Subscribe now

Share

Hi 👋 - Hope you’re having a great week wherever you’re reading from!

The past 7 days have felt like 582 days lumped into a single week, on all accounts. On the personal front, I shipped Pt. II of my OpenAI Codex Logs detection series and Monad won 2 Latio awards for user reliability and being a data pipeline leader. A true testament of how much the team has been cooking and what’s to come :)

I’ve been working a fair bit on AI tooling visibility and will share what I’ve come across so far soon so stay tuned on that front. For now, the Monad blog has the most recent updates.

Aside from that, more Mythos news of course, loads of funding (you’d think Blackhat is next week), and Opus 4.8 finds a very expensive bug.

TL;DR ✏️

• 🤷🏽‍♂️ Claude Opus found a bug causing $3B wipeout in Zcash — A public model surfaced a 4-year-old Orchard flaw in 24 hours; ZEC cap got cut in half.

• 🪶 Anthropic ships Claude Fable 5 — First public Mythos-class model, gated by a classifier layer a state-level team already cracked.

• 🔮 Salesforce’s triage agent hits 95% — SATA matches analysts on triage across 80,000 employees, if you have Salesforce’s budget.

• 🎥 fwd:cloudsec 2026 talks are live — All 38 sessions free on YouTube, heavy on agentic and neocloud risk.

• 📈 Cyera $600M round at $12B valuation — Led by Evolution Equity; valuation doubled since January. 7th major funding announcement.. Series G?

• 🥷 NinjaOne lands $400M+ secondary — Profitable, $500M ARR, and shopping for partners, not runway.

• 📊 Datadog drops 100+ features at DASH — AI Guard targets prompt injection; Agent Console monitors Claude Code, Cursor, Copilot.

• 🔑 Opal raises $23M for AI-native identity — Governs access for humans, service accounts, and agents; five senior hires alongside.

Plus: Kramer and Kurtz pile into the same Series A, AI-native identity keeps pulling checks, and an agentic vuln remediation continues its streak.

Your Agents Just Got Interactive

New from BlinkOps: interactive agents. Over a year ago we shipped the first natural language agent builder in security, where you set an agent's role, guardrails on how it reasons, limits on what it can do, plus its abilities and knowledge. Now those same agents are interactive.

Open a standalone chat and put one to work, ask questions, run an investigation, act on your policy, no workflow required. The agentic layer for SecOps just got hands-on.

See it in action

⚒️ Picks of the Week ⚒️

Claude Opus 4.8 Found a Zcash Bug That Wiped $3B in Market Cap

More than $3 billion in Zcash market cap vanished after a researcher pointed Claude Opus 4.8 at the Orchard shielded pool and found a critical flaw inside 24 hours. ZEC ran to a $624 peak on June 4 as the market read the emergency fix as bullish, then cratered to the low $300s the next day, cutting the cap in half. Arthur Hayes dumped his entire position on the way down.

Taylor Hornby, hired by the Zcash team to hunt exactly this, used the model the day after Opus 4.8 shipped and surfaced a bug that had been live since Orchard launched in May 2022. A validation check that looked like it was enforcing the rules wasn’t, so an attacker could feed false inputs and double-spend inside the shielded pool while the zero-knowledge proof system signed off as legitimate 🤯

The wild part is the because Orchard is a privacy pool, there is no cryptographic way to determine whether the bug was exploited at any point in those four years. The team’s assessment is that exploitation was unlikely, but they’re explicitly telling users not to rely on that, and are pursuing a network upgrade called “turnstile accounting” that forces every Orchard coin through a verifiable checkpoint to expose any counterfeit supply.

Between DPRK having stolen $7B+ in crypto and security kerfuffles like this in privacy/security-oriented coins, I truly don’t see cryptocurrency picking steam back up. The trust is gone and then there’s the looming threat of

Dig Deeper: Shielded Labs disclosure thread | Yahoo Finance on the undetectability problem

Anthropic Brings Mythos to the Masses With Claude Fable

Anthropic shipped Claude Fable 5, the first public model in the Mythos family, the one they sat on in April because it was “too good at finding bugs”. The whole release hinges on a safeguard layer, so that’s where the attention belongs. Also uses 2x the tokens as Opus 4.8 so use carefully.

Fable 5 runs separate AI classifiers in front of the model. Trip one on cybersecurity, biology and chemistry, or distillation and the request gets handed to Claude Opus 4.8 instead. The cyber net is widest, covering the full agentic kill chain (recon, lateral movement, exploit-gen), and Anthropic says it stops Fable from making any progress on offensive tasks. Over 95% of sessions never hit a fallback; bio and chem are tuned hardest and mostly punt to Opus for now.

We just watched a public Opus model find a four-year-old Zcash flaw in 24 hours. The capability is proven. The guardrail is two months old and a state-level team already found a seam. Bet accordingly.

Dig Deeper: Anthropic’s announcement | TechCrunch

Salesforce Built an AI Agent That Triages Security Alerts at 95% Analyst Agreement

Salesforce dropped an autonomous triage agent, SATA (Security Alerts Triage Agent), into production across 80,000 employees and is claiming ~95% agreement with human analysts.

Triage context is scattered across the case system, the log platform, and the runbook tooling stitched across it, and the logs are too fat to shovel into a model’s context without timing out. Salesforce had the agent call SOAR workflows to fetch only the slice each decision needs, ran multiple agents over the same case, and let a confidence score kick the inconclusive ones back to humans.

Salesforce is about as well-instrumented as a security org gets. $140B+ market cap, compute to burn, and an in-house agent platform in Agentforce their security teams already lean on hard, one of those agents has reportedly chewed through 44,000+ prompts and clawed back 3,000+ analyst hours. SATA is the autonomous-triage extension of a muscle they’ve built for two years.

Great write-up on what it takes to roll your own triage agent that is actually good.

fwd:cloudsec North America 2026 Talks Are Live on YouTube

All 38 talks from fwd:cloudsec North America 2026 are up on YouTube, free. This is the one cloud security con that isn’t a vendor pitch deck in disguise: independent, community-run, attack and defense research with the honest discussion of where security features actually fall short. This year’s theme leaned hard into agentic and neocloud risk. As a taste, Upwind’s Dan Gansel demoed C2 through an AWS data perimeter via Bedrock-AgentCore, abusing trusted AI services to slip past perimeter controls, plus the CloudTrail signals to catch it. Block out a weekend. This is the highest signal-to-noise content in the space right now.

Fun fact: I presented at fwd:cloud in 2022 on leveraging Azure Resource Graph for good and for evil 😈.. Easily in my top 3 of conferences.

Cyera Raises $600M at $12B Valuation

Cyera closed a $600M round at a $12B valuation, led by Evolution Equity Partners with participation from Cyberstarts, Temasek, and all existing investors including Accel, Blackstone, and Coatue.

That’s $2.3B raised total, with the valuation doubling since January’s $400M round at $9B and quadrupling over two years. The pitch has evolved from DSPM into an AI trust layer: this year’s AI Guardian launch positions Cyera as the control plane for what AI agents can see and touch across enterprise data.

Five months between mega-rounds at a 33% valuation bump is less about needing capital and I’d imagine for more acquisitions, GTM, and capitalizing on good raising conditions.

🔮 The Future of Security 🔮

AI Security

Datadog Launches 100+ Features at DASH, Leans Into Agent Security

Datadog unveiled more than 100 capabilities at DASH, its annual conference and the company’s biggest product moment of the year. The headline is Bits AI expanding from root cause analysis into autonomous detection, investigation, and remediation under predefined guardrails.

The security drops:

• AI Guard: blocks prompt injection and agent poisoning by pairing agent telemetry tracing with behavioral anomaly analysis, catching what single prompt-and-response checks miss

• Agent Console: centralized monitoring for AI agents and agentic dev tools, including Claude Code, Cursor, and GitHub Copilot

• Bits Detection and Agent Evals: always-on infrastructure scanning plus debugging and fix generation for AI agents

Datadog is my former employer so it’s super good to see them keep pounding the momentum. The observability data was always the moat, and pointing it at agent security is the right move.

More AI Security News

• Zscaler launches AI Broker and Endpoint AI Security for agents

• Snowflake and 1Password tackle the growing challenge of securing AI agents at scale

• OpenAI Unveils ChatGPT Account Security Controls

Cloud Security

Aryon Security Raises $25M Series A

Aryon raised a $25M Series A led by Brightmind Partners and Shlomo Kramer’s Skinos Ventures, with Datadog Ventures and CrowdStrike CEO George Kurtz participating; total funding hits $38M since late 2024.

The founders came out of Matzov, the IDF’s cyber defense unit, and built the company on lessons from securing Project Nimbus. Kramer and Kurtz on the same cap table is a strong signal for a 44-person company.

Endpoint Management

NinjaOne Secures $400M+ in Secondary Funding

NinjaOne raised over $400M in secondary funding, the second extension of its 2024 Series C, with CapitalG, Sequoia, and ICONIQ participating. The company says it crossed $500M ARR in 2025, turned profitable last quarter, and self-reports nearly 40,000 customer organizations. President Chris Matarese was blunt that the raise wasn’t about capital: “we used this round as an opportunity to pick the best possible partners.” A profitable endpoint management player taking secondaries at this size reads like pre-IPO positioning, not runway

Identity Security

Opal Security Raises $23 Million for AI-Native Identity Governance

Opal Security raised $23 million led by Greylock and Battery Ventures, bringing total funding to $59 million. The company governs access for employees, service accounts, and AI agents: just-in-time access by default, risk-based revocation, policy-as-code enforced across cloud, SaaS, and on-prem.

Opal also announced five senior hires in one shot, including a new CPO and CTO. A leadership overhaul of that size alongside fresh capital reads like a relaunch around agent identity, the lane every IGA vendor is now racing toward.

More Identity Security News

• Offroad launches with $7M to automate identity security with AI agents

• CrowdStrike and Zscaler Bring Continuous Identity to Zero Trust Access

Offensive Security

A Security Raises $37 Million for Autonomous Offensive Security Platform

A Security left stealth with $37 million to fight AI-driven attackers with AI of its own. The platform runs offensive and defensive agents continuously, chains vulns into real cross-domain exploit paths, proves exploitability through scoped execution with audit trails, then remediates at the source. Founders Yossi Torati (ex-Sygnia), Omer Gull, and Yuval Itzchakov (both ex-Hunters) pulled in Lightspeed, Cyberstarts, and angel checks from Wiz CEO Assaf Rapaport and Cyera CEO Yotam Segev.

AI-assisted OffSec is a crowded, well-capitalized field. Armadin, Kevin Mandia’s new outfit, took $189.9M in March, the largest early-stage raise in cybersecurity history. XBOW has raised north of $270M at a $1B+ valuation. Horizon3.ai sits near $186M and already powers the NSA’s autonomous pentest program. MindFort, ADCL, and a dozen more pitch the same “AI red-teamer that never sleeps” line.

It’s a long road ahead for this domain and everyone competing in it.

Vulnerability Management

Emphere Raises $2.1 Million for AI-Powered Vulnerability Remediation

Emphere raised a $2.1 million pre-seed from AI2 Incubator and Outsiders Fund to automate vuln remediation. The platform maps the software dependency graph to determine what is actually exploitable, then executes, validates, and ships patches without breaking downstream builds.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

The 2026 AI in Enterprise Security Survey

We built Surf AI to fix how enterprise security teams operate. Before we publish our take on where things stand in 2026, we want to hear from the people running those teams.

17 questions. Five minutes. One respondent wins a Peloton.

Take the survey

Hi 👋 - Hope you’re having a great week wherever you’re reading from!

Two of the biggest players in security reported earnings this past week and of course, AI was at the center. Truly impressive numbers and performance though. This past week has been one of the most newsworthy in recent months. However, before we dive in, I’ve been digging into the telemetry that agentic dev tools like Claude Code, Codex, and Cursor emit.

While I haven’t done much detection work in recent years, my brain is truly intrigued by what’s possible to detect with what these tools emit natively and thus, I’ve been shipping some of that research via the Monad blog which you can read here.

The latest in the series takes a look at what OpenAI Codex emits through OpenTelemetry. Logs, metrics, traces. All pretty rich with detection value. Below is a map of key fields emitted and what detection opportunities they unlock:

Now, onto the news!

TL;DR ✏️

• 🧠 CrowdStrike and Palo Alto blowout the AI quarter — Both anchored strong quarters to frontier AI, but Palo Alto’s faster growth and raised guidance made the cleaner case.

• 🪟 Microsoft’s disclosure problem gets messy — Windows zero-day PoCs turn into a broader fight over trust, researcher access, and coordinated disclosure.

• 🪽 Anthropic expands Mythos access — ENISA nears Project Glasswing access as Anthropic expands Mythos to 150 orgs across 15+ countries.

• 🏆 Security investors climb the Midas List — Wiz’s $32B exit lifts Cyberstarts, Sequoia, and Index near the top of Forbes’ 2026 venture rankings.

• 🐝 Perplexity open sources Bumblebee — Read-only dev-machine scanner checks risky packages, extensions, AI configs, and local tool metadata.

• 🔐 Cyera nears $300M at $12B valuation — Data security keeps heating up as AI makes access, classification, and exposure harder to govern.

• 📧 Doppel launches agentic email security — Product traces phishing campaigns to attacker infrastructure and coordinates takedowns across domains, profiles, and kits.

• 🛡️ Dragos acquires Phosphorus — Dragos adds xIoT discovery and remediation depth for OT and critical infrastructure environments.

Plus: ZeroDrift raises $10M for AI compliance controls; RevEng.AI raises $15M for binary analysis; and Lastwall raises $11.5M for quantum-resilient identity.

⚒️ Picks of the Week ⚒️

CrowdStrike and Palo Alto both anchored their quarters to AI, Mythos, and faster remediation

The two biggest names in security reported quarterly performance a day apart, and both pretty much ran the exact same pitch: AI broke the threat model, and they’re the ones selling the fix.

CrowdStrike put up fiscal Q1 revenue of $1.39B, up 26%, ARR at $5.51B, and beat on earnings. Shares still dropped more than 9%, after climbing ~60% this year. Palo Alto Networks posted fiscal Q3 revenue of $3B, up 31%, NGS ARR of $8.13B, up 60% (28% if you strip out the CyberArk and Chronosphere buys), and its best hardware quarter in a decade. It raised guidance everywhere and the stock shrugged.

George Kurtz: “the worlds of cybersecurity and frontier AI collided: this was the Mythos moment.” Arora went further, claiming frontier models can weaponize a vuln in minutes, so the only thing that survives is a platform that gets smarter as it scales.

No surprise on performance or themes to me and probably not for you either, but somehow Wall St. always seems surprised by security outcomes ¯\_(ツ)_/¯

Dig Deeper: CrowdStrike Q1 FY27 (SiliconANGLE) | Palo Alto Q3 FY26 transcript (Motley Fool)

Microsoft’s disclosure problem is bigger than one researcher

Microsoft is catching heat after a messy public fight with the researcher known as Nightmare Eclipse / Chaotic Eclipse, who published exploit code for several Windows zero-days tied to products including Defender and BitLocker. Microsoft says the disclosures were not coordinated and put customers at risk. The researcher claims Microsoft mishandled prior reports, cut off access, and left them with no good path back through the front door.

The easy take is that Microsoft should not threaten researchers. True, but incomplete.

The harder issue is that coordinated disclosure only works when researchers believe the process is real, fair, and available to them. Once the vendor response becomes account bans, legal language, and public condemnation, the incentive model breaks. You may stop one disclosure, but you also teach the next researcher to stay quiet, go anonymous, or skip coordination entirely.

Microsoft is right that public PoCs for unpatched bugs can turn into a fire drill fast, especially when the affected products sit close to the security foundation of Windows. But in security, trust is part of the patch pipeline. If researchers don’t trust the intake path, vendors lose early warning. And customers lose the thing they actually need most: time.

Perplexity open sources Bumblebee

Perplexity open-sourced Bumblebee, a read-only scanner for macOS and Linux developer machines that checks for risky packages and tool configs. The use case is simple: when a bad package or version shows up in an advisory, security teams can ask which laptops have it sitting on disk right now.

What it looks for:

• Risky packages and versions

• Browser extensions

• Editor extensions

• AI tool configs

• Other developer-tool metadata sitting on disk

That sounds boring, which is usually where useful security tooling lives. Bumblebee does not execute package managers or read source files, which matters when malicious packages abuse install scripts and dev workflows. It is not an SBOM replacement or EDR killer. It is a sharper way to answer the messy middle question between “what shipped?” and “what is running?”

Anthropic expands Mythos access in Europe and critical infrastructure

ENISA, the European Union’s cybersecurity agency, is close to getting access to Anthropic’s Claude Mythos through Project Glasswing. That would make it the first European entity in the program, while Anthropic is also expanding Mythos access to roughly 150 organizations across 15+ countries.

The rollout targets critical infrastructure operators across power, water, healthcare, communications, and hardware sectors.

Anthropic marketing continues to do the security thing well.

Security investors climb the Forbes Midas List

Forbes released its 2026 Midas List, with several security and infrastructure investors near the top. Gili Raanan of Cyberstarts ranked No. 4, Doug Leone of Sequoia Capital ranked No. 8, Shardul Shah of Index Ventures ranked No. 10, and Shaun Maguire of Sequoia Capital ranked No. 22. The common thread is Wiz, which was acquired for $32 billion.

Wiz created one of the cleanest and biggest venture outcomes in security, with Cyberstarts, Index, and Sequoia all tied to the cap table. Security is still producing elite venture outcomes when the company becomes a control point.

🔮 The Future of Security 🔮

AI Security

ZeroDrift raises $10M for AI compliance controls

ZeroDrift raised a $10 million seed round for an AI compliance layer that sits between models and end users, flagging and replacing responses that could create regulatory or policy problems. The company is starting with the least glamorous, most necessary slice of AI security: making sure model outputs do not casually create legal, compliance, or brand risk at runtime. Not everything in AI security needs to be jailbreak chess.

More AI Security News

• Geordie Raises $30 Million for AI Security and Governance Platform

• CrowdStrike Brings Enterprise-Grade Security to the AI Factory with NVIDIA Vera BlueField-4 STX

Application Security

RevEng.AI raises $15M for binary analysis

RevEng.AI raised $15 million in Series A funding led by the NATO Innovation Fund to expand its binary analysis platform for reverse engineering software and spotting malicious functionality inside compiled code.

Teams still need to understand what is actually inside the binaries they ship, buy, deploy, and execute, especially as AI-generated code makes the “who wrote this and what does it do?” question messier.

Data Security

Cyera nears $300M round at a $12B valuation, 80x ARR

Cyera is closing at least $300M led by Evolution Equity Partners at a $12B valuation, per TechCrunch. That’s around 80x its reported $150M+ ARR. The round lands five months after a $400M Series F at a $9B valuation. A second monster round five months after the last one says investors expect this to compound fast, and they’re probably right given how critical data security is to securing AI.

Email Security

Doppel launches agentic email security

Doppel launched an agentic email security product designed to disrupt phishing campaigns. The system traces phishing emails back to attacker infrastructure, then coordinates takedowns across spoofed domains, lookalike profiles, impersonation kits, and other campaign surfaces.

Exposure Management

CrowdStrike and NVIDIA scale exposure agents

CrowdStrike and NVIDIA are working to scale AI-native agents inside Falcon Exposure Management using NVIDIA Nemotron 3 Super models, NeMo Data Designer, and the NeMo Framework.

The goal is faster vuln remediation by letting specialized agents reason across exposure data, exploitability, asset context, and remediation paths. It is a vendor blog, so season accordingly, but the direction makes sense: exposure management is becoming less about ranking CVEs and more about turning messy context into decisions teams can actually act on.

Identity Security

Lastwall raises $11.5M

Lastwall raised an $11.5 million Series A extension led by BDC Capital’s StrongNorth Fund to expand its quantum-resilient identity platform across North America. The company sells into defense and government use cases, combining passwordless authentication, PKI, zero trust, risk-based login signals, and post-quantum TLS protection.

IoT/OT Security

Dragos acquires Phosphorus

Dragos acquired Phosphorus, an xIoT security company focused on discovering, assessing, and remediating risks across connected devices. The move gives Dragos broader visibility into device-heavy OT and critical infrastructure environments, with integrated device intelligence coming first and automated remediation workflows expected later. Financial terms were not disclosed.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

Hi 👋 - Hope you’re having a great week wherever you’re reading from!

I’m in Boston this week for their first ever TechWeek which surprisingly has quite a few security events. Last night, I hosted my first Darwin & Friends Dinner Club and it was a fun time with great operators. Shoutout to Monad and Fable Security for sponsoring it! One of our attendees even pulled up in their yacht so that was cool ¯\_(ツ)_/¯ (jk)

Tonight, I’ll be speaking on a panel with security leaders from Citizens Bank, DigitalOcean, Jiffy Labs and Scrut Automation, where we’ll cover how AI has changed security. Hosted at an art gallery with cocktail reception before 🎨. Come hang out if you’re in the area! You can RSVP here.

Now, let’s get into the news!

AI Agents Are Multiplying Faster Than Security Teams Can Track

AI agents are spreading across SaaS environments through ChatGPT integrations, Salesforce Agentforce, n8n workflows, custom tools, and embedded assistants. They act autonomously, keep persistent permissions, and connect to sensitive systems that security teams often can’t fully see.

Reco helps security teams discover AI agents, map their connections, and reduce the risk of data exposure before it happens.

Watch the Full Demo

TL;DR ✏️

• 🐳 Wiz’s 2026 report puts numbers on supply chain risk— Code, dev tools, automation, and AI are turning software delivery into one big trust problem. Shai-Hulud, TeamPCP, Megalodon, and poisoned packages make the timing feel very real.

• 📉 Zscaler gets punished after a strong quarter — Zscaler posted $850.5M in Q3 revenue, up 25% YoY, and $3.525B in ARR, also up 25% YoY, but the stock sold off after softer forward guidance.

• 🦈 Megalodon hits GitHub — 5,500+ repos were infected via fake automated commits that injected GitHub Actions workflows to steal CI secrets, keys, tokens, and credentials.

• 🔌 Socket raises $60M — Supply chain security startup hits a $1B valuation as the category expands from bad packages to IDE extensions, browser extensions, AI tools, and MCP servers.

• 🤖 Zscaler buys Symmetry — Zscaler adds data discovery and AI agent governance in an acquisition with undisclosed terms.

• 🧞 Cyera buys Genie Security — Cyera acquires a six-month-old Israeli startup for about $50M, adding endpoint-focused DLP for sensitive data leakage across employee devices, AI tools, and autonomous agents.

• 🧑‍🚒 7AI launches agentic MDR — Autonomous investigations with 7AI security engineers, pushing MDR from analyst assist toward agent-led SecOps.

• 🔐 AWS automates AD response — New Directory Service APIs let teams automate Microsoft AD user and group actions, including GuardDuty-to-Step Functions workflows that disable risky users.

⚒️ Picks of the Week ⚒️

Wiz's 2026 report puts numbers on supply chain risk

The software supply chain security space has been on fire this year, and not in a good way. Wiz’s 2026 SDLC security report gives a clear look at why. Supply chain attacks keep showing up in the same places: dependencies, developer machines, build systems, CI/CD, identity, and cloud credentials.

Shai-Hulud, Mini Shai-Hulud, TeamPCP, malicious npm packages, poisoned developer tooling, and stolen secrets all point in the same direction. The path from dev to prod is now one of the most useful routes for attackers, and teams are being forced to treat SDLC security as a core part of enterprise defense, not just an AppSec checklist.

That’s why the Wiz report hit. SDLC security is not just about finding vulnerable code anymore. It is about whether you can trust the packages, tools, workflows, agents, credentials, and people involved in shipping software. The question is no longer just “is this code vulnerable?” It is “can we trust how this code got here?” If you’ve been dealing with SDLC security in any capacity, this report is a must read as it puts empirical data to what we’ve all been experiencing.

Zscaler gets punished after a strong quarter

Zscaler reported a strong Q3, with revenue up 25% YoY to $850.5M, ARR up 25% YoY to $3.525B, and $100M+ in AI Protect bookings over the last 12 months, but the stock still sold off after softer forward guidance. The reaction says more about the current cyber tape than the quarter itself. Security stocks have been ripping, with names like CrowdStrike and Palo Alto trading near highs, so investors are punishing anything that looks like deceleration. The market moves fast. Just a bit ago, the SaaSpocalypse triggered by Anthropic had claimed a few “casualties,” and now we’re back near ATHs. Fun times.

This isn’t news but the earnings call transcript highlighted that security leaders are worried about AI-driven exposure: which users, apps, agents, and workloads can reach sensitive systems, under which identity, with what logging, and with what blast radius. Winning AI security products will need to show the graph: data, identity, apps, agents, and controls in one place.

Megalodon hits 5,500+ GitHub repos

Megalodon is the week’s clearest proof point for why SDLC security is top of mind. More than 5,500 GitHub repositories were reportedly infected through fake automated commits that injected malicious GitHub Actions workflows. The payloads were built to steal credentials, CI secrets, keys, tokens, and other sensitive data from developer and build environments.

The important part is that the attackers went after the pipeline. That is the same pattern behind Shai-Hulud, TeamPCP, poisoned packages, and malicious dev tooling. If attackers can compromise what builds the software, they can get access before anything ever reaches runtime.

Socket raises $60M as supply chain security heats up

Socket raised $60M at a $1B valuation, and the timing makes sense. The company started around open source dependency risk, but the category is getting bigger fast. Malicious packages, hijacked maintainer accounts, compromised release pipelines, IDE extensions, browser extensions, AI coding tools, and MCP servers are all becoming part of the same problem.

While Socket has had a great product and customer base for a while, the raise feels directly tied to what we are seeing in the wild. Attackers are moving earlier in the build process, and companies are realizing that runtime defense is too late if poisoned code already made it into the product.

AWS adds more automation for Managed Microsoft AD

AWS published a walkthrough for using its newer Directory Service Data APIs to automate identity lifecycle work in AWS Managed Microsoft AD. The APIs support user and group operations like listing users, retrieving details, disabling and enabling accounts, resetting passwords, and managing group membership through the AWS CLI, APIs, and console.

🔮 The Future of Security 🔮

AI Security

Zscaler buys Symmetry Systems for AI data security

Zscaler is acquiring Symmetry Systems, a data security startup focused on finding and monitoring data across cloud, on-prem, and air-gapped environments. The AI angle is the useful part: Symmetry can scan training datasets and monitor data ingested by AI agents, which gives Zscaler a stronger story around what agents can access, touch, and potentially leak.

This fits the broader AI security acquisition wave. The market is moving past “secure the chatbot” and into the harder problem of governing the data, identities, applications, and agents underneath it. Zscaler’s bet is that AI security will need an access graph that shows how identities, apps, agents, and data sources connect across the enterprise.

Data Security

Cyera buys six-month-old Genie Security

Cyera acquired Genie Security, a six-month-old Israeli startup, in a deal reportedly worth about $50M. Genie was building endpoint-focused DLP technology for detecting sensitive data leakage from employee devices, including leakage caused by generative AI tools and autonomous agents.

The fit is pretty obvious. Cyera already owns the data security layer, and Genie helps extend that control closer to laptops, phones, servers, and the messy places where employees and AI tools actually touch sensitive data.

Offensive Security

Terra adds continuous network exploitation validation

Terra added public preview support for continuous exploitation validation across network infrastructure, expanding its platform beyond web apps and AI systems. The pitch is agentic offensive security with human oversight across the full attack surface: web apps, AI, and network environments. Findings are verified for real exploitability, prioritized by business impact, and shown in one connected view so teams can see chained paths instead of juggling separate pentest, red team, and vulnerability reports.

More OffSec News

• Bugcrowd launches RL environments for AI vuln hunting

Security Operations

7AI launches agentic MDR

7AI launched PLAID ELITE, a fully managed agentic security operations service that pairs autonomous investigations with human oversight from 7AI security engineers. The service is positioned as AI-native MDR: agents handle alert ingestion, enrichment, triage, investigation, and response, while humans stay in the loop for review, escalation, and customer-specific context.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

Hi 👋 - Hope you’re having a great week wherever you’re reading from!

Ever since TeamPCP started popping off in March and the Mythos news broke, it feels like the security space has just been on overdrive. So many vulns, supply chain attacks, and breaches. Definitely a sign of what’s to come. HugOps to the defenders, product builders and security leaders securing our critical infrastructure and the companies we all rely on.

That said, I took last week off from TCP weekly as things continue to heat up at Monad, but I did ship a recap on the AI SOC Nasdaq event I attended earlier this month. Lots of gold around SecOps, board-level vibe, and how CISOs are using Mythos news to achieve better outcomes.

Also, I’ll be in Boston next week for Tech Week and am hosting a small intimate dinner on Tuesday for security leaders and practitioners. You can register here. I’m also speaking on a panel with security leader friends. More details here. If you’re in or around town, definitely come hang out for some friendly banter, great food and good vibes. DM me if you have any questions!

Lastly, our friends at Surf are running a short survey to help bring more insight into what’s actually happening across security teams, AI, and SOC workflows in 2026. Take the survey here.

Now onto this week’s news!

The Phishing Threat Evolved. Your Simulations Should Too.

Most phishing simulations are still templated emails. Adaptive runs hyperrealistic, multi-channel simulations: AI voice clones, OSINT-based spear phishing, and attacks across email, SMS, and phone. Fully automated, no manual lift.

The result: measurable reductions in click rates and a workforce prepared for what's actually hitting them today. Trusted by security teams at PayPal, Ramp, Bose, and more.

Tour the platform

TL;DR ✏️

• 🐙 GitHub’s rough quarter — Internal repos stolen via poisoned VS Code extension after 20 degraded-service incidents in three months.

• 📕 DBIR 2026 lands — Verizon analyzed 22,000+ breaches; vuln exploitation is now the top initial access vector exceeding credential theft

• ☁️ Cloudflare tests Mythos — Anthropic’s model chained low-severity bugs into working exploits across 50+ repos.

• 🐍 TeamPCP hits DurableTask — Malicious durabletask PyPI versions stole cloud, Kubernetes, Vault, and password manager secrets.

• 🍎 Mythos bypasses Mac defenses — Calif used Mythos to help build a macOS kernel LPE chain on M5 in five days.

• 🤖 Exaforce raises $125M — Series B brings total funding to $200M for its AI-native SOC platform

• 🌅 OpenAI ships Daybreak — New vuln defense initiative bundles GPT-5.5-Cyber, Codex Security, and yet another confusing name.

• 🌊 Ocean raises $28M — Lightspeed led the round for agentic email security startup

• 🧠 Torq buys Jit — Torq adds context graphs across code, identity, privileges, data sensitivity, and runtime behavior.

• 🌐 Akamai buys LayerX — $205M deal gives Akamai more AI and browser security controls

Plus: Boost Security raises $4M and buys SecureIQx + Korbit.ai; Tanium and ServiceNow automate endpoint patching.

⚒️ Picks of the Week ⚒️

GitHub says internal repos were stolen after poisoned VS Code extension attack

GitHub confirmed attackers compromised an employee device through a poisoned VS Code extension from the official Marketplace, then exfiltrated GitHub-internal repositories. GitHub says the incident appears limited to internal repos, with no evidence so far that customer enterprises, organizations, or repositories were impacted.

The attacker’s claim of roughly 3,800 stolen repos is “directionally consistent” with GitHub’s investigation, according to The Register, and GitHub says it is rotating secrets, reviewing logs, and watching for follow-on activity.

The absurd part is the attack path. GitHub, the platform everyone uses to secure, review, build, and ship software, got popped through the developer tool supply chain. Not a Mythos zero-click magic spicy nation-state digital nuke. A poisoned VS Code extension. GitHub’s line that customer repos were not affected matters, but internal source code is still useful attacker material. It can expose architecture, workflows, secrets hygiene, internal tooling assumptions, and future attack paths.

Zoom out and you can see Github has been in a tough spot recently. GitHub’s own availability reports show six degraded-service incidents in February, four in March, and 10 in April. That is 20 incidents in three months before May even gets a full report. GitHub has also said it is designing for a future that requires 30X today’s scale, driven by AI coding growth. The degraded service/ post-mortem reports are truly educative btw.

So the question is getting harder to dodge: can GitHub keep up with the AI-generated code flood, AI agent traffic, extension supply chain risk, and uptime expectations all at once, or is there finally room for a serious alternative that is safer, more boring, and online more often? Reuters reported in March that OpenAI is developing a GitHub alternative after recurring GitHub disruptions hit its engineers.

What GitHub does is hard. And doing it for how long they’ve done it is seriously impressive but have they been caught off guard by the nature of code in 2026?

How Databricks Scales Modern Identity Governance with Opal Security

Most identity governance platforms add work instead of reducing it. Databricks took a different approach with Opal, using automation and developer-friendly policy controls to manage access at scale while maintaining visibility and control.

Automated workflows speed provisioning.

Policy-driven governance scales access rules.

Unified visibility shows who has access and why.

Read the case study

Verizon DBIR 2026: Faster Old Problems

The 2026 DBIR is live, and it is 121 pages of hard data and reminders that the basics are still where most teams bleed. It is well worth the full read-through, especially this year, because the story is not “AI changed everything.” It is that exposed apps, slow patching, stolen creds, third-party cloud auth, help desk social engineering, and unmanaged AI are all moving faster. Verizon analyzed 31,000+ incidents and 22,000+ confirmed breaches, its largest breach dataset yet.

Here are the top 5 takeaways I’d pull out:

1. Vuln exploitation is now the front door.
   Exploitation of vulnerabilities became the top initial access vector at 31%, passing credential abuse at 13%. Only 26% of CISA KEV vulns were fully remediated, and median full remediation slipped to 43 days.

2. Ransomware grew, but payments cracked.
   Ransomware appeared in 48% of breaches, up from 44% last year. But 69% of victims did not pay, and the median payment fell to $139,875. That reads like margin compression for criminals.

3. Third-party risk is now core breach risk.
   Third-party involvement hit 48% of breaches, up 60% from last year. Weak cloud auth, missing MFA, poor credential rotation, and permission misconfigs keep showing up. Vendor risk questionnaires are not going to save us here.

4. AI is accelerating known tradecraft.
   Threat actors are using GenAI for targeting, initial access, malware development, and tooling. But less than 2.5% of AI-assisted malware observations involved rare techniques. AI is mostly making known bad work faster and cheaper.

5. Social engineering moved closer to the phone.
   The human element appeared in 62% of breaches. Mobile-centric vectors like voice and SMS had a 40% higher median click rate than email in simulations. Email training alone is starting to look pretty incomplete.

Cloudflare says Mythos can chain low-severity bugs into working exploits

Cloudflare tested Anthropic’s Mythos Preview across 50+ internal repos and found the model was best at the part scanners usually botch: turning small primitives into a working exploit chain. It could write PoCs, compile them, run them, read the failure, adjust the hypothesis, and try again. That loop matters because “possible vuln” is cheap. Reproducible exploitability is not.

The team also found the chat-agent model breaks down fast. One generic agent pointed at a huge repo covers basically nothing useful before context gets messy. Cloudflare got better results with a harness: recon, narrow parallel hunts, independent validation, gapfill, dedupe, reachability tracing, and structured reporting. The trace stage is the money step: it turns “bug exists” into “attacker-controlled input can actually reach it.”

This is the shape of AI AppSec that actually matters. Not “ask Claude to find bugs.” More like distributed vuln research pipelines with adversarial review and reachability analysis. Also, Cloudflare is honest about the ugly part: the same capability helps attackers compress vuln research timelines. Faster patching helps, but architecture still decides how bad the blast radius gets.

TeamPCP compromises Microsoft DurableTask PyPI package

TeamPCP compromised durabletask, Microsoft’s official Python client for the Durable Task framework, publishing malicious PyPI versions 1.4.1, 1.4.2, and 1.4.3. Wiz tied the attack to the earlier @antv wave: a compromised GitHub account likely dumped repo secrets, exposed the PyPI token, and let the actor publish directly.

The payload targeted Linux systems and stole AWS, Azure, GCP, Kubernetes, Vault, filesystem, and password manager secrets. It also added AWS SSM propagation, Kubernetes lateral movement, shell history scraping, and brute-force attempts against Bitwarden, 1Password, and GPG. PyPI quarantined the malicious packages after Wiz’s analysis.

TeamPCP are turning trusted developer infrastructure into a propagation layer: GitHub secrets to PyPI tokens, PyPI installs to cloud creds, cloud creds to lateral movement. The package manager is the initial access vector. The build and runtime environment is the blast radius.

Anthropic’s Mythos helped bypass Apple’s Mac security

Anthropic’s unreleased Claude Mythos Preview helped researchers find a macOS privilege escalation chain that reportedly bypassed Apple’s Memory Integrity Enforcement on M5 systems. The bug let a standard user gain root on macOS 26.4.1, according to reporting on Calif’s AI-discovered bugs work.

Frontier models are getting useful at chaining real vuln research against hardware-backed mitigations. Not good.

🔮 The Future of Security 🔮

AI Security

OpenAI launches Daybreak, plus a naming problem

OpenAI launched Daybreak, a cybersecurity initiative that uses GPT-5.5, GPT-5.5-Cyber, and Codex Security to find, validate, patch, and verify software vulnerabilities.

If you’re confused, that’s okay. I am too. The naming is getting messy enough that OpenAI may need marketing help, which is a deeply weird thing to say about a company with hundreds of million in marketing budget and that made “ChatGPT” a household name.

As best as I can tell: Trusted Access for Cyber is the vetted-access program, GPT-5.5-Cyber is the specialized model tier, Codex Security is the code scanning and remediation product, and Daybreak is the umbrella initiative for vuln defense.

Ultimately, OpenAI wants to own more of the remediation loop, not just give defenders a smarter bug-finding assistant. Finding more vulns is easy to market and brutal to operationalize.

Application Security

Boost Security raises $4M, buys two AppSec startups

Boost Security, founded by Zaid Al Hamami and Rajiv Sinha, raised $4 million from White Star Capital, Amiral Ventures, Accelia Capital, and Sorensen Capital, bringing total funding to $16 million. The company also acquired SecureIQx and Korbit.ai, adding reachability analysis, SAST, and AI-assisted code review to its SDLC defense platform.

Browser Security

Akamai buys LayerX for $205M to push AI controls into the browser

Akamai agreed to acquire LayerX for roughly $205 million, adding browser-level controls for GenAI apps, SaaS AI, IDEs, and agentic workflows. LayerX gives Akamai visibility and policy enforcement where employees actually touch AI: the browser, not some clean architecture diagram nobody’s environment matches.

The browser is becoming the AI security control plane. DLP, CASB, and proxy controls still matter, but a lot of risky AI use now happens in copy-paste land, browser extensions, SaaS copilots, and agents acting through web apps.

Email Security

Ocean raises $28M to fight AI phishing

Ocean emerged from stealth with $28 million for an agentic email security platform built to catch AI-generated phishing, impersonation, and fraud. The round was led by Lightspeed Venture Partners, with participation from Picture Capital and Cerca Partners, plus angels including Wiz CEO Assaf Rappaport and Armis co-founders Yevgeny Dibrov and Nadir Izrael. Customers include Kayak, Kingston Technology, and Headspace.

Endpoint Security

Tanium and ServiceNow team up on autonomous patching

Tanium and ServiceNow launched ITOM AI Prime powered by Tanium, a joint offering that feeds Tanium’s real-time endpoint data into ServiceNow workflows for patching and remediation. ServiceNow agents get endpoint state from Tanium, then execute OS and third-party patching through approved change processes.

ServiceNow is uniquely positioned for the long-run in security given how much enterprise IT context and visibility they have as a go-to CMDB + the recent Armis and Veza acquisitions. Will be fun to watch what they do in the space.

Security Operations

Torq buys Jit to bring context graphs into the SOC

Torq acquired Jit, an AI security startup building context graphs that map relationships across code, identities, roles, privileges, data sensitivity, and runtime behavior.

Jit started as a security-as-code platform with SAST, SCA, IaC scanning, secrets detection, container scanning, and SBOM generation, but Torq wants the graph layer underneath its AI SOC agents.

This is the right direction for AI SOC, at least on paper. Alerts without context are just expensive confetti. If agents are going to investigate or contain anything with confidence, they need an environment-specific graph of what matters, who can touch it, and what blast radius looks like. The hard part is keeping that graph fresh enough to trust.

More SecOps news

• Exaforce raises USD $125m in Series B for AI security

• Inside CrowdStrike Automated Leads: A Transformative Approach to Threat Detections

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

I recently attended Intezer’s AI SOC Live show, a one-day, invite-only gathering of CISOs and security leaders at Nasdaq’s MarketSite. While this trip was sponsored, this piece highlights what I extracted from the experience and thought would be most valuable to you.

One thing that kept coming up across nearly every session is that it's the hardest time to be a CISO and also the most exciting. Pavi laid out everything stacking against defenders right now and Doug kept coming back to how AI is making the CISO seat more rewarding than it's been in years. While we covered a lot of ground in one day, that tension was kind of the undercurrent for everything else.

TL;DR

• Mythos quietly opened a budget window. It spooked many execs and brought security to the forefront even more. CISOs can and should parlay this into more funding to bolster their security programs for what comes next.

• The walls between SIEM, SOAR, MDR, and EDR are collapsing. The AI SOC unlocks the speed and coverage to investigate every alert, not just the obvious ones.

• Tier 1 is dead, Tier 2 is dying. MSSPs and MDRs whose business model depends on selling tiered analysis have a real problem.

• Mitchem Boles proposed AVERT (Action-Verified Resolution Time) as the executive metric to replace MTTR.

• Procurement is shifting from multi-year to one-year deals. Renewal motions just got harder.

• Mature SOCs will win bigger from AI than immature ones. Good brakes make the car go faster.

While AI SOC was at the forefront, the takeaways ranged well beyond that: procurement strategy, MSSP business models, board-level budget dynamics, metric reframes, and architectural patterns for adopting autonomous approaches to security.

This post covers the 8 things I walked away with.

Mythos quietly rewrote the budget conversation in real time

When the Mythos news broke, one of the panelist CISOs (I forget which one) got pulled aside by four different C-suite executives in short succession, each offering more budget. Not “send us a plan.” More money, now, because they were genuinely worried Mythos-class capability in the wrong hands could end the company.

Doug Mayer (CISO, WCG Clinical) made the same point from another angle: “I’m a huge fan of the marketing around Mythos because it opens eyes and interest into security. CISOs should use this moment to educate the board and get more funding.”

The window is open. CISOs who go to their boards in the next two quarters with a clear-eyed plan for AI-era threats will get funded in ways they wouldn’t have a year ago. The ones who wait may already be being questioned behind closed doors. Everyone is AI-pilled and security leaders who aren’t being vocal + tactical about securing it, securing from it, and using it to secure things, risk falling behind.

We’re tuning out the wrong alerts

Itai Tevet (co-founder and CEO of Intezer) opened by addressing the elephant in the room. SIEM, SOAR, MDR, and traditional SOC models are all broken in the same way. Each layer requires humans to operationalize, and humans don’t scale. So teams tune out, filter down, and only chase what looks obviously anomalous or bad.

Alert fatigue and analyst burnout are real, but they’re organization-specific problems with organization-specific fixes. The bigger issue is the industry-wide pattern that we’ve been forced to accept for over a decade. We collectively decided low-severity alerts aren’t worth investigating, and we built our entire SOC operating model around that assumption. Intezer’s 2026 AI SOC Report puts a number on what that costs us: nearly 2% of low-severity endpoint alerts turn out to be real threats.. Tune those out at scale, you tune out real attacks at scale.

Itai’s reframe of the SOC operating model boils down to three rules: every alert is investigated, every investigation is consistent, detection posture improves with every alert. None of those work with a human-bottlenecked tier 1 queue.

The offense has gotten too fast for human-in-the-loop on every alert

Alon Cohen (CyberArk founder, Intezer executive chairman) followed with: “In a world of machine-speed attacks, human-speed defense is a suicide mission.”

A few months ago I would have called that fearmongering or an overstatement but this has only become increasingly true. Anthropic’ showed a model that weaponized 181 working attacks from a single Firefox vulnerability set, where the prior generation managed two. The November 2025 GTG-1002 disclosure showed nation-state actors running 80 to 90% of an espionage campaign autonomously through Claude Code at thousands of requests per second. Now think about the capabilities nation-state actors have which don’t come up on traditional radars; the landscape has truly shifted and automation is one of our best answers for this.

If you’ve architected your SOC around human-in-the-loop on every alert, you’re not building a SOC. You’re building a forensics team.

Translating SOC outcomes into board language

Mitchem Boles (Field CISO at Intezer, four years previously as Field CISO and security advisor at GuidePoint) gave one of the most insightful talks of the day. I’ve never been a CISO so of course, I’ve never had to report to a board so aside from what I read or hear, I don’t truly know how CISOs navigate the dynamic.

“If you’ve seen a board, you’ve seen one board.” This means that every board is different, but every board is pretty much asking a version of the same three questions. Mitchem’s framework maps each one to what they actually need to hear: coverage to risk reduction, comparison to containment, operations to leverage. Reframe the conversation in those terms and you stop reporting activity and start reporting outcomes.

AVERT, a new executive-level metric. Action-Verified Resolution Time. The argument: MTTR is dead, MTTC is closer, but neither captures whether the threat was actually neutralized with forensic proof. AVERT bundles three sub-metrics:

• RMV (Risk Mitigation Velocity): 20x faster than industry average.

• ARR (Autonomous Resolution Rate): 85% resolved before an analyst touches them.

• VRR (Verified Resolution Rate): 97% closed with forensic proof of neutralization.

Mitchem framed AVERT as a “proposed executive and board metric,” so I’m reading those numbers as aspirational targets for a mature AI SOC rather than industry averages.

Procurement is shifting from multi-year to one-year deals.

Pavi Ramamurthy (CISO, Blackhawk Network) flagged a shift that’s going to compound: CISOs are pulling back from multi-year contracts in favor of one-year deals.

Two reasons. The industry is moving fast enough that locking into a three-year deal with anyone, including the vendor you love today, looks reckless. And security incidents are increasingly hitting security vendors themselves, eroding trust and making the ability to switch a feature, not a bug. Another point of concern is what usually happens when a vendor gets acquired. Things inevitably change and sometimes for the worse.

Tier 1 is dead. Tier 2 is dying.

Across both CISO panels, the consensus was nearly unanimous, and Doug Mayer made the case clearly: siloed tier 1 / tier 2 / tier 3 categorization is a relic of a staffing model that no longer makes sense when AI can do the triage and enrichment work that filled tier 1 queues for the last 15 years.

Bad news for any MSSP or MDR whose business model depends on selling tier 1 and tier 2 analysis as a service. The shops that survive are investing in higher-order detection engineering, threat hunting, and complex investigation. Jen Greulich’s Legato Security is a good example of a shop already adapting.

Counterpoint from Deepak Kolingivadi (ServiceNow): the security practitioner role isn’t disappearing, it’s changing. The new bar is whether you can think in automation, orchestration, and scale.

Stop measuring MTTR. Start measuring dwell time and time-to-decision

Two CISOs in the same room landed on the same idea from different angles: MTTR is measuring the wrong thing.

Doug Mayer: “Screw MTTR. Mean time to contain, dwell time, is the real thing.” MTTR measures activity. Dwell time measures outcome.

Nick Vigier (CISO, Oscar Health), in the closing CISO Series podcast taping with David Spark, pushed it further. Most SOCs are slow because decision-making rests with too few operators. The bottleneck isn’t analysis speed. It’s decision ownership. Nick’s reframe: mean time to decision.

Together, dwell time and time-to-decision describe the SOC’s job better than any framework I’ve seen.

Mature SOCs with strong foundations will win

Paul Carpenito (CISO, ION Group): “Good brakes make the car go faster.” Easily my favorite quote of the day.

To me, it means that if your SOC is mature-ish and has good hygiene (trustworthy log ingestion and coverage, fine-tuned detection content, well-mapped MITRE ATT&CK coverage, defined runbooks, clear ownership), you can adopt AI faster and trust it more. The AI has structured ground truth to operate against. Tiered autonomy based on asset criticality becomes achievable because you actually know how certain events should be responded to.

If your SOC is immature, AI accelerates your dysfunction, automates decisions you didn’t realize were wrong, and produces confident outputs against a foundation that can’t validate them. The gap between mature and immature SOCs will widen dramatically. The decisions (or lack thereof) SOC leaders make in 2026 will compound for the next five years.

Wrapping Up

The offense has gotten a lot faster and the defense hasn’t necessarily caught up. The AI SOC conversation is no longer about whether to adopt. I think that’s a settled debate. It’s about whether you have a mature foundation that can absorb it, or on top of a stack that’s going to amplify your existing problems.

Good brakes make the car go faster. If you don’t have good brakes, this is the year to build them.

Big kudos to Sarah, Lital, Ada and the Intezer marketing team for putting this together. A Nasdaq venue, a CISO-only invite list, and a David Spark podcast taping in a single day takes serious coordination, and they made it look easy. Shoutout also to Itai and Mitchem for the substance, and to the CISOs who didn’t hold back any punches. Cool event!

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to an audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Subscribe now

Share

Agentify Your Security Operations

Every SOC runs differently. BlinkOps is the agentic platform built for it. Run pre-built agentic solution on day-one. Customize it as your programs mature. Build your own from scratch to match your needs. Or co-build with our forward-deployed engineers.

Agentic SOC and Agentic SOAR on one platform. With enterprise governance, security, and scale.

See AI SOC in action

Hi 👋 - Hope you’re having a great week wherever you’re reading from!

On a personal note, I’m finally back home in Austin after being on the road for ~90% of the past 2 months. Life is good but there’s no rest for the wicked. I’ll be in Boston for Tech Week at the end of this month for an AI x Security panel. If you’re in the New England area, don’t miss it. It’s at a dope art gallery and we’re coming with hot, grounded takes. We also may or may not be hosting a chatham-house rules dinner at one of Drake’s favorite restaurants ¯\_(ツ)_/¯

Aside from that, the Monad team has partnered w/ Oso Security for a breakfast during #AIWeekNY. The line-up of attendees is pretty stacked. Register here.

Cool, now let’s get into all the wildness that’s taken place this past week.

TL;DR ✏️

• 💀 AI wipes a production database in 9 seconds — Cursor agent on Claude Opus 4.6 deleted PocketOS prod and all backups via single Railway API call, 3 months of data gone.

• 🇰🇵 North Korea owns 76% of 2026 crypto theft — DPRK actors stole $577M in two attacks (Drift, KelpDAO), pushing cumulative since 2017 past $6B.

• 🚨 cPanel auth bypass hits governments and MSPs — CVE-2026-41940 (CVSS 9.8) exploited since Feb 23, ~550K servers still vulnerable, ~2K confirmed compromised.

• 🐙 GitHub patches RCE in git push pipeline — Wiz Research finds CVE-2026-3854 (CVSS 8.7) on GitHub.com and GHES via X-Stat header injection, 88% of GHES instances vulnerable at disclosure.

• 💼 Cisco to acquire Astrix Security for ~$400M — NHI Anthology Fund and Anthropic-backed startup gets absorbed.

• 🗝️ OpenAI ships passkey-only Advanced Account Security — Passkeys or YubiKeys required, no password or SMS recovery, mandatory for Trusted Access for Cyber members by June 1.

Plus: Azure AD Graph Activity Logs land, closing a long-standing legacy-API detection gap; Rippling launches Automated Compliance for SOC 2 with AJ Yawn joining the team; and CrowdStrike extends Falcon OverWatch managed threat hunting to Microsoft Defender environments.

⚒️ Picks of the Week ⚒️

If AI’s So Smart, Why Does It Keep Deleting Production Databases?

A Cursor agent running Claude Opus 4.6 wiped PocketOS‘s production database and all volume-level backups in 9 seconds via a single API call to Railway. Three months of reservations, customer signups, and payment records: gone.

Founder Jer Crane discovered it Saturday morning while rental customers were arriving at his clients’ counters with no records on file. The agent hit a credential mismatch, decided on its own to “fix” it by deleting a Railway volume, and produced a written confession when asked to explain itself. Data was recovered two days later. A Replit agent did roughly the same thing to Jason Lemkin’s environment last summer.

PocketOS handed an LLM a token that could nuke prod and backups in one call, and Railway exposed an API where staging and prod volume IDs share a namespace with no destructive-action gate. That’s a blast radius problem and governance problem. Every CISO, CIO and CTO has to be asking themselves how they could prevent this type of insider risk. Continuously threat modeling AI coding agents should be at the top of the list.

This also reminds me of the time a Meta AI safety researcher had all her emails deleted by OpenClaw. Agents do go rogue.

AI signals in email attacks: Boosting detection and threat hunting

Most AI “tells” in email are noisy and unreliable on their own. But used correctly, they can still strengthen detections and improve threat hunting.

In Sublime Security’s upcoming webinar, we break down which AI signals actually work, how to apply signal stacking, and where these approaches fail. See real examples and a practical framework you can use immediately.

Register now, watch anytime

North Korea now responsible for 76% of all crypto stolen in 2026

DPRK-linked actors stole $577M in the first four months of 2026, 76% of all global crypto hack losses, per a TRM Labs report.

The number comes from just two attacks: a $285M Drift Protocol exploit on April 1 (Citrine Sleet, months of in-person social engineering against Drift employees, exploiting Solana durable nonce authorization) and a $292M KelpDAO breach on April 18 (TraderTraitor, single-verifier flaw in a LayerZero bridge). Cumulative DPRK crypto theft since 2017 exceeds $6B. THORChain handled most of the laundering on both Bybit (2025) and KelpDAO, converting stolen ETH to BTC with no operator willing to freeze.

#1 - that’s a lot of money. #2 - Crypto exchanges have startup-level security and are fending off nation-state actors. #3 - Something has to change.

Dig Deeper: TRM Labs report | CoinDesk on the months-long Drift social engineering campaign

cPanel auth bypass CVE-2026-41940 exploited against governments, MSPs as patches lag

CVE-2026-41940 is a pre-auth CRLF-injection bypass in cPanel and WHM (CVSS 9.8) disclosed by watchTowr on April 29, affecting Linux-based deployments (AlmaLinux, Rocky Linux, CloudLinux, and Ubuntu LTS). An unauthenticated attacker injects forged authentication state into a session file via the Basic-auth header and reloads it as root.

Shodan shows roughly 1.5M exposed cPanel instances, with ~550K still potentially vulnerable and ~2,000 confirmed compromised per Shadowserver, down from 44K Thursday. KnownHost detected exploitation as early as February 23, two months before the patch.

Vendor and government guidance line up. WebPros’ official advisory instructs admins to update via the standard script, verify the build, and restart cpsrvd, with firewall-level blocks on ports 2083, 2087, 2095, and 2096 as the interim mitigation. The Canadian Centre for Cyber Security calls exploitation “highly probable” and pushes the same patch path. Rapid7 and watchTowr both stress the two-month pre-disclosure window: patching alone won’t evict an attacker who’s already inside, so credential rotation, session-file audits, and persistence hunting need to follow.

A single git push got Wiz Research RCE on GitHub’s backend

Wiz Research disclosed CVE-2026-3854 (CVSS 8.7), a command injection in GitHub’s internal git push pipeline that gave any authenticated user RCE on GitHub.com and GitHub Enterprise Server, including against repos the attacker created themselves. The chain:

• The bug: babeld copied push option values into the X-Stat header unsanitized, and a semicolon let attackers inject arbitrary fields. Last-write-wins parsing meant injected fields silently overrode legitimate ones.

• The escalation: Sandbox escape via rails_env, hook directory redirection via custom_hooks_dir, then arbitrary binary execution as the git service user via repo_pre_receive_hooks with path traversal.

• The blast radius: On GitHub.com, that landed researchers on shared storage nodes with filesystem access to millions of repos belonging to other users and orgs (Wiz did not access contents).

GitHub patched cloud within hours on March 4 and shipped patches March 10, public disclosure April 28. 88% of GHES instances were still vulnerable at disclosure🤯

Wiz used IDA MCP, an AI-augmented reverse engineering setup, to analyze GitHub’s compiled binaries and reconstruct internal protocols at a speed that wasn’t economical before.

Dig Deeper: Wiz technical writeup | GitHub’s response post (authored by GH CISO)

Cisco to acquire Astrix Security for $400M, betting on non-human identity

Cisco announced intent to acquire Astrix Security for roughly $400M, per Calcalist.

Founded in 2021 by Alon Jackson and Idan Gour (both Unit 8200), Astrix raised $85M total across rounds led by Menlo Ventures’ Anthology Fund (with Anthropic), Bessemer, CRV, Workday Ventures, and F2.

~5x return on $85M raised is pretty good for Astrix and sets the bar for other NHI platforms like Oasis, Token, and Entro etc.

Capabilities will fold into Cisco Identity Intelligence and extend into Duo and Secure Access, with detection signals piping into Splunk.

🔮 The Future of Security 🔮

AI Security

OpenAI ships passkey-only Advanced Account Security for ChatGPT and Codex

OpenAI rolled out opt-in Advanced Account Security for ChatGPT and Codex accounts, requiring passkeys or FIDO hardware keys and disabling password login, email, and SMS recovery.

Account recovery falls entirely on the user; OpenAI support cannot assist. Conversations are auto-excluded from training. Partnered with Yubico on discounted YubiKey bundles. Members of OpenAI’s Trusted Access for Cyber program must enable it by June 1. Not available for ChatGPT Enterprise or managed accounts yet.

More AI security news

• Introducing AI traffic analysis dashboards for AWS WAF

• Cyberhaven expands AI security to track shadow agents

• Armadin Expands AI Attack Validation Push

• Unit 42 Expands Frontier AI Defense with Armadin Partnership

Detection Engineering

Azure AD Graph Activity Logs land in Sentinel, closing a long-standing detection gap

Microsoft made the AADGraphActivityLogs table queryable in Azure Monitor and Sentinel, giving defenders visibility into the legacy Azure AD Graph API (graph.windows.net) for the first time. The modern graph.microsoft.com endpoint has had a logging table since 2023, but the deprecated legacy API stayed active and unlogged, a gap Cloudbrothers documented as the reason offensive tooling evaded detection. What’s now detectable:

• AADInternals-based recon and persistence

• Ping Castle assessment scans

• Any custom tooling targeting the legacy endpoint

• Historical Azure AD Graph activity once ingestion is enabled

A significant win for blue teams. The “use the deprecated API to evade logging” technique has been documented and used in the wild for years, and any tenant running detections was effectively blind to a chunk of legitimate-looking reconnaissance. The interesting question for red teamers: what’s the next evasion path now that this one is closed.

Expect new detection content from the usual Sentinel community shops within weeks.

Governance, Risk, and Compliance

Rippling launches Automated Compliance for SOC 2, brings in AJ Yawn

Rippling rolled out Rippling Automated Compliance on April 28, leveraging its position as the system of record for HR, IT, identity, and device management to auto-collect SOC 2 evidence. Available now for SOC 2 Type 1 and Type 2, with more frameworks on the way. Connected CPA firm and pen testing partners are wired into the audit workflow.

Compliance veteran AJ Yawn, founder of the GRC Engineering Club and one of the most credible voices in GRC engineering, also joined the team around the same time this was announced.

Rippling is right that GRC tools have been reporting layers on top of systems they don’t control, and being the underlying system flips the economics. Bringing Yawn in lends real practitioner credibility and Rippling has a true moat as they control much of the underlying surface that compliance probes for anyways. Rippling has a massive customer base so the upsell opp. is real.

Security Operations

CrowdStrike extends OverWatch managed threat hunting to Microsoft Defender

CrowdStrike launched Falcon OverWatch for Defender, bringing its threat hunting service to organizations running Microsoft Defender for endpoint without requiring an EDR rip-and-replace. The service layers continuous human-led hunting, adversary intelligence (CrowdStrike tracks 280+ tracked groups), and response guidance on top of Defender’s native detections. Builds on March’s Falcon Next-Gen SIEM for Defender integration.

Smart land-grab. Seems like CrowdStrike and MSFT are deepening their partnership which is ultimately, what’s best for both customer bases.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

Ship Fast. Sleep Well.

The 2026 Identity Governance Playbook Is Here.

Speed and security don't have to be a tradeoff. The security teams ready for AI have automated what used to take weeks: access approvals, lifecycle management, unused access removal and built a unified identity graph ready for AI agents. Read Opal's 2026 report to learn how they did it.

Get the report

Howdy 👋 - Hope you’re having a great week wherever you’re reading from!

This week has been quite eventful, literally. I had the opportunity to attend Intezer’s Nasdaq event in NYC and it was pretty insightful. F500 CISOs and security leaders shared how they’re thinking about AI, Mythos-level threats, how the buyer-vendor relationship has evolved, reporting up to the board and more. I have a full write-up coming out next Tuesday for this so I won’t spoil it all here. However, huge kudos to the Intezer GTM team for pulling off such a stellar event.

Aside from that, a quick heads up that DEF CON main stage Call for Papers, Labs, Workshops, Music and more closes today at 8PM ET. I think DC village CFPs closes a couple weeks later but always good to double check!

Also, a quick plug for this cool cost savings analysis feature that my team at Monad shipped.

Lastly, the past 2 TCP issues have gone out on Thursdays. We’ll be back to our regularly scheduled programming next Wednesday.

Cool, let’s dive in!

TL;DR ✏️

• 🩸 Checkmarx dump hits dark web — Lapsus$ posts 96GB archive after TeamPCP pivoted from Trivy → Checkmarx GitHub; 30-day persistence despite cred revocation

• ☁️ Google Cloud Next ‘26 ships agent governance — Three new SecOps agents, Wiz scanning all the things, Gemini Enterprise Agent Platform, Q1 earnings smoked

• 🐧 Copy Fail roots every Linux since 2017 — 732-byte Python script, CVSS 7.8, container escape primitive; not as critical as alarmist would have you think

• 🩺 ShinyHunters claims Medtronic and Carnival — 9M+ Medtronic records, 8.7M Carnival/Holland America loyalty records; both vectors still undisclosed

• 📊 Cyber insurance data is the real CISO ammo — Misconfigured MFA = 26% of losses, ransomware = 90% of total loss from 12% of claims. Industry needs more 3rd party data like this

• 💎 Opal's 2026 Identity Governance Report — Auto-granted access goes unused 50% of the time, NHIs outnumber humans 5:1, and 72% of CISOs say authz is their biggest AI blocker

• 🤖 Amazon CISO details RuleForge detection-rule pipeline — Bedrock generator agent proposes rules, separate judge model scores sensitivity vs specificity, MadPot honeypots validate before merge

Plus: Copperhelm exits stealth with $7M, Sublime Security goes 100% channel-led, and Silverfort acquires Fabrix Security ($8M raised to date) and more. 👇

⚒️ Picks of the Week ⚒️

Checkmarx debacle: AppSec vendor caught in the Trivy/TeamPCP supply chain blast radius

Checkmarx (the AppSec vendor who markets itself as covering 40% of the Fortune 100, including Apple, Salesforce, Walmart, Visa, Citigroup, Ford, Siemens, Airbus, Adidas, and SAP) confirmed that Lapsus$ dumped a 96GB archive of its data (source code, employee database, API keys, MongoDB and MySQL creds) on dark web and clearnet portals.

The access vector: stolen creds from the March 23 Trivy supply-chain compromise attributed to TeamPCP, which gave attackers the keys into Checkmarx’s GitHub.

Timeline

• Late Feb: TeamPCP compromises Trivy (Aqua Security’s open source vuln scanner)

• March 16: Credential-stealing malware injected into Trivy, harvesting CI/CD secrets, cloud creds, SSH keys, and K8s configs from downstream users

• March 23: Attackers use stolen Trivy creds to access Checkmarx GitHub

• March 30: Data exfil from Checkmarx GitHub

• April 22: Despite cred revocation and outbound blocks, attackers come back and poison the KICS Docker image, two VS Code/Open VSX extensions, and a GitHub Actions workflow

• Late April: Lapsus$ lists Checkmarx on its leak site and dumps the archive

Blast radius

Same campaign also briefly compromised the Bitwarden CLI npm package (@bitwarden/cli 2026.4.0), live for ~90 minutes, hoovering AWS keys, GitHub tokens, and SSH creds. Bitwarden has 10M+ users, 50K+ business customers. AI startup Mercor also got pulled in via the related LiteLLM compromise; Lapsus$ offered 4TB including 939GB of Mercor source code for sale.

This is the X-factor with software supply chain compromises. There’s a super long tail of downstream impact which may last months to years.

Google Cloud Next: Wiz everywhere, agents for everything, and stellar Q1 ‘26 Performance

Google Cloud Next ‘26 came with a slew of security updates: three new SecOps agents, Wiz sprawling across every rival cloud and agent platform, and a new Gemini Enterprise Agent Platform with governance bolted on.

SecOps agents

The existing Triage and Investigation agent (which Google says chewed through 5M+ alerts last year, taking 30-min triage down to 60 seconds) gets three new siblings in preview:

1. Threat Hunting agent to chase novel TTPs and stealthy behavior

2. Detection Engineering agent to find detection gaps and write rules for them

3. Third-Party Context agent to pull external context into analyst workflows

Remote MCP server support hit GA, dark web intel went into preview in Google Threat Intelligence (Google claims 98% accuracy on millions of daily events, take that with the usual grain of salt), and Darktrace, Gigamon, and SAP join as new partner integrations.

Wiz securing all the things, everywhere

Wiz now scans Databricks and the agent stacks of basically every competitor: AWS AgentCore, Azure Copilot Studio, Salesforce Agentforce, plus Google’s own Gemini platform. Apigee, Cloudflare AI Security for Apps, and Vercel got integrations too.

New AI-SDLC capabilities: a Lovable integration that runs Wiz scans inside the vibe-coding platform, inline AI security hooks for IDEs and agent workflows that scan prompts and generated code pre-commit, and a dynamic AI-BOM to surface shadow AI tools across an environment.

Agent identity, fraud, Chrome

Gemini Enterprise Agent Platform ships with Agent Identity (cryptographic IDs, scoped delegation, audit trails per action), Agent Gateway (policy enforcement aware of MCP and A2A, plus prompt injection, tool poisoning, and data leakage protections), and Model Armor for runtime model/agent protection now integrating with Agent Gateway, Agent Runtime, and LangChain. reCAPTCHA got rebranded to Google Cloud Fraud Defense (GA), with human/bot/agent distinction coming in preview. Chrome Enterprise gets an AI-aware threat detection extension plus shadow AI reporting for unsanctioned web AI apps.

Also key to note that absolutely smoked Q1 2026 earnings and I’d imagine Wiz will be a great add-on to their bottom line. Excited to see how it all plays out!

Copy Fail (CVE-2026-31431): one logic bug, every Linux distro since 2017

Researchers at Theori/Xint disclosed Copy Fail, a Linux kernel LPE (CVSS 7.8) that lets an unprivileged local user write 4 controlled bytes into the page cache of any readable file and pop a root shell via a 732-byte Python script that works unmodified across Ubuntu, Amazon Linux, RHEL, and SUSE. The bug is a logic flaw in algif_aead introduced by a 2017 in-place optimization commit, chained through AF_ALG and splice().

Critically, it’s not remotely exploitable by itself, but the same primitive crosses container and tenant boundaries via the shared page cache, which makes it serious for K8s nodes, CI runners (GitHub Actions self-hosted, GitLab, Jenkins), shell-as-a-service hosts, and any SaaS running tenant code. Theori/Xint surfaced it with their AI code-auditing tool and is using the disclosure page as a product showcase, so calibrate the marketing accordingly, but the bug itself is real and the PoC is public on GitHub.

Where to follow: the copy.fail landing page for the technical writeup and guidance on how to patch, the Theori GitHub issue tracker for ongoing distro confirmations, and your distro’s advisory page (Ubuntu, RHEL, SUSE, Amazon Linux, Debian).

ShinyHunters on a tear: Medtronic and Carnival both hit

ShinyHunters claimed two big names back to back this week: medical device giant Medtronic and the world’s largest cruise operator, Carnival Corporation.

Medtronic

Medtronic confirmed a data security incident affecting corporate IT after ShinyHunters listed it on its leak site in mid-April, claiming 9M+ records of personal info plus piles of internal corporate data. Medtronic has not validated the numbers and stresses that hospital networks running its devices are managed independently and were not exposed. ShinyHunters set a ransom deadline, then pulled the listing, which usually signals either negotiation or whatever face-saving move keeps the leak tab clean.

Carnival

Two days later, Have I Been Pwned flagged what it described as 8.7M records (with 7.5M unique email addresses) tied to the Mariner Society loyalty program run by Holland America, a Carnival subsidiary. Exposed fields: names, DOBs, genders, and membership status. Carnival’s framing: a phishing attack against a single user account, scope still being assessed. ShinyHunters posted on its leak site that “the company failed to reach an agreement with us despite our incredible patience,” adding “they don’t care.”

How did they get in?

Honestly, nobody’s saying. Medtronic’s disclosure is vague enough to drive a truck through (”an unauthorized party accessed certain internal systems”). Carnival’s only attributed vector is a single phished user account, which doesn’t square with terabytes of data unless that account had way more access than it should have. Neither side has named a SaaS platform, an initial access broker, or any IOCs

Cyber insurance data gives CISOs new ammo for budget talks

Misconfigured MFA drives more financial loss than any other single control failure, and ransomware drives 90% of total loss despite being only 12% of claims. The industry needs more of this kind of empirical claims data; vendor “state of X” reports don’t cut it for CISOs trying to justify budget against actual loss attribution.

New analysis from cyber insurer Resilience, drawn from its manufacturing claims portfolio (March 2021 to February 2026) and synthesized with IBM X-Force and KELA data. Misconfigured MFA accounted for 26% of losses, software vuln exploits 13%, and transfer fraud plus BEC tied to phishing and credential theft made up 30% of claims.

More insurers and ISACs should be publishing data like this. Claims data beats survey-based findings or vendor-funded research every time.

🔮 The Future of Security 🔮

Application Security

Wiz Code Week recap: visibility, IDE guardrails, and CI/CD as a first-class asset

Wiz ran Code Week in parallel with Google Cloud Next. Code Week is where they release a bunch of dev and AppSec-related features and announcements. This time around, they launched an AI-BOM that auto-inventories AI frameworks, models, and IDE extensions (Gemini Code Assist, Copilot, Cursor), plus an IaC Inventory that maps code-to-cloud blast radius.

New Wiz Code plugins for Claude Code and Cursor embed pre-commit hooks for hardcoded secrets, IaC misconfigs, and vulns, with new SAST rules mapped to the OWASP Top 10 for LLM and Agentic Applications.

Pipeline-side, Wiz now models CI/CD as first-class assets on its Security Graph, surfacing dangerous trigger configs, excessive perms, and prompt injection risks from AI agents, plus a CI-BOM for third-party action inventory.

Cloud Security

Copperhelm exits stealth with $7M for agentic cloud security platform

Copperhelm emerged from stealth with $7M in seed led by TLV Partners (with toDay Ventures, ICON, and SaaS Ventures Israel), pitching AI agents that autonomously monitor cloud environments, investigate threats, and execute remediation in real time while keeping humans in control.

Auto-remediation is the next frontier. Dozens of vendors going after it meanwhile security leaders remain skeptical/hesitant for the more critical stuff. Let’s see.

Email Security

Sublime Security goes 100% channel-led with new partner program

Sublime Security launched a formal channel partner program and is now operating as a 100% channel-led company.

Core elements of a partner-first GTM motion are recurring margins with deal protection, dedicated partner sales managers and SEs, technical enablement and accreditation, and co-marketing support. Wiz did the same and I covered it here. Channel-led sales is cool because some MSSPs and VARs have been around for decades and know where the bodies are buried regarding legacy, clunky tech and can accelerate displacement.

Identity and Access Management

Silverfort acquires Fabrix Security to add AI-native runtime access decisioning

Silverfort acquired Fabrix Security, an AI-native identity security startup founded in 2024, for an undisclosed price.

Fabrix had raised $8M to date. The product runs an identity knowledge graph paired with AI agents that handle authorization decisions, just-in-time access requests, and lifecycle management for human, non-human, and agentic identities (service accounts, API keys, bots, AI agents).

Vulnerability Management

Amazon’s RuleForge: agentic AI generates production detection rules

Amazon CISO, CJ Moses recently wrote a blog about RuleForge, an internal agentic AI system that turns CVE proof-of-concept exploits into production-ready detection rules 336% faster than manual analyst workflows, with humans in the loop for final approval.

Architecture: a generation agent on AWS Fargate + Bedrock proposes multiple candidate rules in parallel; a separate judge model scores each on sensitivity (will this miss exploits?) and specificity (does it target the vuln or a correlated feature?).

Rules then run through synthetic testing and validation against MadPot honeypot traffic before code review.

The separation of generation from evaluation reduced false positives by 67% while preserving true positives, and Amazon credits negative-phrased prompts (”what’s the probability this rule fails?”) for better LLM calibration on security tasks.

This is one of the more honest hyperscaler writeups on applied AI for security stuff, and the architectural lessons (judge != generator, decompose the workflow, keep humans gating prod) are directly transferable to anyone building internal AI-based security tooling.

More vulnerability management news:

• HackerOne Launches h1 Validation as AI Drives a Surge in Vulnerability Discovery

• Rilian Raises $17.5 Million for AI-Native Security Orchestration

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

AI signals in email attacks: Boosting detection and threat hunting

Most AI “tells” in email are noisy and unreliable on their own. But used correctly, they can still strengthen detections and improve threat hunting.

In Sublime Security’s upcoming webinar, we break down which AI signals actually work, how to apply signal stacking, and where these approaches fail. See real examples and a practical framework you can use immediately.

Register now, watch anytime

Howdy 👋 - Hope you’re having a great week wherever you’re tuning in from!

This has been a wild week. Anthropic’s Mythos model apparently accessed by a unauthorized 3rd party, Vercel breached via 3rd party OAuth abuse, Lovable exposure kerfuffle, 3 0-days found in MSFT Defender and security stocks rebound. And of course, there’s more marinating in the background (case in point: Cyera announces acq. of Ryft just as I was about to press ‘send’ 🙃).

Before we dive in, two plugs:

• If you’re a security operator in NYC, come hang out this upcoming Monday (Apr. 27th) at this live show I’m co-hosting with Intezer at the Nasdaq. Security leaders from Salesforce, Oscar Health, and many highly regarded folks you probably know. Truly a can’t miss event!

• I wrote a thing on the contents of and detection opportunities for OpenAI Enterprise Audit Logs. Read it here.

Cool. Now let's get into it!

TL;DR ✏️

• 🕳️ Mythos allegedly accessed via third-party vendor — Discord group reportedly combined contractor creds with URL patterns from the Mercor breach; story still developing

• 🧨 Vercel breached via Context.ai OAuth grant — Roblox cheat → Lumma Stealer → inherited “Allow All” token → prod env vars; campaign bigger than Context.ai alone

• 🧱 GitHub’s agentic workflows threat model — assume the agent is compromised; secretless execution, safe-outputs pipeline, damage-containment over prevention

• 🤝 Cyera acquires Ryft to extend its agentic AI data security play — Fourth acquisition for Cyera (now $9B val, $1.7B raised); deal size undisclosed

• 🎭 Lovable’s BOLA + disclosure meltdown — a few API calls → any user’s source code and DB creds; “fixed” only for projects created after Nov 2025

• 🪟 Three MSFT Defender 0-days, two still unpatched — BlueHammer (CVE-2026-33825) patched, RedSun and UnDefend live with public PoCs and in-the-wild exploitation

• 📡 Detection engineering for OpenAI Enterprise audit logs — Log set deep dive + 5 detection opportunities

• 📧 Sublime webinar: AI signals in email attacks — Alex Orleans and Luke Wescott on threat hunting with AI signals, signal stacking, and where they break; May 13

• 🏹 Artemis out of stealth with $70M — AI-native SIEM contender, Felicis-led, angels from Demisto and Abnormal founders

• 🧭 Spectrum exits stealth with $19M — AI-powered detection engineering layer on top of existing SIEMs, led by TechOperators and Skinos (Shlomo Kramer’s new fund)

• 💊 Capsule Security exits stealth with $7M — runtime trust layer for AI agents; disclosed ShareLeak (CVE-2026-21520) and PipeLeak alongside launch

Plus: Aikido ships Endpoint Protection for developer workstations, Microsoft publishes KQL for hunting DPRK IT workers in Workday and DocuSign, Cowbell launches a mid-market policy with affirmative AI and quantum coverage, and more 👇

⚒️ Picks of the Week ⚒️

Vercel breached via Context.ai x GWS OAuth grant

A Vercel employee connected Context.ai’s AI Office Suite to their enterprise Google Workspace and granted “Allow All” permissions. When Context.ai got popped (a Context.ai employee caught Lumma Stealer in February 2026 , reportedly from a Roblox cheat download of all things), the attacker inherited that OAuth grant and walked right into Vercel.

From there they escalated by sifting through environment variables not marked as “sensitive,” (😔) which were sitting in plaintext in the dashboard and API. Mandiant is engaged, and Vercel now defaults env vars to sensitive. No npm packages were tampered with, they say.

Also a ShinyHunters persona is shopping alleged internal data for $2M, but Google TAG’s Austin Larsen called the claimant “likely an imposter.”

No AI-powered Mythos nuke. Just 3rd party OAuth token grant abuse similar to what happened with Salesloft Drift. It’s exactly what Pat Opet, CISO @ JP Morgan, warned about almost exactly a year ago.

Update: Vercel disclosed on April 22 that it identified additional compromised accounts from independent prior compromises, and CEO Guillermo Rauch said the threat actor appears to be running a broader token-harvesting campaign beyond Context.ai. Context.ai has deprecated the AI Office Suite entirely.

HugOps to my friends on the Vercel security team.

Mythos allegedly leaked via third-party vendor, story still developing

Per TechCrunch, a group of Discord users claim to have gained unauthorized access to Anthropic’s Claude Mythos Preview on the same day it was announced, reportedly by combining compromised credentials from a third-party contractor with URL naming conventions reconstructed from a recent data breach at Mercor. Anthropic confirmed it’s investigating and said there’s no evidence its own systems were impacted or that activity extended beyond the vendor environment.

A ShinyHunters impersonator has since tried to take credit circulating AI-generated screenshots as proof, but security researcher Dominic Alvieri and others quickly called the claim out as fabricated.

Story is still developing, more to come as Anthropic’s investigation plays out, but if even part of this holds up it’s detrimental to the whole walled-off Project Glasswing model.

How Did We Miss This?

Every security leader has asked this at some point. Usually after an incident review, usually at 11pm, usually over cold pizza. And the answer is almost always the same: detection gaps nobody had time to map, rules nobody could write fast enough, and coverage that quietly broke weeks ago without firing a single alert. AI-powered attacks are just making that gap harder to ignore.

Spectrum is built for that exact problem. An AI-powered detection platform that maps your coverage, researches emerging threats, and writes custom, deployment-ready detections against your data, wherever it lives. The stuff your team would write if they had ten more hours in the day.

Fewer gaps, fewer blind spots, fewer “how did we miss this” moments.

Get a demo

GitHub’s security architecture for agentic workflows: assume the agent is compromised

GitHub published the threat model and architecture behind their Agentic Workflows, and it’s the most informative write-up I’ve seen on running agents in CI/CD pipeline. Shoutout to ByteByteGo for this one. Highly recommend reading if you’re using AI coding tools in an enterprise environement.

One core assumption they’ve made is that the agent will try to read and write state it shouldn’t, communicate over unintended channels, and abuse legitimate channels. In other words, the agent will misbehave.

Three-layer architecture (substrate, configuration, planning), with the agent running secretless: MCP auth tokens live in a separate gateway container, LLM tokens in an isolated proxy, all traffic through a dedicated firewall container. Every agent output goes through a deterministic “safe outputs” pipeline that checks operations against an allowlist, enforces quantity limits, and scans for leaked secrets before anything gets committed.

The “secrets are physically unreachable from the agent” pattern transfers well beyond GitHub and is a great example of “contain damage” vs. “stop breach” approach.

Detection engineering for OpenAI Enterprise audit logs

I dropped a new post on the Monad blog walking through the 5 detections worth shipping first against OpenAI’s enterprise audit log (51 event types, immutable once enabled). The starter pack: SCIM disabled, IP allowlist deactivated or broadened, role changes with permissions_added, api_call_logging reduced, and owner-level service account creation. Plus a bonus on external key (BYOK) tampering

Same playbook as the Claude Code OTel work we put out earlier this month. As AI platforms become control planes in your stack, their audit logs need to be treated more like cloud or identiy logs.

If you’re running enterprise ChatGPT, this blog should serve as a great starting point for understanding the log source + getting some coverage on high signal activity.

Cyera Acquires Ryft to Extend Its Agentic AI Security Platform

As I was getting ready to press ‘send’, I learned that Cyera announced its acquisition of Ryft, a secure data lake startup founded in 2024 and backed by Index Ventures and Bessemer Venture Partners. Deal terms were not disclosed. This is Cyera’s fourth acquisition in five years, following Trail Security ($162M, Oct 2024) and Otterize (June 2025).

The thesis as co-founder and CTO Tamar Bar-Ilan calls it “unified control plane” for agentic AI, fusing data discovery, classification, DLP, identity, and now AI-ready data lake infrastructure in one platform.

Cyera is valued at $9B per their last raise. Most companies stagnate around this point. Will be fun to see them continue cooking.

Lovable’s BOLA and how not to handle disclosure

A researcher (@weezerOSINT) showed that any free Lovable account could make a handful of API calls and walk away with another user’s source code, chat history, and database credentials.

Root cause: a textbook Broken Object Level Authorization (BOLA) flaw, OWASP API #1. The project endpoints verified the auth token but never checked if the user actually owned the resource. Reported through HackerOne on March 3rd and marked as a duplicate.

The worst part: Lovable shipped a fix in March, but only for projects created after November 2025. Every pre-existing project stayed wide open. New projects returned 403, legacy projects returned 200 OK with full data.

Then the PR arc: “did not suffer a data breach” → blame documentation → blame HackerOne → apologize for the apology. They also casually dropped that public project code visibility is “intentional behavior” and “by design.”

$6.6B valuation, nearly 8M users, enterprise customers including Uber, Klarna, Deutsche Telekom, and Zendesk, and the #1 item on the OWASP API Top 10 is sitting in production.

The wild part is the response: deny, gaslight, then blame HackerOne for closing a ticket your own triage team owns.

Spectrum exits stealth with $19M for AI-era detection engineering

SF-based Spectrum Security launched from stealth with $19M in seed funding led by TechOperators, with participation from WhiteRabbit Ventures, Skinos Ventures (the new fund from Shlomo Kramer and Yishay Yovel), and Alumni Ventures.

The platform sits on top of existing SIEMs, data lakes, and EDRs to automate detection authoring, continuously find coverage gaps, and maintain detection health as log schemas and infrastructure drift.

The team is stacked (Ex leadership at Siemplify, Opus Security, operators at Appian etc) are attacking the same problem most detection eng teams have, rules that quietly break when infrastructure shifts, coverage gaps nobody mapped, drift nobody noticed.

Backed by Nir Polak (Exabeam founder) and Kevin Skapinetz (TechOperators), this is a strong detection-engineering bet especially as the ground shifts from under us in the SecOps space.

Three Defender zero-days in the wild, two still unpatched

A researcher, Chaotic Eclipse, dropped three Defender Antivirus zero-days after beefing with Microsoft over disclosure: BlueHammer, RedSun, and UnDefend. BlueHammer and RedSun are local priv-esc; UnDefend is a DoS that kills Defender’s security definition updates. Only BlueHammer (CVE-2026-33825) is patched. The other two are still live with public PoCs on GitHub (yes, Microsoft-owned GitHub lol). Huntress reported BlueHammer exploitation starting April 10, with RedSun and UnDefend PoC activity kicking off April 16.

The disclosure drama is pretty wild. Per Chaotic Eclipse, MSRC required a video demonstration of the exploit before they’d triage the report, then dismissed the case when the researcher declined. Microsoft later said video demos are not a requirement for disclosure, which raises the obvious question of who told the researcher they were.

UnDefend is the sneakiest of the three because silently killing definition updates means the box looks healthy in your console while going blind in real time. A stark reminder that the software meant to secure your org could also be vulnerable. Also a reminder for software vendors to patch their shit when researchers surface findings. Don’t gaslight or brush it under the rug as it may very likely come back to bite and cost more than the initial fix would’ve cost.

🔮 The Future of Security 🔮

AI Security

Capsule Security Exits Stealth With $7M to Secure AI Agents at Runtime

Capsule Security, founded by Naor Paz (ex-F5, Unit 8200) and Lidan Hazout (ex-Transmit Security), exited stealth with $7M in seed funding led by Lama Partners and Forgepoint Capital International.

The platform sits in the agent execution path and blocks unsafe tool calls, manipulation, and data exfiltration at runtime, with support for Cursor, Claude Code, Copilot Studio, ServiceNow, and Salesforce Agentforce. Alongside the launch, Capsule disclosed two agent-platform vulnerabilities, ShareLeak in Copilot Studio (now tracked as CVE-2026-21520 and patched) and PipeLeak in Salesforce Agentforce.

More AI Security News:

• How Zscaler and OpenAI turn zero-trust security into an AI accelerator

Endpoint Security

Aikido Launches Endpoint Protection for Developer Devices

Aikido launched Endpoint, a lightweight agent for dev workstations that inspects packages, IDE extensions, browser extensions, MCP servers, and AI tools before installation. Built on their open source Safe Chain project.

Notable default: any package published less than 48 hours ago gets held back in favor of the most recent version that clears the age policy, killing the highest-risk window right after a compromised version ships.

Dev laptops are the softest spot in most orgs. Devs have local admin, install whatever they want, run MCPs calling APIs with prod creds, and hit npm/PyPI a hundred times a day. Most traditional EDR doesn’t understand any of that telemetry. The 48-hour age policy is the kind of simple heuristic that would have blocked a big chunk of recent supply chain attacks (Axios staged its dropper less than 24 hours before the compromised versions pulled it in, per Aikido’s own writeup). The endpoint space is getting crowded, but the developer-first and SMB-friendly approach is a true differentiator.

Insurance

Cowbell Debuts Prime One Cyber Insurance with AI and Quantum Risk Cover

Cowbell Cyber launched Prime One, a cyber insurance product targeting mid-market companies ($250M-$1B revenue) with up to $10 million in coverage limits.

The policy includes affirmative coverage for AI-related incidents and quantum computing risks, positioning itself ahead of the post-quantum cryptography curve. 4D PR play, imo.

SaaS Security

Microsoft drops detection strategies for North Korean IT worker

MSFT published KQL and detection logic for Jasper Sleet, the DPRK-aligned actor posing as legit hires with AI-assisted fake personas. Ready-to-ship queries for Workday, Teams, Zoom, Webex, and DocuSign in the post.

Probably the biggest novel piece from it all is that they’re recommending to hunt the pre-recruitment phase. They’ve observed Jasper Sleet hitting Workday’s /hrrecruiting/* API endpoints from known actor infrastructure in a consistent, repeating pattern across multiple external accounts , which looks different from a normal applicant.

The fact that you need to detect DPRK operatives inside your HRIS in 2026 is wild but here we are. What’s cool about this post is that it shifts the detection surface left of the endpoint entirely. Your SaaS audit logs (Workday, DocuSign, Zoom) are threat hunting surfaces now, not just compliance logs. If you’re not piping HR platform telemetry, that could be a big gap.

Security Operations

Artemis emerges from stealth with $70M to fight AI-powered attacks with AI

Artemis came out of stealth last week with $70M in combined seed and Series A funding, just six months after founding. Series A led by Felicis with First Round and Brightmind returning, plus angels from the founders of Demisto and Abnormal AI, the former Splunk CEO/CTO, and execs from CrowdStrike, Palo Alto, Microsoft, and Okta. Nice cap table.

The pitch is a data model built from each customer’s telemetry, fusing log data with business context to generate tuned detections, investigate alerts, and surface correlated attack stories. Early customers include Mercury, Wix, Lemonade, and Abnormal AI.

There have been quite a few SIEM contenders that have come out of stealth in the past year. Each has a slightly differentiated approach. I like Artemis’ pitch because it’s adaptive and built off of the reality of a customer’s environment as opposed to handing off great software to customers and expecting them to realize the full value of it.

My main question is can they get in front of the CrowdStrikes, Palos, and Splunks of the world who are all striving toward the same narrative with way more distribution? In any case, great funding, founding team and backing. SecOps space is a fun one!

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

Level Up: Security Under Pressure Challenge

Join Abnormal’s 5-game cybersecurity challenge inspired by real behavioral attack signals. Step into fast-paced, human-layer scenarios where instinct and speed decide the outcome.

Win prizes after every game—and complete all 5 games to automatically earn an entry into the Grand Prize Draw for a chance to win two tickets to the FIFA World Cup 2026*! (*Subject to Terms & Conditions)

Start the challenge

Howdy 👋 - Hope you’re having a great week wherever you’re tuning in from!

I’m just getting back from some much needed time off in Costa Rica. Apparently something called Mythos happened and it nuked the security industry so we can all retire and start a new life now? Does this also mean DEF CON is canceled?

Just kidding but it does beg the question of “what comes next”? I cover that in the first story of the week. Before we get into that though, a few announcements:

• Abnormal AI is hosting a security challenge that if completed, enters you for a chance to win 2 tickets to the FIFA WORLD CUP! 🤯

• Claude Code Detection Opportunities blog my Monad teammates cooked up🔥

• Monad recently crossed 300+ integrations. Depth + width. Massive milestone.

• April 27th at the Nasdaq in NYC w/ Intezer for the AI SOC Live Show. Lining up to be a special event. Request an invite here!

Cool. Now, onto this week’s news!

TL;DR ✏️

• 🧬 Anthropic’s Claude Mythos + Project Glasswing — thousands of ‘zero-days’ across every major OS and browser; 50 orgs get restricted access, $100M in credits, and a whole lot of industry debate

• 🧙🏼‍♂️ OpenAI Fires Back With GPT-5.4-Cyber — fine-tuned defensive model with binary RE capabilities and lowered refusal guardrails, gated through expanded Trusted Access for Cyber program

• 🐙 OX Security Exposes Systemic MCP Protocol Flaw — architectural RCE across all 10 language SDKs, 200K+ exposed servers, 10+ CVEs; Anthropic calls it “by design”

• 📄 CSA/SANS Ship Emergency Mythos Strategy Briefing — 30-page playbook from 60+ contributors including Easterly, Gadi Evron, Rob Joyce and more

• 🛑 HackerOne Pauses Internet Bug Bounty Program — AI-driven discovery overwhelms open source maintainers; remediation is now the bottleneck and bounties don’t fund it

Plus: Mallory exits stealth with AI-native threat intel, Cisco nearing $250M+ Astrix acquisition, Wiz launches shadow data detection, GitHub publishes 2026 Actions security roadmap, Block details agentic code review architecture, Cloudflare expands Agent Cloud, and a whole lot more👇

⚒️ Picks of the Week ⚒️

Catching up on Anthropic’s Claude Mythos, OpenAI’s GPT-5.4-Cyber, and is DEF CON canceled?

If you were away last week like me, then you may have missed the internet and cyber stocks melting down due to some Anthropic news. While I hate beating a dead horse, I think this is a baby horse who’s just getting started so I’ll bring you up to speed a bit with continued coverage as this all evolves.

Anthropic launched private access to Claude Mythos Preview, an unreleased frontier model it says can find and exploit software vulnerabilities better than all but the most elite human researchers. Rather than release it publicly, Anthropic launched Project Glasswing, giving restricted access to roughly 50 organizations, backed by $100M in usage credits. As you read through what comes next, take it with a grain of salt. Anthropic is a for-profit company.

Mythos TLDR:

• Launch partners include AWS, Apple, Microsoft, Google, CrowdStrike, Palo Alto Networks, JPMorganChase, NVIDIA, and the Linux Foundation

• Autonomously discovered thousands of zero-days across every major OS and browser

• Found a 27-year-old OpenBSD vuln and a 17-year-old FreeBSD RCE

• Anthropic says it has no plans to release Mythos Preview publicly

OpenAI’s response: GPT-5.4-Cyber

Yesterday (a week later), OpenAI dropped GPT-5.4-Cyber, a fine-tuned variant built for defensive security work.

• Fine-tuned with lowered refusal guardrails for legit security tasks

• Adds binary reverse engineering capabilities not in standard GPT-5.4

• Access gated through their expanded Trusted Access for Cyber (TAC) program with tiered identity verification

• Codex Security has contributed to fixes for over 3,000 critical and high-severity vulns since broader launch

Industry response:

• CSA, SANS, OWASP, and [un]prompted assembled a 30-page emergency strategy briefing over a single weekend with 60+ contributors including Gadi Evron, Jen Easterly, Bruce Schneier, Chris Inglis, and Rob Joyce

• Paper introduces the concept of a “Mythos-ready” security program and frames VulnOps as a permanent organizational function

• Core recs: reinforce segmentation, egress filtering, phishing-resistant MFA, right-size IAM, tabletop exercises for multiple simultaneous critical-severity incidents

• According to the Zero Day Clock, mean time from disclosure to exploitation has fallen to under 1 day in 2026, down from 2.3 years in 2019

What I think

There’s a fair bit of pessimistic skepticism across the industry on these matters. How much of this is a PR play in the attention economy we’re living in vs. true cause for going haywire on making your security program “Mythos-ready”?

The answer to me is somewhere in the middle leaning towards the latter and yes, security programs should have been focusing on supply chain security and RemediationOps for the past few decades. AI has just lit a fire under these initiatives but the fundamentals still remain the same. Reduce attack surface, right-size IAM permissions, harden, strong ACLs, layered defenses esp. for crown jewels, detect, respond etc etc. AI has made achieving all of this 5x harder but it’s still all mostly the same activities we used to do 10 years ago. In that sense, I get why some folks are calling this nothing burger.

However, security programs thrive on being paranoid aka being prepared. It’s healthy to see the industry rally around initiatives like the CSA report. Attackers esp. nation-states that are carrying out attacks on critical infra and Fortune 500s+, have access to capabilities some of us couldn’t even imagine. The window of exploitation from when a vuln is disclosed or when a software pkg is compromised has shrunk tremendously and AI is the main culprit.

There’s a lot of shit on fire in our industry right now. TeamPCP, Scattered Spider, Lap$us and many nation-states are wreaking havoc across the board. If there’s ever been a time to come together as an industry, it’s now.

Dig Deeper:

• Anthropic: Project Glasswing

• OpenAI: Trusted Access for the Next Era of Cyber Defense

• CSA/SANS: “The AI Vulnerability Storm” Briefing

Don't just fix security breaches. Prevent them.

Security breaches are rising, and a detection-first model creates an added burden as teams manually remediate errors that should have been prevented. CNAPP platforms provide you visibility to what’s misconfigured, but they need a partner to prevent problems upfront.

Turbot pairs with your CNAPP to introduce a prevention-first model that blocks errors in build, at the cloud APl, and auto-remediates in runtime. Use PSPM (Preventive Security Posture Management) to cut your alerts in half.

Learn more

OX Security Documents Systemic RCE Risk in Anthropic’s MCP Protocol Design

OX Security published a 30-page research report detailing a class of command execution vulnerabilities rooted in how Anthropic’s Model Context Protocol handles STDIO transport.

The core finding: MCP’s process execution logic accepts user-supplied commands and passes them directly to the OS with no input sanitization. Even when a malicious command fails to initialize a valid MCP server, the command still executes. The flaw is present across all 10 supported language SDKs (Python, TypeScript, Java, Kotlin, C#, Go, Ruby, Swift, PHP, Rust) and produced 30+ responsible disclosures and over 10 CVEs rated Critical or High.

The most severe findings involve publicly deployed instances. LangFlow (owned by IBM) had 915 publicly accessible servers on Shodan exposing unauthenticated RCE via STDIO MCP config, no login required. OX achieved authenticated RCE on Letta AI production servers via transport-type substitution. These are real, exploitable attack paths. OX also uploaded a proof-of-concept malicious MCP server to 9 of 11 MCP marketplaces without challenge, the same class of supply chain risk as malicious npm/PyPI packages, now applied to MCP.

Anthropic did not fix the vulns and stated: “This is an explicit part of how stdio MCP servers work and we believe that this design does represent a secure default.” LangChain and FastMCP echoed the same stance. OX’s counter: protocol maintainers should take responsibility for secure defaults rather than pushing input sanitization onto every downstream implementer.

While these findings aren’t a fire drill, I think it highlights what we’ve been hammering for a while. MCP and agents are overprivileged by default and even frontier model labs are susceptible to design and code flaws. Great findings and stellar report by the OX team.

What Happens in the Browser Doesn't Stay in the Browser

The reality is that most people are pasting sensitive data into ChatGPT/Claude, clicking phishing links mid-workflow, and running browser extensions nobody's ever vetted.

All of that happens in the browser, and most security tooling isn't even looking there. Keep Aware is a great tool I recently came across that sits at the browser layer, giving you visibility into GenAI usage, native DLP controls, and real-time phishing prevention at the point of click. If you're not watching the browser yet, you're missing the biggest attack surface employees use every day.

Prevent Browser Threats in Real Time

AI-Led Remediation Crisis Prompts HackerOne to Pause Bug Bounties

HackerOne suspended new submissions to its Internet Bug Bounty program as of March 27 because AI-assisted discovery is flooding open source maintainers with more vulns than they can actually remediate. The whole bug bounty model was built for a world where finding bugs was the hard part, but AI flipped that completely. Now remediation is the bottleneck and bounties don’t fund it. This is a big signal that the economics of crowdsourced vuln research are breaking under AI pressure and the industry needs to start funding the fix, not just the find. Crowdsourced RemediationOps anyone? Lol… Security demand has only grown due to AI imo.

How Block Builds In-House Code Review with Agents

Block’s engineering team built AI “protector” agents (their tool Builderbot) that act as always-on code review guardians. They use standardized CLI contracts via Just, nested AGENTS.md files, and Amp’s Code Review Checks pattern to feed agents hyperlocal module-level context while keeping everything aligned to a global architectural “world model.” Yet another data point on build v. buy in security!

Mallory Exits Stealth With AI-Native Threat Intel🔥

Mallory, founded by Jonathan Cran (Intrigue founder (acq. By Mandiant), is now GA and out of stealth. Mallory is an AI-native threat intelligence platform that monitors thousands of threat sources and contextualizes them against an organization’s actual attack surface.

It’s the next gear for threat intel as it produces prioritized, evidence-based cases mapped to what’s exploitable within your environment, covering hunt, detection, and exposure management. The platform ships with native support for Claude Code, MCP, and API integrations. Mallory announced a seed round led by Decibel Partners with participation from Live Oak Venture Partners and angels from Google, Robinhood, Cisco, Fastly, and GreyNoise. No funding amount disclosed

Kudos to JCran! One of the nicest and smartest guys in the security industry. Check out this video/live demo with him and MattJay from VulnU!

🎙️Inside the Network with Christina Cacioppo, Vanta CEO

The Inside the Network crew (Sid Trivedi, Ross Haleliuk, Mahendra Ramsinghani) sat down with Vanta co-founder and CEO Christina Cacioppo for a conversation on her journey and building Vanta into a $4B+ valuation company.

To me, Christina is top 5 founders in the security (+adjacent space). Down to earth, brilliant, and relentless so this pod was a treat.

Worth a listen for anyone building a security company. Also kudos to the ITN crew. One of the best and most consistent pods in security right now.

🔮 The Future of Security 🔮

AI Security

Cloudflare Expands Agent Cloud With Sandboxed Runtimes and Persistent Compute

Cloudflare expanded its Agent Cloud platform with infrastructure designed to move AI agents from local demos to production workloads.

Key releases include Dynamic Workers, an isolate-based runtime that executes AI-generated code in sandboxed environments at 100x the speed and a fraction of the cost of containers; Artifacts, a Git-compatible storage layer supporting tens of millions of repositories for agent-managed code; and Sandboxes, which give agents access to persistent Linux environments with shell, filesystem, and background processes.

More AI Security News:

• Manifest platform from Manifold targets AI agent supply chain security gaps

Application Security

GitHub Publishes 2026 Actions Security Roadmap After Supply Chain Attacks Multiply

GitHub laid out its 2026 Actions security roadmap in response to a wave of supply chain attacks targeting CI/CD automation, including incidents hitting tj-actions/changed-files, Nx, and trivy-action.

The roadmap introduces workflow-level dependency locking (think go.mod for Actions), policy-driven execution controls via rulesets that restrict who can trigger workflows and which events are allowed, scoped secrets that bind credentials to specific execution contexts, and a native Layer 7 egress firewall for hosted runners. Most capabilities are targeting public preview within 3-6 months.

Long overdue: write access to a repo will no longer grant secret management permissions.

Cloud Security

Intruder Brings Agentless Container Image Scanning to Midmarket Teams

Intruder added container image scanning to its cloud security platform, integrating directly with AWS ECR, Google Cloud Artifact Registry, and Azure Container Registry to scan images daily without deploying agents.

Data Security

Wiz Targets Stale and Redundant Cloud Data With New DSPM Module

Wiz released Shadow Data Detection as part of its DSPM platform, designed to identify stale, duplicated, and over-retained data across cloud storage. The feature analyzes cloud provider inventory reports to flag redundant objects, excessive versioning, and orphaned data, then surfaces estimated cost savings and exposure reduction in a centralized dashboard. Across early customer environments, Wiz identified over 1 exabyte of data in storage buckets, with a significant portion classified as redundant.

Identity and Access Management

Cisco Reportedly Nearing $250M+ Deal for AI Agent Security Startup Astrix

Cisco is reportedly in talks to acquire Astrix Security for between $250M and $350M, roughly 3x the startup’s total funding to date. Astrix discovers AI agents, MCP servers, and non-human identities across enterprise environments, then scans for misconfigurations like overprivileged service accounts or publicly exposed agent endpoints. The platform includes JIT access controls that auto-expire agent credentials. This would be Cisco’s second AI security acquisition in a week, following the Galileo Technologies deal for its hallucination firewall, and signals Cisco is all in on AI security and observability.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

A Practical Approach to Securing AI

If your organization is building or using AI, you understand how critical data exposure risk is becoming. Varonis Atlas was built to solve that - giving teams insight into all AI usage (including shadow AI), the ability to fix risky exposures, enforce runtime guardrails, and manage governance all in one platform.

Watch the demo

Howdy 👋 - From RSAC to the TeamPCP software supply chain havoc, the past few weeks have been wild. I think this meme perfectly depicts what most of the industry is going through:

This post covers the biggest announcements and news from the past two weeks. But if you're looking for my unfiltered, practitioner-level takeaways from my time at RSAC this year, I dropped a deeper breakdown earlier this week:

TL;DR 🗞️

• 🔗 TeamPCP’s Cascading Supply Chain Attack — Trivy to LiteLLM to Axios to Mercor: one incomplete credential rotation turned into a 5-ecosystem, 8-day rampage

• 🤖 OpenAI Codex + GCP Vertex AI Vulns Disclosed — BeyondTrust and Unit 42 pop AI coding agents on basic AppSec failures while RSAC sells agent security

• 💰 XBOW Hits Unicorn at $120M Series C — GitHub Copilot creator’s autonomous pentesting platform reached #1 on HackerOne, first machine to outperform all human hackers

• 🆔 Oasis Security Raises $120M for Non-Human Identity — Craft Ventures led, Sequoia and Accel in; $195M total to build the access management layer for AI agents and machine identities

• 🛡️ Tenex Raises $250M Series B — One year old, agentic MDR that analyzes all telemetry within 60 seconds of ingestion

• 🏆 Geordie AI Wins RSAC Innovation Sandbox — Agent remediation via context engineering beats offensive security and code-level tooling for the crown

• 🇮🇷 FBI Confirms Hack of Director Patel’s Personal Email — Iranian-linked Handala group publishes ~300 emails from the FBI Director’s Gmail account

Plus: Delve’s fake compliance saga, a breathalyzer cyberattack stranding drivers, $160M+ in autonomous offensive security funding, 12 AI x Security product launches, and a whole lot more below 👇

Fair warning: this week’s issue is massive. Absurd amount of news across every domain, so I leaned on AI heavily to help me process, structure, and draft this one. Every take, every editorial call, and every fact-check is still me. But there’s no way I’m turning around a recap this comprehensive on my own, in a week, without it.

⚒️ Picks of the Week ⚒️

The Security Tool That Became the Weapon: Inside TeamPCP’s Supply Chain Campaign

The software supply chain didn’t just crack this month. It detonated.

TeamPCP executed a cascading campaign between March 19-27 that deliberately targeted the tools security teams trust most, chaining each compromise into the next across five ecosystems in eight days.

It started with Aqua Security’s Trivy, one of the most widely deployed open-source vulnerability scanners. TeamPCP used credentials retained from an incomplete February remediation to force-push malicious code to 75 of 76 trivy-action tags and publish poisoned binaries to GitHub Releases, Docker Hub, GHCR, and ECR. Tracked as CVE-2026-33634 (CVSS 9.4). It took five days to fully evict the attackers. Three days into remediation, they published additional malicious Docker images, proving access still hadn’t been severed.

From there, stolen credentials cascaded outward: a self-propagating npm worm (CanisterWorm) hit 64+ packages using blockchain-based C2 that can’t be taken down conventionally. Then Checkmarx KICS and AST GitHub Actions fell. Then LiteLLM, the open-source proxy routing API calls to 100+ LLM providers (95M monthly PyPI downloads). The poisoned versions used a .pth file that fires on Python interpreter startup without being imported or called. Three hours on PyPI at 3.4M daily downloads. Then Telnyx. Then the Axios npm package in a separate North Korean operation.

The downstream carnage hit Mercor, a $10 billion AI startup training models for OpenAI, Anthropic, and DeepMind. Reports indicate developers gave production credentials to an AI coding assistant running with unrestricted permissions. The compromised LiteLLM package came in through that pipeline. Lapsus is now auctioning 4TB: source code, database records, and 3TB of video interviews with face scans and KYC documents used for identity verification. Biometrics cannot be reset.

This is the story of the year. TeamPCP figured out that the open-source security tooling ecosystem is connected by credential chains, and if you pull on one thread, everything unravels. The most diligent organizations, the ones scanning every build, had the greatest exposure. The campaign started with a security scanner. Practical takeaways: pin to commit SHAs, not tags (71% of orgs still don’t, per Datadog). Treat every credential rotation as atomic or assume it’s incomplete. Audit your AI coding assistants’ permission scopes like you would a production service account. And know your transitive dependency tree, because the attackers already do.

Dig Deeper:Wiz | Datadog Security Labs | SANS | Endor Labs

Crush Insider Threats: Agent-to-Agent Security with Reco & Torq

Insider threats are evolving. Your defenses should too.

Agent sprawl, shadow AI, and disconnected tools leave your team chasing vague signals. Join Reco & Torq on April 15 to see how AI agents investigate insider threats in seconds, combining behavioral context with cross-stack signal orchestration to turn suspicious logins into confident verdicts automatically, with fewer false positives and faster MTTR.

Register now

AI Coding Agents Are Getting Popped on Fundamentals

BeyondTrust Phantom Labs disclosed a critical command injection in OpenAI Codex that allowed theft of GitHub OAuth tokens via an unsanitized Git branch name. Codex passes branch names directly to the shell without validation. A malicious branch name (hidden behind 94 ideographic Unicode spaces and || true) could execute arbitrary commands inside the container, extracting the plaintext token that grants read/write access to the victim’s entire codebase. Set the poisoned branch as default, and every Codex user on that repo gets compromised. OpenAI classified it P1, patched February 5, 2026.

Separately, Palo Alto Networks Unit 42 showed how AI agents on Google Cloud’s Vertex AI could be weaponized into “double agents” by exploiting overly broad default service agent permissions (P4SA). Researchers extracted credentials from a deployed agent and pivoted to unrestricted read access across Cloud Storage buckets, restricted Google-owned Artifact Registry repos, and internal Dockerfiles. Google updated its docs and now recommends Bring Your Own Service Account (BYOSA).

Branch name injection. Default OAuth scopes covering Google Workspace. Basic AppSec hygiene failures in a new context, while RSAC was wall-to-wall “agent security” product launches.

Dig Deeper: BeyondTrust Phantom Labs writeup | Unit 42 Double Agents research | SecurityWeek coverage

Geordie AI Wins RSAC Innovation Sandbox

Geordie AI took home the Innovation Sandbox title at RSAC 2026, beating out nine other finalists (each received $5M in investment). The company launched Beam, an AI agent remediation suite built on context engineering that continuously assesses risk and feeds mitigation back to agents in real time. Think guardrails that adapt to what the agent is actually doing rather than what you hoped it would do. Founded by Henry Comfort (ex-Darktrace COO Americas) and Benji Weber (ex-Snyk), the team went from buying laptops a year ago to winning the industry’s most prestigious startup competition.

Innovation Sandbox winners always signal where the industry’s head is at. Agent remediation winning over offensive security and code-level tooling tells you where buyer anxiety is right now. “Context engineering” is a term we’ll be hearing a lot more of. Whether Geordie can scale beyond the hype is the question, but the thesis is solid.

Cyberattack on Breathalyzer Company Leaves Drivers Stranded Across the US

Intoxalock, a company that makes court-mandated vehicle breathalyzer ignition interlock devices, confirmed a cyberattack on March 14 that knocked its systems offline and left drivers across the country unable to start their cars. The devices require periodic calibration, and the outage prevented calibration resets, effectively bricking vehicles for users who are legally required to have the devices installed.

Cyber-physical impact on vulnerable populations. People under court order who literally cannot drive to work, medical appointments, or childcare because a vendor got popped. If your device can be remotely bricked by a backend outage, your architecture is a liability.

Delve Whistleblower Doubles Down With Alleged Receipts on ‘Fake Compliance’

The Delve saga escalated again. Hours after CEO Karun Kaushik published a lengthy denial on X, anonymous whistleblower “DeepDelver” fired back with what they claim is video evidence and Slack messages backing up allegations that the Y Combinator-backed compliance automation startup ($32M Series A, valued at ~$300M) fabricated compliance data for customers. The original leak reportedly included 493 draft audit reports with 99.8% identical boilerplate text.

If even a fraction of these allegations hold up, this is a body blow to the automated compliance space. If a well-funded, YC-backed player was allegedly generating rubber-stamp audits, every CISO relying on automated compliance platforms is going to start asking harder questions about what’s actually behind the curtain.

FBI Confirms Hack of Director Patel’s Personal Email

Iranian-linked hacking group Handala claimed responsibility for breaching FBI Director Kash Patel’s personal Gmail account, publishing roughly 300 older emails along with photos and documents. The FBI confirmed the breach but stated the materials were “historical in nature” and contained no government information. The hack came shortly after the FBI seized Handala’s domains and announced a $10M reward for information on the group’s members, following their claimed attack on medical tech company Stryker.

“No government information” is doing a lot of heavy lifting in that statement. Personal email of the FBI Director is still useful for social engineering, relationship mapping, and reputational targeting. Another data point in the escalating US-Iran cyber conflict. If the FBI Director’s Gmail gets popped, your executives’ personal accounts are absolutely in scope for your threat model.

🔮 The Future of Security 🔮

AI x Security

RSAC 2026 had one message: agentic AI is in production and everyone wants to sell you the guardrails. The conference floor was wall-to-wall “agent security” launches. At least a dozen vendors shipped products targeting the same core problem: autonomous agents now have access to credentials, source code, production infrastructure, and elevated permissions, and nobody has a consistent way to discover what’s running, govern what it’s allowed to do, or enforce policy at runtime.

The market has split into three lanes: discovery (find your shadow agents), governance (write and enforce policy), and runtime enforcement (stop bad behavior in real time). MCP server security emerged as the new checkbox everyone is racing to claim.

The Big Announcements:

• NVIDIA launched OpenShell and NemoClaw, an open-source runtime that puts out-of-process policy enforcement between autonomous agents (“claws”) and your infrastructure: sandboxing, permission verification, and a privacy router that keeps sensitive context on local models

• CrowdStrike unveiled Charlotte AI AgentWorks, a no-code agent development platform with launch partners including Anthropic, OpenAI, NVIDIA, AWS, Salesforce, and Accenture

• Palo Alto Networks shipped Prisma AIRS 3.0, covering the full agentic lifecycle from discovery to runtime with an AI Agent Gateway and agentic endpoint security (via the pending Koi acquisition)

• Wiz (now Google Cloud) introduced AI-APP, an AI Application Protection Platform treating AI as an interconnected system across models, agents, and data, plus a Red Agent for AI-powered offensive testing

• Snyk launched Agent Security and brought Evo AI-SPM to GA, using automated agents to build a live AI Bill of Materials and enforce governance across the coding agent lifecycle

• Sysdig released runtime security for AI coding agents, detecting credential exposure, reverse shells, binary tampering, and unauthorized file access across tools like Claude Code, Codex, and Gemini

• Rubrik unveiled SAGE (Semantic AI Governance Engine), using a custom SLM to interpret natural-language policies and enforce them in real time

• Astrix expanded into full AI agent discovery and enforcement via its Agent Control Plane

• Nudge Security extended its platform to AI agent discovery alongside its existing SaaS security

• Apiiro launched AI Threat Modeling within Guardian Agent, generating architecture-aware threat models from tickets and design specs before code exists

• Straiker launched Discover AI and expanded Defend AI, with 12,000+ MCP vulnerability databases and runtime tracing across coding agents, productivity tools, and custom agent platforms

• F5 and Forcepoint partnered to secure enterprise AI data from creation through runtime operations

Application Security

AI is writing code faster than humans can review it. The industry is splitting into two camps. One is better detection: combining AI reasoning with deterministic analysis to catch logic flaws that traditional SAST misses entirely. The other is runtime protection: watching what code actually does in production, because signatures can’t keep up when time-to-exploit approaches zero.

• Semgrep launched Multimodal, pairing its rule-based engine with LLM reasoning to catch business logic flaws like IDORs and auth bypasses. Already finding zero-days at customer deployments. Custom Workflows (Python-based automated pipelines for detection, triage, and remediation) are in private beta.

• Raven raised $20M (Norwest led, with SentinelOne participating) for CVE-less runtime behavioral security. The platform maps execution chains inside running applications and generates behavioral fingerprints to detect malicious deviations in real time, even without known vulns. Three U.S. patents filed.

• Qodo raised $70M Series B (Qumra Capital led, $120M total) for AI-powered code verification. The bet: as tools like OpenClaw and Claude Code generate billions of lines of code monthly, verifying that software works as intended is the bottleneck.

Cloud Security

One announcement worth calling out: CrowdStrike shipped adversary-informed cloud risk prioritization in Falcon Cloud Security. CrowdStrike’s answer connects live application behavior to active adversary tradecraft in a single model. Three new capabilities: Application Explorer (runtime view of how app behavior shapes cloud risk), Timeline Explorer (chronological root-cause analysis of config and app changes), and a Cloud Risk Engine that maps exposures to real adversary TTPs.

Email Security

Sublime Security shipped ADÉ (Autonomous Detection Engineer) to GA. ADÉ is an AI agent that turns novel email attacks into new detections autonomously, going from reported threat to accepted detection in hours instead of weeks. The agent can run end-to-end without analyst intervention: picking up a newly reported threat, generating detection logic, and accepting high-confidence coverage. For teams drowning in phishing variants, this is detection engineering on autopilot.

Exposure Management

Censys raised $70M ($40M Series D from Morgan Stanley Expansion Capital + $30M debt; $149M total). Building AI-driven solutions on top of its continuously updated global map of internet infrastructure.

Onit Security emerged from stealth with $11M seed (Hetz Ventures and Brightmind Partners led). Founded after an Iranian state-sponsored attack exploited a known vuln buried in co-founder Ofer Amitai’s previous company’s backlog. Onit’s agentic platform automates the full exposure lifecycle: AI agents prioritize by business context rather than CVSS, auto-identify asset ownership, and execute fixes. Founding team has three prior acquisitions: SCADAfence (Honeywell), Portnox, and For-Each (Autodesk).

Identity and Access Management

Identity was RSAC’s quiet blockbuster. BeyondTrust data showed a 466.7% increase in enterprise AI agents over the past year, most deployed through low-code platforms with privileges that rival human admins. Non-human identity management and agentic access governance emerged as the hottest sub-categories, with massive funding and product launches all converging on the same problem.

• Oasis Security raised $120M Series B (Craft Ventures led; Sequoia, Accel, Cyberstarts participated; $195M total). Shipped Agentic Access Management (AAM): intent-based, just-in-time access for AI agents and machines that evaluates what a system is trying to do before granting permissions.

• ConductorOne launched AI Access Management, a unified control plane for governing AI tools, agents, and MCP connections. 3,000+ hosted MCP servers let any API-connected app be governed out of the box, with fine-grained tool call authorization and credential vaulting. AI agents are treated as first-class identities.

• BeyondTrust expanded its Pathfinder Platform to secure AI agent “coworkers” alongside human and machine identities under a single privilege model. Phantom Labs research found most enterprises run shadow AI agents with privileged access that security can’t see. Endpoint Privilege Management now enforces least privilege for AI clients (Claude, ChatGPT) on endpoints.

IoT/OT Security

Eclypsium raised $25M in strategic funding (PEAK6 Strategic Capital led, $110M total). Secures firmware, software, and hardware across enterprise device fleets. The new capital is earmarked for expanding into AI infrastructure: NVIDIA GPU servers in AI datacenters, Bluefield DPU-based appliances, CCTV cameras, 5G networking gear, and SASE/SD-WAN edge appliances.

Offensive Security

Autonomous offensive security had the biggest funding week of any sub-category at RSAC. $160M+ hit this space, and AWS made it a first-party service.

• XBOW raised $120M Series C (DFJ Growth and Northzone led, $237M total, valuation $1B+). Founded by GitHub Copilot creator Oege de Moor, XBOW’s autonomous platform reached #1 on the HackerOne leaderboard, the first time a machine outperformed all human hackers on the platform. Sequoia, Altimeter, and Alkeon also in the cap table.

• RunSybil raised $40M (Khosla Ventures led, with Anthropic’s Anthology Fund participating). Co-founded by OpenAI’s first security researcher and Meta’s former offensive security red team lead. Black-box AI agents conduct continuous pentesting without source code access, chaining vulns like human attackers. Customers include Cursor and Notion.

• AWS Security Agent hit GA for on-demand penetration testing across six regions. Autonomous pentesting at $50/task-hour (avg. test ~$1,200), supporting multicloud (AWS, Azure, GCP, on-prem).

Security Operations

Last year’s RSAC was “we’re building an agentic SOC.” This year’s was “here’s the receipt.” The difference is that vendors are now shipping GA products, acquiring purpose-built startups, and embedding multi-agent architectures into existing platforms. Whether any of it actually works at scale in production is still TBD, and Gartner publishing an evaluation framework for AI SOC agents suggests the analyst community shares that skepticism. But the investment thesis is clear: SOC teams can’t hire their way out of alert volume, and AI agents are the bet.

The Big Announcements:

• Tenex raised $250M Series B (Crosspoint Capital led) just a year after launch. Agentic MDR that ingests and analyzes all available telemetry within a minute. AI triages, investigates, and documents; humans make final calls.

• Rapid7 acquired Kenzo Security to bring multi-agent AI into its Command Platform. Kenzo’s entity-centric data mesh unifies endpoint, identity, cloud, and SaaS data to power autonomous alert investigations. The play: move Rapid7’s MDR from AI-assisted to AI-driven.

• Databricks entered the security market with Lakewatch, an open agentic SIEM built on its lakehouse architecture. The pitch: decouple compute from storage, retain all your telemetry in open formats, and deploy AI agents for detection and triage where the data already lives. Acquired SiftD.ai (founded by the creator of Splunk’s SPL) and Antimatter to bolster the stack. Anthropic’s Claude models power parts of the platform, and Anthropic itself uses Databricks for its own security lakehouse. Adobe and Dropbox are early customers. In private preview.

• Accenture and Anthropic partnered to scale AI-driven cybersecurity operations, combining Accenture’s managed security services with Anthropic’s Claude models.

• Wiz shipped the Blue Agent to GA, joining its Red and Green Agents to power agentic workflows across AI environments.

• Datadog launched Bits AI Security Analyst for Cloud SIEM (GA globally). Autonomously investigates alerts using unified security and observability data.

• Torq released Agentic Builder, turning natural language descriptions of security goals into production-grade AI agents and workflows.

• Dropzone AI launched AI Threat Hunter, an autonomous agent for continuous proactive threat hunting.

• Geordie AI introduced Beam, the first AI agent remediation suite using context engineering. Geordie also won the RSAC Innovation Sandbox (each finalist received $5M).

• Manifold raised $8M seed (Costanoa Ventures led) for its AI Detection and Response (AIDR) platform. Built by the creators of LLM Guard, Manifold monitors agent behavior at runtime on endpoints, mapping connections to MCP servers and external systems. Agentless, deploys in days.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

Introducing the AI Security Platform Built on Data Security

AI adoption is exploding. But most security tools still can’t see what data AI is touching.

Varonis Atlas is designed to secure AI across the entire AI lifecycle, with data context built in. From visibility to runtime protection to governance, Atlas can secure everything you build and run with AI in one platform.

See it in action here

Though I’m still recovering from a 9-day conference stretch, this was easily my favorite BSidesSF + RSAC week. The energy was on point. I had 100+ conversations with security leaders on what they’re most excited about, biggest pain points, you name it. After RSAC, I ended up traveling 15 hours to another security conference where I presented on Saturday (more on that in a separate post ;)

It’s interesting because I wear multiple hats at conferences. I run this newsletter, so I’m always watching the emerging landscape from tradecraft to threats, tooling and capabilities, and how security leaders are future-proofing their teams and environments.

I’m also Head of Growth at Monad, so I do sales, marketing, and a bit of product management. If I learn that you have pain points Monad can solve, I will gladly pitch you on Monad and tell you about all the great stuff we’re up to. And at my core, I’m a security practitioner who still loves nerding out on how teams are staying current and how my previous crafts of detection engineering and cloud security continue to evolve.

That said, this post is an amalgamation and distillation of my biggest takeaways from the con from a holistic standpoint. Not my typical announcements roundup. That will come on Thursday!

Build vs. Buy is Shifting

In recent years, Build vs. Buy has become even more of a hot topic. The continual improvement of LLMs and agentic development has seriously lowered the barrier for entry. People are obviously all over the spectrum on this debate, but I feel like more people are leaning towards “Build” on certain categories than ever.

This was a main topic on the BSidesSF panel w/ security leaders from Anthropic, OpenAI, Perplexity, and Cursor. Here’s what stuck w/ me most after synthesizing a bunch of takes on this topic last week:

• The gap between MVP and “production-ready” is where things get ugly. It varies by application, use case, and criticality, but that middle stretch is always messy.

• Shipping it is only the beginning. Even after something is production-ready, you still have to staff for maintenance and scalability.

• Some problems are just too hairy to own. Sometimes it makes more sense to pay someone else and hand off the problem entirely.

Midmarket Security Is Quietly Overconfident — And the Numbers Prove It

94% of midmarket security leaders say they can catch critical risks before attackers do. But 51% admit a zero-day would take a week to assess. Something doesn't add up. Intruder surveyed 500+ security decision-makers at companies with 400–6,000 employees to get the real picture of how teams are coping with growing digital estates, shrinking exploitation windows, and tooling built for enterprise budgets.

Get the full report

People Are Building Really Cool Things with AI

I had a few convos with security leaders including some at F500s who are super AI-pilled. We’re talking dedicated homegrown agents and skills for dozens of different security functions, mostly handling initial triage and investigations all the way through recommending remediation paths.

I also spoke with a leader who built a living, digital twin of their entire environment. If an AWS asset config gets changed, the digital twin gets updated. If a new admin account is spun up in Okta, the digital twin records it. Now, this person is an anomaly and pretty forward-thinking, but I think more and more people will continue to get creative with AI for security in meaningful ways. The ones who think outside the box, own the future, as always.

MCP is Changing the Game

Model Context Protocol (MCP) has played a massive role in modernizing security workflows. One leader I spoke with even said he won’t consider a new vendor if they don’t have MCP capabilities. I don’t agree with his take as I think MCP eats a lot of tokens.

But it does makes sense when you look at what it unlocks. Security teams are using MCP to give AI agents direct access to their tools. Think an AI assistant that can pull alert context from your SIEM, query your CMDB for asset ownership, and check your threat intel platform for IOC enrichment, all in a single investigation flow. Teams are also building MCP-enabled agents that can take action like isolating endpoints, creating tickets, or kicking off response playbooks based on findings.

It’s basically turning every security tool with an MCP server into a composable building block that AI can orchestrate across.

The security data lake for AI agents

Scanner is an agentic security data lake to investigate alerts, hunt threats, and respond to incidents. It indexes logs directly in S3, making years of data searchable in seconds. Scanner scales up when needed and scales to zero after, so you pay for answers, not idle compute. Open-source agents help you get started fast.

See Scanner in Action

Decoupled Architectures for Security Operations

This goes hand in hand with the previous takeaway. More and more security leaders are considering a decoupled security architecture. Security data needs to live in more places than ever, especially with teams gaining more appetite to augment their tooling with homegrown capabilities. Recent breakthroughs are enabling teams to keep telemetry in ultra cost-effective, highly performant storage layers (Scanner.dev being a prime example) while data pipeline players like Monad have pretty much been the trojan horse enabling security teams to gain back control of how and where they route their data, with added benefits like enrichments and transformations that make data AI-ready.

I also heard more rumblings around federated search and how AI agents are good at querying data at the source for investigative work. The dust has yet to settle here but it’s clear that most security leaders are redrawing their SOC architectures, and there are a lot of emerging approaches and tooling to choose from. As someone who worked closely with Fortune 500 teams on detection engineering and response while at Accenture, this is a feel-good story. Security teams are breaking out of vendor lock-in and rebuilding their stacks with composable, best-of-breed solutions.

I’d say that after a long, hard-fought battle, SIEMs are no longer the one-stop shop for security analytics, response, and investigations. MCP, data lakes, data pipelines, triage agents etc. have disrupted the SIEMs moat. What comes next?

Talent and Upskilling

Security leaders are thinking hard about how to keep their teams at the forefront, not just of threats, but of evolving capabilities and tooling. They’re encouraging their people to adopt a builder mindset and go wider.

The world is changing fast. The ones who lean into the hacker and builder mindset will excel.

Honorable Mentions

Attack velocity + volume: Bad guys are using AI to find 0-days, exploit unpatched systems, and scale their campaigns. Defenders are cognizant of this and while there’s not an impending sense of doom, people are feeling the heat.

Agentic AI Identity: Still the wild west. No clear winner or winning approach, imo but we’re getting closer.

AI Pen Testing: Lots of funding and hype around it. I think it’s a space at risk if frontier model shops really wanted to go after it. Regardless, there’s a massive need for AI pen testing in validating vulns, securing new attack surface, and ensuring secure code and apps. This was a part of the security cycle that was painfully manual and having continual coverage here is a big upgrade.

Data Security: Scorching hot space and a top concern. Agentic AI is creating entirely new data access patterns that most teams aren’t equipped to govern yet. When your AI agents can autonomously query databases, pull documents, and chain API calls together, the blast radius of a misconfigured permission or over-scoped identity gets a lot bigger. Lots of energy here, and rightfully so.

Securing AI Code Gen Output and Agent Usage: Velocity and volume are big concerns, along with non-devs building small scripts to automate tasks. No clear winner here though the incumbents like Semgrep, Snyk, OX, etc. are shipping capabilities to keep up with the madness.

Software Supply Chain Security: Software Supply Chain Security: This one keeps getting scarier and giving me whiplash. March alone gave us the TeamPCP cascading campaign that started with compromising Aqua’s Trivy scanner, spread to Checkmarx KICS, and then used stolen CI/CD credentials to poison LiteLLM on PyPI (a library present in 36% of cloud environments according to Wiz). One compromised security tool turned into five compromised ecosystems in under a week.

And then literally today, Axios got hit with a hijacked maintainer account pushing a RAT through poisoned npm releases to a package with 100M+ weekly downloads. The window was only a couple hours but the blast radius is wild.

Scary pattern. Recommend checking these blogs out if you’re responding to these attacks:

• Supply Chain Attack on Axios Pulls Malicious Dependency from npm

• Trivy - StepSecurity

• LiteLLM - ReversingLabs

The dust has settled on BSidesSF and RSAC 2026, but there is still SO much in flux for security teams. So in that sense, the dust may never for security teams. Just have to keep operating through the chaos which is easier when you have strong leadership + culture. Fun time to be in security.

I’ve still got a lot more to share. On Thursday, I’ll drop Part II covering the biggest announcements, my favorite events, and the overall vibes from the week etc. Stay tuned!

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Subscribe now

Share

Midmarket Security Is Quietly Overconfident — And the Numbers Prove It

94% of midmarket security leaders say they can catch critical risks before attackers do. But 51% admit a zero-day would take a week to assess. Something doesn’t add up. Intruder surveyed 500+ security decision-makers at companies with 400–6,000 employees to get the real picture of how teams are coping with growing digital estates, shrinking exploitation windows, and tooling built for enterprise budgets.

Get the full report

Howdy 👋 - hope you’re having a stellar week. I’ll spare you from the personal BSidesSF/RSAC updates as I have something else coming on that front.

Aside from that, this past week was jampacked with launches + fundraising. Some of which have a truly novel or differentiated approach to their problem space. Good research in this week’s issue as well.

That said, let’s get into it!

TL;DR 🗞️

• 🏖️ AWS Bedrock Sandbox Escape via DNS — BeyondTrust’s Kinnaird McQuade built a full C2 channel through “isolated” AgentCore using DNS queries alone

• 🏄 Surf AI Launches with $57M — Accel-led round for agentic platform tackling the last mile of security remediation at enterprise scale

• ☁️ Google Closes $32B Wiz Acquisition — Largest VC-backed exit ever is officially done after US and EU antitrust clearance

• 🚔 Interpol Sinkholes 45,000 IPs in Operation Synergia III — 94 arrests across 72 countries targeting phishing, malware, and fraud infrastructure

• 🐍 Microsoft Publishes Prompt Abuse Playbook — Practical detection and response guide for direct, extractive, and indirect prompt injection

Plus: Okta's new AI agent identity framework, CrowdStrike x NVIDIA's agent security blueprint, Bold Security's $40M stealth exit, and 10 more stories below 👇

⚒️ Picks of the Week ⚒️

Researcher Break Out of AWS Bedrock AgentCore’s “Sandbox” Using DNS Queries

Our friend Kinnaird McQuade, cloud security legend and chief architect at BeyondTrust’s Phantom Labs, dropped a banger this week. He and the team demonstrated a full sandbox escape from AWS Bedrock AgentCore’s Interpreter using nothing more exotic than DNS queries.

Sandbox mode blocks most outbound traffic but still permits DNS A record lookups which I learned is enough to build a fully functional bidirectional C2 channel. Kinnaird will be walking through this exact exploit at BSides SF this Sunday. Definitely a must attend if you’re in town.

From the C2 channel, he demonstrated running commands (whoami) inside the sandbox, listing and reading S3 bucket contents, and exfiltrating credentials, PII, and financial data. All while the env happily reported that network access was disabled. The default AgentCore role ships with permissions broad enough to turn that DNS covert channel into a full reverse shell 😬

AWS’s response was pretty wild tbh. In September 2025, AWS reproduced the issue but classified it as “intended functionality.” The fix: updated docs of what ‘sandbox’ mode is. Kinnaird then received a $100 AWS Gear Shop gift card. A hundred dollars for a CVSS score 7.5 vuln in tooling that F500s use is interesting.

This is one of the best vuln disclosure reports I’ve read all year. Educational and fully walks you through the attack flow on a novel-ish cloud service. Kudos to Kinnaird on this!

AI Agents Don't Need Your Permission. They're Already Inside.

No approvals. No oversight. No visibility. AI agents act autonomously with permissions across your entire SaaS stack—and your security tools can't see them. When the breach happens, will you explain to your CISO that you didn't even know they existed? Reco AI Agent Security ends the blindness.

Discover your hidden AI agents

Surf AI Exits Stealth with $57M

Surf AI launched out of stealth yesterday with $57 million in combined seed and Series A funding led by Accel, with participation from Cyberstarts and Boldstart Ventures. It’s not another AI SOC or AI security tool but the way I’d describe is that the focus on the last mile of reducing risk, remediation, using AI.

What the platform does: Surf AI ingests signals from identity, cloud, security, HR, and IT systems to build what it calls a “living context graph” mapping assets, owners, permissions, and dependencies. Domain-specific AI agents (i.e., identity, cloud etc) then prioritize risk by context and coordinate remediation workflows under human oversight.

Automated remediation has almost always been a tough sell. The potential downside of remediation-induced downtime on critical systems often outweighs the perceived risk of the vulnerability itself. There’s sometimes sooooo much back and forth in remediating a vuln, implementing a compensating control, or just accepting the risk.

Up until like 5 years ago, humans held all the institutional knowledge about what touches what, and what would break if we patched a system or closed a port on a cluster. I saw this firsthand doing cloud security engagements at J&J and Accenture: the bigger the org, the worse this problem gets. I think the way Surf is tackling it makes sense. Build a context graph of what a cloud asset touches and what it means to the business before you close a port or harden a config. Present multiple remediation options with a human in the loop. That approach meaningfully reduces the risk of inadvertently breaking something.

The other thing to highlight is that most of the security debt sitting in enterprise backlogs wouldn’t introduce breaking changes if remediated. Clearing stale accounts from decommissioned employees, revoking orphaned permissions, fixing known misconfigs that nobody owns. That’s the long tail, and I think that’s where agentic execution can absorb work that humans would never get to.

Huge shout out to the Surf crew, especially their CISO, Yonesy Nuñez. Excited to watch this team and product help solve that painful last mile for teams.

Side note: We are hosting The Morning Burn with the Surf.ai, Monad and Oso Security crews on Wednesday at RSAC. RSVP to join the fun 🍊🔥

The security data lake built for AI agents

We've been watching Scanner evolve for a while now and the progress has been unlike anything else in the SecOps space. It indexes logs directly in S3 and makes years of data searchable in seconds through native MCP support or old school querying.

It hooks up to Claude Code, Cursor, or any MCP client and lets AI agents hunt threats, triage alerts, and run investigations across years full log history. Queries cost pennies meaning agents can explore freely without blowing your budget. Honestly their approach is the most sensible path forward to security analytics and storage.

Highly recommend checking them out if you’re struggling w/ massive SIEM bills and tired of visibility and budget trade-offs.

See Scanner in Action

Also worth reading: they just indexed 1.4 petabytes of logs over a weekend and hunted an APT in under 10 minutes.

Google Closes $32B Wiz Acquisition, Largest VC-Backed Exit Ever

Last week, Google officially completed its $32 billion all-cash acquisition of Wiz. The largest deal in Google’s history and the biggest acquisition of a venture-backed startup ever.

The deal closed after clearing antitrust review in both the US (November 2025) and EU (February 2026).

What a run by the Wiz team. Will be fun to see what they get up to w/ unlimited compute, Gemini models, Mandiant, VirusTotal and the Chronicle/Google SecOps SIEM at their fingertips. That probably deserves a blog somewhere down the road.

Tech Giants Invest $12.5M in Open Source Security Through Linux Foundation

Anthropic, AWS, Google, Google DeepMind, GitHub, Microsoft, and OpenAI collectively granted $12.5 million to the Linux Foundation’s Alpha-Omega and OpenSSF initiatives to strengthen the security of the open source ecosystem. Alpha-Omega has already issued 70+ grants totaling over $20 million across ecosystems including Rust, Node.js, and PyPI. Cool.

Interpol Sinkholes 45,000 IPs, Arrests 94 in Operation Synergia III

Interpol’s third iteration of Operation Synergia ran from July 2025 through January 2026 across 72 countries, resulting in 94 arrests, 212 devices seized, and over 45,000 malicious IP addresses sinkholed.

The operation targeted phishing, malware distribution, ransomware infrastructure, romance scams, and credit card fraud. Bad guys in jail = good.

Most arrests in the takedowns have taken place in Macau, Bngladesh, and Togo. These level of takedowns remind of the Beekeeper movie. Great film that covers these fraud farms + stars Jason Statham. Highly recommend.

🔮 The Future of Security 🔮

AI Security

Microsoft Publishes Prompt Abuse Detection Playbook for AI Tools

Microsoft Incident Response released a practical detection and response playbook for prompt abuse in enterprise AI tools, covering direct prompt overrides, extractive abuse against sensitive inputs, and indirect prompt injection.

The blog gives a good overview of detection and hardening opportunities. Great primer.

More AI Security news ⬇️

• Okta unveils new framework to manage AI agents and upcoming Okta for AI Agents platform

• CrowdStrike Unveils Secure-by-Design AI Blueprint for AI Agents Built with NVIDIA

• Netskope Launches AI Security Platform with AI Ecosystem Protection

Data Security

Varonis Launches Atlas, an End-to-End AI Security Platform

If you’re a long time reader of TCP then you already know I’m fond of their approach to data security. I wrote a report on why their context graph approach is the way to go for securing sensitive data in the age of AI. Since then, they’ve acquired SlashNext (email security) and AllTrue.ai (AI security). The latter which has led to their recent Atlas product which covers the most pressing AI security areas:

• shadow AI discovery

• posture management

• pen testing

• runtime guardrails

• compliance reporting

• third-party AI risk management

Big W and quick execution by Varonis on this. Here’s a video of Atlas in action:

Endpoint Security

Bold Security Exits Stealth with $40M for Edge AI Endpoint Protection

Bold Security emerged from stealth with $40 million from Bessemer Venture Partners, Picture Capital, and Red Dot Capital Partners. Bold runs small language models on endpoints rather than in the cloud, turning devices into local AI agents that monitor user behavior and AI tool interactions.

The edge-first approach sidesteps the latency, cost, and privacy concerns of cloud-based AI security. Cool.

More Endpoint Security news ⬇️

• Huntress adds tools to its Agentic Security Platform to detect, fix, and prevent endpoint and identity risks

• Cato Networks rolls out Neural Edge and AI Security to protect enterprise AI workloads

Governance, Risk, and Compliance

Knox Systems Raises $25M to Accelerate 90-Day FedRAMP Authorization

Knox Systems raised $25 million in Series A funding led by B Capital, with participation from M12 (Microsoft’s venture fund), Okta Ventures, MongoDB Ventures, Hearst Ventures, and previous investors Felicis and Ridgeline.

Knox operates the largest multi-cloud federal boundary across AWS, Azure, and GCP, and claims to deliver FedRAMP authorization in 90 days at 90% lower cost than the traditional process. FedRAMP is the final boss of compliance frameworks.

With fewer than 500 FedRAMP-authorized SaaS apps available to the US government commercially, the bottleneck is real and also means that fed services may not be getting the best of breed.

Security Operations

Tracebit Raises $20M to Scale Cloud-Native Deception Technology

Tracebit closed a $20 million Series A led by FirstMark, with Accel, MMC Ventures, Tapestry VC, and CCL participating, bringing total funding to $25 million. Tracebit deploys canaries (decoy assets) across AWS, Azure, Kubernetes, CI/CD pipelines, and identity providers to detect post-breach lateral movement.

Deception is one of the highest-signal detection methods available, because canaries have a near-zero legitimate-touch rate; if something interacts with them, it’s an attacker, insider threat or a disoriented employee/intern. Most teams don’t have the bandwidth to deploy and monitor canaries. Seems like Tracebit is tackling that problem. Cool.

Vulnerability Management

NinjaOne Adds AI-Driven Vulnerability Management to Its Endpoint Platform

NinjaOne launched NinjaOne Vulnerability Management, built natively into its unified endpoint management platform. The offering uses AI to identify vulnerabilities.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

How Snyk Deploys AI Agents to Catch What Legacy Email Defenses Miss

Email threats are evolving faster than legacy defenses can keep up. Join Snyk and Sublime Security for a live webinar to see how Sublime’s AI agents detect, investigate, and stop attacks in minutes. See how Snyk uses Sublime’s Autonomous Detection Engineer (ADÉ) and Autonomous Security Analyst (ASA) to analyze missed threats, generate detections, and deploy new coverage at attacker speed.

Register

Howdy 👋 - hope you’re having a stellar week. If you’re on the GTM side then you’re probably under the gun headed into RSAC and if you’re on the hands-on keyboard or leadership side of security… well then, you’re always under the gun. That said, make sure you’re touching grass + making time for yourself and family!

Before diving into anything security-related, I wanted to give a shout out to the Dominican Republic baseball team who is 4-0 in the World Baseball Classic and absolutely crushing it this year.

This is also a good opportunity to announce that I’ll be giving my first technical talk in 3 years in Dominican Republic later this month at HackConRD 🇩🇴. The talk is titled “Your detections are only as good as your data, aqui te enseño como resolver eso”… think Monad x MSFT Sentinel in Spanish. TCP is also sponsoring the con. More on that in coming weeks :)

Cool. Next personal note, I’ll be at BSidesSF/RSAC and it’s shaping out to be a super stacked week. If you’ll be in town and wanna meet, shoot me a DM here or on LIN ☕

I also highly recommend registering for our happy hour with our friends, Scanner.dev and coming to The Morning Burn workout at Orangetheory 🍊🔥 with our friends at Oso Security and Surf.ai… We may have a few surprises in store.

One more thing before news. We all know that traditional AppSec can’t keep up with AI code velocity and a structural shift is needed. Yes, better scanning + prioritization, but also moving security to where the most significant chokepoint for security is, and that’s at the design + architectural phase. Product security isn’t new but it’s mostly been IoT/OT companies who have adopted it up until recent years. I recently did a deep dive on this space and came away impressed by a vendor (Clover Security) who is tackling this in a such an eloquent fashion. Highly recommend carving time out to read here if you touch ProdSec or AppSec in any capacity.

Now, for the news!

TL;DR 🗞️

• 🩺 Iran-Linked Wiper Attack Devastates Stryker — Handala claims 200K+ systems wiped, 50TB exfiltrated from the $22.6B medtech giant across 79 countries.

• 🐔 When the Code Generator Is Also the Code Auditor — OpenAI + Claude double down on code scanning but who watches the henhouse?

• 📐 The AppSec Model Was Built for a World That’s Disappearing — Our deep dive on why security needs to shift to the design and architecture phase

• 🎯 What Actually Separates Effective CISOs — Lenny Zeltser and Aimee Cardwell on tenure, trust, burnout, and why most CISOs advise when they should act.

• 🎙️ [un]prompted Con Now Lives in NotebookLM — Every talk and slide deck from the AI security conference, searchable and podcast-ready.

• 🏗️ Mandia’s Armadin Raises Record $189.9M — Largest seed/Series A in cybersecurity history for AI-driven attack simulation.

• 📊 Scanner Raises $22M Series A Led by Sequoia — Super fast search across years of log data in object storage; AI agents now its most active users.

• ⚔️ AI as Tradecraft: How Threat Actors Operationalize AI — Microsoft breaks down how adversaries are integrating AI into real-world attack operations.

• 🛡️ Governing MCP Servers with an AI Gateway in Azure — Hands-on lab for security engineers locking down MCP server access in Azure.

• ⚡ Kai Emerges with $125M for Agentic Security — Claroty co-founder’s new play to unify IT and OT security ops at machine speed.

• 🔇 Jazz Exits Stealth with $61M — AI-powered DLP that understands intent and context; cut one customer’s daily alerts to 10.

• 🔒 Nir Zuk Launches Cylake with $45M — Palo Alto Networks founder builds AI-native security for orgs that can’t touch public cloud.

• 🤖 Onyx Security Launches with $40M — Builds a secure control plane to govern autonomous AI agents across the enterprise.

• 🩹 Reclaim Security Raises $20M for Agentic Remediation — Hexadite founder’s new startup simulates business impact before deploying automated fixes.

• 🧪 Escape Raises $18M to Replace Manual Pentesting — Automates offensive security lifecycle with AI agents

• 🤖 OpenAI to Acquire Promptfoo — AI security testing startup ($23.6M raised) gets absorbed into OpenAI Frontier platform.

• 🔗 OX Security Launches Agentic Pentester — Continuous attack simulation that traces validated exploits back to the exact repo, file, and commit.

⚒️ Picks of the Week ⚒️

Stryker Hit by Devastating Iran-Linked Wiper Attack

Iran-linked hacktivist group Handala claims to have wiped over 200,000 servers, mobile devices, and systems and exfiltrated 50TB of data from medtech giant Stryker ($22.6B in 2024 sales, 56,000 employees), forcing offices across 79 countries to shut down 🤯. The group said the attack was retaliation for a U.S. missile strike on an Iranian school that killed more than 175 people, most of them children.

According to Krebs on Security, the attackers appear to have weaponized Microsoft Intune, Stryker’s own mobile device management platform, to issue mass remote wipe commands against enrolled devices. Employees in the U.S., Ireland, Australia, and India reported corporate laptops and personal phones wiped without warning, login pages defaced with Handala’s logo, and entire offices reverting to pen and paper. Staff with personal devices enrolled for work access lost personal data too.

Palo Alto Networks links Handala to Void Manticore, an actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The group surfaced in late 2023 and has previously targeted Israeli civilian infrastructure and Gulf energy companies.

Stryker confirmed the attack in an SEC 8-K filing, acknowledging a global disruption to its Microsoft environment. The company says there is no indication of ransomware and believes the incident is contained, but has no timeline for full restoration.

This is a gut punch for healthcare. Stryker makes surgical equipment, joint replacements, defibrillators, and hospital beds used in operating rooms worldwide. When their systems go dark, hospitals are waiting for equipment and patients are waiting for care. I worked at Johnson&Johnson securing similar medical equipment. This is an absolute nightmare for everyone involved.

The Intune vector is particularly brutal: turning an orgs own management infrastructure into the weapon is the kind of move that should have every IT team auditing MDM admin access and conditional access policies this week.

Dig Deeper: Krebs on Security | Infosecurity Magazine | TechCrunch

Enforce Security Where Work Actually Happens

Keep Aware delivers Browser Detection and Response (BDR) to secure modern work where it actually happens—the browser. Monitor and govern GenAI usage, prevent sensitive data loss with browser-native DLP, and control extension risk before it becomes compromised. By analyzing real browser behavior, Keep Aware stops phishing, credential theft, and risky actions at the point of click, shifting security from reactive alerts to real-time prevention.

Prevent Browser Threats in Real Time

When the Code Generator Is Also the Code Auditor

Both Anthropic and OpenAI now ship SAST tooling: Claude Code Security scans for vulns using data flow context across files, while OpenAI’s Codex Security scanned 1.2M commits in its beta and flagged 792 critical and 10,561 high-severity findings across open-source projects including OpenSSH, GnuTLS, and Chromium. Mozilla is already using Claude to improve Firefox’s security posture.

The results are impressive, but there’s an uncomfortable question nobody is asking loudly enough: when the same model that generates your code is also the one reviewing it, who’s actually watching the henhouse?

Estimated cost sits around $15-25 per PR review, which i’d imagine matches up to what a SAST vendors charges when annualized. But consider the loop: an AI writes code, the same vendor’s AI reviews it, finds some issues, fixes them, and signs off.

I’m not saying they would intentionally do this, but a model is structurally unlikely to catch its own blind spots, and “we found and fixed the bugs our own tool introduced” is not the independent assurance most security programs are built on.

My friend James Wickett at DryRun Security actually just launched a report that derives real-world evidence on this exact topic. Worth checking out here.

$235M for the Founders Who Built Mandiant and Palo Alto

Two of the most consequential founders in security history officially came off the bench in the same week (although we covered Mandia’s moves nearly 2 months ago). Kevin Mandia (who sold Mandiant to Google for $5.4B) raised a cybersecurity-record $189.9M in combined seed and Series A for Armadin, an AI-driven attack simulation platform. Accel led, with GV, Kleiner Perkins, Menlo Ventures, In-Q-Tel, 8VC, and Ballistic Ventures participating. Armadin uses AI agents to model real adversary behavior across cloud, identity, and network infrastructure, producing validated attack paths instead of theoretical vuln scores.

Meanwhile, Nir Zuk (founder of Palo Alto Networks, CTO for 20+ years) launched Cylake with $45M in seed funding led by Greylock. Co-founded with Wilson Xu (former Palo Alto EVP of Engineering) and Udi Shamir (co-founder of SentinelOne), Cylake is building an AI-native security platform designed to run entirely on-prem or in private cloud for organizations that can’t touch the public cloud. Product availability is expected early 2027.

Combined, that’s $235M in seed/Series A capital behind two founders who already built category-defining companies. That’s a fair amount of funding to build great teams + product. As always, it comes down to execution and these two are masters at that.

Dig Deeper: Armadin Raises $189.9M | Cylake Launches with $45M | Greylock: Introducing Cylake

CISO Takes: What Separates Effective CISOs From the Rest

Two reads this week worth your time: Lenny Zeltser (former CISO at Axonius) distills six years of security leadership into a four-point framework, and SecurityWeek profiles Aimee Cardwell (former CISO at UnitedHealth Group, now CISO in Residence at Transcend) on the realities of running security at scale.

• Attack surface reduction is the only way off the hamster wheel. Decommission unused SaaS, deactivate stale accounts, kill unnecessary systems. This lowers security costs and frees budget for strategic work.

• Average CISO tenure is 3 years. Most leave before their foundational investments in identity architecture, attack surface reduction, and product security actually compound.

• The defender’s advantage is terrain knowledge, not tools. Years in the role build understanding of which systems are truly critical, which vendors are real partners, and which risks the org has consciously accepted. No onboarding replicates that.

• Burnout is a leadership problem, not a personal one. Cardwell gave her team “Flex Fridays” after major incidents. The result: measurable reduction in team burnout. People who feel seen stay longer and perform better.

• Shadow AI is an attack surface problem disguised as a productivity problem. Cardwell’s approach: make the secure path the path of least resistance. If approved tools are harder to use than unapproved ones, you’ve already lost.

Dig Deeper: Zeltser: CISO Leadership Lessons | SecurityWeek: CISO Conversations with Aimee Cardwell

Scanner Raises $22M Series A Led by Sequoia Capital

Our friends and continuing sponsor of TCP have raised a $22M Series A led by Sequoia for reimagining how security teams search log data at scale. Scanner gives you blazing fast search across years of logs stored in object storage, without the SIEM-tier price tag. Their product is a game changer on many levels incl. DE, IR, hunting, and teams like Notion are building homegrown AI triage agents on top of it. Super cool.

This is one of my favorite products in SecOps right now, and the team behind it is just as sharp. Congrats to Cliff, Alex, and the Scanner crew. Well deserved.

Zero Day Clock: The Exploitation Window is Collapsing to Zero

A new project called Zero Day Clock is tracking something every security team should internalize: the median time-to-exploit has collapsed from 771 days to just 6.36 days in five years, with nearly 40% of exploited flaws now weaponized before disclosure and over 44% exploited within 24 hours.

The site tracks TTE across 83,000+ CVEs from 10 sources including CISA KEV, ExploitDB, and Metasploit. The project maps milestones as TTE crosses thresholds: the 1-year mark was hit around 2021, 1 month around 2025, and 1 week in 2026, with 1-day and 1-hour marks projected for later this year and 1 minute by 2028.

When a vendor releases a patch, AI can now reverse-engineer it and generate a working exploit in minutes, but organizations still need an average of 20 days to test and deploy that same patch. Prioritization + attack surface reduction are the name of the game.

🎙️ [un]prompted Con Now Lives in NotebookLM

Every talk transcript and slide deck from the AI security conference has been loaded into Google’s NotebookLM, letting you chat with the full conference content, generate podcasts on any topic, or brief your team without rewatching hours of sessions. Brainchild of Rob T. Lee and one of the better examples of what an AI-native conference experience looks like after the event ends.

🔮 The Future of Security 🔮

AI Security

OpenAI to Acquire Promptfoo, to Bolster AI App Testing

OpenAI is acquiring Promptfoo, an open-source AI security evaluation platform that had raised $23.6M from Insight Partners and Andreessen Horowitz. Promptfoo’s tooling covers prompt injection, data leakage, jailbreak detection, and red-team simulations.

OpenAI buying its own testing layer signals that LLM security tooling is shifting from ecosystem play to platform feature.

More AI Security news ⬇️

• AI Hands-On Lab for the Security Engineer #2: Governing MCP Servers with an AI Gateway in Azure

• AI as Tradecraft: How Threat Actors Operationalize AI - Microsoft

• Onyx Security launches operations with $40 million funding round

Browser Security

Push Security Adds Malicious Extension Detection, ClickFix Blocking

Push Security shipped malicious browser extension detection powered by its own threat research and public threat intel feeds, with options to auto-warn or block users and enforce extension allowlists/blocklists. Browser-native security keeps getting more relevant as identity and SaaS attacks shift into the browser.

Data Security

Jazz Exits Stealth with $61M for AI-Powered DLP
Jazz emerged from stealth with $61 million in combined seed and Series A led by Glilot Capital Partners and Team8. AI-native DLP.

More Data Security news ⬇️

• Data Security Firm Evervault Raises $25 Million in Series B Funding

Fraud Prevention

Darwinium Launches Agent Intent Intelligence

There’s an interesting shift taking place in agentic payments and commerce (think: sendmy agent to buy me the best fitness supps based on my Dr,’s recs). I hadn’t previously dug into this space before so it was certainly interesting to me.Security Operations

IoT/OT Security

Kai Emerges from Stealth with $125M

Kai launched with $125 million led by Evolution Equity Partners, building an agentic platform for IoT/OT. Co-founded by Claroty co-founder Galina Antova.

More IoT/OT Security news ⬇️

• Augur lands $15 million funding to strengthen critical infrastructure security

Offensive Security

OX Security Launches Agentic Pentester That Maps Exploits to Source Code

OX Security (founded by former Check Point execs) launched an agentic pentester that runs continuous attack simulations and traces each validated exploit back to the exact repo, file, and commit responsible. The pitch: other pentest tools stop at findings, OX maps the fix path to source code so AppSec and engineering aren’t just staring at another backlog.

More OffSec news ⬇️

• Escape Raises $18 Million to Automate Pentesting

Vulnerability Management

Reclaim Security Raises $20M to Close the Remediation Gap

Reclaim Security raised $20M in Series A led by Acrew Capital ($26M total) to build an autonomous remediation platform that simulates business impact before deploying fixes.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

A Personal Note

Every now and again I come across a security vendor doing genuinely innovative and differentiated work. A breath of fresh air in a space full of copy/paste products with different logos.

I vet every TCP sponsor carefully to ensure I only put the best in front of you so if I’m writing a deep dive on a company, know that it’s passed a high bar. Clover Security brought me back to my Product Security days at Johnson & Johnson, where design-phase security reviews and threat modeling weren’t optional best practices, they were FDA and HITRUST requirements. This is a platform that would have made life meaningfully easier back then.

I’m excited to bring you this piece. Let’s get into it.

Executive Summary

The engineering world is undergoing a structural shift. AI coding agents now handle implementation at a pace and volume that human-led security processes were never designed to match. Innovation cycles are compressing. The response from the most forward-thinking engineering orgs isn’t to scan more code faster. It’s to invest in design and architecture rigor, the phase where most risk actually originates.

Clover Security made this bet two years ago. They’ve raised $36M and built a platform of AI agents that embed security into the design phase, where PRDs are written, architecture decisions are made, and threat models should live.

This deep dive covers why the design phase has become the critical gap in most security programs, how Clover’s platform actually works, what their early customer results look like, and where the product is headed as agentic development accelerates.

The Perfect Storm

Two years ago, a senior engineer would split their week between writing code, reviewing code, debugging code, and making architectural decisions. Today, AI coding agents handle the first three. Spotify’s co-CEO said it plainly on their Q4 earnings call. The company’s best developers haven’t written a single line of code since December. That trend is only accelerating.

What’s emerging is a fundamental reprioritization across engineering orgs. The smartest teams are investing in design and architecture rigor, the phase where risk actually enters the system. Innovation cycles are compressing. A feature that took a team two sprints now ships in days. The human role in software development is shifting from writing code to designing systems, choosing infrastructure, and deciding how services interact. The design decisions that determine whether a system is secure are now the most consequential part humans still control.

And this math was broken long before AI code generation entered the picture. Product security engineers are outnumbered by developers 300-to-1 at most technology companies. CrowdStrike’s 2024 State of Application Security Report quantifies the downstream impact. Over half of major code changes don’t undergo full security reviews (50% median, 54% mean). That was before AI-generated code tripled the volume. Jerry Gamblin’s 2025 CVE data review counted 48,185 published vulnerabilities, a 21% jump over 2024, with XSS still the most common class at over 8,000 entries despite decades of tooling investment. FIRST’s 2026 forecast projects that number climbing to roughly 59,000.

Clover Security saw this coming. Founded in 2023, right as the AI coding wave began to take shape, the company raised $36M on the thesis that the entire AppSec model was pointed at the wrong phase of development.

Their bet is that AI agents embedded in design and architecture workflows are the only way to close the gap. Two years in, the market is moving in their direction.

Now they’re building for what the next two years look like.

The Founding Story

Clover’s founding story starts with a big tech engineer and a product leader at two of the largest AppSec vendors in the world, both independently arriving at the same conclusion that scanning code after it’s written was never going to be enough. Then they found each other on X.

Alon Kollmann (CEO) spent 15+ years as an engineer at Microsoft and Google before taking strategic roles at Hysolate and Dazz, the ASPM company acquired by Wiz for roughly $450M.

Or Chen (CPO) spent 8 years in Unit 8200 leading technical cyber operations, then founded a startup acquired by Checkmarx. He rose to VP and built their SCA and API Security offerings from the ground up.

The two found each other the way a lot of good things start in 2022: sliding into each other’s DMs on Twitter. They had arrived at the same conclusion from opposite sides of the security stack, and connected right as ChatGPT launched and the AI coding revolution started to take shape. The timing validated their shared conviction: code generation would be automated, making design the true security chokepoint. They co-founded Clover in 2023.

Clover raised $36M across a seed led by Team8 and a Series A led by Notable Capital, with Team8 and SVCI participating. The angel roster tells the real story: Wiz co-founders Assaf Rappaport and Yinon Costica, Shlomo Kramer (Check Point, Imperva, Cato Networks), Rene Bonvanie (former CMO, Palo Alto Networks), and senior executives from Snyk, CrowdStrike, Atlassian, and Google.

You Can’t Scan Your Way Out of Insecure Design Choices

Every AppSec tool on the market today works the same way, downstream: wait for code to exist, then scan it. SAST, SCA, DAST, ASPM, runtime scanning.

Product Security (ProdSec) operates upstream. Architecture review, threat modeling, design-phase risk assessment. Security baked into how a system is designed, not bolted on after it’s built. If you’ve worked in automotive or medical devices, none of this is new. ProdSec is table stakes in those worlds.

I interned on Ford Motor’s Red Team and spent 2.5 years doing product security for a robotic surgical system at Johnson & Johnson. When you’re threat modeling software that controls a robot performing surgery on a human being, design-phase security reviews are a non-negotiable. The gap is that most pure software companies haven’t adopted this discipline yet, and the ones that have are doing it manually, expensively, and at a coverage rate that never keeps pace with engineering velocity.

In practice, ProdSec means a security engineer sits down with a PRD or architecture doc before a single line of code is written and asks: where are the trust boundaries? What are the data flows? Where could business logic be abused? How does this feature interact with existing services? They map the design against frameworks like OWASP ASVS or STRIDE, identify threats at the architecture level, and write security requirements into the ticket.

Here’s why this matters concretely. A team builds a payments integration where users can link external bank accounts. The code is solid: encrypted connections, proper auth tokens, passes every scan. But the design never accounted for what happens when a user links an account, initiates a transfer, then unlinks the account before settlement completes. The transaction goes through with no account to claw back from. That’s not a vulnerability. It’s a business logic gap that only exists at the design layer, and no scanner on the market catches it.

The problem is that ProdSec requires people who understand both software architecture and threat modeling deeply enough to review designs at speed. Those people are rare. Most orgs either can’t hire them or can’t hire enough of them, which is why even mature security teams end up triaging by risk and only reviewing the highest-priority features manually.

As AI handles more implementation, design is the last human-controlled artifact. If security isn’t embedded there, there’s no checkpoint before code ships. Clover’s bet is that as AI eliminates trivial code-level vulnerabilities, the remaining risk concentrates at the logic and architecture layer.

How It Works

Clover runs eight purpose-built AI agents, each handling a specific security function but all built on the same platform core. Design risk is the guiding principle, but risk can initiate at any point. A review can start from a PRD for a brand new feature just as easily as from code drifting from its original design requirements. The result is a platform that tracks design risk from the first spec through production, and catches drift long after code ships.

The Context Layer

The most differentiated thing I saw in the demo was Clover’s context engine. Two components work together here.

The Memory Agent builds and maintains a living knowledge base of your organization, split across three dimensions. Technical context covers your tech stack, infrastructure components, APIs, and data points. Business memory captures how your org makes decisions, internal glossary, and product relationships. Inferred memory surfaces connections the platform identifies across your environment over time.

The Feature Context Graph maps how a single feature connects to requirements, framework standards, code, and infrastructure. You can drill into the specific standards a feature was reviewed against, see which code repos are linked, and trace from design doc to implementation.

These two components are what make everything below possible. Without organizational context, an AI agent reviewing a design doc is just guessing. With it, the agent knows your tech stack, your policies, your architecture patterns, and how this feature connects to everything else you’ve already built.

Scenario 1. A new feature lands in your project management tool.

Your product team writes a PRD in Notion for a new instant peer-to-peer payments feature. Clover’s Discovery Agent picks it up automatically, identifies it as high-priority based on the financial data flows and regulatory surface involved, and flags it for security review.

The Design Review Agent takes over and runs a security review against your configured frameworks and threat models, whether that’s OWASP ASVS, PCI, STRIDE, or your own internal standards. Because of the context layer, Clover knows this feature interacts with your existing account linking service, handles external bank credentials, and exposes a new transaction initiation path to end users. The review reflects that specificity rather than returning generic findings.

Business logic flaws are a major focus. Or walked me through examples like logic gaps that let attackers siphon funds from a gaming platform, and arbitrage attacks on a prediction market. These are the exact categories of risk that traditional scanners miss because they have no awareness of what the feature is supposed to do, only what the code does.

On the app level, security teams manage risk posture through custom-built security models around applications, architecture, data flows, and risks. Each application view lets security teams tune prioritization sensitivity across three dimensions. Risk, Business Impact, and Depth and Complexity. You can also feed it pentest reports and it incorporates findings into the posture view.

Scenario 2. Code ships that drifts from the original design.

Your design spec requires encryption at rest for all candidate records. A developer (or an AI coding agent) implements the database layer but skips the encryption step.

The Developer Guidance Agent integrates with GitHub, GitLab, and Bitbucket, and compares implemented code against original design specifications and PRDs. It surfaces the drift between what was designed and what was built. Traditional SAST tools see code in isolation. They’d look at this implementation and find no vulnerability pattern, no dependency flaw, no known CVE. Clover sees the intent behind the code.

Scenario 3. Your developers are using Cursor, Codex and Claude Code. Who’s watching?

This is the forward-looking bet. Clover’s MCP Agent provides visibility into AI-generated code, enforces organizational policies for coding agents, and monitors MCP connections across AI-driven development workflows. The Vibe Coding Agent evaluates shadow AI and vibe coding for misconfigurations, excessive permissions, and missing controls.

What makes this tangible rather than theoretical is the Agent Observability dashboard. Clover gives you granular visibility into which LLMs are being used across your environment (Claude 3.5 Sonnet, GPT-4, GPT-4-turbo in this instance), which developers are using them, lines of code written with coding agents over time, how many MCP connections are active, and where the PR blind spots are.

Most security teams today have zero visibility into what AI coding agents are generating across their org. Engineering teams are three steps ahead of security teams on AI coding agent adoption. Clover has built an observability layer that helps make the invisible visible, which models, which developers, how much code, and where the blind spots are

Integrations and Day One Value

Clover hooks into where teams already work.

The platform also functions as a contextual security chatbot within Slack, where teams can ask questions like “What auth method should I use for this service?” and get answers informed by their org’s specific context and policies.

Clover produces actionable security reviews from day one, covering framework checks, threat modeling, and architecture anti-patterns out of the box. As it ingests more documentation and observes how teams build, reviews get sharper and more tailored to your specific environment.

From Stealth to Scale

Most security startups launch publicly, spend heavily on marketing, and grind through 12-month enterprise sales cycles before landing their first logos. Clover did it backwards. They hit millions in ARR before publicly launching. No website, no press, no conference booths. Deals came through CISO networks and word of mouth, which tells you something about how the product landed with the people actually using it.

Neo4j went from 49% to 100% design review coverage. CISO David Fox: “Manual review covered 49% of tickets, but with Clover’s automation we hit 100%.” (Full case study)

Lemonade cut review time from roughly two hours to fifteen minutes. Before Clover, Lemonade triaged reviews by perceived risk because the volume was too high to cover everything. Now they review all documents, not just the ones they think are risky. (Full case study)

Virgin Money, one of the UK’s largest retail banks serving 6.6 million customers, achieved 4x faster design reviews. But the bigger story is what changed qualitatively. Before Clover, reviews depended on individual interpretation across hundreds of policy controls. Now every design is reviewed against the same standard, every time. Head of Security Solutions Gordon Moon: “Clover turns generic threats into design-specific threats so our teams understand what really matters in that system.” (Full case study)

The fact that CISOs at Neo4j, Lemonade, and Virgin Money are willing to go on record with specific metrics at this stage is strong signal for both company direction and product validation. Excited to see how these numbers evolve as deployments scale.

Closing Thoughts

I’ve covered a lot of security startups through TCP. Very few make me stop and rethink how an entire category should work.

Where the bet gets bigger. AI coding agents are already writing production code across thousands of engineering orgs. Most security teams have zero visibility into what those agents are generating, which models they’re using, or whether the output aligns with internal policies. That’s not a future problem.

Clover’s MCP Agent and Vibe Coding Agent are newer than the design review core, but they’re pointed at exactly the right problem. The agent observability dashboard alone is the kind of visibility security leaders will be demanding within 12 months. Clover is building it now.

Who should care. If you’re a CISO or Head of ProdSec at a company with 50+ engineers and you’re still doing design reviews manually (or not doing them at all), Clover should be on your shortlist. If your team is drowning in review requests and triaging by gut because you can’t cover everything, this is built for you.

Product Security as a discipline has historically been locked behind scarce human expertise. The security architects who can review a design doc, run a threat model, and identify business logic flaws before code is written are among the hardest hires in the industry. Most companies either can’t find them or can’t afford enough of them. If Clover’s agents can replicate that thinking at scale, they’re not just building a product. They’re making ProdSec accessible to teams that could never afford to staff it the way it deserves.

Having done this work by hand, I can tell you: this is the platform I wish I’d had.

I've shown you the thesis and where I think things are headed. Let them show you the product.

See Clover in Action

Subscribe now

Share

Intezer recently dropped their 2026 AI SOC Report. A full analysis of 25 million security alerts triaged across live enterprise SOCs in 2025. I read all 35 pages. Here’s what stood out, what it means, and what I think most security teams can take from it.

The math inside most SOCs is broken, and it has been for years. Too many alerts, not enough analysts, and the people in those seats are legit running on fumes. Burnt-out analysts and overworked IR teams don’t just slow down. They miss things. So teams triage aggressively, auto-close the low-severity stuff, and hope nothing slips through.

This has been true for decades. Detection engineers can tune rules and build enrichment playbooks all day, but the volume problem is structural. Industry surveys consistently show that over 60% of alerts are never reviewed. Not by in-house SOC teams. Not by MDRs. They get deprioritized or buried.

Intezer just put a number on what “slips through” actually looks like and the cost of the trade-off that most SOCs make.

The scale of the dataset alone sets this apart:

• 25 million alerts. 10 million monitored endpoints and identities.

• 180 million files analyzed. 7 million IP addresses investigated. 550,000 emails analyzed.

• Over 82,000 endpoint forensic investigations, including live memory scans.

This wasn’t a survey or a simulation. It’s operational data from production SOC environments like NVIDIA, MGM Resorts, and Equifax.

I spent years building detection rules and investigation playbooks, and I work with detection engineers and SOC teams daily at Monad. I know what’s supposed to happen after a rule fires. I also know what actually happens. This report quantifies that gap.

Get the report here

Why I’m Writing About a Vendor Report

Let me be direct. AI SOC is a crowded, noisy market. There are 25+ vendors selling some version of it right now. Most are glorified LLM wrappers that summarize alert metadata and call it “investigation.” If you’re skeptical of the category, you should be.

I’ve watched Intezer’s platform evolve over years. Where most AI SOC tools are pattern-matching on alert metadata and hoping for the best LLM-generated verdict, Intezer is doing actual forensic analysis. Deterministic, not probabilistic. Every verdict is fully auditable. And the analysis goes to forensic depth: live memory scans, genetic code analysis, actual endpoint investigation.

The framing matters too. Intezer isn’t selling “replace your analysts.” They’re selling “cover the 60% that was never getting covered.” That’s a fundamentally different value proposition.

But the report itself earned this writeup on its own merits. It’s genuinely educational in a way that leads me to recommend it to anyone from Jr.-level operators to CISOs. Take the section on plaintext password alerts (p.20). They don’t just flag “we found unencrypted credentials on the wire” and move on. They trace it to directory services still running unencrypted LDAP, transmitting credentials in cleartext because nobody configured LDAPS or StartTLS. That level of precision tells you the people who wrote this have actually done the work. It’s a great refresher or learning track for pretty much any level.

And it puts numbers behind things practitioners have said for years but could hardly prove. “Most impossible travel alerts are false positives.” “Low-sev alerts are hiding real threats.” “EDRs aren’t as reliable as we think.” Now there are receipts.

The Math Nobody Wanted to See

Of everything in this report, this is the finding I keep coming back to.

Nearly 1% of low-severity and informational alerts turned out to be real threats

That sounds small until you do the math. The average enterprise generates around 450,000 alerts per year. Over 60% never get reviewed. At that scale, 1% of low-severity alerts being real means roughly 54 genuine threats per year that nobody investigates. That’s about one per week (!!)

On endpoints it’s worse. 2% of low-severity endpoint alerts were confirmed incidents. Active, real, and invisible to the teams responsible for catching them.

Intezer ran over 82,000 forensic scans on endpoints throughout the year, including live memory analysis. In 1.6% of those scans, the endpoint was still actively compromised even though the EDR had reported the threat as mitigated. The EDR closed the case. The analyst moved on. The attacker was still there.

And over half of all endpoint alerts were never automatically mitigated by endpoint protection in the first place. Of those non-mitigated alerts, roughly 9% were confirmed malicious.

There could be legitimate explanations. Vendor quirks, timing issues, partial remediation. But the operational reality doesn’t change: if you’re trusting your EDR’s “mitigated” status without verification, you have a blind spot.

As someone who built detection rules and playbooks that generate these exact alert types, I know the gap between the intended workflow and what actually happens. The detection fires, the alert enters the queue, and the math takes over. Low-severity stuff gets deprioritized or auto-closed.

That’s the real value of AI-driven triage. Not replacing analysts. Doing forensic-grade analysis on the alerts that were going to be ignored anyway. Finding the threats that may slip through.

Where Attacks Are Actually Evolving

Three patterns jumped out from the threat data. None of them are what most vendors are selling against.

Phishing Doesn’t Need Your Endpoint Anymore

Intezer analyzed 550,000 user-reported phishing emails. Less than 8% were confirmed malicious. But look at how those malicious emails actually breakdown: less than 6% carried an attachment. Around 30% relied on a link.

The attack surface has moved. Endpoints and inboxes are well-defended, and attackers know it. So they’re keeping the entire kill chain inside the browser, where most security stacks have minimal visibility.

Intezer found platforms like Vercel, CodePen, JSitor, and JSBin hosting live credential-harvesting pages on trusted domains. Phishing sites impersonating crypto wallets and exchanges, asking victims for recovery phrases. Legitimate developer infrastructure being used as disposable phishing hosting. Most threat intel feeds won’t flag these domains because the domains themselves aren’t malicious.

Microsoft was the most impersonated brand, representing nearly a third of all phishing URLs. Microsoft and DocuSign together accounted for almost 85% of brand impersonation. Brand impersonation was the top phishing technique at 28.7%, with callback scams right behind at 25.3%.

Attackers are also increasingly gating phishing pages behind Cloudflare’s Turnstile CAPTCHA. The majority of URLs using Google reCAPTCHA were safe. That ratio completely flipped for Cloudflare Turnstile. Attackers are using CAPTCHAs not to stop bots, but to stop security scanners from seeing what’s behind the page.

Identity Is Drowning in Noise

Location and geo anomalies made up over 36% of all identity alerts. Login failures accounted for 22%. But 74.1% of login verdicts were classified as likely benign. The “impossible travel” alerts that flood every SOC queue? Only about 2% were confirmed real compromises.

Roughly 30% of those alerts were caused by VPN activity. Mobile phones routing through distant data centers and overlapping security tools triggering alerts against each other accounted for most of the rest. The identity layer has become the highest-noise signal source in the SOC, and separating real compromise from normal variability at scale is one of the hardest unsolved problems in the space. I imagine this problem gets worse with the explosion of Non-Human Identities (NHI).

Cloud Attackers Are Playing the Long Game

Defense evasion and persistence dominated cloud TTPs. Attackers are getting in (usually through identity) and sitting quietly. Token manipulation, obfuscation, abuse of legitimate cloud features etc. The goal is long-term access + recon, not immediate impact.

S3 accounted for roughly 70% of all AWS control violations. Buckets still using ACLs instead of IAM policies, missing server access logging, overly permissive cross-account policies.

I spent years at Accenture and Datadog building the CSPM rules that flag these exact misconfigurations. The fact that they’re still this prevalent in 2026 tells you everything you need to know.

What to Actually Do About It

Invest in making your team AI-fluent, and seriously evaluate AI SOC platforms. LLMs are great for log analysis, triage assistance, detection rule development, playbook drafting. But for alert triage, the build vs. buy math almost never favors build. Reviewing every alert across every tool, investigating regardless of the original verdict, at forensic depth (live memory scans, genetic code analysis, full auditability)? That’s years of engineering, not a side project. The teams that figure out how to pair human judgment with AI speed at that level are the ones that will actually close the coverage gaps this report quantifies.

Stop trusting your tooling’s verdicts blindly. Real threats are hiding in low-severity alerts and EDRs are reporting “mitigated” while endpoints remain compromised. If your team can’t cover the full alert volume manually, that’s a strong case for AI-augmented triage.

Reassess your phishing defense model for browser-based attacks. The attack surface has shifted from attachments to links, from endpoints to browsers. If your phishing defense stack is primarily focused on catching malicious files, you’re defending last year’s battlefield. The code sandbox abuse and callback scam patterns in this report deserve your immediate attention.

Audit your cloud posture against what you’re actually running, not what the docs say. S3 misconfigs aren’t news. But 70% of all AWS violations concentrating there suggests most organizations still haven’t done the unglamorous work of cleaning up notoriously bad configurations.

The Full Report

I don’t say this often about vendor reports: go read the whole thing here. It’s 35 pages, it’s technical, and it respects your intelligence.

If you’re a CISO, send it to your SOC lead. If you’re a SOC lead, send it to your analysts. If you build detections, you’ll find data in here that validates half the arguments you’ve been losing in meetings.

Get the full report

Subscribe now

Share

What 5M Apps Revealed About Secrets in JavaScript

Leaked API keys aren’t unusual anymore. Neither are the breaches that follow. So why are sensitive tokens still being exposed so easily? To find out, Intruder’s security team built a new method for detecting secrets and scanned 5M applications. The results were staggering: over 42K exposed tokens spanning 334 secret types, hidden inside JS bundles. We break down why traditional scanning misses them and how to close the gap.

Read the research

Want to sponsor the TCP newsletter? Learn more here.

Howdy 👋 - hope you’re having a stellar week. It’s been quite the past few days here in Austin and across the globe. I don’t like politics (or politicians) and I also don’t like where things are headed from a geopolitical standpoint.

That said, we’re about 3 weeks out from BSides/RSAC and we’ve got a ton to cover on this week’s TCP… including a fair dose of war stuff.

Before we dive in, will you be at RSAC? If so, come hang out at one of the events I’m hosting:

• Monday kickback at Fang Restaurant w/ Scanner and Monad (RSVP Here)

• The Morning Burn🔥 workout at OrangeTheory on Wednesday AM w/ Surf.ai, Oso Security, Monad, and TCP (RSVP Here)

Now, let’s get into some fun.

TL;DR 🗞️

• 🏆 CrowdStrike Q4/FY26 Earnings - $5.25B ending ARR (up 24%), net new ARR hit $331M (up 47%), now selling Falcon on Microsoft Marketplace

• 🌍 Iran War Cyberfront - Iranian strikes hit AWS data centers in UAE/Bahrain; APTs ramping up; Polymarket saw $529M in suspect trading on strike timing

• 🤖 Pentagon vs. Anthropic Standoff - Anthropic refused DoW surveillance demands, got designated a supply chain risk; OpenAI swooped in; ChatGPT uninstalls spiked 295%

• 💀 Claude Code Abused in Mexico Breach - Attackers jailbroke Claude Code to exfiltrate 150GB from 10 Mexican government agencies, exposing 195M identities

• 🔧 Scanner’s AI SOC Agent Guide - Two-part series on building autonomous triage agents in AWS

• 🔑 AWS IAM Controls for Managed MCP Servers - Two new context keys differentiate human vs. AI-initiated API calls; VPC endpoint support coming

• ⚠️ hackerbot-claw Exploiting GitHub Actions - AI-powered bot hit Microsoft, DataDog, CNCF repos; achieved RCE in 4 of 7 targets using 5 different techniques

• 🛡️ Microsoft AI Threat Modeling Framework - New guide covering prompt injection, privilege escalation via tool chaining, and agentic system risks

• 🔒 Gambit Security Exits Stealth With $61M - Spark Capital, Kleiner Perkins, Cyberstarts; AI-native resilience platform; broke the Claude Code/Mexico research

• 📊 Fig Security Launches With $38M - Team8 and Ten Eleven backed; validates detection flows across SIEM, SOAR, and AI SOC tooling

• 💰 JetStream Security Raises $34M Seed - Redpoint-led round with CrowdStrike Falcon Fund; governance and guardrails for enterprise agentic AI

• 💳 Prophet Security Gets Amex & Citi Ventures Backing - Strategic investment to scale agentic AI SOC

⚒️ Picks of the Week ⚒️

$5.25B ARR. $1.5B on AWS. Now Selling on Microsoft Marketplace. CrowdStrike Had a Year.

CrowdStrike closed FY26 with a massive Q4 that beat on every guided metric. $5.25B in ending ARR (up 24% YoY), making it the fastest and only pure-play cyber software company to cross the $5B mark. For context, Palo Alto Networks reported NGS ARR of $6.3B last quarter and is guiding to nearly $8B next quarter, but that includes CyberArk and Chronosphere acquisition revenue and PANW isn’t pure-play software. Net new ARR hit $331M in Q4 (up 47% YoY), the third consecutive quarter of acceleration, and full-year net new ARR crossed $1B for the first time. The stock dropped 4.12% after hours, because stonks.

Falcon Flex is a Monster

Falcon Flex is CrowdStrike’s consumption-based subscription model. Instead of buying modules a la carte, customers commit to a single contract with access to the full platform and turn on modules as needed, no new procurement cycle required. When a Flex customer activates additional modules (a “reflex”), ARR goes up automatically. Zero friction, no new sales cycle. It’s CrowdStrike’s answer to platform consolidation, and the numbers look good. Flex ARR reached $1.69B (up 120%+ YoY), now across 1,600+ customers.

The Microsoft Marketplace Deal is the Real Story

Microsoft Defender for Endpoint is CrowdStrike’s most direct competitor. And now Falcon is purchasable on Microsoft Marketplace using Azure consumption commitment dollars. Kurtz and Satya Nadella jointly addressed CrowdStrike’s go-to-market team. Kurtz called it “a watershed moment reflecting a clear evolution of how our companies see each other.” On the AWS side, CrowdStrike transacted nearly $1.5B in total contract value on AWS Marketplace this year🤯. The hyperscaler distribution moat is bananas.

Growth highlights:

• Cloud security ARR $800M+ (up 35%+), next-gen SIEM $585M+ (up 75%+), identity $520M+ (up 34%+)

• FY27 ARR guidance: $6.47B-$6.52B

Another strong quarter of execution for . No surprise there. This comes on the backdrop of Wall St. panicking thinking Claude Code Sec would replace all of security but that couldn’t be further from the truth. The publicly traded platform players like CRWD, and have massive moats even in the AI era.

Your SIEM sees 1%. Scanner sees what it can’t.

Scanner is a radically different way to detect threats in security data. Most teams send 95% of logs to S3 to manage SIEM costs, leaving that data unsearchable. Scanner indexes logs directly in S3, making years of data searchable in seconds with detections running continuously.

Costs are 5-10x lower than a traditional SIEM. AI agents are our most prolific users, investigating alerts around the clock. Teams at Notion, Ramp, and Benchling rely on Scanner as their core security data layer.

See How Scanner Is Different

The Iran War’s Cyberfront: Drones Hit AWS, APTs Target Allies, and Prediction Markets

The U.S. and Israel struck Iran, killed Supreme Leader Khamenei, and the cyber and tech fallout has been relentless. Here’s what we’ve been tracking on our end.

Drones hit the cloud. Literally. Iranian retaliatory strikes directly hit two AWS data centers in the UAE and damaged a third in Bahrain. Structural damage, power failures, and fire suppression water damage cascaded into outages across dozens of AWS services, knocking banking apps, payments platforms, and Snowflake offline. AWS is now telling customers to migrate workloads out of the Middle East entirely. First time a major cloud provider has taken kinetic military damage.

Iran’s APTs have also ramped up. Zscaler ThreatLabz caught Iran-nexus group Dust Specter targeting Iraqi government officials with four previously undocumented malware families, using compromised government infra as delivery mechanisms.

Prediction markets reek of rigging. Polymarket saw $529M traded on contracts tied to Iran strike timing. Bubblemaps flagged six fresh accounts that netted $1M by correctly betting the U.S. would strike by Feb 28. That’s either very lucky or very informed 🤷🏽‍♂️

The Pentagon vs. Anthropic Standoff

Quick catch-up if you missed the biggest AI policy fight of the year. The Department of War (Pentagon’s Trump-era rebrand) demanded AI companies allow their models for “all lawful purposes,” including mass domestic surveillance and fully autonomous weapons. Anthropic refused both. The government hit back hard: Trump ordered all federal agencies to phase out Anthropic products within six months, and Secretary of Defense Hegseth moved to designate the company a “supply chain risk,” a label normally reserved for Chinese firms.

OpenAI swooped in with its own Pentagon deal hours later. Sam Altman claimed it included the same surveillance and autonomous weapons guardrails Anthropic fought for, then later admitted the timing “looked opportunistic.” He has since amended the contract to explicitly ban domestic mass surveillance of U.S. persons and says NSA access would require a separate contract modification. More than 60 OpenAI employees and 300 Google employees signed an open letter supporting Anthropic’s position.

Consumer backlash was swift: ChatGPT uninstalls spiked 295%, 1-star reviews jumped 775%, and Claude hit #1 on the App Store with downloads surpassing ChatGPT for the first time, per Sensor Tower and Appfigures data.

Claude Code Abused to Steal 150GB From Mexican Government Agencies

Attackers jailbroke Anthropic’s Claude Code and used it for roughly a month to build exploits, create custom tools, and exfiltrate 150GB of data from 10 Mexican government agencies and a financial institution, exposing an estimated 195 million identities. Targets included the federal tax authority, the electoral institute, state governments, and Monterrey’s water utility.

How do you even defend against this in your threat model? I imagine the Mexican govt. was on a proper enterprise tenant w/ “don’t train on our data” and other security configs/policies in place. #DumpsterFire

Scanner’s Guide to Building Your First AI SOC Agents

Scanner published a two-part technical series on building autonomous SOC agents. Part 1 (January) covers the foundations: hypothesis-driven triage, a graduated trust model (read-only for investigation, staging for response, never autonomous response actions), and working code for a triage agent using MCP integrations with Scanner, VirusTotal, CrowdStrike, and Wiz. Key finding from their testing: an LLM alone hit 71% accuracy on alert triage with brutal false positive rates. Paired with their Socdown framework, it reached 78% with zero false malicious calls.

Part 2 dropped last week and tackles production deployment on AWS: Lambda for per-alert triage (~$5/month compute for hundreds of daily alerts), ECS Fargate for scheduled threat hunts pulling from CISA KEV, ThreatFox, and Feodo Tracker IOCs.

This is a solid behind the scenes look of what it takes to roll your own AI-triage agent. The graduated trust model is a great barometer for evaluating and deploying AI SOC tools in production. Worth a read!

hackerbot-claw: AI-Powered Bot Actively Exploiting GitHub Actions

An autonomous bot called hackerbot-claw, self-described as powered by Claude Opus, spent a week systematically exploiting GitHub Actions workflows across repos belonging to Microsoft, DataDog, CNCF, and popular open source projects including awesome-go (140k+ stars) and Trivy. It achieved arbitrary code execution in at least 4 of 7 targets using 5 different exploitation techniques, and successfully exfiltrated a GITHUB_TOKEN with write permissions from awesome-go. The bot runs a vulnerability pattern index covering 9 classes and 47 sub-patterns, scanning repos continuously and dropping proof-of-concept exploits autonomously.

The most damaging attack exploited the classic pull_request_target misconfig where workflows that run with the target repo’s elevated permissions but check out untrusted fork code. We’re now in the era of AI agents attacking CI/CD pipelines at scale. If your workflows use pull_request_target with untrusted checkouts, assume you’re already being scanned. Step Security has a very solid product. Worth checking out from a software supply chain security perspective.

🔮 The Future of Security 🔮

AI Security

Microsoft Publishes Threat Modeling Framework for AI Applications

Microsoft released a detailed guide for threat modeling AI and agentic systems, arguing that traditional approaches built for deterministic software don’t map to probabilistic, instruction-following models.

The framework covers prompt injection, privilege escalation through tool chaining, silent data exfiltration, and the compounding risk of agentic systems that invoke APIs and persist state autonomously. Microsoft also flags human-centered risks like overreliance on confident but wrong outputs as first-class concerns alongside technical failures.

JetStream Security Raises $34M Seed to Build Guardrails for Agentic AI

JetStream Security raised a $34M seed led by Redpoint Ventures with CrowdStrike’s Falcon Fund participating. The company is building governance and controls for enterprise AI deployments: policy enforcement, activity monitoring, and guardrails around how AI agents interact with systems and data. Think visibility and leakage prevention for agentic AI at scale.

Business Continuity & Disaster Recovery

Gambit Security Emerges From Stealth With $61M to Fix Enterprise Resilience

Gambit Security exited stealth with $61M in combined seed and Series A from Spark Capital, Kleiner Perkins, and Cyberstarts, raised in under 12 months.

The platform connects across environments, security tools, and backup infrastructure to map whether recovery plans actually hold up. They don’t compete with Rubrik or Veeam directly; it sits above the backup layer as a validation plane. Having backups ≠ being recoverable is the core thesis. Gambit is also the firm behind the Claude Code/Mexico government research.

Identity & Access Management

AWS Publishes IAM Controls for Managed MCP Servers

AWS released guidance on using IAM to govern AI agent access through its managed Model Context Protocol (MCP) servers. Two new standardized context keys, aws:ViaAWSMCPService and aws:CalledViaAWSMCP, let security teams differentiate between human-initiated and AI-initiated API calls, enabling fine-grained policies like allowing agents to read S3 buckets but denying deletes.

AWS is also simplifying the auth model to work like the CLI and SDKs (no more separate MCP-specific IAM actions), with VPC endpoint support coming for organizations that need private network controls.

Security Operations

Fig Security Launches With $38M to Validate SecOps Detection Flows

Fig Security emerged from stealth with $38M in combined seed and Series A funding from Team8 Capital and Ten Eleven Ventures, with backing from former Splunk CEO Doug Merritt and the founders of Demisto and Siemplify.

The platform maps and validates end-to-end detection and response flows across SIEM, SOAR, data lakes, and AI SOC tooling, flagging when misconfigs, pipeline failures, or integration drift break detection coverage.

More SecOps news ⬇️

• Prophet Security accelerating the Agentic AI SOC Movement with Amex Ventures and Citi Ventures

• Post-Exploitation at Scale: The Rise of AILM

• Introducing the Next Evolution of Cortex

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

AI Agent Security: The Blind Spot That’s Growing Faster Than Your Security Can Track

AI agents have quietly multiplied into the thousands: ChatGPT integrations, Agentforce, n8n workflows, custom tools, embedded assistants. They act autonomously, hold persistent permissions, and execute across systems. Most security teams can account for maybe a dozen.

Watch our on-demand demo to see how Reco discovers every AI agent, maps their connections, and stops exfiltration before it happens.

Watch the Full Demo

Want to sponsor the TCP newsletter? Learn more here.

Howdy 👋 - hope you’re having a stellar week. It’s only Wednesday but feels like it should be Friday… not sure what that’s all about. Maybe it’s correlated with the amount of ‘wtf?’ moments and unintentional satire going on in security right now?

In any case, I’ll be at Unprompted con next week, hit me up if you’ll be in town and want to grab a coffee/lift. Same applies if you’re attending BSidesSF or RSAC! Monad has partnered with Scanner.dev (should be on every operators radar) for a happy hour event at Fang restaurant, you can RSVP here. More to come re: RSAC.

Now, onto this week’s news.

TL;DR 🗞️

• 🔬 Anthropic launches Claude Code Security — reasoning-based code scanner built on Opus 4.6; Wall Street panic-sold the entire cyber sector despite zero overlap with most co’s

• 💀 OpenClaw agent deleted a Meta researcher’s inbox — context window compaction silently dropped stop commands; she had to physically kill the process

• 🚪 Snyk CEO McKay steps down — says company needs an “AI-immersed” leader after building to $325M ARR and 4,800 customers

• 📨 Microsoft Copilot bug exposed confidential emails — DLP-labeled messages were summarized by AI for weeks despite policy restrictions

• 🔟 Microsoft published top 10 Copilot Studio agent risks — released detection queries on GitHub covering auth gaps, orphaned agents, and MCP misconfigs

• 📐 NIST launched AI Agent Standards Initiative — targeting identity, authentication, and interoperability standards for autonomous AI agents

• ⚔️ Aikido Security launched Infinite — continuous AI pentesting that triggers on every code change with auto-remediation and retest

• 🎓 CompTIA released SecAI+ certification — first vendor-neutral cert covering AI system security, AI-driven SecOps, and AI governance

• 🔐 Venice Security exits stealth with $33M — zero standing privilege PAM for human, machine, and AI identities; backed by Wiz founder

• 🧬 Astelia raised $35M for exposure management — founded by Israel’s National Red Team leads; agentic AI maps env topology to prove exploitability

• 🐺 Arctic Wolf acquires Sevco Security — adds Gartner-recognized exposure assessment platform to Aurora

⚒️ Picks of the Week ⚒️

Anthropic Shipped a Code Scanner. Wall Street Sold the Entire Cyber Sector

Okay, let’s start with the elephant in the room. Anthropic launched Claude Code Security on Friday, a reasoning-based code vuln scanner built into Claude Code powered by the new Opus 4.6 model. Rather than matching known patterns like traditional SAST tools, it reasons through code contextually, tracing data flows and identifying business logic flaws, with multi-stage self-verification and mandatory human approval before any patch is applied. In internal testing, Opus 4.6 found over 500 previously unknown high-severity vulns in production open-source codebases, including flaws that survived decades of expert review. Available as a limited research preview for Enterprise and Team customers, with free access for open-source maintainers.

Wall Street’s response was immediate and indiscriminate. CrowdStrike dropped ~10%. Cloudflare fell 8.1%. SailPoint slid 9.4%, Okta dropped 9.2%. The Global X Cybersecurity ETF fell 4.9%, closing at its lowest since November 2023. Clearly, the trading bots and hedge fund operators don’t know the difference between code scanning and a WAF, EDR, or IdP.

Cyber CEOs Takes

CrowdStrike CEO George Kurtz took the most direct approach possible: he opened Claude Code and asked it to build a tool to replace CrowdStrike. Claude’s response was blunt: “Building a replacement for CrowdStrike isn’t something I can do here, and it wouldn’t be responsible for me to suggest otherwise.”

Kurtz’s takeaway: “AI doesn’t eliminate the need for security. It increases it.” Palo Alto Networks CEO Nikesh Arora echoed the sentiment in his earnings call, saying he’s “confused why the market is treating AI as a threat to cybersecurity.”

I think this was a sell-off driven algorithmic trading combined with investors looking for a de-risking event in a sector trading at elevated multiples. Most of the companies that got hammered operate in domains Claude Code Security doesn’t touch: endpoint detection, identity management, network security, incident response etc.

In my opinion, Anthropic is just cleaning up after themselves. Claude Code and its competitors have generated an enormous volume of code over the past year (~4% of all daily public commits) .

Indie builders, vibe coders, and enterprise devs are shipping AI-written code into production at scale. Building a security scanner for that code should be tablestakes.

The bigger questions are:

• What’s it cost in terms of compute and tokens to run the feature at scale?

• How do SAST players that rely on foundation AI models beat those same model producers at their own game? What’s the differentiator? Is it enough to operate an entirely separate tool?

• Who owns liability when an AI scanner misses a vuln, or when its auto-suggested patch introduces a new one?

My LinkedIn post asking whether Anthropic just disrupted AppSec pulled 100K+ impressions, 400+ connection requests, and 750+ engagements within 72 hours. The answer, for now, is no. Anthropic is just securing its own output. If they start securing endpoints, runtime, cloud, etc then it’s a cause for concern.

Dig Deeper: Bloomberg | Axios

Meta AI Security Researcher’s OpenClaw Agent Goes Rogue on Her Inbox

This is some borderline Black Mirror stuff. Meta AI safety + alignment researcher Summer Yue posted her experience w/ an OpenClaw agent she’d been testing that went on a “speed run” deleting her email, ignoring her stop commands from her phone.

From the screenshots, you can see OpenClaw ignored stop prompts and did not apologize. “You’re right to be upset.” it said… Who do you call when your OpenClaw gaslights you?

What happened

Yu had been testing the agent on a smaller “toy” inbox where it performed well, building her trust. When she pointed it at her full inbox, the volume of data triggered context window compaction, causing the agent to summarize and compress its running instructions. The stop commands she issued got dropped during compaction, and the agent reverted to its earlier behavior from the test inbox.

What it means

1. If an AI alignment researcher at Meta gets burned, the rest of us may not stand a chance. Yu admitted it was a “rookie mistake,” but the failure mode is architectural, not user error. Context window compaction silently dropping safety instructions is a fundamental reliability problem.

2. Irreversible actions without confirmation gates. The agent had full delete access with no human-in-the-loop approval for destructive operations. This is the pattern every agentic security framework warns about.

We are deploying agents with real-world permissions at a pace that far outstrips our ability to govern them. Yu’s experience is almost comically relatable (who hasn’t wanted to hand their inbox to an AI?), but the failure mode is serious. Context window compaction silently eating safety instructions is the kind of bug that doesn’t show up in testing and only manifests at production scale.

Dig Deeper: TechCrunch | Summer Yu’s X post

After $325M in Revenue, Snyk’s CEO Says the Next Chapter Needs a New Kind of Leader

Snyk CEO Peter McKay announced he’s stepping down, saying the company needs a leader with deeper product innovation and AI chops for its next chapter. McKay pointed to his track record: 4,800 customers, $325M in annual revenue, and what he called a “monumental pivot to become the leader in AI-native security.” He’ll remain a significant shareholder and stay on until a replacement is found.

McKay framed the move around what he sees as a generational shift in how code gets written and secured. “This next chapter requires a visionary, AI-immersed leader ready to commit their full energy to a multi-year journey of technical disruption,” he wrote.

What to watch

1. The successor profile matters. McKay is essentially saying Snyk’s future CEO needs to be a product/AI person, not a go-to-market exec. That’s a meaningful signal about where the company thinks the competitive fight is heading.

2. Competitive pressure is real. Between Wiz expanding aggressively into AppSec, legacy SAST/DAST vendors bolting on AI features, and AI-native startups like Aikido launching autonomous pentesting, Snyk’s market position is under pressure from every direction.

3. $325M ARR is solid but stagnation is the enemy. At that scale, Snyk needs to either accelerate toward IPO territory or become an acquisition target. A leadership vacuum at this moment is risky.

Kudos to McKay for an unusually honest exit. Most CEOs get pushed; few publicly admit they’re not the right person for next company phases. Whoever takes over needs to answer a hard question: does Snyk become the platform that secures AI-generated software, or does it get outrun by companies that were born in that world? No in between.

Microsoft Copilot Bug Exposed Confidential Emails for Weeks

This one is absolutely wild and I’m surprised more people aren’t talking about it. Microsoft confirmed a bug in Copilot Chat allowed its AI to read and summarize emails labeled as confidential since January, even when customers had data loss prevention (DLP) policies explicitly configured to prevent their sensitive content from being ingested into the LLM.

Just days before the disclosure, the European Parliament’s IT department blocked built-in AI features on lawmakers’ work devices over concerns that AI tools could upload confidential correspondence to the cloud.

The whole value prop of AI assistants is that they operate within your existing access controls and classification boundaries. When they don’t, you’ve essentially deployed an insider threat with read access to your most sensitive data and a habit of summarizing it for anyone who asks. If Microsoft is messing this up, can you imagine what else is going on?

Microsoft Publishes Top 10 Copilot Studio Agent Security Risks

Unironically, Microsoft’s Defender Security Research team published a detailed breakdown of the 10 most common Copilot Studio agent misconfigurations they’re seeing in production environments, along with Advanced Hunting queries to detect each one.

The top 10 risks are:

1. Agents shared with the entire organization without scoped access

2. No authentication required, creating public entry points to internal data

3. HTTP request actions bypassing connector governance (non-HTTPS, non-standard ports)

4. Email-based data exfiltration via AI-controlled dynamic recipients

5. Dormant agents, connections, and actions creating hidden attack surface

6. Author (maker) authentication giving every user the creator’s elevated permissions

7. Hard-coded credentials embedded in topics or actions in cleartext

8. MCP tools configured without active review, creating undocumented access paths

9. Generative orchestration without instructions, leaving agents vulnerable to prompt abuse

10. Orphaned agents with no active owner for governance

Microsoft released corresponding community hunting queries on GitHub for each risk. They’re in KQL but could easily be converted to whatever you’re hunting in.

Dig Deeper: Microsoft Security Blog | GitHub Hunting Queries

🔮 The Future of Security 🔮

AI Security

NIST Launches AI Agent Standards Initiative

NIST’s Center for AI Standards and Innovation (CAISI) launched a new program to develop technical standards and guidance for autonomous AI agents. The initiative targets identity, authentication, and interoperability challenges as orgs push agent-based systems into production for coding, workflow automation, and task execution. NIST has issued an RFI seeking public input on agent security risks, identity models, and deployment considerations, and is coordinating with the NSF and other federal stakeholders.

Securing agentic AI is still a massive sh*tstorm. Crowdsourced and bulletproofed standards like this at least give a measuring stick on how teams should be addressing it. Will be good to see what comes from it. If you’re in the trenches securing AI, you can contribute your insights here.

Application Security

Aikido Security Launches Infinite for Continuous AI Pentesting

Aikido launched Infinite, a continuous AI-driven penetration testing solution that autonomously validates vulnerabilities, applies remediation where safe, and retests to confirm risk reduction. Each software change triggers AI pentesting agents, replacing the traditional periodic testing window with a feedback loop tied to release cycles.

Education

CompTIA Launches SecAI+ Certification for AI Security Skills

CompTIA released SecAI+, a cert covering AI system security, AI-driven security operations, and AI governance. Would be interesting to see the training materials for this. Sounds like it covers security for AI + AI for security.

Identity & Access Management

Venice Security Exits Stealth with $33M to Modernize Privileged Access Management

Venice Security emerged from stealth with $33M in combined funding: an $8M seed led by Index Ventures and a $25M Series A led by IVP. Angel investors include Assaf Rappaport (Wiz) and the Axis Security founders. Venice aims to eliminate standing privileges entirely, discovering every identity and entitlement across cloud, SaaS, on-prem, and AI-driven environments, then granting access only when needed and revoking it immediately after.

Vulnerability Management

Astelia Raises $35M to Replace Vuln Guesswork with Exploitability-Based Exposure Management

Astelia raised $35M in combined seed and Series A funding led by Index Ventures and Team8. Founded by the leaders of Israel’s National Red Team (the unit that stress-tests the country’s critical infrastructure). The platform uses agentic AI to map real network topology, segmentation, and existing controls, then correlates exploitability with reachability to surface only what’s genuinely exposed.

More Vulnerability Management news

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 125+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

Minimal Containers, Fewer CVEs

Tired of the endless cycle of cloud vulnerabilities? Avoid over 97% of CVEs with minimal container images from Minimus. No bloated base layers, no unnecessary packages, just what your app needs to run. Drop Minimus images into existing deployments to dramatically reduce your attack surface and remediation work.

Prevent CVEs Now

Howdy 👋 - hope you’re having a stellar week. I’m at the Monad GTM offsite cooking up some heat. We’re co-hosting an event with Scanner.dev at RSAC on March 23rd at Fang. Come hang out if you’ll be in town. Register here.

Big week in security per usual. Let’s dive in!

TL;DR 🗞️

• 📊 PANW beats Q2, drops $400M on Koi, cuts CyberArk staff — $2.6B Q2 revenue; acquisition spree continues; ~400 staff cuts; platformizationnnnn

• 🏆 Wiz launches AI Cyber Model Arena benchmark — 257 real-world offensive challenges; Claude Code on Opus 4.6 tops 25 agent-model combos at ~$2/run

• 🔥 Latio's 2026 AppSec report declares runtime the source of truth — AI-accelerated code is expanding vuln backlogs; AI-native SAST is booming; runtime is still king

• 🎮 Hack The Box ships offensive AI security CTF pack — 11 challenges mapped to OWASP LLM Top 10 and ML Top 10; includes MCP server attacks

• 🧠 Cisco ships security-tuned 8B model into Splunk ES — Foundation-Sec-8B replaces Llama-3.1-70B for alert summaries; better latency, lower cost

• 🛒 Check Point acquires three Israeli startups, beats 2025 earnings — ~$150M for Cyata, Cyclops, Rotate; FY25 revenue $2.7B (+6%), non-GAAP EPS $11.89 (+30%)

• 🏗️ AWS publishes AI-powered defense-in-depth blueprint — 7-layer serverless security architecture with Bedrock agents for autonomous threat analysis

• 👜 South Korea fines LVMH brands $25M over Salesforce breaches — 5.5M customer records exposed; no IP controls, no export limits, no log reviews

• 📷 Ring kills Flock Safety partnership after Super Bowl ad backlash — Consumer sentiment killed surveillance integration faster than any regulator could

• 🔑 Oso + Tailscale tackle coding agent permissions gap — 96% of human permissions unused in 90 days; agents inherit all of them

• 👻 Okta ISPM adds shadow AI agent discovery — Detects unsanctioned AI agents via OAuth consents; Gartner: 69% of orgs have prohibited GenAI use

• 🏢 Booz Allen acquires Defy Security for commercial cyber expansion — Brings Vellox Reverser malware analysis; strengthens UK/EU presence across financial, healthcare, energy

• 💰 VulnCheck raises $25M Series B for ‘exploit intelligence’ — Enterprise ARR up 557%; 32% of vulns weaponized on disclosure day, up 36% from 2024

⚒️ Picks of the Week ⚒️

Palo Alto Networks Drops $400M on Koi, Cuts Hundreds at CyberArk, and Spooks Wall Street on Guidance

Big week in PANW land with 3 major stories. Koi deal is timely heading into RSAC + given agentic AI security concerns. CyberArk staff cuts to be expected. Strong earnings.

The Koi deal

Palo Alto Networks is acquiring Koi Security for ~$400M. Koi tackles a gap most endpoint tools weren’t built for: securing the non-binary files proliferating across enterprises today. Think AI training datasets, scripts, browser extensions, plugins, and code editor add-ons. Koi intercepts risky downloads with approval workflows, runs behavioral analysis on files post-install, and monitors for supply chain-style update poisoning.

From VSCode exploit to $400M exit in under two years.

Koi’s origin story is worth the read. Founded in 2024 by Unit 8200 alumni, the team proved their thesis by building a fake VSCode theme extension called “Darcula Official” that secretly exfiltrated source code and machine data. Within a week, it compromised 300+ organizations, including Fortune 50 companies and a major EDR vendor. That experiment became ExtensionTotal, which evolved into Koi’s broader platform.

The company raised $48M (including a $38M Series A led by Battery Ventures and Team8) in September 2025, scaled to 500,000+ protected endpoints, and hit seven-figure ARR in eight months. Now it’s a ~$400M exit less than 18 months after founding. Not a bad return for Battery.

PANW plans to fold Koi into Cortex XDR and Prisma AIRS, branding the combined play “Agentic Endpoint Security.” Hadar Oren, SVP of product management for Cortex, framed the rationale bluntly: AI agents “can autonomously discover, invoke and even install additional components at machine speed.”

CyberArk layoffs

Meanwhile, PANW completed its $25B CyberArk acquisition and laid off hundreds of CyberArk employees the very next day. Over 10% of CyberArk’s roughly 4,000 staff are affected, including dozens in Israel. The company called it “strategic organizational changes” in overlapping roles.

Earnings

Fiscal Q2 was strong on paper: $2.6B revenue (up 15% YoY), next-gen security ARR surging 33% to $6.33B, and remaining performance obligations hitting $16B. But forward guidance disappointed Wall Street, with the stock dropping 5%+ after hours. PANW is clearly reinvesting hard and telling investors to be patient.

Dig Deeper: SiliconANGLE (Earnings) | SiliconANGLE (Koi) | CyberScoop | Calcalist (Koi) | Calcalist (CyberArk layoffs)

Wiz Research Launches AI Cyber Model Arena: 257 Real-World Challenges Benchmarking Offensive AI Agents

Wiz Research dropped one of the more interesting public research efforts i’ve seen lately: the AI Cyber Model Arena, a benchmark of 257 real-world offensive security challenges spanning zero-day discovery, CVE detection, API security, web security, and cloud security (AWS/Azure/GCP/K8s).

Top performers: Claude Code on Claude Opus 4.6, with Gemini 3 Pro close behind.

Offensive capability is jointly determined by agent scaffold and model, and performance swings dramatically by domain.

This is one of the first serious attempts to standardize how we measure AI offensive capabilities in security. Very cool work by the Wiz research team. Would love to see how the leaderboard evolves over time.

Latio Drops Its 2026 Application Security Market Report, and It’s a Banger

and the team just released their 2026 Application Security Market Report, a 72-page deep dive covering survey data, vendor evaluations, and hands-on product testing across the entire AppSec landscape.

Full disclosure: I haven’t had time to fully digest this thing yet, but I’m about 20 pages in and it’s already one of the most useful analyst reports I’ve read this year. A couple things that jumped out early:

AI-native SAST is the real deal. Latio calls it a “generational improvement,” and the reasoning is compelling. AI-powered static analysis can now detect business logic flaws that traditional rule-based engines simply can’t catch. The report highlights vendors like Zeropath, Corgea, Semgrep, and Endor Labs as leaders here. The key insight: your SAST engine matters less than the quality of your rules, and AI is rewriting that equation entirely.

ASPM as a standalone category is dead. The report argues that “management without scanning” never justified its own budget line. The category has collapsed into CTEM, with enterprises never intending to centralize under a single management layer. Third-party integrations were a stopgap, not a strategy.

Developer experience now outranks detection quality in tool selection. That’s a significant shift. Survey respondents ranked DX as the #1 deciding factor when choosing AppSec tools, ahead of false positive rates. Meanwhile, 84% flagged AI-generated code security and supply chain malware as their top 2026 concerns.

Latio is one of the few analyst firms that actually tests the products it covers, and it shows. The practitioner-first lens makes this required reading for anyone evaluating AppSec tooling in 2026. The AI code security section alone is worth the download. I’ll be digging into the full report over the coming weeks and sharing more takeaways. Grab it from Latio’s site.

Hack The Box Drops Offensive AI Security CTF Pack

Hack The Box launched a challenge pack tailored toward offensive AI security. 11 challenges mapped to the OWASP LLM Top 10 and OWASP ML Top 10. The first 7 cover practical LLM exploitation accessible to pentesters (prompt injection, agent manipulation, MCP server attacks). The final 4 go deeper into ML-layer attacks most red teams have only read about in papers: adversarial examples, gradient leakage, federated learning backdoors, and LoRA artifact exploitation.

This is fire. If I were still a pentester, I’d be all over it.. I may still test it out if I ever get the time 😞

AWS Publishes AI-Powered Defense-in-Depth Blueprint for Serverless Security

AWS published a detailed reference architecture layering AI-powered security controls across serverless microservices. The blueprint maps seven security layers from edge to data: Shield and WAF at the perimeter, Cognito adaptive auth with compromised credential detection, API Gateway with schema validation, VPC network isolation, Lambda least-privilege with CodeGuru ML code analysis, Secrets Manager rotation, and DynamoDB encryption with fine-grained IAM.

Pretty cool but I’d imagine this costs an arm and a leg to run at scale lol.

Amazon Ring Kills Flock Safety Partnership After Super Bowl Surveillance Ad Backlash

Amazon’s Ring terminated its planned integration with police surveillance company Flock Safety after a Super Bowl ad ignited a public firestorm. The 30-second spot showed a lost dog tracked across a neighborhood by Ring cameras using AI, and viewers immediately asked the obvious question: if it can find a dog, it can find a person.

Slippery slope which is already taking place behind the scenes.

Related: DHS Sent Hundreds of Subpoenas to Unmask Anti-ICE Social Media Accounts

South Korea Fines LVMH Brands $25M After Salesforce Breaches Exposed 5.5 Million Customers

South Korea’s privacy regulator hit Louis Vuitton, Dior, and Tiffany with a combined $25M in fines after hackers popped their Salesforce instances and walked off with data on 5.5 million customers.

Louis Vuitton took the biggest hit at $15M after malware on an employee device led to credential theft across three separate breaches (3.6M records). The breaches are tied to the broader Scattered LAPSUS$/ShinyHunters campaign targeting Salesforce customers.

LV can make the fine $ back after selling 20 bags so I think they’ll be ok. The fine does set a strong precedence for those operating in SK though.

🔮 The Future of Security 🔮

AI Security

Oso Partners with Tailscale to Lock Down Coding Agent Permissions

The “agents inherit developer permissions” problem is one of the biggest unaddressed gaps in security, and Oso is one of the best positioned to go after it.

They launched ‘Oso for Coding Agents’, integrated with Tailscale’s Aperture, to bring viz and automated least-privilege controls to coding agents like Claude Code, Cursor, and Codex. The product monitors every agent tool call across an org, applies risk scoring, and fires alerts on anomalous behavior: new MCP servers, data exfiltration risk, PII exposure, unauthorized tool use.

Oso’s internal research found 96% of human permissions go unused in a 90-day window, and agents inherit all of them.

More AI news ⬇️

• The Skills That Will Matter for Offensive AI Security in 2026

• Top 10 actions to build agents securely with Microsoft Copilot Studio

• Check Point Announces Trio of Acquisitions Amid Solid 2025 Earnings Beat

Identity & Access Management

Okta Adds Shadow AI Agent Discovery to Identity Security Posture Management

Okta shipped new Agent Discovery capabilities in its ISPM product to find and map shadow AI agents that employees are spinning up without IT oversight. The feature detects OAuth consents from unsanctioned platforms and unvetted agent builders, maps relationships between client and resource apps, and alerts when unknown agents gain permissions to critical data. Shadow AI is shadow IT on steroids.

More IAM news ⬇️

• GitGuardian Raises $50M Series C to Address Non-Human Identities Crisis and AI Agent Security Gap

• 1Password open sources a benchmark to stop AI agents from leaking credentials

Managed Service Providers / VARs

Booz Allen Acquires Defy Security to Expand Commercial and International Cyber

Booz Allen Hamilton is acquiring Defy Security to expand its commercial and international cyber business across financial services, healthcare, manufacturing, and energy. Booz is a trusted name and Defy will help them w/ distribution of whatever security offerings they may have.

Security Operations

Cisco Ships Security-Tuned Foundation AI Model into Splunk Enterprise Security

Cisco’s Foundation AI team shipped its custom-tuned Foundation-Sec-8B-1.1-Instruct model into the Splunk AI Assistant in Splunk Enterprise Security, replacing previous Llama-3.1-70B model calls.

The model powers alert summary generation, producing structured incident overviews, alert timelines, MITRE ATT&CK mapping, and recommended next steps. I’d imagine this model will power their detection gen and fine-tuning capabilities, threat hunting, and whatever else they want to add to their offerings.

Fine-tuned models perform better at their set of tasks than a larger general purpose model.. Splunk has boat loads of proprietary data so it’ll be tough for competing vendors to keep up, imo.

Cisco used novel synthetic data generation and curriculum learning to tune the 8B-parameter model specifically for SOC workflows.

Vulnerability Management

VulnCheck Raises $25M Series B to Scale Exploit Intelligence

VulnCheck closed a $25M Series B led by Sorenson Capital, with participation from National Grid Partners, Ten Eleven Ventures, and In-Q-Tel, bringing total funding to $45M.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 125+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

AI has changed email attacks - but most defenses haven’t

Modern phishing blends text, images, links, QR codes, and social engineering to bypass legacy tools.

Varonis offers a free Email Risk Assessment to show the real threats already landing in your users’ inboxes. Get a 90-day lookback, live attack visibility, and a clear report - all backed by real production data.

See what your email security is missing.

Start your free assessment.

Howdy 👋 - What a week it’s been. Six weeks out from RSAC and the industry is already running hot with tons of rumbling underneath the surface.

Innovation Sandbox finalists dropped, earnings are rolling in, and every vendor on the planet is sharpening their pitch decks. It’s a lot. Lucky for you, I read it all so you don’t have to.

This week’s issue is stacked (!) but two quick plugs before we dive in:

• 🕸️ The Black Hills Information Security/Antisyphon Training crew and John Strand are hosting a free, virtual SOC Summit on March 25 (10AM-4PM ET) with 11 expert speakers covering real-world SOC operations. Highly recommend if you’re a SecOps operator in any capacity.

• 📝 I also dropped a new post this week: The Great Decoupling: Separating Your SIEM from Your Data Layer. It’s a great snapshot of architectural discussions many teams are having.

Cool, let’s dive in!

TL;DR 🗞️

• 🤖 Opus 4.6 Finds 500+ High-Severity Vulns — Anthropic's model discovered novel flaws in open-source libraries with no custom tooling or specialized prompting

• 🏆 RSAC Innovation Sandbox 2026 — 10 finalists announced, $5M each; 6 of 10 building for agentic AI security

• 🧠 AI Burnout Is Already Here — UC Berkeley study: AI tools didn’t reduce hours; to-do lists expanded to fill freed time

• 🚨 Google: APTs Using Gemini AI Across Full Kill Chain — First malware families calling LLMs at runtime; 100K+ prompt distillation attack on Gemini; mirrors Anthropic's finding that AI is now the operator, not just the tool

• 📊 Cloudflare Crushes Q4 Earnings — $614.5M revenue, up 34% YoY; largest contract ever at $42.5M/year

• 🐛 FIRST Projects 50K+ CVEs in 2026 — Median forecast of 59,427 new CVEs; first year crossing the 50K threshold

• 💰 Vega Security Raises $120M Series B — AI-native SIEM alternative valued at $700M; Fortune 500 logos already signed

• 🤖 Ex-GitHub CEO Raises Record $60M Seed — Thomas Dohmke’s Entire valued at $300M; open-source Checkpoints tool captures AI code provenance

• 🔐 Reco Raises $30M Series B — AI SaaS security platform fueled by 500% YoY growth; $85M total raised

• 🛡️ Nucleus Security Raises $20M Series C — Exposure management platform ingesting from 200+ tools across IT, cloud, appsec, and OT

• 🎯 Complyance Raises $20M Series A — GV-led round for AI-native GRC with 16 purpose-built agents live today

• 🔬 Microsoft Drops Dual LLM Security Research — Backdoor scanner for open-weight models plus single-prompt unalignment across 15 model families

• 🌐 Wiz Ships Backstage Plugin — Security findings now surfaced inside Spotify’s developer portal at GA

• 🧰 THOR Collective: How I Use LLMs for Security Work — Josh Rickard’s practical guide to prompting LLMs for SOC analysts and threat hunters

⚒️ Picks of the Week ⚒️

Anthropic’s Opus 4.6 Discovers 500+ High-Severity Vulns in Open-Source Libraries

Anthropic’s Red Team dropped a bombshell along with their latest model release. During testing, Claude Opus 4.6 identified over 500 previously unknown high-severity vulnerabilities across open-source software libraries.

500 novel findings in codebases that have had fuzzers running against them for years, some with bugs that went undetected for decades… Wild.

The model was pointed at open-source projects and given standard vulnerability analysis tools, but received no custom scaffolding, no specialized prompting, and no instructions on how to find bugs. It figured out its own methodology, including reading Git commit histories to find similar unpatched flaws and reasoning through compression algorithms to craft proof-of-concept exploits. Out-of-the-box capability, not months of fine-tuning.

For security teams running open-source dependencies (pretty much everyone), the window between discovery and exploitation just got shorter.

Dig Deeper: Anthropic Frontier Red Team Report | Fortune | Axios

FIRST Forecasts 50,000+ CVEs in 2026

FIRST’s 2026 Vulnerability Forecast projects a median of roughly 59,427 new CVEs this year, with a 90% confidence interval ranging from 30,000 to 117,000. If the median holds, 2026 will be the first year to cross the 50,000 CVE threshold, a milestone FIRST calls “significant in vulnerability disclosure history.” Realistic scenarios push the number as high as 70,000 to 100,000.

FIRST’s methodology, built on historical CVE records and NVD/MITRE publication trends, hit a 7.48% error rate on 2025 yearly predictions and 4.96% for Q4 2025. It also projects continued growth: median estimates of 51,018 CVEs in 2027 and 53,289 in 2028, with upper bounds approaching 193,000 by 2028.

My first reaction is “shit, that’s a lot of vulns”. Second reaction is this is extremely validating for vendors doing any sort of vulnerability prioritization. Third reaction is that this ties well into the Anthropic story we just covered above.

RSAC 2026 Innovation Sandbox: 10 Finalists, $5M Each, and a Very Clear Theme

RSAC announced the 10 finalists for its 21st Innovation Sandbox contest, each awarded a $5M SAFE investment ahead of three-minute pitches at Moscone on March 23.

The Class of 2026: Charm Security, Clearly AI, Crash Override, Fig Security, Geordie AI, Glide Identity, Humanix, Realm Labs, Token Security, and ZeroPath.

6 of 10 finalists are building for agentic AI security, AI governance, or human-layer defense.

The standouts for me are Realm Labs (inference-time observability is a genuinely unsolved problem), Geordie AI (agent governance with serious pedigree from Snyk, Veracode, and Darktrace founders, plus the Black Hat Europe 2025 Startup Spotlight win), and Glide Identity (SIM-anchored cryptographic auth is a fundamentally different approach than MFA).

I’m working on a standalone deep dive breaking down each finalist, what they actually do, and who has a real shot. Stay tuned.

Dig Deeper: RSAC Finalists Announcement

Google: State-Backed Hackers Caught Using Gemini Across the Full Kill Chain

Google’s Threat Intelligence Group (GTIG) released its latest AI Threat Tracker, and it validates what many of us have known for a while + was covered by anthtropic in November 2025. Adversaries are deploying AI-enabled malware in live operations.

APT groups from China, Iran, North Korea, and Russia are using Gemini for reconnaissance, phishing, C2 development, and data exfiltration.

GTIG identified two malware families, PROMPTFLUX and PROMPTSTEAL, that call LLMs during execution.

GTIG also flagged a surge in “distillation attacks.” One campaign hit Gemini with 100,000+ prompts attempting to extract reasoning traces.

The Anthropic parallel tracks exactly. In November 2025, Anthropic disrupted a Chinese state-sponsored group using Claude Code as an autonomous penetration orchestrator, with AI executing 80-90% of operations independently. I’d imagine there’s overlap in these threat actors and that they’re working for govts.

None of this is surprising but it’s certainly worth tracking.

Dig Deeper: GTIG AI Threat Tracker | Anthropic: AI-Orchestrated Espionage (Nov 2025) | BleepingComputer

The First Signs of AI Burnout Are Here, and Security Teams Should Be Paying Attention

A new study published in Harvard Business Review tracked what happened when employees at a 200-person tech company genuinely embraced AI tools over eight months. UC Berkeley researchers found nobody worked less.

To-do lists expanded to fill every hour AI freed up, then kept going. Separately, a METR trial found experienced developers using AI tools took 19% longer on tasks while believing they were 20% faster. An NBER study across thousands of workplaces measured actual productivity gains at just 3%.

Sound familiar? Vendors promise AI will finally solve SOC analyst and incident response burnout, alert fatigue, and the eternal “staffing gap.” The tools are getting genuinely better, and the right AI tooling on top of a well-architected SOC can be a real force multiplier. But if the pattern from this research holds, “faster” just means leadership expects more coverage, more investigations, more reporting, not fewer hours. The alert queue may shrink faster. You’ll detect and address threats sooner. But the roles will evolve to cover more ground, and operators should plan for that.

AI won’t save us from bad architecture, understaffed teams, or alert pipelines that were broken before the LLM showed up.

Cybersecurity Earnings Season Opens Strong: Cloudflare, Fortinet, Qualys All Beat

Early returns from Q4 earnings season are painting a healthy picture for cybersecurity and infrastructure spending.

Cloudflare stole the spotlight: $614.5M in Q4 revenue (up 34% YoY), crushing the Street’s $591.3M estimate. CEO Matthew Prince disclosed the company’s largest contract ever at $42.5M/year (🤯).

Fortinet posted $1.91B in Q4 revenue (up 15% YoY) with billings surging 18% to $2.37B and product revenue up 20%, suggesting the firewall refresh cycle is alive and well even though Fortinet has had a slew of critical vulnerablities over the past year+… Seems like their product is pretty sticky for vulns not to cause churn? Either way, they’re doing something very right.

Rapid7 posted $217.4M in Q4 revenue (up just 0.5% YoY). Full-year 2025 revenue hit $860M (up 2% YoY) with ARR flat at $840M. Sounds like they’ll be making a strong push for services/MDR in coming quarters.

Qualys delivered $175.3M in Q4 revenue (up 10% YoY)

Dig Deeper: Cloudflare Q4 Results | Fortinet, NetScout, Qualys Q4 Results | Rapid7

Vega Security Raises $120M Series B to Kill Legacy SIEM Model

Friends of the newsletter Vega Security closed a $120M Series B led by Accel with Cyberstarts, Redpoint, and CRV, nearly doubling their valuation to $700M and bringing total funding to $185M.

Vega is building a SecOps suite that adds federated detection and response capabilities across cloud services, data lakes, and existing storage, giving teams flexibility in how they query and act on security data at scale.

Approach seems to be resonating with recent multi-million-dollar contracts with banks, healthcare companies, and Fortune 500 firms including Instacart. Also worth noting that Vega has scaled to 100 employees in ~2 years since inception.

TCP readers got the early look as we covered Vega six months before they came out of stealth.

🔮 The Future of Security 🔮

AI Security

Microsoft Publishes Back-to-Back LLM Security Research: Backdoor Detection and One-Prompt Unalignment

Microsoft dropped two significant AI security research posts in one week. The first introduces a practical scanner for detecting backdoored open-weight language models at scale. The research identifies three “signatures” in poisoned models: trigger tokens hijack the model’s attention mechanism, creating a distinctive pattern that’s measurably different from clean models. Builds on Anthropic’s earlier “sleeper agents” work showing safety post-training fails to remove embedded backdoors.

The second paper is arguably more alarming: a single unlabeled prompt was enough to reliably strip safety alignment from 15 open-weight models across DeepSeek, GPT-OSS, Gemma, Llama, Ministral, and Qwen families, with minimal loss of utility. The technique reverses the same methods used to improve model safety.

Two takeaways: open-weight model supply chains need integrity scanning before deployment, and current alignment techniques remain not the best. If you’re running open-weight models in production, both papers are required reading, imo.

More AI news ⬇️

• SentinelOne debuts lifecycle platform for AI security

Application Security

Ex-GitHub CEO Raises $60M Seed to Tackle AI Code Provenance

Former GitHub CEO Thomas Dohmke launched Entire with a $60M seed round at a $300M valuation, led by Felicis with Madrona, M12 (Microsoft), Basis Set, Jerry Yang, and Datadog CEO Olivier Pomel.

The company is building AI-native developer infrastructure to solve a growing problem: as AI agents write more production code, engineering teams can’t review it fast enough or trace why decisions were made.

What it does:

• Checkpoints, an open-source CLI that captures full context behind AI-generated code: prompts, transcripts, agent decision steps, implementation logic

• Git-compatible database unifying AI-produced code with a semantic reasoning layer for multi-agent collaboration

• Supports Claude Code and Gemini CLI today

The security angle here is supply chain integrity for AI-generated code. If your agents are shipping code faster than humans can audit it, provenance tracking is crucial. Worth watching as AI coding tools move from “assist” to “author.”

More AppSec news ⬇️

• Wiz Launches Spotify Backstage Plugin for Developer-First Security

Browser Security

Zscaler Acquires Browser Security Firm SquareX

Zscaler acquired SquareX, an 80-person browser detection and response (BDR) startup that raised $26M including a $20M Series A led by SYN Ventures. SquareX’s lightweight browser extension delivers zero trust enforcement, DLP, and device posture checks in Chrome, Edge, Firefox, and Safari without requiring a standalone enterprise browser or full agent.

More BrowserSec news ⬇️

• “Own the Browser,” an Open-Source Browser Evaluation Framework

Governance, Risk, and Compliance

Complyance Raises $20M Series A for AI-Native GRC

Complyance closed a $20M Series A led by GV, with Speedinvest, Everywhere Ventures, and angels from Anthropic and Mastercard participating. Total raised sits at $28M. The platform deploys AI agents to automate governance, risk, and compliance workflows, running continuous checks against company-specific criteria and risk thresholds instead of the traditional quarterly audit cycle.

Identity & Access Management

Keycard Labs Acquires Anchor.dev to Build Identity Layer for AI Coding Agents

Keycard Labs acquired certificate management startup Anchor.dev, bringing on a team with infrastructure experience from Cloudflare, GitHub, and Heroku. Keycard provides short-lived, task-based credentials for coding agents (Cursor, Claude Code, Codex, Windsurf) accessing production systems, with a single identity and audit layer across MCP, CLI, and agent-created tooling. As agentic dev tools get deeper production access, expect identity and access governance to become the bottleneck everyone scrambles to solve.

Product Security

Nullify Raises $12.5M Seed for AI-Powered Product Security Workforce

Nullify closed a $12.5M seed led by SYN Ventures with Black Nova Venture Capital, bringing total raised to $16.9M. The company pitches autonomous “AI employees” that handle vuln detection, triage, exploit validation, and remediation end-to-end, shipping merge-ready fixes directly to developers.

SaaS Security

Reco Raises $30M Series B for AI SaaS Security

Reco closed a $30M Series B led by Zeev Ventures, bringing total funding to $85M. The round comes less than 10 months after its last raise, fueled by 500% YoY growth in 2024 and an additional 400% in 2025. The platform provides continuous discovery and governance across AI SaaS apps, autonomous agents, shadow AI, and MCP connections, covering 215+ integrations. Customers include Fortune 500s across finance, healthcare, pharma, and tech.

SaaS security was already a top concern but enterprise AI adoption has poured gas on that and Reco is capitalizing on it.

Security Operations

How I Use LLMs for Security Work -

Josh Rickard walks through six practical prompting techniques for security practitioners using Claude, Cursor, and ChatGPT: role-stacking (layering multiple perspectives per prompt), being explicit about your tech stack, requesting validation to reduce hallucinations, and framing questions as systems problems rather than point solutions.

Great primer for analysts and threat hunters experimenting with their LLM workflows.

AiRRived Emerges from Stealth with $6.1M for Agentic OS

AiRRived launched from stealth with a $6.1M seed led by Cannage Capital, with Plug and Play Ventures, Rebellion Ventures, and Inner Loop Capital participating. Airrived builds an “Agentic OS” that unifies SOC, GRC, IAM, vuln management, IT, and business operations into a single agentic layer.

I think their approach is cool. Goes toe-to-toe with the Palo Alto’s and CrowdStrike’s of the world whose moat has dwindled a bit given AI development advances. However, large players are mostly safe for now given their biggest moats are talent density and distribution channels.

More SecOps news ⬇️

• Halcyon’s IR Partner Program Lets MSSPs Deliver Ransomware Response Without Losing Customer Ownership

• LevelBlue will acquire MDR provider Alert Logic from Fortra

Vulnerability Management

Nucleus Security Raises $20M to Scale Exposure Management Platform

Nucleus Security closed a $20M Series C led by Delta-v Capital with Arthur Ventures, bringing total funding to roughly $86M. The platform acts as a centralized system of record for vulnerability and exposure management.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 125+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

The core architecture of SIEMs was never designed to solve modern SOC problems. Think ingesting 5TB/day of logs from 40+ sources, varying schemas, log quality, and low fidelity atomic alerts. It’s why forward-thinking teams at HSBC, Rippling, Brex and countless others are decoupling their data pipeline from their SIEM. AI/ML tooling has put a magnifying glass to this problem. Models don’t tolerate messy or incomplete data the way humans do.

After years as a security consultant and detection engineer, I've concluded that the data layer must be decoupled from the SIEM. The science nor the math make sense anymore and it hasn't for a while.

That conviction is why I've spent the past 2.5 years working on this problem at Monad, so I'm not unbiased. The timing has always felt right, but now it feels more important than ever. In this post, I'll highlight why.

Built to Search, Paid to Ingest

SIEMs were designed to be search engines with alerting capabilities. Somewhere along the way, vendors realized they could charge per gigabyte ingested, and log ingestion became a revenue driver rather than a customer success priority.

Think about what the SIEM actually does well: indexing logs, running queries, correlating events, creating historical baselines, and firing alerts.

Now think about what most SIEMs claim to do: collect data from N sources, normalize it into a consistent schema, route it to themselves, transform it and enrich it.

These are fundamentally different disciplines. The architectures don’t overlap. And the incentive structures definitely don’t overlap. SIEM vendors maintain hundreds of integrations across thousands of customers while adding AI SOC, SOAR, UEBA, agentic threat hunting, risk scoring and countless other features. They’re generalist platforms that thrive in search and alerting, not data engineering.

SIEM vendors make money when you ingest more data. They have zero incentive to help you route logs to cold storage at a fraction of the cost or send copies to your data lake for ML experiments.

Lock-in doesn’t hurt on day one. It hurts on year three when your vendor raises prices 40% and you realize your entire detection library, your normalized schemas, your enrichment logic, and your historical data are all trapped in a proprietary format and it would take 6+ months to migrate.

The Multi-Destination Era

Security data needs to live in more places than ever:

• SIEM for real-time detection and response

• Data lake + BI for threat hunting, dashboarding, and homegrown AI/ML

• Cold storage for compliance and incident response replay

• AI triage tools and analytics platforms that need access to the same telemetry

Now try to accomplish this with your SIEM as the central hub. Most SIEMs have little to no native support for routing data to external destinations.

Splunk, for example, has no native integration to send data to Databricks or ClickHouse. This is the routing compatibility problem, and it’s only gotten worse as security teams adopt more specialized tools and the enterprise sprawls into more SaaS and AI apps.

AI Doesn't Fix Bad Data

AI is changing how security teams operate, and every AI use case lives or dies on data quality and availability.

AI-powered SOC triage is the future. But right now, these tools are not ready for full unsupervised production use. Data availability and quality are the main culprits.

Talk to folks who have POC’d AI SOC vendors and you’ll hear they demo beautifully, reduce MTTR tremendously, and the UI is neat. But when digging into the actual triage output and reasoning, you may find the AI described a full attack chain: cmd.exe spawned PowerShell, which spawned certutil. But the actual data only had the certutil execution. The parent process fields were null. That's a model failure and a data failure. But only one of them is fixable upstream (unless you own + fine-tune your model).

When AI triage agents ingest unnormalized logs, heavily nested JSON with inconsistent field names, or events missing critical context, they hallucinate. They correlate events that shouldn’t be correlated because timestamps are formatted differently across sources. They miss obvious conclusions because the enrichment data that would make it obvious was never joined.

AI SOCs are only as good as the data they can access:

• No HR data? Can’t understand org structure.

• No asset inventory? Can’t distinguish a server from a laptop.

• Missing identity logs? Flying blind on user behavior.

When your SIEM owns the pipeline, your data is normalized to their schema, optimized for their query engine, stored in their proprietary format. The organizations that stand to gain the most from AI in security have full control over their data layer.

Credit where it’s due: Some AI SOC vendors like Prophet Security and Intezer aren’t just throwing LLMs at messy data and hoping for the best. They’re taking more deterministic, evidence-based approaches that surface data gaps rather than hallucinating over them.

What Decoupling Actually Looks Like

Decoupling means separating concerns, not building everything yourself.

Your data pipeline handles collection, parsing, normalization, enrichment, and routing. Source-agnostic. Destination-agnostic. Your SIEM / data lake receives clean, enriched data and does what it was built for: detection and investigation.

Purpose-built pipelines offer better filtering, routing flexibility, scalability, and observability. Typically at a fraction of SIEM ingestion costs.

This also gives you optionality:

• Migrate SIEMs? Your pipeline stays intact.

• Add a data lake? Add a route.

• Experiment with AI-powered triage? Run platforms in parallel without doubling ingestion costs.

• Vendor plays pricing games? You have real leverage to walk away.

When you own your pipeline, your SIEM becomes a destination, not a dependency.

The Path Forward

The window is open. SIEMs were never designed to be data pipelines, and the architecture+incentive mismatch is more obvious than ever. Vendor lock-in is getting harder to justify when budgets are tight and better options exist. AI capabilities are finally practical but demand clean data to function. The teams that own their pipeline will be the ones who actually get value from what comes next.

This is the problem we’re solving at Monad. We’re building a security data pipeline platform that gives teams full control over collection, normalization, enrichment, and routing. No vendor lock-in. No ingestion taxes. Just clean data flowing where it needs to go.

If you’re dealing with SIEM cost overruns, data quality issues, or want to future-proof your stack for AI, let’s talk.