Welcome to issue #101 of the Resilient Cyber Newsletter!
If last week’s executive order set the policy table, this week the market and the models showed up to eat. CrowdStrike’s Q1 earnings told the story in a single line from George Kurtz, who called it “the Mythos moment,” and the numbers backed it up with $256 million in net new ARR.
Anthropic released Claude Fable 5, the first publicly available Mythos-class model, and if you think the vulnerability discovery wave was intense with Glasswing restricted to 200 partners, wait until every Pro subscriber has access. I wrote a full piece on what that means in The Vulnpocalypse Goes GA.
Meanwhile, NIST dropped a mathematical proof showing that no finite set of guardrails can block every adversarial prompt, which is exactly the kind of foundational research that should reshape how we think about AI security.
Trail of Bits demonstrated that every major skill scanner can be bypassed in under an hour, and the Miasma supply chain worm compromised 73 Microsoft GitHub repositories through a self-propagating npm attack.
The lesson from this week is that both the offensive and defensive capabilities are accelerating, and the organizations that treat security as a continuous process rather than a static checkpoint will be the ones that survive.
500+ SaaS apps. Thousands of devices. A flood of help desk tickets. And a team of 30 people to manage all of it.
That’s the reality for Jamf’s IT team - but instead of drowning, they built their way out. On July 10th, join them live to learn exactly how they replaced manual, ticket-based IT work with intelligent workflows.
Join to hear:
The early use cases that proved the value of intelligent workflows
Where AI fits into their IT ops today - and where it’s going
How they compressed a year-long device audit into a matter of weeks
Plus, they’ll walk through a live demo of one of their most impactful workflows - Come ready to steal their playbook.
Thanks for reading the Resilient Cyber Newsletter! Subscribe for FREE and join 30,000+ readers to receive weekly updates with the latest news across AppSec, Leadership, AI, Supply Chain, and more for Cybersecurity.
George Kurtz framed CrowdStrike’s Q1 as the quarter “the worlds of cybersecurity and frontier AI collided.” The numbers are hard to argue with. Net new ARR hit $256 million, up 32% year-over-year, with total ARR crossing $5.51 billion.
The AI Detection and Response pipeline surged 250% sequentially, crossing $50 million for Q2. What I find most telling is that CrowdStrike raised its full-year ARR growth guidance by 520 basis points and still cautioned that market expectations around AI security demand are running ahead of reality.
That tension between demonstrable demand acceleration and the CEO tempering enthusiasm tells you exactly where we are in the cycle.
Scott Galloway laid out what might be the largest IPO year in history. SpaceX at $75 billion, Anthropic approaching $100 billion, OpenAI planning a record debut, and roughly $350 billion in total new equity supply.
For cybersecurity, the signal is that the capital flowing into AI companies will create enormous downstream demand for security infrastructure. The flip side is that peak exuberance often leaves retail investors holding the bag, and Galloway is not shy about making that point.
Mike Privette flagged a new entry into the cybersecurity decacorn club, Cyera, continuing the pattern of massive private valuations before any of these companies test the public markets.
The timing is interesting given the IPO pipeline building up and the reality that SailPoint and Netskope both underperformed post-listing. Private markets continue to price cybersecurity at a premium that public markets have not validated yet. Whether the AI demand wave changes that equation is the question worth watching.
Palantir CTO Shyam Sankar is reportedly the frontrunner for the still-vacant CISA director role, though the White House later disputed the accuracy of this reporting. Sankar has spent over 20 years at Palantir in senior technical and operational roles.
If confirmed, placing a Palantir executive at the helm of CISA would signal a clear tilt toward AI-driven national cyber defense and platformization, which would align with the executive order’s push for rapid AI adoption across federal agencies.
I actually interviewed Shyam over a year ago on the Resilient Cyber Show, diving into both the tech and national security topics:
GCHQ director Anne Keast-Butler used the agency’s first annual lecture at Bletchley Park to announce a national AI cyber shield. The system would deploy agentic AI to detect and respond to threats across critical infrastructure, airlines, telecoms, and major corporations, with an operational target of five years.
The UK is explicitly framing this as agentic AI for defense, not just analytics, and the ambition of real-time autonomous detection at national scale is something no country has attempted at this level before.
Congress opened a joint investigation into Chinese AI model proliferation. The hearings examined how the U.S. leads with proprietary frontier models while China releases open-weight models freely, and the concern is that Chinese state actors could use those models to exploit vulnerabilities in critical infrastructure.
The geopolitical dimension of AI-enabled cybersecurity is no longer theoretical. It is now a formal congressional investigation. Speaking of AI’s intersection with U.S. interests and the broader cyber landscape, Jack Cable of Corridor and others recent testified in a Homeland Security event titled “The AI Security Landscape: How AI is Reshaping Cybersecurity and Critical Infrastructure Resilience” and it was an excellent listen.
Representatives Obernolte and Trahan introduced draft legislation establishing a four-pillar federal AI governance framework that would override state AI regulations for three years. Advocacy groups immediately pushed back, arguing it sets a federal ceiling rather than a floor.
This is the legislative companion to the executive order I analyzed last week, and the pattern is consistent with the administration’s deregulatory posture toward AI development. If you missed my breakdown of the AI EO, you can find it below:
Jay McBain, Omdia’s Chief Analyst for Channels and Partnerships, is forecasting record growth in managed security and AI services heading into 2027. With 99% of MSPs deeply engaged in cybersecurity and the industry worth $87 billion on the vendor side, his argument is that the AI wave creates a generational channel opportunity.
The demand acceleration CrowdStrike reported in Q1 is the enterprise side of that same story.
Masayoshi Son told CNBC that OpenAI’s next model is being designed by another AI model, accelerating his superintelligence timeline to within two years. He predicts AI will surpass human intelligence in 70-80% of subjects within that window.
The cybersecurity implications are worth thinking through. If Son is even directionally correct, the offensive capability acceleration we are tracking with Mythos and GPT-5.5-Cyber is still in its early innings.
This is the biggest AI story of the week, and it changes the threat landscape in ways most organizations are not ready for. Anthropic released Claude Fable 5 on June 9, the first publicly available Mythos-class model, accessible to Pro, Max, Team, and Enterprise users.
Fable 5 delivers state-of-the-art performance on nearly all benchmarks and its capabilities exceed anything Anthropic has ever made generally available. The safeguards are conservative. Queries in high-risk areas like cybersecurity, biology, and chemistry fall back to Claude Opus 4.8 responses, triggering in less than 5% of sessions.
Separately, Claude Mythos 5 launched for vetted cyberdefenders and infrastructure providers through Project Glasswing, with the safeguards partially lifted. The pricing signals intent at $10 per million input tokens and $50 per million output. What keeps me up at night is the gap between when frontier capability becomes broadly available and when organizations update their defenses to match. That gap just got a lot wider.
The concern is not just Mythos itself but what comes next. Security experts are warning that frontier AI models from Google and at least two Chinese labs are not far behind Mythos in cybersecurity capability, potentially compressing the disclosure-to-exploit window from months to hours.
Anthropic has expanded Glasswing to 200 partners, but that still leaves the vast majority of organizations without access to equivalent defensive tools. The asymmetry between offensive availability and defensive access is the structural problem nobody has solved yet.
Anthropic analyzed 832 accounts banned for cyber-related policy violations between March 2025 and March 2026, mapping 13,873 actions across 482 unique techniques and all 14 ATT&CK tactics. The most common technique family was T1587 (Develop Capabilities), used by 574 actors, with malware development alone accounting for 560.
The percentage of medium-to-high-risk AI-enabled actors jumped from 33% to 56% in under a year. Anthropic partnered with Verizon to include findings in the 2026 DBIR, and the report argues that traditional risk signals no longer work because ATT&CK lacks categories for autonomous agentic attacks.
This one matters more than the headline suggests. NIST senior scientist Apostol Vassilev published a peer-reviewed proof in IEEE Security & Privacy showing that for any finite set of guardrails, some adversarial prompt exists that can bypass them.
The proof extends Godel’s incompleteness theorems to AI security. The practical implication is clear and it aligns with what practitioners already know intuitively. Static guardrails are necessary but never sufficient.
Continuous monitoring, red teaming, and iterative updates are the only viable security model for AI systems, and organizations still treating AI safety as a deploy-and-forget exercise need to rethink their approach.
OpenAI rolled out Lockdown Mode on June 4, an optional security setting that limits outbound network requests to prevent data exfiltration from prompt injection attacks. When enabled, it disables web access, image support, Deep Research, Agent Mode, and file downloads.
The tradeoff is explicit and honest. You lose capability in exchange for a substantially reduced attack surface. Lockdown Mode does not prevent prompt injections from occurring. It prevents the final stage of exfiltration.
This is defense-in-depth thinking applied to an LLM product, and while it is designed for a small set of security-conscious users handling sensitive data, the concept of hard boundaries at the product level is worth watching as a design pattern.
Okta’s former Chief Product Architect makes the case that existing identity infrastructure was built for humans or long-lived machines, not agents that spawn, collaborate, and disappear in seconds.
The Agent Identity Service he describes uses the AGNTCY Linux Foundation project with cryptographic badge generation for MCP servers and human-in-the-loop policy authorization for critical actions.
This is exactly the identity layer that agentic architectures need. Agents operating with probabilistic intent at machine speed require authorization models that go far beyond binary allow/deny decisions.
Karl is genuinely one of the sharpest people I’ve discussed Agentic IAM with, and I had a excellent conversation with him below:
Researchers at the University of Toronto’s CleverHans Lab built a proof-of-concept AI worm using only small, free AI models that autonomously identifies vulnerabilities, reasons about attack strategies, and self-replicates across networks.
In seven days of fully autonomous operation, the worm identified an average of 31.3 vulnerabilities per target, successfully exploited 73.8% of the network, and replicated to 61.8% of hosts across up to seven generations.
Critically, it exploited three vulnerabilities disclosed in 2026, after the model’s training cutoff, by ingesting publicly available advisories at runtime. Nobody needs Mythos to build a chaos-causing worm, free open-source models work just fine.
LangChain and Lee Hanchung both published complementary pieces this recently on agent harnesses, the infrastructure surrounding an AI model including tools, memory, sandboxing, and orchestration logic.
LangChain showed that harness improvements alone can significantly boost benchmark performance without changing the underlying model. Hanchung’s analysis goes further, arguing that most durable agent teams treat harnesses as 90-day artifacts and delete most code on model updates.
The security implication is that harness code is disposable by design, which means security controls embedded in the harness layer are likely to be discarded and rebuilt on every model upgrade cycle.
Pillar Security documented how coding agents with read/write access to repositories and deployment keys create new attack surfaces in CI/CD pipelines. The risk model includes prompt injection, privilege escalation, and lateral movement through compromised containers.
This piece landed the around the same time that the Agent Control Standard (ACS) went public at v0.1.0 as the first open, MIT-licensed spec for runtime governance of AI agents. The pattern is becoming clear, agents are getting pipeline access before the governance frameworks exist to constrain them.
The methodology here is worth paying attention to. A 6-stage loop for AI-driven code security spans threat modeling, sandbox creation, discovery, verification, triage, and patching.
Their own open source scanning has disclosed 1,596 items and validated over 500 high-severity vulnerabilities. The key insight I took from this is that discovery has become trivially parallelizable, but the bottleneck has shifted entirely to verification, triage, and patching.
That is the same bottleneck I keep coming back to in the vulnpocalypse discussion, and no amount of discovery tooling solves it without investing equally in the remediation pipeline.
MIT’s AI Risk Initiative surveyed experts across 200+ organizations and found that 18 of 24 AI risk domains carry at least a 10% probability of catastrophic outcomes within five years. Information, finance, and national security face the highest vulnerability. These are not fringe researchers making dramatic claims.
This is MIT putting probability estimates on AI-driven systemic risk across every major sector, and the numbers should inform how organizations think about AI governance.
I wrote a full piece this week on what Fable 5’s public release means for the vulnerability landscape. The vulnpocalypse is no longer a theoretical exercise gated behind Glasswing access.
With Mythos-class capability in the hands of every Pro subscriber, the volume of AI-discovered vulnerabilities is about to jump again, and the remediation bottleneck that was already stretched thin is going to break for organizations that have not invested in triage automation and risk-based prioritization.
The math has not changed. Discovery scales with compute, remediation scales with humans. That gap is the story of the next twelve months.
Nikesh Arora revealed that Mythos found years’ worth of vulnerabilities in Palo Alto’s codebase in six weeks. They scanned over 130 products, uncovering 75 legitimate vulnerabilities that have since been patched. The company estimates organizations have three to five months before attackers broadly gain access to frontier AI cyber models.
Early models had false positive rates up to 30%, making them more effective for offense or testing than for immediate defense without proper contextualization. This is the same dynamics playing out everywhere. Discovery is outrunning remediation, and the window to get ahead of it is measured in months, not years.
The talks from fwd:cloudsec North America 2026 are live and it is full of excellent talks, including a CNAPP walkthrough on the paste and future from James Berthoty, great talks on topics such as Agentic IAM, and of course all things Cloud Security as well.
Trail of Bits bypassed ClawHub’s malicious skill detector, Cisco’s agent skill scanner, and all three scanners integrated into skills.sh, with three of the four bypasses taking less than an hour.
Their simplest bypass prepended 100,000 blank lines to a malicious skill, causing ClawHub’s scanner to truncate the file before reaching the payload and mark it safe. The structural problem is damning. Arbitrary combinations of code, data, and natural language create the broadest possible attack surface, while the cost of inference motivates the use of weak models and truncated contexts.
Their recommendation is blunt and I agree with it. Public skill marketplaces are not safe for agents operating in sensitive contexts, curate your own.
ReverseC demonstrated that a single .md file can achieve a reverse shell through Claude Code with out-of-the-box settings. Dynamic context commands execute before the model sees the skill, meaning model-level prompt injection defenses never get a chance to intervene.
The broader data point from the ecosystem is sobering. If you installed a skill from ClawHub in the past month, there is a 13% chance it contains a critical security flaw. Skills supply chain security is rapidly becoming one of the most urgent problems in the agent ecosystem.
This is the supply chain attack that should have everyone’s attention. Miasma, an evolved variant of the Shai-Hulud worm open-sourced by TeamPCP, compromised 32 packages across 90+ versions under the redhat-cloud-services npm scope through a hijacked CI/CD pipeline.
The malware stole SSH keys, CLI credentials, and browser data on developer systems, while in CI/CD environments it scraped GitHub Actions runner memory for secrets and republished poisoned packages with forged SLSA provenance. On June 5, GitHub disabled 73 Microsoft repositories after Miasma re-compromised Azure’s durabletask project.
The worm executes automatically when an infected repository is cloned and opened in Claude Code, Gemini CLI, Cursor, or VS Code. This is the software supply chain threat model operating at a level of sophistication that most organizations are not equipped to detect.
Filip Stojkovski raised a point on Enterprise Security Weekly that I think deserves more attention. “Vulnmaxxing,” the practice of expensive AI-driven vulnerability discovery at industrial scale, threatens to create a two-tier security world where well-funded organizations race ahead while everyone else falls further behind.
If AI vulnerability discovery becomes a rich-organization sport, we end up widening the security inequality gap rather than closing it. The democratization of defensive capability is just as important as the democratization of discovery.
O’Reilly published a piece advocating for EPSS-based exploit prediction over exhaustive vulnerability enumeration, referencing Anthropic’s April 2026 security guide.
The core argument is elegant. Since vulnerabilities are effectively infinite, the only viable strategy is prioritizing by exploitability rather than trying to catalog everything. This aligns with what I have been saying about risk-based prioritization for years, and the vulnpocalypse makes it even more urgent. The organizations still trying to chase zero CVEs are going to drown.
Final Thoughts
This week crystallized something I have been building toward across the last several issues. The vulnpocalypse went from restricted preview to general availability. Fable 5 put Mythos-class capability in the hands of millions, and the market responded instantly. CrowdStrike reported its “Mythos moment” with record ARR, while the IPO pipeline suggests hundreds of billions in AI-adjacent capital is looking for a home. The demand signal for security is unmistakable.
But capability without governance is just chaos with better tooling. NIST proved mathematically that static guardrails will always be breakable. Trail of Bits showed that skill scanners can be bypassed in under an hour. Miasma demonstrated supply chain attacks operating at a sophistication level that forges provenance and spreads through developer tools automatically.
The lesson is not that we should stop building. It is that continuous monitoring, curated trust, and defense-in-depth are the only models that work when both the offensive and defensive sides are moving at AI speed.
The organizations that will thrive are the ones treating security as a continuous, adaptive process rather than a compliance checkbox. The building blocks exist. The challenge is building the muscle to use them before the window closes.
