Chimera readability score 97 out of 100, Quantum Electrodynamics reading level.

Risky Business Podcast
May 06, 2026
Risky Business #836 -- You can't patch the bugpocalypse
On this week’s show, Patrick Gray and James Wilson are joined by special guest co-host Brad Arkin. They discuss the week’s cybersecurity news, including:
- The US Government says we just have to patch faster, but…
- Bugs in cPanel, MoveIt and all Linux distributions this week show that patching alone isn’t enough
- James gets mad about lame AI Agent adoption advice from the US and Australian Governments
- James Kettle and Niels Provos both showed us that any model can find 0day like Mythos
- And the cyber-assisted theft of cargo results in an astonishing loss of $725 million
This week’s show is sponsored by SpecterOps. Their CTO, Jared Atkinson, chats to Pat about the big changes in the threat landscape, brought about by AI, that are causing a pivot away from detection and remediation, and toward prevention.
This episode is also available on YouTube.
Show notes
Federal agencies must patch cPanel bug by Sunday, CISA says | The Record from Recorded Future News
cPanel zero-day exploited for months before patch release (CVE-2026-41940) - Help Net Security
The most severe Linux threat to surface in years catches the world flat-footed - Ars Technica
New MOVEit vulnerabilities prompt urgent patch warning | Cybersecurity Dive
US and allies urge ‘careful adoption’ of AI agents | Cybersecurity Dive
careful_adoption_of_agentic_ai_services.pdf
User just tricked Grok and Bankrbot to send tokens with Morse code - Cryptopolitan
Finding Zero-Days with Any Model
Sponsored: James Kettle built an AI hacker - YouTube
Feature Interview: Nicholas Carlini, Anthropic - Risky Business Media
Trellix investigating breach of source code repository | Cybersecurity Dive
Popular DAEMON Tools software compromised | Securelist
Komari Red: The Monitoring Tool with a Built-in Reverse Shell | Huntress
Hackers earning millions from hijacked cargo, FBI says | The Record from Recorded Future News
Congress punts FISA renewal to June | The Record from Recorded Future News
Cops Use Apple Data And Car Bluetooth To Identify Crypto Robbery Suspect
Stewart Baker, outspoken voice on cybersecurity and national security law, dies at 78 | IAPP

Facts Only

The US government, via CISA, mandated federal agencies patch a cPanel zero-day vulnerability (CVE-2026-41940) by May 11, 2026.
The cPanel vulnerability was exploited in the wild for months before a patch was released.
A severe Linux threat, described as one of the most significant in years, emerged unexpectedly.
New vulnerabilities in MOVEit software prompted urgent patching warnings.
US and Australian governments issued joint guidance urging "careful adoption" of AI agents.
Researchers James Kettle and Niels Provos demonstrated AI models capable of discovering zero-day vulnerabilities.
A cyber-assisted cargo theft operation resulted in losses totaling $725 million.
The FBI reported hackers earning millions from hijacked cargo shipments.
Congress delayed the renewal of FISA surveillance authorities until June 2026.
Law enforcement used Apple data and car Bluetooth records to identify a suspect in a crypto robbery.
Stewart Baker, a prominent figure in cybersecurity and national security law, died at age 78.
Trellix is investigating a breach of its source code repository.
DAEMON Tools software was compromised in a supply chain attack.
The monitoring tool Komari Red was found to contain a built-in reverse shell.

Executive Summary

This week's cybersecurity news highlights the persistent challenges in vulnerability management and the evolving threat landscape. The US government has issued urgent directives for federal agencies to patch critical vulnerabilities in cPanel (CVE-2026-41940), which had been exploited for months before a fix was released. Simultaneously, severe Linux threats and new MOVEit vulnerabilities have underscored that patching alone is insufficient for comprehensive security. The discussion also critiques recent government guidance on AI agent adoption, with experts arguing that current recommendations lack practical depth. Meanwhile, researchers like James Kettle and Niels Provos demonstrated how AI models can identify zero-day vulnerabilities, raising concerns about the democratization of exploit discovery. A notable incident involved cyber-assisted cargo theft resulting in a $725 million loss, illustrating the financial stakes of digital crime. Additionally, the episode features insights from SpecterOps' CTO on shifting cybersecurity strategies toward prevention amid AI-driven threats.
The conversation reflects broader tensions in cybersecurity: the gap between policy directives and operational realities, the arms race between offensive and defensive AI capabilities, and the escalating financial and logistical consequences of digital vulnerabilities. While patching remains critical, the recurring theme is that reactive measures are no longer sufficient in an environment where threats evolve faster than defenses can adapt.

Full Take

The narrative presented here leans into a familiar cybersecurity paradox: the tension between policy mandates and operational feasibility. The strongest version of this story—its steelman—highlights legitimate concerns about the inadequacy of patching as a standalone defense, the accelerating pace of vulnerability discovery (including AI-assisted methods), and the staggering financial costs of cyber-enabled crime. These are real, documented challenges that warrant attention. However, the framing risks amplifying a sense of inevitability—what some might call "security nihilism"—where the sheer volume of threats renders proactive defense futile. This aligns with a subtle but detectable pattern of **ARC-0024 Ambiguity**, where the complexity of the problem is emphasized without proportional discussion of mitigating strategies beyond the shift to "prevention" advocated by SpecterOps.
The root cause of this narrative is a broader paradigm in cybersecurity discourse: the assumption that technological advancement (e.g., AI) inherently outpaces human or institutional capacity to adapt. This echoes historical patterns of "technological determinism," where tools are framed as autonomous drivers of change rather than extensions of human agency. The implication is that organizations are perpetually playing catch-up, which may inadvertently discourage investment in foundational security practices like asset management, least privilege, and threat modeling—measures that remain effective regardless of the threat landscape's evolution.
For human agency and dignity, the question is whether this framing empowers or disempowers practitioners. Who benefits from the narrative of an unstoppable "bugpocalypse"? Vendors selling AI-driven prevention tools, certainly, but also threat actors who rely on defender fatigue. The second-order consequence is a potential erosion of trust in public-sector guidance, given the critique of government AI adoption advice as "lame" or impractical. This could further fragment an already siloed cybersecurity community.
Bridge questions to consider: What evidence would it take to shift the conversation from "patching isn't enough" to "here’s how we layer defenses effectively"? How might the focus on AI-driven threats obscure lower-tech but equally damaging attack vectors, like social engineering? And if the goal is resilience, why does the discourse so often center on failure rather than adaptive success?
Counterstrike scan: If this were part of a coordinated influence campaign, the playbook would likely involve exaggerating the scale of threats to create urgency around specific solutions (e.g., AI prevention tools) while undermining confidence in existing defenses. However, the content here does not structurally align with such a pattern. The critique of government guidance and the inclusion of diverse perspectives (e.g., researchers, vendors, law enforcement) suggest a genuine attempt to grapple with complexity rather than manipulate it. The tone is skeptical but not cynical, and the focus remains on actionable insights rather than fear-mongering.
Patterns detected: ARC-0024 Ambiguity (subtle emphasis on complexity without proportional mitigation discussion)

Sentinel — Human

Confidence

The text appears to be a human-compiled summary and source list for a podcast episode, characterized by specific, verifiable references rather than generalized, synthetic language.

Signals Detected

low severity: Varied structure of titles, list formatting, and direct quotes (implied by the list format). Not the uniform rhythm of typical LLM prose.
low severity: High coherence; the text is a well-structured summary of a specific topic (cybersecurity news and podcast episode) with logical flow.
low severity: The bulleted list and embedded source links are highly coordinated, reflecting a clear organizational structure (show notes/metadata).
low severity: References to specific CVEs (CVE-2026-41940), named individuals, and specific news sources suggest grounded, verifiable data, not pure fabrication.

Human Indicators

The inclusion of specific, complex references (e.g., CVE numbers, specific names like James Kettle and Niels Provos, and specific legal events like FISA renewal) indicates human-compiled or highly specific source input.
The informal, slightly agitated framing of discussion points (e.g., 'James gets mad about lame AI Agent adoption advice') introduces a specific, idiosyncratic voice.