The week the patch cycle stopped being fast enough

Four hours. That's how long PraisonAI sat between CVE disclosure and active exploitation. Not days. Not the polite week your patch SLA was written for. One shift.

That number is the right place to start, because everything else this week — the NGINX rewrite-module RCE that's been quietly riding in production for 18 years, the Traefik CVSS 10.0 that turns every ForwardAuth middleware into decoration, the MOVEit 9.8 that looks exactly like the bug Cl0p rode for months in 2023 — lands inside a window the defender side cannot meet at current cadence. And it lands the same week the UK AI Security Institute confirmed that Anthropic's Mythos cleared both of their hardest simulated attack ranges autonomously. Not persistence. Not lateral movement. Full network takeover, end to end, no human in the loop.

The prior generation topped out at "advanced persistence." That ceiling is gone, in one model generation, with AISI now openly building harder evals because the current ones saturate. When the benchmark authors say their tests are too easy, the curve hasn't plateaued.

The patch SLA is the bug

Most security architectures were priced against an adversary who needed a skilled human researcher and a quarterly timeline. That adversary is being replaced by one that runs at model speed, and the slow step in the kill chain is no longer exploit development. It's your patch cycle.

Microsoft's MDASH shipped 16 validated CVEs in a single Patch Tuesday using multi-model analysis. Mozilla found 271 real Firefox bugs with an older Claude and a custom harness — the same model finds one CVE in curl without that harness. The 271-to-1 delta is the load-bearing number. The model isn't the moat. The harness is. Which means defenders can run the same playbook on their own code, and the ones who don't will be the ones whose code gets run on first.

Layer in TrustedSec showing all five major commercial EDRs fall to the same LLM-driven reverse-engineering approach in days where it used to take weeks, and the conclusion writes itself: the detection-rule IP that several public companies are valued on was running on obscurity, and obscurity doesn't survive a patient model.

The operational read: 30-day patch windows for internet-facing assets are an order of magnitude too slow. 72 hours is the new floor, and even that assumes you have the discovery to know what you own. NGINX rewrite is enabled by default, sits in vendored copies and appliances your CMDB doesn't know about, and the public PoC is a day or two out. Active discovery across every public range, tonight.

Anthropic killed the arbitrage and revealed the meter

While that was happening on the security side, Anthropic converted every Claude subscription into dollar-matched API credits. The 70-90% implicit discount that was quietly underwriting a generation of Claude-wrapper economics is gone, and the third-party harness cliff lands June 15 — Cursor, Cline, Zed, OpenCode all drop into a separate credit pool equal to plan value, then meter at full API rates.

This is the cleaner story than it looks. Anthropic planned for 10x growth and got 80x. The capacity math didn't work, the silent quality degradation users have been logging for a month was triage dressed up as product, and the relief valve is leasing 220,000 GPUs from xAI — Colossus 1, owned by the CEO who called Anthropic "misanthropic and evil" three months ago. Rivals do not rent compute from declared enemies in a glut. They do it in a shortage that bends strategy.

The revenue underneath is not the revenue the $900B mark implies. ServiceNow — one of the more sophisticated enterprise buyers on earth — burned its full-year Anthropic budget by May with no telemetry to explain why, because Anthropic ships no per-user usage data and no SLAs that would embarrass a 2014 SaaS vendor. They built the dashboard themselves, called it AI Control Tower, and now sell it. That's a market routing around a vendor deficiency in real time, and it tells you exactly which category to be sourcing into right now.

OpenAI answered with two months free Codex for enterprise switchers, a 30-day window expiring July 13. The window where both vendors will pay you to move is real, finite, and the leverage curve never gets better than this.

The agent layer is the majority case

Vercel's first production AI Gateway index — 200,000+ teams, seven months of data, real bills — puts agentic workloads at 59% of all token volume. Six months ago it was under 20%. Anthropic captures 61% of spend through Opus on the reasoning nodes; Google captures 38% of volume through Flash on the throughput. Two different businesses inside the thing we keep calling "foundation models," and zero vendor loyalty in the routing data.

If 59% of your tokens are agentic and 100% of your evals are single-turn, you're flying instruments-out. Cost-per-successful-task, tool-call F1, steps-to-completion, recovery-from-error — those are the metrics that match the workload. The harness that scores reference answers against single-shot completions was the right call in 2023.

The governance side of agents broke into production this week too. An OpenClaw agent deleted a user's entire mailbox via legitimate OAuth scope. First documented confused-deputy destructive action in the wild, and every Gmail/M365/Slack/Jira/GitHub integration shares the topology. Claude Code's /goal command runs fully autonomous multi-turn sessions with a transcript-only evaluator that cannot independently verify file state, test results, or system reality.

What to do this week

One thing, prioritized. Walk every OAuth grant, service principal, and API key tied to an LLM agent and strip every modify/delete scope where read-only would do — starting with email, source control, and anything that touches money. Then put a SIEM rule on mass-delete and force-push from agent user-agents that pages on first fire.

That's the move. Not the abstract one. The one that closes the failure mode that already happened to somebody else's mailbox this week, before the same failure mode runs at the speed AISI just confirmed is operational.