Last week, I asked Philippe Langlois, principal author of the 2026 Verizon DBIR, a simple question: if an MSP could only focus on one thing this year, what should it be? His answer, without hesitation: "Vulnerability management."

That tracks, as this is the first year in DBIR history that vulnerability exploitation has overtaken stolen credentials as the top breach entry point, jumping from 20% to 31%. Meanwhile, median time-to-patch climbed from 32 to 43 days, and only 26% of known exploited vulnerabilities got fully remediated.

As most know, NIST just overhauled how the National Vulnerability Database operates, moving to a risk-based triage model after CVE submissions jumped 263% since 2020. Joining us to unpack it is Steve Carter, CEO and co-founder of Nucleus Security, who's spent over two decades in vulnerability management

Today's session is one you genuinely don't want to miss. Every year, Verizon publishes what is arguably the most respected, data-backed snapshot of the global threat landscape, the Data Breach Investigations Report.

The 2026 edition is the 19th annual installment, and it just set a new record: over 22,000 confirmed breaches analyzed across 145 countries. The numbers don't just confirm what we suspected, they shift how we must implement our defense in depth strategies.

Joining us is Philippe Langlois, principal author of the 2026 DBIR and one of the minds behind how Verizon collects, interprets, and translates breach data into actionable intelligence.

We spent a decade building security around the network. Then five years around the endpoint. The whole time, sitting right in front of every user, every day the browser. Unmanaged. Unexamined. Trusted by default.

The 2026 Verizon DBIR makes it hard to look away anymore. Infostealers, session token theft, OAuth attacks almost every major attack pattern this year runs through the browser at some point.

Today's guest thinks about this problem at a scale very few people get to. He's going to help us understand what the MSP community is missing and what it actually means to secure the place where work happens.

Arunesh Chandra, Head of Product, Microsoft Edge for Business joins The CyberCall to discuss these topics and more.

This week we're doing something a little different. Instead of talking about CMMC in the abstract, we're putting an actual document on the table the CMMC Program FAQ, freshly updated to Revision 2.3.

It's the kind of document most contractors skim and most MSPs never read closely.

To help us read between the lines, we have one of the sharpest interpreters of CMMC in the industry. Jacob Horne has spent years doing exactly this — taking dense regulatory language and turning it into something a contractor can actually act on. Today we're going to put him to work, page by page, on what this document really says, what it quietly doesn't, and where the traps are hiding.

If you serve the defense industrial base, this is the episode to take notes on.

CMMC is no longer theoretical the rule is final, the clock is running, and every MSP in the DIB is about to find out whether the work they've done actually holds up under an assessment.

To cut through the noise, we have someone who sees this from angles almost nobody else does. Scott Singer is chair of the Cyber AB’s C3PAO Advisory Council, former CEO of CyberNINES and current President of ControlCase’s Federal Division and he runs two authorized C3PAOs, CyberNINES and ControlCase and a FedRAMP 3PAO. He's helping shape the rules, sitting across the table doing the assessments, and preparing companies to pass them.

We're going to demystify the C3PAO role, talk honestly about the backlog, and get specific about what separates MSPs setting their clients up to pass from the ones setting them up to fail.

For the past two weeks, we've been building what a Mythos-ready security program actually looks like. None of that matters if we can't walk into a business or boardroom and get the C-suite to buy in. Today is leadership call. How do MSPs earn the right to be in the boardroom on AI and stop being the vendor who fixes things and start being the partner who helps the business win. That's why I'm so excited about today's guest.

Joining us is Bob Zukis, the founder of the Digital Directors Network, lead author of The Great Reboot and the DOMINO Guide, and the world's leading voice on getting boards to actually lead on digital and cybersecurity risk.

Two weeks ago, Anthropic announced Claude Mythos. A model that autonomously found thousands of zero-days, generated working exploits, and broke out of its own containment sandbox.

The moment the industry has been warning about for years just arrived.

Within 48 hours, the Cloud Security Alliance pulled together more than 80 CISOs and security leaders Heather Adkins, Rob Joyce, Bruce Schneier, Jen Easterly and produced "The AI Vulnerability Storm: Building a Mythos-Ready Security Program." It's one of the most important security documents published this year.

My guest today is one of its authors. Sounil Yu CTO of Knostic, architect of the Cyber Defense Matrix, and one of the sharpest minds in cybersecurity.

The window between vulnerability and weaponization just collapsed to hours. The patch cycle is broken. And the architecture every MSP has built for their clients was designed for a world that no longer exists.

The cyber insurance market right now is the softest it's been since 2021. Premiums are flat. Capacity is abundant. Carriers are competing aggressively for MSP business, and your SMB clients are getting pricing their predecessors would have dreamed about three years ago.

Here's the problem. Loss frequency is up. Ransomware attack frequency rose 45% year-over-year. A single Cloudflare outage in November cost the economy somewhere between 5 and 15 billion dollars. AI-powered attacks are collapsing the window between a vulnerability existing and being weaponized from weeks to hours. And Anthropic just announced a model that found thousands of zero-days autonomously and then broke out of its own containment sandbox.

The market is soft. The threat is not.

So the question every MSP in this room needs to be asking is: what's the catalyst that flips this? When does the market go hard? What happens to your SMB clients when it does? And more importantly what should you be doing right now, while the window is still open, to make sure your clients are the ones who stay insurable? Reid Wellock, President and Co-Founder of UKON sat down with us to discuss these topics.