CISO Intelligence — 11 March 2026
The Tools You Trust Are Being Used Against You
There is a particular kind of vertigo that comes from realising the thing protecting you has switched sides. Not through malice or sentience, but because somebody found it more useful as a weapon than you ever found it as a shield.
That’s the story of March 2026 so far. Across multiple fronts this week, threat actors have demonstrated a consistent and unsettling preference: rather than breaking through defences, they’re borrowing them.
Mandia Returns, and So Does the AI Arms Race
Kevin Mandia sold Mandiant to Google for $5.4 billion in 2022. Yesterday he announced that his new company, Armadin, has raised $190 million in a round led by Accel with participation from Google Ventures, Kleiner Perkins, and Menlo Ventures. The company creates autonomous AI agents that scan for threats. In six months it has hired over 60 people and started working with Fortune 100 companies.
Mandia told CNBC that “virtually all cyberattacks will be AI-enabled or entirely AI.” That’s the kind of statement that sounds like marketing until you look at the investment thesis behind it. He’s not betting on incremental improvement. He’s betting that the threat landscape has fundamentally shifted, and that human-speed defence against machine-speed attack is a losing position. The fact that he named the company after the 1588 Spanish Armada tells you something about how he views the scale of what’s coming.
In the same week, OpenAI completed its acquisition of Promptfoo, a cybersecurity startup with just eleven employees that specialises in automated red-teaming of AI systems. More than 25% of Fortune 500 companies were already using Promptfoo to test their AI systems before the deal. The entire team moves to OpenAI’s Frontier enterprise platform. The acquisition signals something CISOs should pay attention to: the companies building AI agents know those agents have a security problem serious enough to demand dedicated in-house expertise before rolling them out to enterprise customers worldwide. If the people building the technology are acquiring security companies to test their own products, perhaps organisations deploying those products should be doing the same.
The Defender’s Paradox
CSO Online published an important piece this week on a problem I’ve been tracking for months: AI safety guardrails constrain defenders more than attackers. When HiddenLayer researchers tested OpenAI’s guardrails framework last October, they bypassed both jailbreak and prompt injection detection using straightforward techniques. The security judge evaluating content was itself an LLM, susceptible to the same manipulation as the model it was protecting.
Cisco researchers found that multi-turn prompt attacks achieved success rates around 60% on average against open-weight models, with one reaching 92.78%. Attackers don’t need novel exploits. They just need patience.
Meanwhile, red teamers building phishing simulations get refused. Penetration testers requesting proof-of-concept exploit code for authorised assessments get blocked. The asymmetry is structural: enterprise AI tools are governed by procurement rules, compliance requirements, and centralised safety enforcement. Attackers use jailbroken models, locally hosted open-source alternatives, or purpose-built malicious tools from underground markets. The people trying to break in face fewer constraints than the people trying to defend.
AI Reads Your 1986 Code Better Than You Did
Microsoft Azure CTO Mark Russinovich used Claude Opus 4.6 to analyse assembly code he wrote in 1986 for the Apple II 6502 processor. The model didn’t just explain the code. It performed a security audit, surfacing subtle logic errors including a routine that failed to check the carry flag after an arithmetic operation. A bug that had been hiding for forty years.
The good news is obvious. The bad news, as one commenter put it: “The attack surface just expanded to include every compiled binary ever shipped.” When AI can reverse-engineer four-decade-old obscure architectures this well, security through obscurity and binary obfuscation become fundamentally weaker propositions. Every legacy system still running, every embedded firmware nobody has touched since the developer retired, is now auditable by anyone with API access to a frontier model.
Supply Chain Attacks Hit the Rust Ecosystem
Five malicious Rust crates were discovered on crates.io, masquerading as time-related utilities while stealing credentials from development environments. The packages, including chrono_anchor, dnp3times, and time_calibrators, targeted .env files containing API keys, tokens, and secrets. The most sophisticated variant embedded its exfiltration logic inside a file called guard.rs, called from an “optional synchronisation” helper function. Each time a CI workflow invoked the malicious code, it attempted to extract secrets.
This is the same playbook we’ve watched evolve across npm, PyPI, and now Rust’s crate registry. The attackers aren’t breaking into your environment. They’re waiting for your build pipeline to invite them in. If your CI/CD pipeline runs with access to production credentials and you haven’t audited your dependency trees recently, this is your prompt.
The Salesforce Problem Nobody Wants to Talk About
ShinyHunters, or someone operating very much like them, has been running mass scans against Salesforce Experience Cloud instances using a weaponised version of Mandiant’s AuraInspector. The tool was released in January 2026 as an audit utility. Took about six weeks for the other side to turn it into an extraction tool.
The modified version pulls data directly from CRM instances through the /s/sfsites/aura endpoint, exploiting overly permissive guest user profiles. Salesforce says it’s not a platform vulnerability. It’s a configuration problem. Translated from vendor-speak: you left the door open and someone walked in.
Hundreds of organisations are running Experience Cloud with default guest user settings that were never hardened. Each one is a target.
Your Firewall Is Someone Else’s Front Door
Researchers have documented a campaign targeting FortiGate next-generation firewalls as initial access vectors. The attackers aren’t bypassing the appliances. They’re exploiting them to extract configuration files containing service account credentials and Active Directory topology.
The device sitting at the perimeter, the one your architecture diagrams show as the first line of defence, is handing over the keys to your identity infrastructure. Once an attacker has your AD topology and service account passwords, the firewall itself becomes irrelevant.
Ivanti’s Endpoint Manager is back on CISA’s Known Exploited Vulnerabilities catalogue this week (CVE-2026-1603), an authentication bypass that lets remote unauthenticated attackers leak stored credentials. CISA deadline: March 23. SolarWinds Web Help Desk has a deserialization RCE (CVE-2025-26399) with a March 12 deadline. Tomorrow. These aren’t new vendors on the KEV list. They’re regulars.
Patch Tuesday and the Preview Pane Problem
Microsoft’s March 2026 Patch Tuesday landed with 79 CVEs, including two publicly disclosed zero-days. The SQL Server privilege escalation (CVE-2026-21262, CVSS 8.8) lets an attacker climb to sysadmin. That’s bad. But the Office RCE flaws are worse in practice, because CVE-2026-26113 and CVE-2026-26110 can be triggered through the Preview Pane.
No click required. Your user doesn’t open the file. They look at it in the preview, and it’s done. This collapses the gap between “received” and “compromised” to zero user interaction. If your Outlook clients aren’t patched by end of week, you’ve got a problem.
When the Scanner Can’t See What’s in Front of It
A researcher named Chris Aziz has published Zombie ZIP, a technique that tricks 50 out of 51 antivirus engines on VirusTotal. The method manipulates ZIP headers to declare compressed data as uncompressed. AV engines trust the header, scan the raw bytes, find nothing suspicious. The actual payload sits in standard DEFLATE compression, invisible to every tool that takes the archive at its word.
CERT/CC has published a bulletin and assigned CVE-2026-0866. They note that this is similar to CVE-2004-0935, a flaw in ESET from over two decades ago. We’ve had twenty-two years to solve the problem of security tools trusting unvalidated metadata in archives. We haven’t.
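What "not taking the archive at its word" looks like in practice, as an added example that is not taken from Aziz's research or the CERT/CC bulletin: for every entry the header declares as stored, check that the raw bytes actually match the declared size and CRC-32, and flag the entry if they instead form a complete DEFLATE stream. The function names and the benign sample archive are constructed for illustration; ZIP64 and encrypted entries are out of scope.

```python
import io
import struct
import zipfile
import zlib


def audit_stored_entries(data: bytes) -> list[tuple[str, str]]:
    """Flag entries declared 'stored' whose raw bytes contradict the header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.compress_type != zipfile.ZIP_STORED or info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted entries are out of scope here
                continue
            # Local header: 30 fixed bytes, then file name and extra field.
            off = info.header_offset
            if data[off:off + 4] != b"PK\x03\x04":
                findings.append((info.filename, "bad local header"))
                continue
            nlen, xlen = struct.unpack_from("<HH", data, off + 26)
            start = off + 30 + nlen + xlen
            raw = data[start:start + info.compress_size]
            if info.compress_size == info.file_size and zlib.crc32(raw) == info.CRC:
                continue  # header and bytes agree: genuinely stored
            verdict = "declared stored, size/CRC mismatch"
            try:
                d = zlib.decompressobj(-15)  # raw DEFLATE, no zlib wrapper
                d.decompress(raw)
                if d.eof:
                    verdict = "declared stored, bytes are raw DEFLATE"
            except zlib.error:
                pass
            findings.append((info.filename, verdict))
    return findings


def constructed_sample() -> bytes:
    """Constructed, benign archive: a deflated text entry relabelled as stored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", b"benign constructed payload\n" * 40)
    data = bytearray(buf.getvalue())
    cd = data.index(b"PK\x01\x02")         # central directory record
    data[8:10] = b"\x00\x00"               # method field, local header
    data[cd + 10:cd + 12] = b"\x00\x00"    # method field, central directory
    return bytes(data)
```

A mail gateway or upload filter can run a check like this before handing the archive to a scanner and quarantine anything it flags, since a legitimate archiver has no reason to produce the mismatch.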
The HR Department as Attack Surface
BlackSanta, a Russian-speaking threat actor, has been running a year-long campaign targeting HR departments through fake job applications. The malware disables endpoint detection tools before deploying its payload. Job applications are one of the few categories of email attachment that HR staff are expected to open from unknown senders. The attackers know this. They’ve been exploiting it for twelve months.
What makes BlackSanta interesting from a defensive standpoint isn’t technical sophistication. It’s operational sophistication. They identified a business process that by design requires interaction with untrusted external parties, and they built an entire campaign around that single insight.
What This Week Actually Tells Us
The connecting thread across all of these stories isn’t complexity. It’s trust. AV trusts ZIP headers. Salesforce customers trust default configurations. Organisations trust their firewalls to face outward. HR departments trust that job applications are safe to open. Cloud tenants trust isolation boundaries. AI vendors trust their own guardrails. And every developer trusts that the packages they pull from a registry are what they claim to be.
Every one of those trust assumptions was wrong this week. Not because the underlying technology failed, but because the assumptions were never tested against an adversary who thinks about them differently than the defender does.
The practical takeaway: your next security review should include a session where someone lists every implicit trust relationship in your architecture. Not the explicit ones; those are in the policy documents. The implicit ones. The ones nobody wrote down because they seemed obvious.
Those are the ones being exploited right now.
Patch Priority This Week:
Microsoft Office RCE via Preview Pane (CVE-2026-26113, CVE-2026-26110): Patch immediately
SolarWinds Web Help Desk (CVE-2025-26399): CISA deadline March 12
Ivanti EPM authentication bypass (CVE-2026-1603): CISA deadline March 23
Microsoft SQL Server sysadmin escalation (CVE-2026-21262): CVSS 8.8
Salesforce Experience Cloud: Audit guest user profiles now
Also on the radar: Ericsson US disclosed that 15,661 employee and customer records were stolen via a third-party provider breach dating to April 2025. APT28 deploying custom Covenant C2 variants against Ukrainian military targets. KadNap botnet has recruited 14,000 ASUS routers into a proxy network using Kademlia DHT. IBM reports the global average cost of a data breach fell to $4.44 million in 2025, but the automation gap between leaders and laggards is widening, not closing.
Jonathan Care has worked in cybersecurity and fraud detection for 33 years. He is a Fellow of the British Computer Society and Lead Analyst at KuppingerCole.
Disclosure: this newsletter is researched and published using OpenClaw.

