AI's new battleground: Cost, efficiency, and control

AI vendors pivot from capability to cost, OpenAI eases GPT-5.6 usage limits, Enterprises scrutinize soaring AI bills, Chinese AI models gain enterprise traction, Anthropic data reveals how AI gets used, AI agents tackle business ops workloads, Open-source AI faces mounting policy pressure, much more

Share
AI's new battleground: Cost, efficiency, and control
Image by Elchinator from Pixabay

Don't miss my latest CSO feature that examines whether AI can narrow cybersecurity's class divide.


Metacurity is the cybersecurity industry's daily reality check—independent, agenda-free coverage that cuts through vendor hype, social media noise, and recycled talking points to explain what matters and why.

Trusted by thousands of cybersecurity professionals, including many of the industry's most influential security leaders, Metacurity delivers the context, analysis, and perspective that busy readers don't have time to assemble themselves.

If you find value in that work, please consider becoming a paid subscriber. Metacurity remains independent because its readers choose to support it.


The artificial intelligence industry spent the past week focused on a theme that would have seemed secondary only months ago: cost. While model capabilities continue to advance, leading AI vendors are increasingly competing on efficiency, pricing, and enterprise economics as organizations begin scrutinizing AI spending more closely.

For cybersecurity leaders evaluating AI deployments, the shift is significant. The conversation is moving beyond which model is smartest toward which model delivers the best operational value at scale.

That transition became increasingly visible since Friday as OpenAI, Meta, Anthropic, and a growing number of rivals emphasized efficiency, cost controls, and practical business value rather than raw benchmark performance.

OpenAI temporarily removed GPT-5.6 Sol's five-hour usage restrictions after demand surged for coding and agentic workloads, while simultaneously introducing improvements designed to reduce token consumption and extend available usage. The move comes as enterprises seek to extract more work from AI systems without seeing costs spiral upward.

The focus on efficiency is spreading across the industry. OpenAI says GPT-5.6 is designed to complete more work with fewer tokens. Elon Musk's SpaceXAI is promoting Grok 4.5 as significantly more token-efficient than competing models, while Meta is aggressively positioning its newest models as lower-cost alternatives to rivals.

The industry's newfound emphasis on economics reflects growing enterprise concerns over AI spending. After encouraging widespread adoption over the past year, many organizations are now confronting unexpectedly large invoices generated by usage-based pricing models. Some executives report AI bills reaching millions of dollars per month, prompting tighter governance and closer scrutiny of return on investment.

The pressure is also creating opportunities for new competitors. According to a Financial Times report, companies in the United States and Europe are increasingly evaluating Chinese AI models as a way to reduce costs, despite ongoing concerns about security, data governance, and geopolitical risk. The trend underscores how economic considerations are beginning to outweigh brand loyalty for some enterprise buyers.

For cybersecurity leaders, that development presents both opportunities and challenges. Lower-cost models may make AI adoption more affordable, but they also introduce questions about data sovereignty, regulatory compliance, software supply chain risk, and the security practices of foreign providers. As organizations adopt model-routing strategies that dynamically select among multiple AI providers, security teams may find themselves responsible for governing increasingly complex AI ecosystems.

Meanwhile, Anthropic released new data showing how enterprises are actually using AI agents in practice. Analysis of 1.2 million Claude Cowork sessions across more than 600,000 organizations found that approximately one-third of usage involved business operations tasks such as reporting, workflow coordination, onboarding, and administrative processes. Content creation accounted for another 16 percent.

The findings suggest that AI's greatest near-term enterprise value may lie less in replacing highly skilled specialists and more in eliminating the administrative burden that surrounds their work. For security teams, that could mean automating incident summaries, compliance reporting, documentation, remediation tracking, and other operational tasks that consume analyst time without directly improving security outcomes.

At the same time, policy tensions surrounding AI continue to intensify. Industry observers are closely watching reports that U.S. policymakers are considering restrictions on advanced open-weight AI models, particularly those originating in China. Supporters of open-source AI argue that such measures could limit competition and strengthen the market position of dominant closed-model providers. (Nathan Lamber / Interconnects, Mayank Parmar / Bleeping Computer, Lorelei Smillie and Rachel Metz / Bloomberg, Jonathan Kemper / The Decoder, Madhumita Murgia, Cristina Criddle, and Rafe Uddin / Financial Times)

Related: Simon Willison's Blog, Seoul Economic Daily, ClaudeHelp Net SecurityForbesThe Indian ExpressAndroid AuthorityImplicator.aiDigital Trends

The European Union and the United Kingdom jointly sanctioned dozens of Russian individuals and entities and accused Russia of coordinating a network of hacking groups responsible for attacks across Europe.

The Council of the European Union announced sanctions on nine individuals and four entities, including Russian military intelligence (GRU) officers and cybercriminals, while the UK separately sanctioned 24 individuals and entities, including senior GRU figures Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko, whom officials say directed cyber and hybrid operations.

Britain also sanctioned members of the IMPULS company, accused of recruiting hackers from Russian universities, as well as individuals tied to the Lumma Stealer malware operation, which UK authorities linked to at least 2,100 domestic victims over six months. Ten people connected to media outlet Rybar LLC were also designated for spreading anti-Ukraine narratives and alleged election interference in Moldova and Armenia.

The Council of the EU also publicly identified the 16th Centre of Russia's Federal Security Service (FSB) as controlling several cyber threat groups, including the notorious Turla hacking group.

Officials said the unit has spent years targeting government networks and critical infrastructure in France, Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania, and Finland, running cyberespionage campaigns against government and defense targets since 2010. (Sergiu Gatlan / Bleeping Computer)

Related: European Council, GOV.uk, France24, The Times of India, AFP

Dutch police said they had uncovered evidence suggesting that Dutch criminals were involved in the cyberattack on telecom provider Odido that exposed the personal data of more than 6 million customers earlier this year.

Authorities said a Dutch-speaking man posing as an Odido IT employee called the company's customer service department before the February attack, helping trick employees into granting access that enabled hackers to steal customer information.

Police are still trying to identify the caller, along with other possible suspects, and urged anyone with information to come forward. They added that a recording of the caller's voice could be released publicly at a later stage if necessary.

Dutch cyber authorities previously said the attackers gained access through a compromised customer contact system used by Odido, allowing them to download customer records. The company said the incident did not disrupt its operations.

Police said they had taken several servers used by the hacker group to distribute the stolen data offline shortly after the attack.

"Investigations like these are often complex and take time, but cybercriminals are vulnerable too and leave traces behind," Dutch police said in a statement. (Daryna Antoniuk / The Record)

Related: Politie, Bleeping Computer, Tech Times, SC Media, The Cyber Express, NL Times, Dutch News

Intelligence from the Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD) – the Dutch services – illustrates that Russian state actors are systematically conducting digital espionage operations via IP cameras (cameras with internet access).

At least one Russian intelligence and security service is responsible for these operations that are taking place in the Netherlands, various other EU and NATO member states, and Ukraine.

This actor performs automated analysis of imagery through image recognition
software to conduct targeted searches for military vehicles and the military
cargo they are transporting.

This provides the actor with, among other things, relevant military data, such
as EU and NATO military transport routes, weapon deliveries to Ukraine, and the
locations of Ukrainian military personnel.

The information from IP cameras in Ukraine is used in attempts to neutralize
Ukrainian military personnel and to destroy their military materiel.

Furthermore, the Russian service is using the access to IP cameras to acquire
relevant military intelligence in European member states, including information
that is not directly relevant to the war in Ukraine. (Dutch General Intelligence and Security Service)

Related: Telegraph, Times of India, UA News, RBC-Ukraine, Euromaidan Press, UNN.ua, CyPro

Lidl is warning its customers of a cyberattack which may have affected some of their personal information stored with the company.

In a data breach notification published on its Netherlands, Belgium, and Germany websites, the German discount supermarket chain said an IT security incident at one of its IT service providers affected some of the data stored by Lidl Online Shop customers.

“We were informed of this incident at the beginning of the week,” a machine-translated notification reads. “Despite high IT security standards, unknown persons briefly gained access to a separately stored file with customer data and part of the data was stolen from it. The system of the online shop itself is not affected.”

Lidl said that the unnamed miscreants walked away with people’s full names, phone numbers, email addresses, dates of birth, and customer numbers. Passwords, billing and delivery addresses, bank details, and other payment information were allegedly not stolen. Customer accounts remained unaffected, as well. (Sead Fadilpašić / TechRadar)

Related: RetailDetail

The Argentine Football Association (AFA) confirmed that it was the victim of an alleged cyberattack after an email sent from an account linked to AFA Medios was leaked, questioning the performance of French referee François Letexier during the 2026 World Cup round of 16 match between Argentina and Egypt.

The message, which several accredited journalists received, stated that "Argentina did not win" and maintained that the national team's victory was the result of "corrupt refereeing decisions." Furthermore, the text praised the Egyptian team's performance and contained threatening statements related to the conflict in the Middle East.

The Argentine Football Association (AFA) denied the authenticity of the email and asserted that it was neither created nor authorized by the organization's communications department. They explained that the email was the result of unauthorized access to their computer systems.

Sources from the institution indicated that a group of hackers of Egyptian origin had breached part of the AFA database, obtaining email addresses, passwords, and IP addresses, information that was later offered in specialized forums.

The message's content echoed the criticisms publicly expressed by members of the Egyptian national team following their World Cup elimination. Both coach Hossam Hassan and player Mostafa Ziko had questioned the referee's performance, although footage of the match showed no refereeing errors that deliberately favored the Argentinian team. (La Calle Concepción del Uruguay)

Related: Hindustan Times, Daily Sabah, The Sunday Guardian

Researchers at Okta report that a threat actor they track as O-UNC-066, which operates an extortion operation known as Pink, has been targeting organizations across multiple sectors with voice-based fake security requests that ask Microsoft 365 users to enroll a new Entra passkey.

The attacker is taking advantage of a new capability Microsoft opened to administrators in May, allowing them to run “passkey registration campaigns” to entice users to enroll passkeys for more secure authentication.

The campaign has been running since April and involves calling targeted users and trying to convince them to register a new passkey under the attacker's control.

To mask the deception, the hacker directs victims to a phishing kit that imitates the legitimate Microsoft passkey enrollment process.

Okta says that O-UNC-066 has been targeting users at organizations in the food and beverage, technology, healthcare, automotive, construction, and aviation industries. (Bill Toulas / Bleeping Computer)

Related: Okta, SC Media, Cyber Daily, Tech Times, Help Net Security

Fake passkey creation page. Source: Okta

Researchers at Group-IB say a new version of the RedHook Android malware abuses the Android Wireless Debugging (Wireless ADB) mechanism in a novel way to gain shell-level privileges without requiring a computer connection.

Group-IB analyzed the new release of the mobile malware and says that it significantly expands its capabilities compared to the previous variant documented in 2025.

At the same time, the malware retains its remote access trojan (RAT) features, allowing it to stream the screen, intercept keystrokes, automate UI interactions, and steal credentials.

According to Group-IB's report, the current version of the malware supports 53 server-issued commands.

The latest version of RedHook is distributed through social engineering, via messages and phone calls where attackers impersonate government agencies or financial institutions to direct victims to fake Google Play sites. (Bill Toulas / Bleeping Computer)

Related: Group-IB, Cyber Security News, Cyber Press

RedHook malware attack chain. Source: Group-IB

A major credential leak spurred the Cybersecurity and Infrastructure Security Agency to strengthen protections for its sensitive materials, improve how researchers can report agency vulnerabilities and develop plans for similar incidents, the agency said in a forensic report.

The blog post outlines CISA’s response to the leak that the researcher who discovered it in May called one of the worst he had ever seen, which also drew congressional scrutiny.

“Sharing experiences from incident response activities help other organizations learn from such experiences and enables them to take necessary precautions to prevent similar incidents from happening in their environments,” wrote Preston Werntz, acting chief information officer and Brad Libbey, acting chief information security officer. “For years, CISA has said this type of information exchange is critical to identifying trends and contributing to broader national awareness. Now, it is our turn.”

On May 15, after learning about a contractor’s leak of privileged Amazon AWS GovCloud Keys on a public GitHub repository, CISA said it took steps to halt further harm. That meant taking the repository and its developer environment offline, and revoking the access of the person responsible for the leak.

CISA then analyzed the repository to get a sense of the scope of the leak. It also analyzed log files to learn that none of the leaked credentials were used outside of CISA, and that no customer or mission data was exposed.

The response benefited from taking the reported incident seriously, having good logging capabilities, and using zero-trust principles, the blog post states. (Tim Starks / CyberScoop)

Related: CISA, TechCrunch, SC MediaHackadayInfosecurity, TechRadar

Phia, an advertising startup co-founded by Phoebe Gates, daughter of billionaire Microsoft co-founder Bill Gates, bills itself as a “personal shopping assistant” that helps users find the lowest prices on a broad range of clothes and fashion accessories.

Download the Phia tool onto a web browser, use it while shopping and — voila — the so-called extension can quickly find discount codes for products. Businesses like these, known in industry parlance as affiliate marketing programs, typically collect a commission from retailers that make the resulting sale.

But according to Ben Edelman, an independent researcher and consultant who studies affiliate marketing, as well as Capital One Shopping, which makes a competing browser extension, Phia claimed credit for online sales it didn’t actually drive, in violation of many digital platforms’ policies.

Bloomberg tested the Phia mobile browser extension across more than 50 websites and found that during the checkout process, Phia opened a background tab without user interaction and injected its own referral code that overrode legitimate referrals from other publishers. These findings were consistent with Capital One Shopping and Edelman’s independent testing and code review. Testing involved using the extension like a regular shopper and observing how it communicates with other sites and its own servers. (Olivia Solon, Jeff Kao, and Priyanjana Bengani / Bloomberg)

Related: TechCrunch, Daily MailThe CutFeed Me, Ben Edelman

Citing data from the Korean defense ministry, Rep. Yu Yong-weon of the main opposition People Power Party said that cyberattack attempts against the South Korean military reached nearly 19,000 last year.

The military was targeted in 18,951 cyberattack attempts in 2025, compared with 11,700 in 2021, 9,115 in 2022, 13,599 in 2023 and 14,419 in 2024, according to Rep. Yu Yong-weon of the main opposition People Power Party, citing data from the defense ministry.

Among last year's cases, 18,792 were classified as attempts to compromise websites by trying to take over administrator privileges.

In its report to the lawmaker, the Cyber Operations Command said there were limitations in identifying the source of the attempts as malicious actors hide their tracks but noted North Korea appears to have recently advanced its hacking capabilities. (Chae Yun-hwan / Yonhap News)

Related: Intellinews, Databreaches.net, KoreaJoongAngDaily, The Korea Herald

The leaked internal communications of the Conti ransomware gang provide a rare look inside one of the world's most prolific cybercriminal organizations, with those messages, leaked after Conti publicly supported Russia following the invasion of Ukraine and then attempted to reverse course, exposing years of internal discussions, disputes, and operational details.

The leaks revealed how Conti operated, how members viewed their victims, and how disagreements over politics and targeting ultimately contributed to the gang's collapse.

One of the most striking revelations involves Conti's 2021 attack on Ireland's Health Service Executive (HSE), which crippled hospitals during the Covid-19 pandemic. The leaked chats show that some gang members actively advocated targeting healthcare organizations despite previous internal agreements to avoid the medical sector.

While certain members mocked the chaos such attacks could cause, others objected and argued hospitals should be off limits. After the HSE attack, the gang ultimately provided a decryption key, but recovery still took months and left patients and healthcare workers struggling through major disruptions. (Geoff White / BBC News)

Related: Crypto Briefing

A Guardian investigation describes a growing fraud technique in which scammers create highly convincing clones of legitimate news websites, including outlets such as The Guardian and the BBC, and populate them with fabricated articles promoting investment schemes.

The fake stories often feature well-known public figures such as Jim Ratcliffe, David Attenborough, or consumer advocate Martin Lewis and falsely claim they became wealthy through a secret investment platform or cryptocurrency opportunity. Victims who click through are directed to cloned trading sites that appear legitimate but are designed to steal money and personal information.

The scam infrastructure has become increasingly sophisticated. The cloned sites closely mimic the design, branding, and writing style of established news organizations, making them difficult for casual readers to distinguish from the real thing. Once victims register interest, scammers often contact them directly, encouraging larger investments and creating the illusion of growing profits. In reality, there is no investment activity taking place; the funds are simply transferred to criminals.

The Guardian notes that some of these operations are now using AI-generated content and other automation tools to create convincing fake articles at scale. (Shane Hickey / The Guardian)

Related: Full Fact

On July 8, journalist and media executive Ksenia Sobchak, widely known to be a propagandist for the Kremlin, announced that hackers had broken into her email account and briefly gained access to her Telegram channels.

Around the same time, screenshots showing fragments of her private correspondence appeared in the channels. Sobchak called them fakes and deleted them. The next day, however, the hacker group Black Mirror and the anonymous project VChK-OGPU published even more screenshots of Sobchak’s messages, along with some of her voice messages.

A couple of hours later, Sobchak said she had regained access to the channels: “Honestly, not a great experience. Seems like it’s time to go touch up the gray hair that just came in.” She added that the hackers had “made off with” her channels by breaking into her email, and she dismissed the screenshots of the correspondence — deleted by that point — as fakes.

The screenshots bore a watermark with the web address of the hacker group Black Mirror. The site is a “mirror” of Black Mirror’s Telegram channel, where the group announced that it had obtained Sobchak’s archive from 2015 to 2026 — more than 350 gigabytes — and was ready to sell it.

On July 9, more exchanges and videos, purportedly from the journalist’s archive, appeared on Black Mirror’s Telegram channel. VChK-OGPU, an anonymous project that publishes compromising material on figures tied to the Russian state, also released several voice messages received from the hackers.

If the hackers are to be believed, Ksenia Sobchak and Andriy Yermak, then Volodymyr Zelensky’s chief of staff, exchanged messages and spoke by phone in March 2022, shortly after Russia invaded Ukraine. Yermak called Sobchak smart and said they had many mutual acquaintances. (Meduza)

Related: Nasa Niva, New Voice of Ukraine

On-chain tracker Lookonchain traced the stolen funds across two wallets. The scheme mirrors a run of high-profile account takeovers aimed at promoting fraudulent tokens.

According to Lookonchain, the attacker promoted the SCATMAN meme coin after allegedly compromising the SpaceXAI and Starlink X accounts. Screenshots widely shared on social media appeared to show both accounts reposting content from the SCATMAN account.

Lookonchain said the attacker minted 10 trillion SCATMAN. They then sold the entire supply for 59 ETH, worth about $108,000.

The analytics platform also identified a second wallet linked to the same attacker that sold an additional 59.28 million SCATMAN tokens for 14.7 ETH, worth approximately $27,000. (Kamina Bashir / BeInCrypto)

Related: Yellow, Cyber Security News, Crypto Briefing

Established ransomware hackers are resorting to brand makeovers in a bid to throw off cybersecurity and law enforcement efforts by re-emerging with new identities—and often more menacing names.

Over the past three months, there were 1,885 ransomware and data-extortion attacks at organizations worldwide, up from 1,363 over the same period a year ago, and 1,186 in 2024, according to Zero Fox.

Though not a new tactic, rebranded cybercrime groups are popping up more frequently as artificial intelligence and other advanced security tools help defenders pinpoint patterns in attacks attributable to well-known hackers and quickly set targeted safeguards, cybersecurity experts say. (Angus Loten / Wall Street Journal)

A Brazilian gamer who lost his Microsoft account and all his digital games has won a court order forcing the company to hand it all back, after support staff told him to repurchase his library simply.

The user, who posts as Ordo_Liberal on Reddit, shared a screenshot of a small-claims ruling in the Xbox subreddit that gives Microsoft 15 days to restore access or face fines and roughly $400 (R$2,000) in damages.

He said the account had two-factor authentication enabled when it was flagged and permanently suspended, and that none of Microsoft's recovery options allowed him to regain access before he filed his lawsuit. (Luke James/ Tom's Hardware)

Related: Kotaku, Engadget, Games.gg, The Mac Observer, Notebookcheck

Best Thing of the Day: Insurers to the Rescue

More than 95% of average data breach losses and 90% of average first-party losses are adequately covered by insurance, according to a recent report by Willis, a WTW business.

Bonus Best Thing of the Day: More of This, Please

More than 300,000 Californians have demanded that hundreds of data brokers erase information about their locations, finances, health and personal lives as the state’s first-in-the-nation Delete Act requires brokers to start the mandatory process of removing data on Aug. 1.

Worst Thing of the Day: Chuck Dolan's Apple Fell Far From the Tree

An MSG database tracked and categorized hundreds of celebs, famous Knicks superfans, and even some of Taylor Swift’s wedding guests, with labels including “LGBTQIA,” “DO NOT HOST,” and low to high “risk.”

Closing Thought