Pentagon · strix.ai
This is a story about a company backed by Andreessen Horowitz, holding active Department of Defense contracts
Compiled by KHAO Editorial — aggregated from 3 outlets.
Some vulnerabilities are subtle.
Key facts
- This is a story about a company backed by Andreessen Horowitz, holding active Department of Defense contracts, that had no authorization on its API
- A platform serving military training data with no authorization layer on its API is a foundational failure and a massive OPSEC risk
- Think immersive 3D simulations for naval personnel, Army grenadiers, Air Force operators, and defense contractors
- At Strix they are not lawyers, but they would be surprised if this does not constitute a reportable incident
Summary
This is a story about a company backed by Andreessen Horowitz, holding active Department of Defense contracts, that had no authorization on its API. With an ordinary account, Strix could access users, organizations, courses, training metadata, and direct document links across tenants. Schemata is an AI-powered virtual training platform for the military and defense sector. The team has been building Strix, an open-source autonomous AI hacking agent that dynamically tests applications, validates vulnerabilities through real exploitation, and produces working proof-of-concept reports. The team heard about Schemata and assumed that, as a DoD contractor handling military training data, it would be a useful benchmark for the latest version of Strix.
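The failure described above is authentication without authorization: a logged-in account can fetch any tenant's record by id. As an added example, not code from Strix or Schemata, the snippet below puts an unscoped lookup beside a tenant-scoped one over constructed course records; the resource names, org ids and URLs are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str  # the tenant the authenticated caller belongs to

# Constructed sample data: two tenants, each owning one course and one document link.
COURSES = {
    "course-1": {"org_id": "org-navy", "title": "Bridge watch simulation",
                 "document_url": "https://example.invalid/docs/course-1.pdf"},
    "course-2": {"org_id": "org-contractor", "title": "Grenadier drill",
                 "document_url": "https://example.invalid/docs/course-2.pdf"},
}

class Forbidden(Exception):
    pass

def get_course_unscoped(caller: Principal, course_id: str) -> dict:
    """The failure mode on this page: the caller is authenticated, but the
    handler never asks whether the record belongs to the caller's tenant."""
    return COURSES[course_id]

def get_course_scoped(caller: Principal, course_id: str) -> dict:
    """Hardened form: resolve the record, then enforce tenant ownership before
    returning it. Missing and foreign records get the same refusal."""
    record = COURSES.get(course_id)
    if record is None or record["org_id"] != caller.org_id:
        raise Forbidden(f"{caller.user_id} may not read {course_id}")
    return record

def list_courses_scoped(caller: Principal) -> list[str]:
    """Collection endpoints need the same filter: a per-object check on
    GET /courses/{id} is undone if GET /courses enumerates every tenant's ids."""
    return sorted(cid for cid, rec in COURSES.items() if rec["org_id"] == caller.org_id)

def cross_tenant_read_blocked(caller: Principal, course_id: str) -> bool:
    """Regression check for a test suite: True when the scoped handler refuses
    a record owned by another tenant, False if it leaks."""
    try:
        get_course_scoped(caller, course_id)
    except Forbidden:
        return True
    return False
```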