Synthesis

~4 min

The week your patches stopped working and your model bill stopped mattering

Three frontier models shipped at a 35x price spread while a Chinese APT survived two Cisco patch cycles. Both stories say the same thing: the defaults you've been operating on are gone.

On April 24, three things happened in roughly the same 24 hours. OpenAI shipped GPT-5.5 at $5/$30 per million tokens — double the prior price — and confirmed the model was built using its predecessor on a seven-week cycle. DeepSeek released V4-Flash under MIT license at $0.14/$0.28 per million tokens, with day-zero vLLM and SGLang support and a hybrid attention architecture that cuts KV cache by 90%. And CISA issued an emergency directive ordering federal agencies to capture memory snapshots from every Cisco ASA and Firepower device in their fleet, because a Chinese actor named UAT-4356 had been sitting inside those firewalls through two complete patch cycles using a backdoor — FIRESTARTER — that rewrites boot configuration to reinstall itself on every reboot.

Those two stories sound unrelated. They aren't. They're the same story told twice: the operational defaults you built your stack around are no longer load-bearing.

The 35x gap is an architecture decision, not a procurement one

If you're running a single-provider AI stack at frontier prices, you are now overpaying by one to two orders of magnitude on workloads that don't need frontier capability. That's not a hot take — it's the math. GPT-5.5 medium matches Claude Opus 4.7 max at roughly a quarter of the cost on Artificial Analysis benchmarks. V4-Flash undercuts GPT-5.5 output by 107x. GLM-5.1 under MIT license tops SWE-Bench Pro at $1.40 per million input tokens. Together AI's monthly inference volume is up 10,000x year-over-year.

The rebuttal that always shows up here is "but quality." The rebuttal doesn't survive contact with your own production traffic. Most of what your application sends to a frontier model is classification, extraction, summarization, or templated generation — the exact tasks where a $0.28-per-million model is indistinguishable from a $30-per-million one. Frontier capability matters for the tail. Routing matters for the rest.

The minimum viable architecture this quarter is three tiers: V4-Flash or GLM-5.1 for the bulk, a mid-tier like Gemini 3.1 Pro or V4-Pro for general reasoning, and GPT-5.5 or Opus 4.7 reserved for the cases where cost is genuinely secondary. If you don't have a model abstraction layer that lets you swap providers in a week, that's the work — not picking the next default model.

Two caveats worth naming. GPT-5.5 API access is gated pending additional safeguards; OpenAI classified the model as High risk, and you should not schedule launches against an API that doesn't have a date. And V4-Pro capacity is constrained until Huawei Ascend 950 clusters land in H2 2026 — V4-Flash is the immediately deployable piece. Build against what's confirmed.
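A routing layer of the shape the two paragraphs above describe, as an added example that is not code from the post or from any of the vendors it names. The prices for deepseek-v4-flash and gpt-5.5 and the two availability flags (gpt-5.5 gated, V4-Pro capacity-constrained) are as the post states them; every other price, the task taxonomy, and the model identifiers are placeholder assumptions. The point it makes in code is that escalation only goes upward, and that an unavailable provider is a routing event, not an outage.

```python
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Model:
    name: str
    input_per_m: float       # USD per million input tokens
    output_per_m: float      # USD per million output tokens
    available: bool = True   # False: API gated, no launch date, or capacity-constrained


# Ordered cheapest-acceptable first; the router takes the first available entry.
# Prices for deepseek-v4-flash and gpt-5.5, and the two availability flags, are
# the ones quoted in the post. Every other price is a PLACEHOLDER assumption.
TIERS: dict[str, list[Model]] = {
    "bulk": [
        Model("deepseek-v4-flash", 0.14, 0.28),
        Model("glm-5.1", 1.40, 1.40),                           # output price assumed
    ],
    "mid": [
        Model("deepseek-v4-pro", 1.00, 2.00, available=False),  # capacity-gated; price assumed
        Model("gemini-3.1-pro", 2.00, 8.00),                    # price assumed
    ],
    "frontier": [
        Model("gpt-5.5", 5.00, 30.00, available=False),         # API gated pending safeguards
        Model("claude-opus-4.7", 15.00, 75.00),                 # price assumed
    ],
}
TIER_ORDER = ["bulk", "mid", "frontier"]

# Minimum tier per task kind. Assumed taxonomy: calibrate it against your own
# production traffic, not against benchmark tables.
MIN_TIER = {
    "classify": "bulk", "extract": "bulk", "summarize": "bulk", "template": "bulk",
    "reason": "mid",
    "agentic-plan": "frontier",
}


def route(kind: str, tiers: dict[str, list[Model]] = TIERS) -> Model:
    """Cheapest available model at or above the task's minimum tier.

    Escalation is upward only: a bulk job may land on a mid-tier model when the
    bulk tier is out, but a frontier job is never silently downgraded."""
    start = TIER_ORDER.index(MIN_TIER[kind])
    for tier in TIER_ORDER[start:]:
        for model in tiers[tier]:
            if model.available:
                return model
    raise RuntimeError(f"no available model for task kind {kind!r}")


def disable_tier(tiers: dict[str, list[Model]], tier: str) -> dict[str, list[Model]]:
    """Copy of `tiers` with every model in `tier` marked unavailable (outage drill)."""
    return {t: [replace(m, available=False) if t == tier else m for m in ms]
            for t, ms in tiers.items()}


def cost_usd(model: Model, tokens_in: int, tokens_out: int) -> float:
    return (tokens_in * model.input_per_m + tokens_out * model.output_per_m) / 1_000_000


def overpay_ratio(kind: str, tokens_in: int, tokens_out: int,
                  tiers: dict[str, list[Model]] = TIERS) -> float:
    """How much a single-provider frontier default would overpay for this task,
    measured against the frontier tier's first entry (gpt-5.5 list price)."""
    default = tiers["frontier"][0]
    routed = route(kind, tiers)
    return cost_usd(default, tokens_in, tokens_out) / cost_usd(routed, tokens_in, tokens_out)


if __name__ == "__main__":
    for kind in MIN_TIER:
        m = route(kind)
        print(f"{kind:13s} -> {m.name:20s} overpay x{overpay_ratio(kind, 1000, 200):.1f}")
```

The provider SDK call sits behind `route()`, so swapping a vendor is a change to `TIERS`, not to application code; that is the abstraction layer the paragraph is asking for.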

The agent platform window is twelve days, not twelve months

In the same week, Google folded Vertex AI into the Gemini Enterprise Agent Platform, OpenAI launched Workspace Agents in ChatGPT (free until May 6, then credit-based), Microsoft made Copilot Agent Mode default-on across 365, and Anthropic shipped filesystem-backed memory for Managed Agents with scoped permissions and audit logs. Four platforms, one direction: agents that accumulate persistent state, hold tool permissions, and run when you're offline.

Persistent state is the lock-in mechanism. An agent that has six months of your team's institutional context, action history, and approved-tool inventory is harder to migrate than any SaaS contract you've ever signed. Whichever platform your engineers, sales ops, or finance team starts using during the free window is the one whose memory layer you'll be auditing in 2027.

The right move isn't to pick a winner. It's to make the decision deliberately. Convene the cross-functional review now, define which workflows you're willing to let run inside a hyperscaler's agent surface and which need to stay in your stack, and write down the governance requirements — identity, kill switches, audit retention — before the platform's defaults become yours by accident.

Patching is no longer remediation

Three disclosures this week share the same uncomfortable shape: applying the vendor patch leaves you compromised.

FIRESTARTER on Cisco ASA persists through firmware updates and graceful reboots. Only a hard power-cycle — actual power removal — followed by reimage from verified media clears it. The campaign has been running since late 2025. If you patched in September and moved on, the adversary has had six-plus months of post-patch access to your perimeter.

CVE-2026-40372 in ASP.NET Core (CVSS 9.1, Linux/macOS only) computes its HMAC over the wrong bytes and discards the hash. Auth cookies forged before patching remain cryptographically valid after you upgrade to 10.0.7, because the patch fixes the code path, not the key material the cookies were protected under. You also have to revoke the existing keys in the DataProtection key ring (adding a new key is not enough; rotation leaves the old keys in the ring precisely so that payloads issued under them keep unprotecting) and force-invalidate every session.
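The rotate-versus-revoke distinction above, as an added illustration that is not ASP.NET Core's DataProtection implementation and not code from the post. It is a minimal keyed-MAC cookie scheme with the same shape: each cookie names the key id that protected it, verification looks that key up in a ring, and a key keeps verifying old cookies until it is explicitly revoked. The attacker's cookie is constructed data; the vulnerable MAC path itself is not reproduced, only its consequence (a cookie the server accepts). Key ids, field names and the session-version mechanism are assumptions.

```python
from __future__ import annotations
import base64, binascii, hashlib, hmac, json, secrets


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s)


class KeyRing:
    """Key ring for MAC-protected cookies. Each cookie carries the id of the key
    that protected it; verification looks that key up in the ring, so a key
    stays usable for old cookies until it is explicitly revoked."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.revoked: set[str] = set()
        self.current: str | None = None

    def add_key(self, key_id: str, secret: bytes) -> None:
        """Rotation: new cookies use this key; older keys remain in the ring."""
        self.keys[key_id] = secret
        self.current = key_id

    def revoke(self, key_id: str) -> None:
        """Anything protected with key_id fails verification from now on."""
        self.revoked.add(key_id)

    def protect(self, payload: dict) -> str:
        assert self.current is not None, "add a key before issuing cookies"
        body = _b64e(json.dumps(payload, sort_keys=True).encode())
        msg = f"{self.current}.{body}".encode()
        tag = hmac.new(self.keys[self.current], msg, hashlib.sha256).digest()
        return f"{self.current}.{body}.{_b64e(tag)}"

    def unprotect(self, cookie: str) -> dict | None:
        parts = cookie.split(".")
        if len(parts) != 3:
            return None
        key_id, body, tag = parts
        secret = self.keys.get(key_id)
        if secret is None or key_id in self.revoked:
            return None
        expected = hmac.new(secret, f"{key_id}.{body}".encode(), hashlib.sha256).digest()
        try:
            if not hmac.compare_digest(expected, _b64d(tag)):
                return None
            return json.loads(_b64d(body))
        except (binascii.Error, ValueError):
            return None


class SessionStore:
    """Server-side floor on the session version carried in each cookie.
    Bumping a user's floor force-invalidates every cookie issued before it
    without touching the key ring."""

    def __init__(self) -> None:
        self.min_version: dict[str, int] = {}

    def bump(self, user: str) -> int:
        self.min_version[user] = self.min_version.get(user, 0) + 1
        return self.min_version[user]

    def valid(self, payload: dict) -> bool:
        return payload.get("v", -1) >= self.min_version.get(payload.get("sub", ""), 0)


def scenario() -> dict[str, bool]:
    """Walk a cookie the attacker already holds through patch, rotation,
    session invalidation and key revocation. All data here is constructed."""
    ring, sessions = KeyRing(), SessionStore()
    ring.add_key("k1", secrets.token_bytes(32))
    # Attacker's cookie: minted under k1 while the MAC check was broken. We model
    # only the consequence (a cookie the server accepts), not the bug itself.
    stolen = ring.protect({"sub": "admin", "v": 0})

    def accepted(cookie: str) -> bool:
        p = ring.unprotect(cookie)
        return p is not None and sessions.valid(p)

    out = {"after_code_patch": accepted(stolen)}      # patched code, same keys
    ring.add_key("k2", secrets.token_bytes(32))       # rotate: k1 is still in the ring
    out["after_rotate_only"] = accepted(stolen)
    sessions.bump("admin")                            # force-invalidate sessions
    out["after_session_invalidation"] = accepted(stolen)
    ring.revoke("k1")                                 # revoke, not just rotate
    out["after_revoke"] = accepted(stolen)
    fresh = ring.protect({"sub": "admin", "v": sessions.min_version["admin"]})
    out["fresh_cookie_after_cleanup"] = accepted(fresh)  # legitimate logins still work
    return out
```

Either control on its own closes the hole: revoking the old key rejects every cookie it protected, and the session-version floor rejects every cookie issued before the bump even though its MAC still verifies. Rotation alone closes nothing.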

The @bitwarden/cli npm namespace was hijacked at v2026.4.0 and now harvests AWS, GCP, GitHub, SSH, and — for the first time at this scale — Claude API keys and MCP configuration files. Exfiltration uses GitHub itself as a C2 channel. A separate self-propagating worm is cross-pollinating between npm and PyPI through legitimate maintainer publishes.

Meanwhile, LMDeploy CVE-2026-33626 went from advisory to working exploit in twelve hours and thirty-one minutes with no public PoC — the first clean public evidence that AI-assisted exploit development has compressed the weaponization window below a typical patch SLA.

The operational pattern is not subtle. Patch cycles assumed human-speed adversaries reading human-written PoCs. That assumption no longer holds for internet-facing infrastructure or for supply-chain dependencies, and neither does the assumption that a patch ends the incident.

What to do this week

One thing, specifically. Stand up a kill chain audit on your AI stack: inventory every Claude API key, MCP config, OpenAI token, and agent credential currently sitting in a config file, .env, or developer machine, then move all of them into your secrets manager and rotate them by Friday. Rotate, not just move: anything that sat in a file on a developer machine should be presumed exposed. While you're there, hard power-cycle and reimage every Cisco ASA and Firepower device in your fleet, capturing the memory snapshot CISA asked for before you cut power, since the power-cycle destroys that evidence. And pin every GitHub Action in your CI to a full commit SHA. The supply chain attackers added your AI tooling to the standard exfiltration checklist this week. Treat those credentials like the cloud credentials they're now adjacent to.
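A starting point for the inventory and the Actions-pinning check in the paragraph above, added here as example code rather than anything from the post. The credential prefixes are the documented ones (sk-ant- for Anthropic, AKIA for AWS access key ids, ghp_/github_pat_ for GitHub tokens); the length floors are deliberately loose, the MCP-config filename heuristic and the sample files are constructed, and the pinned SHA in the sample workflow is a placeholder, not a real commit.

```python
from __future__ import annotations
import os, re

# Credential shapes. Prefixes are the documented ones; the length floors are
# loose on purpose: an inventory should over-report and let a human triage.
SECRET_PATTERNS = {
    "anthropic_api_key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{10,}"),
    "openai_api_key":    re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{10,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token":      re.compile(r"\b(?:ghp_|github_pat_)[A-Za-z0-9_]{10,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # GitHub Actions step reference
SHA_RE = re.compile(r"[0-9a-f]{40}")                  # full commit SHA = pinned
SKIP_DIRS = {".git", "node_modules", ".venv", "venv"}


def _redact(s: str) -> str:
    """Never write the full secret into the findings report."""
    return f"{s[:8]}...({len(s)} chars)"


def find_secrets(path: str, content: str) -> list[dict]:
    out = []
    for n, line in enumerate(content.splitlines(), 1):
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(line):
                out.append({"path": path, "line": n, "kind": kind, "detail": _redact(m.group(0))})
    return out


def check_workflow(path: str, content: str) -> list[dict]:
    """Flag every `uses:` that points at a tag or branch instead of a commit SHA."""
    out = []
    for n, line in enumerate(content.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue                      # local or container action: nothing to pin here
        _action, _, version = ref.partition("@")
        if not SHA_RE.fullmatch(version):
            out.append({"path": path, "line": n, "kind": "unpinned_action", "detail": ref})
    return out


def is_mcp_config(path: str) -> bool:
    # Filename heuristic (assumption): MCP server configs usually carry "mcp" in the
    # name, plus the Claude Desktop config file, whose env blocks hold tool tokens.
    name = os.path.basename(path)
    return name.endswith(".json") and ("mcp" in name.lower() or name == "claude_desktop_config.json")


def audit(files: dict[str, str]) -> list[dict]:
    """Run all checks over a {path: content} mapping and return findings."""
    findings = []
    for path, content in files.items():
        norm = path.replace(os.sep, "/")
        if is_mcp_config(path):
            findings.append({"path": path, "line": 0, "kind": "mcp_config",
                             "detail": "MCP server config; tool credentials live in its env blocks"})
        if "/workflows/" in norm and norm.endswith((".yml", ".yaml")):
            findings.extend(check_workflow(path, content))
        findings.extend(find_secrets(path, content))
    return findings


def audit_dir(root: str) -> list[dict]:
    """Walk a checkout or a home directory and audit every readable text file."""
    files = {}
    for dirpath, dirnames, names in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                with open(p, encoding="utf-8", errors="ignore") as fh:
                    files[p] = fh.read()
            except OSError:
                continue
    return audit(files)


# Constructed sample tree: placeholder values only, nothing here is a live credential.
SAMPLE_FILES = {
    ".env": (
        "ANTHROPIC_API_KEY=sk-ant-api03-EXAMPLEKEYEXAMPLEKEY\n"
        "OPENAI_API_KEY=sk-proj-EXAMPLEKEYEXAMPLEKEY\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "DEBUG=true\n"
    ),
    "claude_desktop_config.json": (
        '{"mcpServers": {"github": {"command": "npx", '
        '"env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_EXAMPLETOKENEXAMPLETOKEN0000"}}}}\n'
    ),
    ".github/workflows/ci.yml": (
        "jobs:\n  build:\n    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA\n"
        "      - uses: ./.github/actions/local\n"
        "      - run: npm ci\n"
    ),
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['kind']:18s} {f['detail']}")
```

Run `audit_dir(os.path.expanduser("~"))` on a developer machine and `audit_dir(".")` in each repository; the `mcp_config` finding is there so MCP files get moved even when their token happens not to match a pattern.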

◆ Behind the synthesis

Six specialist takes that fed this piece.

The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.

  1. Three critical vulnerabilities this week share a devastating pattern: patching alone doesn't fix them.

    This week proved that 'apply the patch' is no longer a complete remediation strategy — Cisco Firestarter survives patches and reboots, ASP.NET Core forged auth cookies survive the…

    45 sources · 7 min
  2. A Chinese APT codenamed UAT-4356 has been living inside Cisco ASA and Firepower firewalls through two complete patch cycles using a previously unknown backdoor called FIRESTARTER — discovered by CISA, which has now ordered federal agencies to submit memory snapshots immediately.

    A Chinese APT survived two full patch cycles on Cisco firewalls using a backdoor that only a hard power-cycle and reimage can remove, a CVSS 9.1 ASP.NET Core auth bypass lets forge…

    45 sources · 8 min
  3. DeepSeek V4-Flash serves frontier-competitive inference at $0.14/$0.28 per million tokens — 107x cheaper than GPT-5.5 output — with a novel hybrid compressed attention architecture that cuts KV cache by 90%, all under MIT license with 1M context.

    DeepSeek V4-Flash at $0.14 per million input tokens — 107x cheaper than GPT-5.5 output — ships under MIT with a novel hybrid attention architecture that cuts KV cache 90%, while th…

    43 sources · 7 min
  4. GPT-5.5 launched at $5/$30 per million tokens while DeepSeek V4-Flash shipped at $0.14/$0.28 under MIT license — a 35x pricing gap at frontier-adjacent quality — the same day OpenAI pivoted Codex into an enterprise superapp with browser control, Sheets/Slides manipulation, and OS-wide dictation.

    The AI model market bifurcated overnight into a 35x pricing gap — GPT-5.5 at $5/$30 vs. DeepSeek V4-Flash at $0.14/$0.28 — while four platforms simultaneously pivoted to agentic su…

    43 sources · 8 min
  5. OpenAI confirmed recursive self-improvement is commercial reality — GPT-5.5 was built by its predecessor in just 7 weeks — while DeepSeek released an MIT-licensed frontier rival at 1/35th the cost on the same day.

    The AI model layer commoditized this week — GPT-5.5 confirmed recursive self-improvement on a 7-week cycle while DeepSeek released an MIT-licensed rival at 1/35th the cost — and th…

    45 sources · 6 min
  6. The AI model layer commodity-collapsed in a single 24-hour window: GPT-5.5 shipped at $5/$30 per million tokens (2x price hike) while DeepSeek V4-Flash released under MIT license at $0.14/$0.28 — a 35x price spread at converging benchmark scores.

    AI model intelligence commoditized in a single 24-hour window — GPT-5.5 doubled prices while DeepSeek V4 released at 1/35th the cost under MIT license, Beijing closed the US-China…

    43 sources · 9 min