Welcome to issue #99 of the Resilient Cyber Newsletter! This week brought the first official numbers from Anthropic’s Project Glasswing, and they are staggering. Claude Mythos Preview identified over 10,000 vulnerabilities in its first month, with 6,202 rated high or critical severity. Dawn Song’s team at UC Berkeley showed that Mythos can autonomously exploit 157 out of 898 real-world vulnerabilities across userspace programs, V8, and the Linux kernel. And CrowdStrike and Google coordinated a simultaneous takedown of the Glassworm botnet, a sophisticated campaign that had been targeting software developers through poisoned VSCode extensions, npm packages, and 300+ GitHub repositories since early 2025.
On the market side, global AI spending hit $2.59 trillion in 2026, growing by roughly $1 trillion year over year. Cybersecurity stocks are surging. The Omdia Tech Titans index posted its strongest quarterly growth in 15 years. And Cloudflare cut 20% of its workforce while posting record revenue, with CEO Matthew Prince framing the layoffs as eliminating “measurers” in favor of builders and sellers.
Meanwhile, Anthropic published an engineering deep dive on how they contain Claude across products, Uber shipped a full agent identity architecture with attested actor chains, and Adversa AI found that the human approval prompt, the primary safety control in five major coding agents, can be bypassed through symlink manipulation.
Every security team is being asked the same question in 2026: how are we testing our AI applications and agents? Traditional pentesting wasn’t built for non-deterministic systems. DAST and SAST miss prompt injection, tool abuse, and the new attack surface that comes with agentic pipelines. That’s why AI pentesting is on every CISO’s evaluation list this year.
The Definitive Buyer’s Guide to AI Penetration Testing walks through why this category exists, what it actually does, and the eight questions that separate basic automated scanners from real offensive security platforms built for AI systems.
Thanks for reading the Resilient Cyber Newsletter! Subscribe for FREE and join 31,000+ readers to receive weekly updates with the latest news across AppSec, Leadership, AI, Supply Chain, and more for Cybersecurity.
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 31,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives
Mark O’Neill framed the number that puts every other market discussion into perspective. Global AI spending will reach $2.59 trillion in 2026, a 47% increase year over year.
The growth alone, roughly $1 trillion, exceeds the entire cybersecurity market. Evercore and Bank of America estimate AI capital expenditure between $800 billion and $900 billion for 2026, with projections exceeding $1 trillion by 2027. As I discussed in issue #98 with the strange economics of cybersecurity, AI deflates costs everywhere except security.
Every dollar of that $2.59 trillion creates new identity vectors, new attack surfaces, and new governance requirements. The cybersecurity market is not just growing alongside AI. It is growing because of AI, and the ratio between AI investment and security investment tells you how wide the gap between capability and protection remains.
At a $9 billion valuation following its latest funding round, Cyera acquired Genie Security for $50 million. Genie was five months old with five employees, had raised $3 million in seed funding from Mensch Capital and Dynamic Loop, and had deployed across hundreds of endpoints.
Genie’s founders, Nadav Noy and Noam Dotan, built endpoint-based AI data protection technology that Cyera needed to extend its platform. Wiz co-founder Assaf Rappaport was among the early investors. The acquisition pace in cybersecurity right now reflects a market where high valuations fuel rapid consolidation and time-to-capability matters more than building in-house.
For founders, $50 million for a five-month-old company with five people is the kind of exit that reshapes how early-stage investors think about cybersecurity.
The Omdia Tech Titans index showed the 18 largest technology suppliers generated $694 billion in Q1 2026, a 28.3% year-over-year increase and the fastest quarterly growth since 2011.
The full-year forecast projects 26.8% revenue growth, tracking toward $3 trillion annually. Semiconductors and memory are showing the highest growth, driven by AI infrastructure demand from NVIDIA, Samsung, AMD, and Broadcom. Jay McBain’s analysis highlights that cloud growth from AWS, Google Cloud, and Microsoft is accelerating as AI workloads move from experimentation to production deployment.
Matthew Ball’s cybersecurity research at Omdia projects cybersecurity spending at $311 billion in 2026, up 12%, with emerging categories like shadow AI governance, inference protection, and AI agent identity driving new budget allocation.
The network security market is forecast to exceed $50 billion by year-end 2026. Fortinet, F5, Palo Alto Networks, CrowdStrike, and Cisco are leading the surge.
The structural drivers are ones I have been tracking across multiple issues. Zero-trust architecture adoption, hybrid cloud security requirements, and AI-generated attack surface expansion are creating sustained demand that makes cybersecurity one of the most recession-resistant sectors in technology. M&A is reaccelerating with CrowdStrike acquiring Seraphic Security in January and Zscaler acquiring SquareX in February.
As I discussed in issue #98 with Check Point’s fourth Israeli acquisition, vendor consolidation continues to intensify. The public market performance validates the thesis that AI creates more security spending, not less.
Ed Sim flagged Matthew Prince’s internal memo as a must-read, and I agree. Cloudflare eliminated over 1,100 positions, roughly 20% of its workforce, despite posting record revenue.
Prince’s framing was unusually direct. The company exists to build product and sell product, everything else is friction. The positions eliminated were primarily what he called “measurers,” roles in middle management, finance, legal, internal audit, and revenue recognition. The argument is that AI agents can automate these functions, and organizations should restructure around builders (engineers) and sellers rather than measurer layers.
For cybersecurity, this is a preview of how AI-driven organizational restructuring will reshape the teams that security leaders work with. When the middle management layer thins, security governance that relied on those roles for enforcement needs new mechanisms. As I discussed in issue #98 with the headless architecture thesis, the enforcement points are moving.
The numbers tell the story on this one. Critical vulnerability rewards dropped from $9,250 to $2,257. High-severity payouts fell from $4,429 to $1,009. Medium went from $1,843 to $297. Low from $597 to $68.
HackerOne stated that the Internet Bug Bounty program is dynamic and bounty levels adjust based on active sponsor contributions. The program remains paused while they evaluate adjustments. Combined with the bug bounty structural damage I covered in issue #98, the economics of vulnerability research are being fundamentally reshaped.
When AI commoditizes discovery and platforms slash rewards simultaneously, the financial incentive that made bug bounties work for a decade is eroding from both sides. Daniel Stenberg’s observation that open source projects are experiencing DDoS-like effects from AI-generated reports adds another dimension. The entire researcher-platform-vendor triangle is under strain.
For anyone who thinks AI will eliminate security jobs, the data says otherwise. Cybersecurity job postings rose 11% year over year in Q1 2026 per Glassdoor. 64% of cybersecurity job listings now require AI, ML, or automation expertise.
41% of security teams cite AI as their top skill requirement. But the workforce gap has widened to 4.8 million unfilled positions globally, up 19% year over year. 70% of firms are prioritizing senior talent while only 12% focus on entry-level hiring.
The Goldman Sachs CEO’s NYT essay arguing that AI job fears are overblown seems to be correct, at least in cybersecurity. AI is creating more security work, not less. The challenge is that the skills required are evolving faster than the talent pipeline can adapt.
A bipartisan congressional coalition sent a paper titled “Reinvigorating Federal Cybersecurity Initiatives” to the National Cyber Director, urging action across four priorities.
Finalize the structure replacing CIPAC for critical infrastructure partnerships. Complete CIRCIA rulemaking with public engagement. Reauthorize the Cybersecurity Information Sharing Act of 2015. And reauthorize the State and Local Cybersecurity Grant Program with meaningful appropriations.
Combined with the CISA credential leak we discussed in last weeks and the ongoing congressional scrutiny, federal cybersecurity governance is under more pressure than at any point since the SolarWinds response. The gap between strategic ambition and operational execution at the federal level continues to widen.
The WEF Global Cybersecurity Outlook confirms what I have been tracking across every recent issue. 94% of respondents agree AI is the most significant cybersecurity change driver. 77% of organizations already use AI in cybersecurity operations. KPMG reports a 25% boost in threat intelligence efficiency.
Accenture moved analysis time from 15 minutes to one second. IBM’s ATOM automates 850+ analyst hours per month. But 87% flagged AI-related vulnerabilities as the fastest-growing risk category, and one-third of organizations have no process to assess AI tool security before deployment.
The report frames AI as something organizations must treat as a capability rather than a tool. Those that get the distinction right will convert cyber risk into competitive advantage. Those that do not will face threats that scale faster than their defenses.
Exploits used to take weeks to weaponize. With AI, hours. Patch cycles haven’t moved. CVE-driven prioritization isn’t keeping up. Brad Arkin (former Chief Trust Officer at Salesforce, Cisco, Adobe) joins Nadav Czerninski (CEO, Oligo) on what your stack actually has to do now.
You’ll learn how to prioritize exploitable exposures, move beyond CVE scores, & tighten the window between disclosure and response.
The data from Anthropic’s Glasswing initial update is the most significant vulnerability disclosure event since the creation of the CVE system. In its first month, Claude Mythos Preview identified over 10,000 vulnerabilities, with 6,202 rated high or critical out of 23,019 total findings across 1,000+ open-source projects. 1,726 were assessed as valid true positives at high or critical severity.
Cloudflare received 2,000 bug reports with 400 at high or critical severity. Mozilla had previously seen 271 Firefox vulnerabilities, a 10x improvement over the prior model. A wolfSSL certificate forgery flaw, CVE-2026-5194 at CVSS 9.1, allows attackers to masquerade as legitimate services. Average patching time for high-severity findings is two weeks, but some open-source maintainers are requesting a slower disclosure pace because the volume exceeds their remediation capacity.
As I discussed in a prior issue with the Glasswing partner sharing policy, the disclosure pipeline has widened while the remediation bottleneck has not. These numbers put concrete scale behind the crisis I have been tracking since Vulnpocalypse.
Dawn Song’s team at UC Berkeley released ExploitGym, and the results should change how every defender thinks about the threat timeline. The benchmark comprises 898 instances from real-world vulnerabilities across userspace programs, Google’s V8 JavaScript engine, and the Linux kernel.
Claude Mythos Preview successfully exploited 157 of those 898 instances, a 17.5% success rate. GPT-5.5 exploited 120. The exploits remained effective even with standard security defenses like ASLR and V8 sandboxing enabled. This is fundamentally different from the vulnerability discovery story. Finding bugs is one thing. Autonomously converting them into working exploits against production-grade defenses is another.
Combined with ExploitBench from issue #98 and AISI’s 4.7-month doubling time, the exploitation capability curve is following the same trajectory as the discovery curve, just with a lag. That lag is the defensive window, and it is shrinking.
This is the most comprehensive agent identity implementation I have seen from a non-hyperscaler. Uber rebuilt its identity and access technology stack with three components.
An Agent Registry for centralized agent identity management. An AI Agent Mesh for secure inter-agent communication and authorization, and a Security Token Service that embeds a full attested actor chain into each token, maintaining traceability from the originating user through every intermediate agent.
The problem they solved is real. Traditional identity models built around humans and workloads fail for agents because execution context gets dropped across agent hops, making it impossible to apply fine-grained access policies or maintain auditable chains.
As I wrote in my article on identity as the agentic AI problem and with other ecosystem activities such as AAuth, Entra Agent ID, Google Agent Identity, and AWS AgentCore OBO, the building blocks are converging. Uber’s implementation is the first end-to-end production deployment I have seen that maintains full actor chain attestation across an agent mesh.
Agentic identity is a topic I went deep into with prior guests, such as industry leader Karl McGuinness
This engineering deep dive deserves careful reading because it explains why containment, not permission, is the right mental model for agent security.
Between mid-2025 and January 2026, Anthropic received vulnerability reports through responsible disclosure that included code executing before user consent and malicious .claude/settings.json hook injection. Their response philosophy is to supervise what agents can do, not what they do.
The implementation uses sandboxes, virtual machines, egress controls, and file access boundaries, but the most revealing data point is about approval fatigue. Users approve approximately 93% of permission prompts. Claude Code’s Auto Mode was designed specifically to automate safer approvals and reduce friction.
As I discussed previously with the Sondera analysis and Caleb Sima’s boring future of agents, the harness and containment layer is where the real security work happens. Anthropic’s own data confirms that user-in-the-loop approval is necessary but insufficient. Architectural constraints must limit blast radius regardless of user decisions.
Microsoft’s philosophy here aligns with what I have been advocating. Safety must become a continuous engineering discipline, not a periodic checkpoint. Rampart is a pytest-native framework that encodes adversarial and benign scenarios as repeatable safety tests, runs in CI/CD pipelines, and creates regression coverage from red team findings and real incidents.
Clarity is a structured thinking tool for decision tracking and assumption pressure-testing before teams start building, but neither tool is a scanner. They are workflow instruments designed to embed safety into the development process where code originates.
Combined with Microsoft’s MDASH, the Foundry Security Spec from Cisco, and Anthropic’s containment engineering, the major AI infrastructure providers are converging on a shared insight. Agent safety is an engineering problem that requires engineering tools, not governance documents that nobody reads until after the incident.
Adversa AI found a vulnerability class that defeats the primary safety control in five major AI coding agents. Claude Code, Cursor Agent CLI, GitHub Copilot CLI, Gemini CLI, and Grok Build are all affected.
The attack, dubbed SymJack, works by weaponizing symlinked destinations in malicious repositories. When a victim approves a copy operation that looks benign, the symlink secretly overwrites the agent’s configuration files. The human approval step, the control that every vendor leans on as the foundation of safety, is the vulnerability being exploited. Anthropic hardened its approval flow after disclosure. Google and Cursor declined to patch. xAI and GitHub have not responded.
Combined with IDEsaster and IDEsaster2, the pattern is unmistakable. The development environment is the new attack surface, and the safety mechanisms designed to protect developers are themselves exploitable. As I wrote in my coverage of the OWASP Agentic Top 10, defense-in-depth is the only viable path when individual controls can be bypassed.
Assury’s argument connects to a theme I have been building across the last several issues. Just-in-time credential management is necessary but insufficient for agent security.
JIT addresses the credential lifecycle, granting permissions only for the required duration, but it does not address what agents do with those permissions while they hold them. Assury’s Enforce platform adds OPA-based granular policy with policy-as-code using Rego, tenant scoping, and custom rules on top of JIT credentials. The broader point resonates with Anthropic’s containment philosophy from their engineering post this week. Single controls, whether JIT, approval prompts, or permission boundaries, are individually bypassable.
The organizations getting agent security right are the ones layering multiple controls. JIT for credential lifecycle, policy-as-code for runtime behavior, audit trails for accountability, and containment for blast radius. No single layer is sufficient on its own.
For those following my work on the OWASP Agentic Top 10, this crosswalk between AIUC-1 and the Agentic Top 10 provides the most detailed gap analysis to date. The bidirectional mapping covers agent goal hijacking, tool misuse, identity and privilege abuse, memory poisoning, insecure inter-agent communication, cascading failures, trust exploitation, and rogue agents.
Eight priority areas for AIUC-1 enhancement were identified, with the most significant gaps in agent identity, runtime containment, architectural monitoring, supply chain attestation, and schema controls. The crosswalk confirms what I have been arguing since my earliest writing on the Agentic Top 10. Current compliance frameworks were not designed for autonomous agent systems. The mapping is the first step toward closing that gap.
PrimeSec’s framing resonates with what I have been writing since Security Throwing Toil Over the Fence. The security bottleneck has gotten 5x worse as development velocity increases and AI coding tools explode. Security teams can only manually review 5-10% of development work.
The answer is not expecting developers to become security experts. It is embedding AI-driven security guidance directly into developer workflows. As I wrote in Vulnerability Management and Developer Toil, the Linux Foundation study called security a “soul withering chore” for developers. Rather than fighting that reality, the pragmatic response is to democratize security knowledge and embed it where the code originates.
Combined with Microsoft’s Rampart, SecureForge, and Anthropic’s containment engineering, the tools to make this possible are arriving faster than the organizational change required to adopt them.
This is the supply chain attack story that brings everything together. On May 26 at 14:00 UTC, CrowdStrike, Google, and the Shadowserver Foundation executed a coordinated simultaneous strike against four Glassworm command-and-control channels.
Active since early 2025, Glassworm targeted software developers with source code and CI/CD access through three vectors. Malicious VSCode extensions. Poisoned npm and Python packages with postinstall hooks. And over 300 weaponized GitHub repositories. GlasswormRAT delivered information theft, credential harvesting, and full remote access across Windows, macOS, and Linux. The infrastructure used Solana blockchain, BitTorrent P2P, and Google Calendar for C2 communication.
As I wrote in Software Transparency and tracked across issues with PyTorch Lightning, Mini Shai-Hulud, and the TeamPCP open-sourcing of the Shai-Hulud worm, the threat actors are not targeting products anymore. They are targeting the developers who build them. Every compromised development environment is a supply chain entry point that propagates downstream to billions of users.
I have been tracking Daniel Stenberg’s experience with Mythos, and this week’s post, titled simply “The Pressure,” is the most personal and concerning entry yet. curl is receiving security reports at 4-5x the rate of 2024 and 2x the rate of 2025, averaging more than one report per day.
Quality has significantly improved, the reports are detailed and comprehensive, but at the halfway point of the current release cycle, the project has already confirmed 12 vulnerabilities, on pace for 30 published CVEs in 2026. Stenberg describes an imbalanced work-life situation under sustained high workload. This is not a story about AI capability, it is a story about what happens to the humans maintaining critical infrastructure when AI accelerates the discovery pipeline beyond their capacity to process it.
As I wrote about with VulnCheck’s first CVE wave, AI-assisted discovery is a permanent increase in velocity. The downstream human systems were never built for this pace.
If there is one piece this week that should be required reading for anyone evaluating AI scanning tools, this is it. Contrast Labs tested three AI scanning approaches against enterprise Java codebases and the economics are brutal.
A simple Sonnet scan reproduced only 17% of its findings across three runs. Claude Opus improved to 25% but showed a 28.6% swing between best and worst runs. Of 59 total findings, only 3, or 5%, were identified by all three tools. The headline number is that a $315 scanning fee translates into $128,000 in triage burden before the first fix.
AI scanning is valuable against certain problem classes like authorization logic, but using it as the foundation of a production AppSec program creates more work than it eliminates. As I have been writing since Vulnerability Management and Developer Toil, tools that generate volume without context are the definition of security theater, and yes, that can apply to using AI tooling too.
Wiz’s SDLC Security Report makes an argument that I think is underappreciated. Risk follows a power-law distribution in software development environments. A small set of packages gets disproportionately reused, and weaknesses in that concentrated set propagate across entire organizations.
CI/CD pipelines, identity systems, developer tooling, and automation platforms create systemic exposure when trust and reuse concentrate. The report argues that organizations should focus on where trust concentrates rather than chasing isolated findings.
This connects to the supply chain thesis I have been tracking since Software Transparency and reinforces why the Glassworm takedown this week matters so much. When adversaries compromise the development infrastructure that sits at the center of the trust graph, the blast radius is not a single application. It is everything downstream.
I have been tracking the discovery-remediation gap since Vulnpocalypse, and Novee’s Agentic Fix takes a different approach than most. Rather than building another scanner, Novee translates validated exploits from penetration testing directly into GitHub issues formatted for AI coding agents.
The platform is compatible with Claude, Copilot, Cursor, and Devin. The company raised $51.5 million within four months of inception, led by YL Ventures, Canaan Partners, and Zeev Ventures. The founding team includes national-level offensive security leaders. What makes this interesting is the directional bet. Instead of trying to fix the discovery problem, which AI has largely solved,
Novee is attacking the remediation bottleneck by feeding validated exploit context directly to the agents that write fixes. As I discussed with AISLE’s VulnOps model, the value chain is shifting from discovery to remediation, and the companies that close that loop will define the next era of vulnerability management.
Niels Provos delivered this talk at the CSA AI Summit on April 7, 2026, twelve years to the day after the OpenSSL Heartbleed disclosure. His central argument is that security strategy must shift from detecting zero-days to containing their impact through invariants built at the hardware and data layers.
2FA, default-deny egress, allowlisted execution, memory tagging, and context-aware access control create boundaries that hold even when the vulnerability is novel. Anthropic’s Mythos agent surfaced a bug in OpenBSD code from 27 years prior, which illustrates the point. If your security depends on finding every vulnerability before an attacker does, you have already lost.
The organizations that survive the next zero-day will be the ones that built containment in time. This aligns with Anthropic’s containment philosophy from their engineering post this week and with AISI’s 4.7-month capability doubling.
Perplexity released its internal supply chain security scanner as open source on May 22, and the design philosophy matters as much as the functionality. Bumblebee is written entirely in Go with zero non-stdlib dependencies.
It earned 1,450+ GitHub stars and 112+ forks in less than a week. The core principle is “never execute anything.” It reads lockfiles directly without invoking npm, pip, bun, or any package manager. It never runs postinstall scripts, which are the primary attack vector in supply chain compromises like Mini Shai-Hulud.
The scanner covers npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer, MCP configurations, editor extensions, and browser extensions. For security teams dealing with the Glassworm-style developer targeting described above, a read-only inventory tool that cannot trigger the attack vectors it is scanning for is exactly the right design.
Amy Chang’s work at Cisco on LLM adversarial evaluation addresses a gap I have been pointing to across multiple issues. How do you compare the security posture of different LLMs before selecting one for production?
Cisco’s LLM Security Leaderboard evaluates model susceptibility to malicious prompts, jailbreak attempts, and manipulation strategies. This is the kind of practical tooling that security teams need when the procurement decision includes choosing which model to deploy. Combined with Anthropic’s containment engineering, Microsoft’s Rampart, and ExploitBench. The ecosystem for measuring and testing AI security is rapidly maturing.
The question is whether organizations adopt these evaluation frameworks before or after the first breach involving a poorly chosen model.
Sondera’s framing of the “PBJ problem” connects to the broader shift from prompt-level safety to architectural enforcement that I have been tracking. The argument is that agent governance cannot depend on what happens at the prompt layer.
It must enforce policies after the prompt, during execution, through deterministic control planes. Sondera implements this through Cedar Policy Language integration that hooks into coding agents at the API level, providing enforcement for Claude, Cursor, Gemini, and other tools.
As Anthropic’s containment engineering post confirmed this week, 93% of user permission prompts get approved. When the human-in-the-loop approval rate is that high, the approval step is not providing meaningful security. Post-prompt policy enforcement that operates regardless of user decisions is the architecture that actually reduces risk.
Final Thoughts
This was the week that numbers replaced narratives.
Anthropic disclosed 10,000+ vulnerabilities from Glasswing’s first month. Dawn Song showed Mythos exploiting 17.5% of real-world vulnerabilities autonomously. VulnCheck documented CVE surges of 563% from AI-assisted discovery.
Contrast Security proved that AI scanning creates $128,000 in triage burden per $315 in scanning cost. Daniel Stenberg documented the human toll of receiving more than one security report per day against a 30-year-old codebase. And HackerOne slashed bounty rewards by 75%.
The story these numbers tell is consistent. The discovery problem is solved. AI finds vulnerabilities at a rate that exceeds every downstream system’s capacity to process them. The remediation problem, the prioritization problem, the human sustainability problem, and the economic incentive problem are all wide open.
The most encouraging developments this week were the ones that address those open problems. Uber’s agent identity architecture with attested actor chains. Anthropic’s containment engineering that supervises capabilities rather than individual actions.
Microsoft’s Rampart and Clarity for embedding safety into development workflows. Novee’s Agentic Fix that feeds validated exploits directly to coding agents. Perplexity’s Bumblebee that scans supply chains without executing anything. These are engineering solutions to engineering problems, and that is exactly what this moment requires.
