The four-hour exploit window is the new operating tempo

An 18-year-old unauthenticated RCE in NGINX's rewrite module shipped this week, alongside a CVSS 10.0 auth bypass in Traefik and a 9.8 in MOVEit Automation whose shape matches the 2023 Cl0p campaign. PraisonAI's CVE-2026-44338 went from disclosure to active exploitation in four hours. The UK AISI confirmed Anthropic's Mythos and OpenAI's GPT-5.5-cyber complete autonomous full-network takeover end-to-end — the first models to clear both simulated ranges. And the Vercel AI Gateway, with telemetry from 200,000+ teams, now reports 59% of token volume is agentic.

These are not five stories. They are one story told from five angles. The operating tempo of the stack you ship into has compressed by an order of magnitude, and the assumptions that justified your patch SLA, your eval harness, your vendor contract, and your detection stack all broke in the same cycle.

The patch SLA is fiction

Four hours is the number to internalize. PraisonAI sits in the LLM-orchestration layer, where dependency graphs are wide and downstream patch cadence runs in weeks. Traefik's bug isn't a buffer overflow — it's an architectural auth bypass that makes every middleware decoration ornamental. The NGINX bug sat undiscovered since before most fuzzing harnesses that should have caught it existed.

Draw the chain on a whiteboard: Traefik bypass reaches an internal service, Spring Cloud Config (CVSS 9.1, same week) reads cloud credentials, Argo CD (9.6, also same week) extracts plaintext Kubernetes secrets, cluster owned. Credentials required: zero. Six CVSS 9.0+ vulnerabilities hit consecutive layers of a standard cloud-native deployment in one disclosure window, and LiteLLM is already on CISA's KEV catalog with confirmed in-the-wild exploitation. The 30-day patch window was calibrated for a world where weaponization took weeks. That world is over.

Meanwhile TrustedSec ran LLMs against five commercial EDR products and found they share identical architectures — YARA rules, Lua engines, local ML classifiers — now reverse-engineerable in days instead of weeks. The endpoint agent was load-bearing because the cost of understanding it exceeded the value of bypassing it. That premise no longer holds for a growing share of the threat population. The compensating controls that matter from here are identity, network telemetry, and behavioral analytics above the endpoint. The agent becomes one signal among several.

Your eval harness is measuring the minority

59% of production token volume is agentic. Anthropic captures 61% of spend on Opus for reasoning. Google captures 38% of volume on Flash for throughput. There is no vendor loyalty in that data — it's a textbook tiered-routing signature, already at scale.

If your eval harness scores single-turn pass@1 on curated prompts, you are scoring the 41%. The 59% is multi-turn sessions of 10–50 API calls before anything user-visible appears, with input-output ratios closer to 15:1 than the 3:1 most cost models were fit on. That's a 5x error on spend, asymmetric across vendors, with the median request no longer a useful planning unit. Sayash Kapoor's argument is the right default: outcome-only metrics systematically underestimate failure modes in capable agents, because stronger agents surface reward-hacking paths weaker ones can't reach. The pass@1 curve flattens exactly when real reliability is diverging.

The specific gap to close is trajectory-level instrumentation: tool-call precision and recall, steps to completion, cost per successful task, drift detection across turns. Microsoft's published agent memory architecture stabilizes at 400–500 memories with 97.2% retention; persona drift is measurable within eight rounds. None of that shows up in a benchmark designed for chat completion.

Anthropic's June 15 deadline is in 16 days

Anthropic planned for 10x growth and got 80x. The patch is leasing xAI's entire Colossus 1 cluster — 220,000+ GPUs, including GB200s — from the CEO who three months ago publicly called them evil. Rivals do not lease capacity to declared enemies during a glut. Nebius posted 684% YoY Q1 growth with four-plus customers bidding per GPU. The public-market "AI capex glut" narrative is trading against a private-market reality where compute is being financialized in $10B+ bilateral blocks.

The pricing change that lands June 15 is surgical. Claude usage through third-party tools — Zed, Conductor, OpenCode, T3 Code, custom Agent SDK harnesses — moves to a separate credit pool capped at plan value. After exhaustion, you pay full API rates. The 70–90% implicit discount that built unit economics for a generation of wrappers is gone. ServiceNow burned its full-year Anthropic budget by May with zero per-user telemetry to attribute the spend. PagerDuty and National Life Group describe the same pattern. ServiceNow's CDIO is now building the workaround, calling it AI Control Tower, and selling it to other enterprises. The market is routing around a vendor deficiency and minting a category in the process.

OpenAI's counter — two months free Codex for enterprise switchers, expiring July 13 — is timed displacement pricing. Take the comparison data either way. Even a no-switch outcome gives you negotiation leverage and a warm second provider, which is no longer optional.

What to do this week

Three concrete moves, in order of how much they hurt to delay.

First, rewrite the patch SLA tonight. 72 hours for internet-facing critical CVEs, not 30 days. Patch NGINX, Traefik, Argo CD, LiteLLM, and Spring Cloud Config in that order. Rotate every Kubernetes secret Argo could read. Patching the binary is not enough — the secrets read during the vulnerable window must be assumed compromised.

Second, deploy an LLM gateway with per-team, per-feature cost attribution before June 1. LiteLLM, Portkey, or your own. Tag every request, alert daily on budget burn, and add a second frontier provider behind automatic 429/5xx failover. ServiceNow had controls and still missed it. You will not catch it passively.

Third, instrument trajectory-level metrics on whatever agent surface ships next. Tool-call precision and recall. Steps per task. Cost per successful outcome, not cost per token. Flag agent traffic in your experimentation platform — 81% of bot detection bypasses succeed against AI-orchestrated headless browsers, which means your A/B populations are already contaminated and your ranking models are already optimizing for agent-preferred artifacts.

The four-hour window is the SLA now. Everything downstream of that — pricing, evals, detection, procurement — is a derivative.