A security researcher has released a new Microsoft Defender zero-day exploit named “RoguePlanet” just hours after Microsoft fixed two previously disclosed flaws during June 2026 Patch Tuesday.

The researcher, known as Nightmare Eclipse, says the new vulnerability affects fully patched Windows 10 and Windows 11 devices, allowing attackers to spawn a command prompt with SYSTEM privileges via a Microsoft Defender race condition vulnerability.

The researcher shared a proof-of-concept exploit on Tuesday afternoon in a self-hosted Git repository after saying that GitHub and GitLab repositories hosting their exploits had previously been removed by Microsoft.

“The exploit is a race condition, so it’s a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others,” Nightmare Eclipse wrote in the repository.

The flaw was reportedly tested against Windows 11 Official and Canary builds, as well as Windows 10 systems with the June 2026 security updates installed.

When successful, a Windows command prompt will be spawned with SYSTEM privileges.

Cybersecurity firm ThreatLocker told BleepingComputer that they successfully reproduced the flaw in their testing and confirmed the exploit worked against fully patched Windows 11 systems with KB5094126 installed, and shared a video demonstrating it.

“Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack,” Danny Jenkins, CEO of ThreatLocker, told BleepingComputer.

According to Nightmare Eclipse, RoguePlanet was originally developed as a remote code execution vulnerability that exploited Microsoft Defender’s handling of files hosted on remote SMB shares.

“In initial development, it was confirmed that this vulnerability was a remote code execution,” the researcher explained in a blog post.

“It required an attacker to coerce a victim to open a .vhd(x) in a remote SMB server, succesful exploitation resulted in defender overwriting its own files and obviously the end outcome was an RCE.”

The researcher says another attack scenario could lead to remote code execution simply by coercing a victim into opening an SMB share if symlink evaluation settings were enabled.

However, the researcher claims Microsoft silently hardened Defender in mid-May by patching “mpengine!SysIO*” API, which blocked junction attacks.

“Rewriting RoguePlanet to make it functional again drained my soul and I couldn’t complete the other scenarios and for now it remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE,” the researcher wrote.

The release is part of an ongoing dispute between Nightmare Eclipse and Microsoft over the company’s vulnerability disclosure and bug bounty practices.

Over the past several months, the researcher has publicly released multiple Windows zero-days, including the BlueHammer, RedSun, GreenPlasma, and YellowKey flaws. Some of the zero-days targeted Microsoft Defender, while others targeted BitLocker and Windows components. 

Microsoft fixed the GreenPlasma and YellowKey flaws today as part of the June 2026 Patch Tuesday updates.

Microsoft previously reacted to the disclosures with warnings that it would work with law enforcement when people engage in “malicious activity causing real harm to our customers,” leading many in the cybersecurity community to think Microsoft was threatening the researcher.

Nightmare Eclipse claims Microsoft repeatedly targeted and removed previous repositories hosted on GitHub and GitLab, prompting the creation of a self-hosted code platform at projectnightcrawler.dev.

BleepingComputer has contacted Microsoft about the new zero-day and will update the story if we receive a statement.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Advertisement

Get the whitepaper

In 2021, I was a demoralized educator: not burnt out, but demoralized. As I shared in my first article for EdSurge, demoralization occurs when teachers “encounter consistent and pervasive challenges to enacting the values that motivate their work.”

That year, the pervasive challenges seemed obvious and communal. We were all navigating online platforms, figuring out how to replicate student services virtually and struggling to make up for lost time in instruction, social-skill development and relationship-building for when students returned to in-person schooling.

When I think about what feels most pressing now, it seems those challenges persist but are perhaps less obvious to society at large. As the authors of “Going the Distance: The Teaching Profession in a Post-COVID World (2024)” wrote:

A crisis is not merely an event: it’s the context in which an event takes place and the response to that event.” The global pandemic has ended, but how much has the context changed and did the response meet the needs?

Right now, I believe teaching is the most important thing we can do. When the world is on fire, what feels most pressing is teaching students to claim their humanity and helping educators understand how much the communal learning experience matters. Five years later, I have come full circle.

This time, I return to that same claim with a broader and deeper understanding of what makes a school. We use that old adage, “It takes a village…” More and more, I see that we, as school communities, are the village and the villagers that we need right now. What really makes a school more human is not just the principals and teachers, but the child welfare staff, paraeducators, campus supervisors, guidance counselors, cafeteria workers, coaches, librarians, custodians and secretaries. The list is long, but it feels necessary to name the people on campus who make students feel like they belong, support them and have their backs when students need it. These are the colleagues who have shown me what it is like to truly model humanity to our students.

The truth is that the onus is on all of us to create an environment in which mutual respect and empathy are the baseline expectations. So, as an instructional coach, as a leader and as a voice of change in this context, what can I do? How do I communicate to teachers that, while they have been beaten down and blamed for society’s ills, they also have the herculean task of helping students learn how to be human together?

In 2021, I said that I was demoralized. In 2026, I am revitalized and committed to my role as an educator, instructional coach and teacher advocate.

Since participating in the inaugural cohort of the Voices of Change fellowship, I have contributed essays to The California Educator, Edutopia and EdSurge. I have joined podcast panels to talk about social-emotional learning, culturally responsive teaching and civil discourse in the classroom.

This fellowship showed me the power of personal writing for representation and advocacy. I have started to write children’s books about my own neurodivergent children. I have presented at local and state conferences and will continue to use my voice and my words to advocate for students, for educators, for quality professional development and schools that model the best of humanity. Writing for the Voices of Change fellowship has helped me claim my voice, my humanity and my power.

At long last, a corporate training you might actually enjoy.

ServiceNow is warning about a security incident after attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances.

The company quietly warned impacted customers through a support bulletin and direct support cases after detecting “anomalous activity” related to the issue.

The bulletin, which is hidden behind ServiceNow’s customer support login portal, states that the company applied a security update to hosted customer instances on June 5, 2026.

“On June 5, 2026, ServiceNow applied a security update to hosted customer instances,” reads the support bulletin.

“The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.”

The company says this security update changes the API endpoint configuration to limit access to authenticated users only.

ServiceNow also confirmed that attackers exploited this flaw to successfully query the customer instance tables.

While ServiceNow did not disclose which data was accessed during the attacks, instances commonly store sensitive enterprise information, including IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems and services.

Support case information has become an increasingly popular target for threat actors, as tickets can contain credentials, API tokens, internal documentation, and authentication secrets shared during troubleshooting.

According to the advisory, ServiceNow has now opened support cases with affected customers. If a customer has not received one, they are not believed to be affected by the incident.

While ServiceNow has not publicly disclosed technical details about the flaw, administrators discussing the incident on Reddit say the issue appears to be tied to a REST endpoint at ‘/api/now/related_list_edit/create‘.

One commenter claimed the endpoint was configured with ‘requires_authentication=false‘, potentially allowing unauthenticated requests to access instance data. The security update released on Friday was allegedly used to set requires_authentication to true.

Numerous admins shared indicators of compromise, including API requests from the IP address ‘51.159.98.241,’ advising other administrators to review logs for requests to the vulnerable endpoint.

The bulletin states the issue primarily impacts customers running the Australia platform release or customers on older releases who made certain configuration changes.

“The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia,” ServiceNow warned.

BleepingComputer contacted ServiceNow earlier today after a reader alerted us to the incident, asking how long the activity had been ongoing, what caused the issue, and whether customer data had been stolen. We did not receive a response before publication.

ServiceNow says it is still evaluating whether it will publish a CVE for the issue.

Administrators are advised to review ServiceNow logs for requests to /api/now/related_list_edit, particularly from the IP address 51.159.98.241.

Impacted organizations should review exposed tickets and records for sensitive information, rotate credentials or tokens shared through support workflows, and ensure API logging is enabled.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

When a verdict map is deleted from memory, catchall elements are deactivated and a chain’s reference counter is decremented. When errors occur the deletion can be reversed and the counter incremented. CVE-2026-53111 allows for that process to be altered. As a result, the exploit can decrement the variable an arbitrary number of times and then delete and free the chain when some objects still point to it.

“In this blog post, we have seen how one incorrect exclamation mark introduced a use-after-free vulnerability which can be exploited by an unprivileged user on Debian and Ubuntu to escalate privileges to root,” researchers from security firm Exodus Intelligence wrote Monday. “Although the exploit triggers the use-after-free vulnerability multiple times to leak the kernel base address, leak heap addresses, and hijack the control flow, the stability tests resulted in a stability of >99% on an idle system.”

The vulnerability was fixed in the kernel in February and subsequently back ported to major Linux distributions. Security firm FuzzingLabs demonstrated a proof of concept exploit in April. Exodus Intelligence, which discovered the bug, included its own PoC exploit in Monday’s post. It worked on Debian and Ubuntu.

CVE-2026-53111 is one of at least three potent elevation-of-privilege vulnerabilities to hit Linux in recent weeks. The vulnerabilities are serious, because, when chained to a separate exploit, they can be used to evade security defenses baked into the OS.

Here’s what Shopee collection point hosts really deal with

Shopee’s neighbourhood collection point network has quietly become part of Singapore’s daily landscape since 2023.

The e-commerce firm has established over 2,800 collection points across Singapore as of today, including residential addresses, convenience stores, and lockers—placing most homes within 250m of their nearest pickup option.

This kills two birds with one stone. 

For customers, it offers a more affordable and convenient delivery option, with savings of up to S$1.99 in delivery fees per item. For ordinary Singaporeans, it creates an opportunity to earn passive income by turning their homes or businesses into micro logistics hubs.

But what does running a Shopee collection point actually look like behind the scenes?

Easy passive income?

Shopee’s logistics arm, SPX Express, delivers parcels in bulk to registered collection points. For locker locations, customers can collect their orders independently.

At manned collection points—typically neighbourhood shops or residential addresses—the host stores the parcels, verifies customers’ identities using the Shopee app when they arrive, and hands over the items.

In return, hosts earn a fee for each parcel distributed. The role requires seemingly little: just sufficient storage space, an internet-connected device, and a commitment to the collection point’s operating hours.

Hosts generally earn between S$0.20 and S$0.30 per parcel. Channel News Asia also previously reported in 2024 that hosts earn at least S$90 per month. 

At the higher end, promotional information on Shopee’s app states that collection points that distribute up to 900 parcels a day can earn up to S$5,400 monthly, while 60 parcels daily can bring S$360 monthly. 

Sounds like easy passive income, right? Wrong.

The fine print

The commitment to turning your house into a Shopee collection point is far from passive.

Hosts must be open at least six days a week, for a minimum of 36 hours. On top of that, they must be present during operating hours to receive and hand over parcels, effectively tying the role to someone being at home consistently.

At first glance, the economics can look appealing. But at S$0.30 per parcel, the numbers only start to make sense at scale.

For example, handling 30 parcels a day translates to just S$9 in daily earnings. That’s already 30 separate customer handovers—yet it remains a modest payout for the time and space involved. Scaling up is where the workload intensifies significantly, with hundreds of daily parcels required to generate meaningful income.

Space is another major constraint. Many HDB flats have limited storage capacity, which can quickly become a bottleneck during peak delivery periods.

There is also little flexibility in scheduling. If hosts miss their operating hours, Shopee can impose penalties for non-compliance. At S$0.30 per parcel, even a S$50 fine effectively wipes out the earnings from more than 160 parcels.

Workload, risks & disruptions

Running a Shopee collection point means juggling the expectations of multiple parties: Shopee, customers, and even neighbours.

Complaints from hosts extend well beyond financial concerns.

Parcels arrive daily and are often left at the doorstep, making the host responsible for their safekeeping. Despite a stated weight limit of 6kg, some hosts have reportedly received bulkier items such as dumbbells, adding to storage and handling strain.

Some customers also arrive outside operating hours—occasionally as late as after 10PM—expecting collections regardless of the stated timing. Others treat the collection point like an extension of Shopee’s customer service, seeking assistance with orders, returns, and complaints that have nothing to do with the host.

“Operating a collection point is hard work and not a passive job like many think,” wrote the child of elderly parents who previously hosted a Shopee collection point at their home in a Reddit post.

Beyond the operational burden, some neighbours of residential collection points have also raised concerns about increased foot traffic outside their homes, citing potential security risks and a loss of privacy. The host is therefore not only managing their own household space, but also the flow of people in shared residential corridors.

“My post is just to let people know the realities of operating a collection point and not to trust the rosy picture that Shopee painted,” the same Reddit user added.

Who it actually makes sense for & why Shopee wins either way

It is important to note, however, that not everyone has the same negative experience. 

Generally, running a Shopee collection point would make more sense for shop owners. Two store owners whose shops became Shopee collection points in 2023 reported more customers than before.

At one store, many parcel collectors became regulars, while the other attracted new customers beyond its usual base. With the hours and foot traffic already there, the parcels become a free customer acquisition channel for their products on top of the per-parcel income.

For homemakers and retirees who are home throughout the day, the income genuinely adds up, especially if volume is high and the neighbourhood is a good fit.

But for someone already working or with young children at home, the intrusions can outweigh the returns quickly.

From Shopee’s perspective, the firm wins either way: collection points are an efficient logistics solution.

The company can expand its last-mile network without building warehouses or employing delivery staff as hosts absorb that cost in time and space, in exchange for a small per-parcel fee. 

For customers, collection points offer free shipping with no minimum spend, along with the convenience of a nearby pickup point—often just a short walk away.

While the model works for both Shopee and its customers, the question remains whether it works as well for those turning their homes or shops into collection points.

• Read other articles we’ve written on Singaporean businesses here.

Something to look forward to: Searching local files should be one of the simplest and most basic features an operating system offers, but Windows 11 still makes the process unnecessarily awkward. However, that may soon change for the better.

During a recent meetup with Windows enthusiasts enrolled in the Windows Insiders program, Microsoft showcased several search-related changes that are expected to arrive in a future update to Windows. Redmond engineers are working on a set of relatively small features that could have a significant impact, starting with the ability to disable Bing integration in local Windows search.

One of the longest-standing complaints about Windows 11 is that it does not allow users to easily search only locally stored content from the Start menu. Instead, search results are often mixed with web content and even Microsoft Store listings, adding extra layers that many users find unnecessary when they are simply looking for files on their own device.

According to a recent confidential preview, Microsoft is expected to add a new option in the Settings app that disables web (Bing) integration in search. In addition, the “Privacy & security” section may also include an option to exclude Microsoft Store apps from search results.

Microsoft’s decision to closely integrate Bing into Windows 11 has long been considered controversial among users. Power users have often resorted to workarounds, such as editing the Windows Registry, to reduce or remove web search integration from their PC experience, while Microsoft has continued efforts to expand Bing’s role within the operating system.

Microsoft is now aiming to regain goodwill among Windows users, which could signal a shift away from pushing Bing integration on those who prefer not to use it. The new search customization options are expected to arrive in a future Windows 11 Insider preview build, although no specific timeline has been confirmed.

During the meetup, Microsoft also confirmed that local search will be significantly faster, along with improvements to the File Explorer shell. The company said bulk delete operations have already achieved a 30% performance improvement in internal Windows builds. The new search changes are expected to complement previously introduced speed and taskbar customization improvements.

The race to secure power for AI data centers has spilled over into some unusual places, including the automotive world. 

Battery recycler Redwood Materials kicked off the trend last year with a new energy storage division and a project that attached old EV packs to a Crusoe data center in Nevada. Then, Ford said it was repurposing some of its battery manufacturing capacity to make grid-scale batteries. And now GM is announcing its own — arguably more ambitious — plans for an energy storage system (ESS). 

GM unveiled on Tuesday two new phases in its attack on the energy storage market. The biggest swing by far is GM’s new partnership with energy storage startup Peak Energy. For that partnership, GM is developing an entirely new sodium-ion battery chemistry tailored for grid-scale deployments.

Outside of China, no automaker has announced plans to build sodium-ion cells. 

“The way we’re getting into the market is the easy way, through ESS,” Kurt Kelty, vice president of battery and sustainability at GM, told TechCrunch. “The performance characteristics are just what is needed in that market.”

GM wouldn’t share with TechCrunch how much money it is investing in this energy storage effort. But we do know the company has committed $900 million to commercialize new battery chemistries, an investment that includes a new battery development center.

Sodium-ion batteries work similarly to lithium-ion, but they swap out key materials to make the cells cheaper, longer lasting, and less prone to overheating. The tradeoff is that sodium-ion batteries need to be larger and heavier to store the same amount of electricity. 

Peak Energy has already been working on energy storage systems that use sodium-ion batteries. Because sodium-ion batteries behave differently from lithium-ion, Peak has developed an energy storage system with that in mind. Its grid-scale batteries don’t have cooling systems or fire suppression systems because there’s less risk of overheating. The setup reduces upfront costs, and it should also eliminate costly maintenance, Paul Menson, director of energy storage commercialization at GM, told TechCrunch. 

“This is the manifestation of the hardest part to engineer is no part at all,” he said. “Eliminate the part, eliminate the problem.”

GM plans to sell sodium-ions cells to the startup, which will then integrate them into its products. But that won’t happen right away.

The first GM cells are expected to enter trial production at the company’s Battery Cell Development Center in 2028. TechCrunch was recently given an exclusive look at the new facility, which GM expects will cut about a year from the commercialization process for sodium-ion batteries, reducing costs in the process. 

GM’s sodium-ion cells are still years away from commercial production, however. In the meantime, the automaker will sell lithium iron phosphate (LFP) cells to LG Energy Solution for use in its energy storage systems. LG Energy Solution already works with GM through its Ultium joint venture, which makes batteries for the automaker’s EVs.

Alongside the partnerships with LG and Peak, GM announced that it was expanding its work with Redwood Materials, the battery recycling and energy storage startup founded by former Tesla executive J.B. Straubel. 

Redwood already buys scrap from GM’s battery factories and used battery packs from its EVs. GM has a pipeline of around 10,000 packs it’s sending to Redwood, and the startup has been operating a 12 megawatt/63-megawatt-hour migrogrid using second-life packs at a Crusoe data center in Sparks, Nevada. GM said it is buying a 7.2 megawatt-hour Redwood system for use at one of its plants in Michigan, which it estimates will save it around $3 million over its lifetime.

The GM installation is “a step one” for Redwood, Cal Lankton, chief commercial officer for Redwood, told TechCrunch.

Data centers, where Redwood already operates, and industrial sites like GM’s are “vastly different things,” he said. Where data centers might use batteries nearly continuously to absorb some of the power fluctuations from GPUs, industrial sites are more likely to use them to shave off peaks in power demand, which can lower monthly power bills, and use them to provide backup power in case of an outage.

“The factory is really excited because now we’ve got a more reliable factory,” Kelty said. “Ultimately, we’ll be having similar installations like this at all of our factories. It just makes good economic sense.”

Sony Electronics is making a massive upgrade to the humble meeting room screen. The company has just unveiled Crystal LED UNIFY, a massive 135-inch all-in-one direct-view LED display designed for boardrooms, meeting rooms, community spaces, and higher education environments.

At a glance, it might look like Sony’s next massive flagship living room TV, but it’s cutting edge display tech arriving to the office space. It is part of Sony’s professional display lineup and sits alongside its existing BRAVIA Professional Displays and Crystal LED portfolio. The model number is ZRL-135SG, and Sony is positioning it as a simpler way for organizations to add a large dvLED display without dealing with the usual complexity of custom LED wall projects.

An easy to setup up giant wall of screen

One of the biggest selling points for the Crystal LED UNIFY is its convenience. It arrives as a complete package with five pre-assembled display units and a control unit. So installation is a relatively straightforward process that can be completed by two people in about an hour. Since direct-view LED installations can get complicated, Sony’s version of the tech isn’t just promising solid visuals. The appeal is the simplified ordering, installation, maintenance, and day-to-day use.

The display units are mounted on wall brackets and connected to the included control unit, while a slide-out, front-serviceable design should make maintenance easier after installation.

Built for big bright rooms

Coming to the fun part, Crystal LED UNIFY uses a 1.5mm pixel pitch, Full HD resolution, and 800 cd/m² brightness. Sony has also added Anti-Reflection Surface Technology, which should help visibility in brightly lit rooms where projectors often struggle. The display also supports 4K input, works with Sony’s Device Management Platform, and offers a familiar interface for organizations already using Pro BRAVIA displays. In other words, it should also slot into conference rooms or multi-display setups with needing an IT team to learn an entirely new ecosystem.

Sony has also put effort in making it look clean on a wall. The Crystal LED UNIFY has ultra-slim bezels, a concealed slide-out control unit, and a depth of under 100mm, or less than four inches, when used with the included wall-mount brackets. So it should fit seamlessly in professional spaces.

The company expects Crystal LED UNIFY to be available in early 2027, with plans for an early showcase at the upcoming InfoComm 2026 event in Las Vegas from June 17 to June 19. Pricing has not been announced yet, but this is clearly aimed at businesses, institutions, and premium professional spaces rather than home theater shoppers with unusually large walls.

On-device AI models have stayed small because the entire weight set has to live in DRAM, capping practical parameter counts well below what server-side deployments use. Enterprise architects evaluating agentic workloads have had to choose between capable cloud-dependent models and limited on-device ones. Apple’s third-generation foundation models, announced at WWDC26, break that constraint by moving the weight set off DRAM entirely.

The AFM 3 family was developed in collaboration with Google and spans five models: two on-device and three server-based, all running within Apple’s Private Cloud Compute boundary. The server-side models, including AFM 3 Cloud Pro for agentic tool use and complex reasoning, run on Nvidia GPUs in Google Cloud. The on-device architecture is Apple’s own. AFM 3 Core Advanced is a 20-billion-parameter model that stores weights in NAND flash rather than DRAM.

“Instead of forcing the entire model into DRAM, the full model is stored in flash memory,” Apple’s research team wrote. “Because NAND-to-DRAM bandwidth is too slow to swap weights token by token, as standard MoE models require, AFM 3 Core Advanced makes routing decisions per prompt.”

How the architecture actually works

The memory wall Apple is working around is one every local AI developer runs into.

“You can’t put 20B parameters in RAM at any reasonable precision,” Awni Hannun, a researcher at Anthropic and former Apple research scientist, posted on X. “To make it work they are using pretty exotic architecture by today’s standards. A small model predicts from the query (or prompt) which experts to load from NAND into RAM.”

That prediction-and-load mechanism has three distinct components, each driven by the hardware constraints of consumer silicon.

The full 20B weight set lives in flash, not DRAM. AFM 3 Core Advanced stores its entire parameter set in NAND flash rather than active memory. Standard on-device deployments require the full model to fit in DRAM, which is what caps their parameter counts. Apple’s approach, which it calls Instruction-Following Pruning (IFP) and developed with its own researchers, treats flash as the model’s permanent home and DRAM as a working buffer for whichever experts a given prompt requires.

Expert routing happens once per prompt, not per token. In a conventional Mixture of Experts model, a router selects different experts for every token generated — which would require continuous weight movement between flash and DRAM at inference speed. NAND-to-DRAM bandwidth cannot support that. AFM 3 Core Advanced routes once at prompt time, selects a fixed expert set, loads it into DRAM alongside always-active shared experts, and generates all tokens from that same configuration.

“The key distinction from a typical MoE is that you do this once per query and then generate all the tokens with the same experts,” Hannun wrote.

Active parameter count scales from 1B to 4B depending on task complexity. Rather than running a fixed model size for every request, AFM 3 Core Advanced adjusts how many parameters it activates based on what the task requires — 1 billion for simpler operations, up to 4 billion for harder ones, all drawn from the 20-billion-parameter pool in flash.

What Apple has and hasn’t disclosed

The architecture paper is detailed on the memory design and sparse activation mechanism. It is less forthcoming on practical deployment constraints.

Apple’s profiling tools expose timing but not the metrics that decide production viability. “Energy, memory bandwidth, thermal? Not in the docs,” Marco Abis, who is building Ziraph, a profiler for local AI on Apple silicon, posted on X. “A notable gap, given those decide most of on-device performance.” 

Abis also did not find a statement in Apple’s documentation — across the Core AI docs, the Foundation Models docs or the Private Cloud Compute security post — of when an on-device request transparently offloads, or whether that routing is visible to the developer or the user. For enterprises that need to document where inference runs, that is a direct compliance problem.

Not all the information is currently available. Apple has indicated a full technical report with benchmarks is coming later this summer.

What this means for enterprise architects

Regulated industries evaluating agentic AI deployments now have a concrete architectural decision to make.

• The DRAM wall for on-device agents just moved. Enterprises evaluating agents that need to run without a cloud round-trip now have a 20-billion-parameter local option to evaluate. The constraint shifts from model capability to device hardware.

• The private/cloud boundary is now an architectural decision, not a default. Simpler requests stay on-device; complex agentic tasks route to AFM 3 Cloud Pro on Private Cloud Compute. Apple has not publicly specified when a request offloads or whether that routing is visible to the developer — a gap that complicates policy decisions for organizations that need to document where inference runs.

• The agentic server tier depends on Google Cloud. AFM 3 Cloud Pro runs on Nvidia GPUs in Google Cloud. The Private Cloud Compute guarantee covers data privacy. It does not eliminate the Google Cloud dependency for server-side inference.

AFM 3 Core Advanced gives enterprises a 20-billion-parameter on-device option that did not exist before WWDC26. Whether it is deployable at scale depends on answers Apple has not yet published. Those details are due in the summer technical report.