Palo Alto Defender’s Guide Refutes Mythos Claim

Palo Alto Networks published its latest Defender’s Guide on May 13, claiming that scanning its own product code with Anthropic’s Mythos model under Project Glasswing produced a vulnerability disclosure cycle several times the volume of a typical month.

Today’s advisory covers 26 CVEs (representing 75 issues) versus our usual volume (typically less than 5 CVEs in a month); none of which are being exploited in the wild.

And then their own advisory feed at security.paloaltonetworks.com contradicts their guide in at least three ways. The CSV at security.paloaltonetworks.com/csv is authoritative for severity, CVSS scores, product, version constraints, problem descriptions, and publication dates. I rely on it as the primary source for everything that follows. Basically showing that Palo Alto disagrees with Palo Alto.

The CSV report for May 13 returns twenty-three CVE-numbered entries plus one informational bulletin numbered PAN-SA-2026-0007 covering the monthly Chromium passthrough update for Prisma Browser.

The blog said twenty-six. That’s a mystery gap of at least three. The CVE-2026-02XX sequence spans 0238 through 0265. The following give me an HTTP 404 with no redirect on the PSIRT portal:

  • CVE-2026-0252
  • CVE-2026-0253
  • CVE-2026-0254
  • CVE-2026-0255
  • CVE-2026-0260

I can’t figure out yet whether these are being withheld pending coordinated disclosure with another vendor or assigned to a CVE Numbering Authority other than Palo Alto. I went looking for three and got stuck here.

All that being said, here’s the read-out. Severity is by Palo Alto. CVE-2026-0300 is included for context, but please note it does not get AI-credit and was disclosed eight days earlier. I’ll get to that in a second.

| CVE/SA | CVSS | Severity | Product | Class | Note |
|---|---|---|---|---|---|
| CVE-2026-0300 | 9.3 | CRITICAL | PAN-OS | Buffer overflow | active exploitation by CL-STA-1132; CISA KEV (added 2026-05-06); unauthenticated; disclosed 2026-05-05 |
| CVE-2026-0265 | 9.2 | HIGH | PAN-OS | Authentication bypass | CAS enabled on network-reachable mgmt iface; unauthenticated |
| CVE-2026-0264 | 9.2 | HIGH | PAN-OS | Buffer overflow (RCE) | unauthenticated; DNS proxy/server |
| CVE-2026-0263 | 9.2 | HIGH | PAN-OS | Remote code execution | unauthenticated; IKEv2 |
| CVE-2026-0262 | 8.7 | MEDIUM | PAN-OS | Denial of service | unauthenticated; Threat Prevention signatures block |
| CVE-2026-0261 | 8.6 | MEDIUM | PAN-OS | Command injection | admin-auth required |
| CVE-2026-0248 | 8.6 | MEDIUM | Prisma Access Agent | Certificate validation bypass | AitM positioning required |
| CVE-2026-0242 | 8.6 | MEDIUM | Trust Protection Foundation (ex-Venafi) | SQL injection | CyberArk-owned product line |
| PAN-SA-2026-0007 | 8.6 | MEDIUM | Prisma Browser | Chromium passthrough | upstream Chromium bundle |
| CVE-2026-0251 | 8.5 | MEDIUM | GlobalProtect App | Privilege escalation | local access required |
| CVE-2026-0247 | 8.5 | MEDIUM | Prisma Access Agent | Authorization bypass | |
| CVE-2026-0246 | 8.5 | MEDIUM | Prisma Access Agent | Privilege escalation | local access required |
| CVE-2026-0258 | 8.3 | MEDIUM | PAN-OS | SSRF | unauthenticated; IKEv2 cert URL fetching |
| CVE-2026-0257 | 7.8 | MEDIUM | PAN-OS | Authentication bypass | |
| CVE-2026-0250 | 7.7 | MEDIUM | GlobalProtect App | Buffer overflow | |
| CVE-2026-0244 | 7.7 | MEDIUM | Prisma SD-WAN | Certificate validation bypass | AitM positioning required |
| CVE-2026-0249 | 7.6 | MEDIUM | GlobalProtect App | Certificate validation bypass | AitM positioning required |
| CVE-2026-0240 | 7.4 | MEDIUM | Trust Protection Foundation (ex-Venafi) | Information disclosure | CyberArk-owned product line |
| CVE-2026-0241 | 7.2 | MEDIUM | Trust Protection Foundation (ex-Venafi) | Authorization bypass | CyberArk-owned product line |
| CVE-2026-0259 | 7.1 | MEDIUM | WildFire WF-500 | Arbitrary file read/delete | |
| CVE-2026-0243 | 7.1 | MEDIUM | Prisma SD-WAN | Denial of service | unauthenticated |
| CVE-2026-0239 | 7.1 | MEDIUM | Chronosphere Chronocollector | Information disclosure | third-party (Chronosphere) |
| CVE-2026-0256 | 6.9 | MEDIUM | PAN-OS | Stored XSS | admin-auth required |
| CVE-2026-0245 | 6.8 | MEDIUM | Prisma Access Agent | Information disclosure | |
| CVE-2026-0238 | 4.8 | LOW | Broker VM | Improper input validation | admin-auth required |

That gives us zero Critical, three High, twenty Medium, and one Low. The highest CVSS score in the AI-credited cohort is 9.2 for the three highs: an IKEv2 remote code execution flaw, a heap buffer overflow in DNS proxy and DNS server components, and a Cloud Authentication Service authentication bypass (see preconditions below).

Nine of the twenty-four include exploitability preconditions in the per-advisory Problem text:

  • Authenticated administrator access required (3): CVE-2026-0261 command injection, CVE-2026-0256 stored XSS, CVE-2026-0238 Broker VM input validation
  • Local privilege escalation against an attacker already on the endpoint (2): CVE-2026-0246, CVE-2026-0251
  • Adversary-in-the-middle positioning against certificate validation (3): CVE-2026-0244, CVE-2026-0248, CVE-2026-0249
  • Cloud Authentication Service enabled on a network-reachable management interface (1): CVE-2026-0265, a configuration the vendor’s own best-practice guidance has long advised against

These vulnerability classes are all very familiar to anyone with experience in static analysis tools running against a network appliance codebase. Buffer overflow in protocol parsers? Check. Certificate validation gaps? Check. Command injection behind administrator authentication? Check. Stored cross-site scripting in web consoles? Come on. Information disclosure in agent logs? Zzzzz. These findings are what commercial static analyzers like Coverity have produced against this product class for over twenty years. Palo Alto has written a post suggesting that the same-old same-old is suddenly a generational capability leap. But why?

The CyberArk Carve-out

The post explicitly excludes CyberArk vulnerabilities from the AI-credited count, on the grounds that CyberArk’s product security organization handles its own disclosure process. I guess I can go along with that carve-out. Except then I see three of the May 13 CVEs are issued against Trust Protection Foundation, the former Venafi product line that CyberArk acquired and that became part of Palo Alto Networks through the CyberArk acquisition:

  • CVE-2026-0240, sensitive information disclosure
  • CVE-2026-0241, multiple authorization bypass paths
  • CVE-2026-0242, SQL injection

Each carries a Palo Alto-assigned CVE identifier inside the Palo Alto May 13 advisories. The exclusion claim and the headline figure just crashed into each other. If the exclusion is meant to be real, then the AI-credited total drops to twenty CVEs. And we have even less reason to believe the 26 claimed.
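
The reconciliation worked through above (listed CVEs versus the claimed twenty-six, the holes in the ID sequence, the severity tally, and the CyberArk carve-out) can be reproduced mechanically. The following Python is an added example, not code from the original post or from Palo Alto; the four-column CSV layout and the `reconcile` function are assumptions, and the rows are constructed from the table on this page rather than downloaded from the PSIRT feed.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample: rows transcribed from the table on this page into a
# hypothetical four-column layout (the real PSIRT CSV has its own headers).
# CVE-2026-0300 is omitted: it was disclosed May 5, not in the May 13 batch.
SAMPLE_CSV = """id,cvss,severity,product
CVE-2026-0265,9.2,HIGH,PAN-OS
CVE-2026-0264,9.2,HIGH,PAN-OS
CVE-2026-0263,9.2,HIGH,PAN-OS
CVE-2026-0262,8.7,MEDIUM,PAN-OS
CVE-2026-0261,8.6,MEDIUM,PAN-OS
CVE-2026-0248,8.6,MEDIUM,Prisma Access Agent
CVE-2026-0242,8.6,MEDIUM,Trust Protection Foundation (ex-Venafi)
PAN-SA-2026-0007,8.6,MEDIUM,Prisma Browser
CVE-2026-0251,8.5,MEDIUM,GlobalProtect App
CVE-2026-0247,8.5,MEDIUM,Prisma Access Agent
CVE-2026-0246,8.5,MEDIUM,Prisma Access Agent
CVE-2026-0258,8.3,MEDIUM,PAN-OS
CVE-2026-0257,7.8,MEDIUM,PAN-OS
CVE-2026-0250,7.7,MEDIUM,GlobalProtect App
CVE-2026-0244,7.7,MEDIUM,Prisma SD-WAN
CVE-2026-0249,7.6,MEDIUM,GlobalProtect App
CVE-2026-0240,7.4,MEDIUM,Trust Protection Foundation (ex-Venafi)
CVE-2026-0241,7.2,MEDIUM,Trust Protection Foundation (ex-Venafi)
CVE-2026-0259,7.1,MEDIUM,WildFire WF-500
CVE-2026-0243,7.1,MEDIUM,Prisma SD-WAN
CVE-2026-0239,7.1,MEDIUM,Chronosphere Chronocollector
CVE-2026-0256,6.9,MEDIUM,PAN-OS
CVE-2026-0245,6.8,MEDIUM,Prisma Access Agent
CVE-2026-0238,4.8,LOW,Broker VM
"""

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d+)$")


def reconcile(csv_text, claimed, excluded_products=()):
    """Compare a vendor's claimed CVE count with what the feed lists."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    cves = [r for r in rows if CVE_RE.match(r["id"])]
    year = CVE_RE.match(cves[0]["id"]).group(1)
    present = {int(CVE_RE.match(r["id"]).group(2)) for r in cves}
    # IDs inside the observed range the feed never lists (one year assumed).
    missing = [f"CVE-{year}-{n:04d}"
               for n in range(min(present), max(present) + 1)
               if n not in present]
    return {
        "cve_count": len(cves),
        "bulletins": [r["id"] for r in rows if not CVE_RE.match(r["id"])],
        "shortfall": claimed - len(cves),
        "missing_ids": missing,
        "severity": dict(Counter(r["severity"] for r in rows)),
        "after_exclusion": sum(r["product"] not in excluded_products
                               for r in cves),
    }


if __name__ == "__main__":
    carve_out = ("Trust Protection Foundation (ex-Venafi)",)
    for key, value in reconcile(SAMPLE_CSV, 26, carve_out).items():
        print(f"{key}: {value}")
```

To run it against a live export, map the feed's real column names onto `id`, `severity` and `product` first; a missing ID only shows that the number is absent from this feed, not why.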

Non-AI Takes the Cake

Let’s just take a moment to also dwell on CVE-2026-0300, disclosed by Palo Alto eight days before the Defender’s Guide post. The advisory describes an unauthenticated buffer overflow in the User-ID Authentication Portal that allows a remote attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. The User-ID Authentication Portal, also called the Captive Portal, maps IP addresses to authenticated user identities for traffic the firewall cannot otherwise attribute. By design it accepts connections from unauthenticated users at the network edge.

CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities (KEV) catalog the following day. Federal civilian executive branch agencies operating under Binding Operational Directive 22-01 had until May 9 to remediate.

Unit 42 attributed the activity to a cluster designated CL-STA-1132 and characterized it as likely state-sponsored. Shodan identified approximately 225,000 internet-facing PAN-OS instances at the time of disclosure. The Unit 42 threat brief then records the first observed exploitation attempt against a Palo Alto device on April 9. Successful remote code execution followed approximately one week later. Project Glasswing launched on April 7. Is there any evidence at all that Mythos or any AI of any kind is to credit here? Palo Alto doesn’t seem to think so.

The patch for CVE-2026-0300 shipped on May 13, the same day Palo Alto published the Defender’s Guide claiming twenty-six AI-credited findings with none exploited in the wild. The CVE that drove the federal mandate was disclosed eight days earlier, attributed to attackers in production rather than to Mythos, and excluded from the twenty-six.

Think about it. We have seen this repeatedly since the Mythos FUD-balloon was launched. The most critical, most impressive finds have been reported by humans and not the Anthropic tools, inverting the headlines.

Cartel

Anthropic restricted Mythos to a vetted consortium of approximately forty enterprises on the grounds that its vulnerability discovery capability exceeded what general availability could safely support. The launch was accompanied by one hundred million dollars in Anthropic usage credits to participating organizations. On April 7, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an unannounced meeting at Treasury headquarters with the chief executives of the largest United States banks to discuss Mythos and the cyber risks it represents.

It read at the time like some kind of top-down business corruption, but we should all be patient to see if that’s what it really is.

The technical capability claim is the basis for the billionaire-consortium structure, the access restrictions, and the urgency framing that has since compressed from six to eighteen months in the April Defender’s Guide to three to five months in the May Defender’s Guide, with no methodology or science accompanying the contraction.

The first full month of Glasswing produced a Patch Wednesday batch consistent with what a competent static analysis pass produces against a network appliance codebase. It also produced a state-aligned remote code execution against the same product family that the AI scanner missed. The marketing text frames the first as evidence of generational defensive advantage. The second was disclosed eight days earlier and buried, even though it’s the one that counts the most.

The operational damage from the marketing trend is concerning.

Palo Alto customers reallocating budget on the basis of the urgency framing are moving spending away from operational basics like patch cadence, management interface segmentation, and captive portal exposure review, toward AI-flavored product spend that addresses a threat the cycle did not demonstrate.

I’m especially annoyed that Post Quantum is not getting sufficient attention these days.

The Defender’s Guide is so thick with “funnel” framing that it maps each recommendation to a Palo Alto SKU: Cortex Xpanse for attack surface management, Cortex XDR for endpoint detection, Prisma AIRS and the recently acquired Koi product for agentic endpoint security, Cortex XSIAM for the security operations center, and the new Unit 42 Frontier AI Defense service for the consulting tail. The SEC forward-looking-statements disclaimer at the bottom of the post gives away the true audience.

The institutional damage from the marketing trend is even more concerning.

The KEV catalog’s value to defenders depends on a listing being taken as the strongest available indicator of active exploitation at scale. The Defender’s Guide narrative depends on readers treating the May 5 disclosure and May 6 KEV listing as separable from the May 13 claim of a novel capability, a claim that the evidence doesn’t support. On what real basis should Palo Alto depreciate the KEV signal?

Anthropic’s Glasswing has the substance of a marketing partnership. The model vendor restricts access to a vetted consortium. The consortium attests to the capability that justifies the restriction to the consortium. The model vendor pays the consortium one hundred million dollars in usage credits. The consortium sells the products that follow from the attestation.

Mozilla, and now Palo Alto, have only cemented the view that Mythos is not really what is being sold to the public.

Sources.

Skinner’s AI: Assistance Reduces Persistence and Hurts Independent Performance

As I read a new paper about the effects of AI, I couldn’t help but notice the authors stumbled onto a clean withdrawal demonstration and could not see it because the field rewards sensationalist framing like “AI assistance reduces persistence”.

That is the kind of “novel” framing that gets you into Nature Human Behaviour or the equivalent. Saying something more authentic like “brief variable-reinforcement exposure produces measurable extinction-phase behavior” gets you into a time-machine for a 1970s journal nobody reads. Same data, totally different career path.

Let’s look carefully at the premise the entire paper is built upon. They have a designed experiment that administers a reliable hit of an engineered substance for ten minutes, then yanks it. The reliable hit is not “AI” in any general sense. It is an answer-vending machine pre-loaded with the solution, instructed to greet warmly, available on every problem.

The participant types a single word and receives a correct answer. That is not assistance. That is reinforcement delivery on a fixed-ratio schedule with one hundred percent reliability, which is the cleanest possible conditioning protocol short of direct electrode stimulation.

Bzzzt. Bzzzt. Bzzzt.

Then withdrawal. No taper, no warning, no transition. The instrument reliably answering every query for ten minutes evaporates. Now the participant is asked to perform on three problems while the experimenters measure the gap. The gap is real. The gap is also exactly what any conditioning protocol produces at the moment of extinction. Calling it “impaired independent performance” frames the post-withdrawal state as the true measure of capacity, when it is the measure of the withdrawal itself. The participant’s actual capacity was visible before the conditioning began. In Experiment 2’s pretest, the eventual direct-answer subgroup, the hints subgroup, the didn’t-use-AI subgroup, and the control group were statistically indistinguishable on both solve rate and skip rate.

This is cruel.

The IRB approved this as low-risk because the tasks are “short cognitive exercises” and nobody got hurt. By the standard ethical frame of physical harm, that is true. By the frame of what was actually done, the participants were placed in a brief but real conditioning-and-withdrawal cycle, told their performance was being measured, and then had their post-withdrawal behavior reported as evidence of cognitive damage they sustained from a technology.

The participants were told the AI was there to help them work through problems. They were not told the AI had been pre-loaded with the answer key for every problem they would see. That is the manipulation the entire effect rests on, and it was concealed from the subjects.

The mechanism the authors propose in the conclusion, hedonic adaptation on effort reference points, is correct and undermines their own framing.

Reference-point shifting under reliable access is the formal description of dependence formation. If a ten-minute exposure shifts the reference point measurably, what they have demonstrated is the speed of dependence onset under engineered conditions, not a property of AI use in the wild where access is intermittent, the assistant is not pre-loaded with answers, the responses are variable in quality, and no experimenter is about to remove the tool mid-task while measuring you.

There is a real phenomenon to study, if you use some common sense. Endoscopists whose unaided detection rates drop after months of routine AI-assisted colonoscopy, which is the Budzyń study the authors cite. Surgeons whose unaided technique degrades after years of robotic assistance. Pilots whose manual flying skills atrophy under decades of autopilot dependence. Those settings involve sustained exposure over months or years, naturalistic conditions, and outcomes that matter. A ten-minute Prolific session with a primed bot is not that. It is an analog model so simplified that it is an unfair representation.

What the paper is actually giving us is the within-subject pretest-to-test panel for the direct-answer subgroup, which shows that conditioning a person to expect immediate answers and then removing the source produces a measurable behavioral shift relative to where that person started ten minutes earlier.

No shit.

That is a withdrawal study finding.

If you admit what’s really going on and read it as a withdrawal study finding, it is interesting and consistent with eighty years of such operant literature. Got it, nothing novel here.

However, read as the title wants you to read it, there is huge overreach dressed in causal-RCT vocabulary. I’m no fan of the institutional affiliations, precisely because they are the kind of “authority” appeal that will bleed this nonsense into policy discussions where the methodological failures will not be sufficiently exposed.

Palantir Staff Access UK Identifiable Patient Data

Apparently winning against no competition has led to even worse things.

Palantir was awarded the FDP contract after winning a succession of pandemic-era deals, worth a combined £60 million, without competition.

How bad? Here’s the no competition winner readout.

Under previously agreed rules, Palantir staff working on the FDP could only access the National Data Integration Tenant (NDIT), a data repository for patient data before it is transferred to the “pseudonymized” analytics system, if they apply to access for specific data sets.

A document released by NHS England says that Palantir staff can get a new “admin” role and access the NDIT and its identifiable patient data. Other consultants working on the FDP will get similar access.

The briefing document, seen by the FT and confirmed by The Register, said granting access to the data to Palantir staff and others could “risk of loss of public confidence” in its assurances about “safeguarding patient data and ensuring appropriate use and access to it.”

What sits inside the NDIT? The medical history of roughly fifty million people, that’s all. And so you might ask why is the body certifying appropriate use doing the opposite, giving away the access it was meant to constrain?

Well, first of all, it’s shocking the UK has anything to do with Palantir. The company posted a manifesto, line-by-line Nazi propaganda, calling for the postwar denazification of Germany to be undone. The position requires treating Allied victory as an overcorrection. Yeah, Palantir is openly saying Hitler should have won and England should be speaking German today. Their CEO boasts that he spends much of his time talking with, in his own words, real Nazis. We can assume he means Peter Thiel.

There’s no reason for anyone to have any confidence in Palantir. None. Their software is a mess of moats to trap customers, as they peddle fear to amass data and seize control over entire nations. Consider that the pandemic procurement that placed Palantir inside the NHS was billed as an emergency, just so they could suspend competition. Palantir hates competition. The suspension allowed expansion of an operational footprint from which the FDP bid was later scored. The FDP contract then supplied the platform inside which a new admin role could be defined. Each authorization reduced public protection from Palantir.

Second, anyone who read Thiel’s bio, childhood in a German enclave with continuing Nazi sympathies into the 1980s, the father’s career building uranium infrastructure for apartheid’s clandestine nuclear weapons program, saw this coming. Public confidence in Palantir shouldn’t be discussed like losing it would change anything. The UK government rammed the most toxic, least transparent, company into their health system without any justification. Officials wrote into the procurement file that the public would object if the public knew, because Palantir, and authorized the harmful state anyway.

Third, the original restriction was a real thing that was meant to be defended instead of handed over to a company whose published manifesto endorses Hitler winning, or at least reversing the postwar denazification of Germany to make Nazism great again. Pseudonymization inside the NDIT existed because access to identifiable patient records is a category Parliament treats differently from access to aggregated statistics. The whole public case for the FDP rested on that restriction. The restriction is gone.

Chinese Spy Caught as Mayor: LA Suburb Loses its Leader

The Attorney General’s office in California has released a statement about encrypted messages sent via WeChat, used to file charges against a mayor.

For example, in June 2021, a PRC official contacted Wang and other individuals via the WeChat encrypted messaging application with pre-written news articles, including a PRC official-written essay in the Los Angeles Times that stated: “China’s Stance on the Xinjiang Issue – There is no genocide in Xinjiang; there is no such thing as ‘forced labor’ in any production activity, including cotton production. Spreading such rumor to do defame China, destroy Xinjiang’s safety and stability, weaken local economy, suppress China’s development[.]”

Minutes later, Wang posted the article on her own website and responded to the PRC official with a link to the article on her website. The others in the group chat did the same. The PRC official responded: “So fast, thank you everyone.”

In August 2021, Wang and three other members of the same group chat shared links to the same article on their respective “news” websites, after which the PRC official thanked them for their “reporting.” At the PRC official’s request, Wang made edits to the article, sent the official a link to the article reflecting the requested change, then sent the official a screenshot showing the article had been viewed 15,128 times. In response, the official messaged, “Great!,” Wang replied, “Thank you leader.”