Cyber Tools and Threat Alerts
New defensive and offensive cybersecurity signals landed this week: METATRON, an offline AI penetration-testing assistant for Linux, and Anthropic’s Project Glasswing aimed at defenders, while the FBI warned of Iranian actors targeting industrial PLCs. The co-occurrence of open-source offensive tooling, vendor-built defensive models, and state-actor advisories highlights a fast-moving threat landscape that mixes automated red-teaming and genuine infrastructure targeting. Organisations should track both tool availability and nation-state activity as connected operational risks. (x.com) (x.com) (x.com)
A programmable logic controller is the small industrial computer that tells a pump when to start, a valve when to open, or a conveyor when to stop. On April 7, 2026, the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, National Security Agency, and Environmental Protection Agency warned that Iranian-affiliated hackers are actively targeting internet-exposed controllers inside U.S. critical infrastructure. (ic3.gov)
Those hackers are not just stealing files. The advisory says they are trying to tamper with project files and alter what operators see on human machine interface and supervisory control and data acquisition screens, which are the dashboards workers use to run physical equipment. (ic3.gov)
The specific devices named in the warning include Rockwell Automation Allen-Bradley programmable logic controllers. The agencies said the attackers are looking for systems that are directly reachable from the public internet, which is the industrial equivalent of leaving a factory control panel on the sidewalk. (ic3.gov)
At the same time, a new open-source tool called METATRON showed how fast offensive cyber tooling is being packaged for ordinary Linux users. Its GitHub page says it runs locally from the command line, uses standard reconnaissance tools like Nmap and Nikto, and sends the results to a local artificial intelligence model instead of a cloud service. (github.com)
That design changes who can use it and where. Because METATRON runs offline with Ollama and stores scan history in MariaDB, a tester can probe a target network without sending target data to an outside application programming interface, which lowers both cost and visibility. (github.com)
Anthropic moved in the opposite direction with a defensive project called Glasswing, announced on April 8, 2026. Anthropic said partners including Amazon Web Services, Apple, Cisco, Google, Microsoft, NVIDIA, Palo Alto Networks, and the Linux Foundation will use its gated Claude Mythos Preview model to find and fix previously unknown software flaws in critical systems. (anthropic.com)
Anthropic also said it extended access to more than 40 additional organizations that build or maintain critical software infrastructure. The company framed Glasswing as a controlled program for defenders, not a public release, because the same model capabilities that help find bugs can also help exploit them. (anthropic.com)
Put together, these are three different layers of the same week in cybersecurity. One layer is a state-linked campaign aimed at real-world equipment, one is an open-source assistant that automates parts of penetration testing on a laptop, and one is a vendor-run effort to give defenders similar machine speed under tighter controls. (ic3.gov) (github.com) (anthropic.com)
The practical split is simple. If you run industrial systems, the April 7 advisory says to remove public internet exposure from operational technology, change default passwords, and segment control networks; if you build software, Glasswing shows large model vendors now see bug hunting as a frontline product category; if you defend enterprises, METATRON shows the same automation is already escaping into open repositories. (ic3.gov) (anthropic.com) (github.com)