Insights

Long-form analysis on frontier AI cyber risk.

Opinionated, source-cited pieces on the AI-era threat model — written for boards, CISOs, and risk leads making real decisions this quarter.

Insight · Issue 5 · 29 June 2026

NAB rebuilds SecOps as a data and software problem. Most of the market hasn't noticed yet.

NAB is re-staffing security with data engineers and developers and co-designing a new SIEM with Databricks. Why it's the right call, why the mid-market can't copy it, and the four moves a board should make this quarter.

Kelvin Zhou · ~5 min read

Read the piece →

Insight · Issue 4 · 1 June 2026

The Zero Day Clock: a verification crisis, not a vulnerability crisis.

Median time-to-exploit has collapsed from 771 days to 4 hours. Why CrowdStrike's Five Steps arrive late, what the Zero Day Clock data actually says, and four moves an Australian board should make this quarter.

Kelvin Zhou · ~7 min read

Read the piece →

Insight · Issue 3 · 22 May 2026

IT Assurance in the Agentic AI Era.

Why traditional IT assurance fails against agentic AI — eight control domains, a Big-4-style control matrix, the 2026 vendor landscape, and a 365-day plan for Australian boards.

Kelvin Zhou · ~14 min read

Read the piece →

Insight · Issue 2 · 16 May 2026

Five days versus five years — Mythos, Apple's M5, and cyber's Manhattan moment.

Apple spent five years and a reported five billion dollars on Memory Integrity Enforcement. A nine-person team paired with Claude Mythos Preview walked through it in five working days. What it means for Australian patching, compensating controls, and AI-vendor risk.

Kelvin Zhou · ~12 min read

Read the piece →

Insight · Issue 1 · 5 May 2026

ASD's frontier AI guidance, decoded for Australian boards.

ASD's 30 April 2026 update named Claude Mythos and GPT-5.5 as cyber inflection points, and APRA told banks they were behind. Eight steps every Australian board should run this quarter.

Kelvin Zhou · ~9 min read

Read the piece →