AI Update
Wednesday, June 24, 2026

The Pentester in the Loop

Both frontier labs shipped security products the same week a paper confirmed their models can’t tell their own thoughts from an attacker’s. Meanwhile Claude moved into your Slack channels — and the bill for all of it came due.

The Big Picture

The headline of the period is that AI security stopped being a panel topic and became a product line. OpenAI launched Daybreak — Codex Security, a GPT-5.5-Cyber model, and a Patch the Planet initiative already generating patches for cURL, the Linux kernel, FreeBSD, Go and Python. Anthropic’s Claude Mythos, in parallel, shipped 423 security fixes in a month and surfaced a 15-year-old bug in Firefox. This is offense and defense at ecosystem scale, and it’s arriving fast.

The irony writes itself. The same week, a paper on prompt injection as role confusion confirmed that models cannot reliably distinguish their own privileged text from untrusted input — worse, they weight writing style over actual content, so an attacker who mimics a model’s internal reasoning voice can talk it into almost anything. We are deploying LLMs to find and fix vulnerabilities while the LLMs themselves remain structurally insecure. If you ship agents, this tension is now your problem, not a researcher’s.

The second big shift is interaction. Claude Tag puts a proactive, persistent, multiplayer agent directly into Slack channels — Karpathy calls it the third major redesign of LLM UI/UX, and the framing is right. The agent stops being a tool you open and becomes a colleague you @-mention.

And underneath both: money. The subsidized “tokenmaxxing” era is visibly ending. Token budgets are starting to look like capital allocation, an affordability crisis is trending, and — not coincidentally — an open model that runs a 45-minute autonomous task for $3.36 suddenly looks less like a curiosity and more like a strategy.

Themes

AI security grows teeth — and a blind spot

The throughline across a dozen items: security is now a first-class AI application, with its own models, evals, and skill libraries. OpenAI’s Daybreak bundles a Codex Security plugin for deep scans, attack-path tracing and patch generation; Anthropic’s Mythos work shows the real lesson is architectural — the model was “only half the story,” the goal-loop harness did the heavy lifting. On the evaluation side, Eugene Yan’s patterns for cybersecurity evals (sandboxed target, difficulty-tunable inputs, tools, a grader) and Gray Swan’s Kolter and Fredrikson arguing AI security “is not just cybersecurity with AI” mark out the discipline’s edges.

But the same period delivered the counterweight. Prompt injection as role confusion is the must-read here: models take the style of text more seriously than its content, so text dressed up as a model’s own <think> block can override policy. If you’re building anything that mixes trusted instructions and untrusted input — which is every agent — assume the boundary leaks.

Go deeper: Daybreak · Mythos / 15-year Firefox bug · Prompt injection as role confusion · Cybersecurity eval patterns · Gray Swan on AI security

Claude joins the team: the third UI redesign

Last edition we noted agents acquiring identity, auth, and secrets. Claude Tag is the payoff — and worth treating as a genuine step, not a re-announcement. Tag Claude into a Slack channel and it spins up its own sandboxed instance per thread, clones repos, writes and tests code, and throws the environment away when done — with per-channel memory and permissions. It’s proactive, monitoring channels and drafting PRs without being prompted. Boris Cherny claims 65% of the product team’s new code already comes from an internal version.

The security design is the interesting part: Claude can’t see the credential secrets it uses and respects channel/workspace boundaries — exactly the identity-and-secrets discipline that’s now table stakes. Karpathy’s “third UI/UX redesign” framing is the bit to internalize: chat → IDE agent → ambient teammate. Early signal on adoption beyond Anthropic, but the paradigm is the thing to watch.

Go deeper: Claude Tag · Karpathy on the new paradigm · Latent Space writeup

The allocation era: ROI comes for tokens

The economics turned this week. Every’s Token Tightening calls it cleanly: the tokenmaxxing era — measuring adoption by raw consumption — is over, and token budgets are starting to look like trading portfolios, with the biggest compute going to whoever can prove returns. The trend has company: AI’s affordability crisis hit 307 points on HN, and an ML engineer’s cross-provider pricing comparison found the caching numbers surprising enough to spreadsheet. Even fchollet got in on it with token min-maxing.

For a developer, the practical read: cost is becoming a first-class design constraint again, after a long subsidized holiday. Expect more routing logic, more caching, and harder questions about which workloads justify a frontier model.

Go deeper: Token Tightening · AI’s affordability crisis · Cross-provider pricing sheet

The open frontier lands for real (GLM-5.2 update)

We introduced GLM-5.2 last edition as a capability threshold. This period it’s a behavior threshold: people are actually switching. Lenny ran it through codebase audits and a 45-minute autonomous bug hunt in Cursor and Claude Code and is replacing Opus with it — total cost $3.36. Nathan Lambert frames it as a step change for open agents, and swyx notes Z.ai has beaten DeepSeek to the world’s top open model post-IPO. The local crowd is already grafting MTP heads onto quants to push it from 2.5 to 50 tok/s on a GH200.

Alongside it, Apertus — an open foundation model pitched at “sovereign AI” — pulled 531 points, a reminder that the open-weights conversation is increasingly about who controls the model, not just how good it is.

Go deeper: Replacing Opus with GLM-5.2 · Step change for open agents · Apertus

The harness is half the story

A quieter but compounding theme: the agent loop, not the base model, is where the leverage is. Mozilla’s 423 fixes came from a goal-loop harness; Jason Liu’s “Codex-maxxing” is about preserving context across long-running work; ByteDance’s deer-flow (2,521 stars) packages sandboxes, memory, subagents and a message gateway into a long-horizon harness. Research is catching up to the same insight from two directions: Qwen-AgentWorld (72 upvotes) trains language world models to simulate the environment side of an agent loop across seven domains, and OpenThoughts-Agent opens the data-curation recipe for broadly capable agents after 100+ ablations.

The sobering counterpoint is NatureBench: frontier coding agents beat published SOTA on only 17.8% of real Nature-family tasks, succeeding mostly through “methodological translation” — reframing science as supervised prediction — rather than genuine invention. Better harnesses, yes; autonomous discovery, not yet.

Go deeper: Qwen-AgentWorld · OpenThoughts-Agent · deer-flow · NatureBench · Codex-maxxing

Radar

Don’t Miss