Claude Mythos broke vulnerability management in 72 hours

Heartbleed was a storm. Mythos is climate change. That's how Brad Hibbert (COO, Brinqa) framed this week's shift on the podcast, and the news cycle proved him right within 72 hours.

Active PAN-OS zero-day. 35,000 M365 users phished past MFA. 300,000 Ollama servers leaking API keys. Cisco dropping $400M on non-human identity.

Every story this week hits the same nerve: the gap between vulnerability disclosed and vulnerability weaponized is no longer measured in months. The 30/60/90-day patch SLA your program runs on? It's already obsolete.

Hello from the Cloud-verse!

This week's Cloud Security Newsletter topic: Why CVSS Alone Won't Survive the AI Era


In case this is your first Cloud Security Newsletter, you are in good company!
You are reading this issue along with your friends and colleagues from companies like Netflix, Citi, JP Morgan, Linkedin, Reddit, Github, Gitlab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter and who, like you, want to learn what's new with Cloud Security each week from their industry peers, as do the many others who listen to Cloud Security Podcast & AI Security Podcast every week.

Welcome to this week’s Cloud Security Newsletter

If the past week had a thesis, it's this: the gap between vulnerability disclosed and vulnerability weaponized is no longer measured in months. It's measured in days, sometimes hours, and the underlying cause isn't a single tool or actor — it's the AI-assisted offensive workflow that's now table stakes for advanced adversaries.

The news brief reflects it everywhere. Palo Alto Networks disclosed CVE-2026-0300 with state-sponsored exploitation already underway. Microsoft documented a three-day AiTM campaign that quietly stole post-MFA tokens from 13,000 organizations. Cyera's Bleeding Llama disclosure showed how default-permissive AI infrastructure is leaking the most sensitive secrets in the building. And Cisco put $400 million on the table to lock down non-human identities — the credential layer AI agents now use to act inside enterprises.

Against that backdrop, this week's conversation is with Brad Hibbert, COO and Chief Strategy Officer at Brinqa, hosted by Ashish Rajan of Cloud Security Podcast. The discussion is about Claude Mythos — Anthropic's frontier model now being tested in private programs against vulnerability discovery — and what it means for every existing vulnerability management program. Brad's framing is sharp: "Heartbleed was a storm. Mythos is climate change." [Listen to the episode]

⚡ TL;DR for Busy Readers

This week’s attacks didn’t break systems — they used them


🔥 PAN-OS CVE-2026-0300 is being actively exploited by a likely state-sponsored cluster — restrict Captive Portal to internal IPs now; patches start May 13.

🪪 Microsoft AiTM campaign stole post-MFA tokens from 35K users — non-phishing-resistant MFA is over; move M365 admins to FIDO2/passkeys this quarter.

🦙 Bleeding Llama (CVE-2026-7482) leaks heap memory from 300K Ollama servers, including API keys and prompts — inventory, upgrade to 0.17.1, rotate exposed secrets.

🤖 Cisco's $400M Astrix acquisition validates non-human identity as a top-tier security category — start your NHI inventory this month.

⏱️ Brad Hibbert's core argument: Stop measuring patch SLAs. Start measuring the exposure window — how long a vulnerability was actually exploitable in your environment.

📰 THIS WEEK'S TOP SECURITY HEADLINES

Each story includes why it matters and what to do next — no vendor fluff.

1. PAN-OS zero-day: state actors are already inside

Palo Alto Networks disclosed CVE-2026-0300 on May 6 — unauthenticated RCE on PA-Series and VM-Series firewalls. Unit 42 is tracking active exploitation by CL-STA-1132, a likely state-sponsored cluster. The pattern: RCE → log destruction → AD enumeration via firewall service account credentials.

CISA added it to KEV on May 6. Patches roll out May 13. Until then: restrict the User-ID Authentication Portal to internal IPs only.

The attackers had RCE for days before disclosure. Any defender measuring success by patch SLA had a green dashboard while their AD was being mapped, a textbook example of why "exposure window" matters more than "patch window."

2. 35,000 users. MFA didn't help.

Microsoft Defender Research disclosed a 3-day adversary-in-the-middle campaign (April 14-16) that hit 35,000+ users across 13,000 organizations. Healthcare and finance led the target list. The attackers proxied the legitimate Microsoft login flow in real time, capturing post-authentication session tokens — sidestepping passwords and SMS/app-based MFA entirely.

If you're still on non-phishing-resistant MFA for M365 admins, this is your wake-up call. FIDO2 or passkeys this quarter, not next.

3. Your AI inference servers are leaking secrets

Cyera's "Bleeding Llama" disclosure (CVE-2026-7482, CVSS 9.1) is the AI infrastructure story most cloud teams aren't tracking. Three unauthenticated API calls leak the entire Ollama process memory — including the API keys, database creds, and cloud secrets sitting in environment variables on your inference hosts.

300,000 servers exposed. Patched silently in 0.17.1, but the patch notes never flagged it as a security update — so most operators never upgraded.

The pattern: AI infrastructure deployed with localhost-tool defaults running as production servers, with the most sensitive credentials in the building sitting in 0.0.0.0-bound process memory.

4. Cisco bets $400M that non-human identity is the new perimeter

Cisco announced its intent to acquire Israeli identity-security startup Astrix Security for ~$400M on May 4. Astrix discovers and governs non-human identities (NHIs) — API keys, service accounts, OAuth tokens, machine credentials — across their lifecycle. Cisco will fold it into Identity Intelligence, Duo, Secure Access, and Splunk.

This is the first nine-figure security M&A explicitly framed around securing AI agents at the credential layer. Machine identities outnumber humans 10-to-1 in most enterprises, and they're the path of least resistance for AI-agent compromise and supply chain attacks.

Expect rapid consolidation across Okta, CyberArk, SailPoint, Wiz, and Palo Alto. Inventory NHIs now if you haven't.

🎯 Cloud Security Topic of the Week:

From Patch Windows to Exposure Windows — Why CVSS Alone Won't Survive the AI Era

The shift Brad Hibbert describes is structural, not tactical. For two decades, vulnerability management has run on a clear contract: a vendor publishes a CVSS score, your scanner picks it up, you classify by severity, and you remediate within an SLA — typically 30/60/90 days driven by PCI or another compliance regime. Patch SLA performance became the metric that boards and auditors rallied around.

That contract assumed two things that no longer hold: (1) attackers needed time and skill to weaponize disclosed vulnerabilities, and (2) the volume of meaningful CVEs would scale linearly. AI-assisted vulnerability discovery breaks both assumptions simultaneously. Brad describes the Mythos shift bluntly: "It's a persistent elevation of capability that the threat actors have, which is that they can discover vulnerabilities at machine speeds now."

The implication for cloud security leaders is that the yardstick itself has to change. The new metric is the exposure window: how long a given vulnerability was actually exploitable inside your environment, taking into account business context, mitigating controls, network reachability, identity blast radius, and attack-chain composition. Patching faster doesn't get you there; some of the most consequential issues this week (PAN-OS, Bleeding Llama) were exploitable for weeks before patches existed.

That reframing forces a series of architectural and operating-model changes, and it's the central thread running through this week's news as well as the conversation below.

Featured Experts This Week 🎤

Definitions and Core Concepts 📚

Before diving into our insights, let's clarify some key terms:

  • Claude Mythos: Anthropic's frontier model currently in private testing for security and intelligence applications, including AI-assisted vulnerability discovery at scale. Brad describes it as a "climate change" shift versus prior temporal events like Heartbleed and Log4Shell.

  • Exposure Window: The duration a vulnerability is actually exploitable in your environment — distinct from the patch window. Driven by reachability, mitigating controls, and identity blast radius, not just CVSS severity.

  • CTEM (Continuous Threat Exposure Management): Gartner-defined program model that emphasizes continuous discovery, validation, prioritization, and mobilization. Brad argues the Mythos compression effectively forces every program toward CTEM-style operations on a compressed timeline.

  • EPSS (Exploit Prediction Scoring System): Probability score for whether a CVE will be exploited in the wild within 30 days. Useful as a complement to CVSS, but Brad's caveat lands: "if everything is exploited and everything's kind of ranked the same, how do you provide better guidance to your team?"

  • Attack Chain Analysis: The practice of evaluating multiple low/medium-severity findings together as a path-to-impact, rather than node-by-node. Mythos demonstrated chained privilege escalation across three medium CVEs to achieve root.

  • Non-Human Identity (NHI): Service accounts, API keys, OAuth tokens, machine credentials, and AI-agent identities — typically outnumbering human identities 10-to-1 in modern enterprises.


💡Our Insights from this Practitioner 🔍

1. Heartbleed was a storm. Mythos is climate change.

Brad opens the conversation with a frame that's worth sitting with. Past high-profile vulnerabilities (Heartbleed, Log4Shell) were temporal. They caused intense activity, then closed out. The exploit cycle had a beginning, a middle, and an end.

"It's not just a temporal thing — it's a persistent elevation of capability that the threat actors have... your months went down to weeks, and in some cases down to seconds before these things can be exploited." — Brad Hibbert

What this changes for cloud security leaders is the planning horizon of the program itself. A program designed to handle 12 Heartbleed-class events per year fails when the underlying capability shift is permanent. The PAN-OS exploitation pattern this week (successful RCE within a week of first attempts, log destruction inside the same operation) is the normal tempo now, not the anomaly.

What to do with this: Audit your program's design assumptions. If your SLAs, change-control windows, and remediation handoff cadence were built when "manual vulnerability research at machine scale" was a contradiction in terms, those assumptions need an explicit refresh. Brad's framing for the board: "It's not about closing off your criticals in 30 days to meet PCI compliance. It's about how exploitable, what's that exposure window, and how am I showing that go down?"

2. The threat model isn't dead — but the assumptions inside it are

When Ashish asks whether existing threat models are still valid, Brad's answer is nuanced: the structure holds, but the embedded assumptions don't.

"The assumptions that sophisticated attacks required sophisticated attackers has kind of gone away." — Brad Hibbert

Three specific assumptions Brad calls out:

  1. Attacker scarcity. The cost of mounting a sophisticated attack has collapsed. The Mexican government breach earlier this year, where a single actor used Claude to steal 150GB across nine agencies, validated this empirically.

  2. Time between discovery and remediation. PCI's 30-day window for criticals is an artifact of an era when 30 days was a reasonable gap before exploitation. It isn't anymore.

  3. CVSS as primary prioritization. Brad's point: when 40,000 highs become 80,000 highs and EPSS marks most of them as likely-exploited, prioritization based on severity scores degenerates into noise.

Practitioner translation: Run a tabletop exercise this quarter where the trigger is "a new CVE-2026-0300-class vulnerability is disclosed at 9am with public PoC by noon, mass exploitation by midnight." Where does your program fail? That's your investment list.

3. The new yardstick is exploitability and the exposure window

This is the core argument of the conversation, and the through-line back to the news.

"The biggest thing today is the biggest short-term thing that CISOs need to do is they need to focus on exploitability and explainability... what we've been talking about with a lot of companies right now is you have to get down to exploitability." — Brad Hibbert

Exploitability, in Brad's framing, isn't just "is there a public PoC?" It's the intersection of the vulnerability with your environment: reachability, mitigating controls (EDR, segmentation, identity guardrails), business context, and the existence of attack paths that chain it with other findings.

The exposure window is the operational consequence: how long was the vulnerability actually exploitable in your environment, end-to-end, until you reduced or eliminated that exploitability — whether by patching, segmenting, killing reachability, or applying a compensating control. Brad's distinction is critical: you don't always need to patch to close the exposure window. You need to make the path inactive.

That distinction maps directly to several stories this week. Bleeding Llama: the patch existed but wasn't flagged as security; the real fix for most enterprises was putting an auth proxy in front and binding Ollama to localhost. PAN-OS: patches don't ship until May 13, but restricting User-ID portal access to internal IPs collapses the exposure window today.
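To make the difference between the two metrics concrete, here is an added example (not from the podcast or from Brinqa) that computes both from a state-change timeline. The firewall names, the three-flag state model and every timestamp other than the May 6 disclosure date are constructed assumptions.

```python
from datetime import datetime, timedelta

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# May 6 is the disclosure date given in the newsletter; the year is assumed from
# the CVE identifier, and the time of day and all values below are constructed.
DISCLOSED = ts("2026-05-06 09:00")

# Constructed state-change timelines for two hypothetical firewalls.
#   vulnerable: affected version is installed
#   reachable:  affected portal accepts connections from untrusted networks
#   mitigated:  some other compensating control blocks the path
TIMELINES = {
    "fw-a": [
        (ts("2026-04-30 00:00"), {"vulnerable": True, "reachable": True}),
        (ts("2026-05-06 15:00"), {"reachable": False}),   # portal restricted to internal IPs
        (ts("2026-05-20 02:00"), {"vulnerable": False}),  # patched in a late change window
    ],
    "fw-b": [
        (ts("2026-04-30 00:00"), {"vulnerable": True, "reachable": True}),
        (ts("2026-05-14 02:00"), {"vulnerable": False}),  # patched quickly, never restricted
    ],
}

def exploitable(state):
    return state["vulnerable"] and state["reachable"] and not state["mitigated"]

def exposure_window(events, since, until):
    """Total time within [since, until] during which the asset was exploitable."""
    events = sorted(events, key=lambda e: e[0])
    state = {"vulnerable": False, "reachable": False, "mitigated": False}
    total = timedelta(0)
    for i, (when, change) in enumerate(events):
        state.update(change)
        # The state set by this event holds until the next event (or `until`).
        end = events[i + 1][0] if i + 1 < len(events) else until
        lo, hi = max(when, since), min(end, until)
        if exploitable(state) and hi > lo:
            total += hi - lo
    return total

def patch_window(events, disclosed):
    """Time from disclosure to the first event that removes the vulnerable version."""
    for when, change in sorted(events, key=lambda e: e[0]):
        if when >= disclosed and change.get("vulnerable") is False:
            return when - disclosed
    return None  # still unpatched

def report(since, until):
    return {
        name: {
            "patch_window": patch_window(events, DISCLOSED),
            "exposure_total": exposure_window(events, since, until),
            "exposure_after_disclosure": exposure_window(events, DISCLOSED, until),
        }
        for name, events in TIMELINES.items()
    }

if __name__ == "__main__":
    for name, row in report(ts("2026-04-30 00:00"), ts("2026-05-31 00:00")).items():
        print(name, {k: str(v) for k, v in row.items()})
```

In this constructed data fw-b wins on patch SLA yet stays exploitable more than twice as long as fw-a, which closed its window by removing reachability hours after disclosure.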

4. Stop ignoring the lows. Start mapping attack chains.

One of the sharpest moments in the conversation comes when Ashish acknowledges what most security teams have been quietly doing for years:

"90% of the time, a lot of the lows were just simply ignored because like, 'Hey, it's a low.' I don't know how many organizations have done this ever." — Ashish Rajan

Brad's response confirms the gap:

"Three medium vulnerabilities, leveraging privilege escalation, could give them root access to a machine versus one standalone critical CVE... you've got to back up and take a look at it not from a node lens, but from a network path lens and attack chain lens." — Brad Hibbert

This is what AI-assisted attackers do natively. Mythos demonstrated the ability to chain three medium CVEs into a privilege escalation that would not have triggered any individual high/critical SLA. Defenders running CVSS-only prioritization will keep missing these because the analytical lens is wrong; they're evaluating findings node-by-node when the attacker is reasoning over graphs.

Practical implication: This is one of the strongest arguments for the kind of unified exposure data plane Brad describes. You cannot compose attack chains across silos. If your CSPM, EDR, vulnerability scanner, and identity tools all run independent AI-driven prioritization, you get siloed AI decisions which are structurally weaker than what an integrated attacker is doing.
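The node lens and the chain lens can be compared on the same findings list. The following is an added example, not code from the episode or any vendor: the finding IDs, scores and privilege-state names are constructed placeholders, and each finding is modelled as an edge from the access it requires to the access it grants.

```python
from collections import deque

# Constructed findings; IDs are placeholders, not real CVEs.
# "requires" is the access an attacker must already hold,
# "grants" is the access gained if the finding is exploited.
FINDINGS = [
    {"id": "FINDING-A", "cvss": 5.3, "requires": "internet",     "grants": "web:app-user"},
    {"id": "FINDING-B", "cvss": 6.1, "requires": "web:app-user", "grants": "web:shell"},
    {"id": "FINDING-C", "cvss": 6.5, "requires": "web:shell",    "grants": "web:root"},
    {"id": "FINDING-D", "cvss": 9.8, "requires": "mgmt-net",     "grants": "db:root"},
    {"id": "FINDING-E", "cvss": 3.1, "requires": "web:app-user", "grants": "web:info"},
]

def cvss_only_queue(findings, threshold=7.0):
    """Node lens: what a high/critical SLA would put in front of the team."""
    ranked = sorted(findings, key=lambda f: f["cvss"], reverse=True)
    return [f["id"] for f in ranked if f["cvss"] >= threshold]

def find_chain(findings, start, target):
    """Chain lens: breadth-first search over access states.

    Returns the shortest list of finding IDs that leads from `start`
    to `target`, or None when no path exists.
    """
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        state, path = queue.popleft()
        if state == target:
            return path
        for f in findings:
            if f["requires"] == state and f["grants"] not in seen:
                seen.add(f["grants"])
                queue.append((f["grants"], path + [f["id"]]))
    return None

def chain_after_fix(findings, fixed_id, start, target):
    """Re-run the search with one finding remediated or made unreachable."""
    remaining = [f for f in findings if f["id"] != fixed_id]
    return find_chain(remaining, start, target)

def summary():
    return {
        "sla_queue": cvss_only_queue(FINDINGS),
        "path_to_web_root": find_chain(FINDINGS, "internet", "web:root"),
        "path_to_db_root": find_chain(FINDINGS, "internet", "db:root"),
        "after_fixing_B": chain_after_fix(FINDINGS, "FINDING-B", "internet", "web:root"),
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The severity queue contains only the critical that has no path from the internet, while the three mediums form the one chain to root; closing any single link in that chain makes the path inactive.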

5. Remediation has been the forever-problem because the objective was misaligned

Ashish's question, "why have we never solved remediation?", opens the most operationally useful section of the conversation. Brad's answer is that the security and remediation teams have been measured on different things:

"If you have two teams that are measured differently — one team's measured on how quickly they can identify and prioritize, the other team's measured on how quick a patch gets released — they're two different measurements. If you focus on the same outcome as a shared objective, which is to reduce the exploitability window, out of that will follow a bunch of other decisions." — Brad Hibbert

This is the kind of strategic-architectural insight senior cloud security leaders can act on without buying anything new. The fix is the operating model, not tooling: rewrite the shared OKR for security + cloud ops + dev so both sides are measured on reduction of exposure window rather than time-to-patch and time-to-detect respectively.

Brad also flags the friction layer that bottoms most programs out — the manual handoff:

"They wanna know why is A ahead of B? Why is B ahead of C? When you pass that information, if you have a shared objective and a shared understanding for how the security team is prioritizing, and an agreed upon approach... you have less of this 'let me export that to Excel, let me compare that to my scanner.'" — Brad Hibbert

Building shared explainability (why a finding was prioritized, in language remediation teams trust) is the trust-building work that lets you eventually automate decisions. Without it, every prioritization becomes a negotiation.

6. Trust is a muscle. Automate incrementally, but start.

When Ashish presses on whether AI-suggested remediation can be trusted enough to automate, Brad's answer is staged but firm:

"You can automate things that are simple, that have very minimal impact, that are reversible. That's great. But if it's not reversible and can have an impact, then you start to get a little queasy in your stomach... they have to build up trust as they start to automate these processes through reasoning and through AI. They will start taking that 5% that they automate today, the 6%, the 10%, the 20%." — Brad Hibbert

The pattern he describes (small, reversible, low-blast-radius first, building toward more consequential decisions with explainability and audit trails throughout) matches what mature platform-engineering teams already do for production change management. The application of the same pattern to security remediation is the bridge that's been missing.

Cloud-security takeaway: Pick one cloud-native control where automation is reversible (e.g., revoking an over-privileged IAM role, blocking egress from a workload, rotating a service-account secret) and instrument it end-to-end with audit logging and rollback. That's your wedge for trust-building. Once the muscle exists, extending to less reversible actions becomes a policy conversation, not a technical one.

7. Don't boil the ocean: pick one high-stakes asset and prove the model

When asked about quick wins, Brad is pragmatic:

"If you're gonna build on the top of the pyramid, don't try to do everything across the whole asset stack. Focus on a high-profile application that could have significant impact to the business, and maybe focus on your external attack surface first. Pick your poison... work the kinks out, work on that shared responsibility, kind of what the shared measurements are gonna be. Show the model working and then expand from there." — Brad Hibbert

This is the most actionable 30-60 day playbook from the conversation:

  1. Pick one high-business-impact application or one critical external attack surface segment.

  2. Define a shared exposure-window OKR across security and the relevant remediation team.

  3. Instrument the full lifecycle — discovery, enrichment, exploitability assessment, prescriptive remediation guidance, two-way ticketing integration, post-remediation verification.

  4. Measure exposure-window reduction, not patch volume.

  5. Use the working model as the proof case to expand scope.

8. The convergence problem: siloed AI is going to fail

Brad's closing observation is one cloud security leaders should plan for now:

"I think a lot of security vendors are gonna say, 'We have the solution, it's AI.' But then what you're gonna do is you have these siloed security products making siloed AI decisions. What organizations need is to bring all this information into a global exposure repository so they can understand everything from a global perspective." — Brad Hibbert

The Cisco/Astrix deal in this week's news is, in part, a bet on this convergence: pulling NHI, identity intelligence, secure access, and SIEM (via Splunk) into a single context-aware control plane. Expect more consolidation along the same line over the next 18 months. For practitioners building their own roadmap, the design principle is to invest in data integration and unified context before adding more siloed AI features.


Question for you? (Reply to this email)

🤔  If you measured your program on exposure window reduction instead of patch SLA next quarter, which OKR breaks first — and what does that tell you?

Next week, we'll explore another critical aspect of cloud security. Stay tuned!
