Subscribe now

Share

AI signals in email attacks: Boosting detection and threat hunting

Most AI “tells” in email are noisy and unreliable on their own. But used correctly, they can still strengthen detections and improve threat hunting.

In Sublime Security’s upcoming webinar, we break down which AI signals actually work, how to apply signal stacking, and where these approaches fail. See real examples and a practical framework you can use immediately.

Register now, watch anytime

Howdy 👋 - Hope you’re having a great week wherever you’re tuning in from!

This has been a wild week. Anthropic’s Mythos model apparently accessed by a unauthorized 3rd party, Vercel breached via 3rd party OAuth abuse, Lovable exposure kerfuffle, 3 0-days found in MSFT Defender and security stocks rebound. And of course, there’s more marinating in the background (case in point: Cyera announces acq. of Ryft just as I was about to press ‘send’ 🙃).

Before we dive in, two plugs:

• If you’re a security operator in NYC, come hang out this upcoming Monday (Apr. 27th) at this live show I’m co-hosting with Intezer at the Nasdaq. Security leaders from Salesforce, Oscar Health, and many highly regarded folks you probably know. Truly a can’t miss event!

• I wrote a thing on the contents of and detection opportunities for OpenAI Enterprise Audit Logs. Read it here.

Cool. Now let's get into it!

TL;DR ✏️

• 🕳️ Mythos allegedly accessed via third-party vendor — Discord group reportedly combined contractor creds with URL patterns from the Mercor breach; story still developing

• 🧨 Vercel breached via Context.ai OAuth grant — Roblox cheat → Lumma Stealer → inherited “Allow All” token → prod env vars; campaign bigger than Context.ai alone

• 🧱 GitHub’s agentic workflows threat model — assume the agent is compromised; secretless execution, safe-outputs pipeline, damage-containment over prevention

• 🤝 Cyera acquires Ryft to extend its agentic AI data security play — Fourth acquisition for Cyera (now $9B val, $1.7B raised); deal size undisclosed

• 🎭 Lovable’s BOLA + disclosure meltdown — a few API calls → any user’s source code and DB creds; “fixed” only for projects created after Nov 2025

• 🪟 Three MSFT Defender 0-days, two still unpatched — BlueHammer (CVE-2026-33825) patched, RedSun and UnDefend live with public PoCs and in-the-wild exploitation

• 📡 Detection engineering for OpenAI Enterprise audit logs — Log set deep dive + 5 detection opportunities

• 📧 Sublime webinar: AI signals in email attacks — Alex Orleans and Luke Wescott on threat hunting with AI signals, signal stacking, and where they break; May 13

• 🏹 Artemis out of stealth with $70M — AI-native SIEM contender, Felicis-led, angels from Demisto and Abnormal founders

• 🧭 Spectrum exits stealth with $19M — AI-powered detection engineering layer on top of existing SIEMs, led by TechOperators and Skinos (Shlomo Kramer’s new fund)

• 💊 Capsule Security exits stealth with $7M — runtime trust layer for AI agents; disclosed ShareLeak (CVE-2026-21520) and PipeLeak alongside launch

Plus: Aikido ships Endpoint Protection for developer workstations, Microsoft publishes KQL for hunting DPRK IT workers in Workday and DocuSign, Cowbell launches a mid-market policy with affirmative AI and quantum coverage, and more 👇

⚒️ Picks of the Week ⚒️

Vercel breached via Context.ai x GWS OAuth grant

A Vercel employee connected Context.ai’s AI Office Suite to their enterprise Google Workspace and granted “Allow All” permissions. When Context.ai got popped (a Context.ai employee caught Lumma Stealer in February 2026 , reportedly from a Roblox cheat download of all things), the attacker inherited that OAuth grant and walked right into Vercel.

From there they escalated by sifting through environment variables not marked as “sensitive,” (😔) which were sitting in plaintext in the dashboard and API. Mandiant is engaged, and Vercel now defaults env vars to sensitive. No npm packages were tampered with, they say.

Also a ShinyHunters persona is shopping alleged internal data for $2M, but Google TAG’s Austin Larsen called the claimant “likely an imposter.”

No AI-powered Mythos nuke. Just 3rd party OAuth token grant abuse similar to what happened with Salesloft Drift. It’s exactly what Pat Opet, CISO @ JP Morgan, warned about almost exactly a year ago.

Update: Vercel disclosed on April 22 that it identified additional compromised accounts from independent prior compromises, and CEO Guillermo Rauch said the threat actor appears to be running a broader token-harvesting campaign beyond Context.ai. Context.ai has deprecated the AI Office Suite entirely.

HugOps to my friends on the Vercel security team.

Mythos allegedly leaked via third-party vendor, story still developing

Per TechCrunch, a group of Discord users claim to have gained unauthorized access to Anthropic’s Claude Mythos Preview on the same day it was announced, reportedly by combining compromised credentials from a third-party contractor with URL naming conventions reconstructed from a recent data breach at Mercor. Anthropic confirmed it’s investigating and said there’s no evidence its own systems were impacted or that activity extended beyond the vendor environment.

A ShinyHunters impersonator has since tried to take credit circulating AI-generated screenshots as proof, but security researcher Dominic Alvieri and others quickly called the claim out as fabricated.

Story is still developing, more to come as Anthropic’s investigation plays out, but if even part of this holds up it’s detrimental to the whole walled-off Project Glasswing model.

How Did We Miss This?

Every security leader has asked this at some point. Usually after an incident review, usually at 11pm, usually over cold pizza. And the answer is almost always the same: detection gaps nobody had time to map, rules nobody could write fast enough, and coverage that quietly broke weeks ago without firing a single alert. AI-powered attacks are just making that gap harder to ignore.

Spectrum is built for that exact problem. An AI-powered detection platform that maps your coverage, researches emerging threats, and writes custom, deployment-ready detections against your data, wherever it lives. The stuff your team would write if they had ten more hours in the day.

Fewer gaps, fewer blind spots, fewer “how did we miss this” moments.

Get a demo

GitHub’s security architecture for agentic workflows: assume the agent is compromised

GitHub published the threat model and architecture behind their Agentic Workflows, and it’s the most informative write-up I’ve seen on running agents in CI/CD pipeline. Shoutout to ByteByteGo for this one. Highly recommend reading if you’re using AI coding tools in an enterprise environement.

One core assumption they’ve made is that the agent will try to read and write state it shouldn’t, communicate over unintended channels, and abuse legitimate channels. In other words, the agent will misbehave.

Three-layer architecture (substrate, configuration, planning), with the agent running secretless: MCP auth tokens live in a separate gateway container, LLM tokens in an isolated proxy, all traffic through a dedicated firewall container. Every agent output goes through a deterministic “safe outputs” pipeline that checks operations against an allowlist, enforces quantity limits, and scans for leaked secrets before anything gets committed.

The “secrets are physically unreachable from the agent” pattern transfers well beyond GitHub and is a great example of “contain damage” vs. “stop breach” approach.

Detection engineering for OpenAI Enterprise audit logs

I dropped a new post on the Monad blog walking through the 5 detections worth shipping first against OpenAI’s enterprise audit log (51 event types, immutable once enabled). The starter pack: SCIM disabled, IP allowlist deactivated or broadened, role changes with permissions_added, api_call_logging reduced, and owner-level service account creation. Plus a bonus on external key (BYOK) tampering

Same playbook as the Claude Code OTel work we put out earlier this month. As AI platforms become control planes in your stack, their audit logs need to be treated more like cloud or identiy logs.

If you’re running enterprise ChatGPT, this blog should serve as a great starting point for understanding the log source + getting some coverage on high signal activity.

Cyera Acquires Ryft to Extend Its Agentic AI Security Platform

As I was getting ready to press ‘send’, I learned that Cyera announced its acquisition of Ryft, a secure data lake startup founded in 2024 and backed by Index Ventures and Bessemer Venture Partners. Deal terms were not disclosed. This is Cyera’s fourth acquisition in five years, following Trail Security ($162M, Oct 2024) and Otterize (June 2025).

The thesis as co-founder and CTO Tamar Bar-Ilan calls it “unified control plane” for agentic AI, fusing data discovery, classification, DLP, identity, and now AI-ready data lake infrastructure in one platform.

Cyera is valued at $9B per their last raise. Most companies stagnate around this point. Will be fun to see them continue cooking.

Lovable’s BOLA and how not to handle disclosure

A researcher (@weezerOSINT) showed that any free Lovable account could make a handful of API calls and walk away with another user’s source code, chat history, and database credentials.

Root cause: a textbook Broken Object Level Authorization (BOLA) flaw, OWASP API #1. The project endpoints verified the auth token but never checked if the user actually owned the resource. Reported through HackerOne on March 3rd and marked as a duplicate.

The worst part: Lovable shipped a fix in March, but only for projects created after November 2025. Every pre-existing project stayed wide open. New projects returned 403, legacy projects returned 200 OK with full data.

Then the PR arc: “did not suffer a data breach” → blame documentation → blame HackerOne → apologize for the apology. They also casually dropped that public project code visibility is “intentional behavior” and “by design.”

$6.6B valuation, nearly 8M users, enterprise customers including Uber, Klarna, Deutsche Telekom, and Zendesk, and the #1 item on the OWASP API Top 10 is sitting in production.

The wild part is the response: deny, gaslight, then blame HackerOne for closing a ticket your own triage team owns.

Spectrum exits stealth with $19M for AI-era detection engineering

SF-based Spectrum Security launched from stealth with $19M in seed funding led by TechOperators, with participation from WhiteRabbit Ventures, Skinos Ventures (the new fund from Shlomo Kramer and Yishay Yovel), and Alumni Ventures.

The platform sits on top of existing SIEMs, data lakes, and EDRs to automate detection authoring, continuously find coverage gaps, and maintain detection health as log schemas and infrastructure drift.

The team is stacked (Ex leadership at Siemplify, Opus Security, operators at Appian etc) are attacking the same problem most detection eng teams have, rules that quietly break when infrastructure shifts, coverage gaps nobody mapped, drift nobody noticed.

Backed by Nir Polak (Exabeam founder) and Kevin Skapinetz (TechOperators), this is a strong detection-engineering bet especially as the ground shifts from under us in the SecOps space.

Three Defender zero-days in the wild, two still unpatched

A researcher, Chaotic Eclipse, dropped three Defender Antivirus zero-days after beefing with Microsoft over disclosure: BlueHammer, RedSun, and UnDefend. BlueHammer and RedSun are local priv-esc; UnDefend is a DoS that kills Defender’s security definition updates. Only BlueHammer (CVE-2026-33825) is patched. The other two are still live with public PoCs on GitHub (yes, Microsoft-owned GitHub lol). Huntress reported BlueHammer exploitation starting April 10, with RedSun and UnDefend PoC activity kicking off April 16.

The disclosure drama is pretty wild. Per Chaotic Eclipse, MSRC required a video demonstration of the exploit before they’d triage the report, then dismissed the case when the researcher declined. Microsoft later said video demos are not a requirement for disclosure, which raises the obvious question of who told the researcher they were.

UnDefend is the sneakiest of the three because silently killing definition updates means the box looks healthy in your console while going blind in real time. A stark reminder that the software meant to secure your org could also be vulnerable. Also a reminder for software vendors to patch their shit when researchers surface findings. Don’t gaslight or brush it under the rug as it may very likely come back to bite and cost more than the initial fix would’ve cost.

🔮 The Future of Security 🔮

AI Security

Capsule Security Exits Stealth With $7M to Secure AI Agents at Runtime

Capsule Security, founded by Naor Paz (ex-F5, Unit 8200) and Lidan Hazout (ex-Transmit Security), exited stealth with $7M in seed funding led by Lama Partners and Forgepoint Capital International.

The platform sits in the agent execution path and blocks unsafe tool calls, manipulation, and data exfiltration at runtime, with support for Cursor, Claude Code, Copilot Studio, ServiceNow, and Salesforce Agentforce. Alongside the launch, Capsule disclosed two agent-platform vulnerabilities, ShareLeak in Copilot Studio (now tracked as CVE-2026-21520 and patched) and PipeLeak in Salesforce Agentforce.

More AI Security News:

• How Zscaler and OpenAI turn zero-trust security into an AI accelerator

Endpoint Security

Aikido Launches Endpoint Protection for Developer Devices

Aikido launched Endpoint, a lightweight agent for dev workstations that inspects packages, IDE extensions, browser extensions, MCP servers, and AI tools before installation. Built on their open source Safe Chain project.

Notable default: any package published less than 48 hours ago gets held back in favor of the most recent version that clears the age policy, killing the highest-risk window right after a compromised version ships.

Dev laptops are the softest spot in most orgs. Devs have local admin, install whatever they want, run MCPs calling APIs with prod creds, and hit npm/PyPI a hundred times a day. Most traditional EDR doesn’t understand any of that telemetry. The 48-hour age policy is the kind of simple heuristic that would have blocked a big chunk of recent supply chain attacks (Axios staged its dropper less than 24 hours before the compromised versions pulled it in, per Aikido’s own writeup). The endpoint space is getting crowded, but the developer-first and SMB-friendly approach is a true differentiator.

Insurance

Cowbell Debuts Prime One Cyber Insurance with AI and Quantum Risk Cover

Cowbell Cyber launched Prime One, a cyber insurance product targeting mid-market companies ($250M-$1B revenue) with up to $10 million in coverage limits.

The policy includes affirmative coverage for AI-related incidents and quantum computing risks, positioning itself ahead of the post-quantum cryptography curve. 4D PR play, imo.

SaaS Security

Microsoft drops detection strategies for North Korean IT worker

MSFT published KQL and detection logic for Jasper Sleet, the DPRK-aligned actor posing as legit hires with AI-assisted fake personas. Ready-to-ship queries for Workday, Teams, Zoom, Webex, and DocuSign in the post.

Probably the biggest novel piece from it all is that they’re recommending to hunt the pre-recruitment phase. They’ve observed Jasper Sleet hitting Workday’s /hrrecruiting/* API endpoints from known actor infrastructure in a consistent, repeating pattern across multiple external accounts , which looks different from a normal applicant.

The fact that you need to detect DPRK operatives inside your HRIS in 2026 is wild but here we are. What’s cool about this post is that it shifts the detection surface left of the endpoint entirely. Your SaaS audit logs (Workday, DocuSign, Zoom) are threat hunting surfaces now, not just compliance logs. If you’re not piping HR platform telemetry, that could be a big gap.

Security Operations

Artemis emerges from stealth with $70M to fight AI-powered attacks with AI

Artemis came out of stealth last week with $70M in combined seed and Series A funding, just six months after founding. Series A led by Felicis with First Round and Brightmind returning, plus angels from the founders of Demisto and Abnormal AI, the former Splunk CEO/CTO, and execs from CrowdStrike, Palo Alto, Microsoft, and Okta. Nice cap table.

The pitch is a data model built from each customer’s telemetry, fusing log data with business context to generate tuned detections, investigate alerts, and surface correlated attack stories. Early customers include Mercury, Wix, Lemonade, and Abnormal AI.

There have been quite a few SIEM contenders that have come out of stealth in the past year. Each has a slightly differentiated approach. I like Artemis’ pitch because it’s adaptive and built off of the reality of a customer’s environment as opposed to handing off great software to customers and expecting them to realize the full value of it.

My main question is can they get in front of the CrowdStrikes, Palos, and Splunks of the world who are all striving toward the same narrative with way more distribution? In any case, great funding, founding team and backing. SecOps space is a fun one!

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

Level Up: Security Under Pressure Challenge

Join Abnormal’s 5-game cybersecurity challenge inspired by real behavioral attack signals. Step into fast-paced, human-layer scenarios where instinct and speed decide the outcome.

Win prizes after every game—and complete all 5 games to automatically earn an entry into the Grand Prize Draw for a chance to win two tickets to the FIFA World Cup 2026*! (*Subject to Terms & Conditions)

Start the challenge

Howdy 👋 - Hope you’re having a great week wherever you’re tuning in from!

I’m just getting back from some much needed time off in Costa Rica. Apparently something called Mythos happened and it nuked the security industry so we can all retire and start a new life now? Does this also mean DEF CON is canceled?

Just kidding but it does beg the question of “what comes next”? I cover that in the first story of the week. Before we get into that though, a few announcements:

• Abnormal AI is hosting a security challenge that if completed, enters you for a chance to win 2 tickets to the FIFA WORLD CUP! 🤯

• Claude Code Detection Opportunities blog my Monad teammates cooked up🔥

• Monad recently crossed 300+ integrations. Depth + width. Massive milestone.

• April 27th at the Nasdaq in NYC w/ Intezer for the AI SOC Live Show. Lining up to be a special event. Request an invite here!

Cool. Now, onto this week’s news!

TL;DR ✏️

• 🧬 Anthropic’s Claude Mythos + Project Glasswing — thousands of ‘zero-days’ across every major OS and browser; 50 orgs get restricted access, $100M in credits, and a whole lot of industry debate

• 🧙🏼‍♂️ OpenAI Fires Back With GPT-5.4-Cyber — fine-tuned defensive model with binary RE capabilities and lowered refusal guardrails, gated through expanded Trusted Access for Cyber program

• 🐙 OX Security Exposes Systemic MCP Protocol Flaw — architectural RCE across all 10 language SDKs, 200K+ exposed servers, 10+ CVEs; Anthropic calls it “by design”

• 📄 CSA/SANS Ship Emergency Mythos Strategy Briefing — 30-page playbook from 60+ contributors including Easterly, Gadi Evron, Rob Joyce and more

• 🛑 HackerOne Pauses Internet Bug Bounty Program — AI-driven discovery overwhelms open source maintainers; remediation is now the bottleneck and bounties don’t fund it

Plus: Mallory exits stealth with AI-native threat intel, Cisco nearing $250M+ Astrix acquisition, Wiz launches shadow data detection, GitHub publishes 2026 Actions security roadmap, Block details agentic code review architecture, Cloudflare expands Agent Cloud, and a whole lot more👇

⚒️ Picks of the Week ⚒️

Catching up on Anthropic’s Claude Mythos, OpenAI’s GPT-5.4-Cyber, and is DEF CON canceled?

If you were away last week like me, then you may have missed the internet and cyber stocks melting down due to some Anthropic news. While I hate beating a dead horse, I think this is a baby horse who’s just getting started so I’ll bring you up to speed a bit with continued coverage as this all evolves.

Anthropic launched private access to Claude Mythos Preview, an unreleased frontier model it says can find and exploit software vulnerabilities better than all but the most elite human researchers. Rather than release it publicly, Anthropic launched Project Glasswing, giving restricted access to roughly 50 organizations, backed by $100M in usage credits. As you read through what comes next, take it with a grain of salt. Anthropic is a for-profit company.

Mythos TLDR:

• Launch partners include AWS, Apple, Microsoft, Google, CrowdStrike, Palo Alto Networks, JPMorganChase, NVIDIA, and the Linux Foundation

• Autonomously discovered thousands of zero-days across every major OS and browser

• Found a 27-year-old OpenBSD vuln and a 17-year-old FreeBSD RCE

• Anthropic says it has no plans to release Mythos Preview publicly

OpenAI’s response: GPT-5.4-Cyber

Yesterday (a week later), OpenAI dropped GPT-5.4-Cyber, a fine-tuned variant built for defensive security work.

• Fine-tuned with lowered refusal guardrails for legit security tasks

• Adds binary reverse engineering capabilities not in standard GPT-5.4

• Access gated through their expanded Trusted Access for Cyber (TAC) program with tiered identity verification

• Codex Security has contributed to fixes for over 3,000 critical and high-severity vulns since broader launch

Industry response:

• CSA, SANS, OWASP, and [un]prompted assembled a 30-page emergency strategy briefing over a single weekend with 60+ contributors including Gadi Evron, Jen Easterly, Bruce Schneier, Chris Inglis, and Rob Joyce

• Paper introduces the concept of a “Mythos-ready” security program and frames VulnOps as a permanent organizational function

• Core recs: reinforce segmentation, egress filtering, phishing-resistant MFA, right-size IAM, tabletop exercises for multiple simultaneous critical-severity incidents

• According to the Zero Day Clock, mean time from disclosure to exploitation has fallen to under 1 day in 2026, down from 2.3 years in 2019

What I think

There’s a fair bit of pessimistic skepticism across the industry on these matters. How much of this is a PR play in the attention economy we’re living in vs. true cause for going haywire on making your security program “Mythos-ready”?

The answer to me is somewhere in the middle leaning towards the latter and yes, security programs should have been focusing on supply chain security and RemediationOps for the past few decades. AI has just lit a fire under these initiatives but the fundamentals still remain the same. Reduce attack surface, right-size IAM permissions, harden, strong ACLs, layered defenses esp. for crown jewels, detect, respond etc etc. AI has made achieving all of this 5x harder but it’s still all mostly the same activities we used to do 10 years ago. In that sense, I get why some folks are calling this nothing burger.

However, security programs thrive on being paranoid aka being prepared. It’s healthy to see the industry rally around initiatives like the CSA report. Attackers esp. nation-states that are carrying out attacks on critical infra and Fortune 500s+, have access to capabilities some of us couldn’t even imagine. The window of exploitation from when a vuln is disclosed or when a software pkg is compromised has shrunk tremendously and AI is the main culprit.

There’s a lot of shit on fire in our industry right now. TeamPCP, Scattered Spider, Lap$us and many nation-states are wreaking havoc across the board. If there’s ever been a time to come together as an industry, it’s now.

Dig Deeper:

• Anthropic: Project Glasswing

• OpenAI: Trusted Access for the Next Era of Cyber Defense

• CSA/SANS: “The AI Vulnerability Storm” Briefing

Don't just fix security breaches. Prevent them.

Security breaches are rising, and a detection-first model creates an added burden as teams manually remediate errors that should have been prevented. CNAPP platforms provide you visibility to what’s misconfigured, but they need a partner to prevent problems upfront.

Turbot pairs with your CNAPP to introduce a prevention-first model that blocks errors in build, at the cloud APl, and auto-remediates in runtime. Use PSPM (Preventive Security Posture Management) to cut your alerts in half.

Learn more

OX Security Documents Systemic RCE Risk in Anthropic’s MCP Protocol Design

OX Security published a 30-page research report detailing a class of command execution vulnerabilities rooted in how Anthropic’s Model Context Protocol handles STDIO transport.

The core finding: MCP’s process execution logic accepts user-supplied commands and passes them directly to the OS with no input sanitization. Even when a malicious command fails to initialize a valid MCP server, the command still executes. The flaw is present across all 10 supported language SDKs (Python, TypeScript, Java, Kotlin, C#, Go, Ruby, Swift, PHP, Rust) and produced 30+ responsible disclosures and over 10 CVEs rated Critical or High.

The most severe findings involve publicly deployed instances. LangFlow (owned by IBM) had 915 publicly accessible servers on Shodan exposing unauthenticated RCE via STDIO MCP config, no login required. OX achieved authenticated RCE on Letta AI production servers via transport-type substitution. These are real, exploitable attack paths. OX also uploaded a proof-of-concept malicious MCP server to 9 of 11 MCP marketplaces without challenge, the same class of supply chain risk as malicious npm/PyPI packages, now applied to MCP.

Anthropic did not fix the vulns and stated: “This is an explicit part of how stdio MCP servers work and we believe that this design does represent a secure default.” LangChain and FastMCP echoed the same stance. OX’s counter: protocol maintainers should take responsibility for secure defaults rather than pushing input sanitization onto every downstream implementer.

While these findings aren’t a fire drill, I think it highlights what we’ve been hammering for a while. MCP and agents are overprivileged by default and even frontier model labs are susceptible to design and code flaws. Great findings and stellar report by the OX team.

What Happens in the Browser Doesn't Stay in the Browser

The reality is that most people are pasting sensitive data into ChatGPT/Claude, clicking phishing links mid-workflow, and running browser extensions nobody's ever vetted.

All of that happens in the browser, and most security tooling isn't even looking there. Keep Aware is a great tool I recently came across that sits at the browser layer, giving you visibility into GenAI usage, native DLP controls, and real-time phishing prevention at the point of click. If you're not watching the browser yet, you're missing the biggest attack surface employees use every day.

Prevent Browser Threats in Real Time

AI-Led Remediation Crisis Prompts HackerOne to Pause Bug Bounties

HackerOne suspended new submissions to its Internet Bug Bounty program as of March 27 because AI-assisted discovery is flooding open source maintainers with more vulns than they can actually remediate. The whole bug bounty model was built for a world where finding bugs was the hard part, but AI flipped that completely. Now remediation is the bottleneck and bounties don’t fund it. This is a big signal that the economics of crowdsourced vuln research are breaking under AI pressure and the industry needs to start funding the fix, not just the find. Crowdsourced RemediationOps anyone? Lol… Security demand has only grown due to AI imo.

How Block Builds In-House Code Review with Agents

Block’s engineering team built AI “protector” agents (their tool Builderbot) that act as always-on code review guardians. They use standardized CLI contracts via Just, nested AGENTS.md files, and Amp’s Code Review Checks pattern to feed agents hyperlocal module-level context while keeping everything aligned to a global architectural “world model.” Yet another data point on build v. buy in security!

Mallory Exits Stealth With AI-Native Threat Intel🔥

Mallory, founded by Jonathan Cran (Intrigue founder (acq. By Mandiant), is now GA and out of stealth. Mallory is an AI-native threat intelligence platform that monitors thousands of threat sources and contextualizes them against an organization’s actual attack surface.

It’s the next gear for threat intel as it produces prioritized, evidence-based cases mapped to what’s exploitable within your environment, covering hunt, detection, and exposure management. The platform ships with native support for Claude Code, MCP, and API integrations. Mallory announced a seed round led by Decibel Partners with participation from Live Oak Venture Partners and angels from Google, Robinhood, Cisco, Fastly, and GreyNoise. No funding amount disclosed

Kudos to JCran! One of the nicest and smartest guys in the security industry. Check out this video/live demo with him and MattJay from VulnU!

🎙️Inside the Network with Christina Cacioppo, Vanta CEO

The Inside the Network crew (Sid Trivedi, Ross Haleliuk, Mahendra Ramsinghani) sat down with Vanta co-founder and CEO Christina Cacioppo for a conversation on her journey and building Vanta into a $4B+ valuation company.

To me, Christina is top 5 founders in the security (+adjacent space). Down to earth, brilliant, and relentless so this pod was a treat.

Worth a listen for anyone building a security company. Also kudos to the ITN crew. One of the best and most consistent pods in security right now.

🔮 The Future of Security 🔮

AI Security

Cloudflare Expands Agent Cloud With Sandboxed Runtimes and Persistent Compute

Cloudflare expanded its Agent Cloud platform with infrastructure designed to move AI agents from local demos to production workloads.

Key releases include Dynamic Workers, an isolate-based runtime that executes AI-generated code in sandboxed environments at 100x the speed and a fraction of the cost of containers; Artifacts, a Git-compatible storage layer supporting tens of millions of repositories for agent-managed code; and Sandboxes, which give agents access to persistent Linux environments with shell, filesystem, and background processes.

More AI Security News:

• Manifest platform from Manifold targets AI agent supply chain security gaps

Application Security

GitHub Publishes 2026 Actions Security Roadmap After Supply Chain Attacks Multiply

GitHub laid out its 2026 Actions security roadmap in response to a wave of supply chain attacks targeting CI/CD automation, including incidents hitting tj-actions/changed-files, Nx, and trivy-action.

The roadmap introduces workflow-level dependency locking (think go.mod for Actions), policy-driven execution controls via rulesets that restrict who can trigger workflows and which events are allowed, scoped secrets that bind credentials to specific execution contexts, and a native Layer 7 egress firewall for hosted runners. Most capabilities are targeting public preview within 3-6 months.

Long overdue: write access to a repo will no longer grant secret management permissions.

Cloud Security

Intruder Brings Agentless Container Image Scanning to Midmarket Teams

Intruder added container image scanning to its cloud security platform, integrating directly with AWS ECR, Google Cloud Artifact Registry, and Azure Container Registry to scan images daily without deploying agents.

Data Security

Wiz Targets Stale and Redundant Cloud Data With New DSPM Module

Wiz released Shadow Data Detection as part of its DSPM platform, designed to identify stale, duplicated, and over-retained data across cloud storage. The feature analyzes cloud provider inventory reports to flag redundant objects, excessive versioning, and orphaned data, then surfaces estimated cost savings and exposure reduction in a centralized dashboard. Across early customer environments, Wiz identified over 1 exabyte of data in storage buckets, with a significant portion classified as redundant.

Identity and Access Management

Cisco Reportedly Nearing $250M+ Deal for AI Agent Security Startup Astrix

Cisco is reportedly in talks to acquire Astrix Security for between $250M and $350M, roughly 3x the startup’s total funding to date. Astrix discovers AI agents, MCP servers, and non-human identities across enterprise environments, then scans for misconfigurations like overprivileged service accounts or publicly exposed agent endpoints. The platform includes JIT access controls that auto-expire agent credentials. This would be Cisco’s second AI security acquisition in a week, following the Galileo Technologies deal for its hallucination firewall, and signals Cisco is all in on AI security and observability.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

A Practical Approach to Securing AI

If your organization is building or using AI, you understand how critical data exposure risk is becoming. Varonis Atlas was built to solve that - giving teams insight into all AI usage (including shadow AI), the ability to fix risky exposures, enforce runtime guardrails, and manage governance all in one platform.

Watch the demo

Howdy 👋 - From RSAC to the TeamPCP software supply chain havoc, the past few weeks have been wild. I think this meme perfectly depicts what most of the industry is going through:

This post covers the biggest announcements and news from the past two weeks. But if you're looking for my unfiltered, practitioner-level takeaways from my time at RSAC this year, I dropped a deeper breakdown earlier this week:

TL;DR 🗞️

• 🔗 TeamPCP’s Cascading Supply Chain Attack — Trivy to LiteLLM to Axios to Mercor: one incomplete credential rotation turned into a 5-ecosystem, 8-day rampage

• 🤖 OpenAI Codex + GCP Vertex AI Vulns Disclosed — BeyondTrust and Unit 42 pop AI coding agents on basic AppSec failures while RSAC sells agent security

• 💰 XBOW Hits Unicorn at $120M Series C — GitHub Copilot creator’s autonomous pentesting platform reached #1 on HackerOne, first machine to outperform all human hackers

• 🆔 Oasis Security Raises $120M for Non-Human Identity — Craft Ventures led, Sequoia and Accel in; $195M total to build the access management layer for AI agents and machine identities

• 🛡️ Tenex Raises $250M Series B — One year old, agentic MDR that analyzes all telemetry within 60 seconds of ingestion

• 🏆 Geordie AI Wins RSAC Innovation Sandbox — Agent remediation via context engineering beats offensive security and code-level tooling for the crown

• 🇮🇷 FBI Confirms Hack of Director Patel’s Personal Email — Iranian-linked Handala group publishes ~300 emails from the FBI Director’s Gmail account

Plus: Delve’s fake compliance saga, a breathalyzer cyberattack stranding drivers, $160M+ in autonomous offensive security funding, 12 AI x Security product launches, and a whole lot more below 👇

Fair warning: this week’s issue is massive. Absurd amount of news across every domain, so I leaned on AI heavily to help me process, structure, and draft this one. Every take, every editorial call, and every fact-check is still me. But there’s no way I’m turning around a recap this comprehensive on my own, in a week, without it.

⚒️ Picks of the Week ⚒️

The Security Tool That Became the Weapon: Inside TeamPCP’s Supply Chain Campaign

The software supply chain didn’t just crack this month. It detonated.

TeamPCP executed a cascading campaign between March 19-27 that deliberately targeted the tools security teams trust most, chaining each compromise into the next across five ecosystems in eight days.

It started with Aqua Security’s Trivy, one of the most widely deployed open-source vulnerability scanners. TeamPCP used credentials retained from an incomplete February remediation to force-push malicious code to 75 of 76 trivy-action tags and publish poisoned binaries to GitHub Releases, Docker Hub, GHCR, and ECR. Tracked as CVE-2026-33634 (CVSS 9.4). It took five days to fully evict the attackers. Three days into remediation, they published additional malicious Docker images, proving access still hadn’t been severed.

From there, stolen credentials cascaded outward: a self-propagating npm worm (CanisterWorm) hit 64+ packages using blockchain-based C2 that can’t be taken down conventionally. Then Checkmarx KICS and AST GitHub Actions fell. Then LiteLLM, the open-source proxy routing API calls to 100+ LLM providers (95M monthly PyPI downloads). The poisoned versions used a .pth file that fires on Python interpreter startup without being imported or called. Three hours on PyPI at 3.4M daily downloads. Then Telnyx. Then the Axios npm package in a separate North Korean operation.

The downstream carnage hit Mercor, a $10 billion AI startup training models for OpenAI, Anthropic, and DeepMind. Reports indicate developers gave production credentials to an AI coding assistant running with unrestricted permissions. The compromised LiteLLM package came in through that pipeline. Lapsus is now auctioning 4TB: source code, database records, and 3TB of video interviews with face scans and KYC documents used for identity verification. Biometrics cannot be reset.

This is the story of the year. TeamPCP figured out that the open-source security tooling ecosystem is connected by credential chains, and if you pull on one thread, everything unravels. The most diligent organizations, the ones scanning every build, had the greatest exposure. The campaign started with a security scanner. Practical takeaways: pin to commit SHAs, not tags (71% of orgs still don’t, per Datadog). Treat every credential rotation as atomic or assume it’s incomplete. Audit your AI coding assistants’ permission scopes like you would a production service account. And know your transitive dependency tree, because the attackers already do.

Dig Deeper:Wiz | Datadog Security Labs | SANS | Endor Labs

Crush Insider Threats: Agent-to-Agent Security with Reco & Torq

Insider threats are evolving. Your defenses should too.

Agent sprawl, shadow AI, and disconnected tools leave your team chasing vague signals. Join Reco & Torq on April 15 to see how AI agents investigate insider threats in seconds, combining behavioral context with cross-stack signal orchestration to turn suspicious logins into confident verdicts automatically, with fewer false positives and faster MTTR.

Register now

AI Coding Agents Are Getting Popped on Fundamentals

BeyondTrust Phantom Labs disclosed a critical command injection in OpenAI Codex that allowed theft of GitHub OAuth tokens via an unsanitized Git branch name. Codex passes branch names directly to the shell without validation. A malicious branch name (hidden behind 94 ideographic Unicode spaces and || true) could execute arbitrary commands inside the container, extracting the plaintext token that grants read/write access to the victim’s entire codebase. Set the poisoned branch as default, and every Codex user on that repo gets compromised. OpenAI classified it P1, patched February 5, 2026.

Separately, Palo Alto Networks Unit 42 showed how AI agents on Google Cloud’s Vertex AI could be weaponized into “double agents” by exploiting overly broad default service agent permissions (P4SA). Researchers extracted credentials from a deployed agent and pivoted to unrestricted read access across Cloud Storage buckets, restricted Google-owned Artifact Registry repos, and internal Dockerfiles. Google updated its docs and now recommends Bring Your Own Service Account (BYOSA).

Branch name injection. Default OAuth scopes covering Google Workspace. Basic AppSec hygiene failures in a new context, while RSAC was wall-to-wall “agent security” product launches.

Dig Deeper: BeyondTrust Phantom Labs writeup | Unit 42 Double Agents research | SecurityWeek coverage

Geordie AI Wins RSAC Innovation Sandbox

Geordie AI took home the Innovation Sandbox title at RSAC 2026, beating out nine other finalists (each received $5M in investment). The company launched Beam, an AI agent remediation suite built on context engineering that continuously assesses risk and feeds mitigation back to agents in real time. Think guardrails that adapt to what the agent is actually doing rather than what you hoped it would do. Founded by Henry Comfort (ex-Darktrace COO Americas) and Benji Weber (ex-Snyk), the team went from buying laptops a year ago to winning the industry’s most prestigious startup competition.

Innovation Sandbox winners always signal where the industry’s head is at. Agent remediation winning over offensive security and code-level tooling tells you where buyer anxiety is right now. “Context engineering” is a term we’ll be hearing a lot more of. Whether Geordie can scale beyond the hype is the question, but the thesis is solid.

Cyberattack on Breathalyzer Company Leaves Drivers Stranded Across the US

Intoxalock, a company that makes court-mandated vehicle breathalyzer ignition interlock devices, confirmed a cyberattack on March 14 that knocked its systems offline and left drivers across the country unable to start their cars. The devices require periodic calibration, and the outage prevented calibration resets, effectively bricking vehicles for users who are legally required to have the devices installed.

Cyber-physical impact on vulnerable populations. People under court order who literally cannot drive to work, medical appointments, or childcare because a vendor got popped. If your device can be remotely bricked by a backend outage, your architecture is a liability.

Delve Whistleblower Doubles Down With Alleged Receipts on ‘Fake Compliance’

The Delve saga escalated again. Hours after CEO Karun Kaushik published a lengthy denial on X, anonymous whistleblower “DeepDelver” fired back with what they claim is video evidence and Slack messages backing up allegations that the Y Combinator-backed compliance automation startup ($32M Series A, valued at ~$300M) fabricated compliance data for customers. The original leak reportedly included 493 draft audit reports with 99.8% identical boilerplate text.

If even a fraction of these allegations hold up, this is a body blow to the automated compliance space. If a well-funded, YC-backed player was allegedly generating rubber-stamp audits, every CISO relying on automated compliance platforms is going to start asking harder questions about what’s actually behind the curtain.

FBI Confirms Hack of Director Patel’s Personal Email

Iranian-linked hacking group Handala claimed responsibility for breaching FBI Director Kash Patel’s personal Gmail account, publishing roughly 300 older emails along with photos and documents. The FBI confirmed the breach but stated the materials were “historical in nature” and contained no government information. The hack came shortly after the FBI seized Handala’s domains and announced a $10M reward for information on the group’s members, following their claimed attack on medical tech company Stryker.

“No government information” is doing a lot of heavy lifting in that statement. Personal email of the FBI Director is still useful for social engineering, relationship mapping, and reputational targeting. Another data point in the escalating US-Iran cyber conflict. If the FBI Director’s Gmail gets popped, your executives’ personal accounts are absolutely in scope for your threat model.

🔮 The Future of Security 🔮

AI x Security

RSAC 2026 had one message: agentic AI is in production and everyone wants to sell you the guardrails. The conference floor was wall-to-wall “agent security” launches. At least a dozen vendors shipped products targeting the same core problem: autonomous agents now have access to credentials, source code, production infrastructure, and elevated permissions, and nobody has a consistent way to discover what’s running, govern what it’s allowed to do, or enforce policy at runtime.

The market has split into three lanes: discovery (find your shadow agents), governance (write and enforce policy), and runtime enforcement (stop bad behavior in real time). MCP server security emerged as the new checkbox everyone is racing to claim.

The Big Announcements:

• NVIDIA launched OpenShell and NemoClaw, an open-source runtime that puts out-of-process policy enforcement between autonomous agents (“claws”) and your infrastructure: sandboxing, permission verification, and a privacy router that keeps sensitive context on local models

• CrowdStrike unveiled Charlotte AI AgentWorks, a no-code agent development platform with launch partners including Anthropic, OpenAI, NVIDIA, AWS, Salesforce, and Accenture

• Palo Alto Networks shipped Prisma AIRS 3.0, covering the full agentic lifecycle from discovery to runtime with an AI Agent Gateway and agentic endpoint security (via the pending Koi acquisition)

• Wiz (now Google Cloud) introduced AI-APP, an AI Application Protection Platform treating AI as an interconnected system across models, agents, and data, plus a Red Agent for AI-powered offensive testing

• Snyk launched Agent Security and brought Evo AI-SPM to GA, using automated agents to build a live AI Bill of Materials and enforce governance across the coding agent lifecycle

• Sysdig released runtime security for AI coding agents, detecting credential exposure, reverse shells, binary tampering, and unauthorized file access across tools like Claude Code, Codex, and Gemini

• Rubrik unveiled SAGE (Semantic AI Governance Engine), using a custom SLM to interpret natural-language policies and enforce them in real time

• Astrix expanded into full AI agent discovery and enforcement via its Agent Control Plane

• Nudge Security extended its platform to AI agent discovery alongside its existing SaaS security

• Apiiro launched AI Threat Modeling within Guardian Agent, generating architecture-aware threat models from tickets and design specs before code exists

• Straiker launched Discover AI and expanded Defend AI, with 12,000+ MCP vulnerability databases and runtime tracing across coding agents, productivity tools, and custom agent platforms

• F5 and Forcepoint partnered to secure enterprise AI data from creation through runtime operations

Application Security

AI is writing code faster than humans can review it. The industry is splitting into two camps. One is better detection: combining AI reasoning with deterministic analysis to catch logic flaws that traditional SAST misses entirely. The other is runtime protection: watching what code actually does in production, because signatures can’t keep up when time-to-exploit approaches zero.

• Semgrep launched Multimodal, pairing its rule-based engine with LLM reasoning to catch business logic flaws like IDORs and auth bypasses. Already finding zero-days at customer deployments. Custom Workflows (Python-based automated pipelines for detection, triage, and remediation) are in private beta.

• Raven raised $20M (Norwest led, with SentinelOne participating) for CVE-less runtime behavioral security. The platform maps execution chains inside running applications and generates behavioral fingerprints to detect malicious deviations in real time, even without known vulns. Three U.S. patents filed.

• Qodo raised $70M Series B (Qumra Capital led, $120M total) for AI-powered code verification. The bet: as tools like OpenClaw and Claude Code generate billions of lines of code monthly, verifying that software works as intended is the bottleneck.

Cloud Security

One announcement worth calling out: CrowdStrike shipped adversary-informed cloud risk prioritization in Falcon Cloud Security. CrowdStrike’s answer connects live application behavior to active adversary tradecraft in a single model. Three new capabilities: Application Explorer (runtime view of how app behavior shapes cloud risk), Timeline Explorer (chronological root-cause analysis of config and app changes), and a Cloud Risk Engine that maps exposures to real adversary TTPs.

Email Security

Sublime Security shipped ADÉ (Autonomous Detection Engineer) to GA. ADÉ is an AI agent that turns novel email attacks into new detections autonomously, going from reported threat to accepted detection in hours instead of weeks. The agent can run end-to-end without analyst intervention: picking up a newly reported threat, generating detection logic, and accepting high-confidence coverage. For teams drowning in phishing variants, this is detection engineering on autopilot.

Exposure Management

Censys raised $70M ($40M Series D from Morgan Stanley Expansion Capital + $30M debt; $149M total). Building AI-driven solutions on top of its continuously updated global map of internet infrastructure.

Onit Security emerged from stealth with $11M seed (Hetz Ventures and Brightmind Partners led). Founded after an Iranian state-sponsored attack exploited a known vuln buried in co-founder Ofer Amitai’s previous company’s backlog. Onit’s agentic platform automates the full exposure lifecycle: AI agents prioritize by business context rather than CVSS, auto-identify asset ownership, and execute fixes. Founding team has three prior acquisitions: SCADAfence (Honeywell), Portnox, and For-Each (Autodesk).

Identity and Access Management

Identity was RSAC’s quiet blockbuster. BeyondTrust data showed a 466.7% increase in enterprise AI agents over the past year, most deployed through low-code platforms with privileges that rival human admins. Non-human identity management and agentic access governance emerged as the hottest sub-categories, with massive funding and product launches all converging on the same problem.

• Oasis Security raised $120M Series B (Craft Ventures led; Sequoia, Accel, Cyberstarts participated; $195M total). Shipped Agentic Access Management (AAM): intent-based, just-in-time access for AI agents and machines that evaluates what a system is trying to do before granting permissions.

• ConductorOne launched AI Access Management, a unified control plane for governing AI tools, agents, and MCP connections. 3,000+ hosted MCP servers let any API-connected app be governed out of the box, with fine-grained tool call authorization and credential vaulting. AI agents are treated as first-class identities.

• BeyondTrust expanded its Pathfinder Platform to secure AI agent “coworkers” alongside human and machine identities under a single privilege model. Phantom Labs research found most enterprises run shadow AI agents with privileged access that security can’t see. Endpoint Privilege Management now enforces least privilege for AI clients (Claude, ChatGPT) on endpoints.

IoT/OT Security

Eclypsium raised $25M in strategic funding (PEAK6 Strategic Capital led, $110M total). Secures firmware, software, and hardware across enterprise device fleets. The new capital is earmarked for expanding into AI infrastructure: NVIDIA GPU servers in AI datacenters, Bluefield DPU-based appliances, CCTV cameras, 5G networking gear, and SASE/SD-WAN edge appliances.

Offensive Security

Autonomous offensive security had the biggest funding week of any sub-category at RSAC. $160M+ hit this space, and AWS made it a first-party service.

• XBOW raised $120M Series C (DFJ Growth and Northzone led, $237M total, valuation $1B+). Founded by GitHub Copilot creator Oege de Moor, XBOW’s autonomous platform reached #1 on the HackerOne leaderboard, the first time a machine outperformed all human hackers on the platform. Sequoia, Altimeter, and Alkeon also in the cap table.

• RunSybil raised $40M (Khosla Ventures led, with Anthropic’s Anthology Fund participating). Co-founded by OpenAI’s first security researcher and Meta’s former offensive security red team lead. Black-box AI agents conduct continuous pentesting without source code access, chaining vulns like human attackers. Customers include Cursor and Notion.

• AWS Security Agent hit GA for on-demand penetration testing across six regions. Autonomous pentesting at $50/task-hour (avg. test ~$1,200), supporting multicloud (AWS, Azure, GCP, on-prem).

Security Operations

Last year’s RSAC was “we’re building an agentic SOC.” This year’s was “here’s the receipt.” The difference is that vendors are now shipping GA products, acquiring purpose-built startups, and embedding multi-agent architectures into existing platforms. Whether any of it actually works at scale in production is still TBD, and Gartner publishing an evaluation framework for AI SOC agents suggests the analyst community shares that skepticism. But the investment thesis is clear: SOC teams can’t hire their way out of alert volume, and AI agents are the bet.

The Big Announcements:

• Tenex raised $250M Series B (Crosspoint Capital led) just a year after launch. Agentic MDR that ingests and analyzes all available telemetry within a minute. AI triages, investigates, and documents; humans make final calls.

• Rapid7 acquired Kenzo Security to bring multi-agent AI into its Command Platform. Kenzo’s entity-centric data mesh unifies endpoint, identity, cloud, and SaaS data to power autonomous alert investigations. The play: move Rapid7’s MDR from AI-assisted to AI-driven.

• Databricks entered the security market with Lakewatch, an open agentic SIEM built on its lakehouse architecture. The pitch: decouple compute from storage, retain all your telemetry in open formats, and deploy AI agents for detection and triage where the data already lives. Acquired SiftD.ai (founded by the creator of Splunk’s SPL) and Antimatter to bolster the stack. Anthropic’s Claude models power parts of the platform, and Anthropic itself uses Databricks for its own security lakehouse. Adobe and Dropbox are early customers. In private preview.

• Accenture and Anthropic partnered to scale AI-driven cybersecurity operations, combining Accenture’s managed security services with Anthropic’s Claude models.

• Wiz shipped the Blue Agent to GA, joining its Red and Green Agents to power agentic workflows across AI environments.

• Datadog launched Bits AI Security Analyst for Cloud SIEM (GA globally). Autonomously investigates alerts using unified security and observability data.

• Torq released Agentic Builder, turning natural language descriptions of security goals into production-grade AI agents and workflows.

• Dropzone AI launched AI Threat Hunter, an autonomous agent for continuous proactive threat hunting.

• Geordie AI introduced Beam, the first AI agent remediation suite using context engineering. Geordie also won the RSAC Innovation Sandbox (each finalist received $5M).

• Manifold raised $8M seed (Costanoa Ventures led) for its AI Detection and Response (AIDR) platform. Built by the creators of LLM Guard, Manifold monitors agent behavior at runtime on endpoints, mapping connections to MCP servers and external systems. Agentless, deploys in days.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

Introducing the AI Security Platform Built on Data Security

AI adoption is exploding. But most security tools still can’t see what data AI is touching.

Varonis Atlas is designed to secure AI across the entire AI lifecycle, with data context built in. From visibility to runtime protection to governance, Atlas can secure everything you build and run with AI in one platform.

See it in action here

Though I’m still recovering from a 9-day conference stretch, this was easily my favorite BSidesSF + RSAC week. The energy was on point. I had 100+ conversations with security leaders on what they’re most excited about, biggest pain points, you name it. After RSAC, I ended up traveling 15 hours to another security conference where I presented on Saturday (more on that in a separate post ;)

It’s interesting because I wear multiple hats at conferences. I run this newsletter, so I’m always watching the emerging landscape from tradecraft to threats, tooling and capabilities, and how security leaders are future-proofing their teams and environments.

I’m also Head of Growth at Monad, so I do sales, marketing, and a bit of product management. If I learn that you have pain points Monad can solve, I will gladly pitch you on Monad and tell you about all the great stuff we’re up to. And at my core, I’m a security practitioner who still loves nerding out on how teams are staying current and how my previous crafts of detection engineering and cloud security continue to evolve.

That said, this post is an amalgamation and distillation of my biggest takeaways from the con from a holistic standpoint. Not my typical announcements roundup. That will come on Thursday!

Build vs. Buy is Shifting

In recent years, Build vs. Buy has become even more of a hot topic. The continual improvement of LLMs and agentic development has seriously lowered the barrier for entry. People are obviously all over the spectrum on this debate, but I feel like more people are leaning towards “Build” on certain categories than ever.

This was a main topic on the BSidesSF panel w/ security leaders from Anthropic, OpenAI, Perplexity, and Cursor. Here’s what stuck w/ me most after synthesizing a bunch of takes on this topic last week:

• The gap between MVP and “production-ready” is where things get ugly. It varies by application, use case, and criticality, but that middle stretch is always messy.

• Shipping it is only the beginning. Even after something is production-ready, you still have to staff for maintenance and scalability.

• Some problems are just too hairy to own. Sometimes it makes more sense to pay someone else and hand off the problem entirely.

Midmarket Security Is Quietly Overconfident — And the Numbers Prove It

94% of midmarket security leaders say they can catch critical risks before attackers do. But 51% admit a zero-day would take a week to assess. Something doesn't add up. Intruder surveyed 500+ security decision-makers at companies with 400–6,000 employees to get the real picture of how teams are coping with growing digital estates, shrinking exploitation windows, and tooling built for enterprise budgets.

Get the full report

People Are Building Really Cool Things with AI

I had a few convos with security leaders including some at F500s who are super AI-pilled. We’re talking dedicated homegrown agents and skills for dozens of different security functions, mostly handling initial triage and investigations all the way through recommending remediation paths.

I also spoke with a leader who built a living, digital twin of their entire environment. If an AWS asset config gets changed, the digital twin gets updated. If a new admin account is spun up in Okta, the digital twin records it. Now, this person is an anomaly and pretty forward-thinking, but I think more and more people will continue to get creative with AI for security in meaningful ways. The ones who think outside the box, own the future, as always.

MCP is Changing the Game

Model Context Protocol (MCP) has played a massive role in modernizing security workflows. One leader I spoke with even said he won’t consider a new vendor if they don’t have MCP capabilities. I don’t agree with his take as I think MCP eats a lot of tokens.

But it does makes sense when you look at what it unlocks. Security teams are using MCP to give AI agents direct access to their tools. Think an AI assistant that can pull alert context from your SIEM, query your CMDB for asset ownership, and check your threat intel platform for IOC enrichment, all in a single investigation flow. Teams are also building MCP-enabled agents that can take action like isolating endpoints, creating tickets, or kicking off response playbooks based on findings.

It’s basically turning every security tool with an MCP server into a composable building block that AI can orchestrate across.

The security data lake for AI agents

Scanner is an agentic security data lake to investigate alerts, hunt threats, and respond to incidents. It indexes logs directly in S3, making years of data searchable in seconds. Scanner scales up when needed and scales to zero after, so you pay for answers, not idle compute. Open-source agents help you get started fast.

See Scanner in Action

Decoupled Architectures for Security Operations

This goes hand in hand with the previous takeaway. More and more security leaders are considering a decoupled security architecture. Security data needs to live in more places than ever, especially with teams gaining more appetite to augment their tooling with homegrown capabilities. Recent breakthroughs are enabling teams to keep telemetry in ultra cost-effective, highly performant storage layers (Scanner.dev being a prime example) while data pipeline players like Monad have pretty much been the trojan horse enabling security teams to gain back control of how and where they route their data, with added benefits like enrichments and transformations that make data AI-ready.

I also heard more rumblings around federated search and how AI agents are good at querying data at the source for investigative work. The dust has yet to settle here but it’s clear that most security leaders are redrawing their SOC architectures, and there are a lot of emerging approaches and tooling to choose from. As someone who worked closely with Fortune 500 teams on detection engineering and response while at Accenture, this is a feel-good story. Security teams are breaking out of vendor lock-in and rebuilding their stacks with composable, best-of-breed solutions.

I’d say that after a long, hard-fought battle, SIEMs are no longer the one-stop shop for security analytics, response, and investigations. MCP, data lakes, data pipelines, triage agents etc. have disrupted the SIEMs moat. What comes next?

Talent and Upskilling

Security leaders are thinking hard about how to keep their teams at the forefront, not just of threats, but of evolving capabilities and tooling. They’re encouraging their people to adopt a builder mindset and go wider.

The world is changing fast. The ones who lean into the hacker and builder mindset will excel.

Honorable Mentions

Attack velocity + volume: Bad guys are using AI to find 0-days, exploit unpatched systems, and scale their campaigns. Defenders are cognizant of this and while there’s not an impending sense of doom, people are feeling the heat.

Agentic AI Identity: Still the wild west. No clear winner or winning approach, imo but we’re getting closer.

AI Pen Testing: Lots of funding and hype around it. I think it’s a space at risk if frontier model shops really wanted to go after it. Regardless, there’s a massive need for AI pen testing in validating vulns, securing new attack surface, and ensuring secure code and apps. This was a part of the security cycle that was painfully manual and having continual coverage here is a big upgrade.

Data Security: Scorching hot space and a top concern. Agentic AI is creating entirely new data access patterns that most teams aren’t equipped to govern yet. When your AI agents can autonomously query databases, pull documents, and chain API calls together, the blast radius of a misconfigured permission or over-scoped identity gets a lot bigger. Lots of energy here, and rightfully so.

Securing AI Code Gen Output and Agent Usage: Velocity and volume are big concerns, along with non-devs building small scripts to automate tasks. No clear winner here though the incumbents like Semgrep, Snyk, OX, etc. are shipping capabilities to keep up with the madness.

Software Supply Chain Security: Software Supply Chain Security: This one keeps getting scarier and giving me whiplash. March alone gave us the TeamPCP cascading campaign that started with compromising Aqua’s Trivy scanner, spread to Checkmarx KICS, and then used stolen CI/CD credentials to poison LiteLLM on PyPI (a library present in 36% of cloud environments according to Wiz). One compromised security tool turned into five compromised ecosystems in under a week.

And then literally today, Axios got hit with a hijacked maintainer account pushing a RAT through poisoned npm releases to a package with 100M+ weekly downloads. The window was only a couple hours but the blast radius is wild.

Scary pattern. Recommend checking these blogs out if you’re responding to these attacks:

• Supply Chain Attack on Axios Pulls Malicious Dependency from npm

• Trivy - StepSecurity

• LiteLLM - ReversingLabs

The dust has settled on BSidesSF and RSAC 2026, but there is still SO much in flux for security teams. So in that sense, the dust may never for security teams. Just have to keep operating through the chaos which is easier when you have strong leadership + culture. Fun time to be in security.

I’ve still got a lot more to share. On Thursday, I’ll drop Part II covering the biggest announcements, my favorite events, and the overall vibes from the week etc. Stay tuned!

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Subscribe now

Share

Midmarket Security Is Quietly Overconfident — And the Numbers Prove It

94% of midmarket security leaders say they can catch critical risks before attackers do. But 51% admit a zero-day would take a week to assess. Something doesn’t add up. Intruder surveyed 500+ security decision-makers at companies with 400–6,000 employees to get the real picture of how teams are coping with growing digital estates, shrinking exploitation windows, and tooling built for enterprise budgets.

Get the full report

Howdy 👋 - hope you’re having a stellar week. I’ll spare you from the personal BSidesSF/RSAC updates as I have something else coming on that front.

Aside from that, this past week was jampacked with launches + fundraising. Some of which have a truly novel or differentiated approach to their problem space. Good research in this week’s issue as well.

That said, let’s get into it!

TL;DR 🗞️

• 🏖️ AWS Bedrock Sandbox Escape via DNS — BeyondTrust’s Kinnaird McQuade built a full C2 channel through “isolated” AgentCore using DNS queries alone

• 🏄 Surf AI Launches with $57M — Accel-led round for agentic platform tackling the last mile of security remediation at enterprise scale

• ☁️ Google Closes $32B Wiz Acquisition — Largest VC-backed exit ever is officially done after US and EU antitrust clearance

• 🚔 Interpol Sinkholes 45,000 IPs in Operation Synergia III — 94 arrests across 72 countries targeting phishing, malware, and fraud infrastructure

• 🐍 Microsoft Publishes Prompt Abuse Playbook — Practical detection and response guide for direct, extractive, and indirect prompt injection

Plus: Okta's new AI agent identity framework, CrowdStrike x NVIDIA's agent security blueprint, Bold Security's $40M stealth exit, and 10 more stories below 👇

⚒️ Picks of the Week ⚒️

Researcher Break Out of AWS Bedrock AgentCore’s “Sandbox” Using DNS Queries

Our friend Kinnaird McQuade, cloud security legend and chief architect at BeyondTrust’s Phantom Labs, dropped a banger this week. He and the team demonstrated a full sandbox escape from AWS Bedrock AgentCore’s Interpreter using nothing more exotic than DNS queries.

Sandbox mode blocks most outbound traffic but still permits DNS A record lookups which I learned is enough to build a fully functional bidirectional C2 channel. Kinnaird will be walking through this exact exploit at BSides SF this Sunday. Definitely a must attend if you’re in town.

From the C2 channel, he demonstrated running commands (whoami) inside the sandbox, listing and reading S3 bucket contents, and exfiltrating credentials, PII, and financial data. All while the env happily reported that network access was disabled. The default AgentCore role ships with permissions broad enough to turn that DNS covert channel into a full reverse shell 😬

AWS’s response was pretty wild tbh. In September 2025, AWS reproduced the issue but classified it as “intended functionality.” The fix: updated docs of what ‘sandbox’ mode is. Kinnaird then received a $100 AWS Gear Shop gift card. A hundred dollars for a CVSS score 7.5 vuln in tooling that F500s use is interesting.

This is one of the best vuln disclosure reports I’ve read all year. Educational and fully walks you through the attack flow on a novel-ish cloud service. Kudos to Kinnaird on this!

AI Agents Don't Need Your Permission. They're Already Inside.

No approvals. No oversight. No visibility. AI agents act autonomously with permissions across your entire SaaS stack—and your security tools can't see them. When the breach happens, will you explain to your CISO that you didn't even know they existed? Reco AI Agent Security ends the blindness.

Discover your hidden AI agents

Surf AI Exits Stealth with $57M

Surf AI launched out of stealth yesterday with $57 million in combined seed and Series A funding led by Accel, with participation from Cyberstarts and Boldstart Ventures. It’s not another AI SOC or AI security tool but the way I’d describe is that the focus on the last mile of reducing risk, remediation, using AI.

What the platform does: Surf AI ingests signals from identity, cloud, security, HR, and IT systems to build what it calls a “living context graph” mapping assets, owners, permissions, and dependencies. Domain-specific AI agents (i.e., identity, cloud etc) then prioritize risk by context and coordinate remediation workflows under human oversight.

Automated remediation has almost always been a tough sell. The potential downside of remediation-induced downtime on critical systems often outweighs the perceived risk of the vulnerability itself. There’s sometimes sooooo much back and forth in remediating a vuln, implementing a compensating control, or just accepting the risk.

Up until like 5 years ago, humans held all the institutional knowledge about what touches what, and what would break if we patched a system or closed a port on a cluster. I saw this firsthand doing cloud security engagements at J&J and Accenture: the bigger the org, the worse this problem gets. I think the way Surf is tackling it makes sense. Build a context graph of what a cloud asset touches and what it means to the business before you close a port or harden a config. Present multiple remediation options with a human in the loop. That approach meaningfully reduces the risk of inadvertently breaking something.

The other thing to highlight is that most of the security debt sitting in enterprise backlogs wouldn’t introduce breaking changes if remediated. Clearing stale accounts from decommissioned employees, revoking orphaned permissions, fixing known misconfigs that nobody owns. That’s the long tail, and I think that’s where agentic execution can absorb work that humans would never get to.

Huge shout out to the Surf crew, especially their CISO, Yonesy Nuñez. Excited to watch this team and product help solve that painful last mile for teams.

Side note: We are hosting The Morning Burn with the Surf.ai, Monad and Oso Security crews on Wednesday at RSAC. RSVP to join the fun 🍊🔥

The security data lake built for AI agents

We've been watching Scanner evolve for a while now and the progress has been unlike anything else in the SecOps space. It indexes logs directly in S3 and makes years of data searchable in seconds through native MCP support or old school querying.

It hooks up to Claude Code, Cursor, or any MCP client and lets AI agents hunt threats, triage alerts, and run investigations across years full log history. Queries cost pennies meaning agents can explore freely without blowing your budget. Honestly their approach is the most sensible path forward to security analytics and storage.

Highly recommend checking them out if you’re struggling w/ massive SIEM bills and tired of visibility and budget trade-offs.

See Scanner in Action

Also worth reading: they just indexed 1.4 petabytes of logs over a weekend and hunted an APT in under 10 minutes.

Google Closes $32B Wiz Acquisition, Largest VC-Backed Exit Ever

Last week, Google officially completed its $32 billion all-cash acquisition of Wiz. The largest deal in Google’s history and the biggest acquisition of a venture-backed startup ever.

The deal closed after clearing antitrust review in both the US (November 2025) and EU (February 2026).

What a run by the Wiz team. Will be fun to see what they get up to w/ unlimited compute, Gemini models, Mandiant, VirusTotal and the Chronicle/Google SecOps SIEM at their fingertips. That probably deserves a blog somewhere down the road.

Tech Giants Invest $12.5M in Open Source Security Through Linux Foundation

Anthropic, AWS, Google, Google DeepMind, GitHub, Microsoft, and OpenAI collectively granted $12.5 million to the Linux Foundation’s Alpha-Omega and OpenSSF initiatives to strengthen the security of the open source ecosystem. Alpha-Omega has already issued 70+ grants totaling over $20 million across ecosystems including Rust, Node.js, and PyPI. Cool.

Interpol Sinkholes 45,000 IPs, Arrests 94 in Operation Synergia III

Interpol’s third iteration of Operation Synergia ran from July 2025 through January 2026 across 72 countries, resulting in 94 arrests, 212 devices seized, and over 45,000 malicious IP addresses sinkholed.

The operation targeted phishing, malware distribution, ransomware infrastructure, romance scams, and credit card fraud. Bad guys in jail = good.

Most arrests in the takedowns have taken place in Macau, Bngladesh, and Togo. These level of takedowns remind of the Beekeeper movie. Great film that covers these fraud farms + stars Jason Statham. Highly recommend.

🔮 The Future of Security 🔮

AI Security

Microsoft Publishes Prompt Abuse Detection Playbook for AI Tools

Microsoft Incident Response released a practical detection and response playbook for prompt abuse in enterprise AI tools, covering direct prompt overrides, extractive abuse against sensitive inputs, and indirect prompt injection.

The blog gives a good overview of detection and hardening opportunities. Great primer.

More AI Security news ⬇️

• Okta unveils new framework to manage AI agents and upcoming Okta for AI Agents platform

• CrowdStrike Unveils Secure-by-Design AI Blueprint for AI Agents Built with NVIDIA

• Netskope Launches AI Security Platform with AI Ecosystem Protection

Data Security

Varonis Launches Atlas, an End-to-End AI Security Platform

If you’re a long time reader of TCP then you already know I’m fond of their approach to data security. I wrote a report on why their context graph approach is the way to go for securing sensitive data in the age of AI. Since then, they’ve acquired SlashNext (email security) and AllTrue.ai (AI security). The latter which has led to their recent Atlas product which covers the most pressing AI security areas:

• shadow AI discovery

• posture management

• pen testing

• runtime guardrails

• compliance reporting

• third-party AI risk management

Big W and quick execution by Varonis on this. Here’s a video of Atlas in action:

Endpoint Security

Bold Security Exits Stealth with $40M for Edge AI Endpoint Protection

Bold Security emerged from stealth with $40 million from Bessemer Venture Partners, Picture Capital, and Red Dot Capital Partners. Bold runs small language models on endpoints rather than in the cloud, turning devices into local AI agents that monitor user behavior and AI tool interactions.

The edge-first approach sidesteps the latency, cost, and privacy concerns of cloud-based AI security. Cool.

More Endpoint Security news ⬇️

• Huntress adds tools to its Agentic Security Platform to detect, fix, and prevent endpoint and identity risks

• Cato Networks rolls out Neural Edge and AI Security to protect enterprise AI workloads

Governance, Risk, and Compliance

Knox Systems Raises $25M to Accelerate 90-Day FedRAMP Authorization

Knox Systems raised $25 million in Series A funding led by B Capital, with participation from M12 (Microsoft’s venture fund), Okta Ventures, MongoDB Ventures, Hearst Ventures, and previous investors Felicis and Ridgeline.

Knox operates the largest multi-cloud federal boundary across AWS, Azure, and GCP, and claims to deliver FedRAMP authorization in 90 days at 90% lower cost than the traditional process. FedRAMP is the final boss of compliance frameworks.

With fewer than 500 FedRAMP-authorized SaaS apps available to the US government commercially, the bottleneck is real and also means that fed services may not be getting the best of breed.

Security Operations

Tracebit Raises $20M to Scale Cloud-Native Deception Technology

Tracebit closed a $20 million Series A led by FirstMark, with Accel, MMC Ventures, Tapestry VC, and CCL participating, bringing total funding to $25 million. Tracebit deploys canaries (decoy assets) across AWS, Azure, Kubernetes, CI/CD pipelines, and identity providers to detect post-breach lateral movement.

Deception is one of the highest-signal detection methods available, because canaries have a near-zero legitimate-touch rate; if something interacts with them, it’s an attacker, insider threat or a disoriented employee/intern. Most teams don’t have the bandwidth to deploy and monitor canaries. Seems like Tracebit is tackling that problem. Cool.

Vulnerability Management

NinjaOne Adds AI-Driven Vulnerability Management to Its Endpoint Platform

NinjaOne launched NinjaOne Vulnerability Management, built natively into its unified endpoint management platform. The offering uses AI to identify vulnerabilities.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

How Snyk Deploys AI Agents to Catch What Legacy Email Defenses Miss

Email threats are evolving faster than legacy defenses can keep up. Join Snyk and Sublime Security for a live webinar to see how Sublime’s AI agents detect, investigate, and stop attacks in minutes. See how Snyk uses Sublime’s Autonomous Detection Engineer (ADÉ) and Autonomous Security Analyst (ASA) to analyze missed threats, generate detections, and deploy new coverage at attacker speed.

Register

Howdy 👋 - hope you’re having a stellar week. If you’re on the GTM side then you’re probably under the gun headed into RSAC and if you’re on the hands-on keyboard or leadership side of security… well then, you’re always under the gun. That said, make sure you’re touching grass + making time for yourself and family!

Before diving into anything security-related, I wanted to give a shout out to the Dominican Republic baseball team who is 4-0 in the World Baseball Classic and absolutely crushing it this year.

This is also a good opportunity to announce that I’ll be giving my first technical talk in 3 years in Dominican Republic later this month at HackConRD 🇩🇴. The talk is titled “Your detections are only as good as your data, aqui te enseño como resolver eso”… think Monad x MSFT Sentinel in Spanish. TCP is also sponsoring the con. More on that in coming weeks :)

Cool. Next personal note, I’ll be at BSidesSF/RSAC and it’s shaping out to be a super stacked week. If you’ll be in town and wanna meet, shoot me a DM here or on LIN ☕

I also highly recommend registering for our happy hour with our friends, Scanner.dev and coming to The Morning Burn workout at Orangetheory 🍊🔥 with our friends at Oso Security and Surf.ai… We may have a few surprises in store.

One more thing before news. We all know that traditional AppSec can’t keep up with AI code velocity and a structural shift is needed. Yes, better scanning + prioritization, but also moving security to where the most significant chokepoint for security is, and that’s at the design + architectural phase. Product security isn’t new but it’s mostly been IoT/OT companies who have adopted it up until recent years. I recently did a deep dive on this space and came away impressed by a vendor (Clover Security) who is tackling this in a such an eloquent fashion. Highly recommend carving time out to read here if you touch ProdSec or AppSec in any capacity.

Now, for the news!

TL;DR 🗞️

• 🩺 Iran-Linked Wiper Attack Devastates Stryker — Handala claims 200K+ systems wiped, 50TB exfiltrated from the $22.6B medtech giant across 79 countries.

• 🐔 When the Code Generator Is Also the Code Auditor — OpenAI + Claude double down on code scanning but who watches the henhouse?

• 📐 The AppSec Model Was Built for a World That’s Disappearing — Our deep dive on why security needs to shift to the design and architecture phase

• 🎯 What Actually Separates Effective CISOs — Lenny Zeltser and Aimee Cardwell on tenure, trust, burnout, and why most CISOs advise when they should act.

• 🎙️ [un]prompted Con Now Lives in NotebookLM — Every talk and slide deck from the AI security conference, searchable and podcast-ready.

• 🏗️ Mandia’s Armadin Raises Record $189.9M — Largest seed/Series A in cybersecurity history for AI-driven attack simulation.

• 📊 Scanner Raises $22M Series A Led by Sequoia — Super fast search across years of log data in object storage; AI agents now its most active users.

• ⚔️ AI as Tradecraft: How Threat Actors Operationalize AI — Microsoft breaks down how adversaries are integrating AI into real-world attack operations.

• 🛡️ Governing MCP Servers with an AI Gateway in Azure — Hands-on lab for security engineers locking down MCP server access in Azure.

• ⚡ Kai Emerges with $125M for Agentic Security — Claroty co-founder’s new play to unify IT and OT security ops at machine speed.

• 🔇 Jazz Exits Stealth with $61M — AI-powered DLP that understands intent and context; cut one customer’s daily alerts to 10.

• 🔒 Nir Zuk Launches Cylake with $45M — Palo Alto Networks founder builds AI-native security for orgs that can’t touch public cloud.

• 🤖 Onyx Security Launches with $40M — Builds a secure control plane to govern autonomous AI agents across the enterprise.

• 🩹 Reclaim Security Raises $20M for Agentic Remediation — Hexadite founder’s new startup simulates business impact before deploying automated fixes.

• 🧪 Escape Raises $18M to Replace Manual Pentesting — Automates offensive security lifecycle with AI agents

• 🤖 OpenAI to Acquire Promptfoo — AI security testing startup ($23.6M raised) gets absorbed into OpenAI Frontier platform.

• 🔗 OX Security Launches Agentic Pentester — Continuous attack simulation that traces validated exploits back to the exact repo, file, and commit.

⚒️ Picks of the Week ⚒️

Stryker Hit by Devastating Iran-Linked Wiper Attack

Iran-linked hacktivist group Handala claims to have wiped over 200,000 servers, mobile devices, and systems and exfiltrated 50TB of data from medtech giant Stryker ($22.6B in 2024 sales, 56,000 employees), forcing offices across 79 countries to shut down 🤯. The group said the attack was retaliation for a U.S. missile strike on an Iranian school that killed more than 175 people, most of them children.

According to Krebs on Security, the attackers appear to have weaponized Microsoft Intune, Stryker’s own mobile device management platform, to issue mass remote wipe commands against enrolled devices. Employees in the U.S., Ireland, Australia, and India reported corporate laptops and personal phones wiped without warning, login pages defaced with Handala’s logo, and entire offices reverting to pen and paper. Staff with personal devices enrolled for work access lost personal data too.

Palo Alto Networks links Handala to Void Manticore, an actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The group surfaced in late 2023 and has previously targeted Israeli civilian infrastructure and Gulf energy companies.

Stryker confirmed the attack in an SEC 8-K filing, acknowledging a global disruption to its Microsoft environment. The company says there is no indication of ransomware and believes the incident is contained, but has no timeline for full restoration.

This is a gut punch for healthcare. Stryker makes surgical equipment, joint replacements, defibrillators, and hospital beds used in operating rooms worldwide. When their systems go dark, hospitals are waiting for equipment and patients are waiting for care. I worked at Johnson&Johnson securing similar medical equipment. This is an absolute nightmare for everyone involved.

The Intune vector is particularly brutal: turning an orgs own management infrastructure into the weapon is the kind of move that should have every IT team auditing MDM admin access and conditional access policies this week.

Dig Deeper: Krebs on Security | Infosecurity Magazine | TechCrunch

Enforce Security Where Work Actually Happens

Keep Aware delivers Browser Detection and Response (BDR) to secure modern work where it actually happens—the browser. Monitor and govern GenAI usage, prevent sensitive data loss with browser-native DLP, and control extension risk before it becomes compromised. By analyzing real browser behavior, Keep Aware stops phishing, credential theft, and risky actions at the point of click, shifting security from reactive alerts to real-time prevention.

Prevent Browser Threats in Real Time

When the Code Generator Is Also the Code Auditor

Both Anthropic and OpenAI now ship SAST tooling: Claude Code Security scans for vulns using data flow context across files, while OpenAI’s Codex Security scanned 1.2M commits in its beta and flagged 792 critical and 10,561 high-severity findings across open-source projects including OpenSSH, GnuTLS, and Chromium. Mozilla is already using Claude to improve Firefox’s security posture.

The results are impressive, but there’s an uncomfortable question nobody is asking loudly enough: when the same model that generates your code is also the one reviewing it, who’s actually watching the henhouse?

Estimated cost sits around $15-25 per PR review, which i’d imagine matches up to what a SAST vendors charges when annualized. But consider the loop: an AI writes code, the same vendor’s AI reviews it, finds some issues, fixes them, and signs off.

I’m not saying they would intentionally do this, but a model is structurally unlikely to catch its own blind spots, and “we found and fixed the bugs our own tool introduced” is not the independent assurance most security programs are built on.

My friend James Wickett at DryRun Security actually just launched a report that derives real-world evidence on this exact topic. Worth checking out here.

$235M for the Founders Who Built Mandiant and Palo Alto

Two of the most consequential founders in security history officially came off the bench in the same week (although we covered Mandia’s moves nearly 2 months ago). Kevin Mandia (who sold Mandiant to Google for $5.4B) raised a cybersecurity-record $189.9M in combined seed and Series A for Armadin, an AI-driven attack simulation platform. Accel led, with GV, Kleiner Perkins, Menlo Ventures, In-Q-Tel, 8VC, and Ballistic Ventures participating. Armadin uses AI agents to model real adversary behavior across cloud, identity, and network infrastructure, producing validated attack paths instead of theoretical vuln scores.

Meanwhile, Nir Zuk (founder of Palo Alto Networks, CTO for 20+ years) launched Cylake with $45M in seed funding led by Greylock. Co-founded with Wilson Xu (former Palo Alto EVP of Engineering) and Udi Shamir (co-founder of SentinelOne), Cylake is building an AI-native security platform designed to run entirely on-prem or in private cloud for organizations that can’t touch the public cloud. Product availability is expected early 2027.

Combined, that’s $235M in seed/Series A capital behind two founders who already built category-defining companies. That’s a fair amount of funding to build great teams + product. As always, it comes down to execution and these two are masters at that.

Dig Deeper: Armadin Raises $189.9M | Cylake Launches with $45M | Greylock: Introducing Cylake

CISO Takes: What Separates Effective CISOs From the Rest

Two reads this week worth your time: Lenny Zeltser (former CISO at Axonius) distills six years of security leadership into a four-point framework, and SecurityWeek profiles Aimee Cardwell (former CISO at UnitedHealth Group, now CISO in Residence at Transcend) on the realities of running security at scale.

• Attack surface reduction is the only way off the hamster wheel. Decommission unused SaaS, deactivate stale accounts, kill unnecessary systems. This lowers security costs and frees budget for strategic work.

• Average CISO tenure is 3 years. Most leave before their foundational investments in identity architecture, attack surface reduction, and product security actually compound.

• The defender’s advantage is terrain knowledge, not tools. Years in the role build understanding of which systems are truly critical, which vendors are real partners, and which risks the org has consciously accepted. No onboarding replicates that.

• Burnout is a leadership problem, not a personal one. Cardwell gave her team “Flex Fridays” after major incidents. The result: measurable reduction in team burnout. People who feel seen stay longer and perform better.

• Shadow AI is an attack surface problem disguised as a productivity problem. Cardwell’s approach: make the secure path the path of least resistance. If approved tools are harder to use than unapproved ones, you’ve already lost.

Dig Deeper: Zeltser: CISO Leadership Lessons | SecurityWeek: CISO Conversations with Aimee Cardwell

Scanner Raises $22M Series A Led by Sequoia Capital

Our friends and continuing sponsor of TCP have raised a $22M Series A led by Sequoia for reimagining how security teams search log data at scale. Scanner gives you blazing fast search across years of logs stored in object storage, without the SIEM-tier price tag. Their product is a game changer on many levels incl. DE, IR, hunting, and teams like Notion are building homegrown AI triage agents on top of it. Super cool.

This is one of my favorite products in SecOps right now, and the team behind it is just as sharp. Congrats to Cliff, Alex, and the Scanner crew. Well deserved.

Zero Day Clock: The Exploitation Window is Collapsing to Zero

A new project called Zero Day Clock is tracking something every security team should internalize: the median time-to-exploit has collapsed from 771 days to just 6.36 days in five years, with nearly 40% of exploited flaws now weaponized before disclosure and over 44% exploited within 24 hours.

The site tracks TTE across 83,000+ CVEs from 10 sources including CISA KEV, ExploitDB, and Metasploit. The project maps milestones as TTE crosses thresholds: the 1-year mark was hit around 2021, 1 month around 2025, and 1 week in 2026, with 1-day and 1-hour marks projected for later this year and 1 minute by 2028.

When a vendor releases a patch, AI can now reverse-engineer it and generate a working exploit in minutes, but organizations still need an average of 20 days to test and deploy that same patch. Prioritization + attack surface reduction are the name of the game.

🎙️ [un]prompted Con Now Lives in NotebookLM

Every talk transcript and slide deck from the AI security conference has been loaded into Google’s NotebookLM, letting you chat with the full conference content, generate podcasts on any topic, or brief your team without rewatching hours of sessions. Brainchild of Rob T. Lee and one of the better examples of what an AI-native conference experience looks like after the event ends.

🔮 The Future of Security 🔮

AI Security

OpenAI to Acquire Promptfoo, to Bolster AI App Testing

OpenAI is acquiring Promptfoo, an open-source AI security evaluation platform that had raised $23.6M from Insight Partners and Andreessen Horowitz. Promptfoo’s tooling covers prompt injection, data leakage, jailbreak detection, and red-team simulations.

OpenAI buying its own testing layer signals that LLM security tooling is shifting from ecosystem play to platform feature.

More AI Security news ⬇️

• AI Hands-On Lab for the Security Engineer #2: Governing MCP Servers with an AI Gateway in Azure

• AI as Tradecraft: How Threat Actors Operationalize AI - Microsoft

• Onyx Security launches operations with $40 million funding round

Browser Security

Push Security Adds Malicious Extension Detection, ClickFix Blocking

Push Security shipped malicious browser extension detection powered by its own threat research and public threat intel feeds, with options to auto-warn or block users and enforce extension allowlists/blocklists. Browser-native security keeps getting more relevant as identity and SaaS attacks shift into the browser.

Data Security

Jazz Exits Stealth with $61M for AI-Powered DLP
Jazz emerged from stealth with $61 million in combined seed and Series A led by Glilot Capital Partners and Team8. AI-native DLP.

More Data Security news ⬇️

• Data Security Firm Evervault Raises $25 Million in Series B Funding

Fraud Prevention

Darwinium Launches Agent Intent Intelligence

There’s an interesting shift taking place in agentic payments and commerce (think: sendmy agent to buy me the best fitness supps based on my Dr,’s recs). I hadn’t previously dug into this space before so it was certainly interesting to me.Security Operations

IoT/OT Security

Kai Emerges from Stealth with $125M

Kai launched with $125 million led by Evolution Equity Partners, building an agentic platform for IoT/OT. Co-founded by Claroty co-founder Galina Antova.

More IoT/OT Security news ⬇️

• Augur lands $15 million funding to strengthen critical infrastructure security

Offensive Security

OX Security Launches Agentic Pentester That Maps Exploits to Source Code

OX Security (founded by former Check Point execs) launched an agentic pentester that runs continuous attack simulations and traces each validated exploit back to the exact repo, file, and commit responsible. The pitch: other pentest tools stop at findings, OX maps the fix path to source code so AppSec and engineering aren’t just staring at another backlog.

More OffSec news ⬇️

• Escape Raises $18 Million to Automate Pentesting

Vulnerability Management

Reclaim Security Raises $20M to Close the Remediation Gap

Reclaim Security raised $20M in Series A led by Acrew Capital ($26M total) to build an autonomous remediation platform that simulates business impact before deploying fixes.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

A Personal Note

Every now and again I come across a security vendor doing genuinely innovative and differentiated work. A breath of fresh air in a space full of copy/paste products with different logos.

I vet every TCP sponsor carefully to ensure I only put the best in front of you so if I’m writing a deep dive on a company, know that it’s passed a high bar. Clover Security brought me back to my Product Security days at Johnson & Johnson, where design-phase security reviews and threat modeling weren’t optional best practices, they were FDA and HITRUST requirements. This is a platform that would have made life meaningfully easier back then.

I’m excited to bring you this piece. Let’s get into it.

Executive Summary

The engineering world is undergoing a structural shift. AI coding agents now handle implementation at a pace and volume that human-led security processes were never designed to match. Innovation cycles are compressing. The response from the most forward-thinking engineering orgs isn’t to scan more code faster. It’s to invest in design and architecture rigor, the phase where most risk actually originates.

Clover Security made this bet two years ago. They’ve raised $36M and built a platform of AI agents that embed security into the design phase, where PRDs are written, architecture decisions are made, and threat models should live.

This deep dive covers why the design phase has become the critical gap in most security programs, how Clover’s platform actually works, what their early customer results look like, and where the product is headed as agentic development accelerates.

The Perfect Storm

Two years ago, a senior engineer would split their week between writing code, reviewing code, debugging code, and making architectural decisions. Today, AI coding agents handle the first three. Spotify’s co-CEO said it plainly on their Q4 earnings call. The company’s best developers haven’t written a single line of code since December. That trend is only accelerating.

What’s emerging is a fundamental reprioritization across engineering orgs. The smartest teams are investing in design and architecture rigor, the phase where risk actually enters the system. Innovation cycles are compressing. A feature that took a team two sprints now ships in days. The human role in software development is shifting from writing code to designing systems, choosing infrastructure, and deciding how services interact. The design decisions that determine whether a system is secure are now the most consequential part humans still control.

And this math was broken long before AI code generation entered the picture. Product security engineers are outnumbered by developers 300-to-1 at most technology companies. CrowdStrike’s 2024 State of Application Security Report quantifies the downstream impact. Over half of major code changes don’t undergo full security reviews (50% median, 54% mean). That was before AI-generated code tripled the volume. Jerry Gamblin’s 2025 CVE data review counted 48,185 published vulnerabilities, a 21% jump over 2024, with XSS still the most common class at over 8,000 entries despite decades of tooling investment. FIRST’s 2026 forecast projects that number climbing to roughly 59,000.

Clover Security saw this coming. Founded in 2023, right as the AI coding wave began to take shape, the company raised $36M on the thesis that the entire AppSec model was pointed at the wrong phase of development.

Their bet is that AI agents embedded in design and architecture workflows are the only way to close the gap. Two years in, the market is moving in their direction.

Now they’re building for what the next two years look like.

The Founding Story

Clover’s founding story starts with a big tech engineer and a product leader at two of the largest AppSec vendors in the world, both independently arriving at the same conclusion that scanning code after it’s written was never going to be enough. Then they found each other on X.

Alon Kollmann (CEO) spent 15+ years as an engineer at Microsoft and Google before taking strategic roles at Hysolate and Dazz, the ASPM company acquired by Wiz for roughly $450M.

Or Chen (CPO) spent 8 years in Unit 8200 leading technical cyber operations, then founded a startup acquired by Checkmarx. He rose to VP and built their SCA and API Security offerings from the ground up.

The two found each other the way a lot of good things start in 2022: sliding into each other’s DMs on Twitter. They had arrived at the same conclusion from opposite sides of the security stack, and connected right as ChatGPT launched and the AI coding revolution started to take shape. The timing validated their shared conviction: code generation would be automated, making design the true security chokepoint. They co-founded Clover in 2023.

Clover raised $36M across a seed led by Team8 and a Series A led by Notable Capital, with Team8 and SVCI participating. The angel roster tells the real story: Wiz co-founders Assaf Rappaport and Yinon Costica, Shlomo Kramer (Check Point, Imperva, Cato Networks), Rene Bonvanie (former CMO, Palo Alto Networks), and senior executives from Snyk, CrowdStrike, Atlassian, and Google.

You Can’t Scan Your Way Out of Insecure Design Choices

Every AppSec tool on the market today works the same way, downstream: wait for code to exist, then scan it. SAST, SCA, DAST, ASPM, runtime scanning.

Product Security (ProdSec) operates upstream. Architecture review, threat modeling, design-phase risk assessment. Security baked into how a system is designed, not bolted on after it’s built. If you’ve worked in automotive or medical devices, none of this is new. ProdSec is table stakes in those worlds.

I interned on Ford Motor’s Red Team and spent 2.5 years doing product security for a robotic surgical system at Johnson & Johnson. When you’re threat modeling software that controls a robot performing surgery on a human being, design-phase security reviews are a non-negotiable. The gap is that most pure software companies haven’t adopted this discipline yet, and the ones that have are doing it manually, expensively, and at a coverage rate that never keeps pace with engineering velocity.

In practice, ProdSec means a security engineer sits down with a PRD or architecture doc before a single line of code is written and asks: where are the trust boundaries? What are the data flows? Where could business logic be abused? How does this feature interact with existing services? They map the design against frameworks like OWASP ASVS or STRIDE, identify threats at the architecture level, and write security requirements into the ticket.

Here’s why this matters concretely. A team builds a payments integration where users can link external bank accounts. The code is solid: encrypted connections, proper auth tokens, passes every scan. But the design never accounted for what happens when a user links an account, initiates a transfer, then unlinks the account before settlement completes. The transaction goes through with no account to claw back from. That’s not a vulnerability. It’s a business logic gap that only exists at the design layer, and no scanner on the market catches it.

The problem is that ProdSec requires people who understand both software architecture and threat modeling deeply enough to review designs at speed. Those people are rare. Most orgs either can’t hire them or can’t hire enough of them, which is why even mature security teams end up triaging by risk and only reviewing the highest-priority features manually.

As AI handles more implementation, design is the last human-controlled artifact. If security isn’t embedded there, there’s no checkpoint before code ships. Clover’s bet is that as AI eliminates trivial code-level vulnerabilities, the remaining risk concentrates at the logic and architecture layer.

How It Works

Clover runs eight purpose-built AI agents, each handling a specific security function but all built on the same platform core. Design risk is the guiding principle, but risk can initiate at any point. A review can start from a PRD for a brand new feature just as easily as from code drifting from its original design requirements. The result is a platform that tracks design risk from the first spec through production, and catches drift long after code ships.

The Context Layer

The most differentiated thing I saw in the demo was Clover’s context engine. Two components work together here.

The Memory Agent builds and maintains a living knowledge base of your organization, split across three dimensions. Technical context covers your tech stack, infrastructure components, APIs, and data points. Business memory captures how your org makes decisions, internal glossary, and product relationships. Inferred memory surfaces connections the platform identifies across your environment over time.

The Feature Context Graph maps how a single feature connects to requirements, framework standards, code, and infrastructure. You can drill into the specific standards a feature was reviewed against, see which code repos are linked, and trace from design doc to implementation.

These two components are what make everything below possible. Without organizational context, an AI agent reviewing a design doc is just guessing. With it, the agent knows your tech stack, your policies, your architecture patterns, and how this feature connects to everything else you’ve already built.

Scenario 1. A new feature lands in your project management tool.

Your product team writes a PRD in Notion for a new instant peer-to-peer payments feature. Clover’s Discovery Agent picks it up automatically, identifies it as high-priority based on the financial data flows and regulatory surface involved, and flags it for security review.

The Design Review Agent takes over and runs a security review against your configured frameworks and threat models, whether that’s OWASP ASVS, PCI, STRIDE, or your own internal standards. Because of the context layer, Clover knows this feature interacts with your existing account linking service, handles external bank credentials, and exposes a new transaction initiation path to end users. The review reflects that specificity rather than returning generic findings.

Business logic flaws are a major focus. Or walked me through examples like logic gaps that let attackers siphon funds from a gaming platform, and arbitrage attacks on a prediction market. These are the exact categories of risk that traditional scanners miss because they have no awareness of what the feature is supposed to do, only what the code does.

On the app level, security teams manage risk posture through custom-built security models around applications, architecture, data flows, and risks. Each application view lets security teams tune prioritization sensitivity across three dimensions. Risk, Business Impact, and Depth and Complexity. You can also feed it pentest reports and it incorporates findings into the posture view.

Scenario 2. Code ships that drifts from the original design.

Your design spec requires encryption at rest for all candidate records. A developer (or an AI coding agent) implements the database layer but skips the encryption step.

The Developer Guidance Agent integrates with GitHub, GitLab, and Bitbucket, and compares implemented code against original design specifications and PRDs. It surfaces the drift between what was designed and what was built. Traditional SAST tools see code in isolation. They’d look at this implementation and find no vulnerability pattern, no dependency flaw, no known CVE. Clover sees the intent behind the code.

Scenario 3. Your developers are using Cursor, Codex and Claude Code. Who’s watching?

This is the forward-looking bet. Clover’s MCP Agent provides visibility into AI-generated code, enforces organizational policies for coding agents, and monitors MCP connections across AI-driven development workflows. The Vibe Coding Agent evaluates shadow AI and vibe coding for misconfigurations, excessive permissions, and missing controls.

What makes this tangible rather than theoretical is the Agent Observability dashboard. Clover gives you granular visibility into which LLMs are being used across your environment (Claude 3.5 Sonnet, GPT-4, GPT-4-turbo in this instance), which developers are using them, lines of code written with coding agents over time, how many MCP connections are active, and where the PR blind spots are.

Most security teams today have zero visibility into what AI coding agents are generating across their org. Engineering teams are three steps ahead of security teams on AI coding agent adoption. Clover has built an observability layer that helps make the invisible visible, which models, which developers, how much code, and where the blind spots are

Integrations and Day One Value

Clover hooks into where teams already work.

The platform also functions as a contextual security chatbot within Slack, where teams can ask questions like “What auth method should I use for this service?” and get answers informed by their org’s specific context and policies.

Clover produces actionable security reviews from day one, covering framework checks, threat modeling, and architecture anti-patterns out of the box. As it ingests more documentation and observes how teams build, reviews get sharper and more tailored to your specific environment.

From Stealth to Scale

Most security startups launch publicly, spend heavily on marketing, and grind through 12-month enterprise sales cycles before landing their first logos. Clover did it backwards. They hit millions in ARR before publicly launching. No website, no press, no conference booths. Deals came through CISO networks and word of mouth, which tells you something about how the product landed with the people actually using it.

Neo4j went from 49% to 100% design review coverage. CISO David Fox: “Manual review covered 49% of tickets, but with Clover’s automation we hit 100%.” (Full case study)

Lemonade cut review time from roughly two hours to fifteen minutes. Before Clover, Lemonade triaged reviews by perceived risk because the volume was too high to cover everything. Now they review all documents, not just the ones they think are risky. (Full case study)

Virgin Money, one of the UK’s largest retail banks serving 6.6 million customers, achieved 4x faster design reviews. But the bigger story is what changed qualitatively. Before Clover, reviews depended on individual interpretation across hundreds of policy controls. Now every design is reviewed against the same standard, every time. Head of Security Solutions Gordon Moon: “Clover turns generic threats into design-specific threats so our teams understand what really matters in that system.” (Full case study)

The fact that CISOs at Neo4j, Lemonade, and Virgin Money are willing to go on record with specific metrics at this stage is strong signal for both company direction and product validation. Excited to see how these numbers evolve as deployments scale.

Closing Thoughts

I’ve covered a lot of security startups through TCP. Very few make me stop and rethink how an entire category should work.

Where the bet gets bigger. AI coding agents are already writing production code across thousands of engineering orgs. Most security teams have zero visibility into what those agents are generating, which models they’re using, or whether the output aligns with internal policies. That’s not a future problem.

Clover’s MCP Agent and Vibe Coding Agent are newer than the design review core, but they’re pointed at exactly the right problem. The agent observability dashboard alone is the kind of visibility security leaders will be demanding within 12 months. Clover is building it now.

Who should care. If you’re a CISO or Head of ProdSec at a company with 50+ engineers and you’re still doing design reviews manually (or not doing them at all), Clover should be on your shortlist. If your team is drowning in review requests and triaging by gut because you can’t cover everything, this is built for you.

Product Security as a discipline has historically been locked behind scarce human expertise. The security architects who can review a design doc, run a threat model, and identify business logic flaws before code is written are among the hardest hires in the industry. Most companies either can’t find them or can’t afford enough of them. If Clover’s agents can replicate that thinking at scale, they’re not just building a product. They’re making ProdSec accessible to teams that could never afford to staff it the way it deserves.

Having done this work by hand, I can tell you: this is the platform I wish I’d had.

I've shown you the thesis and where I think things are headed. Let them show you the product.

See Clover in Action

Subscribe now

Share

Intezer recently dropped their 2026 AI SOC Report. A full analysis of 25 million security alerts triaged across live enterprise SOCs in 2025. I read all 35 pages. Here’s what stood out, what it means, and what I think most security teams can take from it.

The math inside most SOCs is broken, and it has been for years. Too many alerts, not enough analysts, and the people in those seats are legit running on fumes. Burnt-out analysts and overworked IR teams don’t just slow down. They miss things. So teams triage aggressively, auto-close the low-severity stuff, and hope nothing slips through.

This has been true for decades. Detection engineers can tune rules and build enrichment playbooks all day, but the volume problem is structural. Industry surveys consistently show that over 60% of alerts are never reviewed. Not by in-house SOC teams. Not by MDRs. They get deprioritized or buried.

Intezer just put a number on what “slips through” actually looks like and the cost of the trade-off that most SOCs make.

The scale of the dataset alone sets this apart:

• 25 million alerts. 10 million monitored endpoints and identities.

• 180 million files analyzed. 7 million IP addresses investigated. 550,000 emails analyzed.

• Over 82,000 endpoint forensic investigations, including live memory scans.

This wasn’t a survey or a simulation. It’s operational data from production SOC environments like NVIDIA, MGM Resorts, and Equifax.

I spent years building detection rules and investigation playbooks, and I work with detection engineers and SOC teams daily at Monad. I know what’s supposed to happen after a rule fires. I also know what actually happens. This report quantifies that gap.

Get the report here

Why I’m Writing About a Vendor Report

Let me be direct. AI SOC is a crowded, noisy market. There are 25+ vendors selling some version of it right now. Most are glorified LLM wrappers that summarize alert metadata and call it “investigation.” If you’re skeptical of the category, you should be.

I’ve watched Intezer’s platform evolve over years. Where most AI SOC tools are pattern-matching on alert metadata and hoping for the best LLM-generated verdict, Intezer is doing actual forensic analysis. Deterministic, not probabilistic. Every verdict is fully auditable. And the analysis goes to forensic depth: live memory scans, genetic code analysis, actual endpoint investigation.

The framing matters too. Intezer isn’t selling “replace your analysts.” They’re selling “cover the 60% that was never getting covered.” That’s a fundamentally different value proposition.

But the report itself earned this writeup on its own merits. It’s genuinely educational in a way that leads me to recommend it to anyone from Jr.-level operators to CISOs. Take the section on plaintext password alerts (p.20). They don’t just flag “we found unencrypted credentials on the wire” and move on. They trace it to directory services still running unencrypted LDAP, transmitting credentials in cleartext because nobody configured LDAPS or StartTLS. That level of precision tells you the people who wrote this have actually done the work. It’s a great refresher or learning track for pretty much any level.

And it puts numbers behind things practitioners have said for years but could hardly prove. “Most impossible travel alerts are false positives.” “Low-sev alerts are hiding real threats.” “EDRs aren’t as reliable as we think.” Now there are receipts.

The Math Nobody Wanted to See

Of everything in this report, this is the finding I keep coming back to.

Nearly 1% of low-severity and informational alerts turned out to be real threats

That sounds small until you do the math. The average enterprise generates around 450,000 alerts per year. Over 60% never get reviewed. At that scale, 1% of low-severity alerts being real means roughly 54 genuine threats per year that nobody investigates. That’s about one per week (!!)

On endpoints it’s worse. 2% of low-severity endpoint alerts were confirmed incidents. Active, real, and invisible to the teams responsible for catching them.

Intezer ran over 82,000 forensic scans on endpoints throughout the year, including live memory analysis. In 1.6% of those scans, the endpoint was still actively compromised even though the EDR had reported the threat as mitigated. The EDR closed the case. The analyst moved on. The attacker was still there.

And over half of all endpoint alerts were never automatically mitigated by endpoint protection in the first place. Of those non-mitigated alerts, roughly 9% were confirmed malicious.

There could be legitimate explanations. Vendor quirks, timing issues, partial remediation. But the operational reality doesn’t change: if you’re trusting your EDR’s “mitigated” status without verification, you have a blind spot.

As someone who built detection rules and playbooks that generate these exact alert types, I know the gap between the intended workflow and what actually happens. The detection fires, the alert enters the queue, and the math takes over. Low-severity stuff gets deprioritized or auto-closed.

That’s the real value of AI-driven triage. Not replacing analysts. Doing forensic-grade analysis on the alerts that were going to be ignored anyway. Finding the threats that may slip through.

Where Attacks Are Actually Evolving

Three patterns jumped out from the threat data. None of them are what most vendors are selling against.

Phishing Doesn’t Need Your Endpoint Anymore

Intezer analyzed 550,000 user-reported phishing emails. Less than 8% were confirmed malicious. But look at how those malicious emails actually breakdown: less than 6% carried an attachment. Around 30% relied on a link.

The attack surface has moved. Endpoints and inboxes are well-defended, and attackers know it. So they’re keeping the entire kill chain inside the browser, where most security stacks have minimal visibility.

Intezer found platforms like Vercel, CodePen, JSitor, and JSBin hosting live credential-harvesting pages on trusted domains. Phishing sites impersonating crypto wallets and exchanges, asking victims for recovery phrases. Legitimate developer infrastructure being used as disposable phishing hosting. Most threat intel feeds won’t flag these domains because the domains themselves aren’t malicious.

Microsoft was the most impersonated brand, representing nearly a third of all phishing URLs. Microsoft and DocuSign together accounted for almost 85% of brand impersonation. Brand impersonation was the top phishing technique at 28.7%, with callback scams right behind at 25.3%.

Attackers are also increasingly gating phishing pages behind Cloudflare’s Turnstile CAPTCHA. The majority of URLs using Google reCAPTCHA were safe. That ratio completely flipped for Cloudflare Turnstile. Attackers are using CAPTCHAs not to stop bots, but to stop security scanners from seeing what’s behind the page.

Identity Is Drowning in Noise

Location and geo anomalies made up over 36% of all identity alerts. Login failures accounted for 22%. But 74.1% of login verdicts were classified as likely benign. The “impossible travel” alerts that flood every SOC queue? Only about 2% were confirmed real compromises.

Roughly 30% of those alerts were caused by VPN activity. Mobile phones routing through distant data centers and overlapping security tools triggering alerts against each other accounted for most of the rest. The identity layer has become the highest-noise signal source in the SOC, and separating real compromise from normal variability at scale is one of the hardest unsolved problems in the space. I imagine this problem gets worse with the explosion of Non-Human Identities (NHI).

Cloud Attackers Are Playing the Long Game

Defense evasion and persistence dominated cloud TTPs. Attackers are getting in (usually through identity) and sitting quietly. Token manipulation, obfuscation, abuse of legitimate cloud features etc. The goal is long-term access + recon, not immediate impact.

S3 accounted for roughly 70% of all AWS control violations. Buckets still using ACLs instead of IAM policies, missing server access logging, overly permissive cross-account policies.

I spent years at Accenture and Datadog building the CSPM rules that flag these exact misconfigurations. The fact that they’re still this prevalent in 2026 tells you everything you need to know.

What to Actually Do About It

Invest in making your team AI-fluent, and seriously evaluate AI SOC platforms. LLMs are great for log analysis, triage assistance, detection rule development, playbook drafting. But for alert triage, the build vs. buy math almost never favors build. Reviewing every alert across every tool, investigating regardless of the original verdict, at forensic depth (live memory scans, genetic code analysis, full auditability)? That’s years of engineering, not a side project. The teams that figure out how to pair human judgment with AI speed at that level are the ones that will actually close the coverage gaps this report quantifies.

Stop trusting your tooling’s verdicts blindly. Real threats are hiding in low-severity alerts and EDRs are reporting “mitigated” while endpoints remain compromised. If your team can’t cover the full alert volume manually, that’s a strong case for AI-augmented triage.

Reassess your phishing defense model for browser-based attacks. The attack surface has shifted from attachments to links, from endpoints to browsers. If your phishing defense stack is primarily focused on catching malicious files, you’re defending last year’s battlefield. The code sandbox abuse and callback scam patterns in this report deserve your immediate attention.

Audit your cloud posture against what you’re actually running, not what the docs say. S3 misconfigs aren’t news. But 70% of all AWS violations concentrating there suggests most organizations still haven’t done the unglamorous work of cleaning up notoriously bad configurations.

The Full Report

I don’t say this often about vendor reports: go read the whole thing here. It’s 35 pages, it’s technical, and it respects your intelligence.

If you’re a CISO, send it to your SOC lead. If you’re a SOC lead, send it to your analysts. If you build detections, you’ll find data in here that validates half the arguments you’ve been losing in meetings.

Get the full report

Subscribe now

Share

What 5M Apps Revealed About Secrets in JavaScript

Leaked API keys aren’t unusual anymore. Neither are the breaches that follow. So why are sensitive tokens still being exposed so easily? To find out, Intruder’s security team built a new method for detecting secrets and scanned 5M applications. The results were staggering: over 42K exposed tokens spanning 334 secret types, hidden inside JS bundles. We break down why traditional scanning misses them and how to close the gap.

Read the research

Want to sponsor the TCP newsletter? Learn more here.

Howdy 👋 - hope you’re having a stellar week. It’s been quite the past few days here in Austin and across the globe. I don’t like politics (or politicians) and I also don’t like where things are headed from a geopolitical standpoint.

That said, we’re about 3 weeks out from BSides/RSAC and we’ve got a ton to cover on this week’s TCP… including a fair dose of war stuff.

Before we dive in, will you be at RSAC? If so, come hang out at one of the events I’m hosting:

• Monday kickback at Fang Restaurant w/ Scanner and Monad (RSVP Here)

• The Morning Burn🔥 workout at OrangeTheory on Wednesday AM w/ Surf.ai, Oso Security, Monad, and TCP (RSVP Here)

Now, let’s get into some fun.

TL;DR 🗞️

• 🏆 CrowdStrike Q4/FY26 Earnings - $5.25B ending ARR (up 24%), net new ARR hit $331M (up 47%), now selling Falcon on Microsoft Marketplace

• 🌍 Iran War Cyberfront - Iranian strikes hit AWS data centers in UAE/Bahrain; APTs ramping up; Polymarket saw $529M in suspect trading on strike timing

• 🤖 Pentagon vs. Anthropic Standoff - Anthropic refused DoW surveillance demands, got designated a supply chain risk; OpenAI swooped in; ChatGPT uninstalls spiked 295%

• 💀 Claude Code Abused in Mexico Breach - Attackers jailbroke Claude Code to exfiltrate 150GB from 10 Mexican government agencies, exposing 195M identities

• 🔧 Scanner’s AI SOC Agent Guide - Two-part series on building autonomous triage agents in AWS

• 🔑 AWS IAM Controls for Managed MCP Servers - Two new context keys differentiate human vs. AI-initiated API calls; VPC endpoint support coming

• ⚠️ hackerbot-claw Exploiting GitHub Actions - AI-powered bot hit Microsoft, DataDog, CNCF repos; achieved RCE in 4 of 7 targets using 5 different techniques

• 🛡️ Microsoft AI Threat Modeling Framework - New guide covering prompt injection, privilege escalation via tool chaining, and agentic system risks

• 🔒 Gambit Security Exits Stealth With $61M - Spark Capital, Kleiner Perkins, Cyberstarts; AI-native resilience platform; broke the Claude Code/Mexico research

• 📊 Fig Security Launches With $38M - Team8 and Ten Eleven backed; validates detection flows across SIEM, SOAR, and AI SOC tooling

• 💰 JetStream Security Raises $34M Seed - Redpoint-led round with CrowdStrike Falcon Fund; governance and guardrails for enterprise agentic AI

• 💳 Prophet Security Gets Amex & Citi Ventures Backing - Strategic investment to scale agentic AI SOC

⚒️ Picks of the Week ⚒️

$5.25B ARR. $1.5B on AWS. Now Selling on Microsoft Marketplace. CrowdStrike Had a Year.

CrowdStrike closed FY26 with a massive Q4 that beat on every guided metric. $5.25B in ending ARR (up 24% YoY), making it the fastest and only pure-play cyber software company to cross the $5B mark. For context, Palo Alto Networks reported NGS ARR of $6.3B last quarter and is guiding to nearly $8B next quarter, but that includes CyberArk and Chronosphere acquisition revenue and PANW isn’t pure-play software. Net new ARR hit $331M in Q4 (up 47% YoY), the third consecutive quarter of acceleration, and full-year net new ARR crossed $1B for the first time. The stock dropped 4.12% after hours, because stonks.

Falcon Flex is a Monster

Falcon Flex is CrowdStrike’s consumption-based subscription model. Instead of buying modules a la carte, customers commit to a single contract with access to the full platform and turn on modules as needed, no new procurement cycle required. When a Flex customer activates additional modules (a “reflex”), ARR goes up automatically. Zero friction, no new sales cycle. It’s CrowdStrike’s answer to platform consolidation, and the numbers look good. Flex ARR reached $1.69B (up 120%+ YoY), now across 1,600+ customers.

The Microsoft Marketplace Deal is the Real Story

Microsoft Defender for Endpoint is CrowdStrike’s most direct competitor. And now Falcon is purchasable on Microsoft Marketplace using Azure consumption commitment dollars. Kurtz and Satya Nadella jointly addressed CrowdStrike’s go-to-market team. Kurtz called it “a watershed moment reflecting a clear evolution of how our companies see each other.” On the AWS side, CrowdStrike transacted nearly $1.5B in total contract value on AWS Marketplace this year🤯. The hyperscaler distribution moat is bananas.

Growth highlights:

• Cloud security ARR $800M+ (up 35%+), next-gen SIEM $585M+ (up 75%+), identity $520M+ (up 34%+)

• FY27 ARR guidance: $6.47B-$6.52B

Another strong quarter of execution for . No surprise there. This comes on the backdrop of Wall St. panicking thinking Claude Code Sec would replace all of security but that couldn’t be further from the truth. The publicly traded platform players like CRWD, and have massive moats even in the AI era.

Your SIEM sees 1%. Scanner sees what it can’t.

Scanner is a radically different way to detect threats in security data. Most teams send 95% of logs to S3 to manage SIEM costs, leaving that data unsearchable. Scanner indexes logs directly in S3, making years of data searchable in seconds with detections running continuously.

Costs are 5-10x lower than a traditional SIEM. AI agents are our most prolific users, investigating alerts around the clock. Teams at Notion, Ramp, and Benchling rely on Scanner as their core security data layer.

See How Scanner Is Different

The Iran War’s Cyberfront: Drones Hit AWS, APTs Target Allies, and Prediction Markets

The U.S. and Israel struck Iran, killed Supreme Leader Khamenei, and the cyber and tech fallout has been relentless. Here’s what we’ve been tracking on our end.

Drones hit the cloud. Literally. Iranian retaliatory strikes directly hit two AWS data centers in the UAE and damaged a third in Bahrain. Structural damage, power failures, and fire suppression water damage cascaded into outages across dozens of AWS services, knocking banking apps, payments platforms, and Snowflake offline. AWS is now telling customers to migrate workloads out of the Middle East entirely. First time a major cloud provider has taken kinetic military damage.

Iran’s APTs have also ramped up. Zscaler ThreatLabz caught Iran-nexus group Dust Specter targeting Iraqi government officials with four previously undocumented malware families, using compromised government infra as delivery mechanisms.

Prediction markets reek of rigging. Polymarket saw $529M traded on contracts tied to Iran strike timing. Bubblemaps flagged six fresh accounts that netted $1M by correctly betting the U.S. would strike by Feb 28. That’s either very lucky or very informed 🤷🏽‍♂️

The Pentagon vs. Anthropic Standoff

Quick catch-up if you missed the biggest AI policy fight of the year. The Department of War (Pentagon’s Trump-era rebrand) demanded AI companies allow their models for “all lawful purposes,” including mass domestic surveillance and fully autonomous weapons. Anthropic refused both. The government hit back hard: Trump ordered all federal agencies to phase out Anthropic products within six months, and Secretary of Defense Hegseth moved to designate the company a “supply chain risk,” a label normally reserved for Chinese firms.

OpenAI swooped in with its own Pentagon deal hours later. Sam Altman claimed it included the same surveillance and autonomous weapons guardrails Anthropic fought for, then later admitted the timing “looked opportunistic.” He has since amended the contract to explicitly ban domestic mass surveillance of U.S. persons and says NSA access would require a separate contract modification. More than 60 OpenAI employees and 300 Google employees signed an open letter supporting Anthropic’s position.

Consumer backlash was swift: ChatGPT uninstalls spiked 295%, 1-star reviews jumped 775%, and Claude hit #1 on the App Store with downloads surpassing ChatGPT for the first time, per Sensor Tower and Appfigures data.

Claude Code Abused to Steal 150GB From Mexican Government Agencies

Attackers jailbroke Anthropic’s Claude Code and used it for roughly a month to build exploits, create custom tools, and exfiltrate 150GB of data from 10 Mexican government agencies and a financial institution, exposing an estimated 195 million identities. Targets included the federal tax authority, the electoral institute, state governments, and Monterrey’s water utility.

How do you even defend against this in your threat model? I imagine the Mexican govt. was on a proper enterprise tenant w/ “don’t train on our data” and other security configs/policies in place. #DumpsterFire

Scanner’s Guide to Building Your First AI SOC Agents

Scanner published a two-part technical series on building autonomous SOC agents. Part 1 (January) covers the foundations: hypothesis-driven triage, a graduated trust model (read-only for investigation, staging for response, never autonomous response actions), and working code for a triage agent using MCP integrations with Scanner, VirusTotal, CrowdStrike, and Wiz. Key finding from their testing: an LLM alone hit 71% accuracy on alert triage with brutal false positive rates. Paired with their Socdown framework, it reached 78% with zero false malicious calls.

Part 2 dropped last week and tackles production deployment on AWS: Lambda for per-alert triage (~$5/month compute for hundreds of daily alerts), ECS Fargate for scheduled threat hunts pulling from CISA KEV, ThreatFox, and Feodo Tracker IOCs.

This is a solid behind the scenes look of what it takes to roll your own AI-triage agent. The graduated trust model is a great barometer for evaluating and deploying AI SOC tools in production. Worth a read!

hackerbot-claw: AI-Powered Bot Actively Exploiting GitHub Actions

An autonomous bot called hackerbot-claw, self-described as powered by Claude Opus, spent a week systematically exploiting GitHub Actions workflows across repos belonging to Microsoft, DataDog, CNCF, and popular open source projects including awesome-go (140k+ stars) and Trivy. It achieved arbitrary code execution in at least 4 of 7 targets using 5 different exploitation techniques, and successfully exfiltrated a GITHUB_TOKEN with write permissions from awesome-go. The bot runs a vulnerability pattern index covering 9 classes and 47 sub-patterns, scanning repos continuously and dropping proof-of-concept exploits autonomously.

The most damaging attack exploited the classic pull_request_target misconfig where workflows that run with the target repo’s elevated permissions but check out untrusted fork code. We’re now in the era of AI agents attacking CI/CD pipelines at scale. If your workflows use pull_request_target with untrusted checkouts, assume you’re already being scanned. Step Security has a very solid product. Worth checking out from a software supply chain security perspective.

🔮 The Future of Security 🔮

AI Security

Microsoft Publishes Threat Modeling Framework for AI Applications

Microsoft released a detailed guide for threat modeling AI and agentic systems, arguing that traditional approaches built for deterministic software don’t map to probabilistic, instruction-following models.

The framework covers prompt injection, privilege escalation through tool chaining, silent data exfiltration, and the compounding risk of agentic systems that invoke APIs and persist state autonomously. Microsoft also flags human-centered risks like overreliance on confident but wrong outputs as first-class concerns alongside technical failures.

JetStream Security Raises $34M Seed to Build Guardrails for Agentic AI

JetStream Security raised a $34M seed led by Redpoint Ventures with CrowdStrike’s Falcon Fund participating. The company is building governance and controls for enterprise AI deployments: policy enforcement, activity monitoring, and guardrails around how AI agents interact with systems and data. Think visibility and leakage prevention for agentic AI at scale.

Business Continuity & Disaster Recovery

Gambit Security Emerges From Stealth With $61M to Fix Enterprise Resilience

Gambit Security exited stealth with $61M in combined seed and Series A from Spark Capital, Kleiner Perkins, and Cyberstarts, raised in under 12 months.

The platform connects across environments, security tools, and backup infrastructure to map whether recovery plans actually hold up. They don’t compete with Rubrik or Veeam directly; it sits above the backup layer as a validation plane. Having backups ≠ being recoverable is the core thesis. Gambit is also the firm behind the Claude Code/Mexico government research.

Identity & Access Management

AWS Publishes IAM Controls for Managed MCP Servers

AWS released guidance on using IAM to govern AI agent access through its managed Model Context Protocol (MCP) servers. Two new standardized context keys, aws:ViaAWSMCPService and aws:CalledViaAWSMCP, let security teams differentiate between human-initiated and AI-initiated API calls, enabling fine-grained policies like allowing agents to read S3 buckets but denying deletes.

AWS is also simplifying the auth model to work like the CLI and SDKs (no more separate MCP-specific IAM actions), with VPC endpoint support coming for organizations that need private network controls.

Security Operations

Fig Security Launches With $38M to Validate SecOps Detection Flows

Fig Security emerged from stealth with $38M in combined seed and Series A funding from Team8 Capital and Ten Eleven Ventures, with backing from former Splunk CEO Doug Merritt and the founders of Demisto and Siemplify.

The platform maps and validates end-to-end detection and response flows across SIEM, SOAR, data lakes, and AI SOC tooling, flagging when misconfigs, pipeline failures, or integration drift break detection coverage.

More SecOps news ⬇️

• Prophet Security accelerating the Agentic AI SOC Movement with Amex Ventures and Citi Ventures

• Post-Exploitation at Scale: The Rise of AILM

• Introducing the Next Evolution of Cortex

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

AI Agent Security: The Blind Spot That’s Growing Faster Than Your Security Can Track

AI agents have quietly multiplied into the thousands: ChatGPT integrations, Agentforce, n8n workflows, custom tools, embedded assistants. They act autonomously, hold persistent permissions, and execute across systems. Most security teams can account for maybe a dozen.

Watch our on-demand demo to see how Reco discovers every AI agent, maps their connections, and stops exfiltration before it happens.

Watch the Full Demo

Want to sponsor the TCP newsletter? Learn more here.

Howdy 👋 - hope you’re having a stellar week. It’s only Wednesday but feels like it should be Friday… not sure what that’s all about. Maybe it’s correlated with the amount of ‘wtf?’ moments and unintentional satire going on in security right now?

In any case, I’ll be at Unprompted con next week, hit me up if you’ll be in town and want to grab a coffee/lift. Same applies if you’re attending BSidesSF or RSAC! Monad has partnered with Scanner.dev (should be on every operators radar) for a happy hour event at Fang restaurant, you can RSVP here. More to come re: RSAC.

Now, onto this week’s news.

TL;DR 🗞️

• 🔬 Anthropic launches Claude Code Security — reasoning-based code scanner built on Opus 4.6; Wall Street panic-sold the entire cyber sector despite zero overlap with most co’s

• 💀 OpenClaw agent deleted a Meta researcher’s inbox — context window compaction silently dropped stop commands; she had to physically kill the process

• 🚪 Snyk CEO McKay steps down — says company needs an “AI-immersed” leader after building to $325M ARR and 4,800 customers

• 📨 Microsoft Copilot bug exposed confidential emails — DLP-labeled messages were summarized by AI for weeks despite policy restrictions

• 🔟 Microsoft published top 10 Copilot Studio agent risks — released detection queries on GitHub covering auth gaps, orphaned agents, and MCP misconfigs

• 📐 NIST launched AI Agent Standards Initiative — targeting identity, authentication, and interoperability standards for autonomous AI agents

• ⚔️ Aikido Security launched Infinite — continuous AI pentesting that triggers on every code change with auto-remediation and retest

• 🎓 CompTIA released SecAI+ certification — first vendor-neutral cert covering AI system security, AI-driven SecOps, and AI governance

• 🔐 Venice Security exits stealth with $33M — zero standing privilege PAM for human, machine, and AI identities; backed by Wiz founder

• 🧬 Astelia raised $35M for exposure management — founded by Israel’s National Red Team leads; agentic AI maps env topology to prove exploitability

• 🐺 Arctic Wolf acquires Sevco Security — adds Gartner-recognized exposure assessment platform to Aurora

⚒️ Picks of the Week ⚒️

Anthropic Shipped a Code Scanner. Wall Street Sold the Entire Cyber Sector

Okay, let’s start with the elephant in the room. Anthropic launched Claude Code Security on Friday, a reasoning-based code vuln scanner built into Claude Code powered by the new Opus 4.6 model. Rather than matching known patterns like traditional SAST tools, it reasons through code contextually, tracing data flows and identifying business logic flaws, with multi-stage self-verification and mandatory human approval before any patch is applied. In internal testing, Opus 4.6 found over 500 previously unknown high-severity vulns in production open-source codebases, including flaws that survived decades of expert review. Available as a limited research preview for Enterprise and Team customers, with free access for open-source maintainers.

Wall Street’s response was immediate and indiscriminate. CrowdStrike dropped ~10%. Cloudflare fell 8.1%. SailPoint slid 9.4%, Okta dropped 9.2%. The Global X Cybersecurity ETF fell 4.9%, closing at its lowest since November 2023. Clearly, the trading bots and hedge fund operators don’t know the difference between code scanning and a WAF, EDR, or IdP.

Cyber CEOs Takes

CrowdStrike CEO George Kurtz took the most direct approach possible: he opened Claude Code and asked it to build a tool to replace CrowdStrike. Claude’s response was blunt: “Building a replacement for CrowdStrike isn’t something I can do here, and it wouldn’t be responsible for me to suggest otherwise.”

Kurtz’s takeaway: “AI doesn’t eliminate the need for security. It increases it.” Palo Alto Networks CEO Nikesh Arora echoed the sentiment in his earnings call, saying he’s “confused why the market is treating AI as a threat to cybersecurity.”

I think this was a sell-off driven algorithmic trading combined with investors looking for a de-risking event in a sector trading at elevated multiples. Most of the companies that got hammered operate in domains Claude Code Security doesn’t touch: endpoint detection, identity management, network security, incident response etc.

In my opinion, Anthropic is just cleaning up after themselves. Claude Code and its competitors have generated an enormous volume of code over the past year (~4% of all daily public commits) .

Indie builders, vibe coders, and enterprise devs are shipping AI-written code into production at scale. Building a security scanner for that code should be tablestakes.

The bigger questions are:

• What’s it cost in terms of compute and tokens to run the feature at scale?

• How do SAST players that rely on foundation AI models beat those same model producers at their own game? What’s the differentiator? Is it enough to operate an entirely separate tool?

• Who owns liability when an AI scanner misses a vuln, or when its auto-suggested patch introduces a new one?

My LinkedIn post asking whether Anthropic just disrupted AppSec pulled 100K+ impressions, 400+ connection requests, and 750+ engagements within 72 hours. The answer, for now, is no. Anthropic is just securing its own output. If they start securing endpoints, runtime, cloud, etc then it’s a cause for concern.

Dig Deeper: Bloomberg | Axios

Meta AI Security Researcher’s OpenClaw Agent Goes Rogue on Her Inbox

This is some borderline Black Mirror stuff. Meta AI safety + alignment researcher Summer Yue posted her experience w/ an OpenClaw agent she’d been testing that went on a “speed run” deleting her email, ignoring her stop commands from her phone.

From the screenshots, you can see OpenClaw ignored stop prompts and did not apologize. “You’re right to be upset.” it said… Who do you call when your OpenClaw gaslights you?

What happened

Yu had been testing the agent on a smaller “toy” inbox where it performed well, building her trust. When she pointed it at her full inbox, the volume of data triggered context window compaction, causing the agent to summarize and compress its running instructions. The stop commands she issued got dropped during compaction, and the agent reverted to its earlier behavior from the test inbox.

What it means

1. If an AI alignment researcher at Meta gets burned, the rest of us may not stand a chance. Yu admitted it was a “rookie mistake,” but the failure mode is architectural, not user error. Context window compaction silently dropping safety instructions is a fundamental reliability problem.

2. Irreversible actions without confirmation gates. The agent had full delete access with no human-in-the-loop approval for destructive operations. This is the pattern every agentic security framework warns about.

We are deploying agents with real-world permissions at a pace that far outstrips our ability to govern them. Yu’s experience is almost comically relatable (who hasn’t wanted to hand their inbox to an AI?), but the failure mode is serious. Context window compaction silently eating safety instructions is the kind of bug that doesn’t show up in testing and only manifests at production scale.

Dig Deeper: TechCrunch | Summer Yu’s X post

After $325M in Revenue, Snyk’s CEO Says the Next Chapter Needs a New Kind of Leader

Snyk CEO Peter McKay announced he’s stepping down, saying the company needs a leader with deeper product innovation and AI chops for its next chapter. McKay pointed to his track record: 4,800 customers, $325M in annual revenue, and what he called a “monumental pivot to become the leader in AI-native security.” He’ll remain a significant shareholder and stay on until a replacement is found.

McKay framed the move around what he sees as a generational shift in how code gets written and secured. “This next chapter requires a visionary, AI-immersed leader ready to commit their full energy to a multi-year journey of technical disruption,” he wrote.

What to watch

1. The successor profile matters. McKay is essentially saying Snyk’s future CEO needs to be a product/AI person, not a go-to-market exec. That’s a meaningful signal about where the company thinks the competitive fight is heading.

2. Competitive pressure is real. Between Wiz expanding aggressively into AppSec, legacy SAST/DAST vendors bolting on AI features, and AI-native startups like Aikido launching autonomous pentesting, Snyk’s market position is under pressure from every direction.

3. $325M ARR is solid but stagnation is the enemy. At that scale, Snyk needs to either accelerate toward IPO territory or become an acquisition target. A leadership vacuum at this moment is risky.

Kudos to McKay for an unusually honest exit. Most CEOs get pushed; few publicly admit they’re not the right person for next company phases. Whoever takes over needs to answer a hard question: does Snyk become the platform that secures AI-generated software, or does it get outrun by companies that were born in that world? No in between.

Microsoft Copilot Bug Exposed Confidential Emails for Weeks

This one is absolutely wild and I’m surprised more people aren’t talking about it. Microsoft confirmed a bug in Copilot Chat allowed its AI to read and summarize emails labeled as confidential since January, even when customers had data loss prevention (DLP) policies explicitly configured to prevent their sensitive content from being ingested into the LLM.

Just days before the disclosure, the European Parliament’s IT department blocked built-in AI features on lawmakers’ work devices over concerns that AI tools could upload confidential correspondence to the cloud.

The whole value prop of AI assistants is that they operate within your existing access controls and classification boundaries. When they don’t, you’ve essentially deployed an insider threat with read access to your most sensitive data and a habit of summarizing it for anyone who asks. If Microsoft is messing this up, can you imagine what else is going on?

Microsoft Publishes Top 10 Copilot Studio Agent Security Risks

Unironically, Microsoft’s Defender Security Research team published a detailed breakdown of the 10 most common Copilot Studio agent misconfigurations they’re seeing in production environments, along with Advanced Hunting queries to detect each one.

The top 10 risks are:

1. Agents shared with the entire organization without scoped access

2. No authentication required, creating public entry points to internal data

3. HTTP request actions bypassing connector governance (non-HTTPS, non-standard ports)

4. Email-based data exfiltration via AI-controlled dynamic recipients

5. Dormant agents, connections, and actions creating hidden attack surface

6. Author (maker) authentication giving every user the creator’s elevated permissions

7. Hard-coded credentials embedded in topics or actions in cleartext

8. MCP tools configured without active review, creating undocumented access paths

9. Generative orchestration without instructions, leaving agents vulnerable to prompt abuse

10. Orphaned agents with no active owner for governance

Microsoft released corresponding community hunting queries on GitHub for each risk. They’re in KQL but could easily be converted to whatever you’re hunting in.

Dig Deeper: Microsoft Security Blog | GitHub Hunting Queries

🔮 The Future of Security 🔮

AI Security

NIST Launches AI Agent Standards Initiative

NIST’s Center for AI Standards and Innovation (CAISI) launched a new program to develop technical standards and guidance for autonomous AI agents. The initiative targets identity, authentication, and interoperability challenges as orgs push agent-based systems into production for coding, workflow automation, and task execution. NIST has issued an RFI seeking public input on agent security risks, identity models, and deployment considerations, and is coordinating with the NSF and other federal stakeholders.

Securing agentic AI is still a massive sh*tstorm. Crowdsourced and bulletproofed standards like this at least give a measuring stick on how teams should be addressing it. Will be good to see what comes from it. If you’re in the trenches securing AI, you can contribute your insights here.

Application Security

Aikido Security Launches Infinite for Continuous AI Pentesting

Aikido launched Infinite, a continuous AI-driven penetration testing solution that autonomously validates vulnerabilities, applies remediation where safe, and retests to confirm risk reduction. Each software change triggers AI pentesting agents, replacing the traditional periodic testing window with a feedback loop tied to release cycles.

Education

CompTIA Launches SecAI+ Certification for AI Security Skills

CompTIA released SecAI+, a cert covering AI system security, AI-driven security operations, and AI governance. Would be interesting to see the training materials for this. Sounds like it covers security for AI + AI for security.

Identity & Access Management

Venice Security Exits Stealth with $33M to Modernize Privileged Access Management

Venice Security emerged from stealth with $33M in combined funding: an $8M seed led by Index Ventures and a $25M Series A led by IVP. Angel investors include Assaf Rappaport (Wiz) and the Axis Security founders. Venice aims to eliminate standing privileges entirely, discovering every identity and entitlement across cloud, SaaS, on-prem, and AI-driven environments, then granting access only when needed and revoking it immediately after.

Vulnerability Management

Astelia Raises $35M to Replace Vuln Guesswork with Exploitability-Based Exposure Management

Astelia raised $35M in combined seed and Series A funding led by Index Ventures and Team8. Founded by the leaders of Israel’s National Red Team (the unit that stress-tests the country’s critical infrastructure). The platform uses agentic AI to map real network topology, segmentation, and existing controls, then correlates exploitability with reachability to surface only what’s genuinely exposed.

More Vulnerability Management news

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 125+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

Minimal Containers, Fewer CVEs

Tired of the endless cycle of cloud vulnerabilities? Avoid over 97% of CVEs with minimal container images from Minimus. No bloated base layers, no unnecessary packages, just what your app needs to run. Drop Minimus images into existing deployments to dramatically reduce your attack surface and remediation work.

Prevent CVEs Now

Howdy 👋 - hope you’re having a stellar week. I’m at the Monad GTM offsite cooking up some heat. We’re co-hosting an event with Scanner.dev at RSAC on March 23rd at Fang. Come hang out if you’ll be in town. Register here.

Big week in security per usual. Let’s dive in!

TL;DR 🗞️

• 📊 PANW beats Q2, drops $400M on Koi, cuts CyberArk staff — $2.6B Q2 revenue; acquisition spree continues; ~400 staff cuts; platformizationnnnn

• 🏆 Wiz launches AI Cyber Model Arena benchmark — 257 real-world offensive challenges; Claude Code on Opus 4.6 tops 25 agent-model combos at ~$2/run

• 🔥 Latio's 2026 AppSec report declares runtime the source of truth — AI-accelerated code is expanding vuln backlogs; AI-native SAST is booming; runtime is still king

• 🎮 Hack The Box ships offensive AI security CTF pack — 11 challenges mapped to OWASP LLM Top 10 and ML Top 10; includes MCP server attacks

• 🧠 Cisco ships security-tuned 8B model into Splunk ES — Foundation-Sec-8B replaces Llama-3.1-70B for alert summaries; better latency, lower cost

• 🛒 Check Point acquires three Israeli startups, beats 2025 earnings — ~$150M for Cyata, Cyclops, Rotate; FY25 revenue $2.7B (+6%), non-GAAP EPS $11.89 (+30%)

• 🏗️ AWS publishes AI-powered defense-in-depth blueprint — 7-layer serverless security architecture with Bedrock agents for autonomous threat analysis

• 👜 South Korea fines LVMH brands $25M over Salesforce breaches — 5.5M customer records exposed; no IP controls, no export limits, no log reviews

• 📷 Ring kills Flock Safety partnership after Super Bowl ad backlash — Consumer sentiment killed surveillance integration faster than any regulator could

• 🔑 Oso + Tailscale tackle coding agent permissions gap — 96% of human permissions unused in 90 days; agents inherit all of them

• 👻 Okta ISPM adds shadow AI agent discovery — Detects unsanctioned AI agents via OAuth consents; Gartner: 69% of orgs have prohibited GenAI use

• 🏢 Booz Allen acquires Defy Security for commercial cyber expansion — Brings Vellox Reverser malware analysis; strengthens UK/EU presence across financial, healthcare, energy

• 💰 VulnCheck raises $25M Series B for ‘exploit intelligence’ — Enterprise ARR up 557%; 32% of vulns weaponized on disclosure day, up 36% from 2024

⚒️ Picks of the Week ⚒️

Palo Alto Networks Drops $400M on Koi, Cuts Hundreds at CyberArk, and Spooks Wall Street on Guidance

Big week in PANW land with 3 major stories. Koi deal is timely heading into RSAC + given agentic AI security concerns. CyberArk staff cuts to be expected. Strong earnings.

The Koi deal

Palo Alto Networks is acquiring Koi Security for ~$400M. Koi tackles a gap most endpoint tools weren’t built for: securing the non-binary files proliferating across enterprises today. Think AI training datasets, scripts, browser extensions, plugins, and code editor add-ons. Koi intercepts risky downloads with approval workflows, runs behavioral analysis on files post-install, and monitors for supply chain-style update poisoning.

From VSCode exploit to $400M exit in under two years.

Koi’s origin story is worth the read. Founded in 2024 by Unit 8200 alumni, the team proved their thesis by building a fake VSCode theme extension called “Darcula Official” that secretly exfiltrated source code and machine data. Within a week, it compromised 300+ organizations, including Fortune 50 companies and a major EDR vendor. That experiment became ExtensionTotal, which evolved into Koi’s broader platform.

The company raised $48M (including a $38M Series A led by Battery Ventures and Team8) in September 2025, scaled to 500,000+ protected endpoints, and hit seven-figure ARR in eight months. Now it’s a ~$400M exit less than 18 months after founding. Not a bad return for Battery.

PANW plans to fold Koi into Cortex XDR and Prisma AIRS, branding the combined play “Agentic Endpoint Security.” Hadar Oren, SVP of product management for Cortex, framed the rationale bluntly: AI agents “can autonomously discover, invoke and even install additional components at machine speed.”

CyberArk layoffs

Meanwhile, PANW completed its $25B CyberArk acquisition and laid off hundreds of CyberArk employees the very next day. Over 10% of CyberArk’s roughly 4,000 staff are affected, including dozens in Israel. The company called it “strategic organizational changes” in overlapping roles.

Earnings

Fiscal Q2 was strong on paper: $2.6B revenue (up 15% YoY), next-gen security ARR surging 33% to $6.33B, and remaining performance obligations hitting $16B. But forward guidance disappointed Wall Street, with the stock dropping 5%+ after hours. PANW is clearly reinvesting hard and telling investors to be patient.

Dig Deeper: SiliconANGLE (Earnings) | SiliconANGLE (Koi) | CyberScoop | Calcalist (Koi) | Calcalist (CyberArk layoffs)

Wiz Research Launches AI Cyber Model Arena: 257 Real-World Challenges Benchmarking Offensive AI Agents

Wiz Research dropped one of the more interesting public research efforts i’ve seen lately: the AI Cyber Model Arena, a benchmark of 257 real-world offensive security challenges spanning zero-day discovery, CVE detection, API security, web security, and cloud security (AWS/Azure/GCP/K8s).

Top performers: Claude Code on Claude Opus 4.6, with Gemini 3 Pro close behind.

Offensive capability is jointly determined by agent scaffold and model, and performance swings dramatically by domain.

This is one of the first serious attempts to standardize how we measure AI offensive capabilities in security. Very cool work by the Wiz research team. Would love to see how the leaderboard evolves over time.

Latio Drops Its 2026 Application Security Market Report, and It’s a Banger

and the team just released their 2026 Application Security Market Report, a 72-page deep dive covering survey data, vendor evaluations, and hands-on product testing across the entire AppSec landscape.

Full disclosure: I haven’t had time to fully digest this thing yet, but I’m about 20 pages in and it’s already one of the most useful analyst reports I’ve read this year. A couple things that jumped out early:

AI-native SAST is the real deal. Latio calls it a “generational improvement,” and the reasoning is compelling. AI-powered static analysis can now detect business logic flaws that traditional rule-based engines simply can’t catch. The report highlights vendors like Zeropath, Corgea, Semgrep, and Endor Labs as leaders here. The key insight: your SAST engine matters less than the quality of your rules, and AI is rewriting that equation entirely.

ASPM as a standalone category is dead. The report argues that “management without scanning” never justified its own budget line. The category has collapsed into CTEM, with enterprises never intending to centralize under a single management layer. Third-party integrations were a stopgap, not a strategy.

Developer experience now outranks detection quality in tool selection. That’s a significant shift. Survey respondents ranked DX as the #1 deciding factor when choosing AppSec tools, ahead of false positive rates. Meanwhile, 84% flagged AI-generated code security and supply chain malware as their top 2026 concerns.

Latio is one of the few analyst firms that actually tests the products it covers, and it shows. The practitioner-first lens makes this required reading for anyone evaluating AppSec tooling in 2026. The AI code security section alone is worth the download. I’ll be digging into the full report over the coming weeks and sharing more takeaways. Grab it from Latio’s site.

Hack The Box Drops Offensive AI Security CTF Pack

Hack The Box launched a challenge pack tailored toward offensive AI security. 11 challenges mapped to the OWASP LLM Top 10 and OWASP ML Top 10. The first 7 cover practical LLM exploitation accessible to pentesters (prompt injection, agent manipulation, MCP server attacks). The final 4 go deeper into ML-layer attacks most red teams have only read about in papers: adversarial examples, gradient leakage, federated learning backdoors, and LoRA artifact exploitation.

This is fire. If I were still a pentester, I’d be all over it.. I may still test it out if I ever get the time 😞

AWS Publishes AI-Powered Defense-in-Depth Blueprint for Serverless Security

AWS published a detailed reference architecture layering AI-powered security controls across serverless microservices. The blueprint maps seven security layers from edge to data: Shield and WAF at the perimeter, Cognito adaptive auth with compromised credential detection, API Gateway with schema validation, VPC network isolation, Lambda least-privilege with CodeGuru ML code analysis, Secrets Manager rotation, and DynamoDB encryption with fine-grained IAM.

Pretty cool but I’d imagine this costs an arm and a leg to run at scale lol.

Amazon Ring Kills Flock Safety Partnership After Super Bowl Surveillance Ad Backlash

Amazon’s Ring terminated its planned integration with police surveillance company Flock Safety after a Super Bowl ad ignited a public firestorm. The 30-second spot showed a lost dog tracked across a neighborhood by Ring cameras using AI, and viewers immediately asked the obvious question: if it can find a dog, it can find a person.

Slippery slope which is already taking place behind the scenes.

Related: DHS Sent Hundreds of Subpoenas to Unmask Anti-ICE Social Media Accounts

South Korea Fines LVMH Brands $25M After Salesforce Breaches Exposed 5.5 Million Customers

South Korea’s privacy regulator hit Louis Vuitton, Dior, and Tiffany with a combined $25M in fines after hackers popped their Salesforce instances and walked off with data on 5.5 million customers.

Louis Vuitton took the biggest hit at $15M after malware on an employee device led to credential theft across three separate breaches (3.6M records). The breaches are tied to the broader Scattered LAPSUS$/ShinyHunters campaign targeting Salesforce customers.

LV can make the fine $ back after selling 20 bags so I think they’ll be ok. The fine does set a strong precedence for those operating in SK though.

🔮 The Future of Security 🔮

AI Security

Oso Partners with Tailscale to Lock Down Coding Agent Permissions

The “agents inherit developer permissions” problem is one of the biggest unaddressed gaps in security, and Oso is one of the best positioned to go after it.

They launched ‘Oso for Coding Agents’, integrated with Tailscale’s Aperture, to bring viz and automated least-privilege controls to coding agents like Claude Code, Cursor, and Codex. The product monitors every agent tool call across an org, applies risk scoring, and fires alerts on anomalous behavior: new MCP servers, data exfiltration risk, PII exposure, unauthorized tool use.

Oso’s internal research found 96% of human permissions go unused in a 90-day window, and agents inherit all of them.

More AI news ⬇️

• The Skills That Will Matter for Offensive AI Security in 2026

• Top 10 actions to build agents securely with Microsoft Copilot Studio

• Check Point Announces Trio of Acquisitions Amid Solid 2025 Earnings Beat

Identity & Access Management

Okta Adds Shadow AI Agent Discovery to Identity Security Posture Management

Okta shipped new Agent Discovery capabilities in its ISPM product to find and map shadow AI agents that employees are spinning up without IT oversight. The feature detects OAuth consents from unsanctioned platforms and unvetted agent builders, maps relationships between client and resource apps, and alerts when unknown agents gain permissions to critical data. Shadow AI is shadow IT on steroids.

More IAM news ⬇️

• GitGuardian Raises $50M Series C to Address Non-Human Identities Crisis and AI Agent Security Gap

• 1Password open sources a benchmark to stop AI agents from leaking credentials

Managed Service Providers / VARs

Booz Allen Acquires Defy Security to Expand Commercial and International Cyber

Booz Allen Hamilton is acquiring Defy Security to expand its commercial and international cyber business across financial services, healthcare, manufacturing, and energy. Booz is a trusted name and Defy will help them w/ distribution of whatever security offerings they may have.

Security Operations

Cisco Ships Security-Tuned Foundation AI Model into Splunk Enterprise Security

Cisco’s Foundation AI team shipped its custom-tuned Foundation-Sec-8B-1.1-Instruct model into the Splunk AI Assistant in Splunk Enterprise Security, replacing previous Llama-3.1-70B model calls.

The model powers alert summary generation, producing structured incident overviews, alert timelines, MITRE ATT&CK mapping, and recommended next steps. I’d imagine this model will power their detection gen and fine-tuning capabilities, threat hunting, and whatever else they want to add to their offerings.

Fine-tuned models perform better at their set of tasks than a larger general purpose model.. Splunk has boat loads of proprietary data so it’ll be tough for competing vendors to keep up, imo.

Cisco used novel synthetic data generation and curriculum learning to tune the 8B-parameter model specifically for SOC workflows.

Vulnerability Management

VulnCheck Raises $25M Series B to Scale Exploit Intelligence

VulnCheck closed a $25M Series B led by Sorenson Capital, with participation from National Grid Partners, Ten Eleven Ventures, and In-Q-Tel, bringing total funding to $45M.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 125+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

AI has changed email attacks - but most defenses haven’t

Modern phishing blends text, images, links, QR codes, and social engineering to bypass legacy tools.

Varonis offers a free Email Risk Assessment to show the real threats already landing in your users’ inboxes. Get a 90-day lookback, live attack visibility, and a clear report - all backed by real production data.

See what your email security is missing.

Start your free assessment.

Howdy 👋 - What a week it’s been. Six weeks out from RSAC and the industry is already running hot with tons of rumbling underneath the surface.

Innovation Sandbox finalists dropped, earnings are rolling in, and every vendor on the planet is sharpening their pitch decks. It’s a lot. Lucky for you, I read it all so you don’t have to.

This week’s issue is stacked (!) but two quick plugs before we dive in:

• 🕸️ The Black Hills Information Security/Antisyphon Training crew and John Strand are hosting a free, virtual SOC Summit on March 25 (10AM-4PM ET) with 11 expert speakers covering real-world SOC operations. Highly recommend if you’re a SecOps operator in any capacity.

• 📝 I also dropped a new post this week: The Great Decoupling: Separating Your SIEM from Your Data Layer. It’s a great snapshot of architectural discussions many teams are having.

Cool, let’s dive in!

TL;DR 🗞️

• 🤖 Opus 4.6 Finds 500+ High-Severity Vulns — Anthropic's model discovered novel flaws in open-source libraries with no custom tooling or specialized prompting

• 🏆 RSAC Innovation Sandbox 2026 — 10 finalists announced, $5M each; 6 of 10 building for agentic AI security

• 🧠 AI Burnout Is Already Here — UC Berkeley study: AI tools didn’t reduce hours; to-do lists expanded to fill freed time

• 🚨 Google: APTs Using Gemini AI Across Full Kill Chain — First malware families calling LLMs at runtime; 100K+ prompt distillation attack on Gemini; mirrors Anthropic's finding that AI is now the operator, not just the tool

• 📊 Cloudflare Crushes Q4 Earnings — $614.5M revenue, up 34% YoY; largest contract ever at $42.5M/year

• 🐛 FIRST Projects 50K+ CVEs in 2026 — Median forecast of 59,427 new CVEs; first year crossing the 50K threshold

• 💰 Vega Security Raises $120M Series B — AI-native SIEM alternative valued at $700M; Fortune 500 logos already signed

• 🤖 Ex-GitHub CEO Raises Record $60M Seed — Thomas Dohmke’s Entire valued at $300M; open-source Checkpoints tool captures AI code provenance

• 🔐 Reco Raises $30M Series B — AI SaaS security platform fueled by 500% YoY growth; $85M total raised

• 🛡️ Nucleus Security Raises $20M Series C — Exposure management platform ingesting from 200+ tools across IT, cloud, appsec, and OT

• 🎯 Complyance Raises $20M Series A — GV-led round for AI-native GRC with 16 purpose-built agents live today

• 🔬 Microsoft Drops Dual LLM Security Research — Backdoor scanner for open-weight models plus single-prompt unalignment across 15 model families

• 🌐 Wiz Ships Backstage Plugin — Security findings now surfaced inside Spotify’s developer portal at GA

• 🧰 THOR Collective: How I Use LLMs for Security Work — Josh Rickard’s practical guide to prompting LLMs for SOC analysts and threat hunters

⚒️ Picks of the Week ⚒️

Anthropic’s Opus 4.6 Discovers 500+ High-Severity Vulns in Open-Source Libraries

Anthropic’s Red Team dropped a bombshell along with their latest model release. During testing, Claude Opus 4.6 identified over 500 previously unknown high-severity vulnerabilities across open-source software libraries.

500 novel findings in codebases that have had fuzzers running against them for years, some with bugs that went undetected for decades… Wild.

The model was pointed at open-source projects and given standard vulnerability analysis tools, but received no custom scaffolding, no specialized prompting, and no instructions on how to find bugs. It figured out its own methodology, including reading Git commit histories to find similar unpatched flaws and reasoning through compression algorithms to craft proof-of-concept exploits. Out-of-the-box capability, not months of fine-tuning.

For security teams running open-source dependencies (pretty much everyone), the window between discovery and exploitation just got shorter.

Dig Deeper: Anthropic Frontier Red Team Report | Fortune | Axios

FIRST Forecasts 50,000+ CVEs in 2026

FIRST’s 2026 Vulnerability Forecast projects a median of roughly 59,427 new CVEs this year, with a 90% confidence interval ranging from 30,000 to 117,000. If the median holds, 2026 will be the first year to cross the 50,000 CVE threshold, a milestone FIRST calls “significant in vulnerability disclosure history.” Realistic scenarios push the number as high as 70,000 to 100,000.

FIRST’s methodology, built on historical CVE records and NVD/MITRE publication trends, hit a 7.48% error rate on 2025 yearly predictions and 4.96% for Q4 2025. It also projects continued growth: median estimates of 51,018 CVEs in 2027 and 53,289 in 2028, with upper bounds approaching 193,000 by 2028.

My first reaction is “shit, that’s a lot of vulns”. Second reaction is this is extremely validating for vendors doing any sort of vulnerability prioritization. Third reaction is that this ties well into the Anthropic story we just covered above.

RSAC 2026 Innovation Sandbox: 10 Finalists, $5M Each, and a Very Clear Theme

RSAC announced the 10 finalists for its 21st Innovation Sandbox contest, each awarded a $5M SAFE investment ahead of three-minute pitches at Moscone on March 23.

The Class of 2026: Charm Security, Clearly AI, Crash Override, Fig Security, Geordie AI, Glide Identity, Humanix, Realm Labs, Token Security, and ZeroPath.

6 of 10 finalists are building for agentic AI security, AI governance, or human-layer defense.

The standouts for me are Realm Labs (inference-time observability is a genuinely unsolved problem), Geordie AI (agent governance with serious pedigree from Snyk, Veracode, and Darktrace founders, plus the Black Hat Europe 2025 Startup Spotlight win), and Glide Identity (SIM-anchored cryptographic auth is a fundamentally different approach than MFA).

I’m working on a standalone deep dive breaking down each finalist, what they actually do, and who has a real shot. Stay tuned.

Dig Deeper: RSAC Finalists Announcement

Google: State-Backed Hackers Caught Using Gemini Across the Full Kill Chain

Google’s Threat Intelligence Group (GTIG) released its latest AI Threat Tracker, and it validates what many of us have known for a while + was covered by anthtropic in November 2025. Adversaries are deploying AI-enabled malware in live operations.

APT groups from China, Iran, North Korea, and Russia are using Gemini for reconnaissance, phishing, C2 development, and data exfiltration.

GTIG identified two malware families, PROMPTFLUX and PROMPTSTEAL, that call LLMs during execution.

GTIG also flagged a surge in “distillation attacks.” One campaign hit Gemini with 100,000+ prompts attempting to extract reasoning traces.

The Anthropic parallel tracks exactly. In November 2025, Anthropic disrupted a Chinese state-sponsored group using Claude Code as an autonomous penetration orchestrator, with AI executing 80-90% of operations independently. I’d imagine there’s overlap in these threat actors and that they’re working for govts.

None of this is surprising but it’s certainly worth tracking.

Dig Deeper: GTIG AI Threat Tracker | Anthropic: AI-Orchestrated Espionage (Nov 2025) | BleepingComputer

The First Signs of AI Burnout Are Here, and Security Teams Should Be Paying Attention

A new study published in Harvard Business Review tracked what happened when employees at a 200-person tech company genuinely embraced AI tools over eight months. UC Berkeley researchers found nobody worked less.

To-do lists expanded to fill every hour AI freed up, then kept going. Separately, a METR trial found experienced developers using AI tools took 19% longer on tasks while believing they were 20% faster. An NBER study across thousands of workplaces measured actual productivity gains at just 3%.

Sound familiar? Vendors promise AI will finally solve SOC analyst and incident response burnout, alert fatigue, and the eternal “staffing gap.” The tools are getting genuinely better, and the right AI tooling on top of a well-architected SOC can be a real force multiplier. But if the pattern from this research holds, “faster” just means leadership expects more coverage, more investigations, more reporting, not fewer hours. The alert queue may shrink faster. You’ll detect and address threats sooner. But the roles will evolve to cover more ground, and operators should plan for that.

AI won’t save us from bad architecture, understaffed teams, or alert pipelines that were broken before the LLM showed up.

Cybersecurity Earnings Season Opens Strong: Cloudflare, Fortinet, Qualys All Beat

Early returns from Q4 earnings season are painting a healthy picture for cybersecurity and infrastructure spending.

Cloudflare stole the spotlight: $614.5M in Q4 revenue (up 34% YoY), crushing the Street’s $591.3M estimate. CEO Matthew Prince disclosed the company’s largest contract ever at $42.5M/year (🤯).

Fortinet posted $1.91B in Q4 revenue (up 15% YoY) with billings surging 18% to $2.37B and product revenue up 20%, suggesting the firewall refresh cycle is alive and well even though Fortinet has had a slew of critical vulnerablities over the past year+… Seems like their product is pretty sticky for vulns not to cause churn? Either way, they’re doing something very right.

Rapid7 posted $217.4M in Q4 revenue (up just 0.5% YoY). Full-year 2025 revenue hit $860M (up 2% YoY) with ARR flat at $840M. Sounds like they’ll be making a strong push for services/MDR in coming quarters.

Qualys delivered $175.3M in Q4 revenue (up 10% YoY)

Dig Deeper: Cloudflare Q4 Results | Fortinet, NetScout, Qualys Q4 Results | Rapid7

Vega Security Raises $120M Series B to Kill Legacy SIEM Model

Friends of the newsletter Vega Security closed a $120M Series B led by Accel with Cyberstarts, Redpoint, and CRV, nearly doubling their valuation to $700M and bringing total funding to $185M.

Vega is building a SecOps suite that adds federated detection and response capabilities across cloud services, data lakes, and existing storage, giving teams flexibility in how they query and act on security data at scale.

Approach seems to be resonating with recent multi-million-dollar contracts with banks, healthcare companies, and Fortune 500 firms including Instacart. Also worth noting that Vega has scaled to 100 employees in ~2 years since inception.

TCP readers got the early look as we covered Vega six months before they came out of stealth.

🔮 The Future of Security 🔮

AI Security

Microsoft Publishes Back-to-Back LLM Security Research: Backdoor Detection and One-Prompt Unalignment

Microsoft dropped two significant AI security research posts in one week. The first introduces a practical scanner for detecting backdoored open-weight language models at scale. The research identifies three “signatures” in poisoned models: trigger tokens hijack the model’s attention mechanism, creating a distinctive pattern that’s measurably different from clean models. Builds on Anthropic’s earlier “sleeper agents” work showing safety post-training fails to remove embedded backdoors.

The second paper is arguably more alarming: a single unlabeled prompt was enough to reliably strip safety alignment from 15 open-weight models across DeepSeek, GPT-OSS, Gemma, Llama, Ministral, and Qwen families, with minimal loss of utility. The technique reverses the same methods used to improve model safety.

Two takeaways: open-weight model supply chains need integrity scanning before deployment, and current alignment techniques remain not the best. If you’re running open-weight models in production, both papers are required reading, imo.

More AI news ⬇️

• SentinelOne debuts lifecycle platform for AI security

Application Security

Ex-GitHub CEO Raises $60M Seed to Tackle AI Code Provenance

Former GitHub CEO Thomas Dohmke launched Entire with a $60M seed round at a $300M valuation, led by Felicis with Madrona, M12 (Microsoft), Basis Set, Jerry Yang, and Datadog CEO Olivier Pomel.

The company is building AI-native developer infrastructure to solve a growing problem: as AI agents write more production code, engineering teams can’t review it fast enough or trace why decisions were made.

What it does:

• Checkpoints, an open-source CLI that captures full context behind AI-generated code: prompts, transcripts, agent decision steps, implementation logic

• Git-compatible database unifying AI-produced code with a semantic reasoning layer for multi-agent collaboration

• Supports Claude Code and Gemini CLI today

The security angle here is supply chain integrity for AI-generated code. If your agents are shipping code faster than humans can audit it, provenance tracking is crucial. Worth watching as AI coding tools move from “assist” to “author.”

More AppSec news ⬇️

• Wiz Launches Spotify Backstage Plugin for Developer-First Security

Browser Security

Zscaler Acquires Browser Security Firm SquareX

Zscaler acquired SquareX, an 80-person browser detection and response (BDR) startup that raised $26M including a $20M Series A led by SYN Ventures. SquareX’s lightweight browser extension delivers zero trust enforcement, DLP, and device posture checks in Chrome, Edge, Firefox, and Safari without requiring a standalone enterprise browser or full agent.

More BrowserSec news ⬇️

• “Own the Browser,” an Open-Source Browser Evaluation Framework

Governance, Risk, and Compliance

Complyance Raises $20M Series A for AI-Native GRC

Complyance closed a $20M Series A led by GV, with Speedinvest, Everywhere Ventures, and angels from Anthropic and Mastercard participating. Total raised sits at $28M. The platform deploys AI agents to automate governance, risk, and compliance workflows, running continuous checks against company-specific criteria and risk thresholds instead of the traditional quarterly audit cycle.

Identity & Access Management

Keycard Labs Acquires Anchor.dev to Build Identity Layer for AI Coding Agents

Keycard Labs acquired certificate management startup Anchor.dev, bringing on a team with infrastructure experience from Cloudflare, GitHub, and Heroku. Keycard provides short-lived, task-based credentials for coding agents (Cursor, Claude Code, Codex, Windsurf) accessing production systems, with a single identity and audit layer across MCP, CLI, and agent-created tooling. As agentic dev tools get deeper production access, expect identity and access governance to become the bottleneck everyone scrambles to solve.

Product Security

Nullify Raises $12.5M Seed for AI-Powered Product Security Workforce

Nullify closed a $12.5M seed led by SYN Ventures with Black Nova Venture Capital, bringing total raised to $16.9M. The company pitches autonomous “AI employees” that handle vuln detection, triage, exploit validation, and remediation end-to-end, shipping merge-ready fixes directly to developers.

SaaS Security

Reco Raises $30M Series B for AI SaaS Security

Reco closed a $30M Series B led by Zeev Ventures, bringing total funding to $85M. The round comes less than 10 months after its last raise, fueled by 500% YoY growth in 2024 and an additional 400% in 2025. The platform provides continuous discovery and governance across AI SaaS apps, autonomous agents, shadow AI, and MCP connections, covering 215+ integrations. Customers include Fortune 500s across finance, healthcare, pharma, and tech.

SaaS security was already a top concern but enterprise AI adoption has poured gas on that and Reco is capitalizing on it.

Security Operations

How I Use LLMs for Security Work -

Josh Rickard walks through six practical prompting techniques for security practitioners using Claude, Cursor, and ChatGPT: role-stacking (layering multiple perspectives per prompt), being explicit about your tech stack, requesting validation to reduce hallucinations, and framing questions as systems problems rather than point solutions.

Great primer for analysts and threat hunters experimenting with their LLM workflows.

AiRRived Emerges from Stealth with $6.1M for Agentic OS

AiRRived launched from stealth with a $6.1M seed led by Cannage Capital, with Plug and Play Ventures, Rebellion Ventures, and Inner Loop Capital participating. Airrived builds an “Agentic OS” that unifies SOC, GRC, IAM, vuln management, IT, and business operations into a single agentic layer.

I think their approach is cool. Goes toe-to-toe with the Palo Alto’s and CrowdStrike’s of the world whose moat has dwindled a bit given AI development advances. However, large players are mostly safe for now given their biggest moats are talent density and distribution channels.

More SecOps news ⬇️

• Halcyon’s IR Partner Program Lets MSSPs Deliver Ransomware Response Without Losing Customer Ownership

• LevelBlue will acquire MDR provider Alert Logic from Fortra

Vulnerability Management

Nucleus Security Raises $20M to Scale Exposure Management Platform

Nucleus Security closed a $20M Series C led by Delta-v Capital with Arthur Ventures, bringing total funding to roughly $86M. The platform acts as a centralized system of record for vulnerability and exposure management.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 125+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

The core architecture of SIEMs was never designed to solve modern SOC problems. Think ingesting 5TB/day of logs from 40+ sources, varying schemas, log quality, and low fidelity atomic alerts. It’s why forward-thinking teams at HSBC, Rippling, Brex and countless others are decoupling their data pipeline from their SIEM. AI/ML tooling has put a magnifying glass to this problem. Models don’t tolerate messy or incomplete data the way humans do.

After years as a security consultant and detection engineer, I've concluded that the data layer must be decoupled from the SIEM. The science nor the math make sense anymore and it hasn't for a while.

That conviction is why I've spent the past 2.5 years working on this problem at Monad, so I'm not unbiased. The timing has always felt right, but now it feels more important than ever. In this post, I'll highlight why.

Built to Search, Paid to Ingest

SIEMs were designed to be search engines with alerting capabilities. Somewhere along the way, vendors realized they could charge per gigabyte ingested, and log ingestion became a revenue driver rather than a customer success priority.

Think about what the SIEM actually does well: indexing logs, running queries, correlating events, creating historical baselines, and firing alerts.

Now think about what most SIEMs claim to do: collect data from N sources, normalize it into a consistent schema, route it to themselves, transform it and enrich it.

These are fundamentally different disciplines. The architectures don’t overlap. And the incentive structures definitely don’t overlap. SIEM vendors maintain hundreds of integrations across thousands of customers while adding AI SOC, SOAR, UEBA, agentic threat hunting, risk scoring and countless other features. They’re generalist platforms that thrive in search and alerting, not data engineering.

SIEM vendors make money when you ingest more data. They have zero incentive to help you route logs to cold storage at a fraction of the cost or send copies to your data lake for ML experiments.

Lock-in doesn’t hurt on day one. It hurts on year three when your vendor raises prices 40% and you realize your entire detection library, your normalized schemas, your enrichment logic, and your historical data are all trapped in a proprietary format and it would take 6+ months to migrate.

The Multi-Destination Era

Security data needs to live in more places than ever:

• SIEM for real-time detection and response

• Data lake + BI for threat hunting, dashboarding, and homegrown AI/ML

• Cold storage for compliance and incident response replay

• AI triage tools and analytics platforms that need access to the same telemetry

Now try to accomplish this with your SIEM as the central hub. Most SIEMs have little to no native support for routing data to external destinations.

Splunk, for example, has no native integration to send data to Databricks or ClickHouse. This is the routing compatibility problem, and it’s only gotten worse as security teams adopt more specialized tools and the enterprise sprawls into more SaaS and AI apps.

AI Doesn't Fix Bad Data

AI is changing how security teams operate, and every AI use case lives or dies on data quality and availability.

AI-powered SOC triage is the future. But right now, these tools are not ready for full unsupervised production use. Data availability and quality are the main culprits.

Talk to folks who have POC’d AI SOC vendors and you’ll hear they demo beautifully, reduce MTTR tremendously, and the UI is neat. But when digging into the actual triage output and reasoning, you may find the AI described a full attack chain: cmd.exe spawned PowerShell, which spawned certutil. But the actual data only had the certutil execution. The parent process fields were null. That's a model failure and a data failure. But only one of them is fixable upstream (unless you own + fine-tune your model).

When AI triage agents ingest unnormalized logs, heavily nested JSON with inconsistent field names, or events missing critical context, they hallucinate. They correlate events that shouldn’t be correlated because timestamps are formatted differently across sources. They miss obvious conclusions because the enrichment data that would make it obvious was never joined.

AI SOCs are only as good as the data they can access:

• No HR data? Can’t understand org structure.

• No asset inventory? Can’t distinguish a server from a laptop.

• Missing identity logs? Flying blind on user behavior.

When your SIEM owns the pipeline, your data is normalized to their schema, optimized for their query engine, stored in their proprietary format. The organizations that stand to gain the most from AI in security have full control over their data layer.

Credit where it’s due: Some AI SOC vendors like Prophet Security and Intezer aren’t just throwing LLMs at messy data and hoping for the best. They’re taking more deterministic, evidence-based approaches that surface data gaps rather than hallucinating over them.

What Decoupling Actually Looks Like

Decoupling means separating concerns, not building everything yourself.

Your data pipeline handles collection, parsing, normalization, enrichment, and routing. Source-agnostic. Destination-agnostic. Your SIEM / data lake receives clean, enriched data and does what it was built for: detection and investigation.

Purpose-built pipelines offer better filtering, routing flexibility, scalability, and observability. Typically at a fraction of SIEM ingestion costs.

This also gives you optionality:

• Migrate SIEMs? Your pipeline stays intact.

• Add a data lake? Add a route.

• Experiment with AI-powered triage? Run platforms in parallel without doubling ingestion costs.

• Vendor plays pricing games? You have real leverage to walk away.

When you own your pipeline, your SIEM becomes a destination, not a dependency.

The Path Forward

The window is open. SIEMs were never designed to be data pipelines, and the architecture+incentive mismatch is more obvious than ever. Vendor lock-in is getting harder to justify when budgets are tight and better options exist. AI capabilities are finally practical but demand clean data to function. The teams that own their pipeline will be the ones who actually get value from what comes next.

This is the problem we’re solving at Monad. We’re building a security data pipeline platform that gives teams full control over collection, normalization, enrichment, and routing. No vendor lock-in. No ingestion taxes. Just clean data flowing where it needs to go.

If you’re dealing with SIEM cost overruns, data quality issues, or want to future-proof your stack for AI, let’s talk.

Subscribe now

Share

Unified Patching for Windows, macOS, and Now Linux 🐧

Action1 now supports Linux, completing our unified cloud-native platform for autonomous patching across every major OS and third-party app. Gain real-time, enterprise-wide visibility, automate remediation, and deploy updates at scale—with zero infrastructure.

Your first 200 endpoints are free, forever—with no feature limits, no expiration, and no trial strings attached. It’s the fastest way to evaluate Action1 in real environments and scale when you’re ready.

Start Now

Want to sponsor the TCP newsletter? Learn more here.

Howdy! 👋 Another wild week in security esp. with the moltbook/openclaw craze which has sent social media and indie devs in a frenzy. Many security implications and precedents set which we cover in a later section.

Aside from that, we’re about 6 weeks from RSAC so things will start heating up real soon across M&A, funding, product launches etc. I’m also looking forward to seeing which co’s are selected for RSAC’s innovation sandbox.

Quick plug: Intezer is going live tomorrow to unveil their 2026 AI SOC Report findings. Worth attending if you’re evaluating AI SOC stuff in any capacity.

In any case, we have a ton to get to so let’s dive in!

TL;DR 🗞️

• 🔥 OpenClaw/Moltbook dumpster fire continues — 1-click RCE, 341 malicious skills, 1.5M exposed API tokens; Wiz found Supabase key in client-side JS

• 🏰 Palantir drops Agentic Runtime framework — An inside looks at how Palantir secures agentic AI; covers compute, memory, tools, lineage, change management

• 🐕 MaliciousCorgi VS Code extensions hit 1.5M devs — Two AI coding assistants exfiltrating source code to China; still live in marketplace. Great research by Koi

• 🍎 Apple Platform Security Guide updated — 262 pages covering Secure Enclave, biometrics, FileVault, quantum-secure crypto

• 🔍 DryRun launches DeepScan Agent — Full-repo security assessments in hours; intent-first vs syntax-first SAST

• 🤝 Varonis acquires AllTrue.ai — Adds AI TRiSM to data security platform

• 💰 Outtake raises $40M Series B — Deepfake + impersonation defense. Angels include Satya Nadella, Nikesh Arora, Bill Ackman; ARR up 6x YoY

• 🛡️ Orion Security raises $32M Series A — AI-powered DLP replacing static policies with context-aware detection

• 🎖️ RADICL raises $31M Series A — Autonomous vSOC for defense SMBs; revenue up 7x YoY

• 📦 RapidFort raises $42M Series A — Automated supply chain security; container sec

• 🤖 Kasada raises $20M — Bot mitigation at ~$300M valuation

• 🔗 Mesh Security raises $12M — Security mesh architecture platform

• ☁️ Zscaler unveils AI Security Suite — Shadow AI discovery, Zero Trust for AI traffic, automated red teaming

⚒️ Picks of the Week ⚒️

The OpenClaw Chaos: A Field Guide to the Dumpster Fire

If you’ve been struggling to follow the Clawdbot/Moltbot/OpenClaw/Moltbook saga this past week, you’re not alone. So much has happened in such a short time frame. Feels like months of dumpster fires compressed into 2 weeks.

Here’s the latest:

OpenClaw (formerly Moltbot, formerly Clawdbot) is an open-source AI agent that runs locally and can manage your calendar, send messages via WhatsApp/iMessage, shop online, and execute shell commands. Created by Peter Steinberger in November 2025, it exploded to 149,000+ GitHub stars and 21,000+ publicly exposed instances after getting signal-boosted by Andrej Karpathy and Simon Willison.

Moltbook is the Reddit-style social network where OpenClaw agents post and interact, entirely “vibe-coded” by entrepreneur Matt Schlicht. It now claims 1.5 million registered agents across 14,000 “submolts.” This one sent the internet in a frenzy as people claimed it was AGI of sorts… Autonomous driving is closer to AGI than this is.

The Security Incidents (So Far):

1. One-Click RCE (CVE-2026-25253): DepthFirst researcher Mav Levin discovered that visiting a single malicious webpage could compromise any OpenClaw instance in milliseconds. The attack chain exploits missing WebSocket origin validation to steal auth tokens, disable sandboxing via the API, and achieve full host compromise. Even localhost-only deployments were vulnerable because the victim’s browser initiates the connection. Patched in v2026.1.29.

2. 341 Malicious Skills on ClawHub: Koi Security identified 341 malicious OpenClaw extensions masquerading as legitimate tools. 335 of them trick users into installing Atomic Stealer (AMOS) malware on macOS through fake “prerequisites.” That campaign has been dubbed “ClawHavoc.”

3. Moltbook’s Exposed Database: Wiz researchers found a Supabase API key sitting in client-side JavaScript within minutes of browsing. Missing Row Level Security meant full read/write access to the entire production database: 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents, some containing plaintext OpenAI API keys.

This is on top of the dumpster fire Clawdbot was which we covered last week.

Quotes:

• Laurie Voss (founding CTO of npm): “OpenClaw is a security dumpster fire.”

• Matt Schlicht (Moltbook creator): “I didn’t write one line of code for Moltbook. I just had a vision for the technical architecture and AI made it a reality.”

• Cisco’s verdict: “Personal AI Agents like OpenClaw Are a Security Nightmare.”

For Defenders: Hunting OpenClaw in Your Environment

Nebulock published a stellar practical guide for hunting OpenClaw and similar agentic AI frameworks through behavioral indicators.

At the end of the day, this is not the first time that a vibe-coded app has been found to be inherently insecure. However, there are other firsts worth paying attention to on the human+AI societal front.

Should we let agents build their own social networks without much guardrails? What if AI/ML models used in enterprises end up being trained including some of those data sets? Slippery slope, imo.. Not to mention how wild it is for ppl to give openclaw access to their WhatsApp, Telegram even after knowing its ripe with vulns.

Huge kudos to all research teams digging into this. Exposing how shit the security of all this is how we prevent it from gaining mass adoption until security is improved.

I’m sure we’ll be talking about OpenClaw again next week. Maybe they’ll rebrand again?

Dig Deeper:

• Wiz: Exposed Moltbook Database Reveals Millions of API Keys

• DepthFirst: 1-Click RCE Kill Chain

• Nebulock: Hunting OpenClaw Through Behavior

• The Register: OpenClaw Security Problems

• Cisco: OpenClaw Security Nightmare

Your engineers have better things to do

You became a security engineer to stop threats, not build data pipelines and JSON parsers. Monad filters, normalizes, enriches, and routes your security data. 250+ integrations, connected in minutes.

Start free

Securing Agents in Production: Palantir’s Agentic Runtime Framework

Palantir published the first in a series on their Agentic Runtime, the infrastructure for deploying AI agents in mission-critical settings. Worth reading for anyone thinking about agent security architecture.

Their definition: An agent is a stateful control loop that repeatedly invokes a stateless reasoning core (e.g., an LLM), interprets outputs, executes tools and memory operations, and feeds results back until termination.

Five security dimensions they address:

1. Compute substrate: Hardened Kubernetes (Rubix) with workload isolation, enforced encryption, and authenticated/authorized/logged interactions between workloads

2. Memory security: Semantic, episodic, and working memory loaded through their Ontology with granular access policies computed dynamically at runtime

3. Tool governance: Constraining what actions agents can take and under what conditions

4. Lineage tracking: Dynamic lineage flowing across data, logic, action, and application artifacts

5. Change management: Release controls that apply to both human-driven and agentic workflows

As someone who hasn’t been too in the weeds of agent security, this is an amazing primer of the top agentic risks and how to build multiple layers of guardrails across the AI stack.

Palantir’s approach treats agents as first-class security principals requiring the same rigor as human users. The “precisely governed permissions” and runtime policy evaluation are exactly what’s missing from the consumer agent space. AI security vendors, take note.

MaliciousCorgi: AI Coding Extensions Exfiltrating Code from 1.5M Developers

Koi Security found two VS Code AI coding assistants with 1.5 million combined installs silently harvesting source code to servers in China. Both remain live in the marketplace.

The extensions:

• ChatGPT - 中文版 (WhenSunset): 1.35M installs

• ChatMoss / CodeMoss (zhukunpeng): 150K installs

How it works: The extensions function as advertised, but run three parallel exfiltration channels: real-time capture of every file you open or edit, server-triggered mass harvesting of up to 50 files on command, and a hidden profiling engine using four Chinese analytics SDKs to determine whose code is worth stealing.

What’s at risk: .env files, API keys, credentials, SSH keys,source code.

The coding assistant work, reviews are positive, functionality is real, so is the spyware. 1.5 million installs. Looks legit to the naked eye.

IOCs: VSC Extensions -> whensunset.chatgpt-china, zhukunpeng.chat-moss. Domains -> aihao123.cn

Apple Platform Security Guide (January 2026)

Recently stumbled across Apple’s master security reference document, and it’s a goldmine even just for educational purposes. It covers iOS 26.1, iPadOS 26.1, macOS 26.1, tvOS 26.1, visionOS 26.1, and watchOS 26.1.

What’s inside (262 pages):

• Hardware security: Deep dive on the Secure Enclave, Apple silicon architecture, memory protection, and the True Random Number Generator

• Biometrics: Technical breakdown of Optic ID, Face ID, and Touch ID, including how matching works and anti-spoofing measures

• Secure boot chain: How Boot ROM, iBoot, and LocalPolicy work together across Intel and Apple silicon Macs

• Data Protection & encryption: FileVault internals, quantum-secure cryptography implementation, and how passcode-derived keys actually work

• Services security: iCloud, Apple Pay, iMessage encryption, and Find My architecture

• Network security: TLS, VPN, Wi-Fi, Bluetooth, and AirDrop security models

Highly recommend for anyone securing macOS, iOS, or anything in between.

🔮 The Future of Security 🔮

AI Security

Outtake Raises $40M with All-Star Angel Roster

Outtake raised a $40M Series B led by Iconiq with a pretty neat angel roster -> Satya Nadella (Microsoft CEO), Nikesh Arora (Palo Alto Networks CEO), Bill Ackman (Pershing Square), Shyam Sankar (Palantir CTO), Trae Stephens (Anduril), and Bob McGrew (former OpenAI VP).

Founded in 2023 by former Palantir engineer Alex Dhillon, Outtake builds agentic AI that detects, investigates, and takes down identity fraud and impersonation attacks. Customers include OpenAI, Pershing Square, AppLovin, and federal agencies.

Growth: ARR up 6x YoY, customer base up 10x YoY.

More AI news ⬇️

• Zscaler unveils AI Security Suite to close visibility gap

Application Security

DryRun Security Launches DeepScan Agent for Full-Repo Code Reviews

DryRun Security released DeepScan Agent, an AI-powered tool that performs full repository security assessments in hours. Traditional SAST is syntax-first (”does this pattern appear?”); DeepScan is intent-first (”what does this code do, and how can it fail?”).

Deepscan can catch things like multi-tenant isolation bypasses, complex IDORs, authZ logic flaws, and business logic vulns that require understanding how an app behaves end-to-end.

Kudos to DryRun on this. 2 years ago, we discussed limited context windows and token costs being a blocker in achieving this and they ended up figuring out. Not an easy problem to solve.

More AppSec news ⬇️

• RapidFort Raises $42M to Automate Software Supply Chain Security

• Kasada Raises $20M for Anti-Bot and Agentic Defense Expansion

Data Security

Varonis Acquiring AllTrue.ai for AI TRiSM

Varonis is acquiring AllTrue.ai, an AI Trust, Risk, and Security Management (TRiSM) platform founded by Ron Bennatan, creator of Guardium and jSonar. Deal valued at $150M. The deal adds AI-specific security capabilities to Varonis’s data security platform.

AllTrue Capabilities:

• AI asset discovery (including shadow AI)

• Security posture management for agents and models

• Runtime protection

• Detection and response

• Security testing for prompt injection and jailbreaks

Varonis is positioning to own the full AI security lifecycle from data protection through agent governance.

Orion Security Raises $32M for AI-Powered DLP

Orion Security closed a $32M round led by Norwest with IBM participating, bringing total funding to $38M. I can speak to this one first-hand as I recently received a demo.

They replace static rule libraries with proprietary LLMs and AI agents that analyze data movement in real-time, capturing content sensitivity, lineage, user behavior, and intent.

Vendors have been trying to reinvent DLP for the past decade and have often fell short. LLMs + agents changes what’s possible.

Security Operations

RADICL Raises $31M for Autonomous vSOC Targeting Defense SMBs

RADICL closed a $31M Series A led by Paladin Capital Group, bringing total funding to $42M. The Boulder-based company builds an autonomous virtual SOC specifically for small and medium businesses in the Defense Industrial Base and critical infrastructure.

The problem they’re solving: SMBs supporting national security face nation-state threats but can’t afford enterprise security budgets. RADICL combines human operators with AI agents for 24/7 monitoring, threat hunting, and incident response, plus built-in CMMC and NIST 800-171 compliance.

Growth: Revenue increased 7x year-over-year. Customers include Trenton Systems, Red 6, and other DIB suppliers.

More SecOps news ⬇️

• Mesh Security raises $12M to scale cybersecurity mesh execution platform

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 125+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

Calendar invites are the new phishing frontier

Email threats changed fast in 2025. Sublime Security’s 2026 Email Threat Research Report analyzes real-world attacks, from a surge in thread hijacking across BEC to a 280% rise in malicious QR codes and growing abuse of trusted services. Get the data, evasion techniques, and insights security teams need to prepare for 2026.

Download the report

Want to sponsor the TCP newsletter? Learn more here.

Howdy! 👋Crazy past week on multiple fronts. Massive amounts of snow, ICE, Clawdbot debacle, a $250M Series B round, and of course, my Patriots are back in the Super Bowl after a long 8 year stint 🙌

Quick plug: Intezer is going live Feb 4th to unveil their 2026 AI SOC Report findings. They operate in several Fortune 100s including Nvidia so I’m expecting strong signal on where the space is headed.

In any case, we have a ton to get to so let’s dive in!

TL;DR 🗞️

• 🪦 🔥 Clawdbot goes from viral to security disaster — Open-source AI assistant exposed hundreds of instances via Shodan w/o auth; prompt injection demos show email exfil in 5 minutes.. wake up call

• 🔮 Dario Amodei publishes “The Adolescence of Technology” — Insight into how Anthropic CEO is thinking about the future including cybersecurity

• 🎣 Sublime 2026 Email Threat Report — BEC at 32% of threats; QR phishing up 282.7%; AI-generated signals hit 19.29% in Q4

• 🧊💣 Databricks releases BlackIce — Containerized AI red teaming toolkit bundling 14 tools mapped to MITRE ATLAS

• 💉 🕳️ Varonis discloses Copilot Personal prompt injection — Single-click exfiltration via crafted URL; Patched; Enterprise SKU not affected

• ☁️ Upwind raises $250M Series B — Cloud security unicorn hits $1.5B valuation, claims 900% YoY revenue growth

• 📟 11-year-old Telnet auth bypass goes under attack — CVE-2026-24061 (CVSS 9.8) in GNU InetUtils

• 🏭 Claroty nabs $150M — OT/ICS security at $3B valuation, nearly 25% of Fortune 100 as customers

• ⚛️ Palo Alto launches quantum-safe security — Real-time Cryptography BOM and cipher translation for legacy encryption algos

• 🛠️ Furl raises $10M seed — Agentic security remediation from Ten Eleven Ventures

• ⚡ AiStrike raises $7M seed — AI-native ‘preemptive’ cyber defense

• 💰 RiskFront closes $3.3M pre-seed — Agentic AI for KYC/AML compliance; claims research time drops to 5% of workload

⚒️ Picks of the Week ⚒️

Clawdbot Is a Reminder of The Shiny Tool Paradox

ClawdBot (now Moltbot) went from 9K GitHub stars (now 75K+) to security catastrophe in 72 hours. For the unfamiliar: Clawdbot is a self-hosted AI agent that connects to your WhatsApp, Telegram, Slack, iMessage, Signal, and Discord, with full access to your shell, browser, files, and 50+ integrations. Users hand it API keys, OAuth tokens, and account credentials so it can autonomously respond to emails, manage calendars, and “handle life admin.” Essentially Claude with root access to your digital life.

Security researchers found hundreds of instances exposed to the public internet, many without authentication. That’s pretty bad on its own, but then crypto scammers began pumping a fake $CLAWD token to $16M before it crashed 90% to $800k. Infostealers are also actively targeting the tool’s config directories.

Wide Open

Researcher Jamieson O’Reilly found hundreds of Clawdbot control panels discoverable via simple Shodan searches for “Clawdbot Control.” These weren’t dev instances, hey were live administrative dashboards, many completely unauthenticated, exposing:

• Full API keys and OAuth tokens

• Complete conversation histories from private chats

• Bot tokens for Telegram, Slack, Discord, WhatsApp

• Command execution capabilities

Root cause: localhost connections auto-authenticated by design. When users ran Clawdbot behind a reverse proxy on the same server, the proxy’s requests appeared as localhost, bypassing auth entirely. Classic “works on my machine” meets “now it’s on the internet.”

One VC reported 7,922 attack attempts over a single weekend. A prompt injection demo showed an attacker sending a malicious email that the AI read, believed, and used to forward the user’s last 5 emails to an attacker address. Took 5 minutes.

Why this is a shit storm and a security wake up call for vibe coders and the “agentify everything” crowd

1. Agentic AI breaks traditional security models by design.

To be useful, these agents must read messages, store credentials, execute commands, and maintain persistent state. Every requirement violates security fundamentals. The Clawdbot docs admit it: “No perfectly secure setup exists when operating an AI agent with shell access.”

2. “Local-first” created false confidence. Users treated this like installing an app when they were deploying a distributed system requiring network segmentation and proper auth config. Seems like the documentation was solid but how many people do you think actually read the docs?? Lol

Viral adoption + technical complexity + permissive defaults = disaster.

3. Infostealers are already adapting. RedLine, Lumma, and Vidar now target ~/.clawdbot/ directories specifically. Config files store gateway tokens, API keys, and conversation logs in plaintext. Even worse: attackers with write access can “poison” the AI’s memory files to permanently alter its behavior, a new attack primitive security tools aren’t watching for, that we know of.

4. AI skills marketplaces are the new supply chain target. O’Reilly’s PoC: upload skill to ClawdHub, inflate downloads to 4,000+, watch devs in 7 countries pull it. He proved code execution. Every AI “plugins” ecosystem is recreating npm’s attack surface, except now malicious packages get shell access.

The rush to adopt shiny new tooling is innately human, and us security folks will never fully crack that behavior. Every wave of developer enthusiasm creates the same pattern: viral adoption outpaces security maturity, attackers notice, vendors scramble to catch up. Clawdbot is just the latest example.

The more interesting signal here is what’s coming. AI “skills marketplaces” are recreating npm’s attack surface, except now malicious packages can get shell access and persistent memory. Enterprises are already using skills ecosystems via Claude, and other platforms. The ClawdHub supply chain PoC (upload skill → 4,000+ downloads across 7 countries → code execution) proves how bad things truly are.

Huge opportunity for vendors and attackers here. For security teams, this debacle should be studied and actions taken to secure Skills usage.

ORION reinvented DLP to protect humans and AI from data loss.

ORION prevents data loss by analyzing data in motion with intelligent, context-aware, proprietary AI agents, significantly reducing operational overhead and false positives while drastically increasing the number of real incidents detected and prevented.

Our specialized agents understand the context behind every trace in real-time, from data classification, lineage, identity, environment, to external relations, analyze it for data loss indicators, and prevent potential data loss in real-time.

Learn how ORION works

The Adolescence of Technology

Anthropic CEO Dario Amodei published a companion piece to 2024’s optimistic “Machines of Loving Grace,” mapping the risks of “powerful AI” he believes could arrive in 1-2 years.

The 15,000-word essay frames five existential concerns: autonomy risks, misuse for destruction, misuse for seizing power, economic disruption, and indirect effects.

On AI-powered cyberattacks: Confirms AI-led attacks “have actually happened in the wild, including at a large scale and for state-sponsored espionage.” Expects these to “become more capable until they are the main way in which cyberattacks are conducted.” Unlike biology, the cyber offense-defense balance “may be more tractable,” with “at least some hope that defense could keep up with AI attack if we invest properly.” - Confirmation of what most of us already know, but significant to hear it from the CEO of arguably the best foundation model lab.

On AI surveillance: Sufficiently powerful AI could “compromise any computer system in the world” and make sense of all electronic communications, enabling systems that “gauge public sentiment, detect pockets of disloyalty forming, and stamp them out before they grow.” Questions whether nuclear deterrence remains viable when AI could potentially strike submarines, influence weapons operators, or attack launch-detection satellites.

On bioweapons: Anthropic’s measurements show current LLMs may be “doubling or tripling the likelihood of success” in bioweapon creation. This triggered Claude Opus 4’s release under AI Safety Level 3 protections with specialized classifiers consuming nearly 5% of inference costs.

On model behavior: Discloses Claude Sonnet 4.5 recognized it was being tested during alignment evaluations. When researchers altered a model’s beliefs to think it wasn’t being evaluated, it became more misaligned. Models have exhibited deception, blackmail, and “reward hacking” in lab experiments.

On AI companies: Acknowledges AI companies themselves represent power-seizure risk through datacenter control, frontier models, and influence over hundreds of millions of users. Calls for governance scrutiny and public commitments against using AI products for propaganda.

Reprompt: Copilot Personal Prompt Injection

Varonis disclosed a prompt injection technique in Microsoft Copilot Personal that could exfiltrate user data via a single click on a crafted URL. The attack exploited the ‘q’ URL parameter to inject prompts, used a double-request technique to bypass safeguards that only applied to initial requests, and chained server-side instructions to dynamically extract data without detection in client-side monitoring.

Microsoft confirmed the issue is patched. Enterprise Copilot customers were not affected.

Coolresearch demonstrating that AI safety controls often have gaps in follow-up requests. The chain-request technique, where the attacker’s server dynamically issues new instructions based on responses, is worth understanding as a pattern. Not an urgent threat given the patch and Personal-only scope, but a useful case study for teams building AI guardrails and yet another reminder on the risk of prompt injection in AI.

Critical Telnet Servers Exposes 800K IPs

An 11-year-old auth bypass (CVE-2026-24061, CVSS 9.8) in GNU InetUtils telnetd grants unauthenticated root access through trivial exploitation. Set USER=-f root during Telnet option negotiation, and login treats the session as pre-authenticated. Patched January 20; active exploitation began January 21. GreyNoise logged 18 attacker IPs across 60 sessions, 83% targeting root. TXOne observed three distinct attack waves progressing from validation probes to weaponized payloads. The exposure is larger than expected: Shadowserver tracks nearly 800,000 IP addresses with Telnet fingerprints; Shodan found 214,000+ hosts responding on standard and non-standard ports, concentrated in China, Brazil, Canada, Argentina, and the US.

This is a reminder that legacy protocols + tech are still in use and attractive targets to attackers.

🔮 The Future of Security 🔮

AI Security

Databricks Releases BlackIce: Containerized AI Red Teaming Toolkit

Databricks open-sourced ‘BlackIce,’ a containerized toolkit bundling 14 AI security testing tools into a single Docker image. Think Kali Linux for AI red teaming. Includes Garak (NVIDIA), PyRIT (Microsoft), ART (IBM), CyberSecEval (Meta), Fickling (Trail of Bits), and others, mapped to MITRE ATLAS and the Databricks AI Security Framework (DASF). Primary use case is LLM app testing: prompt injection, jailbreaks, data leakage, hallucination detection, and indirect injection via RAG pipelines.

Pretty neat for folks red teaming AI.

More AI news ⬇️

• Introducing Tenable One AI Exposure: A New Standard for Securing AI Usage at Scale

• Descope introduces dedicated identity infrastructure for AI agents and MCP ecosystems

• Teleport launches Agentic Identity Framework to secure AI agents in production

Cloud Security

Upwind Raises $250M Series B for Runtime Cloud Security

Upwind closed a $250M Series B led by Bessemer Venture Partners, with Salesforce Ventures and Picture Capital joining. Total funding hits $430M at a $1.5B valuation. They report 900% revenue growth and 200% logo growth YoY (company-reported, not independently verified), with customers including Siemens, Peloton, Roku, and NuBank.

Worth noting: Datadog was reportedly in acquisition talks at ~$1B last July. They stayed independent and raised a mega round instead.

Fraud Prevention

RiskFront Raises $3.3M for Agentic Compliance Automation

RiskFront closed a $3.3M pre-seed led by Lytical Ventures with Flint Capital and Oceans participating. The platform deploys three types of AI agents for financial crime compliance: Due Diligence Research agents that scan open sources and flag risk signals, Transaction Analysis agents that identify suspicious patterns in financial data, and Document Processing agents that structure dense compliance documents.

IoT Security

Claroty Raises $150M at $3B Valuation for OT Security

Claroty closed $150M led by Golub Growth, reportedly boosting valuation 80% to $3B. Annual revenue is in the hundreds of millions. The company specializes in OT/ICS security where traditional endpoint agents can’t be deployed (i.e., air-gapped industrial systems). Has nearly a quarter of the Fortune 100 as customers.

Claroty is a clear OT security leader alongside Dragos and Nozomi.

Security Operations

AiStrike Raises $7M for AI-Native Preemptive Cyber Defense

AiStrike closed a $7M seed led by Blumberg Capital with Runtime Ventures and Oregon Venture Fund participating. The company’s pitch: traditional SOC and MDR models are reactive alert processors and security should be proactive. AiStrike’s platform unifies threat intelligence, detection engineering, investigation, and response with agentic AI that continuously analyzes exposure and drives preventive action. Sunrun’s (aiStrike customer) Director of InfoSec cited replacing MDR entirely.

Worth tracking if you’re evaluating SOC modernization or MDR alternatives.

More SecOps news ⬇️

• Sumo Logic targets data pipeline blind spots with new Snowflake and Databricks tools

Post-Quantum Security

Palo Alto Networks Launches Quantum-Safe Security

Palo Alto Networks announced Quantum-Safe Security, GA Jan 30, a platform for cryptographic inventory and post-quantum migration.

It ingests telemetry from PAN-OS, Prisma Access, and third-party tools to build a real-time Cryptographic Bill of Materials (CBOM) identifying deprecated protocols and harvest-now-decrypt-later (HNDL) exposure. Key capability: “Cipher Translation” where the firewall proxies legacy/IoT traffic and re-encrypts it into quantum-safe ML-KEM at the network edge, no code changes required. Risk engine prioritizes remediation by correlating crypto strength with data shelf-life and business criticality.

Cool if you’re worried about Q-day. Some orgs can’t risk getting caught off guard by post-quantum risks so solutions like these are a great insurance policy.

Vulnerability Management

Furl Raises $10M Seed for Agentic Security Remediation

Furl closed a $10M seed led by Ten Eleven Ventures with Rapid7 CEO Corey Thomas and Open Opportunity Fund participating. Furl targets the remediation gap in vulnerability management. Furl’s platform ingests findings from existing tools investigates system context on endpoints, and autonomously executes remediation.

Autonomous remediation is a tough nut to crack. Cascading effects from an unapproved remediation run the risk of bringing down production apps which is a key reason why it hasn’t gone mainstream yet. Time will tell if new entrants to the space can solve this.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 125+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

Feeling the ground shift under enterprise security?

NHIcon 2026 on Jan. 27 is a practitioner-driven virtual event on agentic AI and what changes when software stops waiting for instructions.

You’ll hear from Phil Venables (fmr. Google Cloud), Misam Abbas (LinkedIn), and Jason Clinton (Anthropic), alongside 20+ other practitioners breaking down where existing controls fail, how agent behavior changes risk, and what it takes to regain leverage in real production environments.

👉Save your spot👈

Want to sponsor the TCP newsletter? Learn more here.

Howdy! 👋 I hope you’re having a great week!

Is it me or is this the year going by super fast?.. In any case, I’m just getting back from visiting Puerto Rico for the closing celebrations of their holiday season called “Fiestas de la Calle San Sebastian”. Beautiful cultural display. Hiiiiighly recommend going if you get the chance!

Now, onto security stuff, which is what you’re all here for in the first place. Two of my favorite sponsors I’ve had the joy of working with are hosting free virtual conferences covering two of the most crucial security domains in 2026.

Aembit is hosting the NHICon focusing on securing Agentic AI on Jan. 27th. Super stacked speaker lineup including fmr. CISO at Google Cloud (Phil Venables), DCISO at Anthropic (Jason Clinton), and many leading security operators. It’s a must attend event for anyone doing enterprise security in any capacity. You can register here.

Cycode is hosting their Product Security Summit on Jan. 28th, a free virtual con focused on securing software in the AI era. Speaker lineup includes Rinki Sethi (fmr. CISO at Rubrik, Twitter), and security leaders from HackerOne, Nucleus Security, Cloudflare and more. If you’re touching AppSec in any capacity, this one's worth the 2-3 hours. Register here.

And of course, I have to plug the stuff we’ve been working on at Monad! My pal Nathan Koester, Staff SecEng at Ironclad, recently wrote up a piece on the data engineering gap in security which hints at where SecOps is headed in 2026, from a practitioner’s perspective. Read further here.

Okay, now onto this past week’s news!

TL;DR 🗞️

• Mandia launches Armadin with $165M for AI red-teaming — Per SEC filing, Mandiant founder raised way more than the $24M seed reported by WSJ; Ping Li (Accel) and Jake Seid (Ballistic) on board

• 💀 ServiceNow BodySnatcher enables full platform takeover — CVE-2025-12420 (CVSS 9.3); hardcoded creds + email-only account linking = impersonate any user, weaponize AI agents

• 🧭 Wiz drops agentic browser security year-end review — Rami McCarthy’s “Autonomy × Access” matrix is a gem 💎

• 🗓️ Gemini calendar prompt injection bypasses privacy controls — Miggo research find dormant payloads in invite descriptions exfiltrate meeting summaries

• 📤 Cowork file exfiltration via prompt injection — PromptArmor shows Claude Cowork can upload files to attacker accounts

• 💥 CrashFix fake ad blocker delivers ModeloRAT — KongTuke actor clones uBlock Origin Lite; crashes browser, prompts fake scan; targets domain-joined hosts only

• 🎤 Jen Easterly named RSAC CEO — Former CISA Director lands at RSA Conference; eyes international expansion

• 🦄 Aikido hits $1B valuation with $60M Series B — Fastest European cybersecurity unicorn; DST Global led; 100K+ teams, 5x revenue growth

• ⛓️ Delinea acquires StrongDM — PAM meets just-in-time authorization for devs and AI agents; deal terms undisclosed

• 🚫 China bans US and Israeli security software — 15+ vendors including CrowdStrike, Palo Alto, Wiz, Check Point; most report minimal China exposure

• 📡 Reco launches device inventory — Consolidates MDM, EDR, IdP into single view; flags unmanaged devices accessing corporate SaaS

• ⚔️ Novee launches with $51.5M for AI pentesting — YL Ventures led; claims 90% accuracy vs. ~65% for frontier LLMs; competes with XBOW

• ⚛️ Project Eleven raises $20M for post-quantum crypto — $120M valuation; migration tools for Bitcoin/Solana to quantum-resistant cryptograph

⚒️ Picks of the Week ⚒️

Kevin Mandia Is Building Again

The man who built Mandiant and sold it to Google for $5.4 billion is back.

Kevin Mandia has launched Armadin (notably no website), a startup using AI to automate red-teaming and penetration testing. The company came out of stealth in mid-December with a $24M seed from Ballistic Ventures — the cybersecurity-focused VC firm Mandia co-founded.

But here’s what most outlets haven’t caught onto: An SEC Form D filed January 13th shows Armadin has already closed $165 million from 28 investors. The reported talks with Accel, GV, and Kleiner Perkins clearly went well.

“The cheapest way to build your defense is to actually hit it with the best offense and refine it,” Mandia told the WSJ.

The economics are striking: what used to cost $20-30K in human pentesting time will take 3-5 minutes and cost hundreds of dollars. This was proven out by the recent ARTEMIS study which signals to improving attack economics + efficacy.

The team: Mandia has teamed up with former Google engineers Travis Lanham and David Slater, plus Evan Pena, a longtime leader of Mandiant’s red team. The SEC filing also reveals board seats for:

• Ping Li — Accel Partner with board seats at Tenable, Snyk, Sysdig, and Illumio

• Jake Seid — Ballistic Ventures Co-Founder/GP

When the guy who uncovered APT1 and led the SolarWinds response decides the future is a certain category, it’s worth paying attention. 2026 is already off to a hot start.

Also, key to note that this comes as XBOW raised a $75M series B last June and Novee, a new entrant, raised $51.5M through Series A (covered lated in this issue). Mandia is coming in w/ 2-3x more funding than these direct competitors. XBOW does have the time lead though.

Shoutout to Pramod Gosavi for the SEC tip on this!

ServiceNow “BodySnatcher” Enables Full Platform Takeover via AI Agents

AppOmni’s Aaron Costello discovered CVE-2025-12420 (CVSS 9.3): a hardcoded credential (”servicenowexternalagent”) shipped to all instances plus email-only account linking allowed attackers to impersonate any user, bypass MFA/SSO, and weaponize ‘Now Assist AI’ agents to create admin backdoor accounts.

Significant vuln given the hardcoded creds across all instances and the privilege escalation path to full platform takeover. ServiceNow serves 85% of the Fortune 500, with deep integration into HR, security, and customer systems making it a goldmine for attackers. ServiceNow patched in October but only disclosed last week. Patched in October 2025, disclosed last week. Even vendors with 8/9-figure security budgets are shipping hardcoded creds. Plan accordingly.

AI is Only as Smart as its Context: Building a Semantic Graph for Security

AI can’t secure what it doesn’t understand. The Context Intelligence Graph is the connective tissue that unifies AST, SSCS, and ASPM into a single, coherent view. It provides the “meaning” AI agents need to sense, reason, and act safely across your code and cloud. Stop reacting to isolated alerts and start managing causality.

Register for the Product Security Summit to see the future of AI-native security.

👉 Register Here👈

Agentic Browser Security: 2025 Year-End Review

2025 was a terrible year for agentic browsers. At one point it seemed like critical vulns surfaced each week. In this post, delivers a stellar year-end review cataloging prompt injection vulns across agentic browsers likw ChatGPT Atlas, Perplexity Comet, Fellou, and others. This report builds well off of Gartner’s recent recommendation for CISOs block AI browsers outright.

Browser vendors are converging on human-in-the-loop (HITL) + RL + secondary LLM critics as layered defense (enumerated in a chart in the report). The “Autonomy × Access” matrix really puts things into perspective as it’s a super simple mental model to understand the risk profile of these browsers.

Autonomous tooling goes against most of what security has been preaching over the past few decades (i.e., zero trust). However, security leaders must find a way to securely onboard and enables these technologies or risk falling behind to competitors who do adopt it. As Rami put it: “For most everyday use cases, agentic browsers don’t yet deliver enough value to justify their current risk profile.” Agentic browsers + their use cases will only get better so securing this vector may become a non-negotiable soon.

Gemini Calendar Prompt Injection Bypasses Privacy Controls

Miggo researchers discovered attackers can embed dormant prompt injection payloads in Google Calendar invite descriptions. When users ask Gemini about their schedule, the AI executes hidden instructions, exfiltrating private meeting summaries into new calendar events visible to attackers.

This builds on SafeBreach’s August 2025 research showing Gemini calendar exploits could trigger Google Home actions. Same underlying pattern: AI assistants pulling untrusted content from shared resources is a structural weakness that opens the door to prompt injection. Not a “everything is on fire” vuln, but another data point for why Gartner is telling CISOs to block or exercise caution w/ AI assistants from sensitive workflows.

Cowork File Exfiltration via Prompt Injection

PromptArmor discovered that Anthropic’s new Cowork research preview can be tricked into uploading user files to an attacker’s Anthropic account via indirect prompt injection.

The attack requires a user/victim to upload a malicious file (injection hidden via white-on-white text), connect Cowork to sensitive folders, and ask Claude to process the malicious file. Works because Claude’s VM allowlists api.anthropic.com for outbound requests.

You can file this one under “agentic AI growing pains” rather than “drop everything.” It’s a research preview with explicit warnings, requires a multi-step attack chain, and Anthropic says fixes are coming. At this stage you can bet that anything AI co’s ship, that is not officially GA, will have security flaws.

The underlying issue, prompt injection in agentic systems, remains unsolved. More interesting as a design pattern question, how do you ship autonomous tools when injection has no reliable fix? Are there any vendors building guardrails for agentic tooling? I’d imagine such a solution falls at the intersection of IAM, data security, and some sort of secure config management.

Stellar research from the PromptArmor team here.

CrashFix: Fake Ad Blocker Weaponizes Browser Crashes

Huntress uncovered “NexShield,” a malicious Chrome extension cloning uBlock Origin Lite that crashes the browser, then displays fake security warnings prompting users to run a ‘scan’. Payload delivers ModeloRAT, a new Python RAT exclusively targeting domain-joined corporate hosts.

ClickFix evolution continues. KongTuke threat actor (linked to Rhysida, Interlock ransomware) is getting creative: the extension impersonated Raymond Hill, uBlock Origin’s actual developer, and was hosted on the official Chrome Web Store. Enterprise extension governance continues to wedge itself as a top concern in 2026. Also, probably one of the best research posts I’ve come across this year. Kudos to Huntress for the deep walkthrough.

Easterly Lands at RSAC 🔥

Former CISA Director Jen Easterly named CEO of RSA Conference, will oversee flagship event expecting 40,000+ attendees in March plus Innovation Sandbox, international expansion, and year-round programming.

Smart landing for Easterly after CISA. RSAC gets a high-profile advocate that is trusted and even admired by many in the security community. Hopefully she shifts the RSAC vibe from vendor-heavy to more tradecraft, hands-on vibe.

🔮 The Future of Security 🔮

Application Security

Aikido Raises $60M Series B at $1B Valuation

Belgian AppSec startup hits unicorn status, the fastest European cybersecurity company to reach the milestone. DST Global led with participation from PSG Equity and Singular. Platform consolidates SAST, SCA, DAST, CSPM, AI-powered pentesting and runtime sec into one dev-focused tool. 100,000+ teams, 5x revenue growth, 180+ employees.

Shoutout to Maddie Lawrence and the founding team. TCP sponsor and genuinely one of the best marketing and distribution engines in AppSec right now. They’ve nailed the SMB-to-enterprise motion with a dev-first, bottom-up GTM that is very tough to crack in security. The research output is strong too (see: Shai-Hulud npm worm tracking). Well-deserved milestone.

More AppSec news ⬇️

• GitLab Duo Agent Platform solves the AI paradox in software delivery

Identity Security

Delinea Acquires StrongDM for AI-Era Identity Security

PAM vendor Delinea (reportedly $400M+ ARR) acquiring StrongDM to add just-in-time runtime authorization for developers, DevOps, and AI agents. Combined platform will deliver real-time policy enforcement across human and non-human identities in cloud-native environments. Deal expected to close Q1 2026; terms not disclosed.

StrongDM’s developer-first model addresses PAM’s historical friction problem with eng teams. Stellar acquisition by Delinea given the emergence of agentic identity security.

Huge congrats to my friends at StrongDM, John Martinez, Timmy P, Juliet and Jen V.!🥳

National Security

China Bans US and Israeli Cybersecurity Software

Beijing ordered domestic companies to stop using security software from 15+ US and Israeli firms including CrowdStrike, Palo Alto Networks, Fortinet, Wiz, Check Point, SentinelOne, Mandiant, CyberArk, and Orca Security. Stocks dipped but most vendors report minimal China exposure.

CrowdStrike, SentinelOne, and Claroty confirmed they don’t sell in China. Palo Alto Networks derives just 2.2% of revenue from the region. Per Natto Thoughts, China has 5,000+ domestic cybersecurity vendors, and all top 20 work with the government. Reciprocity for US bans on Chinese tech (Kaspersky, Huawei, AI models).

The decoupling continues.

More NatSec news ⬇️

• Verizon blames nationwide outage on a “software issue”

Offensive Security

Novee Launches With $51.5M for AI-Driven Continuous Pentesting

Novee emerged from stealth with $51.5M (4months from seed to Series A) led by YL Ventures, Canaan Partners, and Zeev Ventures. Platform uses proprietary AI model trained on offensive tradecraft to run continuous pen testing.

The AI pentest space is hot. I’d say Novee’s biggest competitor is XBOW which raised $75M Series B in June 2025 and is probably due for a Series C raise later this year. Horizon3, Pentera, and BugCrowd are other notables.

Post-Quantum Security

Project Eleven Raises $20M for Post-Quantum Crypto Migration

Post-quantum cryptocurrency security startup Project Eleven raised $20M Series A at $120M valuation, led by Castle Island Ventures with Coinbase Ventures, Balaji Srinivasan, and others participating.

Building migration tools for blockchain networks (Bitcoin, Solana) to transition from ECC to quantum-resistant cryptography. Products include Yellowpages (post-quantum key generation for Bitcoin wallets) and a post-quantum testnet for Solana using NIST-standardized ML-DSA.

There are $4T+ in digital assets secured by cryptography that quantum computers could eventually break. Over $3.4B in cryptocurrency were stolen in 2025. The “eleventh hour” framing is pretty clever. Niche but certainly a space to watch as quantum is something that will happen slowly and then all at once. Better to be prepared than caught flat-footed.

SaaS Security

Reco Launches Device Inventory for Unified Endpoint Visibility

The new capabilities consolidate MDM, EDR, and IdP data into a single view, automatically flagging unmanaged devices authenticating to corporate SaaS.

SaaS security increasingly lives at the intersection of identity, device, and app access: it's not enough to know who is accessing Salesforce, you need to know from what device and whether it's managed. Reco is bridging that gap with this feature. Pretty neat 🔥

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 125+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

Beyond the Quadrant: A Former Analyst’s Real Framework

Drowning in AI vendor claims? A former Gartner analyst reveals her framework for cutting through the noise and building your shortlist. Earn 1 CPE credit.

Register for the live webinar

Howdy! 👋 I hope you’re having a great week!

Feels like there’s a lot in flux across the globe at the moment. Feels like the first two weeks of 2026 have actually been two months for some reason. In any case, we have a lot to get to in this week’s TCP so let’s dive in!

TL;DR 🗞️

• 🪿 Block deployed infostealer using its own AI agent — Goose used prompt injection + invisible Unicode to deploy infostealer; added recipe warnings and detection

• 📡 Starlink vs. Iran standoff escalates — 50K-100K smuggled terminals, military-grade jammers spike packet loss to 80%; SpaceX OTA updates cut interference to 10%

• 🔎 Hackers probing LLM proxies at scale — GreyNoise logged 91K+ sessions; 80K in 11 days targeting 73+ model endpoints across OpenAI, Claude, Gemini, Grok

• 🎭 BreachForums database leaked — 323,986 user records exposed including emails, hashed passwords, IPs; pure karma

• 🛡️ Unit 42 drops SHIELD framework — Governance for vibe coding; real incidents already include code injection, auth bypass from AI-gen’d code

• 🔭 WitnessAI launches Agentic Security — Auto-discovers agents across Claude Desktop, GPT plugins, VS Code; maps MCP server access; raised $58M

• 🌐 CrowdStrike acquires Seraphic for $420M — Browser runtime security across Chrome, Edge, Safari, Firefox; no enterprise browser required

• 🔐 CrowdStrike acquires SGNL for $740M — Continuous authorization for human, NHI, and AI agent identities; $1.16B two-week M&A spree

• 🧬 Cyera hits $9B valuation — $400M Series F led by Blackstone; 3x valuation jump in 6 months; claims 1/5 of Fortune 500

• ⚡ Torq raises $140M at $1.2B valuation — AI SOC platform reports ~300% revenue growth; customers include Marriott, PepsiCo, Uber

• 💰 Cybersecurity funding hit $14B in 2025 — 47% increase YoY per Pinpoint; strongest since 2021 peak; investor focus on AI governance + identity

• 🚀 CrowdStrike accelerator picks 35 startups — AWS + NVIDIA program runs through March; five finalists pitch at RSA Conference March 24

⚒️ Picks of the Week ⚒️

Block CISO: We red-teamed our own AI agent to run an infostealer

Block CISO, James Nettesheim, recently shared how the company’s red team used prompt injection to deploy an infostealer on an employee laptop via Goose, Block’s open source AI agent.

The attack combined phishing with prompt injection hidden in invisible Unicode characters. When a developer clicked a poisoned “recipe” (Goose’s reusable workflow format) to debug a reported bug, it downloaded and executed the malware.

Block has since added recipe install warnings, suspicious Unicode detection, and is experimenting with adversarial AI to validate agent inputs and outputs.

“It’s not enough for self-driving cars to be just as good as humans. They have to be safer and better. We need that with our agentic use, too.”

Love the transparency and tinkering mindset deployed at Block. While AI security improves day by day, it still feels like the wild west at times. Having leadership that encourages this and shares learnings with the community is crucial for advancing AI security. More of this please!!

Don’t Let AI Outpace Security: 10x Your Team’s Efficiency in 2026

At the 2026 Product Security Summit, we’re diving into the Application Security playbooks used by Cloudflare, Schneider Electric, and Alter Domus. Learn to manage AI-driven code velocity and lead your team through the “Great Convergence” with application security strategies that actually work at scale.

Don’t build your 2026 roadmap in a vacuum. Get the real-world blueprints from the leaders doing the work.

Save your spot

Starlink vs. Iran: Satellite Internet Under Electronic Warfare

If you’re a TCP reader, you’re probably tracking what’s unfolding in Iran. While it’s hard to separate noise from signal with media, shit has clearly hit the fan. Iranian regime reportedly killing thousands of civilians over the past week.

I won’t get into the politics, but what’s most relevant for our space is the Starlink vs. Iran standoff. It demonstrates what’s technically possible with satellite jamming, and it will set legal + warfare precedents.

A near-total internet blackout began January 8, leaving 90 million people in darkness. For protestors, Starlink has become the last lifeline, and the regime is deploying countermeasures to kill it.

Professional smugglers are bringing in Starlink boxes across the border from Iraq and Dubai. An estimated 50,000 to 100,000 smuggled terminals are now active in the country. Under a 2025 law, using Starlink is legally equivalent to espionage for the CIA or Israel and carries a potential death sentence.

The regime deployed jammers, likely sourced from Russia or China, targeting Starlink’s GPS and radio frequencies (RF). Packet loss jumped from 30% to over 80% during protest peaks. In response, activist group NasNet worked with SpaceX to push emergency firmware updates, dropping interference from 35% to 10% for users in Tehran.

Security forces are using surveillance drones to spot dishes on rooftops in northern Tehran. Authorities have been rappelling down apartment blocks and raiding homes to seize equipment.

This is a real-time stress test of how resilient and secure satellite constellations are against jamming and other tactics. It’s pretty much a cat and mouse game with SpaceX pushing OTA updates as fast as Iran deploys countermeasures. Would love to geek out on this with some RF and satellite hackers some time. I’d imagine there will be some Starlink hacking at this year’s DEF CON. In any case, this a pretty wild situation currently unfolding and I’d imagine, it’ll only intensify.

Hackers target misconfigured proxies to access paid LLM services

GreyNoise documented 91,403 attack sessions against AI infrastructure between October 2025 and January 2026.

The more concerning campaign started December 28: two IPs generated 80,469 sessions over 11 days, systematically probing 73+ model endpoints across OpenAI, Anthropic, Meta, Google Gemini, Mistral, Alibaba Qwen, DeepSeek, and xAI Grok.

Many companies use a middleman server (proxy) to route employee requests to paid AI services like ChatGPT or Claude. These proxies often store the API keys and handle billing. If poorly secured, attackers can piggyback on your credentials and run up your tab, or worse, access sensitive data flowing through the proxy.

Attackers send innocent-looking prompts (”hi,” “How many states are there in the United States?”) to see which AI model responds. This fingerprinting avoids triggering security alerts while mapping which companies have exposed access.

If you’re running an exposed AI gateway, you’re likely already on someone’s target list. Harden it like any other production API.

Hackers get hacked, as BreachForums database is leaked

BreachForums, one of the biggest cybercrime marketplaces, had its entire user database leaked. The dump includes 323,986 user records: usernames, email addresses, password hashes, and IP addresses. The exposed database could hand law enforcement new leads for investigations. Pure karma.

CrowdStrike, AWS, and NVIDIA 2026 Cybersecurity Startup Accelerator Cohort

CrowdStrike, AWS, and NVIDIA announced 35 startups for the third annual Cybersecurity Startup Accelerator. The eight-week program runs through March 3, 2026, with five finalists pitching at RSA Conference on March 24. The winner gets investment from CrowdStrike’s Falcon Fund.

Notable names in the cohort: Averlon, Aira Security, Capsule Security, Haleum AI, Simbian AI, and SurePath AI.

Cybersecurity Firms Secured $14 Billion in Funding in 2025: Analysis

Pinpoint Search Group reports cybersecurity vendors raised $13.97B across 392 funding rounds in 2025, a 47% increase from 2024’s $9.5B. This marks the strongest funding year since the 2021 peak of $20.6B.

Largest rounds: Saviynt ($700M), Cyera ($540M), Armis ($435M), Chainguard ($280M), Vanta ($150M), 7AI ($130M), Noma Security ($100M), Dream ($100M).

Investosr focused heavily on AI governance and identity. The post-2021 correction is officially over. Capital is flowing again… but for how long?

🔮 The Future of Security 🔮

AI Security

WitnessAI Extends Its LLM Protections to AI Agents

WitnessAI launched Agentic Security which auto-discovers agentic activity across Claude Desktop, ChatGPT with plugins, VS Code extensions, and local frameworks (LangChain, CrewAI, AutoGPT), maps MCP server access, and links agent actions back to the humans who initiated them.

This is pretty neat as most teams still have little/no visibility into what their agents are actually doing and what permissions+access they have. A single malicious prompt can cascade through tool calls, API requests, and db queries before a human notices.

WitnessAI also announced fundraising of $58M in a strategic round yesterday.

Application Security

Unit 42 Introduces New Vibe Coding Security Governance Framework

Palo Alto’s Unit 42 published a governance framework for securing vibe coding after identifying real-world incidents including data breaches, code injection, and auth bypass attacks tied to AI-generated code.

SHIELD controls:

• Separation of duties (no AI agents with dev + prod access)

• human-in-the-loop code review before merge

• input/output validation via guardrails and SAST

• security-focused helper models

• least agency permissions

• defensive controls like SCA and disabled auto-execution

Solid framework, but the friction paradox applies here as well. Much vibe coding happens on personal devices and shadow IT that enterprise controls don’t touch. If the security controls introduce too much friction, users will just avoid them.

In any case, this is a must read for anyone securing code in 2026.

Browser Security

CrowdStrike to Acquire Browser Security Firm Seraphic for $420 Million

CrowdStrike is acquiring browser runtime security startup Seraphic Security for $420M, following last week’s $740M SGNL deal bringing their two-week M&A spend to $1.16B.

Seraphic works within the browser runtime across Chrome, Edge, Safari, and Firefox without forcing users onto a proprietary enterprise browser. They randomizes the browser’s JavaScript engine at the execution layer to disrupt session hijacking, prevent memory-based attacks, and block man-in-the-browser exploits. It also provides granular DLP by controlling actions like copy-paste and file uploads.

This is an absolutely stellar pick up by CrowdStrike as they continue to expand their platform efforts to go toe to toe with Palo Alto Networks. I also love the angle that Seraphic takes in securing any browser vs. forcing users onto a new one like Island or Talon (now PANW) does. User friction is often a huge trade-off in security

Data Security

Cyera hits $9B valuation six months after being valued at $6B

Cyera closed a $400M Series F led by Blackstone, hitting a $9B valuation just six months after raising $540M at $6B. Total raised now exceeds $1.7B.

Enterprise AI adoption has led to a massive surge in need for data security that can keep up with the speed of AI. I wrote a piece on this last summer and most, if not all of it, still holds true today.

More data security news ⬇️

• Commvault Launches Unified Data Vault – Giving Cloud Developers a Unified Way to Bring Resilience to S3 Data

Identity and Access Management

CrowdStrike to Buy SGNL to Expand Identity Security Capabilities

CrowdStrike has acquired identity security startup SGNL for $740M. SGNL provides continuous, context-aware authorization that grants and revokes access in real-time based on risk signals. This is huuuuuge for agentic identity security.

CrowdStrike already covers endpoint, cloud and SaaS with capabilities that have come from past acquisitions (i.e., Adaptive Shield and Preempt Security).

SGNL had raised $42M from Costanoa Ventures, CRV, and others. Founded 2021 by ex-Googlers Scott Kriz and Erik Gustavson.

Massive win for CrowdStrike, imo.

Security Operations

Torq Raises $140 Million at $1.2 Billion Valuation

Torq closed a $140M Series D led by Merlin Ventures, hitting $1.2B valuation and $332M total raised. The company reported ~300% revenue growth in 2025.

Pretty cool to see Torq’s “agentic SOC” pitch landing well w/ investors and customers given that up until recently they were a pure-play SOAR solution.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 125+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

The World’s Fastest Security Data Lake

Scanner is a hyper-fast Security Data Lake platform built for AI agents and modern security teams.

Search across petabytes in seconds. Retain all logs forever at a fraction of SIEM costs. Power the next generation of detection & response. Automate SecOps with Agentic AI. Deploy in a day. Trusted by Ramp, Lemonade, Benchling and more.

See Scanner in Action

Want to sponsor the TCP newsletter? Learn more here.

Howdy! Hope your year has been off to a great start! 🤗

While I didn’t manage to get much downtime over the break, I did get to experiment with a few new AI tools + capabilities. All I’ll say is that Claude > everything else and their Chrome Extension is preeeeeetty neat.

I also shipped two blog posts:

• AI in Security: Lessons from 2025 and What’s Next - Highlights AI impact on the attack + defense side w/ real-world data points + incidents.

• The Best of The Cybersecurity Pulse — 2025 Edition - Last year was our biggest year so far. 250K+ visits to our Substack and 750K+ impressions on LinkedIn. Huge thanks to everyone who opens TCP every week and shares our content + huge shoutout to our sponsors ❤️

Also, we’re hiring for a Head of Marketing at Monad. This role would be working closely with me! DM me here or on LinkedIn if you’re interested.

In any case, a ton has taken place since our last TCP weekly so let’s get to it!

TL;DR 📰

• 🇻🇪 US cyber op paved way for Maduro extraction — Trump confirmed “certain expertise” knocked out Caracas power during Maduro extraction

• 🔓 MongoBleed actively exploited — CVE-2025-14847 leaks heap memory pre-auth; 87K+ servers exposed, patch now

• 🤖 NHIcon 2026 on Jan 27 — Virtual event on agentic AI security with veteran CISOs and practitioners

• ⚡ n8n drops three critical RCEs — CVSS 10.0 and two 9.9s in a month; rotate secrets if you ran vulnerable versions

• 🎯 Joshua Saxe on AI security's "friction paradox" — Perfect controls get bypassed; "good enough" security that ships beats elegant models nobody uses

• 🎀 Hacktivist nukes Nazi sites at 39C3 — Pink Power Ranger deletes three white supremacist platforms live onstage

• 📊 SANS Detection Engineering survey live — Practitioners: put your DE opinions on record

• 📋 CISO Tradecraft drops 12 free templates — Budget prioritization, AI control matrices, tool murder boards

• ☁️ Palo Alto inks ~$10B Google Cloud deal — Prisma AIRS, VM-Series, SASE integration as Wiz acquisition passes DOJ

• 🏦 Vega hits $700M valuation — $120M Series B for the SIEM challenger. Key company to watch in 2026.

• 🐳 Docker hardened images now free — 1,000+ minimal containers under Apache 2.0

• 🔮 M&A rumors flying — Cisco may be eyeing Axonius (~$2B), PANW eyeing Koi (~$400M)

⚒️ Picks of the Week ⚒️

US Cyberattack Was Part of Venezuela Operation

Politico flags what many lay folks may have missed around the Venezuela operation this past week. During the Maduro extraction, Trump stated “the lights of Caracas were largely turned off” due to “certain expertise that we have.”

This strongly indicates a coordinated cyber operation against Venezuela’s electrical grid, likely targeting SCADA systems at Guri Dam, which provides roughly 70% of the country’s power.

The blackout degraded visual acquisition for MANPADS (Man-Portable Air-Defense Systems) operators (making low-flying helicopters harder to target), disrupted military communications that relied on civilian infrastructure, and induced widespread chaos during the critical insertion window. BGP anomalies during the blackout have been documented in public datasets, providing external evidence of network manipulation.

The Stuxnet precedent against Iran was covert and deniable for years. This was essentially confirmed by the President within hours.

There’s a ton of geopolitical turbulence across the globe today and I imagine we’ll see even more aggressive cyber ops used against critical infra in the very near future. As someone who studied national security in grad school, this is both exciting and scary because the reality is that it could happen anywhere.

Trying to make sense of agentic AI security?

NHIcon 2026 on Jan. 27 is a practitioner-driven virtual event focused on what changes as software becomes autonomous. Veteran CISOs, security teams, engineers, and educators share what’s breaking, what’s changing, and how they’re dealing with it in real environments.

Save your spot

MongoBleed Is Being Actively Exploited: 87K+ Servers Exposed

Think Heartbleed, but for MongoDB. CVE-2025-14847 (CVSS 8.7) lets unauthenticated attackers leak heap memory via malformed zlib-compressed packets: plaintext passwords, AWS keys, API secrets, user data. The bug has been in the codebase since 2017 (version 3.6.0+). PoC dropped December 26, exploitation started December 29, CISA added it to KEV the same day. Censys found 87,000+ exposed instances; Wiz says 42% of cloud environments have at least one vulnerable MongoDB server. A new GUI exploitation tool makes this trivial. Patch to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30. If you can’t patch, disable zlib compression. Rotate credentials regardless.

This one’s bad. Pre-auth, trivial to exploit, POC publicly available, and the vuln has been there for nearly eight years. Detection is tricky too since it only shows up in MongoDB logs, which almost nobody ships to their SIEM. Eric Capuano put out a solid Velociraptor artifact for hunting this, and Florian Roth built a detector tool. This Wiz post provides a great deep dive + actions teams should be taking.

n8n Critical RCE Vulnerabilities: Three in a Month

n8n just disclosed CVE-2026-21877, a CVSS 10.0 RCE affecting both self-hosted and cloud deployments. Under certain conditions, authenticated users can execute untrusted code on the n8n service, resulting in full instance compromise. The flaw affects versions >= 0.123.0 through < 1.121.3. Fixed in version 1.121.3 (released November 2025). If you can’t patch immediately, disable the Git node and restrict access for untrusted users.

This follows two other critical RCEs in recent weeks:

• CVE-2025-68668 (CVSS 9.9): Sandbox bypass in Python Code Node (Pyodide). Authenticated users with workflow permissions can escape the sandbox and execute arbitrary OS commands. Affects 1.0.0 through 1.x. Fixed in 2.0.0 with task runner-based Python implementation.

• CVE-2025-68613 (CVSS 9.9): Another code execution vuln dropped late December.

Supply Chain Implications

Full instance compromise here is particularly nasty because n8n workflows typically store credentials for every connected service: API keys, database strings, cloud provider creds, OAuth tokens. Depending on how n8n does their secrets handling, an attacker could get all of them in one shot.

Three critical RCEs (two at 9.9, one at 10.0) in about a month is nothing to scoff at. The risk profile mirrors CI/CD compromises like CircleCI and CodeCov: automation platforms are trust anchors with broad access and stored secrets. If you’ve been running vulnerable versions, assume credential exposure and rotate secrets for any service n8n touched. Audit workflow modification history for signs of tampering etc. Upgrade to 2.0.0+ immediately.

Hacktivist Nukes White Supremacist Sites Live at 39C3

A hacktivist called “Martha Root” (dressed as the Pink Power Ranger) deleted three white supremacist websites live onstage at Chaos Communication Congress: WhiteDate (Nazi Tinder), WhiteChild (supremacist donor matching), and WhiteDeal (racist TaskRabbit). All remain offline. Root infiltrated using AI chatbots verified as “white,” scraped data, found images with precise geolocation metadata, then wiped the servers during the talk. 6,500+ user profiles leaked (86% male). DDoSecrets has the full 100GB dataset for verified researchers. The admin confirmed the hack on X, calling it “cyberterrorism.”

Many wild stories this week, but this one is certainly top 3. Crazy times we are living in.

CISO Tradecraft: 12 Free Cybersecurity Templates

released a Christmas gift pack of 12 free templates for security leaders. Highlights include:

• 9 Box Template: Map security projects by Impact vs. Effort for budget prioritization

• CMMC Reference Guide: All three levels with at-a-glance control explanations

• AI Control Matrix & Questionnaire: Based on CSA AICM v1.0.3, with automated risk scoring and compliance dashboards

• Cybersecurity Tools Murder Board: Framework for evaluating which tools to retire

• GenAI Risk Assessment: Based on California’s SIMM 5305-F

• Toil Register: Track manual work and tech debt with risk levels and remediation priorities

Templates available at https://www.cisotradecraft.com/freetemplates

Great practical tools for security leaders doing the not-so-sexy work of budget justification, vendor rationalization, etc. Assets like these are massive unlocks as they force leaders to reflect and optimize across many of the ‘people, process, technology’ layers.

Palo Alto Inks Multibillion-Dollar Google Cloud Deal

Palo Alto Networks and Google Cloud announced a “multibillion-dollar” partnership, with Reuters reporting Palo Alto will pay Google nearly $10B over multiple years.

Key integrations: Prisma AIRS protecting GCP AI workloads (Vertex AI, Agent Engine), VM-Series firewalls with deep GCP integration, and Prisma SASE running on Google’s network. Palo Alto will power its copilots using Vertex AI and Gemini.

Timing is notable: Google’s $32B Wiz acquisition cleared DOJ in November and Wiz was PANW’s biggest cloud security competitor.

Imo, Google is hedging: Wiz gives them native CNAPP, but Palo Alto fills gaps in network security, SASE, and AI workload protection. More importantly, enterprises with existing Palo Alto deployments aren’t switching overnight. Google needs that bridge to sell GCP. I imagine there will be a few awkward product overlap convos post-Wiz, but too much revenue at stake for competitive tensions to derail it.

Overall positive for the industry.

2026 SANS Detection Engineering Survey Is Live ⚡

SANS and Anvilogic are running the detection engineering survey again, and if you’re in the trenches doing DE work, it’d a great service to the industry for you to take it. You can access it here.

Last year’s report had a ton of valuable findings and insights from top DE voices including: 80% of orgs investing in DE, and confirmation that nearly half of SOCs still can’t get access to the data they actually need. The threat modeling and data engineering skills + tooling gaps were called out hard, and honestly, I don’t think much has changed.

I may be biased since I contributed to last year’s report but these practitioner surveys are one of the few places we get real signal instead of vendor narratives. If you’re a practitioner and you’ve got opinions on where DE is headed, this is your chance to put them on record.

Rumor Mill: Cisco and Palo Alto Networks

The year certainly started off with some M&A rumor fireworks. Cisco is rumored to be in talks to acquire Axonius for ~$2B (Axonius has denied). Meanwhile Palo Alto Networks is rumored to be eyeing an acquisition of KOI security (~$400M). Both would be very synergistic for the acquiring co’s in my opinion. I’ll be ‘monitoring the situation’ and cover anything else that arises here. Rumors for now they say….

🔮 The Future of Security 🔮

AI Security

Palo Alto Networks Joins NVIDIA Enterprise AI Factory Validated Design

Prisma AIRS now part of NVIDIA’s Enterprise AI Factory validated design, running on BlueField DPUs. The architecture offloads security processing to the DPU, freeing 100% of host compute for AI workloads while maintaining real-time threat detection. Telemetry feeds into Cortex XSIAM.

More AI security news ⬇️

• Banger post on the "friction paradox" in AI security: the more academically beautiful and complete your security controls, the more likely users bypass them entirely. The result is zero security impact.

  Joshua Saxe

  Swallowing the reality pill in AI agent security

  This past year I made some public presentations arguing for a security model for AI agents with three nested layers…

  Read more

  4 months ago · 19 likes · 1 comment · Joshua Saxe

• AI Security Firm Ciphero Emerges From Stealth With $2.5 Million in Funding

Identity and Access Management

Wiz Adds Oracle Cloud IAM to Unified Identity Graph

Wiz now pulls OCI IAM into the same security graph used for AWS, Azure, and GCP. OCI’s quirky constructs (Identity Domains, Compartments, natural-language policies) get normalized into a queryable cross-cloud model. Surfaces users, groups, service principals, API keys, permission paths, plus the usual: unrotated keys, overly broad groups, missing MFA.

SaaS Security

SaaS-to-SaaS Connections: The OAuth Scope Blind Spot Most Teams Miss

This post from Reco highlights some of the biggest security issues with OAuth. The Salesloft-Drift breach from earlier this year is a good example of what happens when these get ignored.

• Every time a user clicks “Allow,” those permissions persist indefinitely, often granting read/write access far beyond what’s needed

• Dormant apps retain active tokens long after anyone stops using them

• A compromised plugin with cross-platform OAuth access can create lateral movement paths between apps (Slack → Google Workspace) through completely unmonitored tunnels

• AI agents and MCP add another layer: non-human identities with high privilege spanning multiple SaaS platforms, no HR visibility, no natural offboarding trigger, and nobody reviewing the permissions they’re requesting

We’re still early in figuring out how to secure agents and MCP, but SaaS security tools are well-positioned to help solve some of these risks.

Security Operations

Vega Raises $120M Series B, Hits $700M Valuation

In December, Vega closed a $120M Series B led by Accel, hitting a $700M valuation (up from $400M three months ago). Total raised: $185M.

Vega challenges traditional SIEMs by analyzing data in place without forced migration.

Congrats to the Vega team! Genuinely great humans + sponsors of TCP. Two years in, $700M valuation, $185M raised. The “analyze in place” pitch resonates because SIEM migration is genuinely painful. Strong company to watch.

More SecOps news ⬇️

• Resemble AI Raises $13 Million for AI Threat Detection

• SpecterOps and Tines partner to add native BloodHound and automated attack path workflows

Supply Chain Security

Docker Opens the Hardened Image Vault: 1,000+ Secure Containers Now Free

Docker made its entire catalog of 1,000+ Hardened Images free under Apache 2.0. Images are minimal, rootless, no shell, no package manager. Full SBOMs and SLSA Build Level 3 provenance included. Enterprise tier remains for FIPS/STIG compliance, 7-day critical CVE SLAs, and customization. Timing notable given Bitnami just pulled its free catalog behind a $50K+ paywall.

Docker playing offense, commoditizing secure base images right as Chainguard ($3.5B valuation) and Echo ($50M raised) build businesses around them. Community skepticism is fair given Docker’s track record, but this removes a real barrier.

Vulnerability Management

Gambit Cyber Raises $3.4M Seed for AI-Native CTEM Platform

Dutch startup Gambit Cyber closed $3.4M seed led by Expeditions, with Bitdefender Voyager Ventures participating. Founded 2024, their KnightGuard platform uses coordinated AI agents for vulnerability discovery, validation, and prioritization. Already deployed in financial services, telecom, and critical infrastructure across India, UAE, and Europe.

Interested in sponsoring TCP?

Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to a dedicated audience of 20,000+ CISOs, practitioners, founders, and investors across 125+ countries 🌎

👉 Learn more here!

Bye for now 👋🏽

That’s all for this week… ¡Nos vemos la próxima semana!

Subscribe now

Share

Over Christmas break, I came across Andrej Karpathy’s 2025 LLM Year in Review blog post which put a lot into perspective on how far AI went in 2025. I then went on to reflect on the shifts (for better or worse) that have taken place in the security industry.

TL;DR: AI in security crossed the ROI threshold. Real-world outcomes on both the attack and defense side. Empirical data and real-world incidents point at 2025 being the breakthrough year.

In this post, I’ll break down what that looks like on offense, defense, and where it’s headed in 2026.

AI in Offense: Better Attack Economics

The highlight isn’t that AI discovered novel 0-days or invented new TTPs. It’s that LLMs have lowered the cost and time barriers significantly.

Stanford, CMU, and Gray Swan AI published the ARTEMIS study, the first controlled test of AI agents versus human pentesters on a live enterprise network (8,000+ hosts, 12 subnets, real IDS). ARTEMIS’ AI agents placed second overall, outperforming 9 of 10 OSCP-certified professionals. Cost: $18.21/hour (~$38K/yr) vs. $150K+ fully-loaded for a senior pentester (the study cited $125K base salary, but that number is much higher from my exp.).

The agents did have higher false-positive rates and struggled with GUI-based tasks, but excelled at enumeration and parallel exploitation. When ARTEMIS flagged a vulnerable target, it immediately spawned a sub-agent to probe it in the background while continuing to scan. Humans simply can’t match that parallelism. In the study, one human discovered an LDAP server vuln but then never returned to it.

ARTEMIS is a complex multi-agent framework consisting of a high-level supervisor, unlimited sub-agents with dynamically created expert system prompts, and a triage module. It is designed to complete long-horizon, complex, penetration testing on real-world production systems.

With the proper guardrails, high quality continuous pen testing is now economically viable for many orgs. This has significant implications for defenders. AI will only get better.

In my opinion, the ARTEMIS study should be required reading for anyone in security regardless of your role. It hints at where the attack-side is headed.

Other offensive AI highlights include an AI-pentesting startup, XBOW, reaching #1 on HackerOne’s US bug bounty leaderboard. DARPA’s AIxCC challenge produced AI tools that found 54 of 63 synthetic vulnerabilities across 54 million lines of code. Many of the tools created and used for that challenge are now open source.

The Hallucination Problem Persists

In November, Anthropic released a report covering how they disrupted a Chinese state-sponsored group running AI-orchestrated cyber espionage. The story probably generated a lot of FUD, but the impact was real. Actual organizations were compromised before Anthropic intervened. The attackers jailbroke/social engineered Claude into executing 80-90% of their ops including recon, exploitation, lateral movement, credential harvesting.

While there are many cool aspects to this story,I think what’s most relevant to defenders is that Claude frequently hallucinated during operations. It claimed credentials that didn’t work. It flagged “critical discoveries” that were publicly available. Humans still had to verify everything.

And this is with Claude Code, arguably the most sophisticated AI of its kind available to the public. Most attackers are using open-source or shady models that lack the security guardrails that models like Gemini, ChatGPT or Claude have. If state-sponsored attackers are getting tripped up by hallucinations on Claude, imagine the failure rate on ungoverned models

This is the real state of AI offense heading into 2026. Dangerous enough to cause harm. Unreliable enough to require human oversight. Both things are true. As I stated in the previous section, the AI will only get better.

Real-World Offensive Use Cases

Already in the wild:

• Google observed PROMPTFLUX, malware that queries LLMs mid-attack and adapts dynamically

• CrowdStrike reported AI-generated phishing hitting 54% click-through rates versus 12% for human-crafted

• Wiz documented malware (LameHug, s1ngularity) invoking LLMs mid-execution. Immature but being refined in the wild.

• Anthropic disclosed a criminal used Claude to build functional ransomware ($400 to $1,200) without prior encryption knowledge

Takeaway: Assume your adversaries have AI augmentation. Accelerating MTTD + MTTR becomes even more important. AI-powered pentesting is a huge defensive unlock. Budget and staff accordingly.

AI in Defense: Real-World ROI Across Many Use Cases

For years, “AI-powered security” was aspirational marketing. 2025 was the breakthrough year where we saw true ROI and more serious use cases other than natural language queries and copilots.

One prime example (and there are many), is Grammarly’s use of MCP capabilities. Their security team cut alert triage from 30-45 minutes down to 4 minutes per alert, a 90% reduction using Wiz MCP and Claude.

MCP is the connective tissue that makes this possible. It lets AI agents query your SIEM, pull context from your cloud console, and take action in your ticketing system without custom integrations. Wiz, CrowdStrike, Splunk, Palo Alto, and countless others have all shipped MCP support.

The AI SOC also gained more traction in 2025. Gartner’s 2025 Cybersecurity Innovations survey: 42% of enterprises are piloting AI agents for security operations. Another 46% plan to start next year. This is a great podcast ep. to listen to if you’re still skeptical about the AI SOC.

Foundation model companies also shipped dedicated security capabilities in 2025. Anthropic launched /security-review in Claude Code, a command that scans codebases for SQL injection, XSS, auth flaws, and insecure data handling, with a GitHub Action for automated PR reviews. OpenAI followed with GPT-5.2-Codex, which includes similar vuln detection and a Trusted Access Pilot. “Security” is mentioned 27 times in the announcement post of 5.2 Codex. What’s that tell us?

In any case, I do expect the labs to continue shipping security capabilities. AppSec first since they’re already generating it, scanning it is a natural extension. I think they’ll come for other domains in due time. How they’d fare in a bake-off against dedicated security vendors? That’s a topic for another day.

AI Across Security Domains

The Numbers

These come from IBM’s 2025 Cost of a Data Breach Report (conducted by Ponemon Institute). Cost-based findings are estimated from interviews rather than audited financials, so take it with a grain of salt. That said, 600 orgs, 3,400+ interviews, and it’s been running for 20 years. It’s one of the most trusted and referenceable reports in our industry.

Highlights:

• $1.9M saved per breach for orgs using AI and automation extensively

• Breach costs dropped 9% ($4.88M to $4.44M)—the first decline in five years

• Mean time to identify dropped to 181 days, a nine-year low

• Organizations using AI extensively shortened breach lifecycle by 80 days

These stats hint that teams adopting AI for security are outpacing their peers when it comes to breach costs and mean time to detect, respond, contain, and remediate.

New Attack Surface: Shadow AI and Agentic Access

Two challenges that AI has introduced and became more prevalent in 2025 are agentic IAM challenges and the impact of Shadow AI. I cover the latter in depth here and in this collab report with Reco on the State of Shadow AI. I also wrote a report on the Future of Data Security which covers the data impacts these two challenges bring.

Let’s just say that enterprise adoption of LLMs and agentic capabilities have drastically changed the attack surface and enterprise threat model.. And that would be an understatement.

I’ll be covering agentic IAM challenges in a follow-up post.

2026 Predictions