The threats are evolving. So is our leadership. James Lyne is now CEO of @SANSInstitute. The next chapter starts now. 👏 Watch the full announcement → linkedin.com/feed/update/urn… #SANSInstitute #Cybersecurity

.@robtlee Mythos-era guidance hasn't changed with Anthropic's #Fable5 launch, but the model's safety classifiers are already blocking defensive research. His take in @DarkReading darkreading.com/vulnerabilit…

The best branding companies in the world got custom domain extensions in 2012. Most did nothing with them. SANS President @edskoudis on why .brand domains are still an open question. @ITBrew itbrew.com/stories/what-is-a…

"You can no longer afford to be an AI skeptic." Chris Cochran on why defenders need to fight fire with fire and what happens if they don't. Listen now: go.sans.org/EghYei Catch up on previous episodes now: go.sans.org/yjaSte

SANS and @CISecurity just bundled secure cloud infrastructure with hands-on training, now available together on AWS Marketplace. go.sans.org/VPmmtl

SANS Chief AI Officer @robtlee tested Fable 5. What his findings mean for defenders. csoonline.com/article/418309…

Is every level of your organization ready for a breach — from the SOC to the C-suite teams? Practice #CyberCrisis response with SANS and build alignment across technical and executive teams to prevail at every level. ⚖️ sans.org/u/1qaC #Leadership #BusinessStrategy

#SANSFIRE 2026 is July 13-18 in Washington, D.C. 34 courses. Live @sans_isc Command Center. NetWars. Joshua Wright keynoting on AI and zero-day discovery. In-person and virtual. Register here: go.sans.org/svZZAZ #SANSLiveTraining

(4 DAYS BEFORE SUBMISSIONS CLOSE) I get this question a lot about the Find Evil! hackathon: What does “find evil” actually mean? In this case, the name comes from a real command. I built an autonomous incident response agent I built on the SIFT Workstation. Then I typed “find evil” as a prompt into Claude Code. And it did (watch the demo). I was blown away to watch the autonomous agent run a complete C drive forensic analysis, across 200 tools via MCP. The agent identified threat actor and context, the attack chain, malware deployment method, persistence mechanisms, code injection analysis, network connections, command-and-control (C2) infrastructure, a complete malicious process tree, and a chronological activity timeline. Two days after I shared initial findings, Anthropic released their report on how threat actors were deploying Claude Code with operational tools and letting it go do evil. (Same thing I was doing.) Find Evil! is the first hackathon dedicated to building autonomous AI agents for incident response. 4,178 defenders are working on final Find Evil! hackathon submits. (This number makes me very happy to see so many diving in. And wishing that the thousands more in our community were experimenting with us.) Your job: teach an AI agent to think like a senior analyst, how to sequence its approach, recognize when something doesn’t add up, and self-correct when it gets it wrong. There are FOUR DAYS left to build with us! (Very few of us are actual AI experts. The rest of us including me are learning.) Register: findevil.devpost.com Apply to judge: We need DFIR, AI, cybersecurity, and open-source reviewers who can separate useful autonomous response tools from polished demos. Apply: findjudges-9kvkxt6m.manus.sp… I am SO EXCITED to see what comes out of this hackathon and goes back to the community. Sponsored by @SANSInstitute

⏳ Don't wait for the Fall. @SANS_EDU graduate certificate programs accept applications monthly. Explore your options: go.sans.edu/kG0z0P

Anthropic mapped a six-step workflow for AI-assisted vulnerability discovery. The skill gap it exposes is worth understanding for pentesters. 1,596 vulnerabilities disclosed. 97 patched. go.sans.org/ZgudNL

Blocking AI doesn't make it go away. It makes it invisible. You can't govern what you can't see. Our newest eBook shows the way out. 👇 Stop blocking. Start governing. The SANS AI Security Maturity Model™ eBook shows you how: go.sans.org/PJjMWh #AIGovernance #InfoSec

📣 Maryland just opened three new paths into cybersecurity. Free, grant-funded training across Core Cybersecurity, ICS/OT Security, and AI Security tracks. Applications close June 30. 📰 Read the full announcement: go.sans.org/m3TVVo

Compliance is redefining today’s #CyberWorkforce. #NIS2, #CMMC, and #DORA are driving new expectations for roles, skills, and accountability. That shift is already impacting how teams hire and train. Explore the data: go.sans.org/S2doPM #WorkforceDevelopment

"It's a hurricane warning, not a seawall." — @robtlee on the 6-12 month window before China matches U.S. frontier AI cyber capabilities. @Politico politico.com/news/2026/06/07…

Your expertise matters — contribute to SANS Research by taking one of these surveys: 1️⃣ Share your real-world cloud security challenges and help shape practical, community-driven security strategies. Take the survey 👉 go.sans.org/QimqCB 2️⃣ Share your ICS/OT insights and help strengthen critical infrastructure defense globally. Take the survey 👉 go.sans.org/iPqLMV 3️⃣ Share your insights on exposure discovery, prioritization, remediation, and automation. Take the survey 👉 go.sans.org/xLz8JM #CloudSecuritySurvey #ICSSecuritySurvey #ExposureManagementSurvey #SANSResearch

SANS Fellow Frank Kim (@fykim) spent a day in a room of CISOs where it became undeniable: the vulnerability playbook that has worked for 20 years is breaking. That conversation continues in NYC and DC this week. CISO-only sessions. His full account here: go.sans.org/cOaySf

Security research and criminal hacking look identical on paper. Katie Moussouri on why that's still a problem for researchers. Full episode out now 🎙️ go.sans.org/MR0wiB Catch up on previous episodes now: go.sans.org/yjaSte

How organizations build cyber talent is changing. On June 24, leaders from SANS and Microsoft will walk through finding from the 2026 Cybersecurity Workforce Research Report by SANS | GIAC live. Register: go.sans.org/Hj7gGx #WorkforceDevelopment #CyberWorkforce

📘 The 2026 @SANS_EDU Research Review Journal is officially live. Explore peer-reviewed findings from the next generation of cyber leaders: go.sans.edu/x7lvkC

The executive order signed Tuesday asks AI developers to give the federal government up to 30 days with a frontier model before anyone else gets it. The draft floated 90. Security people wanted as much warning as they could get. The labs wanted less. At 30 days, nobody got what they asked for, which is usually how you know a compromise is real. (Both sides are now sufficiently disappointed. On schedule.) 30 days isn't a fix, though. It's a hurricane warning. You board the windows, you move the boat, and the storm still makes landfall. The buffer buys preparation, not prevention, and it only counts if you do something with it. The part nobody's arguing about: access to these capabilities is not equal, and it won't be. JPMorgan and Amazon will be fine. The order names rural hospitals, community banks, and local utilities as a concern, then leaves them a discretionary "where appropriate" while early access goes to trusted partners selected with the government. The hospital in Springfield sits at the back of that line. And closing your source code doesn't save you. Source code analysis is where Mythos is focused right now, which is why open source gets scanned first, but it does black box exploitation just as well. Nation-state teams have broken Microsoft, Apple, and Google for years without ever seeing their source. The vulnerabilities get found either way. (Adversaries don't wait for their tier assignment.) Under all of it is the oldest question in cyber defense: what is the government actually responsible for? The critical infrastructure everyone is worried about sits in private hands. The military can't defend a bank's network. The FBI takes the report after the breach. CISA runs real threat intelligence and coordination, but it doesn't have the authority to operate inside a private company and defend it. When Volt Typhoon and Salt Typhoon hit American infrastructure, they hit private companies, because that's where the front line is. (I came up through the military side. That gap still bothers me.) The order doesn't solve any of this. It documents the threat and starts the argument, and the risk now is that people read "signed" as "handled." The work is what the community builds during the buffer, which is why @gadievron, @rmogull, and I, with @cloudsa, @SANSInstitute, and [un]prompted, are running closed-door CISO sessions in DC (luma.com/jzr25473), New York (luma.com/kn2djk5v), and San Francisco. The people in the fight, writing the playbook before the vendors write it for us. If you're a senior security leader, you should apply to attend. Read the Mythos-ready security program paper: labs.cloudsecurityalliance.o… CISOs: do you actually know where your organization sits in that access structure? If not, that's worth finding out this week.