Insights
Long-form analysis on frontier AI cyber risk.
Opinionated, source-cited pieces on the AI-era threat model — written for boards, CISOs, and risk leads making real decisions this quarter.
Insight · Issue 5 · 29 June 2026
NAB rebuilds SecOps as a data and software problem. Most of the market hasn't noticed yet.
NAB is re-staffing security with data engineers and developers and co-designing a new SIEM with Databricks. Why it's the right call, why the mid-market can't copy it, and the four moves a board should make this quarter.
Kelvin Zhou · ~5 min read
Read the piece →Insight · Issue 4 · 1 June 2026
The Zero Day Clock: a verification crisis, not a vulnerability crisis.
Median time-to-exploit has collapsed from 771 days to 4 hours. Why CrowdStrike's Five Steps arrive late, what the Zero Day Clock data actually says, and four moves an Australian board should make this quarter.
Kelvin Zhou · ~7 min read
Read the piece →Insight · Issue 3 · 22 May 2026
IT Assurance in the Agentic AI Era.
Why traditional IT assurance fails against agentic AI — eight control domains, a Big-4-style control matrix, the 2026 vendor landscape, and a 365-day plan for Australian boards.
Kelvin Zhou · ~14 min read
Read the piece →Insight · Issue 2 · 16 May 2026
Five days versus five years — Mythos, Apple's M5, and cyber's Manhattan moment.
Apple spent five years and a reported five billion dollars on Memory Integrity Enforcement. A nine-person team paired with Claude Mythos Preview walked through it in five working days. What it means for Australian patching, compensating controls, and AI-vendor risk.
Kelvin Zhou · ~12 min read
Read the piece →Insight · Issue 1 · 5 May 2026
ASD's frontier AI guidance, decoded for Australian boards.
ASD's 30 April 2026 update named Claude Mythos and GPT-5.5 as cyber inflection points, and APRA told banks they were behind. Eight steps every Australian board should run this quarter.
Kelvin Zhou · ~9 min read
Read the piece →