gcp

At Google Cloud, we empower businesses to accelerate their generative AI innovation cycle by providing a path from prototype to production. Palo Alto Networks, a global cybersecurity leader, partnered with Google Cloud to develop an innovative security posture control solution that can answer complex “how-to” questions on demand, provide deep insights into risk with just a few clicks, and guide users through remediation steps. 

Using advanced AI services, including Google’s Gemini models and managed Retrieval Augmented Generation (RAG) services such as Google Cloud’s Vertex AI Search, Palo Alto Networks had an ideal foundation for building and deploying gen AI-powered solutions. 

The end result was Prisma Cloud Co-pilot, the Palo Alto Networks Prisma Cloud gen AI offering. It helps simplify cloud security management by providing an intuitive, AI-powered interface to help understand and mitigate risks.

Technical challenges and surprises 

The Palo Alto Networks Prisma Cloud Co-pilot journey began in 2023 and launched in October 2024. During this time, Palo Alto Networks witnessed Google’s AI models evolve rapidly, from Text Bison (PaLM) to Gemini Flash 1.5. That rapid pace of innovation meant that each iteration brought new capabilities, necessitating a development process that could quickly adapt to the evolving landscape. 

To effectively navigate the dynamic landscape of evolving gen AI models, Palo Alto Networks established robust processes that proved invaluable to their success:

• Prompt engineering and management: Palo Alto Networks used Vertex AI to help manage prompt templates and built a diverse prompt library to generate a wide range of responses. To rigorously test each new model’s capabilities, limitations, and performance across various tasks, Palo Alto Networks and Google Cloud team systematically created and updated prompts for each submodule. Additionally, Vertex AI’s Prompt Optimizer helped streamline the tedious trial-and-error process of prompt engineering.
• Intent recognition: Palo Alto Networks used the Gemini Flash 1.5 model to develop an intent recognition module, which efficiently routed user queries to the relevant co-pilot component. This approach provided users with many capabilities through a unified and lightweight user experience.

• Input guardrails: Palo Alto Networks created guardrails as a first line of defense against unexpected, malicious, or simply incorrect queries that could compromise the functionality and experience of the chatbot. These guardrails maintain the chatbot’s intended functionality by preventing known prompt injection attacks, such as circumventing system instructions; and restricting chatbot usage to its intended scope. Guardrails were created to detect if user queries are restricted to responses within the predefined domain of general cloud security, risks, and vulnerabilities to prevent unintended use. Any topics outside this scope did not receive a response from the chatbot. Additionally, since the chatbot was designed for proprietary code generation for Palo Alto Networks systems to query internal systems, requests for general-purpose code generation similarly did not receive a response.

• Evaluation dataset curation: A robust and representative evaluation dataset serves as a foundation to accurately and quickly assess the performance of gen AI models. The Palo Alto Networks team took great care to choose high-quality evaluation data and keep it relevant by constantly refreshing it with representative questions and expert-validated answers. The accuracy and reliability of the evaluation dataset was sourced and validated directly from Palo Alto Networks subject matter experts.

• Automated evaluation: In collaboration with Google Cloud, Palo Alto Networks developed an automated evaluation pipeline using Vertex AI’s gen AI evaluation service. This pipeline allowed Palo Alto Networks to rigorously scale their assessment of different gen AI models, and benchmark those models using custom evaluation metrics while focusing on key performance indicators such as accuracy, latency, and consistency of responses. 

• Human evaluator training and red teaming: Palo Alto Networks invested in training their human evaluation team to identify and analyze specific loss patterns and provide detailed answers on a broad set of custom rubrics. This allowed them to pinpoint where a model’s response was inadequate and provide insightful feedback on model performance, which then guided model selection and refinement.

  The team also conducted red teaming exercises focused on key areas, including:

  • Manipulating the co-pilot: Can the co-pilot be tricked into giving bad advice by feeding it false information?
  • Extracting sensitive data: Can the co-pilot be manipulated into revealing confidential information or system details?
  • Bypassing security controls: Can the co-pilot be used to craft attacks that circumvent existing security measures?
• Load testing: To ensure the gen AI solutions met real-time demands, Palo Alto Networks actively load tested them, working within the pre-defined QPM (query per minute) and latency parameters of Gemini models. They simulated user traffic scenarios to find the optimal balance between responsiveness and scalability using provisioned throughput, which helped ensure a smooth user experience even during peak usage.

Operational and business challenges 

Operationalizing gen AI can introduce complex challenges across multiple functions, especially for compliance, legal, and information security. Evaluating ROI for gen AI solutions also requires new metrics. To address these challenges, Palo Alto Networks implemented the following techniques and processes:

• Data residency and regional ML processing: Since many Palo Alto Networks customers need a regional approach for ML processing capabilities, we prioritized regional machine learning processing to help enable customer compliance with data residency needs and regional regulations, if applicable.

  Where Google does not offer an AI data center that matched Prisma Cloud data center locations, customers were able to choose having their data processed in the U.S. before gaining access to the Prisma Cloud Co-pilot. We implemented strict data governance policies and used Google Cloud’s secure infrastructure to help safeguard sensitive information and uphold user privacy.

• Deciding KPIs and measuring success for gen AI apps: The dynamic and nuanced nature of gen AI applications demands a bespoke set of metrics tailored to capture its specific characteristics and comprehensively evaluate its efficacy. There are no standard metrics that work for all use cases. The Prisma Cloud AI Co-pilot team relied on technical and business metrics to measure how well the system was operating. 

• Technical metrics, such as recall, helped to measure how thoroughly the system fetches relevant URLs when answering questions from documents, and to help increase the accuracy of prompt responses and provide source information for users. 

• Customer experience metrics, such as measuring helpfulness, relied on explicit feedback and telemetry data analysis. This provided deeper insights into user experience that resulted in increased productivity and cost savings.

Given customer concerns, enterprises must prioritize clear communication around data usage, storage, and protection.  By collaborating  with legal and information security teams early on to create transparency in marketing and product communications, Palo Alto Networks was able to build customer trust and help ensure they have a clear understanding of how and when  their data is being used. 

Ready to get started with Vertex AI ?

The future of generative AI is bright, and with careful planning and execution, enterprises can unlock its full potential. Explore your organization’s AI needs through practical pilots in Vertex AI, and rely on Google Cloud Consulting for expert guidance.

• Learn more about Vertex AI customer use cases and stories.

• Dive into our generative AI repository and explore tuning notebooks and samples.

Your customers might not all speak the same language. If you operate internationally or serve a diverse customer base, you need your chatbot to meet them where they are – whether they’re searching for something in Spanish or Japanese. If you want to give your customers multilingual support with chatbots, you’ll need to orchestrate multiple AI models to handle diverse languages and technical complexities intelligently and efficiently. Customers expect quick, accurate answers in their language, from simple requests to complex troubleshooting.

To get there, developers need a modern architecture that can leverage specialized AI models – such as Gemma and Gemini – and a standardized communication layer so your LLM models can speak the same language, too.  Model Context Protocol, or MCP, is a standardized way for AI systems to interact with external data sources and tools. It allows AI agents to access information and execute actions outside their own models, making them more capable and versatile. Let’s explore how we can build a powerful multilingual chatbot using Google’s Gemma, Translation LLM and Gemini models, orchestrated via MCP.

The challenge: Diverse needs, one interface

Building a truly effective support chatbot might be challenging for a few different reasons:  

1. Language barriers: Support needs to be available in multiple languages, requiring high-quality, low-latency translation.

2. Query complexity: Questions range from simple FAQs (handled easily by a basic model) to intricate technical problems demanding advanced reasoning.

3. Efficiency: The chatbot needs to respond quickly without getting bogged down, especially when dealing with complex tasks or translations.

4. Maintainability: As AI models evolve and business needs change, the system must be easy to update without requiring a complete overhaul.

Trying to build a single, monolithic AI model to handle everything is often inefficient and complex. A better approach? Specialization and smart delegation.

MCP architecture for harnessing different LLMs

The key to making these specialized models work together effectively is MCP. MCP defines how an orchestrator (like our Gemma-powered client) can discover available tools, request specific actions (like translation or complex analysis) from other specialized services, pass necessary information (the “context”), and receive results back. It’s the essential plumbing that allows our “team” of AI models to collaborate. Here’s a framework for how it works with the LLMs:

• Gemma: The chatbot uses a versatile LLM like Gemma to manage conversations, understand user requests, handle basic FAQs, and determine when to utilize specialized tools for complex tasks via MCP.

• Translation LLM server: A dedicated, lightweight MCP server exposing Google Cloud’s Translation capabilities as a tool. Its sole focus is high-quality, fast translation between languages, callable via MCP.

• Gemini: A specialized MCP server uses Gemini Pro or similar LLM for complex technical reasoning and problem-solving when invoked by the orchestrator.

• Model  Context Protocol:This protocol will allow Gemma to discover and invoke the Translation and Gemini “tools” running on their respective servers.

How it works

Let’s walk through an example non-English language scenario:

1. A technical question arrives: A customer types a technical question into the chat window, but it’s in French.

2. Gemma receives the text: The Gemma-powered client receives the French text. It recognizes the language isn’t English and determines translation is needed.

3. Gemma calls on Translation LLM: : Gemma uses the MCP connection to send the French text to the Translation LLM Server, requesting an English translation.

4. Text is translated: The Translation LLM Server performs the translation via its MCP-exposed tool and sends the English version back to the client.

This architecture offers broad applicability. For example, imagine a financial institution’s support chatbot where all user input, regardless of the original language, must be preserved in English in real time for fraud detection. Here, Gemma operates as the client, while Translation LLM, Gemini Flash, and Gemini Pro function on the server. In this configuration, the client-side Gemma manages multi-turn conversations for routine inquiries and intelligently directs complex requests to specialized tools. As depicted in the architectural diagram, Gemma manages all user interactions within a multi-turn chat. A tool leveraging Translation LLM can translate user queries and concurrently save them for immediate fraud analysis. Simultaneously, Gemini Flash and Pro models can generate responses based on the user’s requests. For intricate financial inquiries, Gemini Pro can be employed, while Gemini Flash can address less complex questions.

Let’s look at this sample GitHub repo that illustrates how this architecture works.

Why this is a winning combination

This is a powerful combination because it’s designed for both efficiency and how easily you can adapt it.

The main idea is splitting up the work. The Gemma model based client that users interact with stays light, handling the conversation and sending requests where they need to go. Tougher jobs, like translating or complex thinking, are sent to separate LLMs built specifically for those tasks. This way, each piece does what it’s best at, making the whole system perform better.

A big plus is how this makes things easier to manage and more flexible. Because the parts connect with a standard interface (the MCP), you can update or swap out one of the specialized LLMs – maybe to use a newer model for translation – without having to change the Gemma client. This makes updates simpler, reduces potential headaches, and lets you try new things more easily. You can use this kind of setup for things like creating highly personalized content, tackling complex data analysis, or automating workflows more intelligently.

Get started 

Ready to build your own specialized, orchestrated AI solutions?

• Explore the code: Clone the GitHub repository for this project and experiment with the client and server setup.

• Learn more about the models and MCP: 

• Gemma open models

• Gemini models on Vertex AI

• Google Cloud Translation LLM

• Model Context Protocol (MCP) documentation

We’re thrilled to share that Google Cloud Spanner has been recognized by Gartner in the Critical Capabilities for Cloud Database Management Systems for Operational Use Cases report, where it was ranked #1 in the Lightweight Transactions Use Case and was ranked #3 in the OLTP Transactions Use Case and the Application State Management Use Case. This recognition showcases Spanner’s strength and versatility to handle the most demanding workloads.

Check out the full Gartner report.

Beyond traditional transactions: Expanding capabilities

We believe the Gartner recognition isn’t just about raw performance. We feel it’s about Spanner’s comprehensive feature set, which is designed to address the complex needs of modern enterprises. Beyond its renowned transactional consistency and global scalability, Spanner offers a powerful multi-model experience, seamlessly integrating the graph, full-text, and vector search functionality required by modern applications. 

• Graph database functionality: Spanner’s ability to model and query relationships makes it a strong fit for applications requiring graph analysis, such as social networks, fraud detection, and recommendation engines.

• Full-text search: Integrated full-text search capabilities enable efficient retrieval of unstructured data, powering features like product catalogs, content management systems, and knowledge bases.

• Vector search: With the rise of AI and machine learning, Spanner’s vector search capabilities facilitate similarity searches, enabling applications like image recognition, semantic search, and personalized recommendations.

This flexibility allows developers to build diverse applications on a single platform that provides dynamic elasticity combined with operational efficiency without the complexity of managing multiple specialized databases.

A truly global service: Transactions and analytics combined

Spanner’s global footprint helps ensure low latency and high availability for transactional workloads, regardless of a user’s location. But its power extends beyond transactions. Spanner’s deep integration with BigQuery allows for federated queries, enabling real-time analytics on transactional data without the need for complex ETL processes. This integration also supports reverse ETL from BigQuery, allowing you to push analytical insights back into Spanner for operational use.

Real-world impact: Customer success stories

The true testament to Spanner’s capabilities is its impact on our customers. Here’s a sampling of how it’s being used in the field:

• Spanner’s high availability, external consistency, and infinite horizontal scalability made it the ideal choice for Deutsche Bank’s business critical application for online banking.

• By consolidating all user data with the exception of logs to a single database for development, COLOPL has eliminated the scalability constraints that occurred when using horizontally and vertically partitioned databases for large-scale services.

• With Spanner’s fully-managed relational database, Kroger has been able to build a true event-driven ledger, which enables the company to capture unique events to make better-informed decisions about how to direct associates to be more productive.

Looking ahead

We believe Spanner’s recognition in the Gartner Critical Capabilities report reinforces Google’s position in the Cloud Database Management Systems market. We’re committed to continuing to innovate and expand Spanner’s capabilities, empowering our customers to build the next generation of mission-critical applications.

Whether you need a database for global transactions, multi-model applications or real-time analytics, Spanner is the solution you can rely on. Sign up for a free Spanner trial account and experience the power of multi-model Spanner today.

^{Gartner Critical Capabilities for Cloud Database Management Systems for Operational Use Cases, Ramke Ramakrishnan, Henry Cook, Xingyu Gu, Masud Miraz, Aaron Rosenbaum, 18 December, 2024.}

^{GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. in the U.S. and internationally and is used herein with permission. All rights reserved. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Google. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.}

It’s a core part of our mission at Google Cloud to help you meet your evolving policy, compliance, and business objectives. To help further strengthen the security of your cloud environment, we continue regular delivery of new security controls and capabilities on our cloud platform.

We announced at Google Cloud Next multiple new capabilities in our IAM, Access Risk, and Cloud Governance portfolio. Our announcements covered a wide range of new product capabilities and security enhancements in Google Cloud, including:

• Identity and Access Management (IAM)

• Access Risk products including VPC Service Controls, Context-Aware Access and Identity Threat Detection and Response

• Cloud Governance with Organization Policy Service

• Resource Management

We also announced new AI capabilities to help cloud developers and operators at every step of the application lifecycle. These new capabilities take an application-centered approach and embed AI assistance throughout the application development lifecycle, driven by new features in Gemini Code Assist and Gemini Cloud Assist.

What’s new in Identity and Access Management

Workforce Identity Federation

Workforce Identity Federation extends Google Cloud’s identity capabilities to support syncless, attribute-based single sign on. Over 95% of Google Cloud products now support Workforce Identity Federation.We also released support for FedRAMP High government requirements to help manage and satisfy compliance mandates. 

Enhanced security for non-human identities

With the rise of microservices and the popularity of multicloud deployments, non-human and workload identities are growing rapidly, much faster than human identities. Many large enterprises now have between 10 and 45 times more non-human identities than human (user) identities, often with expansive permissions and privileges. 

Securing non-human identities is a key goal for Google Cloud, and we are announcing two new capabilities to enhance authorization and access protection:

• Keyless access to Google Cloud APIs using X.509 certificates, to further strengthen workload authentication.

• Managed Workload Identities (in preview) based on the Secure Production Identity Framework For Everyone (SPIFFE) standard, enabling secure identification, authentication, and mutual TLS (mTLS) encryption for workload to workload communication (such as with Google Compute Engine and Google Kubernetes Engine).

Cloud Infrastructure Entitlement Management (CIEM) for multicloud

Across the security landscape, we are contending with the problem of excessive and often unnecessary widely-granted permissions. At Google Cloud, we work to proactively address the permission problem with tools that can help you control permission proliferation, while also providing comprehensive defense across all layers. 

Cloud Infrastructure Entitlement Management (CIEM), our key tool for addressing permission issues, is now available for Azure (in preview) and generally available for Google Cloud and AWS. 

IAM Admin Center

We also announced IAM Admin Center , a single pane of glass experience that is customized to your role, showcasing recommendations, notifications, and active tasks. You can also launch into other services directly from the console. 

IAM Admin Center will provide organization administrators and project administrators a unified view to discover, learn, test, and use IAM capabilities. It’ll provide contextual discovery of features, enable focus on day to day tasks, and offer curated guides for getting started and resources for continuous learning. 

You can sign-up here to request access.

Enhancements to existing IAM features

Additionally, other IAM features grew in coverage and in feature depth.

• Previously, we announced IAM Deny and Principal access boundary (PAB) policies, powerful mechanisms to set policy-based guardrails on access to resources. As these important controls continue to grow in service coverage and adoption, now there is a need for tooling to simplify planning and visualize impact.

  To address this, we released in preview a Deny simulator, a PAB simulator and a troubleshooter (for both).

• Privileged Access Manager (PAM) now has multi-level approval: up to two levels and multiple principals at each level. We also announced grant customization to scope entitlement grants only to the required subset of folders, projects, resources & roles. 

What’s new with Access Risk

Comprehensive security demands continuous monitoring and control even with authenticated users and workloads equipped with the right permissions and engaged in active sessions. Google Cloud’s access risk portfolio brings dynamic capabilities that layer additional security controls around users, workloads, and data.

Enhanced access and session security

Today, you can use Context-Aware Access (CAA) to secure access to Google Cloud based on attributes including user identity, network, location, and corporate-managed devices. 

Coming soon, CAA will be further enhanced with Identity Threat Detection and Response (ITDR) capabilities, using numerous activity signals, such as activity from a suspicious source or a new geo location, to automatically identify risky behavior, and trigger further security validations using mechanisms such as multi-factor authentication (MFA), re-authentication, or denials.

We also announced automatic re-authentication, which triggers a re-authentication request when users perform highly-sensitive actions such as updating billing accounts. This will be enabled by default, and while you can opt-out we strongly recommend you keep it turned on.

Expanded coverage for VPC Service Controls

VPC Service Controls lets you create perimeters that protect your resources and data, and for services that you explicitly specify. To speed up diagnosis and troubleshooting when using VPC Service Controls, we launched Violation Analyzer and Violation Dashboard to help you diagnose an access denial event.

What’s new in Cloud Governance with Organization Policy Service

Expanded coverage for Custom Organization Policy 

Google Cloud’s Organization Policy Service gives you centralized, programmatic control over your organization’s resources. Organization Policy already provides predefined constraints, but for greater control you can create custom organization policies. Custom organization policy has now expanded service coverage, with 62 services supported.

Google Cloud Security Baseline

Google Cloud strives to make good security outcomes easier for customers to achieve. As part of this continued effort, we are releasing an updated and stronger set of security defaults, our Google Cloud Security Baseline. These were rolled out to all new customers last year — enabled by default — and based on positive feedback, we are now recommending them to all existing customers. 

Starting this year, existing customers are seeing recommendations in their console to adopt the Google Cloud Security Baseline. You also have access to a simulator that tests how these constraints will impact your current environment.

What’s new with resource management

App-enablement with Resource Manager 

We also extended our application centric approach to Google Cloud’s Resource Manager. App-enabled folders, now in preview, streamline application management by organizing services and workloads into a single manageable unit, providing centralized monitoring and management, simplifying administration, and providing an application-centric view. 

You can now enable application management on folders in a single step. 

Learn more

To learn more, you can view the Next ‘25 session recording with an overview of these announcements.

Recently at Google Cloud Next 25, we announced our latest Cross-Cloud Network innovation: Cloud WAN, a fully managed, reliable, and secure solution to transform enterprise wide area network (WAN) architectures. Today, we continue our series of deep dives into the technologies powering Cloud WAN, namely Premium Tier networking and the Verified Peering Provider program. 

The ever-changing enterprise network

The evolution of enterprise WANs is marked by a significant shift from primarily connecting branches and headquarters to managing a growing volume of traffic directed towards the internet, cloud-based services, and Software-as-a-Service (SaaS) applications. In this transformed landscape, achieving consistent end-to-end reliability has become a paramount concern for organizations.

However, ensuring end-to-end reliability with traditional WAN architectures can often be costly and complex. The integration of solutions from multiple vendors can escalate both expenses and operational intricacy. Furthermore, the common practice of overprovisioning network resources to guarantee reliability adds a significant financial burden. The reliance on multiple internet hops to reach cloud services can introduce latency and result in unpredictable service level agreements (SLAs). Compounding these challenges, fluctuating bandwidth demands make effective cost management increasingly difficult.

In essence, traditional WAN architectures present substantial hurdles to obtaining consistent end-to-end reliability in a cost-effective, manageable, and predictable manner, especially as businesses accelerate their adoption of cloud and SaaS solutions.

Cloud WAN: Global connectivity for distributed enterprises

Cloud WAN offers a single, fully managed network solution for reliable, any-to-any connectivity. It leverages Google’s high-performance global network — the same infrastructure that connects over a billion users daily to services like YouTube, Search, Maps, and Workspace — to connect enterprise sites, cloud applications, data centers, and users. 

Cloud WAN enables a high-performance and consistently reliable architecture through: 

• Premium Tier: Google’s high performance global backbone ensures reliable traffic delivery within the Google network and all internet-bound traffic between Google services and the internet

• Verified Peering Provider (VPP) Program: This program ensures reliable, high-quality internet connectivity between the enterprise and Google networks.

The following sections will explore how these components work together to create a strong, dependable, and efficient WAN.

Premium Tier: a high-performance backbone

With Premium Tier, ingress user traffic enters Google’s network using Anycast at the edge point of presence (PoP) that is optimized for the user location. This traffic is carried over Google’s backbone to the relevant application hosted in any Google Cloud region. For outbound traffic, a peering location near the destination ISP is selected to avoid congestion on peering links. This sends outgoing packets along Google’s backbone for the bulk of their journey, and the traffic egresses near the destination, for the highest reliability. Google Cloud’s network is engineered and provisioned so that there are at least three independent paths (N+2 redundancy) between Google Cloud regions, providing availability even in the case of fiber issues or an unplanned outage. 

Traffic travels from the peering PoP to the end-user via an internet service provider’s (ISP) network. When the ISP participates in Google’s Verified Peering Provider (VPP) program, that means that Google has pre-validated their redundant and diverse connectivity to Google’s global network, providing a more reliable experience for the customer.

Key benefits of Premium Tier include:

• Global reach: Connectivity with 42 regions, 200+ network edge locations worldwide, 2M+ miles of fiber, and 33 subsea cable investments

• Enhanced performance: Cross-Cloud Network provides up to 40% improved performance compared to the public internet¹

• High reliability: Backed by a 99.99% uptime SLA, providing peace of mind for critical applications

• Security: Security services such as encryption for data at rest and in transit, and DDoS protection are turned on by default 

• Predictable pricing: Starting in 2H’25, we will offer committed use discounts for Premium Tier and Standard Tier internet data transfers

“Google Cloud’s Premium Tier network provides exceptional global reachability and consistent low latency for Snap’s 450M daily active users, enabling reachability in many countries being served from Google cloud regions. Google Cloud’s low inter-region latency helps Snap ensure a responsive real-time user experience, which is critical for excellent user experience. The superior network performance including low latency across cloud providers is the primary reason why Snap chose to use Google Cloud.” – Mahmoud Ragab, Manager Software Engineering, Snap

Verified Peering Provider: Simple and reliable connectivity

The Verified Peering Provider program recognizes ISPs who have demonstrated high-quality, diverse, and reliable connectivity to Google’s network. Google Cloud customers can choose to reach Google’s services through these ISPs to access all publicly accessible Google services. 

Choosing a Verified Peering Provider provides several benefits to Google Cloud customers:

• Simplified and reliable connectivity: Choosing a Verified Peering Provider simplifies Google connectivity by identifying ISPs that offer internet services optimized for enterprises. Customers who choose to connect with a Verified Peering Provider aren’t required to meet Google’s peering requirements, leaving the complexities of peering arrangements to the ISPs. 
• Stable internet latency: The program’s peering redundancy requirements help ensure that participating ISPs can maintain diverse paths to Google’s network across physically separated network locations, minimizing single points of failure. This design helps keep latency stable and predictable during planned network maintenance or unexpected outages.

• Ease of locating a well-connected ISP: Customers often struggle to locate an ISP with diverse and reliable connectivity to Google’s network, or understand where an ISP’s network is connected to Google. The Verified Peering Provider program discloses the locations where an ISP is connected to Google, allowing customers to select the ISP that is closest to their workloads. 

Expanding the Verified Peering Provider program

With Cloud WAN, we also expanded the Verified Peering Provider program. Since its launch last year, the program has successfully enrolled more than 40 ISPs across 50 metropolitan areas, spanning North America, Europe, Latin America, and the Asia Pacific region. These partnerships have been crucial in enhancing the Google Cloud experience for our users, offering simplified connectivity solutions to access publicly accessible Google services.

Building on this momentum, we are broadening VPP enrollment eligibility to additional ISPs worldwide. We encourage all interested ISPs to review the technical criteria and begin the enrollment process.

The foundation of a tomorrow’s enterprise network

Together, Premium Tier and the Verified Peering Provider program enable Cloud WAN with high-performance, reliable, and secure connectivity to Google Cloud resources and the broader internet.

Premium Tier helps ensure that traffic between the internet and Google Cloud stays on Google’s high-performance global network, as close to the user as possible, maximizing reliability and performance. This is crucial for globally distributed enterprises that require consistent application performance and user experience across different regions. 

The Verified Peering Provider program works alongside Premium Tier, signaling that the ISPs connecting to Google have reliable and redundant connectivity from Enterprise branches to Google’s global network. By choosing a Verified Peering Provider, you get simplified, enterprise-ready connectivity using the ISP’s existing connection to Google — plus access to its SLAs and support offerings.

By combining Premium Tier and a Verified Peering Provider, enterprises can achieve end-to-end:

• Improved performance: Higher bandwidth for faster application response times

• Enhanced reliability: Increased network uptime with consistent user experience 

• Simplified management: Streamlined network operations and reduced complexity

The demand for reliable and efficient enterprise network connectivity will only continue to grow with the emergence of AI. By leveraging Cloud WAN, enterprises can upgrade their networks and unlock the potential of cloud-based applications and services. Learn more about Cloud WAN on the Cross-Cloud Network solution page, and read the first blog in our Cloud WAN deep dive series on NCC Gateway. 

^{1. During testing, network latency was more than 40% lower when traffic to a target traveled over the Cross-Cloud Network compared to when traffic to the same target traveled across the public internet.}

At Next ’25, we introduced several new innovations within BigQuery, the autonomous data to AI platform. BigQuery ML provides a full range of AI and ML capabilities, enabling you to easily build generative AI and predictive ML applications with BigQuery. The new AI and ML capabilities from BigQuery ML include: 

• a new state-of-the-art pre-trained forecasting model (TimesFM) which drastically simplifies forecasting problems

• support for generating or extracting structured data with large language models (LLMs)

• a set of new row-wise inference functions enabling you to mix gen AI processing with standard SQL

• expanded model choice with Gemini and OSS models

• the general availability of the Contribution Analysis feature, useful for explaining changes in your business metrics

Let us explore these new capabilities.

1. TimesFM forecasting model in BigQuery

Accurate time series forecasting is essential for many business scenarios such as planning, supply chain management, and resource allocation. BigQuery now embeds TimesFM, a state-of-the-art (SOTA) pre-trained model from Google Research, enabling powerful forecasting via the simple AI.FORECAST function. Trained on over 100 billion real-world time-points, TimesFM provides impressive zero-shot forecasting accuracy across various real world domains and at different granularities without requiring you to train or tune on your data. 

Key benefits of TimesFM in BigQuery include:

• Managed and scalable: A fully managed, highly scalable forecasting engine within BigQuery.

• Easy forecasting: Generate forecasts for one or millions of time series in a single query – no model training required.

Here’s a basic example of creating a forecast using the new AI.FORECAST function with TimesFM: 

SQL

SELECT * FROM AI.FORECAST(
  TABLE dataset.table,
  data_col => "data",
  timestamp_col => "timestamp",
  model => "TimesFM 2.0",
  horizon => 30
)

This query forecasts the “data” column for the next 30 time units, using “timestamp” as the time identifier. Please see the documentation for more details.

2. Structured data extraction and generation with LLMs

Extracting structured information consistently from unstructured data such as customer reviews, emails, logs etc. can be complex. BigQuery’s new AI.GENERATE_TABLE function simplifies structured data extraction/generation using the constrained decoding capabilities of LLMs. This function takes a model, a table of input data and an output_schema as inputs and outputs a table whose schema is determined by the output_schema parameter.

Here’s how you can use AI.GENERATE_TABLE: 

SQL

SELECT * FROM AI.GENERATE_TABLE(
  MODEL project_id.dataset.model,
  (SELECT medical_transcripts as prompt from table),
  STRUCT("age INT64, medications ARRAY<STRING>" AS output_schema)
)

In this example, the output table has ‘age’ and ‘medications’ columns — no complex parsing required. The output is written as a BigQuery temporary table. To materialize the results to a permanent table, the above query can be used in a DDL statement:

CREATE TABLE project_id.dataset.my_structured_table
AS <AI.GENERATE_TABLE subquery>

Please see the documentation for more details.

3. Row-wise (Scalar) LLM functions

The first wave of BigQuery’s LLM functions focused on table-valued functions (TVFs) that output entire tables. We are now introducing row-wise AI functions for LLM inference for more flexible and expressive data manipulation and analysis. These scalar functions enhance the usability of LLMs within BigQuery, as they can be used anywhere a value is needed, such as in SELECT, WHERE, JOIN, and GROUP BY clauses. Let’s go though some of the capabilities we are adding: a) Basic text generation with AI.GENERATE

First, let’s see how the new AI.GENERATE() can be used for convenient row-wise LLM inference:

SELECT
  city,
  AI.GENERATE(
    ('Give a short, one sentence description of ', city),
    connection_id => 'us.test_connection',
    endpoint => 'gemini-2.0-flash').result
FROM mydataset.cities;

b) Structured output with AI.GENERATE

In addition, the structured output generation capabilities introduced above also extend to row-wise AI functions. In this example, the query generates state capitals for a list of states, using the output_schema argument to set two custom fields in the output struct — state and capital:

SQL

SELECT
  state,
  AI.GENERATE(
    ('What is the capital of ', state, '?'),
    connection_id => 'us.example_connection',
    endpoint => 'gemini-2.0-flash',
    output_schema => 'state STRING, capital STRING').capital
FROM mydataset.states;

c) Type-specific functions (e.g., AI.GENERATE_BOOL)

For common tasks requiring specific data types like boolean, integer, or float, BigQuery now offers simple, type-specific functions. For instance, you can use AI.GENERATE_BOOL for classification or validation tasks:

SQL

SELECT city.name, AI.GENERATE_BOOL(
  ("Is", city.name, "in the state of WA?"),
  connection_id => "us.example_connection",
  endpoint => 'gemini-2.0-flash').result
FROM city

Additional type-specific functions, namely AI.GENERATE_INT and AI.GENERATE_DOUBLE, are also available for generating integer and floating-point results. Please see the documentation for more details.

4. Expanded model choice: Gemini, OSS and third-party

BigQuery ML allows you to use LLMs to perform tasks such as entity extraction, sentiment analysis, translation, text generation, and more on your data using familiar SQL syntax. In addition to first-party Gemini models, BigQuery supports inference with open-source and third-party models, which comes in two flavors:

• Customer-managed endpoints for open source models (previously announced): You can host any open source model of your choice on a Vertex AI Model Garden endpoint and then use it from BigQuery.

• Model as a service integrations: Access fully managed model endpoints directly through BigQuery. This already included models like Anthropic’s Claude, and we are excited to announce newly added support for Llama and Mistral models, further expanding model choice available to developers.

5. Contribution analysis now generally available

Businesses constantly need to answer questions like “Why did our sales drop last month?” or ” For what user, device, demographics combination was our marketing campaign most effective?” Answering these “why” questions accurately is vital, but often involves complex manual analysis. The BigQuery contribution analysis feature automates this analysis and helps you pinpoint the key factors (or combinations of factors) responsible for the most significant changes in a metric between the control and test groups you define. 

Now generally available, the BigQuery ML contribution analysis release includes enhancements focused on improved interpretability and performance, including: 

• A new summable by category metric to analyze the sum of a numerical measure of interest normalized by a categorical variable

• Top-K Insights by Apriori Support option to automatically fetch k insights with the largest segment size

• A redundant insight pruning option, which improves result readability by returning only unique insights 

Let’s say you want to understand what drove changes in the average sales per user across various vendors and payment types between the control and test data. To answer this with a contribution analysis model, you tell BigQuery which factors (dimensions) to investigate (dimension_id_cols), what metric you care about (contribution_metric), and which column identifies your test/control groups (is_test_col).

SQL

-- Define the contribution analysis task

CREATE MODEL bqml_tutorial.contribution_analysis_model
OPTIONS (
    model_type = 'CONTRIBUTION_ANALYSIS',
    dimension_id_cols = ['vendor', 'month', 'payment_type'],
    contribution_metric = 'sum(sales)/count(distinct user_id)',
    is_test_col = 'is_test_col',
    top_k_insights_by_apriori_support = 25,
    pruning_method = 'PRUNE_REDUNDANT_INSIGHTS'
) AS
SELECT * FROM dataset.input_data;

Once the model is created, you can use a SQL query like the following to generate insights:

SELECT * FROM ML.GET_INSIGHTS (MODEL bqml_tutorial.contribution_analysis_model);

BigQuery returns a prioritized list showing which combinations of factors (e.g., “Users paying via Amex Credit Card from Vendor”) had the most significant impact on the average sales per user between your control and test groups.

Bring AI into your data

The latest BigQuery ML updates bring powerful AI/ML capabilities directly into your data workflows. Between forecasting with TimesFM, automated root-cause analysis with contribution analysis, flexible row-wise LLM functions, streamlined structured data generation, and expanded model choice, you can move faster from data to insights and impactful outcomes. 

You can also view the Next ‘25 breakout session, including a demo showcasing these capabilities.

AI is fundamentally transforming the compute landscape, demanding unprecedented advances in data center infrastructure. At Google, we believe that physical infrastructure — the power, cooling, and mechanical systems that underpin everything — isn’t just important, but critical to AI’s continued scaling. 

We have a long-standing partnership with the Open Compute Project (OCP) that has been instrumental in driving industry collaboration and open innovation in infrastructure. At the 2025 OCP EMEA Summit today, we discussed the power delivery transformation from 48 volts direct current (VDC) to the new +/-400 VDC, which will enable IT racks to scale from 100 kilowatts up to 1 megawatt. We also shared that we’ll contribute our fifth-generation cooling distribution unit, Project Deschutes, to OCP, helping to accelerate adoption of liquid cooling industry-wide.

Transforming power delivery with 1 MW per IT rack

Google has a long history of advancing data center power delivery. Almost 10 years ago, we championed the adoption of 48 VDC inside the IT rack to significantly increase the power distribution efficiency and reduce losses compared to what typical 12 VDC solutions delivered. The industry responded to our call to action to collaborate on this technology, and the resulting architecture has worked well, scaling from 10 kilowatts to 100 kilowatts IT racks. 

The AI era requires even greater power delivery capabilities for two distinct reasons. The first is simply that ML will require more than 500 kW per IT rack before 2030. The second is the densification of each IT rack, where every millimeter of space in the IT rack is used for tightly interconnected “xPUs” (e.g. GPUs, TPUs, CPUs). This requires a much higher voltage DC power distribution solution, where power components and battery backup are outside of the IT rack.

We are excited to introduce +/-400 VDC power delivery that can support up to 1 MW per rack. This is about much more than simply increasing power delivery capacity — selecting 400 VDC as the nominal voltage allows us to leverage the supply chain established by electric vehicles (EVs), for greater economies of scale, more efficient manufacturing, and improved quality and scale, to name a few. As part of the Mt Diablo project, we are collaborating with Meta, and Microsoft at OCP to standardize the electrical and mechanical interfaces, and the 0.5 specification draft will be available for industry feedback in May. 

The first embodiment of this work is an AC-to-DC sidecar power rack that disaggregates power components from the IT rack. This solution improves the end-to-end efficiency by ~ 3% while enabling the entire IT rack to be used for xPUs. Longer term, we are exploring directly distributing higher-voltage DC power within the data center and to the rack, for even greater power density and efficiency.

The liquid cooling imperative

The dramatic increase in chip power consumption — from 100W chips to accelerators exceeding 1000W — has made advanced thermal management essential. Packing more powerful chips into racks also creates significant challenges for cooling density. Liquid cooling has emerged as the clear solution, given its superior thermal and hydraulic properties. Water can transport approximately 4000 times more heat per unit volume than air for a given temperature change, while the thermal conductivity of water is roughly 30 times greater than air. 

At Google, we’ve deployed liquid cooling at GigaWatt scale across more than 2000 TPU Pods in the past seven years with remarkable uptime — consistently at about 99.999%. Google first used liquid cooling in TPU v3 that was deployed in 2018. Liquid-cooled ML servers have nearly half the geometrical volume of their air-cooled counterparts because they replace bulky heatsinks with compact cold plates. This allowed us to double chip density and quadruple the size of our liquid-cooled TPU v3 supercomputer compared to the air-cooled TPU v2 generation.

We’ve continued to refine this technology generation over generation, from TPU v3 and TPU v4, through TPU v5, and most recently, Ironwood. Our implementation utilizes in-row coolant distribution units (CDUs) with redundant components and uninterruptible power supplies (UPS) for high availability. These CDUs isolate the rack’s liquid loop from the facility loop, providing a controlled, high-performance cooling system delivered via manifolds, flexible hoses, and cold plates that are directly attached to the high-power chips. In our CDU architecture, named Project Deschutes, the pump and heat exchanger unit is redundant, which is what has enabled us to consistently achieve the above-mentioned fleet-wide CDU availability of ~99.999% since 2020.

We will contribute the fifth-generation Project Deschutes CDU, currently in development, to OCP later this year. This contribution, including system details, specifications, and best practices, is intended to help accelerate the industry’s adoption of liquid cooling at scale. Our insights are drawn from nearly a decade of designing and deploying liquid cooling across four generations of TPUs, and encompass:

• Design for high cooling performance

• Manufacturing quality

• Reliability and uptime

• Deployment velocity

• Serviceability and operational excellence

• Supply ecosystem advancements

Get ready for the next generation of AI

We’re encouraged by the significant strides the industry has made in power delivery and liquid cooling. However, with the accelerating pace of AI hardware development, it’s clear that we must collectively quicken our pace to prepare data centers for what’s next. We’re particularly excited about the potential for rapid industry adoption of +/-400 VDC, facilitated by the upcoming Mt Diablo specification. We also strongly encourage the industry to adopt the Project Deschutes CDU design and leverage our extensive liquid cooling learnings. Together, by embracing these advancements and fostering deeper collaboration, we believe the most impactful innovations are still ahead.

The rise of AI is revolutionizing data management platforms, where advanced automation, built-in data intelligence, and AI-powered data management are changing how organizations manage traditional tasks like data ingestion, data processing and governance.

We’re excited to announce that Google was named a Leader in The Forrester Wave™: Data Management for Analytics Platforms, Q2 2025 report. In the report, Google received 5 out of 5, the highest score possible, across 13 different criteria. We believe this is a testament to our strengths in several key areas, particularly in delivering agentic experiences that automate manual tasks and accelerate gen AI use cases, built-in intelligence to unlock new insights from structured and unstructured data, real-time capabilities driving insights to action, and a secure and governed multimodal data foundation with governance across the data-to-AI lifecycle. 

According to the report:

Google’s distinctive and forward-thinking vision is to provide a unified, agentic, intelligent, and seamlessly integrated data platform that blends data management, advanced analytics, and AI capabilities at scale. The platform continues to evolve rapidly, focusing on advanced automation, open standards, global scale, self-service, and deeper integration with other Google services. The vendor’s roadmap is exceptionally well-defined, delivering a powerful strategic direction and alignment with AI positioned at its core.

Google placed furthest on Strength of Strategy and received above-average customer feedback in the evaluation, denoted by the halo around Google’s circle. Customers such as Dun & Bradstreet, Shopify, General Mills and many more choose BigQuery for its autonomous data and AI capabilities when building their data management platforms.  Let’s take a closer look at the capabilities that differentiate Google Cloud’s data platform.

Agentic and AI-assisted capabilities to power your analytics 

Data management isn’t just about storing and querying data; it’s also about intelligent automation and assistance. As highlighted in our recent announcements from Google Cloud Next 25, BigQuery has evolved into an autonomous data-to-AI platform, where specialized data agents, advanced engines, and business users can all operate on a self-managing multimodal data foundation built for processing and activating all types of data. With assistive capabilities powered by gen AI and integrations with Vertex AI for model building and deployment, you can reduce the complexities of data management and smooth the path from raw data to actionable AI-driven insights.

BigQuery’s AI-powered data management capabilities are designed for users of all skill levels. Data analysts can use natural language to query data, generate SQL, and summarize results. Data engineers can automate manual tasks like data preparation, building data pipelines, and performing anomaly detection to accelerate analytics workflows. Data scientists can use AI-driven notebook experiences and new engines to process complex data and support advanced analyses in real time. 

A multimodal data foundation with unified governance

BigQuery helps unify analytics across diverse data types by allowing data teams to build on an open lakehouse foundation. It combines highly performant native data management capabilities with support for open formats like Apache Iceberg, Delta, and Hudi. Multimodal support lets you store and analyze structured and unstructured data within the same table, streamlining complex analytics workflows. Finally, BigQuery’s universal catalog lets you work across SQL, Spark, AI, BI, and third-party engines, all with a flexible and open data lakehouse architecture, supporting interoperability.

Beyond the universal catalog, BigQuery data governance (powered by Dataplex) provides a unified experience for discovering, managing, monitoring, and governing data across data lakes, warehouses, and AI models. It also enables consistent policy enforcement, automated data quality checks, and comprehensive lineage tracking. Combined with a robust security infrastructure and fine-grained access controls, it helps you manage your data and AI assets with confidence, supporting compliance and building trust. Features like managed disaster recovery, enhanced workload management for aligning budget with performance needs, and flexible pricing with spend-based commitments further reinforce enterprise readiness. 

Built-in intelligence for real-time insights

BigQuery enables your teams to build and deploy machine learning models using their existing SQL skills. This helps to eliminate complexity and accelerates the adoption of AI across the organization. BigQuery’s integration with advanced AI models helps to extract insights from multimodal data in documents, videos, and images. Scalable vector search supports intelligent recommendations, while the new BigQuery AI query engine allows analysts to use familiar SQL and LLMs for real-world context when analyzing unstructured data. 

Real-time data capabilities are important for bringing fresh data to your AI models. BigQuery is designed from the ground up to support high-throughput streaming ingestion, allowing data to be analyzed as soon as it arrives. Real-time data combined with built-in machine learning and AI enables use cases like real-time fraud detection, dynamic personalization, operational monitoring, and immediate response to changing market conditions. Combining real-time data pipelines with the Vertex AI allows you to build and deploy models that react instantly, turning real-time data into real-time intelligent action.

Google is your partner for data to AI transformation

Google’s recognition as a Leader in The Forrester Wave™: Data Management For Analytics Platforms, validates our strategy and execution in delivering a comprehensive, AI-powered platform. Our focus on AI-driven assistance, a multimodal data foundation, and real-time intelligence helps to reduce manual data management tasks, so you can accelerate insights, and innovate faster.

As we evolve BigQuery into an autonomous data-to-AI platform, we are committed to helping you navigate the complexities of the modern data landscape and lead with data and AI. Thank you, our customers and partners, for choosing BigQuery to power your data management and analytics. Learn more about BigQuery today by visiting our website. Read the full Forrester Wave™: Data Management For Analytics Platforms, Q2 2025 report here.

^{Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here .}

The traditional drug discovery process involves massive capital investments, prolonged timelines, and is plagued with daunting failure rates. From initial research to obtaining regulatory approval, bringing a new drug to market can take decades. During this time, many drug candidates that had seemed very promising fail to deliver, either due to inefficacy or safety concerns. Only a small fraction of candidates successfully make it through clinical trials and regulatory hurdles. 

Enter SandboxAQ, which is helping researchers explore vast chemical spaces, gain deep insights into molecular interactions, and predict biological outcomes with precision. It does so with cutting-edge computational approaches such as active learning, absolute free energy perturbation solution (AQFEP), generative AI, structural analysis, and predictive data analytics, ultimately reducing drug discovery and development timelines. And it does all this on a cloud-native foundation. 

Drug design involves an iterative cycle of designing, synthesizing, and testing molecules referred to as the Design-Make-Test cycle. Many customers approach SandboxAQ during the design phase, often when their computational methods are falling short. By improving and accelerating this part of the cycle, SandboxAQ helps medicinal chemists bring innovative and effective molecules to market. For example, in a project related to neurodegenerative disease, SandboxAQ’s approach expanded chemical space from 250,000 to 5.6 million molecules, achieving a 30-fold increase in hit rate and dramatically accelerating the discovery of candidate molecules.

Cloud-native development for scientific insight

SandboxAQ’s software relies on large-scale computation and to maximize flexibility and scale, they use a cloud strategy,  which includes Google Cloud infrastructure and tools. 

The technologies in large-scale virtual screening campaigns need to be agile and scale cost-effectively. Specifically, SandboxAQ engineers need to be able to quickly iterate on scientific code, immediately run that code at scale cost-effectively, and store and organize all of the data it produces. 

SandboxAQ achieved a significant boost in efficiency and scalability with Google Cloud infrastructure. They scaled their computational throughput by 100X to leverage tens of thousands of virtual machines (VMs) in parallel. They also improved utilization by reducing idle time by 90%. By consolidating development and deployment on Google Cloud, SandboxAQ streamlined its workflows, from code development and testing to large-scale batch processing and machine-learning model training.

All of SandboxAQ’s development and deployment takes place in the cloud. Code and data live in cloud-based services, and development is done on a cloud-based platform that provides scientists and engineers with self-service VMs with standardized and centrally maintained environments and tools. This is important, because scientific code often requires heavy-duty computing hardware. Scientists have access to hefty 96-core machines, or instances with large GPUs. They can also create new machines with alternate configurations or CPU types as depicted below, enabling low-friction testing and development processes across heterogeneous resources.

SanboxAQ scientists and developers manage and access their Bench machines (see above) using the company’s `bench` client. They can connect to machines via SSH or use any number of managed tools, for example a browser-based VNC service for instant remote desktop, or JupyterLab for a familiar notebook development flow.

As code is ready to be run at a larger scale, researchers can dispatch SandboxAQ parameterized sets of computations as jobs on an internal tool powered by Batch, a fully managed service to schedule, queue, and execute batch jobs on Google infrastructure. With development and batch runtime environments closely synced, changes can be quickly run at scale. Code developed on bench machines is pushed to GitHub and immediately available for batch execution. Then, as tools are reviewed and merged into `main` of the company’s monorepo, the new tools become automatically available on SandboxAQ scientists’ bench machines, who can launch parallel jobs processing millions of molecules on any kind of Google Cloud VM resource in any global zone, utilizing either on-demand or Spot VMs.

SandboxAQ’s implementation of a globally resolved transitive dependency tree, enables simple package and dependency management. With this practice, Google Batch can seamlessly integrate with individual tools developed by engineers to train many instances of a model in parallel.

Machine learning is a core component of SandoxAQ’s strategy, making easy data access especially important. At the same time, SandboxAQ’s Drug Discovery team also works with clients who have sensitive data. To secure customers’ data, bench and batch workloads read and write data from a unified interface that’s managed via IAM, allowing granular control of different data sources within the organization.

Meanwhile, Google Cloud services like Cloud Logging, Cloud Monitoring, Compute Engine and Cloud Run make it simple to develop tools to monitor these workloads, easily surface logs to SandboxAQ scientists, and comb through huge amounts of output data. As new features are tested or bugs show up, changes are made immediately available to the scientific team, without having to wrangle infrastructure. Then, as code becomes stable, they can incorporate it into downstream production applications, all in a centrally secured, unified way on Google Cloud.

In short, having a unified development, batch compute, and production environment on Google Cloud reduces the friction SandboxAQ faces to develop new workloads and run them at scale. With shared environments for scientific workload development and engineering, SandboxAQ makes it quick and easy for customers to move from experimentation to production, delivering the results customers want, fast.

SandboxAQ solution in the real world

SandboxAQ is already having a profound impact on drug discovery programs targeting a range of hard-to-treat diseases. For example, there are advanced collaborations with Professor Stanley Pruisner’s lab at University of California San Francisco (UCSF), Riboscience, Sanofi, and with the Michael J Fox Foundation, to name a few. With this approach built on Google CloudSandboxAQ has achieved a superior hit rate compared to other methods like high throughput screening, demonstrating the transformative potential of SandboxAQ on drug discovery and bringing cures to patients faster. 

Visit the Google Cloud AI Hypercomputer web page to  learn about Google Cloud AI infrastructure.

At Google Cloud Next 25, we expanded the availability of Gemini in Looker, including Conversational Analytics, to all Looker platform users, redefining how line-of-business employees can rapidly gain access to trusted data-driven insights through natural language. Due to the complexity inherent in traditional business intelligence products, which require steep learning curves or advanced SQL knowledge, many potential users who could benefit from BI tools simply don’t. But with the convergence of AI and BI, the opportunity to ask questions and chat with your data using natural language breaks down the barriers that have long stood in the way. 

Conversational Analytics from Looker is designed to make BI more simple and approachable, democratizing data access, enabling users to ask data-related queries in plain, everyday language, and go beyond static dashboards that often don’t answer all potential questions. In response, users receive accurate and relevant answers derived from Looker Explores or BigQuery tables, without needing to know SQL or specific data tools.

For data analysts, this means fewer support tickets and interruptions, so they can focus on higher priority work, Business users can now take on their own data queries themselves and get answers, empowering trusted self-service by , putting the controls in the hands of users who need the answers most. Now, instead of struggling with field names and date formats, users can simply ask questions like: “What were our top-performing products last quarter?” or say “Show me the trend of website traffic over the past six months.” Additionally, when using Conversational Analytics with Looker Explores, users can be sure tables are consistently joined and metrics are calculated the same way every time.

Conversational Analytics in Looker is designed to be simple, helpful, and easy to use, offering:

• Trusted, consistent results: Conversational Analytics only uses fields defined by your data experts in LookML. Once the fields are selected, they are deterministically translated to SQL by Looker, the same way every time.

• Transparency with “How was this calculated?”: This feature provides a clear, natural language explanation of the underlying query that generated the results, presented in easy-to-understand bullet points.

• A deeper dive with follow-up questions: Just like a natural conversation, users can ask follow-up questions to explore the data further. For example, users can ask to filter a result to a specific region, to change the timeframe of the date filter, or to switch from bar graph to an area chart. Conversational Analytics allows for seamless iteration and deeper exploration of the data.

• Hidden insights with Gemini: Once the initial query results are displayed, users can click the “Insights” button to ask Gemini to analyze the data results and generate additional insights about patterns and trends they might have otherwise missed.

Empowering data analysts and developers

With the release of Conversational Analytics, our goal is for it to benefit data analysts and developers on top of line-of–business teams. The Conversational Analytics agent lets data analysts provide crucial context and instructions to Gemini, enhancing its ability to answer business user questions effectively, and empowering analysts to map business jargon to specific fields, specify the best fields for filtering, and define custom calculations.

Analysts can further curate the experience by creating agents for specific use cases. When business users select an agent, they can feel confident that they are interacting with the right data source.

As announced at Next 25, the Conversational Analytics API will power Conversational Analytics across multiple first-party Google Cloud experiences and third-party products, including customer applications, chat apps, Agentspace, and BigQuery, bringing the benefits of natural language queries to your data to the applications where you work every day. Later this year we’ll also bring Conversational Analytics into Looker Dashboards, allowing users to chat with their data in that familiar interface, whether inside Looker or embedded in other applications.Also, if you’re interested in solving even more complex problems while chatting with your data, you can try our new Code Interpreter (available in preview), which uses Python rather than SQL to perform advanced analysis like cohort analysis and forecasting. With the Conversational Analytics Code Interpreter, you can tackle data science tasks without learning advanced coding or statistical methods. Sign up for access here.

Expanding the reach of AI for BI

Looker Conversational Analytics is a step forward in making BI accessible to a wider audience. By removing the technical barriers and providing an intuitive, conversational interface, Looker is empowering more business users to leverage data in their daily routines. With Conversational Analytics available directly in Looker, organizations can now make data-driven insights a reality for everyone. Start using Conversational Analytics today in your Looker instance.

Written by: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov

Executive Summary

Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances. 

Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection.

We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts.

Scope 

This report describes what Google Threat Intelligence Group (GTIG) knows about zero-day exploitation in 2024. We discuss how targeted vendors and exploited products drive trends that reflect threat actor goals and shifting exploitation approaches, and then closely examine several examples of zero-day exploitation from 2024 that demonstrate how actors use both historic and novel techniques to exploit vulnerabilities in targeted products. The following content leverages original research conducted by GTIG, combined with breach investigation findings and reporting from reliable open sources, though we cannot independently confirm the reports of every source. Research in this space is dynamic and the numbers may adjust due to the ongoing discovery of past incidents through digital forensic investigations. The numbers presented here reflect our best understanding of current data.

GTIG defines a zero-day as a vulnerability that was maliciously exploited in the wild before a patch was made publicly available. GTIG acknowledges that the trends observed and discussed in this report are based on detected and disclosed zero-days. Our analysis represents exploitation tracked by GTIG but may not reflect all zero-day exploitation.

Key Takeaways

• Zero-day exploitation continues to grow gradually. The 75 zero-day vulnerabilities exploited in 2024 follow a pattern that has emerged over the past four years. While individual year counts have fluctuated, the average trendline indicates that the rate of zero-day exploitation continues to grow at a slow but steady pace.

• Enterprise-focused technology targeting continues to expand. GTIG continued to observe an increase in adversary exploitation of enterprise-specific technologies throughout 2024. In 2023, 37% of zero-day vulnerabilities targeted enterprise products. This jumped to 44% in 2024, primarily fueled by the increased exploitation of security and networking software and appliances.

• Attackers are increasing their focus on security and networking products. Zero-day vulnerabilities in security software and appliances were a high-value target in 2024. We identified 20 security and networking vulnerabilities, which was over 60% of all zero-day exploitation of enterprise technologies. Exploitation of these products, compared to end-user technologies, can more effectively and efficiently lead to extensive system and network compromises, and we anticipate adversaries will continue to increase their focus on these technologies.

• Vendors are changing the game. Vendor investments in exploit mitigations are having a clear impact on where threat actors are able to find success. We are seeing notable decreases in zero-day exploitation of some historically popular targets such as browsers and mobile operating systems.

• Actors conducting cyber espionage still lead attributed zero-day exploitation. Between government-backed groups and customers of commercial surveillance vendors (CSVs), actors conducting cyber espionage operations accounted for over 50% of the vulnerabilities we could attribute in 2024. People’s Republic of China (PRC)-backed groups exploited five zero-days, and customers of CSVs exploited eight, continuing their collective leading role in zero-day exploitation. For the first year ever, we also attributed the exploitation of the same volume of 2024 zero-days (five) to North Korean actors mixing espionage and financially motivated operations as we did to PRC-backed groups.

Looking at the Numbers 

GTIG tracked 75 exploited-in-the-wild zero-day vulnerabilities that were disclosed in 2024. This number appears to be consistent with a consolidating upward trend that we have observed over the last four years. After an initial spike in 2021, yearly counts have fluctuated but not returned to the lower numbers we saw in 2021 and prior.

While there are multiple factors involved in discovery of zero-day exploitation, we note that continued improvement and ubiquity of detection capabilities along with more frequent public disclosures have both resulted in larger numbers of detected zero-day exploitation compared to what was observed prior to 2021.

Higher than any previous year, 44% (33 vulnerabilities) of tracked 2024 zero-days affected enterprise technologies, continuing the growth and trends we observed last year. The remaining 42 zero-day vulnerabilities targeted end-user technologies.

Enterprise Exploitation Expands in 2024 as Browser and Mobile Exploitation Drops

End-User Platforms and Products

In 2024, 56% (42) of the tracked zero-days targeted end-user platforms and products, which we define as devices and software that individuals use in their day-to-day life, although we acknowledge that enterprises also often use these. All of the vulnerabilities in this category were used to exploit browsers, mobile devices, and desktop operating systems.

• Zero-day exploitation of browsers and mobile devices fell drastically, decreasing by about a third for browsers and by about half for mobile devices compared to what we observed last year (17 to 11 for browsers, and 17 to 9 for mobile).

• Chrome was the primary focus of browser zero-day exploitation in 2024, likely reflecting the browser’s popularity among billions of users.

• Exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively (~90%) used to target mobile devices.

• Third-party components continue to be exploited in Android devices, a trend we discussed in last year’s analysis. In 2023, five of the seven zero-days exploited in Android devices were flaws in third-party components. In 2024, three of the seven zero-days exploited in Android were found in third-party components. Third-party components are likely perceived as lucrative targets for exploit development since they can enable attackers to compromise many different makes and models of devices across the Android ecosystem.

• 2024 saw an increase in the total number of zero-day vulnerabilities affecting desktop operating systems (OSs) (22 in 2024 vs. 17 in 2023), indicating that OSs continue to be a strikingly large target. The proportional increase was even greater, with OS vulnerabilities making up just 17% of total zero-day exploitation in 2023, compared to nearly 30% in 2024. 

• Microsoft Windows exploitation continued to increase, climbing from 13 zero-days in 2022, to 16 in 2023, to 22 in 2024. As long as Windows remains a popular choice both in homes and professional settings, we expect that it will remain a popular target for both zero-day and n-day (i.e. a vulnerability exploited after its patch has been released) exploitation by threat actors.

Enterprise Technologies

In 2024, GTIG identified the exploitation of 33 zero-days in enterprise software and appliances. We consider enterprise products to include those mainly utilized by businesses or in a business environment. While the absolute number is slightly lower than what we saw in 2023 (36 vulnerabilities), the proportion of enterprise-focused vulnerabilities has risen from 37% in 2023 to 44% in 2024. Twenty of the 33 enterprise-focused zero-days targeted security and network products, a slight increase from the 18 observed in this category for 2023, but a 9% bump when compared proportionally to total zero-days for the year.

The variety of targeted enterprise products continues to expand across security and networking products, with notable targets in 2024 including Ivanti Cloud Services Appliance, Palo Alto Networks PAN-OS, Cisco Adaptive Security Appliance, and Ivanti Connect Secure VPN. Security and network tools and devices are designed to connect widespread systems and devices with high permissions required to manage the products and their services, making them highly valuable targets for threat actors seeking efficient access into enterprise networks. Endpoint detection and response (EDR) tools are not usually equipped to work on these products, limiting available capabilities to monitor them. Additionally, exploit chains are not generally required to exploit these systems, giving extensive power to individual vulnerabilities that can single-handedly achieve remote code execution or privilege escalation.

Over the last several years, we have also tracked a general increase of enterprise vendors targeted. In 2024, we identified 18 unique enterprise vendors targeted by zero-days. While this number is slightly less than the 22 observed in 2023, it remains higher than all prior years’ counts. It is also a stark increase in the proportion of enterprise vendors for the year, given that the 18 unique enterprise vendors were out of 20 total vendors for 2024. 2024’s count is still a significant proportional increase compared to the 22 unique enterprise vendors targeted out of a total of 23 in 2023.

The proportion of zero-days exploited in enterprise devices in 2024 reinforces a trend that suggests that attackers are intentionally targeting products that can provide expansive access and fewer opportunities for detection.

Exploitation by Vendor

The vendors affected by multiple 2024 zero-day vulnerabilities generally fell into two categories: big tech (Microsoft, Google, and Apple) and vendors who supply security and network-focused products. As expected, big tech took the top two spots, with Microsoft at 26 and Google at 11. Apple slid to the fourth most frequently exploited vendor this year, with detected exploitation of only five zero-days. Ivanti was third most frequently targeted with seven zero-days, reflecting increased threat actor focus on networking and security products. Ivanti’s placement in the top three reflects a new and crucial change, where a security vendor was targeted more frequently than a popular end-user technology-focused vendor. We discuss in a following section how PRC-backed exploitation has focused heavily on security and network technologies, one of the contributing factors to the rise in Ivanti targeting.

We note that exploitation is not necessarily reflective of a vendor’s security posture or software development processes, as targeted vendors and products depend on threat actor objectives and capabilities.

Types of Exploited Vulnerabilities

Threat actors continued to utilize zero-day vulnerabilities primarily for the purposes of gaining remote code execution and elevating privileges. In 2024, these consequences accounted for over half (42) of total tracked zero-day exploitation.

Three vulnerability types were most frequently exploited. Use-after-free vulnerabilities have maintained their prevalence over many years, with eight in 2024, and are found in a variety of targets including hardware, low-level software, operating systems, and browsers. Command injection (also at eight, including OS command injection) and cross-site scripting (XSS) (six) vulnerabilities were also frequently exploited in 2024. Both code injection and command injection vulnerabilities were observed almost entirely targeting networking and security software and appliances, displaying the intent to use these vulnerabilities in order to gain control over larger systems and networks. The XSS vulnerabilities were used to target a variety of products, including mail servers, enterprise software, browsers, and an OS.

All three of these vulnerability types stem from software development errors and require meeting higher programming standards in order to prevent them from occurring. Safe and preventative coding practices, including, but not limited to code reviews, updating legacy codebases, and utilizing up-to-date libraries, can appear to hinder production timelines. However, patches prove the potential for these security exposures to be prevented in the first place with proper intention and effort and ultimately reduce the overall effort to properly maintain a product or codebase.

Who Is Driving Exploitation

Due to the stealthy access zero-day vulnerabilities can provide into victim systems and networks, they continue to be a highly sought after capability for threat actors. GTIG tracked a variety of threat actors exploiting zero-days in a variety of products in 2024, which is consistent with our previous observations that zero-day exploitation has diversified in both platforms targeted and actors exploiting them. We attributed the exploitation of 34 zero-day vulnerabilities in 2024, just under half of the total 75 we identified in 2024. While the proportion of exploitation that we could attribute to a threat actor dipped slightly from our analysis of zero-days in 2023, it is still significantly higher than the ~30% we attributed in 2022. While this reinforces our previous observation that platforms’ investment in exploit mitigations are making zero-days harder to exploit, the security community is also slowly improving our ability to identify that activity and attribute it to threat actors.

Consistent with trends observed in previous years, we attributed the highest volume of zero-day exploitation to traditional espionage actors, nearly 53% (18 vulnerabilities) of total attributed exploitation. Of these 18, we attributed the exploitation of 10 zero-days to likely nation-state-sponsored threat groups and eight to CSVs.

CSVs Continue to Increase Access to Zero-Day Exploitation

While we still expect government-backed actors to continue their historic role as major players in zero-day exploitation, CSVs now contribute a significant volume of zero-day exploitation. Although the total count and proportion of zero-days attributed to CSVs declined from 2023 to 2024, likely in part due to their increased emphasis on operational security practices, the 2024 count is still substantially higher than the count from 2022 and years prior. Their role further demonstrates the expansion of the landscape and the increased access to zero-day exploitation that these vendors now provide other actors.

In 2024, we observed multiple exploitation chains using zero-days developed by forensic vendors that required physical access to a device (CVE-2024-53104, CVE-2024-32896, CVE-2024-29745, CVE-2024-29748). These bugs allow attackers to unlock the targeted mobile device with custom malicious USB devices. For instance, GTIG and Amnesty International’s Security Lab discovered and reported on CVE-2024-53104 in exploit chains developed by forensic company Cellebrite and used against the Android phone of a Serbian student and activist by Serbian security services. GTIG worked with Android to patch these vulnerabilities in the February 2025 Android security bulletin. 

PRC-Backed Exploitation Remains Persistent

PRC threat groups remained the most consistent government-backed espionage developer and user of zero-days in 2024. We attributed nearly 30% (five vulnerabilities) of traditional espionage zero-day exploitation to PRC groups, including the exploitation of zero-day vulnerabilities in Ivanti appliances by UNC5221 (CVE-2023-46805 and CVE-2024-21887), which GTIG reported on extensively. During this campaign, UNC5221 chained multiple zero-day vulnerabilities together, highlighting these actors’ willingness to expend resources to achieve their apparent objectives. The exploitation of five vulnerabilities that we attributed to PRC groups exclusively focused on security and networking technologies. This continues a trend that we have observed from PRC groups for several years across all their operations, not just in zero-day exploitation.

North Korean Actors Mix Financially Motivated and Espionage Zero-Day Exploitation

For the first time since we began tracking zero-day exploitation in 2012, in 2024, North Korean state actors tied for the highest total number of attributed zero-days exploited (five vulnerabilities) with PRC-backed groups. North Korean groups are notorious for their overlaps in targeting scope; tactics, techniques, and procedures (TTPs); and tooling that demonstrate how various intrusion sets support the operations of other activity clusters and mix traditional espionage operations with attempts to fund the regime. This focus on zero-day exploitation in 2024 marks a significant increase in these actors’ focus on this capability. North Korean threat actors exploited two zero-day vulnerabilities in Chrome as well as three vulnerabilities in Windows products.

• In October 2024, it was publicly reported that APT37 exploited a zero-day vulnerability in Microsoft products. The threat actors reportedly compromised an advertiser to serve malicious advertisements to South Korean users that would trigger zero-click execution of CVE-2024-38178 to deliver malware. Although we have not yet corroborated the group’s exploitation of CVE-2024-38178 as reported, we have observed APT37 previously exploit Internet Explorer zero-days to enable malware distribution.

• North Korean threat actors also reportedly exploited a zero-day vulnerability in the Windows AppLocker driver (CVE-2024-21338) in order to gain kernel-level access and turn off security tools. This technique abuses legitimate and trusted but vulnerable already-installed drivers to bypass kernel-level protections and provides threat actors an effective means to bypass and mitigate EDR systems.

Non-State Exploitation

In 2024, we linked almost 15% (five vulnerabilities) of attributed zero-days to non-state financially motivated groups, including a suspected FIN11 cluster’s exploitation of a zero-day vulnerability in multiple Cleo managed file transfer products (CVE-2024-55956) to conduct data theft extortion. This marks the third year of the last four (2021, 2023, and 2024) in which FIN11 or an associated cluster has exploited a zero-day vulnerability in its operations, almost exclusively in file transfer products. Despite the otherwise varied cast of financially motivated threat actors exploiting zero-days, FIN11 has consistently dedicated the resources and demonstrated the expertise to identify, or acquire, and exploit these vulnerabilities from multiple different vendors.

We attributed an additional two zero-days in 2024 to non-state groups with mixed motivations, conducting financially motivated activity in some operations but espionage in others. Two vulnerabilities (CVE-2024-9680 and CVE-2024-49039, detailed in the next section) were exploited as zero-days by CIGAR (also tracked as UNC4895 or publicly reported as RomCom), a group that has conducted financially motivated operations alongside espionage likely on behalf of the Russian government, based partly on observed highly specific targeting focused on Ukrainian and European government and defense organizations.

A Zero-Day Spotlight on CVE-2024-44308, CVE-2024-44309, and CVE-2024-49039: A look into zero-days discovered by GTIG researchers

Spotlight #1: Stealing Cookies with Webkit

On Nov. 12, 2024, GTIG detected a potentially malicious piece of JavaScript code injected on https://online.da.mfa.gov[.]ua/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4. The JavaScript was loaded directly from the main page of the website of the Diplomatic Academy of Ukraine, online.da.mfa.gov.ua. Upon further analysis, we discovered that the JavaScript code was a WebKit exploit chain specifically targeting MacOS users running on Intel hardware.

The exploit consisted of a WebKit remote code execution (RCE) vulnerability (CVE-2024-44308), leveraging a logical Just-In-Time (JIT) error, succeeded by a data isolation bypass (CVE-2024-44309). The RCE vulnerability employed simple and old JavaScriptCore exploitation techniques that are publicly documented, namely:

• Setting up addrof/fakeobj primitives using the vulnerability

• Leaking StructureID

• Building a fake TypedArray to gain arbitrary read/write

• JIT compiling a function to get a RWX memory mapping where a shellcode can be written and executed

The shellcode traversed a set of pointers and vtables to find and call WebCookieJar::cookieRequestHeaderFieldValue with an empty firstPartyForCookies parameter, allowing the threat actor to access cookies of any arbitrary website passed as the third parameter to cookieRequestHeaderFieldValue.

The end goal of the exploit is to collect users’ cookies in order to access login.microsoftonline.com. The cookie values were directly appended in a GET request sent to https://online.da.mfa.gov.ua/gotcookie?.

This is not the first time we have seen threat actors stay within the browser to collect users’ credentials. In March 2021, a targeted campaign used a zero-day against WebKit on iOS to turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites. In August 2024, a watering hole on various Mongolian websites used Chrome and Safari n-day exploits to exfiltrate users’ credentials.

While it is unclear why this abbreviated approach was taken as opposed to deploying full-chain exploits, we identified several possibilities, including:

• The threat actor was not able to get all the pieces to have a full chain exploit. In this case, the exploit likely targeted only the MacIntel platform because they did not have a Pointer Authentication Code (PAC) bypass to target users using Apple Silicon devices. A PAC bypass is required to make arbitrary calls for their data isolation bypass.

• The price for a full chain exploit was too expensive, especially when the chain is meant to be used at a relatively large scale. This especially includes watering hole attacks, where the chances of being detected are high and subsequently might quickly burn the zero-day vulnerability and exploit.

• Stealing credentials is sufficient for their operations and the information they want to collect.

This trend is also observed beyond the browser environment, wherein third-party mobile applications (e.g., messaging applications) are targeted, and threat actors are stealing the information only accessible within the targeted application.

Spotlight #2: CIGAR Local Privilege Escalations

CIGAR’s Browser Exploit Chain

In early October 2024, GTIG independently discovered a fully weaponized exploit chain for Firefox and Tor browsers employed by CIGAR. CIGAR is a dual financial- and espionage-motivated threat group assessed to be running both types of campaigns in parallel, often simultaneously. In 2023, we observed CIGAR utilizing an exploit chain in Microsoft Office (CVE-2023-36884) as part of an espionage campaign targeting attendees of the Ukrainian World Congress and NATO Summit; however, in an October 2024 campaign, the usage of the Firefox exploit appears to be more in line with the group’s financial motives.

Our analysis, which broadly matched ESET’s findings, indicated that the browser RCE used is a use-after-free vulnerability in the Animation timeline. The vulnerability, known as CVE-2024-9680, was an n-day at the time of discovery by GTIG.

Upon further analysis, we identified that the embedded sandbox escape, which was also used as a local privilege escalation to NT/SYSTEM, was exploiting a newfound vulnerability. We reported this vulnerability to Mozilla and Microsoft, and it was later assigned CVE-2024-49039.

Double-Down on Privilege Escalation: from Low Integrity to SYSTEM

Firefox uses security sandboxing to introduce an additional security boundary and mitigate the effects of malicious code achieving code execution in content processes. Therefore, to achieve code execution on the host, an additional sandbox escape is required.

The in-the-wild CVE-2024-49039 exploit, which contained the PDB string C:etalonPocLowIL@OutputPocLowIL.pdb, could achieve both a sandbox escape and privilege escalation. The exploit abused two distinct issues to escalate privileges from Low Integrity Level (IL) to SYSTEM: the first allowed it to access the WPTaskScheduler RPC Interface (UUID: {33d84484-3626-47ee-8c6f-e7e98b113be1}), normally not accessible from a sandbox Firefox content process via the “less-secure endpoint” ubpmtaskhostchannel created in ubpm.dll; the second stems from insufficient Access Control List (ACL) checks in WPTaskScheduler.dll RPC server, which allowed an unprivileged user to create and execute scheduled tasks as SYSTEM.

As detailed in “How to secure a Windows RPC Server, and how not to.,” there are three ways to secure an RPC server, and all three were utilized in WPTaskScheduler:

1. Securing the endpoint: In WPTaskScheduler::TsiRegisterRPCInterface, the third argument to RpcServerUseProtseq is a non-NULL security descriptor (SD).

• This SD should prevent the Firefox “Content” process from accessing the WPTaskScheduler RPC endpoint. However, a lesser known “feature” of RPC is that RPC endpoints are multiplexed, meaning that if there is a less secure endpoint in the same process, it is possible to access an interface indirectly from another endpoint (with a more permissive ACL). This is what the exploit does: instead of accessing RPC using the ALPC port that the WPTaskScheduler.dll sets up, it resolves the interface indirectly via upbmtaskhostchannel. ubpm.dll uses a NULL security descriptor when initializing the interface, instead relying on the UbpmpTaskHostChannelInterfaceSecurityCb callback for ACL checks:

2. Securing the interface: In the same WPTaskScheduler::TsiRegisterRPCInterface function, an overly permissive security descriptor was used as an argument to RpcServerRegisterIf3. As we can see on the listing below, the CVE-2024-49039 patch addressed this by introducing a more locked-down SD.

3. Ad-hoc Security: Implemented in WPTaskScheduler.dll::CallerHasAccess and called prior to enabling or executing any scheduled task. The function performs checks on whether the calling user is attempting to execute a task created by them or one they should be able to access but does not perform any additional checks to prevent calls originating from an unprivileged user.

CVE-2024-49039 addresses the issue by applying a more restrictive ACL to the interface; however, the issue with the less secure endpoint described in “1. Securing the endpoint” remains, and a restricted token process is still able to access the endpoint.

Unidentified Actor Using the Same Exploits

In addition to CIGAR, we discovered another, likely financially motivated, group using the exact same exploits (albeit with a different payload) while CVE-2024-49039 was still a zero-day. This actor utilized a watering hole on a legitimate, compromised cryptocurrency news website redirecting to an attacker-controlled domain hosting the same CVE-2024-9680 and CVE-2024-49039 exploit.

Outlook and Implications

Defending against zero-day exploitation continues to be a race of strategy and prioritization. Not only are zero-day vulnerabilities becoming easier to procure, but attackers finding use in new types of technology may strain less experienced vendors. While organizations have historically been left to prioritize patching processes based on personal or organizational threats and attack surfaces, broader trends can inform a more specific approach alongside lessons learned from major vendors’ mitigation efforts.

We expect zero-day vulnerabilities to maintain their allure to threat actors as opportunities for stealth, persistence, and detection evasion. While we observed trends regarding improved vendor security posture and decreasing numbers around certain historically popular products—particularly mobile and browsers—we anticipate that zero-day exploitation will continue to rise steadily. Given the ubiquity of operating systems and browsers in daily use, big tech vendors are consistently high-interest targets, and we expect this to continue. Phones and browsers will almost certainly remain popular targets, although enterprise software and appliances will likely see a continued rise in zero-day exploitation. Big tech companies have been victims of zero-day exploitation before and will continue to be targeted. This experience, in addition to the resources required to build more secure products and detect vulnerabilities in responsible manners, permits larger companies to approach zero-days as a more manageable problem.

For newly targeted vendors and those with products in the growing prevalence of targeted enterprise products, security practices and procedures should evolve to consider how successful exploitation of these products could bypass typical protection mechanisms. Preventing successful exploitation will rely heavily on these vendors’ abilities to enforce proper and safe coding practices. We continue to see the same types of vulnerabilities exploited over time, indicating patterns in what weaknesses attackers seek out and find most beneficial to exploit. Continued existence and exploitation of similar issues makes zero-days easier; threat actors know what to look for and where exploitable weaknesses are most pervasive.

Vendors should account for this shift in threat activity and address gaps in configurations and architectural decisions that could permit exploitation of a single product to cause irreparable damage. This is especially true for highly valuable tools with administrator access and/or widespread reach across systems and networks. Best practices continue to represent a minimum threshold of what security standards an architecture should demonstrate, including zero-trust fundamentals such as least-privilege access and network segmentation. Continuous monitoring should occur where possible in order to restrict and end unauthorized access as swiftly as possible, and vendors will need to account for EDR capabilities for technologies that currently lack them (e.g., many security and networking products). GTIG recommends acute threat surface awareness and respective due diligence in order to defend against today’s zero-day threat landscape. Zero-day exploitation will ultimately be dictated by vendors’ decisions and ability to counter threat actors’ objectives and pursuits.

At Google, we believe in empowering people and founders to use AI to tackle humanity’s biggest challenges. That’s why we’re supporting the next generation of AI leaders through our Google for Startups Accelerator: AI First programs. We announced the program in January and today, we’re proud to welcome 16 UK-based startups into our accelerator community that are using AI to drive real-world impact.

Out of hundreds of applicants, we’ve carefully selected these 16 high-potential startups to receive 1:1 guidance and support from Google, each demonstrating a unique vision for leveraging AI to address critical challenges and opportunities. This diverse cohort showcases how AI is being applied across sectors — from early cancer detection and climate resilience, to smarter supply chains and creative content generation. By joining the Google for Startups Accelerator: AI First UK program, these startups gain access to technical expertise, mentorship, and a global network to help them scale responsibly and sustainably.

“Google for Startups Accelerator: AI First provides an exceptional opportunity for us to enhance our AI expertise, accelerate the development of our data-driven products, and engage meaningfully with potential investors.” – Denise, Williams, Managing Director, Dysplasia Diagnostics.

Read more about the selected startups and the founders shaping the future of AI:

• Bindbridge (London) is a generative AI platform that discovers and designs molecular glues for targeted protein degradation in plants.

• Building Atlas (Edinburgh) uses data and AI to support the decarbonisation of non-domestic buildings by modelling the best retrofit plans for any portfolio size.

• Comply Stream (London) helps to streamline financial crime compliance operations for businesses and consumers.

• Datawhisper (London) provides safe and compliant AI Agentic solutions tailored for the fintech and payments industry.

• Deducta (London) is a data intelligence platform that supports global procurement teams with supply chain insights and efficiencies.

• Dysplasia Diagnostics (London) develops AI-based, non-invasive, and affordable solutions for early cancer detection and treatment monitoring.

• Flow.bio (London) is an end-to-end cloud platform for running large sequencing pipelines and auto-structuring bio-data for machine learning workflows.

• Humble (London) enables non-technical users to build and share AI-powered apps and workflows, allowing them to automate without writing code.

• Immersive Fox (London)  is an AI studio for creating presenter-led marketing and communication videos directly from text.

• Kestrix (London) uses thermal drones and advanced software to map and quantify heat loss from buildings and generate retrofit plans.

• Measmerize (Birmingham) provides sizing advice for fashion e-commerce retailers, enabling brands to increase sales and decrease return rates.

• PSi (London) uses AI to host large-scale online deliberations, enabling local governments to harness collective intelligence for effective policymaking.

• Shareback (London) is an AI platform that allows employees to securely interact with GPT-based assistants trained on company, department, or project-specific data.

• Sikoia (London) streamlines customer verification for financial services by consolidating data, automating tasks, and delivering actionable insights.

• SmallSpark (Cardiff) enables low power AI at the edge, simplifying the deployment, management, and optimization of ML models on embedded devices.

• Source.dev (London) simplifies the software development lifecycle for smart devices, to help accelerate innovation and streamline software updates.

“Through the program, we aim to leverage Google’s expertise and cutting-edge AI infrastructure to supercharge our growth on all fronts.” Lauren Ladd, Founder, Shareback

These 16 startups reflect the diversity and depth of AI innovation happening across the UK.  Each company will receive  technical mentorship, strategic guidance, and access to strategic connections from Google, and will continue to receive hands-on support via our alumni network after the program wraps in July. 

Congratulations to this latest cohort! To learn more about applying for an upcoming Google for Startups program , visit the program page here.

In 2023, the Waze platform engineering team transitioned to Infrastructure as Code (IaC) using Google Cloud’s Config Connector (KCC) — and we haven’t looked back since. We embraced Config Connector, an open-source Kubernetes add-on, to manage Google Cloud resources through Kubernetes. To streamline management, we also leverage Config Controller, a hosted version of Config Connector on Google Kubernetes Engine (GKE), incorporating Policy Controller and Config Sync. This shift has significantly improved our infrastructure management and is shaping our future infrastructure.

The shift to Config Connector

Previously, Waze relied on Terraform to manage resources, particularly during our dual-cloud, VM-based phase. However, maintaining state and ensuring reconciliation proved challenging, leading to inconsistent configurations and increased management overhead.

In 2023, we adopted Config Connector, transforming our Google Cloud infrastructure into Kubernetes Resource Modules (KRMs) within a GKE cluster. This approach addresses the reconciliation issues encountered with Terraform. Config Sync, paired with Config Connector, automates KRM synchronization from source repositories to our live GKE cluster. This managed solution eliminates the need for us to build and maintain custom reconciliation systems.

The shift helped us meet the needs of three key roles within Waze’s infrastructure team: 

1. Infrastructure consumers: Application developers who want to easily deploy infrastructure without worrying about the maintenance and complexity of underlying resources.

2. Infrastructure owners: Experts in specific resource types (e.g., Spanner, Google Cloud Storage, Load Balancers, etc.), who want to define and standardize best practices in how resources are created across Waze on Google Cloud.

3. Platform engineers: Engineers who build the system that enables infrastructure owners to codify and define best practices, while also providing a seamless API for infrastructure consumers.

First stop: Config Connector

It may seem circular to define all of our Google Cloud infrastructure as KRMs within a Google Cloud service, however, KRM is actually a great representation for our infrastructure as opposed to existing IaC tooling.

Terraform’s reconciliation issues – state drift, version management, out of band changes – are a significant pain. Config Connector, through Config Sync, offers out-of-the-box reconciliation, a managed solution we prefer. Both KRM and Terraform offer templating, but KCC’s managed nature aligns with our shift to Google Cloud-native solutions and reduces our maintenance burden. 

Infrastructure complexity requires generalization regardless of the tool. We can see this when we look at the Spanner requirements at Waze:

• Consistent backups for all Spanner databases

• Each Spanner database utilizes a dedicated Cloud Storage bucket and Service Account to automate the execution of DDL jobs.

• All IAM policies for Spanner instances, databases, and Cloud Storage buckets are defined in code to ensure consistent and auditable access control.

To define these resources, we evaluated various templating and rendering tools and selected Helm, a robust CNCF package manager for Kubernetes. Its strong open-source community, rich templating capabilities, and native rendering features made it a natural fit. We can now refer to our bundled infrastructure configurations as ‘Charts.’ While KRO has since emerged that achieves a similar purpose, our selection process predated its availability.

Under the hood

Let’s open the hood and dive into how the system works and is driving value for Waze.

1. Waze infrastructure owners generically define Waze-flavored infrastructure in Helm Charts. 

2. Infrastructure consumers use these Charts with simplified inputs to generate infrastructure (demo).

3. Infrastructure code is stored in repositories, enabling validation and presubmit checks.

Code is uploaded to a Artifact Registry where Config Sync and Config Connector align Google Cloud infrastructure with the code definitions.

Approaching our destination

So why does all of this matter? Adopting this approach allowed us to move from Infrastructure as Code to Infrastructure as Software. By treating each Chart as a software component, our infrastructure management goes beyond simple code declaration. Now, versioned Charts and configurations enable us to leverage a rich ecosystem of software practices, including sophisticated release management, automated rollbacks, and granular change tracking.

Here’s where we apply this in practice: our configuration inheritance model minimizes redundancy. Resource Charts inherit settings from Projects, which inherit from Bootstraps. All three are defined as Charts. Consequently, Bootstrap configurations apply to all Projects, and Project configurations apply to all Resources.

Every change to our infrastructure – from changes on existing infrastructure to rolling out new resource types – can be treated like a software rollout.

Now that all of our infrastructure is treated like software, we can see what this does for us system-wide:

Reaching our destination

In summary, Config Connector and Config Controller have enabled Waze to achieve true Infrastructure as Software, providing a robust and scalable platform for our infrastructure needs, along with many other benefits including: 

• Infrastructure consumers receive the latest best practices through versioned updates.

• Infrastructure owners can iterate and improve infrastructure safely.

• Platform Engineers and Security teams are confident our resources are auditable and compliant

• Config Connector leverages Google’s managed services, reducing operational overhead.

For data scientists and ML engineers, building analysis and models in Python is almost second nature, and Python’s popularity in the data science community has only skyrocketed with the recent generative AI boom. We believe that the future of data science is no longer just about neatly organized rows and columns. For decades, many valuable insights have been locked in images, audio, text, and other unstructured formats. And now, with the advances in gen AI, data science workloads must evolve to handle multi-modality and use new gen AI and agentic techniques. 

To prepare you for the data science of tomorrow, we announced BigQuery DataFrames 2.0 last week at Google Cloud Next 25, bringing multimodal data processing and AI directly into your BigQuery Python workflows.

In BigQuery, data scientists frequently look to use Python to process large data sets for analysis and machine learning. However, this almost always involves learning a different Python framework and rewriting the code that worked on smaller data sets. You can hardly take Pandas code that worked on 10 GB of data and get it working for a terabyte of data without expending significant time and effort. 

Version 2.0 also strengthens the core foundation for larger-scale, Python data science. And then it builds on this foundation, adding groundbreaking new capabilities that unlock the full potential of your data, both structured and unstructured.

BigQuery DataFrames adoption

We launched BigQuery DataFrames last year as an open-source Python library that scales Python data processing without having to add any new infrastructure or APIs, transpiling common Python data science APIs from Pandas and scikit-learn to various BigQuery SQL operators. Since its launch, there’s been over 30X growth in how much data it processes and, today, thousands of customers use it to process more than 100 PB every month. 

During the last year we evolved our library significantly across 50+ releases and worked closely with thousands of users. Here’s how a couple of early BigQuery DataFrames customers use this library in production.

Deutsche Telekom has standardized on BigQuery DataFrames for its ML platform.

“With BigQuery DataFrames, we can offer a scalable and managed ML platform to our data scientists with minimal upskilling.” – Ashutosh Mishra, Vice President – Data Architecture & Governance, Deutsche Telekom

Trivago, meanwhile, migrated its PySpark transformations to BigQuery DataFrames.

“With BigQuery DataFrames, data science teams focus on business logic and not on tuning infrastructure.” – Andrés Sopeña Pérez, Head of Data Infrastructure, Trivago 

What’s new in BigQuery Dataframes 2.0?

This release is packed with features designed to streamline your AI and machine learning pipelines:

Working with multimodal data and generative AI techniques 

• Multimodal DataFrames (Preview): BigQuery Dataframes 2.0 introduces a unified dataframe that can handle text, images, audio, and more, alongside traditional structured data, breaking down the barriers between structured and unstructured data. This is powered by BigQuery’s multimodal capabilities enabled by ObjectRef, helping to ensure scalability and governance for even the largest datasets.

  When working with multimodal data, BigQuery DataFrames also abstracts many details for working with multimodal tables and processing multimodal data, leveraging BigQuery features behind the scene like embedding generation, vector search, Python UDFs, and others.

• Pythonic operators for BigQuery AI Query Engine (experimental): BigQuery AI Query Engine makes it trivial to generate insights from multimodal data: Now, you can analyze unstructured data simply by including natural language instructions in your SQL queries. Imagine writing SQL queries where you can rank call transcripts in a table by ‘quality of support’ or generate a list of products with ‘high satisfaction’ based on reviews in a column. BigQuery AI Query Engine makes that possible with simple, stackable SQL.

  BigQuery DataFrames offers a DataFrame interface to work with AI Query Engine. Here’s a sample:

• Gemini Code Assist for DataFrames (Preview): To keep up with the evolving user expectations around code generation, we’re also making it easier to develop BigQuery DataFrames code, using natural language prompts directly within BigQuery Studio. Together, Gemini’s contextual understanding and DataFrames-specific training help ensure smart, efficient code generation. This feature is released as part of Gemini in BigQuery.

Strengthening the core 

To make the core Python data science workflow richer and faster to use,  we added the following features. 

• Partial ordering (GA): By default, BigQuery DataFrames maintains strict ordering (as does Pandas). With 2.0, we’re introducing a relaxed ordering mode that significantly improves performance, especially for large-scale feature engineering. This “spin” on traditional Pandas ordering is tailored for the massive datasets common in BigQuery. Read more about partial ordering here. 

Here’s some example code that uses partial ordering :

• Work with Python UDF (Preview): BigQuery Python user-defined functions are now available in preview [see the documentation].

  Within BigQuery DataFrames you can now auto-scale Python function execution to millions of rows, with serverless, scale-out execution. All you need to do is put a “@udf” decorator on top of a function that needs to be pushed to the server-side.   

  Here is an example code that tokenizes comments from stackoverflow data stored in a  BigQuery public table with ~90 million rows using a Python UDF: 

• dbt Integration (Preview): For all the dbt users out there, you can now integrate BigQuery DataFrames Python into your existing dbt workflows. The new dbt Python model allows you to run BigQuery DataFrames code alongside your BigQuery SQL, unifying billing, and simplifying infrastructure management. No new APIs or infrastructure to learn — just the power of Python and BigQuery DataFrames within your familiar dbt environment. [Try now ]

Why this matters now

For years, unstructured data has largely resided in silos, separate from the structured data in data warehouses. This separation restricted the ability to perform comprehensive analysis and build truly powerful AI models. BigQuery’s multimodal capabilities and BigQuery Dataframes 2.0 eliminates this divide, bringing the capabilities traditionally associated with data lakes directly into the data warehouse, enabling:

• Unified data analysis: Analyze all your data – structured and unstructured – in one place, using a single, consistent Pandas-like API.

• LLM-powered insights: Unlock deeper insights by combining the power of LLMs with the rich context of your structured data.

• Simplified workflows: Streamline your data pipelines and reduce the need for complex data movement and transformation.

• Scalability and governance: Leverage BigQuery’s serverless architecture and robust governance features for all your data, regardless of format.

See BigQuery Dataframes 2.0 in Action

You can see all of these features in action in this video from Google Cloud Next ’25 

Get started today!

BigQuery Dataframes 2.0 is a game-changer for anyone working with data and AI. It’s time to unlock the full potential of your data, regardless of its structure. Start experimenting with the new features today!

• Dive into the documentation.

• For multimodal use cases – fill out this intake form to get your project number allowlisted for ObjectRef.

• Try out DBT Python model with BigQuery DataFrames via this Quickstart

• Join the Community – Stay connected with the BigQuery DataFrames team by signing up for an email group here.

The daily grind of sifting through endless alerts and repetitive tasks is burdening security teams. Too often, defenders struggle to keep up with evolving threats, but the rapid pace of AI advancement means it doesn’t have to be that way.

Today at the RSA Conference, as we introduce M-Trends 2025 and discuss how we’re boosting defenders, we’re also detailing our vision for how AI agents can help security operations.

Agentic AI promises a fundamental, tectonic shift for security teams, where intelligent agents work alongside human analysts to autonomously take on routine tasks, augment human decision-making, automate workflows and empower them to focus on what matters most: the complex investigations and strategic challenges that truly demand human expertise. 

The agentic AI future

While assistive AI primarily aids human analyst actions, agentic AI goes further and can independently identify, reason through, and dynamically execute tasks to accomplish goals — all while keeping human analysts in the loop.

Our vision for this agentic future for security builds on the the tangible benefits our customers experience today with Gemini in Security Operations:

“No longer do we have our analysts having to write regular expressions that could take anywhere from 30 minutes to an hour. Gemini can do it within a matter of seconds,” said Hector Peña, senior information security director, Apex Fintech Solutions.

We believe that agentic AI will transform security operations. The agentic security operations center (SOC), powered by multiple connected and use-case driven agents, can execute semi-autonomous and autonomous security operations workflows on behalf of defenders.

The agentic SOC

We are rapidly building the tools for the agentic SOC with Gemini in Security. Earlier this month at Google Cloud Next, we introduced two new Gemini in Security agents:

In Google Security Operations, an alert triage agent performs dynamic investigations on behalf of users. Expected to preview for select customers in Q2 2025, this agent analyzes the context of each alert, gathers relevant information, and renders a verdict on the alert. 

It also provides a fully transparent audit log of the agent’s evidence, reasoning and decision making. This always-on investigation agent will vastly reduce the manual workload of Tier 1 and Tier 2 analysts who otherwise are triaging and investigating hundreds of alerts per day.

In Google Threat Intelligence, a malware analysis agent performs reverse engineering tasks to determine if a file is malicious. Expected to preview for select customers in Q2 2025, this agent analyzes potentially malicious code, including the ability to create and execute scripts for deobfuscation. The agent will summarize its work, and provide a final verdict.

Building on these investments, the agentic SOC is a connected, multi-agent system that works collaboratively with the human analyst to achieve exponential gains in efficiency. These intelligent agents are designed to fundamentally change security and threat management, working alongside analysts to automate common tasks and workflows, improve decision-making, and ultimately enable a greater focus on complex threats.

To illustrate this vision in action, consider the following examples of how agentic collaboration could transform everyday security tasks with agents. At Google Cloud, we believe many critical SOC functions can be automated and orchestrated: 

• Data management: Ensures data quality and optimizes data pipelines.

• Alert triage: Prioritizes and escalates alerts. 

• Investigation: Gathers evidence and provides verdicts on alerts, documents each analysis step, and determines the response mechanism. 

• Response: Remediates issues using hundreds of integrations,such as endpoint isolation.

• Threat research: Bridges silos by analyzing and disseminating intelligence to other agents, such as the threat hunt agent. 

• Threat hunt: Proactively hunts for unknown threats in your environment with data from Google Threat Intelligence. 

• Malware analyst: Analyzes files at scale for potentially malicious attributes.

• Exposure management: Proactively monitors internal and external sources for credential leaks, initial access brokers, and exploited vulnerabilities.

• Detection engineering: Continuously analyzes threat profiles and can create, test, and fine-tune detection rules.

How the Google advantage helps agentic AI

Developing dependable and impactful agents for real-world security applications requires three key ingredients, all of which Google excels in:

1. We harness our deep reservoir of security data and expertise to provide guiding principles for the agents.

2. We integrate our cutting-edge AI research, and use mature agent development tools and frameworks to enable the creation of a reusable and scalable agentic system architecture.

3. Our ownership of the complete AI technology stack, from highly scalable and secure infrastructure to state-of-the-art models, provides a robust foundation for agentic AI development.

These advantages allow us to establish a well-defined framework for security agents, empowering AI to emulate human-level planning and reasoning, leading to superior performance in security tasks compared to general-purpose large language models.

This approach ensures high-quality and consistent results across security tasks and also facilitates the development of new agents through the modular composition of existing security capabilities – building a diverse garden of reusable, task-focused security agents.

Furthermore, agent interoperability, regardless of developer, boosts autonomy, productivity, and reduces long-term costs. Our open Agent2Agent (A2A) protocol, announced at Google Cloud Next, facilitates this, complementing the model context protocol (MCP) for standardized AI interaction with security applications and platforms. 

To further advance interoperability, we are pleased to announce the open-sourcing of MCP servers for Google Unified Security, allowing users to build custom security workflows that use both Google Cloud and ecosystem tools. We are committed to an open ecosystem, envisioning a future where agents can collaborate dynamically across different products and vendors.

“We see an immediate opportunity to use MCP with Gemini to connect with our array of custom and commercial tools. It can help us make ad-hoc execution of data gathering, data enrichment, and communication easier for our analysts as they use the Google Security Operations platform,” said Grant Steiner, principal cyber-intelligence analyst, Enablement Operations, Emerson.

Introducing SecOps Labs for AI

To help defenders as our AI work rapidly advances, and to give the community an opportunity to offer direct feedback, we’re excited to introduce SecOps Labs. This initiative offers customers early access to cutting-edge AI pilots in Google Security Operations, and is designed to foster collaboration with defenders through firsthand experience, valuable feedback, and direct influence on future Google Security Operations technologies. 

Initial pilots showcase AI’s potential to address key security challenges, such as: 

• Detection engineering: This pilot autonomously converts threat reports into detection rules and generates synthetic data for testing their effectiveness. 

• Response playbooks: This pilot recommends and generates automation playbooks for new alerts based on analysis of past incidents.

• Data parsing: This pilot is a first step towards AI generated parsers starting with allowing users to update their parsers using natural language.

SecOps Labs is a collaborative space to refine AI capabilities, to ensure they address real-world security challenges and deliver tangible value, while enabling teams to experiment with the latest pre-production capabilities. Stay tuned for more in Q2 2025 to participate in shaping the future of agentic security operations with Google Cloud Security.

Meet us at RSAC to learn more

Excited about agentic AI and the impact it will have on security? Connect with our experts and see Google Cloud Security tech in action. Find us on the show floor at booth #N-6062 Moscone Center, North Hall, or at the Marriott Marquis to meet with our security experts and learn how you can make Google part of your security team. 

Not able to join us in person? Stream RSA Conference or catch up on-demand here, and connect with Google Cloud Security experts and fellow professionals in the Google Cloud Security Community to share knowledge, access resources, discover local events and elevate your security experience.

Cybersecurity is facing a unique moment, where AI-enhanced threat intelligence, products, and services are poised to give defenders an advantage over the threats they face that’s proven elusive — until now.  

To empower security teams and business leaders in the AI era, and to help organizations proactively combat evolving threats, today at RSA Conference we’re sharing Mandiant’s latest M-Trends report findings, and announcing enhancements across Google Unified Security, our product portfolio, and our AI capabilities. 

M-Trends 2025 

The 16th edition of M-Trends is now available. The report provides data, analysis, and learnings drawn from Mandiant’s threat intelligence findings and over 450,000 hours of incident investigations conducted in 2024. Providing actionable insights into current cyber threats and attacker tactics, this year’s report continues our efforts to help organizations understand the evolving threat landscape and improve their defenses based on real-world data.

We see that attackers are relentlessly seizing opportunities to further their objectives, from using infostealer malware, to targeting unsecured data repositories, to exploiting cloud migration risks. While exploits are still the most common way that attackers are breaching organizations, they’re using stolen credentials more than ever before. The financial sector remains the top target for threat actors.

M-Trends 2025 dives deep into adversarial activity, loaded with highly relevant threat data analysis, including insider risks from North Korean IT workers, blockchain-fueled cryptocurrency threats, and looming Iranian threat actor activity. Our unique frontline insight helps us illustrate how threat actors are conducting their operations, how they are achieving their goals, and what organizations need to be doing to prevent, detect, and respond to these threats. 

Google Unified Security

Throughout 2024, Google Cloud Security customers directly benefited from the threat intelligence and insights now publicly released in the M-Trends 2025 report. The proactive application of our ongoing findings included expert-crafted threat intelligence, enhanced detections in our security operations and cloud security solutions, and Mandiant security assessments, ensuring customers quickly received the latest insights and detections as threats were uncovered on the frontlines.

Now, with the launch of Google Unified Security, customers benefit from even greater visibility into threats and their environment’s attack surface, while Mandiant frontline intelligence is actioned directly through curated detections and playbooks in the converged solution.

By integrating Google’s leading threat intelligence, security operations, cloud security, secure enterprise browsing, and Mandiant expertise, Google Unified Security creates a single, scalable security data fabric across the entire attack surface. Gemini AI enhances threat detection with real-time insights; streamlines security operations; and fuels our new malware analysis and triage AI agents, empowering organizations to shift from reactive to preemptive security. 

In today’s threat landscape, one of the most critical choices you need to make is who will be your strategic security partner, and Google Unified Security is the best, easiest, and fastest way to make Google part of your security team. Today, we’re excited to share several enhancements across the product portfolio.

What’s new in Google Security Operations

Google Security Operations customers now benefit from Curated Detections and Applied Threat Intelligence Rule Packs released for specific M-Trends 2025 observations, which can help detect malicious activity, including infostealer malware, cloud compromise, and data theft. 

For example, the indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) from cloud compromise observations have been added to the Cloud Threats curated detections rule pack.

We’re also excited to announce several AI and product updates designed to simplify workflows, dramatically reduce toil, and empower analysts. 

We’ve already seen the transformative power of AI in security operations through the tangible benefits our customers experience today with Gemini in Google Security Operations. Our vision for the future is even more ambitious: an agentic security operations center (SOC), where security operations are fundamentally enhanced by a collaborative multi-agent system. 

As we bring this vision to life, we’re developing intelligent, use-case driven agents that are designed to work in concert with human analysts as they automate routine tasks and improve decision-making. Ultimately, the agentic SOC will enable a greater focus on complex threats, helping to deliver autonomous security operations workflows and exponential gains in efficiency.

To further accelerate the adoption and refinement of AI-powered security capabilities, we are launching SecOps Labs, a new space for customers to get early access to our latest AI pilots and provide feedback. Initial features include an Natural Language Parser Extension, a Detection Engineering Agent for automated rule creation and testing, and a Response Agent for generating automation playbooks. SecOps Labs will foster collaboration in shaping the future of AI-powered security operations.

Composite Detections, in preview, can connect the dots between seemingly isolated events to help defenders uncover a more complete attack story. Your SOC can use it to create sophisticated multi-stage detections and attacker activity correlation, simplify detection engineering, and minimize false positives and false negatives. 

Composite Detections can help teams build reusable detection logic to reveal hidden connections, stop advanced attackers that evade simple detection, and overcome the assumed precision and recall tradeoff inherent to most detection engineering.

The Content Hub, in preview, is your go-to for the resources you need to streamline security operations and maximize the platform’s potential. Security operations teams can access content packs for top product integrations and use cases, making data ingestion configuration and data onboarding more efficient. 

There’s also a library of certified integrations, pre-built dashboards, and ready-to-install search queries. Plus, you can gain deeper insights into your security posture with access to curated detections and insights into their underlying logic. Now you can discover, onboard, and manage all your security operations content in one place.

With Gemini in Google Security Operations, we’re also introducing a new way to get your product questions answered instantly, accessible from anywhere in the platform (in preview). You can now search documentation with Gemini, which will provide fast and high-quality answers for your security operations related questions, complete with reference links.

What’s new in Security Command Center

Rapidly building on AI Protection, which was announced in March, we are adding new multi-modal capabilities for detecting sensitive data in images used for training and inference.

To help security teams gain more visibility into AI environments, discover a wider range of sensitive data, and configure image-redaction rules if needed, AI Protection will be able to conduct object-based detection (such as barcodes) available in June.

In addition to detecting sensitive data in images, we’ve added new AI threat detectors to AI Protection to identify specific cloud-based threats against your AI workloads. Aligned with MITRE ATLAS tactics, AI Protection detects threats like Suspicious/Initial Access, Persistence, and Access Modifications for your Vertex workloads and associated resources, empowering your organization with the visibility and context needed to rapidly investigate and respond to threats against your AI environment.

AI Protection is currently in preview (sign up here), and provides full AI lifecycle security that discovers AI assets and prioritizes top risks, secures AI with guardrails and safety controls, and helps detect, investigate, and respond to AI threats.

We’re also excited to share our latest research on the intersection of security and AI, Secure AI Framework (SAIF) in the Real World. We provide key considerations for applying SAIF principles across the data, infrastructure, application, and model dimensions of your AI projects. 

What’s new in Mandiant Cybersecurity Consulting 

Google Unified Security integrates Mandiant’s expertise through the Mandiant Retainer, offering on-demand access to experts with rapid incident response and flexible pre-paid funds for consulting services and, through Mandiant Threat Defense, which provides AI-assisted threat detection, hunting, and response, extending customer security teams through expert collaboration and SOAR playbooks.

Mandiant’s new Essential Intelligence Access (EIA) subscription, available now, offers organizations direct and flexible access to our world-class threat intelligence experts. These experts serve as an extension of your security team, providing personalized research and analysis, delivering tailored insights to inform critical decisions, focus defenses, and strengthen cybersecurity strategies. 

EIA also helps customers maximize the value and efficiency of their Cyber Threat Intelligence (CTI) investments. Going beyond raw threat feeds, EIA analyzes data in the context of your specific environment to illuminate unique threats. Crucially, this includes personalized guidance from human experts deeply experienced in operationalizing threat intelligence, upskilling teams, prioritizing threats, and delivering continuous support to improve security posture and reduce organizational risk.

Evolve your security strategy with Google Cloud

The M-Trends 2025 report is a call to action. It highlights the urgency of adapting your defenses to meet increasingly sophisticated attacks. 

At RSA Conference, we’ll be sharing how these latest Google Cloud Security advancements and more can transform threat intelligence into proactive, AI-powered security. You can find us at booth #N-6062 Moscone Center, North Hall, and connect with security experts at our Customer Lounge in the Marriott Marquis. 

You can also stream the conference or catch up on-demand here, and join the Google Cloud Security Community to share knowledge, access resources, discover local events, and elevate your security experience. 

Feel more secure about your security, by making Google part of your security team today.

In today’s data-driven world, the ability to extract meaningful insights quickly is paramount. Yet, for many, the journey from raw data to actionable intelligence is fraught with challenges. Complex SQL queries, time-consuming iterative analyses, and the gap between technical and non-technical users often hinder progress. BigQuery data canvas is a visual workspace designed to democratize data analysis and empower everyone to unlock the power of their BigQuery data. At Google Cloud Next 25 earlier this month, we introduced a built-in AI-assistive chat experience in data canvas powered by Gemini that encapsulates a variety of workflow analysis processes, ranging from data exploration to visualization, all with a single prompt. 

Data canvas isn’t just another feature; it’s a fundamental change in how data practitioners interact with data. By seamlessly integrating visual workflows with BigQuery and Gemini, we’re bridging the gap between raw data and impactful insights.

Core features: A deep dive

Let’s take a look at what you can do with the data canvas assistant.

Gemini powers your AI data agent

We integrated Gemini, our powerful AI model, into data canvas to enhance your data exploration experience. With it, you can use natural language to generate and refine queries, ask questions about your data, and receive intelligent suggestions and insights. For example, if you type “Show me the top 10 customers by revenue” data canvas powered by Gemini generates the corresponding query as well as offers insights about the dataset. Gemini also assists in data discovery, suggesting datasets that may be relevant to your questions.

The Gemini-powered AI chat experience encapsulates workflow analysis processes, from data exploration to visualization — all with a single prompt. Don’t know where to start? Use the suggested prompts to start exploring your data. Based on your selected or most used tables, BigQuery Data Canvas uses Gemini to generate natural language questions about your data, along with the corresponding SQL queries to answer them. You can add multiple data sources to the chat context from which Gemini can answer your questions. You can also further ground the chat by passing system instructions to pass domain knowledge about your data, to increase the accuracy of the resulting answers. For example, perhaps your organization’s fiscal year does not run from January to December — you can inform Gemini of this using system instructions. You can also use the system instructions to mold the way your answers are formatted and returned to you, e.g., “always present findings with charts, use green colour for positive and red color for negative.” 

And coming soon, for complex problems like forecasting and anomaly detection, the chat experience will support advanced analysis using Python. Toggle this feature on in your chat’s settings bar, and based on the complexity of your prompt, Gemini chat assist will use a Python code interpreter to answer your question. 

“Data Canvas is a game-changer in BigQuery, allowing data professionals to interactively discover, query, transform, and visualize data using a seamless blend of natural language processing and graphical workflows, all powered by Gemini AI.” – Sameer Zubair, Principal Platform Tech Lead, Virgin Media O2

Visual query building: Explore multiple paths in one place

When sitting down to do data analysis, imagine a unified hub where you can filter, join, aggregate, or visualize data across multiple tables, each in its own container, all on the same page. Instead of forcing you down a linear path, data canvas uses a DAG (Directed Acyclic Graph) approach, allowing you to branch off at any point to explore alternative angles, circle back to earlier steps, or compare multiple outcomes simultaneously. Adding data is simple: just search for the tables you need, and add them to the canvas. You can start by asking questions of your data using natural language, and data canvas automatically generates the underlying SQL, which you can review or tweak whenever you like. This node-based method lowers the barrier to analysis for experienced SQL pros and newer analysts alike, allowing them to follow insights wherever they lead, without wrestling with complex query syntax.

Interactive visualizations: Uncover insights in real time

Data canvas offers a variety of interactive visualizations, from charts and graphs to tables. It’s easy to customize your visualizations, explore data interactively, and identify trends and anomalies. Want to see the distribution of sales across different regions? Add the “Region” and “Sales” fields onto the canvas, and let data canvas generate a chart for you automatically. Simply select the best visualization for the data, or select your own visualization, and watch as your data comes to life. Furthermore, you can export these visualizations as a PNG or to Looker Studio for further manipulation and sharing.

Putting data canvas to work in the real world

There’s no end of ways you can use new AI assistive capabilities in BigQuery data canvas. Here are a few industry-specific ideas to get your creative juices flowing. 

Telecom support and diagnostics: Speeding up service restoration

Imagine a telecom support team that’s troubleshooting customer issues. Support tickets get ingested into BigQuery every hour, and can be queried in data canvas to extract who (customer phone), where (postcode), what (the affected service), when (timestamp), and which (closest cell tower). Each of these data points is handled in its own node, all within a single canvas, so analysts don’t need to toggle across multiple query tabs to perform this analysis. This visual workflow lets them spot localized outages, route technicians to the right towers, and resolve service disruptions faster than ever.

E-commerce analytics: Boosting sales and customer engagement

Picture a marketing team analyzing customer purchase data to optimize campaigns. Using data canvas, they can visually join customer and product tables, filter by purchase history, and visualize sales trends across different demographics. They can quickly identify top-selling products, high-value customer segments, and the effectiveness of their marketing campaigns, to make data-driven decisions.

Supply chain optimization: Streamlining logistics

A logistics manager could use data canvas to track inventory levels, analyze delivery routes, and identify potential bottlenecks. By visualizing this supply chain data, they can optimize delivery schedules, reduce costs, and improve efficiency. They can also create interactive dashboards to monitor key performance indicators and make real-time adjustments.

The future of data exploration is visual and AI-powered

BigQuery data canvas is a significant leap forward in making data accessible and actionable for everyone. By combining visual workflows, the power of BigQuery, and the intelligence of Gemini, we’re empowering you to unlock the full potential of your data. Start your journey today and experience the future of data exploration.

Get started with BigQuery data canvas today with this course. It’s completely free to use.

How is generative AI actually impacting developers’ daily work, team dynamics, and organizational outcomes? We’ve moved beyond simply asking if organizations are using AI, and instead are focusing on how they’re using it.

That’s why we’re excited to share DORA’s Impact of Generative AI in Software Development report. Based on extensive data and developer interviews, the report moves beyond the hype to offer perspective on AI’s impact on individuals, teams, and organizations.

Let’s take a look at some of the highlights – research-backed ways organizations are already benefitting from AI in their software development, plus five actionable ways to maximize AI’s benefits while mitigating potential risks.

Understanding the real-world impact

Our research shows real productivity gains, organizational benefits, and grassroots adoption of AI.Here are just a few of the key highlights:

• The AI imperative is real: A staggering 89% of organizations are prioritizing the integration of AI into their applications, and 76% of technologists are already using AI in some part of their daily work. This signals both top-down and grassroots adoption solidifying the fact that this isn’t a future trend; it’s happening now.

• Productivity gains confirmed: Developers using gen AI report significant increases in flow, productivity, and job satisfaction. For instance, a 25% increase in AI adoption is associated with a 2.1% increase in individual productivity.

• Organizational benefits are tangible: Beyond individual gains, we found strong correlations between AI adoption and improvements in crucial organizational metrics. A 25% increase in AI adoption is associated with increases in document quality, code quality, code review speed and approval speed.

How to maximize AI adoption and impact

So how do you make the most of AI in your software development? The report explores five practical approaches for both leaders and practitioners:

1. Have transparent communications: Our research suggests that organizations that apply this strategy can gain an estimated 11.4% increase in team adoption of AI.

2. Empower developers with learning and experimentation: Our research shows that giving developers dedicated time during work hours to explore AI leads to a 131% increase in team AI adoption.

3. Establish clear policies: Our data suggest that organizations with clear AI acceptable-use policies see a 451% increase in AI adoption compared to those without.

4. Rethink performance metrics: Shift the focus from hours worked to outcomes and value delivered. Acknowledge the labor involved in effectively working with AI, including prompt engineering and refining AI-generated output.

5. Embrace fast feedback loops: Implement mechanisms that enable faster feedback for continuous integration, code reviews, and testing. These loops are becoming even more critical as we venture into workflows with AI agents.

The future of software development is here

Generative AI is poised to revolutionize software development. But realizing its full potential requires a strategic, thoughtful, and human-centered approach.

Download the full report, Impact of Generative AI in Software Development, today and learn how to effectively utilize AI for your team and your organization.

Consumer packaged goods brands invest significantly in advertising, driving brand affinity to boost sales now and in the future. Campaigns are often optimized as they run by monitoring media-in-progress metrics against strategies like targeting specific audiences cohorts. However, because most sales happen in physical stores, accurately linking media sales lift to target audiences while ads are running can be a challenge. 

Many solutions use “total ad sales” for measurement, but this metric doesn’t always correlate to incremental sales, which is Mars Wrigley’s gold standard key performance indicator (KPI) for media effectiveness. 

So how do you know if your current ad spend is paying off while it’s still possible to optimize your in-flight campaigns?

Mars Wrigley is working with EPAM, and using Google Cloud Cortex Framework, to make significant progress tackling this issue with an approach that introduces an agile way to accurately measure in-flight audience effectiveness based on incremental sales.

The Mars Wrigley approach: Connecting data for actionable audience insights

After exploring many solutions, Mars Wrigley decided to look inward and harness the power of its own data. However, this data was siloed in various media and retailer platforms. 

To solve this, the company adopted Cortex Framework, using its pre-built data connectors and standardized data models to quickly integrate media data from sources like YouTube with sales information from retailers, creating a unified view of ad impact within a central, AI-ready cloud data foundation in BigQuery.

By combining data in BigQuery and using built-in data science tools like BQML, Mars Wrigley can now better understand how specific audience targeting strategies in its media investments are driving incremental sales lift across key customer groups.

For example, by identifying stores with similar sales patterns, the company can create geo-targeted control and expose Designated Market Areas (DMAs) for running audience testing.

By dividing its audiences into distinct segments, each with a control group, Mars Wrigley can experiment and monitor live campaign performance to optimize its investments for maximum sales lift.

Google Cloud Cortex Framework: Accelerating insights and decisions

The accelerated access to a consolidated AI-enabled data core represents a valuable addition to Mars Wrigley’s portfolio of media effectiveness tools. Cortex Framework provides instant insights with its predefined and customizable analytics content as well as seamless integration with major media platforms like Google Ads, YouTube, TikTok, Meta, and more.

“Before, we were struggling to get an accurate in-flight view of our audiences’ performance. With Google Cloud Cortex Framework, we realized that the answer was within our internal data. We partnered with EPAM Systems to harness the synergy of our internal data sources, enabling us to run timely experimentation based on actual sales lift. This filled an important gap within our portfolio of measurement tools and allowed us to continue making data-driven decisions when it matters.”
– Lía Inoa Pimentel – Sr. Global Manager, Brand Experience & Media Measurement, Mars Wrigley.  

By embracing Cortex Framework, Mars Wrigley is not only gaining a clearer understanding of media impact on sales but also paving the way for a more data-driven and agile approach to marketing in the consumer packaged goods industry.

This approach includes some of the following key benefits:

• Agile hypothesis testing: Bringing insights in-house significantly accelerates the ability to test hypotheses and adapt strategies quickly.

• Scalability: The architecture allows for easy expansion to encompass more media investment insights and a broader range of retail customers.

• Versatility: Beyond audience testing, Mars Wrigley can also leverage Cortex Framework for other use cases, such as media formats, content variations, shopper media, and more. 

To learn more about solutions that can help accelerate your marketing journey in the cloud visit the EPAM and Google Cloud Cortex Framework websites.