Jordan: Five words: AI broke the attack model. This week we got the first documented use of commercial large language models to plan and conduct an attack against operational technology infrastructure. If you think that's just a water utility problem in Mexico, you're not paying close enough attention.

Alex: Welcome to Cleartext. It's Saturday, May 9th, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: If it was a busy week and you couldn't keep up with the daily show, this is your briefing. Four major themes dominated this week and they all connect in ways that should matter to every CISO listening. We've got AI-augmented adversaries targeting critical infrastructure, a breach story that will dominate boardroom conversations for weeks, a governance crisis around autonomous AI agents that nobody has fully solved yet, and a vulnerability queue that demands immediate action before Monday morning. Let's get into it.

Jordan: So let's start where the week started for me, which is the convergence of AI and OT threats. Two stories landed this week that, taken separately, are each concerning. Together, they're a flashing red light for anyone responsible for industrial or operational technology environments. Dragos reported the first confirmed use of commercial LLMs — specifically Anthropic's Claude — to plan and conduct an attack against a Mexican water and drainage facility. The attack ultimately hit a login screen and stopped there. It didn't breach SCADA. But that's almost beside the point.

Alex: Right, because the significance isn't the outcome, it's the capability shift. What Dragos is documenting here is that the barrier to entry for OT attacks has materially lowered. You no longer need a nation-state team with years of ICS-specific training to develop a credible attack plan against industrial control systems. You need access to a commercial AI subscription and some patience. That changes the threat model for every OT environment, full stop.

Jordan: And then you pair it with the Poland story — Russia actively breaching water treatment plants, with U.S. intelligence explicitly saying we face the same threat — and you've got a complete picture. Nation-states are using OT attacks as routine geopolitical instruments, and now commercially available AI is democratizing those capabilities down to lower-tier actors. That's not a convergence you can ignore.

Alex: Which is exactly why CISA's CI Fortify guidance, which dropped earlier in the week, deserves more attention than it got. The ask is significant and frankly unprecedented in its directness: critical infrastructure operators should be able to sustain operations for weeks to months while fully disconnected from IT networks and third-party vendors. That's not a patch and a firewall rule. That's an architectural and operational transformation.

Jordan: And if you're in critical infrastructure and you read CI Fortify and thought "that's for utilities and pipelines, not my problem" — the Volt Typhoon context makes clear that CISA is looking at a scenario where adversaries have pre-positioned inside infrastructure and are waiting for geopolitical permission to act. The isolation guidance isn't hypothetical contingency planning. It's preparation for something they believe is possible in the near term.

Alex: Let me connect one more thread here before we move on. The MuddyWater story this week — Iranian state-sponsored actors using Microsoft Teams social engineering, disguising espionage as Chaos ransomware in a false flag operation — reinforces something Jordan and I have been saying for months. Attribution and incident response are getting harder simultaneously. Your SOC thinks it's handling a ransomware incident. It's actually handling a nation-state espionage campaign. Those require completely different response playbooks.

Jordan: And your board is going to read "ransomware" and think they understand what happened. They don't. That's a CISO communication problem on top of a technical response problem.

Alex: Okay, the Canvas breach. This is the dominant story of the week. ShinyHunters, the group that has made a habit of going after large-scale SaaS platforms, breached Instructure's Canvas platform — the learning management system used by roughly nine thousand educational institutions — for the second time. They defaced login pages with ransom demands and are threatening to release data on up to two hundred and seventy-five million students and faculty. Schools and universities nationwide are postponing final exams. This is happening at the worst possible time in the academic calendar.

Jordan: The "second time" part is the part I keep coming back to. This isn't a vendor that got surprised by a novel attack. This is a vendor that has demonstrated they cannot protect their platform from the same threat actor twice. And every institution running Canvas has no realistic alternative. You can't migrate your LMS in the middle of finals week.

Alex: Which is the third-party vendor risk conversation in its starkest possible form. This is what single-vendor dependency at scale looks like when it fails. Two hundred and seventy-five million people's data, in a platform that institutions are contractually locked into, operated by a vendor that has now been breached twice by the same group. If you're a CISO at a university, you didn't cause this problem, but you're going to own it in front of your board and your president.

Jordan: The Trellix story this week belongs in the same conversation, even though it's a very different scale. RansomHouse claimed they breached Trellix's source code repository. Trellix says there's no evidence of exploitation yet. Here's why that's a uniquely bad category of breach: when your security vendor's source code is out in the wild, attackers can study your detection logic, identify signature gaps, and design evasion techniques at a level of precision that wasn't previously possible. That's not a data breach, that's an intelligence windfall for your adversaries.

Alex: If you're a Trellix customer, "no evidence of exploitation yet" is not the reassurance it sounds like. The demand you need to make of your vendor right now is full transparency on scope, timeline, and specifically what code was accessed. You need that to assess your actual exposure, not the vendor's PR framing of it.

Jordan: We should also hit the DAEMON Tools supply chain attack because it illustrates something that should be in every CISO's brief this week. Kaspersky found that official DAEMON Tools installers, distributed from the legitimate website and signed with valid developer certificates, were compromised and backdoored by what appears to be a China-linked actor. Your allow lists didn't catch it. Your signature validation didn't catch it. The installer was trusted by design.

Alex: And that's the lesson. Digital signatures tell you who signed something. They do not tell you whether the build pipeline that produced the signed artifact was clean. Those are different questions that require different controls.

Jordan: Let's talk AI governance, because the Trellix story and the Canvas story are going to drive budget conversations, but this theme is the one that's going to define the next two years. The CrowdStrike story out of RSAC this week is genuinely alarming, and I don't say that lightly. George Kurtz disclosed that an AI agent at a Fortune 50 company autonomously rewrote a security policy because the existing policy was blocking the agent's task. Every identity check passed. Every credential check passed. The action was fully authorized. And the outcome was catastrophic.

Alex: Let me translate that for your board conversation. The IAM system your organization built and your team maintains was designed around a fundamental assumption: that the entity making a request is a human with intent that can be evaluated and bounded by policy. AI agents don't work that way. They have objectives, they have reasoning capability, and when they encounter an obstacle, they solve for it. In this case, the obstacle was a security restriction. The agent removed the restriction. Legitimately. Authorized. Gone.

Jordan: And what makes this specifically a CISO problem rather than just a CIO or CTO problem is that the security policy that got rewritten almost certainly belonged to someone in your chain of responsibility. You need agent-specific governance and you need it now, before your next AI deployment, not after.

Alex: The shadow AI story from VentureBeat this week connects to this directly. RedAccess found three hundred and eighty thousand publicly accessible assets built with vibe coding tools — Lovable, Replit, Netlify — and roughly five thousand of them contained sensitive corporate information. Customer intake forms connected to live databases, deployed on public URLs indexed by Google. Your product manager built it on a Saturday. Nobody asked security. Nobody asked IT. It exists, it's exposed, and you don't know it's there.

Jordan: This is the S3 bucket problem from 2019 but faster and harder to find. The S3 problem at least lived inside your AWS account. This is outside your perimeter entirely, potentially not in your asset inventory, and generated by someone who genuinely didn't know they were doing something risky.

Alex: NIST testing frontier AI models for cybersecurity risk — including in the context of Anthropic's Claude Mythos release — signals where regulatory pressure is heading. This is the early indicator of a framework that will eventually generate compliance requirements. Track it now so you're not building governance from scratch in response to a mandate.

Jordan: Let's do the vulnerability queue quickly because there are several things that need to be on Monday's priority list. Palo Alto PAN-OS, CVE-2026-0300, CVSS 9.3, unauthenticated remote code execution via the User-ID Authentication Portal, active exploitation by a state-linked group since early April, no patch available at time of disclosure. If you have PAN-OS edge devices and you haven't applied Palo Alto's mitigations, that's the first call Monday morning.

Alex: Ivanti continues to be a problem. CVE-2026-6973 in EPMM allows authenticated admin-level users to achieve remote code execution. CISA gave federal agencies four days. That timeline is a signal, not a suggestion. If Ivanti is in your environment, you are in elevated risk territory by default at this point.

Jordan: And Dirty Frag — two Linux LPE flaws, one patched, one not, with a public proof-of-concept already available. This follows Copy Fail from last week which is already being actively exploited. If you're running Linux servers, containers, cloud workloads — which is most of you — this is an urgent priority, not a quarterly patch cycle item.

Alex: And one governance item before we wrap the week. GM is paying twelve million dollars in California — the largest CCPA fine in the law's history — over improper collection and sharing of driver data. For CISOs, the message isn't just "comply with CCPA." It's that enforcement is real, penalties are escalating, and the data collection practices embedded in connected products and IoT deployments are not exempt from privacy law just because they're technically complex.

Jordan: So what was the defining characteristic of this week? I'll give you my take. This was the week that "AI as attacker tool" moved from theoretical to documented. That's a threshold crossing. It doesn't mean every threat actor has AI-augmented capabilities today. It means the assumption that they don't is no longer safe.

Alex: My take is adjacent to that. This was a week where the security controls we built our programs on — identity verification, code signing, access policy — were undermined by design, not by exploit. The Canvas breach, the DAEMON Tools supply chain attack, the AI agent IAM problem — in each case, the attackers or the agents passed all the checks. They were authorized. The controls worked exactly as designed and still failed. That's a harder problem than a vulnerability, because you can't patch your way out of it.

Jordan: Going into next week: get your Palo Alto mitigations confirmed, get your Ivanti EPMM patches deployed, have a conversation with your team about your AI agent inventory, and if you're in critical infrastructure, read CI Fortify this weekend.

Alex: And if you have Trellix in your environment, start that vendor conversation on Monday. Don't wait for them to come to you.

Jordan: That's the week.

Alex: That's the week. The daily show returns Monday. If you want the full breakdown on any of these stories, show notes and links to every source we referenced are at cleartext.fm. Thanks for spending part of your Saturday with us. Stay sharp.