Security, Decoded: Insights from Suzu Labs

The Company Reviewing Your Meta Glasses Footage Has a Security Problem

Mike Bell — Fri, 06 Mar 2026 14:30:00 GMT

Last week, Swedish journalists revealed that Meta sends video footage from Meta Ray-Ban smart glasses to human data annotators at Sama, a San Francisco-based outsourcing company that runs its annotation workforce out of Nairobi, Kenya. Workers described seeing footage of people in bathrooms, bedrooms, and intimate situations. The UK's Information Commissioner opened a probe. The story dominated privacy news for days.

Nobody asked the obvious follow-up question. How secure is Sama?

We did. And the answer isn't reassuring.

Sama Credential Exposure on the Dark Web

Suzu Labs ran dark web intelligence against Sama's corporate domain (sama.com) using our threat intelligence platform. Within the last 90 days alone, we identified 118 credential entries tied to sama.com circulating across Telegram channels, underground forums, and breach databases.

Of those 118 entries, 57 are unique email addresses. Twenty-two of them appear to be legitimate corporate employee accounts. The employee names are consistent with Sama's known operations in both the US and Kenya, and several match naming patterns typical of the company's Nairobi-based annotation workforce.

Eighty-three of those entries included plaintext passwords.

Sama Employee Password Security Is Poor

We analyzed the 32 unique plaintext passwords found in the dataset.

88% fail basic complexity requirements (8+ characters with uppercase, lowercase, and a digit)
56% are under 10 characters
22% are under 8 characters, which wouldn't pass the minimum bar at most organizations
Only 9% include a special character
19% are digits only
The most reused password in the dataset appeared across 10 separate entries

These aren't passwords from 2015. The credential entries in our dataset were posted between December 2025 and February 2026. Some were shared on Telegram just weeks before the Swedish investigation broke the glasses story.

Info-Stealer Malware Is the Primary Source

Most of these credentials didn't come from some third-party breach where Sama employees happened to have accounts.

Roughly 87% came from info-stealer malware logs. That means malware was running on machines used by people with sama.com email addresses, pulling credentials and session tokens directly off the endpoint. The stealer takes everything on the machine. It doesn't filter by importance.

The stealer logs captured credentials for Google accounts, sales platforms, and ISP portals on those machines. If any of those infected endpoints were also used to access Sama's internal annotation platforms, the footage review pipeline could be exposed.

The remaining credentials appeared in named data breaches, including the Crunchbase breach and credential combo lists traded on BreachForums and Telegram distribution channels.

Risk to AI Training Data and Other Sama Clients

Sama isn't just a Meta contractor. The company is one of the largest data annotation providers in the world. Their clients have historically included some of the biggest names in AI. When you train a model, the training data goes through companies like Sama, and the people labeling that data operate on endpoints that, based on what we found, are not locked down.

The credential exposure we identified doesn't prove that Sama's annotation platform was compromised. But employee machines have been infected with info-stealer malware. The resulting credentials are being traded on the dark web right now. And the password hygiene across those accounts is poor. For an organization trusted with intimate video footage from millions of consumers, that should concern every client they have.

What Meta and Sama Should Do Now

Meta should be asking Sama hard questions about endpoint security and whether any of the compromised accounts have access to the annotation pipeline. If Meta conducted a third-party security assessment of Sama before handing over user footage, the results should be reexamined given what's now circulating on the dark web.

Sama should be running its own leaked credential monitoring. Every one of the accounts we found needs a forced password reset and MFA verification. The endpoints those credentials were stolen from need to be checked for active infections. Info-stealer logs from Sama employee machines are circulating freely. That's not a hypothetical risk. It already happened.

For other companies using third-party data annotation services, your vendor's security is your security. If you're sending sensitive data to an annotation provider and you haven't checked whether their employees' credentials are already on the dark web, you're making assumptions you can't afford to make.

How We Did This

We identified these credentials through dark web intelligence research. Password analysis was performed on the extracted plaintext credentials. No accounts were accessed, tested, or exploited during this research.

The Death of the CTF: How Agentic AI Is Reshaping Competitive Hacking

Jacob Krell — Tue, 03 Mar 2026 18:58:57 GMT

View White Paper

Abstract:

Agentic AI systems are compressing competitive hacking timelines faster than the cybersecurity community has acknowledged. This paper analyzes first blood data from 423 Hack The Box machines released between March 2017 and October 2025, finding that root blood times have declined approximately 16% per year in log-space (p < 1e-10), with the sharpest drops concentrated after the emergence of large language models and agentic exploitation frameworks. All four difficulty tiers show statistically significant compression in the Post-LLM era (p < 0.05), with magnitude scaling from 27% at Hard to 67% at Insane.

The implications extend well beyond competitive scoreboards as AI-driven acceleration reshapes penetration testing economics, lowers the barrier to offensive capability, and positions CTF platforms as de facto benchmarks for national AI cyber capabilities. Drawing on the historical transition to engine assisted play in chess, the paper argues for instrumentation of AI usage, the creation of separate competition tracks and standardized benchmarking of AI-augmented offensive capability. It also outlines the redesign of security training and certification pipelines to reflect compressed skill acquisition timelines.

1. Introduction

Capture The Flag competitions occupy a unique position in cybersecurity. From DEF CON's storied finals to Hack The Box's weekly machine releases, CTFs serve simultaneously as training grounds, hiring filters, and competitive arenas. At their core, they test a specific set of cognitive abilities, the capacity to parse unfamiliar systems, synthesize information from disparate sources, recall relevant techniques from a vast body of knowledge, and chain observations into a working exploit. For over two decades, performance in this environment has been primarily a function of unaided cognition. The scoreboard measured who among a field of human competitors was the most elite operator.

Agentic AI systems possess structural advantages in each of these capacities. They parse output without misreading. They have access to the entirety of publicly documented vulnerability research, tooling documentation, and exploit techniques, not as something to be recalled under pressure, but as something perpetually available. They synthesize across information sources without cognitive fatigue, context-switching cost, or the bandwidth limitations of human working memory. This paper argues that these structural advantages are sufficient to fundamentally reshape the nature of CTF competition, shifting the axis of differentiation from who is the best hacker to who designs the best agentic AI system.

This shift does not eliminate the human element. It redefines it. The competitors who will succeed in an AI-augmented CTF landscape are not those who resist the technology but those who learn to leverage it, directing AI agents toward the tasks where they hold categorical advantages while focusing human effort on the areas where intuition, creativity, and adversarial reasoning remain superior. The hacker in the loop remains the ultimate differentiator, but the nature of the loop changes. The skill being tested is no longer purely operational. It becomes architectural, and the question is: how effectively can a competitor design, configure, and orchestrate an AI system to do the work that was once done by hand?

The implications extend beyond individual competitors. As this transition accelerates, CTFs themselves will shift in character. Challenges that once tested a human operator's ability to enumerate, exploit, and pivot will increasingly function as benchmarks for AI agent systems. The competition between hackers becomes, in significant part, a competition between the agentic architectures and tools they bring to the table. CTF platforms will serve as proving grounds not just for human skill but for AI capability, and the leaderboard will reflect engineering and development decisions as much as operational technique.

We examine this thesis through multiple lenses. We analyze first blood time data across 423 competitively released Hack The Box machines spanning March 2017 through October 2025, stratified by difficulty and operating system, and find that both user and root first blood times are declining at approximately 16% per year on a multiplicative basis (log-linear model, p < 1e-10), with a statistically significant step-down in the Post-LLM era across all four difficulty tiers. We situate this analysis within a rapidly growing body of research in which agentic systems have won dedicated CTF competitions, autonomously exploited real-world vulnerabilities, and achieved meaningful solve rates on platforms like Hack The Box without human intervention. We conclude with a set of recommendations for CTF platform operators, training organizations, certification bodies, and policymakers, drawing on lessons from chess's two-decade experience with the same problem and anchored by a proposal for voluntary AI usage instrumentation designed to establish ground truth while the distinction between human and AI-augmented performance is still observable.

2. Author Background

The author holds the OSCE3 certification and works professionally in offensive security and AI system development. He has extensive practical experience with the Hack The Box platform, including participation across all difficulty tiers. This dual perspective informs the framing of the problem examined in this paper; however, all empirical claims are derived from the longitudinal dataset and statistical analysis presented in the following sections.

3. Related Work: AI in Offensive Security

The research trajectory over the past three years documents a rapid escalation in AI offensive capability, from early demonstrations that LLMs could assist with security tasks, to autonomous systems that competed with and outperformed human players, to production-grade offensive tooling built on the same foundations. While these studies primarily reported solve rates and task completion rather than time-to-compromise, they establish the capability context in which the longitudinal trends presented in this paper should be interpreted.

The first wave established that large language models were not just passively useful for security work but actively underutilized. Palisade Research demonstrated that a simple ReAct-based agent architecture with plan-and-solve prompting achieved 95% on the InterCode-CTF benchmark, up from a prior state of the art of 72%, fully solving the General Skills, Binary Exploitation, and Web Exploitation categories [2]. Their central finding was that LLM capabilities in this domain were underelicited, not fundamentally limited. Stanford's CyBench benchmark confirmed this from a different angle, as strong models solved professional-level CTF tasks at speeds comparable to 11-minute human solves [7]. The AIRTBench autonomous red teaming benchmark reported Claude 3.7 Sonnet achieving a 61% solve rate on black-box challenges, with models solving tasks in minutes where humans required hours [12].

The second wave moved from benchmarks to real vulnerabilities. The Fang et al. research series established that LLM agents can autonomously exploit real-world CVEs. Given vulnerability descriptions, GPT-4 successfully exploited 87% of 15 one-day vulnerabilities, while in their evaluation, every other tested system, including open-source models, ZAP, and Metasploit, scored zero [14]. A follow-up demonstrated that teams of LLM agents using hierarchical planning outperformed single agents by up to 4.3x on 14 real zero-day vulnerabilities [15]. Google's Project Zero and DeepMind collaboration produced Big Sleep, an LLM-powered system that discovered the first publicly documented AI-found exploitable bug in real-world software, a stack buffer underflow in SQLite, a vulnerability in production code that had evaded human auditors and traditional fuzzing tools [27].

The third wave saw benchmarks and exploits converge into competition. In 2025, the Cybersecurity AI agent won the Neurogrid CTF with 41 of 45 flags and a $50,000 prize pool, reached Rank 1 early at the Dragos OT CTF before finishing 6th after being paused, and was the top-performing AI team in Hack The Box's "AI vs Humans" competition [1]. The authors concluded that Jeopardy-style CTFs are effectively solved by well-engineered AI agents. Meanwhile, the translation into practical offensive tooling accelerated, as PentestGPT demonstrated a 228.6% improvement in task completion over GPT-3.5 baselines on Hack The Box machines (USENIX Security 2024, Distinguished Artifact) [16]. D-CIPHER achieved a 44% solve rate on Hack The Box with 65% more MITRE ATT&CK coverage than prior approaches [17]. xOffense, built on a fine-tuned Qwen3-32B model, reached 79.17% subtask completion [18]. And DARPA's AI Cyber Challenge yielded four open-source Cyber Reasoning Systems across the competition [29], and the fourth-place team alone autonomously discovered 28 real-world vulnerabilities including six zero-days [34].

Taken together, these results show a rapid progression from LLM-assisted workflows to autonomous competitive performance. In under three years, the field moved from "LLMs can help with CTF challenges" to "agentic systems can win CTF competitions outright." These results establish that AI systems now operate at timescales comparable to or faster than expert human solves, providing a plausible mechanism for the longitudinal compression in first-blood times measured in this study.

4. Data and Methodology

The dataset consists of 423 competitively released Hack The Box machines spanning March 2017 through October 2025, covering all four difficulty tiers, Easy (124), Medium (143), Hard (98), and Insane (58). The operating system split is predominantly Linux (288) and Windows (121). For each machine, two first-blood metrics were collected from timestamps scraped from 0xdf's publicly archived writeups [42], specifically user blood (time from machine release to the first recorded foothold) and root blood (time from release to full system compromise), both measured in minutes. Machines with missing or inconsistent timestamps were excluded. The gap between them is effectively the privilege escalation time for the fastest competitor on that challenge.

To structure the analysis around AI capability, two eras were defined. The Pre-LLM era covers everything before ChatGPT's public launch in November 2022, giving us 286 machines representing the pre-LLM baseline. The Post-LLM era covers November 2022 onward, encompassing both the initial period of LLM-assisted work and the subsequent emergence of dedicated agentic exploitation frameworks, covering 137 machines. An earlier version of this analysis used a three-era split (Pre-LLM, LLM, and Agentic), but the Agentic era's small sample sizes at higher difficulty tiers (Hard n=17, Insane n=5) produced era-level comparisons that lacked statistical power. Consolidating into two eras yields sample sizes sufficient for significance testing across all four difficulty tiers. For visual analysis, finer milestone markers for individual model releases are overlaid on the time-series charts.

Linear regression on log-transformed blood times establishes the overall trend and yields a directly interpretable metric, percentage change in solve time per year. Era medians quantify the magnitude of change between periods. Non-parametric significance tests (Mann-Whitney U, one-sided, reflecting the a priori hypothesis of decreasing solve times) determine whether observed differences are statistically significant. Everything is run independently on both user and root blood, and stratified by operating system. More fundamentally, first-blood times identify the earliest successful solve but do not reveal the methods used. The data establishes temporal correlation with AI capability milestones, not direct causation. Given multiple stratified comparisons, p-values are interpreted conservatively. That limitation is what motivates the "Solved with AI" proposal in Section 8.

5. Results

Across all 423 machines, both user and root first blood times (in minutes) show a statistically significant downward trend over the eight-and-a-half-year period. Root blood times are declining at 16.5% per year on a multiplicative basis (linear regression of log-transformed solve time against release date, R² = 0.12, p = 1.7e-13). User blood times decline at 16.0% per year under the same log-linear model (R² = 0.09, p = 2.7e-10). Every difficulty tier shows a negative longitudinal slope, indicating that the downward trend is not driven by a single category.

The scatter plot tells the story visually. Each dot is a machine, colored by difficulty tier, with trendlines fit per tier. The vertical dashed lines mark major LLM and agent capability milestones. The downward slope is visible across all four tiers, with a visibly steeper trend in the Post-LLM period.

Era Comparison

The era-level breakdown is where the compression becomes concrete. Median root blood times by era

	Pre-LLM (n)	Post-LLM (n)	Change	p-value
Easy	54.8 min (81)	28.9 min (43)	-47%	0.0001
Medium	106.0 min (96)	72.5 min (47)	-32%	0.0011
Hard	261.1 min (66)	191.1 min (32)	-27%	0.0279
Insane	926.6 min (43)	302.5 min (15)	-67%	0.0350

Median user blood times by era

	Pre-LLM (n)	Post-LLM (n)	Change	p-value
Easy	21.5 min (81)	12.7 min (43)	-41%	0.0018
Medium	56.0 min (96)	40.3 min (47)	-28%	0.0050
Hard	107.1 min (66)	110.9 min (32)	+4%	0.19 (n.s.)
Insane	271.5 min (43)	211.9 min (15)	-22%	0.22 (n.s.)

For root blood, the Post-LLM era is faster across all four tiers, with compression scaling by difficulty. Easy machines dropped 47%. Medium dropped 32%. Hard dropped 27%. Insane machines dropped 67%, from a median of over 15 hours to approximately 5 hours. All four root blood tiers reach statistical significance at p < 0.05 for the Pre-LLM vs Post-LLM comparison (Mann-Whitney U, one-sided), with Easy and Medium reaching p < 0.002. User-blood compression is significant at Easy (-41%, p = 0.002) and Medium (-28%, p = 0.005) but does not reach significance at Hard or Insane.

User Blood vs. Root Blood

The dual blood metric reveals something the aggregate numbers miss. User blood captures the foothold phase, specifically reconnaissance, vulnerability identification, initial exploitation. Root blood captures the full kill chain including privilege escalation. Comparing the two across eras isolates how each phase is compressing independently.

An important methodological note is that on Hack The Box, user blood and root blood are separate races. Different competitors frequently win each. One player might find an initial foothold fastest while a different player achieves full compromise first via a different approach. This means naively subtracting one from the other does not measure a single competitor's privilege escalation time. To isolate privilege escalation behavior, per-machine privesc time was computed as root blood minus user blood. For this analysis only, 37 machines where this value was zero or negative were excluded; these machines remain in all other analyses. A zero-minute cutoff was used to remove race artifacts while retaining conventional two-stage solves. Negative privesc indicates that root was blooded before user, a race artifact in which a different competitor bypassed the foothold step entirely or took a single exploit chain directly to root.

After filtering, the privilege escalation compression becomes clean and consistent across all four tiers

Median implied privilege escalation time by era (machines with privesc > 0 min)

	Pre-LLM (n)	Post-LLM (n)	Change
Easy	15.2 min (71)	11.1 min (43)	-27%
Medium	34.0 min (87)	22.2 min (47)	-35%
Hard	105.1 min (60)	61.5 min (32)	-41%
Insane	175.9 min (35)	108.0 min (11)	-39%

The privilege escalation phase is compressing faster than the foothold phase. After excluding machines where privesc time was zero or negative (race artifacts where root was blooded before user), median privesc times dropped 27% at Easy, 35% at Medium, 41% at Hard, and 39% at Insane from the Pre-LLM to the Post-LLM era. Meanwhile, user blood (the foothold phase) only compresses significantly at Easy (-41%, p=0.002) and Medium (-28%, p=0.005). At Hard and Insane difficulty, foothold times show no statistically significant change.

Operating System Breakdown

Stratifying by operating system reveals that the compression is not platform-uniform. Windows machines show steeper declines than their Linux counterparts at nearly every difficulty tier. Pre-LLM to Post-LLM, Windows Medium machines dropped from a median of 118.6 minutes to 45.9 minutes, a 61% reduction that is statistically significant (p=0.0003). Windows Easy dropped 22% (p=0.037). Linux machines show consistent but smaller compression, with Linux Easy dropped 36% (p=0.003), Linux Medium 12%, and Linux Hard 11%. Linux Insane dropped 77% (p=0.018), though with small Post-LLM samples.

One plausible explanation is that Windows and Active Directory environments contain more extensively documented, repeatable attack patterns such as Kerberoasting, token impersonation, and service misconfigurations. Linux privilege escalation tends to involve more heterogeneous, system-specific configurations. The possible relationship between attack-surface structure and amenability to AI is examined in Section 6.

The data tells a consistent story across every analytical lens applied to it. Solve times are compressing. The compression scales with difficulty. It affects both the foothold and privilege escalation phases, with privesc compressing faster. It is more pronounced on Windows than Linux. And the step-change at the Pre-LLM to Post-LLM boundary is statistically significant across all four difficulty tiers for root blood times.

6. Discussion

The longitudinal trends in Section 5 establish that time-to-compromise is decreasing across all difficulty tiers. The remaining question is which mechanisms are capable of producing a reduction of this magnitude and structure over the observed period. Each candidate explanation implies a different phase structure for time-to-compromise.

Several alternative explanations must be considered.

Community growth increases the number of attempts per machine at release and therefore the probability of an early solve. This mechanism predicts a roughly uniform acceleration across difficulty tiers, because the number of competitors affects all machines equally. Instead, the data shows compression that scales with difficulty, with the largest proportional reduction at the Insane tier. A participation-driven model does not naturally produce this pattern.

The expansion of publicly available writeups improves pattern recognition and reduces time to initial foothold when new machines resemble previously documented vulnerabilities. This mechanism predicts the strongest effect in the foothold phase. The observed data shows the opposite structure, as privilege escalation compresses more rapidly than foothold acquisition. A writeup-driven explanation is therefore incomplete.

Improvements in non-AI tooling contribute to the gradual downward trend visible throughout the Pre-LLM period. Enumeration frameworks and automated analysis tools reduce the time required to collect and interpret system state. However, the largest inflection in the time-series data occurs after the public release of high-capability language models rather than at the introduction of specific enumeration or post-exploitation tools. Tooling alone explains the baseline trend but not the post-2022 acceleration.

These factors are also not independent of AI capability. The rate at which writeups are produced, documentation is generated, and tools are developed has itself increased through AI-assisted workflows. Treating these as separate variables understates the total effect of AI on the ecosystem in which CTF performance occurs.

Taken together, the alternative mechanisms account for portions of the observed trend but do not reproduce its full structure. The participation hypothesis does not explain scaling by difficulty. The writeup hypothesis predicts faster foothold compression than privilege escalation. The tooling hypothesis explains the long-term baseline but not the post-LLM inflection. The remaining explanation that is consistent with the timing, magnitude, and phase specific structure of the data is the introduction of high-capability AI systems, amplified by secondary effects that are themselves partially AI-enabled.

This does not establish causation at the level of individual solves. Direct measurement of AI-assisted performance would require platform telemetry that is not currently available. What the analysis shows is that the observed compression follows the pattern expected from AI-accelerated workflows and is not fully explained by previously identified factors.

7. Implications

The data presented in this paper describes what is happening on a CTF scoreboard. But CTFs do not exist in a vacuum. They are simplified models of real offensive operations, and the forces reshaping competition on Hack The Box are the same forces reshaping enterprise security, the security workforce, and ultimately the global landscape of cyber capability.

The following implications are interpretive and extend beyond the scope of the measured dataset. A sustained 16% annual reduction in time-to-compromise implies a roughly sixfold decrease within a decade, fundamentally altering any security model that assumes human scale attacker timelines.

For Competitors

From inside the competition, this is not surprising. At the highest levels of competition, first-blood performance increasingly requires AI-assisted workflows. This is the natural progression of a dynamic that has always existed at the top level, the real game was never about manually running commands. It was always about building optimized automation scripts for enumeration and exploitation. The best competitors have always been the ones who automated the repetitive phases and focused their human attention on the creative gaps. AI agents are the next iteration of that same competitive logic, dramatically more powerful and dramatically more accessible.

Consider the privilege escalation data. A 40% compression in privesc times at Hard and Insane difficulty does not mean the competitors got substantially better at privilege escalation in three years. It means someone figured out how to hand the post-foothold enumeration to an agent that does not miss output, does not forget to check a file it found twenty minutes ago, and does not lose focus at 3 AM during a weekend release. The human contribution shifts from executing the methodology to designing it.

For the Security Industry

The compression visible in CTF solve times is a leading indicator of what is coming for enterprise security. AI agents already excel at the enumeration phase of real engagements, including massive parallelization of low-impact commands, systematic service discovery, automated credential checking, configuration analysis. The literature reviewed in Section 3 confirms that agentic systems can find real vulnerabilities in real environments today. They are still poor at operational security, at the subtle tradecraft decisions that determine whether an attacker is detected, but those limitations are narrowing with every model generation.

The practical consequence is that the defender's one structural advantage, time, is eroding. Security has always been asymmetric, as defenders must be right everywhere, attackers only need to find one gap. But defenders have historically benefited from the fact that attackers are slow. Human operators conducting reconnaissance, pivoting through a network, escalating privileges, all of which take hours or days. That timeline is the window in which detection, response, and containment happen. When an agentic system collapses the kill chain from days to hours to minutes, the window for human defenders to detect and respond shrinks proportionally. Dwell time assumptions built into detection architectures need to be revisited.

These trends suggest that the penetration testing model will deliver decreasing marginal security value. As dwell times for real threat actors remain long enough that point in time assessments offer diminishing insight into actual defensive readiness, the gap between what a periodic assessment measures and what an organization actually faces widens. The logical industry response is a shift toward continuous threat hunting and assume breach postures rather than periodic exploitation engagements. And any vulnerability that is openly exploitable should increasingly be assumed exploitable nearly instantly. The implicit assurance that a network "survived a skilled human spending X hours" means less every year when the threat model includes agents that do not sleep, do not context-switch, and do not stop enumerating.

For the Workforce

The democratization of offensive capability is perhaps the most consequential real-world implication of AI-accelerated CTFs, and it cuts both ways. Historically, becoming genuinely dangerous as an offensive operator required years of study, practice, and failure. The learning curve was steep. That steep curve served as a natural barrier that kept the population of highly capable attackers relatively small. AI is flattening that curve rapidly.

The capability gap between a junior operator with a well-designed agent pipeline and a senior operator working manually is collapsing. And the tooling is compounding, and an AI agent integrated with a Ghidra MCP server for binary analysis is a categorically different capability than a standalone model answering questions about disassembly. Each new tool integration multiplies the effective skill of the human operator, regardless of their experience level.

This is positive for the security industry in one sense, as it lowers the barrier to entry for security careers and makes scarce expertise more accessible. It is dangerous in another, as it lowers the same barrier for threat actors. Both of these are true simultaneously, and the policy response needs to account for both.

The workforce itself will undergo the same kind of transformation that previous industrial revolutions imposed on other skilled trades. The trajectory is from operators to automation engineers. Junior security professionals will not spend their early careers learning to run tools manually. They will learn to operate AI agents, to understand what the agents are doing well enough to intervene when something goes wrong, and to design the workflows that the agents execute. The analogy to modern aviation is apt, as pilots are still in the cockpit, but they are there primarily for the situations that automation cannot handle. The day-to-day operation is managed by systems they supervise. Over the next decade, the offensive security field appears likely to follow this exact trajectory, with operators progressively moving from direct users of frameworks and tools to managers of AI agents that themselves create and use the underlying tooling.

For Platform Operators

The competitive dynamics of CTF platforms are changing whether platform operators acknowledge it or not. First blood times are compressing. The leaderboard increasingly reflects who has the best AI tooling as much as who has the best hacking skills. A platform that ignores this does not avoid the shift. It just has no data on how the shift is unfolding.

The practical consequence is that platform operators who do not instrument AI usage will find their competitive metrics becoming uninterpretable. If first blood times continue to compress at 16% per year, within a few years the Easy and Medium tiers will hit floor effects where blood times are dominated by network latency and spawning delays rather than solve skill. At that point the leaderboard measures infrastructure, not hacking. Platforms that have been tracking AI usage throughout this period will be able to contextualize these trends. Platforms that have not will simply watch their competitive signal degrade without understanding why. Section 8 details specific instrumentation and track separation proposals that address this directly.

For Security Hiring

Hiring managers who use CTF performance as a signal face a growing calibration problem. Consider a candidate who presents a top-100 Hack The Box ranking. In 2020, that ranking almost certainly reflected deep manual exploitation skill, including enumeration discipline, creative privilege escalation, comfort across multiple operating systems and attack surfaces. In 2026, that same ranking might reflect those skills, or it might reflect that the candidate built an excellent agentic pipeline that handles reconnaissance and structured exploitation while the human focuses on the creative leaps. Both are genuinely valuable in a professional security context. But they are different skills, and a hiring pipeline that assumes CTF performance maps only to traditional security expertise is increasingly miscalibrated. Organizations that want to hire for manual exploitation skill specifically will need to test for it specifically, rather than treating a leaderboard rank as a proxy. The certification redesign discussed in Section 8 addresses how the industry can build assessments that distinguish between these skill sets.

CTFs as Global AI Capability Benchmarks

The implications extend beyond the security community entirely. As CTF competitions shift from purely human contests to contests between AI-augmented operators, they become something they were never designed to be, standardized benchmarks for offensive AI capability.

This is already happening in a research context. CyBench [7], InterCode-CTF [9], and the NYU CTF Benchmark [8] all use CTF-style challenges to evaluate agentic AI systems. But public platforms like Hack The Box provide something these closed benchmarks cannot, a live, continuously updated, adversarially designed evaluation environment with a global participant pool and real-time scoring. A research benchmark can be overfitted. A platform releasing new machines every week, designed by human creators actively trying to challenge the best players in the world, cannot.

The geopolitical dimension of this is underappreciated. AI export restrictions are increasingly fragmenting the global model landscape. Operators in the United States work with systems like GPT, Claude, and Grok. Operators in China work with DeepSeek, Qwen, and other domestically developed models. European competitors may increasingly work with models like Mistral that fall under different regulatory frameworks. As AI-augmented competition becomes the norm on global CTF platforms, the leaderboard becomes a de facto comparison of these different AI ecosystems applied to a common adversarial task. A country whose models consistently underperform on offensive security benchmarks has a measurable signal about a gap in its AI capabilities that extends well beyond CTF.

This is not hypothetical. The AI Cyber Challenge at DEF CON, funded by DARPA with $29.5 million in prizes [29], already frames autonomous cyber capability as a national security priority. The winning teams' cyber reasoning systems are required to be open-sourced, and DARPA has allocated additional funding to integrate the technology into real critical infrastructure. Public CTF platforms provide a continuous, peacetime version of the same signal. The death of the CTF as a purely human competition is simultaneously the birth of the CTF as a global AI capability benchmark, and the policy implications of that transformation deserve attention from audiences well beyond the infosec community. Section 8 explores how platforms can formalize this benchmarking role and how governments can leverage it through structured competition programs.

8. Recommendations

The measured compression in time-to-compromise implies that existing competition, training, and evaluation models will lose interpretability unless they are redesigned for an AI-augmented environment. The implications outlined above are broad, but they converge on a set of concrete actions that CTF platforms, training organizations, and the security community can take now rather than after the shift is complete.

Learn from Chess

Chess confronted the same fundamental problem two decades earlier and its response is instructive. After Garry Kasparov lost to Deep Blue in 1997, the chess community did not pretend engines did not exist. It adapted. Three distinct competitive categories emerged, pure human chess, pure engine chess, and "advanced" or "centaur" chess where human-computer teams compete. Kasparov himself introduced the advanced chess format in 1998, arguing that the combination of human intuition and computer calculation would produce the highest quality games. Research confirmed this, as freestyle (centaur) teams consistently outperformed both solo humans and solo engines in tournament play through the mid-2000s.

The enforcement problem followed immediately. Chess.com has spent over a decade building a Fair Play system that analyzes over 100 gameplay factors per game using statistical models to detect engine-assisted play. The system closes large numbers of accounts for fair-play violations each month and estimates that fewer than 1% of players cheat online. For prize events, Chess.com now requires all participants to run Proctor, a monitoring program on the player's machine, and has reported significantly fewer instances of engine cheating since making it mandatory.

The critical parallel for CTFs is that chess had a structural advantage that CTFs do not, in that every move is recorded and analyzable after the fact. A chess engine's influence can be detected because the move sequence itself contains the signal. In a CTF, the platform has almost no visibility into how a competitor arrived at a solution. There is no move log. There is no replay. The platform sees a flag submission and a timestamp. This means the chess approach of statistical detection after the fact is largely unavailable to CTF platforms. Given the absence of move level telemetry, meaningful enforcement of human-only competition appears feasible primarily in proctored environments where the competitor's screen and tooling can be directly observed. For online platforms, the honest conclusion is that AI-assisted competition cannot be meaningfully prevented. It can only be embraced, structured, and measured.

Instrument AI Usage

The first and most immediately actionable recommendation is for CTF platforms to implement a voluntary "Solved with AI" self-report mechanism. This is not about enforcement. It is about data collection. A simple toggle at flag submission, where the competitor indicates whether AI tools assisted their solve, produces ground truth that does not currently exist anywhere. The data does not need to be perfectly accurate to be valuable. Self-reporting will be imperfect and subject to strategic misreporting, but even noisy adoption data is strictly more informative than the current absence of ground truth. Even a rough self-reported signal would allow platforms to track adoption rates over time, correlate AI usage with solve speed, compare AI-assisted and unassisted performance distributions, and identify which challenge categories are most affected. This is the data that is currently unavailable in platform telemetry and that motivated the correlation-not-causation limitation in this study.

Separate the Tracks

As AI-assisted competition becomes the norm, platforms should consider formalizing the distinction that chess formalized decades ago. An unranked or separately ranked "AI-augmented" track, running alongside the traditional human track, would let competitors who want to push the boundaries of human-AI teaming do so without distorting the signal for competitors who want to test their manual skills. This is not about stigmatizing AI use. It is about preserving the interpretability of both signals. A first blood on the human track means something specific. A first blood on the augmented track means something different but equally valuable. Conflating the two helps no one.

Standardize AI Capability Benchmarking

The market for standardized evaluation of AI offensive tools is emerging rapidly and CTF platforms are uniquely positioned to serve it. Hack The Box launched its AI Range in December 2025 [40], the first controlled environment specifically designed to benchmark autonomous AI security agents against live adversarial challenges. The platform tests models including Claude, GPT-5, Gemini, and Mistral against real challenges, running each model ten times per challenge with fresh instances to account for non-deterministic behavior. Early meta-benchmarks have already revealed a significant gap between AI models' security knowledge and their practical multi-step adversarial capabilities.

This is where the commercial opportunity meets the research need. Organizations evaluating AI security products currently have no standardized way to compare them. A buyer considering two AI-powered penetration testing tools has no equivalent of a SPEC benchmark or an MLPerf score. CTF platforms can fill this gap by offering structured evaluation environments where vendors and researchers run their systems against a common, continuously updated set of challenges under controlled conditions. The data produced is valuable to everyone, as vendors get credible third-party validation, buyers get comparison data, researchers get reproducible benchmarks, and the platforms themselves gain a new revenue stream and strategic position in the AI security ecosystem.

Redesign Training Pipelines

Security training programs need to acknowledge that the skill they are developing is changing. Bootcamps and entry-level certification programs that teach people to run nmap, linpeas, and manual exploitation workflows are training for the role as it existed five years ago. The junior security professional of 2028 needs to understand what those tools do, but their primary operational skill will be designing, configuring, and orchestrating AI agent pipelines that run those tools. Training programs should be teaching students to build agentic workflows, to evaluate when an agent is producing useful output versus hallucinating, and to intervene effectively when automation breaks down.

The certification landscape reflects this tension. Proctored, human-only examinations remain one of the few mechanisms for directly verifying manual exploitation skill. That signal is still valuable, and proctored human-only certifications should continue to exist for roles where manual skill matters. But the industry also needs certifications that test what real-world operators actually do, leveraging every available tool, including AI, to achieve objectives under realistic constraints. Hack The Box's certification model already moves in this direction. Their exams impose no AI restrictions. Instead, they make the assessment genuinely difficult, requiring extensive documentation and demonstrating that the candidate understands the full attack chain at a depth that cannot be faked by an unsupervised agent. The result tests real-world competency more faithfully than a controlled environment where half the candidate's actual toolkit is prohibited.

Government and Institutional Adoption

DARPA's AI Cyber Challenge demonstrated that the competition model works for accelerating AI security development at national scale [29]. A $29.5 million prize pool attracted seven world-class teams whose cyber reasoning systems collectively discovered 28 unique vulnerabilities, including six zero-days, in real open-source software, with the winning systems required to be open-sourced for public benefit. This is a model for how governments can outsource AI capability development to the private sector through structured competition rather than traditional procurement.

The opportunity extends beyond one-off competitions. Public CTF platforms, operating continuously with global participation, provide something that a periodic DARPA challenge cannot, a standing, adversarially maintained evaluation environment that produces real-time signal about the state of AI offensive and defensive capability. Governments and defense organizations that formalize relationships with these platforms, whether through funded challenge series, benchmark partnerships, or structured data sharing agreements, gain continuous visibility into a capability domain that is evolving faster than any traditional assessment cycle can track.

9. Conclusion

The CTF is not dead. But what it measures is changing, and the pace of that change is accelerating.

Across 423 Hack The Box machines spanning over eight years, both user and root first blood times are declining at approximately 16% per year. The compression is universal across every difficulty tier. It scales with complexity, and the hardest machines, once requiring the best competitors in the world over 15 hours, now show a median of about 5 hours in the Post-LLM era, a 67% reduction that is statistically significant (p=0.035). The privilege escalation phase, the most structured and information-dense portion of the kill chain, is compressing faster than the foothold phase. Windows machines, with their well-documented and repeatable attack surfaces, show steeper declines than Linux. And the inflection points in all of these trends visually align with the public availability of increasingly capable AI systems. A sustained 16% annual reduction corresponds to a roughly sixfold decrease in time-to-compromise within a decade, a rate that fundamentally breaks security models built around human-speed operations.

None of this proves that AI is the sole cause. But the timing, magnitude, and structure of the observed patterns are consistent with AI-driven acceleration and are difficult to explain through previously identified factors alone, and the confounding factors most commonly cited, community growth, writeup availability, better tooling, are themselves increasingly AI-enabled. The confounders are not independent of the primary variable.

The implications reach well beyond the scoreboard. The same capabilities compressing CTF solve times are compressing real-world attack timelines, eroding the defender's window to detect and respond, and lowering the barrier to expert-level offensive capability for both security professionals and threat actors. The observed compression implies a shift in the security workforce from direct tool operation toward the design and supervision of automated workflows. Certifications and training programs designed for the previous era need to adapt or become irrelevant. And CTF platforms, whether they intended it or not, are becoming the world's first continuously maintained, adversarially designed benchmarks for national AI cyber capability. This paper does not measure AI capability directly. It measures the rate at which the attacker's clock is shrinking.

This analysis is limited to a single platform and a single performance metric, and direct measurement of AI-assisted solves remains an open data problem. The title of this paper is deliberately provocative. The CTF as a purely human competition between operators is ending. What replaces it is not nothing. It is a richer, more complex, and more consequential competition, between the humans who design AI systems and the AI systems they build, tested against challenges that grow harder every week, on platforms that span the globe. The organizations, competitors, and governments that recognize this transition earliest and adapt most effectively will define the next era of cybersecurity. The ones that pretend nothing has changed will be left wondering why the scoreboard no longer makes sense.

10. References

AI Agents Solving CTFs

[1] Cybersecurity AI team, "Cybersecurity AI: The World's Top AI Agent for Security CTF," arXiv:2512.02654, 2025. https://arxiv.org/abs/2512.02654

[2] Palisade Research, "Hacking CTFs with Plain Agents," arXiv:2412.02776, 2024. https://arxiv.org/abs/2412.02776

[3] Abramovich et al., "EnIGMA: Interactive Tools Substantially Assist LM Agents in Finding Security Vulnerabilities," ICML 2025 (arXiv:2409.16165). https://arxiv.org/abs/2409.16165

[4] Amazon Science, "CTF-Dojo: Training Language Model Agents to Find Vulnerabilities," arXiv:2508.18370, 2025. https://arxiv.org/abs/2508.18370

[5] Tsinghua / Huazhong University, "Multi-Agent Framework for CTF Challenges," MDPI Applied Sciences, 2025. https://www.mdpi.com/2076-3417/15/13/7159

[6] Evolve-CTF team, "Capture the Flags: Family-Based Evaluation via Semantics-Preserving Transformations," arXiv, 2025. https://arxiv.org/html/2602.05523v1

CTF Benchmarks

[7] Andy K. Zhang, Neil Perry et al., "CyBench: Framework for Evaluating Cybersecurity Capabilities of Language Models," arXiv:2408.08926, 2024. https://arxiv.org/abs/2408.08926

[8] NYU-LLM-CTF team, "NYU CTF Bench: Scalable Open-Source Benchmark for LLMs in Offensive Security," NeurIPS 2024 (arXiv:2406.05590). https://arxiv.org/abs/2406.05590

[9] "InterCode: Standardizing and Benchmarking Interactive Coding with Execution Feedback," NeurIPS 2023. https://openreview.net/forum?id=fvKaLF1ns8

[10] "CTFusion: CTF-based Benchmark for LLM Agent Evaluation," OpenReview / ICLR, 2026. https://openreview.net/forum?id=2zQJHLbyqM

[11] "CTFTiny," arXiv:2508.05674, 2025. https://arxiv.org/abs/2508.05674

[12] "AIRTBench: Autonomous AI Red Teaming Benchmark," arXiv:2506.14682, 2025. https://arxiv.org/abs/2506.14682

LLM Exploit Capabilities

[13] Richard Fang, Rohan Bindu, Akul Gupta, Qiusi Zhan, Daniel Kang, "LLM Agents can Autonomously Hack Websites," arXiv:2402.06664, 2024. https://arxiv.org/abs/2402.06664

[14] Fang, Bindu, Gupta, Kang, "LLM Agents can Autonomously Exploit One-day Vulnerabilities," arXiv:2404.08144, 2024. https://arxiv.org/abs/2404.08144

[15] Zhu, Kellermann, Gupta, Li, Fang, Bindu, Kang, "Teams of LLM Agents can Exploit Zero-Day Vulnerabilities," arXiv:2406.01637, 2024. https://arxiv.org/abs/2406.01637

Automated Penetration Testing

[16] Deng et al., "PentestGPT: Evaluating and Harnessing LLMs for Automated Penetration Testing," USENIX Security 2024 (Distinguished Artifact), arXiv:2308.06782. https://arxiv.org/abs/2308.06782

[17] "D-CIPHER: Dynamic Collaborative Intelligent Multi-Agent System for Offensive Security," arXiv:2502.10931, 2025. https://arxiv.org/abs/2502.10931

[18] "xOffense: AI-Driven Autonomous Penetration Testing," arXiv:2509.13021, 2025. https://arxiv.org/abs/2509.13021

[19] "VulnBot: Autonomous Penetration Testing Multi-Agent Framework," arXiv:2501.13411, 2025. https://arxiv.org/abs/2501.13411

[20] "PentestAgent: Incorporating LLM Agents to Automated Penetration Testing," AsiaCCS 2025 (arXiv:2411.05185). https://arxiv.org/abs/2411.05185

[21] "Construction and Evaluation of LLM-based Agents for Semi-Autonomous Penetration Testing," arXiv, 2025. https://arxiv.org/html/2502.15506v1

[22] "AutoPentest / Structured Attack Trees on HackTheBox," arXiv:2505.10321, 2025. https://arxiv.org/abs/2505.10321

Automated Exploit Generation

[23] Harbin Institute of Technology, "PwnGPT: Automatic Exploit Generation Based on Large Language Models," ACL 2025. https://aclanthology.org/2025.acl-long.562/

[24] UNSW Sydney / CSIRO, "Good News for Script Kiddies? Evaluating LLMs for Automated Exploit Generation," arXiv:2505.01065, 2025. https://arxiv.org/abs/2505.01065

[25] "From Rookie to Expert: Manipulating LLMs for Automated Vulnerability Exploitation," arXiv:2512.22753, 2025. https://arxiv.org/abs/2512.22753

Google Project Zero

[26] Google Project Zero, "Project Naptime: Evaluating Offensive Security Capabilities of LLMs," 2024. https://projectzero.google/2024/06/project-naptime.html

[27] Google Project Zero + DeepMind, "From Naptime to Big Sleep: Using LLMs to Catch Vulnerabilities in Real-World Code," 2024. https://projectzero.google/2024/10/from-naptime-to-big-sleep.html

DARPA Competitions

[28] Avgerinos, Brumley et al. (ForAllSecure), "The Mayhem Cyber Reasoning System," IEEE Security & Privacy, 2016/2018. https://users.umiacs.umd.edu/~tudor/courses/ENEE657/Fall19/papers/Avgerinos18.pdf

[29] DARPA, "AI Cyber Challenge (AIxCC)," 2023-2025. https://www.darpa.mil/research/programs/ai-cyber

Capability Assessments

[30] Bhatt, Chennabasappa et al. (Meta), "Purple Llama CyberSecEval (1, 2, 3)," arXiv:2312.04724, 2023-2024. https://arxiv.org/abs/2312.04724

[31] MITRE, "OCCULT: Evaluating LLMs for Offensive Cyber Operation Capabilities," arXiv:2502.15797, 2025. https://arxiv.org/abs/2502.15797

[32] "Catastrophic Cyber Capabilities Benchmark (3CB)," arXiv:2410.09114, 2024. https://arxiv.org/abs/2410.09114

Vulnerability Detection

[33] "LLM4Vuln: Unified Evaluation for LLMs' Vulnerability Reasoning," arXiv:2401.16185, 2024. https://arxiv.org/abs/2401.16185

[34] "All You Need Is A Fuzzing Brain," arXiv:2509.07225, 2025. https://arxiv.org/abs/2509.07225

[35] "SecLLMHolmes: LLMs Cannot Reliably Identify Security Vulnerabilities (Yet?)," IEEE S&P 2024, arXiv:2312.12575. https://arxiv.org/abs/2312.12575

Competitions and Datasets

[36] Debenedetti, Rando et al. (ETH Zurich), "Dataset and Lessons from 2024 SaTML LLM Capture-the-Flag Competition," NeurIPS 2024 (arXiv:2406.07954). https://arxiv.org/abs/2406.07954

[37] Schulhoff et al., "HackAPrompt: Exposing Systemic Vulnerabilities of LLMs via Global Prompt Hacking Competition," EMNLP 2023. https://arxiv.org/abs/2311.16119

[38] "DEF CON 31 AI Village CTF," Kaggle, 2023. https://www.kaggle.com/competitions/ai-village-capture-the-flag-defcon31/

Sociology of CTFs

[39] "Cybersecurity Knowledge and Skills Taught in CTF Challenges," Computers & Security (Elsevier), 2020. https://www.sciencedirect.com/science/article/abs/pii/S0167404820304272

HackTheBox + AI

[40] Hack The Box, "HTB AI Range Launch," 2025. https://www.hackthebox.com/blog/htb-ai-range-launch

[41] "Artificial Intelligence as the New Hacker: Developing Agents for Offensive Security," arXiv:2406.07561, 2024. https://arxiv.org/abs/2406.07561

Data Source

[42] 0xdf, "Hack The Box Writeups," 0xdf.gitlab.io. https://0xdf.gitlab.io/ (First blood data collected for 423 machines, March 2017 -- October 2025)

Anthropic and Claude: 2026 AI Powerhouse

Hannah Perez — Thu, 26 Feb 2026 18:02:17 GMT

In early 2026, the image of Anthropic as a cautious, safety-oriented "research lab" has effectively been replaced by its reality: a $380 billion enterprise software powerhouse.

Between a massive release of new models and a high-stakes standoff with the U.S. government, Anthropic is currently navigating the most volatile month in its history. Here is the breakdown of what is actually happening.

The Tech: Claude Now "Operates" Computers

Anthropic just released Claude 4.6 (Sonnet and Opus), and the focus has shifted from conversation to Computer Use.

While previous models could browse the web, Claude 4.6 is built to visually interpret a computer desktop. It doesn’t just call an API; it looks at a screen, moves the cursor, and clicks buttons.

To support this, Anthropic acquired Vercept this week, a startup that specialized in AI perception. The goal is to move Claude toward 100% reliability in navigating standard office software like spreadsheets, internal databases, and CRM tools that were not built for AI. Current benchmarks show Claude’s success rate in these environments has jumped from 15% to over 72% in the last year.

The Business: A $14 Billion Run-Rate

The company recently closed a $30 billion Series G funding round, valuing it at $380 billion. This puts Anthropic in the same valuation league as SpaceX and Coca-Cola.

The growth is driven by a pivot toward workhorse tools:

Claude Code: This specialized engineering tool is now generating $2.5 billion in annual revenue, doubling its size since January 1st.
Ad-Free Commitment: Anthropic made a point to announce that Claude will remain ad-free, positioning itself as a clean infrastructure provider for enterprises that don't want their data used to fuel a marketing engine.
The 1M Token Context: Both new 4.6 models now support a one-million-token window, allowing businesses to feed entire technical libraries or legal archives into a single prompt with high retrieval accuracy.

The Conflict: The Pentagon Standoff

The most significant story right now isn't about code; it's about national security. Anthropic is currently the only AI provider allowed on the U.S. military’s classified networks, and tensions have reached a breaking point.

The Venezuela Incident: Reports surfaced that Claude was utilized during the operation to capture Nicolás Maduro in January. This sparked a conflict between Anthropic’s red lines, specifically its ban on using AI for autonomous targeting or domestic surveillance and the Pentagon’s desire for "unfettered access."
The Ultimatum: Defense Secretary Pete Hegseth has given Anthropic a deadline of Friday, 5:00 PM, to lift these restrictions. If they don't, the government has threatened to label Anthropic a "supply chain risk," which would effectively bar them from any federal contracts and potentially disrupt their private sector partnerships.

The Policy: Responsible Scaling 3.0

In the midst of this, Anthropic updated its Responsible Scaling Policy (RSP) to Version 3.0.

The new version is noticeably more pragmatic. It explicitly states that Anthropic will no longer delay development of powerful models unilaterally if it believes its competitors are moving forward. It’s a "competitor-contingent" policy: they will be as safe as the market allows them to be without losing their lead.

Critics have called this a safety loophole, but for Anthropic, it’s a necessary adjustment to a 2026 reality where AI is now central to global economic and military power.

Simply Offensive Podcast: Exploring AI Vulnerabilities in Cybersecurity with Mike Bell of Suzu Labs

Phillip Wylie — Thu, 12 Feb 2026 18:08:04 GMT

In today’s rapidly evolving technological landscape, the convergence of artificial intelligence (AI) and cybersecurity is becoming increasingly significant. In this episode of Simply Offensive, host Phillip Wylie converses with Mike Bell, CEO and founder of Suzu Labs, an innovative firm specializing in cybersecurity consulting and AI software. Together, they explore pressing issues in AI security and share invaluable insights for businesses looking to fortify their defenses.

Understanding Cybersecurity in the AI Era:
Mike Bell begins by discussing the current state of the consulting business, particularly in the fourth quarter when companies scramble to finalize budgets and secure their assets. He emphasizes the importance of maintaining an accurate inventory of applications and assets, which is crucial for effective security measures. As Bell notes, "the first thing in any security program should be an accurate asset inventory of whatever you're trying to secure."

The Evolution of Security Threats:
As a former military personnel with extensive experience in cyber and IT, Bell shares his journey from military service to building AI systems. He highlights the convergence of security and AI, where many companies are either focusing on one or the other. At Suzu Labs, they strive to bridge this gap, offering clients a comprehensive perspective on both fields. Bell’s technical background, reinforced by certifications like OSCP, allows him to engage deeply with both the coding and strategic aspects of cybersecurity.

The OWASP Top 10 for LLMs:
A significant portion of the discussion revolves around the OWASP Top 10 for Large Language Models (LLMs). Bell explains that OWASP, the Open Web Application Security Project, has developed a list of vulnerabilities that AI systems can face, which now includes prompt injection, training data poisoning, and sensitive information disclosures among others. He elaborates on the concept of prompt injection, particularly indirect prompt injection, where attackers manipulate AI behavior through crafted inputs to extract unauthorized data. This highlights the critical need for robust defenses against such vulnerabilities.

RAG Systems and Their Vulnerabilities:
Bell introduces the concept of Retrieval Augmented Generation (RAG), which combines vector databases with LLMs to enhance the AI's contextual understanding. However, he warns that this approach can introduce vulnerabilities, especially if the RAG database contains poisoned data. "Attackers don’t necessarily need to control the user’s input; they just need to inject poisoned data into the database," Bell explains. This emphasizes the importance of securing not just the AI model itself, but also the data it utilizes.

Key Takeaways:
As businesses increasingly rely on AI technologies, understanding the associated security risks becomes paramount. Maintaining a comprehensive asset inventory is essential for effective cybersecurity. The OWASP Top 10 for LLMs provides crucial guidance on potential vulnerabilities that organizations must address. Additionally, the integration of systems like RAG can enhance capabilities but also requires careful consideration of data integrity and security measures.

Conclusion:
In conclusion, the intersection of AI and cybersecurity presents both opportunities and challenges for organizations. As highlighted by Mike Bell, proactive measures and continuous vigilance are vital in navigating this complex landscape. By understanding the latest security threats and implementing robust strategies, businesses can better protect themselves against the evolving nature of cyber threats.

YouTube

Spotify

Under Armour Breach: What The Forum Data Actually Shows

Mike Bell — Fri, 30 Jan 2026 16:09:25 GMT

On January 18, 2026, the Everest ransomware group made good on their threat and released Under Armour customer data to BreachForums. Two months earlier, Everest had added Under Armour to their leak site with a seven-day deadline. The company didn't pay. Now 72.7 million email addresses are sitting in Have I Been Pwned, and Under Armour still hasn't publicly acknowledged the incident.

We analyzed the leaked data and the forum discussion around it. Here's what we found.

The Initial Announcement

The forum post from user "thelastwhitehat" claimed 343 GB of sensitive data including "full names, email addresses, geographic locations, genders, purchase histories and preferences, employee contact details, and more." Everest's original claims were even broader, including phone numbers, physical addresses, loyalty program details, and preferred stores.

That's a significant amount of PII if accurate. But forum users who actually downloaded and analyzed the data found something different.

What's Actually In The Leak

Within 24 hours of the data hitting the forums, users started reporting discrepancies. User "ThinkingOne" noted: "there do not appear to be any phone numbers in here. There is a phone number header in some of the files, but no actual phone numbers. Also, few/no last names, no addresses."

That's a meaningful distinction. Headers exist for sensitive fields, but the data isn't there. What Everest claimed and what they actually exfiltrated are two different things.

The File Structure

The leaked archive contains 29 CSV files totaling 191,577,361 records. The largest files are mobile push notification exports (69M and 71M records respectively), followed by Bluecore marketing exports and loyalty customer data.

The file naming convention tells the story. These are marketing system exports, not production database dumps:

Bluecore exports - Email marketing platform data
MobilePush_TotalGenderData - Push notification targeting
NorthAmerica_MasterPush_Segmentation - Marketing segmentation
Customer_360_SFMC_Preferred_Store - Salesforce Marketing Cloud data
RatingsAndReviews_SourceData - Customer review data
RetailPurchases_Last30_SourceData - Recent transaction data

This is marketing tech infrastructure. Email addresses, purchase behavior, marketing preferences. Valuable for targeted phishing campaigns, but not the full PII profiles Everest advertised.

What This Means For Affected Customers

The 72.7 million unique email addresses are real. If you've shopped at Under Armour, your email is likely in this dataset along with your purchase history and marketing preferences. That's enough for convincing phishing attempts that reference your actual buying behavior.

What's probably not exposed: your home address, phone number, or payment information. The forum analysis suggests those fields either weren't captured by the marketing systems that were compromised, or weren't populated in the exports Everest obtained.

What This Means For Under Armour

Two months of silence while a class action lawsuit gets filed and millions of customers check breach notification services is a communications failure regardless of what's in the data. Customers are making assumptions, and those assumptions are probably worse than reality.

More importantly, this breach reveals something about their security posture. Marketing platforms sit at the edge of the network. They integrate with everything. They often get stood up by marketing teams without going through normal security review processes. Most security programs have better visibility into production databases than they do into martech, and that blind spot is exactly what Everest exploited here.

Understanding where the initial access came from and why these systems were accessible is what prevents the next incident. Cleanup without root cause analysis is just waiting for round two.

About Everest

Everest has been operating since 2020, making them unusually long-lived for a ransomware group. According to security researchers, they run three parallel revenue streams: double extortion ransomware, network access brokerage (selling access to other crews), and an insider recruitment program. Under Armour was one target in a portfolio that includes aerospace contractors, power grid operators, and government agencies.

Timeline

Date	Event
November 15, 2025	Breach occurs (per forum claims)
November 2025	Everest adds Under Armour to leak site with 7-day deadline
November 24, 2025	Class action lawsuit filed
January 18, 2026	Data published on BreachForums
January 19, 2026	Forum users report phone number fields are empty
January 21, 2026	HIBP ingests 72.7M records
Present	Under Armour has not publicly acknowledged the incident

Brightspeed Breach: Crimson Collective and the Infostealer Problem

Mike Bell — Tue, 20 Jan 2026 00:07:21 GMT

Recently Crimson Collective claimed they breached Brightspeed and grabbed 1 million+ customer records. The list of data they claim to have accessed includes names, billing addresses, partial payment data, and more. There was a class action filed three days later. Brightspeed says they're investigating. No confirmation of data exfiltration yet.

Most coverage stops there, but understanding who Crimson Collective is tells us more about what's actually at risk than the headline numbers.

Crimson Collective's Track Record

This group emerged in September 2025 and hit Red Hat's internal GitLab the following month. 570 GB from 28,000+ repositories. The alleged haul included Customer Engagement Reports with infrastructure designs, authentication tokens, and database connection strings. They've gone after Nintendo and Nissan with similar attacks.

Based on our research they target cloud-hosted environments and development infrastructure, not customer databases. They're after the systems that build and maintain applications, not the applications themselves.

If the Brightspeed claims are legitimate, Crimson Collective probably didn't limit themselves to exporting a customer table. The attack surface could extend into operational infrastructure. That's a different kind of problem than a standard PII breach.

The Infostealer Correlation Problem

Vidar infostealer logs with Brightspeed customer credentials were already circulating on Russian Market before Crimson Collective posted anything. Discord logins, Netflix, Verizon Wireless, Spotify, Roblox. Credentials harvested from compromised customer devices over the past year.

Now those same people potentially have their billing addresses and service records exposed in a separate incident.

Cross-reference the two datasets and you've got everything needed for targeted phishing. The infostealer logs tell you what services someone uses. The breach data tells you where they live and how they pay. Attackers know how to combine data sources. Defenders often don't think about the correlation problem until it's too late.

This is the compounding effect that doesn't make headlines. A breach looks bad. A breach combined with existing credential leaks is worse. The people affected aren't just dealing with one exposure. They're dealing with a more complete picture of their digital lives being assembled from multiple sources.

Infrastructure Red Flags

Brightspeed IP addresses are appearing in active SOCKS proxy lists being sold on dark web forums.

This could mean a few things:

Compromised customer devices being used as proxy nodes.
Broader infrastructure compromise beyond customer data.
Residential proxy networks leveraging Brightspeed's network for anonymization.

Any of these scenarios warrants investigation beyond standard breach response. If customer devices are being recruited into proxy networks, that's an ongoing problem that doesn't end when the breach investigation closes. Those devices stay compromised. The proxy operators keep using them.

The Investigation Trap

Brightspeed is stuck in a difficult position. They can't confirm or deny without completing forensics. But every day of silence lets the narrative build. Crimson Collective knows this. The Telegram posts and data samples are designed to create pressure.

The company has to balance thorough investigation against reputational damage from appearing unresponsive. There's no clean answer. Move too fast and you risk making statements you have to walk back. Move too slow and the court of public opinion renders its verdict without you.

The class action filing three days after unverified claims is aggressive. Brightspeed hasn't confirmed data exfiltration. The plaintiffs are either confident the breach is real or they're positioning early to lead the litigation when confirmation comes.

Either way, it puts pressure on Brightspeed to disclose faster than their forensics team might want or deserve.

Why Telecom Providers Are Targets

Telecom providers sit on valuable data by default. They have billing relationships with millions of customers. Names, addresses, payment methods, service records, appointment history. All in one place.

That data is useful for fraud. The customer base is large enough that even unverified breach claims generate headlines and regulatory attention. And unlike a retailer where customers might shop once and disappear, telecom customers have ongoing relationships. Monthly billing. Service calls. Equipment records. Years of data on each customer.

The attackers know this. The regulators know this. The class action lawyers know this. Telecom providers need breach response playbooks that account for all of these pressures simultaneously balancing threat actor tactics, legal exposure, regulatory requirements, and public perception. Technical forensics is one piece. Managing the other three is where most organizations struggle.

What Happens Next

If Crimson Collective's claims are legitimate, expect additional data samples to surface. That's their playbook. Pressure through incremental disclosure. Each new sample extends the news cycle and increases pressure on Brightspeed to respond.

Brightspeed customers should assume their data is compromised until proven otherwise. That means watching for phishing attempts that reference their service details. Being skeptical of calls claiming to be from Brightspeed support. Monitoring financial accounts for fraud.

For organizations watching this unfold, the lesson is about data correlation. Your customers' exposure doesn't exist in isolation. It exists alongside every other breach, every infostealer log, every credential dump they've been caught in. Defenders need to think about that aggregate picture, not just the breach in front of them.

When Grid Data Goes Dark Web

Mike Bell — Mon, 19 Jan 2026 23:15:56 GMT

Inside a threat actor's critical infrastructure targeting

In January 2026, 139 gigabytes of engineering data from a U.S. power infrastructure company appeared for sale on an underground forum. The seller wanted 6.5 Bitcoin. The data included LiDAR point clouds of transmission line corridors, substation configurations, and vegetation mapping for three major utilities.

The seller explicitly noted the data was "suitable for infrastructure analysis, modeling, risk assessment, or specialized research."

That language matters. The actor understands exactly what this data enables.

What the Data Contains

The breach targeted an engineering firm that provides surveying and design services to electric utilities. The stolen files include:

800+ LiDAR point cloud files mapping transmission corridors
High-resolution orthophotos of substations
MicroStation design files with line configurations
Vegetation analysis along rights-of-way

For a utility or engineering firm, this is operational data. For an adversary, this is reconnaissance gold. The files map exactly where power lines run, how they're configured, what vegetation threatens them, and where substations connect to the grid.

Why This Matters

Grid infrastructure has become a high-value target. Physical attacks on substations have increased in recent years. Cyber-physical attacks that combine digital intrusion with physical action remain a persistent concern in the intelligence community.

Data like this enables detailed planning. An adversary could identify vulnerable transmission corridors, understand redundancy patterns, or map critical interconnection points. The threat model here extends beyond financial cybercrime.

The Access Method

This wasn't a sophisticated attack on industrial control systems. It wasn't a supply chain compromise or zero-day exploit. According to public reporting on the same threat actor, the likely access method was testing infostealer-harvested credentials against cloud file-sharing platforms.

Someone at the company had their browser credentials stolen by commodity malware. Those credentials weren't protected by MFA. The threat actor logged in and extracted 139GB of sensitive engineering data.

The Pricing Signal

At 6.5 Bitcoin (roughly $600,000 at current prices), this is the highest-value individual listing we’ve observed from this actor. Compare that to a law firm breach listed at 0.09 Bitcoin or a furniture manufacturer at $1,500.

The pricing reflects what the actor believes the data is worth to potential buyers. Critical infrastructure data commands a premium. The buyer pool for this data includes parties with resources and motivations beyond simple financial crime.

Defensive Lessons

Organizations handling sensitive infrastructure data should treat that data like it's already being targeted. Specific recommendations:

Segment sensitive project data. Engineering files for critical infrastructure shouldn't sit on the same file-sharing platform as general corporate documents.

Enforce MFA without exception. Especially for any system accessible from the internet. The credential that got tested was probably years old. MFA would have made it worthless.

Monitor access patterns. Bulk downloads of sensitive files should trigger alerts. 139GB doesn't exfiltrate quietly unless no one is watching.

Vet third-party security. Utilities often rely on engineering contractors who have weaker security postures. Your security extends to everyone with access to your data.

Assume the perimeter is porous. Design controls assuming credentials will eventually leak. Because they will.

The Broader Pattern

This actor has listed data from 50+ organizations across 15 countries. Aviation. Healthcare. Government. Construction. Critical infrastructure is one target category among many. The common thread is opportunistic access via stolen credentials and absent MFA.

The infostealer economy doesn't discriminate. It harvests everything. Threat actors like Zestix specialize in identifying the high-value targets within that ocean of compromised credentials.

Critical infrastructure organizations need to understand they're operating in this environment. The threat isn't hypothetical adversaries with nation-state resources. It's financially motivated actors selling grid data to the highest bidder.

Mike Bell is Founder and CEO of Suzu Labs, building AI-powered platforms for meeting intelligence, business intelligence, and secure document processing. He brings a security-first perspective to threat analysis based on over two decades in cybersecurity spanning penetration testing, incident response, security architecture, and AI security.

The $150,000 Password

Mike Bell — Mon, 19 Jan 2026 23:08:12 GMT

How one threat actor turned stolen credentials into a global breach portfolio

Between December 2025 and January 2026, a single threat actor posted 25 data sales listings on a Russian-language cybercrime forum. The victims spanned 15 countries and every major sector from aviation to critical infrastructure. Prices ranged from free to $150,000.

The actor goes by "Zestix." And despite the sophisticated pricing and global reach, the attack method is almost embarrassingly simple.

No zero-days. No advanced malware. No chained exploits. Zestix parses old infostealer logs for cloud credentials and tests each one until something works. When MFA is absent, they walk right in through the front door.

The Infostealer Economy

Infostealers like RedLine, Lumma, and Vidar have become commodity malware. An employee downloads a pirated game or clicks a malicious link. The malware quietly harvests every saved password from their browser. Those logs get sold in bulk on underground markets. Buyers like Zestix sift through them looking for corporate file-sharing URLs.

ShareFile. Nextcloud. OwnCloud. These platforms hold sensitive documents. They're often exposed to the internet. And they're frequently protected by nothing more than a username and password.

The barrier to entry is essentially zero. Parse the logs for corporate URLs, try the credentials, take whatever access you get.

The Victim Portfolio

The scale is remarkable. We’ve seen Zestix's forum activity since the public reports emerged in early 2026 spanning back to just September of 2025. The confirmed victims include:

A U.S. engineering firm with LiDAR mapping data for major power utilities (listed for 6.5 Bitcoin, roughly $600,000)
A European airline with 77GB of aircraft maintenance programs and fleet configurations ($150,000)
A Canadian transit infrastructure project with geotechnical reports and construction risk assessments (1.8 Bitcoin)
A Brazilian military police healthcare provider (2.3 terabytes of medical records)
An Algerian logistics company with 123GB of customer data

The common thread across all 50+ confirmed breaches? Lack of MFA on externally accessible file-sharing platforms.

Beyond Credential Theft

Forum intelligence reveals Zestix operates at multiple capability tiers. The credential harvesting is volume play. But the actor has also shared detailed EDR evasion techniques for bypassing SentinelOne, provides operational support for investment fraud schemes, and claims to run real-time deepfake systems for video call social engineering.

The credential harvesting funds the operation. The higher-tier capabilities are available for high-value targets.

The Uncomfortable Truth

These companies weren't hacked by nation-state actors with unlimited resources. They weren't targeted by custom malware or sophisticated exploit chains. They were compromised because an employee's device got infected with commodity malware, and the organization never rotated the password or enabled a second factor.

Every single breach was preventable with basic security hygiene.

What Organizations Should Do

Enable MFA everywhere. Not SMS-based. FIDO2 keys or passkeys. Every externally accessible system, no exceptions.

Rotate passwords regularly. Some credentials in Zestix's portfolio sat in infostealer logs for years before exploitation. A malware infection from 2022 became a data breach in 2025.

Monitor for credential exposure. Services exist that scan dark web markets and infostealer dumps for your organization's credentials. When exposure is detected, immediate password reset and session revocation.

Assume breach. If you're running cloud file-sharing without MFA, operate under the assumption that someone already has the password.

The infostealer economy has made credential theft scalable and cheap. The only defense is making those credentials worthless through proper authentication controls.

Mike Bell is Founder and CEO of Suzu Labs, building AI-powered platforms for meeting intelligence, business intelligence, and secure document processing. With over two decades in cybersecurity spanning penetration testing, incident response, security architecture, and AI security, he brings a security-first perspective to threat analysis.