The Pentester in the Loop
Both frontier labs shipped security products the same week a paper confirmed their models can’t tell their own thoughts from an attacker’s. Meanwhile Claude moved into your Slack channels — and the bill for all of it came due.
The Big Picture
The headline of the period is that AI security stopped being a panel topic and became a product line. OpenAI launched Daybreak — Codex Security, a GPT-5.5-Cyber model, and a Patch the Planet initiative already generating patches for cURL, the Linux kernel, FreeBSD, Go and Python. Anthropic’s Claude Mythos, in parallel, shipped 423 security fixes in a month and surfaced a 15-year-old bug in Firefox. This is offense and defense at ecosystem scale, and it’s arriving fast.
The irony writes itself. The same week, a paper on prompt injection as role confusion confirmed that models cannot reliably distinguish their own privileged text from untrusted input — worse, they weight writing style over actual content, so an attacker who mimics a model’s internal reasoning voice can talk it into almost anything. We are deploying LLMs to find and fix vulnerabilities while the LLMs themselves remain structurally insecure. If you ship agents, this tension is now your problem, not a researcher’s.
The second big shift is interaction. Claude Tag puts a proactive, persistent, multiplayer agent directly into Slack channels — Karpathy calls it the third major redesign of LLM UI/UX, and the framing is right. The agent stops being a tool you open and becomes a colleague you @-mention.
And underneath both: money. The subsidized “tokenmaxxing” era is visibly ending. Token budgets are starting to look like capital allocation, an affordability crisis is trending, and — not coincidentally — an open model that runs a 45-minute autonomous task for $3.36 suddenly looks less like a curiosity and more like a strategy.
Themes
AI security grows teeth — and a blind spot
The throughline across a dozen items: security is now a first-class AI application, with its own models, evals, and skill libraries. OpenAI’s Daybreak bundles a Codex Security plugin for deep scans, attack-path tracing and patch generation; Anthropic’s Mythos work shows the real lesson is architectural — the model was “only half the story,” the goal-loop harness did the heavy lifting. On the evaluation side, Eugene Yan’s patterns for cybersecurity evals (sandboxed target, difficulty-tunable inputs, tools, a grader) and Gray Swan’s Kolter and Fredrikson arguing AI security “is not just cybersecurity with AI” mark out the discipline’s edges.
But the same period delivered the counterweight. Prompt injection as role confusion is the must-read here: models take the style of text more seriously than its content, so text dressed up as a model’s own <think> block can override policy. If you’re building anything that mixes trusted instructions and untrusted input — which is every agent — assume the boundary leaks.
Go deeper: Daybreak · Mythos / 15-year Firefox bug · Prompt injection as role confusion · Cybersecurity eval patterns · Gray Swan on AI security
Claude joins the team: the third UI redesign
Last edition we noted agents acquiring identity, auth, and secrets. Claude Tag is the payoff — and worth treating as a genuine step, not a re-announcement. Tag Claude into a Slack channel and it spins up its own sandboxed instance per thread, clones repos, writes and tests code, and throws the environment away when done — with per-channel memory and permissions. It’s proactive, monitoring channels and drafting PRs without being prompted. Boris Cherny claims 65% of the product team’s new code already comes from an internal version.
The security design is the interesting part: Claude can’t see the credential secrets it uses and respects channel/workspace boundaries — exactly the identity-and-secrets discipline that’s now table stakes. Karpathy’s “third UI/UX redesign” framing is the bit to internalize: chat → IDE agent → ambient teammate. Early signal on adoption beyond Anthropic, but the paradigm is the thing to watch.
Go deeper: Claude Tag · Karpathy on the new paradigm · Latent Space writeup
The allocation era: ROI comes for tokens
The economics turned this week. Every’s Token Tightening calls it cleanly: the tokenmaxxing era — measuring adoption by raw consumption — is over, and token budgets are starting to look like trading portfolios, with the biggest compute going to whoever can prove returns. The trend has company: AI’s affordability crisis hit 307 points on HN, and an ML engineer’s cross-provider pricing comparison found the caching numbers surprising enough to spreadsheet. Even fchollet got in on it with token min-maxing.
For a developer, the practical read: cost is becoming a first-class design constraint again, after a long subsidized holiday. Expect more routing logic, more caching, and harder questions about which workloads justify a frontier model.
Go deeper: Token Tightening · AI’s affordability crisis · Cross-provider pricing sheet
The open frontier lands for real (GLM-5.2 update)
We introduced GLM-5.2 last edition as a capability threshold. This period it’s a behavior threshold: people are actually switching. Lenny ran it through codebase audits and a 45-minute autonomous bug hunt in Cursor and Claude Code and is replacing Opus with it — total cost $3.36. Nathan Lambert frames it as a step change for open agents, and swyx notes Z.ai has beaten DeepSeek to the world’s top open model post-IPO. The local crowd is already grafting MTP heads onto quants to push it from 2.5 to 50 tok/s on a GH200.
Alongside it, Apertus — an open foundation model pitched at “sovereign AI” — pulled 531 points, a reminder that the open-weights conversation is increasingly about who controls the model, not just how good it is.
Go deeper: Replacing Opus with GLM-5.2 · Step change for open agents · Apertus
The harness is half the story
A quieter but compounding theme: the agent loop, not the base model, is where the leverage is. Mozilla’s 423 fixes came from a goal-loop harness; Jason Liu’s “Codex-maxxing” is about preserving context across long-running work; ByteDance’s deer-flow (2,521 stars) packages sandboxes, memory, subagents and a message gateway into a long-horizon harness. Research is catching up to the same insight from two directions: Qwen-AgentWorld (72 upvotes) trains language world models to simulate the environment side of an agent loop across seven domains, and OpenThoughts-Agent opens the data-curation recipe for broadly capable agents after 100+ ablations.
The sobering counterpoint is NatureBench: frontier coding agents beat published SOTA on only 17.8% of real Nature-family tasks, succeeding mostly through “methodological translation” — reframing science as supervised prediction — rather than genuine invention. Better harnesses, yes; autonomous discovery, not yet.
Go deeper: Qwen-AgentWorld · OpenThoughts-Agent · deer-flow · NatureBench · Codex-maxxing
Radar
- Qwen-AgentWorld-35B-A3B — A 3B-active MoE language world model that predicts environment responses across MCP, terminal, SWE, Android, web and OS GUI domains; a new primitive for training and testing agents.
- Baidu Unlimited-OCR — 3.3B multilingual OCR (MIT) that transcribes dozens of pages in one forward pass, sidestepping the KV-cache blowup of token-by-token OCR.
- PP-OCRv6 — 50-language OCR scaling from 1.5M to 34.5M params, for when Unlimited-OCR is overkill.
- Kilo Code — “All-in-one agentic engineering platform” and one of the most popular open coding agents, 4,206 stars this week.
- Anthropic Cybersecurity Skills — 817 structured security skills mapped to MITRE ATT&CK, NIST CSF, ATLAS and more, working across Claude Code, Copilot, Codex and Cursor; 3,456 stars.
- cocoindex-code — Lightweight AST-based code search CLI that claims a 70% token saving for coding agents.
- RubyLLM — A single, clean Ruby framework across all major providers; a sign the agent tooling wave is finally reaching non-Python ecosystems.
- Haystack — Mature open framework for production agents and RAG, back on the front page.
- DeepSWE — Contamination-free coding benchmark written from scratch across 91 repos and 5 languages; harder and more honest than SWE-bench.
- Confident Decoding — Training-free trick that decodes from a near-final layer to dodge “alignment tax” perturbations, with sub-2% latency cost on reasoning benchmarks.
- Jalapeño — OpenAI and Broadcom’s custom LLM-inference chip; relevant mostly as a signal of where the cost curve (see “allocation era”) is headed.
- Moebius in the browser — Simon Willison ports a 0.2B image-inpainting model to WebGPU via Claude Code; a tidy demo of small models + browser runtimes.
Don’t Miss
- fchollet on complexity as a tax — A sharp thread arguing that with agentic coding, complexity now compounds mechanically: junk code lands in the repo, pollutes the context window, degrades reasoning, and begets more junk. The clearest articulation yet of why “it works” isn’t good enough in the agent era.
- Don’t use AI to write things you present as your own work — A pointed ethics-and-craft argument (105 points) that’s a useful gut-check as Claude Tag starts authoring 65% of someone’s commits.
- Two policy items worth a glance: a bill mandating location-tracking for advanced AI chips is gaining industry backing, and — in the strangest twist of the week — the Swiss Federal Supreme Court is evaluating abliteration tooling because over-aligned models keep refusing legitimate legal queries. Both are early signals that the governance fight is getting more concrete.