The week the perimeter, the pricing model, and the threat model all broke
Two pre-auth bugs at the edge, an 80x demand miss at Anthropic, and a model that completes full network takeover end-to-end. The assumptions baked into your last planning cycle are gone.
Three things landed inside the same five days, and they interact.
NGINX shipped an unauthenticated RCE in the rewrite module that has been sitting there for eighteen years. Traefik shipped a CVSS 10.0 auth bypass that turns every middleware chain behind it into decoration. Anthropic killed the 70-90% implicit discount that anyone running Claude through Cursor, Cline, Zed, or a custom harness has been quietly living inside, effective June 15. And the UK AI Security Institute confirmed that Anthropic's Mythos cleared both of its hardest simulated attack ranges — full autonomous network takeover, not advanced persistence, not a foothold, the whole chain.
Any one of these would be the story. Together they're a forcing function.
The edge is on fire and the patch window is tonight
Start with the bugs because they have the shortest clock. NGINX's rewrite module ships in roughly every production deployment that's done URL rewriting since 2007, which is most of them. The bug fires before app-level auth, before rate limiting, before input validation. Traefik's bypass is worse in the sense that the score caps out — every service behind it is currently internet-facing without authentication, regardless of what the ForwardAuth config says. Argo CD shipped a 9.6 that hands plaintext Kubernetes Secrets to read-only users. Apache Iceberg and Polaris shipped paired 9.9s that let an attacker redirect table metadata to a poisoned S3 prefix, which means the next training run ingests adversarially-curated Parquet and your data quality monitors see nothing because the schema didn't change.
The tempo data is the part worth internalizing. PraisonAI was weaponized four hours after disclosure. Honeypots dressed as AI infrastructure get indexed by Shodan in three hours and absorb a hundred and thirteen thousand attacks a month. A thirty-day patch SLA against four-hour weaponization is not a policy, it's a confession.
Patch NGINX and Traefik tonight. Rotate every Kubernetes Secret that Argo CD could read in the vulnerable window — registry tokens, HF PATs, database credentials, cloud keys. Audit Iceberg catalog configs for write-path allowlisting before the next training job starts pulling features. If LiteLLM 1.81.16-1.83.7 is in the stack, it's already on CISA KEV: take it offline and rotate the stored provider keys.
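The Iceberg catalog audit above is the one step that is easy to get wrong, because a naive string-prefix comparison lets a poisoned location slip past (a bucket named like the real one plus a suffix, a `..` segment, or a non-S3 scheme). The check below is an added example, not code from the page or from Apache Iceberg or Polaris: it models a catalog as a list of records with a `metadata_location` field (an assumed shape, constructed inline) and accepts a location only if its parsed bucket matches exactly and its normalized key sits under an allowlisted prefix. The bucket names and table names are placeholders.

```python
"""Allowlist check for Iceberg-style table metadata locations (added example)."""
import posixpath
from urllib.parse import urlparse

# Hypothetical allowlist: the only prefixes a training job may read metadata from.
ALLOWED_PREFIXES = (
    "s3://lakehouse-prod/warehouse/",
    "s3://lakehouse-prod/features/",
)

# Constructed catalog snapshot, shaped like a dump of metadata_location per table.
# Two entries are deliberately outside the allowlist to exercise the audit.
SAMPLE_CATALOG = [
    {"name": "features.user_daily",
     "metadata_location": "s3://lakehouse-prod/features/user_daily/metadata/v12.metadata.json"},
    {"name": "warehouse.events",
     "metadata_location": "s3://lakehouse-prod/warehouse/events/metadata/v40.metadata.json"},
    {"name": "warehouse.events_rewritten",   # look-alike bucket, same key layout
     "metadata_location": "s3://lakehouse-prod-mirror/warehouse/events/metadata/v41.metadata.json"},
    {"name": "features.labels",              # traversal out of the allowed prefix
     "metadata_location": "s3://lakehouse-prod/features/../../scratch/labels/v1.metadata.json"},
]


def _split_s3(uri):
    """Return (bucket, normalized_key) for an s3:// URI, or None if it is not one.

    normpath on a rooted path collapses '.', '//' and '..' without ever climbing
    above the bucket root, so the key we compare is the key S3 would resolve.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "s3" or not parsed.netloc:
        return None
    key = posixpath.normpath("/" + parsed.path).lstrip("/")
    return parsed.netloc, key


def location_allowed(uri, allowed=ALLOWED_PREFIXES):
    """True only if uri is an s3:// location under one of the allowed prefixes."""
    parsed = _split_s3(uri)
    if parsed is None:
        return False
    bucket, key = parsed
    for prefix in allowed:
        prefix_bucket, prefix_key = _split_s3(prefix)
        if bucket != prefix_bucket:          # exact bucket match, never a prefix match
            continue
        if prefix_key == "":                 # whole bucket allowlisted
            return True
        # Compare on path components so "warehouse-evil/" does not match "warehouse/".
        if key == prefix_key or key.startswith(prefix_key + "/"):
            return True
    return False


def audit_catalog(tables, allowed=ALLOWED_PREFIXES):
    """Return the names of tables whose metadata lives outside the allowlist."""
    return [t["name"] for t in tables
            if not location_allowed(t["metadata_location"], allowed)]


if __name__ == "__main__":
    for name in audit_catalog(SAMPLE_CATALOG):
        print("metadata location outside allowlist:", name)
```

Run it against a real catalog dump by replacing `SAMPLE_CATALOG` with the records your catalog API returns; the important design choice is that the bucket is compared for equality and the key for component-wise containment, so neither a suffixed bucket name nor a `..` segment can satisfy the allowlist.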
Mythos changes the threat model, not the patch list
The AISI result is the part that should reshape the next planning cycle. Prior frontier models found bugs. Mythos composes reconnaissance, working exploit, lateral movement, privilege escalation, and domain admin as one continuous action, in controlled conditions, against a hardened government range. Microsoft's MDASH ensemble — a hundred-plus specialized agents in a scan-debate-exploit pipeline — beat Mythos on CyberGym and shipped sixteen validated Windows CVEs in a single Patch Tuesday. Mozilla pointed Claude at Firefox with a custom harness and surfaced 271 real bugs. The same model pointed at curl produced one low-severity CVE.
The variable is the harness, not the model. That is the line worth underlining, because it tells you where defensive investment compounds. Generic AI scanning is a slide deck. Target-specific harnesses, wired into reproducible test cases and ephemeral VMs, are the thing that produces the 271 number. The same applies in reverse — the offensive uplift goes to whoever builds the tooling around the model, which is why NSA gets Mythos access ahead of CISA. The civilian defensive distribution is not the priority and should not be planned around.
Anthropic's pricing cliff is a vendor-risk event
The June 15 change is the boring one and the most expensive one. The $200 plan now buys $200 of API credit for programmatic work. The arbitrage that made Claude-via-third-party-harness economically dominant is gone. Heavy users are looking at a 3-10x effective cost increase overnight, and Opus 4.7 separately tripled image processing costs.
What sits underneath is more interesting than the headline. Anthropic planned for 10x growth and got 80x. The fix is leasing the entire Colossus 1 cluster — 220,000 GPUs — from xAI, whose CEO has on the record called the counterparty evil. That kind of arrangement only happens when compute scarcity is bending strategy harder than rivalry. Ramp's April data has Anthropic at 34.4% of paid business share against OpenAI's 32.3%, the first documented lead change. OpenAI replied within hours with two free months of Codex for thirty-day switchers. Sam Altman doesn't extend that offer when his enterprise position is comfortable.
ServiceNow exhausted its full-year Claude budget by May because Anthropic ships no per-user telemetry, no SLAs, and no enterprise dashboard that would have cleared procurement at a mid-tier SaaS vendor in 2014. National Life Group's CIO said the quiet part out loud — "great for consumer usage but not great for companies." That is consumer-grade plumbing carrying enterprise-grade revenue at a $900B mark, with an IPO calendar likely landing in October. Margin compression timed to S-1 diligence is a feature of the strategy, not a bug.
And Colossus 1 is a sub-processor change most DPAs don't cover. Prompts and code now transit infrastructure run by a competitor that has banned Anthropic developers from its own APIs in the recent past. The trust boundary moved. The data-flow diagram did not.
What to do this week
One specific thing, and it's not the patches — those are obvious.
Before June 10, model your Claude burn under the new metering against the next ninety days. Per team, per feature, per request ID. If you don't have that attribution today, the gateway middleware to add it is roughly a sprint of work — LiteLLM or a thin custom adapter, tagged at the call site, daily budget alerts wired to the on-call rotation. Run the OpenAI Codex free trial against your top three Claude workloads in parallel during that window. Even if you don't switch, the comparison data is leverage on the next renewal, and the renewal is where the cost recovery will actually happen.
The teams that wrote the per-user cost meter before this week are the ones moving on the pricing change in seventy-two hours. Everyone else is going to find out which power user burned the budget on the July invoice.
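What the per-user cost meter described above actually has to do is small: tag each call with team, feature and request ID, price the token counts, roll the spend up per day, and compare against a budget. The following is an added example, not code from the page, from Anthropic or from LiteLLM. It assumes the gateway emits one record per call carrying those tags plus prompt and completion token counts (the records below are constructed), and it takes prices per million tokens as caller-supplied placeholders rather than any real list price. It also carries the ninety-day projection the passage asks for.

```python
"""Per-team, per-feature, per-request spend attribution with daily budget alerts
and a forward projection (added example)."""
from collections import defaultdict

# Constructed gateway records: what a call-site tag plus token accounting would emit.
SAMPLE_USAGE = [
    {"ts": "2025-06-16T09:00:00Z", "team": "search",  "feature": "rerank",
     "request_id": "r-1001", "model": "large", "prompt_tokens": 100_000, "completion_tokens": 10_000},
    {"ts": "2025-06-16T09:05:00Z", "team": "search",  "feature": "rerank",
     "request_id": "r-1002", "model": "large", "prompt_tokens": 200_000, "completion_tokens": 20_000},
    {"ts": "2025-06-16T10:00:00Z", "team": "search",  "feature": "autocomplete",
     "request_id": "r-1003", "model": "small", "prompt_tokens": 50_000, "completion_tokens": 5_000},
    {"ts": "2025-06-16T11:00:00Z", "team": "billing", "feature": "invoice-summary",
     "request_id": "r-2001", "model": "large", "prompt_tokens": 400_000, "completion_tokens": 40_000},
    {"ts": "2025-06-17T08:30:00Z", "team": "billing", "feature": "invoice-summary",
     "request_id": "r-2002", "model": "large", "prompt_tokens": 2_000_000, "completion_tokens": 100_000},
]

# Placeholder prices in USD per 1M tokens as (input, output); substitute the real rate card.
PLACEHOLDER_PRICES = {"large": (15.0, 75.0), "small": (1.0, 5.0)}

# Placeholder daily budgets per team in USD.
PLACEHOLDER_BUDGETS = {"search": 10.0, "billing": 20.0}


def cost_of(record, prices):
    """Dollar cost of one call from its token counts and the model's price pair."""
    price_in, price_out = prices[record["model"]]
    return (record["prompt_tokens"] / 1e6) * price_in + (record["completion_tokens"] / 1e6) * price_out


def attribute(records, prices):
    """Roll spend up three ways: (day, team), (day, team, feature) and request_id."""
    by_team = defaultdict(float)
    by_feature = defaultdict(float)
    by_request = {}
    for r in records:
        day = r["ts"][:10]                     # ISO date prefix of the timestamp
        c = cost_of(r, prices)
        by_team[(day, r["team"])] += c
        by_feature[(day, r["team"], r["feature"])] += c
        by_request[r["request_id"]] = c        # one cost per request ID, for the invoice question
    return dict(by_team), dict(by_feature), by_request


def budget_alerts(by_team, daily_budgets):
    """(day, team, spend, budget) for every team-day that exceeded its daily budget."""
    return [(day, team, spend, daily_budgets[team])
            for (day, team), spend in sorted(by_team.items())
            if team in daily_budgets and spend > daily_budgets[team]]


def top_requests(by_request, n=3):
    """The n most expensive individual requests, costliest first."""
    return sorted(by_request.items(), key=lambda kv: kv[1], reverse=True)[:n]


def project(by_team, horizon_days=90):
    """Naive projection: average daily spend per team over the observed days, times the horizon."""
    days_observed = len({day for day, _ in by_team})
    totals = defaultdict(float)
    for (_, team), spend in by_team.items():
        totals[team] += spend
    return {team: total / days_observed * horizon_days for team, total in totals.items()}


if __name__ == "__main__":
    team_spend, feature_spend, request_spend = attribute(SAMPLE_USAGE, PLACEHOLDER_PRICES)
    for alert in budget_alerts(team_spend, PLACEHOLDER_BUDGETS):
        print("over budget:", alert)
    print("costliest requests:", top_requests(request_spend))
    print("90-day projection:", project(team_spend))
```

The projection is deliberately a flat average; it is enough to answer "which team blows through the renewal number first" and to feed a daily alert to on-call, which is the ninety-day question the passage poses. A real deployment would read records from the gateway's log stream instead of `SAMPLE_USAGE` and wire `budget_alerts` into the paging path.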
◆ Behind the synthesis
Six specialist takes that fed this piece.
The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.
- Two ingress stacks broke this week. Your internet-facing infrastructure has two independent pre-auth RCEs (NGINX 18-year-old rewrite module bug, Traefik CVSS 10 auth bypass) that need patching today — while Anthropic… (36 sources, 8 min)
- Two pre-auth, edge-facing bugs landed this cycle: an 18-year-old unauthenticated RCE in NGINX's rewrite module, and a CVSS 10.0 auth bypass in Traefik. Your edge is under simultaneous siege from an 18-year NGINX RCE, a Traefik CVSS 10.0 auth bypass, and a MOVEit 9.8 that pattern-matches Cl0p — while UK AISI formally confirmed AI c… (36 sources, 8 min)
- Anthropic killed the flat-rate developer subsidy this week — Claude subscriptions now convert to dollar-matched API credits, erasing the 70-90% effective discount teams were getting on Agent SDK, GitHub Actions, and third-party harness usage. Anthropic's flat-rate developer subsidy is dead, 59% of production tokens are agentic traces your single-turn eval harness doesn't measure, and three CVSS 9.9 vulnerabilities in th… (36 sources, 7 min)
- Anthropic kills the 70-90% implicit discount that developers using Claude through third-party harnesses (Cursor, Cline, Zed) have been living inside — effective June 15. Your AI vendor costs have a 29-day deadline (Anthropic's June 15 third-party repricing), your cost governance has a gap (ServiceNow burned a full year's budget by May because nobod… (36 sources, 8 min)
- Anthropic's Mythos became the first model to achieve full autonomous network takeover — not persistence, full compromise — while separate research confirmed all five tested commercial EDR products can be reverse-engineered in days using AI. The security operating model, the enterprise software stack, and AI cost governance all broke this week from multiple directions simultaneously. Anthropic's Mythos achieved full au… (36 sources, 8 min)
- Anthropic renting two hundred and twenty thousand GPUs from xAI, of all places, is the sort of thing that only happens when compute scarcity is bending strategy harder than rivalry is. Anthropic formally passed OpenAI in enterprise share (34.4% vs 32.3%) and rented 220,000 GPUs from a sworn enemy because demand is 80x plan — yet the same company offers zero SLAs… (36 sources, 9 min)