Welcome to episode 346 of The Cloud Pod, where the forecast is always cloudy! Hold on to your butts, because Justin, Ryan, and Matt are in the studio today, and they’re ready to bring you all the latest in Cloud and AI news, including the usual: Meta buying social networks, Amazon responding to outages, and OpenAI giving up another version of GPT. Let’s get into it!
Titles we almost went with this week
- ✍️ Cloudflare Spent $1100 to Rewrite Next.js in a Week
- 🪈 One Pipe to Rule All Your OpenTelemetry Data
- ☑️ Check Yourself Before Google Wrecks Your Cloud Config
- 🎫 Copilot Takes Jira Tickets So You Don’t Have To
- 🧑‍✈️ GitHub Copilot Agent Joins Your Jira Workflow Uninvited
- 👉 When AI Agents Network, Meta Swipes Right on Moltbook
- 🎛️ Sixty Controls Walk Into a Terraform Repository
- 🪪 One Security Console to Rule All Your Clouds
- 🔒 AI Ate My Lock-In, and I Feel Fine
- ⛅ Oracle Sees $90 Billion Future Cloudy With a Chance of GPUs
- 💻 Your API Has Trust Issues, and We Can Prove It
- 🏃 Stop Running Three Pipelines Like a Telemetry Hoarder
- 🦕 From Database Dinosaur to AI Cash Cow
- ☠️ Meta: Target acquired; must kill Moltbook
- 🔫 Meta saw Moltbook and said, “WE MUST OWN IT AND KILL.”
Follow Up
00:51 Where things stand with the Department of War
- Anthropic has been designated a supply chain risk to US national security by the Department of War, a designation the company is challenging in court as legally unsound under 10 USC 3252.
- The practical scope of the designation is narrow, applying only to the use of Claude in direct Department of War contracts, not to all customers that hold such contracts or to unrelated business with Anthropic.
- Anthropic has stated that it will continue to provide its models to the Department of War and the national security community at nominal cost, with ongoing engineering support, during any transition period and for as long as permitted.
- The company’s two stated exceptions to military use involve fully autonomous weapons and mass domestic surveillance, and Anthropic has clarified these do not extend to operational decision-making, which it considers the military’s domain.
- For cloud and enterprise customers, the key takeaway is that existing Claude deployments unrelated to Department of War contracts remain unaffected, though the legal dispute introduces uncertainty into federal procurement pipelines involving AI services.
- We will keep you updated on this in 12-18 months…
AI Is Going Great – Or How ML Makes Money
01:21 Introducing GPT-5.4
- OpenAI released GPT-5.4 across ChatGPT, the API, and Codex, positioning it as their most capable reasoning model to date. It merges the coding strengths of GPT-5.3-Codex with general reasoning, professional knowledge work, and native computer-use capabilities in a single model.
- The computer-use capabilities are a notable technical step, with GPT-5.4 achieving a 75% success rate on OSWorld-Verified desktop navigation, surpassing the reported human benchmark of 72.4% and up from GPT-5.2’s 47.3%.
- This makes it the first general-purpose OpenAI model with native computer use built in, making it relevant for developers building agents that operate across web browsers and desktop software.
- Tool search is a practical efficiency improvement for agentic API workflows, dynamically loading tool definitions only when needed rather than stuffing all definitions into the prompt upfront. In testing against Scale’s MCP Atlas benchmark on 36 MCP servers, this reduced total token usage by 47% with no loss in accuracy, directly translating to lower API costs for tool-heavy applications.
- On the professional work side, GPT-5.4 scores 87.3% on an internal investment banking spreadsheet benchmark, up from 68.4% for GPT-5.2, and achieves 91% on BigLaw Bench for legal document work. The ChatGPT for Excel add-in, launched alongside it, gives Enterprise customers a direct integration path.
- Pricing is higher per token than GPT-5.2 in the API, though OpenAI notes the model’s token efficiency should offset costs for many workloads.
- Batch and Flex pricing remain available at half the standard rate, and Priority processing is available at 2x the standard rate for latency-sensitive use cases.
02:19 📢 Justin – “There’s also been a slew of every cloud provider in the world announcing Chat-GPT 5.4 is now available, and we will not be telling you about all of them, but assume that if you use a different model or different cloud, they probably have it.”
04:33 Introducing ChatGPT for Excel and new financial data integrations
- OpenAI launched ChatGPT for Excel in beta, an add-in powered by GPT-5.4 that lets users build, update, and analyze spreadsheet models using plain language descriptions.
- It preserves existing formulas and structure, asks permission before making changes, and links answers to specific cells for auditability.
- Available now for Business, Enterprise, Edu, Pro, and Plus users in the US, Canada, and Australia.
- GPT-5.4 (also available as GPT-5.4 Thinking) is now live in ChatGPT, Codex, and the API, with OpenAI noting it was specifically tuned on real-world finance workflows, including financial modeling, scenario analysis, data extraction, and long-form research.
- New financial data integrations bring Moody’s, Dow Jones Factiva, MSCI, Third Bridge, MT Newswire, and others directly into ChatGPT workflows, with FactSet coming soon.
- Organizations can also connect proprietary data sources using Model Context Protocol (MCP), centralizing market, company, and internal data in a single interface.
- For enterprise deployments, the Excel add-in supports RBAC, SAML SSO, SCIM, audit logs, AES-256 encryption at rest, TLS 1.2+ in transit, and data residency controls. In Enterprise and Edu workspaces, the feature is off by default and requires admin enablement with custom roles and group permissions.
- ChatGPT for Google Sheets is listed as coming soon, signaling OpenAI is extending this spreadsheet integration beyond the Microsoft ecosystem.
04:49 📢 Justin – “If I were a betting man, I’d also say they’re going to have a PowerPoint version any day.”
06:13 Meet KARL: A Faster Agent for Enterprise Knowledge, powered by custom RL
- Databricks introduced KARL (Knowledge Agent with Reinforcement Learning), a custom model built using RL techniques to handle grounded reasoning tasks like document search, fact-finding, and multi-step reasoning across enterprise data sources.
- KARL was trained with a few thousand GPU hours using entirely synthetic data. In internal testing, it matched or outperformed proprietary frontier models on inference cost, latency, and response quality simultaneously.
- The core technical challenge KARL addresses is hard-to-verify tasks, where there is no single correct answer, making RL reward signal design particularly difficult compared to domains like math or code, where correctness is easier to measure.
- Databricks is now offering a Custom RL private preview backed by Serverless GPU Compute, allowing enterprise customers to use the same RL pipeline that produced KARL to build domain-specific, cost-optimized versions of their own high-volume agents.
- For enterprises running AI agents at scale, this approach suggests that custom RL fine-tuning on smaller models can substantially reduce inference costs compared with relying on general-purpose frontier models, a practical consideration as agentic workload costs grow.
07:09 📢 Ryan – “It’s kind of a neat idea to provide sort of the pipeline there. I mean, I guess the big cloud providers are producing agent-building platforms and stuff; I wonder how much of this you can follow the path that they use for creating KARL and building your own domain-specific agent in the same way. I like the idea. Smaller model, less GPU.”
08:55 Codex Security: now in research preview
- OpenAI launched Codex Security, formerly known as Aardvark, in research preview. It is now available to ChatGPT Pro, Enterprise, Business, and Edu customers via Codex web, with free usage for the first month.
- The tool functions as an agentic application security scanner that builds a project-specific threat model to identify and prioritize vulnerabilities with context-aware fixes.
- The performance metrics from the beta are notable: false positive rates dropped by over 50%, overreported severity findings fell by more than 90%, and noise was reduced by 84% in some repositories.
- Over the last 30 days, it scanned more than 1.2 million commits, surfacing 792 critical and 10,561 high-severity findings, with critical issues appearing in fewer than 0.1% of commits.
- The tool uses sandboxed validation environments to pressure-test findings before surfacing them and can generate working proofs of concept when configured with a project-specific runtime environment. It also learns from user feedback on finding severity to refine its threat model over time.
- Codex Security has already produced real-world results in open source, with 14 CVEs assigned across projects including OpenSSH, GnuTLS, GOGS, PHP, and Chromium.
- OpenAI is also launching Codex for OSS, offering free ChatGPT Pro and Plus accounts, as well as Codex Security access for open-source maintainers.
10:07 📢 Ryan – “I wish AI wouldn’t generate all those vulnerabilities in code… but I do like that these tools are available.”
12:40 OpenAI to acquire Promptfoo
- OpenAI is acquiring Promptfoo, an AI security platform used by over 25 percent of Fortune 500 companies, with plans to integrate its technology directly into OpenAI Frontier, the company’s enterprise platform for building AI agents.
- Promptfoo’s core capabilities include automated red-teaming and security testing for LLM applications, targeting risks such as prompt injection, jailbreaks, data leaks, tool misuse, and out-of-policy agent behavior.
- These will become native features within Frontier rather than separate tools.
- The acquisition addresses a practical gap for enterprise AI deployments: systematic ways to test agent behavior before production, maintain audit trails, and meet governance and compliance requirements as AI agents connect to real data and business systems.
- Promptfoo also maintains a widely used open-source CLI and library on GitHub, and OpenAI has stated it will continue developing the open-source project alongside the integrated enterprise capabilities, which is notable for developers already using those tools.
- For enterprises building on Frontier, this signals that security testing and evaluation are moving from optional add-ons to built-in requirements of the development workflow, with direct implications for how teams structure AI deployment pipelines and compliance documentation.
13:36 📢 Justin – “It’s good that this company got bought, integrated into the models is a great stepping stone, and I look forward to seeing more red teaming agents, because I think that’s an area companies really have underinvested, and with our new cyber warfare world, it’s going to become more and more important that you’re doing more active red teaming.”
15:21 Introducing Kasal
- Databricks released Kasal, an open-source visual platform for building multi-agent AI workflows without writing orchestration code.
- Users can drag and drop agents onto a canvas or describe workflows conversationally, and Kasal automatically generates the underlying CrewAI-based Python code.
- Kasal runs natively on Databricks Apps with built-in OBO authentication, SQLite or Lakebase persistence, and MLflow tracing integration, meaning teams can move from visual design to production deployment with minimal additional configuration.
- The platform supports both sequential and hierarchical agent modes, in which hierarchical workflows include a manager agent coordinating specialized subagents, useful for tasks such as generating customer-specific sales presentations by combining product and customer data pipelines.
- Observability is handled at two layers: business users see execution timelines and workflow status in the Kasal frontend, while AI engineers can use MLflow tracing to debug LLM calls and agent behavior at a technical level.
- Workflows built in Kasal can be exported as Python code for further customization, and reusable plans can be registered in a shared catalog, giving teams a path from low-code prototyping to production-grade pipelines without being locked into the visual interface.
15:48 📢 Justin – “They didn’t mention security review; I just want to call that out.”
17:04 Code Review for Claude Code
- Anthropic launched Code Review for Claude Code in research preview for Team and Enterprise plans, using a multi-agent system that dispatches parallel agents to find bugs, filter false positives, and rank issues by severity, delivering results as a single summary comment plus inline annotations on each PR.
- Internal metrics show the system increased substantive review comments from 16% to 54% of PRs at Anthropic, with large PRs over 1,000 lines receiving findings 84% of the time, averaging 7.5 issues, and less than 1% of findings marked incorrect by engineers.
- Reviews scale dynamically with PR complexity, averaging around 20 minutes per review, and are billed at roughly $15 to $25 per review, making this notably more expensive than the existing open-source Claude Code GitHub Action, which remains available as a lighter-weight alternative.
- A practical example from TrueNAS shows the system surfacing a pre-existing type mismatch bug in adjacent code that was silently wiping an encryption key cache on every sync, the kind of latent issue outside the direct changeset that human reviewers typically would not investigate.
- The system intentionally does not approve PRs, keeping humans in the decision loop, and admins on Team and Enterprise plans retain controls over spend and usage. This positions it as a depth-focused supplement to human review rather than a replacement.
18:15 📢 Justin – “The COST of the review is really the biggest thing…definitely something that is a factor in all of these things.”
22:24 Meta acquires Moltbook, the AI agent social network
- Meta acquired Moltbook, an AI agent social network built as a Reddit-style platform where every participant is an AI agent run by a human, with no direct human membership.
- The founders will join Meta Superintelligence Labs, though deal terms were not disclosed.
- Meta specifically called out Moltbook’s “always-on directory” approach for connecting agents as a novel development, suggesting the acquisition is focused on agent discovery and coordination infrastructure rather than the social network concept itself.
- Moltbook was built on OpenClaw, an LLM coding agent wrapper that enables prompting via WhatsApp and Discord and supports deep local system access through community plugins.
- OpenClaw’s founder was separately hired by OpenAI in February, indicating both major AI labs are recruiting from the same open-source agent ecosystem.
- For developers and businesses, the acquisition signals that agent-to-agent communication protocols and persistent agent directories are becoming areas of serious investment, which could influence how cloud-based agentic workflows are designed going forward.
- A practical caveat worth noting: Moltbook lacked security controls to verify that all participants were actually AI agents, meaning some posts were likely written by humans posing as agents. This highlights that agent identity and authentication remain unsolved problems in agentic system design.
22:39 📢 Justin – “We didn’t really talk about Moltbook because we didn’t want to talk about OpenClaw extensively, but basically, OpenClaw is a terrible way that you can run AI agents in a fully unsafe manner that accesses all of your personal data, and one of the things you could do is add a skill that would basically have it randomly post things onto MoltBook, which could include your bank accounts or security things if you’re not careful in your security. And Meta buying this is just sort of the classic; it’s a social network, and it could take us down, let’s just take it off the market and kill it.”
Cloud Tools
23:58 GitHub Copilot coding agent for Jira is now in public preview
- GitHub Copilot coding agent now integrates directly with Jira Cloud, allowing teams to assign Jira issues to Copilot and receive AI-generated draft pull requests in their connected GitHub repositories without leaving their existing workflow.
- The agent works asynchronously and autonomously, analyzing issue descriptions and comments for context, implementing code changes, and posting status updates back in Jira, including asking clarifying questions when needed.
- This integration targets common, repetitive tasks such as bug fixes and documentation updates and respects existing pull request review and approval rules, so teams do not need to change their governance processes.
- Setup requires installing two marketplace apps, one from Atlassian and one from GitHub, and notably requires Jira Cloud with Rovo enabled alongside an active GitHub Copilot coding agent subscription, so there are meaningful prerequisite costs to consider.
- The integration supports GitHub Data Residency customers across supported regions, which is a practical consideration for teams with data sovereignty requirements.
24:42 📢 Ryan – “That’s interesting, because Rovo is Atlassian’s AI bot…I’m curious about why that’s required.”
26:09 The Pulse: Cloudflare rewrites Next.js as AI rewrites commercial open source
- Cloudflare released vinext, a rewrite of Next.js that replaces Vercel’s proprietary Turbopack build system with the standard Vite build tool, allowing Next.js applications to deploy to Cloudflare Workers with a single command and producing client bundles that are reportedly up to 57% smaller.
- The project was completed by one engineer in one week, using approximately $1,100 in AI tokens via the OpenCode agent and Claude Opus 4.5, reducing what would traditionally have taken years of engineering to days. However, the result is explicitly experimental and not yet battle-tested at scale.
- A key practical concern is that vinext covers 94% of the Next.js API surface, with roughly 67,000 lines of code, compared with Next.js’s 194,000, meaning edge cases and security auditing remain outstanding before production use at any meaningful traffic level.
- Cloudflare also released a migration agent skill that integrates with tools like Claude Code, Cursor, and Codex, allowing developers to run a single command to migrate an existing Next.js project to vinext, with compatibility checks, dependency installation, and config generation handled automatically.
- The broader implication for cloud engineers is that comprehensive open-source test suites now serve as a blueprint for AI-assisted rewrites, which puts pressure on commercial open-source business models that rely on deployment lock-in rather than infrastructure, support, or community as their primary differentiators.
27:31 📢 Ryan – “I feel like it’s an awful precedent, right? Like, the whole point of open source is community collaboration, and this is directly in the face of that. Like, why would you release something open source if someone’s just going to use an AI agent to create their own fork of it?”
31:58 Active defense: introducing a stateful vulnerability scanner for APIs
- Cloudflare launched a beta Web and API Vulnerability Scanner focused initially on BOLA (Broken Object Level Authorization), which is the top threat in the OWASP API Top 10.
- Unlike WAF rules that catch syntax-based attacks, BOLA involves valid authenticated requests that violate business logic, making them invisible to traditional defenses.
- The scanner is stateful, meaning it builds an API call graph from your OpenAPI spec and chains requests together logically, creating resources as an owner and then attempting to access them as an attacker. This solves a core limitation of legacy DAST tools that evaluate each request in isolation and miss authorization flaws that span multiple API calls.
- To handle ambiguous or inconsistent OpenAPI schemas, the scanner uses Cloudflare Workers AI, which runs OpenAI’s gpt-oss-120b model with structured outputs to infer data dependencies between endpoints automatically. This removes the manual configuration burden that typically slows DAST tool deployment.
- Credential security is handled by the HashiCorp Vault Transit Secrets Engine, where credentials are encrypted immediately upon submission and decrypted only by the specific Rust worker executing the test. This is a notable design choice, given that vulnerability scanners, by definition, need access to valid API credentials.
- The scanner is now available in open beta for API Shield customers via the API, allowing teams to trigger scans and pull results into CI/CD pipelines or security dashboards.
- Cloudflare plans to extend coverage to OWASP Web Top 10 threats like SQLi and XSS in future releases.
33:22 📢 Ryan – “This is super cool. This is the AI-enhanced security scanning I’ve been waiting for.”
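The stateful check described in this segment, sketched as an added example (not Cloudflare's scanner and not code from the show): a constructed OpenAPI-shaped spec is turned into a producer-to-consumer call graph, an object is created as one identity, and each dependent operation is replayed as a second identity against an in-process toy API. `SPEC`, `ToyApi`, the tokens and every function name are assumptions made for the illustration.

```python
"""Stateful object-level authorization check against an in-process toy API."""
import itertools
import re

# Constructed, OpenAPI-shaped spec: operations and the fields they return.
SPEC = {
    "/orders": {"post": {"returns": ["id"]}},
    "/orders/{id}": {"get": {}, "delete": {}},
    "/health": {"get": {}},
}

TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed test identities


class ToyApi:
    """Minimal order service. enforce_owner=False reproduces the BOLA flaw:
    any authenticated caller may act on any order id."""

    def __init__(self, enforce_owner):
        self.enforce_owner = enforce_owner
        self.orders = {}
        self._ids = itertools.count(1)

    def request(self, method, path, token, body=None):
        user = TOKENS.get(token)
        if user is None:
            return 401, {}
        if (method, path) == ("post", "/orders"):
            oid = str(next(self._ids))
            self.orders[oid] = {"id": oid, "owner": user, "item": body["item"]}
            return 201, self.orders[oid]
        if (method, path) == ("get", "/health"):
            return 200, {"ok": True}
        match = re.fullmatch(r"/orders/(\w+)", path)
        if not match or match.group(1) not in self.orders:
            return 404, {}
        order = self.orders[match.group(1)]
        # The object-level check: is the caller the owner of *this* object?
        if self.enforce_owner and order["owner"] != user:
            return 403, {}
        if method == "get":
            return 200, order
        if method == "delete":
            del self.orders[order["id"]]
            return 204, {}
        return 405, {}


def build_call_graph(spec):
    """Link each producer (an operation returning a field) to every operation
    whose path template consumes a parameter with the same name."""
    edges = []
    for p_path, p_ops in spec.items():
        for p_method, p_op in p_ops.items():
            for field in p_op.get("returns", []):
                for c_path, c_ops in spec.items():
                    if "{%s}" % field in c_path:
                        edges += [(p_method, p_path, field, c_method, c_path)
                                  for c_method in c_ops]
    return edges


def scan(api, spec, owner_token, other_token):
    """For every producer -> consumer edge, create a fresh object as the
    owner, then replay the consumer as a different authenticated identity.
    A 2xx answer means object-level authorization was not enforced."""
    findings = []
    for p_method, p_path, field, c_method, c_path in build_call_graph(spec):
        status, created = api.request(p_method, p_path, owner_token,
                                      {"item": "probe"})
        if status != 201:
            continue  # could not set up state for this edge
        target = c_path.replace("{%s}" % field, created[field])
        status, _ = api.request(c_method, target, other_token)
        if 200 <= status < 300:
            findings.append((c_method.upper(), c_path, status))
    return findings


if __name__ == "__main__":
    for label, api in (("no owner check", ToyApi(False)),
                       ("owner check", ToyApi(True))):
        print(label, scan(api, SPEC, "tok-alice", "tok-bob"))
```

Each cross-identity request is valid and authenticated when looked at alone, so the finding only appears once the create and access steps are chained with two identities.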
AWS
34:43 Amazon plans ‘deep dive’ internal meeting to address outages
- Amazon’s retail site experienced four Sev 1 outages in a single week, including a six-hour checkout and account access failure on March 5, prompting an internal deep-dive meeting led by SVP Dave Treadwell to review the availability posture.
- An internal document initially cited GenAI-assisted changes as a contributing factor to a trend of incidents since Q3, but that reference was removed before the meeting, and Amazon later clarified that only one incident involved AI and none involved AI-written code.
- Amazon is implementing new safeguards that require additional review of GenAI-assisted production changes, with Treadwell acknowledging that best practices for using generative AI in production environments have not yet been fully established.
- A separate AWS outage in December was linked to the Kiro AI coding tool. However, Amazon attributed that incident to user error rather than the AI itself, highlighting an ongoing pattern of questions around AI tooling in production deployments.
- With Amazon projecting $200 billion in capital expenditures this year while simultaneously reducing its workforce by tens of thousands, the reliability of AI-assisted development workflows becomes a practical concern for any organization adopting similar tooling at scale.
36:36 📢 Ryan – “Hold on to your butts, but we’re going to see a lot more of this.”
39:00 Database Savings Plans now supports Amazon OpenSearch Service and Amazon Neptune Analytics
- Database Savings Plans now cover Amazon OpenSearch Service and Amazon Neptune Analytics, offering up to 35% savings with a one-year commitment and no upfront payment required.
- The plans apply automatically across serverless and provisioned instances regardless of engine, instance family, size, or region, so customers can switch instance types like moving from m7i.large.search to c8g.2xlarge.search without losing their discount.
- This expansion is useful for organizations running search or graph analytics workloads at scale, since Neptune Analytics and OpenSearch can carry substantial hourly costs that benefit from committed-use pricing.
- Customers can use the Savings Plans Purchase Analyzer in the AWS Billing and Cost Management Console to model custom scenarios before committing, which reduces the guesswork in sizing a commitment.
- Available now in all AWS regions except China.
39:34 📢 Justin – “Finally. Thank you.”
40:54 AWS Elastic Beanstalk now offers AI-powered environment analysis
- AWS Elastic Beanstalk now integrates with Amazon Bedrock to provide AI-powered analysis of environment health issues, automatically collecting events, instance health data, and logs to generate step-by-step troubleshooting recommendations without manual log review.
- The feature is triggered from the Elastic Beanstalk console via an AI Analysis button when environment health reaches Warning, Degraded, or Severe status, and is also accessible programmatically through the existing RequestEnvironmentInfo and RetrieveEnvironmentInfo CLI and API operations.
- This is a practical addition for teams managing Beanstalk environments who want to reduce mean time to resolution, particularly useful for developers who may not have deep operational expertise in diagnosing platform-level issues.
- Availability is limited to regions where both Elastic Beanstalk and Amazon Bedrock are supported, so teams in regions without Bedrock coverage will not have access, and AWS has not published specific pricing details for this feature beyond standard Beanstalk and Bedrock usage costs.
- This continues a broader AWS pattern of embedding Bedrock-powered assistance into existing managed services, similar to features seen in other consoles, positioning AI-assisted operations as a standard capability rather than a standalone product.
41:55 📢 Matt – “I will say troubleshooting Beanstalk is a pain in the butt. It just says ‘degraded’ and you’re like ‘why’? And at one point, I had an issue with Beanstalk where it needed a specific CloudWatch put metric in order to do it; it got to the point I opened a support case, and asked AWS why it wasn’t working. And they’re like, here’s this – buried 17 pages into… so I can definitely see it being useful.”
43:13 Introducing Amazon Connect Health, Agentic AI Built for Healthcare
- Amazon Connect Health is now generally available, offering five purpose-built AI agents targeting healthcare administrative workflows, including patient verification, appointment scheduling, ambient documentation, patient insights, and medical coding with ICD-10 and CPT code generation.
- The service is HIPAA-eligible and integrates natively with Amazon Connect, allowing contact center and point-of-care workflows to be configured in minutes rather than months, which is a notable deployment speed advantage for healthcare IT teams.
- The two GA agents (patient verification and ambient documentation) are ready for production use today, while appointment management, patient insights, and medical coding remain in preview, so organizations should plan adoption timelines accordingly.
- Point-of-care capabilities like ambient listening and medical coding are accessible via a unified SDK, letting developers embed these features directly into existing EHR systems rather than requiring a full platform migration.
- The service is currently limited to US East (N. Virginia) and US West (Oregon), and AWS has not published specific pricing details publicly, so healthcare organizations will need to engage AWS directly to understand cost structures before planning deployments.
43:45 📢 Justin – “This is a great example of a really purpose-built AI that has a specific use case, and I’d almost rather talk to the AI at any time of the day that can book my appointment rather than waiting for the office to open during the day when I’m busy.”
27:58 Amazon Lightsail now offers OpenClaw, a private self-hosted AI assistant
- Amazon Lightsail now supports deploying OpenClaw, a self-hosted AI assistant that runs on your own Lightsail instance, giving users a private alternative to cloud-based AI services where data stays within their own infrastructure.
- The offering includes several built-in security features out of the box: sandboxed agent sessions, one-click HTTPS without manual TLS setup, device pairing authentication, and automatic configuration snapshots, reducing the typical operational overhead of self-hosting AI tools.
- Amazon Bedrock serves as the default model provider, which ties this directly into the broader AWS AI ecosystem, though users can swap models or connect to messaging platforms like Slack, Telegram, WhatsApp, and Discord for different workflows.
- Pricing follows standard Lightsail instance pricing rather than a separate AI-specific cost structure, which may make this appealing for small teams or developers who want predictable monthly costs; check the Lightsail pricing page at aws.amazon.com/lightsail/pricing for current instance rates.
- The feature is available across 15 AWS Regions, including US East, US West, Frankfurt, London, Tokyo, and Jakarta, and can be accessed directly from the Lightsail console with quick start documentation available for getting up and running quickly.
44:46 📢 Justin – “If you want to try it (OpenClaw) and you can’t get a Mac Mini because everyone is buying them for their OpenClaw implementations, Amazon Lightsail now supports (it).”
47:22 Amazon OpenSearch Ingestion now supports a unified ingestion endpoint for OpenTelemetry data
- Amazon OpenSearch Ingestion now accepts logs, metrics, and traces through a single unified pipeline endpoint, eliminating the previous requirement to run three separate pipelines for each OpenTelemetry signal type.
- The consolidation reduces operational overhead around access control, monitoring, and lifecycle management, which translates to lower infrastructure costs for teams running observability at scale.
- A practical benefit is incremental OpenTelemetry adoption: teams can start with one signal type and add others later without reconfiguring the pipeline, lowering the barrier to getting started.
- Signal correlation becomes more straightforward when all three data types flow through a centralized pipeline, giving teams a more complete view of application health in one place.
- The unified endpoint is available now in all regions where Amazon OpenSearch Ingestion is supported, and customers can configure it through the AWS Management Console or CLI.
- Pricing follows existing OpenSearch Ingestion rates based on Ingestion OCUs, so no new cost model is introduced.
47:54 📢 Ryan – “I mean, at the ingestion layer? I don’t know. Because this is really at the logs- equivalent…”
48:27 Announcing the end-of-support for the AWS Copilot CLI
- AWS Copilot CLI reaches end of support on June 12, 2026, meaning it will no longer receive new features or security updates, though it remains available as an open-source project on GitHub.
- AWS recommends two primary migration paths: Amazon ECS Express Mode for teams wanting a fast, opinionated path to production with automatic ALB, TLS, and auto-scaling provisioning, and AWS CDK L3 constructs for teams needing fine-grained infrastructure control in familiar programming languages.
- ECS Express Mode is the closest functional replacement for Copilot’s most common patterns, supporting shared Application Load Balancers across up to 25 services and eliminating the need to learn a custom manifest format.
- Teams migrating Worker Services, Backend Services, and Scheduled Jobs have specific CDK construct equivalents available, including QueueProcessingFargateService for SQS-based workloads and ScheduledFargateTask for cron-based jobs.
- Since Copilot uses standard CloudFormation under the hood, teams can also simply adopt the existing generated stacks and manage them directly, which represents the lowest-effort migration option for teams not ready to switch tooling.
49:26 📢 Justin – “I mean, yeah, this is kind of the first step into a fully managed world of ECS, and I remember when it came out we talked about it and was like, well, this is nice, but we really want what became Amazon ECS Express, and so they kind of deprecated themselves in their own way with a better solution.”
51:04 Amazon Route 53 Global Resolver is now generally available
- Amazon Route 53 Global Resolver is now generally available across 30 AWS Regions, expanding from the 11-region preview shown at re:Invent 2025, with support for both IPv4 and IPv6 DNS query traffic from any location.
- The service functions as an internet-reachable anycast DNS resolver, allowing authorized clients in an organization to resolve both public internet domains and private Route 53 hosted zones without being tied to a specific network location.
- Security filtering is a core capability, blocking malicious domains, DNS tunneling, Domain Generation Algorithms, and now with GA, Dictionary DGA threats, alongside centralized query logging for visibility across the organization.
- This positions Global Resolver as a managed alternative to running your own DNS resolver infrastructure for distributed or remote workforces, reducing operational overhead while centralizing DNS policy enforcement.
- New customers get a 30-day free trial to evaluate the service, with pricing details available here.
51:57 📢 Ryan – “I both love and hate this. Having operated a global Anycast resolver, I know how much of a pain it is, and so I wouldn’t want to set another one up, and I would gladly pay Amazon to do that. However, I don’t know that they’re removing the annoying parts. And you add more abstraction, I wonder, troubleshooting failed queries; that’s going to be really difficult. And you have a lot more control when you control the network for these things, and so I’m very dubious about this one. But if it just works, then it’ll probably be worth it.”
53:29 Automated deployments with GitHub Actions for Amazon ECS Express Mode
- AWS published a walkthrough for connecting GitHub Actions to Amazon ECS Express Mode, automating the full pipeline from code commit to container deployment, including image builds, ECR pushes, and service updates without manual coordination.
- The integration uses OIDC for authentication instead of stored AWS credentials, meaning GitHub Actions receives temporary credentials that expire after each workflow run, which reduces the risk surface compared to long-lived access keys sitting in repository secrets.
- ECS Express Mode handles the infrastructure heavy lifting automatically, provisioning an ALB, target groups, health checks, auto scaling based on CPU, and security groups, so teams get a production-ready stack from a minimal workflow configuration.
- Image tagging uses the first 7 characters of the git commit SHA, giving teams precise version traceability and a straightforward path to rollback by referencing a specific immutable image in ECS deployment history.
- Costs are usage-based, covering ECS Fargate tasks, ECR storage, and data transfer, with no GitHub Actions charges for public repositories. The estimated setup time is 20 to 30 minutes, making this a relatively low-friction starting point for teams not yet running automated container deployments.
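The OIDC setup above is only as tight as the IAM role's trust policy: the temporary credentials are issued to any workflow whose token satisfies the policy's conditions. The following Python check is an added example (not from the AWS walkthrough or the show) that audits a trust policy for GitHub's OIDC provider, comparing two weak forms with a hardened one. The account ID, organization, and repository names are constructed placeholders, and the finding codes are this example's own labels.

```python
ISSUER = "token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer host


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _has_wildcard(text):
    return any(c in text for c in "*?")


def audit_trust_policy(policy):
    """Return (code, detail) findings for statements that trust GitHub's OIDC provider."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        federated = _as_list(principal.get("Federated", []))
        if not any(str(p).endswith("oidc-provider/" + ISSUER) for p in federated):
            continue  # not a GitHub OIDC trust statement
        # Flatten Condition into {lowercased key: [(operator, [values])]}.
        conds = {}
        for op, pairs in stmt.get("Condition", {}).items():
            for key, val in pairs.items():
                conds.setdefault(key.lower(), []).append((op, _as_list(val)))
        if ISSUER + ":aud" not in conds:
            findings.append(("MISSING_AUD", "token audience is not pinned"))
        subs = conds.get(ISSUER + ":sub")
        if not subs:
            findings.append(("MISSING_SUB",
                             "no sub condition: workflows from any GitHub repository can request this role"))
            continue
        for op, values in subs:
            wild = "like" in op.lower()  # '*' and '?' act as wildcards only under StringLike
            for value in values:
                parts = value.split(":", 2)  # repo:OWNER/REPO:<ref, environment or pull_request>
                repo = parts[1] if len(parts) > 1 else ""
                ref = parts[2] if len(parts) > 2 else ""
                if parts[0] != "repo" or "/" not in repo:
                    findings.append(("BAD_SUB_FORMAT", value))
                elif wild and _has_wildcard(repo):
                    findings.append(("WILDCARD_REPO", value))  # whole org or many repos trusted
                elif wild and _has_wildcard(ref):
                    findings.append(("WILDCARD_REF", value))   # any branch, tag or PR in the repo
    return findings


def _trust(condition):
    """Build a constructed trust policy (placeholder account ID) with the given Condition."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}


AUD = {ISSUER + ":aud": "sts.amazonaws.com"}
WEAK_NO_SUB = _trust({"StringEquals": AUD})
WEAK_ORG_WIDE = _trust({"StringEquals": AUD,
                        "StringLike": {ISSUER + ":sub": "repo:example-org/*"}})
HARDENED = _trust({"StringEquals": {
    **AUD, ISSUER + ":sub": "repo:example-org/example-app:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, pol in [("no sub", WEAK_NO_SUB), ("org-wide", WEAK_ORG_WIDE), ("hardened", HARDENED)]:
        print(name, audit_trust_policy(pol))
```

Only the hardened policy, which pins both the audience and an exact repository and branch, comes back with no findings.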
GCP
55:59 Introducing the Google Cloud recommended security checklist
- Google Cloud published a recommended security checklist at docs.cloud.google.com/docs/security/gcmvsp, featuring 60 curated controls across six domains, including authentication, data protection, and network security, organized into Basic, Intermediate, and Advanced tiers.
- The checklist is directly motivated by data from the 2025 Google Cloud Threat Horizons Report, which found that weak credentials and misconfigurations account for nearly 76% of cloud compromise (that’s a BIG number), making these controls particularly relevant for organizations assessing their baseline posture.
- A companion Terraform repository on GitHub provides deployable code for the controls, moving the checklist beyond documentation into something teams can act on immediately and consistently.
- The checklist is free to use and aligns with the open Minimum Viable Secure Product framework, meaning organizations can cross-reference it against existing compliance or vendor-neutral security standards they may already be tracking.
- Early access customers reported being able to identify and activate critical controls in a single session, which suggests this is a practical tool for teams that need to establish or audit a security baseline without extensive prior GCP expertise.
56:52 📢 Ryan – “So, your mileage may vary. Some of the code that they have in the solution requires really, really high privileges to run in your GCP environment, so it’s one of those things where you might not be able to get that far with it unless you’re administering the cloud directly. But it’s definitely, I think, a lot of really good, useful things that you can then take… anything that allows people to focus on what they care about is pretty great.”
58:06 New agents for the Autonomous Network Operations framework
- Google Cloud expanded its Autonomous Network Operations framework with two new components: the Autonomous Data Steward and the Core Network VoLTE Agent, both built on Gemini and targeted at telecom operators managing complex network infrastructure.
- The Autonomous Data Steward addresses a core scaling problem by using a zero-copy architecture with Dataplex Universal Catalog to store metadata pointers instead of duplicating datasets, reducing storage costs by up to 70% while enabling real-time data access across previously siloed domains like RAN, Core, and Probes.
- The VoLTE Agent builds on the Data Steward foundation to monitor voice quality metrics like Call Setup Success Rates and Mean Opinion Scores, correlate SIP and Diameter signaling data for root cause analysis, and recommend corrective actions like call routing adjustments without requiring manual intervention.
- New Zealand telecom provider One NZ is already deploying the VoLTE Agent in production, which gives this announcement a concrete, real-world validation point rather than remaining purely a proof-of-concept offering.
- Google and Future Connections have open-sourced the core methodologies behind these agents, allowing telecom operators to build and customize their own agentic workflows; interested parties need to contact their Google Account Team for early access, and pricing is not publicly listed.
58:39 📢 Justin – “This is all a lot of stuff for TelCos, but it’s cool, if you’re into geeky TelCo things, check it out.”
59:24 NotebookLM adds Cinematic Video Overviews
- NotebookLM’s Cinematic Video Overviews moves beyond static narrated slides to generate fluid animations and detailed visuals from user-provided sources, using a combination of Gemini 3 and Veo 3 models working together.
- Gemini functions as a creative director in this pipeline, handling narrative structure, visual style selection, format decisions, and self-refinement passes to maintain consistency across the generated video.
- This is a consumer-facing AI feature rather than a direct GCP infrastructure offering, but it demonstrates practical multi-model orchestration that GCP customers building their own AI pipelines may find instructive.
- Availability is currently limited to English-language users on web and mobile who subscribe to Google AI Ultra, which is priced at $249.99 per month, and is restricted to users 18 and older.
- The primary use cases center on education and knowledge synthesis, where users can transform documents, research, or other sources into video summaries, which could be relevant for training content, internal documentation, or learning platforms built on Google’s ecosystem.
1:00:21 📢 Justin – “A little bit pricey to replace all the YouTubers, but coming soon.”
1:01:14 Gemini Embedding 2: Our first natively multimodal embedding model
- Gemini Embedding 2 is now in Public Preview via the Gemini API and Vertex AI, marking Google’s first natively multimodal embedding model built on the Gemini architecture. It maps text, images, video up to 120 seconds, audio, and PDFs into a single unified embedding space across 100-plus languages.
- A notable technical detail is that audio is embedded natively without requiring intermediate transcription, which removes a common pipeline step that previously added latency and potential accuracy loss in multimodal workflows.
- The model uses Matryoshka Representation Learning to support flexible output dimensions scaling down from a default of 3072, with recommended sizes of 3072, 1536, and 768.
- This lets developers trade off retrieval quality against storage and compute costs depending on their use case.
- Interleaved multimodal input, such as combining an image and text in a single request, allows the model to capture relationships between media types rather than treating each modality independently.
- This is particularly relevant for RAG pipelines, semantic search, and data clustering applications.
- Integration is available through LangChain, LlamaIndex, Haystack, Weaviate, Qdrant, ChromaDB, and Vertex AI Vector Search, meaning teams can adopt this model without significant changes to existing tooling.
- Pricing details are not specified in the announcement, so listeners should check the Vertex AI pricing page directly before planning production workloads.
- Interested in checking out that demo? Find it here.
1:02:29 📢 Ryan – “I go back and forth on these multimodal, because I feel like there’s so much bloat and we use the wrong model for so many use cases, and I feel like the multimodal is a really good way to do that. So it is interesting, I just haven’t seen a use case where I would see a whole lot of benefit of being able to sort of use the multimodal model to get an answer out of an LLM that I wouldn’t be able to get using other tools.”
1:03:28 Google shares Gemini updates to Docs, Sheets, Slides and Drive
- Google is rolling out beta updates to Gemini across Docs, Sheets, Slides, and Drive that allow the assistant to pull context from a user’s own files, emails, calendar, and the web when generating or editing content.
- This cross-source grounding is the core technical shift here, moving Gemini from a generic assistant to one that works with personal data.
- In Docs, new features include style matching across a document and format matching against a reference file, so Gemini can populate a travel itinerary template using flight and hotel details pulled directly from a user’s Gmail inbox. This kind of structured extraction from unstructured personal data is worth noting for enterprise use cases.
- Sheets gets a “Fill with Gemini” capability that lets users drag down a column and have Gemini populate cells with real-time web data or summarized content, similar to how a formula works but using natural language and live search results.
- This could be useful for research-heavy workflows like competitive analysis or application tracking.
- Drive gains an AI Overview feature in search results that summarizes relevant file contents with citations before a user even opens a document, plus a new Ask Gemini panel for querying across documents, emails, and calendar simultaneously.
- Availability is limited to Google AI Ultra and Pro subscribers at google.com/intl/en/about/google-ai-plans, with English-only support globally for Docs, Sheets, and Slides, and U.S.-only for Drive. Workspace business customers have a separate path through the Google Workspace blog.
1:04:21 📢 Justin – “So if you’re in the Google workspaces places, you’ve not got basically what Copilot gave you, but better.”
Azure
1:05:29 Azure Databricks Lakebase is Generally Available
- Azure Databricks Lakebase is now generally available as a managed, serverless Postgres offering that stores operational data directly in lakehouse storage, eliminating the need for ETL pipelines between transactional systems and analytics workloads.
- The service separates compute from storage and scales to zero when idle, with usage-based pricing meaning customers pay only for compute consumed. Specific pricing details are not published in the announcement, so listeners should check the Azure Databricks pricing page for current rates.
- Lakebase integrates with Unity Catalog, giving teams a single governance layer covering operational, analytical, and AI workloads with consistent access control, lineage tracking, and auditing across the entire Databricks data estate.
- Developers get instant zero-copy branching and point-in-time recovery, allowing teams to test schema changes or debug against production data without affecting live users or requiring duplicate infrastructure.
- The service supports standard Postgres tooling, including pgAdmin, DBeaver, pgvector for AI search, and PostGIS for geospatial use cases, and integrates with Microsoft Entra ID and Azure networking, making it a practical option for teams already invested in the Azure ecosystem.
- Cool. Glad to have another database available.
1:07:17 Copilot Cowork: A new way of getting work done
- Copilot Cowork is a new Microsoft 365 feature that moves Copilot beyond answering questions into actually executing multi-step work tasks, such as rescheduling calendar conflicts, building meeting packets, and coordinating product launch assets across Outlook, Teams, and Excel.
- The feature is powered by Work IQ, which pulls signals from across Microsoft 365 apps to give Copilot contextual understanding of your work before taking action, with user-controlled checkpoints to approve, pause, or modify tasks before changes are applied.
- A notable technical detail is that Cowork integrates Claude from Anthropic alongside Microsoft’s own models, reflecting a multi-model approach where Copilot selects the most appropriate model for a given task rather than relying on a single provider.
- Enterprise governance is built in by default, with identity, permissions, and compliance policies applied automatically, and all actions running in a sandboxed cloud environment that keeps tasks progressing safely across devices.
- Cowork is currently in Research Preview with limited customers and will expand to the Frontier program in late March 2026, with no public pricing details announced yet, so organizations interested in early access should check the Frontier program here.
57:31 Introducing the First Frontier Suite built on Intelligence + Trust
- Microsoft announced Microsoft 365 E7: The Frontier Suite, available May 1 at $99 per user, bundling Microsoft 365 E5, Microsoft 365 Copilot, and the new Agent 365 into a single SKU that includes Entra Suite, Defender, Intune, and Purview capabilities.
- Agent 365, also generally available May 1 at $15 per user, functions as a control plane for AI agents, giving IT and security teams a single interface to observe, govern, and secure agents across the organization.
- Microsoft reports visibility into over 500,000 internal agents as Customer Zero, generating 65,000 daily responses in the past 28 days.
- Wave 3 of Microsoft 365 Copilot introduces model diversity by adding Anthropic Claude to mainline chat alongside OpenAI models, and includes a research preview of Copilot Cowork for long-running multi-step tasks built in collaboration with Anthropic.
- The concept of Work IQ is central to this announcement, positioning Microsoft 365 Copilot as differentiated from generic model-plus-connector solutions by embedding organizational context about how people work, who they work with, and what content they use.
- Adoption metrics cited include paid Copilot seats growing over 160% year over year, daily active usage up ten times, and the number of customers deploying more than 35,000 seats tripling year over year, with 90% of Fortune 500 companies now using Copilot in some capacity.
1:10:54 📢 Ryan – “This is interesting; I know, in evaluations and talking to people from different companies, when they were rolling this out originally – I think it was something like 30 or 50 bucks a user, no one wanted to pay that price. And there was a minimum number of users. So it was a large amount of money.”
Oracle
1:12:29 Introducing OCI’s Cost Anomaly Detection
- Oracle launched OCI Cost Anomaly Detection as a no-cost feature that uses machine learning to monitor daily cloud spend across all services and regions, alerting users when costs deviate from forecasted baselines.
- This is a welcome addition, given that most cloud providers offer similar capabilities, with AWS and Azure having had comparable tools for some time.
- The ML model accounts for daily, weekly, yearly, and holiday seasonality patterns, and users can provide feedback to improve accuracy and reduce false positives.
- Custom cost monitors can be scoped by compartment or tags, which gives teams reasonable flexibility for environment or application-level tracking.
- Alert thresholds can be configured as absolute dollar amounts or percentage variances, which helps reduce alert noise by focusing notifications on anomalies that actually exceed meaningful cost boundaries. This is a practical design choice that avoids the common problem of alert fatigue in cost monitoring tools.
- Default monitors are automatically created at the tenancy, service, and region level, meaning customers get baseline coverage without any configuration, though teams with complex multi-compartment environments will likely need to invest time building custom monitors to get a genuinely useful signal.
- The feature is free, which removes the awkward situation of paying for a tool designed to help you avoid overspending, though the real value depends on how accurately the forecasting model performs in practice, something Oracle has not provided specific benchmark data on in this announcement.
1:12:42 📢 Justin – “This has been at every other cloud forever, so…”
1:13:24 Oracle Announces Fiscal Year 2026 Third Quarter Financial Results
- Yeah, we know. They report at weird times.
- Oracle reported Q3 fiscal 2026 total revenue of $17.2 billion, up 22% year-over-year, with cloud revenue specifically hitting $8.9 billion, a 44% increase, marking the first quarter in over 15 years where both organic revenue and non-GAAP EPS grew at 20% or more simultaneously.
- The Remaining Performance Obligations figure of $553 billion, up 325% from last year, is the headline number worth scrutinizing, as Oracle notes most of this growth comes from large-scale AI contracts funded either through customer prepayments for GPU purchases or customer-supplied hardware, which is a notably different model than traditional cloud commitments.
- Oracle raised $30 billion in debt and equity financing within days of announcing a $50 billion capital raise program, with the proceeds tied to funding infrastructure for AI training and inferencing capacity, and the company is projecting $50 billion in capital expenditures for fiscal year 2026.
- Oracle is openly stating it has restructured product development teams into smaller groups due to AI code generation tools, framing this as a cost reduction and productivity improvement for SaaS development, though the workforce implications of building more software with fewer people deserve attention.
- The company raised fiscal year 2027 total revenue guidance to $90 billion, up from prior estimates, while maintaining fiscal year 2026 guidance of $67 billion, suggesting Oracle is betting heavily that AI infrastructure demand will remain supply-constrained and that its cloud positioning will capture a meaningful share of that spending.
1:14:47 📢 Justin – “That’s a pretty good bet, so I get it. I also think Oracle is kind of lucking into the multi-cloud…because people are having to adopt Oracle cloud to get the capacity they need.”
After Show
57:31 Xbox surprise: Microsoft reveals ‘Project Helix’ as the codename of its next console
- Microsoft revealed the codename Project Helix for its next-generation Xbox console, confirmed by new Xbox CEO Asha Sharma, who recently replaced Phil Spencer after his 38-year tenure at Microsoft.
- The announcement is notable given persistent industry speculation that Microsoft might exit the console hardware business entirely, suggesting the gaming division intends to continue through at least one more console generation.
- Project Helix is described as leading in performance and supporting both Xbox and PC games, continuing the cross-platform compatibility direction Microsoft has pursued in recent years.
- A current RAM shortage driven by AI data center demand is affecting the broader hardware supply chain, potentially pushing the console’s release beyond the initially rumored late-2027 window, which is a direct example of how AI infrastructure buildout creates ripple effects across other tech sectors.
- For cloud professionals, this is worth watching because Xbox hardware increasingly ties into Microsoft’s cloud gaming and Game Pass ecosystem, meaning console generation transitions have implications for Azure-based gaming services and infrastructure planning.
Closing
And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net, or tweet at us with the hashtag #theCloudPod.
