On Natural Consequences

5–18–2026 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, May 18, 2026, and it’s time for an update episode, or something my kids will tell you that I call “natural consequences.”

Right at the top, it's worth mentioning for posterity that the war in Iran continues, with the Strait of Hormuz still closed.

Beyond that, though, plenty of new movement on items we’ve previously discussed, so let’s jump right in.

Natural Consequences: Breaches, Vulnerabilities, and More 

We’ll start with Canvas maker Instructure, who disclosed last week on their Incident page that “Instructure reached an agreement with the unauthorized actor involved in this incident.”

In layman’s terms, it means that Instructure (or, perhaps more likely, their insurance company) paid the ransom. As part of this agreement, Instructure claims that:

  • The data was returned to us.

  • We received digital confirmation of data destruction (shred logs).

  • We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.

  • This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.

So, if you give them the benefit of the doubt, they not only prevented the disclosure but also negotiated an agreement that covered all the schools and students involved, so kudos to them.

The US Government is also reportedly seeking testimony from Instructure leadership on the breach, which shouldn’t be a surprise.

For their part, the ransomware gang behind this attack (ShinyHunters) had to post a note on their own leak page saying:

“We have nothing to add on or comment regarding the recent situation at the LMS company. If you are an impacted institution, we are not seeking your money. Please halt all attempts to reach out to us, the matter has been resolved. The Company and it's [sic] customers will not further be targeted or contacted for payment. The data is nonexistent.”

Which is odd, to say the least, but here we are in the year of our Lord 2026.

Given the new influx of cash that ShinyHunters has, I would expect to see them either ramp up their operations considerably or cash out and go dark, but it's hard to imagine their next steps being somewhere in between.

Instructure also noted on their incident page that they’ve now “rolled out CrowdStrike’s Falcon Endpoint Detection & Response tool across the Instructure network” - indicating perhaps their EDR capabilities were not fully deployed prior to the incident.

Oh, and for the record, the FBI’s official position on paying a ransom is:

“The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

Meanwhile, other ransomware victims continue to feel the impact of their own incidents, with Jaguar Land Rover announcing annual profits had fallen 99%, due to both the ransomware attack and tariffs. Obviously not all of this drop is due to the cyber attack, but hard to imagine that it wasn’t the primary driver, given their extended downtime.

Meanwhile, we’re continuing to see news about the capabilities of the new AI models in finding cybersecurity vulnerabilities, with both Anthropic and OpenAI’s new security models working well beyond existing benchmarks.

The United Kingdom’s AI Security Institute writes in their report that “Mythos Preview and GPT-5.5 have since outperformed any trend lines the institute has measured.” They estimate this capability has exceeded their “doubling rate” trends - used to be every 8 months, now it’s every 4.7 months.

This exponential capability is already driving additional vulnerability discovery in core systems like Windows and Linux. Attackers are continuing their “supply chain” attacks - last week hijacking 84 open source software packages and injecting malware into them. Despite being available for only 20 minutes, the compromised packages impacted tons of organizations, including OpenAI, and the attackers have open-sourced their attack code.

I know it feels like there’s a ton going on out there - because there is! And that trend is going to continue, so we need to find ways to adapt to this new normal, because I don’t think activity is going to decrease any time soon.

Fundraising

From a fundraising perspective, we're back to big totals, with $36.7B in newly committed capital, led by L'imad Holding of Abu Dhabi, which is launching a $30B-targeted fund focused on infrastructure investments in partnership with BlackRock's Global Infrastructure Partners, Temasek, and Abu Dhabi National Oil Co.

Coming up quick on $200B for the quarter, and with SpaceX’s IPO coming as soon as Wednesday, these numbers sure seem to just get bigger.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.

We’ll see you next week for another edition of the Intentional Brief.

Links

https://www.instructure.com/incident_update

https://www.nytimes.com/2026/05/12/us/canvas-instructure-hackers-deal.html

https://www.bleepingcomputer.com/news/security/us-govt-seeks-instructure-testimony-on-massive-canvas-cyberattack/

https://www.ransomlook.io/group/shinyhunters

https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/ransomware

https://www.theguardian.com/business/2026/may/14/jaguar-land-rover-annual-profit-falls-99-per-cent-us-tariffs-cyber-attack

https://cyberscoop.com/ai-autonomous-cyber-capability-benchmarks-broken-gpt5-claude-mythos/

https://www.aisi.gov.uk/blog/how-fast-is-autonomous-ai-cyber-capability-advancing

https://www.csoonline.com/article/4170785/microsofts-new-ai-system-finds-16-windows-flaws-including-four-critical-rces.html

https://www.bleepingcomputer.com/news/security/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges/

https://techcrunch.com/2026/05/14/openai-says-hackers-stole-some-data-after-latest-code-security-issue/

https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis/

https://seekingalpha.com/news/4594254-elon-musk-signals-pretty-soon-timeline-for-spacex-ipo-space-stocks-rise
