“Your AI? It’s my AI now.” The line came from Etay Maor, VP of Threat Intelligence at Cato Networks, in an exclusive interview with VentureBeat at RSAC 2026 — and it describes exactly what happened to a U.K. CEO whose OpenClaw instance ended up for sale on BreachForums. Maor’s argument is that the industry handed AI agents the kind of autonomy it would never extend to a human employee, discarding zero trust, least privilege, and assume-breach in the process.

The proof arrived on BreachForums three weeks before Maor’s interview. On February 22, a threat actor using the handle “fluffyduck” posted a listing advertising root shell access to the CEO’s computer for $25,000 in Monero or Litecoin. The shell was not the selling point. The CEO’s OpenClaw AI personal assistant was. The buyer would get every conversation the CEO had with the AI, the company’s full production database, Telegram bot tokens, Trading 212 API keys, and personal details the CEO disclosed to the assistant about family and finances. The threat actor noted the CEO was actively interacting with OpenClaw in real time, making the listing a live intelligence feed rather than a static data dump.

Cato CTRL senior security researcher Vitaly Simonovich documented the listing on February 25. The CEO’s OpenClaw instance stored everything in plain-text Markdown files under ~/.openclaw/workspace/ with no encryption at rest. The threat actor didn’t need to exfiltrate anything; the CEO had already assembled it. When the security team discovered the breach, there was no native enterprise kill switch, no management console, and no way to inventory how many other instances were running across the organization.

OpenClaw runs locally with direct access to the host machine’s file system, network connections, browser sessions, and installed applications. The coverage to date has tracked its velocity, but what it hasn’t mapped is the threat surface. The four vendors who used RSAC 2026 to ship responses still haven’t produced the one control enterprises need most: a native kill switch.

The threat surface by the numbers

Maor ran a live Censys check during an exclusive VentureBeat interview at RSAC 2026. “The first week it came out, there were about 6,300 instances. Last week, I checked: 230,000 instances. Let’s check now… almost half a million. Almost doubled in one week,” Maor said. Three high-severity CVEs define the attack surface: CVE-2026-24763 (CVSS 8.8, command injection via Docker PATH handling), CVE-2026-25157 (CVSS 7.7, OS command injection), and CVE-2026-25253 (CVSS 8.8, token exfiltration to full gateway compromise). All three CVEs have been patched, but OpenClaw has no enterprise management plane, no centralized patching mechanism, and no fleet-wide kill switch. Individual administrators must update each instance manually, and most have not.

The defender-side telemetry is just as alarming. CrowdStrike’s Falcon sensors already detect more than 1,800 distinct AI applications across its customer fleet — from ChatGPT to Copilot to OpenClaw — generating around 160 million unique instances on enterprise endpoints. ClawHavoc, a malicious skill distributed through the ClawHub marketplace, became the primary case study in the OWASP Agentic Skills Top 10. CrowdStrike CEO George Kurtz flagged it in his RSAC 2026 keynote as the first major supply chain attack on an AI agent ecosystem.

AI agents got root access. Security got nothing.

Maor framed the visibility failure through the OODA loop (observe, orient, decide, act) during the RSAC 2026 interview. Most organizations are failing at the first step: security teams can’t see which AI tools are running on their networks, which means the productivity tools employees bring in quietly become shadow AI that attackers exploit. The BreachForums listing proved the end state. The CEO’s OpenClaw instance became a centralized intelligence hub with SSO sessions, credential stores, and communication history aggregated into one location. “The CEO’s assistant can be your assistant if you buy access to this computer,” Maor told VentureBeat. “It’s an assistant for the attacker.”

Ghost agents amplify the exposure. Organizations adopt AI tools, run a pilot, lose interest, and move on — leaving agents running with credentials intact. “We need an HR view of agents. Onboarding, monitoring, offboarding. If there’s no business justification? Removal,” Maor told VentureBeat. “We’re not left with any ghost agents on our network, because that’s already happening.”

Cisco moved toward an OpenClaw kill switch

Cisco President and Chief Product Officer Jeetu Patel framed the stakes during an exclusive VentureBeat interview at RSAC 2026. “I think of them more like teenagers. They’re supremely intelligent, but they have no fear of consequence,” Patel said of AI agents. “The difference between delegating and trusted delegating of tasks to an agent … one of them leads to bankruptcy. The other one leads to market dominance.”

Cisco launched three free, open-source security tools for OpenClaw at RSAC 2026. DefenseClaw packages Skills Scanner, MCP Scanner, AI BoM, and CodeGuard into a single open-source framework running inside NVIDIA’s OpenShell runtime, which NVIDIA launched at GTC the week before RSAC. “Every single time you actually activate an agent in an Open Shell container, you can now automatically instantiate all the security services that we have built through Defense Claw,” Patel told VentureBeat. AI Defense Explorer Edition is a free, self-serve version of Cisco’s algorithmic red-teaming engine, testing any AI model or agent for prompt injection and jailbreaks across more than 200 risk subcategories. The LLM Security Leaderboard ranks foundation models by adversarial resilience rather than performance benchmarks. Cisco also shipped Duo Agentic Identity to register agents as identity objects with time-bound permissions, Identity Intelligence to discover shadow agents through network monitoring, and the Agent Runtime SDK to embed policy enforcement at build time.

Palo Alto made agentic endpoints a security category of their own

Palo Alto Networks CEO Nikesh Arora characterized OpenClaw-class tools as creating a new supply chain running through unregulated, unsecured marketplaces during an exclusive March 18 pre-RSA briefing with VentureBeat. Koi found 341 malicious skills on ClawHub in its initial audit, with the total growing to 824 as the registry expanded. Snyk found 13.4% of analyzed skills contained critical security flaws. Palo Alto Networks built Prisma AIRS 3.0 around a new agentic registry that requires every agent to be logged before operating, with credential validation, MCP gateway traffic control, agent red-teaming, and runtime monitoring for memory poisoning. The pending Koi acquisition adds supply chain visibility specifically for agentic endpoints.

Cato CTRL delivered the adversarial proof

Cato Networks’ threat intelligence arm Cato CTRL presented two sessions at RSAC 2026. The 2026 Cato CTRL Threat Report, published separately, includes a proof-of-concept “Living Off AI” attack targeting Atlassian’s MCP and Jira Service Management. Maor’s research provides the independent adversarial validation that vendor product announcements cannot deliver on their own. The platform vendors are building governance for sanctioned agents. Cato CTRL documented what happens when the unsanctioned agent on the CEO’s laptop gets sold on the dark web.

Monday morning action list

Regardless of vendor stack, four controls apply immediately: bind OpenClaw to localhost only and block external port exposure, enforce application allowlisting through MDM to prevent unauthorized installations, rotate every credential on machines where OpenClaw has been running, and apply least-privilege access to any account an AI agent has touched.

1. Discover the install base. CrowdStrike’s Falcon sensor, Cato’s SASE platform, and Cisco Identity Intelligence all detect shadow AI. For teams without premium tooling, query endpoints for the ~/.openclaw/ directory using native EDR or MDM file-search policies. If the enterprise has no endpoint visibility at all, run Shodan and Censys queries against corporate IP ranges.

2. Patch or isolate. Check every discovered instance against CVE-2026-24763, CVE-2026-25157, and CVE-2026-25253. Instances that cannot be patched should be network-isolated. There is no fleet-wide patching mechanism.

3. Audit skill installations. Review installed skills against Cisco’s Skills Scanner or the Snyk and Koi research. Any skill from an unverified source should be removed immediately.

4. Enforce DLP and ZTNA controls. Cato’s ZTNA controls restrict unapproved AI applications. Cisco Secure Access SSE enforces policy on MCP tool calls. Palo Alto’s Prisma Access Browser controls data flow at the browser layer.

5. Kill ghost agents. Build a registry of every AI agent running. Document business justification, human owner, credentials held, and systems accessed. Revoke credentials for agents with no justification. Repeat weekly.

6. Deploy DefenseClaw for sanctioned use. Run OpenClaw inside NVIDIA’s OpenShell runtime with Cisco’s DefenseClaw to scan skills, verify MCP servers, and instrument runtime behavior automatically.

7. Red-team before deploying. Use Cisco AI Defense Explorer Edition (free) or Palo Alto Networks’ agent red-teaming in Prisma AIRS 3.0. Test the workflow, not just the model.

The OWASP Agentic Skills Top 10, published using ClawHavoc as its primary case study, provides a standards-grade framework for evaluating these risks. Four vendors shipped responses at RSAC 2026. None of them is a native enterprise kill switch for unsanctioned OpenClaw deployments. Until one exists, the Monday morning action list above is the closest thing to one.

Kia’s combustion-powered Seltos has grown up and glowed up with more space and bigger tech inside.

Antuan Goodwin

Antuan started out in the automotive industry the old-fashioned way, by turning wrenches in a driveway and picking up speeding tickets. He now has nearly 20 years of expertise and experience behind the wheel of hundreds of cars, including electric, hybrid, plug-in hybrid, hydrogen, and traditional combustion vehicles.

For each car he tests, Antuan covers more than 200 miles behind the wheel and evaluates driving dynamics; acceleration and braking performance; range; and efficiency.

Antuan’s goal is to use his extensive car knowledge to educate CNET readers and help with their next car-related buying decision. Whether you’re EV-curious, an EV-enthusiast or a combustion-car loyalist, Antuan will bring you the unbiased advice, reviews, best lists and news you need.

You can reach Antuan at antuan.goodwin@cnet.com

Eighteen months ago, Legora was a Stockholm startup with a handful of law-firm clients and roughly $1 million in annual recurring revenue. On Tuesday, the company told Business Insider that it has crossed $100 million in ARR, a milestone that in enterprise software typically takes the better part of a decade. Max Junestrand, Legora’s 26-year-old cofounder and chief executive, framed the number as a reflection of demand rather than salesmanship. “This is a reflection of how quickly our customers are pushing the industry forward,” he said in a statement. “They’re redefining how legal work gets done, and AI is becoming the core infrastructure for the profession.”

The claim, if verified independently, would place Legora among the fastest-growing software companies in European history and firmly establish it as the most serious challenger to Harvey, the San Francisco-based legal AI company that currently leads the market. Harvey, which was last valued at $11 billion after raising $200 million in late March, said it had crossed $200 million in ARR and now serves more than 100,000 lawyers across 1,300 organisations. Legora’s customer base has grown to more than 1,000 firms and legal teams, according to the company, up from around 800 at the time of its Series D financing in early March.

The revenue figure helps explain a valuation that, until now, looked difficult to justify on the numbers alone. Legora raised $550 million in a Series D round led by Accel on 10 March, with the round pricing the company at $5.55 billion. At the time, its publicly disclosed ARR was approximately $23 million, putting the valuation at a staggering 240 times revenue. If the company was already running closer to $100 million, the multiple drops to roughly 55 times, still aggressive but within the range investors have accepted for high-growth vertical AI businesses. Among the backers in that round were Benchmark, Bessemer Venture Partners, General Catalyst, ICONIQ, Redpoint Ventures, Menlo Ventures, Salesforce Ventures, Bain Capital, and Y Combinator, which backed Legora in its Winter 2024 batch. Total funding now stands at $816 million.

Junestrand’s biography reads like a case study in the argument that Europe should bet bigger on young founders. He was 23 when he started Legora with Sigge Labor, the company’s chief technology officer, and August Erséus, having previously competed in professional gaming, studied machine learning and business at KTH and the Stockholm School of Economics simultaneously, and worked at McKinsey. None of the three founders had practised law. They met Labor’s early prototype of software that could automate simpler legal tasks during the pandemic, but the state of large language models at the time limited what it could do. When the models improved, Legora launched.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

The product now covers the full arc of legal work that firms have historically staffed with junior associates: tearing through data rooms during due diligence, comparing contracts clause by clause, drafting briefs, and running multi-document reviews. In November 2025, the company launched Portal, a platform designed to let law firms productise their expertise and deliver it to in-house legal teams through custom AI workflows and intelligent document sharing. Design partners on Portal include Linklaters, Cleary Gottlieb, Goodwin, Deloitte, and Bird & Bird, with general availability scheduled for the first quarter of 2026. On 12 March, days after closing the Series D, Legora acquired Walter AI, a Canadian startup building agentic legal workflows, integrating its nine-person team into Stockholm and establishing a Toronto office under Walter’s former chief customer officer.

Legora’s trajectory has been shaped by a legal industry that appears to have moved past the question of whether AI belongs in the practice of law. A Thomson Reuters survey published in January found that law-firm spending on technology and knowledge-management tools grew 9.7 and 10.5 per cent respectively in 2025, the fastest real growth the sector has recorded. Separate research suggests that 55 per cent of lawyers are already using AI in some form. The global legal AI market, estimated at between $2.7 billion and $5.6 billion depending on whose definition of “legal AI” you accept, is projected to grow at compound annual rates of 17 to 22 per cent through the end of the decade.

The competitive landscape is narrowing. Harvey and Legora have emerged as the two dominant platforms for large law firms, with most other entrants either acquired, consolidated, or relegated to niche applications. Harvey’s advantage is depth of penetration: its tools are embedded in the daily workflows of some of the world’s largest firms, including those in the Am Law 100 and Magic Circle. Legora’s advantage is breadth and speed. The company expanded from 250 firms in May 2025 to more than 1,000 in less than a year, growing its headcount from 40 to more than 400 and opening offices in London, New York, and Sydney alongside its Stockholm headquarters. It became the fastest Y Combinator company to reach unicorn status, hitting $1.8 billion in its Series C in October 2025, just 13 months after its YC batch.

That speed carries risks. Legora’s valuation has roughly tripled every five months since its Series B, a pace that leaves almost no margin for a revenue deceleration. The $5.55 billion price assumes the company will continue scaling at rates that would place it in the top fraction of enterprise software businesses globally. If the $100 million ARR figure is accurate and growth sustains through 2026, Legora’s investors will look prescient. If the legal market’s appetite for AI tools plateaus, or if firms begin consolidating around a single platform rather than running both Harvey and Legora in parallel, the arithmetic gets considerably harder.

The broader question is what the legal AI boom tells us about the acceleration of AI adoption across professional services. Law was supposed to be resistant to automation: high-stakes, relationship-driven, riddled with jurisdictional complexity, and governed by professional regulators who move slowly. Instead, it has become one of the fastest-adopting verticals in enterprise AI, driven partly by the economics of the billable hour, which makes the value of time savings immediately and precisely quantifiable. A tool that lets a junior associate complete a document review in two hours instead of ten does not merely improve productivity. It changes the unit economics of the firm.

The European deep-tech paradox, in which the continent produces world-class research but struggles to build world-scale companies, finds an unusual counter-example in Legora. A Swedish company, built by founders in their mid-twenties with no legal background, has raised more than $800 million, grown to $100 million in ARR in a year and a half, and is now competing head-to-head with a Silicon Valley rival that has the backing of Sequoia, GIC, and the OpenAI ecosystem. Whether Legora can sustain that trajectory, or whether the extraordinary growth rates of 2025 and early 2026 represent a peak rather than a baseline, will depend on something no language model can yet predict: whether the lawyers who adopted these tools in a rush of enthusiasm will still be paying for them in three years’ time.

For now, the numbers suggest they will. The legal profession, it turns out, has been waiting for someone to automate the parts of the job that nobody enjoyed doing in the first place. Legora and Harvey are both betting that the parts nobody enjoyed doing also happen to be the parts that generated most of the revenue. That tension, between efficiency and economics, between the promise of AI and the structures it disrupts, is the real story behind the $100 million milestone. The software works. The question is what the profession looks like once everyone is using it.