All Episodes

May 5, 2026 40 mins

Summary

In this episode of the Blue Security Podcast, hosts Andy Jaw and Adam Brewer discuss significant topics in cybersecurity, including the discovery of a critical Linux vulnerability known as Copy Fail, the introduction of Cloud Security in public beta, and Microsoft's comprehensive AI security strategy. They explore how AI is revolutionizing vulnerability scanning, the implications of the Copy Fail bug, and the proactive measures organizations can take to enhance their security posture. The conversation emphasizes the importance of timely patching and the evolving landscape of cybersecurity driven by AI advancements.

----------------------------------------------------

YouTube Video Link: https://youtu.be/5Hrt9QdI7bY

----------------------------------------------------

Documentation:

https://www.theverge.com/tech/922243/linux-cve-2026-3141-copy-fail-exploit

https://copy.fail

https://claude.com/blog/claude-security-public-beta

https://www.microsoft.com/en-us/security/blog/2026/04/22/ai-powered-defense-for-an-ai-accelerated-threat-landscape/

----------------------------------------------------

Contact Us:

Website: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://bluesecuritypod.com

Bluesky: https://bsky.app/profile/bluesecuritypod.com

LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/company/bluesecpod

YouTube: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.youtube.com/c/BlueSecurityPodcast

-----------------------------------------------------------

Andy Jaw

Bluesky: https://bsky.app/profile/ajawzero.com

LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/andyjaw/

Email: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠andy@bluesecuritypod.com⁠

----------------------------------------------------

Adam Brewer

Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/ajbrewer

LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/adamjbrewer/

Email: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠adam@bluesecuritypod.com

Listen
Watch
Mark as Played
Transcript

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:06):
Welcome to the Blue Security Podcast, a weekly podcast for
information security defenders where we bring you discussions
on best practices, tools, and implementation for enterprise
security. Now here are your hosts for
today's show, Andy JA and Adam Brewer.
Welcome to this week's episode of the Blue Security.
Podcast, I'm Andy, your host. I'm Adam, your Co host.

(00:29):
All right, we have 3. Topics that we wanted to.
Talk about today. We're going to talk about the.
Copy fail bug that was. Found in Linux, and then we're
also going to talk. About cloud security which?
Is now in public beta. And then finally, at the end of
the show, we're going to talk about how Microsoft is using AI

(00:51):
in how they defend the company. And so since we are going to
talk about Microsoft, let's justget that disclaimer right out of
the. Way, let's do it.
Andy and I both work for Microsoft in our field security
sales. However, we record the show
outside of work on our own time.As I speak we are recording this
at 9:20 AM on a Saturday morning.

(01:12):
So the show is labor of love, not a work product of Microsoft.
So with that said, the opinions you're about to hear expressed
are those of Adam Brewer and Andy Jaw and do not necessarily
reflect those of Microsoft Corporation.
And with that, on with the show.All right, so there was this
nearly decade old. Linux bug. 32 bytes of.

(01:36):
Python And every major distribution is going to be
vulnerable. To this called copy fail, so
that dropped. This week.
And the big thing is, is that AIwas the one that found it.
So what is copy fail? It is a local privileged
escalation vulnerability, so meaning any unprivileged local
user can escalate to. Root.

(01:57):
Without needing network. Access.
Or special kernel features and it affects every Linux
distribution that has shipped since 2017.
And unlike most. Local.
Privilege escalations. It requires no race window and
no kernel. Specific offsets.
It's a straight. Line logic.
Flaw that works the. Same way every single time and

(02:21):
the exploit. Itself is just. 732 bytes of
Python using only standard library modules and the same
unmodified script which was demonstrated in routing, Ubuntu,
Amazon Linux, RHEL and sussy in a single take.
So the technical breakdowns, if you're a Linux person, I know
like basic Linux. So some of the stuff is probably

(02:43):
not like high school. On the weeds, isn't it?
Yeah, but. If you are a Linux person and
you understand this. That's great.
So the bug. Lives in Authsense, which is
auth ENCESNA component of the Linux kernel crypto subsystem,
and it gets chained through the AF under score.
ALG. Which is the.
Kernel, user space, crypto API and splice.

(03:06):
To achieve A4. Byte write into the page cache.
The Four. Byte write is enough to corrupt.
The suit. ID binary which is the SU in
memory, not on disk, so it won'tsurvive.
A reboot, but it does. Hand you a real root shell in
the meantime, and so the AF under score ALG ships enabled in

(03:31):
essentially every mainstream distro's default configuration,
which is why the entire window from 2017 to patch is in.
Scope out-of-the-box. So who's at risk, really?
Any multi tenant Linux host thatshare unlike a shared dev.

(03:51):
Box or. Jump, host, or build servers are
all at risk. Any user on those systems can
become root. Kubernetes clusters are
particularly dangerous. Because the page cache is shared
across the host. Meaning a compromise pod can
then cross tenant boundaries andtake over the entire node.

(04:13):
That's bad. Yeah, that's bad.
CI runners, GitHub action self host runners, Git lab runners,
Jenkins agents are. Also high risk because.
They execute untrusted. PR code as regular users.
On a shared kernel, meaning a malicious pull request could
become root on the runner. So you know, one of the things

(04:35):
that was interesting as I. Read through this was that?
It was discovered by an AI scanner, so.
Copy fail was discovered by. Zint code that's spelled XINT
and it's an AI powered vulnerability scanner after
about an hour of scan time, and it pointed at a Linux crypto
subsystem with no custom harnessand just one operator prompt.

(04:58):
This is a. Significant discovery because
traditional. Security would have required.
You know, like a skilled human researcher spending days or
weeks manually auditing current code to find a bug like.
This. And the same scan also.
Surfaced other. High severity bugs that are
still in coordinated disclosure.So this is just the.
First one out the door, but there's more to come.

(05:20):
And so, you know, we've been talking about AI in the last
couple of shows and this is justanother example that really
shows that vulnerability scanning, especially AI powered
one, is no longer theoretical. It's finding production
exploitable, decades old bugs and critical infrastructure.
So no, like, you know, real discovery here, the primary fix

(05:44):
is really just patching. So look for a main mainline
commit. Which will revert.
The 2017 optimization that was induced introduced with this
flaw, and if you can't patch immediately, you can disable the
AL GIF under score amid module as a stop gap.
For most systems, this won't break any measurable anything

(06:05):
that's measurable. Because there are very few.
Applications that actually call the AF under score ALG.
Directly. So for untrusted workloads like
containers and CI runners, you can also block the AF under
SCORE ALG socket creation via seccomp, and that's recommended
regardless. Of the patch status.
As well. Really interesting stuff.

(06:26):
If you're a Linux nerd, this probably all makes sense to you.
To me, I'm just like. OK, this is really bad.
I got to look at all my Linux distros and look for a patch and
get that done as soon as possible.
We talked about AI vulnerabilityscanning and AI finding new
vulnerabilities, and one of the specific things we pointed out

(06:47):
is that AI is far better at finding chained vulnerabilities
than humans are because it's so iterative.
Humans lack, I mean, we we need to sleep, we need to eat, we
need to do other things, we needto stay interested very
systematically testing differentchaining combinations for
weaknesses as such a strength ofmachines.

(07:08):
And so this is a chained vulnerability.
To be clear, you kind of walk through it when we first started
talking about it, Andy. So it's a great example of that
risk. And so ultimately, I, I think
the reaction here just needs to be measured and and this is
where we just say, OK, you know,this is no longer a flying car.
This is a real thing. And thankfully, the way we

(07:31):
handle this is the same way we handle anything else that's been
disclosed through coordinated responsible vulnerability.
We patch in a timely fashion, but we don't scream the sky is
falling. We we patch, we move forward,
and we await the next one. And apparently more are coming.
And ultimately, if the rate of change becomes unsustainable, we
will develop alternatives at that time.

(07:52):
The one thing is necessity is the mother of all invention.
And so for right now we patch our Linux based systems and we
move forward. And This is why we're being
conscientious about this and about the deployment and
disbursement of new models like Mythos that will find these and,
and giving the Linux Foundation and other very major critical

(08:13):
technology providers are the opportunity to get out in front
of this. And I know we'll talk a little
bit more about what Microsoft's doing in this space as well
later on. Our employer, who I think brings
an interesting perspective to the table as I mean, I think
it's pretty fair to say Microsoft has issued more
security patches than any other security vendor in the world.
And it, and it's gotten it down to a very sustainable,

(08:34):
predictable cadence and, and patching 1.6 billion Windows
endpoints around the world everysingle month on the second
Tuesday of the month without really any notable disruption or
impact or anything else is, is pretty impressive.
So you know, the Apple does a great job patching billions of
iOS, Mac OS derivative devices as well.

(08:55):
And, and obviously Google does agreat job.
They weren't at first I was highly critical of them, but now
patching billions of Android endpoints around the world.
So it's, it's something we've gotten a lot better at and do a
lot better at scale. So you know, fingers crossed
that all that muscle we have built for many, many years just
carries forward and we just kindof keep doing the same thing.
And you know, if we have 0 days,we'll address those.

(09:17):
Otherwise, if they're kind of routine coordinated responsible
disclosure, we'll patch them on our predictable cadence and
we'll move on. So interesting, but kind of not
interesting at the same time, right.
So in terms of interesting, in terms of it's novel and new and
different, but uninteresting in terms of our response, it is the
same way we would respond to anyother vulnerability discovered

(09:37):
any other way and onward and upward.
So let's keep going. So Cloud security is now in
public beta. And so anthropic.
Just shipped A dedicated security.
Product and it is different thanwhat we had, you know, talked.
About a few weeks. Ago, which was Mythos, which was
that kind of frontier model thatthey're not releasing to the

(09:59):
general public, but this one is and so.
Cloud Security is a code. Vulnerability scanner that's.
Powered by Cloud Opus 4. .7 which is kind of like their most
powerful language that's out in production day.
It's available directly through cloud.
AI sidebar or at cloud? Dot AI security.
It doesn't require any API integrations or custom agent

(10:22):
build. It's in public beta for Cloud
enterprise customers, with access for team and Max
customers coming soon. It was previously known as Cloud
Code Security and already has been tested by hundreds of
organizations during a limited. Research preview.
And so all of their feedback kind of.
Shaped this specific release. Pretty simple to use all you

(10:45):
need to do. Is select a repository.
Scope it down to. A specific directory or.
Branch and then you can kick offa scan rather than matching
known vulnerability patterns. Clawed reasons over the code.
Like a security researcher would.
And it understands how components interact across
files, modules, tracing data flows and reading the source.

(11:06):
To build up a picture. Of what could go wrong.
Each finding comes with a confidence rating, a severity
assessment, likely impact reproduction steps, and
generated patch that you can openly direct directly in cloud
code. To work through a fix.
In the context, you can also schedule scans on a regular

(11:28):
cadence and scope. It to a specific directory.
Directory within a repo. You can dismiss findings with
documented reasons so future reviewers know.
That prior triage? Was intentional and you can
export findings as CSVS or markdowns for existing tracking
systems. There are also webhooks and then
you can pipe scan directly into Slack.

(11:48):
JIRA or other tools? That your security team already
lives in. So that closes the gap.
Between your finding the discovery and then having that
engineer. Aware of it so.
You know, like I said in the beginning here.
It is a separate. Kind of tool.
Then the Cloud Mythos preview which is a more powerful model.

(12:10):
That is supposed to. Surpass like the most elite
human experts, that one right now is only being released to
some vetted partners to that project last ring that we
talked. About whereas cloud security
here is broadly available, it's.An enterprise grade.
Product it puts Opus. .7's capability.
To work across your code base. For practical vulnerability

(12:31):
scanning patch generation without requiring any kind of
control controlled access that Mythos normally has in the
partner ecosystem. Crowdstrike, Microsoft Security,
Palo Alto Networks, Sentinel, One Trend AI Wiz.
They're all embedding Opus 4.7 into their existing security.
Tools. So organisations can access

(12:52):
these capabilities through the platforms they already run and
then on the services side like Accenture, Deloitte, PwC,
they're all helping enterprises deploy cloud integrated security
solutions for vulnerability management.
Secured code review. And incident response.
I think this is great. You know, if you're already
using Cloud code, I think this integrates, you know, seamlessly

(13:13):
into that workflow. I'm really curious though how
this will compete with other code scanning like tools that
have been traditionally if you have an apps app SEC program and
you're already using code scanning like something like I
used a product like Veracode in the past, there's GitHub
Advanced Security and you know how those are going to be

(13:33):
integrated into maybe either usethis or how this is going to
compete. With stuff like that, so.
I think this is anything that increases the security of code.
I think is good. I'm just.
Curious how this will shake. Out in the security kind of
solutions industry because it issomething that you have.
To pay for with. Cloud Enterprise.
Yeah, and Opus 4.7 is more than is a general purpose deep

(13:59):
thinking reasoning model. So it's it's used for all those
scenarios. In fact, in in our world, in the
Microsoft 365 Copilot ResearcherAgent Opus 4.7 is now available
as a model you can use for for doing research Funny.
Enough. You mentioned that I used it
recently this week and what it did.

(14:19):
Was. It used.
ChatGPT. The ChatGPT.
Model to 1st generate an output and then it used Opus to then
refine it. So it used multiple models
within the researcher agent. Which I thought was pretty cool.
Yeah, that that feature recentlyshipped.
It's like effectively peer review where it runs it with the

(14:40):
GPT model 5.5 now and then it will review it with the
Anthropic model. Or you can also do what's called
Model Council, which sounds liketribal council to me, But it'll
actually it'll run the query across both like an anthropic
and open AI model at the same time and then give you like dual
output side by side and you can compare like how they both did.

(15:01):
So if you, if you want to do that, it's a really clean way to
get multiple outputs and see which one you like better and
which ones better tailored do what you were aiming for.
So that's, you know, neither here nor there, but just an
interesting side note that I want to point out.
Opus 4.7 is a general purpose, you know, deep thinking
reasoning model and it's being used in this scenario to analyze

(15:26):
code and and Mythos is we're also comparing it to will never
ship. They have said that Mythos is
not a product that's designed tomove to production.
It's it's designed to be a research preview to help inform
production releases. And apparently Opus 4.7 is
pretty close already to Mythos capability set and expect that I

(15:47):
I would expect more iterative updates to Opus and, and
eventually they'll say, yeah, weare now at Mythos level
capability is kind of how this will proceed.
That's just me reading the tea leaves, but that's my
prediction. You know, this is specifically
code scanning, not necessarily him at a point you at a system
where I don't have access to thecode code and I want you to
reason through how you would attack this or or anything else.

(16:08):
Obviously code scanning is highly important right now and
that's a lot of reason why organizations got access to
Mythos, especially companies that are not open source like
our employer. Run it against the Windows code
base, see what you come up with,and then we can start
proactively fixing stuff. Not to say I, I know or can
confirm or deny that's been donethat I'm not, you know, read

(16:30):
into that, but I assume something like that is happening
anyhow. So this is this is cool and
we'll continue to see this develop.
And This is why I think I said either last week or the week
before, I continue to be bullishthat in the long run, this AI
will actually be a great equalizer for the good guys, for
the blue hats of the world, for our blue security podcast

(16:51):
listeners, because it gives us as it gives us basically that
equalizing capability through effectively money.
We all are our security teams are reasonably well funded and
gives us the chance to kind of get out in front of these.
Even if we may not have headcount or long term advantage
from a human capital perspective, we can gain an

(17:13):
advantage. That's that's consistent and
persistent and durable through the use of these tools in the
long run. And I I think it will actually
be difficult and I'm optimistic for the bad guys to keep up
here. But in the short term, yes,
there's going to be pain as we first transition to this world
and we have a flurry of new vulnerabilities announced all at
once. Yeah, It may be difficult for

(17:35):
the next couple of years, but then we will reach a steady
state where all major code baseshave been reviewed, all the
major, the quote UN quote low hanging fruit has been found and
has been patched. And at that point moving
forward, if we're running these types of vulnerability scanners
against new code before it ever ships, we are shipping defect

(17:55):
free, security free code from the get go.
And then there's just less opportunity or less need to go
back and patch it later. So again, short term pain here.
The sky is not falling, althoughthings might suck for a little
bit. But in the long run, the goal is
that code just leaves, leaves the door and it's secure by
design and secure by default. And there's a lot less we have

(18:19):
to do as defenders to run aroundand patched up after the fact.
And that will be a great day. It's not to say we'll never do
it again, but I bet it'll becomeless frequent because I think a
lot more code is going to ship in a lot better state with a lot
more security review from beforeit ever ships.
So that's why tools like this I'm very optimistic about in the
long run, even if there is some short term pain.

(18:41):
Yeah, I did see. Something like or.
I had a colleague mentioned earlier this week that
essentially all the information that has been generated has
already been reasoned over with the current AI models.
Like there's nothing that has been generated, like all the
information of the Internet has already been, you know, sucked
into these models and reasoned. Over so so we're.

(19:04):
At a point where you know it's only new information or it's
reasoning over like existing information and on itself.
So like I think it like you're saying at some point all these
discoveries will eventually. Be less.
Frequent we're going to have everything patched up and then
only new stuff will. Will exist.
Yeah, you get to a steady state.Here we are.
We are in a inflection point right now where there is a rapid

(19:27):
rate of change and sure, publicly facing information on
the Internet has all been ingested and incorporated into
models. Private code bases, especially
massive private code bases, may not have been fully reasoned
over yet. Maybe partially, maybe in in
wide swaths, but not all of it. And then as models continue to

(19:48):
evolve the state-of-the-art and they get better at reasoning and
thinking and discovering vulnerabilities, even though
they've seen the code base before, they can take a fresh
look at it, a fresh swag at it and do a better job discovering.
So I think we're saying the samething that the steady state is
coming, but we are not in the steady state right now.
We are getting there. We are, we are climbing the
difficult side of the mountain right now, but we will reach

(20:10):
that summit, we will level off at some point.
But right now is we are in the hard times right now before we
get to the summit and it we're coming down the other side of
the mountain and it gets a lot easier.
But this is the hard part right now.
So don't lose faith, don't lose hope.
I get it. This is, this is going to be,
there's going to be a lot of patching.

(20:31):
There just is, there's going to be a lot of 0 days.
There's going to be a lot of high level, high severity
vulnerabilities that we have to address very rapidly.
Lot of fire drills. Let's just prepare for it.
Let's get really crisp on, on how we patch and we should
already be, although it, we're always getting better.
We, we have that growth mindset,the continuous improvement
mindset and we'll continue to get better at it.

(20:54):
But I do think it is not hard toimagine a day three years from
now, Andy before the turn of thedecade where where we patch a
lot less frequently and patchingis a lot less of security
strategy. I, I do think that day comes and
it shifts back to probably picking off some of these last
like human based changes that organizations have been hesitant

(21:16):
to bite off. Things like getting back to fish
resistant MFA and getting that fully deployed.
And those are challenges we haven't bit off because they're
not really technology challenges.
The technology is solved. It's a human challenge.
And so when do you have management buy in?
When do you have employee based buy in to make those changes and
implement them? We may, we may have to shift our
focus temporarily as we deal with a lot of these discovered

(21:39):
vulnerabilities. And then when we're doing less
patching, then we'll have more time theoretically to focus on
again those human impacting changes that we still need to
make and still need to get done.I am not, by the way, I'm not
encouraging you to delay your fish resistant MFA deployment
for three more years. You should go do it tomorrow.
But if you don't have managementby and if you don't have the

(22:00):
headcount, if you don't have thebandwidth, I get it.
But I just want to be clear, I'mnot advocating for that, but I
get it. Some orgs, they're going to be
so heads down with some of thesepatching exercises right now.
Some of this work may get delayed that they've been
meaning to do. All right, our final topic, I
wanted to talk about Microsoft'sAI security.
Strategy because we published. A full road map and it's a multi

(22:23):
layered security strategy and not really like a.
Specific. Product announcement or anything
like that, It's a. Little product announcement
sprinkled in there like a littletease, but yes, overall this was
much more. This was on the SRC blog so the
Microsoft off security. Research Center.
Research Center, Thank you. Yes.
So I mean explicitly not a product group, not a revenue

(22:47):
generating part of the company, a A-Team who has a relatively
altruistic purpose of protect our world, protect Microsoft,
protect our world, protect our customers, that that is their
focus. So this is very explicitly not
designed to make money or generate revenue.
It's designed to keep people safe and articulate how we're
going to do that. Yeah.

(23:08):
And so at the front of the. Blog, I should say.
They talk about how recent AI advances now mean that models
can autonomously discover weaknesses.
They can chain multiple. Lower severity issues.
Into working end to end exploits, things that we've
talked about on our show before.And now you're essentially AI is

(23:28):
significantly compressing that window from vulnerability
discovery to exploitation. And so Microsoft's argument is
that these same capabilities that are giving attackers an
edge can also create a genuine opportunity for defenders.
It's almost like we are talking about the blog in the previous
few minutes of this show, like Adam, you were making the same
point, right? And so Hive.

(23:50):
Mind is well at work. That, you know over the past two
years Microsoft has had this secure future initiative and
through that they've been strengthening their security
foundations through AI to accelerate vulnerability
discovery and remediation and now there's even more so in.
This they published the three pillars of the strategy.

(24:11):
One is AI LED vulnerability discovery.
So Microsoft plans to incorporate advanced AI models
like Claude Mithos. Preview through project.
Glasswing directly into their security development life cycle
to identify vulnerabilities and develop medications early in the
process. That were previously possible.
AI assisted discoveries will flow through existing MSRC

(24:33):
processes, including Patch Tuesday.
So the. Distribution mechanism stays
predictable even though the discovery model becomes more
powerful. I totally said that earlier in
the the thing and I did not meanto, but that that was exactly my
point is, even though there may be more discoveries, the way we
deal with them remains the same and it's consistent and

(24:53):
predictable. And it's that second Tuesday of
the month you're going to get your Windows updates.
And that that should be reassuring to everyone that
unless it rises to that need of this is going to be an out of
band patch, it's going to be through that same process.
So if you're really good, you'reusing your Windows auto patch,
you're using Windows hot patch, you're all set to deploy patches

(25:14):
at scale through deployment rings and you're not
individually approving every patch, which my God, why are you
still doing that? You're in really good shape now.
If you still have some bumps in every patch, Tuesday's painful.
Maybe now is a good time to try to streamline that process.
And this is something that we also talked about South in this
blog. Microsoft says that they're
going to use AI to proactively scan open.

(25:37):
Source code bases which? Will identify issues handled
through coordinated vulnerability disclosure.
You made that point, Andy. Yeah.
And so like, like I said, because we have access to the
stuff and Microsoft is also using open source code, you
know, obviously they're going toscan the code that you're using
and then, you know, try to coordinate and get those.
Fixed because they're. Using it in the code base so.

(26:01):
Yep, and I think you'll see the Apples and and Googles of the
world doing the same where any libraries they're importing into
their code. Obviously Mac OS and iOS are
both Unix derivative systems. They're importing a lot of open
source modules, and Android's built on Linux, so they also
have a vested interest in makingsure that all those downstream

(26:21):
components are being scanned, not just their closed source
code as well. And then the second pillar is AI
ready posture management. So Microsoft has identified 5
dimensions where AI driven attacks gain disproportionate
advantages. Patching open source software
customer source. Code.

(26:43):
Internet facing assets and baseline security hygiene.
So there's a new Secure Now Blade, and this is what you're
talking about in the Microsoft Security Exposure Management,
which is available today at security.microsoft.com/secure
Now, which gives customers guidance and tooling to access
their current state, prioritize actions and models.

(27:06):
The quote UN quote what if scenarios and then applies
automation to remediate at scale.
The tool set will span attack surface discoveries via
Defender, external attack surface management, code
scanning via Github's Advanced Security with Copilot Auto Fix
and Microsoft Baseline Security models for applying foundational

(27:26):
controls across the M3. 65 services with.
Impact simulation before enforcement.
So that's pretty cool. Yeah, the Secure Now Blade in
security exposure management is not for sale.
We don't sell that. It's included with any level of
usage for Microsoft security products.
So that's why I was making the point this is not a new revenue

(27:49):
generating announcement or anything like that.
This is baked into existing features.
You cannot buy Microsoft security exposure management.
We don't sell it. It's just included with anything
you're using in the Defender portal.
So you can go over there. And the more tools you have on
boarded, the more valuable this gets.
For sure. If you're using things like
external attack service management, you get more
visibility than if you're not. But none of those are

(28:10):
requirements to take advantage of this Secure Now Blade and to
go check it out. So security.microsoft.com slash
secure now. And then finally.
The third pillar is. AI powered solutions at
enterprise scale. And so Microsoft plans to
produce an internal internally developed multi model AI driven

(28:31):
scanning harness and it will make it available to customers
with preview expected in June 2026, which is like a month
away. Yeah.
So it internally developed multimodel AI driven scanning harness
and it's going to be productizedand made available to customers.
So that's sometimes that's wherestuff comes from at Microsoft.

(28:53):
A lot of times is we will scratch our own itch.
Obviously being a company of software developers make
something to help ourselves and then say, you know, customers
would like this too. We should we should turn this
into a product and go sell it tothem.
Microsoft Sentinel, as an example, was originally
developed in the Xbox organization and then was turned
into a full on product that now is used by hundreds of thousands

(29:14):
of customers around the world. So this is another example.
And harnesses are always, I think the current
state-of-the-art where the most interesting development is
happening as a lot of these models have reached relative
parity with one another and they're all pretty gosh darn
good and amazing. You know, tomato, Tomato GPT 5.5
or Opus 4.7 or whatever. The harness is where the

(29:36):
innovation is because this is the part that actually spawns
like all the, the agents that are issuing multiple prompts.
So you issue a prompt into a harness and it's like I need 10
agents spun up. Each of these agents is going to
run these prompts in these chains, in these orders to go
accomplish a given task. And so you think you've issued
one prompt, but under the covers, potentially hundreds if

(29:58):
not thousands of prompts will beissued.
That's why these models like Copilot Co work, clawed Co work
open claw. They're harnesses and they, they
generate an exponential increasein, in token consumption
compared to just issuing like traditional prompt and response
models, like a chachi BT type experience.
And so that's, that's the thing to keep in mind is this is

(30:20):
potentially really, really powerful, really, really
interesting being a, a harness that's going to leverage
multiple models. Also to your point, Andy, what
if this says, hey, Opus 4.7 and GPT 5.5, both of you go bang on
this and tell me what you come back with and then compare notes
with each other. Incredibly powerful and
something you can really only get from a Microsoft as opposed

(30:42):
to open AI or, and Tropic's not going to offer that 'cause
they're going to be just focusedon just their models.
So I think that's also interesting when you can go to
that multi model, multi vendor approach within a single tool
from a single vendor is kind of uniquely differentiated.
So I look forward to hearing more about that and gosh, next
month already exciting times forsecurity researchers.

(31:03):
Yeah, in in the article it says that.
The goal is to pair. Model output with contacts and
prioritize prioritization so that large volumes of findings
don't just overwhelm developmentteams.
The solutions designed to deliver actionable outcomes and
not just raw results and then rapidly deployed defender
detections. Or.
AI discovered vulnerabilities will also ship alongside the

(31:27):
corresponding security updates. So protection and disclosure
will happen together. And then they did talk about
because I think this. Was released, right?
Around the same time that ClaudeMythos was announced as well.
So Microsoft says that through Project Glasswing, they're
working closely with Anthropic to test cloud Mythos preview and
then identify, mitigate vulnerabilities early,

(31:48):
coordinate this defense responseacross the industry.
Microsoft is evaluating Mythos using a CTI Dash realm, their
open source benchmark for real world detection engineering
tasks and saw substantial improvements relative to prior
models. And then also importantly
enough, Microsoft is taking deliberately a multi model

(32:09):
approach. So they're evaluating models
from multiple providers and not a single model defining their
strategy. And that you know, we talked
about that here with the chat G.PTGPT. 5.5 and and I'm sure
there's some other model that maybe Open AI has that that
maybe hasn't been announced so but yeah overall like you know
throughout this entire. Episode it's it's really just.

(32:29):
About one AI vulnerability scanning and how that's speeding
things up, and then how like defenders can take advantage.
Of that right, so. I think we're, we're rapidly
into this. I think the technology is
normalizing. We're still in a area of
innovation. But we're really.
Discovering how we can use. AI for security.

(32:50):
In a meaningful way. And yeah, if if you haven't
really like jumped on the AI train, I think now is a good
time to really start diving in and we're going to have a guest
on in a couple. Of weeks to really talk about.
Some more creative ways to use AI for you know, if if you're a
security person. But yeah, this is this.

(33:13):
Is all to me extremely interesting because it's you can
literally see the industry kind of evolving in front of your
eyes, right? Yeah.
I, I mean, the closest in analogto for most of us would be the
smartphone revolution in the late thousands and early 20s
when there was an incredible pace of innovation there from

(33:33):
2007 to, I don't know, maybe let's say 2015, Maybe for that
eight-year stretch or so, when every year the new Android
phones and the new iPhones were exponential leaps year over
year. They got so much faster, the
cameras got so much better and then they you know, it levelled
off right. Today we say, well, it's boring.

(33:54):
The new iphone's hardly any different and you go, you go
look at like a picture from taking on a smartphone in O
eight O 9 and it's clear, immediate smartphone picture,
you know, and then we reached a point and it was about the mid
twenty 10s when all of a sudden they all look pretty good.
And you you can't dramatically go well, that's clearly from an
iPhone 17 versus that's an iPhone 15.

(34:15):
Like you. You can't tell easily unless
you're a absolute guru in this stuff.
Because the the rate of change leveled off, right?
The the rate of innovation slowed as a lot of the easier
wins all got rung out of the system.
And we're still in that phase ofrapid innovation and rapid
change right now. But it's we are starting to see
the levelling off, right. We're starting to see who are

(34:36):
clearly the players. Is there going to be a lasting
differentiated Moat in terms of frontier model capability?
Probably not. It seems to be about a three,
four horse race. Maybe.
You've got you've got your googles, you've got your open
AIS, you've got your anthropics,Microsoft AI.
Do not sleep on us. We have an incredible team with
Mustafa Soleiman leading the wayand we can literally have the

(35:00):
rights to leverage open AIS IP to train our own models.
That was in the announcement earlier in the week actually.
And if you don't haven't followed frontier model
development, it's incredibly iterative.
It's you, you distill your previous model to make your next
model in some ways. And you you use your old model
to train your new model. So like the first model was the

(35:21):
hardest one to make. And then they get easier in in
scare quotes, right? But with time as you're able to
kind of draft off your previous learnings.
Well, effectively Microsoft getsto draft off of open AI as all
their work on to create a frontier model.
And, and we very openly said Maiis coming with a frontier model
of its own and it's already shipped speech generation model.

(35:43):
That's incredible image generation models that are
really, really darn good. And so there's more to come in
this space too. So I would not sleep in
Microsoft either. But anyhow, the point is, I
think you summarized it well, Andy, that yes, AI is
compressing this timeline from discovery to exploitation to
patching. And there will be a period of
time where we have kind of I think a more intensive patching

(36:07):
process for a while. Then I think we emerge the other
side and that levels off. However, now technologies like
Claude Security are bringing this availability not just to a
select few, but to all enterprises that are willing to,
you know, buy in. And then our employer, Microsoft
is, is weaving AI throughout thesystem, not just from
discovering vulnerabilities, butAI ready posture management and

(36:31):
then using AI to enable solutions at enterprise scale
and, and global scale and beyondin terms of accelerating not
just the the patching, but the detections as well and building
those into the Defender product at the same time as the patch is
built in the windows. And that's the benefit you get
when you develop Defender, friend point and Windows side by

(36:52):
side. You can do both.
Let's develop the patch and let's develop the detections
together. And so I think you're going to
see more like that to come from everyone.
But ultimately, I think Andy, you and I are both, if you're in
cybersecurity, you have a natural skepticism, a healthy
skepticism. And, and it's important that
everyone keeps that moving forward.

(37:13):
But I really do take a bullish positive view on, on where our
industry is headed. And it's been, it's been kind of
dark, man. We've had some dark
conversations about like the rate of attacks keep growing.
And you know, the defensive teams are not getting more
funding, they're not getting more budget.
It's it's getting harder to protect all the different
workloads we're getting to protect.
We need a hero to come save the day.

(37:35):
We need some, some inflection point to come, even the scales.
And all of a sudden that's arrived.
And in some ways, there's a certain class of people who want
to look at their nose down on it.
This is not not the silver bullet, not the savior, but this
is a tool that can help us kind of even even the fight.

(37:55):
And that is something I'm reallyexcited about because being in
cybersecurity, I really kind of got in this game in 2017 and
through about 2022, the story just kept getting worse every
year. And now it feels like there is
some hope that we can turn the tides and make this a manageable
problem without burning out humanity on it.
I'm, I'm excited about that. Why would I not be?

(38:18):
So I, I, I choose to take the positive viewpoint.
I am not ignorant to the fact orhave my head in the sand that
there's going to be pain along the way.
There always is. And look at, you know, I, I
compared this to smartphones. Let me tie back to that for a
second. We are dealing with the negative
outcomes from smartphones, from social media certainly has I, I
think impacted our ability to have positive discourse and to

(38:42):
discuss things in a healthy and civil way.
It is impacted that and you havesmartphone addiction that is
impacting a lot of people, shockingly a lot of by the way,
in my life, in my experience, the previous generations, a lot
of them boomers. I see, I see.
I have several boomers in my life who have struggling with
smartphone addiction today and it's a real problem and they

(39:05):
just dooms going on their phone all day long.
And, and we have the impacts in schools with cyberbullying and
everything else, just with everypositive technology where it is
amazing that I can beam picturesof my children to their
grandparents, you know, with thesnap of a finger and they can
feel like they're more connectedand watch them grow up in ways

(39:25):
my grandparents never got to seewith me.
That's amazing and beautiful andwonderful and bringing humanity
together. There's been all these negative
impacts too. This will be no different.
There will be downsides to this,but I think there are tremendous
upsides too. And I'm choosing to focus on
those. And I think this show is a great
example of all the positive things that AI can bring to
security defenders lives now andin the future.

(39:46):
Great wrap up there. Adam, all right, well, thanks
for watching and listening as always.
That's. Our show for this week.
Our contact information as well as the links.
To the articles that we used forthe show will.
Be in the show notes. If you have any questions or
topics you want us to talk aboutin the future, just e-mail us.
Thanks. We'll talk to you guys next
week. Thank you for listening to the

(40:08):
Blue Security Podcast. Please check out the show notes,
catch up on episodes you may have missed, and subscribe so
you don't miss any future episodes.
Find Andy on Twitter at a Jaw Zero and Adam at AJ Brewer.
See you at our next episode.
Advertise With Us

Popular Podcasts

Dateline NBC

Dateline NBC

Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com

Hey Jonas!

Hey Jonas!

Hey Jonas! The official Jonas Brothers podcast. Hosted by Kevin, Joe, and Nick Jonas. It’s the Jonas Brothers you know... musicians, actors, and well, yes, brothers. Now, they’re sharing another side of themselves in the playful, intimate, and irreverent way only they can. Spend time with the Jonas Brothers here and stay a little bit longer for deep conversations like never before.

Betrayal Weekly

Betrayal Weekly

Betrayal Weekly is back for a new season. Every Thursday, Betrayal Weekly shares first-hand accounts of broken trust, shocking deceptions, and the trail of destruction they leave behind. Hosted by Andrea Gunning, this weekly ongoing series digs into real-life stories of betrayal and the aftermath. From stories of double lives to dark discoveries, these are cautionary tales and accounts of resilience against all odds. From the producers of the critically acclaimed Betrayal series, Betrayal Weekly drops new episodes every Thursday. If you would like to share your story, you can reach out to the Betrayal Team by emailing them at betrayalpod@gmail.com and follow us on Instagram at @betrayalpod and @glasspodcasts. Please join our Substack for additional exclusive content, curated book recommendations, and community discussions. Sign up FREE by clicking this link Beyond Betrayal Substack. Join our community dedicated to truth, resilience, and healing. Your voice matters! Be a part of our Betrayal journey on Substack.

Music, radio and podcasts, all free. Listen online or download the iHeart App.

Connect

© 2026 iHeartMedia, Inc.

  • Help
  • Privacy Policy
  • Terms of Use
  • AdChoicesAd Choices