The day the patch window closed and the toolchain caught fire
Commodity AI agents now exploit 84% of known CVEs in under an hour — and the AI tools you'd use to defend yourself shipped twelve critical RCEs the same week. Stop patching faster. Start containing.
Buzz, a Sequoia-backed shop, published research this week showing an agent stitched together from off-the-shelf Anthropic, OpenAI, and Google APIs autonomously exploited 103 of 122 vulnerabilities in CISA's Known Exploited Vulnerabilities catalog. Most fell in under an hour. React2Shell — one of last year's nastier flaws — went down in 22 minutes. No custom model. No restricted access. Just a prompt, a budget, and CISA's own prioritization list fed in as a target queue.
The catalog meant for defenders is now a machine-readable to-do list for offense.
In the same week, the SANS @RISK bulletin landed with the densest cluster of critical AI/ML tool CVEs anyone can remember. FastGPT at CVSS 10.0 — unauthenticated HTTP proxy, full SSRF. llama.cpp at 9.8 — RCE via tensor deserialization, meaning a poisoned GGUF file from Hugging Face owns your inference host. Claude Code CLI at 9.8 — OS command injection in the auth helper, which is the part that holds your credentials. LiteLLM at 9.1 — auth bypass that inherits a legitimate user's identity and exposes every API key the gateway is configured with. Kestra and Windmill at 9.9 each. PraisonAI with six criticals. Twelve thousand-plus Flowise instances still sitting on the open internet.
None of these tools went through the security hardening cycle that traditional infrastructure earned over twenty years. They were adopted at startup speed and never audited. Your engineering teams are running most of them right now, and your AppSec team probably can't name half.
The arithmetic doesn't work anymore
If the median exploitation time for a published KEV is under sixty minutes and your remediation pipeline involves a Jira ticket, a sprint planning meeting, and a change advisory board, you are operating with an architecture that assumes human-speed attackers. That assumption is dead. Chevron's CISO Jon Raper said it cleanly: finding vulnerabilities isn't the problem anymore — remediating them in time is. The Internet Bug Bounty paused new submissions this week citing AI-collapsed discovery costs. Mythos generated 181 working Firefox exploits where its predecessor produced two. That's not an improvement curve; that's a phase change.
The defensive answer isn't faster patching. You will lose that race. The answer is shifting your survival controls from "patch before exploit" to "contain during exploit" — microsegmentation that's actually enforced, automated host isolation on KEV signatures, blast-radius diagrams for every new agentic deployment. The risk of imperfect AI-assisted defense is now demonstrably lower than the risk of defending at human tempo.
The supply chain is the perimeter
Two other items from this week are load-bearing for the same argument. Salt Typhoon pivoted through a commercial ISP into FBI systems and accessed surveillance target data — eighteen months after the original telecom campaign and with no public countermeasures report in between. Your ISP is not a vendor; it's a network-adjacent trust relationship with line-of-sight to your traffic. Forest Blizzard has 5,000+ SOHO routers across 200 organizations doing DNS hijacking against Outlook Web Access. The connectivity layer is now contested terrain, and most enterprise security stacks sit above it.
Meanwhile, the European Commission lost 340 GB through a compromised Trivy scanner — a security tool weaponized as the attack vector. The axios npm compromise was attributed to DPRK and rode through @usebruno/cli during a three-hour window on March 31. "We use industry-standard scanning" is no longer a sufficient answer to a customer security questionnaire. You need to articulate how your supply chain is verified, not that it's scanned.
What to actually do this week
One thing, measurable, this week: pull your current CISA KEV coverage report and instrument time-to-remediation for the last ten KEVs your environment touched. If any of them exceeded twenty-four hours, that number is your real exposure window — and it's the metric your board needs to see next to the Buzz 84.4% figure. Then pick the three highest-blast-radius services in production and verify they're segmented from each other at the network layer, not just the IAM layer. Not aspirationally. Actually.
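One way to produce that number, as an added example that is not code from the original post: it reads KEV entries in the shape of CISA's JSON feed (constructed sample rows with placeholder CVE ids), joins them to a hypothetical remediation export from your ticketing system, and reports each exposure window against the twenty-four-hour line.

```python
"""Added example: time-to-remediation for the KEVs your environment touched."""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of CISA's KEV feed (only the fields used here).
# Placeholder CVE ids; the real feed is known_exploited_vulnerabilities.json.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "product": "ExampleGateway",   "dateAdded": "2026-04-01"},
    {"cveID": "CVE-0000-0002", "product": "ExampleInference", "dateAdded": "2026-04-02"},
    {"cveID": "CVE-0000-0003", "product": "ExampleProxy",     "dateAdded": "2026-04-03"},
]})

# Hypothetical remediation export: cveID -> ISO timestamp when it was closed fleet-wide.
# A missing entry means the KEV is still open.
REMEDIATION_LOG = {
    "CVE-0000-0001": "2026-04-01T09:30:00+00:00",   # closed in 9.5 h
    "CVE-0000-0002": "2026-04-04T12:00:00+00:00",   # closed in 60 h
}

EXPOSURE_SLO_HOURS = 24.0   # the post's threshold for "real exposure window"


def exposure_report(feed_json, remediation, now_iso):
    """Per-CVE hours exposed: dateAdded to close time, or to now if still open."""
    now = datetime.fromisoformat(now_iso)
    rows = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        # KEV dateAdded is a bare date; treat it as the start of that UTC day.
        added = datetime.fromisoformat(v["dateAdded"]).replace(tzinfo=timezone.utc)
        closed_iso = remediation.get(v["cveID"])
        end = datetime.fromisoformat(closed_iso) if closed_iso else now
        hours = (end - added).total_seconds() / 3600
        rows.append({"cveID": v["cveID"], "product": v["product"],
                     "hours_exposed": round(hours, 1), "open": closed_iso is None,
                     "over_slo": hours > EXPOSURE_SLO_HOURS})
    return rows


def worst_window(rows):
    """The single number for the board: the longest exposure window in hours."""
    return max(r["hours_exposed"] for r in rows)


if __name__ == "__main__":
    report = exposure_report(KEV_FEED, REMEDIATION_LOG, "2026-04-05T00:00:00+00:00")
    for r in report:
        flag = "OPEN " if r["open"] else "      "
        print(f"{flag}{r['cveID']} {r['product']:<17} {r['hours_exposed']:>6} h"
              f"{'  > SLO' if r['over_slo'] else ''}")
    print(f"worst exposure window: {worst_window(report)} h")
```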
While you're at it, run pip list and npm list against the CVE block above before standup. llama.cpp ≥ b8492. FastGPT ≥ 4.14.9.5. Kestra ≥ 1.3.7. Rotate every API key configured in any LiteLLM instance you find — the auth bypass means those keys must be considered compromised, not at-risk. Reject unsigned model files in any inference path you control. Disable M365 device code authentication via Conditional Access today; EvilToken solved the fifteen-minute expiry problem and is hunting your finance and exec accounts through Microsoft Graph enumeration right now.
The through-line of the day is not that AI is dangerous. It's that the offense side adopted AI by default and the defense side is still in procurement review. That gap is the only thing being measured at machine speed.
◆ Behind the synthesis
Six specialist takes that fed this piece.
The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.
- Your AI/ML toolchain has critical RCEs at every layer simultaneously — llama.cpp (CVSS 9.8), Claude Code CLI (CVSS 9.8), FastGPT (CVSS 10.0), LiteLLM (CVSS 9.1) — while a Sequoia-backed startup just demonstrated commodity AI agents autonomously exploiting 84% of CISA KEVs in under an hour each.
  Your AI toolchain has CVSS 9.8-10.0 vulnerabilities at every layer — from llama.cpp inference to Claude Code CLI to FastGPT — while commodity AI agents now autonomously exploit 84%…
- A Sequoia-backed startup just proved that commodity AI agents — built from off-the-shelf Anthropic, OpenAI, and Google models anyone can buy — autonomously exploited 103 of 122 CISA KEVs in under an hour, including React2Shell in 22 minutes.
  Commodity AI agents — built from off-the-shelf models anyone can buy — just proved they can exploit 84% of CISA's Known Exploited Vulnerabilities in under an hour with zero human o…
- Your ML toolchain just took 9 simultaneous critical CVEs — llama.cpp (CVSS 9.8), Kedro (CVSS 9.8), FastGPT (CVSS 10.0), Claude Code CLI (CVSS 9.8) — while a Sequoia-backed startup proved compound AI agents autonomously exploit 84% of known vulnerabilities in under an hour.
  Your ML toolchain has 9 critical CVEs this week (llama.cpp, LiteLLM, Kedro, Claude Code CLI — all CVSS 9.1+) while AI agents now exploit known vulnerabilities in 22 minutes, your R…
- Anthropic's Claude Managed Agents hit public beta at $0.08/hr — and Notion, Asana, Sentry, and Rakuten are already shipping production features on it.
  Anthropic commoditized agent infrastructure at $0.08/hr and Notion is already shipping on it, Walmart proved agentic commerce fails with human-shaped UX (66% conversion collapse),…
- Meta just killed open-source AI at the frontier — launching proprietary Muse Spark from its new Superintelligence Labs while abandoning its 2-trillion-parameter Behemoth project.
  Meta killed open-source AI at the frontier the same week China proved it can train trillion-parameter models without a single NVIDIA chip and the CEO of the winning AI lab said the…
- A federal appeals court upheld Anthropic's Pentagon blacklisting on the same day Michael Burry disclosed a Palantir short citing Claude's enterprise dominance — creating the most asymmetric risk/reward setup in AI.
  Anthropic is simultaneously government-toxic and enterprise-ascendant — trading at 11.7x revenue while OpenAI sits at 29.2x — and the appeals court just made the discount permanent…