OpenAI model shakes cyber stock sentiment

A stock selloff in cybersecurity started with a stranger signal than a breach: one frontier artificial intelligence model was so good at finding software flaws that its maker limited access to about 40 companies instead of releasing it broadly. Reuters reported Cloudflare, Okta, CrowdStrike, and SentinelOne fell between 4.7% and 7.7% on April 9, while Zscaler dropped 8.6%. (newsbreak.com) (channelnewsasia.com) The model at the center of that move was Anthropic’s Claude Mythos, which Reuters said had already found thousands of vulnerabilities, including some in every major operating system and web browser. Investors read that as a sign that artificial intelligence is moving from writing code to stress-testing the software stack underneath it. (newsbreak.com) (channelnewsasia.com) OpenAI is moving in the same direction. On February 5, OpenAI said GPT-5.3-Codex was its “most cyber-capable frontier reasoning model to date” and said these systems can now work autonomously for “hours or even days” on complex tasks, which is why it launched a restricted program called Trusted Access for Cyber. (openai.com) That phrase “Trusted Access” is the giveaway. OpenAI said cyber requests are hard to sort into good and bad because “find vulnerabilities in my code” can mean a defender patching a product or an attacker preparing an exploit, so it is using identity checks and monitoring instead of open access. (openai.com) Once a model can act for hours, the weak point stops being only the firewall and starts being the badge. In corporate software, that badge is identity: the login, token, or service credential that tells a system who is asking and what they are allowed to touch. (openai.com) (microsoft.com) That is why Okta has been talking less about employees and more about non-human identities, which means software entities like bots, service accounts, and now artificial intelligence agents. In its March 16 announcement, Okta said its new “Okta for AI Agents” product will be generally available on April 30 and is built to answer three questions: where agents are, what they can access, and what they are doing. (investor.okta.com) (secure.businesswire.com) Okta’s own framing shows how fast the problem changed. The company said recent research found 88% of organizations reported suspected or confirmed artificial intelligence agent security incidents, but only 22% treated those agents as independent identities with their own lifecycle and controls. (markets.financialcontent.com) (secure.businesswire.com) Microsoft is making the same bet from the other side of the market. On March 20, Microsoft said its Defender dashboard now tracks both human and non-human identities and launched Agent 365 as a control plane for agents, which is basically an air traffic tower for software workers that do not sleep. (microsoft.com) So the drop in names like Okta, Cloudflare, and Zscaler was not just a reaction to one flashy demo. It was the market pricing in a new race where models can discover flaws faster, vendors have to prove they can govern agent credentials in real time, and identity companies are being judged on whether they can keep up with machines acting like employees. (channelnewsasia.com) (openai.com) (investor.okta.com) The sharpest read on this week’s move is that Wall Street and security teams landed on the same question at the same time. If an artificial intelligence agent can scan code, call tools, and hold credentials, then the next security perimeter is not the office network but the identity layer wrapped around the agent itself. (openai.com) (microsoft.com)