Everyone loves a “trusted app” until it turns into a long-lived permission slip with better branding.

The platform can stay technically unbroken and you still get cleaned out. That gap is the problem.

Everyone wants the AI bug hunter.

Fewer people want the patch clock that comes with it.

That’s the part getting buried under the stage fog: if the models are better at finding and understanding real bugs, your org does not get safer by applause. It gets safer if it can move before somebody else does.

Everyone saw the PLC headline and immediately built their whole Iran take around exposed controllers. Cool. The nastier question is what happens when the next move comes through identity, admin planes, or some target class nobody staffed for.

A lot of orgs “secured” GitHub Actions by pinning to tags, which is a fun strategy if you enjoy finding out your trusted scanner now has initial access. CI trust is getting weird in ways most runbooks still don’t cover.

“Fraud” makes it sound random. It isn’t. It’s identity infrastructure with a cash-out layer. Same proofing gaps, same rails, same reusable parts. People keep chasing claims instead of the production line.

Everyone’s hunting “AI attacks.” Meanwhile the ugly money is still in trusted pages, stolen sessions, and users politely pasting the command for them.

Iran cyber risk is not about whether they’ll be active. They will. The real question is whether the next 8 weeks produce a publicly attributed, materially disruptive hit with a new twist beyond the usual password-spray sludge. Tenant sabotage is the part to watch. 👀🔥