Rob T. Lee @robtlee

The executive order signed Tuesday asks AI developers to give the federal government up to 30 days with a frontier model before anyone else gets it. The draft floated 90. Security people wanted as much warning as they could get. The labs wanted less. At 30 days, nobody got what they asked for, which is usually how you know a compromise is real. (Both sides are now sufficiently disappointed. On schedule.) 30 days isn't a fix, though. It's a hurricane warning. You board the windows, you move the boat, and the storm still makes landfall. The buffer buys preparation, not prevention, and it only counts if you do something with it. The part nobody's arguing about: access to these capabilities is not equal, and it won't be. JPMorgan and Amazon will be fine. The order names rural hospitals, community banks, and local utilities as a concern, then leaves them a discretionary "where appropriate" while early access goes to trusted partners selected with the government. The hospital in Springfield sits at the back of that line. And closing your source code doesn't save you. Source code analysis is where Mythos is focused right now, which is why open source gets scanned first, but it does black box exploitation just as well. Nation-state teams have broken Microsoft, Apple, and Google for years without ever seeing their source. The vulnerabilities get found either way. (Adversaries don't wait for their tier assignment.) Under all of it is the oldest question in cyber defense: what is the government actually responsible for? The critical infrastructure everyone is worried about sits in private hands. The military can't defend a bank's network. The FBI takes the report after the breach. CISA runs real threat intelligence and coordination, but it doesn't have the authority to operate inside a private company and defend it. When Volt Typhoon and Salt Typhoon hit American infrastructure, they hit private companies, because that's where the front line is. (I came up through the military side. That gap still bothers me.) The order doesn't solve any of this. It documents the threat and starts the argument, and the risk now is that people read "signed" as "handled." The work is what the community builds during the buffer, which is why @gadievron, @rmogull, and I, with @cloudsa, @SANSInstitute, and [un]prompted, are running closed-door CISO sessions in DC (luma.com/jzr25473), New York (luma.com/kn2djk5v), and San Francisco. The people in the fight, writing the playbook before the vendors write it for us. If you're a senior security leader, you should apply to attend. Read the Mythos-ready security program paper: labs.cloudsecurityalliance.org/mythos-ciso CISOs: do you actually know where your organization sits in that access structure? If not, that's worth finding out this week.

@HALNine9sRel1k @anton_chuvakin This is awesome!!

Anthropic and roughly 50 partners used Claude Mythos Preview to find more than 10,000 high or critical severity vulnerabilities in the first month of Project Glasswing. Most partners found hundreds of high or critical issues in their own code. (One month. Let that sit for a second.) Of those 10,000-plus, 97 have been patched upstream as of May 22. That number is not a measure of how hard anyone tried. It is a measure of where the work now jams. The Glasswing update says it plainly: software security used to be limited by how fast you could find vulnerabilities, and now it is limited by how fast you can verify, disclose, and patch them. High and critical bugs are taking about two weeks each to patch. Several maintainers have already asked Anthropic to slow its disclosure rate, because they cannot keep up. Discovery is no longer the bottleneck. The humans in the pipeline are. The patch playbook itself, coordinated disclosure on a 90-day clock, monthly patch cycles, the quarterly review, was built for a world where finding a flaw was slow. That world is gone. The playbook is not strained. It is finished, and most of us have not said that out loud yet. (I would love to be wrong on this. Correct me, and tell me what planet still runs on a 90-day clock.) Rebuilding it is not a tooling purchase. It is a skills problem, and a specific one. Working at this volume means triaging AI-generated findings ten deep, judging which severity ratings hold up, and deciding what gets fixed in what order when the queue is a thousand items long. That is human judgment under machine-scale load, and almost nobody has trained for it, because the tools that create the problem are months old. You cannot hire your way out of this, because the talent pool does not exist yet. All of us are figuring it out at the same time. So the people who can help you most are already on your team. They are the ones who know your business, who have worked real incidents, who understand what a finding actually means in your environment. What they are missing is reps on AI tools under realistic pressure. The @SANSInstitute Find Evil! hackathon is one place to get those reps fast. Practitioners build autonomous incident response agents, run them against real case data, and watch where the AI is sharp and where it falls apart. That last part is the point. The skill that transfers is not the agent, it is the calibrated judgment of when to trust the machine and when to override it, and that is exactly the muscle the patch pipeline now needs. Find Evil! runs through June 15, with $22,000 in prizes, at findevil.devpost.com. If you manage defenders, here is the Monday version. Pick two people who know your environment cold. Give them protected time this month to put AI tools against your own findings backlog and report back on where the tools broke. That is the rewrite starting, in miniature, on your team. The Glasswing numbers should change what you do this week, not how well you sleep.

It’s 1 pm ET / 10 am PT, Fri. 22 May 2026, and there's no LIVE show. Replay #CXOTalk ep. 910 w guests: @RobTLee, #CAIO, @SANSInstitute + Co-host David Bray, PhD., @StimsonCenter talking about the #AI attack lifecycle in an age of intelligent threats. cxotalk.com/episode/the-ai… #DFIR #AIsecurity #CSO #CSIO #CIO

Builders and skeptics wanted to judge the FIND EVIL! Hackathon. DFIR, Al, cybersecurity, and open-source reviewers who can separate useful autonomous response tools from polished demos. Favor - this has a goal of a far-reaching community impact - could you please SHARE this in your personal feeds? Apply here: findjudges-9kvkxt6m.manus.space Takes two minutes. More than 3,500 entrants. Building autonomous Al agents on the SANS SIFT Workstation (200+ incident response tools on a single platform, 18 years of community development, 60K+ annual downloads). If you have expertise in these areas, I want to hear from you: Digital Forensics & Incident Response (DFIR) Al/ML engineering Agentic frameworks (Claude Code, LangGraph, AutoGen, CrewAl) Cybersecurity (offensive/defensive) Open-source development This is not a hackathon where you vote for your favorite demo. Judges review runnable open-source submissions, check required materials, and score evidence-backed autonomous incident response work. Winning entries released back to the community. Submissions close June 15. Judging runs June 19 through July 3. Decide who earned the $22,000 in prizes.

One in ten of you reading this have kids whose data is in the dump supposedly burned when Instructure paid the ShinyHunters ransom to avoid the liability of millions of minors' data hitting the field. 275 million records across 8,800 institutions in 50 countries, from kindergarten to Ivy League. Hard to trust that the data is destroyed when the hackers broke in a second time to post a ransom note across every school's Canvas login during the negotiation. First time that families saw a ransomware threat. I have twin teenagers. This just got personal. Criminals known for sophisticated social engineering are now capable of stitching the most credible spear-phishing ever assembled (student names and emails, schools and teachers, real message threads) onto WormGPT-class phishing at 93% success and SIM farms running thousands of numbers. You don't need to be a nation-state to run a convincing impersonation of a teacher, or to create illicit content and threaten to post to their social media accounts. You need a target list and a couple of hours. (And if it doesn't keep you up at night yet, ShinyHunters was responsible for the ADT breach and the AT&T breach, among many more in recent years.) What I would do now: 1. Freeze each kid's credit at all three bureaus. Block the long-tail identity attack that hits when the kid turns 18 and first applies for credit. Few parents have done this for their kids. 2. Set up a new email account for your kid's social media. Don't use that email address anywhere else.  3. Move 2FA off SMS and onto an authenticator app. If they didn't get contact numbers in this breach, ShinyHunters already had phone numbers from the AT&T breach. A SIM swap takes one social-engineered call. Google Authenticator and other apps are tied to the device, not the number.  4. Pick a family safe word. Make it weird, memorable, specific. Drill them often. Voice and video can be faked now, cheaply and fast. The word can't be faked unless the attacker is also at our dinner table. We told them AI was cheating at school. They are about to learn what it means to have AI used against them. We owe them a different conversation now.

@Google cloud.google.com/blog/topics/th…

The @Google Threat Intelligence Group report released today (11 May) identified a cyber crime group with a zero-day almost certainly built with AI: a 2FA bypass in a popular open-source admin tool. (I am not sure whether to be relieved GTIG caught this one or worried about the ones they did not.) The flaw was not memory corruption or input sanitization. It was a hardcoded trust assumption the developer left in the logic, the kind of dormant semantic gap fuzzers and static analyzers are not built to catch. We train people to recognize known patterns: known malware, known signatures, known bad behavior. You cannot pattern-match a logic gap that did not exist as a pattern until an AI reasoned its way to it. Defending against this requires humans who can run the same reasoning the attacker's AI did, which means operators who actually understand AI tools, know how to point them at the right data, interpret the output, and action on it. The @SANSInstitute 2026 Workforce Research Report @jameslyne and I presented at RSAC in March tells us whether those operators exist. 60% of organizations now say their bigger problem is skills, not headcount. That skills-versus-bodies differential was 4 points in 2025. It is 20 points now. 27% report breaches they trace directly to skills gaps. (Workforce report, case studies: sans.org/mlp/2026-evolv…) The bad news: This is not a "buy more AI" problem. It is a "we do not have the people to operate the AI we already have" problem. Two Fortune 500 companies can buy the same defensive AI tool. One team finds the threat in 10,000 tokens. The other burns 10 million and finds nothing. So defenders end up new to the tools, pointing AI at the wrong data with the wrong prompts, losing the cost war on top of the time war. The BAD bad news: There is no "AI security workforce" to hire from. It is a job category we are still inventing. The tool is not the bottleneck. The operator is. Without trained people, the budget burns and the threat still gets through. Train the team you have.

“We have startups today that are 4 people large that are reaching $10 million valuation,” says @robtlee, Chief AI Officer and Chief of Research at the @SANSInstitute, in a recent fireside chat with XBOW CEO @oegerikus. “If you’re able to do business that way, why can’t you similarly create an attack team?” Watch more of their conversation: bit.ly/422eZPo

Nearly 3,000 people are spending two months teaching AI agents to FIND EVIL in real DFIR data. Now we need judges willing to tell them how they actually did. Apply at sansurl.com/find-evil-judge Both kinds welcome: the true believers who think AI-augmented incident response is going to rewrite how we do DFIR, and the skeptics who have been waiting two years for someone to show them something that doesn't hallucinate its way to a conclusion. (Either way, you're going to see things in these submissions you didn't expect. I'll leave it at that.) The judging rubric was built for serious evaluation. Six equally weighted criteria: 1. Autonomous execution quality 2. IR accuracy 3. Analysis depth 4. Constraint implementation 5. Audit trail quality 6. Usability Every finding has to trace back to a specific tool execution. Hallucinations caught and flagged count. Confident-sounding wrong answers do not get partial credit. (This is not a hackathon where you vote for your favorite demo. Real forensic data. Real agent execution logs. Real consequences for the community toolset that winning code goes back into.) Submissions close June 15. Judging runs June 19 through July 3. $22,000 in prizes. Come see what the community built. Apply at sansurl.com/find-evil-judge Judges will have their pictures on the findevil website. We are looking for judges with real DFIR and AI experience. Skeptics. Proponents. Everyone. (Front-row seat to watch autonomous AI agents work through real incident response cases. Whether that excites you or makes you deeply curious about where it breaks, you belong in this room.)

Data poisoning = someone did it to you. Data pollution = you did it to yourself.  You can't poison what isn't clean to begin with. Is a fired employee still listed as active, informing an automated decision? Conflating poisoning and pollution is how orgs end up building defenses against adversaries when their actual threat is their own data mess. The approval process and AI-assisted cleanup aren't governance theater. They're how we get to a state where poisoning is even a relevant threat model. We have to earn the right to worry about poisoning by solving hygiene first. This is important enough to need a leader. Security has the most to lose if it doesn't get one. We aren't going to do this cleanup manually. (We weren't going to do it before AI either, which is why we're all here.) I've released a LinkedIn Learning course talking about a model for how business units can work with security to get AI tool approvals for the cleanup in front of you. Parts 1-4 are live now: (free, ungated) gettoolapproved.ai Thanks to Cynthia Brumfield @CSOonline for including my and @chrishvm's POV. Important topic (and killer title): Poisoned truth: The quiet security threat inside enterprise AI: csoonline.com/article/416617… @SANSInstitute

“I spend all day, every day, looking at folks who misuse our models and our products. I want to walk through all of you what I've been seeing on the ground and how this has changed in the past year.” - Jacob Klein, @AnthropicAI's head of threat intel at the @SANSInstitute AI Summit. And then came the heartburn line: “Almost everything I’m walking through can be used by a defender as well.” He’s right. Defenders can point AI at endpoints at scale, code at scale, vulnerabilities, and SOC signals. Every serious defender already knows the list. The hard part is the operating reality: usable data, investigations that don’t depend on manual glue work, remediation that moves fast enough, and AI you can actually trust. What makes this a tougher sell is the reliability of the tools in our hands right now and our own skill gaps. And consider: we still get to watch some of this play out in the open. That window closes as attackers move to their own private tooling and infrastructure. The only way we get ready is by starting now: working on our own skill gaps, building muscle with the tools we have, stress-testing them in real environments, forcing the workflow changes that make AI for defense operational. Work on this directly with us: Find Evil! is live. Protocol SIFT is what happens when you wire an AI agent into a forensic workstation full of trusted tools and tell it to behave. It's an early capability with real outputs, failure mode. Join our community effort to make it something defenders can deploy. 42 days to enter. An incredible 2,500+ builders and teams are in as of today. $22K in cash prizes. Sponsored by SANS Institute. findevil.devpost.com (You'll have to hear Jacob's full talk and the fireside chat with Bruce Schneier and Anne Neuberger: Are tech companies the new SOC? Check it out on the SANS Institute YouTube page.) Curious what you think. (And if you've entered in the hackathon?) #AIsecurity #cybersecurity #vulnops

@robtlee @anton_chuvakin @OpenAI @AnthropicAI At Aisle, we were able to find the same things cheaper and we documented it. aisle.com/blog/system-ov…

So excited to announce: Find Evil!, the first autonomous AI hackathon for incident response is live. More than 1,400 solo builders and teams registered as of this morning. IR professionals, AI engineers, developers, students. Most of what's on our feeds and agendas is how two frontier AI labs told the world that their own models are dangerous enough to need emergency defensive programs, and basically to go figure it out. Let's do something about it. Grab your team and sign up. Especially grab peers who keep saying "Why are you so obsessed with Claude Code?" (You cannot convince people with a deck. They have to put their hands on the tools and watch an AI agent reason through 200+ forensic tools in real time.) The hackathon is a two-month competition ($22K in prizes) to take Protocol SIFT, the proof-of-concept connecting AI agents to the SIFT Workstation’s 200+ open source forensic tools through MCP and to make it production-ready. You don't need to be an incident response expert. The SIFT Workstation handles the domain tooling. You need curiosity and building skills. Details and registration: findevil.devpost.com Sponsored by @SANSInstitute

What is the frontline of cybersecurity today? @robtlee, Chief AI Officer and Chief of Research at the @SANSInstitute, shares his thoughts in a fireside chat with XBOW CEO @oegerikus below. Watch more of their conversation. bit.ly/422eZPo

So @OpenAI basically took its latest model (not even a Frontier one) and re-released it after effectively removing guardrails. They are likely trying to enhance researchers' ability to find code vulnerabilities. But neither OpenAI nor @AnthropicAI is telling the cybersecurity community how to even accomplish this. We have heard from multiple folks with Mythos that they don't even know what specifically they're supposed to do with it. Point it at applications and say "find vulnerabilities" or what? It's not like it comes with a how-to manual or a man page. This is nothing more than one vendor trying to one-up another.  We need to start benchmarking how one AI model is able to find code vulnerabilities over another and how quickly they are doing it. There are real risks at stake here. Is the solution to this problem that people should do code analysis and vulnerability discovery through models without additional security? For the majority of defenders out there that do not have the offensive training for fuzzing or vulnerability discovery, what are they supposed to do in the meantime? How are they going to validate the individuals (and people at enterprises) asking for access? While we can applaud that all these models are released to defenders first, the real issue is: is everyone fully aware of what to do with them once they get their hands on them?

OpenAI @OpenAI

2 months ago

We’re expanding Trusted Access for Cyber with additional tiers for authenticated cybersecurity defenders. Customers in the highest tiers can request access to GPT-5.4-Cyber, a version of GPT-5.4 fine-tuned for cybersecurity use cases, enabling more advanced defensive workflows.

459 624 5K 2.0M 2K

AI is discovering vulnerabilities faster than defenders can patch them. This isn't a future risk — it's today's reality. Our new Mythos CISO briefing, "The AI Vulnerability Storm," gives security leaders a concrete playbook to respond. Authored by @gadievron, @rmogull, and @robtlee.