Leader daily

Edition 2026-06-06 · read as Leader

Anthropic's Mythos Breaks the EDR Threat Model Overnight

Sources: 36 · Words: 1,432 · Read: 7 min

Topics: Agentic AI · AI Capital · LLM Inference

◆ The signal

Anthropic's Mythos cleared both UK AISI simulated attack ranges this week, a first, while TrustedSec demonstrated that all five major commercial EDR products share architectures an AI reverse-engineers in days rather than weeks. The defensive stack was priced against an adversary that needed human researchers, months, and bespoke tooling. That adversary is now an overnight LLM prompt. The patch window has not compressed. The threat model has been replaced.

◆ INTELLIGENCE MAP

  1. 01 Defensive Security Architecture Failure (act now)

    Full network takeover by AI, EDR transparency to AI reverse-engineering, 4-hour exploit weaponization, AI infrastructure on CISA KEV, and Foxconn's 8TB breach collectively invalidate the cost-asymmetry assumption that underpins most security budgets. The defender's response window has collapsed below most organizations' patch SLAs.

    Key figure: 4hrs exploit weaponization window · 8 sources
    Signals: EDR reversal time · AISI ranges cleared · Honeypot attacks/month · Foxconn data exfil
    Chart data: EDR Bypass (old) 90 · EDR Bypass (now) 3 · Exploit Window (old) 30 · Exploit Window (now) 0.17
  2. 02 Enterprise Execution Layer War: SAP vs. ServiceNow vs. the AI Hyperscalers (monitor)

    SAP's €100M fund + Knowledge Graph and ServiceNow's MCP-based Action Fabric represent incompatible architectures for AI agent execution. The question is no longer which vendor owns your data — it's which vendor agents write to when they commit actions. ServiceNow blew its full-year Anthropic budget by May, revealing governance isn't keeping pace.

    Key figure: €100M SAP agent fund · 5 sources
    Signals: Agents bypass bots · Agentic token share · ServiceNow budget · MCP adoption
    Chart data: Agentic workloads 59% · Conversational 41%
  3. 03 AI Infrastructure Phase Transition: Compute Becomes Financial Instrument (monitor)

    Cerebras IPO'd at $56B (70% first-day pop) on a $20B OpenAI commitment. Fervo Energy debuted at $10B+ (33% pop) on AI power demand. xAI leased 45% of Colossus to Anthropic. Compute is being pre-sold in $10B+ blocks, financialized as a tradeable asset, and priced out of reach for late entrants. The spot-market assumption in most AI budgets is obsolete.

    Key figure: $56B Cerebras IPO valuation · 7 sources
    Signals: OpenAI-Cerebras deal · Fervo valuation · GPU demand ratio · xAI Colossus leased
    Chart data ($B): Microsoft→OpenAI 100 · Cerebras IPO 56 · OpenAI→Cerebras 20 · Fervo Energy 10
  4. 04 AI Liability Regime Being Written — In Courts, Not Congress (background)

    a16z published the most comprehensive AI liability blueprint yet (user-liability defaults, damages caps), while active litigation could impose massive penalties on developers for downstream misuse before any legislation exists. The regime that wins determines whether open-source AI remains insurable. The window to influence is quarters, not years.

    Key figure: $115M a16z political spend · 4 sources
    Signals: Clarity Act odds · a16z 2026 donations · Framework passage · Open-source threat
    Timeline: Q3 2026: Active court cases setting precedent · Q4 2026: a16z framework lobbying peak · H1 2027: Federal preemption vote likely · H2 2027: Regime hardens — options close
  5. 05 Org Design Becomes Competitive Weapon: The Coordination Cost Collapse (background)

    Lovable dissolved its growth management layer 5 months ago — ex-VPs now ship enterprise features solo in hours. The economic case for middle management collapses when AI eliminates coordination overhead. Top talent is voluntarily choosing autonomy over authority, and the companies losing them are the ones with the highest manager-to-maker ratios.

    Key figure: 90% time on high-value work · 4 sources
    Signals: Lovable model age · HI-C high-value time · Cumulative tech layoffs · Duolingo slop tax
    Chart data: Traditional (VP + team) 15 · AI-native (HI-C solo) 1

◆ DEEP DIVES

  1. 01 Your Security Architecture Was Priced Against Last Year's Adversary — Full Network Takeover Changes the Category

    The Capability Discontinuity

    Tuesday's briefing reported an 81% autonomous hack rate and called it the trend. This week's data is a different category. Anthropic's Mythos became the first model to clear both UK AISI simulated attack ranges — full network takeover, not persistence. OpenAI's GPT-5.5-cyber completed one. The UK AI Security Institute confirms this is above the exponential line that was already doubling every few months. Congress is holding closed-door Mythos demos. The access is going to NSA rather than CISA, which tells you which mission the government has decided is the priority.

    The EDR Transparency Problem

    A reasonable skeptic would argue that endpoint vendors still have depth-of-defense the attacker has to grind through. The skeptic is partially right and structurally wrong. TrustedSec ran LLMs against five commercial EDR products and found all five are architecturally identical: YARA-style rules, behavioral logic, allowlists, prefilters, scripted engines (some readable as Lua after a single decryption pass), and local ML classifiers. Work that took skilled reversers weeks now takes days. The defensive model assumed obscurity bought time. The time is gone.

    The security model of the defensive stack was built on the premise that the cost of understanding the agent exceeded the value of bypassing it for most adversaries. That premise is no longer true for a growing share of the threat population.

    The Exploit Window Has Collapsed

    PraisonAI went from disclosure to active exploitation in 4 hours. An 18-year undetected RCE in NGINX's rewrite module proves even foundational infrastructure escapes audit. A Raspberry Pi honeypot dressed as AI infrastructure was indexed by Shodan in 3 hours and absorbed 113,000+ attacks per month, with attacker tooling evolving mid-experiment to detect and evade the honeypot itself. The patch SLA most organizations operate against was set in a different decade.

    The Supply Chain Dimension

    Foxconn lost 8TB of confidential designs from Apple, Google, Intel, and Nvidia through a single breach. AI infrastructure tooling — LiteLLM, Ollama, OpenClaw — is now on CISA's Known Exploited Vulnerabilities catalog. The AI gateway went from experiment to production at most firms without passing through security review.

    Where Sources Agree and Diverge

    All eight sources covering this theme agree that the defender's cost-asymmetry advantage has inverted. They diverge on timeline. Some suggest 12-18 months before these capabilities are broadly available to threat actors. Others point to the open-sourcing of Shai-Hulud and industrialized guardrail bypass as evidence the window is already closed. The conservative assumption — that current patch SLAs and an EDR-centric model survive unchanged through 2027 — is the one no source supports.

    Action items

    • Commission a red-team exercise specifically targeting your EDR with AI-assisted reverse engineering to measure actual detection gap against the TrustedSec findings
    • Compress critical vulnerability patch SLAs to 72 hours maximum for internet-facing assets, with 24-hour target for AI infrastructure
    • Conduct emergency inventory of all AI infrastructure tooling (LiteLLM, Ollama, model registries, AI gateways) and validate against CISA KEV list
    • Shift detection investment toward identity, network telemetry, and behavioral analytics above the endpoint layer over the next two quarters
    • Brief the board on AI cyber capability discontinuity — frame as a threat model replacement, not a patch cycle
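
    As an added illustration of the inventory and patch-SLA action items above (example code written for this edition, not from the newsletter or from any vendor it names), the script below cross-checks a deployment inventory against a catalog shaped like CISA's KEV JSON feed and computes the internal deadline under the 24-hour and 72-hour tiers. The inventory, the catalog entries, the vendor names and the CVE IDs are constructed placeholders.

```python
# Added example, not code from the newsletter or from any vendor it names:
# cross-check a deployment inventory against a catalog shaped like CISA's
# Known Exploited Vulnerabilities (KEV) JSON feed and compute the internal
# remediation deadline under the tiered SLAs proposed in the action items
# (24h for AI infrastructure, 72h for other internet-facing assets).
# The live feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# but everything below is constructed sample data so it runs offline;
# the CVE IDs are placeholders, not real identifiers.
import json
from datetime import datetime, timedelta

# Hours allowed from KEV listing to remediation, per asset tier (from the action items).
SLA_HOURS = {"ai-infrastructure": 24, "internet-facing": 72}

# Constructed inventory: host, deployed product and which SLA tier the asset falls in.
INVENTORY = [
    {"host": "gw-01", "product": "LiteLLM", "tier": "ai-infrastructure"},
    {"host": "ml-03", "product": "ollama", "tier": "ai-infrastructure"},
    {"host": "web-07", "product": "ExampleCMS", "tier": "internet-facing"},
    {"host": "db-02", "product": "ExampleDB", "tier": "internal"},
]

# Constructed catalog using the KEV feed's field names (cveID, vendorProject,
# product, dateAdded, dueDate). Placeholder IDs; the vendor is hypothetical.
KEV_CATALOG = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "LiteLLM",
   "dateAdded": "2026-06-04", "dueDate": "2026-06-25"},
  {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Ollama",
   "dateAdded": "2026-06-06", "dueDate": "2026-06-27"},
  {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "ExampleDB",
   "dateAdded": "2026-06-01", "dueDate": "2026-06-22"}
]}""")

FMT = "%Y-%m-%d %H:%M"

def kev_exposure(inventory, catalog, now_str):
    """Return every inventory asset whose product appears in the KEV catalog,
    with its internal deadline and whether that deadline has already passed.
    Tiers without a compressed SLA fall back to CISA's own dueDate."""
    now = datetime.strptime(now_str, FMT)
    by_product = {}
    for entry in catalog["vulnerabilities"]:
        by_product.setdefault(entry["product"].lower(), []).append(entry)
    findings = []
    for asset in inventory:
        # Case-insensitive match: inventory spellings rarely match the feed exactly.
        for entry in by_product.get(asset["product"].lower(), []):
            added = datetime.strptime(entry["dateAdded"], "%Y-%m-%d")
            hours = SLA_HOURS.get(asset["tier"])
            if hours is not None:
                deadline = added + timedelta(hours=hours)
            else:
                deadline = datetime.strptime(entry["dueDate"], "%Y-%m-%d")
            findings.append({
                "host": asset["host"], "product": asset["product"], "tier": asset["tier"],
                "cve": entry["cveID"], "deadline": deadline.strftime(FMT),
                "breached": now > deadline,
            })
    # Earliest deadline first so the report doubles as a work queue.
    findings.sort(key=lambda f: f["deadline"])
    return findings

if __name__ == "__main__":
    for f in kev_exposure(INVENTORY, KEV_CATALOG, "2026-06-06 12:00"):
        flag = "BREACHED" if f["breached"] else "open"
        print(f'{f["host"]:7} {f["product"]:11} {f["cve"]:15} due {f["deadline"]} [{flag}]')
```

    Assets with no KEV match (web-07 here) are deliberately absent from the output; the report is a remediation queue, not a full inventory listing.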

    Sources: Clint Gibler · The Information AM · AINews · CyberScoop · SANS AtRisk · The Hacker News

  2. 02 The Agent Execution Layer Is the New Platform Control Point — And the Land Grab Started This Week

    Two Incompatible Architectures, One Decision Window

    SAP and ServiceNow stopped talking past each other this week. Both now claim the execution layer, the surface where AI agents commit writes to systems of record. SAP's answer is a €100M fund and a vertically integrated Knowledge Graph that makes its own agents contextually superior inside SAP's data universe. ServiceNow's answer is a headless Action Fabric exposed via MCP (Model Context Protocol) that any agent can call. These are not adjacent positions. They are incompatible theories of how the agent economy organizes.

    Agents that act across finance, HR, IT, and procurement need one authoritative place to reconcile state. Two authoritative places is zero authoritative places.

    MCP Is Becoming the De Facto Standard

    ServiceNow adopting MCP servers as the communication standard for Action Fabric pulls the ecosystem toward that protocol. When a company with workflow gravity across IT, HR, and customer service declares that agents talk to it via MCP, the weight of that declaration compounds. Notion's developer platform launched the same week with explicit agent-hosting positioning. The protocol question is being answered by adoption, not by committee.

    The Budget Blowout Signal

    A reasonable skeptic would call the next data point an outlier. ServiceNow's CDIO admitted the company blew its full-year Anthropic budget by May. Anthropic offers no SLAs, no usage telemetry, and no comment on enterprise cost overruns. That is not immaturity. It is a deliberate choice to optimize capability over governance. ServiceNow's response was to build its own AI Control Tower and sell it to other enterprises. The market is routing around vendor deficiency.

    The Pricing Model Shift

    SAP is not charging per-seat for autonomous finance agents. It is positioning around workflow execution value. ServiceNow's headless architecture implies consumption-based pricing on agent API calls. Vercel's production data settles the direction: 59% of all AI token volume is now agentic workloads, not human conversations. Per-seat pricing structurally cannot capture this value. The transition from seat-based to action-based revenue is being decided this year, not this decade.

    What This Means for the Architecture Decision

    The decision is not which vendor wins the category. Neither will, cleanly. The decision is which vendor owns the execution layer for the processes that cannot stop, and which one gets relegated to integration. SAP's claim is strongest where the process is the transaction, meaning order-to-cash and record-to-report. ServiceNow's claim is strongest where the process is the workflow across systems. Most enterprises have both shapes. The run-both instinct will not survive the first quarter in which agents need to commit writes to both at once.

    Action items

    • Conduct an 'agent readiness' audit — map which of your platforms can be discovered, invoked, and orchestrated by third-party AI agents without a human UI
    • Evaluate MCP as a strategic investment for your platform roadmap — build or integrate MCP server capabilities before Q4
    • Stand up an AI governance function with authority over tool/vendor rationalization before Q3 budgeting
    • Model the financial impact of per-action/per-outcome pricing on your revenue if agents reduce human seat consumption by 50%+

    Sources: TLDR IT · Laura Bratton · a16z · TLDR · Simplifying AI · ben's bites

  3. 03 Compute Is Being Financialized — The Spot-Market Assumption Just Got Deleted

    Three IPOs That Changed the Capital Structure of AI

    The reasonable read of last week is that three IPOs repriced the inputs to every AI infrastructure plan, not just three balance sheets. Cerebras priced at $56B fully diluted, sixteen percent above the raised range, with a seventy percent first-day pop. That is the most successful tech IPO in five years, and the catalyst was not the technology. It was a $20B procurement commitment from OpenAI that converted a regulatory cautionary tale into market validation. Fervo Energy debuted above $10B with a thirty-three percent first-day pop, framed openly as an AI datacenter trade. Google holds an option for 3 gigawatts from Fervo against 658MW currently contracted. That is sixty-plus data center facilities from a single energy supplier.

    Compute as Financial Instrument

    xAI is leasing 45% of its Colossus cluster (220,000 GPUs) to Anthropic, and Musk has publicly called Anthropic misanthropic and evil. The financial logic has overwhelmed the competitive logic. Grok never achieved meaningful traction, and the lease revenue exceeds what Grok could generate from the same silicon. Excess infrastructure is moving onto the lease market. Enterprise compute economics could shift on a twelve-to-eighteen-month horizon as a result.

    A company that is quietly preparing to stand beside its flagship partner rather than behind it is a company that has already concluded the single-vendor story does not survive contact with the next contract cycle.

    The Numbers That Reframe the Budget

    Metric                              | Value                    | Implication
    Microsoft → OpenAI total commitment | $100B+                   | This is the floor for platform-scale AI, not the ceiling
    Nebius revenue growth               | 684% YoY                 | 4:1 demand-to-GPU ratio persists
    Anthropic ARR trajectory            | $9B → $30B in ~4 months  | Enterprise switching velocity is unprecedented
    Anthropic total capital raised      | $75B                     | Hardware-scale capital producing software-scale growth

    What This Means Operationally

    Most infrastructure plans rest on a quiet assumption that capacity will be available somewhere, at some price, when the workload arrives. That line item is being deleted. Supply is being pre-sold in bilateral blocks of $10B and up. The firms shipping AI product on schedule are the ones that locked capacity twelve-to-eighteen months ago. A plan written last quarter that assumed three viable suppliers in eighteen months now has one and a half.

    A reasonable skeptic would say Microsoft's behavior is idiosyncratic, not a market signal. The reasonable skeptic is correct on the first point and wrong on the second. Microsoft is preparing to stand beside OpenAI rather than behind it, and actively exploring other AI startup deals. That is a company that has concluded single-provider dependency does not survive the next cycle. If the best-positioned buyer in the world is hedging, the argument for your team not hedging is weaker than it was last Monday.

    Action items

    • Audit compute procurement strategy and determine if multi-year committed capacity is required — model the cost differential between locking now vs. spot-pricing in 12 months
    • Explore whether becoming a 'transformational customer' for an emerging AI chip or infrastructure company could secure strategic compute advantage
    • Accelerate any in-progress M&A conversations with AI infrastructure targets before IPO window fully reprices seller expectations
    • Secure long-term power supply agreements or partnerships for any planned data center expansion

    Sources: The Information AM · TLDR AI · Martin Peers · StrictlyVC · Bloomberg Technology · Katie Roof

◆ QUICK HITS

  • Update: Anthropic's Mythos cleared BOTH UK AISI attack ranges (full network takeover) — first model to do so, outpacing the exponential trend that was already doubling every few months

    CyberScoop

  • Anthropic's June 15 pricing restructure caps third-party tools (Cursor, Zed) at plan-value credits then bills API rates — a platform tax that reprices every product built on Claude through intermediaries

    ben's bites

  • Apple preparing App Store agent framework for WWDC — agents that 'spin up smaller apps on the spot' will face approval gates and fee extraction, creating a new constraint layer for consumer AI products on iOS

    Techpresso

  • Google's Gemini Intelligence ships this summer on Galaxy S26 and Pixel 10 — converting 97%+ Android market share in key markets into an OS-level agent platform where apps become API infrastructure

    Simplifying AI

  • Only 15% of organizations have data foundations adequate for agentic AI — the other 85% are spending millions on agents that will fail on data governance, not model quality (95.2% cite organizational problems, not tooling)

    TLDR Data

  • Lovable's HI-C model (dissolved management, ex-VPs as autonomous ICs) is 5 months in and expanding — 90% of time on building vs. coordination, with senior operators voluntarily choosing autonomy over authority

    Lenny's Newsletter

  • Training efficiency compounding: 2-3x from token superposition (Nous), 360x from elastic post-training (NVIDIA Star), 17x from data curation (Datology) — custom model economics changing on a quarterly basis

    AINews

  • US-China chip deal includes 25% revenue-share extraction on H200 sales to 10+ Chinese companies — a 'controlled engagement' template that makes full-decoupling assumptions in supply chain plans look expensive

    The Download from MIT Technology Review

  • Duolingo walked back blanket AI mandate after discovering ~20% of AI-generated output is unusable 'slop' — performative adoption indistinguishable from productive use for about two quarters before numbers diverge

    TLDR Marketing

◆ Bottom line

The take.

AI achieved full autonomous network takeover this week while the defensive stack was proven transparent to the same AI that's attacking it — and the enterprise execution layer, the surface where AI agents actually commit writes, is being claimed right now by SAP, ServiceNow, and the hyperscalers in architectures that will be irreversible within 18 months. Meanwhile, compute is being pre-sold in $20B bilateral blocks that delete the spot-market assumption from most AI budgets. Three decisions are being forced this quarter: where your detection actually lives if EDR becomes transparent, who owns the execution layer your agents write to, and whether you've locked compute before the named buyers take what remains.

— Promit, reading as Leader

Frequently asked

What does Mythos clearing both UK AISI attack ranges actually mean for our defensive posture?
It means a frontier model executed full network takeover — not just persistence — on government-grade simulated ranges, a capability previously requiring skilled human teams over months. The defensive stack most enterprises operate was priced against that older adversary. Treat this as a threat-model replacement, not an incremental escalation, and brief the board accordingly.

If all five major EDR products share the same architecture, what should we shift detection investment toward?
Move investment above the endpoint: identity, network telemetry, behavioral analytics, and cross-system anomaly detection. TrustedSec showed AI can reverse-engineer EDR internals in days, collapsing the obscurity premium. EDR remains useful as one layer, but the compensating controls layered on top are what survive an adversary that already understands your agent.

How aggressively should we compress patch SLAs given the new exploit windows?
Target 72 hours maximum for internet-facing critical vulnerabilities and 24 hours for AI infrastructure components. PraisonAI moved from disclosure to active exploitation in four hours, meaning a standard seven-day SLA leaves systems exposed for the entire weaponization-to-mass-exploitation curve. AI-tooling assets (LiteLLM, Ollama, gateways) deserve the tightest tier because several are now on CISA's KEV list.

Does the SAP versus ServiceNow execution-layer split force us to pick a side?
Not immediately, but the run-both instinct will not survive the first quarter where agents must commit writes across both systems. SAP is strongest where the process is the transaction; ServiceNow is strongest where the process is cross-system workflow. Audit which of your processes fall into each shape and decide where authoritative state lives before agent rollouts force the answer for you.

Why does the Cerebras and Fervo IPO activity matter for our compute planning?
Because frontier compute capacity is being pre-sold in bilateral $10B+ blocks, deleting the assumption that capacity will be available at spot pricing when workloads arrive. Microsoft is hedging beyond OpenAI, xAI is leasing 45% of Colossus to Anthropic, and Google has optioned 3GW from a single energy supplier. Plans assuming three viable suppliers in 18 months should be re-modeled against one-and-a-half.
