Top Cybersecurity News Stories From May 2026

May’s cybersecurity headlines made it clear that organizations are struggling to keep up with the speed and scale of modern threats.

AI is helping attackers find vulnerabilities faster than ever before. Ransomware attacks keep disrupting critical services. And governments are pushing for stronger oversight as technology environments grow more complex and more connected.

Every major story this month shared a common theme of resilience. Security teams are under intense pressure. They need to limit how far attacks spread once they get inside a network. They also need to maintain visibility across large, complicated environments.

This month’s news features insights from top security experts on these key topics:

  • Microsoft’s new AI security tool and what machine-speed attacks mean for defenders
  • A ransomware attack on Canvas and why limiting damage matters
  • New federal rules pushing agencies toward centralized IT oversight

Microsoft’s MDASH raises the stakes in the AI cyber arms race

Forbes contributor Tim Keary recently wrote about how Microsoft is heating up competition in AI-powered cybersecurity. His article, “Microsoft MDASH Beats a Key Mythos Benchmark. Here's Why That Matters,” explains why every defender should pay attention.

Microsoft unveiled MDASH, short for Microsoft Security Multi-Modal Agentic Scanning Harness, just weeks after Anthropic’s Claude Mythos announcement shook up the cybersecurity world.  

While Mythos got a lot of attention, the data says that MDASH may be performing better.

CyberGym, which tests how well AI can find real software vulnerabilities in open-source projects, scored MDASH at 88.4%. Anthropic’s Claude Mythos Preview scored 83.1%.  

So what makes MDASH different?

Most AI security tools, including Mythos, use one model. MDASH uses more than 100 specialized AI agents that work as a team. Some agents hunt for flaws. Others check whether those flaws are real or false alarms. The agents even debate each other before sharing a result.

Microsoft tested MDASH on Windows. It found 16 unknown vulnerabilities. Four were critical flaws that could let attackers take remote control. Microsoft has since patched all of them.

Taesoo Kim, Microsoft’s vice president of security research, told Keary that teams are already adding MDASH to their security workflows.  

But the bigger story is what this race reveals about where security is heading.

AI can now find vulnerabilities faster than ever. That shrinks the window between discovery and exploitation. Attackers using AI can find and weaponize a flaw before defenders even know it exists.

Illumio CEO and founder Andrew Rubin told Forbes this is “the start of a true arms race, both between attackers and defenders.” He warned that attacks are moving to machine speed. That changes the threat landscape for every organization.

Rubin also said that when attackers move this fast, organizations can’t patch or detect their way out of danger. The math no longer works in the defender’s favor.

Tools like MDASH and Mythos show how fast AI is changing both offense and defense. But speed alone isn’t enough.

As attacks get faster, organizations need clear visibility across their environments. They also need containment strategies that stop threats from spreading once an attacker gets in.

Finding a vulnerability is one thing. Stopping an attacker from moving across your entire network after they exploit it is something else entirely.

Canvas ransomware attack shows why breach containment matters in education

Inc. reporter Chloe Aiello recently looked at the fallout from a major ransomware attack on Canvas, a widely used educational platform. Her article, “Canvas Just Resolved a Major Hack. Here's How Your Company Can Avoid the Same Fate,” breaks down what happened and what other organizations can learn from it.

Canvas parent company Instructure confirmed it reached an agreement with the cybercriminal group ShinyHunters. The attackers threatened to leak data tied to as many as 275 million users across nearly 9,000 schools. The attack landed during finals season, leaving schools scrambling to communicate with students and deliver coursework at one of the worst possible times of year.

The attackers claimed to have stolen more than 3.65 terabytes of data. That included student records, email addresses, student IDs, and private messages between students and faculty.  

Instructure said it recovered its data and received confirmation that the attackers destroyed their copies. But the company acknowledged there’s never complete certainty when dealing with cybercriminals.

The incident highlights the impossible position ransomware victims find themselves in once attackers get inside. Pay up, and you signal to other criminals that your organization is worth targeting. Don’t pay, and you risk losing critical data for good.

Illumio Public Sector CTO Gary Barlet explained why security professionals strongly advise against paying.  

Paying tells other threat actors that your organization will hand over money if they can steal your data. Once that reputation takes hold, it tends to invite more attacks. Barlet also warned that the same attackers may come back with new demands if they think you'll pay again.

At the same time, he was clear-eyed about the reality many organizations face during a major breach. Restoring systems from backups doesn’t solve the problem when large amounts of data have already been stolen.  

Getting systems back online is one challenge. Dealing with sensitive data in criminal hands is a completely different one. Recovery planning alone isn’t enough.

But the deeper lesson here goes beyond whether to pay. Organizations need to assume attackers will eventually find a way in. The real question is what happens next.  

If an attacker can move freely across your network after breaking in, one breach can spiral into a full organizational crisis. If their movement is restricted, that same breach might stay contained to one small part of your environment.

As Barlet put it, organizations should be asking whether their environments were built to limit the blast radius when an attacker gets in. That’s where network segmentation becomes critical.  

Isolating high-value assets and segmenting your network determines whether a breach becomes a manageable disruption or a runaway crisis. That difference often comes down to decisions made long before an attack ever happens.

The Canvas attack is another reminder that ransomware defense is about containing damage fast enough to protect your operations, your users, and your reputation before a breach spreads too far to control.

M-26-10: federal procurement overhaul pushes agencies toward centralized cybersecurity oversight

In his GovCIO Media & Research article, “OMB Memo Forces Agencies to Rethink Procurement Oversight,” Ross Gianfortune recently looked at how a new White House directive is changing the way federal agencies buy and manage technology.

The Office of Management and Budget’s new M-26-10 memo requires chief information officers to review and approve IT contracts across major federal agencies. The directive has three core goals:  

  • Cut duplicate software purchases
  • Improve pricing transparency
  • Strengthen oversight of how government technology dollars are spent

The memo reflects growing frustration with fragmented procurement.  

Some agencies were paying very different prices for the exact same software. Others had almost no visibility into what tools their own departments had already bought. In some cases, different offices within the same agency were purchasing the same products without knowing another team had already solved the same problem.

Illumio Federal CTO Gary Barlet said the memo puts a formal structure around a challenge many federal CIOs have been quietly dealing with for years.  

He knows it firsthand. Reflecting on his time at the U.S. Postal Service Office of Inspector General, Barlet described an environment where almost anyone could buy whatever technology they wanted, however they wanted to buy it. There was very little coordination and even less visibility into what was already in place.

To fix that, Barlet centralized purchasing authority under the CIO organization. Consolidating software purchases saved money, reduced duplicate tools, simplified renewals, and made procurement more efficient and accountable.  

The M-26-10 memo is trying to drive that same shift across the entire federal government.

But moving fast on a change this big carries real risks.  

Former DHS CISO and acting CIO Hemant Baidwan warned that centralized approvals could quickly become a bottleneck if agencies don’t build efficient review processes alongside the new rules. Large federal organizations with decentralized operations may struggle to balance oversight with the need to keep mission work moving.

Barlet shared those concerns directly. He said this is one of the rare cases where the government may actually be moving too fast.  

Slow or overly restrictive approval processes can not only create friction but also push employees toward shadow IT, where people turn to unauthorized tools because the official process is too slow or complicated. That outcome would make security worse and undermine the very goals the memo is trying to reach.

The memo also raises broader cybersecurity questions beyond procurement efficiency.  

Centralizing visibility across agencies is valuable. But it also creates a detailed picture of government systems, vendor relationships, and technology dependencies that would be very attractive to attackers.  

As agencies consolidate oversight, they need to make sure those centralized environments are themselves secure. A single point of visibility can also become a single point of failure.

The bigger takeaway is that modernization is about gaining real visibility into complex environments, cutting unnecessary complexity, and building stronger governance around how technology decisions get made.  

The M-26-10 memo is a meaningful step in that direction. But how agencies put it into practice will determine whether it actually improves security or just adds a new layer of bureaucracy.
