AI-ML Security Brief — May 24, 2026

AI in security · AI for security · agentic AI in operations

This week at a glance

The week the agent-platform wars went enterprise. At Code with Claude London, Anthropic shipped self-hosted sandboxes and MCP tunnels for Claude Managed Agents — tool execution and MCP traffic now stay inside customer networks while orchestration stays at Anthropic. Anthropic also published the first quantified Project Glasswing results: ~50 partner organizations (AWS, Apple, CrowdStrike, Google, JPMorgan, NVIDIA, Palo Alto, Cloudflare, Mozilla and more) using Claude Mythos Preview have identified 10,000+ high/critical-severity vulnerabilities.

Microsoft AI Red Team open-sourced RAMPART and Clarity — a pytest-native adversarial test framework on top of PyRIT plus a structured design-review tool — pulling agent safety testing into CI. Google I/O 2026 launched Gemini 3.5 and 3.5 Flash with strengthened cyber/CBRN safeguards, expanded CodeMender into the Gemini Enterprise Agent Platform, and rolled out DLP-enforced Agent Gateway, identity and observability across the stack. And the NSA AI Security Center dropped a 17-page CSI on Model Context Protocol security design — filtering proxies, DLP, sandboxing, message integrity, output filtering, local MCP scans — the first primary-source MCP guidance from a U.S. signals-intelligence agency.

Underneath the platform launches, the agent-governance and runtime-control category exploded. Babel Street put tradecraft-trained agents into threat-intel investigations. ASAPP added Continuous Red Teaming on Promptfoo aligned to OWASP LLM Top 10 and NIST AI RMF. CTERA shipped InsightAI for agentic analysis of unstructured data. LangChain launched LangSmith Engine to close the agent debug loop. NanoCo AI raised $12M (turning down a $20M buyout) to scale NanoClaw — an open-source agent harness with a ~500-line auditable core in MicroVM Docker sandboxes. Help Net Security framed the underlying threat model: LLMs in operational roles as a confused-deputy problem, with prompt injection through tickets/wikis, retrieval poisoning and telemetry manipulation as the dominant agentic-AI attack vectors.

The bug-bounty economy buckled under AI-generated submissions: HackerOne slashed Internet Bug Bounty payouts 70–85% as valid-report rates fell below 5%, while Cisco Talos’s own test of LLMs for IR-report drafting cut drafting time 50% but produced cross-case data contamination, hallucinated IOCs and inconsistent style. And on the M&A side, Cyera acquired five-month-old Genie Security for ~$50M — Genie’s endpoint tech catches sensitive-data leaks via human action or via generative AI tools such as Claude, formalizing the GenAI-DLP category as its own vendor segment.

Strategic context for the 12-month roadmap: Dan Shipper’s 12 predictions for the AI work era (super-agent-in-Slack patterns, users-bring-own-tokens, forward-deployed engineers as the new essential role) and CIO’s 7 signs your data isn’t ready for AI both land squarely on the security architect’s desk — governance gaps become permissions gaps, shadow BI becomes shadow data exfil. With 25 articles across NSA primary source, vendor research, agent governance, Glasswing, Google I/O, Anthropic, bug-bounty stress, M&A, and strategic context, this is the issue to share with the AI security committee.

Entity graph — agents, harnesses, frontier labs, and how they cross-correlate

Every named entity extracted from this week’s 25 articles, with edges showing the agent-platform / governance / capital web.

Article index

NSA — MCP security design (primary source)

Microsoft AI red team — RAMPART and Clarity open-sourced

Anthropic — Code with Claude London, sandboxes & MCP tunnels

Anthropic Glasswing — first quantified results

Google I/O 2026 — Gemini 3.5 and the agentic Gemini era

AI policy — postponed Trump AI cybersecurity EO

Agent governance, runtime control, and the confused-deputy problem

Bug bounties buckle — the AI-slop crisis

M&A — AI-era DLP becomes its own vendor segment

Strategic context — AI work era, data readiness, monthly roundup

Detailed write-ups

NSA publishes Model Context Protocol security design considerations (May 20)

The NSA AI Security Center released a 17-page Cybersecurity Information Sheet on security design considerations for AI-driven automation leveraging MCP. The CSI walks through filtering proxies, DLP, sandboxing, message integrity, output filtering, and local MCP scans — the first primary-source MCP guidance from a U.S. signals-intelligence agency. Read it next to Anthropic’s MCP tunnels announcement: the agencies and the protocol’s authors are landing on a compatible threat model where MCP traffic stays inside customer perimeter, with structured controls in the proxy and gateway layers.

Sources: NSA

Microsoft AI Red Team open-sources RAMPART and Clarity (May 20–21)

RAMPART is a pytest-native adversarial test framework built on top of PyRIT — teams write pytest cases that simulate prompt injection, data exfiltration, jailbreaks and tool-abuse against agents in CI. Clarity is a structured design-review tool that bakes threat-modeling into the agent SDLC before code is even written. Together they pull AI red-teaming out of one-off security engagements and into the developer inner loop. Help Net Security’s coverage adds the operator angle: agent-orchestrated red-teaming where autonomous agents pick attacks, run them, produce structured findings — compressing weeks of testing into hours.

Sources: Microsoft Security Blog · Help Net Security (RAMPART/Clarity) · Help Net Security (red-teaming agents)

Anthropic ships self-hosted sandboxes and MCP tunnels at Code with Claude London (May 19)

Announced at the London developer day: self-hosted sandboxes (public beta) and MCP tunnels (research preview) for Claude Managed Agents. The enterprise-perimeter angle is the key story — orchestration stays at Anthropic, but tool execution, credentials, and MCP traffic all stay inside the customer’s network. MCP tunnels in particular let agents reach private MCP servers without exposing them to the public internet. This is Anthropic answering the same concern NSA put in writing the next day: how do you connect an external frontier model to internal systems without giving up control of the data plane.

Sources: Anthropic · InfoQ · 9to5Mac

Project Glasswing — 10,000+ critical vulnerabilities found (May 22–24)

Anthropic’s first quantified update: ~50 partner organizations using Claude Mythos Preview have identified 10,000+ high/critical-severity vulnerabilities. Disclosed partner list includes AWS, Apple, CrowdStrike, Google, JPMorgan, NVIDIA, Palo Alto Networks, Cloudflare, and Mozilla. Anthropic’s stance: Mythos-class models get general release only with stronger safeguards in place — the partner program is now serving as both a defensive proof-of-value and a public test of whether frontier-tier vulnerability discovery can be operated responsibly at scale. Read alongside the OpenAI Daybreak launch from last week’s bulletin: every frontier lab is now shipping a defensive program with a high-profile partner network.

Sources: Anthropic · TechTimes

Google I/O 2026 — Gemini 3.5, CodeMender, and the agentic Gemini era (May 19)

Sundar Pichai’s keynote launched Gemini 3.5 and 3.5 Flash with strengthened cyber and CBRN safeguards and pulled CodeMender — Google’s autonomous vulnerability-remediation agent — into the Gemini Enterprise Agent Platform. The Cloud-side announcements added DLP-enforced Agent Gateway, identity and observability components, and managed sandboxing — the same enterprise-perimeter pattern Anthropic shipped at Code with Claude London. CodeMender external API access is new this week, which puts an autonomous OSS-patch-submitting agent inside reach of any enterprise running Gemini Enterprise.

Sources: Google · Google Cloud Blog

Trump AI cybersecurity executive order postponed (May 21)

The White House pulled a planned executive order on AI cybersecurity at the last minute, with the President telling reporters the language “could have been a blocker.” The withdrawn draft, per earlier Axios reporting, would have required AI labs to share covered frontier models with the federal government 90 days pre-release and given critical-infrastructure providers early access. The pause leaves the U.S. policy posture on frontier-model access for cyber defense undefined while NSA, Microsoft, Anthropic, and Google all ship their own controls-by-design. Track this one for re-introduction with softer language — the underlying signal is that federal early-access to frontier models is no longer hypothetical policy.

Sources: TechCrunch

When your AI assistant has the keys to production — the confused-deputy problem (May 19–21)

Help Net Security framed this week’s underlying threat model bluntly: LLMs in operational roles are a confused-deputy problem. The dominant agentic-AI attack vectors are prompt injection through tickets and wikis (the agent ingests adversary-controlled content as instructions), retrieval poisoning (the RAG index has been seeded with hostile content), and telemetry manipulation (the agent’s observation surface gets gamed). This week’s vendor announcements all map directly onto that threat model: Babel Street’s tradecraft-trained agents add transparent research plans for investigative workloads; ASAPP’s Continuous Red Teaming on Promptfoo runs OWASP LLM Top 10 / NIST AI RMF aligned probes against jailbreaks, many-shot attacks and system-override attempts; CTERA InsightAI brings agentic analysis to unstructured data with audit-log and file-activity hooks; LangSmith Engine closes the agent debug loop by detecting, diagnosing, drafting fixes for, and regression-testing agent failures.

Sources: Help Net Security (confused deputy) · Help Net Security (Babel Street) · Help Net Security (ASAPP) · Help Net Security (CTERA) · VentureBeat (LangSmith Engine)

NanoCo raises $12M for verifiable-sandbox agent harness (May 20)

NanoCo AI turned down a $20M buyout and instead raised $12M seed to scale NanoClaw — an open-source agent harness whose ~500-line auditable core runs in MicroVM Docker sandboxes. The thesis: verifiable sandboxing is the differentiator that wins the enterprise-agent procurement. The story bookends the agentic-infrastructure thread — on one end, Anthropic shipping a managed enterprise perimeter; on the other, an open-source project betting that an inspectable, minimal core is the only acceptable trust boundary for production agents. Worth watching alongside the broader agent-harness ecosystem (OpenClaw, EnterpriseClaw, etc.).

Sources: TechCrunch · VentureBeat

Bug-bounty economics buckle under AI slop (May 18–22)

HackerOne cut Internet Bug Bounty payouts 70–85% as AI-generated submissions overwhelm triage. Valid-report rates have fallen below 5% on some programs. The original economics — humans hunting bugs, programs paying for verified, novel finds — presumed adversary effort would be the rate-limiter; LLM-assisted automated discovery has broken that assumption. Cisco Talos’s own LLM-in-IR-reports test rhymes with the bug-bounty story: drafting time fell 50% but the output produced cross-case data contamination, hallucinated IOCs, and inconsistent style — useful for the first 80% and dangerous for the last 20%. The lesson for AI-ML security architects: AI-generated security work product needs structured validation, not just acceleration.

Sources: The Register (HackerOne) · Technology.org · The Register (Cisco Talos)

Cyera acquires Genie Security — AI-era DLP becomes its own segment (May 20)

Data-security unicorn Cyera ($9B valuation, ~1,500 employees, deployed in 20% of Fortune 500) acquired five-month-old, five-employee Genie Security for ~$50M. Genie’s endpoint tech detects, in real time, attempts to leak sensitive information whether through human action or via generative AI tools such as Claude. The Genie team joins Cyera’s enterprise DLP division. Founders Nadav Noy (ex-Unit 8200) and Noam Dotan (ex-Matzov, ex-Legit Security founding team) were backed by Mensch Capital, Dynamic Loop, and angels including Assaf Rappaport (Wiz CEO). This is Cyera’s fifth acquisition in a year (after Ryft $100M, Trail Security $162M, Otterize, Shape AI) and a marquee signal that endpoint controls catching GenAI prompt-paste exfil are now a discrete vendor segment — not a feature line in an existing DLP product.

Sources: CTech / Calcalistech

Strategic context for the 12-month AI security roadmap

Two non-vendor pieces to share with the AI security committee. Dan Shipper’s 12 predictions for the AI work era (super-agent-in-Slack patterns, users-bring-own-tokens, forward-deployed engineers as the new essential role, CLIs over, automation as a “lie”) set up several security-relevant design questions: how do you do agent IAM and identity for a Slack-resident super-agent; what’s the DLP and credential-surface story when users bring their own AI tokens into apps; what does “building software for humans and agents together” mean for your access-control model. CIO’s 7 signs your data isn’t ready for AI pulls the parallel security threads: governance gaps become permissions gaps (“AI may access content it was never intended to see”); shadow BI workarounds are shadow data exfil paths; data debt is the hidden driver of hallucination and bad-decision risk in production agents. If your agentic deployments are running ahead of your data foundation, this is your evidence file.

Sources: Lenny’s Newsletter · CIO

Calls to action for the next 7 days

1. Adopt the NSA MCP CSI as your reference design. Map your current MCP deployments against filtering proxies, DLP, sandboxing, message integrity, output filtering, and local MCP scans — gap-list everything that doesn’t have a control owner today.
2. Wire RAMPART into CI for at least one production agent. Start with pytest cases that simulate prompt injection through user-supplied tickets/wikis and a credential-exfil tool-abuse probe. Use Clarity for the next agent design review.
3. Pilot self-hosted sandboxes and MCP tunnels if you run Claude Managed Agents in production — or the equivalent Gemini Enterprise Agent Gateway / DLP-enforced gateway pattern if you’re on Google. Move tool execution and MCP traffic inside the customer perimeter.
4. Stand up an AI-era DLP review in light of the Cyera/Genie deal — specifically endpoint controls that catch GenAI prompt-paste exfil and outbound traffic to consumer AI tools. Treat it as a separate vendor category, not a feature line in your existing DLP.
5. Update your AI-assisted security work-product policy. If your SOC or AppSec team is using LLMs for incident reports, triage notes, or bounty-report intake, build a validation step that catches cross-case data contamination and hallucinated IOCs (the Cisco Talos failure modes).
6. Inventory agent-shaped attack surface against the confused-deputy model: enumerate every place an agent ingests adversary-influenceable content (tickets, emails, wiki pages, RAG indices, telemetry feeds), and apply the OWASP LLM Top 10 / NIST AI RMF checks (ASAPP-style Continuous Red Teaming is one off-the-shelf option).

The AI-ML Brief · a Newshunter publication

Weekly news items are from the previous seven days. Foundational reading is refreshed each week.

Unsubscribe · View in browser

Newsletter design, layout, and editorial curation © 2026 Security Radar LLC. All rights reserved.

Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.