The week the unspoken assumptions under your stack stopped holding

PraisonAI went from disclosure to working exploit in four hours. Not four days. Not the comfortable seven-to-thirty most patch SLAs are written against. Four hours, on a Tuesday, before the on-call had finished their second coffee.

That number is the through-line for the week, and most of the other stories are restatements of it in different stack layers.

The perimeter is fictional this week

Five critical CVEs landed on five consecutive layers of a standard cloud-native stack. Traefik shipped a CVSS 10.0 auth bypass — the ingress is decorative. NGINX has an unauthenticated RCE in the rewrite module that has been sitting in the tree for eighteen years and runs in roughly nine out of ten production configs. Argo CD leaks plaintext Kubernetes Secrets to read-only users. LiteLLM is on the CISA KEV catalog with active exploitation. Copy Fail, a kernel LPE, modifies file contents in memory without touching disk — invisible to AIDE, Tripwire, dm-verity, every file-integrity tool you've paid for.

The compound chain is real and short. Traefik bypass reaches an internal service. Spring Cloud Config traversal reads cloud credentials. Argo CD extracts cluster Secrets. Copy Fail escalates the foothold to kernel root. Four hops, all with public CVEs, all this week.

Patching Argo CD without rotating every Secret it could reach leaves stolen credentials valid indefinitely. Patching is the start of the work, not the end of it.

The endpoint stopped being a control

TrustedSec pointed LLMs at five major commercial EDR products and found they share one architecture: YARA rules, Lua engines after a decryption pass, local ML classifiers. Reverse engineering that used to take weeks now takes days. The assumption EDR was sold against — that understanding the agent costs more than bypassing it — is no longer true for a growing population of adversaries.

In the same week, the UK AI Security Institute confirmed Anthropic's Mythos cleared both of its hardest simulated attack ranges. Full network takeover, autonomous, end-to-end. The prior model generation topped out at advanced persistence. AISI is already building harder benchmarks because the current ones saturated. Mozilla wrapped the same model in a custom harness and found 271 Firefox bugs including sandbox escapes; Daniel Stenberg pointed it at curl with a generic scaffold and got one low-severity CVE. Same weights, 271x delta from the harness alone.

The operational read: harness engineering dominates model selection by something like fifty-to-one on this task. The defensive read: your release gate, calibrated to refusal rates on static prompts, is measuring last year's threat model.

Anthropic's June 15 is a margin event masquerading as a pricing update

Claude subscriptions now convert to dollar-matched API credits across Agent SDK, GitHub Actions, and every third-party harness. The 70-90% effective discount that made Cursor, Cline, OpenCode, and Zed economically viable on Claude is gone. A $200 plan buys $200 of programmatic tokens. Same prompts, same outputs, three-to-ten times the bill on June 15.

Dario has admitted Anthropic planned for 10x growth and got 80x. The capacity scramble is the cause. The metering is the consequence. The same week, Anthropic leased xAI's entire 220,000-GPU Colossus 1 cluster — roughly 45% of xAI's capacity — from the company whose CEO publicly called Anthropic "misanthropic and evil." Renting compute from a sworn enemy is what an 80x miss looks like when it stops being an internal problem.

ServiceNow burned its full-year Anthropic budget by May. No per-user telemetry, no SLAs, no anomaly detection, no dashboards. National Life's CIO, on the record: "great for consumer usage but not great for companies." The revenue is real. The revenue quality is not SaaS-grade, and the gap between those two is the thing nobody on a $900B mark wants to discuss.

OpenAI's response landed inside a few hours: two months of free Codex for enterprise switchers, window closes July 13. That is a zero-cost evaluation window with a hard deadline. Treat it that way.

The architecture has already shifted

Vercel's AI Gateway, across 200,000+ teams over seven months of production traffic, reports 59% of all token volume is now agentic — multi-turn, tool-calling, stateful between hops. Anthropic captures 61% of dollar spend on Opus for reasoning. Google captures 38% of token volume on Flash for throughput. Two different businesses inside what we keep calling "foundation models."

If 59% of your tokens are agentic and 100% of your evals are single-turn, you are flying instruments-out. The bill lives on the cost path the harness does not see. A planner burning 40,000 tokens arguing with itself scores 90%+ on final-answer accuracy and bankrupts you in a quarter.

What to do this week

Four things, in order. The order matters.

Tonight, patch Traefik and NGINX, then Argo CD with Secret rotation, then LiteLLM with API key rotation. The change window is not the weekend. PraisonAI's four hours is the new clock.

This sprint, instrument every Claude-backed workload — Agent SDK, GitHub Actions, batch evals, third-party harnesses — at the LLM gateway with per-user, per-feature tagging and daily budget alerts. Do this before June 15, not after the first inflated invoice. ServiceNow's mistake is the cheapest one to learn from.

This sprint, activate the OpenAI Codex free window and run a head-to-head on five real production tasks with your own trajectory-level instrumentation. Worst case you have negotiation data for the next Anthropic renewal. Best case you have an exit.

This quarter, add a staged cyber-capability rubric to your model release gate — recon, lateral movement, persistence, exfil — and shift roughly a third of new security investment from endpoint to identity-layer detection and network behavioral analytics. The endpoint is glass now. The controls above it are the only ones that hold.

The assumption everyone built on for the last eighteen months — that EDR was opaque, that one model vendor was the safe default, that subscription pricing was stable, that perimeters were perimeters — is being falsified in the same quarter. That is not bad news. It is the news. Ship against the world that exists.