Titles we almost went with this week

• AWS Console Gets a Makeover Nobody Asked For
• From Eight Hours to 22 Seconds, Hackers Got Fast
• AWS Spring Cleaning Hits Nine Services Hard
• Trivy Pursuit Turns Into a 500K Credential Heist
• Skip the Consultant, AWS Security Now Hacks Itself
• AWS Pen Testing Agent Pokes Your Cloud Around the Clock
• Your Cringey Gmail Address Gets a Second Chance
• Stop Babysitting Servers, Let Google Handle MCP
• AI Agent Untangles Your Kubernetes Networking Spaghetti
• One Bad Actor Poisons a Hundred Million Downloads
• Lambda Finally Hits the Gym with 32 GB
• From GPU Hype to Production Inference Without the Hyperscaler Headache

Follow Up

01:28 Hegseth, Trump had no authority to order Anthropic to be blacklisted, judge says

• A US District Judge granted Anthropic a preliminary injunction blocking the Department of War’s blacklisting, ruling the designation was First Amendment retaliation rather than a legitimate national security action.
• The court found officials lacked authority to blacklist Anthropic without considering less restrictive alternatives or providing evidence of an urgent security risk, noting the designation was triggered by Anthropic’s “hostile manner through the press.”
• The practical business impact was already substantial before the ruling, with three trade deals cancelled and other potential partners delaying negotiations, representing potentially billions in lost contracts over five years.
• Anthropic continues to balance the legal fight with maintaining its government relationships, publicly emphasizing alignment with the Department of War’s mission around safe AI deployment even while litigating against it.
• For cloud and AI vendors, this case establishes a notable precedent around government procurement decisions and First Amendment protections, with implications for how companies publicly challenge federal contracting positions.

02:35 Jonathan – “I’m guessing Anthropic is super busy with all the people coming to them for deals right now, because it seems to me that Anthropic is getting all the business customers and OpenAI are getting the personal customers.”  

04:08 Delve Announces Changes and New Customer Support Measures 

• Delve has responded to allegations from an anonymous Substack post by denying claims of faked evidence, clarifying that independent AICPA-accredited auditors, not Delve, issue SOC 2 reports and ISO 27001 certifications. 
• The company published a formal rebuttal and is now rolling out operational changes to address customer concerns.
• To support customers facing questions from their own clients and procurement teams, Delve is offering complimentary re-audits through independent auditors, complimentary grey-box penetration tests, and formal engagement letters from auditors, all at no cost.
• On the transparency side, Delve is moving auditor communications directly into customer Slack channels or shared email threads, so customers have full visibility into the audit process rather than relying on Delve as an intermediary.
• The platform is also adding clearer disclosures to templates and forms to explicitly identify them as guidance tools aligned to industry standards, addressing a core point of confusion raised in the controversy.
• For cloud practitioners, this situation highlights the importance of understanding the distinction between compliance automation platforms and the independent auditors who issue attestations, a boundary that procurement teams are increasingly scrutinizing when evaluating vendor security posture.

06:12 Justin – “I think the reality is that, and we talked about this last week, is that SOC 2 audits are very heavily templatized. That’s how these companies make them, and they work them. They do need to be edited, reviewed, and approved, and the right things need to be done, but they can’t always start as a template. A template’s not the problem. It’s what appears to be the automation and then the rubber-stamping by these auditors.”

06:39 Delve – Fake Compliance as a Service – Part II – Day 1 of 5

• This article covers allegations against Delve, a compliance automation startup, and represents a follow-up to earlier reporting. It does not directly relate to cloud platform news typically covered on The Cloud Pod, but here are the relevant talking points for context.
• A whistleblower from Delve provided internal screenshots and recordings after the initial article, including conversations suggesting the company’s auditing partner, Accorp, may not conduct thorough evidence reviews before issuing SOC 2 reports.
• Internal communications indicate Delve built an automated report generation tool, which contradicts the company’s public claim that it does not generate compliance reports on behalf of clients.
• Leaked internal notes from Karun Kaushik, dated November 2024, acknowledge that Delve’s platform had not released any new compliance frameworks since January 2025, a period that overlaps with the company’s Series A fundraise, raising questions about the accuracy of investor materials.
• Delve has transitioned clients to a new auditing firm called Ezzy and Associates, telling clients they will not need to restart SOC 2 Type 2 observation periods despite the auditor change, which compliance professionals would generally consider irregular, given the reported evidence quality concerns.
• For cloud practitioners, this situation is a reminder that compliance automation tools require scrutiny of both the underlying audit processes and the third-party auditors involved, as the validity of certifications like SOC 2 depends on the rigor of evidence collection and review.

06:57 Justin – “It’s just getting worse. I don’t know that Delve actually survives this.” 

General News 

08:17 NVIDIA GTC 2026 Recap: Tokens & Inference

• Jensen Huang reframed how AI infrastructure ROI should be measured, shifting from raw compute specs to tokens per watt and token speed at a fixed power budget. 
• Vera Rubin is projected to deliver approximately 5x more revenue potential per gigawatt compared to Blackwell, which has direct implications for how cloud operators and enterprises evaluate hardware investments.
• The Vera Rubin platform integrates the acquired Groq 3 LPX chip alongside the Rubin GPU, with NVIDIA’s Dynamo software splitting inference workloads between the two chips. This heterogeneous approach delivers 35x more throughput per megawatt for latency-sensitive workloads compared to running Vera Rubin GPUs alone.
• NVIDIA introduced OpenClaw, an open-source agentic AI framework, alongside an enterprise-hardened version called NeMo Claw that adds policy enforcement, network guardrails, and a privacy router to prevent data exfiltration. The security layer addresses a real concern for organizations deploying agents with access to internal infrastructure.
• NVIDIA released six domain-specific open model families, including Nemotron for language tasks, BioNeMo for drug discovery, Cosmos for robotics simulation, and Earth2 for climate forecasting, positioning these as the foundation for sovereign AI deployments where organizations want to avoid dependence on a small number of external model providers.
• The DSX digital twin platform uses Omniverse to simulate thermal, electrical, and network conditions before a data center is physically built, with NVIDIA estimating roughly a factor of two in recoverable efficiency across a typical AI factory deployment through better design and live operational optimization.

09:51 Dave – “Being in technology, that is a great place to go to put your finger on the pulse of where things are.” 

27:28 GTC 2026 Confirmed It: The Inference Era Is Here 

• DigitalOcean is positioning itself specifically around production inference workloads, announcing a new Richmond data center built with NVIDIA HGX B300 systems and a 400 Gbps non-blocking RDMA fabric designed for reasoning and agentic use cases.
• The company is bringing NVIDIA Dynamo 1.0 to its Kubernetes offering and expanding model access for reasoning, long-context, multimodal, and agentic workloads, which addresses the operational complexity developers face when moving AI from experimentation into production.
• DigitalOcean reported over 43,000 OpenClaw deployments since launch, suggesting meaningful developer adoption for always-on assistant and agentic application use cases on their platform.
• The broader industry signal from NVIDIA GTC 2026 is that cost per token, time to first token, and uptime are becoming as important as model quality, shifting infrastructure conversations from raw compute to full-system optimization, including CPUs alongside accelerators.
• For smaller AI builders and startups, DigitalOcean’s focus on reducing setup friction through tools like 1-Click Droplets for NemoClaw and direct deployment from build.nvidia.com to Serverless Inference represents a practical alternative to hyperscaler complexity for running agents at scale.

27:42 Dave – “They are talking about a bubble – the people I’ve been talking to – but one of the neoclouds I was talking about said, ‘when we get to the point when we don’t have the need, we’re going to start powering the neighborhoods for free, so we’re just going to start giving out power for free’ so hopefully the good neighbor will extend out there.” 

28:12 You can finally change the goofy Gmail address you chose years ago

• Gmail turns 22 years old on April 1, and Google is marking the occasion by finally allowing US-based users to change their Gmail username without creating an entirely new account, addressing a long-standing limitation of the platform.
• The change is limited to once every 12 months per account, which Google has not formally explained but likely serves as a spam mitigation measure to prevent abuse of the feature.
• For cloud and IT professionals managing Google Workspace environments, this raises practical questions around identity management, email routing, and how username changes interact with existing integrations and third-party services tied to a Gmail address.
• The feature is rolling out gradually in the US, so not all accounts will see the option immediately, and it remains to be seen when international users outside the initial test group will get access. You can check here to see if the feature is available to you. 
• This highlights a broader tension in long-lived identity platforms where usernames chosen decades ago become liabilities, and how platforms balance user flexibility with the operational complexity of allowing address changes at scale.

30:00 TeamPCP Attack

• On March 19, threat actor group TeamPCP compromised Trivy, a widely used open-source vulnerability scanner from Aqua Security, by injecting credential-stealing malware into 75 GitHub Action tags, Docker images, and CI/CD pipelines, turning the security tool itself into the attack vector.
• The malware collected SSH keys, cloud credentials, Kubernetes secrets, and environment files from affected systems, with attackers then using those stolen credentials to pivot into LiteLLM, a Python framework for AI model API management, pushing two malicious versions to PyPI that executed automatically on Python process startup.
• The LiteLLM compromise reportedly yielded approximately 500,000 stolen credentials, and the attackers deployed privileged pods across Kubernetes clusters and installed persistent backdoors on nodes, demonstrating how a single supply chain entry point can cascade across entire production environments.
• This attack illustrates a notable pattern in modern supply chain compromises where each set of stolen credentials unlocks the next target, moving from CI/CD pipelines to public package repositories to production infrastructure in a deliberate escalation chain.
• Organizations relying on open-source security tooling in automated pipelines should audit recent Trivy and LiteLLM usage, check for the specific compromised versions noted, and review whether any credentials or secrets were exposed in affected environments.

Con’t Update: Ongoing Investigation and Continued Remediation

• The Trivy supply chain attack began in late February 2026 when attackers exploited a GitHub Actions misconfiguration to extract a privileged access token, then used residual credentials after an incomplete rotation to publish malicious artifacts on March 19, affecting version 0.69.4 and 76 of 77 trivy-action version tags.
• The attack’s most notable technique was force-pushing existing version tags to point at malicious commits, meaning CI/CD pipelines referencing those tags continued running without any visible indication of change, while the payload silently exfiltrated cloud credentials, SSH keys, Kubernetes tokens, and other secrets before legitimate scanning logic executed.
• Any organization that ran affected versions during the compromise window should treat all secrets accessible to those pipeline environments as exposed and rotate them immediately, including cloud provider credentials, container registry tokens, Git credentials, and NPM publish tokens, which researchers confirmed are being actively weaponized across the NPM ecosystem.
• The core hardening lesson from this incident is to pin GitHub Actions to full immutable commit SHA hashes rather than mutable version tags, since version tags can be silently redirected to malicious code without any workflow changes on the consumer side.
• Aqua’s commercial platform was isolated from the compromise because it uses a separate build system with no shared GitHub infrastructure, CI/CD pipelines, or signing systems, and its controlled integration process meant the malicious release was never incorporated into commercial products.

30:51 Hacker hijacks Axios open-source project, used by millions, to push malware

• A hacker compromised a maintainer account for the Axios JavaScript library on npm, pushing malicious versions that included a remote access trojan targeting Windows, macOS, and Linux users. 
• Axios receives over 100 million weekly downloads, making the potential exposure substantial.
• The attack window was approximately three hours before being detected and stopped, but security firm Aikido advises anyone who downloaded Axios during that period to treat their system as compromised. The self-deleting malware complicates forensic investigation and detection.
• Account takeover was the entry point here, with the attacker replacing the legitimate maintainer’s email to delay recovery. This highlights how a single compromised developer credential can weaponize a widely trusted package against an entire downstream ecosystem.
• This is another example of a software supply chain attack, a pattern that has affected SolarWinds, Log4j, and Polyfill.io in recent years. Developers and security teams should be reviewing dependency monitoring practices and considering tools that detect unexpected package version changes automatically.
• For cloud-focused teams, any CI/CD pipeline or serverless function that auto-installs npm dependencies without version pinning or integrity checks is a potential exposure point. Locking dependency versions and using tools like StepSecurity or Aikido for supply chain monitoring are practical mitigations worth discussing.

31:49 Jonathan – “I just can’t believe how much trust, blind trust, dumb trust, if you want to call it that, is involved in an awful lot of open source projects. I mean, the entirety of PyPy – I’ve got a module on PyPy – I could commit some bad code to my repo in 15 minutes; if somebody installs my package, it’s going to run. I’m not aware of a great deal of security checks that happen automatically on the backend there, but that entire ecosystem is built on trust. It’s not good at all.”

AI Is Going Great – Or How ML Makes Money 

34:06 Entire Claude Code CLI source code leaks thanks to exposed map file

• Anthropic accidentally shipped Claude Code npm version 2.1.88 with an exposed source map file, revealing nearly 2,000 TypeScript files and over 512,000 lines of code for the CLI tool. 
• Anthropic confirmed it was a packaging error, not a security breach, and stated that no customer data or credentials were exposed.
• The leaked code has already been archived, posted to a public GitHub repository, and forked tens of thousands of times, meaning the codebase is effectively public regardless of any takedown efforts. 
• This gives competitors and developers a detailed look at how Anthropic built its agentic coding tool.
• Developers analyzing the code have surfaced technical details about Claude Code’s memory architecture, including background memory rewriting and memory validity verification steps. 
• These implementation details were previously undocumented and give insight into how the tool manages context across long coding sessions.
• For cloud developers and teams evaluating AI coding tools, the leak provides an unusually transparent view into the engineering decisions behind a production agentic CLI, which could inform how teams build or evaluate similar tooling. It also raises a practical reminder about source map hygiene in npm package publishing pipelines.

35:51 Jonathan – “The question is, did you really need the unobfuscated source code anyway? You’ve got AI tools. You can literally point Claude at it and say, hey, how does this work? I know because I did it a year ago.”

AWS

37:39 Customize your AWS Management Console experience with visual settings including account color, region and service visibility

• AWS introduced User Experience Customization (UXC) in August 2025 and is now expanding it with the ability to hide unused Regions and services from the console, reducing visual clutter for teams working in scoped environments.
• Account color coding is a practical multi-account management tool, letting administrators assign colors like red for production and orange for development to reduce the risk of accidental changes in the wrong environment.
• The visibility settings are cosmetic only and do not restrict access via AWS CLI, SDKs, or APIs, so teams should not confuse this with a security or governance control like Service Control Policies.
• Administrators can manage these settings programmatically using a new AWS CloudFormation resource type AWS::UXC::AccountCustomization with visibleServices and visibleRegions parameters, making it deployable at scale across accounts.
• There is no additional cost mentioned for UXC customization features, and they are available today in the AWS Management Console with configuration options accessible through the unified settings gear icon.

39:26 AWS Lambda supports up to 32 GB of memory and 16 vCPUs for Lambda Managed Instances

• Lambda Managed Instances now supports up to 32 GB of memory and 16 vCPUs, tripling the previous limits of 10 GB and roughly 6 vCPUs, which opens the door for workloads like media transcoding, large-scale data processing, and scientific simulations to run serverlessly.
• A notable addition here is the configurable memory-to-vCPU ratio at 2:1, 4:1, or 8:1, giving developers actual control over resource balance rather than the fixed proportional scaling that standard Lambda has always used.
• Lambda Managed Instances run functions on managed EC2 instances with built-in routing, load balancing, and auto-scaling, so customers get specialized compute configurations, including the latest-generation processors and high-bandwidth networking without taking on operational overhead.
• Pricing will be worth watching closely since Lambda Managed Instances sit in a different cost tier than standard Lambda, and teams should evaluate whether the compute gains justify the cost difference compared to running equivalent workloads on ECS or EKS.
• Configuration is available through the AWS Console, CLI, CloudFormation, CDK, and SAM in all regions where Lambda Managed Instances are generally available, so adoption fits into existing infrastructure-as-code workflows without requiring new tooling.

40:18 Jonathan – “Lambda’s already pretty cheap to begin with, though. I wonder quite how much they could charge for managing the control plane, and are you still paying for the compute? Not a lot, I would think. Maybe they charge per host, or a small fixed fee per invocation, or something. It’s going to be interesting.”

41:56 AWS launches frontier agents for security testing and cloud operations | Artificial Intelligence

• AWS has launched two generally available frontier agents: AWS Security Agent for autonomous penetration testing and AWS DevOps Agent for incident resolution and SRE tasks. 
• These differ from typical AI assistants in that they operate independently for hours or days without constant human direction to complete complex, multi-step workflows.
• AWS Security Agent ingests source code, architecture diagrams, and documentation to identify attack chains that traditional scanners miss, compressing penetration testing timelines by over 90% according to early customers. This shifts pen testing from a periodic, cost-constrained activity to an on-demand capability available 24/7 across an entire application portfolio.
• AWS DevOps Agent integrates with a broad set of existing tools, including CloudWatch, Datadog, Dynatrace, Splunk, GitHub, and Azure DevOps, making it usable across multicloud and on-premises environments. Preview customers report up to 75% lower MTTR and 94% root cause accuracy, with WGU cutting one incident resolution from two hours to 28 minutes.
• The DevOps Agent can work alongside tools like Kiro and Claude Code to not only identify root causes but generate validated fixes that feed back into CI/CD pipelines, moving the capability beyond investigation into actual remediation.
• Pricing details are not specified in the announcement, so teams evaluating these services should check the AWS Security Agent and AWS DevOps Agent product pages directly for current cost information before planning adoption.

43:07 Jonathan – “Let me just scratch DevOps off my list of potential jobs.” 

46:22 Amazon Bedrock AgentCore Evaluations is now generally available

• Amazon Bedrock AgentCore Evaluations is now generally available, offering automated quality assessment for AI agents through two modes: online evaluation that continuously samples and scores live production traffic, and on-demand evaluation that plugs into CI/CD pipelines for regression testing.
• The service ships with 13 built-in evaluators covering response quality, safety, task completion, and tool usage, reducing the need for teams to build custom scoring logic from scratch before they can start measuring agent behavior.
• For teams with domain-specific needs, custom evaluators can be configured using your own prompts and model choice for LLM-based scoring, or implemented as Python or JavaScript functions hosted in Lambda for code-based evaluation logic.
• Ground Truth support lets developers measure agents against reference answers, behavioral assertions at the session level, and expected tool execution sequences, giving teams a structured way to define and validate what correct agent behavior actually looks like.
• AgentCore Evaluations integrates with AgentCore Observability for unified monitoring and real-time alerts, and is available across nine AWS regions, including US East, US West, multiple Asia Pacific regions, and two European regions. Pricing details are not specified in the announcement, so check the AWS pricing page for current costs.

47:17 Justin – “I like the idea of this, but then if you’re continuously monitoring it and it degrades, what do you do? What’s step two? Like, we detected it, cool, now what?”

57:10 Build a FinOps agent using Amazon Bedrock AgentCore

• AWS published a reference architecture for building a FinOps agent using Amazon Bedrock AgentCore that consolidates data from Cost Explorer, AWS Budgets, and Compute Optimizer into a single conversational interface, giving finance teams natural language access to cost analysis without navigating multiple consoles.
• The solution uses five CDK stacks to wire together AgentCore Runtime, Gateway, Memory, and Identity components alongside the Strands Agent SDK and Model Context Protocol servers, showing how these newer AgentCore building blocks fit together in a production-style deployment that takes roughly 15-20 minutes to stand up.
• AgentCore Memory retains 30 days of conversation context, which means users can ask follow-up questions like “what about the second one?” without re-explaining prior context, a practical improvement for teams doing iterative cost investigations.
• The architecture transforms open-source AWS Labs MCP servers from stdio transport to streamable HTTP, builds them as ARM64 Graviton container images, and hosts them on AgentCore Runtime with JWT authorization, which is a useful pattern for teams looking to adapt existing MCP tooling for hosted agent environments.
• Pricing for this solution involves multiple services, including Bedrock model inference with Claude Sonnet 4.5, AgentCore Runtime and Memory, Cognito, CodeBuild, and ECR, so costs will vary based on query volume and conversation history retention rather than a flat rate.

58:31 Dave – “I can’t wait to kick the tires on that one!” 

59:03 Building an AI-powered system for compliance evidence collection

• AWS published a reference architecture for automating compliance evidence collection using Amazon Bedrock with the Amazon Nova 2 Lite model and a browser extension for Chrome and Firefox. 
• The solution replaces manual screenshot workflows by executing pre-defined JSON workflows that navigate web applications, capture timestamped screenshots, and store organized evidence in S3.
• The AI layer operates in three modes: chat for ad-hoc compliance questions, designer mode for generating workflow JSON from uploaded compliance documents, and report generation mode that produces an HTML report delivered via Amazon SES after workflow completion.
• Authentication uses Amazon Cognito with AWS STS to provide scoped, least-privilege credentials to the browser extension, meaning the extension only gets access to Bedrock, S3, and SES rather than broad account permissions.
• The entire infrastructure deploys via a single CloudFormation template that creates the Cognito user pool, identity pool, S3 bucket with encryption and versioning, IAM roles, and Lambda functions in minutes. The sample code is available at the aws-samples GitHub repository.
• Costs will vary based on Amazon Bedrock Nova 2 Lite inference usage, S3 storage for screenshots and reports, and SES sending volume, so organizations with frequent audit cycles should model their expected workflow execution frequency before deploying at scale.

1:00:00 Jonathan – “Screenshots? Why are we using screenshots in 2026?” 

GCP

1:00:46  TurboQuant: Redefining AI efficiency with extreme compression

• Google Research has published TurboQuant, a vector quantization algorithm that compresses LLM key-value cache data to as low as 3 bits without requiring model retraining or fine-tuning, while maintaining accuracy on standard benchmarks like LongBench and Needle In A Haystack using Gemma and Mistral models.
• The core technical approach combines two sub-algorithms: PolarQuant, which converts vectors to polar coordinates to eliminate normalization overhead, and QJL (Quantized Johnson-Lindenstrauss), which uses a single sign bit per value to achieve zero memory overhead error correction.
• Performance results show 4-bit TurboQuant achieves up to 8x speedup in computing attention logits compared to 32-bit unquantized keys on H100 GPUs, and reduces key-value memory footprint by at least 6x, which is relevant for teams running inference at scale.
• For vector search use cases, TurboQuant outperforms existing methods like PQ and RabbiQ on recall ratios without requiring dataset-specific tuning or large codebooks, making it a practical option for semantic search systems operating over billions of vectors.
• Google notes this research applies directly to Gemini’s key-value cache bottlenecks and large-scale search infrastructure, though no specific GCP product integration or pricing details have been announced alongside the research publication.

1:02:28 Jonathan – “What’s funny about this whole technology is that the video game industry has been using exactly the same algorithms for 25 years. And this is just a new application of the same technology. It’s kind of funny. Hey guys, we’ve got a new paper out!”

1:03:41 AI Tools for Sustainable Infrastructure and Reporting

• Google published an open-source AI playbook for sustainability reporting, documenting how they used Gemini to cross-reference environmental claims against internal policies and NotebookLM to turn their static Environmental Report into a queryable knowledge base. 
• The playbook includes specific prompts and lessons learned, making it a practical resource for teams building similar workflows.
• Equinix built a sustainability data lake in BigQuery that automatically ingests data from 240+ global sites, reducing their reporting cycle from weeks of manual spreadsheet work to on-demand insights. This was driven by a 46% year-over-year increase in customer sustainability data requests, which made manual processes unsustainable at scale.
• The Equinix case illustrates a cost and efficiency argument for serverless architecture, where moving to BigQuery eliminated idle compute resources, reduced energy consumption, and improved performance per watt. Google frames this as a triple win of price, performance, and environmental footprint.
• Google is connecting this work to their Well-Architected Framework sustainability pillar, using a 4Ms model covering Machine, Model, Mechanization, and Map as a structured approach for customers designing efficient AI and data infrastructure. 
• The WAF sustainability pillar documentation is available here.
• The practical takeaway for GCP customers is that sustainability reporting can shift from a manual compliance exercise to a data product with strategic value, particularly for organizations managing large real estate or infrastructure footprints where energy and resource data is already being collected across many sites.

Azure

1:04:36 Public Preview: AI Agent for container networking troubleshooting

• Azure has launched a public preview of an AI agent designed to help engineers troubleshoot Kubernetes networking issues through a lightweight web-based interface, addressing the common problem of logs and metrics being scattered across multiple tools.
• The core value here is reducing manual correlation work during incidents, where engineers typically have to jump between kubectl, Azure Monitor, and other diagnostics tools to piece together what went wrong in a cluster network.
• This fits into Microsoft’s broader push to embed AI assistance directly into operational workflows rather than requiring engineers to leave their environment and consult separate documentation or support channels.
• Target users are platform and DevOps engineers running containerized workloads on Azure Kubernetes Service who deal with networking incidents and want faster root cause identification without deep networking expertise.
• The feature is currently in public preview, so pricing details are not yet confirmed, and teams should evaluate it with that in mind before building it into critical incident response workflows. More details are available at the Azure Updates page at azure.microsoft.com/en-us/updates with ID 557887.

1:05:33 Dave – “Well, my first thought on this is that if most teams, at least that I’ve built, are already pulling all that data in there and finding a way to correlate the data and we resolve those issues quicker. So good for them for just automating that.”

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• SOC 2 It to Me Delve Fires Back 
• Shell Yeah Bedrock Agents Just Got Command Line Powers
• When Your SOC 2 Report Is Just Fan Fiction
• uv, Ruff, and ty Walk Into an OpenAI Acquisition
• Hash Field Expiration Is Here, and It’s No Redis Herring
• Stop Paying Full Price for Tokens You Already Bought
• Fake It Till You Audit It
• Cache Me If You Can CNCF Sandbox Edition
• Microsoft Learns Consent Matters in Copilot Rollout
• Microsoft’s Stinky Cloud Gets Federal Seal of Approval
• When Your Audit Trail Leads to a Blog Fight
• Ping Your AI Agent on Discord Like a Millennial
• Twenty Years of AWS and the Bill Never Stops
• The LLM hack that feels a lot like Node Shift Left Package issues
• Claude Code Auto Mode Lets AI Work Unsupervised
• Stop Babysitting Your AI Claude Code Goes Solo
• Auto Mode Gives Claude Code the Keys to the Car
• Java comes to the coffee shop with AI

General News 

01:21 Customer Updates: Stryker Network Disruption 

• Stryker confirmed a cyberattack on March 11, 2026, that disrupted their internal Microsoft corporate environment, affecting order processing, manufacturing, and shipping, but notably not their connected medical devices or cloud-hosted products.
• The attack vector was specific to Stryker’s Microsoft environment, which meant products running on AWS (Vocera Edge, Vocera Ease) and Google Cloud Platform (care.ai) were architecturally isolated and unaffected, demonstrating a practical benefit of multi-cloud separation.
• Stryker explicitly stated this was not ransomware or malware, and government agencies, including CISA, FBI, and the White House National Cyber Director, were engaged, with domain seizures linked to threat actors already executed.
• The incident highlights how healthcare organizations can architect medical device and cloud product infrastructure to be independent of corporate IT environments, as every product from Mako to SurgiCount to LIFEPAK operated normally due to network segmentation.
• Real-world patient impact was limited but present, with some personalized implant cases rescheduled due to shipping delays, underscoring that even contained corporate IT incidents can have downstream effects on physical supply chains.

02:30 Justin – “HugOps to the entire Stryker team; I couldn’t imagine having to rebuild my entire Windows estate at a company the size of Stryker in the middle of trying to do business and everything else.” 

05:00 Federal cyber experts called Microsoft’s cloud a “pile of shit,” and approved it anyway

• FedRAMP authorized Microsoft’s Government Community Cloud High despite internal reviewers finding insufficient security documentation, issuing an unusual “buyer beware” notice to agencies considering the product. 
• This raises questions about the integrity of the federal cloud authorization process when commercial pressures intersect with security evaluations.
• The GCC High offering is specifically designed to handle some of the US government’s most sensitive data, making the documentation gaps particularly consequential, given that Microsoft had already been linked to two significant federal breaches involving Russian and Chinese state actors.
• The core technical concern was Microsoft’s inability to adequately document how data is protected as it moves between servers within their cloud infrastructure, leaving reviewers unable to assess the system’s overall security posture with confidence.
• For cloud practitioners and federal agencies, this situation highlights the risk of relying on vendor-provided security documentation without independent verification, especially for high-sensitivity workloads where compliance approval does not necessarily equal verified security.
• The outcome has broader implications for FedRAMP’s credibility as a security benchmark, since agencies selecting cloud providers often treat authorization as a meaningful security signal rather than a conditional or incomplete endorsement.

06:00 Ryan – “If you can’t adequately explain how basic things like encryption and security controls are handled in your environment, that’s not good, right? Because while it’s not completely indicative of a security problem, it’s highly suspect.” 

06:51 Delve – Fake Compliance as a Service – Part I 

• A detailed investigation alleges that Delve, a compliance automation platform, fabricates audit evidence, including board meeting records and test results, then uses Indian certification mills operating through US shell entities to rubber-stamp reports rather than conduct independent verification.
• The core technical concern is that Delve reportedly generates identical audit reports across all clients, meaning the auditor independence required by AICPA and ISO standards is structurally violated since Delve itself is effectively acting as both platform and auditor.
• Companies using Delve for HIPAA or GDPR compliance may face significant regulatory exposure, as the article claims the platform skips major framework requirements while telling clients they have achieved 100% compliance, potentially creating criminal liability under HIPAA and fines up to 4% of global revenue under GDPR.
• The investigation highlights a broader issue in the compliance automation space where AI and automation claims may not reflect actual product capabilities, with the article describing Delve as essentially a template pack with a SaaS wrapper rather than a genuinely automated compliance tool.
• For cloud-focused companies evaluating compliance platforms, this case underscores the importance of verifying auditor independence credentials, requesting evidence of actual testing procedures, and understanding whether a platform produces genuinely customized documentation or pre-populated templates adopted with minimal review.
• Interested in reading the leaked spreadsheet? Find those here and the leaked documents here. 

08:47 Ryan – “I’m not a big fan of checkbox security and having that around just for compliance purposes. But it’s also like, this is really a misrepresentation. You look at things and, and it’s certified by Delve; it’s not certified by these other companies. And if all that evidence, the specifics they listed in the report are crazy, just how, like, this is not cool. It’s just generated. It’s not even real in the slightest.”

11:37 Response to Misleading Claims 

• Delve is a SOC 2 compliance automation platform serving over 1,700 customers, and this response addresses a Substack post making claims about the legitimacy of its audit processes. 
• The core distinction Delve makes is that it automates evidence collection and provides templates, while independent licensed auditors retain sole authority to issue final reports.
• The debate touches on a broader industry practice where compliance platforms provide standardized control sets based on AICPA and ISO frameworks, meaning structural overlap across reports is expected rather than evidence of fraud. 
• This is worth discussing because buyers of compliance software often do not fully understand where the platform ends and the auditor begins.
• Delve claims 120+ automated integrations, which is a notable gap from the 14 cited in the original criticism, and speaks to how quickly compliance tooling has evolved in the cloud ecosystem. 
• For cloud-native companies pursuing SOC 2, the depth of integrations directly affects how much manual evidence collection is required.
• The use of pre-filled templates for board minutes and policies is standard practice across compliance platforms, but it raises a legitimate question about whether customers treat these as starting points or simply submit them unchanged. 
• This is a real risk area for organizations where compliance becomes a checkbox exercise rather than a genuine security posture.
• The competitive compliance automation market, which includes players like Vanta and Drata, means disputes like this are likely to continue as vendors differentiate on auditor quality, automation depth, and pricing. 
• Listeners evaluating compliance tools should independently verify auditor accreditation regardless of which platform they use.

13:08 Ryan – “I would argue the use of pre-filled templates is common…prefilled and direct copied templates from between companies.” 

19:04 Supply Chain Attack in litellm 1.82.8 on PyPI

• Litellm versions 1.82.7 and 1.82.8 on PyPI were found to contain a malicious .pth file that executes automatically on every Python process startup, with no corresponding release on the official GitHub repository, indicating the PyPI account was likely compromised.
• The malware follows a three-stage attack pattern: collecting SSH keys, cloud credentials, .env files, and Kubernetes configs; encrypting and exfiltrating them to a domain unrelated to legitimate litellm infrastructure; then attempting persistent backdoor installation via systemd and privileged Kubernetes pod creation.
• The attack was discovered because a bug in the malware caused an exponential fork bomb through a recursive .pth file, triggering, which crashed the host machine and made the compromise visible rather than silent.
• Any developer or CI/CD pipeline that pulled litellm as a transitive dependency after March 24, 2026, should treat all credentials on that machine as compromised and rotate SSH keys, cloud provider tokens, API keys, and database passwords immediately.
• This incident highlights the risk of supply chain attacks through transitive dependencies, where a package you never directly installed can introduce malicious code into your environment, making dependency auditing and package integrity verification important practices for cloud-connected development workflows.

21:21 Justin – “Yeah… that’s bad too.” 

KUBECON EU

23:24 GKE and OSS innovation at KubeCon EU 2026

• GKE Autopilot is no longer a cluster-level decision made at creation time. Standard clusters can now enable Autopilot compute classes on a per-workload basis, removing the need to create entirely new clusters when workload requirements change.
• Google is open-sourcing the GKE Cluster Autoscaler, one of the core infrastructure provisioning components, with the goal of making it available to the broader Kubernetes community as a vendor-neutral tool.
• llm-d, a Kubernetes-native distributed inference framework built with Red Hat and NVIDIA, has been accepted as a CNCF Sandbox project. It addresses inference-aware traffic management, multi-node replica orchestration, and KV cache offloading in a hardware-agnostic way.
• Google released an open-source DRA driver for TPUs, coordinated alongside NVIDIA, donating their own DRA driver, establishing Dynamic Resource Allocation as a shared standard for describing specialized hardware across Kubernetes workloads.
• TPU support is coming to Ray v2.55 with backing from both Google and Anyscale, and a new Ray History Server in alpha allows users to debug completed or terminated RayJobs using persisted logs, state, and metrics through the Ray Dashboard on GKE.

24:29 Ryan – “It’s super nice of them to open source that, because it does seem like a very powerful thing to use. I love the idea of having individual workloads on a cluster, and be able to delegate to managed and unmanaged… it’s kind of neat.”  

24:49 llm-d officially a CNCF Sandbox project

• llm-d has been accepted as a CNCF Sandbox project, with Google Cloud as a founding contributor alongside Red Hat, IBM Research, CoreWeave, and NVIDIA. 
• The project aims to extend Kubernetes for LLM inference workloads under an open-source model with no vendor lock-in, available at llm-d.ai.
• The core technical contribution is model-aware request routing through the llm-d Endpoint Picker, which considers KV-cache hit rates, in-flight requests, and queue depth to direct traffic to optimal backends. 
• In production testing on Vertex AI, this approach reduced Time-to-First-Token latency by over 35% for coding workloads and improved P95 tail latency by 52% for bursty chat workloads.
• A notable outcome of the routing intelligence was doubling Vertex AI’s prefix cache hit rate from 35% to 70%, which directly reduces re-computation overhead and lowers cost-per-token for high-volume inference deployments.
• Google leads development of the Kubernetes LeaderWorkerSet API, which llm-d uses to orchestrate prefill and decode disaggregation across independently scalable pods, supporting both TPU and GPU fleets at scale.
• Google has also extended vLLM natively for Cloud TPUs with a unified PyTorch and JAX backend, delivering up to 5x throughput gains over the initial release. Pricing for running llm-d workloads depends on underlying GKE and accelerator costs, which vary by instance type and region.

26:21 What’s new with Microsoft in open-source and Kubernetes at KubeCon + CloudNativeCon Europe 2026 

• Dynamic Resource Allocation has reached general availability in Kubernetes, and Microsoft’s DRANet now includes upstream support for Azure RDMA NICs, meaning GPU-to-NIC topology alignment is handled at the scheduler level rather than through manual configuration. 
  • This matters for teams running distributed training workloads where network topology directly affects performance.
• AI Runway is a new open-source project under the KAITO umbrella that provides a common Kubernetes API for inference workloads, with a web interface, HuggingFace model discovery, GPU memory fit indicators, and real-time cost estimates. 
  • It supports multiple runtimes, including NVIDIA Dynamo and KubeRay, giving platform teams a single control plane for model deployments without requiring end users to know Kubernetes.
• AKS networking gets several notable updates, including Azure Kubernetes Application Network for identity-aware mTLS and traffic telemetry without a full service mesh, WireGuard encryption at the node level via Cilium, and Pod CIDR expansion that lets clusters grow IP ranges in place rather than requiring a full rebuild. 
  • Pricing for Advanced Container Networking Services features like Cilium mTLS is not specified in the announcement.
• On the observability side, AKS now surfaces GPU utilization directly into managed Prometheus and Grafana, closing a monitoring gap that previously required manual exporter configuration.
  • A new agentic container networking interface also lets operators run natural-language diagnostic queries against live telemetry, reducing time to identify network issues.
• Blue-green agent pool upgrades and agent pool rollback are now available in AKS, letting teams provision a parallel node pool with the new configuration, validate it, and revert to the previous Kubernetes version and node image if problems appear. 
• AKS Desktop also reached general availability, giving developers a local environment that mirrors production AKS configuration.

27:42 Ryan – “And if you’ve ever debugged an issue on Kubernetes, then you know that there’s logs everywhere that you have to go and review and correlate across each other, so having an agent that can go and look across all those places and diagnose issues is fantastic.” 

AI Is Going Great – Or How ML Makes Money 

28:22 Project SnowWork: The easiest way for business users to get work done

• Snowflake announced Project SnowWork in Research Preview, an agentic AI platform targeting business users in finance, sales, marketing, and operations who need to complete multi-step data workflows without writing code or relying on technical teams.
• The platform differentiates itself from general AI assistants by grounding outputs in an organization’s existing Snowflake data and automatically enforcing existing RBAC and governance policies, meaning users only see data they are already authorized to access.
• Project SnowWork ships with pre-built persona profiles for specific business functions, so a finance user gets workflows tuned to FP&A KPIs and close narratives while a sales user gets pipeline risk summaries, rather than a one-size-fits-all interface.
• Practical use cases highlighted include compressing financial close storytelling from days to a single workflow and replacing manual pipeline rollups with automated executive briefs, which gives listeners a concrete sense of the time savings being targeted.
• Access is currently limited to a select group of customers in a collaborative research preview, so this is not a general availability release, and organizations interested in early access would need to engage directly with Snowflake.

27:42 Ryan – “I do like the idea of bringing AI to the data rather than the data to the AI, which is a common problem, especially in enterprise platforms. I worry a little bit;  The RBAC and authorization in Snowflake is very complex, and I wonder if people are actually going through and actually defining those in a way that would be proper segmentation? But I guess, you know, they have access to it today, they just have to know how to query it.”

30:10 OpenAI to acquire Astral 

• OpenAI is acquiring Astral, the company behind three widely adopted Python developer tools: uv for dependency and environment management, Ruff for linting and formatting, and ty for type safety enforcement. 
• The Astral team will join the Codex team after the deal closes, pending regulatory approval.
• Codex has reached over 2 million weekly active users, with 3x user growth and 5x usage increase since the start of 2025. This acquisition appears aimed at deepening Codex’s ability to operate across the full Python development lifecycle rather than just generating code snippets.
• The stated goal is to move Codex toward participating in complete development workflows, including planning changes, modifying codebases, running tools, verifying results, and maintaining software over time. Integrating Astral’s tooling directly into that workflow gives Codex agents access to infrastructure developers already use daily.
• OpenAI has committed to continuing support for Astral’s open source projects after closing, which matters to the Python community given how widely these tools are already embedded in developer workflows. Developers using uv or Ruff should not expect immediate disruption to those projects.
• For cloud and platform teams, this signals a trend toward AI coding agents that are tightly coupled with language-specific toolchains rather than operating as generic code generators, which could influence how development environments and CI/CD pipelines are structured going forward.

30:47 Justin – “I don’t know why they needed to buy the company to do all this, it is open source already.” 

32:50 Anthropic just shipped an OpenClaw killer called Claude Code Channels, letting you message it over Telegram and Discord 

• Anthropic released Claude Code Channels in version 2.1.80, enabling developers to connect their Claude Code sessions to Telegram and Discord bots, shifting from a synchronous chat model to an asynchronous, persistent agent that can work autonomously and notify users when tasks are completed.
• The feature is built on Anthropic’s open-source Model Context Protocol, which acts as a standardized bridge between Claude Code and external messaging platforms. 
• The setup uses the Bun JavaScript runtime to run a polling service that injects incoming messages as session events, allowing Claude to execute code, run tests, and reply back through the messaging app.
• Practically, this eliminates the need for developers to maintain dedicated hardware like a Mac Mini running open-source agent frameworks 24/7, since Claude Code itself now handles session persistence when run in a background terminal or on a VPS.
• The plugin architecture is open, with official Telegram and Discord connectors hosted on GitHub under Anthropic repositories, meaning the community can build additional connectors for platforms like Slack or WhatsApp without waiting for Anthropic to ship them natively.
• The feature remains tied to Anthropic’s commercial subscriptions (Pro, Max, and Enterprise), so while the MCP layer is open, the underlying Claude model and Claude Code harness are proprietary, which is an important cost and vendor-lock consideration for teams evaluating this against self-hosted alternatives.

33:50 Justin – “I tried to use this, and it don’t work for me, but I didn’t have enough time to test it, I had too many Claude sessions going, and I needed to kill all of them and update properly to the 2.1.80 version. But I am curious to play with it a little more.”      

35:34 Put Claude to work on your computer 

• Anthropic has launched computer use capabilities in Claude Cowork and Claude Code, now in research preview for Pro and Max subscribers on macOS. Claude can directly control a browser, mouse, keyboard, and screen to complete tasks when no direct connector exists, with no setup required.
• The feature follows a tool priority hierarchy, reaching for service connectors like Slack or Google Calendar first, then falling back to direct computer control. Claude requests explicit permission before accessing new applications and can be stopped at any point.
• Anthropic has built in prompt injection safeguards by scanning model activations during computer use sessions. They acknowledge that the capability is still early and recommend users avoid sensitive data and start with trusted applications only.
• Dispatch, released alongside this update, enables a continuous conversation thread between mobile and desktop, letting users assign tasks from their phone and pick up completed work on their computer. 
  • Use cases include automated morning email checks, scheduled metric pulls, and triggering Claude Code sessions for pull requests.
• The combination of Dispatch and computer use means Claude can execute multi-step workflows on a desktop while the user is away, such as making IDE changes, running tests, and submitting a PR. 
• Current limitations include macOS-only support, slower execution compared to direct integrations, and occasional need for retries on complex tasks.

36:28 Ryan – “I didn’t know this was macOS only, because I was going to put it on my Linux server so I could get compute that wasn’t my laptop.” 

38:32 Auto mode for Claude Code

• Anthropic launched auto mode for Claude Code in research preview for Team plan users, with Enterprise and API access coming soon. It works with both Claude Sonnet 4.6 and Opus 4.6, offering a middle ground between the default conservative permission prompts and the risky dangerously-skip-permissions flag.
• The core mechanism is a classifier that reviews each tool call before execution, automatically blocking potentially destructive actions like mass file deletion, sensitive data exfiltration, or malicious code execution, while letting safe actions proceed without interruption.
• This directly addresses a practical developer workflow problem: Claude Code’s default mode requires frequent human approvals that prevent truly unattended long-running tasks, and auto mode allows developers to kick off extended jobs without babysitting the process.
• Anthropic is transparent about the limitations, noting the classifier may still allow some risky actions when user intent is ambiguous, and may occasionally block benign ones. They continue to recommend using it in isolated environments rather than treating it as a fully safe alternative.
• There is a small performance tradeoff to be aware of, as auto mode adds some overhead to token consumption, cost, and latency per tool call due to the classifier running before each action.

AWS

41:21 Amazon Bedrock AgentCore Runtime now supports shell command execution

• Amazon Bedrock AgentCore Runtime now includes InvokeAgentRuntimeCommand, an API that lets developers execute shell commands directly inside a running agent session, streaming output in real time over HTTP/2 and returning exit codes without custom container logic.
• The practical benefit here is that AI agents frequently need to run deterministic operations like tests, dependency installs, or git commands alongside LLM reasoning, and previously, developers had to build all that process management themselves inside their containers.
• Commands run in the same container, filesystem, and environment as the agent session and can execute concurrently with agent invocations without blocking, which simplifies architectures for coding agents, CI/CD automation, and similar workflows.
• The feature is available across 14 AWS regions, including major US, European, and Asia Pacific locations, giving teams broad geographic coverage for latency-sensitive or data-residency-constrained workloads.
• Pricing details are not specified in the announcement, so teams evaluating this should check the AgentCore Runtime pricing page directly before building cost models around heavy command execution workloads.

42:11 Ryan – I do get the advantages of this. Most of my use cases in GitHub Autopilot or Cloud Code it’s running Shell to do lots of things, especially executing tests, and so for CI-CD type workflows, you couldn’t do anything without it. I’m really curious how teams were working around this; people that were previously using Agent Core, because I bet that is ugly. But yeah, it’s going to be dangerous.”

42:56 Amazon Inspector expands agentless EC2 scanning and introduces Windows KB-based findings

• Amazon Inspector now supports agentless EC2 scanning for a broader range of software, including WordPress, Apache HTTP Server, Python packages, and Ruby gems, plus Windows OS vulnerabilities, with no configuration changes required for existing customers.
• The new Windows KB-based findings consolidate multiple CVEs addressed by a single Microsoft patch into one finding, surfacing the highest CVSS score, EPSS score, and exploit availability, which reduces noise and makes remediation more straightforward.
• All existing CVE-based Windows OS findings will automatically transition to KB-based findings, meaning security teams will see fewer duplicate alerts and can map findings directly to specific Microsoft patches via included KB article links.
• The agentless approach lowers the operational overhead for security teams managing large EC2 fleets, particularly in environments where installing and maintaining agents is restricted or impractical.
• Both capabilities are available across all AWS Regions where Amazon Inspector is currently offered, and pricing follows the existing Inspector model based on instance scanning volume, so customers should review the Inspector pricing page for current rates.

43:33 Justin – “I’m actually shocked this wasn’t already there, because CVE is really just the generic way that you would find these, but typically they’re always linked to a knowledge-based article which then typically links you to the patch, so I don’t know how people got from the CVE to the patch without this before, other than maybe the CVE mentions the KB articles.”

22:53 Amazon ECR now supports pull-through cache for Chainguard

• Amazon ECR pull-through cache now supports Chainguard as an upstream registry source, allowing customers to automatically sync Chainguard container images into ECR without building custom synchronization workflows.
• Chainguard images are known for their minimal attack surface and security-focused builds, so pairing them with ECR’s native image scanning and lifecycle policies gives teams a more integrated security posture for their container supply chain.
• The practical benefit here is operational simplicity: teams using Chainguard images at scale no longer need separate tooling to keep images current, as ECR handles the sync automatically and frequently.
• Cached Chainguard images inherit standard ECR capabilities, including lifecycle policies for cost management and image scanning, which means customers get consistent governance across both their own images and upstream Chainguard images.
• The feature is available in all AWS regions where ECR pull-through cache is supported, and pricing follows standard ECR storage and data transfer rates with no additional charge specific to the Chainguard integration. Full details are in the ECR pull-through cache documentation here. 

46:22 Matt – “It’s massive, but checks a box for your security team, right, that doesn’t want to understand how containers work. Just use this one, and you’ll have to worry about it. It’s like, but I can install anything I want on it. So is it actually going to help?”

47:57 AWS at 20*: Inside the rise of Amazon’s cloud empire, and what’s at stake in the AI era

• AWS turns 20 this month, growing from 10 cents per compute hour in 2006 to nearly $129 billion in annual revenue, which would place it in the Fortune 500 top 40 as a standalone company. 
• The article traces how S3 and EC2 established the pay-per-use primitive model that directly undercut Oracle-style licensing and reshaped enterprise IT economics.
• Bedrock has become the fastest-growing service in AWS history, surpassing 100,000 customers and generating multi-billion dollar revenue with 60% quarter-over-quarter spending growth. AWS built it as a multi-model platform rather than pushing a single in-house option, following the same pattern it used with CPUs and GPUs by offering AMD, Intel, Graviton, Nvidia, and Trainium alongside each other.
• Project Rainier, an AI compute cluster powered by over 500,000 Trainium2 chips in Indiana, represents AWS attempting to reduce dependence on Nvidia by building its own silicon stack from chip to data center. 
• The OpenAI partnership, worth up to $100 billion in cloud commitments over eight years, brings OpenAI workloads onto Trainium chips, making it the second major AI lab after Anthropic to commit to Amazon’s custom silicon.
• AWS still leads cloud revenue at over $116 billion annually, but Azure at $75 billion and Google Cloud at $50 billion annual run rates show the gap narrowing, particularly in AI workloads. 
• Corey Quinn’s Cisco analogy is worth discussing: AWS could remain profitable and essential while becoming less central to where AI innovation actually happens.
• Jassy has publicly projected AWS could reach $600 billion in annual revenue by 2036 with AI as the driver, backing that with $200 billion in capital expenditure planned for this year alone, which would consume nearly all of Amazon’s operating cash flow.
• Happy Birthday 

49:37 AWS MCP Server (Preview) now with enhanced monitoring and semantic search capability

• AWS MCP Server in preview now automatically publishes metrics to CloudWatch under the AWS-MCP namespace at no additional cost, covering invocation counts, success rates, client errors, server errors, and throttling for individual tools like the AWS API caller and Agent SOP retriever.
• Agent SOPs are pre-built, tested workflows that guide AI assistants through complex multi-step AWS tasks, and the documentation search tool now uses semantic similarity so agents can discover the right SOP through natural language queries rather than exact keyword matching.
• The CloudWatch integration addresses a previous gap where customers had no visibility into agent-driven changes, enabling teams to track usage patterns, identify permission issues, and configure alarms when error rates exceed defined thresholds.
• The service is currently available only in US East (N. Virginia) in preview, which is worth noting for teams with data residency requirements or those operating primarily in other regions.
• For listeners building AI-assisted infrastructure automation, this update provides a practical observability layer for MCP-based agents, which is increasingly relevant as teams adopt AI assistants for AWS operations tasks.

50:26 Ryan – “Why did everything go offline? Now you can find out!” 

GCP

50:59  CloudSQL read pools support autoscaling 

• Cloud SQL read pools, now generally available for Enterprise Plus edition, let you provision up to 20 read replicas behind a single load-balanced endpoint for MySQL and PostgreSQL, removing the need to manually manage multiple replicas or reconfigure applications when nodes are added or removed.
• The new autoscaling feature dynamically adjusts node count based on CPU utilization or database connection thresholds, with users defining minimum and maximum node counts so the pool scales within those bounds automatically during traffic fluctuations.
• Pools with two or more nodes are backed by a 99.99% availability SLA that covers maintenance downtime, and configuration changes like VM type or database flag updates are applied across all nodes with near-zero downtime.
• From a cost perspective, autoscaling helps avoid over-provisioning by scaling in during low-traffic periods, meaning you pay only for nodes actively in use rather than maintaining a fixed fleet sized for peak load.
• Retail and other industries with variable workloads are a natural fit, and teams can get started via gcloud CLI, Terraform, or the REST API, with a 30-day free trial available at cloud.google.com/sql for hands-on access to Enterprise Plus features.
• Want to sign up for a free trial of Cloud SQL? You can do that here. 

52:29 Matt – “The feature here I actually like is that it autoscales reads… nothing I’ve seen will do auto scaling on the reads for SQL and scale it out horizontally in that way. Like, even Aurora, if you’re on the normal one, you build a read replica, you have to build each read replica, and then either route or round robin to those ones. So if it’s actually going to do automatic adding and removing based on capacity needs, that’s a pretty nice feature because it can save you a lot of money.” 

53:35 Design UI using AI with Stitch from Google Labs

• Google Labs has evolved Stitch (stitch.withgoogle.com) into an AI-native design canvas that converts natural language descriptions into high-fidelity UI designs, targeting both professional designers and non-designers who want to move from concept to prototype quickly.
• The updated tool introduces an infinite canvas, a design agent that reasons across a project’s full history, and an Agent Manager for running multiple design directions in parallel, which addresses a common pain point of managing divergent design explorations.
• DESIGN.md is a notable addition that lets users extract and export design systems as an agent-friendly markdown file, making it easier to apply consistent design rules across projects or share them with other tools without starting from scratch each time.
• Stitch connects to developer workflows through an MCP server and SDK, with export options to AI Studio and Antigravity, positioning it as a handoff layer between design and development rather than a standalone tool.
• Pricing details are not specified in the announcement, so listeners interested in using Stitch for production workflows should check the documentation at stitch.withgoogle.com for current access and cost information.

55:20 Ryan – “I was developing something for my family, and it looks like you would expect, and so I can’t wait to try this out. And it was really impressive how fast, and how little feedback you gave it.” 

Azure

56:12 Microsoft at NVIDIA GTC: New solutions for Microsoft Foundry, Azure AI infrastructure and Physical AI 

• Microsoft Foundry Agent Service and Observability in Foundry Control Plane are now generally available, giving enterprise teams a unified platform to build, deploy, and monitor AI agents with end-to-end visibility into agent behavior across tools, data, and workflows.
• Azure is the first hyperscale cloud to power on NVIDIA Vera Rubin NVL72 systems in its labs, with rollout planned to liquid-cooled datacenters over the coming months, following deployment of hundreds of thousands of Grace Blackwell GPUs in under a year. 
• This positions Azure as a target platform for inference-heavy and reasoning-based workloads at scale.
• NVIDIA Nemotron models are now available through Microsoft Foundry, and the Fireworks AI integration allows customers to fine-tune open-weight models into low-latency deployments that can be distributed to the edge. 
• Pricing for these models is not specified in the announcement and would vary based on usage.
• Microsoft is extending NVIDIA Vera Rubin platform support to Azure Local, allowing organizations in sovereign and regulated environments to run next-generation AI workloads while maintaining Azure-consistent governance through Azure Arc and Foundry Local.
• A new Physical AI Toolchain, available via a public GitHub repository, integrates NVIDIA Physical AI Data Factory with Azure services, enabling developers to build robotics and physical AI workflows that connect physical assets, simulation environments, and cloud training into repeatable enterprise pipelines.

57:38 Justin – “Skynet is VERY excited.” 

59:06 Microsoft 365 pauses Copilot creep after admins cry foul

• Microsoft has paused the automatic deployment of the Microsoft 365 Copilot app to desktop users, halting a rollout that had already slipped twice from its original October 2025 target date. 
• The pause has no specified end date, and existing installations remain unaffected.
• The core admin complaint was that the opt-out default model increased IT workload by forcing organizations to set policies on Microsoft’s timeline rather than their own. Admins who want to proceed with deployment can still do so manually through other available methods.
• European Economic Area customers were already excluded from this rollout, likely reflecting ongoing regulatory considerations around default software installations in that region.
• This pause aligns with broader reported changes to Microsoft’s approach of embedding Copilot across Windows 11 surfaces, suggesting some recalibration of how aggressively the assistant is pushed to end users. 
• For IT decision-makers, the key takeaway is that centralized control over AI tool deployment remains a practical concern, and Microsoft’s willingness to halt the rollout signals that enterprise admin feedback carries weight in deployment decisions.

59:45 Justin – “Don’t force your IT people to do things. That’s not good. They’re already overworked and stressed.” 

1:00:46 Advancing agentic AI with Microsoft databases across a unified data estate 

• Microsoft announced a savings plan for databases at SQLCon 2026, offering up to 35% savings versus pay-as-you-go pricing on a one-year hourly spend commitment, automatically applied across eligible Azure database services, including Azure SQL.
• GitHub Copilot is now generally available in SQL Server Management Studio 22, bringing chat and T-SQL code assistance directly into SSMS for developers and DBAs who already use Copilot in Visual Studio and VS Code.
• Azure SQL Database Hyperscale gained new public preview features, including a SQL MCP Server for connecting SQL data to AI agents, larger 160 and 192 vCore options, and enhanced vector indexes with full insert, update, and delete support requiring no code changes.
• SQL database in Fabric reached general availability for several enterprise security features, including SQL Auditing, Customer-Managed Keys, and Dynamic Data Masking, with workspace-level Private Link in preview, targeting customers with strict governance and compliance requirements.
• Microsoft introduced the Database Hub in Fabric, now in early access, providing a single management plane across Azure SQL, Cosmos DB, PostgreSQL, MySQL, and Arc-enabled SQL Server, with agent-assisted monitoring that surfaces estate-wide signals and recommended actions. 
• Interested in signing up for Database Hub? You can do that here. 

1:01:37 Matt – “There’s a lot of ‘things’ in this blog post; the biggest one for me is the savings plan for databases… It’s just built in there now. It really means you can get those savings; you don’t have to commit or be a hyperscaler.” 

1:03:28 Generally Available: Versionless key support for transparent data encryption in Azure SQL Database 

• Azure SQL Database now supports versionless keys for transparent data encryption, meaning customers can point to a key in Azure Key Vault without pinning to a specific version, and the database will automatically use the latest key version as it rotates.
• This reduces operational overhead for teams managing customer-managed keys, eliminating the manual step of updating TDE configurations each time a key is rotated in Azure Key Vault or Managed HSM.
• The practical benefit is improved reliability around key rotation workflows, since missed version updates previously could cause access disruptions to encrypted databases, a real risk in regulated industries with frequent rotation policies.
• This feature is generally available and integrates with existing Azure Key Vault and Managed HSM setups, so customers already using bring-your-own-key TDE can adopt versionless references without rebuilding their encryption architecture.
• No additional cost is associated with this feature beyond standard Azure Key Vault or Managed HSM pricing, making it a straightforward operational improvement for any Azure SQL Database customer using customer-managed keys.

1:04:10 Justin – “There’s no additional cost for this, and thank god, because this is the dumbest feature I’ve ever heard of in my entire life. Why does it not just do it automatically?”  

1:06:24 Microsoft Launches Azure Skills Plugin to Give AI Coding Agents Real Azure Expertise

• Microsoft released the Azure Skills Plugin, available at aka.ms/azure-plugin, which bundles over 19 curated Azure workflow skills, the Azure MCP Server with 200+ tools across 40+ Azure services, and the Foundry MCP Server into a single install for AI coding agents. 
• The goal is to move agents beyond generic code suggestions toward actual Azure deployment actions like provisioning, cost optimization, and live diagnostics.
• The skills layer is the core differentiator here, encoding decision trees and sequencing logic for real Azure workflows rather than simple prompt snippets. Key skills include azure-prepare for generating infrastructure code, azure-validate for pre-flight checks, azure-deploy for orchestrating through the Azure Developer CLI, and azure-diagnostics for troubleshooting using logs and KQL queries.
• The plugin is designed to be portable across agent hosts, including GitHub Copilot in VS Code, Copilot CLI, and Claude Code, with configuration handled automatically through a .mcp.json file and a .github/plugins/azure-skills folder. Teams using multiple agent tools do not need to maintain separate configurations for each.
• Microsoft is explicit that this setup requires real credentials and real Azure resources, recommending least-privilege access, explicit tool approvals, and skills sourced only from trusted repositories. This positions the agent as a supervised collaborator rather than an autonomous actor, which is a practical consideration for teams evaluating security posture.
• Prerequisites include Node.js 18 or later, Azure CLI authenticated via az login, and optionally the Azure Developer CLI for deployment workflows. No specific pricing is listed for the plugin itself, though costs will vary based on the underlying Azure services and resources the agent provisions during use.

1:07:48 Matt – “I’m actually most excited for the KQL feature because writing KQL is like writing SQL, but harder, but also I’m terrible at both, so don’t judge that one statement. But if I can live, just tell it to search the logs in a certain way, because right now I just have this terrible workflow of Claude – this is what I’m looking for in KQL. Copy-paste, take the screenshot, put it back over here, copy-paste, and iterate through this very slow cycle. So if I can have it understand KQL, so much better.” 

1:08:56 Azure DevOps Remote MCP Server Lands in Microsoft Foundry, Giving AI Agents Direct Access to Your DevOps Data

• Microsoft launched the Azure DevOps Remote MCP Server in public preview on March 17, followed by its integration into Microsoft Foundry two days later. 
• The server gives AI agents a hosted, authenticated connection to Azure DevOps data, including work items, pull requests, pipelines, repos, and wikis via a single URL endpoint at mcp.dev.azure.com.
• Authentication runs entirely through Microsoft Entra, meaning organizations apply their existing identity policies, conditional access rules, and permission boundaries to agent access without building separate integrations. Notably, only Entra-backed Azure DevOps organizations are supported, leaving MSA-backed and on-premises deployments without this option for now.
• Two access control headers stand out for enterprise use: X-MCP-Readonly restricts agents to read-only operations, and X-MCP-Toolsets lets teams scope which tool categories an agent can access. This shifts the governance conversation from whether agents should touch DevOps data to defining the specific conditions under which they can.
• The Foundry integration connects Azure DevOps data to Foundry’s full agent development lifecycle, including model access, orchestration, evaluation, and deployment. Teams can add the server through the Foundry tool catalog and control which specific operations each agent is permitted to perform.
• Current limitations worth noting include client support restricted to Visual Studio and VS Code without extra setup, while Claude Desktop, GitHub Copilot CLI, and ChatGPT require additional OAuth configuration in Entra before connecting. Microsoft has also indicated plans to eventually archive the local MCP Server in favor of this remote version, so teams on the local server should begin evaluating migration. No separate pricing has been announced beyond standard Azure DevOps and Foundry costs. 

Oracle

1:11:13 Oracle Releases Java 26 

• Java 26 ships 10 JDK Enhancement Proposals covering AI integration, cryptography, and language simplification, including HTTP/3 support in the HTTP Client API and a fourth preview of primitive types in pattern matching. None of these are final features yet, with several JEPs still in preview or incubator status after multiple rounds.
• The Ahead-of-Time Object Caching feature from Project Leyden is worth noting as it extends startup time improvements to work with any garbage collector, including ZGC, which addresses a practical pain point for cloud-native Java deployments where cold start latency matters.
• Oracle is launching the Java Verified Portfolio, a bundled support offering covering JavaFX, Helidon, and the VS Code Java extension, included free for Java SE subscribers and OCI customers running Java workloads. For everyone else, pricing is not explicitly stated beyond noting that many components remain free for a wide range of use cases.
• The Applet API removal in JEP 504 is notable mainly as a cleanup item, having been deprecated since JDK 17, and signals Oracle is willing to break legacy compatibility when features have been sufficiently warned about over multiple release cycles.
• Helidon is being proposed as an OpenJDK project and aligned to the Java release cadence, which tightens Oracle’s control over the microservices framework ecosystem while keeping it open source, a pattern Oracle has used with other technologies in its portfolio.

1:11:21 Justin – “They brought AI to Java, and all is going to be lost.” 

1:12:21 Oracle Unveils AI Database Agentic Innovations for Business Data

• Oracle announced a bundle of agentic AI capabilities for Oracle AI Database at its AI World Tour in London, centered on keeping AI workloads closer to the data rather than moving data to external AI systems. 
• The headline additions include the Autonomous AI Vector Database in limited availability on free and low-cost developer tiers, a Private Agent Factory for no-code agent building, and a Unified Memory Core for storing agent context across multiple data types in a single engine.
• The security angle is notable here. Oracle Deep Data Security and the Private AI Services Container are positioned to address prompt injection and data leakage risks by enforcing least-privilege access at the database layer rather than in application code, which is a practical concern for enterprises deploying agents against sensitive business data.
• Oracle Trusted Answer Search takes a conservative approach to reducing hallucinations by matching user questions to pre-built reports via vector search rather than letting an LLM answer directly, which trades flexibility for determinism and may suit regulated industries but limits open-ended query use cases.
• The open standards additions, specifically Vectors on Ice for Apache Iceberg support and an Autonomous AI Database MCP Server, are worth noting because they reduce some of the lock-in concerns that typically follow Oracle announcements, though customers still need to be running Oracle AI Database to benefit.
• Pricing details are sparse in the announcement. The Autonomous AI Vector Database is available through the Oracle Cloud free tier or a low-cost developer tier, with a one-click upgrade path to full Autonomous AI Database, but Oracle has not published specific per-unit costs for the new agentic capabilities.

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• S3 Bucket Names Finally Stop Being a Global Hunger Games
• One Million Tokens Walk Into a Context Window
• SLO Down and Smell the Reliability Metrics
• CloudWatch Finally Watches Your Whole Cloud Organization
• S3 Turns 20 and Still Buckets the Competition
• Azure SRE Agent Goes GA So You Don’t Have To
• Twenty Years of S3 and No Signs of Object Permanence
• One Rule to Monitor Them All Across AWS
• One Flag to Secure Them All on Cloud Run
• SaaSpocalypse Now Atlassian Layoffs Hit the Jira
• No More Bucket Name Bingo with S3 Regional Namespaces
• A Picture Is Worth a Thousand Claude Tokens
• One Command to Rule Your Autonomous AI Agents
• AI Fixes Your Incidents Before Your Boss Notices
• The CloudPod is only recording this week “Because of AI”
• Amazon begs users to leave Simple DB with another migration tool

Follow Up

00:54 Microsoft’s brief in Anthropic case shows new alliance and willingness to challenge Trump administration

• Microsoft filed an amicus brief in Anthropic’s lawsuit against the U.S. Department of War, urging a federal judge to temporarily block the Pentagon’s designation of Anthropic as a supply chain risk, citing substantial costs to government contractors that rely on Anthropic models.
• The brief arrived one day after Microsoft launched Copilot Cowork, built on Anthropic’s Claude, and four months after Microsoft committed up to $5 billion in Anthropic as part of a deal requiring Anthropic to spend at least $30 billion on Azure, making the legal filing directly tied to concrete commercial dependencies.
• Microsoft highlighted a procedural inconsistency in the government’s approach: the Pentagon gave itself six months to transition off Anthropic’s models while making the supply chain designation effective immediately for contractors, creating an unequal compliance burden.
• Amazon, which has invested $8 billion in Anthropic, has not publicly responded to the lawsuit or the designation, creating a notable contrast in how two major cloud providers with similar financial exposure are handling the situation.
• OpenAI announced its own Pentagon deal on the same day the Anthropic designation was issued, and 37 researchers from OpenAI and Google separately filed an amicus brief supporting Anthropic, indicating the case is drawing broad attention across the AI and cloud industry with potential implications for how AI guardrails are treated in government contracts.

01:37 Justin – “Oh, yeah, there’s a vested interest in the lawsuit which we did not mention last week, so I wanted to follow up on that, because that explains very clearly why Microsoft is throwing in with Anthropic on this.” 

General News 

02:37 Atlassian to shed ten percent of staff, because of AI 

• Atlassian is cutting roughly 1,600 employees, about 10 percent of its workforce, citing AI-driven changes to required skill sets and a need to self-fund further AI and enterprise sales investment.
• The company’s market cap has dropped from a peak of around 112 billion dollars in 2021 to approximately 20 billion dollars today, providing financial context for why cost restructuring is happening alongside the AI narrative.
• The SaaSpocalypse concept is worth discussing here, as Atlassian is among the SaaS vendors analysts flag as potentially vulnerable to organizations replacing traditional tools with AI-generated or vibe-coded alternatives.
• Atlassian points to 25 percent cloud revenue growth, 600 customers spending over 1 million dollars annually, and 5 million users on its Rovo AI suite as indicators that the business is still growing, which creates an interesting tension with the layoff announcement.
• For cloud practitioners, this is a concrete example of how AI adoption is beginning to visibly reshape headcount decisions at established SaaS vendors, not just startups, which has implications for how enterprises evaluate vendor stability and long-term support commitments.

03:18 Justin – “I’ve seen Rovo, which is Atlassian’s AI suite, and if that’s the best they can do… I have fears for the long-term health and viability of Jira in general. I’m kind of over the whole let’s blame AI for our bad business decisions. That’s going to get old real quick.” 

AI Is Going Great – Or How ML Makes Money 

06:18 Claude builds interactive visuals right in your conversation

• Anthropic has launched in beta a new inline visualization feature for Claude that generates interactive charts, diagrams, and other visuals directly within chat conversations, available across all plan tiers at no additional cost.
• These visuals are distinct from Claude’s existing artifacts system in a notable way: they are temporary and contextual, appearing inline rather than in a side panel, and they update or disappear as the conversation evolves rather than serving as persistent shareable documents.
• Claude determines autonomously when a visual would aid comprehension, but users can also prompt it directly with natural language requests like “draw this as a diagram” or “visualize how this might change over time,” and can request adjustments iteratively within the same conversation.
• The feature is part of a broader set of response format improvements Anthropic has been rolling out, including purpose-built layouts for recipes and weather queries, as well as direct in-conversation integrations with third-party tools like Figma, Canva, and Slack.
• For developers and enterprise users, the practical implication is that Claude can now serve as a lightweight data visualization layer within workflows without requiring users to export data to separate charting tools, which could reduce friction in analytical and educational use cases.

07:27 Ryan – “Kind of excited when Claude decides that the monkey making the queries needs bigger pictures because the text isn’t working out, so it’s like, I get you, Claude. I see what you’re doing.”

07:38 Jonathan – “Anthropic’s Claude: Now with crayons.” 

08:50 Introducing Genie Code 

• Databricks has launched Genie Code as a generally available product, positioning it as an agentic AI system built specifically for data teams rather than general software development. 
• It handles end-to-end tasks, including pipeline building, dashboard creation, ML model training, and production monitoring, directly within Databricks notebooks, SQL editor, and Lakeflow Pipelines.
• The system claims to outperform a leading coding agent by more than 2x on real-world data science tasks, with the key differentiator being deep Unity Catalog integration that gives it access to data lineage, usage patterns, governance policies, and business semantics rather than just reading raw code.
• Genie Code routes tasks across multiple models automatically, selecting from frontier LLMs, open source models, or custom Databricks-hosted models depending on the job, removing the need for users to manually choose models for different tasks.
• A notable upcoming capability is background agents, which will proactively monitor Lakeflow pipelines and AI models, triage failures, handle routine Databricks Runtime upgrades, and auto-fix issues like schema mismatches in a sandboxed environment before alerting the team.
• The governance angle is worth discussing for enterprise cloud users: Genie Code enforces Unity Catalog access controls during all operations, meaning it only surfaces data assets a user is authorized to see and respects existing lineage rules when building pipelines, which addresses a common concern with agentic systems operating on sensitive production data.

10:05 Ryan – “I don’t think it will kill Glue or any of the ETL things, but hopefully it will just do it for you, and then I don’t think I care anymore.”  

11:19 1M context is now generally available for Opus 4.6 and Sonnet 4.6

• Anthropic has moved 1M context windows to general availability for Claude Opus 4.6 and Sonnet 4.6, with standard pricing applying across the full window and no long-context premium. 
• Opus 4.6 is priced at $5/$25 per million input/output tokens, and Sonnet 4.6 at $3/$15, meaning a 900K-token request costs the same per-token rate as a 9K one.
• On the performance side, Opus 4.6 scores 78.3% on MRCR v2, a benchmark measuring recall and reasoning across long contexts, which Anthropic claims is the highest among frontier models at that context length.
• Practical use cases include loading entire codebases, thousands of pages of contracts, or full agent traces with tool calls and intermediate reasoning, eliminating the need for lossy summarization or manual context management that long-context workflows previously required.
• Claude Code users on Max, Team, and Enterprise plans now get 1M context automatically with Opus 4.6, meaning fewer session compactions and more conversation history retained without consuming extra usage credits.
• The 1M context window is available natively on the Claude Platform and through Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry, making it accessible across the major cloud provider ecosystems that developers are already using.

19:46 Introducing GPT-5.4 mini and nano

• OpenAI released GPT-5.4 mini and nano, two small models positioned for high-volume, latency-sensitive workloads. 
• GPT-5.4 mini runs more than 2x faster than GPT-5 mini while approaching GPT-5.4 performance on benchmarks like SWE-Bench Pro and OSWorld-Verified.
• Pricing is notably lower than larger models: GPT-5.4 mini costs $0.75 per 1M input tokens and $4.50 per 1M output tokens, while GPT-5.4 nano comes in at $0.20 input and $1.25 output per 1M tokens, with a 400k context window on mini.
• The models are designed for multi-model orchestration patterns where a larger model like GPT-5.4 handles planning and coordination while GPT-5.4 mini subagents execute narrower parallel tasks, a pattern OpenAI has built directly into their Codex product.
• In Codex specifically, GPT-5.4 mini uses only 30% of the GPT-5.4 quota, giving developers a cost-effective path for simpler coding tasks like codebase navigation, targeted edits, and debugging loops without sacrificing too much capability.
• GPT-5.4 nano is API-only and recommended for classification, data extraction, ranking, and simpler subagent tasks, making it a practical option for cloud workloads where cost and throughput matter more than deep reasoning.

21:00 Ryan – “I’m a fan of these little models for certain things; as part of that tuning, my agent definitions have gotten a lot more complex. A lot of times, I’m breaking out agent definitions so that I can specifically use one of the smaller models for certain types of tasks. Data extraction being a big one.” 

AWS

22:53 Twenty years of Amazon S3 and building what’s next 

• S3 turns 20 years old this month, growing from 1 petabyte of capacity and 15 cents per gigabyte in 2006 to hundreds of exabytes storing over 500 trillion objects at just over 2 cents per gigabyte today, representing roughly an 85% price reduction over two decades.
• A notable engineering detail is that code written for S3 in 2006 still works today unchanged, with AWS maintaining complete API backward compatibility through multiple infrastructure generations, which is why the S3 API has become a de facto standard across the storage industry.
• On the technical side, AWS has spent 8 years progressively rewriting performance-critical S3 components in Rust for memory safety and performance, and uses formal methods with automated proofs to mathematically verify consistency in the index subsystem and cross-region replication.
• AWS is positioning S3 as a universal data foundation with three newer capabilities worth noting: S3 Tables for managed Apache Iceberg analytics, S3 Vectors for native vector storage supporting up to 2 billion vectors per index at sub-100ms latency, and S3 Metadata for centralized object cataloging, all priced at standard S3 cost structures rather than specialized database pricing.
• The maximum object size has grown from 5 GB to 50 TB, and AWS reports customers have collectively saved over $6 billion in storage costs through S3 Intelligent-Tiering compared to S3 Standard storage class pricing.

24:08 Justin – “I am a big fan of the S3 vectors because we use it for Bolt.” 

25:39 Introducing account regional namespaces for Amazon S3 general-purpose buckets

• AWS S3 now supports account regional namespaces for general-purpose buckets, where bucket names automatically include your account ID and region as a suffix, such as mybucket-123456789012-us-east-1-an. 
• This solves the long-standing problem of bucket name collisions in the global namespace, particularly useful for large organizations managing buckets at scale across multiple regions.
• The feature integrates with IAM and AWS Organizations service control policies via the new s3:x-amz-bucket-namespace condition key, allowing security teams to enforce that employees only create buckets within their account’s namespace. 
  • This gives enterprises a straightforward governance mechanism to prevent naming conflicts and unauthorized bucket creation.
• Existing global namespace buckets cannot be renamed to use the account regional namespace, so this is a forward-looking change for new bucket creation only. S3 table buckets, vector buckets, and directory buckets already operate in account-level or zonal namespaces, so this update brings general-purpose buckets in line with those patterns.
• CloudFormation support is included via the BucketNamespace property and pseudo parameters AWS::AccountId and AWS::Region, making it straightforward to update existing IaC templates. CLI and Boto3 support is also available using the x-amz-bucket-namespace header or BucketNamespace parameter.
• The feature is available across 37 AWS regions, including AWS China and GovCloud, at no additional cost, making it a low-friction adoption for teams looking to simplify bucket naming conventions without budget impact.

27:17 Jonathan – “What’s really annoying is your account number is part of the public S3 bucket name! I wish a security person had been in the room there.” 

28:17 Amazon CloudWatch Application Signals adds new SLO capabilities

• Amazon CloudWatch Application Signals now includes three new SLO capabilities: SLO Recommendations, Service-Level SLOs, and SLO Performance Report, addressing longstanding gaps in data-driven reliability management for AWS customers.
• SLO Recommendations analyzes 30 days of historical P99 latency and error rate data to suggest appropriate reliability targets, reducing the manual guesswork that previously led to misconfigured thresholds and alert fatigue.
• Service-Level SLOs give teams a consolidated view of reliability across all operations within a service, making it easier to align technical monitoring with business objectives without stitching together multiple dashboards.
• The SLO Performance Report adds calendar-aligned historical reporting at daily, weekly, and monthly intervals, which is useful for teams that need to present reliability data to stakeholders in business-friendly formats.
• Pricing is usage-based, tied to inbound and outbound application requests plus SLO charges, with each SLO generating 2 application signals per service level indicator metric period. The features are available in all regions where CloudWatch Application Signals is supported.

29:11 Jonathan – “So instead of fixing your product, you just use a tool that tells you that you should turn down your commitments to your customers. Ok…” 

29:57 Amazon SimpleDB now supports exporting domain data to Amazon S3

• Amazon SimpleDB, one of AWS’s oldest database services dating back to 2007, now supports exporting domain data directly to S3 in JSON format, giving long-time users a practical path to migrate away from the service or archive data for compliance purposes.
• The export tool introduces three new APIs (StartDomainExport, GetExport, and ListExports) with background processing that avoids any performance impact on the running database, which matters for users who cannot afford downtime during data extraction.
• Cross-region and cross-account support, along with multiple encryption options, make this useful for organizations with strict data governance requirements who need to move SimpleDB data into modern storage or database systems.
• Rate limiting is set at 5 exports per domain and 25 per account within a 24-hour window, so teams with large numbers of domains should plan their migration timelines accordingly rather than assuming bulk exports can happen all at once.
• The tool itself is free to use, but standard S3 data transfer charges apply, so cost planning should account for data volume when scoping a migration or archival project.

30:53 Justin – “SimpleDB gets a new feature!” 

32:19 Amazon CloudWatch introduces organization-wide EC2 detailed monitoring enablement

• CloudWatch now supports organization-wide rules to automatically enable EC2 detailed monitoring, shifting metrics collection from a per-instance manual task to a centralized policy-driven configuration across the entire AWS Organizations.
• Rules can be scoped to the full organization, specific accounts, or individual resources using tags, so teams can target environments like production workloads without enabling the feature universally and incurring unnecessary costs.
• The 1-minute interval metrics that detailed monitoring provides are particularly relevant for Auto Scaling groups, where faster data collection means scaling policies can respond more quickly to utilization changes rather than waiting for the default 5-minute interval.
• The feature covers both existing and newly launched instances within the rule scope, which closes a common gap where new instances spun up after policy creation would otherwise miss monitoring configuration.
• Detailed monitoring costs apply per instance per metric per month per CloudWatch pricing, so organizations should evaluate tag-based scoping carefully to avoid unexpected billing increases when rolling this out broadly.

33:17 Ryan – “I mean, what’s wrong with the previous method of waiting until you  had an outage, not having the data, and THEN turning it on for your project?” 

GCP

33:47 Why context is the missing link in AI data security 

• Google Cloud’s Sensitive Data Protection is now generally available with new context classifiers for medical and finance data, plus image object detectors for faces and passports, moving beyond simple keyword matching to understand the semantic meaning of data.
• For AI training workflows on Vertex AI, SDP can scan unstructured image data using OCR and object detection to find sensitive content like credit card numbers or photo IDs, then generate redacted versions rather than discarding the data entirely, preserving training dataset quality.
• The context-aware approach addresses a practical problem with traditional regex-based detection: the same number sequence can be treated differently depending on surrounding words, so “order number” passes through while “wallet number” triggers financial context classification and redaction.
• SDP serves as the underlying engine for several other Google Cloud products, including Model Armor, Security Command Center, and Contact Center as a Service, meaning improvements here propagate across those services automatically.
• Organizations in regulated industries like healthcare and finance are the most direct beneficiaries, as the tool helps ensure AI agents only access data appropriate to their function during both training and live user interactions. Pricing details are not specified in the announcement, so teams should check cloud.google.com/security/products/sensitive-data-protection for current rates.

35:16 Ryan – “I don’t really think that’s usually where the sensitive data is. It can be, in some workloads, but probably not the majority, so there’s so many false positives, so I really like the idea that they’re having context be a part of that decision.”

37:16 Welcoming Wiz to Google Cloud: Redefining security for the AI era

• Google has completed its acquisition of Wiz, a cloud and AI security platform, which will retain its brand and continue supporting multicloud environments, including AWS, Azure, and Oracle Cloud Platform, alongside Google Cloud.
• Wiz connects code, cloud, and runtime into a single context, allowing security teams to map application architecture, permissions, data flows, and runtime behavior in real time to identify and prioritize exploitable attack paths before they reach production.
• The combined offering integrates Wiz’s cloud security platform with Google Security Operations, Mandiant Consulting, and Google Threat Intelligence under the Google Unified Security umbrella, with Gemini AI assisting in threat hunting, remediation workflows, and audit documentation.
• A notable focus of the acquisition is AI-specific security, addressing threats that target AI models and those generated by AI systems, which is increasingly relevant as organizations deploy AI agents fed with business-critical data.
• Pricing details for the combined platform have not been announced, but Wiz products will remain available through existing partner channels, system integrators, and managed security service providers, suggesting continuity for current Wiz customers during the transition.

38:16 Justin – “Typically on these acquisitions, it takes about a year for Google to figure out how to package them properly, and most likely they’ll want a separate contract for it anyways because that’s how all the integration acquisitions they’ve done are.”

39:22 IAP integration with Cloud Run

• Google Cloud Run now supports direct Identity-Aware Proxy integration in general availability, allowing developers to enable IAP authentication with a single UI click or the –iap flag in gcloud, eliminating the previous requirement to configure load balancers manually. IAP carries no additional cost beyond standard Cloud Run charges, with limited exceptions noted in the pricing docs.
• IAP on Cloud Run supports enterprise authentication features, including user and group identity policies, context-aware access controls based on IP, geolocation, and device status, and Workforce Identity Federation for external identity providers. This makes it practical for organizations that need to secure internal web applications without building custom authentication layers.
• A separate change allows Cloud Run services to disable the default IAM invoker check by selecting “Allow Public access,” which resolves a long-standing friction point for teams trying to host public-facing applications while also enforcing Domain Restricted Sharing org policies.
• The two features address different scenarios: IAP is the recommended path for internal business applications requiring user authentication, while the public access option suits public websites, store locators, or private microservices where network-level controls like Cloud Armor handle security instead.
• Real-world adoption examples include L’Oreal using IAP across their Google Cloud application portfolio and Bilt Rewards disabling IAM invoker checks on multi-regional Cloud Run services to simplify edge routing while relying on Cloud Armor for security enforcement.

39:57 Ryan – This is a neat little feature. I don’t know how widely known it is, but it’s something that I’ve been using for a while.”  

42:09 Multi-cluster GKE Inference Gateway helps scale AI workloads

• Google Cloud has launched a preview of multi-cluster GKE Inference Gateway, which extends the existing GKE Gateway API to enable model-aware load balancing for AI inference workloads across multiple GKE clusters and regions. 
• This addresses practical limitations of single-cluster deployments like GPU/TPU capacity caps and regional availability risks.
• The system introduces two core Kubernetes custom resources, InferencePool and InferenceObjective, which group model-server backends and define routing priorities, respectively. 
• This allows the gateway to intelligently multiplex latency-sensitive and lower-priority inference requests across a distributed fleet.
• A notable technical capability is the GCPBackendPolicy resource, which enables load balancing decisions based on real-time custom metrics such as KV cache utilization on model servers. 
• This is more inference-specific than traditional request-count or latency-based routing approaches.
• The architecture uses a dedicated config cluster to manage a single Gateway configuration that routes traffic to multiple target clusters, simplifying operations for teams running globally distributed AI services. Supported use cases include disaster recovery, capacity bursting, and heterogeneous hardware utilization.
• Pricing for this feature is not separately detailed in the announcement, so costs would likely follow existing GKE and Cloud Load Balancing pricing structures. Teams evaluating this should factor in multi-cluster networking and potential cross-region data transfer costs alongside their GPU/TPU resource expenses.

43:06 Ryan – “Simplify. Sure…” 

44:35 More transparency and control over Gemini API costs

• Google AI Studio now supports Project Spend Caps, letting developers set monthly dollar limits per project directly from the Spend tab. 
• There is a roughly 10-minute enforcement delay, so users remain responsible for any overages incurred during that window.
• Usage Tiers have been redesigned with lower spend qualifications, automatic tier upgrades based on payment history, and system-defined billing account caps that increase as you move to higher tiers. This reduces manual intervention for developers scaling their API usage over time.
• Three new dashboards have been added to Google AI Studio covering rate limits, costs, and usage. The rate limit dashboard tracks RPM, TPM, and RPD per project, while the cost dashboard offers a daily breakdown filterable by model and time range going back up to a full month.
• Billing setup can now be completed entirely within Google AI Studio, including linking billing profiles to projects, removing the previous need to navigate across multiple Google Cloud console windows. 
• This consolidation is particularly useful for teams managing several projects under one billing account.
• Developers building with Imagen and Veo now have dedicated usage graphs alongside standard request metrics, giving multimodal workloads the same observability previously available only for text-based Gemini API calls.

45:13 Justin – “If you’ve ever tried to figure out who is using what models and what they’re doing with them and how much it costs, you know that this is all terrible – and this doesn’t actually improve it all that much.”  

Azure

47:35 Generally Available: Azure SRE Agent with new capabilities 

• Azure SRE Agent is now generally available as an AI-powered operations tool designed to help teams diagnose incidents faster and automate response workflows, to reduce downtime and manual operational work.
• The GA release introduces deep context gathering capabilities, meaning the agent can pull together relevant signals and telemetry during an incident rather than requiring engineers to manually correlate data across multiple tools.
• This fits naturally into teams already using Azure Monitor, Application Insights, and related observability tooling, as the agent is positioned to work within existing Azure operations workflows rather than requiring a separate platform.
• The primary target audience is operations and SRE teams managing production workloads on Azure who are looking to reduce the time between incident detection and resolution without adding headcount.
• Pricing details were not included in the announcement, so teams evaluating this should check the Azure pricing page directly here before planning adoption, as AI-powered agent services on Azure typically carry consumption-based costs.

48:25 Jonathan – “All right, so they run the services, which are going to have problems. And now they want me to pay for another service so that I can use that tool to troubleshoot the problems with the other tools that I’m already paying for. OK…” 

55:59 Many agents, one team: Scaling modernization on Azure 

• Azure announced two new public preview offerings: the Azure Copilot migration agent and the GitHub Copilot modernization agent, designed to automate discovery, assessment, planning, and deployment for organizations moving workloads to Azure. 
• The migration agent targets servers, virtual machines, applications, and databases, while the modernization agent orchestrates code upgrades at scale across multiple applications simultaneously.
• The two agents are designed to work together, with GitHub Copilot scanning application code to produce assessment reports that Azure Copilot’s migration agent then ingests to inform cloud infrastructure planning. This integration aims to close the historical gap between developer-level code work and infrastructure decisions around landing zones, networking, and governance.
• Early customer results show a 70% reduction in total modernization effort using GitHub Copilot modernization capabilities, and Ahold Delhaize is cited as a customer that reduced complexity and accelerated delivery using these agentic workflows across discovery, assessment, and execution.
• Microsoft is pairing these agentic tools with a structured delivery program called Cloud Accelerate Factory, a no-cost benefit under Azure Accelerate where Microsoft experts work alongside customers from discovery through production. Pricing for the agents themselves is not specified in the announcement, so listeners should check Azure pricing pages directly for cost details.
• According to a Forrester Q1 2026 survey of 223 global IT leaders, 91% view application modernization as necessary for enabling AI in their business, which provides context for why Microsoft is investing in automating what has traditionally been a slow, manual planning process.

52:32 Ryan – “I keep waiting for someone to tout the success of how they did it, they’ve migrated all their terrible legacy code into this new thing, and it all works – but I haven’t seen it…”  

53:28 Announcing Fireworks AI on Microsoft Foundry

• Microsoft Foundry now integrates with Fireworks AI’s inference cloud, giving customers access to models like DeepSeek v3.2, Kimi K2.5, and OpenAI’s gpt-oss-120b through both pay-per-token and provisioned throughput deployment options. 
• This is currently in public preview and requires an opt-in through the Azure portal’s Preview features panel.
• Pricing follows a per-million-token model for serverless deployments covering input, cached input, and output tokens, with US Data Zone availability across six regions, including East US and West US. 
• Default quota limits start at either 250K or 25K tokens per minute, depending on subscription type, with additional quota available via a request form.
• A notable addition is custom model support, allowing teams who have fine-tuned models from families like Qwen3-14B, DeepSeek v3, or Kimi K2 to import and deploy those weights directly into Foundry projects. 
• The Azure Developer CLI has been updated with an azd ai models create command to facilitate the weight transfer process.
• Fireworks-hosted models are distinct from Azure Direct models in that they skip Microsoft’s Responsible AI safety assessments, so teams needing safety evaluations will need to use Foundry’s built-in risk and safety evaluator tools separately.
• Model retirement for serverless deployments comes with at least 30 days’ notice, and customers can extend usage past retirement dates by switching to provisioned throughput deployments, which use existing Global PTU quota and reservation commitments.

54:30 Justin – “Sounds like it’s a cross-connect that they’ve done to Firework’s cloud basically, to provide this to you, so it’s sort of interesting.” 

56:02 Announcing Copilot leadership update 

• Microsoft is reorganizing its Copilot efforts by merging consumer and commercial teams into a single unified org, structured around four pillars: Copilot experience, Copilot platform, Microsoft 365 apps, and AI models. 
• Jacob Andreou will lead the combined Copilot experience as EVP, reporting directly to Satya Nadella.
• Mustafa Suleyman is shifting focus exclusively to what Microsoft calls its “superintelligence” effort, concentrating on frontier model development, enterprise-tuned model lineages, and reducing inference costs at scale over the next five years.
• The restructuring reflects a product direction where Copilot moves from individual features toward an integrated system connecting agents, apps, and workflows, with recent announcements like Copilot Tasks, Copilot Cowork, and Agent 365 representing early examples of this approach.
• For enterprise customers, the key practical implication is that commercial and consumer Copilot capabilities will converge, meaning IT and governance controls will need to account for a more unified product surface rather than separate consumer and business tracks.
• The Copilot Leadership Team now includes Suleyman, Andreou, Charles Lamanna, Perry Clarke, and Ryan Roslansky, signaling that Microsoft 365 app development and platform infrastructure will be tightly coordinated with model development rather than operating independently.

57:23 Ryan – “Noticeably missing is Github’s Copilot…” 

After Show 

55:59 Washington state hotline callers hear AI voice with Spanish accent 

• Washington state’s Department of Licensing accidentally routed Spanish-language callers to an AI voice speaking English with a Spanish accent for several months, a direct result of a misconfiguration by DOL staff using Amazon Web Services Polly.
• AP journalists were able to replicate the issue by selecting the AWS Polly voice named “Lucia,” which is designed to mimic Castilian Spanish, highlighting how easy it is to misconfigure AI voice services when teams lack familiarity with the underlying platform options.
• The incident is a practical reminder that deploying AI-driven customer service tools across multiple languages requires thorough testing and quality assurance, particularly for government agencies serving diverse populations with real accessibility needs.
• Amazon provided the platform but declined interview requests, raising a recurring question in cloud deployments about where vendor responsibility ends and customer configuration responsibility begins when things go wrong in production.
• The story went viral with around 2 million TikTok views, which illustrates how public-facing AI failures in government services can quickly become reputational issues, adding pressure on agencies to treat AI deployment with the same rigor as other critical infrastructure.

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• ✍️ Cloudflare Spent $1100 to Rewrite Next.js in a Week
• One Pipe to Rule All Your OpenTelemetry Data
• ☑️ Check Yourself Before Google Wrecks Your Cloud Config
• Copilot Takes Jira Tickets So You Don't Have To
• ‍✈️ GitHub Copilot Agent Joins Your Jira Workflow Uninvited
• When AI Agents Network, Meta Swipes Right on Moltbook
• ️ Sixty Controls Walk Into a Terraform Repository
• One Security Console to Rule All Your Clouds
• AI Ate My Lock-In, and I Feel Fine
• ⛅ Oracle Sees $90 Billion Future Cloudy With a Chance of GPUs
• Your API Has Trust Issues, and We Can Prove It
• Stop Running Three Pipelines Like a Telemetry Hoarder
• From Database Dinosaur to AI Cash Cow
• ☠️ Meta: Target acquired; must kill Moltbook
• Meta saw Moltbook and said, “WE MUST OWN IT AND KILL.”

Follow Up

00:51 Where things stand with the Department of War 

• Anthropic has been designated a supply chain risk to US national security by the Department of War, a designation the company is challenging in court as legally unsound under 10 USC 3252.
• The practical scope of the designation is narrow, applying only to the use of Claude in direct Department of War contracts, not to all customers that hold such contracts or to unrelated business with Anthropic.
• Anthropic has stated that it will continue to provide its models to the Department of War and the national security community at nominal cost, with ongoing engineering support, during any transition period and for as long as permitted.
• The company's two stated exceptions to military use involve fully autonomous weapons and mass domestic surveillance, and Anthropic has clarified these do not extend to operational decision-making, which it considers the military's domain.
• For cloud and enterprise customers, the key takeaway is that existing Claude deployments unrelated to Department of War contracts remain unaffected, though the legal dispute introduces uncertainty into federal procurement pipelines involving AI services.
• We will keep you updated on this in 12-18 months…

AI Is Going Great - Or How ML Makes Money 

01:21 Introducing GPT-5.4

• OpenAI released GPT-5.4 across ChatGPT, the API, and Codex, positioning it as their most capable reasoning model to date. It merges the coding strengths of GPT-5.3-Codex with general reasoning, professional knowledge work, and native computer-use capabilities in a single model.
• The computer-use capabilities are a notable technical step, with GPT-5.4 achieving a 75% success rate on OSWorld-Verified desktop navigation, surpassing the reported human benchmark of 72.4% and up from GPT-5.2's 47.3%. 
• This makes it the first general-purpose OpenAI model with native computer use built in, making it relevant for developers building agents that operate across web browsers and desktop software.
• Tool search is a practical efficiency improvement for agentic API workflows, dynamically loading tool definitions only when needed rather than stuffing all definitions into the prompt upfront. In testing against Scale's MCP Atlas benchmark on 36 MCP servers, this reduced total token usage by 47% with no loss in accuracy, directly translating to lower API costs for tool-heavy applications.
• On the professional work side, GPT-5.4 scores 87.3% on an internal investment banking spreadsheet benchmark, up from 68.4% for GPT-5.2, and achieves 91% on BigLaw Bench for legal document work. The ChatGPT for Excel add-in, launched alongside it, gives Enterprise customers a direct integration path.
• Pricing is higher per token than GPT-5.2 in the API, though OpenAI notes the model's token efficiency should offset costs for many workloads. 
• Batch and Flex pricing remain available at half the standard rate, and Priority processing is available at 2x the standard rate for latency-sensitive use cases.

02:19 Justin - “There’s also been a slew of every cloud provider in the world announcing Chat-GPT 5.4 is now available, and we will not be telling you about all of them, but assume that if you use a different model or different cloud, they probably have it.” 

04:33 Introducing ChatGPT for Excel and new financial data integrations

• OpenAI launched ChatGPT for Excel in beta, an add-in powered by GPT-5.4 that lets users build, update, and analyze spreadsheet models using plain language descriptions. 
• It preserves existing formulas and structure, asks permission before making changes, and links answers to specific cells for auditability. 
• Available now for Business, Enterprise, Edu, Pro, and Plus users in the US, Canada, and Australia.
• GPT-5.4 (also available as GPT-5.4 Thinking) is now live in ChatGPT, Codex, and the API, with OpenAI noting it was specifically tuned on real-world finance workflows, including financial modeling, scenario analysis, data extraction, and long-form research.
• New financial data integrations bring Moody's, Dow Jones Factiva, MSCI, Third Bridge, MT Newswire, and others directly into ChatGPT workflows, with FactSet coming soon. 
• Organizations can also connect proprietary data sources using Model Context Protocol (MCP), centralizing market, company, and internal data in a single interface.
• For enterprise deployments, the Excel add-in supports RBAC, SAML SSO, SCIM, audit logs, AES-256 encryption at rest, TLS 1.2+ in transit, and data residency controls. In Enterprise and Edu workspaces, the feature is off by default and requires admin enablement with custom roles and group permissions.
• ChatGPT for Google Sheets is listed as coming soon, signaling OpenAI is extending this spreadsheet integration beyond the Microsoft ecosystem.

04:49 Justin - “If I were a betting man, I’d also say they’re going to have a PowerPoint version any day.” 

06:13 Meet KARL: A Faster Agent for Enterprise Knowledge, powered by custom RL

• Databricks introduced KARL (Knowledge Agent with Reinforcement Learning), a custom model built using RL techniques to handle grounded reasoning tasks like document search, fact-finding, and multi-step reasoning across enterprise data sources.
• KARL was trained with a few thousand GPU hours using entirely synthetic data. In internal testing, it matched or outperformed Frontier's proprietary models on inference cost, latency, and response quality simultaneously.
• The core technical challenge KARL addresses is hard-to-verify tasks, where there is no single correct answer, making RL reward signal design particularly difficult compared to domains like math or code, where correctness is easier to measure.
• Databricks is now offering a Custom RL private preview backed by Serverless GPU Compute, allowing enterprise customers to use the same RL pipeline that produced KARL to build domain-specific, cost-optimized versions of their own high-volume agents.
• For enterprises running AI agents at scale, this approach suggests that custom RL fine-tuning on smaller models can substantially reduce inference costs compared with relying on general-purpose frontier models, a practical consideration as agentic workload costs grow.
• Interested in checking out the preview? You can find more information on that here. 

07:09 Ryan - “It's kind of a neat idea to provide sort of the pipeline there. I mean, I guess the big cloud providers are producing agent-building platforms and stuff; I wonder how much of this you can follow the path that they use for creating KARL and building your own domain-specific agent in the same way. I like the idea. Smaller model, less GPU.”

08:55 Codex Security: now in research preview

• OpenAI launched Codex Security in research preview, formerly known as Aardvark, and is now available to ChatGPT Pro, Enterprise, Business, and Edu customers via the Codex web with free usage for the first month. 
• The tool functions as an agentic application security scanner that builds a project-specific threat model to identify and prioritize vulnerabilities with context-aware fixes.
• The performance metrics from the beta are notable: false positive rates dropped by over 50%, overreported severity findings fell by more than 90%, and noise was reduced by 84% in some repositories. 
• Over the last 30 days, it scanned more than 1.2 million commits, surfacing 792 critical and 10,561 high-severity findings, with critical issues appearing in fewer than 0.1% of commits.
• The tool uses sandboxed validation environments to pressure-test findings before surfacing them and can generate working proofs of concept when configured with a project-specific runtime environment. It also learns from user feedback on finding severity to refine its threat model over time.
• Codex Security has already produced real-world results in open source, with 14 CVEs assigned across projects including OpenSSH, GnuTLS, GOGS, PHP, and Chromium. 
• OpenAI is also launching Codex for OSS, offering free ChatGPT Pro and Plus accounts, as well as Codex Security access for open-source maintainers.

10:07 Ryan - “I wish AI wouldn’t generate all those vulnerabilities in code… but I do like that these tools are available.”  

12:40 OpenAI to acquire Promptfoo 

• OpenAI is acquiring Promptfoo, an AI security platform used by over 25 percent of Fortune 500 companies, with plans to integrate its technology directly into OpenAI Frontier, the company's enterprise platform for building AI agents.
• Promptfoo's core capabilities include automated red-teaming and security testing for LLM applications, targeting risks such as prompt injection, jailbreaks, data leaks, tool misuse, and out-of-policy agent behavior. 
• These will become native features within Frontier rather than separate tools.
• The acquisition addresses a practical gap for enterprise AI deployments: systematic ways to test agent behavior before production, maintain audit trails, and meet governance and compliance requirements as AI agents connect to real data and business systems.
• Promptfoo also maintains a widely used open-source CLI and library on GitHub, and OpenAI has stated it will continue developing the open-source project alongside the integrated enterprise capabilities, which is notable for developers already using those tools.
• For enterprises building on Frontier, this signals that security testing and evaluation are moving from optional add-ons to built-in requirements of the development workflow, with direct implications for how teams structure AI deployment pipelines and compliance documentation.

13:36 Justin - “It's good that this company got bought, integrated into the models is a great stepping stone, and I look forward to seeing more red teaming agents, because I think that's an area companies really have underinvested, and with our new cyber warfare world, it's going to become more more important that you're doing more active red teaming.”

15:21 Introducing Kasal 

• Databricks released Kasal, an open-source visual platform for building multi-agent AI workflows without writing orchestration code. 
• Users can drag and drop agents onto a canvas or describe workflows conversationally, and Kasal automatically generates the underlying CrewAI-based Python code.
• Kasal runs natively on Databricks Apps with built-in OBO authentication, SQLite or Lakebase persistence, and MLflow tracing integration, meaning teams can move from visual design to production deployment with minimal additional configuration.
• The platform supports both sequential and hierarchical agent modes, in which hierarchical workflows include a manager agent coordinating specialized subagents, useful for tasks such as generating customer-specific sales presentations by combining product and customer data pipelines.
• Observability is handled at two layers: business users see execution timelines and workflow status in the Kasal frontend. At the same time, AI engineers can use MLflow tracing to debug LLM calls and agent behavior at a technical level.
• Workflows built in Kasal can be exported as Python code for further customization, and reusable plans can be registered in a shared catalog, giving teams a path from low-code prototyping to production-grade pipelines without being locked into the visual interface.

15:48 Justin - “They didn’t mention security review; I just want to call that out.” 

17:04 Code Review for Claude Code

• Anthropic launched Code Review for Claude Code in research preview for Team and Enterprise plans, using a multi-agent system that dispatches parallel agents to find bugs, filter false positives, and rank issues by severity, delivering results as a single summary comment plus inline annotations on each PR.
• Internal metrics show the system increased substantive review comments from 16% to 54% of PRs at Anthropic, with large PRs over 1,000 lines receiving findings 84% of the time, averaging 7.5 issues, and less than 1% of findings marked incorrect by engineers.
• Reviews scale dynamically with PR complexity, averaging around 20 minutes per review, and are billed at roughly $15 to $25 per review, making this notably more expensive than the existing open-source Claude Code GitHub Action, which remains available as a lighter-weight alternative.
• A practical example from TrueNAS shows the system surfacing a pre-existing type mismatch bug in adjacent code that was silently wiping an encryption key cache on every sync, the kind of latent issue outside the direct changeset that human reviewers typically would not investigate.
• The system intentionally does not approve PRs, keeping humans in the decision loop. At the same time, admins on Team and Enterprise plans retain controls over spend and usage, positioning this as a depth-focused supplement to human review rather than a replacement.

18:15 Justin - “The COST of the review is really the biggest thing…definitely something that is a factor in all of these things.”

22:24 Meta acquires Moltbook, the AI agent social network

• Meta acquired Moltbook, an AI agent social network built as a Reddit-style platform where every participant is an AI agent run by a human, with no direct human membership. 
• The founders will join Meta Superintelligence Labs, though deal terms were not disclosed.
• Meta specifically called out Moltbook's "always-on directory" approach for connecting agents as a novel development, suggesting the acquisition is focused on agent discovery and coordination infrastructure rather than the social network concept itself.
• Moltbook was built on OpenClaw, an LLM coding agent wrapper that enables prompting via WhatsApp and Discord and supports deep local system access through community plugins. 
• OpenClaw's founder was separately hired by OpenAI in February, indicating both major AI labs are recruiting from the same open-source agent ecosystem.
• For developers and businesses, the acquisition signals that agent-to-agent communication protocols and persistent agent directories are becoming areas of serious investment, which could influence how cloud-based agentic workflows are designed going forward.
• A practical caveat worth noting: Moltbook lacked security controls to verify that all participants were actually AI agents, meaning some posts were likely written by humans posing as agents. This highlights that agent identity and authentication remain unsolved problems in agentic system design.

22:39 Justin - “We didn't really talk about Moltbook because we didn't want to talk about OpenClaw extensively, but basically, OpenClaw is a terrible way that you can run AI agents in a fully unsafe manner that accesses all of your personal data, and one of the things you could do is add a skill that would basically have it randomly post things onto MoltBook, which could include your bank accounts or security things if you're not careful in your security. And Meta buying this is just sort of the classic; it's a social network, and it could take us down, let's just take it off the market and kill it.”

Cloud Tools 

23:58 GitHub Copilot coding agent for Jira is now in public preview

• GitHub Copilot coding agent now integrates directly with Jira Cloud, allowing teams to assign Jira issues to Copilot and receive AI-generated draft pull requests in their connected GitHub repositories without leaving their existing workflow.
• The agent works asynchronously and autonomously, analyzing issue descriptions and comments for context, implementing code changes, and posting status updates back in Jira, including asking clarifying questions when needed.
• This integration targets common, repetitive tasks such as bug fixes and documentation updates and respects existing pull request review and approval rules, so teams do not need to change their governance processes.
• Setup requires installing two marketplace apps, one from Atlassian and one from GitHub, and notably requires Jira Cloud with Rovo enabled alongside an active GitHub Copilot coding agent subscription, so there are meaningful prerequisite costs to consider.
• The integration supports GitHub Data Residency customers across supported regions, which is a practical consideration for teams with data sovereignty requirements.

24:42 Ryan - “That’s interesting, because Rovo is Atlassian’s AI bot…I’m curious about why that’s required.”  

26:09 The Pulse: Cloudflare rewrites Next.js as AI rewrites commercial open source

• Cloudflare released vinext, a rewrite of Next.js that replaces Vercel's proprietary Turbopack build system with the standard Vite build tool, allowing Next.js applications to deploy to Cloudflare Workers with a single command and producing client bundles that are reportedly up to 57% smaller.
• The project was completed by one engineer in one week, using approximately $1,100 in AI tokens via the OpenCode agent and Claude Opus 4.5, reducing what would traditionally have taken years of engineering to days. However, the result is explicitly experimental and not yet battle-tested at scale.
• A key practical concern is that vinext covers 94% of the Next.js API surface, with roughly 67,000 lines of code, compared with Next.js's 194,000, meaning edge cases and security auditing remain outstanding before production use at any meaningful traffic level.
• Cloudflare also released a migration agent skill that integrates with tools like Claude Code, Cursor, and Codex, allowing developers to run a single command to migrate an existing Next.js project to vinext, with compatibility checks, dependency installation, and config generation handled automatically.
• The broader implication for cloud engineers is that comprehensive open-source test suites now serve as a blueprint for AI-assisted rewrites, which puts pressure on commercial open-source business models that rely on deployment lock-in rather than infrastructure, support, or community as their primary differentiators.

27:31 Ryan - “I feel like it's an awful precedent, right? Like, the whole point of open source is community collaboration, and this is directly in the face of that. Like, why would you release something open source if someone's just going to use an AI agent to create their own fork of it?”

31:58 Active defense: introducing a stateful vulnerability scanner for APIs

• Cloudflare launched a beta Web and API Vulnerability Scanner focused initially on BOLA (Broken Object Level Authorization), which is the top threat in the OWASP API Top 10. 
• Unlike WAF rules that catch syntax-based attacks, BOLA involves valid authenticated requests that violate business logic, making them invisible to traditional defenses.
• The scanner is stateful, meaning it builds an API call graph from your OpenAPI spec and chains requests together logically, creating resources as an owner and then attempting to access them as an attacker. This solves a core limitation of legacy DAST tools that evaluate each request in isolation and miss authorization flaws that span multiple API calls.
• To handle ambiguous or inconsistent OpenAPI schemas, the scanner uses Cloudflare Workers AI, which runs OpenAI's gpt-oss-120b model with structured outputs to infer data dependencies between endpoints automatically. This removes the manual configuration burden that typically slows DAST tool deployment.
• Credential security is handled by the HashiCorp Vault Transit Secret Engine, where credentials are encrypted immediately upon submission and decrypted only by the specific Rust worker executing the test. This is a notable design choice, given that vulnerability scanners, by definition, need access to valid API credentials.
• The scanner is now available in open beta for API Shield customers via the API, allowing teams to trigger scans and pull results into CI/CD pipelines or security dashboards. 
• Cloudflare plans to extend coverage to OWASP Web Top 10 threats like SQLi and XSS in future releases.

33:22 Ryan - “This is super cool. This is the AI-enhanced security scanning I’ve been waiting for.” 

AWS

34:43 Amazon plans 'deep dive' internal meeting to address outages

• Amazon's retail site experienced four Sev 1 outages in a single week, including a six-hour checkout and account access failure on March 5, prompting an internal deep-dive meeting led by SVP Dave Treadwell to review the availability posture.
• An internal document initially cited GenAI-assisted changes as a contributing factor to a trend of incidents since Q3. 
• Still, that reference was removed before the meeting, and Amazon later clarified that only one incident involved AI and none involved AI-written code.
• Amazon is implementing new safeguards that require additional review of GenAI-assisted production changes, with Treadwell acknowledging that best practices for using generative AI in production environments have not yet been fully established.
• A separate AWS outage in December was linked to the Kiro AI coding tool. However, Amazon attributed that incident to user error rather than the AI itself, highlighting an ongoing pattern of questions around AI tooling in production deployments.
• With Amazon projecting $200 billion in capital expenditures this year while simultaneously reducing its workforce by tens of thousands, the reliability of AI-assisted development workflows becomes a practical concern for any organization adopting similar tooling at scale.

36:36 Ryan - “Hold on to your butts, but we’re going to see a lot more of this.” 

39:00 Database Savings Plans now supports Amazon OpenSearch Service and Amazon Neptune Analytics

• Database Savings Plans now cover Amazon OpenSearch Service and Amazon Neptune Analytics, offering up to 35% savings with a one-year commitment and no upfront payment required.
• The plans apply automatically across serverless and provisioned instances regardless of engine, instance family, size, or region, so customers can switch instance types like moving from m7i.large.search to c8g.2xlarge.search without losing their discount.
• This expansion is useful for organizations running search or graph analytics workloads at scale, since Neptune Analytics and OpenSearch can carry substantial hourly costs that benefit from committed-use pricing.    
• Customers can use the Savings Plans Purchase Analyzer in the AWS Billing and Cost Management Console to model custom scenarios before committing, which reduces the guesswork in sizing a commitment.
• Available now in all AWS regions except China. 
• Pricing details are available here.

39:34 Justin - “Finally. Thank you.” 

40:54 AWS Elastic Beanstalk now offers AI-powered environment analysis

• AWS Elastic Beanstalk now integrates with Amazon Bedrock to provide AI-powered analysis of environment health issues, automatically collecting events, instance health data, and logs to generate step-by-step troubleshooting recommendations without manual log review.
• The feature is triggered from the Elastic Beanstalk console via an AI Analysis button when environment health reaches Warning, Degraded, or Severe status, and is also accessible programmatically through the existing RequestEnvironmentInfo and RetrieveEnvironmentInfo CLI and API operations.
• This is a practical addition for teams managing Beanstalk environments who want to reduce mean time to resolution, particularly useful for developers who may not have deep operational expertise in diagnosing platform-level issues.
• Availability is limited to regions where both Elastic Beanstalk and Amazon Bedrock are supported, so teams in regions without Bedrock coverage will not have access, and AWS has not published specific pricing details for this feature beyond standard Beanstalk and Bedrock usage costs.
• This continues a broader AWS pattern of embedding Bedrock-powered assistance into existing managed services, similar to features seen in other consoles, positioning AI-assisted operations as a standard capability rather than a standalone product.

41:55 Matt - “I will say troubleshooting Beanstalk is a pain in the butt. It just says ‘degraded’ and you’re like ‘why’? And at one point, I had an issue with Beanstalk where it needed a specific CloudWatch put metric in order to do it; it got to the point I opened a support case, and asked AWS why it wasn't working. And they're like, here's this - buried 17 pages into… so I can definitely see it being useful.”

43:13 Introducing Amazon Connect Health, Agentic AI Built for Healthcare

• Amazon Connect Health is now generally available, offering five purpose-built AI agents targeting healthcare administrative workflows, including patient verification, appointment scheduling, ambient documentation, patient insights, and medical coding with ICD-10 and CPT code generation.
• The service is HIPAA-eligible and integrates natively with Amazon Connect,  allowing contact center and point-of-care workflows to be configured in minutes rather than months, which is a notable deployment speed advantage for healthcare IT teams.
• The two GA agents (patient verification and ambient documentation) are ready for production use today, while appointment management, patient insights, and medical coding remain in preview, so organizations should plan adoption timelines accordingly.
• Point-of-care capabilities like ambient listening and medical coding are accessible via a unified SDK, letting developers embed these features directly into existing EHR systems rather than requiring a full platform migration.
• The service is currently limited to US East (N. Virginia) and US West (Oregon), and AWS has not published specific pricing details publicly, so healthcare organizations will need to engage AWS directly to understand cost structures before planning deployments.

43:45 Justin - “This is a great example of a really purpose-built AI that has a specific use case, and I’d almost rather talk to the AI at any time of the day that can book my appointment rather than waiting for the office to open during the day when I’m busy.” 

27:58 Amazon Lightsail now offers OpenClaw, a private self-hosted AI assistant

• Amazon Lightsail now supports deploying OpenClaw, a self-hosted AI assistant that runs on your own Lightsail instance, giving users a private alternative to cloud-based AI services where data stays within their own infrastructure.
• The offering includes several built-in security features out of the box: sandboxed agent sessions, one-click HTTPS without manual TLS setup, device pairing authentication, and automatic configuration snapshots, reducing the typical operational overhead of self-hosting AI tools.
• Amazon Bedrock serves as the default model provider, which ties this directly into the broader AWS AI ecosystem, though users can swap models or connect to messaging platforms like Slack, Telegram, WhatsApp, and Discord for different workflows.
• Pricing follows standard Lightsail instance pricing rather than a separate AI-specific cost structure, which may make this appealing for small teams or developers who want predictable monthly costs; check the Lightsail pricing page at aws.amazon.com/lightsail/pricing for current instance rates.
• The feature is available across 15 AWS Regions, including US East, US West, Frankfurt, London, Tokyo, and Jakarta, and can be accessed directly from the Lightsail console with quick start documentation available for getting up and running quickly.

44:46 Justin - “If you want to try it (OpenClaw) and you can’t get a Mac Mini because everyone is buying them for their OpenClaw implementations, Amazon Lightsail now supports (it).” 

47:22 Amazon OpenSearch Ingestion now supports a unified ingestion endpoint for OpenTelemetry data

• Amazon OpenSearch Ingestion now accepts logs, metrics, and traces through a single unified pipeline endpoint, eliminating the previous requirement to run three separate pipelines for each OpenTelemetry signal type.
• The consolidation reduces operational overhead around access control, monitoring, and lifecycle management, which translates to lower infrastructure costs for teams running observability at scale.
• A practical benefit is incremental OpenTelemetry adoption: teams can start with one signal type and add others later without reconfiguring the pipeline, lowering the barrier to getting started.
• Signal correlation becomes more straightforward when all three data types flow through a centralized pipeline, giving teams a more complete view of application health in one place.
• The unified endpoint is available now in all regions where Amazon OpenSearch Ingestion is supported, and customers can configure it through the AWS Management Console or CLI. 
• Pricing follows existing OpenSearch Ingestion rates based on Ingestion OCUs, so no new cost model is introduced.

47:54 Ryan - “I mean, at the ingestion layer? I don’t know. Because this is really at the logs- equivalent…”

48:27 Announcing the end-of-support for the AWS Copilot CLI

• AWS Copilot CLI reaches end of support on June 12, 2026, meaning it will no longer receive new features or security updates, though it remains available as an open-source project on GitHub.
• AWS recommends two primary migration paths: Amazon ECS Express Mode for teams wanting a fast, opinionated path to production with automatic ALB, TLS, and auto-scaling provisioning, and AWS CDK L3 constructs for teams needing fine-grained infrastructure control in familiar programming languages.
• ECS Express Mode is the closest functional replacement for Copilot's most common patterns, supporting shared Application Load Balancers across up to 25 services and eliminating the need to learn a custom manifest format.
• Teams migrating Worker Services, Backend Services, and Scheduled Jobs have specific CDK construct equivalents available, including QueueProcessingFargateService for SQS-based workloads and ScheduledFargateTask for cron-based jobs.
• Since Copilot uses standard CloudFormation under the hood, teams can also simply adopt the existing generated stacks and manage them directly, which represents the lowest-effort migration option for teams not ready to switch tooling.

49:26 Justin - “ I mean, yeah, this is kind of the first step into a fully managed world of ECS, and I remember when it came out we talked about it and was like, well, this is nice, but we really want what became Amazon ECS Express, and so they kind of deprecated themselves in their own way with better solution.”

51:04 Amazon Route 53 Global Resolver is now generally available

• Amazon Route 53 Global Resolver is now generally available across 30 AWS Regions, expanding from the 11-region preview shown at re:Invent 2025, with support for both IPv4 and IPv6 DNS query traffic from any location.
• The service functions as an internet-reachable anycast DNS resolver, allowing authorized clients in an organization to resolve both public internet domains and private Route 53 hosted zones without being tied to a specific network location.
• Security filtering is a core capability, blocking malicious domains, DNS tunneling, Domain Generation Algorithms, and now with GA, Dictionary DGA threats, alongside centralized query logging for visibility across the organization.
• This positions Global Resolver as a managed alternative to running your own DNS resolver infrastructure for distributed or remote workforces, reducing operational overhead while centralizing DNS policy enforcement.
• New customers get a 30-day free trial to evaluate the service, with pricing details available here.

51:57 Ryan - “I both love and hate this. Having operated a global Anycast resolver, I know how much of a pain it is, and so I wouldn't want to set another one up, and I would gladly pay Amazon to do that. However, I don't know that they're removing the annoying parts. And you add more abstraction, I wonder, troubleshooting failed queries; that's going to be really difficult. And you have a lot more control when you control the network for these things, and so I'm very dubious about this one. But if it just works, then it'll probably be worth it.”

53:29 Automated deployments with GitHub Actions for Amazon ECS Express Mode

• AWS published a walkthrough for connecting GitHub Actions to Amazon ECS Express Mode, automating the full pipeline from code commit to container deployment, including image builds, ECR pushes, and service updates without manual coordination.
• The integration uses OIDC for authentication instead of stored AWS credentials, meaning GitHub Actions receives temporary credentials that expire after each workflow run, which reduces the risk surface compared to long-lived access keys sitting in repository secrets.
• ECS Express Mode handles the infrastructure heavy lifting automatically, provisioning an ALB, target groups, health checks, auto scaling based on CPU, and security groups, so teams get a production-ready stack from a minimal workflow configuration.
• Image tagging uses the first 7 characters of the git commit SHA, giving teams precise version traceability and a straightforward path to rollback by referencing a specific immutable image in ECS deployment history.
• Costs are usage-based, covering ECS Fargate tasks, ECR storage, and data transfer, with no GitHub Actions charges for public repositories. The estimated setup time is 20 to 30 minutes, making this a relatively low-friction starting point for teams not yet running automated container deployments.

GCP

55:59 Introducing the Google Cloud recommended security checklist

• Google Cloud published a recommended security checklist at docs.cloud.google.com/docs/security/gcmvsp, featuring 60 curated controls across six domains, including authentication, data protection, and network security, organized into Basic, Intermediate, and Advanced tiers.
• The checklist is directly motivated by data from the 2025 Google Cloud Threat Horizons Report, which found that weak credentials and misconfigurations account for nearly 76% of cloud compromise (that’s a BIG number), making these controls particularly relevant for organizations assessing their baseline posture.
• A companion Terraform repository on GitHub provides deployable code for the controls, moving the checklist beyond documentation into something teams can act on immediately and consistently.
• The checklist is free to use and aligns with the open Minimum Viable Secure Product framework, meaning organizations can cross-reference it against existing compliance or vendor-neutral security standards they may already be tracking.
• Early access customers reported being able to identify and activate critical controls in a single session, which suggests this is a practical tool for teams that need to establish or audit a security baseline without extensive prior GCP expertise.

56:52 Ryan - “So, your mileage may vary. Some of the code that they have in the solution requires really, really high privileges to run in your GCP environment, so it's one of those things where you might not be able to get that far with it unless you're administering the cloud directly. But it's definitely, I think, a lot of really good, useful things that you can then take… anything that allows people to focus on what they care about is pretty great.”

58:06 New agents for the Autonomous Network Operations framework

• Google Cloud expanded its Autonomous Network Operations framework with two new components: the Autonomous Data Steward and the Core Network VoLTE Agent, both built on Gemini and targeted at telecom operators managing complex network infrastructure.
• The Autonomous Data Steward addresses a core scaling problem by using a zero-copy architecture with Dataplex Universal Catalog to store metadata pointers instead of duplicating datasets, reducing storage costs by up to 70% while enabling real-time data access across previously siloed domains like RAN, Core, and Probes.
• The VoLTE Agent builds on the Data Steward foundation to monitor voice quality metrics like Call Setup Success Rates and Mean Opinion Scores, correlate SIP and Diameter signaling data for root cause analysis, and recommend corrective actions like call routing adjustments without requiring manual intervention.
• New Zealand telecom provider One NZ is already deploying the VoLTE Agent in production, which gives this announcement a concrete, real-world validation point rather than remaining purely a proof-of-concept offering.
• Google and Future Connections have open-sourced the core methodologies behind these agents, allowing telecom operators to build and customize their own agentic workflows; interested parties need to contact their Google Account Team for early access, and pricing is not publicly listed.

58:39 Justin - “This is all a lot of stuff for TelCo’s, but it’s cool, if you’re into geeky TelCo things, check it out.” 

59:24 NotebookLM adds Cinematic Video Overviews

• NotebookLM's Cinematic Video Overviews moves beyond static narrated slides to generate fluid animations and detailed visuals from user-provided sources, using a combination of Gemini 3 and Veo 3 models working together.
• Gemini functions as a creative director in this pipeline, handling narrative structure, visual style selection, format decisions, and self-refinement passes to maintain consistency across the generated video.
• This is a consumer-facing AI feature rather than a direct GCP infrastructure offering, but it demonstrates practical multi-model orchestration that GCP customers building their own AI pipelines may find instructive.
• Availability is currently limited to English-language users on web and mobile who subscribe to Google AI Ultra, which is priced at $249.99 per month, and is restricted to users 18 and older.
• The primary use cases center on education and knowledge synthesis, where users can transform documents, research, or other sources into video summaries, which could be relevant for training content, internal documentation, or learning platforms built on Google's ecosystem.

1:00:21 Justin - “A little bit pricey to replace all the YouTubers, but coming soon.” 

1:01:14 Gemini Embedding 2: Our first natively multimodal embedding model

• Gemini Embedding 2 is now in Public Preview via the Gemini API and Vertex AI, marking Google's first natively multimodal embedding model built on the Gemini architecture. It maps text, images, video up to 120 seconds, audio, and PDFs into a single unified embedding space across 100-plus languages.
• A notable technical detail is that audio is embedded natively without requiring intermediate transcription, which removes a common pipeline step that previously added latency and potential accuracy loss in multimodal workflows.
• The model uses Matryoshka Representation Learning to support flexible output dimensions scaling down from a default of 3072, with recommended sizes of 3072, 1536, and 768. 
• This lets developers trade off retrieval quality against storage and compute costs depending on their use case.
• Interleaved multimodal input, such as combining an image and text in a single request, allows the model to capture relationships between media types rather than treating each modality independently. 
• This is particularly relevant for RAG pipelines, semantic search, and data clustering applications.
• Integration is available through LangChain, LlamaIndex, Haystack, Weaviate, QDrant, ChromaDB, and Vertex AI Vector Search, meaning teams can adopt this model without significant changes to existing tooling. 
• Pricing details are not specified in the announcement, so listeners should check the Vertex AI pricing page directly before planning production workloads.
• Interested in checking out that demo? Find it here. 

1:02:29 Ryan - “I go back and forth on these multimodal, because I feel like there's so much bloat and we use the wrong model for so many use cases, and I feel like the multimodal is a really good way to do that. So it is interesting, I just haven't seen a use case where I would see a whole lot of benefit of being able to sort of use the multimodal model to get an answer out of an LLM that I wouldn't be able to get using other tools.”

1:03:28 Google shares Gemini updates to Docs, Sheets, Slides and Drive

• Google is rolling out beta updates to Gemini across Docs, Sheets, Slides, and Drive that allow the assistant to pull context from a user's own files, emails, calendar, and the web when generating or editing content. 
• This cross-source grounding is the core technical shift here, moving Gemini from a generic assistant to one that works with personal data.
• In Docs, new features include style matching across a document and format matching against a reference file, so Gemini can populate a travel itinerary template using flight and hotel details pulled directly from a user's Gmail inbox. This kind of structured extraction from unstructured personal data is worth noting for enterprise use cases.
• Sheets gets a "Fill with Gemini" capability that lets users drag down a column and have Gemini populate cells with real-time web data or summarized content, similar to how a formula works but using natural language and live search results. 
• This could be useful for research-heavy workflows like competitive analysis or application tracking.
• Drive gains an AI Overview feature in search results that summarizes relevant file contents with citations before a user even opens a document, plus a new Ask Gemini panel for querying across documents, emails, and calendar simultaneously.
• Availability is limited to Google AI Ultra and Pro subscribers at google.com/intl/en/about/google-ai-plans, with English-only support globally for Docs, Sheets, and Slides, and U.S.-only for Drive. Workspace business customers have a separate path through the Google Workspace blog.

1:04:21 Justin - “So if you’re in the Google workspaces places, you’ve not got basically what Copilot gave you, but better.” 

Azure

1:05:29 Azure Databricks Lakebase is Generally Available

• Azure Databricks Lakebase is now generally available as a managed, serverless Postgres offering that stores operational data directly in lakehouse storage, eliminating the need for ETL pipelines between transactional systems and analytics workloads.
• The service separates compute from storage and scales to zero when idle, with usage-based pricing meaning customers pay only for compute consumed. Specific pricing details are not published in the announcement, so listeners should check the Azure Databricks pricing page for current rates.
• Lakebase integrates with Unity Catalog, giving teams a single governance layer covering operational, analytical, and AI workloads with consistent access control, lineage tracking, and auditing across the entire Databricks data estate.
• Developers get instant zero-copy branching and point-in-time recovery, allowing teams to test schema changes or debug against production data without affecting live users or requiring duplicate infrastructure.
• The service supports standard Postgres tooling, including pgAdmin, DBeaver, pgvector for AI search, and PostGIS for geospatial use cases, and integrates with Microsoft Entra ID and Azure networking, making it a practical option for teams already invested in the Azure ecosystem.
• Cool. Glad to have another database available.

1:07:17 Copilot Cowork: A new way of getting work done

• Copilot Cowork is a new Microsoft 365 feature that moves Copilot beyond answering questions into actually executing multi-step work tasks, such as rescheduling calendar conflicts, building meeting packets, and coordinating product launch assets across Outlook, Teams, and Excel.
• The feature is powered by Work IQ, which pulls signals from across Microsoft 365 apps to give Copilot contextual understanding of your work before taking action, with user-controlled checkpoints to approve, pause, or modify tasks before changes are applied.
• A notable technical detail is that Cowork integrates Claude from Anthropic alongside Microsoft's own models, reflecting a multi-model approach where Copilot selects the most appropriate model for a given task rather than relying on a single provider.
• Enterprise governance is built in by default, with identity, permissions, and compliance policies applied automatically, and all actions running in a sandboxed cloud environment that keeps tasks progressing safely across devices.
• Cowork is currently in Research Preview with limited customers and will expand to the Frontier program in late March 2026, with no public pricing details announced yet, so organizations interested in early access should check the Frontier here.

57:31 Introducing the First Frontier Suite built on Intelligence + Trust 

• Microsoft announced Microsoft 365 E7: The Frontier Suite, available May 1 at $99 per user, bundling Microsoft 365 E5, Microsoft 365 Copilot, and the new Agent 365 into a single SKU that includes Entra Suite, Defender, Intune, and Purview capabilities.
• Agent 365, also generally available May 1 at $15 per user, functions as a control plane for AI agents, giving IT and security teams a single interface to observe, govern, and secure agents across the organization. 
• Microsoft reports visibility into over 500,000 internal agents as Customer Zero, generating 65,000 daily responses in the past 28 days.
• Wave 3 of Microsoft 365 Copilot introduces model diversity by adding Anthropic Claude to mainline chat alongside OpenAI models, and includes a research preview of Copilot Cowork for long-running multi-step tasks built in collaboration with Anthropic.
• The concept of Work IQ is central to this announcement, positioning Microsoft 365 Copilot as differentiated from generic model-plus-connector solutions by embedding organizational context about how people work, who they work with, and what content they use.
• Adoption metrics cited include paid Copilot seats growing over 160% year over year, daily active usage up ten times, and the number of customers deploying more than 35,000 seats tripling year over year, with 90% of Fortune 500 companies now using Copilot in some capacity.

1:10:54 Ryan - “This is interesting; I know, in evaluations and talking to people from different companies, when they were rolling this out originally - I think it was something like 30 or 50 bucks a user, no one wanted to pay that price. And there was a minimum number of users. So it was a large amount of money.” 

Oracle 

1:12:29 Introducing OCI’s Cost Anomaly Detection

• Oracle launched OCI Cost Anomaly Detection as a no-cost feature that uses machine learning to monitor daily cloud spend across all services and regions, alerting users when costs deviate from forecasted baselines. 
• This is a welcome addition, given that most cloud providers offer similar capabilities, with AWS and Azure having had comparable tools for some time.
• The ML model accounts for daily, weekly, yearly, and holiday seasonality patterns, and users can provide feedback to improve accuracy and reduce false positives. 
• Custom cost monitors can be scoped by compartment or tags, which gives teams reasonable flexibility for environment or application-level tracking.
• Alert thresholds can be configured as absolute dollar amounts or percentage variances, which helps reduce alert noise by focusing notifications on anomalies that actually exceed meaningful cost boundaries. This is a practical design choice that avoids the common problem of alert fatigue in cost monitoring tools.
• Default monitors are automatically created at the tenancy, service, and region level, meaning customers get baseline coverage without any configuration, though teams with complex multi-compartment environments will likely need to invest time building custom monitors to get a genuinely useful signal.
• The feature is free, which removes the awkward situation of paying for a tool designed to help you avoid overspending, though the real value depends on how accurately the forecasting model performs in practice, something Oracle has not provided specific benchmark data on in this announcement.

1:12:42 Justin - “This has been at every other cloud forever, so…” 

1:13:24 Oracle Announces Fiscal Year 2026 Third Quarter Financial Results

• Yeah, we know. They report at weird times. 
• Oracle reported Q3 fiscal 2026 total revenue of $17.2 billion, up 22% year-over-year, with cloud revenue specifically hitting $8.9 billion, a 44% increase, marking the first quarter in over 15 years where both organic revenue and non-GAAP EPS grew at 20% or more simultaneously.
• The Remaining Performance Obligations figure of $553 billion, up 325% from last year, is the headline number worth scrutinizing, as Oracle notes most of this growth comes from large-scale AI contracts funded either through customer prepayments for GPU purchases or customer-supplied hardware, which is a notably different model than traditional cloud commitments.
• Oracle raised $30 billion in debt and equity financing within days of announcing a $50 billion capital raise program, with the proceeds tied to funding infrastructure for AI training and inferencing capacity, and the company is projecting $50 billion in capital expenditures for fiscal year 2026.
• Oracle is openly stating it has restructured product development teams into smaller groups due to AI code generation tools, framing this as a cost reduction and productivity improvement for SaaS development, though the workforce implications of building more software with fewer people deserve attention.
• The company raised fiscal year 2027 total revenue guidance to $90 billion, up from prior estimates, while maintaining fiscal year 2026 guidance of $67 billion, suggesting Oracle is betting heavily that AI infrastructure demand will remain supply-constrained and that its cloud positioning will capture a meaningful share of that spending.

1:14:47 Justin - “That’s a pretty good bet, so I get it. I also think Oracle is kind of lucking into the multi-cloud…because people are having to adopt Oracle cloud to get the capacity they need.”  

After Show 

57:31 Xbox surprise: Microsoft reveals 'Project Helix' as the codename of its next console 

• Microsoft revealed the codename Project Helix for its next-generation Xbox console, confirmed by new Xbox CEO Asha Sharma, who recently replaced Phil Spencer after his 38-year tenure at Microsoft.
• The announcement is notable given persistent industry speculation that Microsoft might exit the console hardware business entirely, suggesting the gaming division intends to continue through at least one more console generation.
• Project Helix is described as leading in performance and supporting both Xbox and PC games, continuing the cross-platform compatibility direction Microsoft has pursued in recent years.
• A current RAM shortage driven by AI data center demand is affecting the broader hardware supply chain, potentially pushing the console's release beyond the initially rumored late-2027 window, which is a direct example of how AI infrastructure buildout creates ripple effects across other tech sectors.
• For cloud professionals, this is worth watching because Xbox hardware increasingly ties into Microsoft's cloud gaming and Game Pass ecosystem, meaning console generation transitions have implications for Azure-based gaming services and infrastructure planning.

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• Claude Learned to Use a Computer Better Than Your Dad **OpenAI
• Amazon and OpenAI’s $138 Billion AI Bromance
• When Two AZs Go Dark the Cloud Gets Crispy
• Fifty Billion Reasons AWS Loves OpenAI Now **Anthropic
• Azure Still Wins Even When AWS Thinks It Did
• Fire, Water, and a Multi-AZ Assumption Goes Up in Smoke
• Claude Refuses to Go Full Skynet for the Pentagon
• GPT-5.3 Instant Finally Stops Lecturing You
• No Killer Robots Without Human Approval Please
• Terraform Finally Sees Your Forgotten Cloud Resources
• Stage Before You Rage Deploy Azure Firewall
• CrowdStrike to Zscaler AWS Wants Your Security Tab
• One Hub to Rule Your API Sprawl
• Transit Gateway Attachments Just Got Surprisingly Expensive
• Azure Container Registry Finally Has Room for Your AI Hoarding
• Bedrock Gets a Roommate OpenAI Moves In
• Azure Firewall Gets a Safety on the Trigger
• Stop Writing Scripts, Just Import the Dang Infrastructure
• Audit Your APIs Before March 2026 Bites You
• Damn it… my excuse not to DR is gone
• I’m Epically Furious about DR

AI Is Going Great – Or How ML Makes Money 

03:34 Anthropic acquires Vercept to advance Claude’s computer use capabilities 

• Anthropic acquired Vercept, a team specializing in AI perception and interaction, to strengthen Claude’s computer use capabilities. 
• The Vercept founders, including Ross Girshick, bring deep expertise in how AI systems visually interpret and interact with software interfaces.
• Claude Sonnet 4.6 shows substantial improvement in computer use benchmarks, jumping from under 15% on the OSWorld evaluation in late 2024 to 72.5% today. 
• The model is now approaching human-level performance on tasks like navigating spreadsheets and completing multi-tab web forms.
• Computer use enables Claude to operate inside live applications the way a human would, handling multi-step workflows across tools that cannot be automated through code alone. 
• This is relevant for enterprise use cases involving document processing, browser-based workflows, and cross-application task management.
• This is Anthropic’s second acquisition in a short period, following the purchase of Bun, which was tied to the Claude Code milestone. The pattern suggests Anthropic is actively acquiring specialized engineering teams rather than just technology assets.
• For developers and businesses building agentic workflows on Claude, the improved computer use performance means more reliable automation of complex, real-world software tasks without requiring custom integrations or APIs for every application involved.

05:18 Justin – “It seems like every day I have to update Claude Code because they released a new feature or a new capability.” 

12:34 Improving skill-creator: Test, measure, and refine Agent Skills 

• Anthropic has updated its skill-creator tool for Claude Agent Skills, now available on Claude.ai, Cowork, and as a plugin for Claude Code. 
• The update brings software development practices like testing, benchmarking, and iterative refinement to skill authoring without requiring users to write code.
• The core addition is an eval framework that lets skill authors define test prompts, describe expected outputs, and verify skill behavior across model updates. 
• A practical example given is the PDF skill fix, where evals isolated a positioning failure on non-fillable forms and guided a targeted fix.
• A new benchmark mode tracks eval pass rate, elapsed time, and token usage, and can be integrated into CI systems or local dashboards. Multi-agent parallel eval execution is also included to reduce test time and prevent context bleed between runs.
• Comparator agents enable A/B testing between two skill versions or between a skill and no skill, with blind judging to reduce bias in assessing whether a change improves output quality.
• Anthropic notes that as base-model capabilities improve, some capability-uptake skills may become unnecessary, and the eval framework is positioned as a step toward skills being defined by natural-language descriptions of desired outcomes rather than detailed implementation instructions.

13:54 Justin – “For things that are actually in pipelines or agentic capabilities where you want things to be specific, this is great.” 

14:35 Statement on the comments from Secretary of War Pete Hegseth

• Anthropic has publicly refused to allow Claude to be used for mass domestic surveillance of Americans or fully autonomous weapons, citing concerns about current AI reliability and civil liberties. 
• These two exceptions led to a breakdown in negotiations with the Department of War after months of discussions.
• The Department of War is moving to designate Anthropic as a supply chain risk under 10 USC 3252, a designation Anthropic states would be the first time applied to a US adversary. Anthropic has indicated it will challenge any such designation in court.
• From a practical standpoint, the legal scope of a supply chain risk designation is narrow. It would only affect the use of Claude on Department of War contract work, leaving commercial API customers, Claude.ai users, and non-DoW contractor use cases completely unaffected.
• This situation raises a broader question for cloud and AI vendors about the terms under which they can negotiate acceptable use policies with government customers. 
• The outcome could set a precedent for how American companies handle government contracts that conflict with their own usage restrictions.
• Anthropic notes it has been deployed in US government classified networks since June 2024, making this dispute notable for the AI industry as more frontier model providers pursue federal contracts through programs like FedRAMP and classified cloud environments.

Statement from Dario Amodei on our discussions with the Department of War 

• Anthropic has publicly refused the Department of War’s requests to remove two specific safeguards from Claude: restrictions on mass domestic surveillance use cases and on fully autonomous weapons systems. 
• This is notable because Anthropic was already the first frontier AI company to deploy models in US classified networks, National Laboratories, and custom national security configurations.
• The Department of War has threatened to label Anthropic a “supply chain risk,” a designation previously reserved for US adversaries, and to invoke the Defense Production Act to force removal of these safeguards. Anthropic notes that these two threats are contradictory since one frames Claude as a security risk while the other frames it as essential to national security.
• The autonomous weapons position has a specific technical basis: Anthropic states current frontier AI systems lack sufficient reliability for fully autonomous target selection and engagement, and they offered to collaborate with the Department on R&D to improve reliability, an offer that was not accepted.
• For cloud and enterprise listeners, this situation establishes a precedent in which an AI provider publicly declines government contract terms on safety grounds rather than on commercial grounds, with direct implications for how AI vendors structure acceptable use policies in high-stakes government and defense cloud deployments.
• Anthropic has indicated it will support a smooth transition to another provider if offboarded, signaling that continuity planning for AI-dependent military operations is now a real operational consideration for defense cloud infrastructure teams.

Our agreement with the Department of War 

• OpenAI signed a classified AI deployment agreement with the Pentagon using a cloud-only architecture, meaning models run on OpenAI infrastructure rather than on edge devices or government-controlled hardware, which is central to how they enforce their safety constraints.
• The agreement includes three stated red lines: no mass domestic surveillance, no directing autonomous weapons systems, and no automated high-stakes decisions without human approval. 
• OpenAI retains full control of the safety stack and has cleared personnel embedded with the deployment.
• The cloud-only deployment model is the key technical differentiator here. By keeping models off edge devices, OpenAI argues it can run and update classifiers independently to verify red lines are not crossed, which would not be possible with on-premise or edge deployments.
• The contract language locks in current surveillance and autonomous weapons laws as the standard, meaning even if those laws or DoD policies change in the future, usage must still comply with the standards in place at signing. This is a notable contractual mechanism for maintaining guardrails over time.
• OpenAI requested that the same contract terms be made available to all AI labs, including Anthropic, framing this as an attempt to establish a consistent baseline for how the government engages with frontier AI providers on classified work.

21:04 Justin – “The precedent that could be set, potentially, that the government can declare any vendor they want to a supply chain risk feels like it’s gonna violate several amendments to the Constitution…” 

New Model Section

21:38 Gemini 3.1 Flash Lite: Our most cost-effective AI model yet

• Google launched Gemini 3.1 Flash-Lite in preview, available through the Gemini API in Google AI Studio and Vertex AI, priced at $0.25 per million input tokens and $1.50 per million output tokens, positioning it as a cost-focused option for high-volume workloads.
• Compared to 2.5 Flash, the new model delivers 2.5x faster Time to First Answer Token and 45% higher output speed according to Artificial Analysis benchmarks, while scoring 86.9% on GPQA Diamond and 76.8% on MMMU Pro.
• The model includes configurable thinking levels, letting developers dial reasoning depth up or down depending on task complexity, which is useful for balancing cost and quality across different workload types.
• Practical use cases highlighted include high-volume content moderation, translation, UI generation, and real-time dashboard creation, with early adopters like Latitude, Cartwheel, and Whering already using it in production.
• For GCP customers running inference at scale, the combination of low per-token pricing and higher throughput speed makes this a practical option to evaluate against existing model choices in Vertex AI pipelines.

22:09 Google reveals Nano Banana 2 AI image model, coming to Gemini today

• Google has released Nano Banana 2, technically named Gemini 3.1 Flash Image, which replaces both the standard and Pro variants of the previous Nano Banana model across Gemini, AI Studio, Vertex AI, and Flow simultaneously.
• The model draws on Gemini 3.1 LLM web knowledge to improve object fidelity and infographic accuracy, and Google claims it delivers text rendering quality comparable to the previous Pro tier at Flash-tier speeds.
• For developers building multi-character or complex scene workflows, the model supports consistent rendering of up to five characters and up to 14 distinct objects per workflow, with expanded output options ranging from 512px square to 4K widescreen.
• The full replacement of prior Nano Banana variants means GCP customers on Vertex AI have no migration choice here, so teams relying on the previous Pro model for production workloads should validate outputs against the new model promptly.
• Pricing details were not disclosed in the announcement, so Vertex AI customers should check the Vertex AI pricing page directly for updated image generation costs tied to the Gemini 3.1 Flash Image model.

22:32 Justin – “I’m excited to plug this one into our show cover generator; I’ve been using Nano Banana 1, and if you’ve checked out our show covers lately, you’ve noticed they’ve become fun cartoons based on our show titles.”  

22:54 GPT-5.3 Instant: Smoother, more useful everyday conversations 

• OpenAI released GPT-5.3 Instant as the new default model in ChatGPT, available to all users today and to developers via the API as gpt-5.3-chat-latest, with GPT-5.2 Instant remaining available for paid users until June 3, 2026.
• The update targets conversational quality issues that benchmarks typically miss, specifically reducing unnecessary refusals, moralizing preambles, and overly cautious responses that users flagged as frustrating in GPT-5.2 Instant.
• Hallucination rates show measurable improvement: 26.8% reduction in high-stakes domains like medicine, law, and finance when using web search, and 19.7% reduction using internal knowledge only, based on OpenAI’s internal evaluations.
• Web search integration is notably improved, with the model now balancing retrieved results against its own reasoning rather than defaulting to link lists, producing more synthesized and immediately usable answers.
• Developers should note this is a drop-in update to the existing model endpoint, meaning applications using gpt-5.3-chat-latest will automatically get the improved behavior, which could affect any downstream applications that relied on the previous refusal or response patterns.

25:07 Matt – “Testing the models before you roll them out into production. One of the things… how do you actually test these models and prove they’re working? And a lot of customers and questionnaires all require measurable statistics.” 

AWS 

27:58 Amazon DC Impacted in Operation Epic Fury 

• Two simultaneous outages hit AWS Middle East regions on March 1-2, with ME-CENTRAL-1 (UAE) suffering physical fire damage to a data center that knocked out two of three availability zones, and ME-SOUTH-1 (Bahrain) experiencing a localized single-AZ power failure.
• The UAE incident demonstrated a critical edge case where S3, normally resilient to single-AZ loss, began failing for ingest and egress once a second AZ went down, highlighting that multi-AZ redundancy assumptions break down when two zones are simultaneously unavailable.
• Recovery timelines extended beyond 24 hours in both regions due to the need for physical facility repairs, cooling system restoration, and coordination with local authorities, underscoring that some failure modes fall outside software-level remediation.
• AWS recommended customers failover to EU regions for ME-CENTRAL-1 workloads, restore from EBS snapshots in unaffected regions, and use the allow-reassociation flag to migrate Elastic IPs to healthy AZs, which are standard DR playbook steps that many customers may not have pre-tested.
• This incident is a practical reminder that multi-AZ deployments alone are insufficient for high-availability requirements in smaller regions with fewer AZs, and that cross-region DR plans with tested failover procedures are necessary for critical workloads.
• Directly from Status Page: Due to the ongoing conflict in the Middle East, both affected regions have experienced physical impacts to infrastructure as a result of drone strikes. In the UAE, two of our facilities were directly struck, while in Bahrain, a drone strike in close proximity to one of our facilities caused physical impacts to our infrastructure. Finally, even as we work to restore these facilities, the ongoing conflict in the region means that the broader operating environment in the Middle East remains unpredictable. We recommend that customers with workloads running in the Middle East consider taking action now to back up data and potentially migrate your workloads to alternate AWS Regions

29:38 Justin – “This is a real big deal because as our show title said tonight… DR is going to become a real big deal now. If you’re in the business where you need to host data for other customers across the globe, your job just got a lot harder.” 

37:26 Amazon invests $50B in OpenAI, deepens AWS partnership with expanded $100B cloud deal 

• Amazon is making a $50 billion investment in OpenAI as part of a $110 billion funding round that also includes SoftBank and NVIDIA, valuing OpenAI at $730 billion pre-money. 
• Separately, OpenAI and AWS are expanding their existing cloud agreement by $100 billion over eight years, which analysts estimate could add roughly $17 billion annually to AWS revenue.
• A key technical component of the deal is OpenAI committing to consume 2 gigawatts of capacity on Amazon’s Trainium chips, giving AWS a high-profile validation of its in-house AI silicon at a scale that helps justify Amazon’s $200 billion capital expenditure plan for 2026.
• AWS and OpenAI will co-create a Stateful Runtime Environment delivered through Amazon Bedrock, allowing enterprise customers to build AI agents that retain context and handle complex multi-step tasks, with AWS serving as the exclusive third-party cloud distribution provider for OpenAI Frontier.
• Microsoft retains exclusivity over stateless OpenAI API calls, meaning simple one-and-done AI requests still route through Azure, while Amazon is positioning AWS as the infrastructure layer for stateful, context-aware, and agent-based workloads where the compute intensity and revenue potential are substantially higher.
• Amazon also maintains its existing partnership with Anthropic, meaning AWS customers now have access to models from two of the leading AI labs, which broadens the options available through Bedrock without requiring customers to commit to a single model provider.

41:29 Justin – “I am more and more convinced every day that we are in an AI bubble. I do not see how they’re going to generate the revenues required to cover the capital investments that all of these cloud providers are making.” 

43:18 AWS Security Hub Extended offers full-stack enterprise security with curated partner solutions

• AWS Security Hub Extended is a new plan that bundles curated third-party security tools from partners like CrowdStrike, Okta, Splunk, Zscaler, and Proofpoint directly into the Security Hub console, covering endpoint, identity, email, network, and cloud security in one place.
• AWS acts as the seller of record for all partner solutions, meaning customers get a single consolidated bill, pre-negotiated pay-as-you-go pricing, and no long-term commitments, which removes the overhead of managing separate vendor contracts.
• All security findings from both AWS native services and partner tools are normalized using the Open Cybersecurity Schema Framework (OCSF) and automatically aggregated in Security Hub, making cross-environment threat correlation more straightforward.
• Enterprise Support customers get unified Level 1 support across all participating solutions, which reduces the friction of figuring out which vendor to contact when issues span multiple tools.
• The Extended plan is generally available now across all commercial AWS regions where Security Hub is supported, with both consumption-based and flat-rate pricing options available at aws.amazon.com/security-hub/pricing.

44:11 Justin – “Thank you, Amazon. It’s only taken you 10 years to get to this point – because this is cool. Build partnerships with your security vendors, standardize the inputs, and make connections for those things so they all connect together, and if I can do all that through my cloud vendor, who I already have commitments with? I think that’s fantastic.” 

Quick Hits

45:41 AWS announces pricing for VPC Encryption Controls 

• Just pricing BUT CRAZY
• VPC Encryption Controls exits free preview on March 1, 2026, introducing a fixed hourly charge per non-empty VPC with the feature enabled in either monitor or enforce mode, with no charge for empty VPCs.
• The feature offers two operational modes: monitor mode audits for unencrypted traffic flows, while enforce mode actively blocks resources that would allow unencrypted traffic within or across VPCs in a region.
• A notable billing consideration is that enabling encryption support on a Transit Gateway triggers standard VPC Encryption Controls charges for all attached VPCs, regardless of their individual encryption mode setting, even if those VPCs are empty.
• For compliance-focused organizations, this feature provides a centralized mechanism to audit and enforce encryption-in-transit across VPC traffic flows, which is a common requirement in regulated industries like finance and healthcare.
• Customers should audit how many non-empty VPCs they plan to enable this on before March 1, 2026, and pay close attention to Transit Gateway attachment costs, as those charges can accumulate across a large number of attached VPCs. Detailed regional pricing is available on the VPC pricing page.

46:00 Matt – “Go cry a little bit.” 

48:03 Policy in Amazon Bedrock AgentCore is now generally available

• Policy in Amazon Bedrock AgentCore is now generally available, giving security and compliance teams a way to define and enforce tool access rules for AI agents without touching agent code, which is a meaningful separation of concerns for enterprise governance.
• The natural language to Cedar conversion is a practical feature, letting non-developers author policies that automatically translate to the AWS open-source policy language, lowering the barrier for ops and compliance teams to participate in agent governance.
• The AgentCore Gateway acts as an inline policy enforcement point, intercepting agent-tool traffic and evaluating each request before allowing or denying access, which mirrors familiar patterns from API gateway and service mesh architectures.
• The feature is available across 13 AWS regions at launch, including major US, European, and Asia Pacific regions, giving organizations with data residency requirements reasonable coverage from day one.
• Pricing details are not specified in the announcement, so teams evaluating this for production workloads should review the AgentCore pricing page and documentation at docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy.html before planning deployments.

49:27 Ryan – “I like the Cedar natural language processing, but I wonder how practical it is to write policies that allow agent-to-agent and tool communication.” 

GCP

57:07  Combat API sprawl using Apigee API hub

• Apigee API hub now integrates directly with API Gateway to automatically synchronize API definitions, OpenAPI specs, and gateway configurations in near real-time, giving platform teams a single control plane for APIs spread across multiple gateways and platforms.
• The new specification boost add-on, currently in public preview, uses AI to scan API specs for gaps like missing usage examples or undefined error codes, then generates an enhanced parallel version labeled specboost-draft without overwriting the original, so teams can compare before adopting.
• The core problem being addressed is that incomplete or undocumented APIs cause AI agents to fail at function calling or miss APIs entirely, so centralizing and enriching specs directly improves agent reliability in agentic workflows.
• Both features are available now, with API Gateway users seeing onboarding prompts directly in the console. 
• Pricing details for the spec boost add-on are not specified in the announcement, so teams should check the Add-on management section of the API hub for current cost information.
• Organizations running legacy specless proxies with no documentation stand to benefit most immediately, as the spec boost add-on can generate documentation for APIs that currently have none, making them visible to both developers and automated tools.

52:08 Matt – “Any undocumented API is always a problem, whether you’re using it or one team uses something they don’t know, or a client finds that should be a dark API that is public, and that always becomes a problem. So, a way to centralize that and kind of help address API sprawl in general is a great thing and will make people’s lives so much better.”

52:41 Improve chatbot memory using Google Cloud 

• Google Cloud’s polyglot storage approach for chatbot memory combines Memorystore for Redis, Cloud Bigtable, and BigQuery to handle short, mid, and long-term conversation history, respectively, addressing a common scaling challenge for conversational AI applications.
• Memorystore for Redis handles the hot layer with sub-millisecond latency using Redis Lists and RPUSH commands, while Bigtable serves as the durable mid-term store using a user_id#session_id#reverse_timestamp key pattern to enable efficient range scans across millions of simultaneous sessions.
• Bigtable’s garbage collection policies allow teams to retain only recent data, such as the last 60 days, in the high-performance tier, while older data flows asynchronously to BigQuery via Pub/Sub and Dataflow for archival and analytics without impacting live application performance.
• Cloud Storage handles unstructured multimedia artifacts using a URI pointer strategy with signed URLs, keeping the primary databases lean while maintaining secure, time-limited access to files generated or uploaded during conversations.
• This architecture is relevant to any team building production-scale agentic applications on Vertex AI Agent Builder, particularly in industries like customer service, healthcare, and financial services, where maintaining accurate long-term conversation context is a compliance or user experience requirement. Pricing varies across each component based on storage volume and query usage.
• Ryan loves this almost as much as he loves The Eagles.

Quick Hits

55:42 Spanner columnar engine in preview 

• Spanner columnar engine is now in preview, adding columnar storage alongside traditional row-based storage to enable analytical query acceleration of up to 200x on live operational data without impacting transactional workloads. 
• This addresses the longstanding trade-off between OLTP and analytical performance in a single horizontally scalable system.
• The engine uses vectorized execution to process data in batches rather than row-by-row, and Spanner automatically routes large-scan analytical queries to the columnar representation. 
• A new major compaction API also lets users manually trigger the conversion of existing data into columnar format.
• A key use case is reverse ETL from Iceberg lakehouses, where processed analytical data from BigQuery, Databricks, Snowflake, or Oracle Autonomous AI Lakehouse gets loaded into Spanner for sub-second, high-concurrency serving. This targets scenarios like real-time dashboards, AI agent features, and user-facing applications that need low-latency access to precomputed insights.
• The BigQuery integration is notably bidirectional, supporting federated queries via external datasets, reverse ETL pushes from BigLake Iceberg tables into Spanner, and live CDC streaming from Spanner back into BigQuery and BigLake Iceberg via Datastream. Oracle GoldenGate 26ai also now supports direct replication into Spanner.
• The feature is available in preview and can be enabled on existing Spanner tables via a DDL change, with benchmark queries available on GitHub. 
• Pricing follows standard Spanner node pricing, with no separate cost structure announced for the columnar engine specifically.

55:52 Justin – “If you don’t know anything about columnar databases, you don’t know how cool that is.” 

Azure

57:31 Announcing new public preview capabilities in Azure Monitor pipeline

• Azure Monitor pipeline now supports TLS and mutual TLS for TCP-based ingestion endpoints in public preview, allowing teams to encrypt data in transit and enforce mutual authentication without relying on external proxies or custom gateways. 
• This is particularly relevant for regulated environments and edge deployments where plain TCP ingestion no longer meets security requirements.
• The new execution placement configuration gives Kubernetes users direct control over how pipeline instances are scheduled across nodes, addressing practical problems like port exhaustion, multi-tenant isolation, and availability zone distribution. 
• Notably, if the cluster cannot satisfy placement rules, the pipeline simply will not deploy, making failures predictable rather than silent.
• Data transformations allow teams to filter, aggregate, and normalize telemetry before it reaches Azure Monitor, including converting raw syslog or CEF messages into standardized schemas using KQL templates. This addresses the cost and complexity of ingesting high-volume noisy data and cleaning it up after the fact.
• All three capabilities are in public preview today and target organizations running Azure Monitor pipeline on on-premises infrastructure, edge locations, and large Kubernetes clusters. 
• Pricing is not separately detailed for these features, so costs would follow existing Azure Monitor ingestion and data processing rates, which vary by volume.

58:38 Matt – “It’s their ETL pipeline service… that’s kind of why this is a big deal.” 

59:43 Microsoft Sovereign Cloud adds governance, productivity, and support for large AI models securely running even when completely disconnected

• Microsoft has expanded its Sovereign Cloud offering with three new capabilities targeting organizations that need to operate in fully disconnected environments: Azure Local disconnected operations, Microsoft 365 Local disconnected, and large model support in Foundry Local. 
• These are aimed at government, defense, and regulated industries where external connectivity may be intentionally restricted or prohibited.
• Azure Local disconnected operations allow organizations to run infrastructure with Azure governance and policy controls without any cloud connectivity, meaning management and workload execution stay entirely within customer-operated environments. This is now generally available worldwide, though pricing is not publicly listed and would depend on hardware and licensing configurations.
• Microsoft 365 Local disconnected brings Exchange Server, SharePoint Server, and Skype for Business Server into the sovereign private cloud boundary, with Microsoft committing support for these workloads through at least 2035. This extends productivity capabilities to teams operating in air-gapped or isolated environments without requiring a cloud connection.
• Foundry Local now supports large multimodal AI models running on-premises using NVIDIA GPU infrastructure, enabling local inferencing entirely within customer-controlled data boundaries. This moves beyond the small model support Foundry Local previously offered and is currently available to qualified customers rather than broadly.
• The overall architecture is designed to span connected, hybrid, and fully disconnected modes under a consistent governance model, which reduces the operational complexity of managing separate toolsets for different connectivity scenarios. 
• Organizations considering this stack should evaluate hardware requirements carefully, given the GPU dependencies for AI inferencing workloads.

57:25 Best Practice: Using Self-Signed Certificates with Java on Azure Functions 

Winner of the dumbest feature of the week: 

• Java developers on Azure Functions Linux who connect to services secured by self-signed certificates frequently encounter SSL handshake errors because the JVM only trusts well-known Certificate Authorities by default. The recommended fix is creating a custom truststore in the persistent /home directory and pointing the JVM to it via JAVA_OPTS application settings.
• The core reason to use /home for the truststore rather than system JVM directories is that the Linux Functions file system is ephemeral, meaning any changes outside /home are wiped on restart, scaling, or platform updates. Storing the keystore at a path like /home/site/wwwroot/my-truststore.jks ensures it survives those events.
• One practical deployment gotcha worth noting is that ZipDeploy or Run From Package configurations can overwrite /home/site/wwwroot contents during code deployments, so storing the .jks file in a separate directory like /home/my-certs/ is a safer long-term choice.
• Azure Functions Linux behaves differently from Azure App Service Linux in a notable way: App Service startup scripts often auto-import platform-managed certificates into the JVM keystore, but Functions does not, meaning OS-level tools like curl may succeed while Java code still throws handshake errors.
• For teams that prefer not to manage server-side keystore files, two code-based alternatives exist: loading an Azure-managed certificate from /var/ssl/certs via custom SSLContext code, or bundling a locally built JKS file inside the application JAR. Both require application code changes, which adds maintenance overhead compared to the JAVA_OPTS approach.

1:03:46 Justin – “This is just a way for you to troubleshoot certificates even worse than you were troubleshooting it before.” 

Quick Hits

1:05:19 Announcing general availability of Azure Intel® TDX confidential VMs 

• Azure has moved its Intel TDX confidential VMs to general availability, using 5th Gen Intel Xeon processors to provide hardware-enforced isolation that protects data while in use, which addresses a longstanding barrier for organizations running sensitive workloads in the cloud. Notably, existing applications can be deployed without any code changes.
• The new VM series (DCesv6, DCedsv6, ECesv6, ECedsv6) introduces NVMe local SSD support as a first for Azure confidential VMs, delivering roughly 5x more throughput and about 16% lower latency compared to the previous SCSI generation, with IO latency reduced by approximately 27 microseconds.
• These VMs are the first in Azure confidential compute to use the open-source OpenHCL paravisor, which increases transparency and allows customers to cryptographically verify workload integrity rather than simply trusting the cloud operator. 
• The open-source component is available at github.com/microsoft/openvmm.
• Intel AMX acceleration is built in, making these VMs suited for confidential AI workloads such as protecting model weights and running cross-organization AI pipelines without exposing underlying data. 
• Azure Boost support adds up to 205k IOPS, 4 GB/s remote storage throughput, and 40 Gbps network bandwidth.
• General availability is currently limited to the West US and West US 3 regions, with support for Windows Server 2025 and Ubuntu 22.04 and 24.04. Pricing is not specified in the announcement, and customers can request preview access in additional regions at aka.ms/acc/v6preview.

1:10:10 Generally Available: Draft & Deploy on Azure Firewall

• Azure Firewall Policy now supports a two-phase Draft and Deploy workflow, meaning teams can stage policy changes before committing them, which reduces the risk of unintended disruptions during updates.
• Previously, any policy change triggered a full firewall deployment, which could cause delays and service interruptions. 
• This feature separates the authoring phase from the deployment phase, giving teams more control over when changes go live.
• The feature is particularly useful for organizations with strict change management processes, as it allows multiple edits to be batched and reviewed before a single deployment is executed, rather than deploying each change individually.
• This is now generally available, so production workloads can rely on it. Azure Firewall Policy pricing remains consumption-based, and customers should check the Azure Firewall pricing page at azure.microsoft.com for current rates, as costs vary by policy tier and region.
• Teams managing complex or high-traffic environments will benefit most, since reducing the frequency of full deployments directly translates to fewer maintenance windows and more predictable firewall behavior.

1:10:27 Azure Container Registry Premium SKU Now Supports 100 TiB Storage

• Azure Container Registry Premium SKU now supports up to 100 TiB of storage, a 2.5x increase from the previous 40 TiB cap, with no configuration changes required for existing registries to benefit automatically.
• The increase directly addresses a real operational pain point where enterprises were splitting workloads across multiple registries just to stay under limits, adding complexity to access control and networking that had nothing to do with actual business requirements.
• AI and ML workloads are a clear driver here, as teams storing large model artifacts, training outputs, and inference containers were consuming registry capacity faster than anticipated, alongside normal container workload growth.
• Microsoft also improved geo-replication data sync speeds for new replicas and added a storage consumption view in the Azure Portal Monitoring tab, two improvements that had been customer requests for some time.
• The 100 TiB limit is exclusive to Premium SKU, so teams on Basic or Standard tiers will need to upgrade to access it, though Premium also includes geo-replication, private endpoints, and enhanced throughput. 
• Pricing details for Premium SKU storage are available at the Azure Container Registry pricing page.

1:10:47 Ryan – “So now instead of two windows container images you can store FOUR.” 

1:13:37 New Azure API management service limits 

• Azure API Management is rolling out updated resource limits starting March 2026, aligning classic tier limits with v2 tier limits across entities like API operations, tags, products, and subscriptions. This affects all service tiers in a phased rollout over several months.
• Existing classic tier customers whose usage exceeds the new limits will be grandfathered in, with their limits set 10% above observed usage at the time the new limits take effect. 
• New services and those under the new thresholds will be subject to the updated limits immediately.
• Limit increase requests will only be considered for Standard, Standard v2, Premium, and Premium v2 tiers, with Premium customers receiving priority. Requests are evaluated case by case and are not guaranteed, so teams relying on high resource counts should audit their usage now.
• Before requesting a limit increase, Microsoft recommends reviewing the Manage Resources Within Limits documentation at learn.microsoft.com, as some increases can introduce latency or affect service capacity. 
• This is a practical reminder that limits exist to protect shared infrastructure performance, not just to restrict usage.
• Pricing for API Management tiers varies, with the Developer tier starting around $0 for testing and the Premium tier running substantially higher for production workloads. Customers on lower tiers, like Consumption or Developer, cannot request limit increases, so production workload planning should account for tier selection early.

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• Zero Bus, All Gas, No Kafka Brakes
• AI Coding Bot Bites the Hand That Runs It
• When Your Robot Developer Goes Rogue on AWS
• Kubernetes VPA Finally Stops Evicting Your Database Pods
• Google Trains 100 Million People, Still No One Reads the Docs 
• MCP Walks Into a Bar Not Enterprise Ready Yet
• No More Pod Evictions Kubernetes 1.35 Scales In Place
• No Keys No Drama Just IAM and Cloud SQL
• One Agent to Rule Them All in Kubernetes
• IAM Tired of Writing Policies Manually
• When Your AI Coding Tool Has Delete Permissions
• One Dashboard to Rule All Your GPU Clusters
• Serverless Reservations Prove Nothing Is Truly Free Range
• Kiro Takes the Wheel on AWS IAM Policies
• Stop Blaming Backups for Your Bad Architecture
• AI Agent Goes Rogue, Takes AWS Down With It
• Everything is Bigger in Texas Except the Water Usage
• OpenAI launches the college basketball of Inference. Pro service – low cost

General News 

1:05 Code Mode: give agents an entire API in 1,000 tokens

• Cloudflare‘s Code Mode MCP server reduces token consumption by 99.9% compared to a traditional MCP implementation, exposing the entire Cloudflare API (over 2,500 endpoints) through just two tools, search() and execute(), using roughly 1,000 tokens versus 1.17 million for a conventional approach.
• The architecture works by having the AI agent write JavaScript code against a typed OpenAPI spec representation, rather than loading tool definitions into context, with code executing inside a sandboxed V8 isolate (Dynamic Worker) that restricts file system access, environment variables, and external fetches by default.
• This approach addresses a fundamental constraint in agentic AI systems: adding more tools to give agents broader capabilities directly competes with the available context space for the task at hand.

01:41 Jonathan- “It’s good. I’m not sure I could imagine 2 ½ thousand MCP tool definitions in a context window and still actually use it for anything.”   

AI Is Going Great – Or How ML Makes Money 

03:58 OpenClaw creator Peter Steinberger joins OpenAI

• Peter Steinberger, creator of viral AI assistant OpenClaw (formerly Clawdbot/Moltbot), has joined OpenAI to lead development of next-generation personal agents. 
• OpenClaw gained attention for its ability to perform real-world tasks like calendar management, flight booking, and autonomous social network participation.
• OpenAI will maintain OpenClaw as an open source project through a foundation structure, allowing the community to continue development while Steinberger focuses on building similar capabilities into OpenAI’s product suite. 
• This acquisition-to-open-source model differs from typical tech company acquisitions, where projects are absorbed or shut down.
• The move signals OpenAI’s strategic focus on agentic AI systems that can execute multi-step tasks autonomously rather than just responding to prompts. Steinberger’s experience building practical automation workflows could accelerate OpenAI’s development of agent capabilities that compete with offerings from Anthropic, Google, and Microsoft.
• For developers, this represents a shift in how personal AI assistants may be deployed, moving from standalone applications to integrated agent frameworks within larger platforms. 
• The open source continuation of OpenClaw provides a reference implementation for building task-oriented AI systems.

04:19 Matt – “This is kind of where I see Anthriopic Cowork slowly going to, being your personal assistant, and having this be your ability to manage your real-world tasks. It’s great, and if they can build that into OpenAI, then it becomes a lot more of a personal assistant than just a general tool that you’re using.” 

09:11 Making frontier cybersecurity capabilities available to defenders

• Anthropic launched Claude Code Security in a limited research preview for Enterprise and Team customers, with free expedited access for open-source maintainers. 
• Unlike traditional static analysis tools that match known vulnerability patterns, it reasons through code contextually, the way a human security researcher would, catching logic flaws and access control issues that rule-based tools miss.
• The tool uses a multi-stage verification process where Claude re-examines its own findings to filter false positives, assigns severity ratings, and provides confidence scores. 
• Critically, no patches are applied without human approval, keeping developers in the decision loop.
• For cloud and enterprise teams, this integrates directly into Claude Code on the web, meaning security review happens within existing developer workflows rather than requiring separate tooling. The dashboard surfaces validated findings alongside suggested patches for team review.
• Want to request access? You can do that here. 

09:35 Preview, review, and merge with Claude Code

• Claude Code on desktop now closes the full development loop by adding live app preview, inline code review, and GitHub PR monitoring in a single interface, reducing the need to switch between tools during development.
• The new auto-fix and auto-merge features allow Claude to monitor PRs in the background, automatically attempt to fix CI failures, and merge PRs once all checks pass, letting developers move on to new tasks without manually tracking PR status.
• The inline code review feature via the Review Code button lets Claude examine local diffs and leave comments directly in the desktop diff view before any code leaves the machine, functioning as an automated pre-push review step.
• Session portability is now built in, allowing developers to start a session in the CLI using /desktop to bring context into the desktop app, or push local sessions to the web or Claude mobile app using the Continue with Claude Code on the web button.
• These updates are available now to all users and represent a shift toward agentic, background-running development workflows where the AI continues working on tasks like CI remediation while the developer focuses elsewhere.

11:20 Jonathan – “It’s a very human way of going back and self-reflecting on the work that you’ve just done.”  

18:08 Announcing General Availability of Zerobus Ingest, part of Lakeflow Connect

• Databricks has announced General Availability of Zerobus Ingest, part of Lakeflow Connect, a serverless streaming service that pushes data directly into Delta tables without intermediate message buses like Kafka. 
• It supports thousands of concurrent connections and achieves over 10GB per second of aggregate throughput with data landing in under 5 seconds.
• The core architectural difference is a single-sink design versus Kafka’s multi-sink approach, reducing a traditional five-system streaming stack down to two components. 
• This eliminates dedicated compute and storage for the message bus itself, along with the engineering overhead to manage it, at a fraction of the cost per gigabyte compared to self-managed Kafka.
• Developers can integrate via gRPC, REST APIs, or language-specific SDKs, and every write is automatically governed through Unity Catalog for lineage tracking and access control. 
• This means streaming data gets the same governance treatment as the rest of the lakehouse from the moment it arrives.
• Real-world deployments include Toyota using it to detect factory overheating conditions in minutes rather than hours, and Joby Aviation reducing aircraft telemetry resolution latency from days to minutes. 
• Both cases highlight manufacturing and IoT as strong use cases where low-latency ingestion has a direct operational impact.
• Zerobus Ingest is now GA on AWS and Azure, with Google Cloud support coming soon, priced under the Lakeflow Jobs Serverless SKU with a 6-month promotional pricing period currently active.

20:05 Jonathan – “I’m not a fan of Kafka in general, but I am a fan of doing things at massive scale, so it’s kind of cool.” 

07:27 OpenAI prepares new ChatGPT Pro Lite tier at $100 monthly

• OpenAI appears to be preparing a ChatGPT Pro Lite tier at $100 per month, slotting between the existing Plus plan at $20 and the full Pro plan at $200, based on findings from engineer Tibor Blaho, who has a consistent track record of uncovering unreleased features.
• The new tier would address a notable pricing gap for users who regularly hit Plus rate limits but cannot justify the full Pro cost, with freelancers, researchers, and developers as the likely target audience.
• The plan may be structured around compute-heavy use cases, including Codex and persistent agentic workloads, where background-running agents carry substantially higher infrastructure costs than standard chat interactions.
• OpenAI recently hired Peter Steinberger, creator of the open-source agent framework OpenClaw, and has signaled a multi-agent direction for ChatGPT, suggesting the Pro Lite tier could serve as an entry point for always-on agentic capabilities rather than just increased chat limits.
• No release date or confirmed feature set exists yet, but the addition of a mid-tier option would create competitive pressure on Google, which currently lacks an equivalent individual plan at this price point.

21:56 Matt – “I just think they needed a different naming convention.” 

Cloud Tools 

23:11 HCP Packer adds SBOM vulnerability scanning

• HCP Packer now includes SBOM vulnerability scanning in public beta, allowing platform teams to scan software bills of materials against MITRE’s CVE database and classify findings by severity directly within the artifact registry.
• The feature builds on last year’s SBOM storage capabilities, which are now generally available, meaning teams can generate, store, and now actively scan SBOMs for known vulnerabilities in a single workflow.
• This addresses a supply chain security gap by surfacing vulnerability data at the image level, covering AMIs, Docker containers, and virtual machines before they reach production environments.
• Teams can see which specific package versions are affected and when vulnerabilities were detected, giving them the information needed to prioritize remediation without leaving the HCP Packer interface.
• The feature is available in public beta at no cost through the free HCP Packer tier, making it accessible for teams looking to add CVE scanning to their image management process without additional tooling.

24:15 Jonathan – “It’s only as current as the time you built it though…” 

25:43 Why Kubernetes 1.35 is a game-changer for stateful workload scaling 

• Kubernetes 1.35 brings two notable autoscaling milestones: In-Place Pod Resize graduating to GA and Vertical Pod Autoscaler’s InPlaceOrRecreate update mode reaching beta, allowing VPA to adjust CPU and memory on running pods without evicting them.
• The practical benefit for stateful workloads is substantial. 
• Previously, VPA had to evict and recreate pods to apply new resource requests, which caused disruption for databases, caches, and other restart-sensitive applications. In-place resizing preserves the pod UID, container ID, and restart count throughout the adjustment.
• VPA operates in three stages worth understanding: a recommendation-only mode for passive observation, an InPlaceOrRecreate mode that attempts live resizing first and falls back to eviction only when node resources are insufficient, and configurable policies using minAllowed and maxAllowed to bound what VPA can actually set.
• VPA controllers are not bundled with Kubernetes itself. 
• Engineers need to clone the kubernetes/autoscaler repository and run the vpa-up.sh script to deploy the Recommender, Updater, and Admission Controller components alongside the mutating 

26:09 Jonathan – “I think the practical benefit for stable workloads are fairly substantial, if you’re one of those crazy people who like to run databases or SQL server on Kubernetes (like Cody) because previously those pods would be evicted and new resources requested, which would obviously cause disruption, stale caches, and other issues.” 

AWS 

31:20 Amazon service was taken down by AI coding bot

• Listener note: paywall article
• Amazon’s Kiro AI coding tool caused a 13-hour outage of an AWS cost exploration service in December after engineers granted it broad permissions, and it autonomously decided to delete and recreate the environment rather than patch it. 
• A second outage involved Amazon Q Developer, though Amazon says neither event impacted core customer-facing AWS services.
• Amazon’s official position is that both incidents were user error stemming from improper access controls, not failures of the AI tools themselves. 
• Kiro is designed to request authorization before acting, but the engineer involved had been granted broader permissions than intended, bypassing that safeguard.
• The incidents highlight a practical risk with agentic AI tools in production environments: when an AI agent is given the same permissions as a human operator without requiring peer review, it can take destructive autonomous actions that a second set of eyes might have caught. AWS has since added mandatory peer review and staff training as corrective measures.
• AWS is pushing for 80 percent of its developers to use AI coding tools at least once weekly, which means these tools are being adopted at scale internally before the risk patterns are fully understood. 
• Listeners running their own AI agents in production should treat permission scoping and human-in-the-loop approval gates as non-optional controls, not optional defaults.
• Kiro launched in July 2025 and is positioned as a specification-driven coding assistant meant to go beyond simple vibe coding. 
• The December incident was limited to mainland China, and the second incident had no customer-facing impact, but the pattern of two production disruptions in a few months is worth tracking as agentic tools become more common in enterprise workflows.

33:24 Matt – “…if you’re letting the AI tool start to do things inside of production environments, that’s where you need to watch it, and you need to probably have it be a little bit more specific, so the human needs to kind of be watching what’s going on and peer reviewing it.” 

35:49 Amazon pushes back on Financial Times report blaming AI coding tools for AWS outages 

• Amazon issued a public rebuttal to a Financial Times report claiming its Kiro AI coding tool caused multiple AWS outages, acknowledging one limited incident in December but attributing it to a misconfigured access control role rather than a flaw in the AI tool itself.
• The confirmed disruption affected only AWS Cost Explorer in a single China region for roughly 13 hours, with no customer inquiries received, and did not touch core services like compute, storage, or databases.
• Amazon’s core defense is that the issue was user error, not AI error, noting that a misconfigured role could result from any developer tool or manual action, AI-powered or not.
• In response to the incident, AWS has added safeguards, including mandatory peer review for production access, which is a practical governance consideration for any organization deploying agentic AI tools in production environments.
• The broader takeaway for AWS customers is that agentic AI tools capable of autonomous actions, like deleting and recreating environments, require clear human oversight policies and access control guardrails before being used in production systems.

37:00 AWS IAM Policy Autopilot is now available as a Kiro Power

• AWS IAM Policy Autopilot, an open source static code analysis tool launched at re:Invent 2025, is now available as a Kiro Power, allowing developers to generate baseline IAM policies directly within the Kiro IDE without manual policy writing.
• The integration uses a one-click installation model that removes the need for manual MCP server configuration, streamlining how developers access policy generation tools during AI-assisted development workflows.
• Key use cases include rapid prototyping of AWS applications, baseline policy creation for new projects, and keeping developers in their coding environment rather than switching to the IAM console or documentation.
• This fits into the broader trend of embedding security and permissions tooling earlier in the development cycle, helping teams start with least-privilege policies that can be refined over time rather than retrofitting permissions after the fact.
• The tool is open source and available on GitHub at github.com/awslabs/iam-policy-autopilot, with no additional cost mentioned beyond standard Kiro and AWS service usage, making it accessible for teams already using the Kiro IDE.

38:18 Jonathan – “I’m really on the fence about this. Because on one hand, I know the pain, especially with things like deployment policies…and just trying to figure out every permission that has to be added so that Terraform can just do a deployment – it becomes very complicated. At the same time, if you have a machine that looks at your code and says ‘this is the policy you need for it,’ I don’t think that’s any security at all unless there’s another check at the end.” 

-Honorable Mentions- 

41:52 Amazon Redshift Serverless introduces 3-year Serverless Reservations

• Amazon Redshift Serverless now offers 3-year Serverless Reservations, providing up to 45% cost savings compared to standard on-demand RPU pricing while maintaining the serverless model’s flexibility.
• The reservations are managed at the AWS payer account level and can be shared across multiple AWS accounts, making this useful for organizations running Redshift Serverless workloads across linked accounts.
• -stop
• Billing runs 24/7 on an hourly basis, metered per second, meaning you pay for reserved RPUs continuously, regardless of actual usage, so this option makes most sense for consistently active workloads rather than sporadic ones.
• Any RPU consumption beyond the reserved amount falls back to standard on-demand rates, so customers need to size their reservations carefully to avoid negating the savings.
• Reservations can be purchased through the Redshift console or via the create-reservation API and are available in all regions where Redshift Serverless is currently supported.
• More information is available on the Amazon Redshift Management Guide, which you can find here. 

42:03 Amazon Says It Will Spend $12 billion On Louisiana Data Centers 

• Amazon has announced a $12 billion investment in data center campuses in Louisiana, aimed at expanding infrastructure capacity for AI and cloud computing workloads.
• A notable aspect of the deal is Amazon’s commitment to covering its own power costs directly, working with regional utility Southwestern Electric Power Company to avoid passing energy expenses onto local consumers.
• Amazon is pairing the infrastructure investment with solar energy projects in Louisiana, which aligns with its broader sustainability commitments and addresses concerns about grid strain from large-scale data center operations.
• This announcement reflects a broader industry trend where cloud providers are proactively addressing public and political concerns about data center energy consumption, following a similar commitment from Microsoft last month regarding higher electricity rate payments.
• For AWS customers, this expansion signals continued investment in US-based infrastructure capacity, which could translate to improved regional availability and lower latency for workloads in the southern United States over time.

42:18 Announcing AWS Elemental Inference

• AWS Elemental Inference is a fully managed AI service that automatically generates vertical video crops and highlight clips from live and on-demand broadcasts in parallel with encoding, targeting broadcasters who need to distribute content across TikTok, Instagram Reels, YouTube Shorts, and similar platforms without dedicated production staff.
• The service uses an agentic AI approach with no prompts or human-in-the-loop intervention required, handling both vertical video cropping and metadata-based highlight detection automatically, which reduces the manual workflow overhead typically associated with multi-platform content distribution.
• Beta testing with large media companies showed 34% or more cost savings on AI-powered live video workflows compared to using multiple point solutions, making this a notable consolidation option for media organizations already using AWS Elemental encoding services.
• A practical sports broadcasting use case is highlighted where highlight clips can be identified and distributed to social platforms during live games rather than hours after the fact, addressing a real operational gap in live content workflows.
• The service is available in four regions at launch: US East N. Virginia, US West Oregon, Asia Pacific Mumbai, and Europe Ireland. 
• Pricing details are not specified in the announcement, so listeners should check the AWS Elemental Inference documentation at docs.aws.amazon.com/elemental-inference for current pricing information.

GCP

57:25  Managed MCP servers for Google Cloud databases

• Google Cloud expanded its managed MCP server support to cover AlloyDB, Spanner, Cloud SQL, Bigtable, and Firestore, allowing AI agents to interact with these databases through natural language without requiring infrastructure deployment or complex configuration.
• The security model relies entirely on IAM for authentication rather than shared keys, and all agent actions are logged in Cloud Audit Logs, which addresses a practical concern for teams worried about giving AI agents access to production databases.
• A new Developer Knowledge MCP server connects IDEs directly to Google’s official documentation, letting agents reference best practices in real time during tasks like database migrations or app development troubleshooting.
• Because these servers follow the open MCP standard, they work with third-party clients like Anthropic’s Claude in addition to Gemini, which broadens the practical appeal beyond teams already committed to Google’s AI tooling.
• Google has signaled plans to extend managed MCP support to Looker, Memorystore, Pub/Sub, Kafka, and migration services in the coming months, suggesting this is an ongoing buildout rather than a one-time release. 
• Pricing is not separately listed for MCP access and likely falls under existing database service costs.

44:12 Matt – “Anything that makes databases easier, I’m all for.” 

45:12 Gemini 3.1 Pro: Announcing our latest Gemini AI model

• Gemini 3.1 Pro is now available in preview for developers via Google AI Studio, Gemini CLI, Vertex AI, and Android Studio, with enterprise access through Vertex AI and Gemini Enterprise. Pricing details have not been publicly announced for the preview period.
• The model scores 77.1% on the ARC-AGI-2 benchmark, which tests reasoning on novel logic patterns, representing more than double the score of the previous Gemini 3 Pro model. 
• This positions it as a stronger option for complex problem-solving tasks compared to its predecessor.
• Practical use cases highlighted include generating animated SVGs from text prompts, building live data dashboards by connecting to public APIs, and prototyping interactive 3D interfaces with hand-tracking and generative audio. These examples suggest the model is particularly suited for developers working on data visualization and creative coding projects.
• Consumer access is rolling out through the Gemini app and NotebookLM, but the 3.1 Pro tier is restricted to Google AI Pro and Ultra plan subscribers. This tiered access model means free-tier users will not have access during the preview phase.
• Google notes the model is still in preview while they validate performance for agentic workflows before a general availability release. GCP customers evaluating it for production use should factor in that capabilities and pricing may shift before the full release.

46:23 Matt – “It’s just amazing to me how fast these models are improving. This one is saying it scored a 77%, where models a year ago where 40 and 50%. Seeing how fast everything is moving is insane.” 

47:36 Understanding the Firefly clock synchronization protocol

• Google’s Firefly is a software-based clock synchronization protocol that achieves sub-10-nanosecond NIC-to-NIC synchronization across data center hardware, without requiring specialized or expensive dedicated timing equipment.
• The protocol uses a distributed consensus algorithm built on random graphs rather than a traditional hierarchical time server model, which improves convergence speed, scalability, and resilience to network path asymmetries.
• Firefly decouples internal synchronization from external UTC synchronization, meaning external time server jitter does not degrade the precision of clock alignment within the data center fabric itself.
• Financial services workloads are a primary beneficiary, as regulatory requirements mandate sub-100 microsecond external UTC synchronization and sub-10 nanosecond internal synchronization, both of which Firefly meets on standard cloud infrastructure.
• Beyond finance, the protocol has practical implications for distributed database consistency, ML workload coordination, and fine-grained network telemetry, potentially enabling workloads that previously required on-premises dedicated hardware to run on cloud infrastructure instead. No specific pricing details were provided in the announcement.

48:52 Jonathan – “The fact that you need to guarantee sub-hundred microsynchronization for financial systems is crazy.” 

-Honorable Mentions- 

50:32 America-India Connect infrastructure connects four continents

• Google is investing $15 billion in AI infrastructure in India and launching America-India Connect, a multi-continent subsea cable initiative that establishes new fiber-optic routes connecting the United States, India, Singapore, South Africa, and Australia. 
• The project creates Visakhapatnam as a new international subsea gateway on India’s east coast, adding network diversity beyond existing Mumbai and Chennai landing points.
• The infrastructure combines multiple subsea cable systems, including Equiano, Nuvem, Bosun, Tabua, TalayLink, and Honomoana, to create redundant high-capacity routes between American coasts and India through both African and Pacific paths. 
• This approach provides network resilience for over 1 billion people in India while improving connectivity across the Southern Hemisphere.
• Google Cloud is serving as the primary cloud infrastructure provider for India’s iGOT Karmayogi platform, which delivers training to over 20 million public servants across 800+ districts. 
• The platform will use AI to digitize legacy training content and enable access in 18+ Indian languages, supporting the government’s Mission Karmayogi initiative for civil service modernization.
• The announcement positions these subsea cables as critical infrastructure to prevent an AI divide, with documented evidence that subsea cable connectivity improves internet affordability and reliability while driving productivity and economic growth. 
• The initiative builds on Google’s existing infrastructure investments in Africa, Australia, and the Pacific region.
• Added this one just for you, Justin. 

52:20 Wilbarger County data center

• Google is building a new data center in Wilbarger County, Texas, expanding its existing infrastructure footprint in the state. 
• This is primarily an infrastructure capacity announcement rather than a new GCP service or feature.
• The facility will use air-cooling technology instead of traditional water cooling, limiting water consumption to only essential campus operations like kitchens. This is a notable operational choice given ongoing concerns about data center water usage in drought-prone regions.
• Google has contracted to add more than 7,800 MW of net-new energy generation and capacity to the Texas electricity grid, with the Wilbarger facility co-located alongside new clean power developed in partnership with AES.
• Google announced a $30 million Energy Impact Fund in November to support energy affordability, school weatherization, and energy workforce development across Texas. Details on the fund are available here. 
• For GCP customers, additional Texas-based infrastructure generally signals potential improvements in latency and redundancy for workloads serving the south-central US region, though Google has not announced specific new GCP regions or zones tied to this facility.

52:55 Use Lyria 3 to create music tracks in the Gemini app

• Google DeepMind’s Lyria 3 model is now available in beta within the Gemini app, letting users generate 30-second music tracks with lyrics, custom cover art, and style controls from text prompts or uploaded photos and videos. 
• This is available to users 18 and older in 8 languages, with higher usage limits for Google AI Plus, Pro, and Ultra subscribers.
• Lyria 3 improves on previous versions by auto-generating lyrics from prompts, offering more control over style, vocals, and tempo, and producing more musically complex outputs without requiring users to provide their own creative assets.
• All generated tracks are embedded with SynthID, Google DeepMind’s imperceptible watermark, and the Gemini app now extends its AI content verification to audio files, allowing users to upload audio and check whether it was generated by Google AI.
• The feature is also rolling out to YouTube creators via Dream Track for Shorts soundtracks, connecting Lyria 3 to a broader content creation workflow beyond the Gemini app itself.
• On the responsible AI side, Google states Lyria 3 was trained with copyright and partner agreements in mind, artist-specific prompts are treated as stylistic inspiration rather than direct mimicry, and output filters check against existing content, though Google acknowledges this approach is not guaranteed to catch all issues.

Azure

57:25 A milestone achievement in our journey to carbon negative

• Microsoft has achieved its 2025 goal of matching 100 percent of global electricity consumption with renewable energy, contracting 40 gigawatts of new renewable capacity across 26 countries since 2020. 
• This represents enough energy to power approximately 10 million US homes, with 19 GW currently online and the remainder coming online over the next five years.
• The renewable energy procurement has reduced Microsoft’s reported Scope 2 carbon emissions by an estimated 25 million tons and mobilized billions in private investment through over 400 contracts with 95 utilities and developers. This directly impacts Azure datacenter operations globally, supporting the infrastructure that runs customer workloads while advancing toward the company’s 2030 carbon negative commitment.
• Microsoft is expanding beyond renewable energy to include nuclear power and other carbon-free technologies, including a 50 MW fusion project with Helion in Washington state and restarting the 835 MW Crane Clean Energy Center in Pennsylvania with Constellation Energy. The Climate Innovation Fund has allocated $806 million to 67 investees, with 38 percent directed toward energy systems innovation.
• The company is deploying AI-driven tools to accelerate clean energy deployment, including collaborations with Idaho National Laboratory for nuclear licensing and the Midcontinent Independent System Operator for grid optimization. 
• These tools aim to streamline the design, permitting, and deployment of new power technologies to expand grid capacity more efficiently.
• Azure customers benefit indirectly through more sustainable cloud infrastructure, though Microsoft notes the shift to an all-of-the-above decarbonization strategy recognizes that rising electricity demand from datacenters, AI workloads, and digital services requires diverse carbon-free energy sources beyond renewables alone.

55:58 Generally Available: Quota and deployment troubleshooting tools for Azure Functions Flex Consumption 

• Azure Functions Flex Consumption now has generally available quota and deployment troubleshooting tools built directly into the platform, giving developers clearer visibility into quota limits and constraints without needing to dig through documentation or support tickets.
• The quota troubleshooting experience surfaces Flex Consumption-specific limits in context, which is useful for teams hitting scaling walls and trying to understand why deployments are behaving unexpectedly.
• This is a quality-of-life improvement aimed at developers and platform engineers who use Flex Consumption for its per-execution billing model and fast scaling, helping reduce time spent diagnosing deployment failures.
• Pricing for Flex Consumption remains consumption-based, so there is no additional cost for these troubleshooting tools themselves. More details are available at the Azure updates page here. 
• Teams already invested in Azure Functions should note this reduces reliance on external monitoring or support escalations for common quota-related issues, keeping troubleshooting within the Azure portal workflow.

56:32 Matt – “This is a great quality of life improvement because you can see why things are breaking when you’re using flexible consumption.” 

-Honorable Mentions-

1:01:07 Public Preview Announcement: Empower Real-Time Security with Microsoft Sentinel’s CCF Push Feature | Microsoft Community Hub

• Microsoft Sentinel’s CCF Push feature, now in public preview, allows security data providers to send logs directly to a Sentinel workspace without the traditional setup overhead of manually configuring Data Collection Endpoints, Data Collection Rules, Entra app registrations, and RBAC assignments. Pressing Deploy handles all resource provisioning automatically.
• The feature is built on Sentinel’s Log Ingestion API, which supports high-throughput data ingestion, pre-ingestion data transformation, and direct targeting of system tables, making it more flexible than the older polling-based connector model.
• For partners and ISVs building Sentinel integrations, CCF Push reduces time to market by consolidating connector deployment through the Content Hub as a single interface, rather than requiring customers to configure multiple Azure resources independently.
• Early adopters include security vendors like Obsidian Security and Varonis, suggesting the feature is already being validated in real-world security workflows. 
• Developers can reference the MS Learn documentation here to get started.
• No specific pricing details were provided in the announcement, but since CCF Push feeds data into Sentinel workspaces, standard Sentinel and Log Analytics ingestion costs would apply. 
• Organizations evaluating this feature should factor in their existing Sentinel pricing tier when estimating costs.

1:01:24 Microsoft Sovereign Cloud adds governance, productivity and support for large AI models securely running even when completely disconnected

• Azure Local disconnected operations are now generally available, allowing organizations to run mission-critical infrastructure with full Azure governance and policy enforcement even when completely isolated from cloud connectivity. This targets government, defense, and regulated industries where external dependencies are either unacceptable or prohibited.
• Microsoft 365 Local disconnected brings Exchange Server, SharePoint Server, and Skype for Business Server into fully air-gapped sovereign environments running on Azure Local, with Microsoft committing support for these workloads through at least 2035. 
• This keeps productivity tools available under the same governance boundary as infrastructure workloads.
• Foundry Local now supports large multimodal AI models running on-premises hardware, including NVIDIA GPUs, within fully disconnected sovereign environments. This extends local AI inferencing capabilities beyond the smaller models Foundry Local previously supported, with Microsoft providing deployment, update, and operational health support.
• The three components together form a full-stack sovereign private cloud covering infrastructure, productivity, and AI inferencing, all manageable through consistent Azure governance tooling regardless of connectivity state. 
• Pricing is not publicly listed and appears to vary based on deployment scale and customer qualification, so organizations should contact Microsoft directly for specifics.
• Target customers include public sector agencies, classified environments, and regulated industries in regions where data residency and operational autonomy are legal or contractual requirements. 
• Azure Local is disconnected, and Microsoft 365 Local is available worldwide, while large model support on Foundry Local is currently limited to qualified customers.

Emerging Clouds 

1:03:04 Introducing Command Center:  The unified operations platform  for AI workloads

• Crusoe Command Center is a unified operations platform that consolidates GPU cluster monitoring, orchestration, and support into a single interface, addressing the common problem of engineers context-switching between fragmented dashboards during AI training runs.
• The platform integrates with Crusoe Managed Kubernetes and supports Managed Slurm, allowing long-running multi-week training jobs to operate continuously across large GPU clusters without manual intervention.
• AutoClusters is a key component that automatically detects GPU performance degradation, evicts compromised nodes, and replaces them with healthy instances from a reserve pool, reducing the need for around-the-clock manual oversight.
• On the observability side, Command Center supports multiple access methods, including a UI, Grafana via PromQL API, and a Prometheus endpoint, while a Telemetry Relay feature streams infrastructure metrics directly to external tools to reduce data silos.
• The Crusoe Watch Agent, paired with Telemetry Relay, extends visibility to custom application-level metrics, allowing teams to correlate workload performance with underlying GPU health data for more precise troubleshooting.

1:04:04 Matt – “The whole stack here is what I kind of find nice. The smaller clouds are trying to attack that whole vertical a lot more, where they’re giving you that depth all the way down, so if you are training your own model, you get the CPU, you get the GPU, you can see that whole stack of what’s going on, and really start to fine-tune.”     

1:05:09 Expanding our Agentic Inference Cloud: Introducing GPU Droplets Powered by AMD Instinct MI350X GPUs

• DigitalOcean is adding AMD Instinct MI350X GPUs to its GPU Droplets lineup, built on the CDNA 4 architecture and optimized for inference workloads, including prefill phase compute, low-latency token generation, and larger context windows.
• The platform has demonstrated measurable results with existing customers, including a 2x increase in production request throughput and 50% reduction in inference costs for Character.AI, giving potential adopters concrete performance benchmarks to evaluate.
• DigitalOcean is positioning these offerings toward AI-native companies and developers who need enterprise features like HIPAA eligibility and SOC 2 compliance without the complexity of larger cloud providers, with provisioning available in a few clicks.
• The GPUs are currently available in the Atlanta datacenter, with AMD Instinct MI355X GPUs planned for next quarter, which will introduce liquid-cooled rack infrastructure to support larger models and datasets.
• For smaller businesses and developers, the predictable usage-based pricing and simplified deployment model represent a meaningful alternative to the more complex pricing and configuration requirements typical of hyperscaler GPU offerings.

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• Chrome’s WebMCP Protocol: Teaching AI Agents to Stop Doom-Scrolling the DOM and Actually Get Work Done
• Claude Enterprise Self-Service: Because Sometimes You Just Want to Buy AI Without Small Talk
• AWS EC2 Goes Inception Mode: Now You Can Virtualize Your Virtualization Without Going Broke
• Amazon EC2 Nested Virtualization: Because Your Virtual Machine Was Lonely and Needed Its Own Virtual Machine
• CloudWatch Alarm Mute Rules: Because Your Deployment Doesn’t Need a Standing    Ovation at 3 AM
• Anthropic’s $380 Billion Valuation Proves AI Funding Has Gone Claude Nine
• AWS EC2 Nested Virtualization Finally Escapes the Expensive Hardware Jail
• Cloudflare Teaches AI Agents the Magic Words: Accept text/markdown and Save 13,000 Tokens
• Crusoe Cloud’s MCP Server: Teaching AI Assistants to Stop Asking for the Manager and Just Fix Your Infrastructure
• Azure’s New Agentic Copilot: Because Manually Clicking Through Dashboards Was So 2023
• Chrome’s WebMCP Gives AI Agents a GPS for Websites Because Apparently They’ve Been Lost in the HTML This Whole Time 
• Anthropic Cuts Out the Middleman: Claude Enterprise Now Available Without the Enterprise Sales Dance
• AWS Gives CloudWatch the Silent Treatment: New Mute Rules Let Alarms Sleep Through Maintenance Windows
• AWS CloudWatch Hits Snooze: Mute Rules End On-Call Nightmares
• AWS Gives CloudWatch the Silent Treatment

General News 

00:45 Bloat Risk? Microsoft’s Notepad Upgrade Also Introduced a Vulnerability | PCMag

• Microsoft’s recent Notepad modernization introduced CVE-2026-20841, a vulnerability in the new Markdown support feature that allows malicious links in files to execute remote code. 
• The flaw has been patched in the February 2026 security updates, but it highlights the security trade-offs when adding features to historically simple applications.
• The vulnerability exploits Notepad’s Markdown rendering capability, which Microsoft added in May to support lightweight markup language formatting. When Notepad opens a specially crafted Markdown file, embedded malicious links can trigger unverified protocols that load and execute remote files on the system.
• This incident raises questions about feature bloat in core Windows utilities, particularly as Microsoft continues adding network-dependent capabilities like AI-powered text writing to Notepad. Security researchers are debating whether basic text editors should have network functionality at all, given the expanded attack surface.
• The vulnerability demonstrates how modernization efforts can introduce security risks in previously low-risk applications. 
• Organizations using Windows need to ensure their systems receive the February 2026 security updates to address this specific flaw in Notepad’s Markdown implementation.

02:04 Matt – “I’m just confused why they didn’t use Copilot on their pull request in order to identify this as a potential bug. I feel like it should have found it. Just sayin’…”  

03:13 WebMCP is available for early preview

• Chrome is introducing WebMCP, a standardized protocol that lets websites expose structured tools and actions directly to AI agents, eliminating the need for agents to parse raw HTML and DOM elements. 
• This addresses a key reliability problem in agentic workflows where AI agents currently struggle with inconsistent web interactions.
• The protocol offers two interaction modes: a declarative API for simple HTML form-based actions and an imperative API for complex JavaScript-driven workflows. This dual approach lets websites define exactly how agents should interact with features like booking systems, support ticket forms, and checkout processes.
• Early use cases focus on high-value transactional workflows, including e-commerce product configuration, travel booking with complex filtering requirements, and automated customer support ticket creation with technical details. These scenarios benefit most from structured interactions versus unreliable DOM manipulation.
• The early preview program requires sign-up for access to documentation and demos, indicating this is still in experimental stages. 
• Developers interested in making their sites agent-ready will need to implement these new APIs to participate in the agentic web ecosystem Chrome is building.
• This represents Chrome’s attempt to standardize how AI agents interact with websites before the market fragments with competing approaches. Sites that adopt WebMCP early may gain advantages as browser-based AI agents become more prevalent.
• Interested in signing up for the preview? You can do that here. 

04:41 Ryan – “It makes a lot of sense why they want to standardize on a specific protocol, but I can’t help but feel like this is the beginning of the end of human interaction; where you’re going to have an AI agent-to-agent protocol.” 

AI Is Going Great – Or How ML Makes Money 

07:27 Anthropic raises $30 billion in Series G funding at $380 billion post-money valuation \ Anthropic

• Anthropic closed a $30 billion Series G at a $380 billion post-money valuation, reaching $14 billion in run-rate revenue with 10x annual growth for three consecutive years. 
• The company now serves eight of the Fortune 10, with over 500 customers spending more than $1 million annually.
• Claude Code, made generally available in May 2025, has grown to $2.5 billion in run-rate revenue and now accounts for 4% of all public GitHub commits worldwide. Business subscriptions quadrupled since early 2026, with enterprise customers representing over half of Claude Code’s revenue.
• Opus 4.6 launched last week as the latest model release, leading the GDPval-AA benchmark for economically valuable knowledge work in finance and legal domains. The model powers agents capable of generating professional documents, spreadsheets, and presentations autonomously.
• Anthropic expanded its product portfolio in January with over thirty launches, including Cowork, which extends Claude Code capabilities to broader knowledge work with eleven open-source plugins for specialized roles. 
• Claude for Enterprise is now HIPAA-compliant and available for healthcare and life sciences organizations.
• Claude remains the only frontier AI model available across all three major cloud platforms through AWS Bedrock, Google Cloud Vertex AI, and Microsoft Azure Foundry. 
• The company trains on diversified hardware, including AWS Trainium, Google TPUs, and NVIDIA GPUs, to optimize workload performance and resilience.

08:10 Matt – “Those numbers are insane. I just want to make sure we’re all clear about that.” 

15:16 Introducing Sonnet 4.6 \ Anthropic

• Claude Sonnet 4.6 is now generally available across all Claude plans, API, and major cloud platforms at the same pricing as Sonnet 4.5 ($3/$15 per million tokens), with a 1M token context window in beta. 
• The model now serves as the default for Free and Pro plan users, bringing Opus-class performance to a mid-tier price point.
• Computer use capabilities have improved substantially, with Sonnet 4.6 scoring 94% on insurance benchmarks and showing human-level performance on tasks like navigating complex spreadsheets and multi-step web forms. 
• The model demonstrates better resistance to prompt injection attacks compared to Sonnet 4.5 and performs similarly to Opus 4.6 on safety evaluations.
• Coding performance has advanced significantly, with early users preferring Sonnet 4.6 over Sonnet 4.5 roughly 70% of the time and even choosing it over Opus 4.5 59% of the time. 
• Users report better instruction following, less overengineering, fewer hallucinations, and more consistent follow-through on multi-step tasks, with one customer reporting an 80.2% score on SWE-bench Verified.
• Several features have reached general availability on the API, including code execution, memory, programmatic tool calling, tool search, and tool use examples. 
• Web search and fetch tools now automatically write and execute code to filter search results, improving response quality and token efficiency.
• The model supports both adaptive thinking and extended thinking modes, with context compaction in beta that automatically summarizes older context as conversations approach limits. 
• Claude in Excel now supports MCP connectors, allowing users to pull data from external sources like S&P Global, LSEG, and PitchBook directly within spreadsheets. 

17:42 Ryan – “I haven’t played with Sonnet because it’s just released, but playing around with Opus, you can see that it’s another major improvement in these steps, and it is pretty fantastic to use.”

19:44 Token Anxiety – by Nikunj Kothari – Balancing Act

• This article describes a cultural shift in San Francisco’s tech scene where developers are prioritizing AI agent management over social activities, with people leaving parties early to check on overnight code generation and spending weekends running 12-hour build sessions with AI assistants like Claude and Codex.
• The piece highlights how AI coding tools have created a new productivity anxiety where developers feel compelled to keep agents running continuously, even during sleep, to maximize output and stay competitive as new model capabilities and context windows are released weekly.
• Developers are adopting new vocabulary around AI models, discussing them like sommeliers evaluate wine and using animal training metaphors like keeping Claude on a tight leash for code review while giving it more slack for creative work.
• The constant stream of benchmark improvements and new AI capabilities is creating pressure to continuously optimize workflows, as each advancement makes previous methods feel outdated and multiplies the sense that competitors are already leveraging these improvements.
• This represents a broader shift in developer culture where traditional leisure activities are being replaced by AI-assisted building, with the primary social metric changing from what you accomplished to how many agents you have running in parallel.

24:25 Ryan – “I still don’t know how everyone has these overnight workloads; I guess I don’t trust AI at all; I’m not going to let it run unsupervised.”  

31:48 Alibaba Launches New LLM as China’s AI Battle Heats Up 

• Qwen 3.5 is out. No industry freakouts (like with DeepSeek) so far

33:06 Seed News – ByteDance Seed Team

• ByteDance officially launched Seedance 2.0, a next-generation video creation model with a unified multimodal audio-video architecture supporting text, image, audio, and video inputs. 
• The model can process up to 9 images, 3 video clips, 3 audio clips, and natural language instructions simultaneously for comprehensive content referencing and editing.
• The model delivers substantial improvements in complex motion rendering and physical accuracy, particularly excelling at multi-subject interactions like competitive figure skating with synchronized movements, mid-air spins, and precise landings that follow real-world physics. 
• Industry evaluations show Seedance 2.0 achieves leading performance in motion stability, instruction following, and visual aesthetics compared to competing models.
• Seedance 2.0 introduces dual-channel stereo audio generation with multi-track parallel output for background music, ambient effects, and voiceovers synchronized to visual rhythm. 
• The model supports 15-second high-quality multi-shot audio-video output suitable for commercial advertising, film VFX, game animations, and explainer videos.
• New video editing capabilities allow targeted modifications to specific clips, characters, actions, and storylines, plus video extension functionality for generating continuous shots based on user prompts. 
• The model demonstrates improved instruction-following for complex scripts and open-ended prompts while maintaining subject consistency across extended sequences.
• The unified multimodal architecture enables professional-grade content creation workflows where users can reference composition, motion, camera movement, visual effects, and audio elements from input assets, significantly lowering barriers to industrial-level video production without requiring specialized technical expertise.
• https://www.instagram.com/reel/DUm4zSvEn76/ – John Wick cat video as mentioned. 

34:53 Justin – “I’m surprised Hollywood stock didn’t crash today over this; very very impressive. Crazily so.” 

AWS 

36:47 Announcing new Amazon EC2 general purpose M8azn instances

• AWS launches M8azn instances powered by fifth-generation AMD EPYC Turin processors running at 5GHz, the highest CPU frequency available in the cloud. These general-purpose instances deliver 2x compute performance over M5zn and 24% better performance than M8a instances, with 4.3x higher memory bandwidth and 10x larger L3 cache.
• The instances target latency-sensitive workloads like high-frequency trading, real-time financial analytics, and simulation modeling for automotive and aerospace industries. 
• Built on sixth-generation Nitro Cards, they provide 2x networking throughput and 3x EBS throughput compared to M5zn instances.
• M8azn instances come in nine sizes from 2 to 96 vCPUs with up to 384 GiB memory at a 4:1 memory-to-vCPU ratio, including two bare metal variants. Available in US East Virginia, US West Oregon, Tokyo, and Frankfurt regions through On-Demand, Spot, and Savings Plans pricing models.
• The high-frequency positioning fills a specific niche for workloads requiring maximum single-threaded performance rather than just core count.
• This complements AWS’s broader M8a lineup by offering customers a choice between standard frequency instances and these premium high-frequency variants for specialized use cases.

37:03 Announcing Amazon EC2 C8i, M8i, and R8i instances on second-generation AWS Outposts racks

• AWS is bringing C8i, M8i, and R8i instances to second-generation Outposts racks, delivering 20% better performance and 2.5x more memory bandwidth compared to the previous C7i, M7i, and R7i generation. These instances also provide 20% more compute capacity within the same physical rack space and power consumption, improving density for on-premises deployments.
• The new instances run on custom Intel Xeon 6 processors exclusive to AWS and target workloads that need enhanced on-premises performance, including large databases, memory-intensive applications, real-time analytics, high-performance video encoding, and CPU-based ML inference. 
• This addresses the gap for customers who need cloud-class compute but must keep workloads on-premises due to latency, data residency, or regulatory requirements.
• Second-generation Outposts racks continue AWS’s hybrid cloud strategy by extending the latest EC2 instance types to customer data centers with the same APIs and tooling as the public cloud. 
• The availability varies by region, so customers should check the Outposts rack FAQs page for current country and territory support before planning deployments.
• The performance improvements come primarily from the memory bandwidth increase and processor generation upgrade, which should benefit database operations, in-memory caching, and data-intensive applications that previously hit memory bottlenecks on Outposts. 
• The power and space efficiency gains matter for customers with constrained data center capacity or energy budgets.

37:08 Amazon EC2 Hpc8a Instances powered by 5th Gen AMD EPYC processors are now available

• AWS launches Hpc8a instances powered by 5th Gen AMD EPYC processors, delivering 40% higher performance and 42% greater memory bandwidth than the previous Hpc7a generation, while offering up to 25% better price-performance for tightly coupled HPC workloads like computational fluid dynamics and weather modeling.
• The instances come in a single 96xlarge size with 192 cores, 768 GiB memory, and 300 Gbps Elastic Fabric Adapter networking, featuring customizable core counts at launch and sixth-generation AWS Nitro cards for offloaded virtualization functions. Simultaneous Multithreading is disabled by default to optimize HPC performance.
• Available now in US East Ohio and Europe Stockholm regions, with support for AWS ParallelCluster, AWS Parallel Computing Service, and Amazon FSx for Lustre integration to simplify cluster management and provide sub-millisecond storage latencies. Customers can purchase as On-Demand Instances or through Savings Plans, with specific pricing available on the EC2 pricing page.
• The 1:4 core-to-memory ratio and high core density target compute-intensive simulation workloads requiring rapid time-to-results, including crash simulations and high-resolution weather modeling within tight operational windows. The customizable core count feature allows right-sizing based on specific HPC workload requirements without paying for unused capacity.

39:20 Ryan – “I’m sure they use a subcontractor for actual maintenance, things. But I’m sure that you have to give them access and manage them just like you would any other remote hands for your data center.”

39:37 MSK simplifies Kafka topic management with new APIs and console integration

• Amazon MSK now provides native AWS APIs for Kafka topic management, eliminating the need to set up and maintain separate Kafka admin clients. The three new APIs (CreateTopic, UpdateTopic, and DeleteTopic) work alongside existing ListTopics and DescribeTopic APIs through AWS CLI, SDKs, and CloudFormation, letting teams manage topics using standard AWS tooling and IAM permissions.
• The MSK console now consolidates all topic operations in one interface with guided defaults for creating and updating topics. Users can configure properties like replication factor, partition count, retention policies, and cleanup settings while viewing comprehensive partition-level metrics and configuration details directly in the console.
• These capabilities are available at no additional cost for MSK provisioned clusters running Kafka version 3.6 and above across all regions where MSK is offered. Organizations need to configure appropriate IAM permissions to use the new APIs, with setup instructions available in the MSK Developer Guide.
• The update addresses a common operational pain point where teams previously had to maintain separate Kafka admin tooling outside the AWS ecosystem. This integration brings Kafka topic management into standard AWS workflows, improving consistency with existing infrastructure-as-code practices and centralized access control through IAM.

40:47 Ryan – “I suspect this has more to do with Kafka than AWS because Kafka is notoriously hard to administer, so in a lot of cases there’s just not the ability…so I’m really happy to see this.”

42:40 Amazon Bedrock adds support for six fully-managed open weights models

• Amazon Bedrock now supports six new open weights models, including DeepSeek V3.2, MiniMax M2.1, GLM 4.7, GLM 4.7 Flash, Kimi K2.5, and Qwen3 Coder Next, providing frontier-class performance at lower inference costs than proprietary alternatives. 
• These models cover different enterprise needs from advanced reasoning and agentic tasks to autonomous coding with large output windows and lightweight production deployments.
• The models run on Project Mantle, a new distributed inference engine that accelerates model onboarding to Bedrock while providing serverless inference with quality of service controls and automated capacity management. Project Mantle includes native OpenAI API compatibility, allowing customers to switch from OpenAI endpoints without code changes.
• The addition of these open weights models gives AWS customers more flexibility in model selection based on specific workload requirements and cost constraints. 
• DeepSeek V3.2 and Kimi K2.5 handle complex reasoning tasks, while GLM 4.7 and MiniMax 2.1 support coding workflows with extended context windows, and Qwen3 Coder Next and GLM 4.7 Flash offer cost-efficient options for high-volume production use.
• Project Mantle’s unified capacity pools and higher default quotas address common scaling challenges customers face when deploying large language models. 
• The serverless architecture eliminates infrastructure management overhead, while the automated capacity management helps prevent quota limitations during peak usage periods.

44:05 Matt – “I like how they made it all compatible with OpenAI. It’s kind of like S3 compatibility; I feel like we’re slowly kind of coming to a standard, which means you can go play with it and see which model makes sense.”

46:02 Amazon EKS Auto Mode Announces Enhanced Logging for its Managed Kubernetes Capabilities

• EKS Auto Mode now integrates with CloudWatch Vended Logs to automatically collect logs from its managed Kubernetes capabilities, including compute autoscaling, block storage, load balancing, and pod networking. 
• This gives customers centralized visibility into Auto Mode’s infrastructure management operations without manual configuration.
• The integration uses CloudWatch Vended Logs, which provides lower pricing than standard CloudWatch Logs while maintaining built-in AWS authentication and authorization. 
• Customers can route logs to CloudWatch Logs, S3, or Kinesis Data Firehose, depending on their retention and analysis requirements, with standard destination charges applying.
• Each Auto Mode capability can be configured independently as a log delivery source through CloudWatch APIs or the AWS Console. 
• This granular control allows teams to monitor specific components like the Karpenter-based autoscaler or VPC CNI networking without collecting unnecessary log data.
• The feature addresses a common operational challenge where Auto Mode’s automated infrastructure management previously operated as a black box. DevOps teams can now troubleshoot issues like pod scheduling failures, storage provisioning problems, or load balancer configuration errors by examining the actual logs from Auto Mode’s control plane operations.
• Available immediately in all regions where EKS Auto Mode operates, this logging capability helps bridge the observability gap between customer workloads and AWS-managed Kubernetes infrastructure components.

47:05 Justin – “All I have to say is, some lovely CloudWatch PM just made their bonus this year by turning this one, as this is a lot of logging context that you now need to parse and pay for.” 

49:26 AWS CloudWatch Alarm Mute Rules eliminate alert fatigue

• CloudWatch Alarm Mute Rules let you temporarily silence alarm notifications during planned maintenance windows, deployments, or off-hours without disabling the underlying monitoring. 
• The feature supports up to 100 alarms per rule with one-time or recurring schedules, and automatically triggers any suppressed actions once the mute period ends if the alarm state persists.
• This addresses a common operational pain point where teams either ignore alerts during maintenance windows or use risky script-based workarounds that can be forgotten and leave monitoring disabled. 
• The native integration eliminates the need for custom automation to manage notification states during planned activities.
• The feature is available today across all AWS regions that support CloudWatch alarms at no additional cost beyond standard CloudWatch pricing. 
• Configuration is done through the CloudWatch console or API, with support for all alarm states, including OK, ALARM, and INSUFFICIENT_DATA.
• Primary use cases include silencing non-critical alerts during scheduled deployments, muting development environment alarms outside business hours, and suppressing known issues during maintenance windows. 
• This helps reduce alert fatigue while maintaining full visibility into system state and metrics collection.
• The automatic re-triggering of muted actions ensures teams don’t miss persistent issues that started during a mute window, providing a safety mechanism that manual notification management typically lacks.

50:49 Ryan – “This is much nicer. Basically, set it for ignore for an hour and then have it kick back in. Glad to see this, but strange that it took this long.” 

52:48 Amazon EC2 supports nested virtualization on virtual Amazon EC2 instances

• AWS now supports nested virtualization on standard EC2 instances, not just bare metal, allowing customers to run KVM or Hyper-V hypervisors inside virtual machines. This expands flexibility for development and testing scenarios that previously required more expensive bare metal instances.
• The feature launches on the latest generation C8i, M8i, and R8i instance families across all commercial AWS regions. 
• Customers can now run mobile app emulators, automotive hardware simulators, and Windows Subsystem for Linux on Windows workstations directly on virtual instances.
• This capability addresses a long-standing limitation where nested virtualization required bare metal instances, which carry higher costs and longer provisioning times compared to standard virtual instances. 
• The change makes nested environments more accessible for development teams and testing workflows.
• Common use cases include software vendors who need to test their products across multiple operating systems, automotive companies simulating vehicle hardware environments, and mobile developers running Android or iOS emulators at scale. 
• These workloads can now run on more cost-effective instance types with faster deployment.
• The feature requires enabling hardware virtualization extensions in the instance configuration, with full documentation available in the EC2 user guide. Pricing follows standard EC2 rates for the C8i, M8i, and R8i instance families without additional charges for the nested virtualization capability itself.

54:13 Ryan – “These kinds of announcements are usually preceded or quickly followed with Nitro…and it’s neat. It’s neat how they isolate the hardware layer to match these workloads.” 

54:50 Announcing Amazon SageMaker Inference for custom Amazon Nova models

• AWS now lets customers deploy custom-trained Amazon Nova models on SageMaker Inference with production-grade controls over instance types, auto-scaling, context length, and concurrency settings. 
• This addresses customer requests for the same deployment flexibility they get with open-weight models, enabling full-rank customized Nova Micro, Nova Lite, and Nova 2 Lite models trained via SageMaker Training Jobs or HyperPod.
• The service reduces inference costs by supporting more cost-effective EC2 G5 and G6 instances instead of requiring P5 instances, with auto-scaling based on 5-minute usage patterns and configurable inference parameters. 
• Customers pay only for compute instances used with per-hour billing and no minimum commitments, following standard SageMaker pricing.
• Deployment works through SageMaker Studio UI or SDK, supporting both real-time streaming and asynchronous batch inference modes. The service includes advanced configuration options for context length up to 8000 tokens, max concurrency settings, and inference parameters like temperature and top-p for optimizing latency-cost-accuracy tradeoffs.
• Currently available in US East N. Virginia and the US West Oregon regions, with support for Nova models with reasoning capabilities. 
• Instance type requirements vary by model size, with Nova Micro supporting g5.12xlarge and up, Nova Lite requiring g5.48xlarge minimum, and Nova 2 Lite needing p5.48xlarge instances.

56:47 Ryan – “It’s not an open-source model, and so it is kind of crazy that Nova offers that customization.” 

GCP

57:25  Gemini 3 Deep Think: AI model update designed for science

• Google has released a major update to Gemini 3 Deep Think, a specialized reasoning mode designed for complex scientific and engineering problems where data is messy or incomplete, and solutions aren’t straightforward. 
• The model achieved notable benchmark results, including 48.4% on Humanity’s Last Exam, 84.6% on ARC-AGI-2, and gold medal performance on the 2025 International Math, Physics, and Chemistry Olympiads.
• Early adopters are using Deep Think for practical applications like identifying logical flaws in peer-reviewed mathematics papers, optimizing semiconductor crystal growth fabrication methods, and converting sketches into 3D-printable files with generated code. 
• The model combines deep scientific knowledge with engineering utility to move beyond theoretical work into applied research.
• The updated Deep Think is available now to Google AI Ultra subscribers through the Gemini app, with pricing following the existing Ultra subscription model. 
• For the first time, Google is offering API access through an early access program for select researchers, engineers, and enterprises who can apply through a Google form.
• The release targets scientific research institutions and engineering teams working on complex problems in physics, chemistry, materials science, and advanced mathematics, where traditional AI models struggle with ambiguous requirements. 
• Deep Think’s ability to work with incomplete data and generate executable code for physical modeling makes it particularly relevant for R&D workflows.

1:00:19 New global queries in BigQuery span data from multiple regions

• BigQuery global queries now allow users to run a single SQL statement across datasets stored in multiple geographic regions without requiring ETL pipelines or data replication. 
• The feature automatically handles cross-region data movement in the background while respecting existing security controls like VPC Service Controls and requiring explicit opt-in at both the project and user level.
• The primary use case targets multinational organizations that need to analyze distributed data for compliance or performance reasons, such as joining US customer data with European transaction logs and Asian operational data in one query. 
• EssilorLuxottica is using this to perform cross-region aggregated analysis while maintaining data residency requirements for security and compliance. (DOES IT THOUGH?) 
• Users maintain control over where queries execute and can specify the processing location to meet data residency requirements, though cross-region data transfers will incur additional egress costs that organizations need to factor into their analytics budgets. 
• The feature is currently in preview with documentation available here.
• This addresses a longstanding limitation in cloud data warehousing, where geographic data distribution required complex engineering solutions, now replaced by standard SQL queries that any authorized analyst can run directly from the BigQuery console. The feature respects governance controls by default and prevents accidental data movement through required permissions and explicit enablement.

1:01:36 Matt – “I feel l ike it is compliant… if you’re running local and you’re not collecting anything that could be confidential. So it depends on how your lawyer at your company interprets it.” 

Azure

1:03:47 Agentic cloud operations and Azure Copilot for AI‑driven workloads

• Microsoft introduces agentic cloud operations through Azure Copilot, which uses AI agents to automate and coordinate cloud management tasks across the full infrastructure lifecycle. Instead of adding another dashboard, Azure Copilot provides a unified interface accessible through natural language, chat, console, or CLI that connects directly to a customer’s actual Azure environment, including subscriptions, resources, and policies.
• Azure Copilot includes six specialized agents that handle migration discovery and dependency mapping, deployment with infrastructure-as-code generation, continuous observability across the full stack, cost and performance optimization with carbon impact analysis, resiliency management including ransomware protection, and troubleshooting with root cause diagnosis. 
• These agents work as a connected system rather than isolated tools, correlating signals and taking action within existing RBAC and policy controls.
• The service maintains governance through built-in oversight features, including Bring Your Own Storage for conversation history, which keeps operational data within the customer’s Azure environment for compliance and sovereignty requirements. 
• All agent-initiated actions are reviewable, traceable, and auditable while respecting existing security policies and role-based access controls.
• Target customers are organizations running modern applications and AI workloads at scale, where traditional manual operations cannot keep pace with rapid deployment cycles and infrastructure changes. 
• The approach addresses environments where workloads move from experimentation to production in weeks and where telemetry streams continuously from every layer of the stack.
• Pricing details were not disclosed in the announcement, though the service builds on existing Azure Copilot capabilities introduced at Microsoft Ignite. Organizations can access resources and get started at azure.microsoft.com/products/copilot.

1:05:39 Matt – “Also, a developer actually understanding what they want and telling you what they want and actually being useful? I would love to see too, because how many times have we built something, deployed it, day before the release – we actually need these 16 other things that we didn’t tell you about that we manually did in our dev environment, which is why it’s working… and the release is tomorrow. Good luck. Why is it not done yet?”

1:06:18 General Availability: Instant access support for incremental snapshots of Azure Premium SSD v2 and Ultra Disk

• Azure now offers instant access to incremental snapshots for Premium SSD v2 and Ultra Disk storage, eliminating the previous wait time when restoring disks from snapshots. 
• This addresses a significant operational pain point for customers running high-performance workloads that require rapid disaster recovery or quick environment provisioning.
• The feature specifically targets enterprise customers using Azure’s highest-tier storage options, Premium SSD v2 and Ultra Disk, which are typically deployed for mission-critical databases, SAP HANA, and other latency-sensitive applications. 
• Previously, customers had to wait for snapshot data to fully hydrate before using restored disks, creating delays in recovery scenarios.
• Incremental snapshots only capture changes since the last snapshot, reducing storage costs and backup windows compared to full snapshots. 
• With instant access now available, customers can immediately mount and use restored disks while background hydration completes, improving recovery time objectives for business continuity planning.
• This capability brings Premium SSD v2 and Ultra Disk snapshot functionality closer to parity with standard Azure managed disk snapshots. 
• The feature is now generally available across Azure regions where Premium SSD v2 and Ultra Disk are supported, though specific pricing for snapshot storage follows existing Azure snapshot pricing models based on stored data volume.

1:06:25 Justin – “Welcome to what Amazon and Google have been doing for quite a while, so thanks, Azure! 

Emerging Clouds 

1:08:16 Introducing the Crusoe Cloud MCP server

• Crusoe Cloud released an MCP server that connects AI coding assistants like Claude Code and Cursor directly to cloud infrastructure, but unlike typical API wrappers, it returns filtered responses designed specifically for LLM consumption to avoid flooding context windows with unnecessary data. 
• The server includes composite tools like get_resource_relationships that map entire infrastructure topologies in a single call by fetching 11 resource types in parallel and resolving cross-references, something that doesn’t exist in their CLI or any single API endpoint.
• The cluster_health_check tool provides pre-analyzed node-level health metrics organized by InfiniBand pod placement, returning structured summaries with problem nodes flagged rather than raw metric time series that would require additional processing. 
• This approach addresses a key limitation of AI agents working with cloud infrastructure: most MCP implementations just wrap CLI commands and return the same JSON a human would see, forcing the AI to parse through irrelevant metadata and empty fields.
• The implementation reflects a broader trend of cloud providers releasing MCP servers, but Crusoe’s focus on response filtering and burst-heavy access patterns specific to AI agents suggests infrastructure management tools are being redesigned around LLM capabilities rather than human interaction patterns. For developers already using AI coding assistants, this enables natural language infrastructure queries and troubleshooting without manual scripting or console navigation.

1:10:16 Ryan – “This is gonna be chaos.” 

1:10:21 Introducing Markdown for Agents

• Cloudflare now automatically converts HTML to markdown for AI agents using content negotiation headers, reducing token usage by up to 80 percent. 
• When agents request pages with Accept: text/markdown, Cloudflare’s network performs real-time conversion at the edge, eliminating the need for downstream processing and reducing costs for AI systems.
• The feature addresses a fundamental inefficiency where AI agents waste tokens parsing HTML markup, navigation elements, and styling that have no semantic value. 
• A simple heading that costs 3 tokens in markdown can consume 12-15 tokens in HTML, and this blog post example shows 16,180 tokens in HTML versus 3,150 in markdown.
• Cloudflare includes an x-markdown-tokens header with converted responses to help developers calculate context window sizes and chunking strategies. The service also automatically adds Content-Signal headers indicating the content can be used for AI training, search results, and agentic use, integrating with their Content Signals framework from Birthday Week.
• The feature is available in beta at no cost for Pro, Business, and Enterprise plans, with Cloudflare already enabling it on their own blog and developer documentation. 
• Popular coding agents like Claude Code and OpenCode already send the appropriate accept headers, positioning this as infrastructure for the shift from traditional SEO to AI-driven content discovery.
• Cloudflare Radar now tracks content type distribution for AI bot traffic, allowing analysis of how different agents consume web content over time. This data is accessible through public APIs and shows early adoption patterns like OAI-Searchbot requesting markdown content.

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• ChatGPT Goes Full Mad Men: Your AI Assistant Now Comes With Commercial Breaks
• Heroku’s New Feature: No New Features
• AWS Gives EC2 Instances a Storage Growth Spurt: 22.8TB of Local NVMe Now Available
• Identity Crisis Averted: IAM Identity Center Learns to Replicate Itself
• JSON Schema Enforcement: Because Your LLM Needs Structure in Its Life
• From Zero to Admin in 480 Seconds: A Serbian Speedrun Story
• From Proof of Concept to Proof of Claw: DigitalOcean Tames AI Agent Infrastructure
• Azure’s Growth Hits the Clouds: Microsoft’s 39% Increase Still Not Enough for Wall Street
• One Lake to Rule Them All: Microsoft and Snowflake Finally Stop Fighting Over Your Data
• Free Lunch Officially Over: ChatGPT Learns That Servers Cost Money
• Claude Won’t Sell You Anything (Except Maybe Peace of Mind)
• IAM Identity Center Goes Multi-Regional: Because One Region to Rule Them All Wasn’t Enough
• Databricks Takes the Base Out of Database with Lakebase GA
• I’m a Chrome Tab hoarder

General News 

01:30 Superbowl Ads of Note

• OpenAI: https://www.youtube.com/watch?v=aCN9iCXNJqQ
• Microsoft CoPilot: https://www.youtube.com/watch?v=Ndj9Jk-tGKo
• Base44?: https://www.youtube.com/watch?v=iKEUWtqvsis 
• Gemini: https://www.youtube.com/watch?v=Z1yGy9fELtE
• Anthropic: https://www.youtube.com/watch?v=gmnjDLwZckA 
• ai.com: https://www.youtube.com/watch?v=n7I-D4YXbzg&t=3s

16:35 Justin -If you ever want to knowif there’s a bubble, spending dumb money on the Super Bowl on an ad that makes no sense is probably your number one clue.” 

16:53 It’s Earnings Time!

Microsoft (MSFT) Q2 earnings report 2026

• Microsoft Q2 2026 earnings show Azure cloud growth slowing to 39% from 40% in the prior quarter, missing analyst expectations of 39.4% and causing shares to drop 7% in after-hours trading. 
• The company’s gross margin hit a three-year low at 68% due to substantial AI infrastructure investments totaling $37.5 billion in capital expenditures, up 66% year over year.
• OpenAI now represents 45% of Microsoft’s $625 billion remaining commercial performance obligation after the company committed to a $250 billion cloud services deal during the quarter. 
• This concentration raises questions about revenue dependence on a single customer, though Microsoft maintains that the remaining backlog is still larger and more diversified than most competitors, with 28% growth.
• Microsoft 365 Copilot adoption reached 15 million seats out of 450 million total paid commercial seats, representing only 3.3% penetration. 
• The company plans to raise prices on commercial Office subscriptions in July to help offset AI infrastructure costs and improve margins, while Q3 guidance projects Azure growth of 37-38% at constant currency.
• The More Personal Computing segment declined 3%, with gaming revenue down 9.5% due to an unspecified impairment charge, reflecting ongoing challenges in the Xbox division. 
• Microsoft added nearly one gigawatt of data center capacity in the quarter alone, but continues to face supply constraints that cannot keep pace with customer demand for AI services. 

20:27 Alphabet (GOOGL) Q4 2025 earnings

• Alphabet plans to spend between $175 billion and $185 billion on capital expenditures in 2026, more than double its 2025 spending, primarily targeting AI compute capacity for DeepMind and meeting cloud customer demand. 
• This represents one of the largest infrastructure investments in tech history and signals the scale of resources required to compete in enterprise AI.
• Google Cloud revenue grew 48% year-over-year to $17.66 billion and beat analyst expectations, with backlog reaching $240 billion after increasing 55% sequentially. 
• The cloud division’s performance demonstrates strong enterprise adoption of Google’s AI services and positions it as a more competitive alternative to AWS and Azure.
• Gemini AI now has 750 million monthly active users, up from 650 million last quarter, while Google reduced Gemini serving costs by 78% throughout 2025 through model optimizations and efficiency improvements. 
  • This cost reduction is critical for maintaining profitability as AI services scale to hundreds of millions of users.
• YouTube advertising revenue of $11.38 billion missed analyst expectations of $11.84 billion, which Alphabet attributed to difficult year-over-year comparisons against strong US election spending in Q4 2024. 
  • This shortfall highlights how political advertising cycles create volatility in digital ad revenue forecasting.
• Waymo recorded a $2.1 billion stock-based compensation charge following its $16 billion valuation fundraising round, contributing to Other Bets losses exceeding $3.6 billion despite serving 15 million autonomous rides across six US markets. 
  • The charge reflects the high cost of retaining talent in competitive autonomous vehicle development.

22:05 Justin – “Gemini adoption must be ramping up much faster than I realized, because the fact that Microsoft was missing on earnings, and they’re the OpenAI provider for the most part… makes me question how well OpenAI is actually doing.”   

22:50 AWS Q4 earnings report 2025

• AWS Q4 2025 revenue reached $35.58 billion with 24% year-over-year growth, maintaining its market leadership position, while operating margins improved to 35%. 
• The cloud unit now represents 17% of Amazon’s total revenue but generates the majority of the company’s profits at $12.47 billion in operating income.
• Amazon plans to invest $200 billion in capital expenditures for 2026, primarily for AWS infrastructure, which significantly exceeds analyst expectations of $148.86 billion. 
• The company added 4 gigawatts of computing capacity in 2025 and plans to double that by the end of 2027, with most investment directed toward AI workloads rather than traditional cloud services.
• AWS growth rate of 24% trails competitors Google Cloud at 48% and Azure at 39%, suggesting potential market share shifts in AI-driven cloud services. Both competitors are reporting stronger growth attributed to artificial intelligence workloads, which may indicate AWS is losing ground in the AI infrastructure race despite its overall market leadership.
• The company secured a $38 billion spending commitment from OpenAI and launched Nova Forge for advanced AI model customization at $100,000 annually. 
• These moves demonstrate AWS’s strategy to compete in the generative AI training market, though the pricing and approach differ from competitors’ offerings.
• Capital expenditure guidance reveals that non-AI workloads are growing faster than anticipated, requiring additional infrastructure investment beyond AI capacity. 
• This indicates traditional cloud computing demand remains strong and may be underestimated in current market analysis focused primarily on AI growth.

25:11 Capex Growth By Quarter 

24:14 Justin – “They also took a major write-off on Amazon Fresh, because they’re shutting that down as well. So just bad, bad all the way around for Amazon.”  

29:23 An Update on Heroku

• Heroku is moving to a sustaining engineering model, meaning no new features will be developed while the platform continues to receive security patches, stability updates, and operational support. 
• This represents a shift from active development to maintenance mode for the 15-year-old platform-as-a-service.
• Existing customers can continue using Heroku with no changes to pricing, billing, or service levels, and all core functionality, including applications, pipelines, teams, and add-ons, remains fully operational. 
• Credit card-based accounts remain available for both current and new customers through the dashboard.
• Salesforce is ending new Enterprise Account contracts while honoring existing enterprise subscriptions and support agreements through their renewal periods. This signals a strategic pivot away from enterprise sales expansion while maintaining commitments to current large customers.
• The parent company is redirecting engineering resources toward enterprise AI capabilities rather than continuing platform-as-a-service innovation. This follows a pattern of Salesforce deprioritizing Heroku since the acquisition, including the 2022 elimination of free tiers and reduced feature velocity in recent years.
• Developers relying on Heroku for production workloads should evaluate long-term platform viability given the maintenance-only status, though no immediate migration is required. 
• The announcement provides clarity for capacity planning but raises questions about the platform’s competitiveness as cloud-native alternatives continue advancing.

31:32 Matt – “It’s a great platform as a service, and I’m sad to see it go, because there’s a lot of companies I’ve worked with in the past that have started there because it was just so easy. The problem for them, at least back in the day, was scaling and supporting and having a lot of other features, which meant I helped a lot of customers move from Heroku to AWS to gain other aspects of the platform that they needed. So it doesn’t really surprise me, but it was a good starting point for a lot of companies.”  

35:58 AI-assisted cloud intrusion achieves admin access in 8 minutes | Sysdig

• An attacker achieved full AWS administrative access in just 8 minutes by exploiting credentials found in public S3 buckets, then used Lambda code injection to escalate privileges. 
• The attack shows strong evidence of LLM assistance, including Serbian-language code comments, hallucinated AWS account IDs, and references to non-existent GitHub repositories.
• The threat actor compromised 19 different AWS principals through role chaining and cross-account access attempts, making detection difficult by distributing operations across multiple identities. They specifically targeted AI infrastructure by invoking 9 different Bedrock models and attempting to launch expensive GPU instances (p5.48xlarge and p4d.24xlarge) for potential model training or compute resale.
• The attack demonstrates how AI tools are accelerating offensive operations, with the attacker completing reconnaissance, privilege escalation, and resource abuse in under two hours. 
• Organizations should implement least-privilege IAM policies, restrict Lambda UpdateFunctionCode permissions, and enable Bedrock model invocation logging to detect similar attacks.
• Critical security gaps included overly permissive Lambda execution roles with administrative access and the ReadOnlyAccess policy on the compromised user, which enabled extensive reconnaissance across all AWS services. 
• The attacker also attempted to deploy a Terraform-based backdoor that would create a publicly accessible Lambda function for generating persistent Bedrock credentials.
• The use of IP rotation, role chaining, and distributed operations across multiple principals shows sophisticated evasion techniques. 
• Detection requires behavioral analytics that can identify patterns like rapid enumeration across services, unusual Bedrock model invocations, and Lambda code modifications rather than relying on single-event alerts.

34:24 Ryan – “These are the types of examples I use when trying to talk to people about least privileged development and how, even in your lower environments where you think you’re safe, and you’re trying to develop things it’s really not okay to start not using least privileged access because there’s very creative ways in which you can do privilege escalation – this lambda attack is a very good example. And now it’s going to be so easy because AI will just do it for you, and this really demonstrates it.”

AI Is Going Great – Or How ML Makes Money 

37:09 Claude is a space to think | Anthropic \ Anthropic

• Anthropic commits to keeping Claude ad-free, stating that advertising would be incompatible with Claude’s role as a trusted assistant for work and deep thinking. 
• The company will continue its subscription and enterprise-based revenue model rather than introducing sponsored content or product placements in conversations.
• Analysis of Claude conversations shows a substantial portion involves sensitive personal topics or complex technical work where ads would be inappropriate. Anthropic argues that AI conversations differ from search or social media because users share more context, and the open-ended format makes them more susceptible to commercial influence.
• The company identifies specific risks with ad-supported AI models, including unpredictable behavior changes when advertising incentives are introduced. For example, a user asking about sleep problems might receive recommendations influenced by commercial motives rather than purely helpful advice, making it difficult to distinguish genuine assistance from monetization attempts.
• Anthropic will support commerce through user-initiated interactions like agentic commerce, where Claude handles purchases on behalf of users, and third-party tool integrations with services like Figma and Asana. 
• The key distinction is that these features are triggered by user requests rather than advertiser interests.
• The decision has clear tradeoffs for business model scalability compared to ad-supported competitors. 
• Anthropic is addressing access through educational partnerships in 60+ countries, nonprofit discounts, and maintaining frontier-level intelligence in free tiers rather than monetizing user attention.

37:22 Claude Opus 4.6 \ Anthropic

• Claude Opus 4.6 is now generally available with a 1M token context window in beta, marking the first time an Opus-class model has offered this extended context capability. 
• The model maintains $5/$25 per million token pricing, with premium pricing of $10/$37.50 for prompts exceeding 200k tokens.
• The model introduces adaptive thinking and four effort levels (low, medium, high, max) that let developers control how deeply Claude reasons through problems, balancing intelligence against speed and cost. Context compaction automatically summarizes older conversation history when approaching limits, enabling longer-running agentic tasks without hitting context windows.
• Opus 4.6 achieves state-of-the-art performance on Terminal-Bench 2.0 for agentic coding and outperforms GPT-5.2 by 144 Elo points on GDPval-AA, an evaluation of economically valuable knowledge work tasks. 
• On the 8-needle 1M variant of MRCR v2, it scores 76% compared to Sonnet 4.5’s 18.5%, demonstrating substantially improved long-context retrieval without degradation.
• New product features include agent teams in Claude Code that work in parallel and coordinate autonomously, plus Claude in PowerPoint (research preview) and upgraded Claude in Excel for handling multi-step data processing and presentation tasks. The model also supports 128k output tokens and US-only inference at 1.1x pricing for compliance-sensitive workloads.
• Safety evaluations show Opus 4.6 maintains alignment comparable to its predecessor while exhibiting the lowest over-refusal rate of any recent Claude model. 
• Anthropic developed six new cybersecurity probes to monitor potential misuse given the model’s enhanced security capabilities, and is using the model to find and patch vulnerabilities in open-source software.

34:24 Ryan – “One of the things that I’m constantly dabbling with is the context windows, and so I’m not so sure the context compaction works the way it’s advertised, because every time I go through a process like that, you lose so much.” 

43:18 Introducing OpenAI Frontier | OpenAI

• OpenAI launches Frontier, an enterprise platform for building, deploying, and managing AI agents across existing infrastructure without requiring replatforming. 
• The platform provides agents with shared business context by connecting siloed data warehouses, CRM systems, and internal applications, plus includes identity management, permissions, and governance controls for regulated environments.
• Frontier includes an agent execution environment where AI coworkers can reason over data, work with files, run code, and use tools while building memory from past interactions to improve performance. 
• The platform works across local environments, enterprise cloud infrastructure, and OpenAI-hosted runtimes, with built-in evaluation and optimization capabilities to help agents learn what good performance looks like over time.
• OpenAI pairs Forward Deployed Engineers with customer teams to help develop best practices for production agent deployments, creating a feedback loop between business problems, deployment, and OpenAI Research. Early adopters include HP, Intuit, Oracle, State Farm, Thermo Fisher, and Uber, with existing customers like BBVA, Cisco, and T-Mobile piloting the platform.
• The platform uses open standards to integrate with existing systems and applications, allowing third-party agent apps to access shared business context without lengthy custom integrations. OpenAI is working with Frontier Partners including Abridge, Clay, Ambience, Decagon, Harvey, and Sierra, to design and support enterprise AI solutions on the platform.
• Frontier is currently available to a limited set of customers with broader availability planned over the next few months. 
• OpenAI cites customer results, including a manufacturer reducing production optimization from six weeks to one day and a hardware company cutting test failure debugging from four hours to minutes.

44:35 Ryan – “I think they’re extremely late to the market with this. AWS was too early, and they botched it. Gemini seems to be in the sweet spot, and OpenAI – it’s still not ready yet.

46:28 Introducing GPT-5.3-Codex | OpenAI

• OpenAI released GPT-5.3-Codex, their most capable agentic coding model that combines the frontier coding performance of GPT-5.2-Codex with the reasoning capabilities of GPT-5.2, while running 25% faster. 
• The model achieves state-of-the-art results on SWE-Bench Pro and Terminal-Bench 2.0 benchmarks, using fewer tokens than previous models, and can autonomously iterate on complex projects over millions of tokens spanning days.
• GPT-5.3-Codex represents the first self-improving model at OpenAI, where the Codex team used early versions to debug its own training, manage deployment, and diagnose test results. 
• Internal teams report their work has fundamentally changed in the past two months, with researchers using Codex to monitor training runs, engineers using it to optimize harnesses and scale GPU clusters, and data scientists building custom pipelines and visualizations in under three minutes.
• The model extends beyond code generation to full computer operation, showing strong performance on OSWorld (visual desktop environment tasks) and matching GPT-5.2 on GDPval, which measures knowledge work across 44 occupations, including presentations, spreadsheets, and other professional deliverables. 
• The Codex app now provides real-time updates and interactive steering, allowing users to direct and supervise multiple agents working in parallel.
• OpenAI classifies GPT-5.3-Codex as having high capability for cybersecurity under their Preparedness Framework, marking the first model directly trained to identify software vulnerabilities. 
• They are deploying Trusted Access for Cyber, expanding the Aardvark security research agent beta, and committing 10 million dollars in API credits through their Cybersecurity Grant Program for open source and critical infrastructure defense.
• GPT-5.3-Codex is available now with paid ChatGPT plans across the Codex app, CLI, IDE extension, and web, with API access coming soon. 
• The model was co-designed for and trained on NVIDIA GB200 NVL72 systems, with infrastructure improvements delivering the 25% speed increase for all Codex users.

47:48 Ryan – “I’m surprised this is the first self-improving model.” 

48:43 Testing ads in ChatGPT | OpenAI

• OpenAI is launching ads in ChatGPT for free and Go tier users in the US, while Plus, Pro, Business, Enterprise, and Education subscribers remain ad-free. Users can opt out of ads on the free tier in exchange for reduced daily message limits.
• Ads are contextually matched to conversation topics and chat history but do not influence ChatGPT responses, which remain independent. Advertisers receive only aggregate performance metrics like views and clicks, with no access to individual chats, memories, or personal details.
• The ad program excludes users under 18 and blocks ads near sensitive topics, including health, mental health, and politics. Users can dismiss ads, provide feedback, delete ad data with one tap, and manage personalization settings at any time.
• OpenAI positions this as infrastructure funding to maintain free tier performance and quality while supporting development of more powerful features. 
• The company plans to expand ad formats, objectives, and buying models over time based on test results and user feedback.

49:45 Announcing Claude Opus 4.6 on Snowflake Cortex AI

• Snowflake Cortex AI now offers Claude Opus 4.6, Anthropic’s most capable model, providing enhanced reasoning and complex task handling directly within Snowflake’s data platform. 
• This integration allows enterprises to process sensitive data without moving it outside their Snowflake environment, maintaining data governance and security controls.
• Claude Opus 4.6 delivers improved performance on coding tasks, mathematical reasoning, and multilingual capabilities compared to previous versions. The model excels at nuanced instructions and can handle sophisticated analysis workflows while operating on structured and unstructured data within Snowflake.
• Cortex AI’s serverless architecture means customers pay only for actual model usage without managing infrastructure or dealing with capacity planning. 
• The integration supports both SQL and Python interfaces, enabling data teams to build AI applications using familiar tools and existing Snowflake data pipelines.
• Organizations can now combine Claude Opus 4.6 with Snowflake’s data clean rooms and governance features for compliant AI deployments in regulated industries. 
• This addresses enterprise concerns about data residency and privacy while enabling advanced AI capabilities on proprietary datasets.

49:57 Justin – “And just because we’re already 50 minutes into this, I will tell you we’re also getting Claude Opus 4.6 on multiple other providers, including Bedrock, Kiro, Vertex AI, and we’re getting it on Azure, in the Moicrosift Foundry App, as well as some of the smaller cloud providers, like DataBricks and DigitalOcean.” 

50:45 Agent Bricks Supervisor Agent is Now GA: Orchestrate Enterprise Agents | Databricks Blog

• Databricks Agent Bricks Supervisor Agent is now Generally Available, providing a managed orchestration layer that coordinates multiple specialized agents through Unity Catalog governance. 
• The supervisor uses dynamic routing to analyze user intent and delegate tasks between Genie Spaces for structured data queries, Knowledge Assistant agents for unstructured data, and MCP servers for tool execution.
• The platform implements On-Behalf-Of authentication where the supervisor acts as a transparent proxy, validating every data fetch and tool execution against the end user’s existing Unity Catalog permissions. 
• This eliminates the common security gap where agents access data through broad service accounts that users themselves aren’t authorized to see.
• Agent Learning on Human Feedback is built directly into the Supervisor Agent, allowing teams to add questions and guidelines that improve routing decisions and response quality over time. 
• Franklin Templeton reports reducing fund analysis tasks from days to seconds while maintaining compliance, and Zapier uses ALHF to refine orchestration between different Genie spaces without hard-coding routing logic.
• The system addresses enterprise agent sprawl, where teams toggle between dozens of specialized bots and duplicate work by creating agents that already exist. 
• Supervisor Agent provides a single entry point that reasons about intent and coordinates specialized agents while maintaining full MLflow experiment tracking for measurable performance monitoring.

51:40 Ryan – “It just goes to show you, depending on who your provider is, this is the type of platform you’re going to need, right? So if you already are using a whole bunch of AI execution on Snowflake, or if you’re only using it on OpenAI’s platform, you’re just going to need to sign on to the platform that’s already there.”

Cloud Tools

52:09 Introducing HashiCorp Agent Skills

• HashiCorp launches Agent Skills, an open-standard repository that packages domain expertise into portable instructions for AI assistants working with Terraform and Packer. 
• These skills provide AI tools like Claude with specialized HashiCorp product knowledge, schema definitions, and best practices to reduce hallucinations and ensure code follows proper conventions.
• The initial skills pack addresses common DevOps challenges, including building and maintaining Terraform providers, generating style-compliant Terraform code, refactoring monolithic configurations into modules, and creating machine images with Packer across AWS, Azure, and Windows. 
• HashiCorp partnered with Tessl to evaluate skill effectiveness using review and task-based evaluations against Anthropic’s best practices.
• Agent Skills differ from Model Context Protocol (MCP) as complementary technologies – MCP is the data pipe connecting information to AI, while Agent Skills are the knowledge textbooks. Installation takes seconds using npx, Tessl CLI, or Claude Code’s plugin marketplace with simple one-line commands.
• The skills solve a fundamental problem where AI assistants lack a specific technical context for complex infrastructure tasks, particularly around HashiCorp’s plugin framework architectures and coding conventions. 
• This prevents AI from suggesting outdated practices or generating code that doesn’t follow established patterns from official documentation.
• HashiCorp plans to expand beyond Terraform and Packer to cover additional products and welcomes community contributions through its GitHub repository. 
• The open-standard format means these skills are portable and reusable across different AI assistants that support the Agent Skills specification.

53:17 Justin – “I love this, because how many times I pointed Claude or others to the documentation, and said ‘I’m pretty sure you’re wrong, this is how it’s supposed to be done, here’s the doc.’ And it comes back and goes, you’re right, Justin, because you’re a genius. That’s what it always tells me.”

AWS 

56:10 Amazon EC2 C8id, M8id, and R8id instances with up to 22.8 TB local NVMe storage are generally available

• In “instances so big we don’t know what to do with them,” may we present…
• AWS launches C8id, M8id, and R8id EC2 instances with up to 22.8TB of local NVMe storage, triple the capacity of sixth-generation instances. 
• These new instances scale up to 96xlarge with 384 vCPUs and 3TiB of memory, delivering up to 43% higher compute performance and 3.3x more memory bandwidth than previous generation instances.
• The instances use custom Intel Xeon 6 processors exclusive to AWS, running at a 3.9 GHz sustained all-core turbo frequency. Performance improvements include up to 46% better I/O intensive database workload performance and 30% faster query results for real-time data analytics compared to sixth-generation instances.
• Instance Bandwidth Configuration feature allows customers to dynamically allocate resources between network and EBS bandwidth by 25%, optimizing for specific workload requirements. 
• The local NVMe storage is hardware-encrypted with XTS-AES-256 and ephemeral, meaning data is lost when instances stop or terminate.
• Currently available in US East N. Virginia, US East, Ohio, US West, Oregon, and Europe, Frankfurt regions, with additional regions planned. 
• Instances can be purchased as On-Demand, Savings Plans, Spot Instances, Dedicated Instances, or Dedicated Hosts, with pricing varying by region and purchase model.

56:47 Matt – “If it’s all core turbo, is it really turbo at that point?” 

58:45 AWS IAM Identity Center now supports multi-Region replication for AWS account access and application use

• AWS IAM Identity Center now supports multi-Region replication, allowing organizations to replicate workforce identities, permission sets, and metadata from a primary Region to additional Regions for improved resiliency and disaster recovery. 
• This means if the primary Region experiences a service disruption, users can still access AWS accounts through an active access portal endpoint in a secondary Region using their existing permissions.
• The feature requires using an organization instance of IAM Identity Center connected to an external IdP like Microsoft Entra ID or Okta, and you must first configure multi-Region customer-managed KMS keys before replicating to additional Regions. 
• The primary Region remains the central management point for all configurations, while additional Regions provide read-only console access except for application management and user session revocation.
• Organizations can now deploy AWS managed applications closer to users and datasets to meet data residency requirements or improve performance, with applications accessing replicated workforce identities locally in each Region. This addresses compliance scenarios where datasets must remain in specific Regions while still providing centralized identity management.
• The feature is available at no additional cost in 17 enabled-by-default commercial AWS Regions, with only standard AWS KMS charges applying for customer-managed keys. 
• All workforce actions are logged in CloudTrail in the Region where they occur, maintaining audit trails across multiple Regions for security and compliance monitoring.

59:32 Justin – “I recently set up IAM Identity Center for the first time, and I was surprised that it was US East 1 only, so I’m pleased to see this is now available.” 

1:00:25 Amazon ECS adds Network Load Balancer support for Linear and Canary deployments

• ECS now supports linear and canary deployment strategies natively with Network Load Balancers, bringing managed traffic shifting to TCP/UDP workloads that previously required custom solutions or third-party tools. 
• This fills a deployment gap for applications needing NLB features like static IPs, long-lived connections, and low latency.
• The feature integrates with CloudWatch alarms for automatic rollback if deployment issues are detected, providing safety guardrails for production updates. 
• Teams can shift traffic incrementally (linear) or start with a small percentage for validation (canary) before completing rollouts.
• Primary beneficiaries are latency-sensitive and connection-oriented workloads such as online gaming backends, financial transaction systems, and real-time messaging services that depend on NLB’s Layer 4 capabilities. 
• These applications can now use the same deployment patterns ALB users have had access to for years.
• Available immediately in all AWS commercial and GovCloud US regions for both new and existing ECS services. 
• Configuration is accessible through the AWS Console, CLI, and Infrastructure-as-Code tools with no additional cost beyond standard ECS and NLB pricing.
• This brings ECS deployment parity between ALB and NLB, eliminating a common pain point.

1:01:19 Ryan – “This is one of those rough edges that you hit unexpectedly. You want to use a network load balancer, typically because you have to. It’s easier to set up an application load balancer. You’re only using a network load balancer when it’s not your choice, but then you can’t deploy this app safely without lots of interruption or risk, and it’s kind of a problem.” 

1:02:12 Structured outputs now available in Amazon Bedrock

• Amazon Bedrock now enforces JSON schema compliance at the model level, eliminating the need for custom validation logic and retry mechanisms when extracting structured data from foundation models. 
• This addresses a common production pain point where formatting errors in LLM responses break downstream API integrations and automated workflows.
• The feature works in two modes: custom JSON schema definitions for response formatting, or strict tool definitions that ensure model tool calls match exact specifications. 
• This reduces operational overhead by preventing malformed outputs before they reach application code, making AI integrations more reliable for production use cases like data extraction, form processing, and API orchestration.
• Available now for Anthropic Claude 4.5 models and select open-weight models across all commercial AWS Regions where Bedrock operates. 
• The capability works with Converse, ConverseStream, InvokeModel, and InvokeModelWithResponseStream APIs, providing flexibility for both synchronous and streaming applications.
• The practical benefit is fewer failed requests and reduced engineering time spent on output parsing and error handling. 
• Organizations building production AI applications that feed into existing systems or databases can now rely on consistent, machine-readable responses without building extensive validation layers.
• int where teams had to choose between advanced deployment strategies and NLB’s technical requirements. Documentation available at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-linear.html 

FYI Claude Opus 4.6 now available in Amazon Bedrock

• Claude Opus 4.6 is now available in Amazon Bedrock, positioning itself as Anthropic’s most capable model with particular strength in coding, agentic workflows, and enterprise applications. 
• The model supports both 200K and 1M context windows in preview, enabling analysis of large codebases and extensive document sets without chunking.
• The model’s agentic capabilities allow it to manage complex multi-step tasks across dozens of tools with reduced oversight, including the ability to autonomously spin up subagents for task decomposition. 
• This makes it suitable for enterprise workflows like financial analysis that would typically require days of manual work, cybersecurity threat detection, and cross-application data movement.
• For developers, Opus 4.6 handles full software lifecycle management from requirements gathering through implementation and maintenance, particularly for long-horizon projects and large-scale codebases. 
• The model’s deep reasoning capabilities make it applicable to professional work requiring sophisticated multi-step orchestration.
• Regional availability varies by deployment, with specific regions listed in the AWS Bedrock documentation. Pricing follows Bedrock’s standard model-based pricing structure, though specific costs for Opus 4.6 are not detailed in the announcement and should be verified in the Bedrock console.

FYI Opus 4.6 is now available in Kiro 

• Kiro has released Claude Opus 4.6 integration in their IDE and CLI, marking Anthropic’s newest state-of-the-art model that claims to be the world’s best for coding. 
• The model is available to Kiro Pro, Pro+, and Power customers in AWS US-East-1 region with a 2.2x credit multiplier, same as Opus 4.5.
• Opus 4.6 targets production code and sophisticated agents, with particular strength in large-scale codebases and long-horizon projects. 
• Anthropic positions it as capable of helping senior engineers complete multi-day projects in hours through task delegation with reduced oversight requirements.
• The model integrates with Kiro’s spec-driven development workflows, enabling detailed but precise specifications on large existing projects and surgical precision updates with minimal user input. 
• This represents a shift toward AI-assisted development at enterprise scale rather than simple code completion.
• Access requires authentication through Google, GitHub, AWS BuilderID, or AWS IAM Identity Center, with experimental support currently limited to the Northern Virginia region. Users can access the model immediately by downloading or restarting the Kiro app or CLI.

1:03:55 Amazon Redshift now supports allocating extra compute for automatic optimizations

• Amazon Redshift now allows database administrators to allocate dedicated compute resources specifically for automatic optimization tasks like table optimization, sorting, vacuuming, and analysis. 
• This prevents maintenance operations from competing with user queries during peak usage periods, addressing a common pain point where DBAs had to manually schedule these tasks during off-hours.
• The feature includes cost controls for provisioned clusters, letting administrators cap the amount of extra compute resources that autonomics can consume. This prevents runaway costs while still enabling continuous optimization, and works alongside the new SYS_AUTOMATIC_OPTIMIZATION system table that provides visibility into what optimization operations are running and their resource consumption.
• This enhancement is available across all AWS Regions where Redshift operates, supporting both provisioned clusters and serverless workgroups. 
• The feature essentially decouples database maintenance from query performance, which is particularly valuable for organizations running 24/7 analytics workloads that previously had no maintenance windows.
• The practical benefit is that Redshift databases can now stay optimized continuously without manual intervention or performance degradation during business hours. 
• Organizations with high-concurrency analytics workloads or those operating across multiple time zones will see the most immediate value from this capability.

1:04:35 Justin – “This is why I wanted a managed service from you, Amazon, so I didn’t have to think about this. This is you failing me.”  

GCP

1:05:26  Introducing the Developer Knowledge API and MCP Server

• Google launches the Developer Knowledge API and Model Context Protocol server to provide AI assistants with programmatic access to official Google developer documentation as machine-readable Markdown. 
• This addresses the problem of LLMs relying on outdated training data or web scraping when helping developers build with Google technologies like Firebase, Android, and Google Cloud.
• The MCP server implements the open Model Context Protocol standard, allowing popular AI assistants and IDEs to directly query Google’s documentation for real-time answers about API changes, code examples, and best practices. Developers can enable it through gcloud CLI and configure it in their AI assistant settings, with support for tools like Claude Desktop and various IDE extensions.
• The service is currently in public preview with free access through standard Google Cloud API quotas. 
• Future plans include adding structured content support for code samples and API reference entities, expanding the documentation corpus, and reducing re-indexing latency before general availability.
• This integration benefits developers using AI coding assistants by ensuring responses reference current Google documentation rather than potentially stale information from model training cutoffs. The approach provides a canonical source of truth that updates as Google’s documentation changes.
• The Developer Knowledge API requires a Google Cloud project with the API enabled through gcloud beta services, and detailed configuration instructions are available in the official documentation at developers.google.com/knowledge/api and developers.google.com/knowledge/mcp.

1:04:35 Ryan – “This won’t fix the fact that Google documentation is awful, but this will make it at least better.” 

1:12:17 Delivering a secure, open, and sovereign digital world

• Google Cloud expands its Sovereign Cloud portfolio with three tiers – Data Boundary, Dedicated, and Air-Gapped – designed to meet varying data sovereignty requirements. 
• Air-Gapped operates completely disconnected from Google Cloud and the internet, with no remote access possible by Google, while Dedicated allows partners to monitor and block updates with up to 12 months of independent operation if disconnected.
• The company announces substantial infrastructure investments across all continents, including new cloud regions in Thailand, Malaysia, and Sweden, plus subsea cables like TalayLink and Dhivaru for Asia-Pacific connectivity. 
• Google commits to legal resistance against government shutdown orders and will enable qualified third parties to operate Google Cloud using Google’s code if Google becomes unable to continue operations.
• External Key Management lets customers store encryption keys outside Google Cloud with detailed access justifications required, while client-side encryption for Workspace ensures Google cannot read customer collaboration data. 
• Google eliminated data transfer fees for customers migrating off the platform and expanded local ML processing for select Gemini models to 11 countries, including Australia, Brazil, Canada, France, Germany, India, Japan, Singapore, South Korea, and the UK.
• Notable sovereign cloud deployments include NATO Communication and Information Agency, German Armed Forces, UK Ministry of Defence, and Singapore government agencies using Air-Gapped, while France’s S3NS offers Premi3NS built on Dedicated with SecNumCloud 3.2 qualification from ANSSI. 
• The portfolio targets highly regulated sectors like defense, government, banking, and healthcare, requiring strict data residency and operational independence guarantees.

FYI  Expanding Vertex AI with Claude Opus 4.6. 

• Google Cloud adds Anthropic’s Claude Opus 4.6 to Vertex AI, positioning it as its most powerful model for enterprise workflows, including document generation, financial analysis, and complex coding tasks. 
• The model excels at multi-step agentic workflows and can handle tasks like creating production-ready spreadsheets and presentations with fewer revision cycles, particularly valuable for finance and legal verticals requiring precision.
• Vertex AI provides a complete agentic stack beyond just model access, including Agent Development Kit for rapid prototyping, Agent Engine for serverless deployment, and Memory Bank for persistent context across interactions. 
• Cost optimization features include provisioned throughput for fixed pricing, prompt caching with flexible TTL, batch predictions, and a 1M token context window in preview for Claude Opus 4.6.
• The platform integrates with Google Cloud’s security infrastructure, including Model Armor for protection against prompt injection and tool poisoning, plus Security Command Center for AI threat detection. 
• Customer implementations show practical results, with Palo Alto Networks reporting a 20-30% increase in code development velocity and companies like Shopify, TELUS, and Replit using Claude on Vertex AI for production workloads.
• Claude Opus 4.6 is generally available on Vertex AI with deployment options through Google Cloud Marketplace for streamlined procurement. Regional availability and specific pricing details are documented at cloud.google.com/vertex-ai/generative-ai/pricing#claude-models, with the model accessible through the Vertex AI console and sample notebooks available on GitHub.

1:13:15 GEAR program now available

• Google launches GEAR (Gemini Enterprise Agent Ready) as a specialized learning program within the Google Developer Program to help developers build production-ready AI agents. 
• The program provides 35 monthly learning credits on the Google Skills platform for sandbox testing and lab access at no cost to participants.
• The program offers two main learning paths: Introduction to Agents for understanding agent architecture and integration with Gemini Enterprise, and Develop Agents with Agent Development Kit (ADK) for building agents with reasoning loops. 
• Both paths focus on moving developers from experimentation to production-grade implementations using Google’s open-source ADK.
• GEAR includes a credential system with completion badges on Google Developer profiles and skill badges for intermediate and advanced expertise. 
• For Google Cloud customers, a separate Get Certified cohort-based program offers instructor-led training and technical mentorship to prepare for industry-recognized certifications.
• The program addresses the shift toward agentic AI, where software can reason, plan, and execute complex workflows autonomously. Access requires creating or signing into a Google Developer Program profile and claiming the GEAR badge at developers.google.com/program/gear.

1:14:27 Ryan – “I still think there’s a very large amount of people who don’t really understand sort of putting an agentic workflow in place to do what they want, right? It’s still pretty much fire-and-forget chat operations. And so there’s a lot of power in the tool once you know how to use it, but it is sort of less than straightforward, so I think this is a great course.”

Azure

1:15:26 Updates in two of our core priorities

• Microsoft announces major security leadership change with Hayete Gallot returning as EVP of Security, reporting directly to CEO Satya Nadella, while Charlie Bell transitions from leading security to focus on engineering quality as an individual contributor. 
• This organizational shift reflects Microsoft’s continued emphasis on security as a top priority following recent Security Copilot and Purview adoption momentum.
• Gallot brings 15-plus years of Microsoft experience building Windows and Office franchises, plus recent Google Cloud customer experience leadership, positioning her to connect product development with customer value realization across Microsoft’s security portfolio. 
• Her appointment comes as Microsoft integrates security into its new commercial cohorts operating model announced during recent earnings.
• Charlie Bell’s move from organizational leadership to an individual contributor engineering role is notable for a senior executive, with his new focus on Quality Excellence Initiative to improve engineering standards and product durability across Microsoft’s global scale operations. He will partner with Azure leadership, including Scott Guthrie, on quality improvements.
• Ales Holecek takes on the Chief Architect for Security role to bring platform architecture expertise to security products and connect them with Microsoft’s existing scale businesses and the Agent Platform. This architectural focus suggests deeper integration between security services and Microsoft’s broader cloud infrastructure.
• The timing aligns with Microsoft’s recent earnings report, highlighting security business growth and the company’s broader reorganization around commercial cohorts, indicating security will have dedicated product development rhythms separate from other business units. No specific pricing or feature changes were announced as part of this leadership transition.

1:17:19 Justin – “I think this is them recreating the engineering operations review at Amazon at Azure. I think he is basically building a weekly program team that is going to be running the wheel, if you’re familiar with Amazon’s wheel thing, where basically you – as a service owner – can be called on at any time and you have to deep dive into all your KPIs, how your system’s operating, service operations, recent incidents, and you have to answer that at Amazon. They do it every week.”

1:19:23 Enhanced storage resiliency with Azure NetApp Files – Elastic zone-redundant service

• Azure NetApp Files Elastic ZRS introduces synchronous replication across three or more availability zones within a region with automatic service-managed failover, maintaining the same mount target and endpoint during zone failures. 
• This eliminates the need for customers to manage HA clusters or VM-level failover while guaranteeing zero data loss for mission-critical workloads.
• The service costs less than running three separate ANF volumes with cross-zone replication while providing the same multi-AZ high availability in a single volume. Volumes can be created as small as 1 GiB, offering flexibility for workloads of any size with support for both NFS and SMB protocols independently.
• ANF Elastic ZRS delivers enterprise data management capabilities, including instant snapshots, clones, tiering, and backup integration powered by NetApp ONTAP, plus efficient metadata operations through a shared QoS architecture that dynamically allocates IOPS. 
• The service is particularly suited for healthcare, financial services, and other regulated industries requiring continuous uptime and compliance.
• The service is currently available in select Azure regions with rapid expansion planned, and future capabilities will include simultaneous multi-protocol access (NFS, SMB, and Object REST API), custom region pairs for cross-region replication, and a migration assistant for moving data from on-premises ONTAP systems. 
• This represents a clear migration path for existing NetApp on-premises customers looking to modernize without re-architecting applications.

1:21:21 PostgreSQL on Azure supercharged for AI 

• Microsoft has enhanced Azure Database for PostgreSQL with native AI capabilities, including direct integration with Microsoft Foundry for in-database LLM operations like embeddings and semantic search. 
• The service now supports DiskANN vector indexing for high-performance similarity search and includes a new PostgreSQL extension for Visual Studio Code that enables database provisioning directly from the IDE with built-in Entra ID authentication.
• The platform introduces zero-ETL real-time analytics through Microsoft Fabric mirroring and native Parquet file support via the Azure Storage Extension, allowing direct read/write operations to Azure Storage using SQL commands. PostgreSQL 18 is now generally available on Azure with new V6 compute SKUs that deliver improved I/O performance and lower latency, while Elastic Clusters enable horizontal scaling for multi-tenant workloads.
• Azure HorizonDB was announced at Ignite as a new PostgreSQL-compatible service in private preview, designed specifically for AI-native workloads with scale-out compute and sub-millisecond latency. 
• This positions Azure to support both traditional PostgreSQL workloads and next-generation AI applications requiring ultra-low latency and horizontal scale.
• The GitHub Copilot integration provides schema-aware SQL assistance within Visual Studio Code, while the new Model Context Protocol server for PostgreSQL enables direct agent framework connections in Microsoft Foundry. 
• Nasdaq demonstrated a production use case with their Boardvantage platform, using Azure Database for PostgreSQL and Microsoft Foundry to add AI-powered document analysis and summarization to their board governance system serving nearly half of the Fortune 500.

1:22:49 Matt – “Nothing I like better than an LLM inside my database!” 

FYI      Claude Opus 4.6: Anthropic’s powerful model for coding, agents, and enterprise workflows is now available in Microsoft Foundry

• Claude Opus 4.6 is now available in Microsoft Foundry on Azure, bringing Anthropic’s most advanced reasoning model to enterprise customers with a 1M token context window in beta and 128K max output tokens. 
• The model targets complex coding tasks, agentic workflows, and knowledge work across finance, legal, and cybersecurity domains, with new API features including adaptive thinking that dynamically adjusts reasoning depth and context compaction for long-running conversations.
• The integration connects Claude Opus 4.6 with Foundry IQ, enabling access to data across Microsoft 365, Fabric, and web sources within Azure’s governance and compliance framework. 
• Customers like Adobe, Dentons, and Macroscope are using the model for code review, legal drafting, and document generation, with deployment available through both Microsoft Foundry and Copilot Studio for no-code agent building.
• Technical improvements include enhanced computer use capabilities for navigating interfaces and automating multi-application workflows, plus a new max effort control level that joins existing high, medium, and low settings for finer token allocation. The model handles large codebases effectively for refactoring and bug detection, with companies like Momentic AI processing millions of tokens per hour using the Azure infrastructure.
• Pricing follows a premium model beyond 200K tokens for the 1M context window beta, though specific per-token costs were not disclosed in the announcement. 
• The focus is on production-grade deployments where Azure’s managed infrastructure and operational controls help compress development timelines from days to hours while maintaining enterprise security requirements.

1:23:45 Microsoft OneLake and Snowflake interoperability (Generally Available) | Microsoft Fabric Blog

• Microsoft OneLake and Snowflake now offer bidirectional Iceberg table interoperability in general availability, allowing customers to store and access data across both platforms without duplication. 
• Changes made in one platform automatically reflect in the other, eliminating the need for traditional copy-heavy data integration approaches.
• Snowflake-managed Iceberg tables can now be natively stored in Microsoft OneLake, while Fabric data automatically converts to Iceberg format for direct Snowflake access. 
• This addresses the challenge of enterprise data living across fragmented systems by providing a single copy of data accessible through either platform’s analytical engines.
• New UI elements launching next week include a Snowflake item in OneLake for simplified access without complex configurations, plus Snowflake UI that pushes managed Iceberg tables directly into Fabric as discoverable OneLake items. The integration also supports OneLake table APIs working with Snowflake’s catalog-linked database feature.
• The target use case centers on data teams managing analytics and AI workloads across multiple platforms who want to avoid vendor lock-in and proprietary formats. Organizations can now choose the optimal storage location and analytical engine for each project while maintaining a unified data estate without operational overhead from data duplication.
• No specific pricing details were provided in the announcement, though the integration leverages existing OneLake and Snowflake licensing models. Customers can access quickstart guides and documentation through Microsoft Learn and Snowflake’s resources, with hands-on training available at FabCon and SQLCon 2026 in Atlanta from March 16-20.

1:24:44 Ryan – “This is kind of neat. I mean, it’s unexpected because it is data, and the amount of data and what you’d have in a data lake is usually one of those elements that makes using a service very sticky, so providing sort of an easy way to get out of that is a surprise to me, but it’s also – from a customer perspective – if you’ve got data across both, like how fantastic is that? To be able to use it. I like it.”

1:25:52 Generally Available: Azure Container Storage v2.1.0 now with Elastic SAN integration and on-demand installation

• Azure Container Storage v2.1.0 brings native Elastic SAN integration, allowing Kubernetes workloads to leverage Azure’s shared block storage service for high-performance persistent volumes. 
• This integration provides an alternative to existing Azure Disk and ephemeral disk options, particularly beneficial for workloads requiring shared storage across multiple pods.
• The release introduces an on-demand installation model that reduces the deployment footprint and operational overhead compared to previous versions. Instead of pre-installing all storage components, the system now deploys only the necessary drivers and resources when specific storage types are requested, streamlining cluster management.
• Elastic SAN support targets enterprise customers running stateful containerized applications that need consistent low-latency performance and the ability to scale storage independently from compute. 
• Common use cases include database workloads, analytics platforms, and applications requiring shared persistent volumes across multiple container instances.
• The lightweight installation approach addresses a common pain point where organizations previously had to deploy full storage stacks even when using only a subset of available storage options. 
• This change reduces resource consumption on AKS clusters and simplifies troubleshooting by limiting the number of active storage components

1:26:26 Justin – “The amount of SAN investment they’ve done in the last year is crazy to me.” 

1:27:20 Five Reasons to attend SQLCon | Microsoft Fabric Blog 

• SQLCon is a new SQL-focused conference co-located with FabCon in Atlanta, March 16-20, offering dual access with a single registration. 
• The event features 50 SQL sessions covering SQL Server, Azure SQL, and SQL database in Fabric, with hands-on workshops Monday-Tuesday and conference sessions Wednesday-Friday.
• Microsoft is sending over 30 SQL product team members to deliver engineering insights, roadmap announcements, and live demos of upcoming capabilities, including SSMS and VS Code extensions, Copilot integrations, and Fabric SQL experiences. This provides direct access to product teams for technical questions and future planning.
• The combined conference format allows attendees to mix deep SQL technical sessions with broader Fabric, Power BI, data engineering, and AI content throughout the week. 
• This structure benefits both specialists needing deep technical content and cross-functional teams building shared understanding across data platforms.
• Registration includes access to both conferences, hands-on workshops, Ask-the-Experts sessions with MVPs and engineers, and an attendee party at the Georgia Aquarium. 
• Early-bird pricing and team discounts are available, with promo code SQLCMTY200 offering $200 off registration.
• The event targets DBAs, developers, data engineers, architects, and data team leaders working with SQL Server, Azure SQL, or SQL database in Fabric who need practical migration, modernization, performance tuning, and AI integration guidance.

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• Finally, a Chatbot That Actually Knows Where Your Data Lives **Anthropic
• Microsoft Adds Security Analyzer to MSSQL Extension: Because Bobby Tables Jokes Are Only Funny Until They Happen to You
• From Sequential Sadness to Parallel Paradise: GKE Node Pools Get Concurrent
• From Vibe Coding to Production: AWS MCP Server Gets SOPs
• One Prompt to Deploy Them All: AWS MCP Server Automates Infrastructure
• AWS Layoffs: Scaling Down Instead of Scaling Out
• Mutual TLS: Because CloudFront and Your Origin Need Couples Therapy
• Claude Team Plan: Now With More Seats and Less Bills
• From Snowflake to Snowball: Rolling Data and Dev Into One Platform
• From Notepad++ to Notepad Pwned: A Six-Month Hosting Horror Story
• EventBridge Payload Capacity Gets a 4x Upgrade: No More Event Splitting Headaches
• CloudFront Finally Learns to Check ID Before Knocking on Origin’s Door

General News 

01:30 SpaceX acquires xAI, plans to launch a massive satellite constellation to power it – Ars Technica

• SpaceX has acquired xAI to create a vertically integrated AI and space infrastructure company, with plans to deploy up to 1 million satellites as orbital data centers. 
• This represents a significant bet that space-based compute infrastructure can be cost-competitive with traditional ground-based data centers for AI workloads.
• The merger combines SpaceX’s launch capabilities and satellite manufacturing expertise with xAI’s Grok chatbot and X social platform. 
• The strategy assumes AI demand will continue to grow and that compute capacity, rather than other factors, is the primary bottleneck to AI adoption.
• The orbital data center concept raises questions about latency, power requirements, thermal management, and maintenance compared to terrestrial facilities. 
• Traditional cloud providers have invested heavily in ground-based infrastructure optimized for these factors.
• This consolidation of Musk’s companies creates potential conflicts between SpaceX’s established government and commercial contracts and xAI’s more controversial products. 
• The integration of a proven aerospace company with a newer AI venture introduces execution risk to SpaceX’s core business.
• The plan depends on several unproven assumptions, including sustained AI market growth, viable economics for space-based computing, and the ability to manufacture and launch satellites at unprecedented scale. 
• Cloud providers and enterprises will need to evaluate whether orbital compute offers advantages over existing multi-region terrestrial deployments.

03:22 Ryan – “I feel like this is a shell game con; taxes are over here – no, now they’re over here!” 

06:49 Notepad++ Hijacked by State-Sponsored Hackers | Notepad++

• Chinese state-sponsored hackers compromised Notepad++ update infrastructure from June through December 2025 by exploiting vulnerabilities at the shared hosting provider level, not in Notepad++ code itself. 
• The attackers maintained access to internal service credentials even after losing server access in September, allowing them to selectively redirect update traffic to malicious servers until December 2025.
• The attack exploited insufficient update verification controls in older Notepad++ versions, with attackers specifically targeting the update manifest endpoint to serve compromised installers to selected users. 
• Version 8.8.9 added certificate and signature verification for downloaded installers, while the upcoming version 8.9.2 will enforce XMLDSig signature verification on update server responses.
• The hosting provider confirmed the compromise was limited to one shared hosting server and found no evidence of other clients being targeted, though the investigation of 400GB of logs yielded no concrete indicators of compromise like binary hashes or IP addresses. Rapid7 and Kaspersky later published a more detailed technical analysis with actual IoCs.
• This incident demonstrates supply chain attack risks even for open source software with millions of users, particularly when update infrastructure relies on shared hosting environments. 
• The Notepad++ project has since migrated to a new hosting provider with stronger security practices and implemented multiple layers of cryptographic verification.

09:24 Matt – “Getting in at this level – and that maintenance of control for 7 months – is crazy. It’s a pretty big attack.” 

15:25 Internal Messages Reveal Teams, Jobs Affected in Amazon Layoffs – Business Insider

• Amazon is cutting 16,000 corporate roles in its second major layoff round within four months, affecting multiple AWS service teams, including Bedrock AI, Redshift data warehouse, and ProServe consulting divisions. 
  • The cuts represent a significant restructuring of Amazon’s corporate workforce of approximately 350,000 employees.
• AWS engineering teams appear heavily impacted based on internal Slack messages, with software engineers from core cloud services posting job searches. 
• This raises questions about AWS’s product development velocity and customer support capacity during a period of intense AI competition with Microsoft Azure and Google Cloud.
• Affected US employees receive 90 days for internal job searches with severance and benefits for those unable to find new positions. 
• The timing follows Amazon’s return-to-office mandate and broader tech industry cost-cutting trends.
• The layoffs touch customer-facing teams like Prime subscription services and last-mile delivery alongside cloud infrastructure groups. This dual impact on retail and AWS operations suggests company-wide efficiency initiatives rather than targeted underperformance in specific business units.

17:24 Matt – “It really did affect a broad spectrum of the org.” 

AI Is Going Great – Or How ML Makes Money 

19:10 Project Genie: AI world model now available for Ultra users in U.S.

• Google DeepMind launches Project Genie, an experimental web app now available to Google AI Ultra subscribers in the U.S. (18+), powered by the Genie 3 world model that generates interactive 3D environments in real-time based on text prompts and images. 
  • Unlike static 3D snapshots, Genie 3 simulates physics and interactions dynamically as users navigate, creating expanding worlds on the fly.
• The platform offers three core capabilities: World Sketching (using Nano Banana Pro for image preview and fine-tuning before entering), World Exploration (real-time path generation based on user actions with adjustable camera controls), and World Remixing (building on existing worlds from galleries). 
  • Users can define character perspectives (first-person or third-person) and movement types (walking, flying, driving).
• Current limitations include 60-second generation caps, occasional physics inconsistencies, character control issues with higher latency, and generated worlds that may not always match prompts precisely. 
• Some Genie 3 capabilities announced in August, like promptable events that modify worlds during exploration, are not yet included in this prototype.
• This release represents Google’s approach to building general-purpose AI systems that can navigate diverse real-world scenarios, moving beyond domain-specific agents like AlphaGo. 
• The technology has potential applications in robotics simulation, animation modeling, location exploration, and historical setting recreation, though it remains an early research prototype in Google Labs.

24:07 Retiring GPT-4o, GPT-4.1, GPT-4.1 mini, and OpenAI o4-mini in ChatGPT | OpenAI

• OpenAI will retire GPT-4o, GPT-4.1, GPT-4.1 mini, and o4-mini from ChatGPT on February 13, 2026, though API access remains unchanged. 
• Only 0.1% of users still select GPT-4o daily, with most usage shifted to GPT-5.2.
• GPT-4o was previously deprecated, then restored after user feedback about creative ideation needs and preference for its conversational warmth. 
• This feedback directly influenced GPT-5.1 and GPT-5.2 development, which now includes customizable personality controls for warmth, enthusiasm, and conversational styles like Friendly.
• OpenAI is addressing user complaints about unnecessary refusals and overly cautious responses in newer models. The company is developing an adult-focused version of ChatGPT for users over 18 with expanded freedom within appropriate safeguards, supported by age prediction rollout in most markets.
• The model retirement strategy allows OpenAI to concentrate resources on improving models with active user bases rather than maintaining legacy versions. 
• This follows a pattern of deprecating older models as newer versions incorporate user-requested features and achieve broader adoption.

25:43 Matt – “Deprecation of things is one of the hardest things; we joked a lot last year when AWS finally deprecated things, but it’s hard. People have it built in and hard-coded into their apps and workflows. They’re used to specific types of responses.” 

28:15 Introducing the Codex app | OpenAI 

• OpenAI launches the Codex desktop app for macOS, a command center interface for managing multiple AI coding agents simultaneously across long-running development tasks. 
• The app includes native support for parallel agent workflows using git worktrees, allowing multiple agents to work on isolated copies of the same repository without conflicts while maintaining separate thread contexts per project.
• Codex now extends beyond code generation through a Skills system that bundles instructions, resources, and scripts for tasks like Figma design implementation, Linear project management, and cloud deployment to Cloudflare, Netlify, Render, and Vercel. 
• OpenAI demonstrated this by having Codex autonomously build a complete racing game using 7 million tokens from a single prompt, with the agent taking on designer, developer, and QA tester roles.
• The app introduces Automations for scheduled background tasks like daily issue triage, CI failure analysis, and release briefs, with results landing in a review queue for developer oversight. All agents run in configurable system-level sandboxes by default, restricted to editing files in their working folder and requiring permission for elevated operations like network access.
• For a limited time, OpenAI is including Codex access with ChatGPT Free and Go tiers and doubling rate limits across all paid plans (Plus, Pro, Business, Enterprise, Edu). 
• Usage has doubled since GPT-5.2-Codex launched in mid-December, with over one million developers now using the service, and Windows support is planned for future releases.

29:52 Ryan – “They’ve got a lot of catching up to do. Claude Code is all I hear about…it’s everywhere. I do hear about Gemini Code, mostly because I live in that ecosystem. I haven’t had a chance to play with it and compare it to the other tools.” 

AWS 

35:20 AWS announces Deployment Agent SOPs in AWS MCP Server

• AWS introduces Deployment Agent SOPs in the AWS MCP Server in preview, enabling developers to deploy web applications to production using natural language prompts through MCP-compatible tools like Claude, Cursor, and Kiro. 
• The system automatically generates CDK infrastructure, deploys CloudFormation stacks, and sets up CI/CD pipelines with AWS security best practices included.
• The feature addresses the gap between AI-assisted prototyping and production deployment by allowing developers to move from vibe-coded applications to production environments in a single prompt. This is fine. Just fine. 
• Agent SOPs follow multi-step procedures to analyze project structure, create preview environments on S3 and CloudFront, and configure CodePipeline for automated deployments from source repositories.
• Support includes popular web frameworks like React, Vue.js, Angular, and Next.js, with automatic documentation generation that enables AI agents to handle future deployments and troubleshooting across sessions. The deployment process creates persistent documentation in the repository for continuity.
• Currently available in preview at no additional cost in US East N. Virginia region only, with customers paying standard rates for AWS resources created and applicable data transfer costs. 
• This represents AWS’s integration of AI agents into the deployment workflow, competing with other infrastructure-as-code and deployment automation tools.

36:58 Ryan – “I like and hate this all at the same time.” 

40:54 AWS STS now supports validation of select identity provider-specific claims from Google, GitHub, CircleCI and OCI

• AWS STS now validates provider-specific claims from Google, GitHub, CircleCI, and Oracle Cloud Infrastructure when federating into AWS via OIDC. 
• This allows customers to reference custom claims as condition keys in IAM role trust policies and resource control policies, enabling more granular access control for federated identities beyond the standard OIDC claims.
• The feature addresses a common security gap where organizations previously could only validate standard OIDC claims like subject and audience, but couldn’t enforce conditions based on provider-specific attributes like GitHub repository names or Google Workspace domains. 
  • This enhancement helps establish data perimeters by allowing customers to restrict access based on the specific context of the federated identity.
• Available now in all AWS Commercial Regions at no additional cost beyond standard STS API usage. 
• Organizations using OIDC federation for CI/CD pipelines, developer access, or multi-cloud identity management can immediately implement more restrictive trust policies without changing their authentication flows.
• The supported claims vary by provider and include attributes like GitHub repository visibility, CircleCI project IDs, and OCI tenancy information. Full documentation of available condition keys is provided in the IAM User Guide under Available Keys for OIDC federation.

17:00 Matt – “This is a fantastic feature that I was convinced was a brand new announcement, until Matt schooled me and said, ‘I’ve been doing this for months, ‘ because I didn’t know you could do this with STS.” 

46:33 Amazon CloudFront announces mutual TLS support for origins

• CloudFront now supports mutual TLS authentication for origins, allowing customers to verify that requests to their backend servers come only from authorized CloudFront distributions using certificate-based authentication. 
• This eliminates the operational overhead of managing custom solutions like shared secret headers or IP allow-lists that previously required constant rotation and maintenance.
• The feature works with AWS Private Certificate Authority or third-party private CAs imported through AWS Certificate Manager, providing cryptographic verification of CloudFront’s identity to any origin that supports mTLS, including Application Load Balancers, API Gateway, on-premises servers, and third-party cloud providers. There is no additional charge for using origin mTLS beyond standard CloudFront pricing.
• This addresses a common security gap for organizations serving proprietary content through CloudFront, particularly when origins are publicly accessible or hosted externally. 
• Previously, customers had to build custom authentication layers to ensure only their CloudFront distributions could access backend infrastructure, creating an ongoing operational burden.
• Configuration is available through the AWS Management Console, CLI, SDK, CDK, or CloudFormation, making it straightforward to implement across existing CloudFront distributions. The feature is also included in CloudFront’s Business and Premium flat-rate pricing plans at no extra cost.

49:33 AWS Management Console now displays Account Name on the Navigation bar for easier account identification

• The AWS Management Console now displays account names in the navigation bar, replacing the previous reliance on account numbers for identification. 
  • This addresses a common pain point for organizations managing multiple AWS accounts across development, production, and different business units.
• The feature is available at no additional cost across all public AWS regions and requires administrator enablement through IAM managed policies. 
• Once enabled, all authorized users in an account will see the account name displayed in the console navigation bar.
• This update provides immediate value for teams working across multiple accounts who previously had to memorize or reference 12-digit account numbers. 
• The visual distinction helps reduce errors when switching between environments like dev and prod.
• The implementation follows AWS best practices for multi-account architectures, making it easier to maintain account separation while improving operational efficiency. Organizations using AWS Organizations or Control Tower will particularly benefit from clearer account identification.

51:21 Matt – “Not the sexiest feature, but for the love of God the most USEFUL feature of this podcast.” 

53:22 Announcing increased 1 MB payload size support in Amazon EventBridge 

• EventBridge now supports 1 MB event payloads, up from the previous 256 KB limit, eliminating the need for developers to split large events, compress data, or store payloads externally in S3. 
• This simplifies architectures for applications handling LLM prompts, telemetry data, and complex JSON structures from machine learning models.
• The increased payload size reduces architectural complexity and operational overhead by allowing comprehensive contextual data to be included in a single event rather than requiring chunking logic or coordination with external storage systems. 
  • This is particularly relevant for AI/ML workloads where model outputs and prompts can exceed the previous size constraints.
• The feature is available now in most commercial AWS regions where EventBridge operates, with notable exceptions including Asia Pacific regions like New Zealand, Thailand, Malaysia, and Taipei, plus Mexico Central. No additional cost is mentioned for the larger payload support beyond standard EventBridge pricing.
• This change addresses a common pain point in event-driven architectures where developers previously had to implement workarounds for large payloads, adding code complexity and potential failure points. 
• The 4x increase in payload size aligns EventBridge more closely with modern application needs around AI and real-time data processing.

54:44 Ryan – “I think this is a good thing. I was lauhging at this because I remember event size in Kinesis being a big to-do and a project forever ago, and trying to think through all the limits…but now I was thinking through the AI workloads and how much of a pain it would be to have your prompts referencing and external source everytime…so glad to see this.” 

56:55 AWS Network Firewall now supports GenAI traffic visibility and enforcement with Web category-based filtering

• • AWS Network Firewall adds URL category-based filtering that lets you control access to GenAI applications, social media, streaming services, and other web categories using pre-defined categories instead of maintaining manual domain lists. 
  • This reduces operational overhead for security teams who need to enforce consistent policies across AWS environments while gaining visibility into emerging technology usage.
  • The GenAI traffic visibility component addresses a growing compliance need as organizations struggle to track and govern employee access to ChatGPT, Claude, Gemini, and other AI services. 
  • Security teams (booo) can now restrict GenAI usage to approved corporate tools or block access entirely based on their risk tolerance and regulatory requirements.
  • When combined with TLS inspection, the feature enables full URL path inspection for granular control beyond just domain-level blocking. 
  • This matters for scenarios where you need to allow access to a domain but block specific paths or query parameters that might expose sensitive data.
  • The feature is available now in all AWS commercial regions where Network Firewall operates, with no additional base cost beyond standard Network Firewall pricing, which starts at 0.395 dollars per firewall endpoint hour plus 0.065 dollars per GB processed. 
  • You can implement this through stateful rule groups using the AWS Console, CLI, or SDKs without requiring new infrastructure deployment.
• Did we talk about this one last week? It feels like we talked about this one already. Guess it’s time to build another bot. 

GCP

59:49 Conversational Analytics in BigQuery is in preview 

• Google launches Conversational Analytics in BigQuery as a preview feature that lets users query data using natural language instead of SQL. 
• The AI agent uses Gemini models to generate queries, execute them, and create visualizations while maintaining security controls and audit logging within BigQuery’s existing governance framework.
• The system goes beyond basic chatbots by grounding responses in actual BigQuery schemas, metadata, and custom business logic, including verified queries and User Defined Functions. 
• This ensures generated SQL aligns with production metrics and enterprise standards rather than making generic assumptions about data structure.
• Users can perform predictive analytics through natural language by leveraging BigQuery AI functions like AI.FORECAST and AI.DETECT_ANOMALIES without writing code. 
• The agent also supports querying unstructured data such as images stored in BigQuery object tables, expanding analysis beyond traditional row-column datasets.
• The agents can be deployed across multiple surfaces, including Looker Studio Pro, the BigQuery UI, custom applications via API, and existing agentic ecosystems through ADK tools. 
• Documentation and codelabs are available at cloud.google.com for implementation guidance, though specific pricing details were not disclosed in the announcement.
• This addresses a common enterprise bottleneck where business users wait in queues for data teams to write queries, potentially reducing time-to-insight from hours or days to seconds for authorized users.

1:01:11 Matt – “Anything that makes BigQuery easier to use.” 

1:01:36 Introducing Single-tenant Cloud HSM for more data encryption control 

• Google Cloud has launched Single-tenant Cloud HSM, a dedicated hardware security module service that gives organizations exclusive control over cryptographic keys with FIPS 140-2 Level 3 validation. 
• Unlike multi-tenant solutions, customers get sole access to physical HSM partitions with hardware-enforced isolation, meaning their keys are cryptographically separated from other customers and Google operators. The service is generally available now in the US and EU, with “competitive” pricing https://cloud.google.com/kms/pricing#stch_pricing ($3500/month). 
• The service targets highly-regulated industries like financial services, defense, healthcare, and government that need strict compliance controls but want to avoid managing physical hardware. 
• Key security features include full ownership of root keys, quorum-based administration requiring multiple authorized users for sensitive operations, and the ability to revoke Google’s access at any time, which immediately makes all keys and encrypted data inaccessible until authorization is restored.
• Single-tenant Cloud HSM integrates directly with existing Cloud KMS APIs and works with Customer-Managed Encryption Keys (CMEK) across Google Cloud services. Setup takes approximately 15 minutes using standard gcloud commands, and the service automatically scales to handle peak traffic loads while maintaining high availability across multiple zones. 
• The service has already obtained compliance certifications, including FedRAMP, DISA IL5, ITAR, SOC 1/2/3, HIPAA, and PCI DSS.
• Google manages all hardware provisioning, configuration, monitoring, and compliance, removing the operational burden of physical HSM management while maintaining the same redundancy and availability standards as multi-tenant Cloud HSM. 
• Administrators can use hardware tokens like YubiKey or other key management systems to generate and manage their administrative credentials, with quorum requirements preventing any single individual from making unauthorized changes.

1:06:21 Ryan – “And that’s why Google is announcing this. Someone had this checkbox – someone with deep enough pockets had this checkbox.” 

Azure

44:40 Public Preview: 7th generation Intel-based VMs – Dlsv7/Dsv7/Esv7 

• Azure launches Dlsv7, Dsv7, and Esv7 virtual machines in public preview, powered by Intel Xeon 6 processors codenamed Granite Rapids. 
• These 7th-generation Intel-based VMs represent the latest iteration in Azure’s general-purpose and memory-optimized VM families, bringing newer processor architecture to cloud workloads.
• The new VM series targets customers running compute-intensive and memory-intensive workloads that can benefit from the latest Intel processor improvements. 
• General-purpose Dlsv7 and Dsv7 VMs suit balanced workloads like web servers and application hosting, while Esv7 VMs are optimized for memory-heavy applications such as databases and in-memory analytics.
• Intel Xeon 6 processors introduce architectural improvements over previous generations, though specific performance metrics and pricing details are not provided in the announcement. 
• Customers interested in testing these VMs should evaluate them during preview to determine if the newer processor generation delivers meaningful improvements for their specific workloads.
• The preview status means these VMs are available for testing but may not yet be suitable for production workloads, depending on service level agreements and regional availability. 
• Organizations should check Azure documentation for supported regions and any preview limitations before deploying workloads on these new VM series.

1:11:15 Matt – “The other reason I wanted to keep it in was, I’m still struggling to get the V6 in some regions. And granted, these are less common regions, you know, but I have a different skews based on region availability because I just can’t get it, and in some places it’s like, ‘we can do it in two zones.’ And I’m like, cool, thank you. Way to make yourself more money.”

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• Claude’s Pricing Tiers: Free, Pro, and Maximum Overdrive
• GitHub Copilot Learns Database Schema: Finally an AI That Understands Your Joins
• SSMS Gets a Copilot: Your T-SQL Now Writes Itself While You Grab Coffee
• Too Many Cooks in the Cloud Kitchen: How 32 GPUs Outcooked the Big Tech Industrial Kitchens
• Uncle Sam Gets a Gemini Twin: Google’s AI Goes Federal
• Route 53 Gets Domain of Its Own: .ai Joins the Party
• Thai One On: Google Cloud Plants Its Flag in Bangkok
• NAT So Fast: Azure’s Gateway Gets a V2 Glow-Up
• Beware Azure’s SQL Assistant doesn’t smoke your joints.

AI Is Going Great, Or How ML Makes Money  

30:10 Announcing BlackIce: A Containerized Red Teaming Toolkit for AI Security Testing | Databricks Blog

• Databricks released BlackIce, an open-source containerized toolkit that bundles 14 AI security testing tools into a single Docker image available on Docker Hub as databricksruntime/blackice:17.3-LTS. 
• The toolkit addresses common red teaming challenges, including conflicting dependencies, complex setup requirements, and the fragmented landscape of AI security tools, by providing a unified command-line interface similar to how Kali Linux works for traditional penetration testing.
• The toolkit includes tools covering three main categories: Responsible AI, Security testing, and classical adversarial ML, with capabilities mapped to MITRE ATLAS and the Databricks AI Security Framework. 
• Tools are organized as either static (simple CLI-based with minimal programming needed) or dynamic (Python-based with customization options), with static tools isolated in separate virtual environments and dynamic tools in a global environment with managed dependencies.
• BlackIce integrates directly with Databricks Model Serving endpoints through custom patches applied to several tools, allowing security teams to test for vulnerabilities like prompt injections, data leakage, hallucination detection, jailbreak attacks, and supply chain security issues. 
• Users can deploy it via Databricks Container Services by specifying the Docker image URL when creating compute clusters.
• The release includes a demo notebook showing how to orchestrate multiple security tools in a single environment, with all build artifacts, tool documentation, and examples available in the GitHub repository. 
• The CAMLIS Red Paper provides additional technical details on tool selection criteria and the Docker image architecture.

04:30 Ryan – “It’s very difficult to feel confident in your AI security practice or patterns. I feel like it’s just bleeding edge, and I’m learning so much all the time. And so I spend a lot of time reading papers and talking to others and seeing what they’re doing and meeting with vendors trying to figure out strategy, and it just feels like I’m drinking from a fire hose, and it’s really difficult to feel confident. So I like tools like this, where not only is it adding a whole bunch of value, but you can use it as a rubric against what you’ve been doing and where your gaps are.”    

07:28 Ai2 cooks up open-source coding agents with a tech equivalent of ‘hot plate and frying pan’ – GeekWire

• Allen Institute for AI releases SERA (Soft-Verified Efficient Repository Agents), the first in their Open Coding Agents series, as a fully open-source coding agent that organizations can fine-tune on their own codebases for approximately $1,300 using commodity GPUs. 
• The model handles GitHub issues, generates line-by-line patches, and submits pull requests while learning internal APIs and development conventions.
• SERA-32B achieves over 50% success rate on SWE-Bench, matching the performance of proprietary models like GitHub Copilot Workspace and Claude Code, but was built with just 32 GPUs and a five-person team. 
• This demonstrates that competitive coding agents can be developed without the massive infrastructure typically required by tech giants.
• The model runs on organization-owned infrastructure without ongoing licensing fees and integrates with existing tools like Claude Code out of the box. 
• Teams can deploy it with a few lines of code and customize it for private codebases, offering an alternative to expensive closed systems from Microsoft and Anthropic.
• By open-sourcing both the model and training code, Ai2 enables companies to maintain control over their proprietary code while still leveraging advanced AI coding assistance. 
• This addresses a key concern for enterprises hesitant to send sensitive code to third-party services.

05:30 Justin – “I was playing with Olamma, actually, this week, plugging it into Claude, and I definitely needed to get a new M5 MacBook with much more GPU capacity – or go buy a GPU for my house to make that really perform well. But even on my Mac with the 20B open model, it was serviceable. It just wasn’t as fast as using Anthropix APIs directly.”

09:51 Introducing Agentic Vision in Gemini 3 Flash

• Google launches Agentic Vision in Gemini 3 Flash, introducing a Think-Act-Observe loop that enables the model to actively manipulate images through Python code execution rather than processing them in a single static pass. 
• This approach delivers a 5-10% quality improvement across most vision benchmarks by allowing the model to zoom, crop, rotate, and annotate images iteratively to ground its reasoning in visual evidence.
• The capability enables three primary use cases: implicit zooming for fine-grained detail inspection (PlanCheckSolver.com improved building plan validation accuracy by 5%), image annotation with bounding boxes and labels to prevent counting errors, and visual math with deterministic Python execution to parse tables and generate charts without hallucination.
• Agentic Vision is available now via the Gemini API in Google AI Studio and Vertex AI, with rollout beginning in the Gemini app under the Thinking model option. 
• Developers can enable the feature by turning on Code Execution under Tools in the AI Studio Playground.
• Google plans to expand the capability by making behaviors like image rotation and visual math fully implicit without requiring prompt nudges, adding more tools, including web and reverse image search, and extending support beyond Flash to other model sizes. 
• Currently, some capabilities require explicit prompting to trigger code execution.
• The feature addresses a fundamental limitation in frontier AI models that previously had to guess when missing fine-grained details like serial numbers or distant street signs, now replacing probabilistic guessing with verifiable code execution in a deterministic Python environment.

11:08 Justin – “Enhance!” 

13:44 Introducing Prism | OpenAI

• OpenAI launches Prism, a free cloud-based LaTeX workspace for scientific writing that integrates GPT-5.2 directly into the research workflow. 
• The platform offers unlimited projects and collaborators for anyone with a ChatGPT personal account, with enterprise plans coming soon for Business, Enterprise, and Education customers.
• Prism builds on OpenAI’s acquisition of Crixet, a LaTeX platform, and adds native AI capabilities, including real-time collaboration, literature search from sources like arXiv, equation conversion from whiteboard photos to LaTeX, and voice-based editing. GPT-5.2 Thinking mode operates within the document context, understanding the full paper structure, including equations, citations, and figures.
• The platform eliminates the fragmented workflow researchers typically face by consolidating drafting, revision, collaboration, and publication preparation into a single workspace. 
• This removes the need for local LaTeX installations and reduces context switching between separate editors, PDF viewers, reference managers, and chat interfaces.
• OpenAI positions this as part of a broader shift where AI accelerates scientific discovery, following examples of GPT-5 advancing mathematical research, immune-cell analysis, and molecular biology experiments. 
• The free tier provides immediate access to core features, while more advanced AI capabilities will be available through paid ChatGPT plans over time.

14:49 Justin – “I don’t care for LaTex, but I’m not in science either, so maybe this is for those people.” 

AWS

16:41 Now available: 48xlarge and metal-48xl sizes for EBS optimized Amazon EC2 instances

• AWS launches 48xlarge and metal-48xl instance sizes for Graviton4-powered C8gb, M8gb, and R8gb instances, delivering up to 30% better compute performance than Graviton3 and the highest EBS bandwidth (300 Gbps) among non-accelerated EC2 instances. 
• These instances support up to 1440K IOPS, making them the highest EBS IOPS performers in EC2.
• The new instances scale up to 48xlarge with three memory-to-vCPU ratio options (compute, general purpose, and memory optimized), plus metal sizes for C8gb and R8gb that provide direct hardware access. 
• They include up to 400 Gbps networking bandwidth and support Elastic Fabric Adapter for low-latency cluster workloads.
• Primary use cases include high-throughput database workloads, data analytics pipelines, and tightly coupled HPC applications that require sustained high block storage performance. 
• The EFA support makes these particularly suitable for distributed computing tasks that need consistent low-latency inter-node communication.
• Currently available in US East (N. Virginia) and US West (Oregon), with metal sizes limited to US East (N. Virginia) only. 
• This follows AWS’s typical pattern of launching new instance types in primary US regions before broader global expansion.
• The instances represent AWS’s continued investment in Graviton ARM-based processors, offering customers an alternative to x86 instances with improved price-performance for workloads that can run on ARM architecture. 

18:04 Justin – They’re the only thing I used to like to buy on the spot market until AI came around and then ruined it for me.”

18:47 Amazon Route 53 Domains adds support for .ai, and other top-level domains

• Route 53 now supports ten new top-level domains, including .ai, .nz, .shop, .bot, .moi, .spot, .free, .deal, .now, and .hot, expanding domain registration options directly within AWS. 
• The .ai domain has become particularly relevant for AI companies despite originally being Anguilla’s country code, while other TLDs target specific use cases like e-commerce (.shop) and chatbot services (.bot).
• The new domains integrate with existing Route 53 features, including DNS management, automatic renewal, and hosted zones, allowing customers to manage domain registration and DNS records through the console, CLI, or SDKs. 
• This consolidation eliminates the need for third-party domain registrars when building AWS-hosted applications.
• Domain registration pricing varies by TLD, with no standard rate mentioned in the announcement. 
• Customers should check the Route 53 pricing page for specific costs per domain type, as premium TLDs like .ai typically command higher annual registration fees than traditional domains.
• The timing aligns with increased demand for AI-related branding, though Route 53 has historically added TLD support incrementally rather than in response to specific market trends. 
• The service now competes more directly with dedicated domain registrars by offering industry-specific and regional domain options.
• follows standard EC2 on-demand and reserved instance models, with Graviton instances typically offering 20-40% better price-performance than comparable x86 instances.

20:03 Ryan – “It is frustrating, and it’s not like these are new. Like, AI’s been around for a while, and so it is strange that it takes that long.”

22:50 Amazon WorkSpaces announces advanced printer redirection

• Amazon WorkSpaces now supports advanced printer redirection for Windows users, enabling access to printer-specific features like duplex printing, paper tray selection, and finishing options such as stapling and hole-punching directly from virtual desktops. 
• This addresses a longstanding limitation where WorkSpaces users were restricted to basic printing capabilities through generic drivers.
• The feature includes configurable driver validation modes that let administrators balance compatibility with feature support, automatically falling back to basic printing when matching drivers are not available. 
• Organizations with users who need professional document printing, specialized labels, or advanced output formatting will benefit most from this capability.
• Advanced printer redirection requires WorkSpaces Agent version 2.2.0.2116 or later and Windows client version 5.31 or later, with matching printer drivers installed on both the WorkSpace and client device. 
• The feature is available in all AWS Regions where Amazon WorkSpaces Personal is offered, though it is limited to Windows WorkSpaces with Windows clients only.
• This enhancement brings WorkSpaces closer to feature parity with traditional desktop environments for printing workflows, which is particularly important for industries like legal, healthcare, and finance, where document formatting and specialized printing are common requirements. 
• The addition fills a notable gap in virtual desktop infrastructure capabilities that has been a barrier for some organizations considering cloud-based desktop solutions.

26:55 AWS Network Firewall now supports GenAI traffic visibility and enforcement with Web category-based filtering

• AWS Network Firewall adds URL category-based filtering that specifically identifies and controls GenAI application traffic alongside traditional web categories like social media and streaming services. 
• This allows security teams to enforce policies like blocking unauthorized AI tools or restricting access to approved GenAI services only, addressing a growing compliance concern as organizations struggle to govern employee use of ChatGPT, Claude, and similar platforms.
• The feature works by inspecting traffic against pre-defined URL categories and can be combined with AWS Network Firewall’s existing TLS inspection capability for full URL path analysis. 
• This provides more granular control than simple domain blocking, enabling organizations to differentiate between different services from the same provider or allow specific features while blocking others.
• The capability is available now in all AWS commercial regions where Network Firewall operates, with no separate pricing beyond existing Network Firewall costs, which start at $0.395 per firewall endpoint hour plus $0.065 per GB processed. 
• Organizations can implement this through stateful rule groups using the AWS Console, CLI, or SDKs without requiring additional infrastructure changes.
• This addresses a practical security gap where traditional firewall rules struggle to keep pace with rapidly emerging GenAI services, reducing the operational burden of manually maintaining blocklists and allowlists. The pre-defined categories are maintained by AWS, meaning customers automatically get coverage for new GenAI services as they launch without manual rule updates.

28:32 Ryan – “I’m happy to see this being added to the AWS network firewall. Hoping this gets added to the Google NextGen firewall as well, because it is sort of difficult when you’re forced to do domain-based filtering on these things.” 

GCP

30:33 Mastering Gemini CLI: Your Complete Guide from Installation to Advanced Use-Cases 

• Google has partnered with DeepLearning.ai to launch a free, comprehensive course on Gemini CLI, an open-source command-line agent that integrates AI capabilities into daily workflows. 
• The course covers installation and context management through GEMINI.md files, extensibility via Model Context Protocol servers, and practical applications across software development, data analysis, content creation, and personalized learning.
• The course is structured as a sub-2-hour curriculum with nine lessons that progress from foundational setup to specialized workflows. 
• Key technical features include memory management for maintaining context across sessions, integration with external tools through MCP servers, and custom extensions that allow users tailor the CLI to specific needs.
• Gemini CLI targets a broad user base beyond traditional developers, with dedicated modules for data visualization from local CSVs and Google Sheets, automated blog and social media content generation, and study plan creation. 
• The tool is available as an open-source project on GitHub with full documentation at geminicli.com.
• The course is completely free and available now at goo.gle/gemini-cli-learning-course, positioning it as an accessible entry point for users looking to incorporate AI agents into command-line workflows. 
• This represents Google’s continued push to make Gemini models more accessible through developer-friendly tooling and educational resources.

32:30 Jonathan – “It’s interesting they didn’t go for a command line coding tool. It’s not Gemini code; it’s Gemini that does a whole bunch of stuff. So they’ve seen the broader implications of what those tools can do.”

34:08 Google Cloud Launches New Region in Bangkok, Thailand

• Google Cloud has opened its Bangkok region (asia-southeast3), backed by a $1 billion infrastructure investment that’s projected to contribute $41 billion to Thailand’s economy and support 130,000 jobs annually over five years. 
• The region addresses data residency requirements under Thailand’s Personal Data Protection Act (PDPA) while providing low-latency access to local customers and connectivity to Google’s global network via the TalayLink subsea cable.
• The region launches with key compliance certifications, including ISO 27001/27017/27018, PCI DSS, and SOC 1/2/3, making it suitable for regulated industries like banking and insurance. KASIKORN Business-Technology Group and True Digital Group are among the first customers leveraging the local infrastructure to meet Bank of Thailand regulatory standards while maintaining data sovereignty.
• The Bangkok region provides local compute and storage with millisecond-level latency for Thai users, while AI workloads can access globally-hosted services like Vertex AI, Gemini 3, and generative models through the region as a secure on-ramp. 
• This hybrid approach lets customers run general-purpose workloads locally without investing in specialized AI hardware while still accessing Google’s AI ecosystem when needed.
• Launch partners, including Accenture, Deloitte, MFEC, and NTT Data, are providing local engineering and consulting support to help customers migrate to the new region. ZZZZGoogle is also running the PanyaThAI customer success program and Google Skills initiatives to build local cloud and AI talent in Thailand.
• The region is now available in the Google Cloud console under asia-southeast3, joining Google’s network of 43 cloud regions connected by over 7.75 million kilometers of fiber infrastructure. 
• Pricing follows standard Google Cloud regional pricing models with no specific Thailand-region premiums mentioned in the announcement.

35:12 Justin – “It’s really Google’s way of not having to buy a billion GPUs and distribute them globally, but you can argue it as a secure onramp all you want.”  

37:36 Cloud Composer supports Apache Airflow 3.1

• Cloud Composer now supports Apache Airflow 3.1 in preview, making Google the first hyperscaler to offer this version. 
• The update builds on Airflow 3.0’s decoupled architecture with new features including Human-in-the-Loop workflows that pause execution for manual approvals via UI or API, Deadline Alerts that replace legacy SLAs with proactive time-based notifications, and native support for 17 languages in the React-based interface.
• The Human-in-the-Loop functionality integrates with Airflow Notifiers to send approval requests through Slack, email, or PagerDuty with direct links to decision points. This addresses the growing need for human oversight in AI agent workflows and complex automated pipelines, particularly for deployment approvals or reviewing generative AI outputs.
• Google positions Cloud Composer as an open orchestration alternative to proprietary walled garden platforms, emphasizing that Airflow-based workflows remain portable Python code rather than vendor-locked logic. The company contributes directly to the Airflow codebase and highlights access to thousands of community-built providers and custom operator development for legacy system integration.
• Additional developer-focused improvements include a React plugin system for embedding custom dashboards in the UI and a new streaming API endpoint for watching synchronous DAG execution until completion. The preview is available now for new Cloud Composer 3 environments, though specific pricing details for Airflow 3.1 support were not disclosed in the announcement.

38:58 Ryan – “This is rich, because after dealing with Cloud Composer and its kind of terribleness… now with Cloud Composer 3, they’re just rebranding and saying that, no, all that stuff that you were complaining about is a feature, not a bug! We’re not going to build a complicated workflow engine where you don’t get exposed to the innards; we’re going to just let you run your own managed airflow. And it’s basically a deployment template. But it’s a feature, because they’re allowing direct access, not wall cards.”

40:23 Gemini for Government: Unlocking Public Sector Innovation

• Google launches Gemini for Government, a FedRAMP High-authorized AI platform specifically designed for public sector agencies. 
• The platform provides secure access to Gemini models and agentic AI capabilities, with the Department of Defense already deploying it to 3 million personnel through GenAI.mil and the FDA implementing agentic AI across their operations.
• The platform emphasizes AI agents as productivity multipliers for government employees, automating administrative tasks while allowing workers to focus on strategic decision-making. 
• At Google’s Public Sector Summit, agencies built over 300 AI agents in a single day to demonstrate potential use cases across different government functions.
• Gartner named Google a Company to Beat for Enterprise Agentic AI Platforms in their December 2025 report, citing Google’s integrated tech stack and enterprise-wide adoption capabilities. 
• This recognition positions Google’s government AI offering against competitors in the federal marketplace, where security accreditation and compliance are critical requirements.
• The Department of Transportation selected Google Workspace as its agency-wide collaboration suite, showing broader adoption of Google’s cloud services beyond just AI capabilities. 
• This indicates government agencies are consolidating on Google’s platform for both productivity and AI workloads rather than using point solutions.
• No pricing information was disclosed in the announcement, though agencies can register for a February 5 webinar and download AI agent toolkits to explore implementation options. 
• The focus appears to be on enterprise agreements rather than public pricing, given the government procurement process.

45:18 New BigQuery gen AI functions for better data analysis 

• BigQuery now integrates Gemini 3.0 and Vertex AI models directly into SQL queries through new AI functions, including AI.GENERATE for text and structured output, AI.EMBED for embeddings, and AI.SIMILARITY for semantic search. The setup process has been simplified by allowing End User Credentials authentication, eliminating the need for separate service account connections if users have the Vertex AI User role.
• The AI.GENERATE function handles multimodal inputs, including text, images, video, audio, and documents, and can perform multiple AI tasks simultaneously, like sentiment analysis, translation, and summarization in a single SQL call. Users can specify an output schema to convert unstructured data directly into structured table columns, making results immediately usable in downstream applications.
• The new AI.SIMILARITY function provides a streamlined approach to semantic search by computing embeddings and similarity scores in one step, ideal for interactive analysis on small to medium datasets. For larger-scale operations across millions of rows, users can transition to the VECTOR_SEARCH function with precomputed embeddings and vector indexing.
• These functions are fully composable within standard SQL, meaning they can be used in SELECT statements, WHERE clauses, and ORDER BY clauses alongside traditional SQL operations. The AI.GENERATE and AI.GENERATE_TABLE functions are now generally available, while AI.EMBED and AI.SIMILARITY is currently in preview.

46:28 Ryan – “I can have AI generate the query to call AI to analyze the results of the AI-generated query! I don’t see what could go wrong?” 

 Azure

47:35 SSMS 22.2.1 Release

• SQL Server Management Studio 22.2.1 adds GitHub Copilot code completions directly in the query editor, going beyond traditional IntelliSense by providing context-aware T-SQL suggestions that improve as more code is written in the editor. 
• Microsoft customized the Visual Studio Copilot implementation to include database context, ensuring suggestions are both relevant and performant for SQL workflows.
• The release focuses on fundamental improvements with bug fixes addressing user-reported issues from the feedback site, while engineering teams work on the backend pipeline and testing enhancements. 
• Microsoft spent December and January prioritizing quality and reliability improvements that may not be immediately visible but strengthen the product foundation.
• GitHub Copilot Agent mode is coming to SSMS, according to the updated roadmap, along with improvements to instructions functionality, which ranks as a top user request. 
• Users can vote on specific AI features through the feedback site, with Microsoft using vote counts as the primary metric for prioritizing development work.
• Code completions may compete with traditional IntelliSense, so users experiencing conflicts can disable IntelliSense to get the full benefit of Copilot suggestions. 
• The feature requires a GitHub Copilot subscription, which is separate from SSMS itself and follows standard GitHub Copilot pricing for individuals or organizations.
• This positions SSMS as a more AI-native database management tool, particularly relevant for SQL developers already using Copilot in other Microsoft development environments like Visual Studio and VS Code. 
• The database context integration represents technical work specific to SQL workloads rather than a simple port of existing Copilot functionality. 

49:57 What’s New in Azure Repos: Recent Updates – Azure DevOps Blog

• Azure Repos has rolled out several quality-of-life improvements focused on pull request workflows and TFVC modernization. 
• The most impactful change is a breaking update that disables obsolete TFVC check-in policies, requiring teams still using the old storage format to migrate to the new system or lose policy enforcement entirely.
• Pull request notifications have been streamlined to reduce noise by removing low-value alerts like draft state changes and auto-complete updates, while simplifying remaining notifications to show only relevant changes like affected files. 
  • This addresses a common complaint about notification overload in code review workflows.
• Pull request templates now support nested folder structures that map to multi-level branch names, automatically selecting the most specific template available when targeting branches like feature/foo/december. 
  • This eliminates template duplication for teams using hierarchical branching strategies.
• The Azure DevOps MCP Server continues expanding with new tools for programmatic interaction with repos, branches, commits, and pull requests directly from VS Code and GitHub Copilot. 
  • This enables developers to query repository metadata and inspect code without opening the Azure DevOps web interface.
• Upcoming improvements include a more efficient Git policy configuration API that reduces unnecessary calls when retrieving policies across repositories and branches, plus additional pull request features like highlighting PRs with outstanding comments and filtering by tags. 
• These changes target teams managing policies at scale and aim to keep code reviews moving more efficiently.

51:17 Justin – “Wow. TFVC modernization is your feature. You’re just going to turn it off and lose your enforcement when they migrate automatically. That’s brutal. Classic Microsoft.”       

55:12 Generally Available: StandardV2 NAT Gateway with zone-redundancy and StandardV2 public IPs  

• Azure’s StandardV2 NAT Gateway reaches general availability with zone-redundancy and improved performance while maintaining the same pricing as the original Standard SKU. 
• This upgrade provides automatic high availability across availability zones without requiring customers to manage multiple NAT Gateways or configure complex failover scenarios.
• The StandardV2 SKU introduces dual-stack connectivity supporting both IPv4 and IPv6 traffic through a single NAT Gateway instance. 
• This simplifies network architecture for organizations transitioning to IPv6 or running hybrid IP environments, eliminating the need to deploy separate NAT solutions for each protocol.
• StandardV2 Public IP addresses and prefixes are now available alongside the NAT Gateway upgrade, providing consistent zone-redundant capabilities across the networking stack. 
• These resources work together to ensure outbound connectivity remains available even during zone-level failures without manual intervention.
• The price-neutral upgrade path means existing Standard SKU customers can migrate to StandardV2 for enhanced resiliency without budget impact. 
• Organizations running mission-critical workloads that require guaranteed outbound connectivity should evaluate this upgrade, particularly those currently managing multiple NAT Gateways for redundancy purposes.

56:27 Jonathan – “I guess it’s not as easy as it sounds. I mean, to us it’s like, well, why don’t I just deploy two, right? But if they’re NATing to public IPs, then those public IPs need to be routable to the zones, and so there’s probably a whole bunch more complexity on the back end in implementing multi-zone support for NAT than perhaps people realize.”

57:46 Announcing Unified SOX & DORA Compliance Solutions in Microsoft Sentinel

• Microsoft Sentinel now includes dedicated compliance solutions for SOX IT General Controls, and DORA regulations, providing financial institutions with continuous monitoring and audit-ready evidence through workbook-driven dashboards. 
• Both solutions are currently in public preview and consolidate telemetry from Microsoft Entra ID, Azure Activity Logs, Defender signals, Microsoft 365 audit logs, and third-party sources into structured compliance views.
• The SOX IT Compliance solution maps directly to three core control domains: Access Management, monitoring unauthorized access to financial systems, Change Management tracking configuration modifications across Azure and on-premises environments, and Data Integrity controls detecting audit log tampering or gaps in critical system logging. 
• Organizations deploy the solution by enabling data connectors, defining a SOX watchlist of authorized users and systems, and customizing queries to match internal policies.
• The DORA Compliance solution addresses the EU Digital Operational Resilience Act requirements through four specialized tabs covering Incident Management with MTTR tracking and SLA breach detection, Threat Intelligence correlating IOCs with MITRE ATT&CK techniques, Business Continuity monitoring inactive servers and failover events, and Compliance Mapping that links security alerts directly to specific DORA Articles for audit evidence.
• Both solutions target financial services organizations, ICT providers, and any entity handling financial reporting systems that need to demonstrate regulatory compliance. 
• The workbooks are fully customizable with editable KQL queries, allowing organizations to extend mappings, integrate custom logs, and adapt controls to different financial systems and regulatory frameworks over time.
• Deployment requires existing Microsoft Sentinel infrastructure with appropriate data connectors enabled, and organizations can define scope using watchlists to filter regulated assets. 
• Pricing follows the standard Microsoft Sentinel consumption-based model for data ingestion and retention, with costs varying based on log volume from connected sources.

1:00:55 Maia 200: The AI accelerator built for inference

• Microsoft launches Maia 200, a custom AI inference accelerator built on TSMC’s 3nm process that delivers over 10 petaFLOPS in FP4 precision and 5 petaFLOPS in FP8 within a 750W envelope. 
• The chip offers 30% better performance per dollar than current Azure hardware and outperforms Amazon Trainium third generation and Google’s TPU seventh generation in key metrics.
• The accelerator features 216GB HBM3e memory at 7 TB/s bandwidth and 272MB on-chip SRAM, designed specifically for running large language models like GPT-5.2 and synthetic data generation workloads. 
• Microsoft’s Superintelligence team will use Maia 200 for reinforcement learning and creating training data for next-generation models.
• Maia 200 uses a two-tier scale-up network built on standard Ethernet rather than proprietary fabrics, with each accelerator providing 2.8 TB/s bidirectional bandwidth and supporting clusters up to 6,144 accelerators. 
• This approach reduces power consumption and total cost of ownership while maintaining predictable performance for dense inference workloads.
• Initial deployment is in US Central datacenter region near Des Moines, with US West 3 near Phoenix coming next, integrated with Microsoft Foundry and Microsoft 365 Copilot services. 
• Microsoft is offering a Maia SDK preview with PyTorch integration, Triton compiler, and low-level programming tools for developers to optimize models for the new hardware.
• Microsoft achieved rapid deployment by validating the end-to-end system in pre-silicon environments, getting AI models running within days of receiving packaged parts and reducing time from first silicon to datacenter deployment by more than 50% compared to similar programs. 
• The company positions this as the first in a multi-generational accelerator program with future iterations already in design.

1:02:50 Ryan – “It’s a blessing and a curse that I don’t have these types of workloads. I’m not using these types of things for building models…but I’m sort of jealous because it would be kind of cool to have a use case where I could use this.”    

1:03:34 Azure Storage 2026: Built for Agentic Scale and Cloud‑Native Apps

• Azure Storage is positioning itself as the foundational platform for AI workloads across the entire lifecycle, from frontier model training to large-scale inference and agentic applications. 
• Key capabilities include Blob scaled accounts that handle millions of objects across hundreds of scale units, and Azure Managed Lustre delivering up to 512 GBps throughput with 25 PiB namespaces for keeping GPU fleets continuously fed during training and inference operations.
• The platform is adapting to handle agentic workloads that generate an order of magnitude more queries than traditional user-driven systems. 
• Elastic SAN is becoming the core building block for cloud-native applications, offering fully managed block storage pools with multi-tenant capabilities, while Azure Container Storage has been open-sourced and now delivers 7x faster performance for Kubernetes-based stateful applications.
• Mission-critical workload performance has reached new levels with M-series VMs pushing disk storage to 780,000 IOPS and 16 GB/s throughput for SAP HANA deployments. 
• Ultra Disks paired with Ebsv6 VMs can achieve 800,000 IOPS and 14 GB/s throughput with sub-500 microsecond latency, while Azure NetApp Files is introducing Elastic ZRS for zone-redundant high availability without operational complexity.
• Microsoft is addressing power and supply chain constraints through Azure Boost Data Processing Units that offload storage operations to dedicated hardware, reducing per-unit energy consumption while improving performance. 
• The company is also expanding integrations with external datasets and AI frameworks, including Microsoft Foundry, LangChain, Ray, and Anyscale, to simplify data pipeline operations across hybrid environments.
• The partner ecosystem is expanding with co-engineered solutions from Commvault, Dell PowerScale, Pure Storage, Qumulo, and others that integrate deeply with Azure Storage services. 
• These partnerships focus on hybrid data movement and backup solutions that enable customers to leverage Azure AI services while maintaining data across on-premises and cloud environments.

1:05:07 Matt – “I just got concerned when Elastic SAN became the core building blocks of cloud native apps.” 

Oracle 

1:05:55 Announcing Support for IAM Deny Policies in the OCI IAM

• Oracle Cloud Infrastructure now supports IAM Deny Policies, allowing administrators to explicitly block specific actions even when allow policies would otherwise grant access. 
• This addresses a common security gap where overly permissive policies could inadvertently grant unwanted access, particularly useful for enforcing compliance requirements and preventing accidental resource deletion in production environments.
• The deny policies work alongside existing allow policies using a deny-by-default model where explicit denies always override allows, following standard IAM best practices seen in AWS and other cloud providers. Organizations can now create guardrails that prevent even highly privileged users from performing certain actions, like deleting critical resources or accessing sensitive compartments.
• This feature integrates with Oracle’s existing IAM infrastructure, including compartments, groups, and dynamic groups, without requiring architectural changes. 
• Customers can implement deny policies immediately through the OCI console, CLI, or API using the same policy language syntax they already know, though they’ll need to carefully plan policy hierarchies to avoid unintended lockouts.
• Primary use cases include preventing production resource deletion, enforcing regulatory compliance by blocking data exports to certain regions, and implementing separation of duties where even administrators cannot bypass certain security controls. 
• The feature is available across all OCI regions at no additional cost beyond standard IAM usage.

1:06:48 Justin – “Welcome to the party! How long has that been missing?”     

Cloud Journey

44:40 How Google SREs Use Gemini CLI to Solve Real-World Outages

• Google SREs are using Gemini CLI with their latest foundation model to reduce Mean Time to Mitigation during production outages, targeting a 5-minute SLO just to acknowledge incidents. 
• The system uses function calling to fetch incident details, analyze logs, correlate time series data, and recommend specific mitigation playbooks like task restarts rather than generating arbitrary bash scripts.
• The implementation maintains human-in-the-loop control through multi-layer safety, including strictly typed tools via Model Context Protocol, risk assessment metadata, policy enforcement, and required confirmation steps before executing any production changes. 
  • This copilot approach allows AI-speed analysis while preserving human accountability and creating automatic audit trails for compliance.
• Gemini CLI integrates directly with Google’s monorepo to analyze code changes, generate patches as Changelists, and automate the entire incident lifecycle from initial triage through postmortem generation. 
  • The system can populate timelines, create action items, file bugs in issue trackers, and export documentation automatically.
• The workflow creates a feedback loop where generated postmortems become training data for future incident responses, and the pattern is reproducible outside Google using open-source Gemini CLI with MCP servers connecting to tools like Grafana, Prometheus, PagerDuty, and Kubernetes. 
• Custom commands allow teams to automate their specific operational workflows, similar to Google’s internal postmortem generator.

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• US-EAST-1: Still the Least Reliable Friend You Keep Inviting to Parties **OpenAI
• 0⃣ From Zero to Inference: BigQuery Makes Open Models a Two-SQL Problem
• AWS Goes Full Brandenburg Gate: Sovereign Cloud Opens for Business
• Seven Ate Nine: AWS Skips G7 and Goes Straight to G7e Instances
• From Crawling to Calling: Cloudflare Buys Human Native to Fix AI’s Data Problem
• Finally, an AI That Actually Listens to Your War Room Panic
• Tag, You’re Governed: AWS Automation Takes the Wheel
• Cloudflare Reaches for the Stars: Astro Framework Acquisition Lands
• Gemini Gets Personal: Google AI Finally Reads Your Email (With Permission)
• AWS Strikes Ore: Amazon Cuts Out the Middleman in Copper Supply Chain
• When Your Region Goes Down More Often Than Your Kubernetes Cluster
• ChatGPT Go: OpenAI’s New Middle Child Gets $8 Allowance
• Cloudflare’s Space-Age Acquisition: Astro Gets Jetsons-Level Upgrade
• Rosie the Robot Fired: Cloudflare Brings Astro Framework Into the Family
• It took 5 years, and now we have ads in our AI. 
• AI now with Ads
• EU says hands off my data

General News 

00:50 Heather’s data is not unreliable 

• Maybe it’s unreliable.
• I blame Matt for having screwed up his outtro (as he did today), in which case I no longer recognize his participation. 

01:11 Astro is joining Cloudflare

• Cloudflare acquires The Astro Technology Company, bringing the popular open-source web framework in-house while maintaining its MIT license and multi-cloud deployment capabilities. 
• Major platforms like Webflow Cloud, Wix Vibe, and Stainless already use Astro on Cloudflare infrastructure to power customer websites.
• Astro 6 introduces a redesigned development server built on Vite Environments API that runs code locally using the same runtime as production deployment. When using the Cloudflare Vite plugin, developers can test against workerd runtime with access to Durable Objects, D1, KV, and other Cloudflare services during local development.
• The framework focuses on content-driven websites through its Islands Architecture, which renders most pages as static HTML while allowing selective client-side interactivity using any UI framework. 
• This approach addresses the complexity that made building performant websites difficult before 2021, providing a simpler foundation for both human developers and AI coding agents.
• Astro 6 adds stable Live Content Collections for real-time data updates without site rebuilds and includes first-class Content Security Policy support. 
• The acquisition positions Cloudflare to serve better platform builders who extend Cloudflare services to their own customers through Cloudflare for Platforms.
• Tailwind recently laid off 80% of their staff, ostensibly due to AI, so this may have been an opportune moment for an exit. 

04:15 Matt – “I would assume that they heavily use it (AI) internally, so hopefully it’s something that they can leverage and continue to grow and they don’t have to redevelop their platform.” 

04:53 Human Native is joining Cloudflare

• Cloudflare acquired Human Native, a UK-based AI data marketplace that transforms multimedia content into structured, searchable data for AI training. 
• The acquisition accelerates Cloudflare’s AI Index initiative, which uses a pub/sub model to let websites push structured content updates to AI developers in real time, rather than relying on traditional web crawling.
• Human Native’s platform focuses on licensed, high-quality training data rather than scraped content, with one UK video AI company reportedly discarding its existing training data after achieving better results with Human Native’s curated datasets. 
  • This approach addresses the growing problem of crawl-to-referral ratios reaching tens of thousands of bot crawls per human visitor.
• The acquisition builds on Cloudflare’s existing AI Crawl Control and Pay Per Crawl products, giving content owners more control over how AI systems access their content. 
• Human Native’s technology will help customers structure their content for both AI consumption and traditional human audiences while enabling new monetization models.
• Cloudflare is positioning this work alongside the x402 Foundation (partnered with Coinbase) to enable machine-to-machine transactions for digital resources. 
• The combination aims to create new economic models where AI developers can subscribe to structured content feeds and content creators receive fair compensation for their data.

05:30 Justin – “We block you from getting to people’s AI content, and now we offer you a way to buy better content. Well played.” 

AI Is Going Great – Or How ML Makes Money 

06:40 Introducing Labs \ Anthropic

• Anthropic is launching Labs as a dedicated team focused on incubating experimental AI products at the frontier of Claude’s capabilities, led by Instagram co-founder Mike Krieger and Ben Mann. 
• This organizational shift separates rapid experimentation from production scaling, with Ami Vora taking over as head of Product to focus on enterprise-grade Claude experiences.
• The Labs approach has already produced several products that moved from research to production, including Claude Code, which reached $1 billion in revenue within six months of launch, and the Model Context Protocol, which now has 100 million monthly downloads and has become an industry standard for connecting AI systems to tools and data.
• Recent Labs outputs include Skills, Claude in Chrome, and Cowork, which launched as a research preview to bring Claude’s agentic capabilities to desktop environments. This demonstrates the team’s focus on exploring new interaction models and deployment patterns for large language models beyond traditional chat interfaces.
• The organizational structure creates two parallel tracks: Labs for frontier experimentation with unpolished versions and early user testing, and the core Product organization partnering with CTO Rahul Patil to scale proven experiences for millions of daily users and enterprise customers. 
  • This separation aims to balance innovation velocity with reliability requirements.
• Anthropic is actively hiring for Labs positions, specifically targeting builders with experience creating consumer products and working with emerging technologies. 
• The team structure reflects the company’s view that rapid AI advancement requires different organizational approaches than traditional product development cycles.

08:04 Matt – “The fact that you can get a lab to a GA customer product…is a really hard thing. They seem to have done a pretty good job of that with all these different technologies.” 

10:56 Mira Murati’s startup, Thinking Machines Lab, is losing two of its co-founders to OpenAI 

• Thinking Machines Lab, Mira Murati’s AI startup valued at $12 billion after a $2 billion seed round last July, has lost two of its three co-founders back to OpenAI within a year of founding. 
• Barret Zoph, who served as CTO, along with co-founder Luke Metz and researcher Sam Schoenholz, returned to OpenAI in what reports suggest was not an amicable departure.
• The startup has now lost four key personnel in under a year, including co-founder Andrew Tulloch, who left for Meta in October. 
• Soumith Chintala has been promoted to replace Zoph as CTO, bringing over a decade of AI field experience to the role.
• The rapid co-founder departures raise questions about Thinking Machines’ internal dynamics and strategic direction, particularly given the company secured backing from major investors, including Andreessen Horowitz, Accel, Nvidia, and AMD. The startup has not publicly disclosed what products or services it is developing despite the substantial funding.
• This talent movement highlights the ongoing competition for AI research talent among major players, with OpenAI CEO of applications Fidji Simo noting the returns had been in the works for several weeks. The pattern mirrors OpenAI’s own history of co-founder departures to competing ventures, including John Schulman, who left for Anthropic before joining Thinking Machines.

12:35 Matt – “It’s interesting that they’re going back to OpenAI. I’m curious, with NDAs and all of that stuff in place, how that is going to work.”  

13:49 OpenAI partners with Cerebras 

• OpenAI is adding 750MW of dedicated low-latency inference capacity through a partnership with Cerebras, with deployment rolling out in phases through 2028. 
• Cerebras uses a unique architecture with a single giant chip that combines compute, memory, and bandwidth to eliminate traditional bottlenecks in AI inference.
• The partnership focuses specifically on accelerating real-time AI responses for workloads like complex queries, code generation, image creation, and AI agents. 
• OpenAI’s strategy is to match specialized hardware to specific workload types rather than using one-size-fits-all infrastructure.
• Cerebras systems are purpose-built for fast token generation during the output phase of inference, which is critical for interactive AI applications where users expect immediate responses. This addresses the request-think-respond loop that determines user experience quality.
• The integration represents OpenAI’s approach to building a diversified compute portfolio, adding specialized low-latency systems alongside their existing infrastructure. 
• This allows them to optimize different types of AI workloads based on performance requirements rather than using general-purpose hardware for everything.

14:29 Justin – “In general, anybody that can get you AI capacity is apparently a musto-do.”  

15:49 Introducing ChatGPT Go, now available worldwide

• OpenAI launches ChatGPT Go globally at $8 per month, creating a three-tier subscription model with Go, Plus ($20), and Pro ($200). 
• The Go tier provides 10x more messages, file uploads, and image creation than the free tier, with access to GPT-5.2 Instant, plus longer memory and context windows for improved conversation continuity.
• The pricing strategy positions Go as an entry-level paid option for users who need more capacity than the free tier but don’t require the advanced reasoning capabilities of GPT-5.2 Thinking (Plus) or GPT-5.2 Pro. 
• OpenAI reports that Go became their fastest-growing product after initial rollout to 170 countries, with strong adoption for writing, learning, image creation, and problem-solving tasks.
• OpenAI plans to introduce advertising in both the free tier and ChatGPT Go in the US, while Plus, Pro, Business, and Enterprise tiers remain ad-free. 
• This ad-supported model aims to sustain free and low-cost access points, while generating revenue from users who don’t need premium features.
• The tiered approach reflects a shift toward market segmentation similar to traditional SaaS models, with clear differentiation between casual users (Go), professionals (Plus), and power users (Pro). The $8 price point is localized in some markets, suggesting OpenAI is optimizing for purchasing power parity to maximize global adoption.

17:00 Matt – “Ads are coming to AI. We all knew it was coming; they have to find additional ways to monetize it.” 

Cloud Tools

19:15 Bringing secure, just-in-time secrets to Cursor with 1Password

• 1Password has integrated with Cursor, the AI-powered IDE, to provide just-in-time secrets management through Cursor Hooks that validate and inject credentials at runtime without ever storing them on disk. 
• This eliminates the common security risk of developers hard-coding API keys or committing secrets to source control while working with AI coding assistants.
• The integration works by running a Hook Script before Cursor’s AI agent executes shell commands, verifying that the required environment files from 1Password Environments are properly configured and prompting users to authorize access only when needed. 
• Secrets remain in memory for the runtime session only, and never touch disk or Git history, maintaining zero-trust principles while keeping development velocity high.
• This addresses a critical gap in AI-assisted development where AI agents could potentially access unrestricted credentials, or developers might paste tokens directly into config files for convenience. 
• The solution lets project owners configure secrets management centrally while individual developers maintain control over authorization through 1Password’s existing access policies and vault permissions.
• Plans include granular, task-specific access rules for AI agents, broader support for the Model Context Protocol in external API interactions, automated secret rotation for AI workflows, and enhanced audit visibility for security teams. 
  • The goal is to make secure access a native part of AI-powered development rather than an afterthought bolted on later.
• This matters because AI coding tools like Cursor are rapidly becoming standard in developer workflows, but most teams lack proper secrets management for these new AI-driven interactions. 
• The integration provides a practical path to adopt AI assistance without compromising security posture or requiring developers to change existing 1Password policies.

20:34 Justin – “The one thing they don’t mention, which I think is also a big threat, is you’re sending your context to their servers, and if you’re putting your password into the context, that password is now going to the inference systems, and that could potentially get exposed. So it would be nice if this also had the ability to prevent a secret from getting transmitted to the third party LLM.” 

23:36 Announcing the Harness Human-Aware Change Agent

• Harness launched the Human-Aware Change Agent, an AI system that listens to incident response conversations in Slack, Teams, and Zoom to extract operational clues like “the checkout button froze after they updated their cart” and automatically correlates them with actual production changes, including deployments, feature flags, and config updates. 
• This solves the problem where critical incident context lives in human conversations but never makes it into automated investigation tools.
• The agent is part of Harness AI SRE, which includes an AI Scribe that filters incident-related conversation from noise and feeds it to the change investigation engine. 
• Instead of just transcribing chat or generating generic RCA summaries, it produces evidence-backed hypotheses like “deployment to checkout-service 12 minutes before the incident introduced new retry config, followed by latency spike and downstream timeouts.”
• The system integrates with existing observability and incident management tools, including Datadog, PagerDuty, Jira, ServiceNow, Slack, and Teams through native integrations and webhooks. 
• It also includes Automation Runbooks for standardized response and On-Call management to route incidents to the right owners.
• The core innovation is treating human insight as operational data rather than assuming incidents can be solved purely through logs, metrics, and traces. This addresses the reality that on-call engineers often identify patterns through conversation before they show up in dashboards, especially as AI-assisted development increases code velocity and reduces clear ownership of changes.
• The tool aims to shorten the incident response cycle from “What are we seeing” to “What changed” to “What should we do” by connecting human observations with machine-driven change intelligence in real time during active incidents.

25:22 Justin – “Human awareness of how the system works as a whole – because typically AI systems don’t have the context to handle the whole system view – is also very valuable to the AI as well, so I guess we’re going to serving the AI someday, instead of the otherway around.” 

AWS 

26:15 Amazon EC2 X8i instances powered by custom Intel Xeon 6 processors are generally available for memory-intensive workloads 

• Want to burn all your moneys? Good news! 
• AWS launches X8i instances with custom Intel Xeon 6 processors offering up to 6 TB of memory and 3.9 GHz sustained all-core turbo frequency, delivering 1.5x more memory capacity and 3.4x more memory bandwidth than previous X2i generation. 
• These SAP-certified instances target memory-intensive workloads like in-memory databases, data analytics, and EDA applications.
• Performance improvements are substantial across multiple workloads: 50% higher SAP HANA performance, 47% faster PostgreSQL, 88% faster Memcached, and 46% faster AI inference compared to X2i instances. Real customer deployments show Orion reduced SQL Server licensing costs by 50% while maintaining performance thresholds by using fewer active cores.
• The instances come in 14 sizes, including three new larger options (48xlarge, 64xlarge, 96xlarge) and two bare metal variants, with network bandwidth up to 100 Gbps supporting Elastic Fabric Adapter and 80 Gbps EBS throughput. 
• The instance bandwidth configuration feature allows flexible allocation between network and EBS bandwidth with up to 25% scaling capability.
• Currently available in US East N. Virginia, US East Ohio, US West Oregon, and Europe Frankfurt regions with standard purchasing options including On-Demand, Savings Plans, and Spot Instances. 
• Pricing follows standard EC2 memory-optimized instance rates available on the EC2 pricing page.

27:23 Announcing Amazon EC2 G7e instances accelerated by NVIDIA RTX PRO 6000 Blackwell Server Edition GPUs

• AWS launches EC2 G7e instances powered by NVIDIA RTX PRO 6000 Blackwell Server Edition GPUs, delivering 2.3x better inference performance compared to G6e instances and doubling GPU memory to 96GB per GPU. 
• These instances can handle models up to 70B parameters with FP8 precision on a single GPU, with configurations scaling up to 8 GPUs and 768GB total GPU memory per node.
• The instances feature substantial networking improvements with 4x the bandwidth of G6e instances (up to 1,600 Gbps) and support for NVIDIA GPUDirect RDMA via Elastic Fabric Adapter for multi-node workloads. 
• GPUDirect P2P enables direct GPU-to-GPU communication over PCIe with 4x the inter-GPU bandwidth compared to previous generation L40s GPUs, reducing latency for distributed model inference.
• G7e instances target generative AI inference, spatial computing, and scientific computing workloads with support for GPUDirect Storage integration with FSx for Lustre, providing up to 1.2 Tbps throughput for rapid model loading. Configurations range from single GPU instances to 8-GPU systems with up to 192 vCPUs and 2TB of system memory.
• Currently available in US East N. Virginia and Ohio regions with support for On-Demand, Spot, Savings Plans, Dedicated Instances, and Dedicated Hosts purchasing options. 
• SageMaker AI integration is planned for future release, while ECS and EKS support is available now.

27:46 Justin – “That’s a lot of power, and cooling, and that where all my RAM went to, which is why my RAM is expensive now.”  

29:00 Opening the AWS European Sovereign Cloud

• AWS European Sovereign Cloud is now generally available with its first region in Brandenburg, Germany, operating as a physically and logically separate infrastructure partition (aws-eusc) entirely within the EU. 
• The infrastructure will be operated exclusively by EU residents located in the EU, with dedicated IAM and billing systems, and technical controls that prevent access from outside the EU.
• The service launches with comprehensive AWS capabilities, including SageMaker, Bedrock, EC2, Lambda, EKS, Aurora, DynamoDB, S3, and other core services, backed by a 7.8 billion EUR investment expected to contribute 17.2 billion EUR to the European economy through 2040. 
• Expansion plans include sovereign Local Zones in Belgium, the Netherlands, and Portugal, plus options for Dedicated Local Zones, AI Factories, and Outposts deployments.
• The operational model features EU-based management through German legal entities, with Stephane Israel appointed as managing director and an advisory board of EU citizens providing sovereignty oversight. 
• The infrastructure maintains AWS security standards, including Nitro System isolation, ISO/IEC 27001, SOC 1/2/3 reports, and BSI C5 attestation, with a Sovereign Reference Framework available in AWS Artifact.
• Data residency guarantees ensure all customer content and metadata, including roles, permissions, and configurations, remain within the EU, using dedicated European trust service providers for certificate authority operations and European TLDs for Route 53 name servers. Pricing is in EUR with billing available in eight supported currencies through Amazon Web Services EMEA SARL.
• Major AWS partners, including Adobe, Cisco, SAP, Snowflake, and Wiz, are making their solutions available in the sovereign cloud, enabling public sector and highly regulated industry customers to meet strict compliance requirements while accessing modern cloud capabilities without being stuck in legacy on-premises environments.

31:53 Justin – “Google’s got the same thing on a partnership with Thales in France. I think Azure is doing something similar as well… but the question is kind of, a European entity owned by a US corporation, does that actually fulfill the concerns the European Union has?” 

33:16 Rio Tinto and Amazon Web Services collaborate to bring low-carbon Nuton copper to U.S. data centres

• AWS becomes the first customer for Rio Tinto’s Nuton bioleaching technology, which uses microorganisms to extract copper from ore at the Johnson Camp mine in Arizona. 
• The process produces 99.99% pure copper cathode directly at the mine without traditional smelters or refineries, achieving a carbon footprint of 2.82 kgCO2e/kg Cu compared to the global range of 1.5-8.0 kgCO2e/kg Cu.
• The two-year agreement supplies low-carbon copper for AWS data center components, including electrical cables, busbars, transformers, circuit boards, and processor heat sinks.
• Johnson Camp is now the lowest-carbon primary copper producer in the U.S., targeting approximately 30,000 tonnes of refined copper over four years with 71 liters of water per kilogram versus the industry average of 130 liters.
• AWS provides cloud-based data and analytics support to optimize Nuton’s bioleaching operations, including heap-leach performance simulation and advanced analytics for acid and water usage. 
• The modular system enables rapid scaling and customization for different ore bodies while recovering value from previously classified waste material.
• This collaboration addresses supply chain resilience by producing critical materials domestically for U.S. data centers while supporting Amazon’s Climate Pledge goal of net-zero carbon by 2040. 
• The partnership demonstrates how industrial mining operations can integrate cloud technology to reduce environmental impact and shorten mine-to-market supply chains.

34:39 Justin – “It also tells me how much you desperately need it (copper) for all the AI investments you’re about to be making.”  

35:53 Skills, Custom Diff Tools, Improved Code Intelligence, and Conversation Compaction

• Kiro CLI version 1.24.0 introduces Skills, a new resource type for progressive context loading that only loads metadata at startup and fetches full documentation content on demand when the AI agent needs it. 
• This addresses memory constraints when working with large documentation sets by requiring YAML frontmatter with descriptive metadata to help agents determine when to load complete content.
• The release adds built-in code intelligence for 18 programming languages, including Python, JavaScript, Go, Rust, and others, without requiring LSP setup. Developers get immediate access to symbol search, definition navigation, and structural code searches, plus a new /code overview command for quick workspace analysis.
• New AST-based pattern-search and pattern-rewrite tools enable precise code refactoring by matching syntax tree patterns instead of text regex. This eliminates false matches in string literals and comments, providing more reliable code transformations for AI agents.
• Conversation Compaction addresses context window limitations with a /compact command that summarizes conversation history while preserving key information. The feature triggers automatically when context limits are reached and creates a new session while allowing users to resume the original conversation, with configurable retention settings for message pairs and context window percentage.
• The update includes granular URL permissions for the web_fetch tool using regex patterns to control which domains AI agents can access, plus remote authentication support for Google and GitHub when running Kiro CLI on remote machines via SSH, SSM, or containers.

GCP

38:43 Introducing BigQuery managed and SQL-native inference for open models | Google

• BigQuery now supports SQL-native inference for open models from Hugging Face and Vertex AI Model Garden through a two-step process: CREATE MODEL with a model ID string, then run inference using AI.GENERATE_TEXT or AI.GENERATE_EMBEDDING functions. 
• This eliminates the need for separate infrastructure management or API integrations outside of BigQuery.
• The service includes automated resource management with configurable idle timeout settings that automatically undeploy endpoints when not in use, preventing runaway costs from idle GPU instances. 
• Users can customize machine types, replica counts, and leverage Compute Engine reservations for consistent GPU availability on demanding workloads.
• This extends BigQuery’s existing managed inference capabilities beyond Google’s Gemini models and partner models like Anthropic and Mistral to any compatible open model. 
• The entire lifecycle from deployment to cleanup happens through SQL statements, making LLM inference accessible to data analysts without requiring ML engineering expertise.
• The feature is currently in Preview and supports both text generation and embedding generation workloads directly on data stored in BigQuery tables. 
• Cost control includes both automated endpoint recycling based on idle time and manual undeploy options via ALTER MODEL statements, with automatic cleanup of all Vertex AI resources when models are dropped.

39:45 Matt – “This all seems crazy to me; this is where we’re at, where AI is writing, creating models, running all of these things for us.” 

40:56 TranslateGemma: A new family of open translation models

• Google released TranslateGemma, a new family of open translation models based on Gemma 3, available in 4B, 12B, and 27B parameter sizes supporting 55 languages. 
• The models use a two-stage training process combining supervised fine-tuning on parallel data from human translations and Gemini-generated synthetic translations, followed by reinforcement learning using MetricX-QE and AutoMQM reward models.
• The 12B TranslateGemma model outperforms the baseline Gemma 3 27B model on WMT24++ benchmarks while using less than half the parameters, delivering higher throughput and lower latency. 
• The 4B model matches the performance of the 12B baseline, making it suitable for mobile inference and edge deployment.
• TranslateGemma retains Gemma 3’s multimodal capabilities, showing improved performance on the Vistra image translation benchmark without specific multimodal fine-tuning. 
• The models were trained on nearly 500 language pairs beyond the core 55, providing a foundation for researchers to fine-tune for specific language pairs or low-resource languages.
• The models are optimized for different deployment scenarios: 4B for mobile and edge devices, 12B for consumer laptops, and 27B for a single H100 GPU or TPU cloud deployment. 
• All three sizes are available now for developers and researchers to download and use.

41:50 Justin – “I am excited about the idea of models that specialize in supporting language translations; and so this is things that power future products inside of your Android phones someday, where Apple has a feature where it can slowly translate things through your Airpods… it’s a little delayed but it works relatively well. I’m sure this will bring similar type capabilities to you and your Android phone.”       

Azure

44:40 Design your AI strategy with Microsoft Marketplace Solutions

• Microsoft positions its Marketplace as a central hub for AI adoption with over 11,000 pre-packaged models (“models”) and 4,000 AI apps and agents, offering organizations flexible build-buy-blend strategies for implementing AI solutions. 
• The platform integrates directly into existing Microsoft tools like Copilot Studio and Azure Foundry, allowing teams to discover and deploy AI components within their normal workflows rather than switching between separate procurement systems.
• The Marketplace supports both pro-code development with full control over custom logic and IP ownership, and low-code approaches through Copilot Studio using models from providers like Anthropic, OpenAI, Meta, and NVIDIA. 
• Organizations with Azure consumption commitments can apply Marketplace purchases dollar-for-dollar against their contracts with no limit, potentially improving ROI on existing Microsoft agreements.
• Microsoft emphasizes a blended approach where companies can extend partner solutions with proprietary components, illustrated by financial services firms deploying pre-built fraud detection models while customizing them with internal data pipelines and compliance workflows. 
• This strategy reduces the engineering effort and compliance review cycles compared to building detection systems from scratch while maintaining data security through Managed Identity within Azure tenants.
• The platform includes try-before-you-buy capabilities with trials and proofs-of-concept that run within customer Microsoft environments, allowing validation before full deployment. 
• Solutions are filtered by product, category, and industry to match specific organizational needs, with agents available directly in Microsoft 365 Copilot and models accessible through the Azure portal.

 Cloud Journey 

52:07 Is Northern Virginia Still the Least Reliable AWS Region in 2025? We Analyzed the Data

• StatusGator published an analysis of AWS outages from January through December 2025, focusing on regional reliability and service-level incidents across all commercial AWS regions

• N. Virginia (us-east-1) is the least reliable AWS region: 10 outages, 34 hours of downtime, 126 components affected
• October 20, 2025, was one of AWS’s most significant outages ever: 76 components down for ~15 hours, cascading failures across thousands of SaaS platforms
• Compute and ML services hit hardest: EC2 (14 outages), SageMaker (11), Glue (10), EMR (10), ECS (10)
• Several services exceeded 24 hours cumulative downtime: OpenSearch, CloudWatch, EMR Serverless, STS
• Multi-region (“Regionless”) outages increased: 12 incidents, 32 hours of downtime
• Status Gator speculates reasons:

• Customer density: us-east-1 has 2x the users of Oregon and 3x other regions
• Higher service density creates more interconnected dependencies and potential failure points
• Heavier API traffic and more complex multi-AZ coordination
• No evidence that the age of the region or architectural differences are factors

• Best Practices from Status Gator
  • Avoid over-reliance on a single region, especially us-east-1
  • Design for multi-region resilience and failover
  • Monitor authentication/identity services (STS) as critical dependencies
  • Consider the blast radius when selecting primary regions

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• Snowflake’s Ironic Timing: Buying Downtime Prevention Tool While Experiencing Downtime
• Flexera Buys ProsperOps and Chaos Genius, Promises Less Chaos and More Prosperity
• Flexera Goes Shopping: Two FinOps Acquisitions to Prosper and Reduce Chaos
• Token of Appreciation: Gemini CLI Now Tracks Every Penny of Your AI Spend
• Snowflake Buys Observe to Stop Its Own Services from Melting Down
• Google’s Veo 3.1 Goes Vertical: Finally Understanding How People Actually Hold Their Phones
• Alphabet’s New Power Move: Buying the Company That Literally Powers Data Centers
• Dashboard Confessional: Gemini CLI Gets Transparent About Its Usage
• Microsoft’s New Agent Works 24/7 and Never Asks for a Raise
• From Robot Vacuums That Climb Stairs to TVs You Can’t Feel: CES Gets Weird
• Agent Shopping: When Your AI Has Better Taste Than You Do
• The cloudpod hosts do not like any stories this week
• AWS took a nap on announcements this week
• Claude is my new co-worker
• Wake up, AWS, and give us some fun news
• The $200 Assistant: Is Cowork the End of Workplace Admins?
• Azure has more interesting announcements than AWS oh noooo
• If you can’t beat them in AI, just acquire everyone
• Notebook LM turns the Data Tables on you

AI Is Going Great – Or How ML Makes Money 

01:11 Anthropic launches Cowork, a Claude Code-like for general computing – Ars Technica

• Anthropic launches Cowork, a new feature in the macOS Claude desktop app that extends Claude Code‘s agentic capabilities to general office work tasks. 
• Users can grant Claude access to specific folders and use plain language instructions to automate tasks like filling expense reports from receipt photos, writing reports from notes, or reorganizing files.
• Cowork lowers the technical barrier compared to Claude Code by making AI-assisted file operations accessible to non-developer knowledge workers, including marketers and office staff. 
• The feature was developed after Anthropic observed users already applying Claude Code to general knowledge work despite its developer-focused positioning.
• The tool provides similar functionality to what was possible through Model Context Protocol integrations, but offers a more streamlined interface with Claude Code-style usability improvements. 
• Users can submit new requests or modifications to ongoing tasks without waiting for the initial assignment to complete.
• Cowork represents a strategic expansion of Anthropic’s agentic AI approach beyond software development into broader productivity workflows. The feature demonstrates how AI agents with file system access can automate routine knowledge work tasks that previously required manual processing of documents and data.

02:15 Ryan – “This week is the first time I actually tried to use AI to generate a PowerPoint presentation. It did not go well. It did generate some cool images, though.” 

07:42 Enhanced Veo 3.1 capabilities are now available in the Gemini API.

• Google has released Veo 3.1 updates in the Gemini API and Google AI Studio, adding enhanced Ingredients to Video capabilities that maintain character identity and background consistency across generated videos. 
• The model now supports native 9:16 vertical format generation optimized for mobile-first applications, eliminating the need to crop from landscape orientation.
• The updated model delivers professional-grade output with new 4K resolution support and improved 1080p quality using state-of-the-art enhancement techniques. All generated videos include SynthID digital watermarking for content provenance tracking.
• These capabilities are available today through the Gemini API for developers and Vertex AI for enterprise customers. Google AI Studio provides a demo app for testing the new features at ai.studio/apps/bundled/veo_studio.
• The vertical video format addresses the growing demand for social media content creation, while the 4K output positions Veo 3.1 for professional video production workflows. The character consistency improvements reduce the need for manual editing and post-processing in multi-shot video projects.

08:20 Justin – “Don’t make the same mistakes that I do, and go try this and then get a $35 bill, which I did the first time I tried Veo out. So, do be cautious with this one!”  

11:08 Snowflake Announces Intent to Acquire Observe to Deliver AI-Powered Observability

• Snowflake is acquiring Observe to integrate AI-powered observability directly into its data platform, allowing customers to analyze telemetry data like logs, metrics, and traces alongside their business data. 
• This consolidation eliminates the need for separate observability tools and reduces data movement between systems.
• The acquisition addresses the growing challenge of managing observability data at scale, which has become increasingly expensive and complex as organizations generate massive volumes of telemetry information. 
• Observe’s approach stores data in a structured format that enables more efficient querying and analysis compared to traditional observability platforms.
• By bringing observability into Snowflake’s platform, customers can correlate operational metrics with business outcomes using the same SQL-based tools they already use for analytics. 
• This unified approach should help teams identify how application performance issues directly impact revenue, customer experience, and other business metrics.
• The deal positions Snowflake to compete more directly with observability vendors like Datadog, Splunk, and New Relic by offering native capabilities rather than requiring third-party integrations. 
• Organizations already using Snowflake for data warehousing can now consolidate their observability spend and simplify their tool stack.

12:08 Ryan – “I don’t know how to feel about this; I feel like Snowflake is a part of an application, but it’s not the entirety of an application. I definitely see a use for this for data warehousing and visualizing, but I don’t think it replaces your traditional observability tools because you have too many data sources that are outside of Snowflake.” 

Cloud Tools

13:58 Flexera acquires ProsperOps and Chaos Genius to expand its FinOps solution with agentic and AI-enabled cost optimization

• Flexera acquires two FinOps companies to add autonomous AI-driven cost optimization across major cloud platforms and data analytics services: ProsperOps brings automated commitment management for AWS, Azure, and Google Cloud with over $6B in annual cloud usage under management, while Chaos Genius focuses specifically on Snowflake and Databricks optimization with reported cost reductions up to 30%.
• The acquisitions shift Flexera’s FinOps approach from passive recommendations to active autonomous execution through agentic AI. 
• This means the platform can automatically purchase and manage cloud commitments and optimize data workloads without requiring manual human intervention, addressing the challenge of dynamic cloud usage patterns that don’t align well with static commitment purchases.
• ProsperOps will continue operating as a separate brand while integrating with Flexera’s existing FinOps capabilities. The company was growing at over 90% and has generated more than $3 billion in lifetime savings for customers, suggesting strong market demand for automated rate optimization solutions.
• The Chaos Genius acquisition specifically targets the emerging problem of runaway costs in data analytics platforms like Snowflake and Databricks as AI workloads scale. 
• This addresses a gap in traditional FinOps tools that primarily focused on compute and storage optimization but lacked specialized capabilities for modern data cloud platforms.
• These moves position Flexera to cover the complete FinOps Framework defined by the FinOps Foundation, combining cost visibility, workload optimization, and rate optimization in a single platform. 
• This matters for enterprises struggling to manage costs across an increasingly complex mix of traditional cloud services, AI infrastructure, and specialized data platforms.

15:35 Matt – “It definitely needs some pretty strong guardrails of what your business objective is, like don’t go over 90% savings plan or look at the secondary market for short term if you see a random burst for a few months. But it’s not a terrible idea…”      

AWS

19:12 Weirdly enough, there are no AWS stories this week. 

GCP

20:06 Instant insights: Gemini CLI’s New Pre-Configured Monitoring Dashboards | Google Cloud Blog

• Google has added pre-configured monitoring dashboards to Gemini CLI that provide immediate visibility into usage metrics like monthly active users, token consumption, and code changes without requiring custom query writing. 
• The dashboards integrate with Google Cloud Monitoring and use OpenTelemetry for standardized data collection, allowing teams to track CLI adoption and performance across their organization.
• The implementation uses direct GCP exporters that bypass intermediate OTLP collector configurations, simplifying setup to three steps: setting the project ID, authenticating with proper IAM roles, and updating the settings.json file. This reduces infrastructure complexity compared to traditional OpenTelemetry deployments that require separate collector services.
• Organizations can analyze raw OpenTelemetry logs and metrics to answer specific questions like identifying power users by token consumption, tracking budget allocation by command type, and monitoring tool reliability through status codes. The data follows GenAI OpenTelemetry conventions, ensuring compatibility with other observability backends like Prometheus, Jaeger, or Datadog if teams want to switch platforms.
• The feature targets development teams using Gemini CLI who need to understand tool adoption patterns and justify AI tooling investments through concrete usage metrics. 
• Engineering managers can track which developers benefit most from AI assistance and where token budgets are being allocated across different command types

21:55 Ryan – “As long as there’s no metric for how stupid a question is, because that. That I don’t want.”   

22:40 We’re advancing U.S. energy innovation with Intersect.

• Alphabet announced a definitive agreement to acquire Intersect, a company specializing in data center and energy infrastructure solutions. 
• This acquisition aims to accelerate the deployment of data center capacity and energy generation infrastructure in the United States.
• The deal addresses a critical bottleneck in AI and cloud infrastructure expansion by bringing expertise in energy development and data center deployment under Alphabet’s umbrella. Intersect’s capabilities will help Google bring more computing capacity online faster, which is essential given the substantial power requirements of AI workloads and hyperscale cloud operations.
• This acquisition reflects the growing importance of energy infrastructure as a limiting factor for cloud providers, particularly as AI training and inference workloads drive unprecedented power demands. By acquiring energy infrastructure expertise, Google positions itself to better control the full stack from power generation through data center operations.
• The announcement provides limited technical details about integration timelines or specific projects, but signals Google’s commitment to vertical integration in the infrastructure space. This move follows similar investments by other hyperscalers in power generation and energy partnerships to support their expanding data center footprints.

22:50 Justin – “If you can’t get the capacity from the vendor, just buy them – and then force them to do it. Good move!”   

25:00 Google’s NotebookLM introduces Data Tables feature

• NotebookLM now includes Data Tables, a feature that automatically synthesizes information from multiple sources into structured tables that can be exported directly to Google Sheets. 
• The feature is available today for Pro and Ultra users, with rollout to all users planned for the coming weeks.
• The feature addresses a common workflow challenge where valuable information is scattered across multiple documents, requiring manual compilation. Data Tables automates this process by extracting and organizing key facts into clean, structured formats without manual data entry.
• Use cases span professional and personal applications, including converting meeting transcripts into action item tables with owners and priorities, synthesizing research data like clinical trial outcomes across multiple papers, creating competitor analysis tables with pricing and strategy comparisons, and building study guides organized by relevant categories.
• The feature represents Google’s continued integration of AI capabilities into productivity tools, positioning NotebookLM as a research and synthesis tool rather than just a note-taking application. 
• This builds on NotebookLM’s existing source analysis capabilities by adding structured data output.
• The tiered rollout strategy, with Pro and Ultra users receiving immediate access, suggests Google is testing the feature with power users before broader deployment, likely to gather usage patterns and refine the table generation algorithms.

25:52 Justin – “I love creating spreadsheets; my budgets, all of my tracking of things, tasks I’m doing, vacation planning – it all lives in spreadsheets. And you’re going to take that away from me, Google? How dare you. AI is coming for my passion for spreadsheets.”   

29:53 T5Gemma 2: The next generation of encoder-decoder models

• Google releases T5Gemma 2,  a new generation of encoder-decoder models based on Gemma 3, available now in pre-trained checkpoints at three sizes: 270M-270M (370M total), 1B-1B (1.7B total), and 4B-4B (7B total) parameters. The models use tied word embeddings and merged decoder attention to reduce parameter count while maintaining capabilities, making them suitable for on-device applications and rapid experimentation.
• T5Gemma 2 adds multimodal vision capabilities using an efficient vision encoder for visual question answering and reasoning tasks, extends context windows to 128K tokens using Gemma 3’s alternating local and global attention mechanism, and supports over 140 languages out of the box. 
• These represent the first multi-modal and long-context encoder-decoder models in the Gemma family.
• The architecture merges decoder self-attention and cross-attention into a single unified layer, reducing model complexity and improving parallelization for better inference performance. 
• This structural change, combined with tied embeddings, allows more active capabilities within the same memory footprint compared to the original T5Gemma.
• Benchmarks show T5Gemma 2 outperforms Gemma 3 on several multimodal tasks, delivers substantial quality gains on long-context problems compared to both Gemma 3 and T5Gemma, and shows improved performance on coding, reasoning, and multilingual tasks. Post-training results indicate better performance than decoder-only counterparts, making these models suitable for both research and production applications.
• The models are designed for developers to post-train for specific tasks before deployment, continuing the approach from the original T5Gemma of adapting pre-trained decoder-only models into an encoder-decoder architecture without the computational cost of training from scratch.
•  Pre-trained checkpoints are available across multiple platforms for broad developer access.

31:14 Jonathan – “I’m actually looking forward to playing with the T5Gemma model because the encoder part of it is what’s going to make it really special. Transformers have always had these two halves, encoder and decoder, and most LMs only use the decoder. And what that means is that as the attention is calculated for each token in the context window, it only ever attends to previous tokens in the message. So if you have a word, that word can only ever be related to something that you’ve already said in the conversation. But people aren’t like that. People go back and forth, and they refer back to things they said… people just suck at communication most of the time. And so what the encoder model does is it looks at the entire message holistically. It doesn’t only look at the last word by the time it gets to the last word, it looks at everything and encodes the meaning of the entire text. And then from there, it passes it to the decoder, and the decoder starts generating text based on the entire knowledge of the whole thing.”

33:39 New tech and tools for retailers to succeed in an agentic shopping era

• Google launches Universal Commerce Protocol (UCP), an open standard for agentic commerce co-developed with Shopify, Etsy, Wayfair, Target, and Walmart. 
• UCP enables AI agents to interact across the entire shopping journey from discovery to post-purchase support, working alongside existing protocols like A2A, AP2, and MCP. The protocol is endorsed by over 20 companies, including Adyen, American Express, Mastercard, Stripe, and Visa.
• New agentic checkout feature goes live in AI Mode in Search and Gemini app, allowing shoppers to purchase from eligible U.S. retailers directly within Google’s AI surfaces. 
• The integration uses Google Pay and PayPal for payments, with retailers maintaining seller of record status and the ability to customize the implementation. Global expansion and additional capabilities like loyalty rewards and product discovery are planned for the coming months.
• Business Agent launches tomorrow as a branded AI assistant that appears directly in Search results for retailers like Lowe’s, Michaels, Poshmark, and Reebok. U.S. retailers can activate and customize this agent through Merchant Center, with future capabilities including training on retailer data, customer insights, product offers, and direct agentic checkout within the chat experience.
• Google introduces Direct Offers pilot in AI Mode, allowing advertisers to present exclusive discounts and deals to shoppers during AI-powered searches. The system uses AI to determine when offers are relevant to display, initially focusing on discounts with plans to expand to bundles and free shipping. Early partners include Petco, e.l.f. Cosmetics, Samsonite, Rugs USA, and Shopify merchants.
• Merchant Center adds dozens of new data attributes designed for conversational commerce discovery across AI Mode, Gemini, and Business Agent. These attributes extend beyond traditional keywords to include product Q&A, compatible accessories, and substitutes, rolling out first to a small group of retailers before broader expansion.

35:20 Ryan – “I think it’s important to standardize. In a web transaction where you’re doing shopping, there’s so many handoffs to different things, I can see, as more and more AI and agent-based or agent-assisted transactions happen, being able to talk a common language is super important.” 

33:38 Read Sundar Pichai’s remarks at the 2026 National Retail Federation

• Google announced Universal Commerce Protocol (UCP), an open standard for agentic commerce built with Shopify, Etsy, Wayfair, Target, and Walmart. The protocol enables native checkout directly in Google Search AI Mode and Gemini, allowing retailers to maintain merchant of record status and own customer relationships while offering personalized pricing and loyalty enrollment at checkout.
• Gemini Enterprise for Customer Experience is now available in preview, providing retailers with integrated shopping assistants, support bots, and agentic search capabilities. 
• The Home Depot and McDonald’s are already using these agents for customer service, while Kroger is testing a shopping agent that brings AI Mode functionality directly into retailer apps.
• Google processed over 90 trillion tokens through its API in December 2025, representing an 11x increase from 8.3 trillion tokens in December 2024. This growth demonstrates the rapid adoption of AI capabilities by retailers and the scale at which Google’s infrastructure is supporting commercial AI applications.
• Wing delivery service expanded to Houston, with Orlando, Tampa, and Charlotte coming soon, after doubling deliveries in existing markets during 2025 through its Walmart partnership. 
• The expansion addresses the high cost and logistical challenges of last-mile delivery for retailers.

38:35 Jonathan – “So is this how Google is going to make money in the future? Because obviously serving ads through AI is both controversial and a very lame customer experience. Are they going to start skimming off a percentage of sales for sales they direct to these retailers through their AI interface?”  

Azure 

39:58 Announcing public preview: Uncovering hidden threats with the Dynamic Threat Detection Agent | Microsoft Community Hub

• Microsoft launches the Dynamic Threat Detection Agent in public preview, an AI-powered backend service that runs continuously within Defender to identify hidden threats across Defender and Sentinel environments. 
• The agent operates autonomously with no setup required, automatically generating alerts with natural language explanations, MITRE technique mappings, and remediation steps directly into existing XDR workflows.
• The agent achieves over 85% precision across thousands of alerts and 28 threat types by combining adaptive GenAI detection with hyperscale threat intelligence from TITAN and UEBA behavioral analytics. 
• It runs a five-step investigation loop at machine scale, starting from high-priority incidents, building unified activity timelines, testing hypotheses through automated Q&A, and closing detection gaps with explainable alerts that include transparent reasoning traces.
• Public preview is free for Security Copilot customers and enabled by default for eligible organizations, with general availability planned for late 2026 when it transitions to Security Copilot’s SCU-based consumption model. 
• Starting July 2026, the agent will be included with Microsoft 365 E5 licenses that have Security Copilot entitlement, and customers can disable it or monitor usage through detailed consumption reporting at any time.
• The service respects data residency by running region-local and integrates deeply with the Microsoft security ecosystem, using Sentinel to correlate third-party and native telemetry while surfacing Copilot-sourced detections in Defender. 
• Built on Azure Synapse for massive scale, it can run thousands of parallel investigations and deliver near-real-time detections while continuously learning from analyst feedback to improve detection quality and reduce alert noise.

43:54 Jonathan – “You don’t want to block a potential customer who’s about to press a button to spend tens of thousands of dollars either. guess false positives are almost as bad as false negatives.”

45:26 Generally Available: Geo-Replication for Azure Service Bus Premium

• Azure Service Bus Premium now includes generally available Geo-Replication, allowing customers to replicate messaging infrastructure across regions for disaster recovery. 
• This addresses a critical need for enterprises running mission-critical messaging workloads that require protection against regional outages.
• The feature provides active replication of Service Bus entities, including queues, topics, and subscriptions, between paired regions, maintaining message ordering and metadata consistency. 
• Organizations can now implement cross-region failover strategies without building custom replication logic or managing multiple Service Bus namespaces manually.
• This capability is exclusive to the Premium tier of Service Bus, which starts at approximately $677 per month for the base messaging unit. Customers should factor in additional costs for cross-region data transfer and the secondary namespace when planning their disaster recovery architecture.
• The geo-replication option complements existing Service Bus disaster recovery features like Geo-Disaster Recovery (metadata-only failover), giving customers flexibility in choosing between cost-optimized metadata replication or full data replication based on their recovery time objectives. 
• This is particularly relevant for financial services, healthcare, and retail sectors, where message loss during regional failures is unacceptable.

46:23 Justin – “I’m surprised this wasn’t already part of premium, but I’m also sort of intrigued that they think people’s messaging strategies only involve two regions, because some of the cost architectures I’ve seen are like multiple regions with active replication across these things for geodistributed applications that need to have globally low latency for user populations everywhere – and I guess I just can’t run that on this service. So I guess, screw you? Or wait for Azure Service Bus Ultra?” 

After Show 

46:38 CES 2026: The best tech announced so far | The Verge

• CES 2026 showcased significant infrastructure innovations, including Wi-Fi 8 routers from Asus and others, despite the standard not being finalized until 2028, plus solid-state battery breakthroughs from Donut Lab claiming 400 Wh/kg energy density that could give EVs 30 percent more range. These developments signal major shifts in networking and power infrastructure that cloud and edge computing deployments will eventually leverage.
• Smart home and IoT devices are getting serious upgrades with Matter compatibility becoming standard across Ikea and Philips Hue products, while spatial awareness features like Hue’s SpatialAware use AR to map rooms for better lighting distribution. For cloud professionals, this represents the maturation of IoT protocols and edge AI processing that will drive increased demand for home automation backend services.
• The display technology race is heating up with Samsung showing creaseless foldable OLED panels, Dell launching a 52-inch 6K Thunderbolt hub monitor, and LG reviving its Wallpaper TV with wireless video transmission. These advances in display tech and connectivity standards like Thunderbolt 5, delivering 120Gbps speeds, will impact how professionals design workspaces and remote work setups.
• AI wearables are moving beyond glasses with Razer’s Project Motoko headphones featuring 4K cameras, on-device AI processing via Qualcomm chips, and 36-hour battery life that eclipses current smart glasses. This shift toward headphone-based AI assistants could influence how voice interfaces and edge AI applications are developed for consumer devices.
• Robotics took center stage with practical home automation like Roborock’s stair-climbing Saros Rover vacuum and LG’s CLOiD dual-arm robot that can fold laundry and handle kitchen tasks. While still in development, these robots represent the convergence of computer vision, edge AI, and mechanical engineering that will require robust cloud backends for training and coordination.

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• Prompt Engineering Our Way Into Trouble
• The Demo Worked Yesterday, We Swear
• It Scales Horizontally, Trust Us
• Responsible AI But Terrible Copy (Marketing Edition)

General News 

00:58 Watch ‘The Thinking Game’ documentary for free on YouTube

• Google DeepMind is releasing the “The Thinking Game” documentary for free on YouTube starting November 25, marking the fifth anniversary of AlphaFold. 
• The feature-length film provides behind-the-scenes access to the AI lab and documents the team’s work toward artificial general intelligence over five years.
• The documentary captures the moment when the AlphaFold team learned they had solved the 50-year protein folding problem in biology, a scientific achievement that recently earned Demis Hassabis and John Jumper the Nobel Prize in Chemistry. 
• This represents one of the most significant practical applications of deep learning to fundamental scientific research.
• The film was produced by the same award-winning team that created the AlphaGo documentary, which chronicled DeepMind’s earlier achievement in mastering the game of Go. For cloud and AI practitioners, this offers insight into how Google DeepMind approaches complex AI research problems and the development process behind their models.
• While this is primarily a documentary release rather than a technical product announcement, it provides context for understanding Google’s broader AI strategy and the research foundation underlying its cloud AI services. The AlphaFold model itself is available through Google Cloud for protein structure prediction workloads.

01:54 Justin – “If you’re not into technology, don’t care about any of that, and don’t care about AI and how they built all the AI models that are now powering the world of LLMs we have, you will not like this documentary.” 

04:22 ServiceNow to buy Armis in $7.7 billion security deal • The Register

• ServiceNow is acquiring Armis for $7.75 billion to integrate real-time security intelligence with its Configuration Management Database, allowing customers to identify vulnerabilities across IT, OT, and medical devices and remediate them through automated workflows. 
• The deal is expected to close in the second half of 2026 and aims to triple ServiceNow’s current $1 billion annual security revenue.
• The acquisition represents a strategic data play when combined with ServiceNow’s recent purchase of Data.World, giving the company both massive volumes of security asset data from Armis and the governance tools to make that data searchable and usable with AI. 
• This combination enhances ServiceNow’s CMDB capabilities by an order of magnitude, according to Forrester analysts.
• ServiceNow has completed six acquisitions this year, including Armis, Veza for identity access management, and Data.World for data governance, signaling an aggressive expansion strategy focused on security and data management. 
• The company’s integration approach will be critical as customers watch how well these separate platforms merge into ServiceNow’s unified platform.
• The deal positions ServiceNow to eliminate the patchwork of security tools organizations currently use by embedding security capabilities directly into its AI platform. 
• Armis brings 950 employees, $340 million in annual recurring revenue, and recognition as a Gartner leader in cyber-physical systems protection.
• Despite Salesforce entering the ITSM market, analysts assess ServiceNow maintains a five-year development lead in the space, though successful integration of multiple acquisitions remains the key challenge for maintaining that advantage.

05:49 Ryan – “Is this security tooling that you use for analysis or threat hunting? Or is this something that they’re adding to their existing tooling, so it’s more of an integration?” 

Listener Note: If you have any idea what this company does, let us know! 

Cloud Tools

08:38 TOON vs. JSON | DigitalOcean

• TOON (Token Oriented Object Notation) is a new data format designed to replace JSON in LLM prompts, claiming to reduce input token usage by approximately 40% while maintaining or improving accuracy. 
• The format works by eliminating verbose JSON syntax and repeated tokens, converting structured data into a more compact representation that LLMs can still interpret effectively.
• DigitalOcean released a Python library (toon-python) that automatically converts JSON datasets to TOON format before sending them to LLM endpoints. In their testing example, a JSON dataset using 172 tokens was reduced to 71 tokens in TOON format (59% reduction) while producing identical query results across multiple model providers, including Mistral 3.
• TOON is specifically designed for input context containing structured data from databases or other sources, not for replacing plain text prompts or LLM outputs. Studies show that converting plain text instructions to structured formats like JSON doesn’t consistently improve accuracy, so TOON’s value proposition is primarily for applications already using JSON-formatted datasets in their prompts.
• The format has limitations, including a lack of proven effectiveness for model outputs, potential compatibility issues with models that haven’t been trained on TOON examples, and the need for application-specific testing to verify accuracy and token savings. Function calling, parsing, and other use cases requiring JSON outputs should continue using JSON rather than attempting TOON conversions.
• For cost-conscious LLM applications processing large structured datasets, TOON represents a practical optimization that could reduce token costs by 40% without requiring changes to model architecture or training. The token savings become more significant at scale, particularly for applications making frequent API calls with substantial context data.

09:16 Justin – “I’d almost argue that TOON is more of what I would have wanted; very simple comma-separated values… so maybe LLMs will finally solve all my JSON complaints…but maybe not.” 

10:40 Google 2025 recap: Research breakthroughs of the year

• Google released Gemini 3 Pro in November 2025 and Gemini 3 Flash in December 2025, with Gemini 3 Pro topping the LMArena Leaderboard and achieving 23.4% on MathArena Apex benchmark. 
• Gemini 3 Flash delivers Pro-grade reasoning at Flash-level latency and cost, continuing Google’s trend where each generation’s Flash model surpasses the previous generation’s Pro model in quality while being substantially cheaper and faster.
• The company introduced several specialized AI models, including Nano Banana Pro for native image generation and editing, Veo 3.1 for video generation, and Imagen 4 for image creation. 
• Google also launched developer tools like Google Antigravity for AI-assisted software development and Jules, an asynchronous coding agent that acts as a collaborative partner for developers.
• Google’s AlphaFold celebrated its 5th anniversary with over 3 million researchers across 190+ countries using the Nobel Prize-winning protein folding system, including 1 million users in low and middle-income countries. 
• New AI tools for genomics include AlphaGenome for genome understanding and DeepSomatic for identifying genetic variants in tumors, moving beyond sequencing to the interpretation of complex genomic data.
• Google’s quantum computing work achieved recognition with Googler Michel Devoret receiving the 2025 Nobel Prize in Physics, while the Quantum Echoes algorithm demonstrated progress toward real-world quantum applications. 
• The company also introduced Ironwood, a new TPU designed for inference workloads using the AlphaChip design method, and launched WeatherNext 2, which generates weather forecasts 8x faster with up to 1-hour resolution covering flood predictions for 2 billion people across 150 countries.
• Google formed the Agentic AI Foundation with other AI labs to establish open standards for agentic AI interoperability and announced Model Context Protocol support for Google services. 
• The company also partnered with the US Department of Energy’s 17 national laboratories on the Genesis project to transform scientific research and expand educational AI initiatives with school districts like Miami-Dade County.

11:52 Meta acquires intelligent agent firm Manus, capping a year of aggressive AI moves

• Meta acquired Singapore-based AI agent firm Manus for over $2 billion, bringing on board a company that claims $125 million in revenue run rate just eight months after launching its general-purpose AI agent. 
• Manus will continue operating its subscription service while its team joins Meta to enhance automation across consumer products like Meta AI assistant and business tools.
• Manus offers AI agents capable of executing complex tasks, including market research, coding, and data analysis, having processed over 147 trillion tokens and supported 80 million virtual computers to date. 
• The platform provides both free and paid subscription tiers and has already been tested by Microsoft in Windows 11 PCs for tasks like creating websites from local files.
• The acquisition represents Meta’s continued strategy of acquiring specialized AI startups to accelerate its AI capabilities and Llama large language model development. 
• This follows Meta’s $14.3 billion investment in Scale AI in June and its acquisition of AI-wearables startup Limitless earlier this month, demonstrating an aggressive talent and technology acquisition approach.
• Manus originated as a product of Chinese startup Butterfly Effect before relocating its headquarters from Beijing to Singapore in June, backed by investors including Tencent, HongShan Capital Group, and Benchmark, which led a $75 million Series B round. The company maintains strategic partnerships with Chinese tech firms, including Alibaba’s Qwen AI team, despite its geographic shift.

13:04 Ryan – “You know, the upside, if they’ve just been around for 8 months, they don’t have the terrible tech debt that all these other firms have…they have 8 months of it.” 

AWS

15:59 Security Hub CSPM automation rule migration to Security Hub | AWS Security Blog

• AWS has split Security Hub into two services: the new Security Hub with enhanced capabilities using the Open Cybersecurity Schema Framework (OCSF), and Security Hub CSPM, which continues as a separate service focused on cloud security posture management. 
• The schema change from AWS Security Finding Format (ASFF) to OCSF means existing automation rules need migration to work with the new service.
• AWS released an open-source Python migration tool on GitHub that automatically discovers Security Hub CSPM automation rules, transforms them to OCSF schema, and generates CloudFormation templates for deployment. 
• The tool handles Regional differences intelligently, supporting both home Region deployments where rules apply across linked Regions and Region-by-Region deployments for unlinked Regions.
• Not all automation rules can be fully migrated due to schema differences between ASFF and OCSF. The tool generates a migration report identifying rules that cannot be migrated or are only partially migrated, and creates all new rules in a disabled state by default so administrators can validate them before enabling.
• The migration tool preserves the original order of automation rules, which matters when multiple rules operate on the same findings or fields. 
• For organizations using a delegated administrator account with AWS Organizations, rules must be created in that account’s home Region, and the tool is designed to work with this model while also supporting single-account deployments.
• This migration capability is included in the Security Hub essentials plan at no additional cost beyond standard Security Hub pricing. 
• Organizations should review the ASFF to OCSF field mapping tables in the documentation before migration, as some criteria fields, like ComplianceAssociatedStandardsId and ProductName have no OCSF equivalents and require manual rule redesign.

18:21 Matt – “The problem I always have with CPAMs – and this is a larger rant or conversation we can have – is there’s no interoperability. So if you have a CPAM and you want to then set up a GRC tool, or your other security tool can also run it, there’s no interoperability. So you then have to acknowledge things in three different spots, and there’s no single source of truth.

20:08 Proactive Amazon EKS monitoring with Amazon CloudWatch Operator and AWS Control Plane metrics | Containers

• EKS clusters running version 1.28 and above now automatically send control plane metrics to CloudWatch at no extra cost, covering API server health, scheduler performance, and etcd database status. 
• The new CloudWatch Observability Operator add-on extends this with Container Insights and Application Signals for deeper visibility into workloads and applications without code changes.
• The enhanced monitoring addresses common operational challenges like detecting pod scheduling bottlenecks through metrics such as scheduler_pending_pods and scheduler_schedule_attempts_UNSCHEDULABLE, which help identify under-resourced worker nodes. API server throttling issues become visible through apiserver_request_total_429 metrics, showing when the default 600 in-flight request limit is approached.
• Critical infrastructure components like admission webhooks, which power AWS Load Balancer Controller and IRSA functionality, can now be monitored for failures and latency issues. The apiserver_admission_webhook_rejection_count metric helps catch silent webhook failures that could prevent deployments, with CloudWatch Log Insights providing correlated log data for troubleshooting.
• The etcd database monitoring is particularly important since EKS has an 8 GB recommended limit, and exceeding it makes clusters read-only. CloudWatch alarms can trigger at 80 percent capacity (6.4 GB) using the apiserver_storage_size_bytes metric, giving teams time to clean up unnecessary resources before hitting the limit.
• Application Signals provides automatic instrumentation for Java applications with pre-built dashboards tracking traffic, latency, and availability at a 5 percent sampling rate. 
• The feature integrates with CloudWatch anomaly detection using machine learning to identify unusual patterns in metrics like node_cpu_utilization without manual threshold configuration.

21:15 Ryan – “I like this, except for the fact that it’s an operator…I don’t understand why this isn’t just configuration options in your cluster.” 

21:59 Amazon ECS Managed Instances now supports Amazon EC2 Spot Instances

• ECS Managed Instances now supports EC2 Spot capacity, allowing customers to run fault-tolerant containerized workloads at up to 90% discount compared to On-Demand pricing while AWS handles all infrastructure management. 
• You configure a new capacityOptionType parameter as spot or on-demand in your capacity provider settings.
• This extends ECS Managed Instances beyond its existing capabilities of automatic provisioning, dynamic scaling, and cost-optimized task placement. AWS still handles the infrastructure operations through AWS-controlled access in your account, but now you can choose between spot and on-demand capacity types alongside existing options for GPU, network-optimized, and burstable instance families.
• The feature is available in all AWS Regions where ECS Managed Instances currently operate. Pricing includes both the spot EC2 instance costs and an additional management fee for the compute provisioning service, though specific management costs are not disclosed in the announcement.
• This targets customers running stateless or fault-tolerant containerized applications like batch processing, CI/CD pipelines, or web services that can handle interruptions. 
• The combination of managed infrastructure and spot pricing addresses a common challenge where teams want cost savings from spot instances but lack resources to manage the complexity of spot interruptions and capacity management.

24:07 Enhance Amazon EKS network security posture with DNS and admin network policies | Containers

• Amazon EKS now supports DNS-based and Admin network policies, allowing teams to control pod traffic using stable domain names instead of constantly changing IP addresses. 
• This eliminates the operational overhead of maintaining IP allowlists for AWS services, on-premises systems, and third-party APIs while providing centralized policy management across multiple namespaces.
• Admin network policies operate in two tiers with hierarchical enforcement that cannot be overridden by namespace-level policies, enabling platform teams to enforce mandatory security controls like blocking access to EC2 Instance Metadata Service at 169.254.169.254. 
• The policies use label-based segmentation to apply security standards across multiple namespaces simultaneously, reducing the need for per-namespace policy management.
• DNS-based policies are available in EKS Auto mode clusters version 1.29 and later, while Admin policies work in both EKS Auto mode and EC2-based clusters running VPC CNI version 1.21.1 or later. 
• The feature removes the need for third-party network policy tools and integrates with existing Kubernetes NetworkPolicy resources for defense-in-depth security.
• The policy evaluation order follows a strict hierarchy: Admin tier Deny rules take precedence over everything, followed by Admin Allow rules, then namespace-scoped policies, and finally Baseline tier policies. 
• This ensures security teams can enforce organization-wide controls while still allowing application teams flexibility for namespace-specific requirements.
• Real-world applications include multi-tenant environments where different applications need controlled access to specific AWS services like S3 or DynamoDB using patterns like asterisk.s3.amazonaws.com, and hybrid cloud scenarios where workloads access on-premises databases through stable DNS names that remain valid even as underlying infrastructure changes.

24:17 Justin – “Thank you, Jesus.” 

27:46 Ryan – “If you are a traditional engineer listening to our show, this is an example of something where you can take your skillset and add a ton of value.” 

28:00 AWS raises GPU prices 15% on a Saturday • The Register

• AWS increased prices for EC2 Capacity Blocks for ML by approximately 15 percent over the weekend, with p5e.48xlarge instances jumping from $34.61 to $39.80 per hour in most regions. 
• This marks a departure from AWS’s two-decade pattern of price reductions and represents one of the first straight increases to a line item not tied to regulatory requirements.
• Capacity Blocks allow customers to reserve guaranteed GPU capacity for ML training jobs from one day to several weeks in advance with locked-in rates paid upfront. 
• AWS attributes the increase to supply and demand patterns for this quarter, reflecting the global GPU shortage driven by increased AI workload demand across the industry.
• The price increase creates complications for customers with Enterprise Discount Programs, as their percentage discounts remain the same, but absolute costs rise by 15 percent. 
• This gives competitors like Azure and GCP a direct talking point for enterprise sales conversations, though whether they can absorb the demand remains uncertain given industry-wide GPU constraints.
• The change establishes a precedent that could extend to other resource-constrained services, particularly RAM-intensive offerings that touch nearly every AWS service. 
• The timing and execution on a Saturday with minimal announcement suggest AWS is testing customer response to price increases after conditioning the market to expect only decreases.
• This affects primarily enterprise customers running serious ML workloads with budgets in the millions, as Capacity Block pricing targets teams that cannot afford training run interruptions. 
• The broader concern is whether this signals a shift in AWS’s pricing strategy across other services where supply constraints or cost increases exist.

29:31 Matt – “I don’t think it’s a broader concern; but I think it’s the first real time you’re seeing a dramatic increase, and it’s been a fear for many companies for many years…what if they raise the prices and there’s nothing we can do because we’re already there? And they’re doing it, and there’s not much you CAN do.” 

30:51 EC2 Capacity Manager now includes Spot interruption metrics

• EC2 Capacity Manager adds three new Spot interruption metrics at no additional cost across all commercial AWS regions. 
• The metrics track total Spot instance count, interruption counts, and interruption rates across regions, availability zones, and accounts to help optimize Spot placement strategies.
• The new visibility helps customers make data-driven decisions about Spot instance diversification by identifying patterns in interruptions. 
• Organizations can use this data to determine which availability zones or instance types experience fewer interruptions and adjust their Spot strategies accordingly.
• This enhancement integrates with existing Spot placement score functionality to provide a complete picture of Spot capacity management. 
• Customers can now correlate predicted availability scores with actual interruption data to validate and refine their capacity planning decisions.
• The metrics are particularly valuable for organizations running large-scale Spot fleets where even small improvements in interruption rates translate to meaningful cost savings. 
• By tracking interruption rates over time, teams can measure the effectiveness of their diversification strategies and identify opportunities to expand into more stable capacity pools.

31:11 Justin – “Or…you could just make this a service I could subscribe to.”

GCP

32:50 Looker self-service Explores, tabbed dashboards, custom themes | Google Cloud Blog

• Y’all can thank Ryan if you’re not into this particular story. Hit him up on Slack and let him know your thoughts. 
• Looker now allows users to upload CSV and spreadsheet files directly into the platform through a drag-and-drop interface in the new self-service Explores feature, currently in Public Preview. 
• This bridges the gap between governed data models and ad-hoc analysis by letting users combine local files with existing Looker data while maintaining administrator oversight on uploads and permissions.
• The new tabbed dashboard feature helps organize complex dashboards into logical sections with automatic filter propagation across tabs, reducing visual clutter by showing only relevant filters per view. 
• Users can share specific tab URLs and export entire multi-tab dashboards as single PDF documents, making it easier to present cohesive data narratives.
• Internal dashboard theming is now available in Public Preview, enabling organizations to customize tile styles, colors, fonts, and formatting to match corporate branding within the Looker application. 
• Administrators can create reusable theme templates and set default themes across entire instances to ensure consistency.
• A new content certification flow helps distinguish between ad-hoc experiments and vetted data sources, addressing governance concerns when users upload their own datasets. 
• This feature works alongside administrator controls to maintain data quality standards while enabling self-service capabilities.
• These features are available starting with Looker version 25.20 and can be enabled through the Admin Labs page, with no specific pricing changes announced as they appear to be included in existing Looker subscriptions.

34:06 Ryan – “For everyone that has to supply you with pretty graphs and pictures, this is very important. It is very difficult to sort of modify and work with existing data sets in any BI tool, and so this is another knob that you can put. And I could use something like this for just uploading a very easy CSV of like product names or usernames or something that’s just a list, versus having to parse that out of a very large data set, which may have a combination of structured and unstructured data or just bad schema adherence. And so this is sort of a nice tool for being able to create those types of things.” 

35:28 Optimizing AlloyDB AI text-to-SQL accuracy | Google Cloud Blog

• AlloyDB AI’s natural language API, currently in preview, enables developers to build agentic applications that translate natural language questions into SQL queries with near-100% accuracy. 
• The system uses descriptive context like table descriptions, prescriptive context including SQL templates and facets for complex conditions, and a value index to disambiguate database-specific terms that foundation models wouldn’t recognize.
• The API addresses a critical business need where 80-90% accuracy isn’t sufficient, particularly in industries like real estate search and retail, where poor query interpretation directly impacts conversions and revenue. 
• Users can iteratively improve accuracy through a hill-climbing approach, starting with out-of-the-box capabilities and progressively adding context to handle nuanced questions like “homes near good schools” that require specific business logic for terms like “near” and “good.”
• The system provides explainability features that show users what the API understood their question to mean, allowing agents and end users to verify the interpretation even when accuracy isn’t perfect. 
• This transparency helps mitigate the impact of occasional misinterpretations while the system approaches 100% accuracy for specific use cases.
• Integration options include MCP Toolbox for Databases for developers writing AI tools or Gemini Enterprise for no-code agentic programming, allowing conversational applications that combine web knowledge with database queries. The technology works across structured, unstructured, and multimodal data using AlloyDB’s vector search, text search, and AI operators like AI.IF for semantic conditions.
• Google plans to expand this natural language capability beyond AlloyDB to a broader set of Google Cloud databases, though specific timelines and pricing details for the preview or general availability weren’t disclosed in the: announcement.

36:43 Justin – “Natural language query – I am here for it.” 

37:56 New Enhanced Tool Governance in Vertex AI Agent Builder | Google Cloud Blog

• Google introduces enhanced tool governance for Vertex AI Agent Builder through Cloud API Registry integration, allowing administrators to centrally manage and curate approved tools across their organization while developers access them via a new ApiRegistry object in the Agent Development Kit. 
• This addresses the duplicate work problem where developers previously built tools separately for each agent and gives enterprises better control over what data and APIs their AI agents can access.
• The Agent Development Kit now supports Gemini 3 Pro and Flash models with full TypeScript compatibility, plus improved state management features including automatic recovery from failures, human-in-the-loop pause and resume capabilities, and conversation rewind functionality. 
• The new Interactions API integration provides consistent multimodal input/output handling across agents, while A2UI enables agents to pass UI components directly to applications without the security risks of executable code.
• Agent Engine sessions and memory bank reach general availability, powered by Google Cloud AI Research’s topic-based approach for managing both short-term and long-term agent memory across interactions. 
• The service expands to seven additional regions globally, with runtime pricing reduced and billing for additional Agent Engine services beginning January 28, 2026 (specific pricing details available in documentation).
• Customer implementations show practical benefits: Burns & McDonnell uses Agent Builder to transform project data into real-time intelligence, Payhawk reduced expense submission time by over 50 percent through Memory Bank’s context retention, and Gurunavi projects a 30 percent improvement in user experience for their restaurant discovery app by remembering user preferences and patterns.
• The platform now includes Vertex AI Agent Garden with one-click deployment of curated agent samples and an Agent Starter Pack providing production-ready templates for building, testing, and deploying agents. 
• Apigee integration allows organizations to transform existing managed APIs into custom MCP servers, bringing multi-cloud tools into a centralized catalog through Cloud API Registry.

38:47  Ryan – “This just goes to show how early we are in this ecosystem. Companies are just starting to sort of get wise that they’ve got a whole bunch of developers using these platforms, and they’re all kind of doing their own things and separate little silos and there’s very little ability to share or get any kind of optimization with those central resources… I do think that this is a good thing.” 

39:55 Introducing VM Extensions Manager | Google Cloud Blog

• Google launches VM Extensions Manager in preview to centralize and automate the installation and lifecycle management of OS agents across Compute Engine fleets. 
• The service eliminates manual scripting and startup script dependencies by providing policy-driven control that can reduce operational overhead from months to hours, according to Google.
• The preview supports three critical extensions at launch: Cloud Ops Agent for telemetry collection, Agent for SAP for monitoring SAP workloads, and Agent for Compute Workloads for workload evaluation. 
• Administrators can pin specific extension versions or let the system automatically deploy the latest releases, with more extensions planned for future support.
• VM Extensions Manager offers two rollout speeds for global policies: SLOW mode executes zone-by-zone deployments over 5 days by default to minimize risk, while FAST mode enables immediate fleet-wide updates for urgent security patches. 
• Zonal policies at the project level are available now, with global policies and organization or folder-level policies coming in the following months.
• The service integrates directly into the existing compute.googleapis.com API without requiring new API enablement or discovery, allowing administrators to start creating policies immediately through the Cloud Console or gcloud CLI. Documentation is available here. 

42:18  Matt – “I like that they released both of those day one – both slow and fast mode.” 

43:23 Cloud SQL for MySQL introduces optimized writes | Google Cloud Blog

• Cloud SQL for MySQL Enterprise Plus edition now includes optimized writes, a feature that automatically tunes five different MySQL parameters and configurations based on real-time workload metrics to improve write performance. 
• The feature is enabled by default on all Enterprise Plus instances and requires no manual intervention or configuration changes.
• Google reports up to 3x better write throughput compared to the standard Enterprise edition, with reduced latency, particularly beneficial for write-intensive OLTP workloads. 
• Performance gains vary based on machine configuration, and the feature complements the existing SSD-backed data cache that provides up to 3x higher read throughput.
• The optimized writes feature works by automatically adjusting MySQL flags, data handling, and parameters in response to instance and workload characteristics. 
• Customers can benchmark the improvements using sysbench by comparingthe  Enterprise edition, the Enterprise Plus without optimized writes, and the Enterprise Plus with optimized writes enabled.
• Existing Cloud SQL instances can upgrade to the Enterprise Plus edition in-place to access optimized writes, though specific pricing details for the Enterprise Plus tier are not provided in the announcement. 
• The feature targets organizations running write-heavy database workloads that previously required manual MySQL tuning and optimization efforts.

Azure 

43:23 Microsoft announces acquisition of Osmos to accelerate autonomous data engineering in Fabric – The Official Microsoft Blog

• Microsoft acquires Osmos to bring agentic AI capabilities to Fabric for autonomous data engineering workflows. Osmos uses AI agents to automate data preparation tasks that typically consume most of data teams’ time, transforming raw data into analytics-ready assets in OneLake without manual intervention.
• The acquisition addresses a common enterprise challenge where organizations have abundant data but lack efficient ways to make it actionable. 
• Osmos will integrate into Microsoft Fabric’s unified data platform, allowing AI agents to handle data connection, preparation, and transformation tasks that currently require significant manual effort and technical expertise.
• The Osmos team joins Microsoft’s Fabric engineering organization to advance autonomous data operations within the existing Fabric ecosystem. 
• This builds on Fabric’s existing capabilities around OneLake, Power BI, and unified data analytics by adding intelligent automation for data engineering workflows.
• No pricing details or availability timeline were announced, though Microsoft indicates integration updates will be shared through the Microsoft Fabric Blog. The acquisition targets organizations spending excessive resources on data preparation rather than analysis, particularly those already invested in the Fabric ecosystem.

45:32  Ryan – “As long as they deliver on the promise. There’s been solutions that make the same promise – not with AI… and it just never works the way it should. Drives me nuts that it’s so failure prone. As long as the AI and Agentic add to these things, that’s fantastic.” 

46:38 Microsoft’s strategic AI datacenter planning enables seamless, large-scale NVIDIA Rubin deployments | Microsoft Azure Blog

• Azure is deploying NVIDIA’s next-generation Rubin platform at scale, with infrastructure already designed to handle its power, cooling, and networking requirements. 
• Microsoft’s Fairwater datacenters in Wisconsin and Atlanta can accommodate Rubin’s 50 petaflops per chip and 3.6 exaflops per rack without retrofitting, representing a five-times performance jump over GB200 systems.
• The deployment leverages Azure’s systems approach where compute, networking, storage, and infrastructure work as an integrated platform. 
• Key technical enablements include support for sixth-generation NVLink with 260 TB/s bandwidth, ConnectX-9 1,600 Gb/s networking, HBM4 memory thermal management, and pod exchange architecture for rapid hardware servicing without extensive rewiring.
• Azure’s track record includes operating the world’s largest commercial InfiniBand deployments and being first to deploy both GB200 and GB300 NVL72 platforms at scale. 
• The company’s multi-year collaboration with NVIDIA on co-design means Rubin integrates directly into existing infrastructure, enabling faster customer deployments compared to competitors who need infrastructure upgrades.
• Microsoft’s regional superfactory approach differs from other hyperscalers’ single megasite strategy, allowing more predictable global rollout of new AI capabilities. 
• This modular design combined with Azure Boost offload engines, liquid cooling systems, and optimized orchestration through CycleCloud and AKS aims to maximize GPU utilization and deliver better performance per dollar at cluster scale.

Oracle 

46:38 Oracle is Set to Power on New Data Center in Michigan

• Oracle is building a new data center in Saline Township, Michigan specifically to serve OpenAI’s infrastructure needs, marking another major cloud capacity expansion for AI workloads. 
• The facility will use closed-loop non-evaporative cooling systems that consume water comparable to an average office building rather than millions of gallons daily like traditional evaporative systems.
• The project includes a 17-year power agreement with DTE Energy where Oracle pays 100% of energy costs including new transmission lines and an onsite substation, with Michigan law prohibiting utilities from passing data center costs to existing ratepayers. 
• Oracle claims its large customer contribution to DTE’s fixed costs will reduce overall energy costs for other customers by approximately $300 million annually by 2029-2030.
• The facility will create 2,500 union construction jobs and 450 permanent on-site positions plus an estimated 1,500 jobs across Washtenaw County, with construction scheduled to begin in Q1 2026. The project includes $8 million annually for local schools, $1.6 million yearly in direct tax revenue for Saline Township, and over $14 million in community benefits.
• Oracle is developing only 250 of 575 acres with the remaining land protected as open space, farmland, wetlands and woodlands including 47.5 acres in conservation easement. 
• This represents Oracle’s 148th data center with 64 more under construction globally, though the company provides no specific pricing or service details for customers beyond OpenAI.

52:15 Ryan – “But are you trading the water concern for the high energy costs?”

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Let’s get started! 

Titles we almost went with this week

• SQL Me Maybe: AlloyDB Gets Chatty With Your Database **OpenAI
• SELECT * FROM natural_language WHERE accuracy LIKE ‘100%’ **Anthropic
• etcd You Were Worried About Database Limits: CloudWatch Has Your Back
• CSV You Later: Looker Adds Drag-and-Drop Data Uploads
• AWS Spots an Opportunity to Manage Your Container Costs
• EKS Network Policies: No More IP Address Whack-a-Mole
• AWS Security Hub Splits: It’s Not You, It’s CSPM
• Spot On: ECS Finally Manages Your Cheapest Compute
• TOON Squad: DigitalOcean’s New Format Makes JSON Look Bloated
• The Price is Wrong: AWS Breaks Two Decades of Downward Pricing Tradition
• Show Your Work: Why AI-Generated Code Without Tests is Just Expensive Spam
• No More Agent Orange: Google Simplifies VM Extension Deployment
• AWS Discovers Prices Can Go Both Ways, Raises GPU Costs 15 Percent
• Sovereignty Washing: When Your European Cloud Still Answers to Uncle Sam
• Agent Builder Gets a Memory Upgrade: Google’s AI Finally Remembers Where It Put Its Keys
• Ctrl+F for the Future: A year-end Scorecard & Next-Gen Bets
• AI Agents, GPU Prices, and The best of the Cloud Pod 2025
• Beyond the Hype: The Cloud Pods Definitive 2025 Year in Review
• Apocalypse Now… What? Our 2026 Forecast

Follow Up 

01:27 RYAN’S PREDICTIONS

Ryan Score: 2/3

02:25 MATTHEW’S PREDICTIONS

Matthew Score: 3/3

03:22 JONATHAN’S PREDICTIONS

Jonathan Score: 2.5/3

05:07 JUSTIN’S PREDICTIONS

Justin Score: 2.5/3

JONATHAN’S PREDICTIONS

Jonathan Score: 2.5/3

FINAL STANDINGS

Key Takeaways for the Pod

1. The AI model predictions were NAILED – All three major model releases happened exactly as predicted.
2. OpenAI’s dominance really did slip – Anthropic now leads enterprise, Gemini is surging, Sam issued “code red.”
3. AI agents are HERE – OpenAI Operator and Google AI Mode are booking real reservations.
4. AWS deprecation wave was massive – Way more than 5 services axed (but WorkMail survived!)
5. Edge AI exploded – Akamai, AWS, and others went all-in on inference at the edge.e

Solid predictions all around – Matthew takes the crown!

06:08 Jonathan – “That’s good; it only took us 6 years to know what the hell we’re talking about!” 

06:23 2025 Stats Review

• We covered 1,308 stories from 15 different, unique sources.
• Amazon accounted for 39% of those stories.
• Ryan’s favorite, Azure, made up 22.9% of the stories (Thanks, Matt…) 
• GCP was 38.1% of our news announcements. 
• The official blogs from cloud providers, including AWS, Azure, and GCP, made up the bulk of the sources for the above stories. 
• This is an interesting change from the first year we recorded, 2019, when AWS accounted for 73% of the announcements. 
• When it comes to host participation, only 6 shows had all four hosts participating. Justin was present for 95%, Ryan for 85%, Matt recorded 78% (not bad with a new baby, honestly), and we had Jonathan for 12 episodes. 
• We only had one guest, and increasing the number of guests is one of our 2026 resolutions, so thanks to Elise for joining us. 
• AI was mentioned 526 times, averaging 12.2x per episode (which seems low to the show note editor), and has definitely been growing each year exponentially. 
• Outages were discussed 19 times (boooo). 
• And we got to talk about our favorite topic, deep-sea cables, 5 times. 
• There were 58.9 hours of runtime over the course of 49 shows, with an average length of 72 minutes.
• The in memorium includes AWS Cloud Search, Glacier, Migration Hub, S3 Object Lambda, Azure Consumption API, dial-up internet, and RC4 encryption, among many others. RIP.  
• The most mentioned non-hyperscaler company was OpenAI, followed closely by Nvidia and Antropic. 
• Lastly, Justin has updated our show LLM Bolt, building a brand new data pipeline for the podcast, which will include show notes, transcripts, etc., all with a new AI-based search. Want to check it out? Join our Slack channel! 

16:28 Ryan – “I’m having a similar experience mostly in my day job… trying to use AI for different workloads and then falling back into more traditional technologies or different ways, and at first I thought it was just like old dog, new tricks, just falling back in the comfort zone. But I find more and more I’m identifying things that, you know, the large language models just are not good at. And I think a lot of stats and the metrics, it feels like it should be able to do that, right? Because it’s conversational and you’re building a corpus of data for the model to query and do all that, but that it really can’t, right? And so, fortunately, we do have machine learning technologies and the ability to do notebooks and stuff. And agentic can absolutely help you make the notebook, but it can’t do the analysis for you, which I find funny.”

To be a good vibe coder, you need to be an experienced programmer, you need to have business experience, and I don’t think the people who are vibe coding right now are getting really good results if they don’t have that kind of background.” 

https://tcp-media.s3.us-west-2.amazonaws.com/2025_year_in_review.html 

25:54 Favorite Announcements

• • Justin:
    • Amazon saying F*** your security to Microsoft was great. 
      • Episode 287: Recorded for the week of Jan 8th, 2025: The Cloud Pod rebrands to The Cloud AI so we can get a 1B valuation.
      • https://www.csoonline.com/article/3625205/amazon-refuses-microsoft-365-deployment-because-of-lax-cybersecurity.html
    • Episode 303 – Someday You Will Find Me, Caught beneath the AI Landslide, in a Champagne Premier Nova in the Sky, from May 18th.  
      • https://aws.amazon.com/blogs/aws/amazon-nova-premier-our-most-capable-model-for-complex-tasks-and-teacher-for-model-distillation/
    • Episode 288: Recorded for the week of Jan 14th, 2025: You might be able to retrain Notebook LM hosts to be less annoyed, but not your cloud pod hosts
      • https://www.theverge.com/2025/1/6/24337530/nvidia-ces-digits-super-computer-ai 
    • Episode 322: Recorded for September 16th, 2025: Did OpenAI and Microsoft break up?… It’s complicated
      • https://www.anthropic.com/news/claude-4 
  • Matt: 
    • Chime is dead: Update on Support for Amazon Chime 
      • episode 294: “Ding: Chime is Dead”** (recorded for the week of February 25th, 2025).
    • GitHub Will Prioritize Migrating to Azure Over Feature Development – The New Stack
      • Episode 317** (“I Got 99 Problems, But a Hallucination Ain’t One”).
      • https://thenewstack.io/github-will-prioritize-migrating-to-azure-over-feature-development/
    • Claude on Azure
      • **Episode 331** is where Claude’s big Azure announcement happened!
      • The episode title says it all: “Claude Gets a $30 Billion Azure Wardrobe and Two New Best Friends” (published November 18, 2025).
  • Ryan:
    • A2A protocol

• Jonathan:

• • DeepSeek is stirring things up
  • AWS Frontier Agents

47:35 2026 Predictions

• Matt
  • A Major GCP Outage will occur
  • A step forward in quantum computing (A quantum leap into 2026)
  • A new MicroHyperscaler will go into the market at the same level as Digital Ocean
• Justin
  • AI Layoff Regret
  • AI Agent Security Breach (Agent that breaches an organization and exfiltrates data)
  • AI-designed web instead of Eyeballs/Humans
• Ryan
  • Multi-Agent Orchestration will blow up in a big way. Major providers of more A2A integrations of workflows between services/clouds
  • Infrastructure as Code will turn into Infrastructure as Intent. 
  • Full Stack Media Creation company with AI? With CMS and Providence tracking and watermarking. Tooling/etc.
• Jonathan
  • Highly Visible company bankruptcy due to rising AI/GPU/Inference Costs.
  • Explosion of Competition against existing SaaS companies
  • An entirely AI-generated Podcast episode from the cloud pod

56:11 Ryan – “Trying to think through emerging threats on technology that I barely understand – because it’s coming out so fast – it’s changing the way we work. You’re already starting to see AI in attacks where groups of people are using AI to put together pretty sophisticated attacks on companies. It’s a lot easier for natural language speakers to generate content for spearfishing; it’s a lot easier for malicious actors to have an AI agent to do a bunch of research on a company real quick, and this is where I think it will be weak.” 

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Let’s get into it! 

Titles we almost went with this week

• From Roomba to Tomb-ba: How the Robot Vacuum Pioneer Got Cleaned Out **OpenAI
• From Napkin Sketch to Production: Google’s App Design Center Goes GA
• Terraform Gets a Canvas: Google Paints Infrastructure Design with AI
• Mickey Mouse Takes Off the Gloves: Disney vs Google AI Showdown
• From Data Silos to Data Solos: Google Conducts the Integration Orchestra
• No More Thread Dread: AWS Brings AI to JVM Performance Troubleshooting
• MCP: More Corporate Plumbing Than You Think
• GPT-5.2 Beats Humans at Work Tasks, Still Can’t Get You Out of Monday Meetings
• Kerberos More Like Kerbero-Less: Microsoft Axes Ancient Encryption Standard
• OpenAI Teaches GPT-5.2 to PowerPoint: Death by Bullet Points Now AI-Generated
• MCP: Like USB-C, But Everyone’s Keeping Theirs in the Drawer
• Flash Gordon: Google’s Gemini 3 Gets a Speed Boost Without the Sacrifice
• Tag, You’re It: AWS Finally Knows Who to Bill
• Snowflake Gets a GPT-5.2 Upgrade: Now With More Intelligence Per Query
• OpenAI and Snowflake: Making Data Warehouses Smarter Than Your Average Analyst
• GPT-5.2 Moves Into the Snowflake: No Melting Required

AI Is Going Great, or How ML Makes Money 

01:06 Meta’s multibillion-dollar AI strategy overhaul creates culture clash:

• Meta is developing Avocado, a new frontier AI model codenamed to succeed Llama, now expected to launch in Q1 2026 after internal delays related to training performance testing. 
• The model may be proprietary rather than open source, marking a significant shift from Meta’s previous strategy of freely distributing Llama’s weights and architecture to developers. We feel like this is an interesting choice for Meta, but what do we know? 
• Meta spent 14.3 billion dollars in June 2025 to hire Scale AI founder Alexandr Wang as Chief AI Officer and acquire a stake in Scale, while raising 2026 capital expenditure guidance to 70-72 billion dollars. 
  • Wang now leads the elite TBD Lab developing Avocado, operating separately from traditional Meta teams and not using the company’s internal workplace network.
• The company has restructured its AI leadership following the poor reception of Llama 4 in April, with Chief Product Officer Chris Cox no longer overseeing the GenAI unit. 
• Meta cut 600 jobs in Meta Superintelligence Labs in October, contributing to the departure of Chief AI Scientist Yann LeCun to launch a startup, while implementing 70-hour workweeks across AI organizations.
• Meta’s new AI leadership under Wang and former GitHub CEO Nat Friedman has introduced a “demo, don’t memo” development approach, replacing traditional multi-step approval processes with rapid prototyping using AI agents and newer tools. 
• The company is also leveraging third-party cloud services from CoreWeave and Oracle while building the 27 billion dollar Hyperion data center in Louisiana.
• Meta’s Vibes AI video product, launched in September, trails OpenAI’s Sora 2 in downloads, and was criticized for lacking features like realistic lip-synced audio, while the company increasingly relies on external AI models from Black Forest Labs and Midjourney rather than exclusively using internal technology.

02:23 Ryan – “I guess I really don’t understand the business of the AI models. I guess if you’re going to offer a chat service, you have to have a proprietary model, but it’s kind of strange.”

03:04 Disney says Google AI infringes copyright “on a massive scale” – Ars Technica

• Disney has issued a cease and desist letter to Google alleging copyright infringement through its generative AI models, claiming Google trained its systems on Disney’s copyrighted content without authorization and now enables users to generate Disney-owned characters like those from The Lion King, Deadpool, and Star Wars. 
• This represents one of the first major legal challenges from a content owner with substantial legal resources against a cloud AI provider.
• The legal notice targets two specific violations: Google’s use of Disney’s copyrighted works in training data for its image and video generation models, and the distribution of Disney character reproductions to end users through AI-generated outputs. 
  • Disney demands the immediate cessation of using its content and the implementation of safeguards to prevent the future generation of Disney-owned intellectual property.
• This case could establish important precedents for how cloud providers handle copyrighted training data and implement content filtering in AI services. 
• The outcome may force cloud AI platforms to develop more sophisticated copyright detection systems or negotiate licensing agreements with content owners before deploying generative models.
• Disney’s involvement brings considerable legal firepower to the AI copyright debate, as the company has historically shaped US copyright law through decades of litigation to protect its intellectual property. 
• Cloud providers offering generative AI services may need to reassess their training data sources and output filtering mechanisms to avoid similar legal challenges from other major content owners.

04:06 Ryan – “Disney – suing for copyright infringement – shocking.” 

04:54 Disney invests $1 billion in OpenAI, licenses 200 characters for AI video app Sora – Ars Technica

• Disney invests $1 billion in OpenAI and licenses over 200 characters from Disney, Marvel, Pixar, and Star Wars franchises for use in Sora video generator. 
• This marks the first major Hollywood studio content licensing deal for OpenAI’s AI video platform, which launched in late September and faced industry criticism over copyright concerns.
• The three-year licensing agreement allows Sora users to create short video clips featuring licensed Disney characters, representing a shift from OpenAI’s previous approach of training models on copyrighted material without permission. 
• This deal is notable given Disney’s history of aggressive copyright protection and lobbying that shaped modern US copyright law in the 1990s.
• OpenAI has been pursuing content licensing deals with major IP holders after facing multiple lawsuits over unauthorized use of copyrighted training data. 
• The company previously argued that useful AI models cannot be created without copyrighted material, but has shifted strategy since becoming well-funded through investments.
• The partnership aims to extend Disney’s storytelling reach through generative AI while addressing creator concerns about unauthorized use of intellectual property. 
• Disney CEO Robert Iger emphasized the company’s commitment to respecting and protecting creators’ works while leveraging AI technology for content creation.
• This deal could establish a precedent for how AI companies and content owners structure licensing agreements, potentially influencing how other studios and IP holders approach AI-generated content partnerships. 
• The financial terms suggest significant value in controlled character licensing for AI applications.

06:26 Ryan – “Is it just a way to get out of the lawsuit so they can generate the content?” 

07:12 The new ChatGPT Images is here | OpenAI

• OpenAI released GPT Image 1.5, their new flagship image generation model, now available in ChatGPT for all users and via API. 
• The model generates images up to 4x faster than the previous version and includes a dedicated Images feature in the ChatGPT sidebar with preset filters and prompts for quick exploration.
• The model delivers improved image editing capabilities with better preservation of original elements like lighting, composition, and people’s appearance across edits. 
• It handles precise modifications, including adding, subtracting, combining, and blending elements while maintaining consistency, making it suitable for practical photo edits and creative transformations.
• GPT Image 1.5 shows improvements in text rendering with support for denser and smaller text, better handling of multiple small faces, and more natural-looking outputs. 
• The model follows instructions more reliably than the initial version, enabling more intricate compositions where relationships between elements are preserved as intended.
• API pricing for GPT Image 1.5 is 20% cheaper than GPT Image 1 for both inputs and outputs, allowing developers to generate and iterate on more images within the same budget. 
• The model is particularly useful for marketing teams, ecommerce product catalogs, and brand work requiring consistent logo and visual preservation across multiple edits.
• The new ChatGPT Images model works across all ChatGPT models without requiring manual selection, while the earlier version remains available as a custom GPT. 
• Business and Enterprise users will receive access to the new Images experience later, with the API version available now through OpenAI Playground. 

07:38 Justin – “It’s very competitive against Nano Banana, and I was looking at some of the charts, and it’s already jumped to the top of the charts.” 

08:52 Introducing GPT-5.2 | OpenAI

• OpenAI has released GPT-5.2, now generally available in ChatGPT for paid users and via API as gpt-5.2, with three variants: Instant for everyday tasks, Thinking for complex work, and Pro for the highest-quality outputs. 
• The model introduces native spreadsheet and presentation generation capabilities, with ChatGPT Enterprise users reporting 40-60 minutes saved daily on average.
• GPT-5.2 Thinking achieves a 70.9% win rate against human experts on GDPval benchmark spanning 44 occupations and sets new records on SWE-Bench Pro at 55.6% (80% on SWE-bench Verified). 
• The model demonstrates 11x faster output generation and less than 1% the cost of expert professionals on knowledge work tasks, though human oversight remains necessary.
• Long-context performance reaches near 100% accuracy on the 4-needle MRCR variant up to 256k tokens, with a new Responses compact endpoint extending the effective context window for tool-heavy workflows. Vision capabilities show roughly 50% error reduction on chart reasoning and interface understanding compared to GPT-5.1.
• API pricing is set at $1.75 per million input tokens and $14 per million output tokens, with a 90% discount on cached inputs. 
• OpenAI reports that despite higher per-token costs, GPT-5.2 achieves a lower total cost for given quality levels due to improved token efficiency. 
• The company has no current plans to deprecate GPT-5.1, GPT-5, or GPT-4.1.
• The model introduces improved safety features, including strengthened responses for mental health and self-harm scenarios, plus a gradual rollout of age prediction for content protections. 
• GPT-5.2 was built on NVIDIA H100, H200, and GB200-NVL72 GPUs in Microsoft Azure data centers, with a Codex-optimized version planned for the coming weeks.

10:06 Ryan – “I’m happy to see the improved safety features because that’s come up in the news recently and had some high-profile events happen, where it’s become a concern, for sure. So I want to see more protection in that space from all the providers.” 

Cloud Tools

10:58 Cedar Joins CNCF as a Sandbox Project | AWS Open Source Blog

• Cedar is an open source authorization policy language that just joined CNCF as a Sandbox project, solving the problem of hard-coded access control by letting developers define fine-grained permissions as policies separate from application code. 
  • It supports RBAC, ABAC, and ReBAC models with fast real-time evaluation.
• The language stands out for its formal verification using the Lean theorem prover and differential random testing against its specification, providing mathematical guarantees for security-critical authorization logic. This rigor addresses the growing complexity of cloud-native authorization, where traditional ad-hoc systems fall short.
• Production adoption is already strong with users including Cloudflare, MongoDB, AWS Bedrock, and Kubernetes integrations like kubernetes-cedar-authorizer. 
• The CNCF move provides vendor-neutral governance and broader community access beyond AWS stewardship.
• Cedar offers an interactive policy playground and Rust SDK for developers to test authorization logic before deployment. 
• The analyzability features enable automated policy optimization and verification, reducing the risk of misconfigured permissions in production.
• The CNCF acceptance fills a gap in the cloud-native landscape for a foundation-backed authorization standard, complementing existing projects and potentially becoming the go-to solution as it progresses from Sandbox to Incubation status.

12:05 Ryan – “I think this kind of policy is going to be absolutely key to managing permissions going forward.” 

AWS

12:50 GuardDuty Extended Threat Detection uncovers a cryptomining campaign on Amazon EC2 and Amazon ECS | AWS Security Blog

• GuardDuty Extended Threat Detection identified a coordinated cryptomining campaign starting November 2, 2025, where attackers used compromised IAM credentials to deploy miners across EC2 and ECS within 10 minutes of initial access. 
• The new AttackSequence: EC2/CompromisedInstanceGroup finding correlated signals across multiple data sources to detect the sophisticated attack pattern, demonstrating how Extended Threat Detection capabilities launched at re:Invent 2025 can identify coordinated campaigns.
• The attackers employed a novel persistence technique using ModifyInstanceAttribute to disable API termination on all launched instances, forcing victims to manually re-enable termination before cleanup and disrupting automated remediation workflows. 
• They also created public Lambda endpoints without authentication and established backdoor IAM users with SES permissions, showing advancement in cryptomining persistence methodologies beyond typical mining operations.
• The campaign targeted high-value GPU and ML instances (g4dn, g5, p3, p4d) through auto scaling groups configured to scale from 20 to 999 instances, with attackers first using DryRun flags to validate permissions without triggering costs. The malicious Docker Hub image yenik65958/secret accumulated over 100,000 pulls before takedown, and attackers created up to 50 ECS clusters per account with Fargate tasks configured for maximum CPU allocation of 16,384 units.
• AWS recommends enabling GuardDuty Runtime Monitoring alongside the foundational protection plan for comprehensive coverage, as Runtime Monitoring provides host-level signals critical for Extended Threat Detection correlation and detects crypto mining execution through Impact:Runtime/CryptoMinerExecuted findings. 
• Organizations should implement SCPs to deny Lambda URL creation with an AuthType of NONE and monitor CloudTrail for unusual DryRun API patterns as early warning indicators.
• The attack demonstrates the importance of temporary credentials over long-term access keys, MFA enforcement, and least privilege IAM policies, as the compromise exploited valid credentials rather than AWS service vulnerabilities. GuardDuty’s multilayered detection using threat intelligence, anomaly detection, and Extended Threat Detection successfully identified all attack stages from initial access through persistence.

55:31 Justin – “Hackers have the same tools we do for development.” 

16:17 Amazon EKS introduces enhanced network policy capabilities | Containers

• Amazon EKS now supports Admin Network Policies and Application Network Policies, giving cluster administrators centralized control over network security across all namespaces while allowing namespace administrators to filter outbound traffic using domain names instead of maintaining IP address lists. 
• This addresses a key limitation of standard Kubernetes Network Policies, which only work within individual namespaces and lack explicit deny rules or policy hierarchies.
• The new Admin Network Policies operate in two tiers: Admin Tier rules that cannot be overridden by developers, and Baseline Tier rules that provide default connectivity but can be overridden by standard Network Policies. 
• This enables platform teams to enforce cluster-wide security requirements like isolating sensitive workloads or ensuring monitoring access while still giving application teams flexibility within those boundaries.
• Application Network Policies, exclusive to EKS Auto Mode clusters, add Layer 7 FQDN-based filtering to traditional Layer 3/4 network policies, solving the problem of managing egress to external services with frequently changing IP addresses. Instead of maintaining IP lists for SaaS providers or on-premises resources behind load balancers, teams can simply whitelist domain names like internal-api.company.com, and policies remain valid even when underlying IPs change.
• Requirements include Kubernetes 1.29 or later, Amazon VPC CNI plugin v1.21.0 for standard EKS clusters, and EKS Auto Mode for Application Network Policies with DNS filtering. 
• The feature is available now for new clusters, with support for existing clusters coming in the following weeks, though pricing remains unchanged, as this is a native capability of the VPC CNI plugin.

17:30 Ryan – “This is one of those things that’s showing a maturity level of container-driven applications. It’s been a while since security teams have been aware of some of the things you can do with network policies and routing, and so you want to empower your developers, but also being able to have a comprehensive way to ban and approve has been missing from a lot of these ingress controllers. So this is a great thing for security teams, and probably terrible for developers.” 

19:12 Automate java performance troubleshooting with AI-Powered thread dump analysis on Amazon ECS and EKS | Containers

• AWS has released an automated Java thread dump analysis solution that combines Prometheus monitoring, Grafana alerting, Lambda orchestration, and Amazon Bedrock AI to diagnose JVM performance issues in seconds rather than hours. 
• The system works across both ECS and EKS environments, automatically detecting high thread counts and generating actionable insights without requiring deep JVM expertise from operations teams.
• The solution uses Spring Boot Actuator endpoints for ECS deployments and Kubernetes API commands for EKS to capture thread dumps when Grafana alerts trigger. 
• Amazon Bedrock then analyzes the dumps to identify deadlocks, performance bottlenecks, and thread states while providing structured recommendations across six key areas, including executive summary and optimization guidance.
• Deployment is handled through CloudFormation templates available in the Java on AWS Immersion Day Workshop, with all thread dumps and AI analysis reports automatically stored in S3 for historical trending. 
• The architecture follows event-driven principles with modular components that can be extended to other diagnostic tools like heap dump analysis or automated remediation workflows.
• The system enriches JVM metrics with contextual tags, including cluster identification and container metadata, enabling the Lambda function to determine the appropriate thread dump collection method. This metadata-driven approach allows a single solution to handle heterogeneous container environments without manual configuration for each deployment type.
• Pricing follows standard AWS service costs for Lambda invocations, Bedrock LLM usage per token, S3 storage, and CloudWatch metrics, with no additional licensing fees for the open source monitoring components. 
• The solution addresses the common problem where only a handful of engineers on most teams can interpret thread dumps, democratizing JVM troubleshooting across operations teams.

20:55 Justin – “This tells me that if you have a bad container that crashes a lot, you could spend a lot of money on LLM usage for tokens analyzing your exact same crash dump every time. Do keep that in mind.” 

22:50 EC2 Auto Scaling now offers a synchronous API to launch instances inside an Auto Scaling group

• EC2 Auto Scaling introduces a new LaunchInstances API that provides synchronous feedback when launching instances, allowing customers to immediately know if capacity is available in their specified Availability Zone or subnet. 
• This addresses scenarios where customers need precise control over instance placement and real-time confirmation of scaling operations rather than waiting for asynchronous results.
• The API enables customers to override default Auto Scaling group configurations by specifying exact Availability Zones and subnets for new instances, while still maintaining the benefits of automated fleet management like health checks and scaling policies. Optional asynchronous retries are included to help reach the desired capacity if initial synchronous attempts fail.
• This feature is particularly useful for workloads that require strict placement requirements or need to implement fallback strategies quickly when capacity constraints occur in specific zones. Customers can now build more sophisticated scaling logic that responds immediately to capacity availability rather than discovering issues after the fact.
• Available immediately in all AWS Regions and GovCloud at no additional cost beyond standard EC2 and EBS charges. Customers can access the feature through AWS CLI and SDKs, with documentation available at https://docs.aws.amazon.com/autoscaling/ec2/userguide/launch-instances-synchronously.

23:47 Ryan – “I find that the things that it’s allowing you to tune – it’s the things that I moved to autoscaling for; I don’t want to deal with any of this nonsense. And so you still have to maintain your own orchestration, which understands which zone that you need to roll out to, because it’s going to have to call that API.” 

24:28 Announcing cost allocation using users’ attributes

• AWS now enables cost allocation based on workforce user attributes like cost center, division, and department imported from IAM Identity Center. 
• This allows organizations to automatically tag per-user subscription and on-demand fees for services like Amazon Q Business, Q Developer, and QuickSight with organizational metadata for chargeback purposes.
• The feature addresses a common FinOps challenge where companies struggle to attribute SaaS-style AWS application costs back to specific business units. Once user attributes are imported to IAM Identity Center and enabled as cost allocation tags in the Billing Console, usage automatically flows to Cost Explorer and CUR 2.0 with the appropriate organizational tags attached.
• This capability is particularly relevant for enterprises deploying Amazon Q Business or QuickSight at scale, where individual user subscriptions can quickly add up across departments. Instead of manually tracking which users belong to which cost centers, the system automatically associates costs based on existing identity data.
• The feature is generally available in all commercial AWS regions except GovCloud and China regions. 
• No additional pricing is mentioned beyond the standard costs of the underlying AWS applications being tracked.

25:26 Justin – “There’s lots of use cases; this gets interesting real quickly. It’s a really nice feature that I’m really happy about.”  

GCP

26:34 Introducing Gemini 3 Flash: Benchmarks, global availability

• Google launches Gemini 3 Flash in general availability, positioning it as a frontier intelligence model optimized for speed at reduced cost. 
• The model processes over 1 trillion tokens daily through Google’s API and replaces Gemini 2.5 Flash as the default model in the Gemini app globally at no cost to users.
• Gemini 3 Flash achieves strong benchmark performance with 90.4% on GPQA Diamond and 81.2% on MMMU Pro while running 3x faster than Gemini 2.5 Pro and using 30% fewer tokens on average for typical tasks. 
• Pricing is set at $0.50 per million input tokens and $3 per million output tokens, with audio input at $1 per million tokens.
• The model demonstrates strong coding capabilities with a 78% score on SWE-bench Verified, outperforming both the 2.5 series and Gemini 3 Pro. This makes it suitable for agentic workflows, production systems, and interactive applications requiring both speed and reasoning depth.
• Gemini 3 Flash is available through multiple channels, including Google AI Studio, Vertex AI, Gemini Enterprise, Google Antigravity platform, Gemini CLI, and Android Studio. 
• The model is also rolling out as the default for AI Mode in Search globally, combining real-time information retrieval with multimodal reasoning capabilities.
• Early enterprise adopters, including JetBrains, Bridgewater Associates, and Figma, are using the model for applications ranging from video analysis and data extraction to visual Q&A and in-game assistance. 
• The multimodal capabilities support real-time analysis of images, video, and audio content for actionable insights.

27:01 Justin – “This, just in general, is a pretty big improvement from not only the cost perspective, but also the overall performance, and the ability to run this on local devices, for like Android phones, is gonna be a huge breakthrough in LM performance on the device. So I suspect you’ll see a lot of Gemini 3 flash getting rolled out all over the place because it does a lot of things really darn well.”

28:16 Connect Google Antigravity IDE to Google’s Data Cloud services | Google Cloud Blog

• Google has integrated Model Context Protocol servers into its new Antigravity IDE, allowing AI agents to directly connect to Google Cloud data services, including AlloyDB, BigQuery, Spanner, Cloud SQL, and Looker. 
• The MCP Toolbox for Databases provides pre-built connectors that eliminate manual configuration, letting developers access enterprise data through a UI-driven setup process within the IDE.
• The integration enables AI agents to perform database administration tasks, generate SQL code, and run queries without switching between tools. 
• For AlloyDB and Cloud SQL, agents can explore schemas, develop queries, and optimize performance using tools like list_tables, execute_sql, and get_query_plan directly in the development environment.
• BigQuery and Looker connections extend agent capabilities into analytics and business intelligence workflows. 
• Agents can forecast trends, search data catalogs, validate metric definitions against semantic models, and run ad-hoc queries to ensure application logic matches production reporting standards.
• The MCP servers use IAM credentials or secure password storage to maintain security while giving agents access to production data sources. This approach positions Antigravity as a data-aware development environment where AI assistance is grounded in actual enterprise data rather than abstract reasoning alone.
• The feature is available now through the Antigravity MCP Store with documentation at cloud.google.com/alloydb/docs and the open-source MCP Toolbox on GitHub at googleapis/genai-toolbox. 
• No specific pricing information was provided for the MCP integration itself, though standard data service costs for AlloyDB, BigQuery, and other connected services apply.

29:15 Announcing official MCP support for Google services | Google Cloud Blog

• Google now offers fully-managed, remote Model Context Protocol (MCP) servers for its services, eliminating the need for developers to deploy and maintain individual local MCP servers. 
• This provides a unified, enterprise-ready endpoint for connecting AI agents to Google and Google Cloud services with built-in IAM, audit logging, and Model Armor security.
• Initial MCP support launches for four key services: Google Maps Platform for location grounding, BigQuery for querying enterprise data in-place, Compute Engine for infrastructure management, and GKE for container operations. Additional services, including Cloud Run, Cloud Storage, AlloyDB, Spanner, and SecOps, will receive MCP support in the coming months.
• Apigee integration allows enterprises to expose their own custom APIs and third-party APIs as discoverable tools for AI agents, extending MCP capabilities beyond Google services to the broader enterprise stack. 
• Organizations can use Cloud API Registry and Apigee API Hub to discover and govern available MCP tools across their environment.
• The implementation enables agents to perform complex multi-step workflows like analyzing BigQuery sales data for revenue forecasting while simultaneously querying Google Maps for location intelligence, all through standardized MCP interfaces. 
• This approach keeps data in place rather than moving it into context windows, reducing security risks and latency.

30:34 MCP support for Apigee | Google Cloud Blog

• Apigee now supports Model Context Protocol (MCP), allowing organizations to expose their existing APIs as tools for AI agents without writing code or managing MCP servers. Google handles the infrastructure, transcoding, and protocol management while Apigee applies its 30+ built-in policies for authentication, authorization, and security to govern agentic interactions.
• The implementation automatically registers deployed MCP proxies in Apigee API hub as searchable MCP APIs, enabling centralized tool catalogs and granular access controls through API products. 
• Organizations can apply quota policies and identity controls to restrict which agents and clients can access specific MCP tools, with full visibility through Apigee Analytics and the new API Insights feature.
• Integration with Google’s Agent Development Kit (ADK) provides streamlined access to Apigee MCP endpoints for developers building custom agents, with an ApigeeLLM wrapper available for routing LLM calls through Apigee proxies. 
• The feature works with multiple agent frameworks, including LangGraph, though ADK users get optimized tooling for the Google ecosystem, including Vertex AI Agent Engine and Gemini Enterprise deployment options.
• Security capabilities extend beyond standard API protection to include Cloud Data Loss Prevention for sensitive data classification and Model Armor for defending against prompt injection attacks. 
• The feature is currently in preview with select customers, requiring contact with Apigee or Google Cloud account teams for access, with no pricing information disclosed yet.

31:07 Ryan – “I just did some real-time analysis about the features of the MCP and then also the browser and stuff. It’s one of those things where it is the newer model of coding, where you’re having distributed agents do tasks, and that, so the new IDs are taking advantage of that… And it is a VS Code fork. So it’s very comfortable to your VS Code users.”

32:05 Application Design Center now GA | Google Cloud Blog

• Google’s Application Design Center reaches general availability as a visual, AI-powered platform for designing and deploying Terraform-backed application infrastructure on GCP. 
• The service integrates with Gemini Cloud Assist to let users describe infrastructure needs in natural language and receive deployable architecture diagrams with Terraform code, while automatically registering applications with App Hub for unified management.
• The platform addresses platform engineering needs by providing a curated catalog of opinionated application templates, including specialized GKE templates for AI inference workloads using various LLM models. 
• Organizations can bring their own Terraform configurations from Git repositories and combine them with Google-provided components to create standardized infrastructure patterns for reuse across development teams.
• New GA features include public APIs and gcloud CLI support, VPC service controls compatibility, and GitOps integration for CI/CD workflows. 
• The service offers application template revisions as an immutable audit trail and automatically detects configuration drift between intended designs and deployed applications to maintain compliance.
• The platform is available free of cost for building and deploying application templates, with pricing details at cloud.google.com/products/application-design-center/pricing. 
• Integration with Cloud Hub provides operational insights and a unified control plane for managing application portfolios across the organization.
• Platform teams can create secure, shareable catalogs of approved templates that give developers self-service access to compliant infrastructure while maintaining governance and security standards. 
• The service supports downloading templates as infrastructure-as-code for direct editing in local IDEs with changes flowing through standard Git pull request workflows.

33:10 Ryan – “It’s kind of the pangea that everyone’s been hoping for, for a long time. With AI making it possible. Being able to plain text speak your infrastructure into existence…I definitely like this model better than like Beanstalk or the hosted application model, which has been the solution until this. This is the answer I want.” 

Azure

34:30 Microsoft will finally kill obsolete cipher that has wreaked decades of havoc – Ars Technica

• Microsoft is deprecating RC4 encryption in Windows Active Directory after 26 years of default support, following its role in major breaches, including the 2024 Ascension healthcare attack that affected 5.6 million patient records. 
• The cipher has been cryptographically weak since 1994 and enabled Kerberoasting attacks that have compromised enterprise networks for over a decade.
• Windows servers have continued to accept RC4-based authentication requests by default even after AES support was added, creating a persistent attack vector that hackers routinely exploit. 
• Senator Ron Wyden called for an FTC investigation of Microsoft in September 2025 for gross cybersecurity negligence related to this default configuration.
• The deprecation addresses a fundamental security gap in enterprise identity management that has existed since Active Directory launched in 2000. Organizations using Windows authentication will need to ensure their systems are configured to use AES encryption and disable RC4 fallback to prevent downgrade attacks.
• This change affects any organization running Active Directory for user authentication and access control, particularly those in healthcare, finance, and other regulated industries where credential theft can lead to catastrophic breaches. (Or literally anyone running Windows.) 
• The move comes after years of security researchers and government officials pressuring Microsoft to remove the obsolete cipher from default configurations.

36:06 Ryan – “It’s so complex, everyone just accepts the defaults just to get it up and going, and if you don’t know how compromised the cipher is, you don’t really prioritize getting back and fixing the encryption. So I’m really happy to see this; it’s always been a black mark that’s made me not trust Windows.” 

37:11 Azure Storage innovations: Unlocking the future of data 

• Azure Blob Storage now scales to exabytes with 50+ Tbps throughput and millions of IOPS, specifically architected to keep GPUs continuously fed during AI training workloads. 
• The platform powers OpenAI’s model training and includes a new Smart Tier preview that automatically moves data between hot, cool, and cold tiers based on 30 and 90-day access patterns to optimize costs without manual intervention.
• Azure Ultra Disk delivers sub-0.5ms latency with 30% improvement on Azure Boost VMs, scaling to 400K IOPS per disk and up to 800K IOPS per VM on new Ebsv6 instances. 
• The new Instant Access Snapshots preview eliminates pre-warming requirements and reduces recovery times from hours to seconds for Premium SSD v2 and Ultra Disk, while flexible provisioning can reduce total cost of ownership by up to 50%.
• Azure Managed Lustre AMLFS 20 preview supports 25 PiB namespaces with 512 GBps throughput, featuring auto-import and auto-export capabilities for seamless data movement between AMLFS and Azure Blob Storage. 
• This addresses the specific challenge of training AI models at terabyte and petabyte scale by maintaining high GPU utilization through parallel I/O operations.
• Azure Files introduces Entra-only identity support for SMB shares, eliminating the need for on-premises Active Directory infrastructure and enabling cloud-native identity management, including external identities for Azure Virtual Desktop. Storage Mover adds cloud-to-cloud transfers and on-premises NFS to Azure Files NFS 4.1 migration, while Azure NetApp Files large volumes now scale to 7.2 PiB capacity with 50 GiBps throughput, representing a 3x and 4x increase, respectively.
• Azure Native offers now include Pure Storage and Dell PowerScale for customers wanting to migrate existing on-premises partner solutions to Azure using familiar technology stacks. The Storage Migration Program provides access to partners like Atempo, Cirata, Cirrus Data, and Komprise for SAN and NAS workload migrations, with a new Storage Migration Solution Advisor in Copilot to streamline decision-making. Pricing details were not disclosed in the announcement.

38:26 Ryan – “It just dawned on me, as you’re reading through here… this is interesting; getting all this high performance from object stores just sort of blows my mind. And then I realized that all these sorts of ‘cloud file systems’ have been backed underneath by these object stores for a long time; like, of course, they need this.”

39:49 Future-Ready Cloud: Microsoft’s U.S. Infrastructure Investments

• Microsoft is expanding its U.S. datacenter footprint with a new East US 3 region launching in Greater Atlanta in early 2027, plus adding Availability Zones to five existing regions by the end of 2027. 
• The Atlanta, Georgia region will support advanced AI workloads and feature zone-redundant storage for improved application resilience, designed to meet LEED Gold certification standards for sustainability.
• The expansion adds Availability Zones to North Central US, West Central US, and US Gov Arizona regions, plus enhances existing zones in East US 2 Virginia and South Central US Texas. 
• This provides customers with more options for multi-region architectures to improve recovery time objectives and meet compliance requirements like CMMC and NIST guidance for government workloads.
• Azure Government customers get dedicated infrastructure expansion with three Availability Zones coming to US Gov Arizona in early 2026, specifically supporting Defense Industrial Base requirements. 
• This complements the Azure for US Government Secret cloud region launched earlier in 2025, offering an alternative to US Gov Virginia for latency-sensitive and mission-critical deployments.
• The infrastructure investments support organizations like the University of Miami using Availability Zones for disaster recovery in hurricane-prone regions, and the State of Alaska consolidating legacy systems while improving reliability. 
• Microsoft emphasizes its global network of over 70 regions, 400 datacenters, and 370,000 miles of fiber as a foundation for resilient cloud strategies using its Cloud Adoption Framework and Well-Architected Framework guidance.
• ai.azure.com for building production-ready AI agents.

40:33 Ryan – “AI is definitely driving a lot of this, but like with large data sets, you don’t really want that distributed globally. But I also think that they’re just purely running out of space.”

41:17 Azure Networking Updates: Secure, Scalable, and AI-Optimized

• Azure is tripling down on AI infrastructure with its global network now reaching 18 petabits per second of total capacity, up from 6 Pbps at the end of FY24. 
• The network spans over 60 AI regions with 500,000 miles of fiber and 4 Pbps of WAN capacity, using InfiniBand and high-speed Ethernet for lossless data transfer between GPU clusters.
• NAT Gateway Standard V2 enters public preview with zone redundancy by default at no additional cost, delivering 100 Gbps throughput and 10 million packets per second. 
• This joins ExpressRoute, VPN, and Application Gateway in offering zone-resilient SKUs as part of Azure’s resiliency-by-default strategy.
• Security updates include DNS Security Policy with Threat Intel now generally available for blocking malicious domains, Private Link Direct Connect in preview for extending connectivity to any routable private IP, and JWT validation at Layer 7 in Application Gateway preview to offload token validation from backend servers.
• ExpressRoute is getting 400G direct ports in select locations starting in 2026 for multi-terabit throughput, while VPN Gateway, now generally available, supports 5 Gbps single TCP flow and 20 Gbps total throughput with four tunnels. 
• Private Link scales to 5,000 endpoints per VNet and 20,000 across peered VNets.
• Container networking improvements for AKS include eBPF Host Routing for lower latency, Pod CIDR Expansion without cluster redeployment, WAF for Application Gateway for Containers now generally available, and Azure Bastion support for private AKS cluster access.

42:45 Ryan – “If you have those high-end network throughput needs, that’s fantastic! It’s been a while since I’ve really got into cloud at that deep layer, but I do remember in AWS the VPN limitations really biting; it was easy to hit those limits really fast.” 

After Show 

44:22 Roomba maker iRobot swept into bankruptcy

• iRobot’s bankruptcy marks the end of an era for the company that pioneered consumer robotics with the Roomba, now being acquired by its Chinese supplier Picea Robotics after losing ground to cheaper competitors. 
• The stock crashed from Amazon’s $52 offer in 2023 to just $4, showing how quickly market leaders can fall when undercut on price.
• The failed Amazon acquisition in 2023 due to EU antitrust concerns looks particularly painful in hindsight, as iRobot might have been better off with Amazon’s resources than facing bankruptcy. 
• This highlights how regulatory decisions intended to preserve competition can sometimes accelerate a company’s decline instead.
• For cloud professionals, this demonstrates how hardware IoT companies struggle without strong cloud services and ecosystem lock-in that could justify premium pricing. iRobot’s inability to differentiate beyond hardware shows why companies like Amazon, Google, and Apple integrate devices tightly with their cloud platforms.
• The Chinese supplier takeover raises questions about data privacy and security for the millions of Roombas already mapping homes worldwide. 
• This could become a cautionary tale about supply chain dependencies and what happens when your manufacturer becomes your owner.
• Founded by MIT engineers in 1990 and selling 40 million devices, iRobot’s fall shows that innovation alone isn’t enough without sustainable competitive advantages in manufacturing costs and ongoing software value.
• This is a sad day, especially if you’re a fan of all things serverless, as they were the poster child of all things serverless.  

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• EKS Gets Chatty: Natural Language Replaces Command Line Nightmares
• Harvest Now, Decrypt Later: Why Your RSA Keys Need a Quantum Makeover Before 2026
• NAT So Fast: AWS Helps You Find Gateways Doing Absolutely Nothing
• AWS Finally Admits You Have Too Many Log Buckets
• AWS Finally Lets You Log In Like a Normal Human
• Lambda Gets a Memory: Checkpoint Your Way to Multi-Step Workflows
• Step Functions at Home: Lambda Durable Functions Let You Write Workflows in Actual Code
• No More Bucket List: S3 Public Access Gets Organization-Wide Lockdown
• AWS Hits Ctrl-Z on CodeCommit Deprecation
• AWS Puts a Cap on CloudFront: Unlimited Traffic, Limited Anxiety
• AWS Tells SQL Server to Take a Thread Off: Optimize CPU Cuts Costs by 55%
• Amazon Bedrock Gets a Bouncer: AgentCore Identity Checks IDs at the Door
• AI Brings on the Developer Renaissance

Follow Up 

01:27 re:Invent 

• Matt Garman- 14th Reinvent, which is weird, since we’ve been doing cloud stuff for 87 years…
• Warner – Open Mind for a different View and nothing else matters T-shirt.

02:59 re:Invent predictions

Jonathan

1. 1. Serverless GPU support (extension in Lambda or a different service), it’s about time we have a serverless GPU/Inference capability.
      1. It is talked about in the keynote with DeSantis.

• AI Agent with a goal/instructions that can run when they need to, periodically, or always, and perform an action (Agentic Platform that runs agents) –

•  Garman – Bedrock AgentCore and Kiro Autonomous Agent

• Werner will announce this is his last keynote and he will retire

• He retired from re:Invent Presentations

Ryan

• New Tranium 3 chips, Inferentia, and Graviton chips

• Garman – announced Tranium 3 Ultraservers.

• They brought the Rack Ryan

• Expand the number of models in or via bedrock

• Doubled the number of models and announced Gemma, Minimax M2, Nvidia Nemotron, Mistral Large, and Mistral 3
• Refresh to AWS Organizations

Justin

• New Nova Model & Sonic with Multi-modal

• Garman Nova 2 – Lite, Pro, and Sonic (the lack of Sonic the Hedgehog/Sega reference is a shame)

• Nova 2 Omni

• Announce a partnership with OpenAI (likely on stage)

1. 1. 1. Not announced as new, but said they’re running on AWS and that EC2 Ultraservers are in use. 

• Advanced Agentic AI Capabilities for Security Hub (Automate the SOC teams)

• Garman – Advanced Agentic AI Capabilities for Security Hub – with NEW AWS Security Agent

Matt

1. A model router to route LLM queries to different AI models
2. Well-architected framework expansion 
3. End user Authentication that doesn’t suck (not current Cognito)

Tie Breaker – How many times will they say AI or Artificial Intelligence

Matt: 200

Justin: 160

Ryan: 99 Jonathan: 1

Matt Garman’s Keynote: 77

DeSantis’ Keynote: 31

Swami: 44

Werner: 31

Total: 183

This means Justin wins this year!

10:05 Honorable Mentions:

• • Mathematical Proof that one of Amazon’s Models has output that can be verifiable with math

• Marketplace for AI Work

• • New Device to go along with the Nova Models
  • Cost Savings for Networking
  • FinOps AI recommender for Model Usage
  • Savings Plans for AI/Bedrock Models
  • S3 Vectors with integration bedrock
  • FinOps Kubernetes Service

• Q Developer with Autonomous Agents

• Next Generation Silicone for a combined TPU competitor, ie GPU/Graviton/Learning
• Bedrock Model Marketplace with Revenue Share for fine-tuned models (Ryan)
• Sustainability Dashboard
• Aurora/DSQL is an AI feature

AWS

11:59 re:Invent keynote Recap

• Matt – started the weekend strong, although we struggled with his keynotes. (Sounds like he could use a good copywriter to help with his speeches.) 
• Swami – Solid B from us, but that’s because we’re not super interested in his topics. Sorry. 
• Peter – we enjoyed this one more. Cool tech, lots of mentions, and one of the better presenters. A for him. 
• Werner – Great Intro Video. Welcome to the Renaissance Coder

15:00 A Quick Recap 

Look.  We know you care about non-AI things (and so do we), so we’re going to do 25 exciting new announcements in 10 minutes. x8, elon instance, c8a, c8ine instances, m8azn, m3 and m4 max macs, lambda durable functions, 50tb s3 object, s3 batch ops 10x faster, intelligent tiering for s3 tables, automatic replication for s3 tables, s3 access points for FSX netapp, S3 Vectors, GPU Index for Amazon Opensearch, Amazon EMR Serverless with no storage provisioning, Guardduty to ECS & Ec2, Security Hub is GA, Unified data store in cloudwatch, Increases STorage for SQL and Oracle RDS, Optimize CPus for RDS for SQL server, SQL Server Development support, Database Savings Plans. 2 hours on AI…when we would have been really happy with all of THIS as the keynote. 

26:08 AI/ML & Amazon Bedrock

• Bedrock Service Tiers (Priority/Standard/Flex) – Match AI workload performance with cost
• Bedrock Reserved Service Tier – Pre-purchase guaranteed tokens-per-minute capacity with 99.5% SLA
• Bedrock AgentCore – Policy controls, evaluations, episodic memory for AI agents
• Bedrock Reinforcement Fine-tuning – RLVR and RLAIF for model customization
• Amazon Nova 2 Lite – Fast, cost-effective reasoning model with configurable thinking
• Nova Forge – Build your own foundational models
• 18 New Open Weight Models – Mistral Large 3, Ministral 3 variants, others
• Amazon Q Developer Cost Management – Natural language queries for AWS spending analysis
• SageMaker Serverless Customization – Automated infrastructure for fine-tuning
• SageMaker HyperPod – Checkpointless and elastic training capabilities
• AWS Clean Rooms ML – Privacy-enhancing synthetic dataset generation
• AgentCore Evaluations – Continuously inspect agent quality based on real-world behavior

29:09 Ryan – “I do agree with you that no one should be building their own foundational models unless it’s really, truly built on a data set that’s unique, but I do think that everyone should go through the exercise of building a model to understand how AI works.” 

30:58 Compute (EC2 & Lambda)

• EC2 P6-B300 Instances – NVIDIA Blackwell Ultra GPUs, 6.4Tbps networking
• EC2 X8aedz Instances – AMD EPYC 5GHz, memory-optimized for EDA/databases
  • X Æ A-Xii Musk
• EC2 C8a Instances – AMD EPYC Turin, 30% higher compute performance
• EC2 M9g Instances – Graviton5 powered, 25% better than Graviton4
• Graviton5 Processor – 192 cores, 5x larger cache
• Lambda Tenant Isolation Mode – Built-in multi-tenant separation
• Lambda Managed Instances – Run Lambda on your EC2 with AWS management
• Lambda Durable Functions – Multi-step workflows with automatic state management
• AWS AI Factories – Cloud-scale AI infrastructure in customer data centers|

33:46 Matt – “I feel like we should have seen this coming, given that they just released the ECS management system a couple of months ago, and it feels like the next step.” 

42:24 Containers (EKS & ECS)

• EKS Capabilities – Managed Argo CD, ACK, KRO in AWS-owned infrastructure
• EKS MCP Server – Natural language Kubernetes management (preview)
• EKS Container Network Observability – Service maps, flow tables, performance metrics
• EKS/ECS Amazon Q Troubleshooting – AI-powered console diagnostics
• ECS Express Mode – Simplified deployment with automatic ALB, domains, HTTPS

43:36 Ryan – “I think this is what I’ve always wanted Beanstalk and Lightsail to be, is this service. This, for me, feels like the best of both worlds.” 

45:34 Networking & Content Delivery

• CloudFront Flat-Rate Pricing – Bundled delivery, WAF, DDoS protection ($0-$1K/month tiers)
• VPN Concentrator – 25-100 low-bandwidth sites via a single Transit Gateway attachment
• Route 53 Accelerated Recovery – 60-minute RTO for DNS during regional outages
• Route 53 Global Resolver (preview) – Anycast DNS for remote/distributed clients
• NAT Gateway Regional Availability – Auto-scale across AZs, simplified management
• VPC Encryption Controls – Enforce encryption in transit within/across VPCs
• Network Firewall Proxy (preview) – Explicit proxy for outbound traffic filtering

50:29 Ryan – “If you’ve ever had to do any kind of compliance evidence, that’s the reason why this exists and that’s why I love it so much. The song and dance that you have to do to illustrate your use of encryption across your environment is painful.”

53:14 Storage (S3 & FSx)

• S3 Vectors GA – Native vector support, 2B vectors/index, 20T vectors/bucket
• S3 Tables Replication & Intelligent-Tiering – Cross-region/account Iceberg replication
• S3 Storage Lens Enhancements – Performance metrics, billions of prefixes, S3 Tables export
• S3 Encryption Controls – Bucket-level encryption type enforcement
• S3 Block Public Access – Organization-level enforcement
• S3 50TB Object Size – 10x increase from previous 5TB limit
• FSx for NetApp ONTAP S3 Access Points – Access file data via S3 API

54:38 Matt – “This is just a nice quality of life improvement.” 

58:24 Databases

• Aurora DSQL Cost Estimates – Statement-level DPU usage in query plans
• Aurora PostgreSQL Dynamic Data Masking – pg_columnmask extension
• OpenSearch 3.3 – Agentic search, semantic highlighter improvements
• OpenSearch GPU Acceleration – 6-14x faster vector indexing
• RDS SQL Server/Oracle Optimizations – Free Developer Edition, 256 TiB storage, CPU optimization
• RDS SQL Server Resource Governor – Workload resource control
• Database Savings Plans – Up to 35% savings across 9 database services

1:01:01 Justin – “This is quite nice, and quite broad, so they definitely heard all of the community saying please bring us database savings plans.” 

1:03:33 Security & Identity

• Security Hub GA – Near real-time analytics, risk prioritization, Trends feature
• Secrets Manager External Secrets – Managed rotation for Salesforce, Snowflake, BigID
• IAM Outbound Identity Federation – Short-lived JWTs for external service authentication
• AWS login CLI Command – Eliminate long-term access keys with OAuth 2.0
• WAF Web Bot Auth – Cryptographic signature verification for legitimate AI agents
• Agentcore Identity 
• GuardDuty Extended Threat Detection – EC2/ECS multistage attack correlation
• AWS Security Agent (preview) – AI-powered security reviews, code scanning, pen testing
• IAM Policy Autopilot – Open source MCP server for generating IAM policies from code.

1:08:18 Matt – “…it’s definitely competing with Azure releasing the same thing during their conference. The piece I like about this is the pen test piece because it now lives in your source code, which you probably already have in SCA or a static code analysis tool.”

1:11:46 Cost Management & FinOps

• Cost Explorer 18-Month Forecasting – Extended from 12 months to 18 months, explainable with AI (in preview).
• Cost Efficiency Metric – Single percentage score combining optimization opportunities.
• AWS Data Exports FOCUS 1.2 – Standardized multi-cloud billing format
• Billing Transfer – Centralized billing across multiple Organizations
• Compute Optimizer NAT Gateway Recommendations – Identify unused NAT Gateways

1:14:09 Developer Tools & Modernization

• Step Functions Local Testing – TestState API with mocking support
• AWS Transform Custom – AI-powered code modernization (Java, Node.js, Python)
• AWS Transform Mainframe – COBOL to microservices with automated testing
• API Gateway Developer Portals – Native API discovery and documentation
• CodeCommit Restored to GA – Git LFS (Q1 2026), regional expansion (Q3 2026)
• AWS Transform Windows – Full-stack .NET/SQL Server modernization
• CloudWatch Unified Data Management – Consolidated ops/security/compliance logs
• CloudWatch Deletion Protection – Prevent accidental log group removal. 
• CloudWatch Network Flow Monitor – Container network observability for EKS

1:18:09 Matt – “I mean, I hope all customers have some sort of plan, knowing that I’ve seen many companies say ‘we got this notice six months ago, we’ll deal with it in six months’ and now it’s three weeks and six days, and it expires tomorrow…there’s probably a lot of customers still there.” 

1:20:58 Observability & Monitoring

• CloudWatch Unified Data Management – Consolidated ops/security/compliance logs
• CloudWatch Deletion Protection – Prevent accidental log group removal
• CloudWatch Network Flow Monitor – Container network observability for EKS

1:21:39 Governance & Management

• Control Tower Controls Dedicated – Use managed controls without a full landing zone.
• Service Quotas Automatic Management – Auto-adjust limits based on usage
• Supplementary Packages for Amazon Linux – Pre-built EPEL9 packages
• AMI Ancestry – Automatic lineage tracking for AMIs

1:23:05 Matt – “I’ve built three different ways to do this in my career. You always want to know where it came from, so if there’s a vulnerability, you know where to start patching and go up from there…but if you have multiple teams, it’s hard to track. So knowing I can track it is a godsend.” 

1:25:35 DevOps & Operations

• AWS DevOps Agent (preview) – Autonomous incident investigation and root cause analysis
• AWS Support Plan Restructure – Business Support+ ($29/mo), Enterprise ($5K/mo), Unified Ops ($50K/mo)

1:26:41 Ryan – “I hope this ends up being decent service, but in my head I’m thinking they’re lowering the cost because they’re getting rid of all their support staff.” 

1:29:29 Marketplace & Partner

• Partner Central in Console – Unified customer/partner experience
• Multi-Product Solutions – Bundled offerings from multiple vendors
• CrowdStrike Falcon Integration – Automated SIEM setup wizard

1:30:15 Connectivity & Contact Center

• Amazon Connect Predictive Insights (preview) – AI-powered recommendations
• Amazon Connect MCP Support – Standardized tools for AI agents

Noteable Announcments We Didn’t Cover in the Show:

• AWS announces flat-rate pricing plans for website delivery and security
• Accelerate workflow development with enhanced local testing in AWS Step Functions
• Streamlined multi-tenant application development with tenant isolation mode in AWS Lambda
• AWS Control Tower introduces a Controls Dedicated experience
• Monitor network performance and traffic across your EKS clusters with Container Network Observability 
• New AWS Billing Transfer for centrally managing AWS billing and costs across multiple organizations
• AWS Cost Explorer now provides 18-month forecasting and explainable AI-powered forecasts
• Announcing enhanced cost management capabilities in Amazon Q Developer
• Simplify access to external services using AWS IAM Outbound Identity Federation
• Introducing AWS Glue 5.1
• Tech predictions for 2026 and beyond | All Things Distributed
• Introducing multi-product solutions in AWS Marketplace

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• Boring Error Pages Not Found
• Claude Goes Native in Snowflake: Finally, AI That Stays Where Your Data Lives
• Cross-Cloud Romance: AWS and Google Make It Official with Interconnect
• Google Gemini Puts OpenAI in Code Red: The Tables Have Turned
• Azure NAT Gateway V2: Now With More Zones Than a Parking Lot
• From ChatGPT to Chat-Uh-Oh: OpenAI Sounds the Alarm as Gemini Steals 200 Million 
•       Users **Anthropic
• Scheduled Actions: Because Your VMs Need a Work-Life Balance Too
• Finally, Your 500 Errors Can Look as Good as Your Homepage
• Foundry Model Router: Because Choosing Between 47 AI Models is Nobody’s Idea of Fun
• Google Takes the Scenic Route: New Cable Avoids the Sunda Strait Traffic Jam
• Azure Application Gateway Gets Its TCP/IP Diploma
• Google Cloud Gets Its Türkiye Dinner: 2 Billion Dollar Cloud Feast Coming Soon
• Microsoft Foundry: Turning AI Chaos into Compliance Gold

AI Is Going Great, or How ML Makes Money 

02:59 Nano Banana Pro available for enterprise

• Google launches Nano Banana Pro (Gemini 3 Pro Image) in general availability on Vertex AI and Google Workspace, with Gemini Enterprise support coming soon.
• The model supports up to 14 reference images for style consistency and generates 4K resolution outputs with multilingual text rendering capabilities.
• The model includes Google Search grounding for factual accuracy in generated infographics and diagrams, plus built-in SynthID watermarking for transparency. Copyright indemnification will be available at general availability under Google’s shared responsibility framework.
• Enterprise integrations are live with Adobe Firefly, Photoshop, Canva, and Figma, enabling production-grade creative workflows. Major retailers, including Klarna, Shopify, and Wayfair, report using the model for product visualization and marketing asset generation at scale.
• Developers can access Nano Banana Pro through Vertex AI with Provisioned Throughput and Pay As You Go pricing options, plus advanced safety filters. Business users get access through Google Workspace apps, including Slides, Vids, and NotebookLM, starting today.
• The model handles complex editing tasks like translating text within images while preserving visual elements, and maintains character and brand consistency across multiple generated assets. This addresses a key enterprise challenge of maintaining creative control when using AI for production assets.

03:59 Justin – “The thing that’s the most important about this is when Nano Banana messes up the text (which it doesn’t do as often), you can now edit it without generating a whole completely different image.” 

05:58 Introducing Claude Opus 4.5 

• Claude Opus 4.5 is now generally available across Anthropic’s API, apps, and all three major cloud platforms at $5 per million input tokens and $25 per million output tokens. This represents a substantial price reduction that makes Opus-level capabilities more accessible.
• Developers can access it via the claude-opus-4-5-20251101 model identifier.
• The model achieves state-of-the-art performance on software engineering benchmarks, scoring higher than any human candidate on Anthropic’s internal performance engineering exam within a 2-hour time limit on SWE-bench Verified. It matches Sonnet 4.5‘s best score while using 76% fewer output tokens at medium effort, and exceeds it by 4.3 percentage points at highest effort while still using 48% fewer tokens.
• Anthropic introduces a new effort parameter in the API that lets developers control the tradeoff between speed and capability, allowing optimization for either minimal time and cost or maximum performance depending on the task requirements. 
  • This combines with new context management and memory capabilities to boost performance on agentic tasks by nearly 15 percentage points in testing.
• Claude Code gains Plan Mode that builds a user-editable plan.md files before execution, and is now available in the desktop app for running multiple parallel sessions. The consumer apps remove message limits for Opus 4.5 through automatic context summarization, and Claude for Chrome and Claude for Excel expand to all Max, Team, and Enterprise users.
• The model demonstrates improved robustness against prompt injection attacks compared to other frontier models and is described as the most robustly aligned model Anthropic has released. 
  • It shows better performance across vision, reasoning, and mathematics tasks while using dramatically fewer tokens than predecessors, reaching similar or better outcomes.

08:01 Justin – “The most important part of the whole announcement is the cheaper context input and output tokens.” 

09:58 Announcing Claude Opus 4.5 on Snowflake Cortex AI

• Snowflake Cortex AI now offers Claude Opus 4.5 and Claude Sonnet 4.5 in general availability, bringing Anthropic’s latest models directly into Snowflake’s data platform. 
• Users can access these models through SQL, Python, or REST APIs without moving data outside their Snowflake environment.
• Claude Opus 4.5 delivers improved performance on complex reasoning tasks, coding, and multilingual capabilities compared to previous versions, while Claude Sonnet 4.5 provides a balanced option for speed and intelligence. 
  • Both models support 200K token context windows and can process text and images natively within Snowflake queries.
• The integration enables enterprises to build AI applications using their Snowflake data with built-in governance and security controls, eliminating the need to export sensitive data to external AI services. 
  • Pricing follows Snowflake’s credit-based model, with costs varying by model and token usage.
• Developers can combine Claude models with other Cortex AI features like vector search, document understanding, and fine-tuning capabilities to create end-to-end AI workflows. 
  • This allows for use cases ranging from customer service automation to financial analysis and code generation, all within the Snowflake ecosystem.

11:03 OpenAI CEO declares “code red” as Gemini gains 200 million users in 3 months 

• Oh, how the turn tables have turned…
• OpenAI CEO Sam Altman issued an internal code red memo to refocus the company on improving ChatGPT after Google’s Gemini 3 model topped the LMArena leaderboard and gained 200 million users in three months. 
• The directive delays planned features, including advertising integration, AI agents for health and shopping, and the Pulse personal assistant feature.
• Google’s Gemini 3 model, released in mid-November, has outperformed ChatGPT on industry benchmark tests and attracted high-profile users like Salesforce CEO Marc Benioff, who publicly announced switching from ChatGPT after three years. 
• The model’s performance represents a significant shift in the competitive landscape since OpenAI’s initial ChatGPT launch in December 2022.
• The situation mirrors December 2022, when Google declared its own code red after ChatGPT’s rapid adoption, with CEO Sundar Pichai reassigning teams to develop competing AI products. 
• This role reversal demonstrates how quickly competitive positions can shift in the AI model space, particularly around user experience and benchmark performance.
• OpenAI is implementing daily calls for teams responsible for ChatGPT improvements and encouraging temporary team transfers to address the competitive pressure. 
• The company’s response indicates that maintaining market leadership in conversational AI requires continuous iteration even for established products with large user bases.

13:11 Ryan – “I started on ChatGPT and tried to use it after adopting Claude, and I try to go back every once in a while – especially when they would announce a new model, but I always end up going back to one of the Anthropic models.” 

GCP

15:19 New Google Cloud region coming to Türkiye

• Google Cloud is launching a new region in Türkiye as part of a 2 billion dollar investment over 10 years, partnering with local telecom provider Turkcell, which will invest an additional 1 billion dollars in data centers and cloud infrastructure. 
• This brings Google Cloud’s global footprint to 43 regions and 127 zones, with Türkiye serving as a strategic hub for EMEA customers.
• The region targets three key verticals already committed as customers: financial services with Garanti BBVA and Yapi Kredi Bank modernizing core banking systems, airlines with Turkish Airlines improving flight operations and passenger systems, and government entities focused on digital sovereignty. 
• The local presence addresses data residency requirements and provides low-latency access for organizations that need to keep data within national borders.
• Technical capabilities include standard Google Cloud services for data analytics, AI, and cybersecurity with data encryption at rest and in transit, granular access controls, and threat detection systems meeting international security standards. The region will serve both Türkiye and neighboring countries with reduced latency compared to existing European regions.
• The announcement emphasizes digital sovereignty as a primary driver, with government officials highlighting the importance of local infrastructure for maintaining control over national data while accessing hyperscale cloud capabilities. 
• This follows a pattern of Google Cloud expanding into regions where data localization requirements create demand for in-country infrastructure.
• No specific pricing details were provided for the Türkiye region, though standard Google Cloud pricing models based on compute, storage, and network usage will apply once the region launches. 
• The timeline for when the region will be operational was not disclosed in the announcement.
• Show note editor Heather note: If you enjoy history, you need to travel to Türkiye immediately! 

17:03 Introducing BigQuery Agent Analytics

• Google launches BigQuery Agent Analytics, a new plugin for their Agent Development Kit that streams AI agent interaction data directly to BigQuery with a single line of code. 
• The plugin captures metrics like latency, token consumption, tool usage, and user interactions in real-time using the BigQuery Storage Write API, enabling developers to analyze agent performance and optimize costs without complex instrumentation.
• The integration allows developers to leverage BigQuery’s advanced capabilities, including generative AI functions, vector search, and embedding generation to perform sophisticated analysis on agent conversations. 
• Teams can cluster similar interactions, identify failure patterns, and join agent data with business metrics like CSAT scores to measure real-world impact, going beyond basic operational metrics to quality analysis.
• The plugin includes three core components: an ADK plugin that requires minimal code changes, a predefined optimized BigQuery schema for storing interaction data, and low-cost streaming via the BigQuery Storage Write API. 
  • Developers maintain full control over what data gets streamed and can customize pre-processing, such as redacting sensitive information before logging.
• Currently available in preview for ADK users, with support for other agent frameworks like LangGraph coming soon. 
• The feature addresses a critical gap in agentic AI development where understanding user interaction patterns and agent performance is essential for refinement, particularly as organizations move from building agents to optimizing them at scale.
• Pricing follows standard BigQuery costs for storage and queries, with the Storage Write API offering cost-effective real-time streaming compared to traditional batch loading methods. 
• Documentation and a hands-on codelab are available at google.github.io/adk-docs for developers ready to implement agent analytics.

18:16 Ryan – “This is an interesting model; providing both the schema and the already instrumented integration. I feel like a lot of times with other types of development, you’re left to your own devices, and so this is a neat thing. As you’re developing an agent, everyone is instrumenting these things in odd ways, and it’s very difficult to compile the data in a way where you get usable queries out of it. So it’s kind of an interesting concept.” 

19:35 TalayLink subsea cable to connect Australia and Thailand

• You know how much we love a good undersea cable…
• Google announces TalayLink, a new subsea cable connecting Australia and Thailand via the Indian Ocean, taking a western route around the Sunda Strait to avoid congestion from existing cable paths. 
  • This cable extends the Interlink system from the Australia Connect initiative and will directly connect to Google’s planned Thailand cloud region and data centers.
• The project includes two new connectivity hubs in Mandurah, Western Australia, and South Thailand, providing diverse landing points away from existing cable concentrations in Perth and enabling cable switching, content caching, and colocation capabilities. 
  • Google is partnering with AIS for the South Thailand hub to leverage existing infrastructure.
• TalayLink forms part of a broader Indian Ocean connectivity strategy, linking with previously announced hubs in the Maldives and Christmas Island to create redundant paths connecting Australia, Southeast Asia, Africa, and the Middle East. 
• This routing diversity aims to improve network resilience across multiple regions.
• The infrastructure supports Thailand’s digital economy transformation goals and Western Australia’s digital future roadmap, with the Thailand Board of Investment actively backing the project. 
  • • No pricing or specific completion timeline was disclosed in the announcement.

  The Cloud Pod is excited to cover the latest innovations and trends. We aim to keep you informed about the evolving landscape of cloud technology and artificial intelligence.

20:34 Matt – “It’s amazing…subsea cable congestion. How many cables can be there that there’s congestion?”  

23:16 Claude Opus 4.5 on Vertex AI 

• Claude Opus 4.5 is now generally available on Vertex AI, delivering Anthropic’s most advanced model at one-third the cost of its predecessor Opus 4.1. 
• The model excels in coding tasks that can compress multi-day development projects into hours, agentic workflows with dynamic tool discovery from hundreds of tools without context window bloat, and office productivity tasks with improved memory for maintaining consistency across documents.
• Google is positioning Vertex AI as a unified platform for deploying Claude with enterprise features, including global endpoints for reduced latency, provisioned throughput for dedicated capacity at fixed costs, and prompt caching with flexible Time To Live up to one hour. 
• The platform integrates with Google’s Agent Builder stack, including the open Agent Development Kit, Agent2Agent protocol, and fully managed Agent Engine for moving multi-step workflows from prototype to production.
• Security and governance capabilities include Google Cloud’s foundational security controls, data residency options, and Model Armor protection against AI-specific threats like prompt injection and tool poisoning through Security Command Center. 
• Customers like Palo Alto Networks report 20-30 percent increases in code development velocity when using Claude on Vertex AI.
• The model supports a 1 million token context window, batch predictions for cost efficiency, and web search capabilities in preview. 
• Regional availability and specific pricing details are available in the Vertex AI documentation, with the model accessible through both the Model Garden and Google Cloud Marketplace.

23:58 Registration is live for Google Cloud Next 2026 in Las Vegas

• Google Cloud Next 2026 takes place April 22-24 in Las Vegas, with registration now open at an early bird price of $999 for a limited time. 
• This represents the standard pricing structure for Google’s flagship annual conference following their record-breaking attendance in 2025.
• The conference focuses heavily on AI agent development and implementation, featuring interactive demos, hackathons, and workshops designed to help attendees build intelligent agents. 
• Organizations can learn from real-world case studies of companies deploying AI solutions at scale.
• Next 2026 offers hands-on technical training through deep-dive sessions, keynotes, and practical labs aimed at developers and technical practitioners. The format emphasizes actionable learning with direct access to Google engineers and product experts.
• The event serves as a networking hub for cloud practitioners to connect with peers facing similar technical challenges and to provide feedback that influences Google Cloud’s product roadmap. This direct line to product teams can be valuable for organizations planning their cloud strategy.
• Ready to register? You can do that here. 

27:19 VPC Flow Logs for Cross-Cloud Network

• VPC Flow Logs now support Cloud VPN tunnels and VLAN attachments for Cloud Interconnect and Cross-Cloud Interconnect, extending visibility beyond traditional VPC subnet traffic to hybrid and multi-cloud connections. 
  • This addresses a critical gap for organizations running Cross-Cloud Network architectures who previously lacked detailed telemetry on traffic flowing between Google Cloud, on-premises infrastructure, and other cloud providers.
• The feature provides 5-tuple granularity logging (source/destination IP, port, and protocol) with new gateway annotations that identify traffic direction and context through reporter and gateway object fields. 
• Flow Analyzer integration eliminates the need for complex SQL queries, offering built-in analysis capabilities including Gemini-powered natural language queries and in-context Connectivity Tests to correlate flow data with firewall policies and network configurations.
• Primary use cases include identifying elephant flows that congest specific tunnels or attachments, auditing Shared VPC bandwidth consumption by service projects, and troubleshooting connectivity issues by verifying whether traffic reaches Google Cloud gateways. 
  • Organizations can also validate DSCP markings for application-aware Cloud Interconnect policy configurations, which is particularly valuable for enterprises with quality-of-service requirements.
• The feature is available now for both new and existing deployments through Console, CLI, API, and Terraform, with Flow Analyzer providing no-cost analysis of logs stored in Cloud Logging. 
• This capability is particularly relevant for financial services, healthcare, and enterprises with strict compliance requirements that need comprehensive audit trails of cross-cloud and hybrid network traffic.

28:37 Ryan – “The controls say that you have to have logging, not what the logging is – and so very frequently it is sort of ‘turn it on and sort of forget it’. I do think this is great, but it is sort of, they say the five-tuple granularity will help you measure congestion, but I don’t see them actually producing any sort of bandwidth or request size metrics. So it is sort of an interesting thing, but it’s at least better than the nothing that we had before. So I’ll take it.”

30:35 AWS and Google Cloud collaborate on multicloud networking

• AWS and Google Cloud jointly engineered a multicloud networking solution that eliminates the need for manual physical infrastructure setup between their platforms. 
• Customers can now provision dedicated bandwidth and establish connectivity in minutes instead of weeks through either cloud console or API.
• The solution uses AWS Interconnect multicloud and Google Cloud Cross-Cloud Interconnect with quad-redundancy across physically separate facilities and MACsec encryption between edge routers. 
• Both providers published open API specifications on GitHub for other cloud providers to adopt the same standard.
• Previously, connecting AWS and Google Cloud required customers to manually coordinate physical connections, equipment, and multiple teams over weeks or months. 
• This new managed service abstracts away physical connectivity, network addressing, and routing policy complexity into a cloud-native experience.
• Salesforce is using this capability to connect its Data 360 platform across clouds using pre-built capacity pools and familiar AWS tooling. 
  • The integration allows them to ground AI and analytics in trusted data regardless of which cloud it resides in.
• The collaboration represents a shift toward cloud provider interoperability through open standards rather than proprietary solutions. 
• The published specifications enable any cloud provider or partner to implement compatible multicloud connectivity using the same framework.

31:38 Justin – “I do want you guys to check the weather. Do you see pigs flying or anything crazy?” 

Azure

33:17 Generally Available: TLS and TCP termination on Azure Application Gateway

• Azure Application Gateway now supports TLS and TCP protocol termination at general availability, expanding beyond its traditional HTTP/HTTPS load balancing capabilities. 
• This allows customers to use Application Gateway for non-web workloads like database connections, message queuing systems, and other TCP-based applications that previously required separate load balancing solutions.
• The feature consolidates infrastructure by letting organizations use a single gateway service for both web and non-web traffic, reducing the need to deploy and manage multiple load balancers. 
• This is particularly useful for enterprises running mixed workloads that include legacy applications, databases like SQL Server or PostgreSQL, and custom TCP services alongside modern web applications.
• Application Gateway’s existing features, like Web Application Firewall,  autoscaling, and zone redundancy, now extend to TCP and TLS traffic, providing consistent security and availability across all application types. 
• The pricing model follows Application Gateway’s standard consumption-based structure with charges for gateway hours and data processing, though specific costs for TCP/TLS termination were not detailed in the announcement.
• Common use cases include load balancing for database clusters, securing MQTT or AMQP message broker connections, and providing SSL offloading for legacy applications that don’t natively support modern TLS versions. 
  • This positions Application Gateway as a more versatile Layer 4-7 load balancing solution competing with dedicated TCP load balancers and third-party appliances.

33:38 Justin – “Thank you for developing network load balancers.” 

34:48 Generally Available: Azure Application Gateway mTLS passthrough support

• Want to make your life even more complicated? Well, it’s GOOD NEWS!
• Azure Application Gateway now supports mutual TLS passthrough in general availability, allowing backend applications to validate client certificates and authorization headers directly while still benefiting from Web Application Firewall inspection. 
  • This addresses a specific compliance requirement where organizations need end-to-end certificate validation but cannot terminate TLS at the gateway layer.
• The feature enables scenarios where backend services must verify client identity through certificates for regulatory compliance or zero-trust architectures, particularly relevant for financial services, healthcare, and government workloads. Previously, customers had to choose between WAF protection or backend certificate validation, creating security or compliance gaps.
• Application Gateway continues to inspect traffic through WAF rules even as the mTLS connection passes through to the backend, maintaining protection against common web exploits and OWASP vulnerabilities. 
• This dual-layer approach means organizations can enforce both perimeter security policies and application-level authentication without architectural compromises.
• The capability is available across all Azure regions where Application Gateway v2 SKU operates, with standard Application Gateway pricing applying based on capacity units consumed. 
• No additional charges exist specifically for the mTLS passthrough feature itself, though backend certificate validation may increase processing overhead slightly.

36:30 Matt – “I did S tunnel and MongoDB because it didn’t support encryption for the longest time…that was a fun one.” 

36:50 Public Preview: Azure API Management adds support for A2A Agent APIs

• Azure API Management now supports Agent-to-Agent (A2A) APIs in public preview, allowing organizations to manage AI agent APIs alongside traditional REST APIs, AI model APIs, and Model Context Protocol tools within a single governance framework. 
  • This addresses the growing need to standardize how autonomous agents communicate and interact across enterprise systems.
• The feature enables centralized management of agent interactions, which is particularly relevant as organizations deploy multiple AI agents that need to coordinate tasks and share information. 
• API Management can now apply consistent security policies, rate limiting, and monitoring across all agent communications, reducing the operational complexity of multi-agent architectures.
• This capability positions Azure API Management as a unified control plane for the full spectrum of API types emerging in AI-driven applications. 
• Organizations already using API Management for traditional APIs can extend their existing governance practices to cover agent-based workflows without deploying separate infrastructure.
• The preview is available in Azure regions where API Management is currently supported, though specific pricing for A2A API features has not been disclosed separately from standard API Management tiers. 
• Organizations should evaluate this against their existing API Management costs, which start at approximately $50 per month for the Developer tier.

38:13 Introducing Claude Opus 4.5 in Microsoft Foundry

• Claude Opus 4.5 is now available in public preview on Microsoft Foundry, GitHub Copilot paid plans, and Microsoft Copilot Studio, expanding Azure’s frontier model portfolio following the Microsoft-Anthropic partnership announced at Ignite. 
• The model achieves 80.9% on SWE-bench software engineering benchmarks and is priced at one-third the cost of previous Opus-class models, making advanced AI capabilities more accessible for enterprise workloads.
• The model introduces three key developer features on Foundry: an Effort Parameter in beta that lets teams control computational allocation across thinking and tool calls, Compaction Control for managing context in long-running agentic tasks, and enhanced programmatic tool calling with dynamic tool discovery that doesn’t consume context window space. 
  • These capabilities enable sophisticated multi-tool workflows across cybersecurity, financial modeling, and full-stack development.
• Opus 4.5 serves as Anthropic’s strongest vision model and delivers improved computer use performance for automating desktop tasks, particularly for creating spreadsheets, presentations, and documents with professional polish. 
• The model maintains context across complex projects using memory features, making it suitable for precision-critical verticals like finance and legal,   where consistency matters.
• Microsoft Foundry’s rapid integration strategy gives Azure customers immediate access to the latest frontier models while maintaining centralized governance, security, and observability at scale. 
• This positions Azure as offering the widest selection of advanced AI models among cloud providers, with Opus 4.5 available now through the Foundry portal and coming soon to Visual Studio Code via the Foundry extension.

38:37 Justin – “Cool, it’s in Foundry – hooray!” 

40:21 Generally Available: DNS security policy Threat Intelligence feed

• Azure DNS security policy now includes a managed Threat Intelligence feed that blocks queries to known malicious domains. 
• This feature addresses the common attack vector where nearly all cyber attacks begin with a DNS query, providing an additional layer of protection at the DNS resolution level.
• The service integrates with Azure’s existing DNS infrastructure and uses Microsoft’s threat intelligence data to automatically update the list of malicious domains. 
  • Organizations can enable this protection without managing their own threat feeds or maintaining blocklists, reducing operational overhead for security teams.
• This capability is particularly relevant for enterprises looking to implement defense-in-depth strategies, as it stops threats before they can establish connections to command and control servers or phishing sites. 
• The feature works alongside existing Azure Firewall and network security tools to provide comprehensive protection.
• The general availability means the service is now production-ready with full SLA support across Azure regions. 
• Pricing details were not specified in the announcement, so customers should check Azure pricing documentation for DNS security policy costs.

41:28 Ryan – “It is something, being able to automatically take the results of a feed, I will do any day just because these things are updated by many more parties and faster than I can ever react to, and you know, our own threat intelligence. So that’s pretty great. I like it.”

42:46 Public Preview: Standard V2 NAT Gateway and StandardV2 Public IPs

• Azure introduces StandardV2 NAT Gateway in public preview, adding zone-redundancy for high availability in regions with availability zones. 
• This upgrade addresses a key limitation of the original NAT Gateway by ensuring outbound connectivity survives zone failures, which matters for enterprises running mission-critical workloads that require consistent internet egress.
• The StandardV2 SKU includes matching StandardV2 Public IPs that work together with the new NAT Gateway tier. Organizations using the original Standard SKU will need to evaluate migration paths since zone-redundancy represents a fundamental architectural change requiring new resource types rather than an in-place upgrade.
• This release targets customers who previously had to architect complex workarounds for zone-resilient outbound connectivity, particularly those running multi-zone deployments of containerized applications or database clusters. 
  • The preview allows testing of failover scenarios before production deployment.
• The announcement lacks specific pricing details for the StandardV2 tier, though NAT Gateway typically charges based on hourly resource fees plus data processing costs. 
• Customers should monitor Azure pricing pages as the preview progresses toward general availability for cost comparisons against the Standard SKU.

43:48 Justin – “The fact that this is not an upgrade that I can just check, and I have to redeploy a whole new thing, annoys the crap out of me.” 

46:51 Generally Available: Custom error pages on Azure App Service

• Custom error pages on Azure App Service have moved to general availability, allowing developers to replace default HTTP error pages with branded or customized alternatives. 
• This addresses a common requirement for production applications where maintaining a consistent user experience during errors is important for brand identity and user trust.
• The feature integrates directly into App Service configuration without requiring additional Azure services or third-party tools. 
• Developers can specify custom HTML pages for different HTTP error codes like 404 or 500, which App Service will serve automatically when those errors occur.
• This capability is particularly relevant for customer-facing web applications, e-commerce sites, and SaaS platforms where error handling needs to align with corporate branding guidelines. 
• The feature works across all App Service tiers that support custom domains and SSL certificates.
• No additional cost is associated with custom error pages beyond standard App Service hosting fees, which start at approximately $13 per month for the Basic tier. Implementation requires uploading error page files to the app’s file system and updating configuration settings through Azure Portal or deployment templates.
• The general availability status means the feature is now production-ready with full support coverage, moving beyond the preview phase where it was available for testing. 
  • Documentation is available at the Azure App Service custom error pages guide.

48:17 Matt – “It’s crazy that this wasn’t already there. The workarounds you had to do to make your own error page was messy at best.” 

49:01 Generally Available: Streamline IT governance, security, and cost management experiences with Microsoft Foundry

• Microsoft Foundry reaches general availability as an enterprise AI governance platform that consolidates security, compliance, and cost management controls for IT administrators deploying AI solutions. 
• The platform addresses the growing need for centralized oversight as organizations scale their AI initiatives across Azure infrastructure.
• The service integrates with existing Azure management tools to provide unified visibility and control over AI workloads, allowing IT teams to enforce policies and monitor resource usage from a single interface. 
  • This reduces the operational overhead of managing disparate AI projects while maintaining enterprise security standards.
• Foundry targets large enterprises and regulated industries that require strict governance frameworks for AI deployment, particularly organizations balancing innovation speed with compliance requirements. 
• The platform helps bridge the gap between data science teams pushing for rapid AI adoption and IT departments responsible for risk management.
• The general availability announcement indicates Microsoft is positioning Azure as the enterprise-ready AI cloud, competing directly with AWS and Google Cloud for organizations prioritizing governance alongside AI capabilities. 
• Specific pricing details were not disclosed in the announcement, suggesting costs likely vary based on usage and existing Azure commitments.

50:22 Justin – “It’s like a combination of SageMaker and Vertex married Databricks and then had a baby – plus a report interface.” 

52:44 Generally Available: Model Router in Microsoft Foundry

• Microsoft Foundry’s Model Router is now generally available as an AI orchestration layer that automatically selects the optimal language model for each prompt based on factors like complexity, cost, and performance requirements. 
• This eliminates the need for developers to manually choose between different AI models for each use case.
• The service supports an expanded range of models, including the GPT-4 family, GPT-5 family, GPT-oss, and DeepSeek models, giving organizations flexibility to balance performance needs against cost considerations. 
• The router can dynamically switch between models within a single application based on prompt characteristics.
• This addresses a practical challenge for enterprises deploying multiple AI models where different tasks require different model capabilities. For example, simple queries could route to smaller, less expensive models while complex reasoning tasks automatically use more capable models.
• The orchestration layer integrates with Microsoft Foundry’s broader AI infrastructure, allowing customers to manage multiple model deployments through a single interface rather than building custom routing logic. This reduces operational complexity for teams managing diverse AI workloads across their organization.
• No specific pricing details are provided in the announcement, though costs will likely vary based on the underlying models selected by the router and usage patterns. Organizations should evaluate potential cost savings from routing simpler queries to less expensive models versus always using premium models.

54:50 Generally Available: Scheduled Actions 

• Azure’s Scheduled Actions feature is now generally available, providing automated VM lifecycle management at scale with built-in handling of subscription throttling and transient error retries. 
• This eliminates the need for custom scripting or third-party tools to start, stop, or deallocate VMs on a recurring schedule.
• The feature addresses common cost optimization scenarios where organizations need to automatically shut down development and test environments during off-hours or scale down non-production workloads on weekends. 
• This can reduce compute costs by 40-70% for environments that don’t require 24/7 availability.
• Scheduled Actions integrates directly with Azure Resource Manager and works across VM scale sets, making it suitable for both individual VMs and large-scale deployments. The automatic retry logic and throttling management means operations complete reliably even when managing hundreds or thousands of VMs simultaneously.
• The service is available in all Azure public cloud regions where VMs are supported, with no additional cost beyond standard VM compute charges. 
• Organizations pay only for the time VMs are running, so automated shutdown schedules directly translate to reduced monthly bills.

55:31 Justin – “Thank you for copying every other cloud that’s had this forever…”

After Show 

51:46 OpenAI and NORAD team up to bring new magic to “NORAD Tracks Santa.”

• OpenAI partnered with NORAD to add AI-powered holiday tools to the annual Santa tracking tradition, creating three ChatGPT-based features that turn kids’ photos into elf portraits, generate custom toy coloring pages, and build personalized Christmas stories. This represents a consumer-friendly application of generative AI that demonstrates how large language models can be packaged for mainstream family use during the holidays.
• The collaboration shows OpenAI pursuing brand-building partnerships with trusted institutions like NORAD to normalize AI tools in everyday contexts. By embedding ChatGPT features into a 68-year-old military tradition that reaches millions of families, OpenAI gains exposure to non-technical users who might otherwise be hesitant about AI adoption.
• From a technical perspective, these tools showcase practical implementations of image generation and text-to-image capabilities that parents can use without understanding the underlying models. The focus on simple, single-purpose GPTs rather than complex interfaces suggests OpenAI is testing how to make their technology more accessible to casual users.
• The partnership raises interesting questions about AI companies seeking legitimacy through associations with government organizations and cultural traditions. While the tools are harmless holiday fun, they demonstrate how AI providers are moving beyond enterprise sales to embed their technology into cultural moments and family activities.
• This is essentially a marketing play disguised as holiday cheer, but it does illustrate how cloud-based AI services are becoming infrastructure for consumer experiences rather than just backend business tools. The real story is about distribution strategy and making AI feel safe and familiar to mainstream audiences.
• The Cloud Pod has one message: keep Skynet out of Christmas!

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week:

• Roll For Initiative: The Re:Invent Prediction Draft
• Justin’s Winning Streak: A Study in Actually Doing Your Homework
• Serverless GPUs and Broken Dreams: Our Re:Invent Wishlist
• Shooting in the Dark: AWS Predictions Edition
• We’re Never Good at This, But Here We Go Again
• Vegas Odds: What Happens at Re:Invent, Gets Predicted Wrong

AWS Re:Invent Predictions 2025

The annual prediction draft is here! Draft order was determined by dice roll: Jonathan first, followed by Ryan, Justin, and Matt in last position. As always, it’s a reverse order format, with points awarded for each correct prediction announced during the Tuesday, Wednesday, and Thursday keynotes.

Jonathan’s Predictions

1. Serverless GPU Support – An extension to Lambda or a different service that provides on-demand serverless GPU/inference capability. Likely with requirements for pre-warmed provisioned instances.
2. Agentic Platform for Continuous AI Agents – A service that allows agents to run continuously with goals or instructions, performing actions periodically or on-demand in the real world. Think: running agents on a schedule that can check conditions and take automated actions.
3. Werner Vogels Retirement Announcement – Werner will announce that this is his last Re:Invent keynote and that he is retiring.

Ryan’s Predictions

1. New Trainium 3 Chips, Inferentia, and Graviton Chips – New generation of AWS custom silicon across training, inference, and general compute.
2. Expanded Model Availability in Bedrock – AWS will significantly expand the number of models available in Bedrock, potentially via partnerships or integrations with additional providers.
3. Major Refresh to AWS Organizations – UI-based or functionality refresh providing better visibility into SCPs, OU mappings, and stack sets across organizations.

Justin’s Predictions

1. New Nova Model with Multi-modal Support – Launch of Nova Premier or Nova Sonic with multi-modal capabilities, bringing Amazon’s foundational model to the next level.
2. OpenAI Partnership Announcement – AWS and OpenAI will announce a strategic partnership, potentially bringing OpenAI models to Bedrock (likely announced on stage).
3. Advanced Agentic AI Capabilities for Security Hub – Enhanced features for Security Hub adding Agentic AI to help automate SOC team operations.

Matt’s Predictions

1. Model Router for Bedrock – A service to route LLM queries to different AI models, simplifying the process of testing and selecting models for different use cases.
2. Well-Architected Framework Expansion – New lenses or significant updates to the Well-Architected Framework beyond the existing Generative AI and Sustainability lenses.
3. End User Authentication That Doesn’t Suck – A new or significantly revamped end-user authentication service (essentially Cognito 2.0) that actually works well for client portals.

Tiebreaker: How Many Times Will “AI” or “Artificial Intelligence” Be Said On Stage?

If we end in a tie (or nobody gets any predictions correct, which is historically possible), we go to the tiebreaker!

Honorable Mentions

Ideas that didn’t make the cut but might just surprise us:

Jonathan:

• Mathematical proof/verification that text was generated by Amazon’s LLMs (watermarking for AI output)
• Marketplace for AI work – publish and monetize AI-based tools with Amazon handling billing
• New consumer device to accompany Nova models (smarter Alexa replacement with local inference)

Ryan:

• FinOps AI recommender for model usage and cost optimization
• Savings plans or committed use discounts for Bedrock use cases

Matt:

• Sustainability/green dashboard improvements
• AI-specific features for Aurora or DSQL

Justin:

• Big S3 vectors announcement and integration to Bedrock
• FinOps service for Kubernetes
• Amazon Q Developer with autonomous coding agents
• New GPU architecture combining training/inference/Graviton capabilities
• Amazon Bedrock model marketplace for revenue share on fine-tuned models

Quick Hits From the Episode

• 00:02 – Is it really Re:Invent already? The existential crisis begins.
• 01:44 – Jonathan reveals why Justin always wins: “Because you read the notes.”
• 02:54 – Matt hasn’t been to a Re:Invent session since Image Builder launched… eight years ago.
• 05:03 – Jonathan comes in hot with serverless GPU support prediction.
• 06:57 – The inference vs. training cost debate – where’s the real ROI?
• 09:30 – Matt’s picks get systematically destroyed by earlier drafters.
• 14:09 – The OpenAI partnership prediction causes draft chaos.
• 16:24 – Jonathan drops the Werner retirement bombshell.
• 19:12 – Justin’s Security Hub prediction: “Please automate the SOC teams.”
• 19:46 – Everyone hates Cognito. Matt’s prediction resonates with the universe.
• 21:47 – Tiebreaker time: Jonathan goes with 1 out of pure spite.
• 24:08 – Honorable mentions include mathematical AI verification and a marketplace for AI work.

Re:Invent Tips (From People Who Aren’t Going)

Since none of us are attending this year, here’s what we remember from the good old days:

• Chalk Talks remain highly respected and valuable for deep technical content
• Labs and hands-on sessions are worth your time more than keynotes you can watch online
• Networking on the expo floor and in hallways is where the real value happens
• Don’t try to see everything – focus on what matters to your work
• Stay hydrated – Vegas is dry and conferences are exhausting

Closing

And that is the week in the cloud! We’re taking Thanksgiving week off, so there won’t be an episode during Re:Invent. We’ll record late that week and have a dedicated Re:Invent recap episode the following week. If you’re heading to Las Vegas, have a great time and let us know how it goes!

Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod

Titles we almost went with this week

• GPT-5.1 Gets a Shell Tool Because Apparently We Haven’t Learned Anything From Sci-Fi Movies
• The Great Ingress Egress: NGINX Controller Waves Goodbye After Years of Volunteer Burnout
• Queue the Applause: Lambda SQS Mapping Gets a Serious Speed Boost
• SELECT * FROM future WHERE SQL meets AI without the prompt drama
• MFA or GTFO: Microsoft’s 99.6% Phishing-Resistant Authentication Achievement
• JWT Another Thing ALB Can Do: OAuth Validation Moves to the Load Balancer
• Google’s Emerging Threats Center: Because Manually Checking 12 Months of Logs Sounds Terrible
• EventBridge Gets a Drag-and-Drop Makeover: No More Schema Drama
• Permission Denied: How Granting Access Took Down the Internet

Follow Up 

00:51 Ignite Predictions – The Results 

Matt (Who is in charge of sound effects, so be aware) 

1. ACM Competitor – True SSL competitive product
2. AI announcement in Security AI Agent (Copilot for Sentinel) – sort of (½) 
3. Azure DevOps Announcement

Justin

1. New Cobalt and Mai Gen 2 or similar – Check
2. Price Reduction on OpenAI & Significant Prompt Caching 
3. Microsoft Foundational LLM to compete with OpenAI – 

Jonathan

1. The general availability of new, smaller, and more power-efficient Azure Local hardware form factors
2. Declarative AI on Fabric: This represents a move towards a declarative model, where users state the desired outcome, and the AI agent system determines the steps needed to achieve it within the Fabric ecosystem.
3. Advanced Cost Management: Granular dashboards to track the token and compute consumption per agent or per transaction, enabling businesses to forecast costs and set budgets for their agent workforce.

How many times will they say Copilot:

The word “Copilot” is mentioned 46 to 71 times in the video.

Jonathan 45

Justin: 35

Matt: 40

General News

05:13 Cloudflare outage on November 18, 2025

• Cloudflare experienced its worst outage since 2019 on November 18, 2025, lasting approximately three hours and affecting core traffic routing across its entire network. 
• The incident was triggered by a database permissions change that caused a Bot Management feature file to double in size, exceeding hardcoded limits in their proxy software and causing system panics that resulted in 5xx errors for customers.
• The root cause reveals a cascading failure pattern, where a ClickHouse database query began returning duplicate column metadata after permission changes. 
• This resulted in a significant increase in the feature file, from approximately 60 features to over 200, which exceeded the preallocated memory limit of 200 features in their Rust-based FL2 proxy code. 
• The team initially suspected a DDoS attack due to fluctuating symptoms caused by the bad configuration file being generated every five minutes as the database cluster was gradually updated.
• The outage impacted multiple Cloudflare services, including their CDN, Workers KV, Access, and even their own dashboard login system through Turnstile dependencies. 
• Customers on the older FL proxy engine did not see errors but received incorrect bot scores of zero, potentially causing false positives for those using bot blocking rules.
• Cloudflare’s remediation plan includes treating internal configuration files with the same validation rigor as user input, implementing more global kill switches for features, and preventing error reporting systems from consuming excessive resources during incidents. 
• The company acknowledged this as unacceptable for their position in the Internet ecosystem and committed to architectural improvements to prevent similar failures.

06:41 Justin – “Definitely a bad outage, but I appreciate that they owned it, and owned it hard… especially considering they were front page news.” 

AI Is Going Great, or How ML Makes Money 

07:27 Introducing GPT-5.1 for developers | OpenAI

• OpenAI has released GPT-5.1 in their API platform with adaptive reasoning that dynamically adjusts thinking time based on task complexity, resulting in 2-3x faster performance on simple tasks while maintaining frontier intelligence. 
• The model includes a new “no reasoning” mode (reasoning_effort set to ‘none’) that delivers 20% better low-latency tool calling performance compared to GPT-5 minimal reasoning, making it suitable for latency-sensitive applications while supporting web search and improved parallel tool calling.
• GPT-5.1 introduces extended prompt caching with 24-hour retention (up from minutes), maintaining the existing 90% cost reduction for cached tokens with no additional storage charges. 
• Early adopters report the model uses approximately half the tokens of competitors at similar quality levels, with companies like Balyasny Asset Management seeing agents run 50% faster while exceeding GPT-5 accuracy.
• The release includes two new developer tools in the Responses API: apply_patch for structured code editing using diffs without JSON escaping, and a shell tool that allows the model to propose and execute command-line operations in a controlled plan-execute loop. GPT-5.1 achieves 76.3% on SWE-bench Verified and shows 7% improvement on diff editing benchmarks according to early testing partners like Cline and Augment Code.
• OpenAI is also releasing specialized gpt-5.1-codex and gpt-5.1-codex-mini models optimized specifically for long-running agentic coding tasks, while maintaining the same pricing and rate limits as GPT-5. 
  • If you didn’t catch it in the podcast, Justin HATES this. Hates. It. All the hate. 
• The company has committed to not deprecating GPT-5 in the API and will provide advanced notice if deprecation plans change.
• Pricing and rate limits are the same at GPT-5. 

9:31 Ryan – “I didn’t really like GPT-5, so I don’t have high expectations, but as these things enhance, I’ve found  using different models for different use cases has some advantages, so maybe I’ll find the case for this one.” 

11:31 Piloting group chats in ChatGPT | OpenAI

• OpenAI is piloting group chat functionality in ChatGPT, starting with users in Japan, New Zealand, South Korea, and Taiwan across all subscription tiers (Free, Go, Plus, and Pro). 
• The feature allows up to 20 people to collaborate in a shared conversation with ChatGPT, with responses powered by GPT-5.1 Auto that selects the optimal model based on the prompt and the user’s subscription level.
• ChatGPT has been trained with new social behaviors for group contexts, including deciding when to respond or stay quiet based on conversation flow, reacting with emojis, and referencing profile photos for personalized image generation. 
• Users can mention “ChatGPT” explicitly to trigger a response, and custom instructions can be set per group chat to control tone and personality.
• Privacy controls separate group chats from personal conversations, with personal ChatGPT memory not shared or used in group contexts. 
• Users must accept invitations to join, can see all participants, and can leave at any time, with group creators having special removal privileges.
• The feature includes safeguards for users under 18, automatically reducing sensitive content exposure for all group members when a minor is present. 
  • Parents can disable group chats entirely through parental controls, providing additional oversight for younger users.
• Rate limits apply only to ChatGPT responses (not user-to-user messages) and count against the subscription tier of the person ChatGPT is responding to. 
• The feature supports search, image and file uploads, image generation, and dictation, making it functional for both personal planning and workplace collaboration scenarios.

12:41 Jonathan – “I’d rather actually have group chats enabled if kids are going to use it because at least you have witnesses to the conversation at that point.”

16:38 Gemini 3: Introducing the latest Gemini AI model from Google

• Google launches Gemini 3 Pro in preview across its product suite, including the Gemini app, AI Studio, Vertex AI, and a new AI Mode in Search with generative UI capabilities. 
• The model achieves a 1501 Elo score on LMArena leaderboard and demonstrates 91.9% on GPQA Diamond, with a 1 million token context window for processing multimodal inputs including text, images, video, audio and code.
• Gemini 3 Deep Think mode offers enhanced reasoning performance, scoring 41.0% on Humanity’s Last Exam and 45.1% on ARC-AGI-2 with code execution. 
• Google is providing early access to safety testers before rolling out to Google AI Ultra subscribers in the coming weeks, following comprehensive safety evaluations per their Frontier Safety Framework.
• Google introduces Antigravity, a new agentic development platform that integrates Gemini 3 Pro with Gemini 2.5 Computer Use for browser control and Gemini 2.5 Image for editing. 
• The platform enables autonomous agent workflows with direct access to editor, terminal, and browser, scoring 54.2% on Terminal-Bench 2.0 and 76.2% on SWE-bench Verified for coding agent capabilities.
• The model shows improved long-horizon planning by topping Vending-Bench 2 leaderboard and delivers enhanced agentic capabilities through Gemini Agent for Google AI Ultra subscribers. 
• Gemini 3 demonstrates 72.1% on SimpleQA Verified for factual accuracy and 1487 Elo on WebDev Arena for web development tasks, with availability in third-party platforms including Cursor, GitHub, JetBrains, and Replit.

18:24 Ryan – “I look forward to trying this. My initial attempts with Gemini 2.5 did not go well, but I found a sort of sweet spot in using it for planning and documentation. It’s still much better at coding than any other model that I’ve used. So cool, I look forward to using this.”

19:14 Microsoft, NVIDIA, and Anthropic announce strategic partnerships – The Official Microsoft Blog

• Continuing the messy breakups…
• Anthropic commits to $30 billion in Azure compute capacity, and up to one gigawatt of additional capacity, making this one of the largest cloud infrastructure commitments in AI history. 
• This positions Azure as Anthropic’s primary scaling platform for Claude models.
• NVIDIA and Anthropic are establishing their first deep technology partnership focused on co-design and engineering optimization. 
• Anthropic will optimize Claude models for NVIDIA Grace Blackwell and Vera Rubin systems, while NVIDIA will tune future architectures specifically for Anthropic workloads to improve performance, efficiency, and total cost of ownership.
• Claude models, including Sonnet 4.5, Opus 4.1, and Haiku 4.5, are now available through Microsoft Foundry on Azure, making Claude the only frontier model accessible across all three major cloud platforms (AWS, Azure, GCP). 
• Azure enterprise customers gain expanded model choice beyond OpenAI offerings.
• Microsoft commits to maintaining Claude integration across its entire Copilot family, including GitHub Copilot, Microsoft 365 Copilot, and Copilot Studio.
• This ensures developers and enterprise users can leverage Claude capabilities within existing Microsoft productivity and development workflows.
• NVIDIA and Microsoft are investing up to $10 billion and $5 billion, respectively, in Anthropic as part of the partnership. So yes, that’s a lot of money going back and forth. 
• The combined $15 billion investment represents substantial backing for Anthropic’s continued development and positions all three companies to benefit from Claude’s growth trajectory.

21:57 Jonathan – “I’m wondering what Anthropic’s plan is – what they’re working on in the background – because they have just taken a huge amount of capacity from AWS and their new data center in Northern Indiana, and now another 30 billion in Azure Compute? I guess they’re still building models every day… that’s a lot of money flying around.” 

Cloud Tools  

23:17  Ingress NGINX Retirement: What You Need to Know | Kubernetes Contributors

• Ingress NGINX, one of the most popular Kubernetes ingress controllers that has powered billions of requests worldwide, is being retired in March 2026 due to unsustainable maintenance burden and mounting technical debt. 
• The project has struggled for years with only one or two volunteer maintainers working after hours, and despite its widespread use in hosted platforms and enterprise clusters, efforts to find additional support have failed.
• The retirement stems from security concerns around features that were once considered flexible but are now viewed as vulnerabilities, particularly the snippets annotations that allowed arbitrary NGINX configuration. 
• The Kubernetes Security Response Committee and SIG Network exhausted all options to make the project sustainable before making this difficult decision to prioritize user safety over continuing an undermaintained critical infrastructure component.
• Users should immediately begin migrating to Gateway API, the modern replacement for Ingress that addresses many of the architectural issues that plagued Ingress NGINX. Existing deployments will continue to function and installation artefacts will remain available, but after March 2026, there will be zero security patches, bug fixes, or updates of any kind.
• Alternative ingress controllers are plentiful and listed in Kubernetes documentation, including cloud-provider-specific options and vendor-supported solutions. 
• Users can check if they are affected by running a simple kubectl command to look for pods with the ingress-nginx selector across all namespaces.
• This retirement highlights a critical open source sustainability problem where massively popular infrastructure projects can fail despite widespread adoption when companies benefit from the software but do not contribute maintainer resources back to the community.

24:39 Justin – “I’m actually surprised NGINX didn’t want to pick this up; it seems like an obvious move for F5 to pick up and maintain the Ingress NGINX controller. But what do I know?” 

25:46 Replicate is joining Cloudflare

• Cloudflare acquires Replicate, bringing its 50,000-plus model catalog and fine-tuning capabilities to Workers AI. 
• This consolidates model discovery, deployment, and inference into a single platform backed by Cloudflare’s global network.
• The acquisition addresses the operational complexity of running AI models by combining Replicate’s Cog containerization tool with Cloudflare’s serverless infrastructure. 
• Developers can now deploy custom models and fine-tune without managing GPU hardware or dependencies.
• Existing Replicate APIs will continue functioning without interruption while gaining Cloudflare’s network performance. 
• Workers AI users get access to proprietary models like GPT-5 and Claude Sonnet through Replicate’s unified API alongside open-source options.
• The integration extends beyond inference to include AI Gateway for observability and cost analytics, plus native connections to Cloudflare’s data stack, including R2 storage and Vectorize database. 
• This creates an end-to-end platform for building AI applications with state management and real-time capabilities.
• Replicate’s community features for sharing models, publishing fine-tunes, and experimentation will remain central to the platform. 
• The acquisition positions Cloudflare to compete more directly with hyperscaler AI offerings by combining model variety with edge deployment.

27:09 Ryan – “Cloudflare has been doing kind of amazing things at the edge, which is kind of neat. We’ve had serverless and functions for a while, and definitely options out there that provide much better performance. It’s kind of neat. They’re well-positioned to do that.”

28:02 KubeCon NA 2025 Recap: The Dawn of the AI Native Era | Blog

• KubeCon 2025 marked the industry shift from cloud native to AI native, with CNCF launching the Kubernetes AI Conformance Program to standardize how AI and ML workloads run across clouds and hardware accelerators like GPUs and TPUs. 
• The live demo showed Dynamic Resource Allocation making accelerators first-class citizens in Kubernetes, signaling that AI infrastructure standardization is now a community priority.
• Harness showcased Agentic AI capabilities that transform traditional CI/CD pipelines into intelligent, adaptive systems that learn and optimize delivery automatically. 
  • Their booth demonstrated 17 integrated products spanning CI, CD, IDP, IaCM, security, testing, and FinOps, with particular emphasis on AI-powered pipeline creation and visual workflow design that caught significant attendee interest.
• Security emerged as a critical theme with demonstrations of zero-CVE malware attacks that bypass traditional vulnerability scanners by compromising the build chain itself. 
  • The solution path involves supply chain attestation using SLSA, policy-as-code enforcement, and artifact signing with Sigstore, which Harness demonstrated as native capabilities in their platform.
• Apple introduced Apple Containerization, a framework running Linux containers directly on macOS using lightweight microVMs that boot minimal Linux kernels in under a second. 
  • This combines VM-level security with container speed, creating safer local development environments that could reshape how developers work on Mac hardware.
• The conference emphasized that AI native infrastructure requires intelligent scheduling, deeper observability, and verified agent identity using SPIFFE/SPIRE, with multiple sessions showing practical implementations at scale from companies like Yahoo, managing 8,000 nodes, and Spotify handling a million infrastructure resources.

29:51 Justin – “Everyone has moved on from Kubernetes as the hotness; now it’s all AI, so what are people working on in the AI space?”

AWS 

30:27 AWS Lambda enhances event processing with provisioned mode for SQS event-source mapping

• AWS Lambda now offers provisioned mode for SQS event source mapping, providing 3x faster scaling and 16x higher concurrency (up to 20,000 concurrent executions) compared to the standard polling mode. 
• This addresses customer demands for better control over event processing during traffic spikes, particularly for financial services and gaming companies requiring sub-second latency.
• The new provisioned mode uses dedicated event pollers that customers can configure with minimum and maximum values, where each poller handles up to 1 MB/sec throughput, 10 concurrent invokes, or 10 SQS API calls per second. 
• Setting a minimum number of pollers maintains baseline capacity for immediate response to traffic surges, while the maximum prevents downstream system overload.
• Pricing is based on Event Poller Units (EPUs) charged for the number of pollers provisioned and their duration, with a minimum of 2 event pollers required per event source mapping. 
• Each EPU supports up to 1 MB per second throughput capacity, though AWS has not published specific per-EPU pricing on the announcement.
• The feature is available now in all commercial AWS Regions and can be configured through the AWS Console, CLI, or SDKs. 
• Monitoring is handled through CloudWatch metrics, specifically the ProvisionedPollers metric that tracks active event pollers in one-minute windows.
• This capability enables applications to handle up to 2 GBps of aggregate traffic while automatically scaling down to the configured minimum during low-traffic periods for cost optimization. 
• The enhanced scaling detects growing backlogs within seconds and adjusts poller count dynamically between configured limits.

31:36 Ryan – “Where was this 5 years ago when we were maintaining a logging platform? This would have been very nice!” 

33:30 Amazon EventBridge introduces enhanced visual rule builder  

• EventBridge launches a new visual rule builder that integrates the Schema Registry with a drag-and-drop canvas, allowing developers to discover and subscribe to events from over 200 AWS services and custom applications without referencing individual service documentation. 
• The schema-aware interface helps reduce syntax errors when creating event filter patterns and rules.
• The enhanced builder includes a comprehensive event catalog with readily available sample payloads and schemas, eliminating the need to hunt through documentation for event structures. 
  • This addresses a common pain point: developers previously had to manually locate and understand event formats across different AWS services.
• Available now in all regions where Schema Registry is launched at no additional cost beyond standard EventBridge usage charges. 
  • The feature is accessible through the EventBridge console and aims to reduce development time for event-driven architectures.
• The visual builder particularly benefits teams building complex event-driven applications that need to filter and route events from multiple sources. 
• By providing schema validation upfront, it helps catch configuration errors before deployment rather than during runtime.

34:46 Matt – “I definitely – back in the day – had lots of fun with EventBridge, and trying to make sure I got the schemas right for every frame when you’re trying to trigger one thing from another. So not having to deal with that mess is exponentially better. You know, at this point, though, I feel like I would just tell AI to tell me what the scheme was and solve the problem that way.”

35:43 Application loadbalancer support client credential flow with JWT verification 

• ALB now handles JWT token verification natively at the load balancer layer, eliminating the need for custom authentication code in backend applications. This offloads OAuth 2.0 token validation, including signature verification, expiration checks, and claims validation, directly to the load balancer, reducing complexity in microservices architectures.
• The feature supports Client Credentials Flow and other OAuth 2.0 flows, making it particularly useful for machine-to-machine and service-to-service authentication scenarios. Organizations can now centralize token validation at the edge rather than implementing it repeatedly across multiple backend services.
• This capability is available immediately in all AWS regions where ALB operates, with no additional ALB feature charges beyond standard load balancer pricing. Customers pay only for the existing ALB hourly rates and Load Balancer Capacity Units (LCUs) consumed.
• The implementation reads JWTs from request headers and validates against configured JSON Web Key Sets (JWKS) endpoints, supporting integration with identity providers like Auth0, Okta, and AWS Cognito. 
• Failed validation results in configurable HTTP error responses before requests reach backend targets.
• This addresses a common pain point in API gateway and microservices deployments, where each service previously needed its own token validation logic. 
• The centralized approach reduces code duplication and potential security inconsistencies across service boundaries.

38:40 Jonathan – “Maybe this is kind of a sign that Cognito is not gaining the popularity they wanted. Because effectively, you could re-spin this announcement as Auth0 and Okta are now first-class citizens when it comes to authentication through API Gateway and ALB.”

GCP

39:10 How Protective ReRoute improves network resilience | Google Cloud Blog 

• Google Cloud’s Protective ReRoute (PRR) shifts network failure recovery from centralized routers to distributed endpoints, allowing hosts to detect packet loss and immediately reroute traffic to alternate paths. 
• This host-based approach has reduced inter-datacenter outages from slow network convergence by up to 84 percent since deployment five years ago, with recovery times measured in single-digit multiples of round-trip time rather than seconds or minutes.
• PRR works by having hosts continuously monitor path health using TCP retransmission timeouts, then modifying IPv6 flow-label headers to signal the network to use alternate paths when failures occur. Google contributed this IPv6 flow-label modification mechanism to the Linux kernel version 4.20 and later, making it available as open source technology for the broader community.
• The feature is particularly critical for AI and ML training workloads, where even brief network interruptions can cause expensive job failures and restarts costing millions in compute time. 
• Large-scale distributed training across multiple GPUs and TPUs requires the ultra-reliable data distribution that PRR provides to prevent communication pattern disruptions.
• Google Cloud customers can use PRR in two modes: hypervisor mode, which automatically protects cross-datacenter traffic without guest OS changes, or guest mode for the fastest recovery, requiring Linux kernel 4.20 plus, TCP applications, and IPv6 traffic, or gVNIC driver for IPv4.
• Documentation is available at cloud.google.com/compute/docs/networking for enabling guest-mode PRR on critical workloads.
• The architecture treats the network as a highly parallel system where reliability increases exponentially with available paths rather than degrading serially through forwarding stages. 
• This approach capitalizes on Google’s network path diversity to protect real-time applications, frequent short-lived connections, and data integrity scenarios where packet loss causes corruption beyond just throughput reduction.

40:57 Ryan – “I was trying to think how I would even implement something like this in guest mode because it breaks my head. It seems pretty cool, and I’m sure that from an underlying technology at the infrastructure level, from the Google network, it sounds pretty neat. But it’s also the coordination of that failover seems very complex. And I would worry.”

41:54 Introducing the Emerging Threats Center in Google Security Operations | Google Cloud Blog

• Google Security Operations launches the Emerging Threats Center, a Gemini-powered detection engineering system that automatically generates security rules when new threat campaigns emerge from Google Threat Intelligence, Mandiant, and VirusTotal. 
• The system addresses a key pain point where 59% of security leaders report difficulty deriving actionable intelligence from threat data, typically requiring days or weeks of manual work to assess organizational exposure.
• The platform provides two critical capabilities for security teams during major threat events: it automatically searches the previous 12 months of security telemetry for campaign-related indicators of compromise and detection rule matches, while also confirming active protection through campaign-specific detections. 
  • This eliminates the manual cross-referencing process that traditionally occurs when zero-day vulnerabilities emerge.
• Under the hood, the system uses an agentic workflow where Gemini ingests threat intelligence from Mandiant incident response and Google’s global visibility, generates synthetic event data mimicking adversary tactics, tests existing detection rules for coverage gaps, and automatically drafts new rules when gaps are found. Human security analysts maintain final approval before deployment, transforming detection engineering from a best-effort manual process into a systematic automated workflow.
• The Emerging Threats Center is available today for licensed Google Security Operations customers, though specific pricing details were not disclosed in the announcement. 
• Organizations with high-volume security operations like Fiserv are already using the behavioral detection capabilities to move beyond single indicators toward systematic adversary behavior detection.

44:40 Jonathan – “I see this as very much a CrowdStrike-type AI solution for Google Cloud, in a way. Looking at the data, you’re identifying emerging threats, which is what CrowdStrike’s sales point really is, and then implementing controls to help quench that.” 

47:56 Introducing Dhivaru and two new connectivity hubs | Google Cloud Blog

• Google is investing in Dhivaru, a new Trans-Indian Ocean subsea cable connecting the Maldives, Christmas Island, and Oman, extending the Australia Connect initiative to improve regional connectivity. 
• The cable system aims to support growing AI service demand like Gemini 2.5 Flash and Vertex AI by providing resilient infrastructure across the Indian Ocean region.
• The announcement includes two new connectivity hubs in the Maldives and Christmas Island that will provide three core capabilities: cable switching for automatic traffic rerouting during faults, content caching to reduce latency by storing popular content locally, and colocation services offering rack space to carriers and local companies. 
  • These hubs are positioned to serve Africa, the Middle East, South Asia, and Oceania with improved reliability.
• Google emphasizes the energy efficiency of subsea cables compared to traditional data centers, noting that connectivity hubs require significantly less power since they focus on networking and localized storage rather than compute-intensive AI and cloud workloads. 
• The company is exploring ways to use power demand from these hubs to accelerate local investment in sustainable energy generation in smaller locations.
• The connectivity hubs will provide strategic benefits by minimizing the distance data travels before switching paths, which improves resilience and reduces downtime for services across the region. 
  • This infrastructure investment aims to strengthen local economies while supporting Google’s objective of serving content from locations closer to users and customers.
• The project represents Google’s continued infrastructure expansion to meet long-term demand driven by AI adoption rates that are outpacing predictions, with partnerships including Ooredoo Maldives and Dhiraagu supporting the Maldives hub deployment.

49:38 Matthew – “I had to look up one connectivity hub, which is literally just a small little data center that just kind of handles basic networking and storage – and nothing fancy, which is interesting that they’re putting the two connectivity hubs. They’re dropping these hubs where all their cables terminate. So they are able to cache stuff at each location, which is always interesting.”

Azure

51:46 Infinite scale: The architecture behind the Azure AI superfactory – The Official Microsoft Blog 

• Microsoft announces its second Fairwater datacenter in Atlanta, connecting it to the Wisconsin site and existing Azure infrastructure to create what they call a planet-scale AI superfactory. 
• The facility uses a flat network architecture to integrate hundreds of thousands of NVIDIA GB200 and GB300 GPUs into a unified supercomputer for training frontier AI models.
• The datacenter achieves 140kW per rack power density through closed-loop liquid cooling that uses water equivalent to 20 homes annually and is designed to last 6-plus years without replacement. 
• The two-story building design minimizes cable lengths between GPUs to reduce latency, while the site secures 4×9 availability power at 3×9 cost by relying on resilient grid power instead of traditional backup systems.
• Each rack houses up to 72 NVIDIA Blackwell GPUs connected via NVLink with 1.8TB GPU-to-GPU bandwidth and 14TB pooled memory per GPU. 
  • The facility uses a two-tier Ethernet-based backend network with 800Gbps GPU-to-GPU connectivity running on SONiC to avoid vendor lock-in and reduce costs compared to proprietary solutions.
• Microsoft deployed a dedicated AI WAN backbone with over 120,000 new fiber miles across the US last year to connect Fairwater sites and other Azure datacenters. 
  • This allows workloads to span multiple geographic locations and enables dynamic allocation between training, fine-tuning, reinforcement learning, and synthetic data generation based on specific requirements.
• The architecture addresses the challenge that large training jobs now exceed single-facility power and space constraints by creating fungibility across sites. 
• Customers can segment traffic across scale-up networks within sites and scale-out networks between sites, maximizing GPU utilization across the combined system rather than being limited to a single datacenter.

55:25 Private Preview: Azure HorizonDB