Field Notes

Field Notes

Short, occasional updates — posted roughly every two weeks.

Notes on what we're seeing, shipping, or changing our minds about. No press releases, no filler.

July 6, 2026

Most SMBs already have security tools. Most still get breached anyway.

Recent industry data makes an uncomfortable point: SMBs mostly aren't failing on awareness or budget anymore — they're failing on process. CrowdStrike's 2025 Global Threat Report found 93% of SMBs say they're aware of cyber risk and 83% claim to have a plan, yet only 36% are actually investing in new tools and just 11% have adopted AI-powered defenses. For businesses under 50 employees, only 47% have any security plan at all. The sharper number: 92% of breached SMBs already had security tools in place when the attack happened (Proton AG SMB Cybersecurity Report, 2026). A tool without a process to patch it, review its output, and act on what it finds isn't protection — it's a false sense of coverage. Sophos's 2025 State of Ransomware report backs this up from a different angle: exploited, known, patchable vulnerabilities have been the #1 root cause of ransomware for three years running, with a median remediation time of 32 days. The fix usually already existed. It just wasn't applied on a defined schedule. This is the part of security that doesn't show up in a vendor pitch: who owns patch cadence, how vendor risk gets reviewed, what gets checked and how often. It's less exciting than a new detection platform, and it's the difference that actually matters.

July 6, 2026

The first ransomware attack with no human in the loop

Cloud security firm Sysdig documented what it calls the first fully agentic ransomware operation, dubbed JADEPUFFER. An autonomous AI agent — not a human operator — ran the entire attack chain against a production database: initial access through a known Langflow vulnerability (CVE-2025-3248), credential theft, lateral movement, privilege escalation, and a destructive extortion payload. What stood out wasn't just that it worked — the agent adapted mid-attack, recovering from a failed login and finding a working path through in under a minute. The practical takeaway hasn't changed: patch known CVEs promptly, don't expose management tools like Langflow to the internet without hardening, and assume automated reconnaissance is now cheap and constant. What has changed is how little time there is to notice before it's over.