Foxconn is on fire, an MSP-only VC just closed a fund, Anthropic is rationing Claude, and Sophos says identity is now the most expensive way to get owned. Let’s go.

🏭 Foxconn confirms ransomware hit on North American factories

Foxconn confirmed Tuesday that the Nitrogen ransomware crew breached its US operations, with the gang claiming roughly 8TB of data — over 11 million files allegedly including confidential Apple and Nvidia project documents, per The Register and Cybernews. Foxconn says production has been restored, but isn’t disputing the data theft itself.

Why it matters to your channel: stop reading this like it’s a Tier 1 manufacturer problem. Read it like a supply-chain problem. Nitrogen’s been hitting mid-market IT shops and contractor environments for over a year using malicious Google Ads for Advanced IP Scanner, AnyDesk, and Slack installers — the exact tools your techs Google at 11pm. If you run an MSP, you are closer to Nitrogen’s actual day-to-day target than Foxconn is. Two things to do this week: kill end-user software installs that aren’t packaged through your RMM, and add a “no downloading admin tools to client endpoints from search results” line to your AUP. Then turn this story into a QBR slide for every manufacturing and logistics customer you have — “the company that builds iPhones got hit, here’s what we’re doing for you” is a 15-minute conversation that justifies a year of security spend. Bonus angle: if you sell IR retainers, this is the week to send the reminder email. Manufacturing CFOs read TechCrunch headlines too.

💰 Top Down Ventures closes $28M fund aimed entirely at MSP software

Top Down Ventures — founded by former N-able execs and a handful of MSP operators — closed its Founders Fund I at $28M, oversubscribed past a $25M target, with 12 portfolio companies already funded since 2024. The thesis is narrow on purpose: early-stage, AI-native software built specifically for MSPs. Per the Carta data they cited, the fund is tracking top-decile for 2024 vintage venture funds on early DPI.

Why it matters: this is the second MSP-focused capital pool to land in two months (Slide raised $70M for BCDR in March). When ex-N-able people raise an oversubscribed fund explicitly for AI-native MSP tooling, two things happen next. One, expect a wave of tiny vendors knocking on your door in Q3 and Q4 with “co-pilot for [PSA workflow]” pitches — most will be junk, a few will be real, all will offer aggressive early-partner terms because that’s the only way they get logos. Two, your incumbent stack vendors (ConnectWise, Kaseya, NinjaOne, Syncro) now have visible competitive pressure on the AI-feature roadmap, which means the “we’re adding AI automation in the next release” line you’ve been getting on QBRs has to start showing up as actual shipped product. Make them prove it before your next renewal — and if you want a free option, take three of the new entrants for 30-day pilots on a single client each. You’ll find out very quickly which ones can integrate with your PSA and which ones just have a slick demo.

🤖 Anthropic tightens Claude limits, OpenAI Codex moves in

Anthropic announced new caps on what paying Claude subscribers can do with agent workloads, and OpenAI is openly using the moment to pull power users over to Codex, per Axios. The framing matters: Anthropic is signaling that “all-you-can-eat” AI subscriptions don’t survive the agent era — software can burn tokens orders of magnitude faster than a human typing prompts ever could. Translation: every flat-rate AI plan you’ve seen in the last 18 months was a marketing-acquisition price, not a sustainable one.

Why it matters: the AI line item in your client proposals is about to get weird. If you’ve been quoting flat-rate “AI co-pilot included” pricing — whether it’s Copilot resold, an embedded Claude integration in a PSA, or a homebrew agent on your stack — the underlying vendor economics are shifting toward metered or capped. Pass-through risk lands on you. Two moves: pull every active client agreement that mentions AI features and check whether you have language to reprice on vendor changes, and start quoting new AI-adjacent SKUs with explicit usage tiers instead of “unlimited.” The MSPs who get burned in the next 12 months will be the ones who built a fixed-fee Copilot bundle in 2025 and watched margins compress every time Microsoft, Anthropic, or OpenAI moved a pricing lever. 🚨

🔐 Sophos: 71% of orgs hit an identity breach this year, $1.64M to clean it up

Sophos dropped its State of Identity Security 2026 report this morning (May 14): 71% of organizations surveyed had at least one identity-related breach in the past year, the average cleanup cost is $1.64M, and orgs with weak non-human identity (NHI) management saw recovery costs roughly $147K higher on average, per Help Net Security’s writeup. Smaller orgs — the 100-to-250 employee band — were called out specifically as the resource-gap zone.

Why it matters: that 100-250 band is your bread and butter, and “we don’t have time to manage every service account” is exactly the customer you sell to. The $1.64M number isn’t a scare stat — it’s a slide. Three concrete plays that print money off this report. One, an NHI/service-account audit as a fixed-fee engagement (most clients have no inventory of theirs and you’ll find dead privileged accounts in the first hour). Two, a conditional access + ITDR (identity threat detection and response) bundle for any client still running plain MFA on M365 — this is the upsell from “security stack” to “identity-first stack.” Three, tie the $1.64M figure into cyber insurance renewal conversations; carriers are already asking about NHI controls, and clients who can’t answer are quietly being repriced. Identity is the line item that grew faster than EDR in 2025, and Sophos just handed you the numbers to keep growing it in 2026.

⚡ Quick hits

🩹 Microsoft’s May Patch Tuesday landed Tuesday with 30 critical CVEs in a 120-flaw release, including DNS and Netlogon flaws CrowdStrike flagged for priority. No actively exploited zero-days in the batch, but the volume of criticals is unusually high for a quiet month — push your patch rings now, don’t let this one slip a week.

📚 Instructure paid the ransom to ShinyHunters to stop a 3.65TB Canvas data leak affecting thousands of schools. The hackers say the data was “returned.” Nobody believes that. If you support K-12 or higher-ed clients running Canvas, expect awkward parent-and-board conversations this week — have a one-pager ready on what your tenant exposure looks like and what your incident-response retainer covers.

📱 Ivanti EPMM is being actively exploited again (CVE-2026-6973). If any client is still self-hosting Ivanti EPMM, that’s your call this afternoon. The pattern of repeat zero-days in this product line is now a real conversation about whether the platform belongs in a managed stack at all.

That’s the week. Patch, repackage, reprice.