SANS Institute

Computer and Network Security

Rockville, Maryland 369,724 followers

SANS is the most trusted resource for information security training, cyber security certifications and research.

About us

SANS is the most trusted and by far the largest source for information and cybersecurity training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - Internet Storm Center.

Industry: Computer and Network Security
Company size: 201-500 employees
Headquarters: Rockville, Maryland
Type: Privately Held
Founded: 1989
Specialties: Information Security Training, Digital Forensics Courses, Cyber Security Training, Security Awareness Training, Penetration Testing Courses, Application Security Courses, Security Leadership Courses, Industrial Control Systems Security Courses, cloud security courses, blue team operations courses, cyber security certifications, security awareness training, cyber security white papers, cyber security webcasts, and cyber security policies

Locations

  • Primary

    11200 Rockville Pike

    Suite 200

    Rockville, Maryland 20852, US

Updates

  • The burglar who used to spend days searching a thousand houses for two unlocked doors? That search takes seconds now. Every time. SANS Fellow Frank Kim spent a day in a room with the CISOs running the most advanced security programs in the world. No vendor decks. No polished keynotes. People comparing notes on work they actually shipped. What came out of it was uncomfortable: the vulnerability playbook that has worked for twenty years is breaking, and most of the industry hasn't felt it yet. Medium-severity findings you used to manage in the queue are a different animal when AI closes the discovery gap overnight. CVEs, CVSS, the open-source dependency model, all of it is under pressure in ways that are easier to feel in person than to describe in a report. That conversation happened in San Francisco. It continues June 8 in New York at Google and June 9 in Washington at Microsoft. Read Frank's full account and register: https://go.sans.org/X8ZrJN

  • SANS Institute reposted this

    🚨 New course alert! This one teaches how to #pentest enterprise AI systems from an adversary perspective. You will attack the systems organizations are actually deploying. Learn how adversaries steal model weights, exploit RAG pipelines and APIs connected to LLMs, abuse agents, defeat vision systems, and more through techniques including prompt injection, jailbreak persuasion, and model manipulation. Every attack comes with defensive context, so you walk away knowing not just how to break things but how to stop them. #SEC536 Adversarial AI - Penetration Testing AI Systems carries the field experience and knowledge from two incredible cybersecurity professionals, Foster Nethercott and Mick Douglas. ❤️🔥 Join Foster at #SANSFIRE, in person or virtually, and help shape the first public delivery of SEC536! 👉 https://buff.ly/e0QRYj4

  • 250 CISOs co-authored a strategy paper on AI security in a single weekend. This Monday in New York, the work continues. SANS Chief AI Officer Rob T. Lee and SANS Technology Institute President Ed Skoudis join leading CISOs at the Google-hosted AI Storm Strategy Summit to turn that paper into action. Short lectures, peer discussions, and working sessions focused on scoping the next round of strategy papers and building a standing CISO community that carries the work forward. The discussions will also build on the questions raised by Mythos and the AI Vulnerability Storm paper: what happens when vulnerability discovery accelerates faster than most security programs can adapt? If you want a say in what the next round covers, this is where that gets decided. Working CISOs, CSOs, and CROs only. The papers flow back to the wider community after the series. Spots are limited. Request yours: https://luma.com/kn2djk5v

  • Bruce Schneier, Fellow and Lecturer at the University of Toronto, makes the case directly that attacks are happening at AI speed, and defenses need to match. His argument isn't speculative. Automatic bug finding, vulnerability scanning, SOC assistance, the work that used to require a human at every step is now something AI can support across the board. The question for security teams isn't whether to adopt AI-assisted tools, it's how fast they can do it responsibly. That timeline pressure is real. Waiting for the technology to mature further while adversaries are already running AI-assisted attacks is not a neutral position. How is your organization thinking about AI on the defensive side? #AISummit #AI #AISecurity

  • The technical activity is the same. The intent isn't. And the law still can't always tell the difference. Katie Moussouris on why security researchers are still operating in legally murky territory, years after attitudes started to shift. More acceptance, yes. But also under-educated organisations and municipalities who can still make life very difficult for the people trying to help. "It's kind of up to the local authorities on whether or not they're going to take up a case." Full episode out now 🎙️ https://go.sans.org/S6QnkT Catch up on previous episodes here: https://go.sans.org/yjaSte

  • How organizations build and sustain cyber talent is changing fast. On June 24, industry leaders from SANS and Microsoft will walk through the 2026 Cybersecurity Workforce Research Report by SANS | GIAC and discuss what it means for how you hire, train, and build teams right now. The webcast covers AI's impact on cyber roles, the regulatory pressure reshaping hiring qualifications, and the shift away from headcount toward skills-based planning. If you manage a team or are trying to grow your career, both angles are covered. Register: https://go.sans.org/slI4pt #WorkforceStudy #WorkforceDevelopment #AI #CyberWorkforce

  • We asked speakers at the SANS AI Cybersecurity Summit what makes it worth showing up. Practitioners, government representatives, and corporate security leaders kept coming back to the same thing: the conversations that happen between sessions. The ability to sit across from someone facing the same problems, compare notes on what is actually working, and pressure-test your thinking against people who will tell you when you are wrong. The AI conversation in security moves fast enough that what was uncertain six months ago is operational today, and what sounds certain today may not age well. A summit is one of the few places where you can hear what practitioners are actually doing, not what vendors are selling or analysts are predicting. What brings you to a SANS Summit? And what do you walk away with that you could not have gotten otherwise? #AISummit #AISecurity #AI

  • SANS Institute reposted this

    The executive order signed Tuesday asks AI developers to give the federal government up to 30 days with a frontier model before anyone else gets it. The draft floated 90. Security people wanted as much warning as they could get. The labs wanted less. At 30 days, nobody got what they asked for, which is usually how you know a compromise is real. (Both sides are now sufficiently disappointed. On schedule.) 30 days isn't a fix, though. It's a hurricane warning. You board the windows, you move the boat, and the storm still makes landfall. The buffer buys preparation, not prevention, and it only counts if you do something with it. The part nobody's arguing about: access to these capabilities is not equal, and it won't be. JPMorgan and Amazon will be fine. The order names rural hospitals, community banks, and local utilities as a concern, then leaves them a discretionary "where appropriate" while early access goes to trusted partners selected with the government. The hospital in Springfield sits at the back of that line. And closing your source code doesn't save you. Source code analysis is where #Mythos is focused right now, which is why open source gets scanned first, but it does black box exploitation just as well. Nation-state teams have broken Microsoft, Apple, and Google for years without ever seeing their source. The vulnerabilities get found either way. (Adversaries don't wait for their tier assignment.) Under all of it is the oldest question in cyber defense: what is the government actually responsible for? The critical infrastructure everyone is worried about sits in private hands. The military can't defend a bank's network. The FBI takes the report after the breach. CISA runs real threat intelligence and coordination, but it doesn't have the authority to operate inside a private company and defend it. When Volt Typhoon and Salt Typhoon hit American infrastructure, they hit private companies, because that's where the front line is. 
(I came up through the military side. That gap still bothers me.) The order doesn't solve any of this. It documents the threat and starts the argument, and the risk now is that people read "signed" as "handled." The work is what the community builds during the buffer, which is why Gadi Evron, Rich Mogull, and I, with Cloud Security Alliance, SANS Institute, and [un]prompted, are running closed-door CISO sessions in DC (luma.com/jzr25473), New York (luma.com/kn2djk5v), and San Francisco. The people in the fight, writing the playbook before the vendors write it for us. If you're a senior security leader, you should apply to attend. Read the Mythos-ready security program paper: https://lnkd.in/g2G-x9q4 CISOs: do you actually know where your organization sits in that access structure? If not, that's worth finding out this week.

  • 60% of security leaders cite the skills gap as their #1 workforce challenge in 2026, up from 52% last year (2026 SANS Cybersecurity Workforce Research Report). That gap extends beyond the security team. Business-side security skills matter just as much. SANS Field CISO and VP of AI Security Chris Cochran puts it plainly: "Closing the gap comes down to one word: intention." Training can't be a checkbox or a one-time event. It requires deliberate investment in the human layer across the organization, building continuous learning into how teams operate, not just how they onboard. Read Mary K. Pratt's full piece in CSO Online for the other five gaps every CISO should be addressing now. https://lnkd.in/eKGB2A2y
