Bulletin — April 2026

April 2026 is the month of the trilogue that doesn’t arrive — the AI Act Omnibus closes without agreement on 28 April, three months from the Annex III deadline. Patch Tuesday closes 165 CVEs with a SharePoint zero-day under active exploitation. Anthropic publishes Claude Mythos and Project Glasswing, the first serious experiment in “frontier model that is not made generally accessible” to contain its offensive capability. Pwn2Own Berlin collapses before starting due to submission oversupply. M&S reaches its anniversary and reporting on the UK retail wave of 2025 consolidates into M-Trends. AESIA closes the month publishing technical guides 13 and 14.

EU AI Act Omnibus — second trilogue without agreement

28 April: the second political trilogue of the Digital Omnibus on AI closes without agreement after twelve hours of negotiation. As we cover in this month’s technical, the blocking point isn’t the Annex III stand-alone date — there’s tripartite convergence around 2 December 2027. What blocks is the conformity assessment architecture for Annex I systems: how AI obligations articulate with existing sectoral legislation (Machinery Regulation, MDR, IVDR, motor vehicles). Parliament defends keeping the AI Act as an independent body; Council and Commission push for wide carve-outs.

The full quarterly chronology: 13 March (Council, partial mandate), 18 March (IMCO/LIBE, joint report 101–9), 26 March (first trilogue), 17 April (Council, revised mandate via doc 8260/26), 28 April (second trilogue, no agreement). Third trilogue scheduled for 13 May. If it doesn’t arrive before 2 August, the original text applies.

What’s operational in either of the two scenarios is detailed in the Annex III technical post: dual plan, complete technical file, QMS extended to ISO/IEC 42001, contact with notified bodies for Annex III point 1.a systems (the most procedurally blocked).

Sources: https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/ · https://www.twobirds.com/en/insights/2026/digital-omnibus-on-ai-trilogue-stalls-ahead-of-the-ai-act-deadline · https://www.europarl.europa.eu/RegData/etudes/BRIE/2026/782651/EPRS_BRI(2026)782651_EN.pdf

Anthropic Claude Mythos + Project Glasswing

7 April: Anthropic announces Claude Mythos Preview and, in parallel, Project Glasswing. Mythos is the most capable model the lab has trained, with demonstrated capability to find and exploit zero-days autonomously in operating systems and browsers. The flagship example cited in the announcement is a 17-year-old RCE in FreeBSD discovered and exploited end-to-end by Mythos in a controlled environment.

The decision that matters: Anthropic does not make Mythos generally accessible. The model is released under Project Glasswing to a group of fifty organisations — launch partners include AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks. Partners receive $100M in Anthropic credits to use Mythos defensively: scan their own software, find bugs before an attacker with an equivalent model does.

The framing is interesting for two reasons. First, it’s the first time a US frontier lab holds back general availability of a frontier capability model on explicit dual use offensive grounds. Capability evaluations with offensive uplift findings had triggered the RSP/Preparedness Framework before — Anthropic with Opus 4 in May 2025, OpenAI with o3-pro in September 2025 — but the response had always been “mitigation + GA with safeguards”. Mythos breaks the pattern: the mitigation is not giving wide access.

Second, it opens a two-speed market for cybersec. Glasswing partners will have access to an offensive-defensive capability the rest of the market doesn’t have during the preview period. For small defenders without access, the asymmetry is a concern — Bruce Schneier and Simon Willison publish notes in the following days with the same basic argument: “necessary, but leaves most of the market on the wrong side of the asymmetry”.

16 April: Anthropic completes the release matrix with Claude Opus 4.7 — public model, capabilities lower than Mythos per Anthropic’s own communication, but with additional safeguards that automatically detect and block requests with high-risk cybersecurity intent. Industry practice enters fully into the “capability ↔ safeguards” model as a visible negotiation.

Sources: https://www.anthropic.com/glasswing · https://red.anthropic.com/2026/mythos-preview/ · https://www.schneier.com/blog/archives/2026/04/on-anthropics-mythos-preview-and-project-glasswing.html · https://simonwillison.net/2026/Apr/7/project-glasswing/

Patch Tuesday — 165 CVEs, SharePoint zero-day active

14 April: Microsoft closes 165 CVEs in the second-largest Patch Tuesday in history (record still held by October 2025 with 183). Distribution: 8 critical, 2 zero-days. The accumulation of elevation of privilege as the dominant category continues — 93 patches (57%), above RCE (20, 12%).

The zero-days:

• CVE-2026-32201 — SharePoint Server Spoofing, CVSS 6.5. Improper input validation exploited actively in-the-wild before the patch. Cross-site scripting vector with escalation to integrity compromise. CISA adds it to KEV the same day, FCEB deadline 28 April. Relevant detail: it appears less than a year after SharePoint ToolShell CVE-2025-53770 — SharePoint remains a perennial target of campaigns associated with China-nexus actors thanks to the on-prem + poorly segmented perimeter combo.
• CVE-2026-33825 — Microsoft Defender Antimalware Platform Elevation of Privilege, CVSS 7.8. Publicly disclosed with PoC on GitHub on 3 April (BlueHammer), patched via auto-update. Local privilege escalation to SYSTEM.

The month’s critical isn’t either zero-day: CVE-2026-33824 in Windows IKE Service, CVSS 9.8, unauthenticated RCE via UDP packets on ports 500 and 4500. No reported exploitation at Patch Tuesday close but profile exactly like the 2025 IKE one — meaning it doesn’t stay unexploited for long. Any unpatched exposed VPN server is in queue.

Notable secondary block: CVE-2026-32190, CVE-2026-33114, CVE-2026-33115 in Microsoft Office (Word/Excel), CVSS 8.4, all exploitable via Preview Pane without needing to open the document. The phishing-to-RCE via attachment that pages through the preview remains a live operational category.

20 April and 22 April: CISA adds three additional batches to KEV that same month. Among the relevant high ones:

• CVE-2025-32975 (Quest KACE SMA), CVSS 10.0, improper authentication.
• Three CVEs in Cisco Catalyst SD-WAN Manager (CVE-2026-20122, 20128, 20133) — improper use of privileged APIs + passwords in recoverable format.
• CVE-2026-33825 (Defender) enters on 22 April after exploitation is confirmed.

Sources: https://msrc.microsoft.com/update-guide/releaseNote/2026-Apr · https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-april-2026/ · https://www.thezdi.com/blog/2026/4/14/the-april-2026-security-update-review · https://www.cisa.gov/news-events/alerts/2026/04/20/cisa-adds-eight-known-exploited-vulnerabilities-catalog

OpenAI GPT-5.5 + GPT-5.5-Cyber

23 April: OpenAI announces GPT-5.5 less than two months after GPT-5.4. Iteration change (not generation) with improvements in agentic coding, computer use, and deep research. The operational novelty is the cadence: OpenAI has moved to a bimonthly release cycle with visible increments on agentic benchmarks. The competitive framing is explicit: release speed is OpenAI’s response to the Anthropic-Mythos / Google-Gemini pattern.

The same day, OpenAI announces GPT-5.5-Cyber — model trained specifically for defensive cybersecurity, initially distributed to a closed group of critical cyber defenders (Altman’s phrasing; the subset isn’t published). The parallel with Glasswing is obvious although the model isn’t explicitly positioned as a response — defensive capability handed to a restricted group, not GA. Operational difference: Anthropic commits $100M in explicit credits; OpenAI doesn’t put an equivalent figure in the announcement.

The Q2 2026 pattern coming out of Mythos + GPT-5.5-Cyber: frontier labs are moving to a per-user-tier model segmentation, with offensive-defensive capability restricted to institutional partners. Open question: what happens to the same capability level when it reaches open weights — DeepSeek-V5 rumours for Q3 2026 frame the answer.

Sources: https://www.cnbc.com/2026/04/23/openai-announces-latest-artificial-intelligence-model.html · https://officechai.com/ai/after-anthropics-claude-mythos-openai-releases-gpt-5-5-cyber-a-cybersecurity-focused-model/

Pwn2Own Berlin — capacity overflow as a pre-event news item

11 March: Zero Day Initiative announces Pwn2Own Berlin 2026 with ten categories and, for the first time, a serious expansion of AI targets: AI databases, coding agents (Claude, Copilot, Cursor), local inference (Ollama, LM Studio) and an NVIDIA-specific track (CUDA Toolkit, NV Container Toolkit, Megatron Bridge). Over $1,000,000 in announced prizes.

End of April: ZDI announces that submission volume has overflowed the event’s operational capacity for the first time in 19 years. More than 150 researchers with working zero-day RCE chains are left without a slot. Some start publishing their work as vendor pre-disclosure during the last weeks of the month: RCE chains in Firefox, Ollama, LM Studio, PyTorch, Linux KVM, NVIDIA, Docker and Claude Code appear in independent advisories and posts before the 14-16 May event.

The read for the AI category: the local inference and coding agent ecosystem has an attack surface comparable to a browser a decade ago. Local inference servers like Ollama and LM Studio are privileged processes with arbitrary consumption of user files; coding agents like Claude Code and Cursor are code execution with broad permissions. The Pwn2Own AI track isn’t marketing — it reflects a surface that has shown up in enterprise production without passing through serious threat modeling.

The event runs 14-16 May (covered in next month’s bulletin). What April leaves on the record: the problem is registered before the event happens — there are more published bugs than the contest can process.

Sources: https://www.thezdi.com/blog/2026/3/11/announcing-pwn2own-berlin-for-2026 · https://hackread.com/pwn2own-berlin-2026-hits-capacity-hackers-0-days/ · https://www.thezdi.com/blog/2026/5/13/pwn2own-berlin-2026-the-full-schedule

Mandiant M-Trends 2026 — hand-off window falls to 22 seconds

23 March (with dominant analysis in April): Mandiant publishes M-Trends 2026 over 500,000 hours of incident response from 2025. The headline number is the drop in the hand-off window between initial access and secondary operation: eight hours in 2022, 22 seconds in 2025. It’s what the industry has been calling flash-ransomware — an IAB compromises, sells or hands off access, and the ransomware operator is in almost immediately.

Other report milestones relevant for 2026:

• Global average dwell time rises to 14 days (it was 11 in 2024). It rises because BRICKSTORM-style backdoors with extreme persistence rise — the report cites cases with dwell time close to 400 days.
• #1 initial access vector: vulnerability exploitation at 32% for the sixth consecutive year. Email phishing drops to 6% (significantly down). Interactive vishing rises to 11%, picking up the helpdesk pattern that the UK retail wave of 2025 industrialised.
• AI threats: the report introduces two new-mode families: PROMPTFLUX and PROMPTSTEAL which query LLMs at runtime to evade detection, and QUIETVAULT which detects local AI CLIs on the compromised host. Mandiant’s framing: AI is still not a primary cause of breaches; it remains an amplifier.
• Ransomware recovery denial: current priority targets are backup infrastructure, identity services, virtualization management planes. AGENDA (Qilin) and REDBIKE (Akira) as paradigmatic cases.

Source: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/

AESIA — guides 13 and 14, post-market monitoring + incident reporting

28 April: AESIA confirms the publication of Technical Guides 13 and 14 of the AI Act compliance framework. Block detail:

• Guide 13 — post-market monitoring for providers of high-risk systems. Operationalises Art. 72 with templates and procedures.
• Guide 14 — serious incident reporting regime. Operationalises Art. 73, with criteria to qualify as a serious incident + deadlines.

With this, AESIA completes 16 technical guides + 2 introductory + a toolkit of checklists and templates published during 2025-2026. It’s the state of the art of national guidance on the AI Act in the EU. The guides cover the full cycle: conformity assessment, risk management, technical documentation, human oversight, data governance, transparency, accuracy, robustness, cybersecurity, record-keeping, post-market surveillance, incident management.

AESIA’s footnote on the guides: they’re subject to revision after Digital Omnibus approval if it arrives. The toolkit with templates applicable to Annex III remains in beta pending the definitive date.

Source: https://aesia.digital.gob.es/en/present/resources/practical-guides-for-ai-act-compliance

M&S — anniversary and consolidation of the helpdesk playbook

25 April: anniversary of the attack on Marks & Spencer that opened the UK retail wave of 2025 (Co-op, Harrods, Adidas downstream). Twelve months on, the UK Cyber Monitoring Centre keeps the combined M&S + Co-op classification as a single combined cyber event with aggregated impact in the £270M-£440M band. The operational guide M&S gave in May 2025 of ~£300M in operating profit for FY2025/26 is confirmed as a real reference during quarterly reporting.

What’s changed in twelve months on the outsourced helpdesk supply chain: TCS publishes a full revision of identity verification procedures for UK retail customers during Q4 2025; NCSC publishes specific guidance in May 2025 on out-of-band verification with minimum criteria; several UK retailers have moved tier-1 helpdesk to internal operation or imposed contracts with a minimum security baseline. The regression pattern, per Mandiant’s reporting: Scattered Spider keeps sustained activity against retail and financial services in EU, US and APAC, but UK retail targets show significantly better resistance in Q1 2026.

Source: https://www.cybermonitoringcentre.com/our-events/2024-2025-co-op-marks-and-spencer-cyber-event/

Rest of the month

• CVE-2025-32975 (Quest KACE SMA) — CVSS 10.0, improper authentication with active exploitation before the KEV add. The CVSS 10 line in systems management tools (Quest KACE, ConnectWise, N-able) remains a perennial category; any enterprise endpoint remote management tool is a priority target.
• Verizon DBIR 2026 preview — the 2026 edition covers events from 1 Nov 2024 to 31 Oct 2025. Final publication expected in May (second annual structural report). Pattern confirmable in advance: vulnerability exploitation keeps rising as an initial vector; supply chain breaches double to 30%.
• Frontier Model Forum — operational pivot (during April): the FMF (Anthropic, Google DeepMind, Microsoft, OpenAI) reorients its research and policy profile toward threat intelligence sharing operations among members. The inflection is consistent with the Mythos and GPT-5.5-Cyber capability uplift materialising model weights theft as an explicit threat actor objective in the labs’ own reports.
• EDPB / EDPS joint opinion on Omnibus (published in March, echo in April) — warn that the Omnibus’s proposed easing of special category data processing impacts GDPR purpose limitation. Document cited by the EP in the 18 March joint report.
• Microsoft Recall — one year on (April operational echo): Recall hits one year of the controlled relaunch on Copilot+ PCs with VBS enclave + Windows Hello binding + AES-256-GCM. In March, Swiss researcher Alexander Hagenah publishes TotalRecall Reloaded, showing that the operational pattern Microsoft announced as mitigated remains replicable under certain conditions. Parallel readings in GeekWire and Windows Central at end of January on Windows 11’s AI push pullback. The original 2024 analysis remains the starting point.
• Pwn2Own Automotive 2026 — operational echo (event of 21-23 January, patch follow-up): Tesla, Sony, Alpine and Phoenix Contact publish patches during February-April closing most of the awarded CVEs (76 unique bugs, $1,047,000 in bounties paid). The 90-day post-event disclosure window remains operational and advisories keep appearing during Q2.

Cross-cutting pattern — the frontier model as restricted citizenship

April leaves an operational read on AI deployment strategy: the most capable model stops being the most accessible. Anthropic with Mythos and OpenAI with GPT-5.5-Cyber have set the pattern. The capability frontier will split, during 2026, into two segments: a commercial frontier accessible via API with strict safeguards, and an institutional frontier accessible only to designated institutional partners.

For long-tail defenders (those who won’t be in Project Glasswing or OpenAI’s critical cyber defenders group), the read is uniform: the attacker with access to a comparable-capability open-weights model is one release away. What’s contained during the preview period is cadence, not eventual diffusion. DeepSeek-V4 showed in December that open frontier capability is three to six months behind the closed one. The real defensive asymmetry is the period between a closed release and an equivalent open release.

What can be operationalised meanwhile:

1. AI-assisted vulnerability discovery on your own stack with available models — the “scan your own code with the best model you can access, before someone else does” pattern generalises from Glasswing to the rest.
2. Patch hygiene on legacy high-impact components. SharePoint, Exchange, enterprise MFT, Citrix appliances, Windows IKE — the Q1 2026 list is the same as Q4 2025’s.
3. Helpdesk hardening completed in large organisations; pending in mid-market — out-of-band verification, manager checkpoint, configurable time-delay. The M&S playbook keeps working against organisations that haven’t updated.
4. Dual AI Act plan — prep as if the deadline is 2 August; execute at sustainable speed under the assumption the Omnibus does arrive. The third trilogue on 13 May is the next sensitive date.

May will bring two posts: the technical cyber on Pwn2Own Berlin 2026 (AI agents + local inference category, with material to analyse the state of the production agentic ecosystem) and the bulletin with the result of the third Omnibus trilogue, final Pwn2Own figures, and the Verizon DBIR 2026 when it publishes.