Jordan: This week, the attack surface got smarter before the defense did. And for CISOs running critical infrastructure, that's not a philosophical observation — it's an operational emergency.

Alex: Welcome to Cleartext's Week in Review. I'm Alex Chen. If you were heads-down this week and missed the daily show, here's what mattered and what it means going into the week ahead. We had four big themes converge simultaneously — and that convergence is the story. Iranian and Russian state actors escalated against U.S. infrastructure in ways that are now showing up in corporate earnings calls. AI fundamentally broke the vulnerability management model that your entire security program is probably built on. The federal safety net is being dismantled at exactly the wrong moment. And the financial system just told your CFO that bad cybersecurity has a price tag. Let's get into it.

Jordan: Start with the geopolitical piece, because this is the most urgent. The FBI, NSA, and CISA issued a joint advisory Tuesday warning of escalated Iranian cyberattacks against U.S. energy and water infrastructure. Not hypothetical. Active, ongoing attacks in the last month, directly tied to the U.S.-Israel strikes on Iran. They identified roughly 3,900 internet-exposed Rockwell Automation PLCs sitting on U.S. networks right now. If you are responsible for any OT environment, that number should make you uncomfortable.

Alex: And then Stryker filed the earnings warning that made this concrete for every board in America. A major medtech company, hit by an Iran-linked wiper attack in March, disclosing material impact to earnings. This is what geopolitical cyber escalation looks like when it lands on a publicly traded company. It's not hypothetical risk on a risk register anymore — it's a line item on a 10-Q. Boards that were still treating nation-state cyber operations as someone else's problem need to update that mental model immediately.

Jordan: A word on the ceasefire question, because I know people are watching the diplomacy. Dark Reading ran analysis this week on whether ceasefires slow cyberattacks, and the historical answer is basically no. Iranian cyber operations are conducted by actors who may not consider themselves party to whatever diplomatic arrangement gets announced. If anything, they can intensify during negotiations as leverage. Do not let any political headline lower your operational tempo on this.

Alex: Separate from Iran, the Russia story this week was technically remarkable. Operation Masquerade — the FBI disclosed they dismantled an APT28 espionage network spanning 18,000 SOHO routers across 120 countries. The technique here is what should get your attention. Forest Blizzard wasn't deploying malware in the traditional sense. They were modifying DNS settings on end-of-life routers to intercept and steal Microsoft Office authentication tokens in transit. No malware to detect. No signature to catch. Just silent traffic manipulation on devices nobody was watching.

Jordan: This is the edge device problem in its purest form. Those 18,000 routers were largely end-of-life hardware — small office, home office gear that's sitting in branch offices, in employee home networks, in third-party environments — and they became a global intelligence collection platform. The inventory and decommission conversation for EOL network devices is not a new one, but APT28 just put a very concrete case study behind it.

Alex: Now let's talk about what I think is the most strategically significant story of the week, and honestly maybe the most significant story we've covered this year. Project Glasswing. Anthropic launched an initiative with 45-plus organizations — Apple, Google, AWS, CrowdStrike, Cisco — built around a model called Claude Mythos Preview. And the benchmark numbers are not incremental improvements. They're a category break. On SWE-bench Pro, Mythos scores 77.8 percent versus 53.4 for the previous best model. On exploit writing for Firefox, 181 successes versus 2 for the prior generation. That's a 90x improvement. And then there's the OpenBSD story.

Jordan: The OpenBSD story is the one I keep coming back to. There was a bug in OpenBSD's TCP stack. It had survived 27 years of human code review. It survived fuzzers. It sat inside one of the most deliberately hardened operating systems ever built. Two packets could crash any server running it. Mythos found it. The full discovery campaign cost about $20,000. The specific model run that surfaced the flaw cost under $50 in compute. That's the number that reframes everything.

Alex: Here's the strategic implication for CISOs. Your patch management program, your vulnerability management program, your entire remediation cadence — it was built for a world where discovery was the bottleneck. Humans finding bugs slowly, vendors patching eventually, you prioritizing the queue. That model is broken. Discovery is now cheap, fast, and AI-automated. The bottleneck is remediation. And nothing in most security programs has been rebuilt around that reality yet.

Jordan: HackerOne made that explicit this week. They actually paused bug bounties. The reason they gave was a remediation bottleneck caused by AI-automated discovery. They said it directly: bounty programs fund discovery, not fixes. And when discovery is no longer the constraint, you've got a structural gap. Organizations are now surfacing more validated vulnerabilities than their engineering teams can absorb. That's not a patch management problem. That's a resource allocation problem, and it belongs in the budget conversation.

Alex: The Adobe Reader zero-day that's been actively exploited since at least December — and the FortiClient authentication bypass that Fortinet issued an emergency patch for this week — those fit the same pattern. High-sophistication exploitation of ubiquitous software and perimeter products, at a pace that outstrips enterprise response cycles. The Fortinet vulnerability in particular continues a pattern that should make any CISO with significant Fortinet exposure ask hard questions about compensating controls, not just patch timing.

Jordan: Storm-1175 is worth a mention here too. China-linked group, deploying Medusa ransomware using zero-days and n-day exploits at what Microsoft is calling "high-velocity." The interesting thing about Storm-1175 is that it blurs the line between nation-state espionage and ransomware operations. You can't cleanly separate your APT playbook from your ransomware playbook when the same actor is doing both. That complicates how you triage and respond.

Alex: Let me turn to the governance picture, because the federal landscape shifted in a significant way this week. The Trump administration's FY2027 budget proposal would cut CISA by approximately $700 million and eliminate nearly 900 positions. Specifically on the chopping block: vulnerability scanning services and field support. For large enterprises with mature security programs, this is a data point. For mid-size organizations, regional operators, municipal utilities — organizations that were relying on CISA's free scanning and advisory services — this is a planning crisis. The budget hasn't passed, but you should not build your 2027 security roadmap assuming those services exist.

Jordan: And that backdrop makes the cybercrime loss numbers from the FBI IC3 report land harder than they otherwise would. Twenty-point-nine billion dollars in reported losses in 2025. Up 26 percent year over year. Crypto scams alone over seven billion. And the FBI is explicit that actual losses are significantly higher because a large portion of victims never report. So you've got documented losses accelerating, federal support capacity contracting, and threat actors getting AI-powered offensive capability. That's a risk environment that requires some honest conversations with boards and CFOs.

Alex: The CFO conversation got a new data point this week. Studies published in BankInfoSecurity show that U.S. banks are charging up to ten extra basis points on loans to companies with poor cybersecurity posture. For a company with meaningful debt load, that's potentially hundreds of thousands of dollars in additional financing costs annually. Security is now being priced into cost of capital. That is the language CFOs understand, and it is a legitimate and data-backed argument for security investment that doesn't rely on hypothetical breach scenarios.

Jordan: Two other things worth flagging quickly. The Hims breach — telehealth data exposing treatments for weight loss, hair loss, erectile dysfunction — this is the compounding risk problem with healthcare PHI. It's not just HIPAA liability. It's targeted extortion potential using data that is deeply personal and embarrassing. If you're in telehealth or adjacent to it, your data classification and handling for sensitive health categories needs a hard look.

Alex: And on the positive side, Chrome 146 shipped Device Bound Session Credentials — DBSC — generally available on Windows. This directly addresses the infostealer pipeline that has driven a remarkable number of recent breaches. Infostealers exfiltrate session cookies, those cookies get sold and replayed, accounts get compromised without any credential involved. DBSC binds session cookies to TPM-backed keys on the specific device. You cannot replay them from a different machine. If you're managing an enterprise Chrome rollout, this deserves attention on your deployment timeline.

Jordan: One more: AI agents and zero trust. RSAC 2026 had four separate major keynotes — Microsoft, Cisco, CrowdStrike, Splunk — all independently land on the same message: zero trust must extend to AI agents. Cisco's framing was memorable. They described AI agents as "supremely intelligent teenagers with no fear of consequence." If you are deploying agentic AI in your environment, and most enterprises are starting to, credential isolation architecture is not optional. AI agents that co-locate credentials with untrusted code are the next major attack surface. The architectures to address this exist now. Use them before you have an incident that explains why.

Alex: So what was the defining character of this week? Here's my read. This was the week where several trends that security leaders have been tracking as "emerging" became "arrived." AI-powered vulnerability discovery went from theoretical capability to documented reality with price tags attached. Iranian cyber operations went from geopolitical background noise to corporate earnings disclosures. Federal cyber support went from politically uncertain to budgetarily specific. These are no longer things to monitor. They require decisions.

Jordan: My version of that is simpler. The cost of inaction just went up across the board this week. The cost of not patching your OT perimeter, the cost of not decommissioning your EOL routers, the cost of not building remediation capacity into your security program, the cost of not extending zero trust to AI agents — every one of those went up measurably this week. The threat environment moved. The question for every CISO going into Monday is whether your program moved with it.

Alex: Going into next week: if you're a critical infrastructure operator, the Iranian advisory is an action item, not a reading item. If you have Fortinet perimeter products, emergency patch timelines apply. And if you have a board meeting in the next thirty days, the IC3 loss numbers and the cost-of-capital data are the new centerpiece of your risk narrative. Get ahead of those conversations.

Jordan: And get your OT asset inventory in front of someone who can tell you how much of it is internet-facing before someone else does it for you.

Alex: That's the week. Daily show returns Monday. We'll be watching the geopolitical situation closely as the week opens, and we have more coming on the AI vulnerability management story — it's not going away. Thanks for listening to Cleartext. Stay sharp out there.