The week your security tools, your vendors, and your users all stopped being who you thought
Trivy got backdoored, Anthropic flipped OpenAI in enterprise share, and AI agents quietly became the majority user on surfaces you only measure for humans. Three independent dislocations, one week.
Three things happened this week that, taken together, invalidate a lot of architectural assumptions sitting in production right now.
First: on March 19, Aqua Security's Trivy — the vulnerability scanner running in a meaningful slice of the world's CI pipelines — was backdoored by a group calling itself TeamPCP. Encrypted C2, encrypted exfiltration, a self-spreading npm worm. Standard egress monitoring that looks for plaintext credential dumps would have missed it. Anything Trivy could read on a CI runner since the 19th is now in someone else's hands until you prove otherwise. Oracle shipped a rare out-of-band patch for an unauthenticated RCE in Identity Manager (CVE-2026-21992) the same week, and Langflow's CVE-2026-33017 was being exploited twenty hours after the patch dropped. The scanner you trusted, the identity plane you trusted, and your patch SLA — all wrong at the same time.
Second: Anthropic took 40% of enterprise AI spend. OpenAI fell to 27%. Claude Code is at $2.5B ARR, ahead of Cursor at $2B and Codex at $1B, and Notion is migrating engineers off Cursor onto model-native agents. Meta — Meta — is running its internal executive tooling on Claude rather than its own LLaMA. The Microsoft–OpenAI axis that anchored most enterprise AI procurement decisions in 2024 is fracturing in public: OpenAI's Frontier agent builder ships on AWS, not Azure, and Mustafa Suleyman is now openly building Microsoft's own frontier models. Meanwhile MiniMax M2.7 hit 57% on Terminal-Bench at $0.30 per million input tokens — within a point of Opus at $5. A fourteen-to-one price gap at near-parity quality is not a pricing event. It's a routing event.
Third, and this is the one most teams are still missing: AI agents became the majority user on a surprising number of product surfaces. Hex says agents create more dashboard cells than humans. Mintlify says agents read the docs more than humans. Tally — a form builder — gets 25% of new signups from ChatGPT referrals. Imperva's 2025 numbers put bot traffic at 51% of web activity overall. Your analytics, your rate limits, your pricing page, your onboarding funnel — all calibrated for an audience that's now a minority.
The through-line nobody is naming
Each of these stories is being filed under a different beat. Supply chain security. Vendor strategy. Product analytics. They're the same story.
The substrate you assumed was static is moving. Your security tooling is now an attack surface, not a defense — 42% of skills on ClawHub are malicious, 10.8% of scanned MCP servers carry exploitable tool-pair flows, and o1-mini follows prompt-injected tool outputs 72.8% of the time. The capability-security curve has gone inverse: the better the model, the easier it is to weaponize through its tools. Your vendor stack is sliding under you at the same time — the company you signed an EA with last year has 23 fewer points of enterprise share this year, and the partnership that backstopped your procurement is fracturing on a quarterly cadence. And your users are increasingly machines you haven't instrumented for, paying with protocols (x402, MPP, AgentPay) that didn't exist last quarter.
The shared failure mode: most teams are still building one layer below where the action is. Patching CVEs while the scanner is backdoored. Negotiating seat pricing while a16z is publicly telling its portfolio that seat revenue is the line item enterprise buyers will cut first. Optimizing onboarding for humans while a quarter of your signups come from a model you don't have a relationship with.
The a16z framing matters more than people think
David George's piece this week — two paths, ten points of AI-driven growth or forty-to-fifty percent true operating margins, and the comfortable middle is dead — is going to land on every software board agenda within two cycles. The specifics are unusually load-bearing: four-person pods writing code on day one, $1K per engineer per month in tokens as table stakes, 50% of R&D on net-new AI products, full org redesign rather than the usual 8% RIF. Private credit funds are already gating redemptions on SaaS-backed loans — institutional money is reading the same data and voting with its feet before public earnings reflect it.
If you're a builder reading this, the relevant question isn't which path. It's which path your CFO can defend in eighteen months when your closest comp announces theirs. Declaring late is worse than declaring wrong.
What to do this week
If Trivy ran in your CI since March 19, treat every secret those runners could touch as compromised. Rotate with deny-before-reissue, not simple rotation — basic rotation is defeatable through token refresh. Pin GitHub Actions to commit SHAs, not tags. This is a today action, not a sprint action.
Then pick one product surface — the one with the highest API or docs traffic — and split the analytics. Human sessions, agent sessions, two columns. You will be surprised. The number you find is the number that determines whether your roadmap is aimed at the user base you actually have. If a quarter or more of your traffic is non-human and your product can't be discovered, consumed, and paid for by a model without a human in the loop, that's the gap to close before the next planning cycle. Not because agents are the future. Because they're already a plurality of your present, and you've been optimizing for the other half.
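An added example, not code from the original article: the two-column split described above, computed per product surface from combined-format access log lines and checked against the "quarter or more" threshold. The log lines are constructed, the agent token list is an assumed starting set of self-declared User-Agent strings, and one (IP, User-Agent) pair stands in for a session.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Assumption: lower-cased tokens that AI crawlers and agents declare in their User-Agent.
AGENT_TOKENS = ("gptbot", "chatgpt-user", "oai-searchbot", "claudebot", "perplexitybot")

# Constructed sample log (documentation IP ranges, made-up requests).
_FMT = '{ip} - - [20/Mar/2026:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
_BROWSER = "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
SAMPLE_LOG = [_FMT.format(ip=i, path=p, ua=u) for i, p, u in [
    ("192.0.2.10", "/docs/quickstart", _BROWSER),
    ("192.0.2.10", "/docs/api", _BROWSER),
    ("198.51.100.7", "/docs/api", "Mozilla/5.0 (compatible; GPTBot/1.2; +https://openai.com/gptbot)"),
    ("198.51.100.8", "/docs/auth", "Mozilla/5.0 (compatible; ClaudeBot/1.0)"),
    ("203.0.113.5", "/pricing", _BROWSER),
    ("203.0.113.6", "/pricing?plan=team", _BROWSER),
]] + ["truncated or malformed line"]


def split_sessions(log_lines):
    """Return {surface: {"human": n, "agent": n}} counting distinct (ip, user-agent) pairs."""
    seen = defaultdict(lambda: {"human": set(), "agent": set()})
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in combined log format
        # Surface = first path segment, query string dropped.
        surface = "/" + m["path"].split("?")[0].strip("/").split("/")[0]
        ua = m["ua"].lower()
        kind = "agent" if any(tok in ua for tok in AGENT_TOKENS) else "human"
        seen[surface][kind].add((m["ip"], ua))
    return {s: {k: len(v) for k, v in cols.items()} for s, cols in seen.items()}


def agent_heavy_surfaces(columns, threshold=0.25):
    """Surfaces where agents make up at least `threshold` of sessions."""
    return sorted(
        s for s, c in columns.items()
        if c["agent"] / (c["human"] + c["agent"]) >= threshold
    )


if __name__ == "__main__":
    print(split_sessions(SAMPLE_LOG), agent_heavy_surfaces(split_sessions(SAMPLE_LOG)))
```

The User-Agent header is self-declared, so agents that drive a regular browser land in the human column and the agent share this produces is a lower bound.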
◆ Behind the synthesis
Six specialist takes that fed this piece.
The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.
- Your vulnerability scanner just became the vulnerability.
  Your CI pipeline is under active attack (Trivy backdoored with encrypted C2, Cargo crate CVE patching March 26, 42% of OpenClaw skills malicious), your AI-assisted code has blind s…
  38 sources · 7 min
- Your vulnerability scanner is backdoored and your identity infrastructure has an unauthenticated RCE — both confirmed this week.
  Your vulnerability scanner (Trivy) has been backdoored with encrypted C2 since March 19, your identity platform (Oracle IM) has an unauthenticated RCE with an emergency patch, AI c…
  36 sources · 7 min
- Four MoE model releases landed simultaneously — Mistral 119B (4/128 experts active, Apache 2.0), Nemotron-Cascade 2 (30B/3B active), Nemotron 3 Super (120B/12B active), and Flash-MoE streaming 397B from SSD on a MacBook — while MiniMax M2.7 undercuts Claude Opus 4.6 by 50x on input pricing at 90% quality.
  The LLM market bifurcated into a 50x price gap this week while four MoE models proved extreme sparsity is the winning inference pattern — but the agent ecosystem those models power…
  38 sources · 8 min
- AI agents have quietly become your majority user on key product surfaces — Hex reports agents creating more cells than humans, Mintlify confirms agents read docs more than humans, Tally gets 25% of new signups from ChatGPT alone, and Imperva's 2025 report puts automated traffic at 51% of all web activity.
  Your product now serves two user bases — humans and AI agents — and the agent base is growing faster, converting differently (25% of Tally signups come from ChatGPT), and operating…
  38 sources · 8 min
- Anthropic has captured 40% of enterprise AI spending versus OpenAI's 27% — a complete power inversion — while Claude Code hit $2.5B+ ARR overtaking Cursor, and Meta quietly chose Anthropic's Claude over its own LLaMA for mission-critical internal tools.
  The enterprise AI power map inverted this quarter — Anthropic now commands 40% of spending versus OpenAI's 27%, Claude Code hit $2.5B+ ARR, and Meta chose Anthropic over its own mo…
  37 sources · 7 min
- Anthropic captured 40% of enterprise AI spend while OpenAI cratered to 27% — the first market-share inversion in the AI platform war — as the $5.5B AI coding market reveals model-makers devouring tool-builders (Claude Code $2.5B ARR, Cursor $2B and losing customers, Codex $1B).
  Enterprise AI just had its market-share inversion — Anthropic flipped OpenAI (40% vs 27%), the $5.5B coding market proves model-makers devour tool-builders, a16z declared software'…
  36 sources · 7 min