Edition 2026-05-30 · read as Leader
AI Crosses Full-Network Takeover Threshold; EDR Stack Obsolete
Sources: 36 · Words: 1,842 · Read: 9 min
Topics: Agentic AI · AI Capital · AI Regulation
◆ The signal
AI offensive capability crossed the full-network-takeover threshold this week — Anthropic's Mythos cleared both UK AISI simulated attack ranges end-to-end, and a TrustedSec study revealed all five major commercial EDR products share identical architectures now reverse-engineerable by AI in days, not weeks. Combined with a documented 4-hour exploit weaponization window on PraisonAI, your security posture was calibrated to an adversary that no longer exists. The compensating controls are identity, behavioral analytics, and network segmentation — not the endpoint agent your budget is anchored to.
◆ INTELLIGENCE MAP
01 AI Offensive Capability Crosses Full-Takeover Threshold
act now: Mythos is the first model to clear both UK AISI end-to-end cyber ranges. All 5 tested EDR products share identical AI-transparent architectures. Exploit weaponization windows collapsed to 4 hours. Microsoft's MDASH found 16 exploitable flaws in a single Patch Tuesday. Security equities up 20% YTD — market is pricing this in faster than defenders.
[Figure: stat tiles for EDR reverse time, MDASH vulns/cycle, security equities YTD, AISI ranges cleared; bar chart with EDR Reverse (old) 21, EDR Reverse (AI) 2, Exploit Window 4, Patch SLA (typical) 720]
02 Agent Execution Layer War: Who Owns Where AI Acts
monitor: 59% of all AI token volume is now agentic workloads, per Vercel production data. SAP (€100M fund + Knowledge Graph) and ServiceNow (headless Action Fabric via MCP) are colliding over who owns the execution surface. Apple is inserting agent approval gates into iOS distribution. Google ships Gemini Intelligence on 3B+ Android devices this summer. The platform that agents route through captures the margin.
[Figure: stat tiles for agentic token share, SAP AI fund, Android devices, bot bypass rate]
03 AI Infrastructure Reprices: Cerebras $56B, Fervo $10B, Anthropic $30B ARR
monitor: Cerebras IPO closed at $56B (+16% above range, 70% day-one pop) on a $20B OpenAI anchor commitment. Fervo Energy debuted at $10B+ (up 33%) on AI datacenter power demand. Anthropic hit $30B ARR from $9B four months ago. xAI leased 220K GPUs (45% of Colossus) to Anthropic — compute is being financialized. Nebius reports 4:1 demand-to-supply ratio.
[Figure: stat tiles for Anthropic ARR, OpenAI-Cerebras deal, Fervo valuation, GPU demand ratio]
04 AI Liability Regime Being Written This Year — In Three Jurisdictions
monitor: a16z published a comprehensive liability lobbying blueprint advocating user-liability defaults and damages caps. Inside the Trump White House, ODNI and Commerce are fighting over who evaluates AI models pre-release — the outcome determines whether frontier labs face intelligence-community gating or voluntary disclosure. Active courts are creating precedent on developer liability for user misuse NOW, before any legislative framework exists.
[Figure: stat tiles for a16z midterm spend, passage odds (Clarity), competing frameworks, decision window; chart with Commerce-led regime 45, IC-led regime 55]
05 Enterprise AI Spend Running Ahead of Governance and Data Foundations
background: ServiceNow burned its full-year Anthropic budget by May. Only 15% of organizations have data foundations adequate for agentic AI — the other 85% are spending millions on agents that cannot be trusted with production data. Every major AI vendor (Google, OpenAI, Anthropic) now admits deployment requires expensive forward-deployed engineering at $300-500K per head. True AI program cost is 3-5x model fees.
[Figure: stat tiles for orgs with foundations, FDE loaded cost, true cost multiplier, data problem source; chart with Enterprise AI readiness 15]
◆ DEEP DIVES
01 Your endpoint security model just became transparent — the architectural reset is this quarter
The Capability Discontinuity
Three findings landed this week that, taken together, invalidate the assumption underneath most security budgets: that the endpoint agent is the load-bearing detection control.
TrustedSec ran LLMs against five commercial EDR products and found all five built to the same blueprint: YARA-style rules, behavioral logic, allowlists, prefilters, scripted engines (some readable as Lua after a single decryption pass), and local ML classifiers. Work that took skilled reversers weeks now takes days with AI assistance. The population of attackers capable of bypassing EDR expanded by an order of magnitude overnight.
In parallel, the UK AI Security Institute confirmed that Anthropic's Mythos completed both end-to-end cyber attack simulations, the first model to achieve full network takeover rather than persistence alone. OpenAI's GPT-5.5-cyber completed one of two. These models chain exploits in near real-time.
The security model of the defensive stack was built on the premise that the cost of understanding the agent exceeded the value of bypassing it. That premise is no longer true for a growing share of the threat population.
The 4-Hour Reality
PraisonAI was actively exploited within 4 hours of disclosure. Microsoft's MDASH system found 16 exploitable flaws in a single Patch Tuesday through multi-model AI analysis. A honeypot dressed as AI infrastructure was indexed by Shodan in 3 hours and absorbed 113,000+ attacks per month. Patch SLAs written for 30-day windows are operating in a world where weaponization happens in hours.
Where Sources Diverge
A reasonable vendor will say EDR still works and they will patch. That version is not wrong. It is incomplete. The compensating controls that matter in the next 18 months are identity, network telemetry, and behavioral analytics above the endpoint. The agent moves from load-bearing control to one signal among several. Organizations that keep treating endpoint as the primary detection surface will discover what "load-bearing" means when the control becomes transparent.
The Sigstore Problem
Quieter but potentially larger: the TeamPCP/Shai-Hulud framework now forges Sigstore provenance, the trust mechanism the industry adopted specifically to prevent supply chain attacks. It extracts OIDC tokens from CI/CD runner memory. The verification chain itself is now an attack surface. Five CISA KEV entries in AI infrastructure tools (LiteLLM, Ollama, OpenClaw) confirm the tooling was adopted faster than it was secured.
Action items
- Commission AI-assisted red team against your specific EDR product within 30 days — understand your actual detection gap, not your theoretical one
- Shift detection investment toward identity analytics, network telemetry, and behavioral detection above the endpoint layer before Q4 budget finalization
- Audit all AI infrastructure tooling (LiteLLM, Ollama, model registries) for KEV exposure — these were likely deployed without security review
- Rewrite critical-vulnerability patch SLA from 30 days to 72 hours for internet-facing assets
Sources: Clint Gibler · The Information AM · CyberScoop · The Hacker News · SANS AtRisk · TLDR InfoSec
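One way to combine the KEV audit and the 72-hour SLA from the action items above, as an added example that is not part of the original briefing. The feed field names follow the CISA KEV JSON catalogue; the CVE IDs are placeholders, and the hostnames, inventory layout and the 30-day window kept for internal assets are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the CISA KEV JSON feed ("vulnerabilities" list).
# The CVE IDs are placeholders, not real catalogue entries.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "product": "LiteLLM", "dateAdded": "2026-05-20"},
  {"cveID": "CVE-0000-0002", "product": "Ollama",  "dateAdded": "2026-05-28"}
]}
""")

# Constructed asset inventory (hypothetical hosts). "patched" lists the CVE IDs
# already remediated on that host.
INVENTORY = [
    {"host": "gw-1",  "product": "LiteLLM",    "internet_facing": True,  "patched": set()},
    {"host": "gw-2",  "product": "litellm",    "internet_facing": False, "patched": set()},
    {"host": "llm-1", "product": "Ollama",     "internet_facing": True,  "patched": set()},
    {"host": "llm-2", "product": "Ollama",     "internet_facing": True,  "patched": {"CVE-0000-0002"}},
    {"host": "db-1",  "product": "PostgreSQL", "internet_facing": False, "patched": set()},
]

# 72 hours for internet-facing assets; 30 days elsewhere (assumption).
SLA = {True: timedelta(hours=72), False: timedelta(days=30)}
NOW = datetime(2026, 5, 30, tzinfo=timezone.utc)


def audit(feed, inventory, now):
    """Return unpatched KEV matches per asset, most overdue first."""
    by_product = {}
    for vuln in feed["vulnerabilities"]:
        by_product.setdefault(vuln["product"].lower(), []).append(vuln)

    findings = []
    for asset in inventory:
        # Name-only matching is deliberately coarse: it over-reports rather than
        # misses. A production audit would also compare affected versions.
        for vuln in by_product.get(asset["product"].lower(), []):
            if vuln["cveID"] in asset["patched"]:
                continue
            added = datetime.strptime(vuln["dateAdded"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            deadline = added + SLA[asset["internet_facing"]]
            overdue_hours = (now - deadline).total_seconds() / 3600
            findings.append({
                "host": asset["host"],
                "cve": vuln["cveID"],
                "internet_facing": asset["internet_facing"],
                "deadline": deadline.isoformat(),
                "status": "breached" if overdue_hours > 0 else "open",
                "overdue_hours": round(overdue_hours, 1),
            })
    findings.sort(key=lambda f: f["overdue_hours"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in audit(KEV_FEED, INVENTORY, NOW):
        print(f"{f['status']:9} {f['host']:6} {f['cve']}  due {f['deadline']}  ({f['overdue_hours']:+.1f} h)")
```
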
02 The agent execution layer is being claimed this quarter — your platform is either routing through or being routed around
59% Changes the Question
Vercel's AI Gateway production telemetry, covering 200K+ teams, now reports that 59% of all token volume is agentic workloads rather than human conversations. That number reframes the competitive question. It is no longer which model is best. It is which layer coordinates the agents. Four companies with incompatible business models placed the same bet inside seven days.
Two Incompatible Theories of Agent Architecture
| Dimension | SAP | ServiceNow |
| --- | --- | --- |
| Architecture | Vertically integrated Knowledge Graph | Headless Action Fabric via MCP |
| Investment | €100M fund | MCP server standard |
| Theory | Data-moat makes own agents superior | Open interoperability wins |
| Strongest where | Process IS the transaction (O2C, R2R) | Workflow spans multiple systems |

The collision matters because agents acting across finance, HR, IT, and procurement need one authoritative place to reconcile state. Two authoritative places is zero authoritative places. The "run both" compromise that held for the last decade breaks the moment agents are asked to commit writes.
Being bypassed is not the same as being disrupted. Disruption leaves a seat at the table. Bypass does not.
Platform Gatekeepers Are Moving
Apple is inserting itself at the agent layer on iOS, specifically addressing agents that "spin up smaller apps" after the parent app is approved. That is a safety claim and a revenue claim at the same time, since it prevents agents from routing around the 30% tax. Any company shipping consumer-facing agents on iOS now faces a new constraint layer, and the window to influence it closes at WWDC.
Google ships Gemini Intelligence on 3B+ Android devices this summer. The agent becomes the surface the user talks to. The app becomes the thing the agent calls. That is a demotion even when the install base holds.
Amazon killed standalone Rufus, embedded AI into Alexa shopping, and then shipped Buy for Me, which completes purchases on third-party sites from inside Amazon's surface. That is a claim on the transaction layer of the open web.
The a16z Thesis
a16z estimates $150B+ of GTM value is migrating from the CRM system of record to the AI orchestration layer above it. The CRM stops being where work happens and becomes where work is recorded. Lemkin's data point: one customer running 20+ agents saw 80% fewer human seats and 83% higher total spend. The pricing model has already flipped, just not uniformly.
A reasonable skeptic would call the 12-18 month window to claim orchestration overstated. The reasonable skeptic may be right on the timing and wrong on the shape. Products that are technically API-addressable but sit outside the default agent's routing table will be bypassed the same way sites outside Google's search index were bypassed in 2005.
Action items
- Conduct an agent-readiness audit of your product by end of Q3 — can third-party AI agents discover, invoke, and orchestrate your workflows without a human UI?
- Decide between SAP's data-moat model and ServiceNow's MCP interoperability model for your core enterprise workflows before Q4 contract negotiations
- Audit iOS agent roadmap for Apple distribution risk and model fee/approval structure into unit economics before WWDC
- Stand up an AI governance function with authority over tool/vendor rationalization before Q3 budgeting
Sources: TLDR IT · a16z · Techpresso · TLDR · Simplifying AI · ben's bites
03 Cerebras at $56B, Anthropic at $30B ARR, and the compute market that no longer exists on paper
The Numbers That Moved This Week
Cerebras closed its IPO at fifty-six billion dollars fully diluted, priced sixteen percent above an already-elevated range, and traded up seventy percent on day one. The catalyst was a twenty billion dollar OpenAI procurement commitment signed in December 2025. A company that pulled its filing in late 2025 over G42 dependency concerns is now the most successful tech IPO in five years. One anchor customer did that.
Anthropic reached thirty billion dollars annualized, up from nine billion roughly four months ago. That is not a growth rate in the ordinary sense. It is enterprise customers switching providers at a speed the category has not previously demonstrated. Ramp's data confirms Anthropic is now the preferred provider across its business customer base.
Fervo Energy debuted at more than ten billion dollars, up thirty-three percent from an already-raised range. Google holds an option for three gigawatts from Fervo against only 658 megawatts currently contracted. That is sixty-plus large data centers from a single power supplier.
The xAI Signal
Elon Musk agreed to lease 220,000 GPUs, forty-five percent of Colossus 1, to a company he publicly called "misanthropic and evil." Grok never achieved meaningful traction and trails open-source models in developer surveys, so the financial logic overwhelmed the competitive logic. Compute is being financialized. Leasing the asset is now more attractive than racing with it, and that reordering should alter enterprise compute economics over the next twelve to eighteen months.
AI compute supply is now being allocated through relationship-based bilateral commitments, not open market competition. The marginal buyer arriving in 2026 will get compute. The marginal buyer will not get the 2024 terms.
What ServiceNow's Budget Blowout Reveals
ServiceNow burned its full-year Anthropic budget by May. Anthropic offers no SLAs, no usage telemetry, no enterprise cost controls. ServiceNow's CDIO is already building the workaround, calling it AI Control Tower, and selling it to other enterprises. The market is routing around a vendor deficiency and minting a product category in the process.
Every major AI player is converging on Palantir's forward-deployed-engineer model. Google is hiring hundreds of FDEs, OpenAI bought Tomoro, ServiceNow and Salesforce are staffing their own FDE teams. The implication for boards approving AI envelopes is concrete: true program cost runs three to five times the model fees, because the loaded cost includes five to ten FDEs at three hundred to five hundred thousand dollars each.
The Contradiction Worth Naming
A reasonable skeptic would argue these valuations represent peak-cycle confidence, not a new normal. The skeptic has a point worth taking seriously. Anthropic's thirty billion ARR supports a nine hundred billion valuation on a P/S basis comparable to hypergrowth SaaS, but the same dataset that produced the number shows zero vendor loyalty: Anthropic quadrupled share while OpenAI grew 0.3 percent. Unlike ERP or cloud migrations, token consumption can be reduced to zero overnight. That fragility is not in the model-company multiples.
Action items
- Evaluate multi-year compute commitments this quarter — the 4:1 demand ratio means favorable terms are available now but not in 12 months
- Implement AI spend governance tooling and per-team attribution before the next budget cycle
- Accelerate any AI infrastructure M&A conversations before the IPO window reprices all targets to Cerebras multiples
- Model AI cost trajectories assuming supplier pricing power persists and build multi-model routing capability within 90 days
Sources: StrictlyVC · The Pragmatic Engineer · Katie Roof · Martin Peers · Laura Bratton · Bloomberg Technology
04 The AI liability regime is being written in three jurisdictions simultaneously — and most builders are absent from the room
Three Parallel Tracks, One Decision Window
The framework that wins decides two things: what a deployer of an AI system is presumed to know about its failure modes, and who pays when the system injures someone. The rest is commentary.
Track 1: Legislative. a16z has published the most comprehensive lobbying blueprint the AI industry has produced on liability, anchored on user-liability defaults, damages caps, and safe harbors for firms that follow best practices. The firm has committed $115.5M into 2026 midterms, making it the largest disclosed political donor, with AI and crypto regulation as the explicit targets.
Track 2: Judicial. Active courts are creating precedent right now on whether general-purpose AI developers bear liability for downstream misuse, and no legislative framework exists yet to override them. The precedent-setting rulings will almost certainly arrive before a comprehensive federal bill, leaving a patchwork that subsequent legislation has to route around rather than replace.
Track 3: Executive. Inside the Trump White House, ODNI and Commerce are fighting over AI model assessment authority. CAISI, sitting at Commerce, published voluntary testing agreements with Google, Microsoft, and xAI, then retracted them in the same week. The IC's proposal would function as a licensing regime for frontier AI in everything but name, extending release timelines by months and converting regulatory relationships into competitive moats for the firms that can staff them.
The competitive moat for any serious operator for the next five years will be the quality of the audit trail and the contractual allocation of residual risk with upstream vendors.
The Open Source Threat
If developer liability for downstream use becomes standard, the economic logic of releasing an open-source model stops working. No rational actor open-sources a model that generates unbounded liability, which means product strategies that assume continued access to open weights — which is most of them — carry an unpriced dependency on regulatory outcomes the P&L does not show.
The 'Liability Cartel' Dynamic
A reasonable skeptic would say deep pockets do not actually want strict liability, because strict liability is expensive. The reasonable skeptic is missing the point. Deep pockets prefer any rule that prices out the challenger, and a product-liability regime consolidates the market toward whoever holds the deepest litigation reserves. The framework decides which companies still exist in five years, not which ones compete well.
The firms filing this under "future problem" are the ones that will discover, in a courtroom, that it was this quarter's problem. Governance infrastructure built now — model cards, safety testing documentation, incident reporting — satisfies any plausible safe harbor. Built later, it satisfies a subpoena.
Action items
- Commission a legal exposure audit against three competing liability frameworks (absolute, safe harbor, user-liability presumption) to quantify financial exposure under each scenario
- Begin building audit-ready AI governance infrastructure — model cards, safety testing documentation, incident reporting — that would satisfy proposed safe harbor requirements
- Evaluate open-source AI dependencies and develop contingency plans for a world where open-source model availability contracts due to developer liability
- Engage in the federal legislative process through industry coalitions — align with a16z's framework or shape alternatives while the outcome is contestable
Sources: a16z AI Policy Brief · Risky.Biz · Morning Brew · The Download from MIT Technology Review
◆ QUICK HITS
Update: Anthropic hits $30B ARR (from $9B four months ago), raising at $900B-$950B — enterprise switching velocity confirms zero vendor stickiness thesis from previous briefings
StrictlyVC
Foxconn lost 8TB of IP (Apple, Google, Intel, Nvidia designs) to Nitrogen ransomware — contract manufacturing is now a first-class intelligence target, not a procurement risk
TLDR InfoSec
OpenAI's Daybreak launch with CrowdStrike, Palo Alto, Cisco, Cloudflare, and 4 others signals AI platform war in cybersecurity — your security vendor may become OpenAI's distribution channel within 18 months
Clint Gibler
Abridge raised at $5.3B for clinical intelligence — 80M+ medical conversations create an irreplicable moat; the 'intelligence layer above substrate' positioning framework applies to every regulated vertical
Latent.Space
Microsoft actively shopping for post-OpenAI AI startup acquisitions while Nadella cites fear of 'supplanting' — platform risk for OpenAI-dependent architectures now confirmed from the top
The Download from MIT Technology Review
Lovable dissolved its growth management layer and replaced it with autonomous parallel ICs — ex-VPs are voluntarily choosing autonomy over authority, and the org model is the retention vulnerability
Lenny's Newsletter
Update: Duolingo walks back blanket AI mandate after discovering ~20% 'slop tax' on AI-generated content — mandates produce performative adoption, not productivity
TLDR Marketing
Google's Universal Commerce Protocol embeds Klarna/Affirm checkout directly into Gemini AI mode — claiming the settlement layer for AI-mediated shopping before incumbents notice
TLDR Fintech
◆ Bottom line
The take.
AI offensive capability crossed the full-network-takeover threshold this week while commercial EDR became transparent to AI-assisted reversing in days — and the industry's response is a $56B Cerebras IPO, $30B Anthropic ARR, and a scramble to own the agent execution layer that already carries 59% of all AI traffic. The security architecture, vendor contracts, and platform positioning decisions being made this quarter are the ones that will be either defended or regretted in the 2027 renewal cycle — and the window to act on favorable terms in all three is measured in months, not years.
Frequently asked
- If EDR is no longer load-bearing, where should detection investment actually go?
- Shift toward identity analytics, network telemetry, and behavioral detection above the endpoint. With all five major commercial EDR products now reverse-engineerable by AI in days and Mythos clearing full-network-takeover ranges, the endpoint agent becomes one signal among several rather than the primary detection surface. Compensating controls need to be in place before EDR bypass becomes commodity over the next 18 months.
- Why does the SAP versus ServiceNow agent architecture choice matter for procurement now?
- Because agents acting across finance, HR, IT, and procurement need a single authoritative place to reconcile state, and SAP's vertically-integrated Knowledge Graph and ServiceNow's headless MCP-based Action Fabric cannot both occupy that role. The decision sets licensing leverage for the next three years, and the vendor placed on the integration side will spend those years contesting the line. Locking it in before Q4 contract negotiations preserves optionality.
- What does ServiceNow burning its full-year Anthropic budget by May reveal about AI cost governance?
- It reveals that frontier model providers ship without the SLAs, usage telemetry, or enterprise cost controls that finance teams assume are standard. Without per-team attribution and spend governance tooling, budget overruns are the default outcome, not an anomaly. ServiceNow's response — building AI Control Tower and selling it externally — confirms the gap is industry-wide and that the workaround is now itself a product category.
- What is the unpriced regulatory risk in product strategies that depend on open-source models?
- If developer liability for downstream misuse becomes the standard, the economics of releasing open-weight models collapse, because no rational actor accepts unbounded liability for free distribution. Most product roadmaps quietly assume continued access to open weights, but that access depends on judicial and legislative outcomes being decided right now across three parallel tracks. The dependency does not appear on any P&L until the access disappears.
- Why are 30-day patch SLAs effectively obsolete?
- Because exploit weaponization windows have collapsed to hours, not weeks. PraisonAI was actively exploited within four hours of disclosure, and AI-infrastructure honeypots are being indexed by Shodan in three hours and absorbing 113,000+ attacks per month. A 30-day patch cadence against a four-hour weaponization window is operationally indistinguishable from no patch cadence on internet-facing assets, which is why critical-vuln SLAs need to compress to 72 hours.