Anthropic killed the subsidy the same week the perimeter caught fire
Claude's third-party arbitrage ends June 15, NGINX and Traefik shipped pre-auth disasters, and AI just cleared full network takeover. Three timers, one sprint.
Three things landed in the same news cycle, and any one of them would have owned the week. Together they tell you what to do before Friday.
Anthropic converted Claude subscriptions to dollar-matched API credits, with third-party tool credits cut loose from the pool entirely on June 15. The 70-90% implicit discount that powered every Cursor, Cline, OpenCode, and Zed user is gone. ServiceNow burned its full-year Anthropic budget by May. Sam Altman posted a two-month-free Codex enterprise switch promo within hours, with a 30-day enrollment window. Meanwhile NGINX disclosed an 18-year-old pre-auth RCE in the rewrite module that ships in roughly every production deployment, Traefik shipped a CVSS 10.0 auth bypass, MOVEit Automation shipped a 9.8 — and PraisonAI was weaponized four hours after disclosure. And the UK AISI confirmed Anthropic's Mythos cleared both simulated attack ranges, achieving full autonomous network takeover. Not persistence. Takeover.
If your patch SLA is 30 days and your AI cost model is built on subscription tokens, both are wrong by an order of magnitude as of Tuesday.
The pricing reset is an IPO cleanup
Anthropic hired a CFO and is reportedly tracking an October listing. Ramp's April data put them ahead of OpenAI in B2B at 34.4% to 32.3% — first lead change on record, with ARR going from $9B to $30B in four months. You don't go public on a revenue line where power users extract $700-2,000 of API value out of a $200 subscription. So that line is being closed.
The damage is downstream. Any wrapper that priced gross margin against subscription-tier tokens is now running 20-40% less effective runway than it had Friday. ServiceNow is the worst-case version of this — a $9B revenue company that couldn't see who was burning what, because Anthropic ships no native per-user telemetry, no per-feature attribution, and no SLAs. Their CDIO had to assign dedicated headcount to watch external billing they wired up themselves.
The Codex counter-offer matters less than the asymmetric instrumentation it forces. Two months of free Codex against current Claude workloads gives you a head-to-head dataset on identical prompts, and the window closes July 13. Run the bake-off whether or not you intend to switch — the leverage shows up in the next renewal call, not the next sprint.
The perimeter ate three hits at once
The NGINX bug is the headline because of the install base, but the chain is what kills you. The Traefik CVSS 10.0 bypass means anything behind that ingress is reachable as if no auth existed — every ForwardAuth and BasicAuth middleware in your cluster is decorative until patched. Then there's Argo CD CVE-2026-42880 at 9.6, where any read-only authenticated user pulls plaintext Kubernetes secrets, and Argo CD usually runs cluster-admin. LiteLLM is on CISA KEV with confirmed exploitation in the wild. Spring Cloud Config has a 9.1 directory traversal that reads arbitrary files from the config server, which is the system holding everyone else's credentials by job description.
The realistic chain: Traefik bypass reaches an internal service, that service reaches Argo CD, Argo CD coughs up your cloud credentials, you own the cluster. None of this requires sophistication. It requires the patch window most shops still treat as 30 days.
Four hours is the new number to plan against. PraisonAI went from disclosure to active exploitation in four. NGINX mass-scan timing is 24-48 hours from now based on prior cadence. Any internet-facing critical at a 30-day SLA is unmanaged.
Full network takeover is in the threat model now
The AISI result is not the doubling trend continuing. It's a step above it. Mozilla pointed Mythos at Firefox and found 271 bugs — sandbox escapes, use-after-frees, race conditions. Daniel Stenberg pointed the same model at curl with a generic scanner and got one low-severity CVE. Same weights. The 270x yield gap was the harness, not the model.
That's the operating principle for the next eighteen months. Harness investment beats model selection by at least an order of magnitude on both sides of the line — offense and defense. TrustedSec showed every major EDR shares architectural patterns reverse-engineerable in days by an AI with a decryption pass. Microsoft MDASH ran 100+ specialized agents through scan/debate/exploit and shipped 16 validated CVEs in one Patch Tuesday.
The defender's arithmetic is upside down. Disclosure-to-exploit is hours. EDR is glass-boxed. Frontier models can complete the kill chain end-to-end. NSA got Mythos access before CISA, which tells you which use case the government is treating as priority.
What to do this sprint
Pick three. By Friday.
First, project Claude burn under metered rates. Pull the last 30 days of token usage through every third-party harness, multiply the post-June-15 portion by API list, and put the number in front of finance before they find it themselves. While you're there, stand up an LLM gateway with per-user, per-feature attribution — LiteLLM, Portkey, whatever you can deploy in two weeks. ServiceNow could not solve this problem passively at $9B in revenue. You will not solve it passively either.
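A worked version of that projection, added here as an example and not taken from the piece's sources or from any vendor tooling: it splits a gateway-style usage export at the cutoff, prices the metered slice at list, extrapolates a 30-day run rate, and attributes spend per user and per harness. The prices, the usage rows and the cutoff year are constructed placeholders; swap in the current price sheet and your own export.

```python
from collections import defaultdict
from datetime import date

# Placeholder API list prices in USD per million tokens. These are NOT
# Anthropic's published rates; paste in the current price sheet per model.
LIST_PRICE_PER_MTOK = {"input": 3.00, "output": 15.00}

# Day the third-party tool credits leave the subscription pool (year assumed).
CUTOFF = date(2026, 6, 15)

# Constructed sample export, one row per request, shaped like what an LLM
# gateway with per-user/per-harness attribution would hand you.
USAGE = [
    {"day": date(2026, 6, 10), "user": "alice", "harness": "cursor",   "in": 400_000,   "out": 60_000},
    {"day": date(2026, 6, 12), "user": "bob",   "harness": "cline",    "in": 900_000,   "out": 200_000},
    {"day": date(2026, 6, 16), "user": "alice", "harness": "cursor",   "in": 500_000,   "out": 80_000},
    {"day": date(2026, 6, 18), "user": "bob",   "harness": "cline",    "in": 1_200_000, "out": 300_000},
    {"day": date(2026, 6, 20), "user": "carol", "harness": "opencode", "in": 2_000_000, "out": 500_000},
]


def metered_cost(row, prices=LIST_PRICE_PER_MTOK):
    """Cost of one request at API list rates."""
    return (row["in"] * prices["input"] + row["out"] * prices["output"]) / 1_000_000


def project_burn(rows, cutoff=CUTOFF, prices=LIST_PRICE_PER_MTOK):
    """Split usage at the cutoff and price the post-cutoff slice at list.

    Returns the metered spend so far, that spend extrapolated to a 30-day
    run rate, what the whole export would have cost at list (the number
    finance will eventually compute themselves), and per-user / per-harness
    attribution of the metered slice.
    """
    post_cost = 0.0
    all_at_list = 0.0
    by_user = defaultdict(float)
    by_harness = defaultdict(float)
    last_day = cutoff
    for r in rows:
        c = metered_cost(r, prices)
        all_at_list += c
        if r["day"] < cutoff:
            continue            # still covered by the subscription pool
        post_cost += c
        by_user[r["user"]] += c
        by_harness[r["harness"]] += c
        last_day = max(last_day, r["day"])
    days_observed = (last_day - cutoff).days + 1
    return {
        "metered_so_far": post_cost,
        "run_rate_30d": post_cost / days_observed * 30,
        "all_at_list": all_at_list,
        "by_user": dict(by_user),
        "by_harness": dict(by_harness),
    }


if __name__ == "__main__":
    report = project_burn(USAGE)
    print(f"metered since cutoff: ${report['metered_so_far']:.2f}")
    print(f"30-day run rate:      ${report['run_rate_30d']:.2f}")
    print(f"whole export at list: ${report['all_at_list']:.2f}")
    for user, cost in sorted(report["by_user"].items(), key=lambda kv: -kv[1]):
        print(f"  {user:<8} ${cost:.2f}")
```

The per-user and per-harness dictionaries are the point: without that attribution you get a total you cannot act on, which is the position ServiceNow ended up in.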
Second, patch the perimeter tonight. NGINX, Traefik, Argo CD, MOVEit, LiteLLM. In that order if you have to choose. If patching means downtime, put a WAF in front. Then rotate every Kubernetes secret Argo CD touched during the exposure window — patching alone doesn't close it, and any read in the vulnerable period is a credential compromise you have to assume happened.
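One way to build the rotation list for that last step, added here as an example (not code from the piece or from the Argo CD project): it walks Kubernetes API-server audit events and keeps every successful secret read by the Argo CD identities inside the exposure window, pinning single secrets where the read was by name and flagging whole namespaces where it was a list or watch. The audit lines, the window dates and the Argo CD service-account names are constructed assumptions to check against your own cluster.

```python
import json
from datetime import datetime, timezone

# Assumed identities Argo CD uses against the Kubernetes API; confirm the
# service account names in your own install before relying on them.
ARGOCD_USERS = {
    "system:serviceaccount:argocd:argocd-server",
    "system:serviceaccount:argocd:argocd-application-controller",
}
READ_VERBS = {"get", "list", "watch"}

# Placeholder exposure window: disclosure to the moment the patched Argo CD went live.
WINDOW_START = datetime(2026, 6, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 11, tzinfo=timezone.utc)

# Constructed Kubernetes API-server audit events (audit.k8s.io/v1 shape),
# one JSON object per line, as the audit log backend writes them.
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "get", "user": {"username": "system:serviceaccount:argocd:argocd-server"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
     "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2026-06-09T14:03:11.120345Z"},
    {"verb": "list", "user": {"username": "system:serviceaccount:argocd:argocd-server"},
     "objectRef": {"resource": "secrets", "namespace": "payments"},
     "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2026-06-10T02:15:00.000001Z"},
    {"verb": "get", "user": {"username": "system:serviceaccount:argocd:argocd-server"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "tls-cert"},
     "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2026-06-05T09:00:00.000000Z"},  # before window
    {"verb": "get", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "api-key"},
     "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2026-06-09T15:00:00.000000Z"},  # not Argo CD
    {"verb": "get", "user": {"username": "system:serviceaccount:argocd:argocd-server"},
     "objectRef": {"resource": "secrets", "namespace": "staging", "name": "api-key"},
     "responseStatus": {"code": 403}, "requestReceivedTimestamp": "2026-06-09T16:00:00.000000Z"},  # denied read
    {"verb": "get", "user": {"username": "system:serviceaccount:argocd:argocd-application-controller"},
     "objectRef": {"resource": "configmaps", "namespace": "prod", "name": "app-config"},
     "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2026-06-09T17:00:00.000000Z"},  # not a secret
    {"verb": "get", "user": {"username": "system:serviceaccount:argocd:argocd-application-controller"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "cloud-creds"},
     "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2026-06-10T20:30:00.500000Z"},
])


def parse_ts(s):
    """Kubernetes audit timestamps are RFC 3339 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def secrets_to_rotate(audit_lines, window_start, window_end, users=ARGOCD_USERS):
    """Return (named secrets, namespaces read wholesale) that the Argo CD
    identities read successfully inside the window. A named get pins one
    secret; a successful list/watch puts every secret in that namespace in scope."""
    named, whole_namespaces = set(), set()
    for line in audit_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "secrets" or ev.get("verb") not in READ_VERBS:
            continue
        if ev.get("user", {}).get("username") not in users:
            continue
        if not 200 <= ev.get("responseStatus", {}).get("code", 0) < 300:
            continue                      # a denied read leaked nothing
        ts = parse_ts(ev["requestReceivedTimestamp"])
        if not window_start <= ts <= window_end:
            continue
        if ref.get("name"):
            named.add((ref.get("namespace", ""), ref["name"]))
        else:
            whole_namespaces.add(ref.get("namespace", "<cluster-wide>"))
    return named, whole_namespaces


if __name__ == "__main__":
    named, whole = secrets_to_rotate(AUDIT_LOG, WINDOW_START, WINDOW_END)
    for ns, name in sorted(named):
        print(f"rotate secret {ns}/{name}")
    for ns in sorted(whole):
        print(f"rotate ALL secrets in namespace {ns}")
```

The list/watch case is the one that bites: Argo CD routinely lists secrets across a namespace, so one such event in the window widens the rotation to every secret there rather than the one you happened to notice.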
Third, compress critical patch SLA from 30 days to 7 for internet-facing assets, and write the exception process so it surfaces who actually owns the asset that won't move. The number you can defend in a postmortem is the one that's smaller than your adversary's tooling cycle. Four hours is what they have. Seven days is what you can plausibly ship. Thirty is the answer to a question nobody is asking anymore.
◆ Behind the synthesis
Six specialist takes that fed this piece.
The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.
- Eighteen years in the NGINX rewrite module before someone found the unauthenticated RCE.
  Your ingress layer has two simultaneous pre-auth RCEs (NGINX 18-year-old bug + Traefik CVSS 10), Anthropic is resetting Claude costs 3-10x on June 15 while shipping no SLAs and sil…
  36 sources · 8 min

- Disclosed today: an 18-year-old pre-auth RCE in NGINX's rewrite module, affecting every deployment of NGINX Plus and Open Source — edge, ingress controllers, API gateways.
  An 18-year-old NGINX RCE, a Traefik CVSS 10.0 auth bypass, and a MOVEit 9.8 all dropped in the same cycle that AISI confirmed frontier AI completes full network takeover autonomous…
  36 sources · 5 min

- Anthropic converted Claude subscriptions to dollar-matched metered API credits this week, killing the 70-90% effective discount that powered most agent SDK and batch eval workloads — and a June 15 cliff cuts third-party tool credits entirely.
  Anthropic killed the flat-rate subsidy that powered most agent SDK workloads, Vercel's 200K-team production data confirms 59% of tokens are now agentic multi-turn traces, and three…
  36 sources · 9 min

- Anthropic eliminates the 70-90% implicit discount for third-party harness users (Cursor, Cline, OpenCode) on June 15 — your per-developer AI cost assumption is wrong by roughly an order of magnitude starting next month.
  Your AI vendor costs break on June 15 when Anthropic eliminates the third-party harness discount, and the enterprise buyer asking 'can our agents call this directly?' has already m…
  36 sources · 9 min

- Anthropic's Mythos became the first AI model to achieve full autonomous network takeover in UK AISI testing, meaning full compromise rather than persistence, in the same week TrustedSec showed that all five major EDR products can be reverse-engineered by AI in days rather than weeks.
  AI offense just crossed from 'persistence' to 'full network takeover' while the tools meant to stop it became transparent to AI reverse-engineering in days — and compute to run eit…
  36 sources · 10 min

- Anthropic converted Claude subscription plans into dollar-matched token credits effective immediately, which quietly retires the seventy-to-ninety percent gap every wrapper was running on, in the same week Ramp data put it ahead of OpenAI in enterprise share for the first time at 34.4 to 32.3 percent.
  Anthropic just killed the subscription arbitrage that funds half the Claude wrapper ecosystem — converting plans to API-rate credits while overtaking OpenAI in enterprise share for…
  36 sources · 7 min