Resilient Cyber Newsletter #105
China Explores Restricting AI Access, LLMs Extracting EDR Detection Rule, C2-less AI Malware, A CVSS for AI Jailbreaks, Vulnerability Clearinghouses & A New CVE Every 7.4 Minutes
Welcome to issue #105 of the Resilient Cyber Newsletter!
This week the question changed. We have spent months debating whether AI will eventually become a serious offensive tool, It’s hard to argue that it isn’t, as this week Wiz published a blog of an autonomous AI agent discovering and fully exploiting a critical authorization flaw in a live airline’s booking API, start to finish, in fifteen minutes flat.
SpecterOps demonstrated that LLMs can systematically extract every YARA rule, behavioral detection, and ML model from a production EDR product, and Dreadnode showed that C2-less, fully autonomous malware can run entirely on AI models already shipping with Windows.
The offensive AI future arrived while we were still writing governance frameworks for it.
Meanwhile, a parallel debate about who gets to benefit from AI-powered vulnerability discovery is playing out in real time.
Four separate open-source vulnerability clearinghouses launched in five weeks, and James Berthoty’s piece on the privatization of vulnerability management asks the hard question nobody else is willing to ask.
If AI-discovered patches get privatized while AI-discovered exploits get democratized, who wins?
I explored a related angle in my piece this week on whether we need a CVSS for AI jailbreaks (more on that in the AI section below), and I also published a deep dive on cloud security and SecOps convergence and a discussion with Tenable’s CPO on exposure management in the age of AI if you want to go deeper on those fronts.
Let’s get into it.
Dark matter hides in your AI supply chain. Plutonium finds it.
New skills, plugins, connectors, and MCP servers extend Claude, Copilot, and the wider AI supply chain every week. Most of what they can actually do stays invisible, dark matter in the stack, until something goes wrong.
That’s the idea behind Plutonium, Pluto Security’s free hub for the AI ecosystem. It pairs risk-assessment catalogs, covering every connector, skill, plugin, and MCP server across the entire AI supply chain, with Market Space, a curated set already checked safe to install.
Check any tool yourself before you approve it.
Security teams who want that same view across every employee and every tool already in use can see it live with Pluto, and bring the invisible risks into the light.
*Sponsored
Cyber Leadership & Market Dynamics
DHS Investigates Cyber Breach at Homeland Security Information Network
A breach of the Homeland Security Information Network, the unclassified system used to share sensitive information with foreign law enforcement and local authorities, is exactly the kind of incident that erodes trust in government cyber coordination.
The breach reportedly occurred between late May and early June 2026, and Senator Mark Warner called the exposed information “highly sensitive” with national security implications. DHS has provided minimal details, which is not unusual for an active investigation but is frustrating given that HSIN is the backbone of cross-agency threat sharing.
Coming just weeks after the Mythos classified systems testing I covered in issue #104, this is another reminder that the government’s own infrastructure faces the same vulnerabilities it is asking the private sector to fix.
Beijing Moves to Restrict Overseas Access to China’s Top AI Models
The symmetry here is hard to miss.
Three weeks after the U.S. briefly pulled Fable 5 from the market via export controls, Beijing is now considering the same approach for its own frontier models. Reuters reports that Chinese authorities have been meeting with Alibaba, ByteDance, and Z.ai about restricting overseas access to advanced AI models, including unreleased ones.
The proposed tiered system would require simple filing for basic open-source tools, security reviews for more advanced technology, and outright restrictions on frontier models.
Maxime Labonne analysis of the open frontier adds critical context. Six of the seven strongest open-weight models are now Chinese, with GLM-5.2 leading the pack as the first frontier model trained entirely off Nvidia silicon on Huawei Ascend chips.
Both superpowers are now treating cutting-edge AI as a national asset, and the window where open-weight models could flow freely across borders is closing from both directions.
Keyfactor Secures $1B+ Strategic Growth Investment from Summit Partners
A billion-dollar growth investment in machine identity and post-quantum cryptography signals where institutional money sees the next critical infrastructure layer.
Keyfactor currently manages billions of machine identities across 2,500+ customers, including half the largest U.S. and EU banks and over 40% of the Fortune 100. The timing tracks with the White House’s June 2026 executive orders accelerating PQC transition ahead of 2030 and the JPMorgan data from last week showing NHIs outnumbering human identities 144-to-1.
I have been saying for a while that identity is key context, especially for securing the era of Agentic AI. A billion-dollar bet from Summit Partners suggests the private equity market agrees.
Cyber Insurers Now Pricing Remediation Speed Into Underwriting Policies
Insurance underwriters are shifting from asking “do you have vulnerabilities?” to “how fast do you fix them?” and I think this is exactly the right question.
Vulnerability exploitation has become the leading initial access vector at 31% of breaches (up from 20%) per Verizon’s 2026 DBIR. The median time to fully resolve a critical vulnerability is 43 days, while the mean time-to-exploit is negative 7 days, meaning attackers are weaponizing flaws before the patch ships.
Organizations using AI agents for remediation report 6x faster CVE remediation and 83% fewer blocked pull requests. When insurance companies start pricing operational tempo, security leaders finally get a financial argument for the tooling investments they have been requesting.
Bank for International Settlements Warns AI Investment Bubble Risks Global Economy
When the central bank for central banks starts warning about an investment bubble, it is worth paying attention.
The BIS report notes that AI is attracting far more capital than the resulting industry can produce in returns, a pattern it has seen before. Oracle has lost more than 40% of its share value in the past month. Hyperscalers keep pouring money into GPU infrastructure while creating RAM shortages that affect even consumer hardware purchases.
I remain cautiously optimistic about AI’s long-term value for security, but the spending trajectory I covered in prior issues is clearly unsustainable. The correction will not eliminate AI adoption but it will force a reckoning about which use cases actually justify the cost.
Bloomberg Reports AI Anxiety Fueling Burnout Across Silicon Valley
One entrepreneur quoted in the piece captured something I have been hearing from practitioners across the industry. AI agents were supposed to do his work for him, but he has “never worked harder” while producing roughly 100x more output than before. This is often referred to as the AI Vampire.
Tech career coach Kyle Elliott says 2026 has been his busiest year as workers prepare for AI-driven layoffs or escape burnout. The pattern is paradoxical but predictable. AI eliminates routine tasks, bosses demand more strategic work, and mental downtime disappears entirely.
For security teams already dealing with alert fatigue and staffing shortages, adding AI-driven productivity pressure on top of existing stressors is a recipe for attrition.
Pragmatic Engineer Reports Cloud Agents Going Mainstream at OpenAI, Anthropic, and Cursor
Gergely Orosz visited the offices of OpenAI, Anthropic, and Cursor and reports that all three are investing heavily in cloud-based AI agent execution.
OpenAI acquired Ona (formerly Gitpod) for cloud dev environments. Anthropic built Claude Managed Agents over six months. Cursor launched cloud agents and an iOS mobile app. The most striking data point was that more than 95% of non-engineers at OpenAI now use Codex rather than ChatGPT, suggesting that AI coding tools are becoming the default interface even for people who do not write code.
The implications for shadow AI in enterprises are significant, and security teams should be planning for a world where every employee has access to a cloud-based code execution environment.
Nicolas Colin Argues This Is the Beginning of the End for “Big AI”
Vsquared Ventures’ head of research Nicolas Colin reacts to Palantir CEO Alex Karp’s critique of frontier model companies and makes a provocative case. For context, this is the video from Alex Karp that made a ton of waves this week:
If a local model running on your own data solves 95% of the problem at a fraction of the cost, the economics of paying for opaque tokens and uploading proprietary data to frontier labs stop making sense.
Chinese open-source models have become “astonishingly good” and frontier labs are still burning cash at industrial scale. Colin compares frontier AI to supersonic airliners, impressive until the economics kill them. His most interesting prediction is that Anthropic could survive as “a next-generation Google” with Claude Code as its AdWords-equivalent cash engine, while OpenAI faces a trickier path.
Whether or not you buy the full thesis, the direction of travel, more capable open models and tightening enterprise budgets, is real.
Anthropic Sues Abnormal AI Over Logo Similarity in Trademark Dispute
Of all the stories I expected to cover this week, Anthropic suing one of its customers was not one of them.
Abnormal AI’s CEO Evan Reiser points out that Abnormal was founded in 2018 (three years before Anthropic), the disputed logo was designed in April 2021, and Anthropic does not hold a registered trademark covering cybersecurity products. Reiser notes that his personal account will spend roughly $1M on Anthropic products this year, with the company spending over $10M. He emphasizes that Abnormal does not use Claude for customer-facing security features, only as an internal productivity tool.
The lawsuit demands “disgorgement of all revenues, earnings, profits, compensation, and benefits,” which seems remarkably aggressive given the facts. Whatever the legal merits, suing your own paying customers is rarely a winning business strategy.
AI
Wiz’s Red Agent Autonomously Exploits Critical BOLA Vulnerability in Live Airline API in 15 Minutes
This is the story that should change how you think about AI-powered offense.
With zero prior knowledge of the target, Wiz’s autonomous Red Agent discovered and fully exploited a Broken Object-Level Authorization flaw in a real airline’s GraphQL booking API in fifteen minutes flat.
The agent minted an anonymous session token by analyzing client-side JavaScript, performed GraphQL introspection revealing 514 queries and 428 mutations available to that anonymous session, then enumerated sequential booking IDs to extract two years of passenger records including names, dates of birth, billing addresses, and masked credit cards.
The anonymous session also had write capabilities including deleting flights, overriding prices, and issuing refunds. No human guided any step. This is not a CTF challenge or a research demo.
This is an AI agent autonomously executing a complete attack chain against production infrastructure protecting real customer data, and it found a vulnerability class that traditional DAST scanners are blind to.
SpecterOps Demonstrates LLMs Can Systematically Extract All EDR Detection Rules
If the Wiz story shows AI-powered offense in action, this one shows the defensive scaffolding being dismantled.
Adam Chester at SpecterOps used GPT-5.5-Cyber in a simple while-loop harness connected to Binary Ninja via MCP, a setup they call “Day Shift,” and fully dissected Palo Alto Cortex XDR.
The LLM extracted 6,358 encrypted YARA rules (cracking AES-128-ECB with keys embedded in the binary), discovered 9,350 DSE rules and 4,209 BIOC behavioral detection rules, pulled out 7 ML models with their decision thresholds, and even decrypted CLIPS-based rule blobs.
One extracted rule revealed that “reg save HKLM\SAM” to a specific path was explicitly allowlisted and would bypass detection entirely. SpecterOps confirms they have done this internally against every major EDR vendor with similar results.
The defense-in-depth argument I keep making just got a lot more urgent. EDR remains essential, but anyone treating it as their primary defensive layer is building on sand.
Cursor IDE Environment Keys Stolen via Malicious README Prompt Injection
Mozilla’s 0DIN team demonstrated a prompt injection attack where a malicious GitHub README tricks Cursor’s LLM agent into dumping environment variables and exfiltrating API keys via browser GET requests to an attacker-controlled server.
The attack exploits what the researchers call the “lethal trifecta” in agentic tools, specifically access to private data, exposure to untrusted content, and ability to communicate externally.
Cursor’s permission model is bypassed because users routinely allowlist “powershell -c” to avoid constant prompts, and Cursor only validates the beginning of the command string.
Last week I covered two Claude Code vulnerabilities with similar trust-model failures, and the pattern is consistent across every AI coding tool I have examined.
Agent frameworks that combine broad system access with exposure to untrusted repository content and the ability to make external network calls are structurally vulnerable to exfiltration, and permission fatigue makes the theoretical safeguards functionally useless.
Dreadnode Demonstrates C2-less AI Malware Running on Models Already Shipping with Windows
This research should be on every threat intelligence team’s reading list.
Max Harley at Dreadnode demonstrates that malware can eliminate command-and-control servers entirely by using AI models and inference libraries already present on the victim’s machine.
Microsoft CoPilot+ PCs ship with Phi-3 (3.8B parameters) and ONNX Runtime has shipped with Windows for a bit. The proof-of-concept used these locally available resources to autonomously discover a misconfigured Windows service and escalate privileges without ever contacting an external server.
Current limitations include CPU inference being slow and conspicuous, but as NPU-equipped machines become standard and local model quality improves, C2-less autonomous exploitation will become practical at scale.
Traditional network-based detection that depends on identifying C2 traffic will be completely blind to this class of attack.
UK AI Safety Institute Finds Real Cloud Misconfigurations Using Frontier AI for Under £1,000
Instead of testing AI on benchmarks, the UK AISI pointed frontier models at their own AWS infrastructure and looked for real misconfigurations.
Over a two-week sprint using three methods (static source analysis, automated agentic probing, and human-in-the-loop red teaming), they found and fixed several real issues including a previously undiscovered multi-step attack chain requiring five independent steps that allowed user impersonation.
The total cost was under £1,000 in LLM tokens, with the critical finding discovered for under £150. One basic commercial alerting system failed to flag any of the automated agent activity, while a more advanced monitoring system did catch some aggressive behavior.
Every organization with a cloud footprint can afford to do this, there is no excuse left for not trying.
T3MP3ST Framework Claims 90% Pass Rate on Offensive Security Benchmarks
An open-source multi-agent offensive security framework claiming 90.1% pass on XBOW’s 104-challenge black-box benchmark suite is worth watching carefully, if the numbers hold up.
T3MP3ST orchestrates specialist AI operators (recon, scanner, exploiter, infiltrator) to run the kill chain autonomously using local agent CLIs with zero API keys required. The emphasis on measurement integrity is notable, with every quantitative claim shipping with committed JSON artifacts that can be independently verified. The project also tested against post-training-cutoff 2026 CVEs to rule out memorization, scoring 4/10 strict.
Whether T3MP3ST itself becomes significant matters less than what it represents. The barrier to building autonomous offensive security harnesses has dropped to the point where a single developer can do it with open-source tooling.
FrontierCyber Introduces Real-System Offensive Benchmark with Physical Devices
Most AI security benchmarks test against planted vulnerabilities in sandboxed environments with predefined exploit paths.
FrontierCyber tests against real systems with real defenses, no planted vulnerabilities, and no predefined attack routes. The benchmark spans physical mobile phones running real applications, production software (Pillow, lxml, FFmpeg, PostgreSQL, Redis), and full network environments.
Initial evaluations have already surfaced previously unknown vulnerabilities now in responsible disclosure, and one model built a novel multi-vulnerability chain against a mobile device to gain unauthorized access. This is the evaluation methodology the field has needed.
Benchmarks built on known vulnerabilities and documented exploit paths tell you how well a model follows instructions, not how well it discovers new attack surfaces.
Addy Osmani Proposes Two-Axis Framework for Measuring AI Agent Autonomy
The single-axis autonomy ladder most people use conflates two separate questions, how far an agent operates independently (agency) and how many agents you coordinate (orchestration), and Addy Osmani’s two-axis framework is a useful corrective.
His six levels run from L0 Assist (suggestions only) through L5 Managed-by-Exception (factory model with human review only on exceptions).
Analysis of roughly 400,000 Claude sessions from 235,000 users showed that people make about 70% of planning decisions while Claude handles about 80% of execution, and experienced users were more likely to auto-approve.
That auto-approval pattern is exactly the permission fatigue that the Cursor IDE vulnerability in this issue exploits. Four anti-patterns are worth memorizing, especially “Permission Laundering” where humans approve what they do not understand.
Gartner Warns That Securing AI Agents Before They Go Rogue Is “Next to Impossible”
Dennis Xu at Gartner’s Security & Risk Management Summit said what most vendors will not.
LLMs will “always” be susceptible to jailbreak and prompt injection, and no amount of guardrail spending provides 100% prevention. The Akeyless survey data is sobering at 84% of 400+ IT and security leaders saying AI agents can access sensitive data, with 67% believing agents have already accessed data they should not have.
Brian Murphy from ReliaQuest offered the most quotable line of the week. “I don’t worry about attackers poisoning an agent’s memory. I worry about the agent poisoning its own memory.”
The PocketOS incident they referenced, where an AI coding agent deleted a production database and all backups in 9 seconds, is the kind of operational risk that should make every CISO reconsider deployment velocity.
I had a chance to chat with Dennis in-person at the Gartner event, and I consider him one of the sharpest analysts covering the space of AI and Agent Security.
Do We Need a CVSS for AI Jailbreaks?
I published a deep dive this week examining Anthropic’s proposal for a consensus jailbreak severity framework, the one buried in the Fable 5 redeployment announcement I covered in issue #104.
The cybersecurity industry spent 20 years learning that severity alone (CVSS) is insufficient without exploitation context (EPSS), organizational context (SSVC), and real-world telemetry (KEV). The AI safety community is compressing that same realization into months. NIST scientist Apostol Vassilev published a peer-reviewed proof extending Godel’s incompleteness theorems to AI guardrail systems, formally proving that no finite set of guardrails can be universally effective.
OWASP’s parallel AIVSS effort (v0.8) has founding members from NIST, NSA, Google, Microsoft, Anthropic, AWS, and others. Jailbreaks are a permanent feature of AI systems, not a bug to be patched.
AppSec
James Berthoty Warns Vulnerability Management Is Being Privatized
There’s been a TON of vulnerability discussion this year, largely due to AI’s industrialization of vulnerability discovery the “Mythos Moment”, and general buzz.
James Berthoty identifies privatization of VulnMgt across three dimensions. Detection, where frontier model access is gatekept to large enterprises. Investigation, where NVD enrichment is at its lowest point while commercial alternatives like Flashpoint, VulnCheck, and GitHub Security Advisories fill the gap, and Response, where the growth of vendor-hosted “supply chain firewalls” means patches increasingly flow through private channels before (or instead of) reaching the public.
Four separate clearinghouse initiatives launched in five weeks, and none give open-source maintainers real governance power.
James’ warning is blunt, “Fixes get privatized, while attacker capabilities get democratized.” If the clearinghouse model consolidates around subscribers-first disclosure, the CVE system as we know it is going out with a whisper.
Dan Lorenc Explains Why the Clearinghouse Itself Is the Least Important Part
Chainguard’s CEO offers the practitioner’s counterpoint to the privatization concern.
The clearinghouse is just data, and the real value is “actuation,” turning findings into rebuilt, tested, signed artifacts backported to the versions you actually run. Athena has taken in 20,000+ findings and shipped 2,000+ patches across 500 projects, and Chainguard’s existing build system already remediates well over 100,000 CVEs. CrowdStrike puts the stat at 42% of exploited vulnerabilities being hit before disclosure, which means the mean time-to-exploit is effectively negative.
Only a few large clearinghouses will survive, like root DNS servers or certificate authorities, and the long-term goal is secure-by-design making clearinghouses unnecessary.
That is exactly right but also probably years away and would require major changes in market and regulatory forces, which I’ve written about many times in terms of cybersecurity being a market failure.
Detailed Comparison Reveals None of Four New OSS Security Initiatives Include Maintainer Governance
A side-by-side analysis of Lightwell (IBM/Red Hat), Patch the Planet (OpenAI/Trail of Bits), Akrites (Linux Foundation), and Athena (Chainguard) reveals a striking gap across all four.
None give open-source maintainers real governance power, and none include any public body or national CSIRT. Two are “members-first” (Lightwell and Athena) where paying members get private hardened builds before public disclosure. Two are “equal” (Patch the Planet and Akrites) with single embargo windows. Lightwell is a $5B commercial subscription clearinghouse with 20,000+ engineers and 11 banks. Patch the Planet is free and non-profit, with 30+ projects and 51 significant findings plus 19 fixes in its first week.
I covered the Akrites launch in issue #104 as one of the most important announcements of the year, and this comparison adds necessary context about governance models.
The question is not whether these initiatives are valuable (they clearly are) but whether they protect the broader community or primarily serve paying members.
Epoch AI Documents 3.5x Spike in High-Severity CVE Disclosures After Mythos Release
In June 2026, notable organizations published around 1,500 high- and critical-severity CVEs, more than 3.5x the pre-Mythos monthly record.
Luke Emberson at Epoch AI tracked 21 major organizations (Microsoft, Google, Apple, Adobe, Oracle, Cisco, and others) and found the spike follows directly from Anthropic’s April 2026 announcement that Claude Mythos Preview could autonomously discover software vulnerabilities. Project Glasswing partners had been using Mythos pre-release and claim over 10,000 high- or critical-severity discoveries.
The figures are from publicly disclosed vulnerabilities only, meaning the actual discovered count is much higher. This is the vulnerability flood that the clearinghouse debate is trying to get ahead of.
Empirical Security Pushes Back on AI Vulnerability Flood Narrative
Ben Edwards at Empirical Security offers a measured counterpoint to the Epoch AI analysis.
His segmented Poisson model identifies an October 2022 breakpoint in CVE publication rates, well before the AI era, suggesting CVE volume was already accelerating for non-AI reasons.
Of the top 100 CNAs, only 24 have experienced a statistically measurable recent acceleration. Some of those (VulnCheck, VulnDB) have been accelerating since inception, not in response to AI. Edwards directly critiques Epoch’s methodology, arguing they “selectively picked a set of CNAs, aggregated them, and declared AI a spike.” I think both analyses contain important truths.
The spike is real for specific organizations using AI tools, but attributing the entire CVE volume increase to AI oversimplifies a much more complex picture.
Jerry Gamblin’s H1 2026 Data Shows 35,364 CVEs Published at a Rate of One Every 7.4 Minutes
Gamblin’s mid-year CVE analysis puts hard numbers behind the flood everyone is feeling. H1 2026 produced 35,364 CVEs, up 49.5% over H1 2025, with the single busiest day being June 9 at 747 CVEs.
GitHub Security Advisories is the busiest CNA at 6,801 assignments. The top CWEs remain frustratingly familiar, with XSS leading at 3,783 followed by Missing Authorization (1,704) and SQL Injection (1,445). Only 85 CVEs (0.24%) appear in CISA’s KEV catalog, reinforcing the data point I keep coming back to about the futility of treating all vulnerabilities equally.
Full-year projections now range from 66,000 to 72,000, with CPE coverage sitting at only 59%. For those who missed it, I recently sat down with Jerry to give into all things CVE’s, CNA’s and vulnerabilities:
Gal Elbaz Argues the 90-Day Disclosure Window Is Dead
Oligo Security’s CTO makes the case that AI has compressed both vulnerability discovery and exploit development timelines to the point where fixed disclosure windows are obsolete. AI can weaponize a published patch, turning a fix into a working exploit, in approximately 30 minutes.
MITRE cannot keep up with CVE report volume. Linus Torvalds has said the same about the Linux kernel. Elbaz argues disclosure timelines should be based on exploitability rather than a fixed number of days, and his bottom line is that “the noise needs to be cut, the critical bugs need better definition, and both vendors and researchers need to get back to the table as humans.”
I think he is right that the 90-day window is an artifact of a pre-AI era, but the replacement cannot be vendor-determined timelines either. The answer likely involves automated exploitability assessment as a disclosure trigger.
Corridor Makes Code Review Optional by Building an Auto-Approval System for PRs
The idea of merging code without human review runs counter to everything security culture has drilled into engineering organizations for two decades, but Corridor’s internal experiment is producing data that challenges that assumption.
The AI code security startup, which raised $25M in Series A funding, has been running most PRs through automated security and quality checks rather than human reviewers. If the auto-approval system’s false negative rate proves lower than human reviewer error rates, and given what we know about code review effectiveness that is not impossible, the industry’s assumption that human code review is a meaningful security control may need revisiting.
But the failure modes of AI-based approval are different and potentially more dangerous than human oversight gaps, so I would want to see independent validation before recommending anyone follow this path.
Final Thoughts
This week drove home a point I have been circling for months in prior issues and blogs. The offensive-defensive asymmetry in AI is not a future concern but a present reality.
An autonomous agent exploiting airline infrastructure in fifteen minutes, an LLM extracting every detection rule from a production EDR, AI malware running on models that ship with the operating system, and an open-source framework claiming 90% pass rates on offensive benchmarks, all in one week.
The vulnerability management world is grappling with its own reckoning. Four clearinghouses in five weeks, a 3.5x spike in high-severity disclosures, 35,000 CVEs in six months, and a genuine debate about whether the flood is AI-driven or structural. Whether Epoch or Empirical has the better methodology matters less than the shared conclusion. The volume is going up, the complexity is going up, and the existing institutional infrastructure was not designed for this.
What gives me some hope is that the defensive side is not standing still. The UK AISI found real vulnerabilities in their own infrastructure for under £1,000. Insurance companies are pricing remediation speed as a risk factor. And the clearinghouse debate, messy as it is, represents the industry at least trying to build new institutions before the old ones collapse.
The organizations that will be fine are the ones treating AI as both the threat and the tool, not choosing one framing over the other. Run frontier models against your own infrastructure, price your remediation speed, and accept that the 90-day disclosure window, like the CVSS score that drives it, is a legacy artifact of a world that no longer exists.
Stay Resilient!
























