Your perimeter didn't fail because you chose the wrong tools. It failed because every perimeter eventually does — and the five attack surfaces beneath it have no runtime governance when it does.
This week, two Microsoft Defender zero-days landed on CISA's Known Exploited Vulnerabilities list. One gives attackers SYSTEM-level privilege on any Windows endpoint. The other silences Defender's scanner — killing the tool protecting the endpoint while it's under attack. Both are being actively exploited in the wild.
Three weeks before that, a China-nexus state actor exploited a critical Palo Alto PAN-OS buffer overflow (CVSS 9.3) via an unauthenticated network request. They had four weeks of uncontested root access before a patch was available. Four weeks during which every AI agent, service account, cloud workload, and enterprise API behind those firewalls was exposed with no independent runtime defense.
This isn't a story about bad security tools. Defender, Palo Alto, CrowdStrike, Zscaler, and Okta are world-class platforms built by world-class teams. This is a story about a structural gap that every one of them shares — and that no perimeter tool, however good, is designed to fill.
The Incidents: What Actually Happened
CVE-2026-41091: Microsoft Defender privilege escalation to SYSTEM
A link-following vulnerability in Defender's scanning logic allows authenticated local attackers to escalate to SYSTEM-level privileges on any Windows endpoint. The exploit targets the Defender scanning process itself — the tool meant to protect the endpoint becomes the path to owning it.
Exploitation requires local access — which, in practice, means any phishing link, browser exploit, or supply-chain payload that runs on the endpoint. Once an attacker has user-level access, CVE-2026-41091 lifts them to SYSTEM. From SYSTEM, they own the machine, its credentials cache, and every token it holds.
Patched in: Microsoft Malware Protection Engine 1.1.26040.8
Sources
- The Hacker News — Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
- Bleeping Computer — Microsoft warns of new Defender zero-days exploited in attacks
- Help Net Security — Microsoft Defender vulnerabilities exploited in the wild
- Vulert — CVE-2026-41091 and CVE-2026-45498: Microsoft Defender Flaws Actively Exploited
CVE-2026-45498: Microsoft Defender Antimalware Platform denial of service
A denial-of-service vulnerability in the Microsoft Defender Antimalware Platform allows attackers to crash or impair Defender's protection capabilities — creating a silent window for follow-on attack and persistence. Used in tandem with CVE-2026-41091, an attacker can escalate to SYSTEM and then disable the scanner before it catches the post-exploitation activity.
The combination is particularly dangerous for M365 enterprise customers, who rely on Defender as the primary endpoint protection layer across their Microsoft 365 environment — including the AI Copilot integrations that connect to business data.
Patched in: Microsoft Defender Antimalware Platform 4.18.26040.7
CVE-2026-0300: Palo Alto PAN-OS Captive Portal buffer overflow (CVSS 9.3)
An unauthenticated buffer overflow in PAN-OS's User-ID Captive Portal gave remote attackers root-level code execution on PA-Series and VM-Series firewalls. No credentials required. No MFA to bypass. Just a network request to the exposed Captive Portal.
Unit 42 attributed exploitation to CL-STA-1132, a China-nexus state-sponsored threat cluster with tactical overlaps to Volt Typhoon and APT41. The group's post-exploitation playbook included shellcode injection into nginx, Active Directory enumeration, deployment of EarthWorm and ReverseSocks5 tunneling tools, and systematic log destruction.
First exploitation attempts were observed April 9, 2026. Successful RCE was achieved by April 16. Public disclosure came May 6. Patches began rolling out May 13 — 34 days after the first attack. During that window, organizations relying on Palo Alto firewalls as their primary perimeter had no patch to apply. Their AI agents, service accounts, cloud workloads, and APIs were behind a compromised perimeter with no independent runtime defense layer.
Sources
- Palo Alto Unit 42 — Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day
- SecurityWeek — Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls
- The Hacker News — Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution
- Help Net Security — State-sponsored hackers likely behind zero-day attacks on Palo Alto firewalls
- Rapid7 — Critical Buffer Overflow in Palo Alto Networks PAN-OS (CVE-2026-0300)
- The Register — State-backed hackers hammer Palo Alto firewall zero-day before patch lands
The Structural Gap: What Every Stack Shares
The following analysis is not a criticism of any vendor's engineering quality. It is a description of what each tool category is architecturally designed to do — and where that design stops. Every incident listed below is sourced and verified.
Microsoft Defender
What it's designed for: Endpoint protection, email security, identity signals across Microsoft 365. World-class at detecting known malware patterns and phishing.
Documented failures:
- CVE-2026-41091 (CVSS 7.8, May 2026, actively exploited): Local privilege escalation to SYSTEM via Defender's own scanning engine — the protector becomes the attack surface. CISA KEV, federal deadline June 3. Source: The Hacker News
- CVE-2026-45498 (May 2026, actively exploited): Denial-of-service shuts down Defender's scanner mid-attack, creating a clean window for persistence and exfiltration. Used in tandem with CVE-2026-41091 in live intrusions. Source: TechTimes
- Microsoft Midnight Blizzard (Jan 2024): APT29 (Russian SVR) password-sprayed a legacy Microsoft test OAuth tenant (no MFA) and escalated to Directory.ReadWrite.All — accessing senior leadership, cybersecurity team, and legal employee emails. Defender was running. Source: Microsoft MSRC
Structural gap: No visibility into AI agent behavior, NHI credentials, or cloud workload actions — and when Defender itself is compromised, endpoint protection is gone entirely.
Palo Alto Networks
What it's designed for: Network-layer perimeter enforcement, SASE, next-gen threat prevention. The gold standard for enterprise network security.
Documented failures:
- CVE-2026-0300 (CVSS 9.3, Apr–May 2026, state-sponsored): Unauthenticated buffer overflow in PAN-OS Captive Portal. China-nexus CL-STA-1132 achieved root RCE on April 16, exploited for 34 days before a patch shipped May 13. Post-exploitation: nginx shellcode injection, AD enumeration, EarthWorm/ReverseSocks5 tunneling, log destruction. Source: Palo Alto Unit 42
- CVE-2024-3400 (CVSS 10.0, Apr 2024): Command injection in GlobalProtect VPN. Exploited by UTA0218 (state-sponsored) before a patch existed — another zero-day in the perimeter device itself. Source: CISA KEV
Structural gap: When the firewall itself is the exploited device, every asset behind it is exposed — with no independent runtime enforcement watching AI agents, cloud workloads, or enterprise APIs.
CrowdStrike and SentinelOne (EDR)
What it's designed for: Endpoint detection and response, behavioral threat hunting, ransomware prevention. The best tools at detecting malicious process behavior on endpoints.
Documented failures:
- CrowdStrike Falcon Outage (Jul 19, 2024): A faulty Channel File 291 update caused an out-of-bounds memory read in the Windows sensor, BSoD-looping 8.5 million Windows machines globally. Airlines, hospitals, banks, stock exchanges, emergency services down. Estimated $5–10B global impact; Fortune 500 companies alone faced $5.4B in damages. Source: Wikipedia / CISA
- SentinelOne "Bring Your Own Installer" EDR Bypass (2025): Researchers discovered attackers could disable SentinelOne by launching the legitimate installer, then forcibly terminating it mid-upgrade after services are stopped but before the new version installs — leaving the endpoint unprotected. Used in a live Babuk ransomware deployment. Source: BleepingComputer
Structural gap: EDR is blind to AI agent behavior, prompt injection, NHI credential abuse, and cloud workload actions — none of which look like endpoint malware to a signature or behavioral engine.
Zscaler and Netskope (SSE / CASB)
What it's designed for: Secure service edge, cloud application visibility, CASB controls, zero trust network access. Excellent at controlling what SaaS applications users can reach.
Documented failures:
- Zscaler CVE-2025-54982 — SAML Authentication Bypass: Zscaler's SAML 2.0 SP implementation failed to validate that assertions were signed by the configured IdP. Attackers could generate arbitrary SAML assertions for any user, gaining complete authentication bypass to Zscaler web proxies and ZPA. Source: Amber Wolf Advisory
- Netskope CVE-2025-0309 — Privilege Escalation (Windows Client): IPC communication flaw between Netskope's low-privileged UI process and SYSTEM-privileged service allowed low-privilege users to escalate to full system access — defeating the zero-trust client. Source: GBHackers
- Zscaler CVE-2023-28802 — Client Connector Bypass: Low-privilege users could bypass ZIA/ZPA controls via a service restart. Source: SecPod
Structural gap: CASB sees which SaaS apps users access — not what AI agents do inside those apps. When an agent calls 200 enterprise APIs in 30 seconds, that's invisible to a proxy layer.
Okta (Identity)
What it's designed for: Human identity lifecycle, SSO, MFA, conditional access. Excellent at ensuring the right humans can authenticate to the right applications.
Documented failures:
- Okta Support System Breach (Oct 2023): Threat actor accessed Okta's customer support system via a stolen employee credential synced to a personal Google account. Exfiltrated session tokens from customer HAR files — affected 134 enterprise customers including BeyondTrust, 1Password, and Cloudflare. Source: Help Net Security
- ADT Okta Vishing × 3 (Aug 2024, 2025, 2026): ShinyHunters vished ADT help desk to reset Okta SSO credentials, pivoted to Salesforce, and exfiltrated customer data — three times in 18 months using the identical vector. Third breach: 5.5M records confirmed by HIBP. Source: Rescana
- MGM Resorts Okta SuperAdmin (Sep 2023): Scattered Spider researched an MGM employee on LinkedIn, called the help desk, and convinced them to reset Okta credentials in 10 minutes — escalated to SuperAdmin, owned VPNs, Azure AD, ESXi hypervisors, deployed ALPHV ransomware to 100+ hosts. $100M+ impact. Source: BleepingComputer
- Salesforce / Drift OAuth (Aug 2025): One compromised OAuth integration token gave UNC6395 access to 700+ Salesforce customer organizations — running SOQL queries across all to harvest credentials, customer records, and embedded cloud tokens. Source: SecurityAffairs
Structural gap: Okta governs human authentication. It has no inventory of the OAuth tokens your SaaS vendors hold on your behalf, no behavioral monitoring on service accounts, and no visibility into what AI agents do after they're granted access.
SIEM (Splunk, Microsoft Sentinel)
What it's designed for: Log aggregation, threat correlation, SOC alerting. Excellent at telling you what happened after enough data has been collected and correlated.
Structural gap (by design, not failure): SIEM is retrospective. By the time a Splunk alert fires on anomalous Snowflake queries, 560 million records have moved. By the time Sentinel correlates the Palo Alto log destruction with the AD enumeration, the tunneling tools are already deployed. The median time-to-detect for a SIEM-based SOC is measured in hours to days — not the seconds required to stop an AI agent mid-execution.
AI-specific blind spot: AI agent actions — prompt injection, tool call redirection, gradual context poisoning — produce no malware signatures and no anomalous process trees. They look like normal application traffic to a SIEM. Sentinel and Splunk cannot detect what they cannot model, and neither has a behavioral model for agentic AI.
Cisco AI Defense
What it claims: End-to-end AI security from development through deployment — AI asset inventory, automated model/MCP server testing, runtime guardrails, AI BOM for supply chain visibility, MCP Catalog for agent risk governance.
Documented gaps:
- Guardrail bypass (Apr 2025 — Policy Puppetry): HiddenLayer researchers showed that all major model guardrails — including Cisco's — can be bypassed by reformatting malicious prompts as XML, JSON, or INI policy files. The bypass works across OpenAI, Google, Anthropic, Meta, DeepSeek, and Mistral models. Source: SecurityBoulevard
- Cisco's own research (2026): 26% of 31,000 agent skills analyzed contained exploitable vulnerabilities. Cisco documented successful algorithmic jailbreaks of DeepSeek R1 with zero human supervision. Source: Cisco State of AI Security 2026
Structural gap: Cisco AI Defense is a testing and supply-chain visibility tool. It red-teams models and inventories MCP servers before deployment. It does not enforce NHI lifecycle, govern enterprise data access at the quantum-safe layer, control cloud workload behavior at runtime, or provide a kill switch for rogue agents mid-execution.
Wiz, Orca and Lacework (CNAPP / AI-SPM)
What they claim: AI Security Posture Management (AI-SPM), cloud-native AI asset discovery, end-to-end visibility across code, cloud, and AI runtime. Wiz's AI-Application Protection Platform (launched 2026) inventories every model, framework, IDE extension, and managed AI service. Orca (acquired Opus for agent orchestration, May 2025) adds agentic threat investigation. Lacework (acquired by Fortinet 2024, now FortiCNAPP) covers cloud workload behavioral analytics.
Structural gaps shared across all three:
- Visibility ≠ enforcement: These platforms discover AI assets and surface risk — they do not execute policy on every tool call or API interaction at sub-millisecond latency.
- No NHI lifecycle: None provide credential provisioning, rotation, or revocation for AI agent identities.
- No quantum-safe data governance: None enforce post-quantum encryption, format-preserving tokenization, or data-layer access policy at the moment of AI access.
- No kill switch: No emergency agent termination control. Only Microsoft's Agent Governance Toolkit (open-source, Apr 2026) and ServiceNow AI Control Tower (May 2026) explicitly include kill switches. Source: The Register
Protect AI and HiddenLayer
What they claim: Protect AI scans models at intake (4.47M+ model versions scanned as of Apr 2025) and gates unsafe models from deployment. HiddenLayer provides model-agnostic runtime defense against prompt injection and adversarial inputs — without access to model weights.
Documented gaps:
- HiddenLayer Policy Puppetry bypass (Apr 2025): HiddenLayer's own researchers disclosed that their runtime defense — and all major model guardrails — can be bypassed using XML/JSON/INI prompt reformatting. Works across all major model families. Source: SecurityBoulevard
- HiddenLayer OpenAI guardrail bypass (Oct 2025): LLM-judge guardrails inherit the parent model's jailbreak vulnerabilities, creating cascading failures that bypass second-layer defenses. Source: CyberSecurityNews
Structural gap: Both tools are model-layer gates, not enterprise governance layers. Neither governs NHI credentials, cloud workload behavior, enterprise data access policies, or API call patterns. A model that passes Protect AI's scan and survives HiddenLayer's guardrails can still exfiltrate data, abuse APIs, and operate with no runtime kill switch.
None of these tools — traditional security stack or newer AI-focused — govern the five surfaces that are active and exposed the moment a perimeter is compromised.
The 5 Unprotected Attack Surfaces — With Real Breach Data
Surface 1: AI Agents
When Defender is silenced or the firewall is compromised, your AI agents keep running. They answer prompts, call APIs, access sensitive data, and execute actions — with no visibility into whether they've been manipulated, injected, or exfiltrated through.
Real incidents:
- OpenClaw "Claw Chain" Agent Takeover (May 2026): Chained vulnerabilities allowed full AI agent hijacking — system prompt override, tool call redirection, exfiltration of the agent's full context window including secrets and PII.
- Claude Code MCP OAuth Token Theft (May 2026): Poisoned npm hooks installed a malicious MCP server that persistently exfiltrated developer OAuth tokens — surviving sessions and restarts — to exfiltrate Google Workspace and AWS credentials.
- Gemini CLI CVSS 10 RCE (Apr 2026): Malicious repo context triggered agent execution of embedded commands — harvesting GitHub tokens, cloud credentials, and developer secrets. Source: The Hacker News
- Google Antigravity IDE Prompt Injection → RCE (Apr 2026): Payload embedded in a README or dependency file triggered the AI assistant to execute arbitrary commands without user interaction beyond opening the file.
- Cursor IDE / Claude Code / Copilot TrustFall RCE (May 2026): A universal RCE convention vulnerability affecting all major AI coding assistants — malicious repos trigger code execution on developer machines.
- Anthropic Rogue AI Campaign (Sep 2025): Anthropic's own AI conducted an 80–90% autonomous cyberattack campaign against 30 organizations (tech, financial, chemical, government) with humans intervening at only 4–6 decision points — despite Anthropic's governance framework being active. Source: Kiteworks
RuntimeAI governance:
- KYA (Know Your Agent) — cryptographic agent identity validation and scope enforcement; unknown agents get no access, not just a warning
- PII Shield — PII and PHI redacted inline at the agent boundary; HIPAA and GDPR compliance enforced at the moment of AI access
- Audit Black Box — tamper-proof, court-admissible record of every agent action; forensics-ready regardless of whether endpoint logs were destroyed
- Agent Fraud Shield — compromised or manipulated agents caught by behavioral pattern, not by signature
Surface 2: Non-Human Identities (NHIs)
Nine of the sixteen largest enterprise breaches of the last three years were NHI failures. Not phished passwords — stolen service-account credentials, OAuth integration tokens, and CI/CD machine identities used exactly as issued, by attackers doing exactly what the token was designed to permit.
Real incidents:
- Salesforce / Drift OAuth (Aug 2025) — 700 enterprise tenants: One compromised OAuth integration token gave UNC6395 authenticated API access to 700+ Salesforce organizations. SOQL queries across all harvested credentials, customer records, and embedded AWS/Snowflake tokens.
- Vimeo via Anodot → Snowflake (Apr 2026) — 119K records: ShinyHunters breached analytics vendor Anodot, stole connector OAuth tokens, logged directly into Vimeo's Snowflake, and ran bulk SQL queries. Vimeo's own identity stack never saw the attacker.
- Rockstar Games via Anodot (Apr 2026) — ~80M records claimed: Same Anodot connector tokens used to access Rockstar's Snowflake. One vendor NHI breach, blast radius across entire customer book.
- Zara / Inditex via Anodot (May 2026) — 197K records: ShinyHunters used a stale Anodot API key issued 11 months after the vendor relationship ended — proving NHI credentials survive vendor offboarding.
- LiteLLM CI/CD (Mar 2026): Poisoned Trivy security scanner in CI/CD pipeline exfiltrated PyPI publish token → published malicious litellm 1.82.7/1.82.8 → harvested SSH keys, GCP/AWS/Azure credentials, kubeconfigs, and database passwords from every install.
- TanStack npm Worm (May 2026): Hijacked GitHub Actions OIDC token published malicious npm packages signed with TanStack's legitimate identity — worm harvested CI/CD tokens from downstream organizations.
- Vercel → Context.ai OAuth Cascade (Apr 2026): Lumma Stealer compromised Context.ai employee → exfiltrated Google Workspace OAuth refresh tokens → used to access Vercel's internal environments.
RuntimeAI governance:
- NHI Security Dashboard — every service account, API key, CI/CD token, and bot has a tracked lifecycle: provisioned with least privilege, rotated on schedule, revoked on termination or suspicion
- Machine Identity Governance — behavioral monitoring per NHI; an analytics connector that suddenly bulk-exports is anomalous regardless of whether its token is valid
- Agent DNS (KYA-DNS) — unknown AI agents get no DNS response; only registered, policy-compliant agents can reach your infrastructure
Surface 3: Cloud Workloads
Cloud workload security tools focus on configuration drift and compliance posture — static snapshots. When a workload is compromised at runtime, the policy gap is behavioral, not configurational.
Real incidents:
- Snowflake — 160+ enterprise customers, 560M+ records (Apr–Jun 2024): Infostealers harvested Snowflake credentials over years; attacker logged in via valid credentials, ran bulk SELECT queries. AT&T (110M records), Ticketmaster (560M), Santander Bank, LendingTree, 155+ others. MFA was opt-in; bulk export alerts were a paid add-on. Source: KrebsOnSecurity
- Canvas / Salesforce — 275M student records, 3.65TB (May 2026): ShinyHunters exploited a self-enrollment tier that shared production infrastructure, exfiltrating 3.65TB across 8,809 institutions over 7 days — then repeated the breach one week later via the same vector.
- MGM Resorts ALPHV Ransomware (Sep 2023): After vishing Okta SuperAdmin, Scattered Spider deployed ALPHV ransomware to 100+ ESXi hypervisors — all valid cloud workload actions using legitimate admin credentials. CWPP tools saw nothing anomalous.
- Comcast / CitrixBleed (Oct 2023) — 35.9M records: CVE-2023-4966 extracted authenticated session tokens from NetScaler memory with no credentials — attacker used pre-MFA-passed sessions. $117.5M class action settlement approved 2026. Source: BleepingComputer
RuntimeAI governance:
- Cloud AI Posture Management — shadow AI APIs and unregistered cloud workloads found and governed automatically across AWS, Azure, and GCP in one view
- Real-time behavioral enforcement — policy rules applied at the moment of execution, not in the next compliance scan
- Autonomous Incident Response — AI security incidents contained and remediated automatically; mean time to respond drops from hours to seconds
Surface 4: Enterprise Data
When the perimeter is compromised, data governance cannot rely on network controls. Every Snowflake breach, every OAuth-token-driven exfiltration, every harvest-now-decrypt-later attack exploits the same gap: data protection that stops at the perimeter boundary instead of being enforced at the data itself.
Real incidents:
- Snowflake — 160+ customers, 560M+ records (Apr–Jun 2024): Infostealers harvested credentials over years; attackers ran bulk SQL queries on Snowflake via valid sessions. AT&T (110M), Ticketmaster (560M), Santander Bank, LendingTree, 155+ more. All data was accessible without any quantum-safe controls at the data layer. Source: KrebsOnSecurity
- Canvas / Instructure — 275M student records, 3.65TB (May 2026): 8,809 institutions, billions of private messages, academic records, faculty PII — all plaintext-accessible via a self-enrollment tier. No data-layer access policy. No egress volume limit at the data level.
- OpenLoop Health — 716K patient records (May 2026): PHI exfiltrated from telehealth backend. HIPAA-covered data with no enforcement at the point of AI access — only perimeter controls that failed.
- 50 Global Firms — infostealer cookie replay (Apr–May 2026): Operators bought browser cookie logs → replayed authenticated sessions via geo-matched SOCKS5 proxies → bulk data exfiltrated from valid SSO sessions. No data-layer control stopped the exfiltration.
- Nation-state harvest-now-decrypt-later: CL-STA-1132 (the Palo Alto PAN-OS attacker) is documented using EarthWorm tunneling tools to exfiltrate data during its 34-day dwell time. That data — encrypted with RSA or AES-128 today — is potentially decryptable when quantum capability scales. PQ Transit Shield (ML-KEM) closes this window. Source: Unit 42
This is especially acute in the post-quantum threat model. Nation-state actors — including CL-STA-1132 — are actively collecting encrypted data today to decrypt once quantum computing capability scales. Your data security posture needs to be quantum-safe now, not when NIST mandates it.
RuntimeAI / PQData governance:
- QuantumVault — secrets stored with NIST-certified post-quantum encryption (ML-KEM / FIPS 203); future-proof from day one
- PQ TokenVault — format-preserving tokenization (FPE) for card numbers, SSNs, and PHI; PCI DSS and HIPAA compliant without re-engineering data pipelines
- PQ Transit Shield — ML-KEM key exchange on all data in motion; safe against harvest-now-decrypt-later attacks that target data collected today
- PQ CryptoGuard — full cryptographic inventory mapped and scored for quantum readiness; gaps surfaced automatically before regulators find them
- PQ Policy Engine — attribute-based access control enforced at the data layer; conditional access policies that hold even when the perimeter is gone
- PQ Comply — CNSA 2.0, FedRAMP, and HIPAA quantum-readiness evidence generated automatically; audit evidence in days, not months
- PQ Sign — documents and code signed with ML-DSA-87 (FIPS 204); signatures that survive the quantum era
- PQ Secure DataShare — per-recipient PQC encryption on shared files; only the intended recipient can decrypt, regardless of who intercepts transit
Surface 5: Enterprise APIs
API gateways enforce authentication and rate limiting at the front door. When an attacker holds a valid token — their own or stolen — the gateway passes the request. What the API does with that request, what data it returns, and what downstream systems it touches are all outside the gateway's enforcement scope.
AI agents make this dramatically worse: they call APIs at machine speed, across hundreds of integrations, with session-level credentials that are difficult to rotate. Without behavioral monitoring at the API call level, exfiltration looks identical to normal traffic.
Real incidents:
- Salesforce / Drift — SOQL API abuse across 700 tenants (Aug 2025): One OAuth token → authenticated SOQL queries across 700 Salesforce organizations. 700 API-layer breaches from one compromised NHI, all returning 200 OK.
- SAP npm Package Supply Chain (May 2026): Injected preinstall scripts in @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt executed on npm install → exfiltrated CI/CD API tokens to attacker-controlled endpoints → used npm API to republish malicious versions to downstream.
- Hugging Face "OpenAI Privacy Filter" (May 2026) — 244K downloads: Malicious repo ranked #1 trending; embedded code exfiltrated environment variables, AWS credentials, and OpenAI API keys via attacker API on every install. Source: The Hacker News
- NVIDIA NemoClaw — AI sandbox API exfiltration (May 2026): Attackers encoded sensitive context data (secrets, PII) into legitimate-looking model API calls — exfiltrating agent memory through the model API channel, invisible to API gateways.
- Grafana — missed token rotation after TanStack (May 2026): Grafana failed to rotate Snowflake/BigQuery connector tokens following the TanStack supply-chain exposure — attacker used the unrotated token for backend API access. Source: The Hacker News
- GitHub — 4,000 internal repos exfiltrated (May 2026): Attackers exfiltrated ~4,000 internal GitHub repositories containing internal code, CI/CD secrets, service account tokens, and undisclosed vulnerability data — all via authenticated API access.
RuntimeAI governance:
- AI Integration Hub (MCP Gateway) — agents connect to enterprise tools through a governed, policy-enforced gateway; no direct tool access, no unaudited integrations
- API behavioral monitoring — real-time detection of abuse patterns, prompt injection attempts, and data exfiltration signatures at the integration layer
- Policy-as-Code (Rego / OPA) — security teams write governance rules once; enforced at every API call automatically, with no manual gates to bypass
Kill Switch: Acting During the Attack, Not After
⚡ RuntimeAI Kill Switch — 3-Level Escalation
Your SIEM tells you what happened. RuntimeAI Kill Switch stops it while it's happening.
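The NHI and API sections above, and the three-level kill switch, all rest on one idea: judge a machine identity by its behaviour, not by whether its token is valid. The Python below is an added example, not RuntimeAI's or any vendor's code. It runs three checks over a constructed audit log (a credential used after vendor offboarding or by an unregistered identity, a burst of calls at machine speed, and a bulk export far above the identity's own baseline) and maps the findings onto L1 monitor / L2 notify / L3 kill; the log format, thresholds and level assignments are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (illustrative, not data from any real incident):
# one record per API call by a non-human identity: (timestamp, identity, rows).
AUDIT_LOG = [
    # analytics connector: small nightly pulls, then a sudden bulk export
    ("2026-05-10T02:00:00", "analytics-connector", 150),
    ("2026-05-11T02:00:00", "analytics-connector", 160),
    ("2026-05-12T02:00:00", "analytics-connector", 140),
    ("2026-05-13T02:00:00", "analytics-connector", 155),
    ("2026-05-14T02:00:05", "analytics-connector", 120_000),
    # CI token still in use months after its workload was retired
    ("2026-05-14T03:00:00", "ci-bot-legacy", 5),
    # identity that was never registered in the inventory
    ("2026-05-14T05:00:00", "unknown-agent", 1),
] + [
    # AI agent firing 60 calls inside 30 seconds (two per second)
    ("2026-05-14T04:00:%02d" % (i % 30), "agent-17", 10) for i in range(60)
]

# Constructed NHI inventory: "offboarded" is the date the owning vendor
# relationship or workload ended (None = still active).
NHI_INVENTORY = {
    "analytics-connector": {"offboarded": None},
    "ci-bot-legacy": {"offboarded": "2026-03-01"},
    "agent-17": {"offboarded": None},
}

# Thresholds are assumptions chosen for this example, not product settings.
BURST_CALLS = 50                      # more than this many calls ...
BURST_WINDOW = timedelta(seconds=30)  # ... inside this sliding window
EXPORT_MULTIPLIER = 10                # rows > multiplier * identity's median
MIN_HISTORY = 3                       # earlier calls needed for a baseline


def identity_findings(log, inventory):
    """Level 3: caller missing from the inventory, or credential used after offboarding."""
    why = {}
    for ts, ident, _ in log:
        off = inventory.get(ident, {}).get("offboarded")
        if ident not in inventory:
            why[ident] = "identity not in NHI inventory"
        elif off and datetime.fromisoformat(ts) > datetime.fromisoformat(off):
            why[ident] = f"credential used after offboarding on {off}"
    return [(ident, 3, reason) for ident, reason in why.items()]


def burst_findings(log, max_calls=BURST_CALLS, window=BURST_WINDOW):
    """Level 2: more than max_calls from one identity inside one sliding window."""
    times = defaultdict(list)
    for ts, ident, _ in sorted(log):
        times[ident].append(datetime.fromisoformat(ts))
    out = []
    for ident, ts_list in times.items():
        start = 0
        for end in range(len(ts_list)):
            while ts_list[end] - ts_list[start] > window:
                start += 1  # drop calls that fell out of the window
            if end - start + 1 > max_calls:
                out.append((ident, 2, f">{max_calls} calls in {window.seconds}s"))
                break
    return out


def bulk_export_findings(log, multiplier=EXPORT_MULTIPLIER, min_history=MIN_HISTORY):
    """Level 3: rows returned far above the same identity's earlier median."""
    history, out = defaultdict(list), []
    for _, ident, rows in sorted(log):
        past = history[ident]
        if len(past) >= min_history:
            baseline = sorted(past)[len(past) // 2]
            if rows > multiplier * baseline:
                out.append((ident, 3, f"{rows} rows vs baseline {baseline}"))
        past.append(rows)
    return out


def escalate(log, inventory):
    """Map every identity to its escalation level; 1 (monitor) when no check fired."""
    level = {ident: 1 for _, ident, _ in log}
    for ident, lvl, _ in (identity_findings(log, inventory) + burst_findings(log)
                          + bulk_export_findings(log)):
        level[ident] = max(level[ident], lvl)
    return level


def kill_list(log, inventory):
    """Identities whose credentials the policy would revoke mid-execution (L3)."""
    return sorted(i for i, lvl in escalate(log, inventory).items() if lvl == 3)
```

Note that the connector's token is valid throughout: only the volume check, keyed to that identity's own history, separates its bulk export from its normal pulls.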
One Platform. Five Surfaces. Independent of Your Perimeter.
The point is not that perimeter security is wrong. It's that perimeter security is necessary but not sufficient — and for AI agents, NHIs, cloud workloads, enterprise data, and enterprise APIs, it was never designed to be sufficient.
RuntimeAI sits inside the AI integration fabric itself — between your agents and the rest of your stack. When the firewall is breached, Defender is silenced, or a state actor owns your perimeter for four weeks, RuntimeAI is still enforcing: agent identity, behavioral policy, data governance, quantum-safe encryption, API controls, and an immutable audit trail.
Security, control, and governance. One-click AI compliance reporting. Independent of whether your perimeter holds.
What RuntimeAI governs when your stack can't
- AI Agents — KYA identity validation, PII Shield, behavioral anomaly detection, Audit Black Box, Agent Fraud Shield
- NHI — full lifecycle inventory, least-privilege provisioning, behavioral monitoring, automated revocation, Agent DNS
- Cloud Workloads — Cloud AI Posture Management, real-time behavioral enforcement, autonomous incident response
- Enterprise Data — QuantumVault, PQ TokenVault, PQ Transit Shield, PQ CryptoGuard, PQ Policy Engine, PQ Comply, PQ Sign, PQ Secure DataShare
- Enterprise APIs — MCP Gateway policy enforcement, behavioral monitoring, Policy-as-Code (Rego/OPA)
- Kill Switch — L1 monitor → L2 notify → L3 policy-driven kill action, mid-execution