This week's theme: trust nothing, patch everything, and maybe audit every OAuth integration your clients have ever approved. A supply chain attack tore through the CRM data of a dozen security vendors, Cisco just hit its seventh SD-WAN zero-day of 2026, and Microsoft set a new all-time record for vulnerabilities patched in a single month. Let's get into it.
🔗 THE ONE THAT STINGS: Klue OAuth Breach Hits HackerOne, Huntress, BeyondTrust & More
The newly emerged Icarus extortion group exploited a dormant legacy OAuth token in market intelligence platform Klue to steal Salesforce CRM data from at least nine organizations — including HackerOne, Huntress, BeyondTrust, LastPass, Recorded Future, Snyk, and Tanium. The attack, which began June 11, leveraged a compromised service account credential to push a malicious code update that harvested customers' OAuth tokens. Salesforce disabled the Klue integration within 24 hours, but the data was already out the door.
The Icarus group — active only since April 2026 — threatens public data dumps unless victims enter negotiations, and has already leaked partial data to prove it's serious.
Why it matters to you: This is textbook supply chain via SaaS integration — the OAuth connector nobody's auditing. If your clients use Klue or any third-party CRM connector, now's the time to review what tokens are live and what they can access. The darkly ironic part: security companies — including breach responders and threat intel vendors — got hit. If it can happen to them, your clients are exposed. BleepingComputer | The Register | SecurityWeek
🚨 SEVENTH TIME'S A CHARM: Cisco SD-WAN CVE-2026-20245 Actively Exploited
Cisco disclosed on June 5 that CVE-2026-20245 — a command injection flaw in Cisco Catalyst SD-WAN Manager — is being actively exploited in the wild. Attackers with netadmin privileges can upload a crafted file and execute arbitrary commands as root. Mandiant discovered and reported the flaw to Cisco; in observed cases, exploitation resulted in malicious configuration changes pushed to edge devices. Patches shipped June 12.
Why it matters to you: This is the seventh Cisco SD-WAN zero-day exploited so far in 2026. That's no longer a product issue — it's a product pattern. MSPs managing Cisco SD-WAN for clients should have applied the June 12 patch immediately. If that hasn't happened, stop reading and go do that. Seriously. SecurityWeek | Help Net Security
📦 RECORD SMASHED: Microsoft Patches ~200 CVEs Including 6 Zero-Days
June Patch Tuesday was a monster: Microsoft addressed roughly 200 vulnerabilities — the largest monthly release in years — including 6 zero-days (5 publicly disclosed, 1 actively exploited in the wild). Highlights: CVE-2026-45657, a Windows Kernel RCE rated CVSS 9.8 that allows unauthenticated remote code execution at SYSTEM level; and CVE-2026-41091, a Microsoft Defender Elevation of Privilege flaw with confirmed in-the-wild exploitation. A researcher going by "Nightmare Eclipse" disclosed multiple flaws across BitLocker and Defender. Microsoft also absorbed 360 Chromium CVEs into its Edge browser update.
Why it matters to you: Nearly a third of patches target elevation of privilege — the classic attacker-already-inside move. The Defender EoP with active exploitation should be at the top of your priority queue. The sheer volume of CVEs is also a signal: AI-assisted vulnerability research is accelerating disclosure faster than the patch cycle can comfortably absorb. Expect this trend to continue. BleepingComputer | CyberScoop
🤖 AI HITS THE SOC: OpenAI Launches GPT-5.5-Cyber to Vetted Defenders
OpenAI rolled out the full version of GPT-5.5-Cyber on June 22, hitting 85.6% on CyberGym — the highest score ever recorded by a single model. The model performs deep codebase analysis, vulnerability validation, and automated patch generation at machine speed. Access is gated to vetted organizations including Akamai, Cisco, CrowdStrike, Fortinet, and Palo Alto Networks. The new Daybreak Cyber Partner Program extends API access to 30 security vendors and MSPs, letting them embed the model into products clients already use.
Why it matters to you: This is the signal that AI-native security tooling is past the hype phase and into deployment. The Daybreak Partner Program is explicitly designed for MSSPs and security vendors — if your platform partners are in the program, expect AI-powered analysis to show up in your stack sooner than you think. For clients asking "when does AI actually help in security ops?" — point them here. OpenAI | Axios
📡 MSP MOVES: Check Point Expands AI Platform, AI Governance = New Revenue
At Pax8 Beyond 2026, Check Point unveiled a major MSP platform expansion: new AI security capabilities, a multi-tenant Management Control Plane (MCP) for unified management, and simplified bundled licensing. Separately, analysts are flagging AI governance as the next big MSP/MSSP revenue opportunity — a Black Duck survey found 97% of enterprise engineers use AI coding assistants, but only 30% have full governance in place, with nearly 90% reporting problems from AI-generated code.
Why it matters to you: Two plays. One: Check Point is making a serious run at MSP wallet share — simplified licensing is a real differentiator if it holds up. Two: AI governance is the new compliance gap. Your clients are already exposed and don't know it. MSSPs who build a governance-as-a-service offering now — covering AI code review, model access controls, shadow AI — will be ahead of the wave when the first major AI-governance breach makes headlines. IT Security Guru | Channel Insider
💀 RANSOMWARE ROUNDUP: Nintendo Hit, iRhythm Extorted, "The Gentlemen" Recruit Hard
A quick scan of this week's ransomware activity: ShadowByt3$ claimed a Nintendo attack, alleging 859 MB of employee data stolen. Medical device maker iRhythm detected unauthorized access June 8 and was contacted by an extortionist the next day. And The Gentlemen — now the second-most-active ransomware gang by victim count — are reportedly offering affiliates a 90% revenue share to recruit top-tier operators.
Why it matters to you: The 90% affiliate cut is the number to watch. It's a bidding war for skilled ransomware operators, which means better tooling, more sophisticated TTPs, and harder-to-detect intrusions hitting your clients' environments. iRhythm is another reminder that healthcare devices are a soft, high-value target. MSPs with medical or OT clients: update your threat model accordingly. SharkStriker | BlackFog
---
That's your byte for today. Stay patched, audit your OAuth tokens, and remember: if a security vendor can get owned through a legacy CRM integration, your clients definitely can.
— The ChannelBytes Team



