Faster Is Not Going To Be Enough
5–26–2026 (Tuesday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Tuesday, May 26, 2026, and, at least as I’m recording this, the war in Iran continues and the Strait of Hormuz remains closed.
Faster is Not Going to be Enough
Are regular watchers of the show will no doubt be aware, we’ve been talking about the implications of the new security-specific models (Mythos, GPT-5.5-Cyber) and the amount of fear and trepidation they’re causing amongst both security and business leaders.
There were several articles last week about this continued worry, including a piece from the Financial Times on how Anthropic plans to brief global financial watchdogs on cyber flaws exposed by Mythos. That’s all well and good, but remains conceptual.
We’re now starting to get more details from the companies engaged in Project Glasswing and other early-access programs that shine a bit more light on what these models actually mean, and give us a few ways that we - as security practitioners- might need to adapt our thinking.
The first bit of insight comes from Palo Alto Networks, who reports that using these tools returned 10 - 15 times the number of exploitable vulnerabilities than they usually see in a given month. In particular, they note that “the models were able to identify ways to chain multiple flaws together into a working exploit path.”
“In several cases, Palo Alto Networks said, the individual flaws might not have warranted disclosure on their own but became high-severity vulnerabilities when combined together.”
They also flagged an approximately 30% false-positive rate, and disclosed that they spent significant time building an “AI-scanning harness” to leverage the models.
That’s the same thing we heard from Cloudflare, another Project Glasswing participant. They gave us significantly more detail, however, including their 8-step harness.
A harness is essentially a structure that manages the overall execution of the function, rather than just throwing the model at a repository.
In their work, the Cloudflare team has some real insights about how to get the most out of these tools, including some clever framing and mental models for both researchers and the models themselves.
They distinguish between "Is this code buggy?" and "Can an attacker actually reach this bug from outside the system?" as two separate questions, and conclude that just being “faster is not going to be enough.”
They go back to the core question, which is how do we “make exploitation harder for an attacker even when a bug exists?” This is a much broader question, beyond code - including architecture and logic, as well as monitoring and alerting.
This abstraction shift is going to be important, as any one cyber-specific model will soon be replaced. In fact, Microsoft announced that their new multi-model MDASH Agent, built by Microsoft’s Autonomous Code Security team, is now outperforming both Mythos and GPT-5.5-Cyber.
They’re also using the harness model to drive improvements, again indicating the need that our thinking about defensive approaches and tool use is going to continue to need to co-evolve alongside both our tools and threat environment.
Speaking of threats, there was a piece in the New York Times about the risk of those AI Notetakers you see in meetings, as a “ticking time bomb of legal risk.” That might be a bit overblown, but we’re also going to continue to encounter unintended consequences at an unprecedented rate.
Fundraising
More reasonable fundraising numbers this week, with $8.4B in newly committed capital.
We did, as predicted, see SpaceX’s S-1, and learned that Anthropic is paying them $1.25B (yes, billion) per month for access to the compute in their Colossus and Colossus II data centers. This deal is planned through May 2029, all of which is tightly interrelated to what we covered above. A good reminder that AI doesn’t happen in a vacuum.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://www.ft.com/content/7d309f94-3618-4511-9778-d1447799c5e4
https://www.axios.com/2026/05/13/palo-alto-networks-mythos-gpt-cybersecurity
https://blog.cloudflare.com/cyber-frontier-models/
https://www.nytimes.com/2026/05/09/business/dealbook/ai-notetakers-legal-risk.html
https://letsdatascience.com/news/spacex-s-1-reveals-anthropic-compute-deal-details-6ea1a260