Microsoft and Federal Agencies Shift Security from Best Effort to Verified Service Operation


The core structural shift highlighted is the movement of security for Managed Service Providers (MSPs) from best-effort practices to a regulated, continuously verified service operation. This change is being driven by the compression of vulnerability exploit timelines as a result of attackers leveraging both automation and AI, and by regulators imposing hard patching and compliance deadlines. Companies such as ConnectWise and Microsoft are central, with federal agencies (CISA) now converting exploited vulnerabilities into time-bound remediation mandates.

A significant development underscoring this shift is the addition of two known exploited vulnerabilities—CVE-2024-1708 in ConnectWise ScreenConnect and CVE-2026-32202 in Microsoft Windows Shell—to CISA’s remediation requirements. Agencies must address these by May 12, 2026, marking a move from tracking to deadline-driven action. Reports from Huntress and TechCrunch confirm that real-world attackers rapidly exploit public vulnerability information, and Microsoft’s own documentation illustrates attackers increasingly using Microsoft Teams for social engineering, remote assistance, and privilege escalation.

Supporting developments include major vendors like Microsoft integrating models from Anthropic into their security development lifecycle to accelerate vulnerability discovery and remediation. However, studies noted by The Hacker News and The Verge indicate that AI-driven discovery is outpacing operational capacity, creating a growing discovery-to-remediation gap. At the organizational level, information from the Reveal 2026 IT Talent Survey indicates that 8 in 10 technology leaders face significant shortages in AI and cybersecurity skills, compounding the operational burden of continuous security verification.

For MSPs and IT leaders, these factors combine to increase operational complexity, require more explicit contract scoping and evidence obligations, and shift oversight from periodic compliance towards continuous, demonstrable verification. Contractual ambiguity—especially when services are described as “best effort”—exposes providers to unmeasured labor and unassigned accountability. Practical steps now include reclassifying business collaboration platforms as active attack surfaces, formally auditing and documenting previously “invisible” tasks, and aligning internal operations with external, regulator-mandated verification standards.

00:00 AI Patches Gaps

05:10 Discovery Isn't Enough

07:11 Reprice or Absorb

10:24 Why Do We Care? 


[00:00:02] MSP Security has to become a regulated, continuously verified service operation. Because AI is compressing exploit timelines while attackers pivot to trusted collaboration tools plus remote assist, and regulators are turning patching and compliance from best practice into mandated deadlines. That combination forces MSP Security to become an operating system, not a checklist.

[00:00:28] This is the Business of Tech. I'm Dave Sobel. We'll start with the federal confirmation. The Hacker News reports that CISA has added two known vulnerabilities to its known exploited vulnerabilities catalog, CVE-2024-1708 in ConnectWise ScreenConnect and CVE-2026-32202 in Microsoft Windows Shell,

[00:00:54] specifically because there's evidence of active exploitation. They note that the ScreenConnect issue carries a CVSS score of 8.4, and that federal agencies are required to apply mitigations by May 12, 2026. That's a concrete signal. Exploited flaws are not just being tracked, they're being turned into time-bound remediation requirements.

[00:01:17] Now, layer in what's happening on the ground. TechCrunch reports that hackers have exploited unpatched Windows vulnerabilities to breach at least one organization, according to Huntress. The piece names three Windows Defender-related flaws, Bluehammer, Undefend, and Red Sun, and notes that while Microsoft has patched Bluehammer, the other two were still unpatched at the time of the reporting.

[00:01:41] TechCrunch also highlights that exploit code was published publicly by a researcher using the name Chaotic Eclipse, and that real-world attackers moved quickly once that code was available. And the entry point isn't always malware-first anymore. TechRepublic reports that attackers are increasingly using Microsoft Teams to impersonate IT helpdesk staff, talking employees into granting access and launching remote sessions.

[00:02:08] Microsoft observed a nine-stage playbook that starts with a simple request and escalates through reconnaissance, payload delivery via DLL sideloading, persistence through registry changes, command and control over HTTPS, and then lateral movement and targeted data exfiltration. The key detail here is that it's happening inside a trusted collaboration channel using legitimate remote assist tooling.

[00:02:36] Finally, note what the platform vendors are doing in response. IT News reports Microsoft plans to embed Anthropic's Claude Mythos preview into its security development lifecycle, explicitly to identify vulnerabilities and develop fixes faster earlier in the cycle.

[00:02:54] Microsoft says it evaluated Mythos using its own open-source benchmark for real-world detection engineering tasks and saw substantial improvements versus prior models. Active exploitation is being formally tracked and deadline-driven. Real intrusions are occurring in the unpatched window. Social engineering is moving into trusted business chat. And major vendors are integrating AI into secure development because the pace is forcing it.

[00:03:25] If you're listening to this and you haven't hit follow yet, on Apple Podcasts, search the business of tech. It takes five seconds and you'll get the next episode automatically. If you run a managed services business, you've probably discovered something frustrating. Most PSAs are great for tickets, but not always great for managing projects. And as your business grows, that becomes a real problem. More engineers, more projects, shared resources, dependencies across timelines.

[00:03:55] Suddenly, the PSA project module that worked fine early on starts to break down. That's exactly where Moovila fits in. Moovila is a purpose-built, AI-driven project management platform designed specifically for service organizations. It integrates directly with tools like ConnectWise, Autotask, and Halo PSA. So your PSA remains your system of record where Moovila handles the complex project planning and scheduling.

[00:04:20] The result is accurate timelines, clearer visibility, and projects that improve your margins. If you're ready for project timelines you can trust, visit Moovila.com slash MSB Radio. That's M-O-O-V-I-L-A dot com slash MSB Radio to learn more. A quick heads up, Acronis is hosting a live event on May 13th called The Pivotal Point of IT, Building Services for the AI First Era.

[00:04:49] Their CEO will be laying out Acronis' vision for AI-first service delivery for MSPs, including a new partner program and what they're calling a major platform announcement. If you want to hear directly from Acronis on where they're taking all of this, registration link is at go.acronis.com slash Dave Sobel AI Era. No spaces. What's driving this shift is not that defenders suddenly got lazy or that attackers suddenly got smart.

[00:05:18] It's that the pace and volume of security-relevant output has crossed a threshold where the bottleneck isn't detection anymore, it's coordination. The hard part is turning a flood of findings, warnings, and edge cases into a clean, owned, repeatable operational motion that reliably ends in fixed, verified, and documented.

[00:05:40] The Verge frames the new reality bluntly in its look at AI-driven vulnerability discovery, tools that can find bugs and help generate exploit paths at a speed that used to require deep expertise and a lot of time. The story walks through how automated systems are finding more issues than teams can realistically patch, and how that collapse in time to exploit forces work to happen faster than traditional cycles were designed to handle.

[00:06:08] And then the Hacker News puts a finer point on the problem. Mythos didn't just increase discovery, it widened the discovery to remediation gap. The article describes findings that stall in spreadsheets, tickets, or PDFs with unclear ownership, and it argues that without centralized workflow, prioritization, and closed-loop verification, more discovery just means more unresolved critical exposure.

[00:06:35] Even in the best-case scenario, even if the AI is mostly right, the system still needs a place to put the output, a way to triage it against real risk, and a way to prove that the fix actually shipped. And governance is tightening at the same time. FedScoop reports NIST issuing final updates to its guidance for protecting controlled, unclassified information, emphasizing clarity, unambiguous requirements, and assemblable procedures.

[00:07:04] The direction of travel is towards security expectations that are meant to be implemented consistently and evaluated. For MSPs, the consequence is that security is becoming a verification and coordination service. But many are still packaging it as vague best effort, which means accountability and labor expand faster than scope, pricing, and contracts.

[00:07:29] Information Week describes this as an invisible labor crisis inside IT. As AI spreads across the stack, it splinters work into new, poorly defined responsibilities – prompt management, orchestration, evaluation, governance, monitoring – and none of it maps neatly to existing roles or reporting lines. The point isn't the org chart drama.

[00:07:53] The point is that critical operational work accumulates anyway, gets absorbed by already stretched teams, and the organization can't reliably see, measure, or staff it. In practice, that means the customer doesn't have a clean internal owner for make this secure, make this auditable, make this repeatable. They just have a growing pile of small failures, edge cases, and exceptions that keep showing up as tickets. Now add capability constraints.

[00:08:23] The Reveal 2026 IT Talent Survey says 8 in 10 tech leaders report talent shortages are already impacting operations, and it calls out the hardest-to-fill roles as AI engineers and cybersecurity engineers right at the top. That matters because it means the customer can't simply hire their way out of the invisible work problem, even if they admit it exists.

[00:08:47] The market doesn't have enough of the people who can do this work well, and even if you can find them, they're not cheap, and they don't magically integrate across teams. The choice? Either the MSP becomes the provider that runs and verifies the security operating layer, defines the operating roles, documents the workflows, sets the guardrails, monitors the system, and prices that as a managed service, or the MSP gets trapped being the sponge.

[00:09:17] This episode is supported by Zero Networks. Cyber resilience is no longer a security team problem. It's a board-level business imperative. When an attacker gets inside a network, the real questions become, how far can they move, can they get to the crown jewels, and how much of the business can they impact, and for how long? That's where Zero Networks comes in.

[00:09:39] Zero Networks helps organizations prevent attacks, minimize blast radius, and maintain business continuity, even when attackers get inside. Their micro-segmentation platform automatically builds segmentation policies based on how legitimate users and systems actually communicate, making every access and connection verified and intentional. The result for a threat actor is lateral movement is blocked, and threats are contained before they can cause damage.

[00:10:08] Because it's not the breach, it's the damage. Contain the breach before it spreads. The question isn't if attackers get in, it's whether your business stays running when they do. Zero Networks was built for exactly that. Visit them at ZeroNetworks.com. ZeroNetworks.com. Why do we care?

[00:10:29] The real shift is that security is becoming a continuously verified service operation, and ownership ambiguity determines who ends up responsible for delivering it. When attackers use trusted tools and AI produces more findings than organizations can operationalize, the burden shifts from detection to execution, verification, and proof.

[00:10:50] For MSPs, the exposure point is that ownership is often unclear, so contractual accountability lands before contractual language catches up. The bad decision is to continue to sell security as a vague best-effort service while quietly absorbing remediation coordination, verification, and evidence production work that was never explicitly scoped or priced.

[00:11:15] In that environment, contracts with vague terms like best effort break down under deadline pressure, especially if patch SLAs, verification responsibilities, and exception handling are not explicitly assigned. The MSP that wins this environment is the one that stops being the sponge and starts being the operating system. Defined scope, documented workflows, priced governance, closed-loop verification. That's a business model.

[00:11:44] The alternative is absorbing the liability of an increasingly complex environment at a price point designed for a simpler one. Now what to consider? Reclassify Microsoft Teams as a social engineering vector in your security awareness program. The nine-stage playbook documented by Microsoft is operational, not theoretical. Update client training to include explicit scenarios where IT impersonation occurs inside Teams

[00:12:13] and establish out-of-band verification protocols for any remote session requests initiated through chat. Convert invisible labor into explicit contract scope. Conduct a scope audit against your current client agreements. Identify every governance, orchestration, and compliance task your team is absorbing without billing it. Price it, document it, and present it as a managed security operations tier.

[00:12:40] Or stop doing it and make the gap visible to the client. Use NIST CUI guidance updates as a sales trigger. NIST's emphasis on unambiguous, assemblable security requirements is a direct opening to reframe security conversations with clients in regulated verticals. Position your service as the operational layer that makes those requirements implementable, not just a vendor relationship.

[00:13:06] If this trend continues, MSP contracts will standardize around evidence obligations, time-bound patch remediation plus continuous verification artifacts, things like change logs, remote assist governance records, control attestations. And customers will treat refusal to provide that evidence as a disqualifying security risk. This is the Business of Tech. Want more from the Business of Tech?

[00:13:36] Join Business of Tech Plus for ad-free episodes, early interviews, extended cuts, subscriber-only shows, and exclusive member perks and analysis. Sign up at businessof.tech slash plus. And follow this show on your podcast app. And if you're on YouTube, hit subscribe and the bell so you never miss a story. Reviews and comments help spread the word, too. Interested in advertising? Head to mspradio.com slash engage.

[00:14:05] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. Thanks for listening. I'll see you on the next episode. Part of the MSP Radio Network.