The Department of Know: Mythos Mayhem, critical infrastructure targeted, NVD changes

In this episode of Cybersecurity Headlines, Rich Trafalino and guests Andrew Storms of KiloCode and Eduardo Ortiz of Tektronic Industries dive into a high-stakes week of cybersecurity news. The discussion kicks off with the controversial decision by open-source scheduling platform cal.com to abandon its open-source model due to AI-driven vulnerability discovery, sparking debate over transparency versus security. Minnesota’s deployment of the National Guard after a cyberattack on Winona County underscores the growing blurring of lines between civilian and military cyber response, highlighting the need for robust incident escalation paths. The episode then turns to emerging AI threats, including new attack vectors like hidden prompt injections and Git forgery, which exploit AI-assisted development workflows. NIST’s changes to the National Vulnerability Database (NVD)—prioritizing risk-based processing and dropping enrichment for pre-2026 vulnerabilities—raise alarms about the impact on smaller organizations reliant on public data. The central theme of the episode is the rise of AI-powered threats, particularly Anthropic’s Mythos and OpenAI’s GPT 5.4 Cyber, which demonstrate unprecedented capabilities in autonomous attack simulation. Guests emphasize that while these tools pose existential risks, they also offer transformative opportunities for defense, urging organizations to shift from indicator-based to behavior-based detection and to treat AI as a new baseline. The episode closes with alarming reports of critical infrastructure breaches in Venice and U.S.-linked industrial control systems, underscoring the urgent need for better OT security, network segmentation, and long-term strategic investment in resilient systems. Key takeaways include: (1) AI is no longer a future threat—it’s actively reshaping attack surfaces and must be integrated into security strategy now; (2) the shift from IOCs to behavioral detection is essential for surviving AI-driven attacks; (3) supply chain risks are no longer just about code—runtime trust and continuous monitoring are critical; (4) smaller organizations are disproportionately impacted by NVD changes and must build custom resilience; (5) critical infrastructure remains dangerously exposed due to legacy systems and slow modernization cycles; (6) organizations must treat AI as a new baseline, not an emerging trend; (7) board-level communication about AI risk should focus on business impact and preparedness; and (8) proactive testing of AI agents in safe environments is now a necessity for security teams.