Threat Economics is a weekly Security Unlocked column that translates threat intelligence into market signals, tracking where capital, risk, and adversary behavior intersect.

Non-Human Identity Gets Its $24.6 Billion Proof Point

The investment thesis behind this year’s non-human identity (NHI) acquisition wave has been straightforward: machine credentials including API keys, OAuth tokens, service account passwords, and CI/CD pipeline secrets are proliferating faster than any organization can track them, and attackers know it. What Week 23 delivered was the proof point at operational scale.

The TeamPCP supply chain campaign, now in its tenth consecutive week, ran two simultaneous operations this reporting window: the Mini Shai-Hulud worm infected more than 170 npm and PyPI packages by hijacking GitHub Actions OIDC tokens and propagating through npm publish credentials, and the Megalodon operation injected 5,718 malicious commits into 5,561 GitHub repositories in six hours using infostealer-harvested developer credentials. The attack chain did not require exploiting a zero-day. It required harvesting machine credentials from developers who had previously been compromised, then using those credentials to authenticate as legitimate CI pipeline actors. The commits looked real because they were signed by real accounts. The attack bypassed registry signature detection entirely because it operated upstream of the signing step.

Cisco acquired Astrix Security in May for approximately $400 million. Oasis Security raised $120 million targeting NHI and AI agent credentials. Palo Alto Networks closed its CyberArk acquisition at $24.6 billion in February. All three deals cite the same underlying problem: most organizations have no real-time visibility into their machine identity population, and that population now includes not just service accounts but AI agent tokens, GitHub Actions OIDC grants, and ephemeral CI/CD credentials. Q1 2026 cybersecurity funding hit $4.62 billion, more than double Q1 2025’s $2.22 billion, with NHI-adjacent deals among the most active subcategories. TeamPCP’s Megalodon operation is a live demonstration of what happens when that visibility gap is weaponized at scale. The acquirers bought ahead of the proof point; the proof point arrived on schedule.

The AI Infrastructure CVE Cluster Is a Market Sizing Exercise

Starlette CVE-2026-48710, disclosed May 22 with a patch shipped one day earlier, affects 325 million weekly downloads and every Python AI serving framework built on the ASGI layer: FastAPI, vLLM, LiteLLM, and the majority of deployed MCP server implementations. A host-header authentication bypass lets any attacker reach protected endpoints by appending a single character to the HTTP Host header. The fix is a one-line library upgrade. The exposure window is every deployment that has not yet run pip install starlette==1.0.1, which, given that the vulnerability was entirely absent from automated feed collection, represents a large fraction of the affected population.

This is Week 23 of a six-week AI infrastructure CVE cluster that started with the Claude Code credential exposure in W18, progressed through PraisonAI (CVSS 9.8, Python eval() execution via unauthenticated A2A endpoint), vLLM’s trust_remote_code bypass, BentoML YAML injection, four simultaneous Open WebUI authorization failures, and now Starlette BadHost plus four MCP server-layer CVEs in a single reporting window. The progression follows the same pattern REST API exploitation followed in the mid-2010s: research attention consolidates on a productive attack surface, disclosure velocity accelerates, and the window between initial proof-of-concept and reliable exploitation tooling compresses to months.

The market signal embedded in this cluster is a product gap of measurable size. Trend Micro’s Vision One AI security product line is growing at 50% annually versus 3% for the company’s base security business. Fortinet raised its full-year 2026 revenue guidance to $7.8 billion and attributed outperformance partially to AI security demand. CrowdStrike’s ARR crossed $5.25 billion with guidance implying continued 24% growth. These vendors are selling into a market where the attack surface is expanding faster than organizational security programs can track it, and where a significant fraction of the exposure, Starlette BadHost was completely invisible to standard feed-based vulnerability triage, requires a different detection approach than MSRC-based patch management. The CVE cluster is not a threat summary. It is a product whitespace map.

Cyber Insurance Pricing Meets the Attack Surface It Did Not Underwrite

Global cyber insurance direct written premiums reached approximately $26.3 billion in 2025 and are projected to hit $33.4 billion in 2026. That growth figure coexists with an active multi-year premium softening cycle: rates are down roughly 22% from their 2022 peak, with Beazley reporting a 6.8% cyber-specific rate decline in H1 2025 alone. The softening reflects improved security hygiene among large enterprise buyers, reduced ransomware frequency from law enforcement operations, and competitive insurer capacity. What it does not reflect is the risk profile introduced by AI infrastructure and supply chain attack surfaces.

Supply chain attacks now account for more than 30% of all data breaches, and 37% of cyber insurance claims are fully or partially denied, with supply chain incidents generating the highest denial rate of any breach category. Insurers are requiring policyholders to declare use of specific high-risk vendors; undisclosed third-party infrastructure that causes a loss event is grounds for claim denial under standard policy language. Three new exclusion categories are being added to 2026 policies: shadow AI activities, non-consensual deepfake liability, and unmonitored AI agent actions. None of these exclusion categories existed when most multi-year cyber policies in the current market were written.

The TeamPCP coverage problem is acute. The Megalodon and Shai-Hulud attack chain runs through a foreign threat actor (potential war exclusion trigger), open-source package compromise (supply chain exclusion territory), infostealer-harvested credentials (unpatched system or unmonitored endpoint), and ransomware deployment via the Vect group (standard ransomware coverage, but contingent on the prior exclusions not applying). A single incident can touch every contested exclusion simultaneously. Confirmed downstream victims from the broader TeamPCP campaign include a European Commission breach (340 GB exfiltrated, 71 client organizations affected) and Sportradar (161 sports league and media clients, 328 leaked API key pairs), with Mandiant reporting more than 1,000 SaaS environments actively managing fallout. None of those organizations has publicly disclosed an insurance claim outcome. The combination of softening premiums and expanding exclusion language is a pricing dislocation. The loss events that close it are already in the system.

The First Criminal AI Zero-Day Changes Exploitation Economics

On May 11, Google Threat Intelligence Group confirmed that a criminal threat actor, not a nation-state research program, used an AI model to develop a zero-day exploit targeting a semantic logic flaw in a 2FA implementation. The evidentiary basis: every function in the exploit script carried educational docstrings at a verbosity no human attacker would include, a hallucinated CVSS score, and clean ANSI terminal output classes consistent with model-generated Python. Google assessed high confidence in AI involvement and disrupted the planned mass exploitation event through proactive disclosure.

The economic implication is not about volume. One AI-generated exploit does not mean zero-days become commodity overnight. The implication is about cost: semantic logic flaws in authentication flows were previously expensive to find because they require reasoning about developer intent rather than running a memory corruption fuzzer. An AI model that can read code and reason about what an authentication check is supposed to do is better positioned to identify the gap between intent and implementation than static analysis tools, which flag syntax errors, not semantic ones. The most exposed vulnerability categories are authentication logic, session management, and authorization flow failures in API-facing code. Those are also the exact categories generating most of the AI infrastructure CVE cluster discussed above, connecting the two patterns.

Artemis, an AI-versus-AI attack defense startup, raised $70 million in April 2026. Trend Micro’s Vision One AI security ARR is growing at 50% year-over-year. The confirmation that the capability has crossed from nation-state research (Google’s own BigSleep found a SQLite zero-day in late 2025) to criminal deployment compresses the timeline for when AI-assisted vulnerability discovery becomes a routine tool for mid-tier threat actors. Every AI security vendor raising capital in the current cycle has a marketing narrative that relies on this threat being real. Week 23 provided the primary source citation.

Federal Procurement: The Civilian Contraction and the Compliance Wave Below It

The federal civilian cybersecurity budget for FY2026 is $11.7 billion, down $900 million from FY2025’s $12.6 billion and $1.3 billion below the FY2024 peak of $13 billion. DoD cybersecurity spending is growing at 11.9% year-over-year, creating a visible divergence between civilian and defense budgets that is reshaping vendor revenue mix toward defense primes and away from civilian agency contracts.

Below the headline numbers, two compliance mechanisms are generating significant procurement demand. CMMC 2.0’s final rule took effect in November 2025, requiring cybersecurity assessments on every DoD contract across the approximately 300,000-organization defense industrial base. This creates a three-year phased wave of compliance-driven security spend that does not track with the civilian budget contraction at all; it is structural demand driven by contract requirements, not discretionary IT budget decisions. CISA’s BOD 26-02 edge device directive creates a parallel procurement forcing function for network visibility and inventory tools at federal civilian agencies, a segment where the budget is contracting but the compliance obligation is new.

The CISA KEV deadlines active this week illustrate a different procurement mechanism. The federal remediation deadline for Exchange CVE-2026-42897 passed May 29 with no permanent patch available. The Defender dual zero-day deadline is June 3. The GlobalProtect deadline was June 1. When a federal compliance deadline expires without a vendor-supplied patch, it creates an emergency procurement conversation for compensating controls, temporary network segmentation tools, managed detection services, and interim mitigation technology. That conversation happens at premium pricing. Vendors whose products address the gap between a KEV deadline and a missing patch are operating in a market segment with no price sensitivity.

Where the Money Points

Three mechanisms are validating the same thesis simultaneously this week: the NHI acquisition stack (Cisco, Oasis, Palo Alto/CyberArk) bought ahead of the TeamPCP proof point that developer machine credentials are the highest-value attack surface in enterprise environments. The AI infrastructure CVE cluster is generating the product whitespace that Trend Micro’s 50% Vision One growth and Q1 2026’s $4.62 billion funding figure are rushing to fill. And the Google AI zero-day confirmation is the primary source citation that every AI security vendor’s investment narrative now references.

The counter-signal worth tracking is the cyber insurance market. Premiums are down 22% from peak against a risk profile that expanded materially this week: AI infrastructure exclusions are new, supply chain coverage language was not written for the TeamPCP attack chain, and the gap between what policies cover and what the actual breach population looks like is widening. The soft market is being written against expanding exposure. Either a significant loss event reprices the market in the next 12 to 18 months, or insurers close the gap through exclusion language before claims force the issue. Both outcomes favor vendors who can demonstrate measurable risk reduction in the specific categories where coverage is contested: supply chain visibility, machine identity monitoring, and AI infrastructure security controls.