Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

We have thousands of internal apps at Cloudflare. Some are things we’ve built ourselves, others are self-hosted instances of software built by others. They range from business-critical apps nearly every person uses, to side projects and prototypes. All of these apps are protected by Cloudflare Access. But when we started using and building agents — particularly for uses beyond writing code — we hit a wall. People could access apps behind Access, but their agents couldn’t.

In automotive and manufacturing, digital transformation is no longer a future ambition—it’s operational reality. Connected vehicles, smart factories, and increasingly complex supply chains have introduced a new dependency: trusted device identity and secure key management at scale. And yet, many organisations are still: This gap is no longer just a technical issue—it’s a business risk.

The revolution is here, but it’s not what we expected. AI coding assistants have transformed software development, with developers shipping code faster than ever before. GitHub Copilot, Amazon CodeWhisperer, and Claude Code have become as essential to modern development as Git itself. The productivity gains are undeniable; what once took hours now takes minutes. But there’s a dangerous blind spot in this revolution: security.

For decades, security leaders have optimized defenses in two dimensions. Doors, locks, fences, cameras, access badges, identity systems, and multi-factor authentication have all been designed to control who and what moves through physical and digital perimeters. But as experts discussed during RSAC 2026, something fundamental has changed: the threat landscape has gone airborne.

Anthropic just released Claude Mythos Preview. They did not make it publicly available. That decision alone should tell you everything you need to know about what this model can do. During internal testing, Mythos autonomously discovered and exploited zero-day vulnerabilities across every major operating system and web browser. It found a 27-year-old bug in OpenBSD. A 16-year-old vulnerability in a widely used media codec.

In the fifth installment of SafeBreach’s AI-First series, VP of Development Yossi Attas explores how the development team’s AI-First philosophy is being extended to the customer frontier and improved upon through the Anti-Hallucination Protocol.

Python AWS Lambda functions are ephemeral and highly distributed, which creates security visibility gaps that traditional perimeter defenses and proxy-based controls struggle to fill. Techniques such as credential stuffing, SQL injection, and server-side request forgery (SSRF) can look like legitimate application traffic, making them difficult to identify without visibility inside the application itself.

By Roger A. Grimes and Matthew Duren AI agents can deliver incredible productivity gains, but their operational complexity makes effective threat modeling harder than ever, including for developers, administrators and especially end users. At the same time, both developers and non-developers are increasingly vibe-coding, or using AI to generate functional software from natural language prompts.

Today, we’re introducing Justification Coach, a new AI-powered capability that helps users write better access request justifications in real time, so admins get the context they need for audits and investigations without having to chase people down after the fact.

There is a version of AI SOC that most security teams are familiar with. It summarizes alerts. It surfaces recommendations. It tells an analyst what to look at next. It is useful in the way a well-organized report is useful: it saves time reading, but the work still happens at a human pace. That version of AI is not what this blog is about. For MSSPs and SecOps teams operating at scale, advisory AI is not a destination. In fact, it presents a bottleneck in a different form.