Every IT leader knows this feeling. A critical issue lands. The team mobilises. Stakeholders are briefed. Decisions are made quickly. The most visible and urgent parts of the problem get resolved. And then, gradually, the crisis passes. The noise dies down. The team moves on to the next thing. And the backlog quietly absorbs everything…
GCHQ Director Anne Keast-Butler called for cybersecurity to be ten times more urgent at Bletchley Park today. Here is what it means for security leaders.
Last week I wrote about the governance gap in AI agent identity. The argument was that organisations are deploying autonomous agents with the same IAM frameworks built for humans, that those frameworks assume access is requested, granted, reviewed, and revoked through processes a person initiates, and that AI agents operate entirely outside those assumptions. Agents…
For most of the past decade, if you wanted to find a deep kernel-level flaw in Linux, you needed two things: significant expertise and significant time. The Linux kernel has been reviewed continuously by some of the best security researchers in the world. Dirty Cow, the 2016 privilege escalation vulnerability that affected every Linux kernel…
Last Friday, an AI agent deleted a company’s entire production database. It took nine seconds. The agent was Cursor, running Anthropic’s Claude Opus 4.6. It had been given a routine task in a staging environment. It hit a problem, decided on its own to resolve it, found an API token in an unrelated file, used…
On Monday, Google confirmed the first criminal use of AI to develop a zero-day exploit.
On Tuesday, Microsoft revealed an AI system that found 16 Windows vulnerabilities this month that human researchers had not found, including a wormable domain controller flaw.
Also on Tuesday, OpenAI launched Daybreak, a direct competitor to Anthropic’s Mythos, making AI-powered vulnerability discovery a publicly contested market.
Risky.biz put something plainly this week that is worth hearing: criminal organisations are structurally better positioned to adopt AI than legitimate businesses. No compliance overhead. No procurement cycles. No board approval. When a new capability appears, they can test it against live targets immediately.
The defensive tooling is arriving. The question is whether it can arrive fast enough, and into organisations that are ready to use it.
I have written about what this week actually tells us, why the asymmetry of adoption friction matters more than the technology itself, and what the honest question is for security leaders right now.
More of my insights are available at auravere.com/insights
The UK government’s consultation on a national digital ID system closes on 5th May 2026. Whether you support the idea or not, the security and governance questions it raises deserve serious attention from practitioners, because if this system is built it will become some of the most consequential digital infrastructure the UK has ever deployed….
Everyone was watching Rockstar Games this week. Just not for the right reason. The gaming world has been waiting for Grand Theft Auto 6 for years. The headline everyone hoped for from Rockstar was a confirmed release date, a new trailer, a launch. Instead the headline was a breach. ShinyHunters accessed Rockstar’s Snowflake servers through…
We have always known the bugs were there. Not the ones we found and patched, the ones nobody had found yet. The ones sitting quietly in code that was written before some of your security team were born, running in systems that have never been seriously tested, doing their job reliably enough that nobody thought…
I got a new coffee machine yesterday. Four espressos later, nothing was quite right and I did not know why. By morning I had worked it out. Two fundamental errors, hiding underneath everything I had been adjusting. There is a security culture lesson in there and it is a good one.
I started writing this post in the summer of 2018, about two months after GDPR came into force. Life got in the way and I never finished it. Reading it back now, what strikes me is not how much has changed. It is how much has not. So let me finish what I started, with…
In security and governance, the biggest risk is often not the threat itself. It is the absence of anyone willing to own the decision about what to do about it. After more than two decades working in information security across complex organisations, the pattern I see most consistently is not a lack of capability. It…
