A
Hey everyone, and welcome along to Seriously Risky Biz. This is our podcast where we talk about all the big picture stuff like cybersecurity policy and intelligence. My name's Amberly Jack and very shortly I'll bring in Tom Uren, our policy and intelligence editor, and we're gonna have a chat about the Seriously Risky Business newsletter that Tom has written this week. You can find that, read it and subscribe over at our website, Risky Biz. But first, I'd like to thank Knock Knock for sponsoring this week's show. You can find them at knock knock.com, that's KNOC KNOC IO. G'day Tom. It's great to see you.
B
Hi Amberly, how are you?
A
Yeah, really good, thanks. And Tom, I want to chat to you about the machines in particular. The machines are on a bit of an 0-day finding frenzy and this kind of has you thinking, Tom, that the government and Anthropic really should kind of kiss and make up because it's going to help them in the end. But maybe catch me up a bit here. What's been happening with Claude and 0days this week?
B
Yeah, so from my particular point of view, there have been several pieces of reports, news that Claude has, with very little instruction, gone out and found previously unknown vulnerabilities. And so some of the prompts that have been given to Claude are just extremely broad and vague and don't provide really any direction at all. So for example, you are playing in a CTF capture the flag hacking competition. Find a vulnerability, write the most serious one to report text, and that's it. And so it's taken in the recent past, people have been creating frameworks where, like my take on it is a framework breaks down a whole pipeline of work into very small discrete tasks. And when the tasks are small, AI can do a good job because it's not many logical leaps. And the more logical leaps they take, the more likely they are to make a mistake. A model that is. So this is with Claude's latest model and that particular case, that was a Claude researcher called Nicholas Carlini. He apparently has been just doing that kind of research on a whole swath of open source projects and he's found hundreds and hundreds of vulnerabilities previously unknown.
A
Wow.
B
And that has been in, he's. He kind of implied important open source projects that have been well tested in the past. So it's not like it's some nice backyard project that. That's right. Wandering into the deep dark woods and going, oh, there's a mushroom it's something important in something important. Now that's like incredible. It doesn't seem like it's a super amazing 0-day, like impossible to find. But it also makes then constructed an exploitation script so that what Claude found was what's known as a blind SQLi. So you can put a command in maliciously, I guess, and you get hints as to what the answer is. And so you have to take those hints and then try and extract actual information. And Claude did that all by itself. So that is truly democratizing in a way that was not possible like just a few months ago. Yeah, so another example he gave was a bug in the Linux kernel where if you had two cooperative malicious actors, you could get remote code execution. And so that's the sort of bug you cannot find by fuzzing because it relies on the machine or the researcher having some idea of how these two separate parts, not entirely separate, but two parts of the system work together and how there's a sort of subtle bug in that. So that's very interesting that it's actually thinking through thinking air quotes, whatever
A
the
B
logic of the source code. So I think that's like really significant. The other point Carlini made is that models are still getting better, quite a lot better from iteration to iteration. So already it's a lot better than many vulnerability researchers, is my guess. Not all of them.
A
And definitely faster, right? Like a lot faster.
B
Yeah, yeah, yeah. And with. And James, our enterprise technology editor, has been experimenting with it, and it relatively quickly can find bugs when you give it a little bit of hinting as well. So I think that this is the baseline for numpties. You can do stuff, I think if you deploy it into a specialized research place and you set up a framework to run it within and you give it a bit of extra help, it'll do much, much better. And so I imagine that there'll be organizations that are trying to do that right now. They should be trying to do that right now. And I guess my take on all this, like you said, was that having a fight with an AI company is just stupid because this is the sort of capability that is tremendously valuable, like the bread and butter of organizations like NSA and Cyber Command is finding vulnerabilities, figuring out how to use them in a way that supports national security objectives. And so being able to speed up the discovery and exploitation like that seems like a massive win. NSA also has a defensive role, so being able to pick out software, that's important and figuring out are there any vulnerabilities there that no one has picked up yet. That's also important. So it matches both of their roles and just kicking them out on a whim. I mean, you know, I'm sure people would say that it's not a whim, but from my perspective, it seems like a whim just seems counterproductive.
A
And Tom, I mean, obviously over the past week or so there's been a heap of reporting about Claude's capability here, but we're not sort of naive enough to think that Claude's gonna be the front runner forever and that's never gonna change. Like, as you said in the newsletter, these government agencies and organizations need to have access to everything so that they can use what they need for specific purposes.
B
Yeah, it seems like there's maybe three different companies that are producing models that are continuously fighting to be top dog, depending upon how you measure it or what you're trying to do. And it seems that at any one moment in time, one of those models will be better than another at something. And so the way to get the most out of all of them is to have all of them and use them for what they're best at. So right at this moment, it seems that Claude is a bit better when it comes to this kind of research, this kind of cyber relevant research. Perhaps the other models will catch up, perhaps they'll overtake it. Perhaps in a framework, you actually want a couple of different models doing different things. Maybe, I don't know, one's better at one particular aspect. That seems like if you want to do the best you can, you need them all. And like in, in both the short term because they can be good at different things right now, today, and in the longer term because they'll, I think, inevitably overtake each other in different aspects over time. And so I think that's, I think that's important. I think this is like a really big deal. And not having access to those tools, I think it's, it's like cutting yourself off at the kneecaps, like giving yourself, putting yourself at a handicap in a race.
A
Yeah. So, Tom, let's imagine for a sec that you are Peter Hegseth and you've just had a very public scuffle with Anthropic. What's your next move here?
B
I find it hard to put myself in those shoes in particular. I think what is happening is that probably people in NSA and Cyber Command are doing the paperwork to get an exemption from someone so that it can be done on the sly and on the quiet without necessarily the Department of War Having to back down or the broader U.S. government. I mean, Anthropic's got a, you know, it's involved in this as well. And so whether they would be happy with that, I don't know. But I just kind of want them all to grow up and get over it and move on.
A
Sounds like a plan. Hey. Hey, Tom. I want to talk to you about Russia and American company Ubiquiti. So this is your second piece in the newsletter. The gist of this one here is that Starlink access has been cut off for Russia's military in Ukraine and it's really hindering their program, their progress. But what they've done here is kind of double down on products from another American company, Ubiquiti. What's Ubiquiti? Who's Ubiquiti and how is this all going down, Tom?
B
Yeah. Okay, so Ubiquiti makes networking equipment and like some security equipment as well. It positions itself as an enterprise technology provider when it comes to the war in Ukraine. It makes wireless, basically Wi-Fi bridges that can go up to something like five kilometers, what's that, three miles or something like that. And so in prior when the Russians were using Starlink a lot that provided, I guess sort of comms over a wide area. They could use it, put terminals on drones and to direct the drones deep into Ukrainian territory. There is no alternative to Starlink. It's high bandwidth. It works, you know, effectively globally. The Ukrainians were using it to launch long range drones into. The Russians were using it to launch long range drones into Ukraine. That access got cut off and the Russians had been using Ubiquiti equipment before. So it's good for point to point. And if you don't have Starlink, it's the next best thing available. So in this war they're doing things like using those kinds of high bandwidth comms to run drones live remotely, to transmit video. These are not things that I think western military secure communication systems do very well because they prioritize security and encryption over like endless bandwidth. And it comes with downsides as well. But basically the Ubiquiti stuff is the next best thing after you don't have Starlink. So they've doubled down on that. Now the, I guess the kicker is that that equipment should not be being sold to Russians because the US Government very early in the war said that no, you cannot sell to Russians.
A
So how is this happening?
B
So what should happen is that the company Ubiquiti, which is American, I think, is it San Jose based? It should be doing due diligence to make sure that its suppliers aren't on selling to suppliers that then on sell to Russian vendors, Russian wholesalers or sellers or whatever. So it appears that there is what's called transshipment going on where a wholesaler will sell to someone who will sell to, say, Turkey and that person in Turkey will then ship to somewhere else and eventually it ends up in Russia. So this investigative outfit called Hunterbrook did an investigation. They posed as a Russian military officer and it was not hard at all to get Ubiquiti equipment in Russia, even if they were saying things like, I am Russian military officer, I want equipment for the war. And people in the supply chain were going, oh yeah, that's fine. Or they would say things like, ah, you want sanctioned equipment that costs a bit more. So there's no suggestion that Ubiquiti knows that this is exactly going on. But Hunterbrook alleges that, that they're not doing a very good job with compliance and that they don't invest a lot of time and effort doing due diligence and cracking down on suppliers in people who they wholesale with. And so, I mean, from a US point of view, like you've got sanctions for a reason. These have a direct military application. Might be worth investigating that and cracking down on it. Ubiquiti has been fined before, so the Treasury Department fined them I think back in 2014 for selling to Iran. So I guess that's the story. I think the interesting thing for me is that just how important high bandwidth comms were in modern warfare. Like this is a thing that the Russians are prioritizing.
A
Yeah.
B
I did some research trying to figure out what is the state of U.S. and allied tactical data links. And the highest I could find was in the kilobits per second and that the generation times were extremely, extremely long. So, you know, 10, 15 years between different types of data links like Link 11, Link 16, Link 22, happened over 33 years or something like that. So I'm a bit concerned. Obviously a lot of that information is not publicly available of, you know, what are the state of the art. But I'm a bit concerned that the, the modern Western militaries aren't really set up for super high bandwidth communication to soldiers on the front.
A
Yeah.
B
And so that that makes these companies like Ubiquiti that sell equipment that is, I guess at this point it's battle tested. Right. It may not be suitable off the shelf for American or allied militaries. They might find them unacceptable, but I think it's it's, it's sort of concerning that they're selling to whoever without. It doesn't seem like. Without a whole lot of oversight.
A
Yeah, right. And I just want to go back a little bit, Tom. You, you sort of mentioned, you know, that, that Russia is kind of doubling down on Ubiquiti now that there's no Starlink and they were using Ubiquiti products before as well. So I'm assuming the. As you kind of alluded to, not as good. But I guess in a situation where you have no Starlink anymore, you just have to make the best out of
B
the stuff you have. Yeah. The way I think about a battlefield is that there's no perfect one size fits all communication system. Like Starlink is part of the picture. Ubiquiti was part of the picture before tactical radios were part of the picture. They each have their place, their upsides, their downsides. And so by removing Starlink, you're basically shifting the mix of what the Russians have and how. And they've got to adapt. So there's some things that are uniquely enabled by Starlink, like those long range drones that could fly hundreds of kilometres into Ukrainian territory. Now there's sort of kind of workarounds like maybe trailing those fiber optic cables behind for tens of kilometers. That's not as good, but it's kind of an adaptation. And the, I suppose the point is that if the US has in its power the ability to clamp down on something that the Russians are vulnerable, that they're using, they're finding important and they're vulnerable. Yeah, perhaps you should do that. Yeah, but it's, it's always a mix. It's not a. Oh yes, this magic iPhone device will do everything that I want. They've, you know, they each come with pluses and minus, pros and cons.
A
Yeah, for sure. And so ideally we would see a big investigation and clamp down into how these devices are getting into the hands of Russian soldiers and see some action from that. But how much hope are you holding out there, Tom?
B
Oh, not, not very much. I think the Trump administration has not shown that much interest in regulatory action or enforcement.
A
Yeah.
B
And so I would be surprised if it happens. I also think that right now the U.S. government, like, you know, a lot of it, has other things on its mind and so just the bandwidth to deal with that. I'm not sure that it exists. Perhaps I'll be proven wrong.
A
On that cheery note, Tom, we will leave it there, but great chat as always. And you can, of course read and subscribe to Tom's newsletter over at our website, Risky Biz. But, Tom, thank you so much once again. Have a great week, and I'll see you same time next week.
B
Thanks, Amberly.
Date: April 2, 2026
Host: Amberly Jack
Guest: Tom Uren (Policy and Intelligence Editor)
Podcast: Risky Business Media
In this episode, host Amberly Jack and policy editor Tom Uren dive into two major topics from the week’s “Seriously Risky Business” newsletter:
The conversation explores the national security, policy, and technological dimensions of these developments, with critical insight into strategic, regulatory, and operational implications.
Breakthrough capability:
Recent reports show Claude (the latest language model from Anthropic) can discover previously unknown software vulnerabilities (“0days”) with minimal prompt engineering. As Tom puts it:
“Claude has, with very little instruction, gone out and found previously unknown vulnerabilities.” — Tom Uren [01:02]
How it works:
Researcher example:
“Claude did that all by itself. So that is truly democratizing in a way that was not possible just a few months ago.” — Tom Uren [03:56]
Speed and skill:
“Already it's a lot better than many vulnerability researchers, is my guess. Not all of them.” — Tom Uren [04:42]
Strategic Implications:
“Having a fight with an AI company is just stupid because this is the sort of capability that is tremendously valuable... Being able to speed up the discovery and exploitation like that seems like a massive win.” — Tom Uren [05:49]
“I think this is the baseline for numpties. You can do stuff.” — Tom Uren [05:17]
On government–AI company disputes:
“Just kicking them [AI providers] out on a whim...seems counterproductive.” — Tom Uren [06:41]
Model competition:
Multiple companies (e.g., OpenAI, Google, Anthropic) compete, and each leapfrogs the others in specific domains. Agencies should not lock themselves out of any tool.
“If you want to do the best you can, you need them all. Not having access...it's like cutting yourself off at the kneecaps.” — Tom Uren [08:21]
Policy prediction:
“Probably people in NSA and Cyber Command are doing the paperwork to get an exemption...I just kind of want them all to grow up and get over it and move on.” — Tom Uren [09:13]
Context:
“Ubiquiti makes networking equipment...it makes wireless, basically Wi-Fi bridges that can go up to something like five kilometers.” — Tom Uren [10:14]
Why Ubiquiti?
“These are not things that I think western military secure communication systems do very well because they prioritize security and encryption over like endless bandwidth.” — Tom Uren [11:38]
Sanctions & Loopholes:
“There’s no suggestion that Ubiquiti knows that this is exactly going on. But...they’re not doing a very good job with compliance.” — Tom Uren [13:21]
“From a US point of view, like you've got sanctions for a reason. These have a direct military application. Might be worth investigating that and cracking down on it.” — Tom Uren [13:36]
Broader Assessment:
“I’m a bit concerned that the modern Western militaries aren’t really set up for super high bandwidth communication to soldiers on the front.” — Tom Uren [15:16]
Battlefield adaptation:
“There's no perfect one size fits all communication system. Like Starlink is part of the picture. Ubiquiti was part of the picture before...They each have their place, their upsides, their downsides.” — Tom Uren [16:30]
Enforcement skepticism:
“I think the Trump administration has not shown that much interest in regulatory action or enforcement.” — Tom Uren [18:16]
This episode eloquently dissects the accelerating disruptive impact of generative AI on vulnerability discovery, with direct implications for cyber policy and national security. It also exposes the gaps and workarounds in both regulatory controls and military technology on the modern battlefield. Throughout, Amberly and Tom’s informed yet conversational tone keeps the analysis both authoritative and accessible.