Resilient Cyber Newsletter #106
A Record 622-CVE Patch Tuesday, White House’s GOLD EAGLE Initiative, Grok CLI Exfiltrating Repos, Context Bombs Derailing AI Attackers, Coding Agent Economics & Cyber’s 1H 2026 Market Numbers
Welcome to issue #106 of the Resilient Cyber Newsletter!
If there was a single theme this week, it was volume.
Microsoft shipped a record 622 fixes in a single Patch Tuesday, told us to expect even more as AI-powered discovery ramps up, Jerry Gamblin’s mid-year CVE numbers show publication volume up nearly 50% YoY, and the White House launched a new initiative aimed at coordinating vulnerability discovery and patching at the national level.
The vulnerability management conversation we’ve been having for years is starting to look much different as AI continues to industrialize vulnerability discovery and exploitation.
We also have the Grok CLI repo exfiltration saga, some excellent pieces on the economics of AI and what they mean for security, and the 1H 2026 cybersecurity market numbers.
Things continue to be a mix of exciting and chaotic heading into Black Hat, so let’s dig into it all.
Rethink your file security strategy
Most security tools are built to detect threats in files after the fact. Content Disarm and Reconstruction (CDR) takes the opposite approach. It assumes every file is untrusted, rebuilds it from clean components, and eliminates the threat before execution.
OPSWAT Founder and CEO Benny Czarny makes the full case in Cybersecurity Upside Down, a practitioner-focused book on why prevention-first security is not just possible, but necessary.
*Sponsored
Cyber Leadership & Market Dynamics
Cybersecurity Market Review 1H 2026
The team at Altitude Cyber, led by Dino Boukouris and Domenic Perri, published their 1H 2026 Cybersecurity Market Review, and as always it is one of the most comprehensive looks at the state of the cybersecurity market, spanning M&A, financing, public markets, and industry trends.
Some of the findings that stood out to me:
1H 2026 included 205 total M&A transactions with a total disclosed or estimated deal volume of $22.3B, with deal count up 24% YoY while dollar volume declined 47% (largely a base effect from Google’s announced $32B Wiz acquisition in Q1 2025)
2026 is on pace for the highest number of strategic acquisitions ever, with 131 through June
AI Security emerged as a top M&A sector in 1H 2026 with 19 deals, up from just 2 in the same period last year
On the financing side, 1H 2026 saw 391 financing transactions totaling $8.8B, with deal count down 20% YoY but dollar volume actually up 3%, showing larger rounds concentrating in fewer companies, including Cyera’s $600M Series G (bringing their total raised to $2.3B) and NinjaOne’s eye-watering $12.3B valuation. The IPO drought also continues, with no cybersecurity IPOs so far in 2026 and only 3 over the past five years, compared to 15 from 2018-2021.
I also thought their framing on identity was spot on, stating that “identity is no longer just about employees and customers. As AI agents, workloads, and service accounts proliferate, identity is becoming the control plane for access, action, and trust across modern environments.”
Defense at Machine Speed
Menlo Ventures’ Venky Ganesan and Sam Borja laid out their thesis for AI-native cybersecurity, arguing that as attackers begin operating at machine speed and machine scale, defense has to be rebuilt around three layers - behavioral context engines, autonomous response agents, and continuous validation from both internal and external perspectives.
Of course, this is a VC thesis piece and Menlo is talking their book to an extent, with portfolio companies mapped to each layer of the architecture. That said, the underlying argument that threats have shifted from software vulnerabilities to compromised identities and social engineering, and that enterprises deploying fleets of agents will need independent behavioral monitoring of those agents, aligns with a lot of what we’re seeing across the industry.
That said, I do want to point out that exploitation is actually the #1 attack vector per the latest DBIR, not credential compromise or phishing, so it is fair to push back on their thesis given that context in my opinion.
It is still very AI-relevant though, as we see the AI-driven industrialization of vulnerability discovery and soon exploitation coming.
Technology Waves and Security - Is This Time Really Different?
Phil Venables published a measured look at technology waves and security, asking whether the AI wave is fundamentally different from the PC, Internet, mobile, and cloud waves that preceded it.
His answer is largely no, and the patterns hold, security is never built in enough, we always overestimate the short-term impact of these changes while underestimating their long-term impact, and effective system-wide security only becomes possible once common design patterns crystallize, as they eventually did for the Internet and cloud eras.
I found this a useful counterweight to the breathless takes in both directions. We’ve been here before, and while the scale and pace are greater this time, the playbook of watching for design patterns to stabilize and then hardening around them is a familiar one.
His point that human-on-the-loop, rather than human-in-the-loop, is the appropriate governance model for agents at scale will also likely prove prescient and it touches on points I’ve made in my own article “The Human-in-the-Loop Illusion”.
White House Launches GOLD EAGLE Initiative
The White House announced Gold Eagle, a cybersecurity clearinghouse using frontier AI to coordinate vulnerability detection and patching across open source software and critical infrastructure.
The initiative flows from Executive Order 14409, “Promoting Advanced Artificial Intelligence Innovation and Security,” and involves Treasury, DHS/CISA, and the Department of War, with stated goals of reducing duplicative scanning, delivering prioritized threat intelligence to defenders, and strengthening critical infrastructure resilience.
Given the AI-driven surge in vulnerability discovery covered throughout this issue, some form of national-level coordination was probably inevitable, and this pairs interestingly with efforts like CMU’s FLARE-AI (covered below) that federal initiatives have been calling for. As always, execution will matter more than the announcement.
I touched on this back when I made a video covering the AI EO:
Lessons from CISA’s Cyber Incident
CISA published a postmortem of its own GitHub leak, and I want to give credit where it is due, because it takes organizational courage to publicly dissect your own incident, especially when you’re the nation’s cyber defense agency.
For those who missed it, a repository named “Private-CISA” containing 844 MB of sensitive data, including plaintext passwords, AWS GovCloud tokens, and Entra ID SAML certificates, sat publicly exposed for roughly six months before GitGuardian discovered it on May 14, 2026, with takedown within 26 hours of the report.
The lessons are ones every organization should internalize. Take external vulnerability reports seriously (nine automated alerts went unanswered), continuously scan repos for exposed secrets, simplify reporting channels (CISA admitted theirs “were not well defined, leading the security researcher to try multiple avenues”), and test key rotation readiness before you need it, as key invalidation took more than 48 hours.
If it can happen to CISA, it can happen to you.
Microsoft’s Secure Future Initiative July 2026 Progress Report
Microsoft released its July 2026 SFI progress report, continuing what has become one of the more transparent looks into security engineering at hyperscale, even if it is part marketing, mixed with security.
Some numbers that jumped out include phishing-resistant MFA now protects 99.97% of user/device pairs, 1.4 million unused Entra applications have been decommissioned, 732,000 resources were removed from public access, and automated container patching is addressing roughly 3 million vulnerability instances monthly.
Whatever your views on Microsoft’s security track record, and there is plenty of history to critique, the SFI reports offer a rare view into what Secure-by-Design looks like when applied across one of the largest attack surfaces on the planet, and the emphasis on AI-driven detection (with more than 90% of AI-assisted findings confirmed by their security engineers) is a preview of where enterprise security programs are headed.
American “Hackers-for-Hire” Proposal Sparks Heavy Criticism
A provision in the defense authorization bill would let the U.S. government deputize private contractors to conduct offensive cyber operations against foreign adversaries, effectively creating an American hack-for-hire network, and as BankInfoSecurity covers, the proposal is drawing heavy criticism from the security community.
The cyber letters-of-marque debate has been simmering for years, and the concerns are the usual ones, escalation, attribution, and collateral damage. That said, it is notable to see the concept advance this far in the legislative process rather than remaining a think-tank thought experiment, and it lands in the same season as offensive AI capabilities becoming dramatically cheaper.
Ways to Think About Token Pricing
Benedict Evans wrote an excellent piece on ways to think about token pricing that I’d recommend to anyone trying to reason about the economics underneath the AI wave. He points out that a trillion dollars or more of data center capex is coming down the pipe, that inference today carries 40-50% gross margins, and that the current capacity crunch has been driven by sudden product-market fit in really just one use case, software development.
The open question he poses is whether foundation models retain pricing power or become low-margin commodity infrastructure, with the telecom precedent looming large, cellular data traffic rose by orders of magnitude while the stocks went nowhere.
For those of us watching security vendors race to bolt LLMs onto everything, the question of who actually captures value in this stack is far from academic, and it connects directly to Nir Zuk’s cost math on AI-driven detection covered in the AI section below.
The Reverse Information Paradox
Satya Nadella published a piece on his personal blog on what he calls the reverse information paradox, inverting Kenneth Arrow’s classic information paradox for the AI era. Where Arrow worried the seller of information gives away its value by describing it, Nadella argues the buyer of AI now:
“risks giving away knowledge, just in order to use what they bought,” because using AI means revealing your proprietary context, corrections, and workflows to the platform. As he puts it, “in consuming intelligence, you are creating intelligence,” and “if learning flows in only one direction, economic value converges toward the owners of the learning infrastructure.”
His prescription is for enterprises to demand a hard boundary around their data, traces, and adaptive weights, and to treat their usage and corrections as competitive assets rather than exhaust.
The irony of this coming from the CEO of one of the largest AI platform owners is thick, but the argument itself is one every CISO and CIO negotiating AI contracts should sit with, and this week’s Grok CLI story (below) is about as concrete an illustration as you could ask for.
This comes after Palantir’s Alex Karp’s now viral interview where he argued that frontier labs were stealing the “alpha” (e.g. the secret sauce/value) from their customers by accessing their data and potentially competing with them in the future.
Stanford’s Economics of the AI Supercycle
For those who want to go deeper on AI economics, Stanford has posted session recordings from MS&E 435, “Economics of the AI Supercycle,” taught by Altimeter Capital’s Apoorv Agrawal, with this session covering infrastructure, enterprise AI, and SaaS.
The course treats AI as a technology cycle comparable to PCs, the Internet, and mobile, and examines the economics at each layer of the stack. Great free resource from a course whose guest list includes folks like Databricks’ Ali Ghodsi and Altimeter’s Brad Gerstner. I’ve been really enjoying the discussions from this series, and the latest with Databricks CEO is equally as good.
AI
The State of Agentic Security
OWASP recently launched v2 of their State of Agentic AI Security & Governance report. I decided to make a video capturing the key takeaways and findings.
This will be the start of a video series, where I will walkthrough the OWASP ASI Agentic AI Top 10 as well, tying each risk to real-world incidents, mitigations and industry trends, so keep an eye out for that!
Benchmarking Coding Agents on Databricks’ Multi-Million Line Codebase
Databricks published one of the more useful coding agent benchmarks I’ve seen from a non-frontier lab or research entity, running agents against real engineering tasks from their own multi-million line codebase rather than synthetic benchmark suites.
The headline finding is that per-token pricing is a poor guide to actual cost. Sonnet 5 is ~1.7x cheaper per token than Opus 4.8, but on their tasks Sonnet cost $2.09/task vs Opus’s $1.94 while scoring six points lower on task completion (81% vs 87%), because cheaper models often take longer, less efficient paths.
Open models also landed on the Pareto frontier, with GLM 5.2 statistically tied with Opus 4.8 on quality at $1.28/task against Opus’s $1.94, and harness choice mattered as much as model choice, with one harness sending about 3x less context per turn.
The takeaway for security leaders evaluating AI tooling is the same one that applies everywhere in this issue, benchmark on your own workloads, because list pricing and leaderboards will mislead you.
xAI’s Grok CLI Exfiltrates Your Entire Repo
The week’s biggest AI trust story, a researcher discovered that xAI’s Grok CLI coding agent was silently uploading users’ entire Git repositories, including full commit history, files the agent never read, and unredacted .env files, to xAI-controlled cloud storage.
Nikita Benkovich shared a good breakdown of the finding. In one test, a 12 GB repository produced 5.10 GiB of uploads while actual model-response traffic in the same session was just 192 KB, and a planted canary file the agent never touched was recovered verbatim from the intercepted traffic.
Worse, turning off the “Improve the model” setting didn’t stop the uploads, the toggle governed training use, not transmission. xAI disabled the uploads server-side on July 13, with Elon Musk stating previously uploaded data would be “completely and utterly deleted.”
This is exactly why the conversations happening at the leadership level, from Alex Karp to Satya Nadella’s reverse information paradox piece above, about frontier labs training on customers’ alpha and proprietary data matter so much. Your codebase is your IP, and increasingly your alpha, and this incident shows the gap that can exist between what an AI vendor’s settings imply and what the telemetry actually does.
Trust, but verify, and maybe run a proxy.
An Open-Weight Model as Capable as the Restricted Ones
Futurism covered the release of GLM-5.2, an open-weight model from Beijing-based Z.ai that researchers say can perform large-scale coding tasks similar to Anthropic’s Mythos 5, the model the U.S. government restricted over national security concerns and which remains available to only around 100 U.S. organizations and government agencies.
As Armadin founder and CTO Travis Lanham put it,
“an attacker can run it locally without safety guardrails, fine-tune it against their specific targets, and operate with zero visibility to any provider or defender,”
This is the exact point Joshua Saxe has rightly made in various blogs that I’ve shared previously.
This is the fundamental tension in the model restriction debate, export controls and access gates on U.S. frontier models don’t mean much when open-weight equivalents ship from jurisdictions that don’t share those controls. Joshua Saxe’s piece below makes the policy argument in depth.
The Rise of Affordable Models - GLM and Muse Spark on Cyber
Staying on that thread, XBOW benchmarked GLM-5.2 and Muse Spark 1.1 on offensive security tasks, finding GLM-5.2 performing somewhere between GPT-5 and Opus 4.6, short of the true frontier but remarkably capable for the cost. Their framing is the right one,
“GLM does not need to become Mythos to change the threat landscape. If a lower-cost model can perform useful offensive work at scale, then it is already relevant,” because “attackers do not usually need the best model in the world. They need a model that can find one real vulnerability before the cost stops making sense.”
Offensive capability is being commoditized from below, not just advanced from above, and the economics of attack are changing faster than most defensive planning assumes.
Grok 4.5 and the Middle of the AI Security Market
XBOW also put Grok 4.5 through its paces, finding it eventually solves roughly 93% of the vulnerabilities in their benchmark, performing like a frontier model at a fixed number of iterations.
The more interesting finding is the price band, between roughly $1 and $10 per attempt, Grok 4.5 consistently delivered the highest observed solve rate of the models they tested, reaching approximately 75% around $1 compared with about 65% for the nearest alternatives. They describe it as “a sports car that is surprisingly practical.”
Taken together with the GLM piece, the pattern is clear, the middle of the market is where attack economics get decided, and that middle is getting crowded and cheap.
Context Bombs - Stopping AI Attackers in Their Tracks
On the defensive side of the AI attacker equation, Tracebit published clever research on “context bombs”, short text strings planted in decoy resources like canary secrets, environment variables, and DNS records along an attacker’s likely path, designed to trip the built-in safety guardrails of offensive AI agents mid-intrusion.
Across 152 runs in simulated AWS environments, agents achieved at least one attack path in 91% of baseline runs versus only 15% in bombed ones, with admin privilege escalation dropping from 57% to 5%. One frontier model achieved admin access in 93% of baseline runs but failed every single time once a context bomb was in play.
There’s a delightful irony in defenders weaponizing prompt injection, the same class of weakness attackers exploit, as a tripwire. Also interesting, Western models halted on strings referencing sensitive biological topics, while Chinese models halted on politically sensitive topics written in Chinese.
Deception and canary techniques have always been underrated, and they may be entering a golden age against machine adversaries, a point I’ve seen others such as Gadi Evron make.
AI Is Exposing Cybersecurity’s Biggest Assumptions
Nir Zuk, Palo Alto Networks co-founder and now founder/CEO of Cylake, argues that the industry’s AI conversation is focused on the wrong bottleneck. The problem isn’t model intelligence, it’s data architecture, “an AI agent cannot defend what it cannot see,” and today’s fragmented security data can’t feed AI-driven detection.
His cost math is sobering, estimating that continuously running LLM-based detection over enterprise telemetry at scale would cost approximately $158 million per year at current frontier model pricing, and that even a one-million-token context window covers roughly 40 seconds of enterprise activity.
You can quibble with the assumptions (few would propose brute-forcing raw telemetry through a frontier LLM), but the underlying point stands, “AI does not reduce the need for data. It dramatically increases it,” and unified data architecture remains the unsolved problem underneath all the AI SOC hype.
The Origins of Ill-Conceived Model Cyber Restrictions
Speaking of Joshua Saxe, he wrote a sharp critique of model cyber capability restrictions, arguing the policy community adopted a flawed capabilities-centric view of model risk when an ecosystem-centric view would serve U.S. security far better.
His reasoning is that defenders benefit more from unrestricted access to capable models than attackers do, attackers can simply shift to non-monitored open-weight models (see GLM-5.2 above), and distillation makes capability diffusion inevitable anyway, with one 2026 study distilling under 4,000 expert trajectories from a frontier model into a small open model and nearly closing the performance gap.
He also brings receipts on actual attacker AI usage, noting that the leaked Black Basta chats showed operators using ChatGPT for polished phishing letters and exploit debugging, useful but hardly a capability transformation. Given this week’s GLM-5.2 news, the piece reads less like a prediction and more like a description of the present.
The Untrusted Tenant: Rethinking Infrastructure Security for Agentic AI
Ken Huang and Edera’s Alex Zenla published a piece arguing for treating AI agents as untrusted tenants, shifting the security question from whether the model is safe to what the model can reach.
Their core claim is hard to argue with, “an LLM’s output is untrusted data. If you are executing actions based on that output, you are executing untrusted code.” They point to last summer’s Replit incident, where a coding agent deleted a production database during an active code freeze with no exploit and no injection, as proof that autonomy plus access is enough for catastrophe.
The prescription is hard multi-tenant isolation, hardware-enforced boundaries, a separate kernel per workload rather than shared-kernel namespaces, scoped credentials, and default-deny networking, with modern microVM boot times meaning strong isolation is no longer the performance tax it once was.
I dove into all of this myself with Alex not long ago on the Resilient Cyber Show
When Agents Remember Too Much - Memory Poisoning Attacks
A new paper on arXiv introduces GhostWriter, a memory poisoning attack against tool-using personal LLM agents with long-term memory. The attack works in two phases, injection (an adversary plants a hidden payload, for example via email the agent processes) and activation (the poisoned memory is later retrieved and steers behavior), and the results are rough, approximately 98% injection rates and approximately 60% average activation rates against state-of-the-art agents.
The authors also propose a defense, AM-Sentry, combining memory-saving policies and retrieval screening.
Agent memory is a persistence mechanism, in both the product sense and the attacker sense. As agents accumulate long-term memory across sessions while ingesting untrusted inputs, poisoned memories become the agentic equivalent of a backdoor that survives reboots.
It’s another example where the utility of agents create the very circumstances for security risks and compromise, something I’ve been calling the Security vs. Usability tradeoff.
OWASP Agent Memory Guard
Conveniently paired with the above, OWASP has an open source project called Agent Memory Guard, a runtime defense layer that sits as middleware between an AI agent and its memory store, screening every read and write for prompt-injection markers, secret and PII leakage, protected-key modifications, and churn attacks.
It serves as the reference implementation for ASI06: Memory Poisoning from the OWASP Top 10 for Agentic Applications, and its published benchmarks show a 92.5% detection rate with 100% precision at 59 microseconds of median latency.
It’s early-stage, but this is the kind of concrete, deployable control the agentic security conversation needs more of, and it ships with drop-in LangChain middleware for those who want to kick the tires.
Contextual Agent Security - A Policy for Every Purpose
Google researchers Lillian Tsai and Eugene Bagdasarian make the case that static security policies cannot scale to generalist agents, because judging an action’s safety requires knowledge of the context in which it takes place, and this is a point I agree with. It’s why we see so much discussion around agent security right now and topics such as “intent analysis”.
Their proposed framework, Conseca, generates just-in-time, contextual, human-verifiable security policies with deterministic enforcement, rather than relying on manually crafted allow-lists or user confirmation fatigue. In their evaluation, Conseca preserved roughly 60% task completion (versus ~70% for unrestricted agents) while denying contextually inappropriate actions, where static restrictive policies dropped completion to zero.
This is a position paper rather than a product, but the direction feels right. Agent authorization has to become dynamic and contextual, because the space of things a generalist agent might legitimately do is too large to enumerate in advance.
That said, I did see a follow up from the paper from Google that they’ve begun implementing contextual based access control in their platform, building on these principles.
When OWASP LLM Risks Meet Agentic
Steve Wilson, who founded and leads the OWASP GenAI Security Project and literally wrote the book on LLM security, published a piece on how the OWASP LLM Top 10 risks translate into the agentic context.
With OWASP’s Top 10 for Agentic Applications now out and agentic deployments accelerating, mapping the two risk frameworks together is timely work, and Steve is about as authoritative a voice as exists on this topic
CMU Helps Close a Critical Security Gap Across AI Platforms
Carnegie Mellon’s Software Engineering Institute and partners launched FLARE-AI, an open source platform for standardized, machine-readable reporting of AI flaws, vulnerabilities, and incidents, routing reports to the right developers, vendors, and government bodies. It connects to the VINCE coordination environment, enabling CERT/CC to issue CVE IDs and vulnerability notes for AI systems, and SEI’s AI Security Incident Response Team will review submissions for coordinated disclosure.
As SEI’s Lauren McIlvenny notes, “a reporter might spot a problem in a particular model or system, but they’re not looking across all the vendors,” which is exactly the gap in AI flaw handling today, where the same weakness often exists across many models and platforms with no mechanism to coordinate disclosure. Between FLARE-AI and GOLD EAGLE above, the vulnerability coordination infrastructure for AI is starting to take real shape.
Couple this with the various commercial vulnerability clearinghouse efforts recently and it is feeling like while they are all good, it will lean to a bit of sprawl and trying to rationalize the outputs and data from each of the efforts too.
Limiting Reagents - Why AI Coding Isn’t Shipping Features
Keegan Hines borrows a concept from chemistry to explain why AI coding isn’t translating into shipped features, in any reaction, the limiting reagent determines the yield, and the argument here is that raw code generation was rarely the limiting reagent in software delivery, so accelerating it alone doesn’t accelerate shipping.
This dovetails with the Dark Reading piece in the AppSec section, if security review and vulnerability remediation are among the limiting reagents, AI-accelerated code generation just piles up work-in-progress in front of them.
In other words, the bottleneck just moves to other areas of the process and/or system.
A Framework for Frontier AI and the Dawning of a New Age
Google DeepMind CEO Demis Hassabis published a proposal for frontier AI governance, calling for a U.S.-led Frontier AI Standards Body modeled on a federally overseen public-private partnership or self-regulatory organization, much like FINRA, that would independently safety-test frontier models, with labs voluntarily sharing models for review up to 30 days before release. He believes AGI is probably only a few short years away and describes the magnitude of the technology’s impact as “perhaps 10x of the Industrial Revolution at 10x the speed.”
Whatever you make of the timeline claims, the fact that the leader of one of the world’s premier AI labs is publicly calling for independent pre-release safety testing, with cyber capabilities explicitly among the catastrophic risks in scope, says a lot about where the frontier conversation has moved.
The proposal’s emphasis on applying to all frontier-class models regardless of origin or openness will be the hard part, as this week’s GLM-5.2 coverage makes clear. It received positive attention from various industry leaders in my feeds, such as Elon, Satya and Sam Altman.
AppSec
Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days
July’s Patch Tuesday set a record, with Microsoft patching 622 vulnerabilities, including 416 in Windows and 164 across the Office suite. Two zero-days were already exploited in the wild, CVE-2026-56155, an Active Directory Federation Services flaw allowing local privilege escalation to administrator, and CVE-2026-56164, a SharePoint Server bug enabling network-based privilege escalation without authentication.
A BitLocker security bypass (CVE-2026-50661) was also publicly disclosed before patches were available, and the release includes a CVSS 9.9 Windows VMSwitch issue.
Prioritize the AD FS and SharePoint fixes if you haven’t already, and keep the 622 number in mind as you read the next two items, because it isn’t an anomaly, it’s a trendline of AI’s impact on the industrialization of discovering vulnerabilities, both for vendors and attackers.
Evolving Windows Vulnerability Management for AI-Powered Discovery
Right on cue, Microsoft published a piece on evolving Windows vulnerability management that amounts to a heads-up for every Windows shop. AI is making it possible to find more issues, faster, across more code, including through their multi-model agentic scanning harness (MDASH), and:
“as AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release.”
Microsoft is framing the coming surge in patch volume as defensive success rather than declining code quality, and there’s truth to that, but from the operator’s seat the effect is the same, more patches, more often, with the same change windows and the same staffing.
Vulnerability management programs built around monthly cadences and manual prioritization are going to buckle, and the mid-year CVE data below shows why.
CVE Mid-Year 2026 Check-In: Volume Vertical, Exploitation Rare
Per Vulnerability Researcher Jerry Gamblin’s mid-year CVE check-in, 35,364 CVEs were published in the first half of 2026, averaging 195.4 CVEs per day and representing 49.5% growth over H1 2025, putting the year on pace for roughly 72,000 CVEs. Meanwhile, only 85 of those H1 CVEs, 0.24%, appear in CISA’s KEV catalog.
As Jerry puts it, the volume curve has gone vertical while exploitation has not, and the challenge is signal-to-noise, not patch volume. This is the data underneath everything else in this section. Discovery is industrializing while exploitation remains rare and concentrated, which means context and prioritization, not raw patching throughput, determine whether your program survives the curve.
Signal Over Noise: AI Agents and the Operator Moat
One of the more interesting first-person accounts I’ve read on AI’s impact on offensive security work, ads (@0xmoose) who is an AI red teamer at Dreadnode documents how agents scaled his personal bug bounty output, with 2026 submission volume reaching nearly 6x his full-year 2025 output in roughly six months, including a peak day of 21 reports. The key detail is that quality improved while volume scaled, with reports closed without acceptance dropping from 32% to 24% across 853+ submissions spanning 78 unique CWEs.
His thesis is that the durable moat is the expert operator, the human who scopes targets, validates findings, reads agent traces, and acts as final arbiter between real vulnerabilities and false positives, not the agents themselves. AI scaling submission volume, and AI validating it on the receiving end. Every program in between is about to get squeezed.
PR3TACK: The Preemptive Tactics & Countermeasures Knowledgebase
Out of FIRSTCON26, Atlassian’s Vishal Thakur introduced PR3TACK, a knowledgebase of plausible-but-unobserved adversary TTPs designed to close the “anticipatory gap” left by retrospective frameworks like MITRE ATT&CK.
It spans 17 tactic categories, 6 of them exclusive to the framework, including Pre-Positioning (think sleeper commits in open source projects), Cognitive Manipulation (alert flooding, adversarial logs), AI/ML Subversion, and Digital Exhaust Manipulation (weaponizing telemetry and threat intel feeds).
As the author puts it, “PR3TACK is not a crystal ball,” and its value “lies instead in shaping a culture of anticipatory defence.” With AI compressing the timeline from plausible to observed, cataloging what attackers could do before they do it feels less academic than it would have even a couple of years ago.
You Can’t Reverse Engineer Your Way Out of the AI Supply Chain Problem
The Semgrep team, including Isaac Evans, Cris Thomas (Space Rogue), and Katie Paxton-Fear, published a thoughtful piece on the AI supply chain problem, arguing that unlike traditional binaries, we have almost no ability to reverse engineer models today, which means even open-weight models can’t be trusted the way inspectable software can.
They cite poisoning research showing that the number of samples required to add a backdoor does not increase as the model increases in size, and invoke Ken Thompson’s trusting-trust lesson, you can’t trust a system simply because you can inspect what’s in front of you.
Their conclusion is that “provenance, reproducibility, and independent evaluation will matter far more than marketing claims or benchmark scores,” and they’re right, benchmarks are gameable and model cards are marketing. This applies to every model in this issue, not just the ones from any particular country.
3,245 Malicious Components in One Week
Speaking of the traditional software supply chain, open source malware researcher Paul McCarty flagged 3,245 malicious components identified in a single week in his recurring supply chain recap. Numbers like this keep making the case that malicious packages are a distinct problem from vulnerable packages, and most SCA tooling remains oriented toward the latter.
AI Coding’s Security Costs vs. Productivity Gains
Dark Reading’s Alexander Culafi asks the uncomfortable ROI question about AI coding tools, and the numbers he assembles deserve attention. GitLab’s 2026 AI Accountability Report found 91% of organizations using two or more coding tools, a SonarSource survey found 96% of developers said they do not trust AI-generated code to be functionally correct as is, Veracode research found 45% of AI generated code samples contained OWASP Top 10 vulnerabilities, and GitGuardian found AI coding assistant use increases the secrets incidence rate by approximately 40%, with AI-assisted commits leaking secrets at 3.2% versus a 1.5% baseline.
Add remediation labor, false-positive triage (with experts citing security teams spending up to 40% of their time on findings that are ultimately non-exploitable), and credential cleanup, and the productivity math starts looking murkier than the vendor decks suggest.
The gains are real, but the costs land in a different budget, usually security’s.
LLMs in SAST: Good, Bad, Costly
A grounded practitioner take on where LLMs actually fit in static analysis from Ali Yazdani. His argument is the highest-ROI role for LLMs is triage and explanation layered on top of deterministic SAST engines, not replacing them, since traditional SAST’s false-positive burden commonly runs between 30% and 100% of findings volume, and LLM triage has achieved 96% agreement with security researchers, with Semgrep’s Assistant now handling around 60% of incoming triage work for customers. LLM-alone scanning, by contrast, under-reports and creates false confidence.
My favorite line, “Accuracy isn’t a slope you slide down gracefully, it’s a cliff.” Alert fatigue has always been SAST’s costliest problem, and triage is exactly where a probabilistic system belongs, with a deterministic engine remaining the source of truth.
Final Thoughts
Stepping back from the individual stories, the through line this week is that the economics of security are being repriced in real time.
Discovery is industrializing on both sides, with CVE volume up nearly 50%, a record Patch Tuesday, offensive capability available at commodity prices, and bug bounty operators scaling 6x with agents. Meanwhile, the durable value keeps concentrating in the same places, context, validation, identity, and the humans who know what actually matters.
We’ve spent two decades optimizing for finding more things. Now organizations are doing the long overdue work of getting ruthless about deciding what deserves attention, and treating their data, their identities, and increasingly their AI agents as the assets and attack surface they actually are.
Stay resilient.


























