Viruses With Wings and Brains: The Worm You Cannot Patch

// elusive thoughts // malware // ai security

Gary McGraw gave this whole problem the only label it needs. If the old worms were viruses with wings, the next ones are viruses with wings and brains. That is not a marketing line. It is a precise description of what a group of researchers just built on purpose, and of what is almost certainly being built right now by people who will not publish a paper afterwards.

What they actually built

A team spanning the University of Toronto, the Vector Institute, ServiceNow and Cambridge wired up a proof-of-concept agentic worm. The crucial detail is what it does not contain. It does not ship a fixed exploit. A classic worm carries one trick and dies the day you patch that trick. This thing replaces the fixed payload with goal-directed reasoning. It lands on a host, reads the environment, identifies whatever is weak on that specific box, writes an exploit for it on the spot, steals the secrets it finds, and then moves to the next machine and starts the loop again, adapting as it goes.

Our adaptive worm cannot be stopped this way. It uses a recursive reasoning loop to detect and exploit diverse vulnerabilities as it propagates.

Read that twice. The entire muscle memory of vulnerability response, find the bug, ship the patch, contain the spread, assumes the malware is committed to a specific door. This one is not committed to any door. Patch the bug it used on the last host and it simply reasons its way to a different one on the next. The researchers ran it with small free models driving the decision-making, which means the brains are cheap and getting cheaper.

This is not science fiction with a long runway

BeyondTrust's chief security architect put a clock on it: an AI-powered worm in the wild within six months to a year. His read on the target set is the part that should make every engineer reading this uncomfortable, because the target is us.

It is going to target developers and engineers who have broad access, and will pivot through cloud, and many companies will not recover.

We have already seen the warm-up acts. Shai-Hulud squirmed through NPM in September 2025, harvesting developer credentials and secrets to poison new packages. A month later Glassworm rode VS Code extensions to compromise developer machines. Neither of those had the adaptive brain yet. They were the wings arriving before the brains caught up. The brains are catching up.

The bad news about the guardrails

You might hope the foundation models refuse to help build this. They do, sort of, on the surface. Searches with obvious terms like malicious worm get blocked. But the BeyondTrust researcher found trivial workarounds, including a meta-skill script that scrubbed the scary words out of his own prompts before they hit the model. Do not build your threat model on the assumption that model-level refusals will hold. They are a speed bump, not a wall.

There is one genuine piece of good news, and it is physics, not policy. An open-weight model running on a victim machine is loud. Tens of gigabytes resident in VRAM and a machine-learning runtime spinning up on a host that has no business running inference does not fade into the background. Cryptojackers learned to hide in spare cycles. A worm dragging a model around with it is an order of magnitude more obvious. Detection has a real seam to work with here.

What actually helps, and it is not new

The researchers were blunt about their own test conditions. Their worst case was a flat network, and they said plainly that even basic segmentation would have substantially limited the reach. The worm thrived on the things we already know are wrong and keep tolerating anyway. Over-privileged roles. Standing human access to production. Secret sprawl across repositories. Every one of those is a finding you have probably closed as "accepted risk" at some point.

So the defence reads like a list you have heard a hundred times, and that is exactly the point:

• Least privilege, enforced and audited, not aspirational
• Network micro-segmentation so a single foothold cannot reach the whole estate
• Zero-trust style continuous authentication to throttle lateral movement
• Aggressive endpoint and cloud telemetry, wired to auto-remediation that acts on the first signals
• Secrets management that assumes the repo will be read by something hostile

None of that is exciting. None of it will headline a conference. It is the difference between being in the group the researcher thinks will not recover and the group that does. The brains are coming. The wings are already here. The only part of this still fully in your control is whether your network is a flat field or a maze.

#Malware #AIsecurity #SupplyChain #ZeroTrust #AppSec

Reporting: Robert Lemos, Dark Reading, "Adaptive, Agentic AI Worms Loom as Next Enterprise Threat" (Jun 2026). Research cited: University of Toronto et al., "AI Agents Enable Adaptive Computer Worms." Analysis and commentary are my own. Read the original.

"AI as Enabler, Not Replacer" Is True. It Is Also Half the Story.

// elusive thoughts // secops // ai security

Zoom's CISO, Sandra McLeod, gave the reassuring version of the AI question in a recent Dark Reading interview, and I want to be clear up front: she is right. Her view is that AI is an enabler for human security teams, not a replacement. It automates the repetitive grind inside the SOC and it helps build systems that can stand up to AI-powered attacks. As someone who has watched good analysts burn out on tier-one triage, I am not going to argue with any of that. The framing is correct, it is humane, and it should be the default posture for any team standing up agentic tooling.

My problem is not with what she said. My problem is with where most people stop listening.

The enabler half is real, so use it

Point the agents at the toil. Alert triage, enrichment, correlation, the soul-destroying tier-one queue that exists mostly to be cleared rather than understood. That is exactly the work that should be automated, and automating it buys back the one thing your senior people never have enough of, which is attention for the hard problems. A SOC that runs agents on the boring path so humans can think about the interesting path is a stronger SOC. No notes.

AI serves as an enabler, not a replacement, for human security professionals.

The half that never makes the keynote

Here is the part that gets quietly dropped. The exact capability that lifts your defenders is the capability that arms the other side and grows your own attack surface. Every agent you deploy is a new thing with credentials, with access, with the ability to be talked into doing something it should not. The same reasoning engine that triages your alerts can be prompt-injected through a poisoned ticket, jailbroken through a crafted input, or hijacked as a propagation host by the next generation of adaptive malware.

This is not hypothetical hand-waving. There were 2,130 AI-related CVEs disclosed in 2025, up around 35% year on year. Every agent you wire into production with standing credentials and broad scope is another entry on a list that is already growing faster than the staff meant to watch it. The enabler and the liability are the same object. You do not get one without the other.

Holding two true things at once

Maturity in this space is the ability to hold both statements in your head simultaneously. AI is an enabler for security. AI is a fresh attack surface for security. Junior thinking picks one and builds a slide deck around it. The optimists ship agents everywhere and budget nothing for the blast radius. The cynics refuse to touch any of it and quietly fall behind. Both are wrong in the same way, which is that they only looked at one half of the object.

The practical version looks boring, because the practical version always looks boring:

• Deploy agents on toil, but scope their credentials like you would scope a contractor you do not fully trust
• Treat every agent as an identity with least privilege, not a magic helper with god mode
• Red-team your own AI deployments before you celebrate them
• Instrument the agent's actions with the same telemetry you would demand of any other privileged account

The leadership read

McLeod also described her own arc from technical firefighter to business strategist, from stabilising the posture to anticipating and enabling. That is the right journey, and it maps onto this exact tension. The strategist's job is not to pick the comforting half of the AI story for the board. It is to fund the uncomfortable half. Anyone can sell "AI makes us faster." The actual work is making sure the thing that made you faster did not also hand an adversary a faster way in. Enabler and attack surface. Same object. Budget for both, or you only secured the half that was easy to talk about.

#CISO #AIsecurity #SecOps #Leadership #AppSec

Reporting: Kristina Beek, Dark Reading, "Heard It From a CISO: Zoom CISO: AI as Security Enabler, Not Role-Replacer" (Jun 2026), featuring Sandra McLeod. Analysis and commentary are my own. Read the original.

The Premium Dropped. So Did Your Coverage.

// elusive thoughts // cyber risk // ciso

Good news arrived at the Gartner Security and Risk Management Summit, and like most good news in this industry it came wrapped around a knife. Cyber insurance is getting cheaper. Carriers spent years bleeding on claims they mispriced, and they have finally tuned their models. Rates are softening across the board, and there are even discounts for organisations that can prove a real security posture. If you renew this year, the number on the quote will probably make you smile.

Then you read the policy, and the smile goes away.

The exclusion list is eating the policy from the inside

The single most important shift in this market is not the price. It is the steadily growing list of things your policy will not pay out on. Per Gartner's read, the exclusions now routinely include:

• Employee actions, which in some policies sweeps in social engineering
• Outdated or unpatched software
• Failure to maintain stated security controls
• Incidents tangled up in mergers and acquisitions

Look at the first one again, because it is the landmine. The carrier logic goes like this. If an attacker talks your finance team into wiring a million, and never breaks into a single system, never takes control, never impersonates a machine, then the carrier's position is that no cybercrime occurred. It was a failure of your internal controls. Your problem, not theirs.

Why that one exclusion matters more than the rest

Because social engineering is not a corner case. It is the main event. ClickFix-style attacks, where a victim is convinced to run malicious commands to fix a fake error, made up 52% of what Huntress observed across 2025. That is the majority of real incidents living in the exact category your policy may now decline. You can run a clean tabletop, file the claim, and discover that the most common attack on the planet is the one your insurer files under "not our problem."

That is not a cybercrime. That is a failure of your internal controls.

That sentence, said out loud by an analyst describing how carriers think, should be printed and taped to the wall of every risk meeting.

The fine print nobody reads until it is too late

It gets more textured below the headline exclusions. War clauses have hardened. Lloyd's published cyber-war definitions that most carriers adopted, and they can carve out certain nation-state activity entirely. Mass cyber events, the kind where a major cloud provider falls over and takes half the internet with it, can see payouts cut by as much as half. There are sub-limits hiding inside the big number too. A 10 million policy does not mean 10 million you can hand to a top-tier DFIR firm. There are caps on how much goes to a breach coach, caps on incident response spend, caps you will only find if you go looking.

And then there is the timing trap. Tail coverage. If you switch carriers on the first of the month, then discover last month you were already breached, the new policy will not cover an attack that predates it, and the old one expired the day before. Without tail coverage you fall straight through the gap at the worst possible moment.

What to actually do

This is not a "buy more coverage" post. It is a "know what you bought" post. Sit down with the underwriter, not just the broker, and ask the ugly direct questions. If I get hit by a nation-state actor, am I covered. If the answer is "it depends," then go through what it depends on, line by line, until there are no surprises left. Map your most likely incident scenarios against what the policy will and will not pay on. Most teams I talk to have never done that exercise. They priced the premium and never read the exclusions.

Curiously, AI has not reshaped this market yet. Carriers are watching the rogue-agent horror stories closely, but the policies have not moved much. Enjoy that lull. It will not last, and when it ends, the new exclusions will not arrive with a warning email either.

#CyberRisk #CISO #CyberInsurance #SocialEngineering #ClickFix

Reporting: Rob Wright, Dark Reading, "Cyber Insurance Rates Are Dropping, but Exclusions Widen" (Jun 2026). Analysis and commentary are my own. Read the original.

Four Threats, One Confession: The Attacker Has the Advantage

// elusive thoughts // appsec // ai security

Every now and then an analyst says the quiet part into a live microphone. That happened at the Gartner Security and Risk Management Summit, where the verdict on four headline threats was not "emerging" or "watch this space." It was that on all four, enterprise defences are overmatched and the attacker holds the advantage. The tooling is not up to the job yet. Sit with that for a second, because vendors do not usually let their favourite conference admit the products do not work.

The four sitting at the top of the 2026-27 ThreatScape are deepfakes, software supply chain, prompt injection, and AI application compromise. If you have read this blog before, none of those will surprise you. What is worth your time is the shape of each problem, and why "buy a box" is the wrong reflex for all of them.

Deepfakes and the death of trusting your eyes

Gartner's figure is that 62% of organisations have already taken a deepfake hit tied to social engineering or bypassing voice and face recognition. The honest engineering insight buried in the panic is this: you do not need to detect the deepfake to stop the attack. You need an authentication path that does not collapse just because the voice sounds right. A failed second factor kills a flawless fake. The detection arms race is a trap. The control that survives is layered authentication plus tooling for caller-ID spoofing and SIM-swap, because identity is the real battlefield and the fake face is just the delivery mechanism.

Supply chain: still bleeding, now automated

Supply chain attacks are not new. What changed is the automation. Self-propagating worms turned credential theft into a force multiplier, sweeping secrets and pivoting into the next repo without a human at the wheel. The Gartner read on the ecosystem was characteristically diplomatic about NPM, which is to say it called it a mess. None of the fixes are exotic. Strong version-control policy. Secrets scanning that people actually leave switched on. Least privilege bolted onto your CI/CD pipelines instead of service accounts that can do everything. The features mostly exist. Teams skip them and ship secrets anyway.

Prompt injection: the part you cannot patch

This is the one that should keep AppSec people up at night. Indirect prompt injection rose 32% in a single quarter on Google's numbers. An attacker plants a malicious instruction in a webpage and waits for your agent to read it. No exploit, no payload in the classic sense, just text that your model treats as a command. And once you move to autonomous, agentic flows, the failure mode is brutal:

Once the execution chain is poisoned, the whole thing goes downhill, and you cannot really recover from that.

The vendors selling "prompt injection detection" that quietly just greps for scary keywords are not going to save you. There is no clean 100% block for injection or jailbreaking, and pretending otherwise is how you end up owned with a green dashboard. The grown-up answer is to red-team your own AI systems. Pen test the agent. Find the indirect injection paths before someone external does it for the cost of a crafted webpage.

AI application compromise: more surface, more CVEs

There were 2,130 AI-related CVEs disclosed in 2025, up roughly 35% year on year. Memory poisoning, insecure infrastructure, the usual sins reappearing in a new layer of the stack. And then the detail I cannot ignore, because I run this stuff myself: analysts noted you can still scan the internet and find OpenClaw instances exposed with admin rights. A popular agent framework, a known stack of critical vulnerabilities, deployed wide and deployed badly. We keep wiring powerful automation to the public internet faster than we secure it, then act surprised.

The pattern under all four

Strip the AI glitter off and the same lesson is sitting underneath every one of these. The attacker advantage is not built on genius. It is built on the controls we keep deferring. Authentication that actually holds. Least privilege that is real instead of aspirational. Adversarial testing of the things we ship instead of trusting a marketing slide. None of it is new. All of it is unglamorous. That is precisely why it still works, and precisely why most shops still have not done it.

#AppSec #AIsecurity #PromptInjection #SupplyChain #ThreatScape

Reporting: Rob Wright, Dark Reading, "4 Critical Threats Where Attackers Have the Advantage" (Jun 2026). Analysis and commentary are my own. Read the original.