Army Brands $100M NGC2 Comms Prototype "Very High Risk" - 25 High‑Severity Flaws, Three Partner Apps 200+ Vulnerabilities

The Army's internal review paints a nasty picture for the new battlefield comms stack that companies including Anduril (NYSE: ANDR), Palantir (NYSE: PLTR) and Microsoft (NASDAQ: MSFT) helped build: major security holes, weak user controls, and an overall assessment that the prototype is "very high risk."

The platform in question, known inside the Army as NGC2, is intended to tie together soldiers, sensors, vehicles and commanders so data flows in near real time. That promise is what won a roughly $100 million prototype award to Anduril and partners. But a memo from the Army's technology office issued in September says the initial build fails key cybersecurity basics.

Top-line problems flagged in the memo: anyone with an account can see almost everything on the system regardless of need-to-know; there's little or no activity logging to trace misuse; and third-party apps running on the platform haven't been through full Army security vetting. The document notes a single integrated app with 25 high-severity code flaws, and three other partner apps each showing more than 200 vulnerabilities that still need examination.

Those findings aren't just bureaucratic nitpicks. The Army CTO warns of the "likelihood of an adversary gaining persistent undetectable access." In plain terms: if the gaps aren't closed, an attacker could quietly live on the network and siphon or manipulate battlefield data without easy detection.

The project also carries a political edge. The companies leading the effort are closely tied to allies of President Donald Trump and have been promoted as faster, cheaper alternatives to the Pentagon's long-standing defense contractors. That mix - high expectations, big military contracts and visible political attention - ups the reputational stakes.

There's some counterpoint inside the Army. The chief information officer says the memo is part of normal triage: identify flaws, prioritize fixes, and harden the prototype. And Anduril has pointed to an exercise earlier in the year when the 4th Infantry Division used the system during live-fire artillery training at Fort Carson, Colorado - a test the company said demonstrated better speed and reliability than older gear.

For market watchers, this is a multi-layered story. A flagged prototype can mean program delays, extra compliance work for contractors, and scrutiny from both defense buyers and political overseers. It also puts partner firms under a microscope: security shortfalls on a defense network can raise questions about execution and quality control for any company with its name on the contract.

None of that prescribes a trade - it just sketches the risk picture that traders will be parsing around any headlines tied to the project. The immediate facts are: the Army labeled the NGC2 prototype very high risk, identified specific access-control and software-vulnerability failings, and asked for remediation. Can the teams turn that around before an adversary notices?