Something went wrong!

Hang in there while we get back on track

Castmagic Castmagic
Direnzic Briefing AI Adoption Glasswing Era
Sign up free
Highlights Chapters Takeaways Transcript More

Making IT Make Sense

Direnzic Briefing AI Adoption Glasswing Era

IH

Speaker

Ieshea Hollins

MC

Speaker

Miguel Clark

Plain text
.txt — clean reading copy
With timestamps
.vtt — for web video
Subtitles
.srt — for video editors
Audio

Miguel Clark, retired FBI agent with deep cybersecurity expertise, discusses AI adoption and evolving cyber threats in the federal sector. They explore the challenges of communicating risk to decision-makers and the need to measure security program effectiveness, highlighting the ongoing impact of AI and cybersecurity in government agencies.

✨ Magic Chat

Don't have time for the full episode?

Ask anything about this conversation — get answers in seconds, sourced from the transcript.

Try asking

Featured moments

Highlights

“The Founding of InfraGard North Texas: "So guy started that InfraGard chapter here in North Texas, and I was beside him as we were putting those things together to get that InfraGard chapter started.”
— Miguel Clark
“AI and Cybersecurity in the Federal Sector: "But a lot of the things AI is not new, these threats are not new. Right. And the combination of cybersecurity to AI, also not a new topic.”
— Ieshea Hollins
“But a lot of the things AI is not new, these threats are not new. Right. And the combination of cybersecurity to AI, also not a new topic.”
— Ieshea Hollins
“Valuable information for businesses to really recognize the risk that they run with their current network they may not have known about before today.”
— Speaker C
“Valuable information for businesses to really recognize the risk that they run with their current network they may not have known about before today.”
— Speaker C

Timeline

How it unfolded

Read along

Full transcript

Plain text
.txt — clean reading copy
With timestamps
.vtt — for web video
Subtitles
.srt — for video editors
Ieshea Hollins

Foreign. I do it every time. I knew I was going to do it. But I want to give an opportunity for Miguel, please take an opportunity to introduce yourself and tell us why you're here today.

Miguel Clark

Oh, wonderful. Thank you for starting the recording just before I spoke. I was hoping to get this part about talking about myself done before the recording. My name is Miguel Clark. I am a retired FBI special agent. I started my career in the FBI here in North Texas working computer. Well, started working violent crimes in Fort Worth and then moved over to working gangs and drugs. And I joined the Cyber Squad, the FBI Dallas Cyber Squad, in the year 2000 and 20.

Miguel Clark

And so during that time period, a buddy of mine by the name of Guy Ganester Walton, he was told about this director from FBI headquarters. And this directive was, we're going to start an InfraGard chapter. So guy started that InfraGard chapter here in North Texas, and I was beside him as we were putting those things together to get that InfraGard chapter started. And I'll take a little bit of an aside here, because one of the people that we were working with at FBI headquarters was a lady by the name of Linda Franklin. And Linda Franklin was actually one of the victims of the Washington sniper shooter. So this is a colleague of ours from the FBI. And so every time I think about InfraGard, I think about kind of where. What we've been able to do with Infragard over the past, let's say, 23, 24 years thereabouts, especially in the North Texas area.

Miguel Clark

I also do like to give a nod to Linda Franklin for the work and how instrumental she was in helping this chapter to move forward so that I did a bunch of other different cyber things who work computer intrusion investigations. I did get an opportunity to work on the September 11 investigation and did some things related to that. There is a company called American Flood Research in Plano, Texas. I was a case agent for a case where three other employees kind of went rogue and hacked the company and caused lots and lots and lots of damage. That was also back in 2001. So we can move this along and get to the meat of this conversation. I went up to headquarters and then came back to Dallas and started our National Security Cyber squad here. And I retired from the FBI, did some work with Infragard, retired at the end of 2001.

Miguel Clark

And I've been working in the cybersecurity space since that time. So that is my abbreviated intro.

Ieshea Hollins

Thank you so much. You were, as always, just so impressive. I know he likes to try to tone down what he's done. So that's why I say abbreviated. He doesn't want to give us the full, full scope. We'd be here all day. But Miguel has been very instrumental in this space and he's still being very instrumental to this day. And so he's.

Ieshea Hollins

That's one of the reasons why I wanted to reach out in this climate and what some of the things that we're talking about and dealing with. So know we've been talking all month long, if you guys have been following us on LinkedIn or any of our socials about the introduction of what has happened between, between Anthropics, Mythos and Glasswing and. But a lot of the things AI1 is not new, these threats2 are not new. Right. And the combination of cybersecurity to AI, also not a new topic. But in where Miguel specializes is in that federal space. So one of the things that I wanted you to kind of talk to us about this morning, Miguel, is how do you think the introduction of some of these vulnerabilities and threats, how do they impact the federal sector?

Miguel Clark

So when we think about the impact of these vulnerabilities and these threats, we've been seeing this threat growing since I've been looking at it for 26 and a half years roughly, it's scaling so quickly. Back in 2000, you didn't have any of these private services that were doing, you know, computer intrusion investigations and doing any of that incident response. It was just those teams that were on location, the net defenders there, and then maybe FBI, well, FBI for sure and Secret Service joining us in a lot of those investigations as well, coming up with the information, a lot of the analysis that we could turn around and use and then give right back to those victim companies so those companies would be able to make changes. We are providing IOCs. So now what we've seen is almost like a commercialization of all of that. And I shouldn't say almost. It is a black market commercialization of exploitation. Exploitation as a service and not a formal service, but it is a service.

Miguel Clark

And what we are starting to see is that everything is continuing to rise in that arena. Now one of the things that I think is also challenging in this is that all of us as security professionals talk about how bad things are, how bad they can get and these worst case scenarios. But much like in the year 2000, everybody remembers Y2K, right? And if we remember what we thought was going to happen, you know, and then we also remember what actually happened. And I think that we did lose a little bit of credibility with the world when it comes to that because we were predicting something that was really bad and for folks like us were like, hey, you know, this is a really good idea and we're happy that we were prepared. But to the rest of the world they're like, hey, you know, you said this guy was going to fall and sky didn't fall. And so this is a lot of what it is that I think that we're starting to see with a lot of these breaches is there's a fatigue that people have have because that, that end state, even when it's bad, it doesn't usually end up as ending our business bad. Right. And if you happen to be a federal agency, you know, you're a dot gov, you're in this sector, unless you're in a critical infrastructure where you're dealing with something like water, power, light delivery and then there's an outage that would cause a lot of like global outrage.

Miguel Clark

I don't see that there's a lot of blowback post breach. I think about the OPM breach way back in the. And I don't know that there was a whole lot of negative outcomes that, you know, came from that, except for the people who are victims of that. Like, you know, I know that the People's Republic of China has, all my information, has had it through various different breaches of things that they've stolen from the United States government. So I think that we're battling those things, things security professionals looking through an ever clearer lens as to what, you know, what the reality of things are looking like. But then the, so what doesn't always match the severity of the things that we as issues and problems.

Ieshea Hollins

Correct. I, what I'm seeing is a desensitate. Desensitization. That's not the word. Desensitivity.

Miguel Clark

Right.

Ieshea Hollins

We're desensitizing ourselves to the threats. Right. It's, you can only say for so long, you know, we can scare the people, but when we are protecting them from the inevitability, right. If we're doing our jobs correctly, they don't see what we see. If we're not doing our jobs correctly, then they do see it. But then they don't necessarily see and, or absorb the full impact of mitigation. Cleaning things up, getting those issues squared away. So it's kind of like, you know, you're running through the street screaming, the sky is falling, the sky is falling.

Ieshea Hollins

I'm going to say that a little later, but then you Know what happens when that sky does not fall. And it's kind of like even now we knew that there were vulnerabilities. We knew that AI was going to be able to move faster than the human would be able to move. But what should we be looking for? What should we be doing right now? Because as you said, AI is not new. This is not something that is just coming to light. For those of us that have been working in this space, we have been saying it for a while, right? You and I have in depth conversations all the time, right? So what are some of the things that you would tell people?

Miguel Clark

Well, so it depends on who my audience is. And right now I'm speaking to security professionals and folks that are in this space. And we have a desire to be better than we are, right. We are practitioners. And if you think of a practitioner of any particular art, we're willing to spend more time and more effort than others who are non practitioners of the art are willing to spend. Right? So but we also make our group, our tent is getting is small and we're okay with making it smaller. And what I mean by that is, you know, we talk, we speak a lot about tech and technology and those things. And there's a lot of folks that don't want to have that conversation and don't care that much.

Miguel Clark

And so I think the challenge to us is going to be how do we convert the things that we are seeing into a standardized language of risk that they can understand what they need to do. Everything we talk about is interesting, right? Because we like to geek out. Technology is super interesting to us. Threats and vulnerabilities and elegant solutions are really interesting to us. But most of the people that we talk to, the decision makers, just need the information that's decision useful. And I don't think that we're doing a very good job of communicating that because it's so easy to get into the weeds. So that's kind of the first thing that I was thinking about. The other thing is that I think we need to give ourselves a little bit of grace.

Miguel Clark

Because if you go back to the first board of directors came about in the 1800s, the first role reported CEO was right around like early 1900s. The first chief financial officer was in 1950, right around the 1950s, right. And then we start moving down there, right? Like our Chief Information Security officer, there's like one of them way back in like 1996 and didn't really become popular until 2005. So as a discipline, you know, when we're talking about cybersecurity and information risk.

Speaker C

Our.

Miguel Clark

Our baby is a teenager, right? Is not a grandpa or great grandpa. And so people aren't really thinking about us. Right. But if you think about in the 1920s, you didn't have financial conversations, right? I mean, what you probably did have is you had the people in accounting, right? You didn't have a chief financial officer. And so it's like, hey, I'll tell you what to do, and then you're going to do what I tell you to do. And it wasn't until we started to see, no, that chief financial officer needs to be elevated to sit as close to the CEO as possible. And so that's why I think our future really is if we can start speaking the language of the board of directors, which is money and risk. Right.

Miguel Clark

And I don't know that we do a very good job of, like, bridging that gap.

Ieshea Hollins

I love that you are so right on that. And we're still introducing board seats, right? I was literally just having a conversation. The newest seat now is the Chief AI Officer. Right. And how do you make sure that as we keep introducing these seats to the table, that the voices are being heard? Right. In other words, the seats aren't being created because the voice doesn't need to be at the table. But how do we make sure that once we're at the table, we're having and holding the right conversations? And you are correct. We have to be able to tie that risk back to a dollar amount that makes sense for the organization.

Ieshea Hollins

Where do you think we're missing that plug? Like, what would you. How would you.

Miguel Clark

I'm glad you asked. And we didn't practice this part either, Right. This is just off.

Ieshea Hollins

We never do.

Miguel Clark

So the part that's missing is real security performance. Right. Our security performance now is like, we see a bad number and it's big, and we apply security to it, and then that makes that bad number get smaller. Right? And then we're like, hey, look what we did. But what we're not really doing is you're not talking about the effectiveness and the efficiency of our cybersecurity programs. And to me, that is where huge advantages lie for us, when we think about it, because there's our current path doesn't give us the opportunity to answer the. The mythical question, right? And if I'm on a board, I'm going to answer, I'm going to ask this mythical question. And that is, let's just say we found an extra million dollars.

Miguel Clark

Where should we spend it and why? Yeah, our current plans don't give anybody the ability to answer that. So how can we advocate for that additional spending? Because we're a cost center.

Ieshea Hollins

Correct?

Miguel Clark

Right. And so at that, people are always looking, it's like, what can I reduce? What can I reduce? What can I reduce? And so we've got to change that mindset. And like. No, we are, yeah, I guess you could call us a cost center. But what we actually deliver is a certain level of protection. For your information. Right? And here's what that protection is at your current investment level. Ideally, this is exactly what we want to be able to say from a professional standpoint, at your current investment level, we can provide you, right now it's about 12 to 13 days worth of protection, right? That's what you've invested in.

Miguel Clark

You've invested in. Within 12, 13 days, we can identify an adversary, we can contain that adversary, and then we can get back to business as usual within 13 to 14 days for 90% of the things that we expect to find that are out there. That's your current level. Right. Now here's the part that you need to know. Bad guy's going to have access to your Systems for approximately eight days in that 13 days right now. Wow, that's so much different than, hey, we need to go, we need to get, you know, this edr. We need to go and get this backup system or something along those lines.

Miguel Clark

I'm like, look, our security system, how it works together, this is what we see. And we test it, right? Like we're testing ourselves. And this is what we have on average the last eight or nine times we've run these types of things, realistic scenarios. In these realistic scenarios, we've been able to detect ransomware attempts within four days. And then other more sophisticated things we've been able to detect and contain within eight days. Now if you give me an extra million dollars, I can shrink that 13 day window down to a seven day window. And that seven day window is better than 80 to 90% of the people in your industry. Now you have to decide, is that million dollars worth it?

Ieshea Hollins

Correct.

Miguel Clark

Right. Like that's the conversation that we want to have. And then as opposed to, oh, you're the CISO and I need a get out of jail free card because bad things are happening on my network because I asked you for money that you never, that the organization never intended to give me. Right. Because CISOs aren't usually the kings of budget. Right? It gets all the money they want to secure it. Nah, build the House. But can I have 10 extra dollars to put a lock on it? Like no, that's way too expensive.

Miguel Clark

$10 of locks on a million dollar house. I mean the math is really close to what security spending is. Security spending tends to be somewhere in the neighborhood, about 1% of revenue. Right? So this is what we're talking about. Between 1 and 2% of revenue is what we're talking about for security spending. And so the fact that it is so small and we have very, we're not very good at articulating the value of what security does and putting it into days and saying when we change our security posture, we're going to be able to respond more quickly. And then these are all the SLAs that we have in place and these are the hammers that we can use. The vendors don't do what they're supposed to do and then really just say this is how our security apparatus performs right now.

Miguel Clark

And we measure effectiveness and efficiency. Right. So your next investment is going to, either that's going to give us, that's going to make us more efficient, Right. Or it's going to make us more effective.

Ieshea Hollins

And here's how I love the reference to the $10 door knob on the million dollar house. Right. Because most people operate their security just that way. Right. Depending on my neighborhood will depend on the type of security that I have.

Miguel Clark

Yes.

Ieshea Hollins

Unfortunately, in, in this environment, I can't see what neighborhood I live in. Right?

Miguel Clark

You can, you can. It's a bad neighborhood.

Ieshea Hollins

Well, I was about to say that depending on who we are, right. But most of us, we haven't done the let's go a little. We send our realtor in, right? And that's really kind of the job we play. I'm going to let you know, this is where you live. This is the street you live on. You cannot be in this neighborhood without, with anything less than, than. Right? But again, because I can't visually see that. Right? Or as you were saying in one of our conversations, I live in a great neighborhood and nothing has ever, ever, ever happened to me.

Ieshea Hollins

And so I implement security once my neighbor has been violated, right? And then now my security is reaction, right? I'm reacting to something happened in my neighborhood. Let me put security in. And then did they just steal my jewels? Did they, did they take anything? Did they damage anything? Was someone murdered? And that's how we also, we want to rank. But if I tell you that my neighbor was murdered, you're mad at me, right? This is fear mongering. I'M very upset. Right? Don't tell me that. Right. So we, we want to make sure that when we're in these conversations, how do we make sure we are communicating? This is where you actually live.

Miguel Clark

So, I mean, every one of us that's on the Internet, we're living at an address that has 65,000 plus roads coming to it, right? So, you know, for the roads that you monitor, you think you live in a good neighborhood. So at the end of the day, I think it's really just explaining the risks.

Ieshea Hollins

Right.

Miguel Clark

And just do a better job explaining what those risks are. And our problem that we have is there's not probably a single person in this country who hasn't had their information exposed in a breach in one way or another. Right. And so we have iPhone and Android phones that, hey, scam likely. We all know somebody by the name scam likely, right? Yeah, a spam risk. And so there's all these tools to make our. The fact that we've been victimized, literally a thousand ways to make those things matter a little bit less to us. So to abuse another metaphor, it's like, hey, I don't have to live healthy as long as I have antibiotics, there's a pill that I can take and I can forget about it.

Miguel Clark

And this is, I think, the very big change that AI is going to force. It's going to force a behavior change at some point in time. And if it doesn't force a behavior change, we've got AI versus AI and we're going to be sitting in the middle. But behavior change is really difficult. If I were to ask every participant here, how often do we get all of the fruit and vegetable servings that we're supposed to get? Most of us are going to say, no. My hand's going to be the first one to go up. Say, no, I don't do that. And so that information has been available to us as human beings for decades, and we still aren't complying to that.

Miguel Clark

And it may have life and death consequences for us. Behavior change is really hard. And we're talking about cybersecurity. Just add that to the list of other things that I'm not doing right. So, you know, my wife and I had. There was a guy who had stolen some stuff out of our mailbox, and then he opened up an account. My wife's name. This was probably about nine, 10 years ago.

Miguel Clark

Obviously, the postal inspectors didn't tell me who the guy was, which is probably really good for me and for him. But as, as victims you know, it was, it was annoying.

Ieshea Hollins

Yes.

Miguel Clark

Right. And it didn't cost us so much that we are now paranoid about it.

Speaker C

Right.

Miguel Clark

Like, we do reasonable things. So. So that is really, I think the key is just figure out what reasonable things can you do that lower your rest, your risk to a level where it's acceptable. Right. You say, hey, and I can willingly accept this risk. Hey, do I have to shred every piece of document, Every document that I have? No, but, you know, anything, my Social Security number or bank. Yeah, I'm going to sh.

Ieshea Hollins

That.

Miguel Clark

And so we start telling people like, hey, these are really slight modifications that you can do to improve your risk posture. And I think that's, that's the best that we can hope for, just because we know a lot of people who know the right thing to do in whatever area and are not doing that, myself included.

Ieshea Hollins

Well, we have thoroughly enjoyed having you here. I don't think we got to your AI because I saw some slides, so. But what I wanted to do is I want to make sure that we keep everything moving on track. So if there was anything you wanted to say around today's topic, we have about seven more minutes with you or if there's any questions that want to be thrown out there, we'll address those as well. But go ahead.

Miguel Clark

Yeah, I'm open to any of the questions we have there. I mean, from a topic of AI, I'll give you the government perspective real quick here and I'll try to put this in, you know, three minutes or less. So for us, if we understand that there's a particular capability that's going to be harmful, we're going to ask that organization not to distribute or make that widely available. It is something that the governments have been doing for years. We have export control technologies. Those things are all there. I mean, there was a time period where we had some of our adversaries that are buying PlayStation 2 so that they could build missile defense systems way back in the early 2000s. Government stepping in and saying this is going to be an issue and we need to control access to it, and we're going to ask you to pull that back or we're going to say that we're going to control that in some way.

Miguel Clark

So that's one of the things that you're going to see from the government standpoint is some level of control. We have controlled substances. You're probably going to start to see controlled code going forward. Depending on who's in the White House, you may feel differently about the decisions that the government makes. But you will see that going forward. The other thing from a law enforcement standpoint, 10 years ago, law enforcement was really worried about how this is going to unbalance the equation. But in my view, the equation has already been unbalanced. And, you know, we have firms that do forensics, we have firms that, you know, we have Internet insurance.

Miguel Clark

You know, we have breach insurance. We've got breach council. We've got lots of different private resources that are available now that were not available in 2004, 2005. So we have, I think, successfully shifted the burdens back to the people for protecting themselves. Right. Same way that second Amendment, you know, it provides a level of protection for Americans where this is really a very similar thing. It's like, you know, you have to protect yourself, right? That's going to be. The onus is on you to protect yourself, and you're going to be on your own until help can arrive.

Miguel Clark

And if we're talking about breaches, there are way more breaches that are out there than we have investigators to be able to control or, you know, respond to or mitigate. So we pick the ones that are the most significant, and then we action on those. The other thing is that if you happen to be a victim of a breach, we treat victims of breaches a little bit differently in other, like, violent crime type of investigations. You know, we'll go back to the victim and say, hey, here's the progress that's been on your case. Here's happening with what's happening with the bad guy. That is not as much what we're seeing in the federal law enforcement space, because those victims, largely for the cases that the FBI, Secret Service works, those victims are corporate victims rather than individual victims. So that's a lion's share of our cases, are those things.

Ieshea Hollins

Thank you. Okay, everybody, we want you to thank Miguel for being here with us today. This has been very informative. I've enjoyed the conversation as always. Look forward to working with you again in the very near future. If there's nothing else, we're gonna ask you guys to. Are there any questions, I guess, for Miguel before we move on? He had a cop. He does have another conflict.

Ieshea Hollins

That's why we had to rearrange things so that we could get him out to his appointment. But we are going to be moving forward in just a moment. So I'm going to check the chat for questions if I don't see any. Thank you so much, Miguel. I appreciate you so much for being here.

Miguel Clark

My pleasure. Thank you.

Ieshea Hollins

Thank you. All right. Also, just a little bit of housekeeping. If you do have any questions or concerns, the QA chat is going to be at your. At the bottom. We'll try to make sure that we can kind of get to all of your questions, questions and answers before we conclude the briefing today. All right, I'm going to start sharing. Give me just one minute, please.

Ieshea Hollins

Let me know if you can see my screen. Let me know in the chat if you guys can see my screen. Too many things open. All right. Can you see my screen? I can't see the chat anymore. Let me see. There it is.

Speaker C

Showing up. Good.

Ieshea Hollins

Thank you. Thank you very much. I appreciate that. All right. So as I said, I want to take an opportunity to once again thank Miguel for being here. Thank him for his. His service. He has been in this space for quite a while.

Ieshea Hollins

We always, always enjoy interacting with him, having these conversations. He's been on several panels with me before in some of our other initiatives. He does have to step away to another commitment. So if you do have any questions or concerns that came up during his talk, if you email them to us, we will make sure that we get them over to him and we'll allow him to answer your questions. So I would ask again. Like I said, let's give him a round of applause. For those of you guys that can clap or have the ability to give the reaction, thank you so much. I am Aisha Hollins.

Ieshea Hollins

I am the founder of Direnzic Technology. And for the next about 45 minutes, I want to do something simple. I want to take you from a warning to the proof that the warning came true. Here is a question that every leader in this room needs to be able to answer before this summer is out. We call this the art of AI adoption in the Glass Wing era. And I'm going to take this time to show. To share with you and show you how or why. It starts with a warning.

Ieshea Hollins

And I want to be honest with you about where this story really begins, because it does not begin with Anthropic or with Project Glasswing or with any of the headlines that you have seen this year. It begins a couple of years earlier. So as we were saying earlier, this AI is not new. We've been seeing this, and the warnings have been there for a while with a We are a smaller firm, Right? And so we began to ring a bell that almost no one wanted to hear. This is the warning before the proof. So I want to ask for some of you guys, how many of you remember the art of AI adoption. Back in 2024, I started noticing a pattern and it worried me. I watched company after company bolt AI onto their tech stack and never once did they pick up the phone to call their own cybersecurity teams.

Ieshea Hollins

It went in fast because it was easy and because it made life simpler for the business. No one stopped to ask the cybersecurity teams what their AI was touching and could it provide exposure to any of the things that they had on the inside. And nothing looked broken. So the wrist stayed invisible, Quiet compliance gaps opened up underneath everyone. And that right there is exactly how scrapes and messes always begin. Not with a dramatic breach with easy, convenient technology that made us feel modern and a quiet decision not to ask who was watching the risk. Here is the shift almost everyone missed. I was speaking at a conference, and from the stage I pointed out that there was a time where the bad guys had to actually break in.

Ieshea Hollins

They had to find broken endpoints, they had to exploit failures in the patches, they had to bypass your, your network security, etc. Etc. All the things that we know that bad actors had to do. But now I just had to ask one, one thing, right? Ask the chatbot you trained and put on your own data, the one sitting on your website, the one on your phone lines, the one on your network, and it would tell me what your firewall never would. That is not a man in the middle, that is a non human in the loop error. An insider you trained, trusted, and never once supervised. And in 2024, almost no one was watching for it. We weren't playing the.

Ieshea Hollins

The part of the town crier running through the street screaming, as I said earlier, the sky is falling, the sky is falling. But that's how it felt for us. Or in some conversations when you're trying to tell people, look, we don't want you to not use AI, right? Just use it more strategically, right? Try. All we were saying was train your AI with this same diligence that you would train your staff. Do it strategically, purposefully and securely. But adoption kept accelerating and the AI kept advancing with almost no one watching, because who really knew what to watch for? So that was the alarm that I was ringing for two plus years, mostly two people who were being polite to me. They would nod or act like they understood or that they even cared, honestly. But no, you know, no one was really making shifts or making changes, as Miguel was saying, in behavior.

Ieshea Hollins

I know for a fact that I was not alone, because as Miguel and I said, and I have a couple other people who are on the call, the practitioners, your cybersecurity backbone. We were having these conversations, but what was changing in our mentality and how we did things. Then Anthropic built Mythos, and the warning stopped being mine alone. It became public. But let's slow down really quickly for one minute to address Mythos and what it is exactly. Anthropic set out to build the ultimate developer. A model that could reason through code better than almost any human alive. That is not what they got in testing.

Ieshea Hollins

It became something else entirely. The first AI capable of autonomous end to end cyber attack engineering not flagging simple bugs the way a scanner does. Finding the flaw, writing the exploit, running the attack all on its own, start to finish. And then Anthropic made a decision almost no company ever makes. They looked at what the head built and judged it to be too dangerous to release. So what does an AI like that actually do? Let's look at it. When the testers stopped theorizing and actually pointed Mythos at the world's most secure software, this is what they came back with. It found a flaw in the open bsd, one of the most hardened systems on earth that had been hiding in plain sight for 27 years.

Ieshea Hollins

It found another FFmpeg buried in the line of code that automated tools had scanned 5 million times and walked right past. Mythos caught it in the first look, and it didn't stop at findings. It chained four separate flaws together to break out of both the browser and the operating system's safety net. The very walls that were built to contain it. But here is the one that stopped the industry cold. This test was not run by Anthropic. It was run by the United Kingdom's AI Security Institute, a government body whose entire job is to be skeptical. Skeptical of claims exactly like this one.

Ieshea Hollins

They built a simulated corporate network. Not a toy, a full environment. The kind your organization runs on right now. And they set my thoughts loose at the front door. 32 steps later, it owned the building. Initial access, moving sideways from system to system, escalating its own privileges, covering its tracks all the way to total control, start to finish, with no human guiding it. The first AI in history to walk into a corporate network and walk out owning it. Now picture your network while I'm talking.

Ieshea Hollins

Every One of those 32 steps is a move a skilled human team would take weeks to pull off. My those did it all alone in one continuous run. So the question is not whether something like this could reach your environment. The question is who on your team would ever see it Happening. So Anthropic had built something too dangerous to sell. What do you do with that? You don't bury it right, because if they could build it, someone else could too. And the next lab may not be as careful. So Anthropic did the opposite.

Ieshea Hollins

They locked Mythos in a box and handed the key to the defenders. That is Project glasswing, a coalition that turns this AI on the world's own code to find and fix the flaws before an attacker ever gets the model or gets a model like this. And look who showed up to the table. There was Amazon, Apple, Google, Microsoft, Nvidia, CrowdStrike, JP Morgan Chase, and the Linux foundation, the companies that build and run the infrastructure the entire Internet sits on. When names like this are dropped, they dropped everything to sit at the same table. That tells you how serious this moment is. The name itself is deliberate. The glasswing butterfly survives by being transparent, hiding in plain sight.

Ieshea Hollins

That is exactly what these flaws have been doing inside of our systems for years. Glasswing's job is to finally make them visible. I want to be clear about something. This is not a study. This is not a pilot. It's. It's not a white paper that's just sitting on somebody's shelf. It's running right now.

Ieshea Hollins

At the scale of the Internet. In the first month alone, the coalition found more than 10,000 high critical vulnerabilities. You heard that right? 10,000 in 30 days. Every one of them a door standing open in software that you and I use every day. It started with 12 companies and it is now nearly 200 across 15 countries. This is not slowing down, it's accelerating. And anthropic. Put a hundred million dollars behind it.

Ieshea Hollins

When the most capable technology companies on Earth spend money like that to find flaws in their own code, they are telling you exactly how serious this is. Here's the part that got my attention. Cloudflare, which is one of the partners that was brought to the table, found 2,000 bugs in their own code. So I want you guys to pay attention to these slides too. All of the source information is provided. These things are Googleable, right? Don't just take my word for it. And the AI did it with a lower false positive rate than their human experts. Faster than people, and more accurate than the specialist whose entire job it is just to find them.

Ieshea Hollins

Now hold on to that thought as we move on. Every number on this slide is the defender's finding these flaws first. The same capability in the wrong hands finds the same doors. The only question is, who gets there first? Look Again, at who in that founding room, let's look at who was the one sitting at the table. The companies that built the world's software and its cloud. So now we've moved into cloud, right? We have Amazon and Apple and Google, Microsoft, the giants whose code run underneath everything. Now notice who was not in the room. The people who run water treatment plants, the power grids, the hospitals, the networks our communities depend on, the operators, the sectors many of you lead.

Ieshea Hollins

We were not at that first table. Sit with that for just a minute. Figure out what that means. The single most important defensive effort in the history of software began by securing the builder systems, not yours. The systems that keep water clean and the lights on were, at the start, a blind spot in the very effort built to protect the nation's software. And then deliberately, they brought critical infrastructure in. That was not a courtesy. It was a signal flare from the most authoritative room in this entire story that your sector is too exposed and too important to leave outside the wire.

Ieshea Hollins

So here is where it lands. That blind spot was just closed at the national level. The only question left is whether you have closed it inside of your own walls. For as long as I have been in this field, and it's a little long, the hard part was always finding the flaw, the needle in the haystack. That was the work we did that just ended. Maitho showed us that finding the flaws is now trivial. The haystack gives up its needles in seconds. So if finding is no longer the hard part, where did the hard part go? It moved.

Ieshea Hollins

And here is how we know. Inside Glasswing, the open source maintainers actually asked anthropic to slow down, to find fewer flaws because they could not write the patches fast enough to keep up. Let that sink in. The discoveries so badly outran the fixes that the people doing the fixing begged for less. So the bottleneck is no longer detection. It is the capacity and the maturity to respond. And that is not a technical problem. It's a leadership problem.

Ieshea Hollins

Which brings us to the only question that matters next. So let me put the question on the table. The same one we have carried into boardrooms and leadership teams for over two years now. Who owns governance maturity when AI adoption outpaces oversight. Read that again. Read every word of it. Because every piece of that sentence is doing work. Adoption is racing.

Ieshea Hollins

Your people are already using these tools today, whether or not you approved it. Oversight is the part that lags. The policy, the guardrails, the review. And maturity is the distance between the two. How ready you really are. Not how ready you feel. So the question is not whether you have adopted AI. You have.

Ieshea Hollins

The question is who in your organization owns the readiness? And when I ask that in a room of leaders, the honest answer is usually a very long pause. Because it assumes it belongs to compliance. Compliance assumes it belongs to it. The board assumes someone somewhere has it handled and the gap just sits there, unknown, unowned, widening by the day. That pause is the risk. So we went to work to give that pause. A structure, a way to see exactly where you stand. This is a structure that we at dirensic built.

Ieshea Hollins

We call it the acra, the AI Cyber Readiness Assessment. It covers nine domains. Take it in for a second. It runs from how AI is actually being used across your organization to your basic cyber hygiene, to the risk you inherit from your vendors and software, to some to where your data is exposed, all the way through to whether your business keeps running when something goes wrong. Here is how I want you to see this grid. These are not non boxes to just check off, right? That's one of the things that we started doing with compliance. It became a checklist. And as long as we could check off, we thought we were good.

Ieshea Hollins

They are non places where readiness is either won or lost. Lost. And they are connected. A weakness in one becomes an open door in another. Now, I could walk you through all nine and I am not going to. You will forget by lunchtime. And that is not how exposure actually works anyway. Exposure is never abstract, it is specific.

Ieshea Hollins

It is one gap on one ordinary day. So instead of walking you through these nine domains, let me show you two of these domains in motion. Two real stories. Watch how a single gap becomes a breach. Let me take you back to December 2021. A vulnerability surfaced in something called log4j. If you are not in it, you have never heard of it. Those of us that are, we have.

Ieshea Hollins

It's a small, unglamorous logging tool. And it was buried quietly inside millions of applications around the world, including almost certainly some of yours. Overnight, every organization on earth faced the same question. And most of them could not answer it. The question was simple. Do we even run this? And if we do, where? Think about that. The flaw was already public within hours. But the scramble lasted for months.

Ieshea Hollins

And here's the part that matters. Those months were not spent patching. They were spent hunting teams tearing through their own systems looking for code that they never knew that they were running. That is two of our non domains. Live, vendor and software risk knowing what is actually underneath you. And patching and vulnerability Management being able to move the moment the clock starts. The gap was never the fix. The gap was that no one had the map.

Ieshea Hollins

Now hold that up against what is coming. Log 4J was one library on a day no one saw coming. A Glass Wing report is that same scramble across everything on a date we already sort of kind of know. So the only question is whether when it lands, you spend those first few weeks hunting or you already know where you stand. Now the second story, this is one that comes all the way back to where we started in 2023. And for any of you guys that have been at any of my public briefings or some of our other trainings, this is an example that I have used in the past. So I'm sorry if you are sitting through me repeating myself. In 2023, Samsung engineers, good ones, smart people, were under a deadline to move faster.

Ieshea Hollins

They pasted proprietary source code and internal meeting notes into a public AI chatbot just to get help. The data left the building the instant they hit enter. It was not stolen, it was handed over. And here's the thing. There was no policy. No one had ever told them that they could or could not go into these tools. By the time the company wrote that rule, the exposure had already happened. Now remember what I told you at the very beginning.

Ieshea Hollins

The non human in the loop, the insider you trained and trusted and never once supervised. This is that made real. No one broke in, no firewall failed. An employee trying to be helpful simply gave it away. That is two more of our domains. AI tool usage. Do you actually know what your people are feeding these tools and data exposure? Do you know where that data goes once they do? And here's the uncomfortable part. Some version of this is almost certainly happening inside of your organization this week.

Ieshea Hollins

The only question is whether you have governed it or whether you find out the same way Samsung did. Everything I've shown you so far is what we already know. Now look at what is coming around. July Anthropic is expected to publish a full report of what project glasswing found. Right now these details are held back, even we don't know them. Right under embargo deliberately so vendors and maintainers can patch before the world can see the list. So none of us has seen it yet. And I want to be honest with you, that is not the weakness in what I'm telling you.

Ieshea Hollins

That is actually the whole point of what we're doing today. Because the day that report publishes, two clocks start at the very same time. Yours to close the gap. It names and theirs the adversaries to use the map it just handed them. A public vulnerability report is a roadmap, and it goes to everyone, including the people you less want, you least want holding it. Which means right now, today, you are standing in the quiet before the storm. This is the last stretch of time where your readiness is still something you choose, not something forced on you or someone else's schedule. So let me make this real, not hypothetical real.

Ieshea Hollins

Imagine that report lands in your organization next month and it names a tool or tools that you run. Who owns the fix? And before anyone reaches for an easy answer, let me sharpen it. Because whether that report is 70 pages, 700 pages, a single dashboard of findings, the leadership questions are exactly the same. Who validates the risks? Who looks at what was disclosed and decides what it actually means for you? Who coordinates the responses across it operations, leadership and your vendors? Who documents the decisions so that six months from now, there is a record of what you knew and what you chose to do. And who explains it to your board, your regulators, your insurance, or your insurer? Who explains it to the council, the community that depends on you. If you went around your leadership table right now and asked those four questions, would you get four clear names? Or would you get that very awkward pause I mentioned earlier? So let me leave you not with a fear, but with a choice. You do not have to wait for a report to find out where you stand. You can know it now before the clock starts, while readiness is still yours to choose.

Ieshea Hollins

This is why we built the ACRA Executive Snapshot. It's a clear, honest read on where your organization sits across nine domains. Today. It costs you nothing. It takes very little of your time, and there is no pitch attached to it. I know I've been you. I've been the person who signed up for a webinar, scared to death that I'm about to be held in some hostage. You must buy in order to, you know, gain access to what we provided today.

Ieshea Hollins

That is one of the things or the blessings of the National Internet Safety, our initiative. This tool for you is free to use. I promise the people who were helping to bring you into the room that you would not be sold today. And I mean it. This is simply the baseline every leader here should have in hand before July, a map of your own gaps while you still have the the quiet to close them. So here's my only ask. Take the snapshot. Close the gap on your terms before it is closed for you.

Ieshea Hollins

You can start right here and right now, before we close. I would Love for you to take two minutes of your time. If you could please scan the QR code. As I said, we host these briefings or conferences, symposiums, and every year, this is our fourth year hosting a conference in honor of National Internet Safety Month in October. If you guys join us and follow us, that will be our 11th conference in honor of National Cybersecurity Awareness Month, scanning these QR codes and providing us feedback. This is how we correct things, improve things, hear how you feel we did and. Or hear some topics that you feel that are important. Because just because we're bringing things to you doesn't mean that that's what's important and critical to you.

Ieshea Hollins

Give us some topics that you would like to hear us tackle for you. I don't want to move too fast there. I want to give you guys an opportunity to scan that QR code. So let me leave you with two things I most want you to carry out of this room. The gap is still open, and so is this window. Both are true today, and they will not both stay true for very long. You do not need a budget. You do not need permission to take the first step.

Ieshea Hollins

The only thing you need is to take an honest look at where you stand today. Thank you for your time and thank you to the partners who made this room possible. Thank you to our infragard chapters, both in Louisiana and in Texas. I'm going to take a moment in a. In a minute to see whether or not they are in the room. I'm not sure. And also thank you to our greater Southwest Black Chamber of Commerce. I told you at the start that I had been ringing a bell.

Ieshea Hollins

Well, now you have heard it. What you do next is part of what matters now. What I would like to do is take an opportunity. I'm gonna put the QR code back up again so that you guys could scan our QR code. But I do know that we have the president of the Greater Southwest Black Chamber of Commerce. I believe he is here with us. So let me take a moment and see whether or not we can pull Larry up, Mr. Hall up and see whether or not he would love to have any words.

Ieshea Hollins

Larry, are you there? There he is.

Speaker C

Good evening. Good evening. Good afternoon.

Ieshea Hollins

Hello. So how would you. How did you enjoy today's session?

Speaker C

Awesome session. Very good. Valuable information for businesses to really recognize the risk that they run with their current network they may not have known about before today. So thank you for bringing it to our attention. Thank you for sharing that information. I think it was very valuable for all the businesses that have attended today,

Ieshea Hollins

thank you very much. I don't see. Hold on. Would you like to address the chamber or give us any information about qnet at this time?

Speaker C

Sure. First, the Chamber, the Greater Southwest Black Chamber of Commerce, is. Part of the Southwest, part of the city. We represent DeSoto, Grand Prairie, Lancaster, Cedar Hill, Red Oaks area, and we support businesses and helping them recognize technology that's needed as well as the advocacy part of their businesses to grow and to stay involved with things that's going to help them with their businesses. And so we've been around since 2009, and we love to have those who are interested in becoming part of the Greater Southwest Chamber be a part of that. I'm also President CEO of qnet Managed Services. We're a technology services company. And our role in this whole technology infrastructure with AI and all the cybersecurity things is to provide the proper security around your business once you've identified those risks.

Speaker C

And we are the ones that can come in and help you patch it and fix it, put the right technology in place to prevent it. And so we've been around since 1999, and we'd love to support anyone on here who needs that type of support.

Ieshea Hollins

Thank you again so much for being here. I appreciate it.

Speaker C

Thank you for having us.

Ieshea Hollins

You're welcome. Bye Bye. Okay, so in these last few minutes, I'm going to take a look and see if there are any questions that we need to address. If you have any questions or concerns before, before we close out, please make sure you drop them in the QA chat. Yeah, QA chat. Also, we have recorded this session. It will be available or the replay will be available for those of you guys that did join or registered. So as long as you're registered, whether that's you and your team, the replay is scheduled to go out, so I'm going to take a moment because, you know, we like to quickly go through this part and see whether or not there are any questions.

Ieshea Hollins

Yes. Hi, precious. Do we have any questions?

Speaker C

Yes, ma'.

Ieshea Hollins

Am.

Miguel Clark

I see we have one question from Trey Robinson. How do you feel about the cost associated with how AI proceeds most of business today?

Ieshea Hollins

It.

Miguel Clark

How should we communicate those costs to the clients?

Ieshea Hollins

Ah, that's a great question. So ask the front part again because you gave me. You gave me a twofer.

Miguel Clark

Okay, let me get your first part. How do you feel about the cost associated with how AI proceeds most of businesses today?

Ieshea Hollins

You know, the cost of AI right now, I think it's. It's relative to what the, the various tools that are being introduced. Right. How we introduce that cost back to our client? It's the same way that we, we're introducing most of the tools that are in our tech stack. We can't run a lot of our businesses without the, the cost of being able to utilize something. Right. AI is really more or less being embedded into most of the tools that we're using anyway. So the cost share that goes back to our client, that is just a way that we help to improve the things that we're doing.

Ieshea Hollins

I need to hear the question again. I think there's two sides to that and I'm trying to answer the last. And I should have answered the front part.

Miguel Clark

The last part is how should we communicate those costs to the client?

Ieshea Hollins

It. Oh, exactly. That's what I was saying. Yeah. Once you're dealing with, with your client, it's just, for me, I believe it's just making sure that we articulate the value of the tool. We're not saying that there's something is wrong with AI. It's here. We're using it.

Ieshea Hollins

The. What you need to make sure that we are communicating back to our client is the STR or how we structure it. We do need to be communicating. Taking time to train your AI, taking time to set up that framework. It's the same conversation that we're having around your cybersecurity frameworks, your compliance. Right. It shouldn't just be a checkbox. We should very much so be deliberately putting things in place and there should be dollars associated and a assigned to how we implement certain things.

Ieshea Hollins

I don't think that we should just like with CrowdStrike or any of the tools, we bring them in and we have somebody on the outside set it up and they adjust our, our measurements. Right. So much of this, and we want to use this when we're going to turn this particular protocol off, we're going to get this particular report. But if at the end of it, we get a report that nobody in the organization knows how to read or understand, how useful was the tool that we had? That's the same way we have to look at utilizing AI within our organizations and the cost of it. If we don't take time to set it up, we don't take time to train it, and we don't take time to train our end users or our, our clients on how to properly use them, then, you know, it's, it's as good as not even having it at all. So it's important that we communicate that

Miguel Clark

does that answer your question, Trade officer?

Ieshea Hollins

Right. Let's see. That's a great question. It was a really good question.

Miguel Clark

That's all the questions that we have for a moment, too.

Ieshea Hollins

All right. I love it when we can give you back change. It is lunchtime, so I do appreciate you all for being here. I want to take a moment. Let's introduce you to my team. So we do have Mr. Precious here, as well as Jaden. They are with the technology for the moment.

Ieshea Hollins

So we appreciate you guys being here and for helping us to make sure that this was a successful event. If there are no other questions, I will not belabor your time. I will say again once more, thank you so much to Miguel, who helped to get us kicked off. I want to thank our partners with ampregard. As I don't think I mentioned it, I've been a member of Infragard. When Miguel was talking about, I was like. I didn't say anything. But I have been a member of Infragard, I want to say, since.

Ieshea Hollins

Oh, my gosh. I don't want to say how long either, but I do operate as the vice president of the North Louisiana chapter. I think I've been a member of Infragart since 2010. And then we want to also thank our Dallas affiliate affiliates. And then we want to thank also Mr. Larry Hall. I do. We do work very closely together on several projects as well, as I am a member of the Southwest Black Chamber of Commerce as well.

Ieshea Hollins

So we want to thank you guys all for being here and for the time that you took. We hope that this briefing was helpful for you. And as I said, be on the lookout in your inbox for the replay. Thank you guys so much for being here. You guys have an amazing day. Bye. Bye.

Also generated

More from this recording

💡 Speaker bios

During the early days of InfraGard's expansion, Miguel Clark worked closely with his friend Guy Ganester Walton to help establish the North Texas InfraGard chapter, following a directive from FBI headquarters. Along the way, they collaborated with Linda Franklin, a dedicated FBI colleague who would later become a victim of the Washington sniper attacks. Miguel’s commitment to InfraGard spans over two decades, shaping the program’s impact and growth in North Texas.

🔖 Titles
  1. Navigating AI Adoption and Cybersecurity Risks in the Glasswing Era

  2. From Mythos to Glasswing: How AI is Changing Cyber Risk and Readiness

  3. Leadership, Readiness, and AI Threats in the Glasswing Era

  4. When AI Outpaces Oversight: Closing Security Gaps Before Glasswing Hits

  5. AI in the Federal Sector: Risks, Readiness, and Glasswing’s Wake-Up Call

  6. Glasswing Era Briefing: Ownership, Vulnerabilities, and the New Face of Cyber Threats

  7. AI Cyber Risks and the Leadership Challenge: Lessons from the Glasswing Era

  8. Managing AI Adoption: From Hidden Risks to Executive Readiness

  9. Glasswing and Beyond: How AI Uncovers Hidden Cybersecurity Gaps

  10. Mythos, Glasswing, and the Urgency of AI Cyber Governance

🔖 Titles
  1. Navigating AI Adoption Risks in the Glasswing Era: Insights from Federal and Industry Leaders

  2. AI and Cybersecurity in the Glasswing Age: Closing the Governance Gap Before July

  3. From Warning to Action: AI Vulnerabilities and the Glasswing Coalition’s Impact

  4. Anthropic’s Mythos and Glasswing Project: What Every Leader Must Know About AI Risk

  5. AI Security in Critical Infrastructure: Protecting Against Invisible Threats in 2024

  6. Exposing Hidden Risks: AI-Driven Cybersecurity Gaps and the Lessons of Project Glasswing

  7. Accelerating AI Adoption Responsibly: Governance, Readiness, and Industry’s Response to New Threats

  8. Securing the Future: What Project Glasswing Reveals About AI and Organizational Readiness

  9. Governance and Readiness in the Age of AI: Lessons from Mythos and Glasswing

  10. AI Vulnerabilities Unveiled: How Glasswing and Federal Insights Shape Cybersecurity Leadership

💬 Keywords

AI adoption, cybersecurity, Glasswing, Anthropic, Mythos, vulnerabilities, risk management, federal sector, incident response, board governance, compliance, cyber threats, cyber hygiene, vendor risk, software risk, data exposure, patch management, readiness assessment, CISO, cyber insurance, information security, critical infrastructure, controlled code, breach response, technology adoption, threat detection, security investment, organizational maturity, AI governance, cybercrime

💡 Speaker bios

During the early 2000s, Miguel Clark teamed up with his friend Guy Ganester Walton to help launch the InfraGard chapter in North Texas, following a directive from FBI headquarters to expand the program. Working side by side, Miguel contributed to building the chapter from the ground up, collaborating closely with key figures at the FBI, including Linda Franklin—who would become one of the victims of the Washington sniper attacks. Over the past two decades, Miguel has remained actively involved in InfraGard, taking pride in the progress and impact the organization has achieved throughout North Texas.

💬 Keywords

AI adoption, cybersecurity, Anthropic, Mythos, Glasswing, vulnerabilities, threat detection, federal sector, risk management, incident response, exploitation as a service, breach fatigue, information exposure, IOCs (Indicators of Compromise), commercialized exploitation, critical infrastructure, OPM breach, data protection, cyber hygiene, governance maturity, board communication, cost of AI, AI tool usage, patch management, vendor risk, compliance gaps, risk posture, controlled code, breach insurance, AI-driven cyberattacks, ransomware detection

💡 Speaker bios

Miguel Clark played a foundational role in establishing the North Texas chapter of InfraGard alongside his colleague, Guy Ganester Walton, following a directive from FBI headquarters. Working closely with FBI staff, including Linda Franklin—who would later become a victim of the Washington sniper shootings—Miguel dedicated over two decades to building and growing InfraGard’s presence in North Texas, helping to strengthen partnerships between the FBI and the local community.

ℹ️ Introduction

Episode Introduction

Welcome to Making IT Make Sense. In today’s episode, “Direnzic Briefing: AI Adoption, Glasswing Era,” we dive into the fast-evolving intersection of artificial intelligence and cybersecurity in the federal and private sectors. You’ll hear from Miguel Clark, retired FBI special agent and seasoned cybersecurity expert, as he shares stories from his two-decade career—from launching North Texas’s InfraGard chapter to investigating headline-making breaches—and offers sharp insights into the changing threat landscape.

We’ll unpack the latest developments, including Anthropic’s Mythos AI and the urgent, industry-wide response known as Project Glasswing—a coalition uniting tech giants and defenders to battle emerging AI-powered cyber threats. You’ll discover why AI adoption is racing ahead of oversight, how new vulnerabilities are being uncovered at unprecedented speed, and why modern cyber risk is no longer just a technical issue, but a leadership and governance challenge.

Stay tuned for strategies to bridge the gap between cyber practitioners and decision-makers, guided by frontline stories and hard-won lessons on what it takes to protect your organization in the Glasswing era.

ℹ️ Introduction

Episode Introduction

Welcome to Making IT Make Sense. In this episode, we dive deep into the fast-evolving intersection of artificial intelligence and cybersecurity, exploring how recent breakthroughs—and vulnerabilities—are reshaping risk in the digital era. Join us as we hear from Miguel Clark, retired FBI Special Agent and longtime cybersecurity practitioner, who shares lessons from decades of defending federal systems and responding to national-scale threats.

We'll cover the latest industry alarm bells, from AI-powered exploits that outpace human defenders to Project Glasswing, the groundbreaking coalition mobilizing tech giants to defend against next-generation attacks. Discover why modern threats aren't just technical—they’re about leadership, governance, and closing the dangerous gap between AI adoption and organizational oversight. Whether you're a seasoned security professional, a leader driving digital transformation, or just curious about how AI is changing the landscape, this briefing will arm you with the context—and urgent questions—you need to face what’s next.

📚 Timestamped overview

00:00 The section discusses the evolution and commercialization of computer intrusion investigations, transitioning from limited on-site and federal efforts in 2000 to a widespread black market of exploitation services today.

05:09 The discussion highlights the challenge of maintaining credibility in security predictions, drawing parallels to the Y2K scare, and notes a growing fatigue over breach predictions as actual outcomes often don't match dire forecasts unless they affect critical infrastructure.

15:27 The discussion highlights that security spending is typically around 1-2% of revenue, likened to installing cheap locks on an expensive house, and emphasizes the industry's struggle to clearly communicate the benefits of security investments and measure their effectiveness in terms of responsiveness and performance.

18:40 The conversation highlights the widespread issue of personal data exposure and how people have become desensitized to security risks due to the availability of tools that mitigate their impact, similar to relying on antibiotics instead of maintaining a healthy lifestyle.

22:07 The speaker discusses the government's role in regulating potentially harmful AI capabilities by controlling their distribution, similar to export control technologies used in the past, such as restricting PlayStation 2 sales to prevent adversaries from using them in missile defense systems.

31:36 The speaker expressed frustration about their warnings on the strategic and secure adoption of AI being ignored while AI technology advanced rapidly without proper oversight or changes in behavior.

33:33 Mythos, an advanced AI developed by Anthropic for autonomous cyber attack engineering, identified a longstanding flaw in the highly secure OpenBSD system, leading Anthropic to deem it too dangerous for release.

40:08 The text discusses how the tech giants like Amazon, Apple, Google, and Microsoft are involved in software and cloud infrastructure decisions, highlighting the absence of representatives from critical infrastructure sectors such as water treatment, power grids, and hospitals.

48:28 The section discusses the unexpected impact of Log 4J compared to a Glass Wing report that predicts a known scramble, questioning whether one will be prepared or scrambling upon its release, and references how in 2023, Samsung engineers were pressured to work faster, as previously discussed in briefings and trainings.

52:31 The text discusses the importance of establishing clear ownership and accountability for addressing risks identified in reports, including tasks like validating risks, coordinating responses, documenting decisions, and communicating with stakeholders, to avoid confusion and improve readiness before such reports are received.

59:25 The Greater Southwest Black Chamber of Commerce, serving areas like DeSoto and Grand Prairie since 2009, supports business growth through technology and advocacy, while qnet Managed Services, led by the speaker, focuses on providing cybersecurity solutions.

01:04:27 The section discusses the importance of properly setting up, training, and communicating the use of tools like CrowdStrike or AI within an organization to ensure their effectiveness and usability.

01:06:34 The speaker is the vice president of the North Louisiana chapter of Infragart since 2010, collaborates with the Dallas affiliates and Mr. Larry Hall, and is involved with the Southwest Black Chamber of Commerce.

📚 Timestamped overview

00:00 The section discusses the evolution of threat response from local and federal teams, including the FBI and Secret Service, working with companies to counter vulnerabilities, to a modern scenario where cyber exploitation has commercialized into a black market service.

05:09 Security professionals face credibility challenges as they frequently predict dire scenarios similar to the Y2K situation, but the outcomes often don't match the severity anticipated, leading to a general fatigue among the public unless it impacts critical infrastructure.

15:27 The section discusses how security spending is typically 1-2% of revenue, highlighting the challenge of articulating the value of security measures and the performance of security apparatus when vendors fall short.

18:40 The text discusses the widespread exposure of personal information due to data breaches and the resulting desensitization to such risks, drawing an analogy to taking antibiotics as a quick fix instead of addressing underlying issues.

22:07 The government aims to restrict access to potentially harmful AI capabilities by controlling distribution and applying export control measures, as exemplified by past actions like limiting PlayStation 2 sales to adversaries for military application.

31:36 The text discusses the challenge of advocating for strategic and secure AI usage amid rapidly advancing AI adoption, while warning that many stakeholders are not heeding these cautionary messages or adapting their behaviors accordingly.

33:33 Anthropic built an AI named Mythos, capable of autonomously executing end-to-end cyberattacks, including discovering and exploiting vulnerabilities, and even identified a 27-year-old flaw in the highly secure OpenBSD system, leading Anthropic to decide against its release due to potential dangers.

40:08 The discussion highlights the absence of essential infrastructure operators from foundational decision-making meetings dominated by tech giants like Amazon, Apple, Google, and Microsoft, who develop the underlying software and cloud services.

48:28 The section discusses the anticipation of a major cybersecurity event, drawing a parallel between the unexpected Log4J incident and a predicted future scramble, and references a past example involving Samsung engineers under pressure in 2023.

52:31 The text discusses the need for organizations to identify specific individuals responsible for risk validation, decision-making, coordination of responses, documentation, and communication to stakeholders in anticipation of receiving impactful external reports on tools they use.

59:25 The Greater Southwest Black Chamber of Commerce supports businesses in the DeSoto, Grand Prairie, Lancaster, Cedar Hill, and Red Oaks areas by helping them adopt necessary technologies and advocating for their growth, while qnet Managed Services, led by the speaker, provides cybersecurity solutions to protect these businesses.

01:04:27 The discussion emphasizes the importance of setting up, training, and understanding tools like CrowdStrike and AI within organizations to ensure their effectiveness and avoid rendering them useless.

01:06:34 The speaker is the vice president of the North Louisiana chapter of Infragart, has been a member since 2010, collaborates closely with Mr. Larry Hall, and is also a member of the Southwest Black Chamber of Commerce, expressing gratitude to Dallas affiliates and Mr. Hall for their collaborations.

📚 Timestamped overview

00:00 Evolution of Cybersecurity Threats

05:09 Discussing cybersecurity fatigue

15:27 Understanding security spending limits

18:40 Discussing data breaches and risks

22:07 Government's role in AI regulation

31:36 AI adoption and strategic training

33:33 AI uncovers vulnerabilities in secure systems

40:08 Tech giants vs. critical infrastructure

48:28 Upcoming challenges and preparation

52:31 Assigning Responsibilities for Risk Management

59:25 Overview of Chamber and Services

01:04:27 Setting up and training AI tools

01:06:34 Vice president of North Louisiana chapter

📚 Timestamped overview

00:00 Emergence of Exploitation Services

05:09 Security breach fatigue discussion

15:27 Understanding Security Spending

18:40 Discussing data breach risks

22:07 Government perspective on AI control

31:36 Warning about unregulated AI use

33:33 AI discovers major security flaw

40:08 Tech giants vs essential operators

48:28 Anticipating future cybersecurity challenges

52:31 Clarifying roles for risk management

59:25 Greater Southwest Black Chamber overview

01:04:27 Setting up and training AI tools

01:06:34 Involvement in regional organizations

❇️ Key topics and bullets

Sequence of Topics Covered

1. Introduction and Speaker Background

  • Introduction of Miguel Clark

  • Miguel’s career path: FBI special agent, specialization in cyber, Infragard involvement

  • Personal anecdote about Linda Franklin and the founding of North Texas InfraGard

  • Overview of Miguel’s experience in cybersecurity post-FBI

2. Context for the Conversation

  • Motivation for inviting Miguel to speak

  • Recent developments in AI and cybersecurity: references to Anthropic, Mythos, and Glasswing

  • Statement: AI and related threats are not new topics

  • Emphasis on federal sector and Miguel’s expertise

3. Evolution of Cyber Threats and Federal Sector Impact

  • Historic look at cyber threats, comparison from 2000 to present

  • Evolution from internal/expert investigations to commercialization of exploitation services

  • Notion of “exploitation as a service”

  • Changes in attacker landscape and threat scaling

4. Cybersecurity Professionals’ Challenge: Bridging Risk Understanding

  • Security fatigue and public perception after frequent breach warnings

  • Psychological “sky is falling” reaction and desensitization to threat messaging

  • Disparity between actual incident outcomes and perceived danger

  • Difficulty communicating technical risk in business/decision-maker language

  • The need for translating technical insights into “decision-useful” risk terms

5. Maturity of the Cybersecurity Discipline

  • Historical evolution of executive roles: CEO, CFO, CISO timelines

  • Cybersecurity as a relatively young discipline (a “teenager”)

  • Comparison to evolution of financial oversight in organizations

  • Imperative to speak the language of money and risk to be heard in boardrooms

6. Challenges in Measuring and Communicating Security Performance

  • Critique of current security performance metrics (big/bad numbers, little practical context)

  • Fundamental board question: If given more money, where should it go and why?

  • Need for connecting investment to practical outcomes: detection/containment timelines, efficiency gains

  • Reframing infosec: from “cost center” to provider of protection/service-level outcomes

7. Security Investment Metaphors and Mindset

  • Security analogy: expensive house with cheap locks mirrors underinvestment in security

  • Challenge of assessing the true risk or “neighborhood” one operates in online

  • The tendency toward reactive rather than proactive security investments

8. Communication and Behavior Change in Cyber Risk

  • Ubiquity of personal data exposure; normalization due to constant minor breaches

  • Antibiotic metaphor: risky behavior offset by perceived safety nets

  • AI’s role heralding the need for real behavioral change in security

  • Example of personal victimization by cybercrime — the human impact

  • Emphasis on “reasonable” risk management, incremental changes for end-users

9. Federal and Government Perspectives on AI and Cyber Risk

  • Government approach to potentially harmful AI capabilities: restriction and export controls

  • Comparison to historical technology restrictions (e.g., PlayStation for missile guidance)

  • Anticipated trend of controlled code/substance policies for AI

  • Law enforcement’s shift of the burden to private organizations for their own cyber defense

  • Resource constraints: not enough investigators for all breaches, prioritization for significant cases

  • Distinction in handling corporate vs. individual cybercrime victims

10. Transition: A New Era in Cyber Risk—AI Adoption and the Glasswing Era

  • Foundation of the “art of AI adoption” in the Glasswing era

  • Context: AI adoption was rapid, with cybersecurity left out of the loop

  • Tech adoption created hidden compliance gaps and invisible risks

11. Mythos and the Transformation of Cyber Offense and Defense

  • Mythos model: end-to-end autonomous cyberattack capabilities

  • Anthropic’s responsible response: withholding release, focusing on defense

  • Real-world tests: uncovering long-hidden vulnerabilities in critical software (OpenBSD, FFmpeg)

  • Successful chained exploits in simulated corporate networks by AI

  • Non-human, unsupervised attack—dramatic shift in the security paradigm

12. The Glasswing Project and its Industry Impact

  • Project Glasswing: using the AI to find and fix flaws proactively

  • High-profile coalition partners: leading tech and infrastructure companies

  • Scale: tens of thousands of vulnerabilities found in the first month

  • Glasswing’s mission: transparency and exposure of invisible risks

  • Expansion from software builders to critical infrastructure operators

13. The Changing Bottleneck: Detection to Response

  • Flood of discoveries outpaces ability to patch vulnerabilities

  • Maintainers asking AI teams to slow down vulnerability discovery

  • The problem shifts from identifying flaws to responding (leadership/operational challenge)

14. Governance: Who Owns AI Risk Readiness?

  • Crucial question posed: who owns governance maturity as AI adoption outpaces oversight?

  • Gaps between adoption and policy/oversight readiness in organizations

  • Existence of tools: AI Cyber Readiness Assessment (ACRA) spanning nine domains

  • Shift from a compliance checklist mindset to a holistic, interconnected risk approach

15. Case Studies: Risk Domains in Action

  • Log4j: vulnerability exposure due to lack of inventory and patch management

  • AI data exposure: Samsung engineers leaking code via public chatbot due to policy gaps

  • Real-world impact of not governing non-human “insiders” (AI tools)

16. Imminent Threats and the Call to Action

  • Anticipation of a public “Glasswing” vulnerabilities report—race between defenders and attackers to act

  • Now is the “quiet before the storm” and the last chance for proactive readiness

  • Importance of taking a cyber readiness snapshot (ACRA)—offered free and without sales pitch

17. Closing, Engagement, and Community Resources

  • Request for feedback, participation in future events, and conference invitations

  • Emphasizing autonomy: readiness window still open for action

  • Thanks to partners: Infragard and community organizations

  • Local resource highlight: Greater Southwest Black Chamber and Qnet for assistance

18. Q&A Segment

  • Discussion of AI cost, tool value, and communicating these costs to clients

  • Importance of deliberate AI and security tool implementation and user training

19. Final Acknowledgments and Event Closure

  • Recognition of participants, partners, and supporting team members

  • Information about session replay availability

  • Final words of thanks and encouragement to act

❇️ Key topics and bullets

Comprehensive Sequence of Topics Covered

1. Introduction and Speaker Background

  • Brief start of recording and setting the stage

  • Miguel Clark introduces himself

    • Career as retired FBI special agent

    • Experiences in violent crimes, gangs, drugs, and cyber squad

    • Involvement in starting North Texas InfraGard chapter

    • Reference to Linda Franklin and the significance of InfraGard

    • Notable cyber cases and time with FBI headquarters

    • Transition to cybersecurity sector after FBI retirement

2. The Evolving Threat Landscape in the Federal Sector

  • Changes in cyber threats over the past 26+ years

  • Growth and commercialization of cyber exploitation

  • The rise of “exploitation as a service” and black market activity

  • Discussion of security “fatigue” and public desensitization

    • The Y2K effect: loss of credibility from “sky is falling” predictions

    • Limited fallout from breaches and minimal public outcry

3. Challenges in Communication and Risk Framing

  • Security professionals' role in communicating risk to decision makers

  • The difficulty in translating technical concerns into actionable business risks

  • The small and specialized security community

  • Importance of standardized language for risk communication

  • Historical perspective of executive roles (CFO, CISO, etc.)

  • Need for CISOs and security leaders to communicate in terms of money and risk, bridging the language gap with the board

4. Measuring and Articulating Security Performance

  • The need for clear security performance metrics beyond checklists

  • Discussion of investment, efficiency, and cost effectiveness in cybersecurity

  • Illustrations: cost of security in context (e.g., $10 lock on a million-dollar house)

  • Standard security spending estimates (1–2% of revenue)

  • The impact of clear articulation on budget advocacy and organizational understanding

5. Risk Perception and Behavioral Change

  • Discussion about the inability to visually assess cyber “neighborhoods”

  • Metaphors comparing physical neighborhood security to network security

  • Human tendency to only act after a visible threat surfaces

  • Difficulty in achieving and sustaining security-related behavior change

  • Personal anecdotes of breaches and the real-world impacts

6. Federal and Governmental Perspective on AI and Security

  • Government approaches to controlling dangerous technology (export controls, restricted code)

  • Past examples (PlayStation 2 for missile defense, controlled substances)

  • The limited capacity of law enforcement to respond to the overwhelming number of breaches

  • Shift in responsibility toward organizations and individuals for their own protection

  • Differences in treatment of breach victims by law enforcement—individual vs. corporate

7. AI Adoption Risks and Real-World Consequences

  • The haste of AI adoption in organizations without cybersecurity consultation

  • Risks of plugging AI in without risk assessments or oversight

  • The evolution from human attackers to AI “insider" threats

  • Example of AI chatbots inadvertently exposing sensitive internal information

8. Anthropic, Mythos, and the Glasswing Project

  • Explanation of Mythos AI’s capabilities (autonomous cyber-attack engineering)

  • Mythos finds vulnerabilities untraceable by humans and previous tools

  • Anthropic’s ethical decision not to release Mythos broadly

  • Collaboration with defenders through Project Glasswing

    • Coalition of tech giants (Amazon, Apple, Google, Microsoft, Nvidia, Crowdstrike, JP Morgan Chase, Linux Foundation)

    • Global scale and funding of the initiative

  • Glasswing’s findings: thousands of new, high-severity vulnerabilities discovered rapidly

9. Implications for Critical Infrastructure and Sector Blind Spots

  • Initial focus on systems run by major tech companies, not by utilities or critical infrastructure

  • The oversight and subsequent inclusion of sectors like water, power, and healthcare

  • The importance of closing similar gaps within organizations before adversaries exploit them

10. Shift from Detection to Response Capacity

  • Glasswing’s success means vulnerabilities are now easily found

  • The new bottleneck is the ability to patch and remediate quickly

  • Open source maintainers overwhelmed by speed of AI vulnerability discovery

  • Leadership and organizational maturity become central challenges

11. Governance and Accountability in AI Adoption

  • Framing the core leadership question: who owns AI governance and cyber readiness?

  • The maturity gap between rapid adoption and slower oversight/policy development

  • Introduction of the ACRA (AI Cyber Readiness Assessment)

    • Nine domains spanning AI use, cyber hygiene, vendor risk, data exposure, etc.

    • Emphasis on readiness and interconnected risks over mere compliance

12. Case Studies Illustrating Gaps and Breach Consequences

  • Log4j: organizations’ inability to quickly locate and patch at-risk systems

  • Samsung breach: employees unintentionally leaking proprietary data to public AI tools

  • The risks of unsupervised AI usage happening in most organizations

13. Preparing for Imminent Disclosure and Action Steps

  • Anticipated release of the Glasswing report and the urgency it creates for organizations

  • The dual race to mitigate vulnerabilities and adversaries exploiting new disclosures

  • Emphasis on proactive assessment using tools like ACRA before gaps are externally revealed

14. Recommendations and Immediate Actions

  • Take advantage of free tools (ACRA Executive Snapshot) to gauge readiness

  • Encourage honest internal self-assessment before external pressures force action

  • Emphasize readiness as a choice, not a response to crisis

15. Closing, Community Involvement, and Resources

  • Recap and reminders to use QR codes for feedback and future engagement

  • Acknowledgements of partners, organizations, and chambers involved

  • Invitation to share topics and help shape future discussions for the benefit of all attendees

16. Q&A — AI Costs and Client Conversations (01:01:58)

  • Question from audience about cost of AI adoption in business

  • Discussion on structuring, communicating, and justifying AI and cybersecurity investments to clients

  • Importance of proper setup, training, and end-user education for maximizing AI value

17. Event Conclusion

  • Gratitude to all speakers, partners, and attendees

  • Information about event replay availability

  • Final acknowledgments and session closure

🎬 Reel script

Today’s briefing pulled back the curtain on AI’s rapid adoption and the escalating cybersecurity risks that come with it. We explored how groundbreaking tools like Anthropic’s Mythos are uncovering thousands of hidden flaws in software we rely on, and the urgent need for organizations to shift from just detection to rapid, strategic response. The key takeaway: AI is moving faster than our ability to oversee it, making strong governance and readiness more critical than ever. Don’t wait for the next vulnerability report—take the initiative now to assess your risks and strengthen your defenses before the clock runs out.

🎬 Reel script

In today’s session, we broke down the realities of AI adoption in the face of rising cyber threats. Major tech giants are already leveraging powerful AI like Mythos to find vulnerabilities faster than ever—and now, the real challenge isn’t detection, it’s readiness and response. Is your organization moving as fast as the risks? The time for leadership and clear governance is now. Take an honest look at your gaps and close them on your terms, before someone else does. Stay proactive, stay protected, and let’s keep making IT make sense.

👩‍💻 LinkedIn post

🚨 Just wrapped the latest "Making IT Make Sense" Direnzic Briefing, diving deep into AI adoption and the Glasswing era—what an eye-opener for anyone in cybersecurity, IT leadership, or critical infrastructure.

Here are three key takeaways you need to know:

  • AI Adoption Is Outpacing Oversight: Most organizations are rapidly deploying AI without fully understanding what data it's accessing or the new risks it introduces. Without proper guardrails or even basic policies, exposure is happening faster than most can track.

  • Vulnerability Discovery Has Changed Forever: Tools like Anthropic’s Mythos (behind Project Glasswing) are finding thousands of previously undetected critical vulnerabilities in days—faster than human experts. The real bottleneck now isn’t detection; it’s whether your team can patch and respond before adversaries do.

  • Ownership and Governance Are Critical: The hard question every leader needs to answer NOW: Who owns your organization’s AI cyber readiness? Gaps in governance and maturity are the silent risks—often everyone assumes someone else has it covered.

If you’re on a leadership team or board, don’t wait for the next major flaw to go public. Assess your readiness, clarify roles, and make cybersecurity part of your AI adoption conversation—before someone else decides your timeline.

#AIsecurity #CyberReadiness #Leadership #Glasswing #Infosec #CISO #AIadoption #CriticalInfrastructure

👩‍💻 LinkedIn post

🔎 Just wrapped up an eye-opening Direnzic Briefing on AI Adoption in the Glasswing Era! As organizations rapidly embed AI into operations, we must rethink how we manage the risks and responsibilities that come with it. Here are my top takeaways for leaders and security practitioners:

3 Key Takeaways:

  • Adoption is outpacing oversight: Most organizations are already using AI, but formal policies and governance are lagging behind. Leaders need clarity on who owns readiness and risk as AI continues to evolve and integrate.

  • The threat has fundamentally shifted: With tools like Anthropic’s Mythos capable of autonomous, end-to-end cyberattacks, the challenge is no longer just finding vulnerabilities—it’s fixing them fast enough and ensuring systems and teams can respond effectively.

  • Readiness is now a leadership problem, not just a technical one: The bottleneck isn’t detection, but organizational capacity and maturity to coordinate and act. Ownership and clear accountability are essential—across compliance, IT, and the boardroom.

This moment is a call-to-action. The gaps are open, but so is the window to get ahead. Take an honest look at your AI adoption, risk posture, and governance now—before new vulnerabilities come to light.

#Cybersecurity #AIAdoption #RiskManagement #Leadership #GlasswingEra #DirenzicBriefing

🗞️ Newsletter

Making IT Make Sense — Direnzic Briefing: AI Adoption & The Glasswing Era


Subject: Are You Ready for the Glasswing Era? Essential AI & Cybersecurity Insights from Industry Experts


🚨 Executive Briefing Recap: AI, Risk, and Readiness in 2024

Has your organization adopted AI tools faster than your team can govern them? In our latest episode of Making IT Make Sense, we brought together top minds across cybersecurity and risk management to break down what AI adoption—and the coming "Glasswing Era"—really means for your business.

Key Takeaways:

  • AI & Cybersecurity: Not So New, Dangerously Advanced

    The integration of AI into business operations isn’t new, but the speed and scale we’re seeing today is unprecedented. As discussed, threats and vulnerabilities are commercializing and scaling quickly—many organizations are simply not keeping up.

  • Inside the Federal Mindset

    Miguel Clark, retired FBI Special Agent, provided a window into how government and federal agencies grapple with AI-driven risks. He emphasized that while threat levels are rising, many breaches result in less public blowback than we fear—but this creates danger: a growing sense of fatigue and desensitization among organizations and the public (04:03).

  • AI as Dual-Use Insider

    A critical warning: the real risk now comes from inside—the AI tools your team adopted without full oversight. These tools can unknowingly expose data and perform actions a skilled external attacker would struggle to execute (31:18).

  • Project Glasswing: The New Defense Frontier

    The AI dubbed Mythos demonstrated autonomous, end-to-end cyberattack capabilities—finding and exploiting vulnerabilities missed by human experts for decades. Its responsible containment through Project Glasswing marks a pivotal shift: industry leaders (Amazon, Apple, Google, and more) are uniting to proactively hunt flaws before attackers get there first (37:07).

  • Critical Infrastructure Still Catches Up

    The blind spot? Many essential sectors—water, energy, healthcare—were not initially included at the Glasswing launch, placing even greater responsibility on local leaders to close gaps internally (41:15).

Action Items for Leaders:

  • Close the Governance Gap Now

    AI adoption is outpacing oversight. The biggest risk isn’t just vulnerability in your tech—it’s not knowing whose job it is to lead the response, coordinate fixes, and communicate risk up and down your organization (44:44).

  • Use the ACRA Executive Snapshot

    Before July’s public release of the Glasswing report—a roadmap to newly-found software vulnerabilities—assess your organization’s readiness. The AI Cyber Readiness Assessment (ACRA) offers a free, no-pitch tool to map your current gaps and maturity across nine critical risk domains (54:22).

  • Train and Communicate

    Don’t leave AI governance and cybersecurity as a checklist exercise. Build frameworks intentionally, assign accountability, and make sure end users know what’s at stake and how to use AI tools safely (01:03:15).


📝 Quick Links:

  • Replay the full briefing (available to all registrants)

  • Take the free ACRA Executive Snapshot and close your readiness gap

  • Want to go deeper? Request a consultation


Upcoming Events

Join us this October for our 11th annual National Cybersecurity Awareness Month conference. Stay tuned for agenda and speaker announcements.


Thank you,
Team Making IT Make Sense


Questions or ideas for our next episode? Reply to this email with your suggestions!

🧵 Tweet thread

🚨AI, Cybersecurity & The Quiet Crisis No One Sees Coming

1️⃣ Imagine an AI so advanced it can break into secure networks faster than any human—with no human guidance at all. That’s not sci-fi. It just happened. Anthropic’s Mythos proved it: 00:35:04

👇

2️⃣ This isn’t about vague “AI risk.” In a major UK government test, Mythos autonomously found a flaw hidden in OpenBSD for 27 years, chained exploits, and owned a simulated corporate network in 32 steps—something a skilled human team would take weeks to achieve. 00:36:44

👇

3️⃣ The crazy part: When Anthropic realized what they’d built, they refused to release it. Instead, they locked it down and gave the “keys” to defenders. Enter #ProjectGlasswing—a coalition of tech giants using AI to patch flaws… before attackers can use models like Mythos against us. 00:37:07

👇

4️⃣ In its first month, Glasswing found 10,000+ critical vulnerabilities in the world’s most-used software. (Yes, you read that right. 00:38:35) Cloudflare alone found 2,000 bugs in their code that even their best humans missed!

👇

5️⃣ But here’s the kicker: The hardest part isn’t finding the flaws anymore. The new bottleneck? Actually fixing them fast enough. Maintainers BEGGED for the AI to slow down because they couldn’t keep up. 00:43:13

👇

6️⃣ So now, the REAL risk is this: When a public vulnerability report drops next month, BOTH good guys & bad actors will get the map at the same time. Who finds and fixes your organization’s holes first? 00:51:03

👇

7️⃣ Most orgs aren’t ready. When asked “WHO owns AI cyber risk here?” rooms go silent. Compliance thinks IT owns it. Boards assume someone else is on it. The gap widens. THAT PAUSE IS THE RISK. 00:44:51

👇

8️⃣ It’s time to get honest: Do you know WHERE your data lives, WHO’s using AI tools on it, and HOW you’ll respond when a critical flaw is named in public? Samsung learned the hard way when an engineer pasted proprietary code into ChatGPT—no policy, no supervision, instant exposure. 00:49:26

👇

9️⃣ You don’t need a huge budget. You do need an honest look at your AI cyber readiness NOW—while you still have the window to act, not react. There’s a free 9-domain assessment tool just for this. 00:55:17

👇

🔟 When the next AI-powered exploit drops, the public clock starts for everyone. The question isn’t if you’re exposed. It’s how fast you can close the gap.

The AI haystack just lost its needles. Are you ready for what’s next?

#AI #Cybersecurity #Leadership #ProjectGlasswing #AITwitter

🗞️ Newsletter

Making IT Make Sense: Direnzic Briefing AI Adoption Glasswing Era

Welcome to the latest edition of Making IT Make Sense! In this episode, we brought together cybersecurity leaders and innovators to dive deep into the realities of AI adoption, the risks it introduces, and what the era of Project Glasswing means for organizations of every size. Read on for key takeaways, critical questions, and next steps for your tech leadership journey.


IN THIS BRIEFING

💡 Guest Spotlight: Miguel Clark

A retired FBI special agent with decades of cybersecurity expertise, Miguel Clark shared hard-won wisdom from his years protecting the federal sector and leading national security efforts.

  • Key insight: “Our current path doesn't give us the ability to answer the mythical question: if we had an extra million dollars, where should we spend it in security, and why?” 13:00

⚡ The Urgent Risks of Unchecked AI Adoption

Organizations are bolting AI onto tech stacks rapidly—often without consulting cyber teams. It’s convenient, but it opens invisible risks, compliance gaps, and exposures most leaders never see until it’s too late 29:30.

🦋 Project Glasswing: When AI Outpaces Defenders

Anthropic’s Mythos model pushed the boundaries by autonomously finding, exploiting, and chaining vulnerabilities across complex networks 34:36. Real-world tests revealed thousands of critical flaws—many hidden for decades. The world’s largest tech companies teamed up to scan and patch at Internet scale, but the critical infrastructure that keeps our communities running wasn’t at the table at first 41:19.


WHAT DOES THIS MEAN FOR YOU?

1. Vulnerability Detection Has Changed Forever

Thousands of high- and critical-severity vulnerabilities can now be found in weeks, not years. The bottleneck is no longer finding flaws, but responding and patching fast enough to matter 43:13.

2. Readiness Is Leadership’s Responsibility

Who in your organization owns the gap when AI adoption races ahead of governance? If there’s silence—or finger pointing—around that question in your boardroom, you have a risk 45:14.

3. Action Step: Assess Your AI Cyber Readiness

Direnzic’s free ACRA Executive Snapshot evaluates your standing across nine crucial domains—usage, cyber hygiene, vendor risk, data exposure, and more 45:28. Now is the “quiet before the storm” to close your organization’s gaps.


QUICK QUOTES

“We’re desensitizing ourselves to the threats. If we’re doing our jobs, users don’t see the sky fall—and that breeds complacency.”
— Miguel Clark 07:12

“AI isn’t coming. It’s here. The only question is who gets to the open door first: the attacker, or you.”
— Direnzic Briefing 40:24


RESOURCES & NEXT EVENTS

  • Replay the episode: Available to all registrants directly via email!

  • Take the ACRA Snapshot: (Link/Instructions from the webinar)

  • Suggest a topic: Reply to this email or scan the QR code in the replay


We hope this episode helps you see the risks—and opportunities—more clearly!
Stay sharp,
The Making IT Make Sense Team

❓ Questions

Discussion Questions: "Direnzic Briefing AI Adoption Glasswing Era"

  1. How has the commercialization of cyber exploitation (“exploitation as a service”) shifted the landscape of threats faced by federal and private sectors in recent years 05:00?

  2. What are some reasons behind the general desensitization and “breach fatigue” occurring in both the public and private sectors when it comes to cybersecurity incidents 07:12?

  3. Discuss the challenges security professionals face when communicating technical risks and threats to non-technical decision makers. How can these conversations be improved 09:23?

  4. Why might organizations struggle to articulate the value of cybersecurity investment in terms that resonate with boards and leadership, and what metrics could make these conversations clearer 13:10?

  5. In the analogy of the "$10 lock on a million-dollar house," what does this reveal about typical cybersecurity budgeting practices and organizational risk perception 15:27?

  6. How did the Mythos AI model and Project Glasswing change the defensive paradigm for software and infrastructure, according to the episode 34:07?

  7. What are the implications of the fact that the initial Glasswing coalition did not include representatives from critical infrastructure sectors (like water, power, and healthcare) 41:15?

  8. With AI-driven vulnerability discovery now outpacing the ability to patch and fix flaws, what leadership and organizational shifts are required to address this new bottleneck 43:13?

  9. How can organizations determine "who owns governance maturity" as AI adoption accelerates ahead of policy and oversight 44:53?

  10. Reflect on the two real-world incidents discussed: the Log4j vulnerability and the Samsung AI data leak. What lessons can organizations learn about cyber readiness and governance from these examples 49:05?

🧵 Tweet thread

🚨 AI & Cybersecurity: The Storm Is Here. Are You Ready? 🧵

1️⃣ “AI threats aren’t new—but the scale is changing fast.”
For decades, cybersecurity pros have warned about cyber risks, only for many to take action AFTER being hit. But now, with AI-fueled attacks emerging, that lag could be catastrophic. 04:03

2️⃣ Remember Y2K panic?
The world braced for disaster… and the sky didn’t fall. Now, similar “breach fatigue” plagues organizations. People tune out the warnings—until the next big one hits. 05:46

3️⃣ The challenge is as much psychological as technical.
If you’re a security leader, you know:

  • Non-experts don’t want to talk tech

  • Most execs just want “decision-useful” facts, not jargon
    Translation: Speak their language—risk and money. 09:46

4️⃣ The bad news: We’re investing pocket change in security.
Most orgs spend 1-2% of revenue protecting their digital “million-dollar house”… and buy a $10 lock for the front door. You get what you pay for. 15:33

5️⃣ Here’s what your current investment actually buys you:
🔒 "We can ID & contain a breach in about 13 days. An attacker has access for 8 of those days."
Want a shorter window? Better invest more—plain and simple. 14:00, 14:49

6️⃣ Enter Mythos, the AI that changed the game.
It found bugs humans missed for decades, exploited multiple flaws at once, and in a simulated corporate network, gained total control—AUTONOMOUSLY. That’s not science fiction. That’s now. 35:15

7️⃣ The world’s largest tech firms—Amazon, Apple, Google, Microsoft, CrowdStrike & more—banded together for Project Glasswing: unleashing Mythos (safely) to find and patch vulnerabilities before attackers do.
First month: 10,000+ critical vulnerabilities found. 39:15

8️⃣ But most critical infrastructure—power, water, hospitals—WASN'T at the table initially.
Translation: The places you rely on daily were overlooked. They’re now being brought in, but the window is closing. 41:26

9️⃣ AI now finds flaws in seconds—but patching them is SLOW.
Teams even asked to "slow down" AI discoveries, because they couldn't keep up. The bottleneck is no longer detection—it’s response. And that is a leadership challenge, not a tech one. 43:15

🔟 Who owns readiness in YOUR org?
When the next big AI-aided flaw list is released, do you know…

  • Who validates the risk?

  • Who coordinates the fix?

  • Who answers to your board, regulators, and customers? 53:02

11️⃣ Don’t wait for disaster.
You can assess your AI cyber readiness NOW—before the next clock starts ticking. Waiting means you’re acting on someone else’s timeline (or aftermath). 54:08

12️⃣ TL;DR:
Cyber risk is no longer about if, but how fast.
🔑 Speak in business terms, not tech
🔑 Invest proportionally to your digital risk
🔑 Lead the response, don’t just react
🔑 The gap is open—but only for now

#Cybersecurity #AI #Leadership #Infosec #ProjectGlasswing #MythosAI
👇 Have a plan? Drop your thoughts or questions below!

🪡 Threads by Instagram

1.
AI isn’t new, but its adoption is outpacing oversight. Leaders: who owns your AI readiness? Don’t let policy and risk management fall between the cracks. The future belongs to those who close the gaps before crisis strikes.

2.
The biggest challenge isn’t finding flaws anymore—AI can reveal thousands instantly. The real test now: Can your organization patch and respond fast enough? Leadership, not just tech, defines resilience.

3.
Cybersecurity teams are used to warning about threats. But fatigue and desensitization have set in. Translate tech risks into clear business language so decision makers move from awareness to action.

4.
Critical infrastructure wasn’t at the table when the world’s AI defense coalition formed. Securing builders isn’t enough. Every sector must own gaps, demand a seat, and build readiness by design.

5.
Your employees are using AI tools—whether you’ve sanctioned them or not. Real security requires policy, training, and clear governance. Don’t wait for a breach to find out your policies are missing.

❓ Questions

Discussion Questions for "Making IT Make Sense" – Direnzic Briefing AI Adoption Glasswing Era

  1. How has the commercialization of cyber exploitation changed the landscape of security threats over the past two decades?
    What examples from the episode illustrate this shift, and how should organizations respond?

  2. Why is there widespread fatigue and desensitization to breach warnings and cybersecurity threats, especially in the federal sector?
    What can be done to reinvigorate awareness and urgency?

  3. What challenges do security professionals face when trying to communicate risk to non-technical decision makers?
    How can cybersecurity practitioners better speak the language of money and risk for board members and executives?

  4. How does the analogy of security spending being like putting a $10 lock on a million-dollar house help contextualize budget allocation for cybersecurity?
    How can organizations use this perspective to reassess their security investments?

  5. With AI tools like Anthropic's Mythos now able to autonomously identify and exploit vulnerabilities, what new risks emerge for businesses and critical infrastructure?

  6. Why were operators of essential services (water, power, hospitals, etc.) initially left out of major defensive coalitions like Project Glasswing?
    What risks does this pose, and how can these sectors catch up?

  7. The episode describes the AI Cyber Readiness Assessment (ACRA) and its nine domains.
    Which domain do you think is most overlooked in organizations, and why?

  8. How do stories like the Samsung engineers pasting proprietary data into chatbots highlight gaps in policy and governance around AI tool usage?
    What immediate steps should organizations take in response?

  9. How does the rapid pace of AI-driven vulnerability discovery (as shown by Mythos/Glasswing finding 10,000 flaws in 30 days) shift the bottleneck in cybersecurity from detection to remediation?
    What leadership or cultural changes are required to meet this new reality?

  10. When a major vulnerability report lands, who in your organization should be responsible for assessing risk, coordinating response, and documenting decisions?
    Why does a lack of clear ownership at the leadership level greatly increase organizational risk?

🪡 Threads by Instagram
  1. Are you ready for AI that can find hidden flaws in seconds? Glasswing’s coalition of tech giants is showing us how security must be led from the top—before the next wave hits. Who at your org is actually in charge of AI risk?

  2. Mythos isn’t just theory—AI cracked the world’s hardest software, then the world’s top firms scrambled to patch bugs faster than AI could find them. The threat is real, but so is this window to act. Don’t wait until the storm hits.

  3. The true cost of AI isn’t the tech—it’s the readiness gap. Adoption outpaces oversight, and compliance is just the starting point. If you can’t name who owns AI governance, your organization’s risk is flying under the radar.

  4. Samsung’s lost code shows it: risk isn’t always stolen, sometimes it’s handed over. AI needs policy, training, and leadership as much as it needs code. Are you governing your tech, or just reacting after the loss?

  5. In cybersecurity, prevention beats cure. Glasswing found 10,000 critical flaws in 30 days—patches can’t keep up. Success now depends on culture: a willingness to assess, respond, and lead, not just comply. Who’s leading your change?

💡 Speaker bios

Ieshea Hollins is a thought leader navigating the intersection of AI and cybersecurity, especially within the federal landscape. Engaged in timely discussions around emerging threats and partnerships—such as those between Anthropics, Mythos, and Glasswing—she leverages her platform on LinkedIn and other social channels to drive critical conversations. While recognizing that challenges in AI security are not new, Ieshea focuses on understanding and addressing how these evolving vulnerabilities impact the federal sector, often inviting experts to share insights on navigating this ever-changing field.

💡 Speaker bios

Miguel Clark played a key role in founding the InfraGard chapter in North Texas alongside his colleague, Guy Ganester Walton, after receiving direction from FBI headquarters. Working closely with individuals like Linda Franklin from the FBI—who was later tragically killed by the Washington sniper—Miguel helped organize and grow InfraGard in the region. For over two decades, Miguel has remained deeply involved with InfraGard, contributing to its development and success in North Texas.

Made with Castmagic

Turn any recording into a page like this.

Upload audio or video — interviews, podcasts, sales calls, lectures. Get a transcript, summary, key takeaways, and social-ready clips in minutes.

Google Apple
or

Or learn more about Castmagic first.

Ask anything

About this conversation — answers come from the transcript.

Magic Chat

Try asking