises leapfrog the technological waves they sat out, including the cloud-native, API-first, and automation eras that GRC largely missed

• Why the GRC workforce conversation should not be about replacement, including a customer anecdote from Northeast Georgia Health System where AI agents are letting the security leader hire more junior analysts because the agents themselves carry the domain expertise and train the team

• How Complyance navigates the SOC 2 commoditization and rubber-stamp crisis by drawing a hard commercial line, never selling external audits, never pushing audit partners, and never letting their agents touch the external assessment of controls

• The “pane of glass” model for the auditor relationship, where internal AI agents and external assessor AI agents operate independently on each side, with humans signing off on both

• What agentic GRC actually unlocks beyond the prior wave of integration-based continuous monitoring, including qualitative human-like assessments that catch scope drift, incomplete evidence, and gaps that red light / green light integration checks will never find

• How Complyance architects against hallucination by running a multi-agent design where each agent has blinders on and operates only on the micro use case it has been assigned, with tight inputs producing tight outputs

• A new approach to framework sprawl that flips the model, where instead of being reactive to thirty overlapping frameworks, organizations get proactive about their actual policies and let the agent map evidence into the relevant controls automatically

• Richa’s five-year vision for the industry, and why she calls agentic AI the biggest transformation GRC has ever seen, with teams finally shifting from reactive fire drills toward building security culture and getting a real grasp of organizational risk

Subscribe now

The perimeter problems that organizations have been ignoring for years haven’t gone away, and the data on who is actually fixing them and how fast reveals structural gaps that no amount of AI hype addresses. Across thousands of organizations and the 12 months leading up to March 2026, the report analyzed real-world attack surface data to measure what’s exposed, how long it stays exposed, and which organizations are doing something about it.

This is the third piece I’ve written in collaboration with the Intruder team, following my analysis of the 2025 Exposure Management Index and the Security Middle Child report, and the throughline across all three is consistent. The data keeps revealing the same structural pattern. Organizations know what’s exposed and they know what needs to be fixed. The gap is in the operational capacity to actually do it, and that gap widens predictably based on organization size, industry, and the maturity of the security program and AI is exacerbating all of the existing challenges, as the rate of vulnerability discovery and exploitation continues to collapse.

-> Check Out The Report! <-

What’s Actually Exposed

The report’s attack surface exposure data confirms what most practitioners already suspect but rarely have the aggregate data to prove. 60% of organizations had exposed HTTP admin panels, with WordPress Admin and phpMyAdmin leading the list. 49% had exposed ports and services, with Remote Desktop, SNMP, and UPnP among the most common. 42% had exposed databases, with MySQL and Postgres dominating, and 30% had exposed files and information, including API documentation, web.config files, and Apache configuration files.

The top 10 most common attack surface issues tell a story that should make every security team reflect on the effectiveness of their activities. Over a quarter of organizations, 26%, have an exposed MySQL database. One in six have an exposed Postgres database and more than one in seven have exposed API documentation, which ranked ahead of Remote Desktop in prevalence. These aren’t sophisticated misconfigurations buried deep in complex architectures. They’re basic exposure issues that have been well-understood for years, and they persist at scale because the incentive structure doesn’t force organizations to address them until something goes wrong. This of course is the longstanding bolting on rather than building in of security that we all painfully know so well.

The exposed API documentation finding is one that jumped out to me. Exposed Swagger or API docs give an attacker a complete roadmap to the backend, every endpoint, every parameter, every authentication requirement laid out in structured, machine-readable format. In a world where AI-powered reconnaissance tools can ingest that documentation and automatically generate attack payloads, leaving API docs publicly accessible isn’t just an information leak, it’s handing the attacker an instruction manual.

The database exposure figures are equally telling. The report references the 2020 PLEASE_READ_ME ransomware campaign that compromised over 250,000 databases by brute-forcing weak credentials on exposed MySQL instances. That was five years ago, and 26% of organizations still have MySQL databases visible on the internet.

This isn’t a knowledge problem, as security teams already know exposed databases are a risk. It’s a prioritization and visibility problem, where the exposed asset either isn’t known to the security team or sits in a remediation queue behind hundreds of other issues competing for the same limited engineering cycles.

The Midmarket Remediation Trap

The remediation data by organization size reveals a pattern I’ve been tracking across my prior work with Intruder, and it reinforces the structural argument from the Security Middle Child report.

The smallest organizations (1-250 employees) remediate fastest, averaging 14-18 days. The largest enterprises (50,000+ employees) are even faster at 11 days. But the organizations in between, specifically the 5,000 to 10,000 employee band, have the slowest average remediation time at 56 days.

That’s not a random distribution, but instead is a systemic signal. Small organizations have small attack surfaces and tight feedback loops between the person who finds the issue and the person who fixes it. Large enterprises have the budget, headcount, and tooling maturity to throw resources at the problem. The midmarket has the attack surface complexity of an enterprise without the resources to match.

The internet-facing asset counts make this concrete. Organizations with 5,000+ employees manage an average of nearly 1,700 external assets. That’s more than twice as many as those in the 1,000-5,000 band, and the inflection point in both scale and difficulty sits right in that middle range where headcount and tooling haven’t caught up to the size of the perimeter. As I covered in Security in the Middle, 42% of midmarket security teams describe themselves as stretched, overwhelmed, or consistently behind. The remediation data here explains why. These teams aren’t slow because they’re negligent. They’re slow because the ratio of exposed assets to available engineering capacity makes faster remediation physically impossible without either reducing the attack surface or significantly increasing the resources dedicated to managing it. Neither of these are an easily solved problem, as the security team can’t often dictate the asset footprint, the business does. Conversely, security also has to live within finite budgets and resources, leading to challenges with coverage.

The 56-day average for the 5,000-10,000 employee band compared to the 11-day average for organizations with 50,000+ employees isn’t a marginal difference. It’s a 5x gap that represents weeks of additional exposure during which any of those issues could be exploited. For the midmarket CISO reading this, the implication is that remediation speed isn’t primarily a process problem or a tooling problem. It’s a resource allocation problem that requires either a fundamentally different approach to attack surface management or a honest conversation with the board about what the current headcount can actually protect.

Industry Disparities Tell a Structural Story

The industry-level remediation data is where the report gets genuinely interesting, because the variance across sectors reveals how much industry structure, regulatory pressure, and business model shape security outcomes.

Insurance organizations have the slowest average remediation time at 50 days, while Retail remediates fastest at 10 days. That’s a 5x gap between industries, and it maps cleanly to architectural and operational differences rather than to any measure of security investment or intention. Insurance also has the largest attack surface per asset at 4.1 internet-facing services per asset compared to the cross-industry average, which compounds the remediation challenge. More services per asset means more things that can go wrong per target, and more things that need to be fixed when they do.

The split between Banks and Financial Services is revealing. Banks remediate in an average of 11 days while the broader Financial Services category takes 24 days, more than twice as long. Both operate under heavy regulatory pressure, both presumably invest significantly in security, and both understand the consequences of a breach. The difference is likely architectural and operational. Banks tend to have more mature, more consolidated infrastructure with stronger central security governance, while the broader Financial Services category includes a wider range of organizational maturity and infrastructure complexity.

Pharmaceuticals and Biotech remediate at 43 days and Automobiles and Components at 43 days, both sectors with significant resources that you’d expect to move faster. But both also tend to have complex, legacy-heavy infrastructure with operational technology components that slow down patching cycles. Healthcare, which often gets positioned as the industry with the worst security posture, actually remediates at 15 days, faster than Financial Services, Insurance, Pharma, and Auto. That likely reflects the regulatory pressure from HIPAA combined with the relatively modern, cloud-hosted infrastructure that many healthcare organizations have adopted in recent years.

The practitioner takeaway from the industry data isn’t about ranking sectors from best to worst. It’s that remediation speed is a function of organizational structure, infrastructure architecture, regulatory pressure, and operational maturity, and those factors vary more within industries than the averages suggest.

An insurance company running a modern cloud-native stack will remediate faster than a software company running legacy infrastructure, regardless of what the industry averages say. The averages are useful as benchmarks, but the real value is understanding which structural factors in your own environment are constraining your remediation speed and whether those constraints are fixable or inherent.

The Persistence of Old Vulnerabilities

One of the most consistent findings across both this year’s report and the 2025 Exposure Management Index I covered previously is that old vulnerabilities don’t go away. As I discussed in that earlier analysis, AI is lowering the technical barrier for exploitation, making it faster and more cost-effective for attackers to write new exploits targeting older CVEs that organizations left unpatched. The 2026 data reinforces this pattern. The same classes of exposures, open databases, exposed admin panels, publicly accessible configuration files, keep showing up year after year because organizations address individual instances without fixing the systemic conditions that produce them.

This is the remediation gap in its purest form. The rate at which new exposures appear, driven by infrastructure growth, cloud migration, shadow IT, and AI-accelerated development, consistently outpaces the rate at which security teams can identify and fix them. As I covered in The Attack Surface Exponential, GitHub is on pace for 14 billion commits in 2026, a 14x year-over-year increase driven by AI coding agents, and each of those commits potentially introduces new assets, new services, and new attack surface that the security team may not even know exists.

The exposed API documentation finding connects directly to this dynamic. As organizations deploy more APIs to support AI integrations, agent-to-agent communication, and microservices architectures, the number of potential information leaks and attack entry points multiplies. When 15% of organizations have API documentation publicly exposed and AI tools can automatically parse that documentation to identify exploitable patterns, the gap between how fast attack surface grows and how fast security teams can manage it becomes a strategic risk rather than an operational nuisance.

What Continuous Visibility Actually Changes

The structural argument running through all of this data is that periodic assessment can’t keep pace with continuous change. Running a quarterly penetration test or an annual vulnerability assessment against an attack surface that changes daily is the security equivalent of checking your bank balance once a year and assuming the number is still accurate. The organizations in this data set that remediate fastest aren’t doing so because they have better remediation processes. They’re doing so because they have continuous visibility into what’s exposed and can address issues as they appear rather than discovering them weeks or months later during a scheduled assessment.

This is where the shift from periodic vulnerability scanning to continuous attack surface management becomes a practical necessity rather than a vendor talking point. The data shows that the organizations with the fastest remediation times, the small organizations with tight feedback loops and the largest enterprises with mature tooling, share a common trait.

They’ve reduced the time between “something is exposed” and “someone knows about it” to near zero. The midmarket organizations struggling at 30-56 days haven’t necessarily failed to adopt the right tools or processes. They’ve failed to close the visibility gap, and until that gap closes, remediation will always lag behind exposure.

Intruder’s approach to this problem, continuous monitoring of internet-facing assets with automated discovery of unknown or unexpected services, directly addresses the visibility constraint that drives the remediation delays visible in the data. When a large portion of detected assets are unknown to the organization, and exposed databases persist at 26% prevalence five years after a mass exploitation campaign demonstrated the consequences, the problem isn’t that organizations don’t understand the risk. It’s that they can’t fix what they can’t see, and they can’t see what they aren’t continuously monitoring.

The Honest Conversation

The 2026 Attack Surface Management Index paints a picture that should be familiar to anyone who has been working in this space for more than a few years. The specific numbers change, remediation times improve in some categories, new exposure types emerge as architectures evolve, but the structural pattern holds.

Organizations are operating with more internet-facing assets than they realize, those assets expose basic security issues at rates that haven’t fundamentally changed, and the capacity to address those issues is distributed unevenly based on organizational size and industry structure.

The honest conversation this data forces is about expectations. If your organization sits in the midmarket band with 250 to 10,000 employees and your remediation times look anything like the 25-56 day averages in this report, the path forward isn’t telling your team to work harder or faster.

The path forward is either reducing the attack surface they’re responsible for, giving them continuous visibility into what’s actually exposed so they can prioritize based on real-time risk rather than periodic snapshots, or getting the headcount and budget that matches the actual size of the problem. Any other approach is asking people to bail water out of a boat faster than it’s coming in, and this data shows exactly how that works out.

Subscribe now

They’re also the first to inherit developer-level blast radius, with full access to source code, secrets, build pipelines, and production deployment paths. That combination is why coding agent security isn’t a niche within the broader agentic AI security conversation, it’s becoming the proving ground for the entire category.

Whatever security primitives mature here will define the playbook for every other agentic workload that follows.

Coding Is the Breakout AI Use Case

The data on coding agent adoption has moved past early-adopter territory and into enterprise-scale penetration. The Anthropic Economic Index found that 36% of Claude.ai usage is coding, making it the single largest use case on the platform. Cursor hit $2B in annual recurring revenue in roughly 28 months. Claude Code reached a $2.5B run-rate in under 12 months. GitHub Copilot sits at 4.7M paid seats.

The JetBrains 2025 Developer Survey found that 85% of developers now use AI tools regularly and 62% rely on at least one coding assistant as part of their daily workflow. The Octoverse 2025 report found that 80% of new GitHub developers use Copilot in their first week on the platform. Gartner projects 90% of enterprise software engineers will use AI coding assistants by 2028, up from less than 14% in early 2024.

These aren’t projections about future adoption curves, they describe what’s already happening.

Coding agents have crossed the threshold from experimental tooling to default infrastructure in how software gets written, reviewed, and shipped.

Code Volume Is Exploding

The adoption numbers tell one story, but the code volume numbers tell another, and they’re harder to ignore. GitHub is on pace for 14 billion commits in 2026, a 14x increase year over year, with weekly commit volume hitting 275 million.

Claude Code alone accounts for an estimated 4% of public GitHub commits as of early 2026, a share that doubled in roughly six weeks and is projected to reach 20% or more by year end.

The Ramp AI Index for March 2026 showed Anthropic overtaking OpenAI in business adoption at 34.4% versus 32.3%, with Claude Code reaching 326,731 daily commits by mid-March.

This is the largest expansion of write-access to production code in the history of software development. The volume of code being generated, committed, and merged is growing at a rate that outpaces any human review capacity.

As I covered in Vulnpocalypse, the math on vulnerability discovery and remediation was already unfavorable before coding agents entered the picture. The gap between the rate vulnerabilities are introduced and the rate they can be found and fixed was widening, not narrowing. Coding agents accelerate the introduction side of that equation dramatically while currently doing nothing to improve the remediation side, and the downstream implications for vulnerability management programs are significant.

The security question isn’t whether AI-generated code contains more or fewer vulnerabilities than human-written code.

It’s that the sheer volume of code entering production has grown by an order of magnitude while the capacity to review, test, and remediate has not scaled proportionally.

The denominator changed, but the security function didn’t.

The Developer Is the Highest-Value Attack Vector

The shift in attacker focus toward developer workstations and credentials isn’t new, but coding agents have made it structurally worse.

Developer machines hold source code, secrets, build pipeline configurations, cloud credentials, and now permanent agent runtimes with broad system access. The framing of developer workstations as the “new beachhead” captures the dynamic well. The workstation isn’t just where code gets written anymore. It’s where agents with persistent access to git, file systems, shell commands, and cloud SDKs operate continuously.

The open source supply chain attack data reinforces this. Sonatype’s 2026 report documented over 454,600 new malicious packages in 2025 alone, with 99% targeting npm.

The Shai-Hulud campaign became the first self-replicating npm worm, and its second wave (Shai-Hulud 2.0) compromised over 25,000 GitHub repositories and 600 to 800 npm packages. Unit 42 assessed with moderate confidence that LLMs were used to generate parts of the payload.

The named campaigns of the past 12 months, including s1ngularity targeting Nx, the chalk and debug compromises, the axios supply chain attack, the LiteLLM credential harvesting operation, and the TanStack incident, all follow the same pattern.

They target the developer environment, they target credentials, and they increasingly target the tools developers trust.

Coding agents sit directly in this attack path.

They consume packages, execute shell commands, read configuration files, and interact with the same repositories and registries that attackers are poisoning. The Nx malware campaign specifically targeted Claude Code, using flags designed to bypass its guardrails. This isn’t hypothetical risk modeling, it’s observed adversary behavior adapting to the tools developers actually use.

Coding Agents Amplify Every Existing Developer-Side Risk

The risk profile of coding agents goes beyond their role as another tool in the developer’s stack.

They inherit the user’s permissions by default, which means full local file system access, shell execution, git credentials, IDE-stored secrets, dotfiles, and write access to production repositories through commits, pull requests, and CI/CD triggers. UpGuard’s 2026 research found that 1 in 5 developers grant AI coding tools unrestricted workstation access, and almost 20% allow the AI to automatically save changes to the project’s main code repository with no human review.

The CVEs are already here too. Cursor’s CVE-2026-26268 was a sandbox escape that enabled remote code execution through malicious git repositories, rated 9.9 out of 10 in severity. Check Point disclosed CVE-2025-59536 and CVE-2026-21852 in Claude Code, enabling RCE and API key theft through malicious repository configuration files.

A separate vulnerability in Claude Code’s deny-rule implementation allowed command chains exceeding 50 subcommands to silently bypass security restrictions. These aren’t theoretical attack surfaces. They’re patched vulnerabilities that demonstrate the blast radius when a coding agent’s trust model gets exploited.

The Persistent Credential Problem Gets Worse

Credential exposure and compromise has been a persistent attack vector in every major threat report for years.

M-Trends and the DBIR consistently rank stolen credentials among the top initial access methods. Coding agents make this problem structurally harder because they are themselves new non-human identities with high-trust scopes.

They mediate access to GitHub PATs, npm tokens, cloud keys, and MCP server connections by default. Research found that 97% of NHIs are over-permissioned and that 0.01% of machine identities control 80% of cloud resources.

The breach pattern is already established. The incidents at Home Depot, Red Hat GitLab, Salesloft-Drift, and the Crimson Collective campaign all followed the same trajectory in 2025, which included leaked non-human identities to broad lateral movement.

Coding agents now sit at the intersection of all of these credential types, holding or mediating access to the same tokens and keys that attackers consistently target. The OWASP Non-Human Identities Top 10 exists for a reason, and coding agents are creating new NHI categories faster than most identity programs can inventory them.

The Emerging Security Primitives

The defensive stack for coding agents is taking shape across several layers, roughly in order of maturity.

Visibility comes first because you can’t secure what you can’t see. Which agents are running, on whose machines, with which permission scopes, connected to which MCP servers, and executing which tool calls. Most organizations can’t answer these questions today. Agent inventory and scope mapping is the baseline requirement, and without it every other layer is built on assumptions rather than evidence.

Posture management focuses on pre-deployment configuration. Deny rules, permission scoping, disabling dangerous flags like --dangerously-skip-permissions, and hardening agent configurations before they run in production environments. This is the prevention layer that reduces the attack surface before runtime, and it’s where organizations with mature configuration management practices have the clearest head start.

Governance addresses the organizational questions. Who can install which agents, which models they connect to, which plugins and extensions are approved, and what policy frameworks govern their behavior. Only 41% of employers have a formal AI tools policy according to JetBrains’ April 2026 research, which means the majority of organizations deploying coding agents are doing so without formal governance structures in place. That gap between adoption velocity and governance maturity is where the most preventable incidents will come from.

Detection and response brings runtime telemetry to agent behavior.Various vendors work on runtime security for coding agents demonstrates what this looks like in practice, applying the same continuous monitoring principles from cloud workload protection to agent execution, catching anomalous behavior patterns in tool calls, file access, and network activity. The key shift here is extending detection beyond infrastructure-level telemetry into the agent’s reasoning and action layer, where the attacks that matter most for coding agents actually occur.

Sandboxes as a Containment Boundary

Sandboxing has emerged as one of the most tangible security primitives for coding agents, and it’s the one that most directly addresses the blast radius problem. The core logic is straightforward. If a coding agent inherits the user’s full permissions by default, then constraining the environment where the agent executes is the most direct way to limit what a compromised or misbehaving agent can actually reach.

I have dove into the topic of Sandboxes for Agents with several guests and industry experts, including Alex Zenla of Edera and Luke Hinds, creator of nono.

The implementations vary significantly across platforms, and the differences matter.

Claude Code’s sandbox uses OS-level primitives, specifically Linux bubblewrap and macOS seatbelt, to restrict file system access to the current working directory and route network traffic through an external proxy.

Anthropic reported an 84% reduction in permission prompts with the sandbox enabled, which tells you something about how much unnecessary access agents were exercising by default before containment was in place.

Cursor’s sandbox takes a similar OS-native approach with Apple Seatbelt on macOS and seccomp plus Landlock on Linux, restricting file system writes to the workspace and /tmp while blocking network requests by default.

OpenAI’s Codex runs entirely in cloud-deployed microVMs with a dedicated filesystem, process space, and internet access disabled during execution, which is the strongest isolation model among the major coding agents but comes with the tradeoff of not running on the developer’s local machine.

GitHub Copilot’s cloud agent takes yet another approach, running in a sandboxed environment with a built-in firewall and recommended allowlist for package repositories and container registries. Organization admins can manage the firewall and custom allowlists across all repositories. The documentation is honest about limitations though. The firewall only applies to processes started by the agent via its Bash tool, not to MCP servers or processes started during setup steps.

The honest assessment of sandboxing is that it’s necessary but not sufficient, and the CVE history proves it. Cursor’s CVE-2026-26268 was specifically a sandbox escape. Shell built-in commands like export, cd, and echo are implicitly trusted and executed without confirmation in some implementations, creating bypass paths through environment variable manipulation.

The broader research on agent sandboxing consistently finds that environment variable exfiltration remains possible even in properly isolated sandboxes unless egress is explicitly restricted and secrets are scrubbed from the execution context. The UK’s AI Security Institute (AISI) for example found sandboxed AI agents can still learn a great deal about their hosting environments.

What sandboxes do well is establish a containment boundary that limits the blast radius of the most common failure modes, accidental file system modifications, credential reads from files and config directories, and unauthorized network calls.

What they don’t do is protect against attacks that operate within the sandbox’s permitted scope, like prompt injection that causes the agent to write malicious code to the files it’s authorized to modify or commit backdoored changes to the repository it’s authorized to push to.

Sandboxing constrains where the agent can act. Hooks and runtime enforcement constrain what the agent can do within those boundaries.

Hooks as a Key Security Primitive

One of the most significant defensive primitive emerging for coding agents is hooks, and the distinction from both sandboxes and prompt-level guidance is worth discussing further.

CLAUDE.md files and system prompts are advisory. As I wrote in a recent blog post from my Zenity team, “System Prompts Are Not Security Controls: A Deleted Production Database Proves It”, which was tied to the real-world PocketOS incident, where an agent outright ignored its system prompt and deleted production data.

The model can choose to follow them or not. Sandboxes constrain the execution environment but can’t evaluate the intent or appropriateness of actions within their permitted scope. Hooks are deterministic and semantic. They fire at the process level regardless of what the model decides, intercepting tool calls before execution and enforcing policy decisions that the agent cannot override or reason its way around.

As I covered in A Look at an Emerging Runtime Enforcement Layer for Agents, hooks represent a convergence pattern across multiple agent platforms, with implementations showing up in Claude Code, Cursor, Windsurf, Cline, GitHub Copilot, and OpenClaw.

The data supports the distinction as well. Research on runtime policy enforcement found 48% policy compliance without a reference monitor compared to 93% with one. The difference between advisory guardrails and deterministic enforcement is the difference between hoping the agent behaves and ensuring it does.

There’s a caveat worth discussing as well, as attackers and researchers seem to have an infinite amount of ingenuity as we all painfully know.

Hooks themselves are now an attack surface. The Check Point disclosure chain included malicious .claude/settings.json files that could manipulate hook configurations through compromised repositories. Trust the repo before you trust its hooks. This is the same lesson the industry learned with CI/CD pipeline configurations, where the policy enforcement mechanism is only as trustworthy as the supply chain that delivers it.

Where this is heading is becoming clearer.

Hooks become a policy-as-code layer for agentic development, playing the same role that infrastructure-as-code scanners played for cloud security. Sandboxes provide the containment boundary. Hooks provide the semantic enforcement within that boundary. Together they form the two-layer defense model that coding agent security is converging toward, one constraining the environment and the other constraining the behavior. The question isn’t whether both will be required but how fast the tooling matures to support them at enterprise scale.

The Market Opportunity

I watch this market closely, as I work at Zenity, one of the leading players in the Agentic AI Security space, where I serve as the VP Security Strategy. I’m seeing narrow focused startups focused on endpoint coding agents exclusively, as well as some agentic security/AI security startups pivot to emphasize their focus on endpoint coding agents given the market opportunity and momentum as well.

Our team at Zenity was recently named the company to beat in Agent Governance. That said, I obviously am closely watching this category and market both as someone operating at a vendor building in this space, and looking to understand it both from the market and technical perspective.

The market dynamics reflect the adoption reality.

MarketsandMarkets sizes the agentic AI security market at $1.65 billion in 2026, growing to $13.52 billion by 2032 at a 42% compound annual growth rate.

Coding agent revenue is the leading indicator. Claude Code alone hit a $2.5B run-rate in under 12 months. Information Matters’ Q1 2026 analysis estimated the broader agentic AI market at $40 billion today with a path to $140 billion by 2030.

The procurement tailwind is worth acknowledging as real, given the various sources and metrics discussed.

The gap between coding agent adoption (85% of developers using AI tools) and formal governance (only 18% of enterprises have guidelines for AI-generated code) creates the exact conditions that drive security platform buying and creates an opportunity for agentic AI security vendors. Every organization deploying coding agents without governance, visibility, and enforcement is a future buyer of these capabilities.

The security primitives maturing around coding agents today, from visibility and posture management to sandboxing, runtime detection, and hooks-based enforcement, are the same primitives that every other agentic workload category will need. The vendors building for coding agent security are building for the entire agentic security market.

Where It Goes From Here

Coding agents are the first agentic workload to hit production at scale, with measurable revenue, measurable adoption, and measurable risk.

The security category forming around them isn’t waiting for the rest of the agentic AI market to catch up, it’s setting the terms. The defensive primitives that win here, visibility, governance, sandboxing, runtime detection, and deterministic enforcement through hooks, will become the reference architecture for securing every agentic workload that follows.

Defenders who own the coding agent boundary today will own the agentic security category tomorrow.

Subscribe now

This was a week that tested every narrative we have been building about AI and cybersecurity. Microsoft unveiled MDASH, a multi-model agentic scanning harness that found 16 new vulnerabilities in the Windows networking stack, including four Critical remote code execution flaws. Google’s Threat Intelligence Group confirmed with high confidence that threat actors used an AI model to discover and exploit a zero-day for 2FA bypass, the first documented case of its kind. And the Mini Shai-Hulud worm struck TanStack, compromising 84 npm package artifacts across 42 packages in six minutes flat.

On the Mythos front, the scrutiny arc I have been tracking since issue #95 deepened. Rival Security found that one of Mythos’s celebrated discoveries was a CVE already present in its training data. Daniel Stenberg ran Mythos against curl’s 178,000 lines and concluded the results were no more advanced than existing tools. Meanwhile, Wired reported that nearly 380,000 vibe-coded apps are publicly accessible, with 5,000 of them leaking sensitive medical, financial, and corporate data.

The policy side moved too. The Trump administration formally listed offensive cyber operations as a counterterrorism tool, and both OpenAI and Anthropic announced enterprise services ventures that signal a structural shift in how AI labs compete for government and enterprise customers.

Let’s get into it.

Social engineering has a new playbook.

Social engineering attacks are no longer isolated incidents; they follow a structured chain. Attackers gather context, build credible identities, and engage targets in ways that feel routine and trustworthy.

That’s what makes them difficult to detect. Each step is designed to blend in.

Defending against this kind of activity means understanding how attacks unfold from start to finish, across both multiple channels.

Doppel breaks down how the modern social engineering attack chain works, and what it takes to identify and disrupt it earlier.

Read More

*Sponsored

Cyber Leadership & Market Dynamics

Offensive Cyber Operations Get a Formal Counterterrorism Mandate

I have been tracking the expanding role of offensive cyber in national security since the Pentagon’s 100,000 vibe-coded agents story in issue #95, and this week the Trump administration made it official.

The new counterterrorism strategy explicitly lists offensive cyber operations as a tool against narcoterrorists, transnational criminal organizations, and state-backed proxy groups.

This is the first time a U.S. counterterrorism strategy document has formally and publicly integrated offensive cyber capabilities alongside kinetic options. Whether you view this as overdue transparency or a troubling normalization of cyber offense as routine statecraft, the direction is unmistakable. Offensive cyber is no longer a classified footnote. It is a named instrument of national power.

AI Labs Are Becoming Services Companies

This is the story that should concern every traditional IT services firm. OpenAI launched Deployment Co., a consulting venture backed by $4 billion from 19 investment firms including TPG, Advent, and Bain Capital, valued at $10 billion. Anthropic announced its own enterprise services joint venture with Blackstone, Hellman & Friedman, and Goldman Sachs, with $300 million committed from each partner and ecosystem support from Accenture, Deloitte, and PwC.

As I discussed in issue #96 when covering Anthropic’s $4.4 billion ARR, these companies are not just building models anymore. They are building the implementation layer. For cybersecurity, the implication is that the AI labs deploying frontier models into government and enterprise environments will also be the ones advising on how to secure those deployments. That is an unprecedented consolidation of capability and influence.

Frame Security Enters the Human Risk Market with $50 Million

Here is a stat that should make every CISO pause. 96% of organizations run security awareness training, yet 90% of breaches still involve the human element.

Frame Security, backed by Index Ventures, Team8, and Picture Capital, is betting $50 million that the answer is not more slide decks. Their platform automates realistic attack simulations including deepfake audio and video scenarios, delivers role-based training, and provides real-time guidance.

Gartner’s 2025 data showed that 43% of CISOs had already experienced deepfake audio calls and 37% had encountered deepfake video. The traditional annual phishing simulation is starting to look like a relic. As AI-generated social engineering scales, defense has to match the personalization and speed of the attack.

Rising in Cyber Tracks the Market’s Structural Transformation

The Rising in Cyber report paints the macro picture for anyone who wants to understand where the cybersecurity market is headed. The market is projected to grow from $153 billion in 2025 to $255 billion by 2029. Series A and B funding dominated 2025 at over $10 billion, with $5.5 billion going to AI-native startups, the only segment that did not decline year over year.

Expected double-digit growth areas include IAM, data security, and cloud-native application protection. As I discussed in issue #96 with Sequoia’s Konstantine Buhler on narrative violation, the investors who recognized the AI-native shift early are positioned to capture the opportunity. Everyone else is recalibrating assumptions that should have been challenged a year ago. Yet, they also demonstrate just how fragmented the cybersecurity market is, despite how dominant some of the players seem based on brand name.

The Unprompted Conference and What It Tells Us About AI Security’s Maturity

Caleb Sima has been one of the most credible voices in AI security for years, and the Unprompted 2026 conference in San Francisco reflected the field’s growing maturity. The event featured real demos and sharp technical talks rather than the vendor pitch theater that dominates most security conferences.

With Caleb’s background as CSO at Robinhood and VP Security at Databricks, now leading White Rabbit as an AI-driven security venture studio, the conference curates from a practitioner perspective rather than an investor one. The AI security conversation needs more venues where the emphasis is on what works rather than what sells.

This is a great resource consolidating not just [un]prompted by many other conferences and talks into a single comprehensive resource.

Cloud attacks have a new entry point. It’s your running applications.*

That’s why a new category is emerging: Cloud Application Detection and Response (CADR).

This new guide breaks down what CADR is, why runtime is the only place real attacks can be detected, and how security teams are protecting applications, cloud infrastructure, and AI systems in production.

If you’re responsible for securing modern cloud workloads, this is a concept you’ll want to understand.

Get the Guide

*Sponsored

AI

Microsoft Finds 16 Windows Vulnerabilities with a Multi-Model Agent Swarm

This is the kind of applied AI security work that moves the field forward.

Microsoft’s Autonomous Code Security team built MDASH, a multi-model agentic scanning harness that orchestrates over 100 specialized AI agents across an ensemble of frontier and distilled models.

The system found 16 new vulnerabilities in the Windows networking and authentication stack, including four Critical remote code execution flaws in the kernel TCP/IP stack and IKEv2 service. The architecture runs in stages. Specialized auditor agents scan, debater agents argue for and against exploitability, deduplication agents collapse semantically equivalent findings, and prover agents construct triggering inputs.

Combined with CodeMender from issue #96 and AISLE’s VulnOps model, this represents a clear trend. Multi-agent architectures are outperforming single-model approaches for vulnerability discovery, and the organizations investing in this infrastructure are finding real, Critical-severity flaws.

Google Confirms the First AI-Generated Zero-Day Used in the Wild

If there was a single story this week that validates the threat models I have been writing about since the OWASP Agentic Top 10, this is the one.

Google’s Threat Intelligence Group confirmed with high confidence that threat actors used an AI model to discover and exploit a zero-day vulnerability, creating a 2FA bypass. GTIG also documented UNC2814, a Chinese group targeting telecom and government sectors, using persona-driven jailbreaks for vulnerability research on embedded devices.

APT45, a North Korean group, sent thousands of repetitive prompts to recursively analyze CVEs and validate proof-of-concept exploits. As I wrote in my article on Agentic AI Threats and Mitigations, the use cases available to defenders are equally available to attackers. We now have documented confirmation from Google’s threat intelligence team that this is happening at the nation-state level.

Cisco Ships an Open Specification for Agentic AI Security Pipelines

What makes Cisco’s Foundry Security Spec interesting is what it is not. It is not a managed service or a proprietary platform. It is an open specification distilled from Cisco’s internal security evaluation systems, defining eight core agent roles including Orchestrator, Indexer, Detector, Triager, and Validator.

The specification is built alongside Foundation-sec-8B, an 8-billion-parameter security model built on Llama 3.1, and Foundation-sec-8B-Reasoning for multi-step security analysis. The design philosophy is that the need for orchestrators, detectors, and validators persists regardless of which underlying models evolve.

Combined with Microsoft’s MDASH and the Model Provenance Kit from issue #96, Cisco is building both the open standards and the open models for an agentic security ecosystem. That approach deserves attention from anyone building security tooling on top of foundation models.

CSA Releases the AI Security Maturity Model

The Cloud Security Alliance released the AI Security Maturity Model after receiving over 600 comments from 60 international reviewers, and it fills a gap I have been pointing to across multiple issues.

Only 26% of organizations report having comprehensive AI security governance policies. 64% have some guidelines or are still developing them. The maturity model aligns with CSA’s Cloud Security Maturity Model and AI Controls Matrix, covering model security, AI infrastructure, agentic applications, MCP servers, and AI developer enablement.

CSA’s research shows that governance maturity is the strongest predictor of AI readiness. This connects directly to the shadow AI crisis I covered in issue #96, where 80% of Fortune 500 companies deploy agents but only 10% have a strategy to manage them. You cannot secure what you cannot measure, and the AISMM gives organizations a framework to start measuring.

Sysdig Launches a Headless Platform for Non-Human Identity Security

Machine identities outnumber human identities 40,000 to 1. They are 7.5 times more risky than human identities, and nearly 40% of breaches start with credential exploitation.

Sysdig’s response is what they call the industry’s first headless cloud security platform, designed not for human analysts clicking through dashboards but for AI agents operating at machine speed. The platform embeds full CNAPP capabilities directly into AI coding agents for real-time detection and response without requiring a human interface.

As I wrote in my article on What are Non-Human Identities and Why Do They Matter, the NHI challenge is not theoretical. It is the operational reality of every cloud-native environment. Sysdig’s headless approach acknowledges that the future of cloud security is not a better UI, it is no UI at all.

The Poisoned Truth Inside Enterprise RAG Systems

RAG has become the default architecture for grounding enterprise AI in organizational knowledge, and that creates a trust problem most security teams have not fully grasped.

Research accepted to USENIX Security 2025 demonstrated that injecting just five malicious texts into a database containing millions of documents achieved a 90% attack success rate. CrowdStrike has already detected data poisoning in the wild, including embedded hidden instructions in scripts. OWASP added LLM08:2025 (Vector and Embedding Weaknesses) to address these threats specifically.

The core issue is that LLMs cannot distinguish between legitimate and poisoned content. Everything retrieved is treated as ground truth. When you combine that with agentic systems that autonomously execute instructions from retrieved context, the attack surface expands from misinformation to arbitrary code execution.

As I discussed in Agentic AI Threats and Mitigations, the risks compound when agents act on poisoned inputs without human review.

ODNI Tells CISOs to Build Their Own AI Espionage Defenses

The intelligence community is being unusually direct about a difficult reality. ODNI acknowledged AI-powered espionage as a growing national security threat and then essentially told CISOs they are on their own building defenses. In August 2025, an AI tool was used for data extortion against international government, healthcare, and public health sectors.

By May 2025, NSA, CISA, and FBI had issued a joint bulletin confirming that adversaries are poisoning AI systems across sectors by corrupting training data. The poisoned data can reshape how systems label financial transactions, interpret medical scans, or filter content without triggering alerts. Only 26% of organizations report comprehensive AI security governance policies, per CSA research. This reinforces the maturity model discussion above. The government is being transparent about the threat. It is less clear on who owns the solution.

175,000 Ollama Servers and the Anatomy of LLM Infrastructure Abuse

For anyone who thinks exposed LLM infrastructure is a theoretical risk, this honeypot data should recalibrate that assumption. Over 91,000 attack sessions were captured between October 2025 and January 2026, with more than 80,000 concentrated in an 11-day burst over the holidays.

Attackers follow systematic reconnaissance patterns. They start with simple queries to identify which models respond, then attempt SSRF exploitation through Ollama’s model pull functionality using attacker-controlled registry URLs, and finally deploy prompt injection to extract system prompts, environment variables, and container artifacts like Docker sockets and Kubernetes tokens.

With more than 175,000 Ollama servers exposed and estimated attack costs of $46,000 per day, this is not opportunistic scanning. It is organized, methodical infrastructure exploitation. The lesson for security teams deploying local LLMs is that anything exposed to the internet will be found and probed within hours.

You Do Not Need Frontier Models to Transform Security Operations

Comcast Business made an argument that I think deserves more airtime. Organizations do not need to wait for the next frontier model to realize meaningful security gains from AI.

Current AI and ML capabilities can already automate threat analysis, anomaly detection, and incident response at machine speed. The obsession with frontier model capabilities, while understandable given the Mythos attention cycle, risks creating a false dependency where teams delay security improvements because they are waiting for the next model generation.

A multi-layered approach combining current AI with human expertise is the pragmatic path. As I have been writing since the 2025 AI Security Rewind, the organizations getting the most value from AI in security are not the ones chasing the bleeding edge. They are the ones deploying proven capabilities at scale.

AppSec

Mini Shai-Hulud Devours TanStack in a Six-Minute Supply Chain Blitz

The speed and sophistication of this attack should be required reading for every engineering team. On May 11, 2026, the TeamPCP threat actor published 84 malicious versions across 42 @tanstack/* npm packages in six minutes.

The tanstack/react-router package alone receives roughly 12 million weekly downloads. Within 48 hours, the campaign expanded to 172 packages with 403 malicious versions across npm and PyPI. The attack chain exploited three GitHub Actions vulnerabilities in sequence, creating a fork with malicious code, poisoning the GitHub Actions cache, and extracting OIDC tokens from runner process memory for unauthorized package publishing.

The payload was a credential stealer targeting CI/CD tokens, cloud credentials from AWS IMDSv2, GCP, and Azure, Kubernetes service accounts, and HashiCorp Vault secrets.

As I wrote in Software Transparency, the trust model in modern package ecosystems was not designed for this kind of coordinated, multi-vector attack. Combined with the PyTorch Lightning compromise from issue #96, Mini Shai-Hulud demonstrates that supply chain worms are becoming self-propagating and cross-ecosystem.

Mythos Found a CVE That Was Already in Its Training Data

The Mythos scrutiny arc that I have been tracking since issue #95 took another turn this week. Rival Security examined CVE-2026-4747, a remote code execution vulnerability in FreeBSD’s networked file system that Mythos reportedly discovered.

The vulnerable function matched CVE-2007-3999, which was patched in 2007, and the code was already present in Claude’s training data. Rival Security characterized this as “combinatorial creativity” rather than genuine novel discovery.

The AI rediscovered and recombined information it had already been trained on. This does not mean the finding is worthless. Rediscovery of latent vulnerabilities in active codebases has real value. But it does mean we need to be precise about what “AI-discovered vulnerability” actually means. The distinction between novel zero-day discovery and informed pattern matching matters for how we calibrate trust in AI security tools.

Daniel Stenberg Ran Mythos Against Curl and Was Not Impressed

Nobody knows curl better than Daniel Stenberg, and his assessment of Mythos’s performance against the project’s 178,000 lines of code is worth reading carefully. Of five “confirmed security vulnerabilities” that Mythos identified, three were known issues already in the official documentation, one was a bug but not a security hole, and one was an actual low-severity vulnerability that was patched in late June.

Previous analysis with other AI tools including Zeropath, AISLE, and OpenAI’s Codex had identified 200-300 issues with a dozen or more confirmed vulnerabilities. Stenberg’s conclusion was blunt. He saw no evidence that Mythos finds issues to any higher or more advanced degree than existing tools.

Combined with Rival Security’s training data findings and the Glasswing Paradox from issue #96 where fewer than 1% of Mythos-found vulnerabilities were patched, the picture that emerges is of a capability that is real but substantially overhyped relative to the marketing narrative.

380,000 Vibe-Coded Apps and the Data Leaking from Them

This is the vibe coding reckoning I warned about in Vibe Coding Conundrums and across newsletters #73, #76, and #78. RedAccess researchers identified approximately 380,000 publicly accessible applications created with vibe-coding platforms like Lovable, Replit, Base44, and Netlify.

Of those, 5,000 were actively leaking sensitive data including medical records, financial information, and corporate documents. 40% of examined applications had virtually no security or authentication. The examples are damning. A shipping company’s app exposed vessel routes.

A Brazilian bank’s financial data was publicly accessible. Unredacted customer service conversations were indexed by search engines. Platform responses ranged from ignoring findings to deflecting responsibility to users. As Andrej Karpathy defined it, vibe coding is for scenarios where you intentionally disregard code quality.

The problem is that thousands of people are shipping vibe-coded apps into production with real user data behind them.

Wiz Proposes an AI Threat Readiness Framework

Wiz framed the problem in a way that resonates with everything I have been tracking on the vulnerability management front. The gap between exposure and exploitation is shrinking, and security programs need to reduce the time between identification, validation, and remediation.

Their four-pillar framework is organized around two axes. Speed of Action and Breadth of Visibility. Wiz Defend provides runtime visibility and threat detection across workloads, cloud environments, Kubernetes, identities, and AI runtime activity. What I appreciate about this framework is the explicit acknowledgment that AI readiness is not just about deploying AI tools.

It requires comprehensive visibility across the full environment, from cloud infrastructure to code to SaaS to supply chain. As I wrote in my piece on the AI cyber capability curve, the organizations best positioned for the AI threat era are the ones that solved the visibility problem first.

Cloudflare’s Response to the Copy Fail Linux Privilege Escalation

CVE-2026-31431 is the kind of vulnerability that keeps infrastructure teams up at night. An out-of-bounds write in the Linux kernel’s algif_aead crypto module, exploitable through splice() and page cache manipulation, affecting virtually every Linux distribution since 2017.

The exploit is deterministic, does not rely on race conditions, and can be implemented in approximately 732 bytes. Cloudflare’s Security and Engineering teams validated that their existing behavioral detections could identify the exploit pattern within minutes of disclosure, and no customer impact occurred.

What makes this worth highlighting is the operational maturity on display. The flaw existed for nine years across every major distribution, and Cloudflare’s defense-in-depth approach caught it before it mattered. That is the model. You cannot prevent every vulnerability from existing, but you can build detection and response capabilities that reduce the window between disclosure and mitigation to minutes rather than days.

Simon Willison Corrects the Record on Vibe Coding

Simon Willison’s clarification matters because the misuse of Andrej Karpathy’s term has real consequences for how we think about AI-generated code risk. Vibe coding does not mean using AI tools to help write code. It means generating code without caring about the output.

Karpathy coined it on February 6, 2025, for throwaway and experimental projects where code quality is intentionally disregarded. The tech publishing industry has conflated vibe coding with responsible AI-assisted development, and that conflation muddies every conversation about security implications. When I write about vibe coding risks, I am talking about the 380,000 publicly accessible apps that Wired documented this week, not about professional developers using AI with proper review.

The distinction between intentional disregard for quality and augmented professional development is the difference between a security crisis and a productivity gain. Getting the terminology right is the first step toward getting the governance right.

Rami McCarthy’s Spooky Skills and the Agent Trust Problem

Wiz Principal Security Researcher Rami McCarthy’s “spooky-skills” project highlights a risk that intersects directly with the OpenClaw backdoor discussed above and the broader supply chain concerns I have been tracking.

Agent skills, the extensible capabilities that allow AI agents to interact with external systems, represent a growing attack surface where misconfigured GitHub Actions, social engineering of maintainers, and credential hygiene failures converge. McCarthy’s research emphasizes that the same trust assumptions that created the npm and PyPI supply chain problems are being replicated in agent skill marketplaces.

As I wrote in issue #96 with the PyTorch Lightning compromise and in Software Transparency, the trust model has to evolve. Every new extension point for AI agents is a potential supply chain entry vector, and most organizations have zero visibility into the skills their agents are consuming.

Final Thoughts

This week drove home a point that keeps sharpening with every issue. The Mythos hype cycle is colliding with operational reality, and operational reality is winning. Rival Security found a celebrated discovery that was already in the training data.

Daniel Stenberg found no evidence of capability beyond existing tools. Meanwhile, the actual threats are accelerating. Google confirmed the first AI-generated zero-day exploit used in the wild. Mini Shai-Hulud compromised 172 packages across two ecosystems in 48 hours. Every major AI coding IDE is vulnerable to IDEsaster attacks. And 380,000 vibe-coded apps are leaking real user data.

The positive developments are real but unevenly distributed. Microsoft’s MDASH found Critical Windows vulnerabilities with a 100-agent swarm. Cisco open-sourced both a security specification and an 8-billion-parameter security model. CSA gave us a maturity framework. Cloudflare demonstrated what operationally mature detection looks like against a nine-year-old Linux vulnerability. These are concrete, measurable advances.

But the gap I identified in issue #96 between discovery and remediation is widening, not narrowing. The Internet Bug Bounty paused new submissions. The organizations that will navigate this well are not the ones with the most advanced AI models. They are the ones building operational frameworks, identity infrastructure, and detection capabilities that match the speed of the threat. The race is not about who finds the most vulnerabilities. It is about who closes the loop fastest.

Stay resilient.

Subscribe now