Cutting through Cyber - newsletter 2
May 21 2026
In aviation safety, the Swiss cheese model frames a serious accident as the rare moment when holes in multiple independent layers of defence happen to align. Cyber risk works the same way, and this month, two developments matter because they affect the layers themselves.
Anthropic's announcement of Claude Mythos, a model capable of autonomously discovering and exploiting zero-day vulnerabilities in production software, signals that AI is now exposing weaknesses in the software layer faster than human-paced patching can close them. Separately, the Canvas breach affecting Australian universities and schools is a reminder that when thousands of organisations depend on the same vendor slice, the holes are effectively pre-aligned. The mandatory ransomware payment reporting regime moving into its enforcement phase adds pressure on the regulatory layer too.
As always, contact us at kristin@ksib.com.au or steve@ksib.com.au if you'd like to discuss any of these stories further.
Regards
Kristin
Our topics this month:
Anthropic's Claude Mythos finds zero-days autonomously; Project Glasswing coalition forms to prepare defenders
Canvas hack disrupts Australian universities and schools
Attackers used Claude and GPT to plan an OT intrusion at a Mexican water utility
Australia's ransomware payment reporting regime enters its enforcement phase
Prompt injection attempts up 340% year on year: most go undetected for days
April's supply chain domino effect: one vendor compromise, multiple victims
1. Anthropic's Claude Mythos finds zero-days autonomously; Project Glasswing coalition forms to prepare defenders
On 8 April 2026, Anthropic disclosed that an internal model, Claude Mythos, had autonomously discovered and exploited previously unknown vulnerabilities across every major operating system and browser it was pointed at, including a 27-year-old flaw in OpenBSD. Rather than release the model, Anthropic restricted access and convened Project Glasswing, a defender coalition that includes AWS, Apple, Microsoft, Google, Cisco, CrowdStrike, JPMorgan Chase, NVIDIA, Broadcom, Palo Alto Networks and the Linux Foundation, backed by $100 million in model usage credits. The objective is to give defenders a head start before equivalent offensive capability becomes widely available. KSIB published a detailed analysis of what this means for Australian regulated industries: AI is now better at hacking than most humans.
So what for business leaders: This isn't a single threat to defend against - it's a structural shift in the economics of attack. The cost of finding and weaponising zero-day vulnerabilities is collapsing, while patching remains a human-paced process. Boards should ask whether the organisation's security program is calibrated to the now-emerging threat model; whether reported patching timelines are competitive against an attacker operating at machine speed; and whether critical third parties are preparing for the same shift. CPS 230 makes that third-party question unavoidable for APRA-regulated entities.
So what for tech and cyber leaders: Vulnerability discovery and patch velocity are critically important program metrics. The window between vulnerability disclosure and patch deployment is the “kill zone” where AI-driven attackers will operate. Things to consider: audit the oldest unpatched vulnerabilities across the estate as a measure of program health; tighten attack surface management and asset inventory; and start running AI-assisted vulnerability discovery against your own systems and dependencies before someone else does. Watch for Project Glasswing outputs - the coalition has committed to publish defensive learnings.
2. Canvas hack disrupts Australian universities and schools
In early May 2026, education software company Instructure confirmed a "cybersecurity incident" affecting Canvas, the learning management system used by around 30 million students at over 8,000 institutions globally. The extortion group ShinyHunters claims to have stolen 3.65 terabytes of data covering roughly 275 million records, and on 7 May 2026 defaced Canvas login pages with a ransom message demanding payment by 12 May 2026. Australian universities including the University of Sydney, UTS, Adelaide, Melbourne, RMIT, Griffith, Canberra and Western Sydney have issued statements; UTS, Adelaide and the Queensland Department of Education temporarily disabled Canvas access. Tasmania's Department for Education, Children and Young People confirmed it was identified as impacted. The federal government's National Office of Cyber Security is coordinating the response.
So what for business leaders: This is a concentration risk story before it's a cybersecurity story. Most universities and many schools run a meaningful share of their day-to-day operations through Canvas, and the disruption hit during exam periods at some institutions. The same pattern shows up across other sectors where one cloud platform sits inside thousands of organisations. Boards should ask whether their organisation has a current map of single-vendor dependencies that could cause material disruption if breached, and whether continuity plans have been tested for the scenario where the vendor itself is offline for days, rather than helping with recovery.
So what for tech and cyber leaders: The reported attack path centres on identity compromise: privileged credentials were revoked and keys rotated, suggesting the attackers obtained access tied to an account with broad rights. For SaaS vendors that sit in your critical path, contractual security clauses are necessary but not sufficient. Pressure-test what your team would actually do if the vendor went dark for several days, including whether service delivery, payments, or operations could continue on alternative channels. Review monitoring of vendor-side identity activity and the breach notification chain.
3. Attackers used Claude and GPT to plan an OT intrusion at a Mexican water utility
Operational technology security firm Dragos published analysis in early May 2026 of an attack against a water and drainage facility in the Monterrey metropolitan area of Mexico that ran from approximately December 2025 through February 2026. Dragos examined around 350 artefacts associated with the intrusion, most of which were AI-generated. Anthropic's Claude was described as the "primary technical executor," handling planning, tool development and deployment; OpenAI's GPT models were used for analytical work and processing collected data in Spanish. Notably, the attackers had apparently no prior experience targeting operational technology environments. They used the models to read SCADA vendor documentation and to generate lists of default and known credentials for brute-force attempts. The compromise of the operational technology systems was ultimately unsuccessful, but the access pathway was real. Both vendors confirmed that the associated accounts had been banned.
So what for business leaders: The barrier to entry for attacking critical infrastructure has just dropped. Previously, attacking an industrial control system required years of specialist experience that few cybercriminals possessed. AI models compress that learning curve dramatically. For any organisation that operates physical infrastructure, including utilities, manufacturing, logistics, healthcare and resources, this should prompt a refresh of threat modelling. The question is no longer "would an attacker have the skills to target our operational systems?" but "would they need to?".
So what for tech and cyber leaders: Engagement between IT security teams and OT engineering teams needs to be closer than it usually is. Detection logic tuned for traditional adversary patterns may miss AI-assisted reconnaissance, which can look like clumsy but persistent probing rather than the smooth tradecraft of a seasoned operator. Inventory of internet-exposed OT interfaces, default credentials, vendor remote-access pathways and segmentation between IT and OT environments all warrant a fresh review.
4. Australia's ransomware payment reporting regime enters its enforcement phase
From 1 January 2026, the mandatory ransomware and cyber extortion payment reporting regime under the Cyber Security Act 2024 (Cth) moved from its "education first" Phase 1 into Phase 2: active compliance and enforcement. Reporting business entities (broadly, those with an annual turnover of AU$3 million or more, plus responsible entities for critical infrastructure assets under the Security of Critical Infrastructure Act 2018) must report any ransomware or cyber extortion payment to the Australian Signals Directorate within 72 hours of making it, or becoming aware that one has been made on their behalf. Failure to report attracts a civil penalty of up to 60 penalty units, currently approximately AU$19,800. The regime sits alongside, not in place of, OAIC Notifiable Data Breach obligations, and ransom payments can still create separate exposure under sanctions and anti-money laundering laws.
So what for business leaders: The 72-hour clock starts running before most boards would normally expect to be briefed. That means the playbook needs to be in place before an incident, including delegated decision-making authority for payment-related calls, named legal and forensic advisers, and clarity on who completes the report. Boards should also ask whether their organisation has a documented position on ransomware payment under different scenarios. Deciding policy under live extortion pressure is the worst possible time.
So what for tech and cyber leaders: Incident response runbooks need to be updated to reflect the new reporting obligation, including the specific data fields required by the reporting form and the workflow for capturing them while the incident is still active. The interplay with NDB notifications to the OAIC, AFP engagement, sanctions checks via DFAT's Australian Sanctions Office, and any contractual notification obligations to customers and insurers all needs to be tabletop-tested rather than improvised.
5. Prompt injection attempts up 340% year on year: most go undetected for days
On 1 April 2026, the Center for Internet Security published Prompt Injections: The Inherent Threat to Generative AI. Drawing on industry threat intelligence from the final quarter of 2025, the report recorded an approximately 340% year-on-year increase in documented prompt injection attempts. Around two-thirds of successful attacks went undetected for more than 72 hours, with most discovered by tracing backward from a downstream symptom (a client complaint, an anomaly in a log review) rather than by any real-time detection system. The Open Worldwide Application Security Project continues to rank prompt injection as the top vulnerability for large language model applications. Independent research published by Google's security team in late April 2026 confirmed a 32% relative increase in observed indirect prompt injection content on the public web between November 2025 and February 2026.
So what for business leaders: Prompt injection is the AI-era equivalent of an unpatched flaw that traditional security tools cannot see. When an AI agent processes a document, email or web page, the content can contain hidden instructions that the agent treats as legitimate. If the agent has access to tools, files or systems, the consequences scale with that access. The board-level question is whether the organisation's AI risk register reflects the reality that AI systems have become a primary attack surface, not just an efficiency play.
So what for tech and cyber leaders: Standard security controls based on syntactic detection do not catch semantic manipulation. Inventory every AI agent in the environment, particularly any with access to email, file shares, customer systems, payment workflows, or code execution. Limit agent permissions to the minimum required, require human approval for high-impact actions, and add monitoring that surfaces anomalous downstream effects of agent activity, given that most successful attacks were caught after the fact, not in real time.
6. April's supply chain domino effect: one vendor compromise, multiple victims
April 2026 was notable for the density of third-party-driven breaches rather than for any single incident. Two major United States banks were posted on the Everest ransomware group's leak site on 20 April 2026, with both confirming the breach originated at a shared third-party vendor rather than at their own networks. Adobe was reportedly compromised through an Indian business process outsourcing support contractor, with a threat actor claiming access to 13 million customer support tickets and 15,000 employee records. McGraw Hill confirmed unauthorised access to data hosted in a Salesforce environment after a misconfiguration was exploited, with ShinyHunters listed as the actor. Vimeo confirmed an incident traced to a compromise at its data analytics provider Anodot. France's national identity portal (ANTS) disclosed unauthorised access affecting up to 11.7 million accounts.
So what for business leaders: Annual vendor security questionnaires are not keeping pace with how interconnected enterprise SaaS has become. A single supplier compromise now ripples through multiple downstream organisations within hours, and notification often arrives via media coverage rather than the vendor itself. Boards should ask whether the organisation has a current view of which vendors hold its most sensitive data, which vendors have privileged access to its systems, and how quickly the organisation would know if any of them were compromised.
So what for tech and cyber leaders: Third-party risk management needs to evolve from compliance artefact to live operational function. Continuous monitoring of vendor security posture, contractual breach notification timeframes with real teeth, and pre-agreed forensic and communications protocols all reduce the time between vendor compromise and informed action. For SaaS vendors holding sensitive data, push for evidence of segmentation between customer tenants and for visibility into administrative access activity.
The common thread this month is that traditional perimeters keep dissolving: education platforms, AI productivity tools, OAuth grants, vendor support contractors and AI agents are all now part of the attack surface for organisations that did not previously think of themselves as exposed through those channels. Governance frameworks that haven't been refreshed for this reality are working with an out-of-date map.
Contact steve@ksib.com.au if you would like to discuss any of these stories or the broader implications for your organisation.

