Hackers have been exploiting a critical vulnerability (CVE-2026-22679) in the Weaver E-cology office automation since mid-March to run discovery commands.

The attacks started five days after the software vendor released a security update to address the issue, and two weeks before disclosing it publicly.

Researchers at threat intelligence company Vega documented the malicious activity and reported that the attacks lasted roughly a week, each with several distinct phases.

Weaver E-cology is an enterprise office automation (OA) and collaboration platform used for workflows, document management, HR, and internal business processes. The product is primarily used by Chinese organizations.

CVE-2026-22679 is a critical unauthenticated remote code execution flaw affecting E-cology 10.0 builds prior to March 12.

The flaw is caused by an exposed debug API endpoint that improperly allows user-supplied parameters to reach backend Remote Procedure Call (RPC) functionality without authentication or input validation.

This lets attackers pass crafted values that are ultimately executed as system commands on the server, effectively turning the endpoint into a remote command execution interface.

According to Vega, the attackers first checked for remote code execution (RCE) capabilities by triggering ping commands from the Java process to a Goby-linked callback, and then proceeded to multiple PowerShell-based payload downloads. However, all these were blocked by endpoint defenses.

Next, they attempted to deploy a target-aware MSI installer (fanwei0324.msi), but this failed to execute properly, and no follow-up activity was observed.

After those failed attempts, the attackers reverted to the RCE endpoint, using obfuscated and fileless PowerShell to repeatedly fetch remote scripts.

Throughout all attack phases, the threat actors executed reconnaissance commands, such as whoami, ipconfig, and tasklist.

Vega explains that although the attackers had the RCE opportunity by exploiting CVE-2026-22679, they never established a persistent session on the targeted host.

Users of Weaver E-cology 10.0 are recommended to apply the security updates available through the vendor’s site as soon as possible.

“Every attacker process we observed is parented by java.exe (Weaver’s Tomcat-bundled Java Virtual Machine), with no preceding authentication,” explained Vega, adding that “the vendor fix (build 20260312) removes the debug endpoint entirely.”

No alternative mitigations or workarounds are listed in the official bulletin, so upgrading is the only recommendation.

AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.

At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.

Claim Your Spot

Sony, owner of the PlayStation brand, has been accused of antitrust practices. The lawsuit was originally settled in 2024 but was rejected twice during the approval process. Last week, a judge approved a preliminary reopening of the settlement.

The suit, brought before the San Francisco division of the United States District Court for the Northern District of California, accuses the company of allegedly limiting third-party retailers from selling PlayStation titles via “game-specific vouchers.” That means preventing customers from buying games elsewhere and forcing them to make digital purchases solely on Sony’s PlayStation Network, where it controls prices without worrying about competitors.

The settlement means the company won’t admit to any wrongdoing, but it will have to pay nearly $8 million to affected players. Unfortunately, that might take quite a while.

Here’s what to know about the settlement and whether you’ll be able to get any money out of it. (The full details are at the PlayStation Digital Games Settlement website.)

REL Acoustics is taking aim at one of the biggest reasons people avoid subwoofers: placement. The new Planar Series moves the sub off the floor and onto the wall with two thin models, the PL-1 and PL-2, each measuring just 5.7 inches deep and using a mix of active and passive drivers to generate low-frequency output without the usual big black cube parked in the corner like it pays rent. The larger PL-2 uses an 8-inch active woofer with a 10-inch passive radiator, while the smaller PL-1 uses dual 6.5-inch active drivers with the same 10-inch rear passive radiator.

That makes the concept especially interesting for hi-fi and home theater users who want bass support without sacrificing floor space or triggering a domestic zoning dispute. But the idea also raises real questions about installation, wall vibration, apartment and rental use, and whether on-wall bass can deliver the impact and integration REL is known for.

Both units weigh under 50 pounds, making DIY wall mounting a realistic option for users who are comfortable with the installation. REL also offers an optional cart wheel, allowing the Planar models to be moved more easily before final placement or mounting.

Update: In our conversation with a REL representative, we have confirmed a few things. Both REL Planar subwoofers include built-in wireless connectivity and come with an AirShip Direct transmitter module ($399 value). The wireless receiving module is cleverly concealed in the side panel, and swappable should technology change.

A wall-mount is included with purchase, but the cart/wheel/stand will cost extra (price TBD). Wall-mounting is the preferred implementation because it sets the wall gap for maximum performance. Alternatively, cart setups for floor placement solve two issues: wall spacing and stability. An included spacer ensures ideal proximity to back wall, while the cart/stand raises the unit off the floor for improved fidelity.

How low can they go? Because the PL-1 and PL-2 are designed for proximity-to-wall or on-wall placement, REL uses that boundary reinforcement to its advantage. The PL-2 is rated down to 27Hz, while the PL-1 reaches 38Hz, both measured at -6dB. That gives the larger model a clear advantage for deeper bass extension, while the smaller model is aimed more at systems where space, placement flexibility, and visual discretion matter just as much as output.

REL Planar Subwoofer Comparison

The Bottom Line

REL’s Planar PL-1 and PL-2 are not just “thin subwoofers.” They rethink where a subwoofer can live in a hi-fi or home theater system. With walnut or white grille options, a 5.7-inch-deep cabinet, on-wall placement, active/passive driver designs, and claimed extension down to 27Hz or 38Hz depending on model, the Planar Series is clearly aimed at listeners who want real bass support without a large box taking over the room like it won the lease in court.

What we don’t know yet matters: pricing and how they perform in real rooms. Although they can be connected wirelessly, they are not completely cable-free solutions because its power cable still requires a nearby outlet. Custom integrators, however, should have a field day with these. For homeowners building cleaner media rooms, living rooms, or lifestyle-friendly hi-fi systems, REL may have found a smarter way to hide the subwoofer in plain sight.

Price & Availability

REL Acoustics’ all-new Planar PL-1 and PL-2 subwoofers will be available May 20, 2026. However, pricing has yet to be announced. We’ll update this story as soon as it’s released.

For more information: rel.net

Related Reading:

• Silicon Ranch tests cattle grazing beneath active solar power infrastructure
• Software-controlled panels create space for large livestock movement safely
• Cattle rotation enables simultaneous grazing and electricity generation across paddocks

This small solar farm in Christiana, Tennessee, looks like many others from a distance – but beneath its black panels lies lush pasture instead of gravel.

The 40-acre facility, owned by Silicon Ranch, allows a small herd of cattle to spend their days munching grass and resting in the shade.

Image model releases are driving growth for AI mobile apps, generating 6.5x more downloads than traditional model updates, according to a new report from app intelligence provider Appfigures.

This marks a shift from earlier days, when the release of new models powering the conversational experiences drove more demand, alongside the new features like a voice chat interface.

For instance, ChatGPT and Gemini each added tens of millions of new downloads after releasing their respective image models, Appfigures found.

For Google’s Gemini, the release of its image model Nano Banana drove an additional 22+ million downloads in the 28 days following the introduction of the Gemini 2.5 Flash image model last August. This launch lifted the app’s downloads by more than 4x over that period, the data showed.

Meanwhile, ChatGPT added more than 12 million incremental installs in the 28 days after the introduction of its GPT-4o image model in March of last year. That’s roughly 4.5x more downloads than it saw for its GPT-4o, GPT-4.5, and GPT-5 model releases, Appfigures pointed out.

Other model releases followed similar trends, though on a smaller scale. Meta AI’s introduction of its AI video feed Vibes added an estimated 2.6 million incremental downloads in the 28 days after its September 2025 release. (Yes, technically, this is a video model, but it’s ultimately about visual content, not just text.)

Still, the report cautioned, additional downloads don’t always translate into increased mobile revenue.

Instead, new image model releases give people a reason to install the app and try out its improved image-generation capabilities. That doesn’t mean they’ll necessarily convert to paying subscribers. For example, Appfigures noted that Nano Banana drove only $181,000 in estimated gross consumer spending during the 28-day window following its release, even though it produced a larger spike in downloads than ChatGPT’s 4o image model release.

Meta AI’s launch of Vibes also led to additional downloads, but no meaningful revenue.

Among the three, only ChatGPT turned the increased attention into actual dollars.

OpenAI’s 4o image-generation model led to an estimated $70 million in gross consumer spending over the 28 days after its launch, compared with its prior baseline, Appfigures said.

The company also looked at DeepSeek in its analysis, but it didn’t fit the pattern.

While DeepSeek R1 drove 28 million downloads after its January 2025 release, it wasn’t a typical model comparison event. This was DeepSeek’s breakout moment, when it went from being relatively unknown to an overnight sensation as the tech industry learned about the techniques it used to train its AI models at a fraction of the cost of its competitors. This case highlights how curiosity can drive downloads — though in this instance, the interest wasn’t tied to an image model.

The Geneva-based chipmaker has shipped over 5 billion RF antenna chips to Starlink and now expects its low-Earth-orbit business alone to deliver more than $3bn in cumulative revenue between 2026 and 2028. Orbital data centres are an option for later.

When STMicroelectronics first qualified its chips for the European Space Agency in 1977, the satellite business was a different category of operation. Programmes were government-led, hardware was bespoke, and the small fraction of the semiconductor market that flew to orbit was structured for one-off missions, not commodity supply.

Almost half a century later, the Geneva-based chipmaker is now running what its own road map describes as a phase of unprecedented growth in that business. On Monday, it told investors how unprecedented.

STMicro is targeting more than $3bn in cumulative revenue from its space semiconductor business between 2026 and 2028, according to a Reuters report wired through TradingView from the company’s dedicated investor call. The trajectory the figure implies is unusually steep.

ST’s low-Earth-orbit revenue, the line the company breaks out separately, was around $175m in 2021. By 2025 it had reached roughly $600m. By the end of 2026, on the company’s own forecast, it is expected to be close to $1bn. The $3bn cumulative ask, in that context, looks more like a continuation of momentum than a stretch goal.

Where the revenue actually comes from

The driver, as ST executives have described it, is the structural shift from government-led space programmes to commercial constellation operators. SpaceX’s Starlink dominates the customer concentration.

ST has shipped more than five billion RF antenna chips to Starlink user terminals in roughly a decade, with its executives publicly forecasting that figure could double to roughly 10 billion by 2027 as constellation expansion accelerates. Other commercial operators, including Amazon’s Kuiper and OneWeb, sit behind Starlink in the queue.

The company also flagged contracts on the European side that pay differently but matter strategically. ST is supplying components for inter-satellite laser communication links on future SpaceX platforms, and is working with Thales and Eutelsat on the European Union’s planned Iris² sovereign satellite constellation, a project that has been one of the principal vehicles for European technological-sovereignty policy.

TNW has covered the broader European satellite race in detail, and Iris²’s expected switch-on, currently scheduled towards the end of the decade, makes ST one of the operationally indispensable suppliers in the European programme.

The same engineering capability that wins it Starlink volume also wins it Iris² qualifications.

Beyond the headline customers, ST’s space business spans a wider product portfolio than the public conversation around the company tends to register. Radiation-hardened logic, voltage regulators, mixed-signal ASICs, and rad-hard discrete components for satellite platforms are all part of the existing line.

The economics of those products differ across the customer base, but the underlying engineering, building chips that will function reliably in vacuum, in extreme thermal cycles, and under sustained radiation, is one of the higher-margin specialisations in semiconductor manufacturing.

New Space, in plain English

What changed the maths, in ST’s framing, was the arrival of New Space. Until roughly 2018, the standard radiation-hardened chip for a satellite was a custom part priced for a customer that intended to build a single, $200m geosynchronous bird.

Constellation operators, building hundreds or thousands of identical low-cost satellites, needed something different: rad-hard parts that came in plastic packages, in volume, at prices that did not destroy the unit economics of a 1,200-spacecraft constellation.

ST released its first economical rad-hard line for New Space in 2022, in cost-effective plastic packaging across power, analog, and logic categories. Four years later, that early commitment looks unusually well-timed.

The wider market context fits the trajectory. Independent market sizings of the space semiconductor sector put global revenues somewhere between $5bn and $7bn currently, with mid-single-digit annual growth across most forecasts.

ST’s own LEO revenue trajectory implies it is capturing a disproportionate share of that growth. The $3bn cumulative target, divided across three years, is consistent with the company holding around a quarter of global space-semiconductor revenue at peak.

Orbital data centres, on the optionality list

ST executives also identified orbital data centres as a possible future market, but, importantly, said they had not included any related revenue in the current 2026–2028 target. The hedging is sensible. TNW reported earlier this year on SpaceX’s own pre-IPO disclosures, in which the company warned investors that orbital AI data centres rely on “unproven technologies” and may never achieve commercial viability.

SpaceX’s S-1 framing was startlingly candid for a company that had previously promoted orbital compute as a near-inevitability. The thermal economics, in particular, remain unforgiving: radiating one megawatt of heat at 20°C in orbit requires roughly 1,200 square metres of radiator surface, the area of four tennis courts. The technical premise of the business model is, in 2026, an open question.

ST’s posture, including orbital data centres in the conversation but excluding them from the revenue model, is the right one for an established public company. Investors want to know the optionality exists. They do not, on the current evidence, want it priced. STMicro has chosen to disclose the upside without booking it. That is, on this category of bet, the more credible position.

The Monday announcement comes against a wider backdrop in which Europe has been struggling to articulate a coherent commercial space strategy. TNW has covered Europe’s broader spacetech difficulties consistently, with the dominant story being one of fragmented funding, slow procurement, and dependence on US launch infrastructure.

Inside that frame, ST’s announcement is a counter-data point. A European semiconductor company, headquartered in Geneva and listed in Paris and Milan, is now one of the most consequential commercial suppliers to Elon Musk’s Starlink and to Europe’s own sovereign constellation programme simultaneously.

That is the kind of dual-track win European tech-sovereignty policy has been asking for, and not consistently getting.

It also matters at the level of the company itself. STMicro is in the middle of a difficult guidance reset, having pushed its $20bn+ revenue ambition out from an earlier target to 2030. Q1 2026 revenue came in at $3.10bn, beating consensus, but the broader auto-and-industrial cycle has been less generous than the company once expected.

ST’s separate €5bn Italian EV-chip fab investment, which TNW has tracked, is the company’s bet on the next phase of automotive electrification. The space business, in that context, is one of the rare lines that is unambiguously growing and unambiguously high-margin.

The risks behind the target

The space business is not without exposure. The first risk is customer concentration. With more than five billion chips already shipped to a single Starlink programme and another five billion projected by 2027, ST’s space revenue depends to an unusual degree on SpaceX’s continued constellation expansion, on the durability of Starlink’s commercial economics, and on SpaceX’s willingness to keep a single supplier at this scale of dependence.

TNW has reported on Europe’s small but growing low-Earth-orbit ecosystem, but the alternative customer set, even taken together, does not match Starlink’s chip demand.

The second is qualification timelines. New Space rad-hard products move faster than legacy government programmes, but they still require flight heritage, certification with launch and operator partners, and acceptance into bills of materials that take quarters to update. Slippage anywhere in that chain compresses the achievable run-rate.

The third is geopolitical. STMicro’s European listing and Geneva headquarters insulate it, in part, from the US-China semiconductor export-control regime, but a meaningful share of its supply chain and customer base sits inside that regime.

Any tightening that affects rad-hard or RF antenna components specifically would change the trajectory. The company’s exposure is manageable but not zero.

Where the trajectory points

Three indicators will signal whether the $3bn target lands or slips. The first is Starlink shipment volumes through 2026 and 2027, which ST will disclose at quarterly checkpoints. Yahoo Finance flagged the doubling-of-Starlink-deliveries detail when ST first signalled the trajectory, and the slope of the line will be visible quarter by quarter. The second is the cadence of Iris² procurement: when contracts firm up and shipments begin, the European side of ST’s space business moves from optionality to revenue.

The third is whether the orbital-data-centre market, on which ST is publicly noncommittal, develops a customer base that justifies retroactively pulling it into the revenue model. By the company’s own framing, three years is the soonest meaningful orbital-compute deployment becomes a real conversation.

What was confirmed on Monday is that one of Europe’s largest semiconductor companies has decided that LEO is no longer a hobby line. Seeking Alpha framed the targets as a commitment to the 2028 milestone, and the company’s road map has, on the available evidence, the engineering and customer relationships to support that commitment.

The wider question, whether a satellite-constellation boom can support multiple chip suppliers at this scale or whether Starlink’s near-monopoly customer position makes ST’s lead difficult for any rival to displace, is the one investors will be asking through the rest of the year.

For now, the figures speak. From $175m in 2021 to nearly $1bn in 2026, with a $3bn cumulative target through 2028, and an investor call hosted to detail the strategy. A 49-year-old space-chip business, in other words, is suddenly one of the most interesting growth lines in European semiconductors.

The Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective.

Although the resource has been leveraged for malicious activity in the past, the current spike may be due to a large number of AWS Identity and Access Management access keys exposed in public assets.

Because it is a legitimate, trusted resource, phishing operations can leverage Amazon SES to send out malicious emails that pass authentication checks.

Kaspersky researchers note in a report today that they’ve “observed an uptick in phishing attacks leveraging Amazon SES” to deliver links that redirect to a malicious site.

The researchers believe the main driver of this abuse is the increasing exposure of AWS credentials in GitHub repositories, .ENV files, Docker images, backups, and publicly accessible S3 buckets.

Finding the access keys is typically done in an automated way using bots built on the open-source TruffleHog utility, which is designed to scan for leaked secrets.

Threat actors now rely on automated attacks that streamline secret scanning, permission validation, and email distribution, enabling unprecedented levels of abuse.

“After verifying the key’s permissions and email sending limits, attackers are equipped to spread a massive volume of phishing messages,” Kaspersky explains.

Based on their findings, the researchers say that the phishing quality is high, featuring custom HTML templates that mimic real services and realistic login flows.

The observed attacks include fake document-signing notifications that imitate DocuSign to lead victims to AWS-hosted phishing pages, as well as more advanced business email compromise (BEC) attacks.

Attackers fabricate entire email threads to make the phishing messages appear more convincing and send fake invoices to trick finance departments into making payments.

By leveraging Amazon SES, attackers no longer need to worry about authentication checks such as the SPF, DKIM, and DMARC protocols.

Additionally, blocking the offending IP addresses that deliver the phishing emails is not an acceptable solution because it would prevent all emails coming through Amazon SES.

Kaspersky recommends that companies restrict IAM permissions based on the “least privilege” principles, enable multi-factor authentication, regularly rotate keys, and apply IP-based access restrictions and encryption controls.

AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.

At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.

Claim Your Spot

Microsoft last week took Agent 365, its management platform for AI agents, out of preview and into general availability — a move that signals the software giant believes the governance challenge around autonomous AI is no longer theoretical but operational and urgent.

The product, first announced at Microsoft’s Ignite conference in November, positions itself as a unified control plane that lets enterprise IT and security teams observe, govern, and secure AI agents wherever they run: inside Microsoft’s own ecosystem, on third-party cloud platforms like AWS Bedrock and Google Cloud, on employee endpoints, and increasingly across a sprawling ecosystem of SaaS agents built by partner software companies.

But the most striking element of the launch isn’t the general availability milestone itself. It’s Microsoft’s aggressive push into discovering and managing local AI agents — the coding assistants, personal productivity tools, and autonomous workflows that employees are installing on their own devices, often without IT’s knowledge or blessing. Microsoft calls this phenomenon “shadow AI,” and it is an entirely new category of enterprise security risk that most organizations are only beginning to grapple with.

“Most enterprises are trying to figure out how to harness the potential of autonomous agents,” David Weston, Corporate Vice President of AI Security at Microsoft, told VentureBeat in an exclusive interview. “They’re trying to find a balance between what we call YOLO — just let anything run — and ‘oh no,’ where nothing works at all.”

Why Microsoft says rogue AI agents are already a security crisis inside the enterprise

The timing of Agent 365’s general availability reflects an uncomfortable reality: AI agents have already outpaced the governance infrastructure designed to manage them. Enterprises that spent years building controls for cloud applications and SaaS software now face a fundamentally different kind of sprawl — one where autonomous software can invoke tools, access sensitive data, chain together with other agents, and take actions on behalf of users or entirely on their own.

Weston described three specific categories of security incidents that Microsoft is already observing across its enterprise customer base. The first, and most common, involves developers rushing to connect agents to backend systems and inadvertently exposing sensitive infrastructure. “A canonical thing we’re seeing a lot across the board is these MCP servers that are then being connected to a sensitive back end system and then exposed unauthenticated to the internet,” Weston said. “That can lead to PII or data leaks.”

The second category involves what security researchers call cross-prompt injection — attackers embedding malicious instructions in data sources like software tickets, websites, or wikis that an agent is likely to ingest. “We are seeing attackers use untrusted data sources to put in what we call cross-prompt injection prompts, which will basically direct your agent to do whatever the attacker wants,” Weston explained. While he noted this attack vector remains less common, “when we do see it, it’s higher impact.”

The third and perhaps most pervasive issue is more mundane but no less dangerous: agents connected to data sources and DLP systems that simply aren’t designed to understand agentic access patterns. “Data sources and DLP systems that are not agent-aware are exposing high-sensitive data down to maybe a vendor,” Weston said, adding that such incidents carry “a lot of costs and a lot of risk.”

Inside Agent 365, the $15-per-user control plane for governing AI agents at scale

At its core, Agent 365 functions as a centralized registry and policy engine for AI agents. It provides IT administrators with a single view of every agent operating within their environment — whether that agent was built with Microsoft Copilot Studio, deployed on AWS Bedrock, running as a SaaS integration from a partner like Zendesk or SAP, or installed locally on a developer’s Windows machine.

The platform supports three distinct categories of agents, each with different availability status at launch. Agents working on behalf of users through delegated access — such as an inbox organizer operating with a user’s permissions — are now generally available within the control plane. Agents operating behind the scenes with their own access credentials, like an autonomous system triaging support tickets, are also generally available. A third category, agents participating in team workflows with their own access, enters public preview today.

Agent 365 is available as part of the new Microsoft 365 E7 suite or as a standalone product priced at $15 per user per month. Each license covers an individual who manages, sponsors, or uses agents to work on their behalf. The pricing model is designed to scale predictably: organizations pay per person who interacts with the agent ecosystem, not per agent — a structure that acknowledges the reality that agent counts are a moving target in most enterprises.

How Microsoft hunts for unauthorized AI tools hiding on employee laptops

Perhaps the most significant new capability in today’s launch is Agent 365’s ability to discover and manage local AI agents — the tools that developers and knowledge workers are installing directly on their Windows devices, often without any oversight from IT.

Starting today, organizations enrolled in Microsoft’s Frontier program can use Agent 365, powered by Microsoft Defender and Intune, to detect OpenClaw agents running on managed Windows devices. Administrators can view which devices are running OpenClaw, and they can apply Intune policies to block common execution methods. A new “Shadow AI” page in the Microsoft 365 admin center serves as the central dashboard for this discovery process.

The choice to begin with OpenClaw was deliberate. “Our criteria is simply customer demand,” Weston told VentureBeat. “We’re hearing across the board that enterprises understand OpenClaw represents a new type of software. They want to be on the frontier, they want to leverage all the benefits, but they also want the deterministic control that lets them establish a clear boundary in their enterprise.”

Microsoft plans to expand local agent discovery to 18 different agent types by June 2026, including GitHub Copilot CLI and Claude Code. The company is leveraging its existing endpoint telemetry to identify applications calling inference endpoints, then surfacing that information to IT and security teams. “Using our visibility on the endpoint, we can see the variety of apps that are basically calling inference endpoints,” Weston explained. “And then we can give a collection of that to the IT and security folks, and they can decide whether that’s appropriate or something that’s putting them at risk.”

Microsoft Defender maps the ‘blast radius’ when an AI agent goes wrong

Starting in June, Microsoft Defender will provide what the company calls “asset context mapping” for each discovered agent. This feature builds a relationship graph showing which devices an agent runs on, which MCP servers it connects to, which identities are associated with it, and which cloud resources those identities can reach. The goal is to let security teams assess the potential blast radius if an agent is compromised or misbehaves.

Weston explained the technical underpinning: “Blast radius is computed by taking an asset inventory and converting each asset into a node in a graph. The edges represent how different assets or data sources are connected.” The system overlays contextual detail onto each node — for instance, flagging that a particular device runs an untrusted AI agent and is simultaneously connected to a critical business database or a machine with thousands of user accounts.

“It’s highly accurate because it’s computed from an asset graph that’s typically cloud-based, or built from endpoint data if you’ve got something like NDE deployed,” Weston said. “We’re computing it based on what you already have — which is essentially ground truth.” This kind of exposure mapping is precisely what CISOs are asking for, Weston added. “One of the first things you want to know when assessing agent risk is: what is this connected to? Is it connected to something I care about, or is it something moderate?”

The platform doesn’t stop at visibility. Agent 365 introduces policy-based controls that let administrators set guardrails for what agents can and cannot do. If a managed agent exhibits malicious behavior patterns — such as attempting to access or exfiltrate sensitive data — Microsoft Defender can block the agent at runtime and generate alerts with rich incident context for investigation. Weston emphasized that Defender’s existing classification capabilities translate directly to the agentic world. “Injecting code into the process that manages logins, whether you’re OpenClaw or browser, that’s always going to be a strong signal,” he said. Context mapping, policy-based controls, and runtime blocking will enter public preview through Intune and Defender in June 2026.

Agent 365 reaches into AWS and Google Cloud to govern agents across rival platforms

In a notable competitive move, Microsoft is extending Agent 365’s governance reach to rival cloud platforms. A new public preview of Agent 365 registry sync enables IT teams to connect with AWS Bedrock and Google Cloud (specifically, Google Gemini Enterprise Agent Platform, formerly Google Vertex AI). Through these connections, administrators can automatically discover and inventory agents running on those platforms and perform basic lifecycle governance actions such as starting, stopping, or deleting agents.

“If we’re going to be a single control plane, we have to meet customers where they are, and many of them are multi-cloud,” Weston told VentureBeat. He acknowledged that the depth of available controls varies somewhat by cloud provider. “Once you know it’s there, what kind of guardrails or blocking can you provide? And that’s going to be slightly different depending on what the cloud provider works with.” But he added that the platforms offer “pretty comparable capabilities” in most scenarios and expressed optimism that cross-cloud consistency will improve over time.

Also generally available today: Agent 365 extends Microsoft Entra network controls to cover agent traffic from Microsoft Copilot Studio agents and local agents like OpenClaw. These controls let security teams inspect agent network activity, identify unsanctioned AI usage, restrict connections to approved web destinations, filter risky file transfers, and help block malicious prompt-based attacks at the network layer before they result in harmful actions. The combination of cloud registry sync and network-layer enforcement gives Microsoft an unusually broad governance surface — one that spans cloud, endpoint, and network in a way few competitors currently match.

Windows 365 for Agents gives enterprises a sandbox for high-risk AI workloads

For organizations that want the productivity benefits of autonomous agents but aren’t comfortable running them directly on employee endpoints, Microsoft is also launching Windows 365 for Agents in public preview, currently limited to the United States. The offering creates a new class of Cloud PCs purpose-built for agentic workloads, managed through Intune, and governed by the same identity and security controls applied to human employees.

Weston framed the capability as a segmentation play. “From a security principle standpoint, the more segmentation you can achieve, the better,” he said. “If you don’t want this on your endpoint, but you still want the capability, you can choose to have it sandboxed, isolated. We’ve seen large companies like Nvidia talk about doing this. We’re creating this pattern for everyone.”

How critical that isolation is, Weston added, depends on context. “If you’re working in a military installation, it goes without saying, you probably want to segment away that information. If you’re working in a company that’s primarily creative and you have a little higher risk tolerance, you may not want to do that.” The public preview requires an Agent 365 license, an Intune license, and an active Azure subscription.

Microsoft builds a broad partner network to manage the agentic AI ecosystem

Microsoft is positioning Agent 365 not as a walled garden but as an open management layer. The company announced that ecosystem partner agents from Genspark, Zensai, Egnyte, Zendesk, and agents built on platforms including Kasisto, Kore.ai, and n8n are now fully enabled for management through Agent 365 — with no integration work required from IT teams. Additional software development company launch partners include Adobe, SAP, Manus, Nvidia, and Celonis.

For partner-built SaaS agents, onboarding begins with identity. “We have the ability for you to simply give it an identity and or use our SDK depending on the level of capability you need,” Weston explained. “Just starting with the identity, we’re able to basically see, especially for Entra users, what capabilities the application needs and what constraints should be put on that.” Deeper SDK integration provides richer observability data, but identity alone gives the platform substantial governance leverage.

On the services side, Microsoft has enlisted firms including Accenture, KPMG, Capgemini, Protiviti, Slalom, and nearly two dozen others as Agent 365 Launch Partners. These firms have collaborated with Microsoft engineering to build offerings around inventory assessment, least-privilege enforcement, compliance, multi-platform threat analysis, and ongoing lifecycle management.

Microsoft’s bigger bet: agents are the new apps, and they need the same enterprise controls

Microsoft’s bet with Agent 365 arrives at a moment when the enterprise software industry is racing to define what the “agentic era” actually looks like in production. Competitors including Google, Amazon, and Salesforce are all developing their own agent orchestration and governance tools, but Microsoft’s approach — leveraging its deeply entrenched position in endpoint management (Intune), threat detection (Defender), identity (Entra), and productivity (Microsoft 365) — gives it an unusual cross-surface advantage.

For enterprises considering Agent 365, Weston outlined a phased adoption model. “First things first, they’ll get visibility and an inventory — you can’t really secure what you don’t know about,” he said. “The next thing they’re able to do is assign identities and start to manage the access those agents have, which is a huge first step in managing the risk.” The deeper capabilities — isolation through Windows 365 for Agents, runtime blocking, blast radius mapping — come next. “Crawl is inventory. Walk is getting identity and access. Run is getting isolation, better control, deeper visibility,” Weston summarized. “I think that’s something that’s reasonable in a 90-day period.”

Whether enterprises actually move that fast will depend on the maturity of their existing security infrastructure and the pace at which shadow AI proliferates within their walls. A live “Ask Microsoft Anything” session on Agent 365 is scheduled for May 12, giving IT and security professionals a chance to press the engineering team on specifics.

But the most telling detail from the interview may have been the most offhand. “I have 18 agents running behind my team chat right now,” Weston said. If even Microsoft’s own security chief has a small army of autonomous agents operating in his daily workflow, the question for every other enterprise is no longer whether to govern the agentic workforce — it’s whether they can do it before the workforce governs itself.