By Samuel Odekunle, Managing Partner

April 2026 will be remembered as the month the cybersecurity industry crossed a Rubicon. Anthropic announced an AI model so capable at finding software vulnerabilities that the company refused to release it publicly. Iran-affiliated actors moved from rhetoric to demonstrable disruption of US critical infrastructure. RSA Conference 2026 confirmed that agentic AI security has become the dominant product category in enterprise security. And whilst the industry talked about machines, criminals continued to extract devastating losses from old-fashioned identity compromise.

The themes converging this month are not new—but the pace at which they are converging is unprecedented. For security leaders, April marks the point at which the question shifts from “is this happening?” to “are we keeping up?”

Project Glasswing: A Watershed Moment for Cybersecurity

On 7 April, Anthropic announced Claude Mythos Preview alongside Project Glasswing—a coalition of twelve major technology and finance companies including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, and Nvidia. The headline claim was extraordinary: Mythos has already identified thousands of high-severity zero-day vulnerabilities across every major operating system and web browser. The oldest discovery was a 27-year-old bug in OpenBSD, an operating system widely regarded as among the world’s most secure. A 17-year-old remote code execution vulnerability in FreeBSD’s NFS implementation (CVE-2026-4747) was, according to Anthropic, fully autonomously identified and exploited by the model.

Anthropic’s decision not to release the model publicly is itself remarkable. The company committed $100 million in usage credits and an additional $4 million in donations to open-source security organisations, restricting access to a vetted group of partners and approximately forty additional organisations maintaining critical software.

The strategic reasoning is straightforward: AI capabilities have crossed a threshold where defenders need a head start. As Cisco noted in joining the project, “the old ways of hardening systems are no longer sufficient.” The question dominating boardroom conversations this month is what happens when these capabilities proliferate beyond actors committed to deploying them safely.

Three observations matter for security leaders. First, the gap between vulnerability discovery and exploitation has collapsed further—what once took months now happens in minutes when AI is involved. Second, this favours defenders if they act quickly; finding vulnerabilities for patching purposes is materially easier than chaining them into operational exploits. Third, the proliferation timeline is short. Within a week of Anthropic’s announcement, OpenAI announced a similarly capable model under similar restrictions. By 22 April, reports emerged that unauthorised users had reportedly gained access to Mythos through a third-party vendor environment.

The Mythos era has begun whether organisations are ready or not.

Iran’s Escalation: From Rhetoric to Industrial Control Systems

The Iran cyber campaign that dominated March’s report has matured significantly. On 7 April, CISA, FBI, NSA, EPA, DOE, and US Cyber Command issued a joint advisory warning that Iranian-affiliated APT actors have been actively disrupting programmable logic controllers across multiple US critical infrastructure sectors—including Government Services and Facilities, Water and Wastewater Systems, and Energy.

The targeting has focused on Rockwell Automation Allen-Bradley PLCs, with Unit 42 tracking the activity as CL-STA-1128 (also known as Cyber Av3ngers or Storm-0784). The attackers have moved beyond their historic focus on Unitronics PLCs—the same group responsible for the November 2023 attack on the Municipal Water Authority of Aliquippa, Pennsylvania—to Rockwell devices. This represents a deliberate expansion of capability, with attackers reportedly installing FactoryTalk software on virtual private server infrastructure to enable their exploitation efforts.

The pattern is clear. Iran lacks symmetric conventional response options against the United States and Israel, so cyberspace becomes the primary theatre of retaliation. The pro-Iranian hacking group Ababil of Minab claimed responsibility for a March hack on the Los Angeles County Metropolitan Transportation Authority, with the transit agency confirming unauthorised activity that forced network restrictions.

Perhaps most concerning is research from DomainTools Investigations describing activity attributed to Homeland Justice, Karma, and Handala Hack as a “single, coordinated cyber influence ecosystem” aligned with Iran’s Ministry of Intelligence and Security. These personas function as interchangeable operational veneers applied to a consistent underlying capability—deliberately complicating attribution while maintaining strategic coordination.

For organisations operating critical infrastructure, the implications are immediate. Internet-exposed PLCs remain a primary attack vector. The basic hygiene measures matter enormously: removing PLCs from direct internet exposure, changing default credentials, segmenting OT networks from IT networks, and implementing strong authentication for remote access. The advisory should be treated as operational guidance, not advisory reading.

Stryker’s Aftermath and the Endpoint Management Reckoning

The full scope of March’s Stryker incident became clearer in April. A single stolen credential, abused by the Iran-linked Handala group through Microsoft Intune, wiped approximately 80,000 devices across the company’s offices in seventy-nine countries. Hornetsecurity’s analysis notes that device management platforms are now a tier-one attack surface—a categorisation that would have seemed alarmist twelve months ago.

For any organisation running Microsoft Intune, Microsoft Endpoint Configuration Manager, or comparable mobile device management platforms, the questions are uncomfortable but unavoidable. Who holds administrative access? Are those accounts protected with phishing-resistant multi-factor authentication? Do device wipe commands require additional out-of-band authorisation before execution? The blast radius of a compromised MDM administrator account is no longer theoretical—it is documented across seventy-nine countries.

The Medusa ransomware compromise of the University of Mississippi Medical Center provides a parallel case study. The attack forced UMMC—the state’s only Level I trauma centre and only children’s hospital—to shut down 35 clinics, suspend elective surgeries, and lose access to its Epic electronic health records system for nine days. Healthcare remains a high-value target with real patient safety consequences.

The Supply Chain Battlefront

April brought stark reminders that the supply chain remains the soft underbelly of enterprise security. North Korean threat actors, attributed by Microsoft as Sapphire Sleet and by Google as UNC1069, published two malicious versions of the Axios npm package on 31 March. Axios is one of the most widely used JavaScript HTTP client libraries in existence, with over 70 million weekly downloads. The malicious versions contained an injected dependency that downloaded remote access trojan payloads from North Korean command-and-control infrastructure. The packages were live for approximately three hours before detection and removal—but the potential reach of even brief exposure in a library this ubiquitous is substantial.

Vercel disclosed on 19 April that it had identified a security incident involving unauthorised access to its systems, caused by the compromise of Context.ai, a third-party tool. Attackers claimed to have stolen access keys, source codes, API keys, credentials to internal deployments, and database data. By 23 April, Vercel had identified additional compromised customer accounts. The Bitwarden CLI npm package was also compromised in mid-April, with attackers leveraging a compromised GitHub Action in Bitwarden’s CI/CD pipeline to steal GitHub tokens, SSH keys, environment variables, shell history, and cloud secrets.

Most strikingly, malicious images were pushed to the official “checkmarx/kics” Docker Hub repository, with threat actors managing to overwrite existing tags. The bundled KICS binary was modified to include data collection and exfiltration capabilities not present in the legitimate version—creating serious risk for teams using KICS to scan infrastructure-as-code files containing credentials.

The pattern across these incidents is consistent: trusted distribution channels, automated update mechanisms, and CI/CD pipelines have become the preferred entry points. Software composition analysis and provenance verification are no longer optional capabilities.

RSA Conference 2026: Agentic AI Takes the Floor

RSA Conference 2026, held in late March, set the agenda for the year. The dominant product category was not endpoint detection, cloud security posture management, or traditional SIEM—it was AI agent security: the tools, frameworks, and identity systems needed to govern autonomous software acting on behalf of humans inside enterprise networks.

The vendor announcements clustered around three themes: identity (who is the agent?), runtime enforcement (what is it allowed to do?), and detection (when something goes wrong, how do we know?). Cisco extended Zero Trust Access to AI agents through Duo IAM, registering non-human identities and binding them to accountable human owners with time-bound permissions. Microsoft launched Microsoft 365 E7: The Frontier Suite, bundling Copilot, Entra identity services, and Agent 365—a governance platform for AI agents. CrowdStrike announced the Charlotte AI AgentWorks ecosystem with Anthropic, OpenAI, and others as launch partners.

The numbers tell the story. Cisco’s own survey found that 85% of large enterprises are experimenting with AI agents, but only 5% have moved them to production. Research suggests non-human identities already outnumber human users by a factor of seventeen. Gartner predicts 33% of enterprise applications will include agentic AI by 2028, up from less than 1% in 2024.

Mandiant’s M-Trends 2026 report, released alongside the conference, captured the operational reality: cybercriminals are increasingly operating like highly-efficient businesses, establishing partnerships that have collapsed the window for defenders to intervene from hours down to twenty-two seconds at initial access points.

For organisations, the message is unambiguous: identity governance must extend to non-human identities. The traditional model—where security focuses on human users and “service accounts” are an afterthought—cannot scale to environments where machines outnumber humans by an order of magnitude.

April Patch Tuesday and the Vulnerability Cadence

Microsoft’s April 2026 Patch Tuesday was the second-largest on record, addressing 167 vulnerabilities across Windows, Office, SharePoint, and related products. Notable highlights include CVE-2026-32201, a SharePoint Server zero-day actively exploited in the wild, allowing unauthenticated remote attackers to present falsified information within trusted SharePoint environments. CISA added it to the Known Exploited Vulnerabilities catalog and urged immediate patching.

SAP’s CVE-2026-27681 (CVSS 9.9) stood out among other vendor patches for its potential to allow arbitrary SQL command execution. Fortinet and Adobe also released critical patches.

The Zscaler ThreatLabz 2026 VPN Risk Report, released during RSA, found that 51% of organisations experienced a VPN-related security incident in the past twelve months. Only 5% trust their VPN infrastructure to detect and stop AI-enabled threats, and only 6% can deploy a critical VPN patch within twenty-four hours. The latter figure is particularly concerning given that the exploitation window for critical vulnerabilities is now measured in hours, not weeks.

Notable Incidents This Month

Drift Protocol lost over $280 million in user assets through an attack discovered on 1 April that had been planned at least six months in advance. The incident underscores how patient and well-resourced cryptocurrency-focused threat actors have become.

Booking.com confirmed unauthorised third-party access to reservation information including names, addresses, booking dates, and special requests. The data is now prime fuel for highly targeted phishing campaigns.

Basic-Fit, Europe’s largest gym chain, suffered a cyberattack compromising data of 200,000 members in the Netherlands and exposing bank details of one million members across multiple countries.

Signature Healthcare Brockton Hospital in Massachusetts experienced a ransomware attack by the Anubis group, forcing emergency room ambulance diversion and patient care delays.

Minot, North Dakota Water Treatment Plant suffered a ransomware attack that forced reversion to manual management processes—the kind of operational impact that turns cyber incidents into public safety incidents. The FBI launched Operation Winter Shield to combat rising ransomware attacks on public utilities.

Active ransomware groups this month have included Qilin, ShinyHunters, CoinbaseCartel, and TheGentlemen, with municipal governments, professional services, and manufacturing remaining the primary targets.

Strategic Imperatives for May 2026

The convergence of AI-augmented vulnerability discovery, geopolitical retaliation against critical infrastructure, and supply chain compromise demands recalibrated priorities:

Treat the Mythos era as an inflection point. The capabilities Anthropic has demonstrated will proliferate. Organisations need patch management programmes that can respond in days, not months. The 6% of organisations that can deploy a critical VPN patch within twenty-four hours represent the new minimum standard, not a stretch goal.

Audit non-human identities ruthlessly. If non-human identities outnumber human users by seventeen to one—and your governance focuses primarily on humans—you have an architectural problem, not a tooling gap. Service accounts, API keys, AI agents, and machine identities require the same lifecycle management as human accounts.

Disconnect operational technology from the public internet. The Iranian PLC campaign succeeds because internet-exposed industrial control systems remain depressingly common. This is not a sophisticated attack vector. It is a configuration failure that adversaries have industrialised.

Verify your software supply chain. Software composition analysis, package provenance verification, and CI/CD pipeline security are no longer mature-organisation luxuries. The Axios, Vercel, Bitwarden, and Checkmarx incidents this month demonstrate that any of these vectors can compromise downstream organisations regardless of their own security posture.

Test endpoint management blast radius. If a single compromised admin account can wipe 200,000 devices across seventy-nine countries, your incident response plan needs to address that scenario explicitly. Phishing-resistant MFA, just-in-time privilege elevation, and out-of-band authorisation for destructive actions are essential.

Looking Ahead

April 2026 demonstrated that the threat landscape and the defensive capability landscape are evolving at unprecedented pace—often in the same direction, but not always at the same speed. The same AI capabilities that enable Project Glasswing’s coalition to find decades-old vulnerabilities will inevitably enable adversaries to find and exploit similar flaws elsewhere. The window is narrow.

The Iran conflict shows that geopolitical events translate to cyberspace within hours, with consequences extending to organisations far from the kinetic theatre. Critical infrastructure operators—particularly water, energy, and transit—should assume targeting is ongoing.

The supply chain incidents reinforce that perimeters are increasingly meaningless. Your security posture is the product of every organisation that touches your software, your data, and your identity systems. Trust must be earned through verification, not extended by default.

Most importantly, the agentic AI era has arrived in production. Whether your organisation is prepared to govern autonomous systems is no longer a strategic question for 2027 planning—it is an operational question for May.

The defenders who thrive will be those who recognised these shifts early and acted with conviction. The clock is no longer ticking quietly.

Samuel Odekunle is Managing Partner at MustardTree Partners, specialising in cybersecurity strategy, identity and access management, and digital transformation.

State of Security is published monthly. Subscribe for the latest analysis on the evolving threat landscape.