Zentera News

Threat Briefing – April 2026

Written by Zentera Press | Apr 25, 2026 4:22:20 PM

AI-Powered Zero-Days, Iranian PLC Attacks & Windows Defender Under Fire

In this month's Threat Briefing, Nathanael Iversen covers three stories shaping the security outlook heading into May - from a breakthrough AI model that finds zero-days at machine speed, to state-sponsored attacks on U.S. industrial controls, to a Windows Defender vulnerability serious enough to trigger a federal patch deadline.

AI-Powered Zero-Day Discovery Changes the Calculus

Anthropic released Claude Mythos Preview - a restricted AI model - to a limited group of critical industry partners under Project Glasswing. The model can autonomously find and exploit zero-day vulnerabilities across every major operating system and browser, including flaws that survived decades of human code review.

Unauthorized users gained access on the day of its announcement through a third-party vendor environment. Anthropic has opened an investigation.

The takeaway for defenders: attack surface elimination - fine-grained segmentation, tight access permissions, unused ports closed - is the control that holds when the offense can move this fast.

Iranian State Actors Targeting U.S. Industrial Controls

CISA, the FBI, NSA, and U.S. Cyber Command issued a joint advisory confirming that Iranian-affiliated APT actors are actively exploiting internet-facing Rockwell Automation and Allen-Bradley PLCs across U.S. critical infrastructure, including water and wastewater systems, energy, and government facilities.

Actors are accessing PLCs using legitimate vendor software over exposed ports - no zero-day required. Confirmed disruptions include manipulation of HMI and SCADA displays, operational outages, and financial loss.

Network isolation and strict access control are the required response. If your organization operates Rockwell or Allen-Bradley PLCs, review the full CISA advisory (AA26-097A) and assess your isolation posture now.
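One practical way to "assess your isolation posture" is to audit flow or firewall logs for any host outside the engineering allowlist reaching PLC protocol ports. The script below is an added example written for this briefing; it is not code from Zentera or from the CISA advisory. It assumes Rockwell/Allen-Bradley PLCs speak EtherNet/IP (TCP 44818 for explicit messaging, UDP 2222 for implicit I/O), a constructed one-record-per-line flow format, and a constructed network layout in which engineering workstations sit in 10.10.5.0/24 and PLCs in 10.20.0.0/16.

```python
"""Audit flow records for PLC-port access from outside the engineering allowlist.

Added example, not from the Zentera briefing or CISA advisory AA26-097A.
Assumptions (labelled here and in comments):
- flow records are "src_ip dst_ip proto dst_port", one per line
- PLCs speak EtherNet/IP: TCP 44818 (explicit) and UDP 2222 (implicit I/O)
- engineering workstations: 10.10.5.0/24; PLC network: 10.20.0.0/16
"""
import ipaddress
from dataclasses import dataclass

# Assumed EtherNet/IP ports used by Rockwell/Allen-Bradley PLCs.
PLC_PORTS = {("tcp", 44818), ("udp", 2222)}

# Constructed network layout.
ENGINEERING_NETS = [ipaddress.ip_network("10.10.5.0/24")]
PLC_NET = ipaddress.ip_network("10.20.0.0/16")

# RFC 1918 space; anything outside it is treated as internet-sourced.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    proto: str
    port: int
    severity: str


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def parse_flow(line):
    """Parse one constructed flow record into typed fields."""
    src, dst, proto, port = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(port)


def audit_flows(lines):
    """Return a Finding for every PLC-port flow whose source is not an allowlisted
    engineering host. Internet-sourced access is rated critical; internal but
    unexpected sources (e.g. corporate IT) are rated high."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            src, dst, proto, port = parse_flow(line)
        except ValueError:
            continue  # skip malformed records rather than abort the audit
        if (proto, port) not in PLC_PORTS or dst not in PLC_NET:
            continue
        if _in_any(src, ENGINEERING_NETS):
            continue  # expected engineering-workstation traffic
        severity = "high" if _in_any(src, INTERNAL_NETS) else "critical"
        findings.append(Finding(str(src), str(dst), proto, port, severity))
    return findings


# Constructed sample records: src_ip dst_ip proto dst_port
SAMPLE_FLOWS = """
10.10.5.21 10.20.1.10 tcp 44818
203.0.113.45 10.20.1.10 tcp 44818
10.30.7.9 10.20.1.12 udp 2222
10.10.5.22 10.20.1.12 udp 2222
198.51.100.8 10.20.1.15 tcp 443
""".strip().splitlines()


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"[{f.severity}] {f.src} -> {f.dst}:{f.port}/{f.proto}")
```

On the constructed sample this flags two flows: the internet-sourced connection to TCP 44818 as critical, and the internal-but-unexpected UDP 2222 flow as high, while allowlisted engineering hosts and non-PLC ports are ignored. Any critical finding means a PLC is reachable from outside the segment and should be isolated before anything else is reviewed.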

Windows Defender Zero-Day Drives Federal Patch Mandate

A privilege escalation vulnerability in Microsoft Defender, tracked as CVE-2026-33825 and dubbed "BlueHammer," was publicly disclosed in early April alongside working proof-of-concept exploit code. Microsoft patched it on April 14. CISA added it to its Known Exploited Vulnerabilities catalog and gave U.S. federal agencies two weeks to remediate.

The flaw allows a low-privileged local user to gain SYSTEM-level permissions by exploiting insufficient access control granularity in Defender's remediation engine. Active exploitation has been confirmed in the wild.

Key Takeaways

  • Eliminate attack surface: segment aggressively, close unused ports, enforce least-privilege access
  • If you operate Rockwell or Allen-Bradley PLCs, remove them from direct internet exposure immediately and review CISA advisory AA26-097A
  • Apply the April 2026 Patch Tuesday updates - CVE-2026-33825 is actively exploited
  • AI is accelerating both offense and defense; the window between vulnerability discovery and exploitation is narrowing fast