CyberCX 2026 Hack Report — Synthesis

Source: CyberCX Security Testing & Assurance (STA), Hack Report — Insights from CyberCX offensive security testing. Australia/New Zealand edition. Foreword: Jason Edelstein, Global Executive Director, Security Testing and Assurance, CyberCX. Lead author: Dimitri Vedeneev, Executive Director, Secure AI, CyberCX. Lead editor: Liam O’Shannessy. Section authors include Dexter Gillman, Raafey Khan, Kris Bergamaschi, Willem Mouton and Jeremy du Bruyn.

Note on date: the report does not pin an exact publication date on the cover. The foreword references CyberCX’s 2026 DFIR Threat Report as having been released “In March 2026”, placing the Hack Report after that. The source_date here is the date the PDF was deposited to the Drive inbox (2026-05-12); the report itself is plausibly April–May 2026.

Note on retrieval: Drive PDF was machine-read in full via the Drive MCP. No anti-bot chain was needed. Reading required a chunked read because the extracted text exceeded the single-call output budget; full text was reconstructed offline.


Headline message

The Hack Report is the offensive-security companion to the CyberCX DFIR Threat Report — same parent firm, different lens. Where the Threat Report counts incidents that happened, the Hack Report counts the vulnerabilities CyberCX’s pen-testers found before they could. The headline empirical claim: across 7,500+ engagements, 1,400+ customers and 70,000+ findings over 2023–2025, the share of security assessments containing at least one severe finding has fallen from 33.5% (2023) → 32.7% (2024) → 29.0% (2025) — a ~2.25% average annual improvement Edelstein characterises as real but losing the race. “To get ahead, defenders need to get better, and at a faster rate than attackers do … at this rate of improvement, defenders are falling behind.”

Three structural takeaways dominate. One, root causes are concentrated: 97.5% of severe findings cluster in just four themes (Configuration & Patch Management 33.4%, IAM 32.1%, Application & Development Security 21.1%, Data Security & Privacy 10.9%). Two, AppSec is the only category trending up — from 16% of findings in 2024 to 21% in 2025 — as patch and IAM hygiene improves, the residual moves to design-and-code. Three, AI-specific testing is now a service line, and the early numbers are bad: 50% of AI penetration tests contained at least one severe finding, almost double the 26% rate for web-application pen-tests. The foreword’s framing: “the widespread race to adopt and benefit from AI is seeing security considerations often overlooked and new risks introduced.”

The report carries the same explicit production-disclosure as its DFIR sibling: “0% of this whitepaper was created by generative AI.”

Key takeouts

  • Severe-finding rate trending down but slowly. 29.0% of assessments had a severe finding in 2025 (vs 32.7% in 2024 and 33.5% in 2023); 7.3% had at least one critical finding (vs 8.9% / 9.7%); 28.4% had only low/informational findings (vs 25.1% / 26.0%). The improvement is real, but the trajectory is not enough to outrun attacker capability uplift.
  • Four root causes drive 97.5% of severe findings. Configuration & Patch Management (33.4%), IAM (32.1%), AppSec (21.1%), Data Security & Privacy (10.9%). AppSec is the only one trending up year-on-year; the others trend slightly down.
  • AI systems fail testing at twice the rate of web apps. 50% of AI pen-tests found a severe vulnerability vs 26% for WAPT. Vulnerability classes observed: in-model IAM / excessive agency, weak or missing guardrails, prompt injection, lack of content filtering, system-prompt exposure, implicit bias, and insecure adoption of new standards like the Model Context Protocol (MCP): “data can flow bi-directionally between servers and clients, meaning that traditional security controls implemented on the server side of an application must now be implemented on the client side too. This is creating a rise in authentication-related issues with MCP implementations.”
  • The “soft chewy centre” persists. Active Directory assessments returned a severe finding 78% of the time; internal network pen-tests 71%. External network pen-tests improved sharply (22.3% in 2025, down from 28.5% / 28.3%). Defenders are hardening the perimeter; once an attacker is inside, the picture is unchanged.
  • Social engineering wins 77% of the time — third-most-successful service after Active Directory and DDoS testing. CyberCX explicitly flags AI-powered social engineering (voice/video deepfakes) as a force multiplier; a case study has CyberCX deepfaking a CEO’s voice against a service desk, with the service desk holding the line because the organisation had recently hardened identity-verification procedures. “Most other organisations have not undertaken similar reviews of their processes and are unlikely to be as resilient against these types of attacks.”
  • Adversary simulation (red/purple team) engagements doubled 2024 → 2025, reflecting customer demand for detect-and-respond assurance rather than vulnerability inventories. Observed defensive improvements: password-spray decline, application control, conditional access maturation, bulk-phishing reduction, PAM/PIM uptake, identity anomaly detection. Persistent attack-success areas: edge device misconfig, voice-based social engineering (Scattered Spider influence), spear phishing, web zero-days, insecure credential storage, weak service-account management, limited C2/exfil detection, and supply-chain / SaaS weaknesses.
  • Government slightly outperforms non-government on data security and privacy (9.4% less likely to have severe findings in that category) but is more likely to have AppSec findings, reflecting that ISM AppSec uplift is forward-looking rather than retrospective. Overall severe-finding rates are near-identical between sectors (28.3% vs 28.8%).
  • Enterprise vs SMB inverts in places. Large enterprises have more AppSec findings overall but fewer severe AppSec findings (more apps, but more mature SDLC); SMBs have fewer applications but build them to lower security maturity, so severe AppSec findings cluster there. IAM is uniformly worse in SMBs.
  • “Vibe-coding to production” is happening. “CyberCX has conducted architecture reviews and penetration tests for a significant number of systems that were built primarily by AI. Often this is by organisations that have done no internal development prior.” Pen-testing requests for source-code-management (SCM) and CI/CD platforms more than doubled in 2025; many running default config.

Wider context

The Hack Report sits inside the same regulatory and threat environment captured elsewhere in this KB and provides controls-side empirical backing to claims the regulator letters and the sibling DFIR report can only assert.

  • The APRA “preventative > policy” critique now has STA data, not just DFIR data, behind it. APRA’s 30 April 2026 letter argued regulated entities rely too heavily on policy and detective controls vs preventative technical controls ([[2026-05-08-apra-ai-governance]]). The Hack Report’s INPT/ADA numbers — Active Directory severe-finding rate of 78%, INPT of 71%, plus the persistent “soft chewy centre” framing year-on-year — are exactly the operational picture APRA’s critique describes.
  • The Mozilla “defenders finally have a chance to win” thesis is being tested in CyberCX’s own AI service line, and not winning yet. Bobby Holley’s Firefox 150 post in [[2026-04-21-firefox-mythos-zero-days]] argued frontier AI now matches elite human researchers and rebalances offence/defence toward defenders. CyberCX’s own AppSec section confirms AI is “being used to streamline AppSec processes” (AI-supported threat modelling, AI-driven exploit PoC generation, AI-driven test-case generation) — but the same report records AI systems themselves failing security testing at twice the rate of web apps. The defender uplift is real, but the defender liability surface is growing faster.
  • MCP security is now a named risk class. This KB already has a dossier on Claude MCPs ([[claude-mcps]]) framed around capability and adoption. The Hack Report introduces MCP from the attack side: “new standards like Model Context Protocol (MCP) are being adopted, but are not yet secure, enterprise-ready implementations”, with authentication-related issues rising on the client side because of bidirectional data flow. For anyone building or deploying MCPs in regulated environments, the Hack Report’s framing is the first explicit treatment in this KB.
  • As with its sibling, the Hack Report is silent on AU regulators. APRA, ASIC, OAIC, CPS 230, FAR, the Privacy Act — none appear. SOCI gets a single mention in the utilities-and-resources commentary. The Essential Eight is cited in the methodology framework list (along with NIST CSF, PCI DSS, ISO 27001, MITRE ATT&CK, AESCSF, OWASP Top 10). For an AU/NZ board audience in 2026 this is again a striking omission — and it is consistent across CyberCX’s two 2026 reports.

Section-by-section breakdown

1. Foreword (Jason Edelstein)

Sets the offensive-security frame. “CyberCX’s Security Testing and Assurance (STA) practice comprises one of the largest private sector teams of penetration testers, red teamers and offensive cyber security experts anywhere in the world.” Three-year dataset, “a globally unique vantage point from which to view and understand the state of vulnerabilities in organisations across the economy.” The strategic claim: collective security posture is improving, but slowly, and the four-theme concentration of severe findings “helps narrow down where defenders should focus their efforts.” Edelstein flags the AI-system finding rate as the signal that the adoption-vs-control gap is the most live risk in the dataset.

2. Methodology and data

  • Scope. 2023–2025, 7,500+ engagements, 1,400+ customers, 70,000+ findings. Drawn from CyberCX’s reporting system; templated findings allow per-finding tracking.
  • Risk-rating compression. “Severe” = critical + high (consequences could be severe); “non-severe” = medium + low + informational. Average 3–4 critical/high vulnerabilities per engagement.
  • Categorisation framework. Seven top-level themes derived from NIST CSF, PCI DSS, ISO 27001, MITRE ATT&CK, Essential Eight, AESCSF, OWASP Top 10: IAM; Data Security & Privacy; Configuration & Patch Management; Application & Development Security; Operational Security & Incident Response; User Awareness & Training; Environment & Deployment Security.
  • Year-on-year processing change. This year’s processing allowed service-level granularity (e.g. WAPT + ENPT in a combined engagement now split for analysis); historic data was re-processed for consistency, so side-by-side comparisons with the previous Hack Report can show inconsistencies.

| Metric | 2023 | 2024 | 2025 |
|---|---|---|---|
| Assessments with ≥1 critical finding | 9.7% | 8.9% | 7.3% |
| Assessments with ≥1 severe finding | 33.5% | 32.7% | 29.0% |
| Assessments with only low/info findings | 26.0% | 25.1% | 28.4% |

Average improvement ~2.25%/yr. Edelstein’s qualifier: “the rate at which threat actors increase their capability and impact is difficult to quantify, but no reasonable estimate would put this in the ‘low single-figure percentage’ range. At this rate of improvement, defenders are falling behind.”

4. Root-cause concentration

97.5% of severe findings fall into four themes:

| Theme | Share of severe findings |
|---|---|
| Configuration & Patch Management | 33.4% |
| Identity & Access Management | 32.1% |
| Application & Development Security | 21.1% |
| Data Security & Privacy | 10.9% |

Year-on-year, three of the four trend slightly down. AppSec is the only theme trending up (14.4% → 14.2% → 21.1% over 2023–2025). CyberCX’s explanation: patch and IAM gains can be unlocked by tooling and process, but AppSec issues are inherited from the past — improving how you build today does not retroactively fix legacy code.

5. Industry segment analysis

| Industry | Severe-finding rate (2025) |
|---|---|
| Manufacturing & Construction | 37.5% |
| Healthcare | 36.8% |
| Logistics & Transport | 35.1% |
| Agriculture, Forestry & Fishing | 34.8% |
| Communications, Media & Technology | 34.0% |
| Education | 33.3% |
| Professional & Technical Services | 29.9% |
| Utilities & Resources | 29.7% |
| Retail & Entertainment | 28.4% |
| State & Local Government | 27.6% |
| Property & Property/Rental | 25.8% |
| Federal Government | 24.0% |
| Financial Services & Insurance | 22.0% |
| Industry baseline | 29.0% |

The bookends matter. Operational-technology / heavy-machinery industries top the chart (legacy systems, long operational lifetimes, lower OT cyber maturity). Utilities & Resources buck the OT trend — CyberCX attributes this to SOCI Act regulation and resource-sector maturity. The most striking pairing: Financial Services & Insurance had the second-lowest severe-finding rate in the Hack Report but was the most-impacted sector in the DFIR Threat Report (18% of incidents, see [[2026-05-12-cybercx-2026-threat-report]]). CyberCX’s reading: “financially motivated threat actors select targets not just by the prevalence of vulnerabilities, but on their ability to monetise attacks. Financial services are an attractive target simply because that is where the money is.”

The heatmap of severe-finding distribution across the four root causes shows industry-specific patterns: Communications/Media/Tech and Professional Services skew toward IAM; Manufacturing/Construction skews toward AppSec; State & Local Government skews toward IAM; Federal Government skews toward Data Security & Privacy. The take-home: there is no one-size-fits-all priority list.

6. Government vs non-government, enterprise vs SMB

  • Government overall severe-finding rate 28.3% vs non-government 28.8% — statistically indistinguishable. But composition differs: government 9.4% less likely to have data-security-and-privacy severe findings (stronger control frameworks); government more likely to have AppSec findings (ISM AppSec uplift is recent and forward-looking).
  • Enterprise vs SMB inverts. Larger enterprises have more AppSec findings overall (more apps, more complex environments) but fewer severe AppSec findings (more mature SDLC). SMBs have fewer apps but build them at lower maturity, so severe AppSec findings cluster there. IAM is worse in SMBs uniformly.

7. Penetration-testing service analysis

Severe-finding rates by service type (top of table):

| Service | Severe-finding rate |
|---|---|
| Active Directory Assessment | 78% |
| Social Engineering Assessment | 77% |
| DDoS Assessment | 75% |
| Internal Network Pen-Test | 71% |
| Thick Client Pen-Test | 58% |
| Physical Pen-Test | 51% |
| AI Penetration Test | 50% |
| Bespoke Consulting | 50% |
| Network Segmentation Review | 47% |
| Endpoint Resilience Assessment | 37% |
| Hardware / Embedded / IoT | 37% |
| Restricted-Environment Breakout | 37% |
| Secure Config – AWS | 33% |
| Secure Config – Microsoft 365 | 27% |
| External Network Pen-Test | 26% |
| Secure Architecture Assessment | 26% |
| Web Application / Web Service Pen-Test | 26% |
| Wireless Pen-Test | 23% |
| Enterprise App Platform Assessment | 19% |
| Internal Network Vulnerability Assessment | 18% |
| Secure Config – Kubernetes | 17% |
| Mobile Application Pen-Test | 16% |
| Secure Config – Azure | 14% |

Top three services by volume are WAPT, ENPT and INPT, making up roughly three-quarters of CyberCX’s STA delivery (over 2,000 engagements annually).

  • WAPT (24.3% severe rate in 2025, down from 27.5% in 2023). Top severe finding category: “insecure web application and API design and mismanagement” at 58.8% of WAPT severe findings (up from 45.9% in 2023). Top four WAPT severe-vuln categories: broken access control (26.0% in 2025), injection (18.9%), insecure file uploads (8.4%), inadequate MFA (6.9%). Within injection: XSS dominates at 55.8% (vs SQLi 30.8%, command/OS 8.7%, other 4.8%). CyberCX agrees with OWASP that broken access control is the top issue but disagrees with OWASP’s 2025 demotion of injection from #3 to #5 — still #2 in their data.
  • ENPT (22.3% severe rate in 2025, down from 28.3%/28.5%). Most common finding categories (DNS/domain config 30.6%, weak/outdated crypto 13.0%) are almost never severe (combined <1% of severe findings). Top severe-vuln categories in ENPT: weak authentication 27.1%, exposed services without access controls 18.1%, insecure web app/API design 16.6%. Low-maturity flagged: internal services exposed to the internet, public management interfaces, MFA absence, unpatched software, unhardened WordPress.
  • INPT (66.4% severe rate in 2025, down from 74.0% / 72.4%). Top three INPT severe findings in 2025: unencrypted sensitive data (#3 in 2024), insecure name resolution (#1 in 2024), misconfigured Active Directory Certificate Services (AD CS) (#2 in 2024). CyberCX observes that while all three can trivially escalate privileges, attackers in the wild prefer credential theft over name-resolution/AD-CS exploits because the latter are noisier — “in a future world where AI-enabled attackers can exploit vulnerabilities and achieve their objectives faster than defenders can stop them, the risk calculus used by attackers may change, and previously high-impact but easy to detect attack types may come into play.”

8. Hacking AI systems (Dimitri Vedeneev section)

The most consequential section for this KB. “The adoption of AI-enabled applications and products has moved at breakneck speed across almost all organisations. In the past two years, conversations with customers about security testing AI systems have moved from a handful in a year to a daily occurrence.”

Headline number: 50% of AI pen-tests find at least one severe finding — double the 26% WAPT rate. Cause framed as a process gap: traditional security patterns (threat modelling at design, pen-test before deployment) “are often not fit for the pace and urgency of AI development, meaning AI systems are deployed to production at a lower level of security maturity than other systems.”

Most common AI vulnerability classes:

  • In-model IAM / excessive agency: “‘who is this action being performed for’ and ‘what are they allowed to access’ were part of the model context and could be overwritten with the right prompts.” Combined with no least-privilege scoping of model permissions, this lets prompted models perform actions on backend systems they shouldn’t have access to.
  • Weak, missing or in-model guardrails: “AI systems can be exploited to provide commercial or sensitive information or perform privileged actions.” Guardrails are “extremely difficult to get ‘right’.”
  • Prompt injection: “the LLM interprets malicious user input as an authoritative command,” leading to privilege escalation, exfiltration, data poisoning.
  • Lack of content filtering — general-purpose models used for specialised tasks manipulated into profanity, hate speech, racism (reputational risk).
  • System-prompt exposure — the hidden persona/constraint prompt elicited by clever prompting, revealing the logic behind AI-enabled functionality.
  • Implicit model bias — gender/race/age/disability bias from training data plus confirmation bias.
  • Fast adoption of new standards, insecurely — Model Context Protocol (MCP): “new standards like Model Context Protocol (MCP) are being adopted, but are not yet secure, enterprise-ready implementations. In some instances, data can flow bi-directionally between servers and clients, meaning that traditional security controls implemented on the server side of an application must now be implemented on the client side too. This is creating a rise in authentication-related issues with MCP implementations.”
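
The in-model IAM / excessive agency class above, as an added example that is not code from the CyberCX report: a tool dispatcher that reads "who" and "what is allowed" from the model context, beside one that takes identity from the authenticated session and checks a server-side least-privilege policy. Every name here (Session, TOOL_POLICY, the tools, the accounts and the tampered context) is hypothetical, constructed sample data.

```python
"""Added illustration (not from the CyberCX report): tool-call authorization
held in the model context versus bound to the authenticated session.
All names, roles and records below are hypothetical, constructed sample data."""
from dataclasses import dataclass

ACCOUNTS = {"alice": {"balance": 120}, "bob": {"balance": 9800}}  # constructed

# Least-privilege scoping: the tools each role may invoke at all.
TOOL_POLICY = {
    "customer": {"get_balance"},
    "support": {"get_balance", "reset_password"},
}


class Denied(Exception):
    """Raised when a tool call fails an authorization check."""


@dataclass(frozen=True)
class Session:
    """Identity set by the application's authentication layer.
    The model never reads it from, or writes it to, its own context."""
    user: str
    role: str


def get_balance(owner: str) -> int:
    return ACCOUNTS[owner]["balance"]


def reset_password(owner: str) -> str:
    return f"reset link issued for {owner}"


TOOLS = {"get_balance": get_balance, "reset_password": reset_password}


def dispatch_in_model(context: dict, tool_call: dict):
    """Weak pattern: identity and permissions are fields of the model context,
    so whatever can rewrite the context also rewrites the authorization."""
    if tool_call["name"] not in context["allowed_tools"]:
        raise Denied("tool not in context allow-list")
    owner = tool_call["args"].get("owner", context["acting_user"])
    return TOOLS[tool_call["name"]](owner)


def dispatch_bound(session: Session, tool_call: dict):
    """Hardened pattern: the model only proposes a call. Who it is for and
    what is permitted come from the session and a server-side policy."""
    name = tool_call["name"]
    if name not in TOOLS:
        raise Denied("unknown tool")
    if name not in TOOL_POLICY.get(session.role, set()):
        raise Denied(f"role {session.role!r} may not call {name}")
    owner = tool_call["args"].get("owner", session.user)
    # Customers act only on their own records; support may act on any.
    if session.role == "customer" and owner != session.user:
        raise Denied("cross-account access")
    return TOOLS[name](owner)


def run_demo() -> dict:
    """Replay the same model-proposed calls through both dispatchers."""
    session = Session(user="alice", role="customer")
    # Constructed: context state after untrusted input overwrote its fields.
    tampered_context = {
        "acting_user": "bob",
        "allowed_tools": ["get_balance", "reset_password"],
    }
    calls = [
        {"name": "get_balance", "args": {}},
        {"name": "get_balance", "args": {"owner": "bob"}},
        {"name": "reset_password", "args": {"owner": "bob"}},
    ]
    results = {"in_model": [], "bound": []}
    for call in calls:
        results["in_model"].append(dispatch_in_model(tampered_context, call))
        try:
            results["bound"].append(dispatch_bound(session, call))
        except Denied as exc:
            results["bound"].append(f"DENIED: {exc}")
    return results


if __name__ == "__main__":
    for mode, outcome in run_demo().items():
        print(mode, outcome)
```

With the session-bound dispatcher, a rewritten context changes only what the model proposes; the authorization decision is made from data the model cannot write.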

Red/purple team engagements doubled 2024 → 2025, attributed to customer recognition that pen-tests measure vulnerability presence but not detection-and-response capability.

Defensive improvements observed. External/initial access: reduced password-spray success (smart lockout + MFA + identity consolidation); maturation of Conditional Access; decline in bulk-phishing effectiveness (preventative controls + user awareness). Internal/post-exploitation: better application control; PAM/PIM uptake with JIT and MFA on privileged actions; better network segmentation; identity anomaly detection on human identities.

Persistent attack-success areas. External: edge-device misconfig in large estates (can bypass MFA, degrade detection because traffic looks internal); web zero-days, particularly into cloud; voice-based social engineering (vishing) — explicitly attributed to Scattered Spider influence; spear phishing still effective even as bulk phishing declines. Internal: insecure credential storage in file shares, SharePoint, code repos, Jenkins, Artifactory; internal-service misconfig (especially AD); weak service-account hygiene; insufficient supply-chain / SaaS assurance — “multiple engagements identified exploitable vulnerabilities in external platforms, enabling unauthorised access to sensitive data and, in some cases, the ability to pivot into internal environments”; limited detection of data exfiltration and C2.

10. Application security insights (Raafey Khan section)

Three sub-themes:

  • Scaling AppSec. Integrated operating models — AppSec embedded inside engineering teams under “developer experience” / “engineering excellence” rubrics. AppSec tooling maturity: most orgs have automated security testing in dev workflows but few have enough tooling trust to break builds due to false-positive rates; CyberCX work has shifted to noise-reduction and fix workflows. Threat modelling remains aspirational; “architecture reviews” rising as a partial substitute. Secure-by-default — reference architectures and patterns as code. Developer workstation hardening (reducing full-admin reliance, sandboxed dev environments). Moving beyond SCA toward secure-by-default base images.
  • Securing the software supply chain. SCM/CI-CD testing requests more than doubled in 2025. Many orgs run default config with little hardening; these gaps are exploited in CyberCX’s adversary simulations to harvest credentials and pivot. “Nearly every major supply-chain incident in the last 12 months involved stolen credentials from a developer or CI/CD system.” Case study: GitHub-focused pen-test where a non-admin developer could manipulate Actions to extract secrets from the enterprise key vault and push unauthorised production changes.
  • Secure AI-enabled development. AI is itself being used to streamline AppSec: AI-supported threat modelling mapped to internal control frameworks; AI generating PoC exploits for AppSec tooling findings; AI-driven documentation and test-case generation for technical-debt reduction. “Are organisations vibe-coding to production? Yes. CyberCX has conducted architecture reviews and penetration tests for a significant number of systems that were built primarily by AI. Often this is by organisations that have done no internal development prior.”

11. “From insights to action” recommendations

CyberCX’s six closing recommendations:

  1. Severe-finding rates are improving too slowly — start with root-cause concentration in the four themes.
  2. No one-size-fits-all — industry, government/non-government, and enterprise/SMB distributions all differ.
  3. AI introduces new risk if not adopted securely — develop AI governance that walks the line between security and transformation velocity; “learn lessons from the AppSec discipline.”
  4. AppSec is the rising root cause — secure the SDLC, demand third-party suppliers verifiably demonstrate secure-by-design and contractually meet baseline criteria.
  5. Social engineering remains a weak point; AI is turbocharging it via deepfakes — harden processes and controls against AI-driven attacks, not just user-awareness training.
  6. Adversary simulation provides unique insight that pen-tests cannot — detect-and-respond assurance is the live gap; configuration drift in code repos and DevOps tooling is the live underbelly.

How this relates to the CyberCX DFIR 2026 Threat Report

The two reports are designed as mirror images — same parent, same data-collection window (calendar 2025 with three-year context in the Hack Report), same AU/NZ orientation, different lens.

Where they reinforce each other:

  • Healthcare is hard on both sides. DFIR has Healthcare at #2 most-impacted (12% of incidents, down from 17% in 2024); Hack Report has Healthcare at #2 highest severe-finding rate (36.8%). The incident exposure and the controls exposure are aligned.
  • Education is hard on both sides. DFIR has Education as #1 espionage target outside government and #3 overall; Hack Report has Education in the top six severe-finding sectors (33.3%). Both point to the “research environments + BYOD + low segmentation” pattern.
  • MFA is no longer sufficient. DFIR: “every BEC incident where traditional MFA was enforced involved session hijacking”. Hack Report: “inadequate MFA” is the #4 severe WAPT finding; “MFA not used” is one of the strongest low-maturity correlates in ENPT. The Hack Report adds the empirical baseline behind the DFIR story.
  • Active Directory remains a structural pivot. DFIR records ShadowPad-style espionage operating through AD-adjacent infrastructure; Hack Report records ADA returning a severe finding 78% of the time, the single highest service-level rate. CyberCX’s recommendation across both reports is consistent: AD-tier-model adoption and AD CS hygiene.
  • Supply chain matters in both directions. DFIR records Shai-Hulud (npm worm) and DarkEngine (WordPress credential phishing) as 2025 systemic events; Hack Report records SCM/CI-CD testing requests doubling and supply-chain weakness as a persistent red-team success area.
  • The “0% generative AI used” production disclosure is repeated. Both reports carry this disclaimer — a deliberate brand position.

Where they diverge or complement:

  • Financial Services & Insurance. DFIR: most-impacted sector (18%). Hack Report: second-lowest severe-finding rate (22.0%). CyberCX’s reading is the most pointed line in the Hack Report: “a reminder that financially motivated threat actors select targets not just by the prevalence of vulnerabilities, but on their ability to monetise attacks. Financial services are an attractive target simply because that is where the money is.” Controls maturity ≠ incident frequency. This is the most useful single fact in this synthesis pair for AU regulator framing.
  • AI: incident-side vs controls-side. DFIR has the first operational observation of offensive GenAI (one threat actor writing scripts with emoji and tutorial comments, target failed) and the first AI data spills as a DFIR engagement class. Hack Report has the first controls-side observation: AI systems fail security testing at 50% — twice the web-app rate — and adds a full taxonomy of AI vulnerability classes the DFIR report does not enumerate (in-model IAM, excessive agency, guardrails, prompt injection, content filtering, system-prompt exposure, bias, MCP authentication). The Hack Report is the more useful artefact for an AppSec or Secure-AI engineering team.
  • MCP is named on the controls side only. DFIR is silent on MCP; Hack Report explicitly identifies “a rise in authentication-related issues with MCP implementations” due to bidirectional data flow making client-side controls a new requirement. This is the first treatment of MCP-as-attack-surface in this KB.
  • Vibe-coding. DFIR doesn’t engage it; Hack Report does — “CyberCX has conducted architecture reviews and penetration tests for a significant number of systems that were built primarily by AI. Often this is by organisations that have done no internal development prior.” This is the operational mirror of APRA’s “use of enterprise AI tools outside approved control frameworks” critique applied to development, not consumption.
  • Adversary simulation. Hack Report owns the red-team lens entirely; DFIR doesn’t engage it. The doubling of red-team engagements in 2025 is consistent with APRA’s expectation of continuous, integrated assurance approaches ([[2026-05-08-apra-ai-governance]]).
  • Same silence on AU regulators. Neither report engages APRA, ASIC, OAIC, CPS 230, FAR, the Privacy Act. SOCI gets one sentence in the Hack Report (utilities/resources commentary). The Essential Eight is in the methodology framework basket. This is a consistent CyberCX editorial choice across both 2026 reports.

Action implications / open questions

  • For AU regulated boards. Two CyberCX datasets now point at the same answer: controls policy without controls evidence is the wrong answer to APRA’s question. The Hack Report adds: even the controls evidence has to be tested as deployed (ADA at 78%, INPT at 66%, AI pen-tests at 50%), not assumed from architecture.
  • For Financial Services specifically. Hack Report says Financial Services tests best (22.0% severe finding rate); DFIR says Financial Services is hit hardest (18% of incidents). APRA’s CPS 230 + AI letter and ASIC’s 8 May 2026 cyber letter ([[2026-05-08-apra-ai-governance]]) are predicated on the target value, not the controls maturity — which the Hack Report’s pairing makes empirically explicit for the first time in this KB.
  • For anyone deploying MCPs in regulated environments. This is the first KB source flagging MCP-specific authentication risk. Client-side authentication controls become a new requirement; the existing [[claude-mcps]] dossier needs a security-considerations section seeded from this report.
  • For Secure-AI / AppSec leaders. Half of AI pen-tests find severe issues. The recommendation is explicit: “learn lessons from the AppSec discipline” — embed AI security into the engineering workflow with low-friction tools, secure-by-default patterns delivered as code, and least-privilege scoping of model agency. The “vibe-coding to production” pattern (orgs with no prior development experience shipping AI-built systems) is the urgent variant — these orgs typically lack the AppSec primitives the Hack Report’s recommendations assume.
  • For security strategy budgeting. Four themes drive 97.5% of severe findings, but the distribution across those four themes varies sharply by industry, sector and size. The Hack Report makes a strong implicit case for industry-specific control prioritisation rather than imported one-size-fits-all frameworks.
  • Open question — defensive AI uptake. Like the DFIR report, the Hack Report does not name Anthropic’s Mythos, Mozilla’s Firefox 150 result, or any frontier-AI vulnerability-discovery deployment. It cites AI-supported threat modelling and AI-generated exploit PoCs as emerging AppSec practice. Whether CyberCX positions frontier-AI defensive analysis as keystone in next year’s report is the bellwether (cf. [[2026-04-21-firefox-mythos-zero-days]]).
  • Open question — Why STA is silent on AU regulators while the regulator narrative is most active. This is now a consistent CyberCX editorial choice across both 2026 reports. Possible explanations: scope discipline (operational, not compliance); regulator-relations sensitivity; or the audience the reports are aimed at sits closer to security leaders than to the General Counsel / Risk / Audit committees who consume the MinterEllison-style coverage.
  • Open question — Why “vibe-coded” systems are not yet a stated regulator-driven risk class. APRA’s “use of enterprise AI tools outside approved control frameworks” gap is about consumption. The Hack Report finds an arguably more dangerous mirror: production deployment of AI-built systems by orgs with no engineering function. The next regulator letter that names this pattern explicitly will be a useful trigger to refactor [[ai-governance-au]].