Agentic AI finds 10,000+ vulnerabilities as security gaps widen and adversaries close in

Agentic AI Is Transforming Defense, But Only Secure IT Infrastructure Will Maximize It

Over the past several weeks, the cybersecurity community has been reminded how quickly frontier AI can challenge our assumptions. When Anthropic's Claude Mythos model was made available to a limited set of organizations as a technical preview, it was reported that an unauthorized group claimed that it had gained access within hours. The incident, if true, was more than a possible breach. It was a warning. The White House's June 2 Executive Order on Advanced AI and Security is well-timed. The potential impact of advanced AI on U.S. defense and intelligence networks is significant. As the U.S. government moves to deploy AI capabilities on classified networks, the opportunity is clear: advanced AI can help accelerate decision superiority for American forces. But the risks are expanding just as quickly, particularly as agentic AI begins to operate across sensitive networks, data environments, and mission workflows. AI adoption is not simply about deploying powerful models. It requires the right security, governance, and resilient infrastructure around them. AI is only as trustworthy as the data it uses, the networks it touches, and the controls that determine who and what can access it. In classified environments, that challenge is compounded by the need to move information securely across classification levels, compartments, coalition boundaries, and operational environments. For AI to rapidly deliver the expected decision advantage, three important areas must be considered: 1. What is entering the model? Training data and commercial models must move quickly but securely into classified environments. Without proper inspection, even the strongest AI model can become a liability by processing stale information or ingesting 'poisoned' content that leads to compromised assessments. 2. Who and what can access the AI? Cleared analysts, coalition partners, edge operators, and AI integration teams will all require governed access that enforces security boundaries without inadvertently 'collapsing' networks together. 3. Where is the AI agent reaching back out? Every model call to a database, mission system, or coalition partner must preserve the integrity of the classification layer. If AI is going to compress operational timelines, the security boundary cannot become the first point of failure. All of this depends on the network layers beneath the models. Everfox is enabling defense and intelligence agencies to keep pace with revolutionary changes in AI without compromising mission speed and security. Our technologies provide a secure network fabric built on cross-domain capabilities and hardware-enforced protection that is purpose-built for classified environments and the tactical edge, all so AI can be securely and confidently deployed at a mission scale. AI introduces risk across every layer: system components, integrations, downstream outputs, and mission workflows. As defense and intelligence organizations accelerate adoption, AI tools will increasingly operate across domains, compartments, and operational theaters. In these environments, trusted infrastructure, strict access controls, and strong data governance are not optional. They are mission-critical. Sensitive data must be able to move securely across classification boundaries, with threats and policy violations identified before they ever reach a model. If we want to deploy AI responsibly at scale, we have to build security in from the start, not bolt it on after the technology is already embedded in mission operations. Frontier AI will be an important engine of future mission advantage. But without a secure network fabric to carry it, even the best models cannot be trusted to operate where and when they matter most.

AI finds 10,000 vulnerabilities. China is copying the models.

Frontier AI models can now find thousands of vulnerabilities in weeks, but China is distilling those same capabilities through industrial-scale campaigns. The US response is a voluntary 30-day review that was weakened before it was signed. In May, Google's Threat Intelligence Group confirmed the first known case of an AI system discovering and weaponising a zero-day exploit that was then deployed in the wild. A criminal actor used a frontier model to find a two-factor authentication bypass, build a working exploit, and use it before any defender knew the vulnerability existed. That single incident compressed what used to take skilled hackers weeks into a process measured in hours. It is the clearest illustration yet of the dual-use problem at the heart of frontier AI: the same capabilities that let Anthropic's Mythos find more than 10,000 high-severity vulnerabilities through Project Glasswing can, in the wrong hands, generate an equivalent number of exploits. The defensive side Project Glasswing is Anthropic's showcase for what frontier models can do for cybersecurity defence. Since launch, Claude Mythos Preview has surfaced thousands of zero-day vulnerabilities across every major operating system and web browser, some of which had survived decades of human review. Anthropic has expanded the programme to approximately 150 organisations in more than 15 countries, including Samsung, SK Hynix, NATO, and the EU's cybersecurity agency ENISA. The bottleneck, as Anthropic has noted, has already shifted from finding vulnerabilities to patching them fast enough. That sounds like a success story. It is, until you consider that the same class of model is accessible, or soon will be, to adversaries who have no interest in patching anything. The distillation problem The White House released a policy memorandum in April accusing China of conducting "deliberate, industrial-scale campaigns" to extract frontier AI capabilities from American labs. Distillation does not require stealing model weights. A distiller feeds thousands of carefully constructed queries to a frontier model, collects the responses, and uses them to train a cheaper rival that approximates the original at a fraction of the cost. Anthropic published evidence naming three Chinese laboratories. DeepSeek conducted more than 150,000 exchanges with Claude focused on foundational logic and alignment techniques. MiniMax generated over 13 million exchanges. Moonshot AI produced more than 3.4 million targeting agentic reasoning, coding, and computer vision. Across the three, Anthropic identified approximately 24,000 fraudulent accounts and 16 million total exchanges, using jailbreaking techniques and commercial proxy services to circumvent geofencing. By early April, OpenAI, Anthropic, and Google had begun sharing distillation threat intelligence through the Frontier Model Forum. That three fierce competitors agreed to cooperate on anything is itself a measure of how seriously they take the threat. The policy gap On 2 June, Trump signed an executive order asking AI companies to voluntarily submit frontier models for government cybersecurity testing up to 30 days before public release. The order was originally drafted with a 90-day window, but the White House pulled it in May over concerns it would blunt US competitiveness against China, then cut the period to 30 days in the final version. The word "voluntarily" is the operative constraint. No company is legally required to participate. The order gives the government no power to block a release. It is, by admission of multiple officials, the closest thing the United States has to an AI oversight system, and it was weakened before it was signed. Meanwhile, Anthropic has embedded approximately six engineers inside the NSA to adapt Mythos for operational applications, according to reporting from TechTimes. Sources familiar with the arrangement said the model could be used for offensive cyber operations targeting networks in countries including China and Iran. The same company that found 10,000 defensive vulnerabilities is reportedly helping the US government use the same technology offensively. The race nobody can win cleanly The structural problem is clear. US frontier models are the best in the world at finding software vulnerabilities. Chinese labs are distilling those same capabilities, months behind but closing. If the US restricts access to protect the models, it slows diffusion of defensive tools to allies. If it does not restrict access, it accelerates the transfer of offensive capabilities to adversaries. Anthropic says it does not plan to make Mythos generally available until cybersecurity safeguards can detect and block the model's most dangerous outputs. But those safeguards do not yet exist. And as the Google incident demonstrated, criminal actors are already using frontier-class models to develop exploits in the wild, without waiting for anyone's permission. The AI cybersecurity arms race is not a future scenario. It is the present operating environment. The question is whether governance can keep pace with a technology that finds vulnerabilities faster than institutions can patch them, regulate them, or even agree on who should have access.

Virtual barbarians at the gate: securing the AI blind spot

Many companies have quickly moved to adopt artificial intelligence in their systems, embedding it into virtually everything from customer apps to internal systems. That speed has created new pressure for security teams, because AI-enabled applications can introduce unfamiliar attack surfaces, unpredictable behavior, and new ways for attackers to manipulate inputs, access data, or chain weaknesses across systems. Traditional security approaches still matter, but static checks, periodic penetration tests, and basic vulnerability scans were not built for this pace of change. They can miss issues that only appear when applications are tested dynamically, in context, and from an attacker's perspective. As AI accelerates development and expands the attack surface, platforms like XBOW are becoming more important. With continuous pentesting and autonomous offensive security, XBOW helps teams find, validate, and prioritize exploitable vulnerabilities before attackers do. Protecting AI Systems Through Continuous Testing Washington State University explains how AI can be a double-edged sword. "Adversarial attacks exploit vulnerabilities in AI models to manipulate their behavior. By making subtle modifications to input data, attackers can deceive AI systems, leading to incorrect outputs or decisions." AI doesn't just turn your system into a target; it completely changes the whole security game. In addition to looking for classic flaws like buffer overflows or weak firewalls, security professionals now have to worry about brand new vulnerabilities, such as prompt injection, data leakage, and adversarial inputs that can manipulate the model. Teams must evolve their strategy for this broader, more dynamic attack surface that traditional testing methods are not always equipped to evaluate. Platforms such as XBOW enable continuous testing to better protect complex systems that are easily manipulated by new forms of attack. The big challenge is in security AI, given its dynamic and often unpredictable nature. In traditional software, a specific command always yielded the same results, making defense, if not easy, at least a set of predictable bulwarks. AI models, however, can be subtly influenced or tricked in ways that bypass conventional security controls, and the general lack of human oversight can make this problem even worse. How Agentic Testing Is the New Adaptive Approach to AI Security Security teams need a new approach. Testing AI for vulnerabilities needs to be continuous, adaptive, and focused on how the system behaves, not just something that gets run once in a while. Teams can no longer afford to rely on simple scheduled assessments. The speed at which AI deploys its executables means a security process needs to be faster and even more flexible to predict breaches ahead of disasters. Which is where agentic testing comes in. It uses AI itself to simulate sophisticated, real-world attacks both persistently and realistically. This systematic "fight fire with fire" approach goes beyond checking for known bugs and actively testing the system's resilience by mimicking the creative nature of a human or a human combined with an AI attack. The Next Generation of AI Security Modern platforms, including XBOW, use AI to simulate attacks and help security teams find exploitable weaknesses. These agentic testing platforms use autonomous "agents" that can systematically probe the AI system's defenses. These agents don't follow a script. Instead, they learn from the system's response, adapting their tactics and relentlessly looking for the weakest point in the AI setup, like a giant game of cat and mouse that never ends. As an example, a basic test might check if an obviously problematic command is blocked. An agentic test, on the other hand, will use a series of subtly crafted, conversational prompts to trick a Large Language Model (LLM) into revealing sensitive data or even ignoring its built-in safety rules. An agent might start with a harmless request, analyze the LLM's response, and then slowly escalate its game until the system performs an unauthorized action. By running these simulations, your team can "teach" the security system to up its game in response. Integrating the Human Factor Into AI This does not mean the human factor has been cut out. In fact, this ongoing simulation is important because it lets the human security team find and fix vulnerabilities before they are exploited by a real attacker. And by ranking risks based on their level of exploitability, companies can focus their limited time and resources on the most important and damaging flaws. Integrating AI testing also means that security becomes part of the system from the moment of its inception. Security isn't treated as the final stage at the end of development. Instead, it runs throughout the lifecycle of the system, from development and deployment to retirement, while also properly meeting security compliance guidelines. Anticipating the AI Threat With Adaptive Security Platforms like XBOW give security teams the means to achieve such a deep integration. They provide the sophisticated weapons needed to keep up with rapidly evolving threats. Even better, they can act as a proactive shield before the threat even reaches your doorway. Automatic and continuous agentic testing can put your security team back at the front gates so they can identify the enemy. The age of AI is here, and it's showing no signs of going away. It requires a security system that can not only keep up but anticipate its next move before it even knows it. Moving from static checks to adaptive, behavior-driven defense can help your team flip that script and more easily manage the new (and next) generation of security risks that are growing out in the AI wilderness.

What the OpenClaw vulnerability reveals about the future of agentic AI security

When employees and developers adopt new tools independently, IT management often discovers them only after they are deeply embedded in daily workflows. OpenClaw, a widely used AI agent, illustrates this point clearly. On the surface, it provides convenience, managing tasks, sending messages, and automating repetitive workflows. Behind the scenes, it operates with broad authority, holding credentials, executing commands, and connecting across systems without oversight. The vulnerability identified by our Threat Research Team is a window into a larger truth: AI agents are now operational actors rather than simple productivity tools. They act autonomously and silently, representing a new class of enterprise risk. Security leaders can no longer ignore the risks these agents pose. They must understand how and why compromises occur. The Rise of OpenClaw OpenClaw became widely adopted almost immediately after release. It runs locally on machines, connects to messaging platforms, developer tools, and calendars, and can manage complex workflows independently. Its architecture consists of a local gateway that coordinates connected nodes. These nodes can execute system commands, access files, and interact with other platforms. Users control the agent through web interfaces or command-line terminals, but once configured, the agent operates without direct oversight. This adoption reflects a broader reality. AI agents are becoming the operating layer of the enterprise. Governance is not keeping pace, and that gap is what separates organizations that will scale from those that will struggle to control what they have deployed. According to Deloitte, 74% of companies plan to deploy agentic AI within two years, while only 21% have a mature governance model in place. That gap is precisely what makes agents like OpenClaw so dangerous. They are powerful, often invisible to IT teams, and operating well ahead of the policies meant to contain them. What the Oasis Threat Research Team Discovered Our Oasis Security Research Team uncovered a vulnerability that illustrates the risks of under-governed AI agents. In OpenClaw, any website visited by a developer could silently take control of the local agent. No extensions, plugins, or user action were required. The attack exploited OpenClaw's local WebSocket gateway. Malicious JavaScript could connect to the gateway, brute-force the password, and register as a trusted device. Once authenticated, the attacker could access configuration data, enumerate connected nodes, read logs, and execute commands across connected systems. Compromising a single AI agent could effectively compromise an entire workstation. OpenClaw maintainers issued a fix within 24 hours, but the vulnerability highlights a systemic risk. Autonomous agents operating outside governance create opportunities for attacks that are difficult to detect and contain. A New Security Category AI agents are not traditional business software. They are autonomous entities with privileges across enterprise systems. They require identities to take action, and can perform multi-step actions, and interact with internal and external environments without supervision. AI agents respond dynamically to input and can operate continuously. This autonomy makes attacks such as agent hijacking and prompt manipulation more consequential. OpenClaw illustrates how misplaced trust assumptions, such as allowing local connections broad privileges, can be exploited. Similar risks exist wherever autonomous agents are deployed without clear governance. The Emerging Risk of "Shadow AI" Many AI agents are deployed without IT or security awareness. This shadow AI exists on developer machines, storing credentials, connecting to messaging platforms, and executing actions independently. The danger is tangible. Shadow AI may carry elevated access to sensitive systems with no oversight to match. As adoption grows, organizations face increasing risk from autonomous agents that act silently. The next breach may originate not from a person, but from an AI system trusted to perform work on their behalf. What Organizations Should Do Now The window for getting governance right is closing fast. PwC finds that 79% of organizations have already deployed AI agents at some level. The organizations that will scale AI successfully are the ones building governance infrastructure now: 1. Gain visibility. Inventory AI agents, autonomous assistants, and local LLM servers across developer environments. Unseen agents are ungoverned agents. 2. Patch without delay. Vulnerable agents, including OpenClaw, must be updated immediately. Treat these updates with the same priority as critical security patches. 3. Scope access carefully. Agents hold credentials often with elevated permissions. Audit these privileges and enforce least privilege wherever possible. 4. Govern non-human identities rigorously. Treat agents as identities. Implement intent analysis to understand proposed actions, enforce deterministic policies to prevent unsafe operations, grant just-in-time scoped access, and maintain full auditability linking human intent to agent action. These measures allow organizations to balance safety with innovation. The Lesson of OpenClaw OpenClaw has been patched, but Oasis' discovery serves as a warning. AI agents are operational actors, not tools. Organizations that continue to treat them as productivity features are operating in the dark and inviting risk. AI agents are already part of enterprise workflows. The question is no longer whether to govern them, but whether your organization will build that capability before an incident arises. Organizations that enforce policy, maintain full audit trails, and govern agentic identities will be the ones that scale AI with confidence. Those that fail to adapt will find that the next enterprise compromise originates not from a human, but from the very autonomous systems they trusted to accelerate work. We list the best internet security suites. This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

AI doesn't break security. Complexity does

Too often, the history of enterprise security has been a history of making things harder to use. A new threat emerges, a new control gets bolted on, and somewhere in the process, people start working around the very systems designed to protect them. Over the course of my career, I've seen firsthand that security adoption rarely fails because people don't care about security. It fails because the secure path feels harder than the insecure one. In the age of AI, that lesson matters more than ever. AI expands the attack surface and raises the ceiling on what attackers can do, which makes simplifying security even more critical. Security controls that require effort or inconvenience eventually get ignored. People find workarounds. The answer is to make the secure path the easiest path. Security works best when it gets out of the way When security is easier to use than to avoid, people adopt it. Years ago, when the industry was rolling out two-factor authentication at scale, the biggest challenge wasn't building the security itself, but the friction that came with using it. People had to stop what they were doing, grab a phone, launch a VPN, enter codes, and interrupt their workflow just to log in. What ultimately drove adoption wasn't policy, compliance requirements, or security training. It was simplicity. Now that it's as easy as a fingerprint or a face scan, people use it without hesitation. The same principle drove browser makers to make security more visible and intuitive for everyday users. Rather than expecting people to manually inspect URLs, modern browsers prominently flag non-HTTPS sites as insecure, helping guide users toward safer behavior by default. Security became stronger in part because the secure path also became the easier and more obvious one. Where complexity shows up in AI Agent permissions are a good example of where this plays out in AI systems. Employees accumulate numerous permissions over time through a project here, a system access there, a role that never got cleaned up after a team change. Humans know which access is relevant to a task even if the system doesn't actively enforce it. Agents lack that judgment. An agent assigned to a problem will probe every available path. If it can access 12 systems but the task requires only two, it might still explore the other 10. It's just being thorough, but the result is a potential attack surface far larger than the task required. The temptation is to put a human in the loop by flagging significant actions and asking for approval before proceeding. But in practice, an agent may prompt a human to approve a deeply technical action without enough context to judge whether it's appropriate. In most cases, they'll approve it simply to keep the workflow moving. This only adds friction and a false sense of oversight. What's really needed is a permissioning model built around intent. The agent should have only the credentials it needs for a specific task, and they should expire when it's done. The industry is already beginning to move toward better models. Standards like OAuth are evolving to support agentic AI, allowing agents to carry the identities scoped to a specific task, rather than a user's full permission set. Making AI security easy to use Ease of use starts with visibility, so the first priority is knowing what's actually happening. Where are your agents connecting? What data are they touching? What permissions are they exercising? Many enterprises are surprised by the answer when they first look. Most organizations operate with roughly 80% visibility and control. The problem is the remaining 20%, because that's where the real risk tends to live. AI is going to find those gaps far faster than humans can. Start with monitoring, even if you're not ready to enforce anything yet. Use AI to sift through what you find and prioritize the highest-risk behaviors. Then close those down systematically. On the identity side, move toward workload identity wherever you can. The old model of creating service accounts, downloading keys, and distributing them across your infrastructure is fragile and hard to audit. Modern cloud environments offer a better approach: a workload's identity is established at deployment and credentials are never distributed as static keys. The management burden drops and the attack surface shrinks with it. For agents specifically, resist the temptation to give them broad permissions on the assumption that human approvals will catch problems before they happen. Scope agent access to the task at hand and ensure those permissions expire once the work is complete. For teams managing multiple agent-to-tool connections, MCP gateways are emerging as a practical way to encode governance rules centrally rather than tool by tool. Keep a human in the loop for consequential actions, not every action, particularly those where the blast radius of a mistake is meaningful. The pace of risk is accelerating In the AI era, the gap between exposure and exploitation is rapidly disappearing, collapsing from days to hours and, in some cases, minutes. CrowdStrike's 2026 Global Threat Report documents that the average attacker breakout time has accelerated by 65% year over year. As AI becomes more capable of autonomously identifying weaknesses, security teams relying on manual response processes will fall behind. The answer, though, hasn't changed. Security that creates friction will eventually get bypassed. Security embedded directly into the architecture, enforced by default and invisible in practice, is the kind that actually holds. AI raises the stakes, but the principle remains the same: security only works when the secure path is also the easiest one. Mayank Upadhyay is Chief Security & Trust Officer at Snowflake. Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they're always clearly marked. For more information, contact [email protected].

Mythos enters the chat

From November 2025-February 2026 at least nine Mexican government organizations were breached. Gambit Security reported that millions of confidential records were stolen from hundreds of servers. This is categorically bad, but scary security news is abundant. For instance, Supply Chain attacks are becoming increasingly common, exposing the tooling that should keep software components reliable and trustworthy. But when source code is compromised, the impact of that damage is widespread and cascading. Supply Chain compromise is the latest issue to keep the security profession up at night. Against that backdrop, why are the findings from the Mexican government breach so noteworthy? Generative exploitation This brutal campaign sets precedent for the scale of real-world exploitation with commodity Generative AI. After building a map of resources, server data was passed through OpenAI's APIs to GPT-4.1 for analysis, producing ~2500 reports which were fed back into Claude Code for exploitation. ~400 custom scripts were written to broaden and accelerate the attack. Roughly 75% of the commands were generated and executed by Claude Code's tools, including creation of a data exfiltration API and a complex tax certificate forgery tool. The report is clear that safety measures slowed the attack routinely, but never comprehensively enough to prevent it. This is a view of offensive capability with a very capable scaffold and models released in 2025. AI helped the attacker move faster, discover weaknesses, build custom tools to exploit the weaknesses, and finally exploited more of those weaknesses. In the interval between this attack and the Mythos Preview announcements, models such as GPT-5.3-Codex and Opus 4.6 already made measurable progress beyond 2025 models on Multi-Step Cyber Attacks. Is Anthropic's decision to withhold Mythos Preview a marketing stunt? Withholding a model has been a long-standing lever in Frontier Lab safety plans. Before Mythos Preview and Glasswing, OpenAI launched their Trusted Access for Cyber program for GPT-5.3-Codex (their first model to reach "High" cybersecurity capability). Anthropic have now launched their similar Cyber Verification Program. What's unique in Mythos Preview? The UK AI Security Institute (AISI) put it best with this summary, "Mythos Preview represents a step up over previous frontier models in a landscape where cyber performance was already rapidly improving". The AISI recently created an evaluation which tests model capability on a network attack simulation spanning 32 stages of an attack chain (estimated to take a human 20 hours to complete). Mythos Preview is the first model to solve this challenge from start to finish, succeeding on 3 of 10 attempts with a 100 million token budget. AISI expect greater budget would improve results further. Mythos Preview excels at lengthy orchestrated tasks. Anthropic has been explicit that Mythos Preview wasn't explicitly trained for cybersecurity capabilities; this leap stems from training for coding, specifically by focusing on improvements for long-running execution. This is the first lesson we should take from Mythos Preview: coding capability and cybersecurity capability are equally linked to context, reasoning and orchestration. If we review the rest of what can be disclosed (comprising roughly 1% of all findings in the Mythos Preview cybersecurity assessment), some other themes emerge. Mythos Preview is better at finding and exploiting vulnerabilities, capable of finding things where humans wouldn't look (scaling in ways that humans won't), capable of finding things in code that humans have looked at thousands of times (but haven't identified for decades), produces more accurate vulnerability findings and severity assessments, and is better at recommending fixes to the vulnerabilities it finds. The Project Glasswing question This final point brings us to Project Glasswing, Anthropic's coordinated effort to share Mythos Preview vulnerability findings with the "world's most critical software" vendors before the fuller findings are published. This collaboration aims to remediate, "thousands of high-severity vulnerabilities, including some in every major operating system and web browser." Anthropic has committed up to $100 million in Mythos Preview usage credits to the Glasswing vendors (for additional scanning and remediation) and $4 million in donations to OSS organizations. With this level of mutual commitment (backed by messages from these vendors) we can be clear that this is not a marketing stunt. We will learn much more about the current findings once they can be disclosed. Project Glasswing also seeks to produce concrete recommendations for a new era of AI-driven vulnerability discovery and remediation, possibly encompassing processes like vulnerability disclosure and software updates mechanisms (including OSS and wider supply chains), secure development practices, industry-specific standards, and automation for triage and scaling. Anthropic concludes the Mythos Preview announcement by contrasting the difficulty of this moment with the last twenty years of, "stable security equilibrium". Most cybersecurity practitioners would take issue with that characterization. To cite a counterexample from the UK Government's Cyber Action Plan, "Nearly a third (28%) of the government technology estate is estimated to be legacy technology, and therefore highly vulnerable to attack." But another of the closing statements sets the scene well, "we should prepare with the belief that the current trend is likely to continue, and that Mythos Preview is only the beginning." Anthropic's report is bold, but their claims are backed by some of the most trusted voices in cybersecurity, including CSA (co-authored by Bruce Schneier, OWASP and SANS), NCSC and NIST. If this is only the beginning, what's next? The post-Mythos Preview developments have already begun. As promised with the Mythos Preview, Anthropic have launched their first newer model with cybersecurity de-training in Opus 4.7. When defenders have access to the fully trained model, this forms a two-prong strategy to advantage defenders. However, we can expect other Frontier AI Labs to release their own more powerful models, and that less strictly controlled models will continue to improve their offensive cybersecurity capabilities. Two unrelated Anthropic events will also shape the future. The Claude Code source code leak will yield a global uplift in AI capability, because many capability improvements come from this scaffold, rather than in the models. The success of some of those (often simple) approaches will certainly be mimicked widely, which will effectively democratize cybersecurity improvements. Also, the DeepSeek, Moonshot, and MiniMax distillation attacks might have already been a factor in Anthropic's decision to withhold the Mythos Preview release. If true, release rates might slow even while the rate of improvement accelerates. AI as the differentiator for defenders Some security experts have suggested that true cybersecurity tradecraft is found in chaining everything together, or evading discovery, or they emphasize that the human was still needed. While that is all true, the barrier to carrying out attacks like these has been lowered dramatically, and the number of facets requiring human expertise are shrinking rapidly. As an example, the bug bounty profession has already changed dramatically. It's encouraging that Anthropic, the Project Glasswing vendors, and the authorities like CSA are all singing from the same hymn sheet. Generative AI will accelerate remediation, and new security technologies will help defenders in some of the same ways it helps attackers, but all parties agree that security fundamentals will be the meaningful differentiator, even when some of the authors represent security vendors. For many organizations, this should catalyze effort where it is often de-prioritized. The unglamorous work of improving these fundamentals may finally have its moment. Using AI tools to accelerate those adaptations may be the crucial differentiator for defenders. We've featured the best encryption software. This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

Why visibility is the new frontline of cybersecurity

Unlike simple chatbots, modern AI agents are capable of independently executing actions and orchestrating workflows. In a security context, this allows them to correlate information and respond to incidents much faster than humans can react. As such, Security Operations Centres (SOCs) are increasingly relying on AI agents to manage the sheer volume of digital threats. These tools allow teams to detect and resolve security incidents quickly, significantly cutting down the time it takes to stop a live attack, explains, Michelle Abraham, senior research director in the International Data Corporation's Security and Trust Group. Overcoming blind spots The ability for AI agents to observe all relevant data, agent actions and system states in real time - with few blind spots - is a baseline requirement, Abraham continues. This includes transparency to correlate signals across domains such as identity, endpoint, network, cloud and SaaS. "AI agents require zero blind spot visibility in order to detect lateral movement, privilege escalation and multi-stage attacks, in order to provide auditable, explainable and reversible actions," she says. "Relying on fragmented data and control planes means agents operate with partial context, which leads to missed detections, increased false positives and negatives, and the inability to track agent actions or explain outcomes." This shift necessitates a pivot away from legacy pricing that rations data and towards a model where AI is grounded in the organisation's full, searchable data foundation. The legacy model of charging per endpoint has left many Australian enterprises with blind spots in their network due to budget constraints, says Mike Nichols, general manager of Security at search AI platform Elastic. Along with eliminating per-endpoint pricing to facilitate oversight across the enterprise, Elastic's search and analytics capabilities also ensure AI agents are across data stored in a wide range of environments, including long-term cost-effective object stores like AWS S3 and Google Blob. Context is king for real-time response As threat actors leverage AI efficiencies to attack smaller targets, Nichols says zero blind spot visibility is not just a concern for the big end of town. "No matter what your size, you cannot have an agentic SOC if the AI can only see half of your environment," he says. "You must remove the per-endpoint barrier and provide access to all data environments, to ensure the AI has the complete context required to respond to threats in real time." "This must be done in a way that isn't only in-cloud but also operates offline, to not only support geographically remote environments but also environments which remain air-gapped due to extremely low-risk tolerance." In the defence and government sectors, where air-gapped security is non-negotiable, having an AI partner that can operate across all isolation levels is a game-changer. It also marks the beginning of a broader shift in how security teams interact with their environments. Bringing the work to the worker For decades, productivity has been tied to navigating a click-path of complex user interfaces and nested dashboards across siloed applications. But Elastic says they are now seeing a collapse of this model. By leveraging the Model Context Protocol (MCP), the AI platform is delivering the first embedded security experiences inside tools like Claude and other AI services. This allows an SOC analyst to not just ask questions of AI, but also to execute a full investigation workflow, from query to remediation, without ever leaving their AI interface. "By embedding critical workflows directly into the AI tools where teams already live, the distance between a question and a remediation action disappears," says Nichols. "Instead of forcing a security analyst to travel to a specific software destination to be productive, the data and the ability to act on it find the user exactly where they are." Keeping humans on the loop Nichols asserts that keeping humans on the loop to oversee AI agents is also important when it comes to transparency and accountability, similar to the way human analysts work under supervision. "We are huge proponents of the fact that AI does not replace people," Nichols says. "I don't believe in the idea of a people-less autonomous SOC." "You wouldn't let a junior security analyst handle a major incident completely unsupervised, and it's the same when it comes to AI agents - they still require oversight and approval from humans to ensure accountability," he explains. "However, I think AI replaces a lot of the drudgery when you're trying to search for a needle in a stack of needles." For more information, visit www.elastic.co/security.

A live operational risk: Why AI agents are outrunning your security

The excitement was real, and enterprises moved fast on AI agents. Governance did not. Deloitte's recent report found that only 21% of organizations have mature governance for autonomous AI agents, while 73% say they are concerned about AI security and data privacy risks. Most people frame this as a resourcing lag. It's something far more uncomfortable than that. It is a self-assessment problem. Organizations that were running agent pilots in 2024 are now pushing those systems into live security operations, customer workflows and internal decision pipelines. Today, 23% of companies are using agentic AI at least moderately. Within two years, nearly three in four companies expect to reach that level. But governance did not make the same jump. That gap is a live operational risk, not a planning exercise for next quarter. Policy wrote the check. Enforcement never cashed it. AI governance programs tend to stall at the same point: the handoff from policy to enforcement. Organizations write principles, publish guidelines and establish review boards. What they rarely build is the technical infrastructure to make any of that enforceable at runtime, where agents are actually making decisions and taking actions. The underlying mismatch is architectural. Traditional governance was designed around human decision-makers and deterministic software with predictable, auditable behavior. Agentic AI operates differently. These systems interpret instructions, infer intent and act across systems in sequences that no policy document anticipated. Governance built for the old model does not port cleanly. The category itself has shifted, and most governance frameworks haven't caught up. "AI agent" has become a catch-all term, but many of the systems entering production today operate less like reactive chat tools and more like persistent digital workers. They run continuously, operate under their own accounts, have defined access to enterprise tools and pursue ongoing objectives. Governance designed for session-based tools begins to strain when systems become continuous operational actors inside the enterprise. The checklist trap Since 2023, the AI governance industry has produced a steady stream of frameworks, standards and guidance documents. Organizations adopted them quickly, in many cases faster than they have adopted the technical controls the frameworks describe. This is the checklist trap. The framework exists. The box is checked. The risk register shows "mitigated." And the agent is still running with broad permissions and no behavioral monitoring. Governance theater is not a neutral outcome. It is actively dangerous because it creates false confidence in controls that have never been technically enforced. Consider a digital worker deployed to handle customer support tickets. It can issue refunds, access customer records and update billing systems. On paper, its permissions are scoped. In practice, it operates continuously across multiple systems, making decisions at machine speed. Without enforced boundaries and active monitoring, it becomes a cross-system actor whose effective reach is broader than anyone intended. That drift may not be visible until something goes wrong. Publishing a policy that mirrors an industry standard and deploying agents that actually operate within enforced boundaries are two entirely different things. The industry has conflated them. Governance is infrastructure, not documentation Mature governance is not a static artifact. It is a live system. Enforced controls mean permissions that cannot be exceeded at runtime, not permissions documented as scoped. Monitored behavior means anomaly detection tuned to agent-specific baselines, not log files reviewed after an incident. The organizations in that 21% treat agent governance the same way strong security organizations treat privileged access management. It is continuous, instrumented and accountable to a named owner. Every production agent has a defined scope, a defined owner and a defined boundary. When it drifts outside that boundary, something fires. Organizations do not need to gut their existing governance frameworks. The principles are sound. They need to extend identity, access, monitoring and lifecycle controls to explicitly include non-human actors, much like they already do for privileged users. This is fundamentally a technical infrastructure problem. It requires investment in tooling, in monitoring architecture and in the organizational capacity to act on what the monitoring surfaces. Policy documents cannot substitute for any of it. What security leaders need to do now Audit what is running, not what was approved. Most organizations know which agents were approved for deployment. Far fewer have current visibility into what those agents are actually doing in production. Start there. Replace permission assumptions with permission verification. "Analyst-level access" is not a scope definition. Map every agent to a specific, tested list of actions it needs to perform. If that list cannot be written down and validated, the agent has wider access than its governance accounts for. Build agent-specific behavioral baselines and treat deviations as incidents. Human SOC monitoring and agent monitoring require different models. Agent behavior outside its defined task pattern is signal, not noise. Instrument accordingly. Treat AI systems as first-class identities. If a system operates under its own account and can act autonomously, assign it a named owner, scope its access narrowly, monitor its behavior continuously and include it in your lifecycle processes from onboarding to decommissioning. The gap compounds The risk is not only that something goes wrong. It is that something goes wrong inside a governance structure that gave everyone involved confidence it would not. Closing that gap requires shifting from governance on paper to governance in operation by auditing what agents actually do, tightly verifying their permissions, monitoring their behavioral patterns and treating them as accountable identities within the enterprise. Every quarter that agent deployments scale without enforcement infrastructure is a quarter where the gap between documented governance and operational reality widens. It does not stay static. It compounds. The 21% are not just ahead on compliance. They are building on a foundation that the other 79% will eventually have to construct anyway, under worse conditions and with less time to get it right. We've featured the best AI tool. This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

The next evolution of the penetration test must include agentic AI

When a CISO tells the board "we tested that system last quarter," it sounds reassuring. But in today's threat landscape, it's a measurement that no longer maps to reality. Recent industry research shows that while 95% of organizations prioritize penetration testing, only 32% of their attack surface is actually tested. The problem isn't that penetration testing is broken. It's that the word "tested" no longer means what organizations think it does. Penetration testing used to involve a small team of humans spending a limited amount of time in a system - mapping what they could reach, identifying vulnerabilities within that window, and compiling results into a static report. That model was already under pressure from the pace of change. Then AI broke it. "Tested" simply isn't pulling its weight anymore. Agentic AI is rewriting the rules For more than a decade, automation was the advantage. Mass scanners and automated reconnaissance ran constantly, but they were noisy and required security teams to sift through the output. Defense was slower, but more precise where it mattered. Humans could chain findings, understand business context, and stay one step ahead of attackers. The economics weren't always favorable, but they were workable. That trade has now broken down. Agentic AI is compressing reconnaissance from days to hours. These frontier models reason about endpoints that aren't visible in the UI and they can chain low-impact findings into business-logic exploits. The time between a CVE's public disclosure and the first observed threat-actor exploitation has collapsed to a matter of hours. That isn't a faster scanner. It's a creative attacker that never sleeps, never gets bored, and runs at the cost of compute. Now consider what an annual pentest actually buys you against that threat. It's a snapshot of an attack surface that's changing by the hour, against an adversary that doesn't wait for the next audit. Your board doesn't know that. Your auditors don't know that. And it is increasingly the structural reason why organizations get breached between audits. What "tested" needs to mean now The only way defenders can win is by fighting AI with AI. The next evolution of the penetration test must include agentic AI on the defense side. Here's what that looks like. "Tested" stops being a calendar event and becomes a posture - continuous validation against the latest exploit techniques, on the assets that actually matter, with humans focused on the findings only humans can produce. The test needs to explain what's exploited and confirmed. While a scanner can tell you a vulnerability might exist; agentic AI can tell you whether it actually fires in your environment. That distinction, at scale, is the difference between a six-figure ticket queue your team will never burn down and a short list of things that will kill you next Tuesday. We have found that roughly 40% of the vulnerabilities we find are critical or high. The signal is there. Most teams just can't get to it fast enough. And it stops being a humans-or-machines argument. It is both, and they're deployed differently. AI handles the breadth, the speed, the chained reasoning attackers are already running against you. Humans handle the creativity, the business logic, the things an algorithm has yet to model. Customers running this combined model cut average remediation time on critical vulnerabilities from 63 days to 38 in a single year, a 47% reduction across severity levels. That doesn't happen because they bought more tooling. It happens because their definition of "tested" became continuous. The talent question, reframed The cybersecurity skills gap is real, but the issue isn't a shortage of practitioners. It's a lack of senior judgment, applied where it matters. Much of the work consuming our industry's most experienced researchers is reconnaissance, triage, retesting, and sifting scanner output. That is the exact work agentic AI is now good enough to take on. Redefining "tested" frees that talent. It puts senior researchers back on the problems machines can't solve: novel attack paths and business-logic abuse - the chains that a creative human spots and a model can't reason its way to. While the UK government has set out a vision for defensive AI that operates at machine speed, the talent piece of that vision only works if we stop asking humans to do machine-speed work. What I'd ask a CISO today Pick the system in your environment that, if compromised, would put you on the front page. Now answer this: when was it last exploited under controlled conditions - not scanned, not reviewed -but actually attacked and confirmed? If the answer is "in our last annual pentest," the word "tested" in your security program has stopped meaning what you need it to mean. Fix the word, and the rest of the program has a chance to follow. We feature the best internet security suites for PCs, Macs and mobile devices. This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

Fortifying the Future: Enterprise Security for the AI Execution Layer

Enterprise security has always had a comforting assumption baked into it: systems do what they were built to do. Sometimes badly. Sometimes insecurely. Sometimes in ways that make auditors develop a nervous twitch. But still, the basic shape was understandable. Applications processed requests. Databases stored data. APIs connected systems. Users clicked things they probably should not have clicked. Then AI arrived and made the whole thing a little weird. AI did not introduce one neat new risk category. Security teams are very good at turning new risk categories into taxonomies, dashboards, and meetings with names like "working group." The real change is that AI cuts across the categories we already had. Employees use AI tools to summarize, analyze, code, create, and make decisions faster. Developers embed models into applications connected to customers, documents, databases, and internal systems. Agents retrieve information, call tools, invoke APIs, and take action across workflows. AI is no longer sitting politely inside a single application boundary. It is becoming a new execution layer across the enterprise. A prompt entered in a browser can shape a business decision. A retrieved document can manipulate an application response. A model output can trigger an agent action. A tool call can move data, change a record, or initiate a workflow before a human has time to review what happened. In other words, language has become executable. That does not mean every prompt is code. It means natural language can now influence how systems behave, what they access, what they generate, and what actions they take. This is already showing up in real security research. Check Point Research has disclosed vulnerabilities in AI developer tooling, including command injection in OpenAI Codex CLI and critical flaws in Claude Code that could expose API keys and redirect authenticated traffic. Researchers have also documented how hidden instructions in AI workflows can manipulate agents into exposing secrets or taking attacker-controlled actions. That is why enterprises need an AI Defense Plane. The AI security gap is architectural Most enterprises understand that AI changes the risk model. The harder question is whether they have the architecture to control it. According to Check Point's 2026 Cloud Security Report, 77% of organizations have changed their security strategy in response to AI, but only 26% say they have the architecture to enforce it. This creates a familiar enterprise pattern: the strategy has moved on, but the architecture is still looking for its shoes. Policies get written. Governance boards are formed. Acceptable-use rules are published. Teams deploy filters, model safeguards, data controls, or testing processes. All of that matters. But it does not automatically create a coherent control model. AI risk does not stay inside one layer. It moves between employees, applications, models, data, tools, APIs, and agents. It appears through interaction, context, intent, and behavior. The issue is not whether an organization has AI policies or point solutions. The issue is whether it can enforce them across the places where AI is used, embedded, and allowed to act. Point controls do not see the full path Point controls can solve narrow problems. They can inspect a traffic path, filter an input, monitor a tool, or test a model at a specific moment in time. But AI systems rarely fail in only one place. A single AI workflow may begin with a user request, pull in retrieved context, pass through a model, generate an output, and trigger an action through an agent or tool. Every step may look legitimate in isolation. The risk often appears in the chain. That is where fragmentation becomes a problem. One team may manage employee AI usage. Another may secure AI applications. Another may review models. Another may own identity and access. Another may manage data protection. Each sees part of the picture. None sees the full execution path. If AI risk travels through the system, security cannot sit in a corner and wait for it to arrive. What is the AI Defense Plane? The AI Defense Plane is a unified security architecture for discovering, protecting, governing, and validating AI behavior across the enterprise. It is not one control point. It is a coordinated control model across three connected planes: employees using AI tools, applications embedding AI into workflows, and agents that access data, invoke tools, call APIs, and take action. Across those planes, the AI Defense Plane brings together four capabilities: discovery, protection, governance, and assurance. Discovery shows where AI is used, what data flows through it, and where it can act. Protection prevents prompt-based attacks, data exposure, unsafe outputs, tool misuse, and out-of-policy behavior at runtime. Governance enforces policy consistently across users, applications, agents, and environments. Assurance continuously tests whether AI systems and controls behave safely as models, prompts, tools, permissions, and workflows change. These capabilities need to work together. Governance without enforcement turns policy into guidance people can acknowledge, admire, and then route around. Testing without runtime control exposes weaknesses but does not stop production misuse. Runtime protection without assurance can drift as systems evolve. Only 14% of organizations say they have AI security policies that are both enforced and audited. The AI Defense Plane connects these functions into one operating model. The three planes of enterprise AI risk These planes are useful because they show where AI enters, where it runs, and where it acts. But they are not hard walls. That is part of the problem. A copilot-powered workflow created by an employee can start to look a lot like an AI application built by a development team. It may access corporate data, combine context from multiple systems, and trigger actions across business tools. The owner may be different. The risk pattern is not. Employees: AI enters through the normal path of work For many organizations, employee AI use is where the risk shows up first. People use AI tools to summarize documents, write code, analyze data, draft customer responses, and troubleshoot problems. Much of that usage happens through browsers, SaaS tools, personal accounts, copilots, and productivity applications. The risk is not only malicious behavior. Often, the bigger issue is ordinary work happening faster than existing controls can follow. Only 5% of organizations report full visibility into AI tool usage, data access, and data movement. As Adam Ely, GM of AI Security at Check Point, put it: "A mistake that somebody makes has a bigger blast radius." Workforce AI Security needs to operate where employees actually use AI: across sanctioned and unsanctioned tools, uploads and downloads, browser sessions, SaaS applications, and workflows where sensitive data moves. Applications: AI changes how software behaves AI applications are different from traditional applications because their behavior is shaped dynamically at runtime. Prompts are assembled. Context is retrieved. User input is interpreted. Model outputs are generated in real time. The same application can behave differently depending on the prompt, retrieved data, system instructions, tools, and state. This is where traditional application security starts to feel like it has been handed a very confident intern who keeps making decisions no one explicitly approved. The request may be syntactically valid and still unsafe. The response may appear helpful while leaking sensitive information. Retrieved content may manipulate the model without the user ever seeing the instruction Securing AI applications requires runtime protection in the path where prompts, context, outputs, and actions are evaluated. Agents: AI becomes an actor inside the enterprise Agents represent the sharpest version of the shift from response to action. They do not only generate text. They retrieve data, make decisions, invoke tools, use credentials, call APIs, and execute tasks on behalf of users, teams, applications, or workflows. The 2026 Cloud Security Report found that 64% of organizations already have AI agents in pilot or production, and 12% have granted agents privileged access to core systems. Or, as Adam Ely put it: "We've never had this non-human workforce that is autonomous or semi-autonomous." Least privilege remains essential, but incomplete. An agent can be allowed to access a tool and still use it at the wrong time, for the wrong reason, with the wrong context. AI Agent Security needs to control the execution layer: prompts, data flows, outputs, tool calls, and actions. Runtime is where AI risk becomes real AI security has to operate at runtime because runtime is where AI behavior is determined. A static review can evaluate a system design. A policy can define what should be allowed. A model safeguard can reduce known categories of unsafe output. But AI behavior depends on the live interaction: the user's prompt, retrieved context, available data, connected tools, agent instructions, permissions, and environment state. Only 17% of organizations have broadly deployed runtime LLM controls, even as GenAI workloads and agentic systems move into production. That is why detection after the fact is not enough. A prompt can lead to a tool call. A tool call can change data. A changed record can trigger another workflow. By the time an alert is reviewed, the action may already have happened. Runtime protection extends existing controls into the semantic layer where AI behavior is shaped. It asks questions traditional controls were not built to answer: What is the user or system trying to get the AI to do? Is sensitive data being exposed? Is the agent action aligned with user intent and business policy? Is the tool call appropriate given the context? These questions require controls that understand language, context, and behavior, not only files, packets, identities, or API calls. From testing to enforcement AI security cannot be treated as a one-time deployment gate. Models change. Prompts change. Applications change. Agents gain tools. Permissions shift. Attack techniques evolve. A system that behaved safely last month may behave differently after a model update, new integration, or workflow change. 56% of organizations have no formal GenAI security testing process or test only ad hoc. This is the part of AI security that makes "we tested it before launch" sound a little like "we checked the weather in March, so the whole year should be fine." AI Red Teaming helps teams understand how AI systems can be manipulated under realistic conditions. AI Agent Security applies runtime control in production, helping prevent prompt-based attacks, data leakage, unsafe behavior, and out-of-policy tool use before they turn into business impact. Together, they create a feedback loop: red teaming reveals realistic failure modes, runtime protection turns those lessons into controls, and production signals inform future testing. The goal is not to certify an AI system once. The goal is to keep security aligned with how the system actually behaves over time. The path forward Enterprises do not need a new disconnected AI control. They need a security model that matches how AI now operates. AI is already embedded in employee workflows. It is already entering applications. It is already moving toward agents that can retrieve data, invoke tools, and take action across business processes. That means discovering AI usage across the enterprise, protecting the runtime paths where AI behavior is shaped, governing policy consistently, and continuously validating whether AI systems and controls behave as intended. For CISOs and security leaders, this creates a path to say yes to AI with greater confidence. For platform and application teams, it creates a way to deploy AI without treating security as a blocker. For governance teams, it turns policy into enforceable control. AI has moved from language to action. Security now needs to move from fragmented controls to a unified AI Defense Plane.