Synthesis


The week the patch SLA, the AI invoice, and the threat model all broke at once

NGINX shipped an 18-year-old pre-auth RCE the same week AISI confirmed autonomous full network takeover and Anthropic killed the harness arbitrage. Three clocks just shortened simultaneously.

Three things landed in the same seven days, and none of them are the kind of news you read once and move past.

NGINX disclosed an unauthenticated RCE in the rewrite module that has been sitting in the codebase for eighteen years. Traefik shipped two CVSS 10.0 auth bypasses on the same day. MOVEit pattern-matched its own 2023 Cl0p disaster with a 9.8 auth bypass. Argo CD leaks plaintext Kubernetes secrets to any authenticated user. LiteLLM is on CISA KEV, actively exploited. PraisonAI went from disclosure to working exploit in four hours.

That is the perimeter, the GitOps layer, and the AI gateway — six consecutive layers of a standard cloud-native stack, all bleeding pre-auth at the same time, and they chain cleanly into full cluster compromise from one entry point.

Meanwhile, the UK AI Security Institute published the result that retires a generation of threat modeling. Anthropic's Mythos cleared both of AISI's hardest cyber ranges. End-to-end autonomous network takeover, no human in the loop. Last cycle's ceiling was advanced persistence. This cycle's floor is full takeover. AISI is already building harder evals because the current ones saturated.

And Anthropic, the same week, killed the seventy-to-ninety-percent implicit subsidy that funded every Claude wrapper on the market. Starting June 15, programmatic usage through Cursor, Cline, Zed, OpenCode, and the Agent SDK meters against API credits at list price. ServiceNow, which is exactly the kind of buyer you would expect to see this coming, exhausted its full-year Anthropic budget by May. Their CDIO said publicly that Anthropic ships no per-user telemetry. Anthropic had no comment.

Three clocks shortened in the same week. The patch clock collapsed from days to hours. The capability clock jumped a full tier without an intermediate stop. The cost clock reset by a factor of five to ten on a date that is already on the calendar.

The patch SLA you're running is now an exposure window

The operational consequence is the same regardless of which lens you read this through. A thirty-day patch SLA on internet-facing infrastructure was calibrated for an adversary who needed thirty days. That adversary is no longer the marginal threat. PraisonAI's four-hour weaponization is the new base case, and AISI's confirmation says the population of attackers who can chain exploits at machine speed is no longer bounded by skilled-reverser supply.

TrustedSec made the matching point on defense: five commercial EDR products tested, all sharing the same architectural furniture — YARA rules, Lua engines, local ML classifiers — all reverse-engineered in days rather than weeks once an LLM is pointed at them. The obscurity premium that EDR vendors priced into their moat is gone. What you have left is identity, network telemetry, and recovery architecture. Whatever you bought to detect the binary is doing less work than the invoice suggests.

Mozilla's 271 Firefox bugs versus Daniel Stenberg's 1 CVE in curl is the cleanest data point of the week. Same model class, two-hundred-and-seventy-fold yield difference. The variable was the harness — Mozilla wrapped Mythos in their existing fuzzing infrastructure with reproducible test cases and ephemeral VMs; Stenberg pointed it at curl and got marketing. Build the harness or buy the model, but do not confuse them. The harness is where the leverage lives, on offense and defense.

The cost model you submitted in March is wrong by a multiple

Vercel's gateway data — two hundred thousand teams, seven months of production traffic — puts fifty-nine percent of token volume on multi-turn agentic workloads. That is the majority case now, not the upside case. Anthropic captures sixty-one percent of spend on the reasoning end. Google captures thirty-eight percent of volume on the cheap-throughput end. The bifurcation is structural.

If the eval harness you ship with still scores single-turn completions, it is measuring the forty-one percent minority. If the cost model still assumes a 3:1 input-output ratio, it is off by roughly five times — agentic traces run closer to 15:1. If the per-tenant attribution layer does not exist, you will discover the overrun the way ServiceNow did, from the invoice rather than the dashboard. Anthropic provides no native per-user telemetry. That observability gap is now your problem, on a deadline.

OpenAI dropped two months of free Codex for enterprise switchers the same day Anthropic metered the credits. The window closes July 13. Treat it as a free evaluation with asymmetric payoff — even a no-switch outcome leaves you with comparison data and renewal leverage you did not have last week.

What changes Monday

Do three things this week.

First, run active discovery for every NGINX, Traefik, Argo CD, LiteLLM, and MOVEit instance across public and internal subnets. The CMDB will not have them all — the eighteen-year-old NGINX bug means every fork, every vendored copy, every appliance pinning a 2014 build is in scope. Patch the perimeter tonight. Rotate every Kubernetes secret Argo CD could reach. Treat any LiteLLM-stored API key as burned and rotate it.

Second, model the new Anthropic invoice before June 15. The number you want is current third-party Claude usage minus the plan credit equivalent, multiplied by API rates. If that number breaks the budget, you have thirty days to either pilot Codex on the free offer or restructure the contract while you still have leverage. Ship per-customer, per-feature cost attribution before the next AI feature launches. The instrumentation Anthropic does not provide is the instrumentation you have to build.

Third, compress the critical patch SLA on internet-facing systems from thirty days to seventy-two hours and write it down. The SLA is the artifact that gets quoted in the post-mortem. If the document still says thirty, the post-mortem will say thirty.
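The cost model in the second step, and the 3:1 versus 15:1 ratio point from the cost section above, worked as an added example (my own code, not from any vendor or project named here): it rolls constructed gateway log lines up into per-tenant, per-feature token totals, shows the observed input-to-output ratio, compares list-price cost against what a 3:1 model would have predicted, and projects the post-June-15 invoice as usage minus plan credit. The log format, tenant and feature names, and the per-million-token rates are all placeholders I made up for the example.

```python
from collections import defaultdict

# Constructed placeholder list prices per million tokens; not a vendor price list.
RATE_IN_PER_MTOK = 1.0
RATE_OUT_PER_MTOK = 5.0
# Input-to-output ratio the March cost model assumed (3:1, per the piece above).
ASSUMED_RATIO = 3.0

# Constructed gateway log lines: tenant, feature, input and output token counts.
SAMPLE_LOG = [
    "tenant=acme feature=chat in=3000 out=1000",
    "tenant=acme feature=agent_run in=45000 out=3000",
    "tenant=acme feature=agent_run in=30000 out=2000",
    "tenant=globex feature=chat in=6000 out=2000",
    "tenant=globex feature=agent_run in=75000 out=5000",
]

def parse_line(line):
    """Parse one 'k=v' log line; raises KeyError/ValueError on malformed input."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return f["tenant"], f["feature"], int(f["in"]), int(f["out"])

def list_price(tokens_in, tokens_out):
    """Cost at list price for a given input/output token volume."""
    return tokens_in / 1e6 * RATE_IN_PER_MTOK + tokens_out / 1e6 * RATE_OUT_PER_MTOK

def attribute(lines):
    """Per (tenant, feature): token totals, observed in:out ratio, list-price cost."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        tenant, feature, n_in, n_out = parse_line(line)
        totals[(tenant, feature)][0] += n_in
        totals[(tenant, feature)][1] += n_out
    return {
        key: {"in": n_in, "out": n_out,
              "ratio": n_in / n_out if n_out else float("inf"),
              "cost": list_price(n_in, n_out)}
        for key, (n_in, n_out) in totals.items()
    }

def march_model_cost(report):
    """What the old model would have budgeted: same output, input at ASSUMED_RATIO."""
    return sum(list_price(r["out"] * ASSUMED_RATIO, r["out"]) for r in report.values())

def projected_invoice(report, plan_credit_equivalent):
    """Post-June-15 exposure: list-price usage minus the plan credit, floored at zero."""
    return max(0.0, sum(r["cost"] for r in report.values()) - plan_credit_equivalent)

if __name__ == "__main__":
    rep = attribute(SAMPLE_LOG)
    for (tenant, feature), r in sorted(rep.items()):
        print(f"{tenant:8}{feature:10} {r['ratio']:5.1f}:1  ${r['cost']:.4f}")
    print("march model:", march_model_cost(rep), "actual:", projected_invoice(rep, 0.0))
```

Agentic features in the sample run at 15:1 and dominate the gap between the March model and the actual list-price spend, which is the attribution you need per customer and per feature before the next launch.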

The stack the industry shipped on Monday assumed human-tempo adversaries, subsidized inference, and obscurity in the detection layer. None of those three assumptions survived the week.

◆ Behind the synthesis

Six specialist takes that fed this piece.

The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.

  1. Four bugs on consecutive layers of the cloud-native stack this week: Traefik auth bypass at ingress, Argo CD secret extraction at GitOps, LiteLLM actively exploited at the AI gateway, and an 18-year-old unauthenticated RCE in NGINX's rewrite module.

  2. NGINX disclosed an 18-year-old pre-auth RCE in the rewrite module today, affecting NGINX Plus and Open Source across edge proxies, ingress controllers, and API gateways.

  3. Anthropic ended the flat-rate Claude discount this week.

  4. Anthropic is killing the 70-90% implicit discount on third-party harness usage starting June 15 — every developer running Claude through Cursor, Cline, or OpenCode just got a 5-10x cost increase on that workflow.

  5. Two load-bearing security assumptions failed in the same seven days.

  6. Anthropic is at thirty billion in ARR with enterprise plumbing that would embarrass a Series B.
