Cloud Security Alliance · 2026

The Day After the Zero-Days

AI finds critical bugs on demand. Patching was never going to keep up.

Niels Provos

The Headline

$ mythos --target openbsd/tcp

scanning .................................. ok

FOUND 27-year-old DoS vulnerability

 

⚠ author of original commit (November 1998): N. Provos

Anthropic’s Mythos found real zero-days. Industry reaction: “frontier model magic.”

The Twist

I replicated this with IronCurtain’s FSM workflow on:

  • Opus 4.7: Anthropic frontier
  • Sonnet 4.6: mid-tier, cheaper
  • GLM 5.1: open-weights

The capability is no longer exclusive to frontier proprietary models. Any motivated researcher with API credits crosses the threshold.

Open source. Assume attackers have the same workflow.

Why a Single Prompt Fails

Long-horizon ceiling

~15h max coherent prompt-following¹

Carlini, Anthropic. Even frontier models drift past this horizon.

Context degradation

↓↓↓ accuracy near context limit

The closer the model gets to its window, the worse it reasons about what it already read.

Trained to finish

takes the easy path

Left alone, the model declares done and moves on. Vulnerability research requires the opposite.

Two Ways to Find a Bug

Same source code in. Same kind of bug out. Two very different decompositions of the work.

SINGLE PROMPT: frontier model, end-to-end

ONE RUNNING CONTEXT

The model reads, hypothesizes, builds tests, runs them, and writes up findings, all inside one continuous conversation.

× Drifts past long horizons. Trained to finish, so takes shortcuts. Only frontier-scale models stay coherent long enough.

WORKFLOW: the problem decomposed into narrow steps

  1. READ. Map the code: entry points, assumptions.
  2. HYPOTHESIZE. Pick one specific suspicious pattern.
  3. BUILD TEST. Write a harness that drives that code.
  4. RUN. Execute millions of inputs. Watch for failures.
  5. CONFIRM. Record the input that triggered it.

Each step is a fresh, narrow task. No stage requires holding the whole problem at once. Smaller models stay on track. Open-weights GLM 5.1 works.

Finite-State Machines

You can’t use LLMs for enforcement — they’re not deterministic. The state machine is.
  • Orchestrator + append-only ledger. One agent routes; every state writes evidence to disk.
  • Fresh context per state. Each agent boots from artifacts, not a 200k-token transcript.
  • Constrained verdicts. The state can only emit a verdict from a fixed set. No “done, looks fine.”
  • Forced behaviors. “You are not allowed to complete. You are only allowed to analyze.”

vuln-discovery.yml

%%{init: {'flowchart': {'defaultRenderer': 'elk', 'nodeSpacing': 40, 'rankSpacing': 60}}}%%
flowchart TB
  analyzeNode[analyze]
  orchestratorNode[orchestrator]
  harnessNode["harness pipeline"]
  discoverNode[discover]
  triageNode[triage]
  escalationNode["human escalation"]
  concludeNode[conclude]

  analyzeNode --> orchestratorNode
  orchestratorNode -- reanalyze --> analyzeNode
  orchestratorNode -- harness_design --> harnessNode
  orchestratorNode -- discover --> discoverNode
  orchestratorNode -- triage --> triageNode
  orchestratorNode -- escalate --> escalationNode
  orchestratorNode -- complete --> concludeNode

  classDef hub fill:#12121a,stroke:#5b8fad,stroke-width:2px,color:#5b8fad
  classDef terminal fill:#12121a,stroke:#6dba6d,stroke-width:1px,color:#6dba6d
  classDef gate fill:#12121a,stroke:#c9a84c,stroke-width:1px,color:#c9a84c

  class orchestratorNode hub
  class concludeNode terminal
  class escalationNode gate
          

Orchestrator routes by verdict. Bounded loops with visit caps. Human gates on stalls. Every verdict audited before routing.
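A minimal sketch of the deterministic side of this design, added here as an illustration and not IronCurtain's own code: the routing table comes from the flowchart's edge labels, while the cap value, the ledger record fields, the assumption that every non-terminal state reports back to the orchestrator, and the `scripted` stand-in for a model are all assumptions.

```python
import json

# Verdict -> next state, copied from the edge labels in vuln-discovery.yml above.
ROUTES = {
    "reanalyze": "analyze",
    "harness_design": "harness pipeline",
    "discover": "discover",
    "triage": "triage",
    "escalate": "human escalation",
    "complete": "conclude",
}
TERMINAL = {"human escalation", "conclude"}
VISIT_CAP = 3  # assumed value; the slides do not state the cap


def run_workflow(agent, ledger_path, visit_cap=VISIT_CAP):
    """Route until a terminal state. `agent(state)` stands in for the model call
    and returns a verdict string; this deterministic loop does the enforcing."""
    state, visits, step = "analyze", {}, 0
    while state not in TERMINAL:
        step += 1
        visits[state] = visits.get(state, 0) + 1
        raw, note = None, ""
        if visits[state] > visit_cap:
            verdict, note = "escalate", "visit cap reached"  # human gate on a stall
        else:
            raw = verdict = agent(state)
            if verdict not in ROUTES:  # audit the verdict before routing on it
                verdict, note = "escalate", "verdict outside fixed set"
        entry = {"step": step, "state": state, "raw": raw,
                 "verdict": verdict, "next": ROUTES[verdict], "note": note}
        with open(ledger_path, "a", encoding="utf-8") as ledger:  # append, never rewrite
            ledger.write(json.dumps(entry) + "\n")
        state = ROUTES[verdict]
    return state


def scripted(verdicts):
    """Constructed stand-in for a model: replays a list, then repeats its last item."""
    replay, last = iter(verdicts), [verdicts[-1]]

    def agent(_state):
        last[0] = next(replay, last[0])
        return last[0]
    return agent
```

A model that keeps answering `reanalyze`, or that answers with free text such as "done, looks fine", ends in `human escalation` with the reason recorded in the ledger.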

What the Workflow Finds

Material problems in every codebase I have run it against.

  • PROVEN: Execution-based proof, not detector output
  • PROVEN: Sanitizer fires, attacker-visible effect demonstrated
  • STOPS AT: Exploitation primitive, not weaponized exploits

The goal is not to build a $20M zero-click exploit against iPhones. The bar is reproducible evidence a maintainer can act on.

Four of Many

Real runs against popular open-source media libraries. Project names redacted. Technical claims intact.

FOUND PATCHED

popular open-source image processing library

core memory primitive


Integer truncation. Heap OOB read/write.

High

Long-standing structural bug. Memory disclosure demonstrated through normal output channels. Found by an open-weights model, verified by hand.

FOUND PATCHED

popular open-source video codec library

decoder allocator


Integer wrap. Heap OOB write.

Medium

Multiplication overflow yields a severely undersized buffer. Writes through the publication path land in adjacent heap. Externally reachable on 32-bit builds.

FOUND PATCHED

popular open-source image processing library

container metadata loader


Unbounded allocation DoS

High

Modest crafted input drives runaway memory growth. Practical amplification under common transport encoding.

RULED OUT

popular open-source image manipulation suite

niche image format decoder


No exploitable bug

  • 71% line coverage
  • 51 targeted seeds
  • 239k+ fuzz iterations

Orchestrator closed the hypothesis with execution evidence, not text reasoning. Negative results are results.

Vulnerability Management Is a Failing Strategy

If you’re a CISO and you approach your role as “I’m going to stand up a vulnerability management program” — that is a strategy that is going to fail.

Yesterday

Time-to-discover >> time-to-patch. Defenders win on cadence.

Today

AI collapses time-to-discover. The asymmetry inverted. You cannot patch faster than the discoverer can iterate.

The Pivot

Stop chasing bugs.
Build infrastructure that eliminates the attack surface.

A security invariant¹ is a machine-enforced constraint applied consistently across an infrastructure. It impedes one or more steps of an attack kill chain without requiring per-incident human security decisions. The bug may still exist. What changes is whether the attacker can complete the chain.

Three Invariants, 65% of Breaches

Hardware 2FA

Mandatory physical tokens. Phishing and credential reuse become structurally impossible.

Egress control

Allow-listed outbound destinations. Second-stage payloads and exfiltration channels break.

Positive execution control

Only signed, allow-listed binaries run. Unknown malware cannot execute on the endpoint.

Analysis of 69 real-world breaches: these three would have prevented or contained over 65%.²
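A default-deny evaluator for the egress-control invariant, added here as an illustration and not taken from the talk or from IronCurtain. The policy, hostnames, addresses and flow records are constructed placeholders, and the flow-record format is an assumption.

```python
import ipaddress

# Constructed policy: names and addresses are placeholders (RFC 2606 / RFC 5737).
ALLOWED_DOMAINS = {"updates.example.com", "example.net"}  # exact name or any subdomain
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
ALLOWED_PORTS = {443}


def egress_allowed(dest, port):
    """Default deny: True only if destination and port both match the allow-list."""
    if port not in ALLOWED_PORTS:
        return False
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None  # not an IP literal, treat as a hostname
    if ip is not None:
        return any(ip in net for net in ALLOWED_NETS)
    name = dest.rstrip(".").lower()  # normalise case and a trailing root dot
    # Match on label boundaries so "notexample.net" does not pass as "example.net".
    return any(name == d or name.endswith("." + d) for d in ALLOWED_DOMAINS)


# Constructed flow records, one per line: "source destination port".
FLOWS = """\
10.0.1.5 updates.example.com 443
10.0.1.5 cdn.example.net 443
10.0.1.9 notexample.net 443
10.0.1.9 198.51.100.7 443
10.0.2.3 203.0.113.50 443
10.0.2.3 updates.example.com 8443
"""


def blocked_flows(text):
    """Return (source, destination, port) for every flow the policy denies."""
    denied = []
    for line in text.splitlines():
        src, dest, port = line.split()
        if not egress_allowed(dest, int(port)):
            denied.append((src, dest, int(port)))
    return denied
```

The look-alike domain, the address outside the allowed network and the allowed host on an unlisted port are all denied without any per-flow human decision.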

What Each One Kills

| Invariant         | Breach class neutralized             | Reference incident         |
|-------------------|--------------------------------------|----------------------------|
| Hardware 2FA      | Credential phishing, password reuse  | National Public Data, 2024 |
| Egress control    | Second-stage payload, exfil          | SolarWinds, 2020           |
| Execution control | Unknown binaries, supply-chain drops | OPM, 2015                  |

The Invariant Stack

Those three are a starting set. Invariants live at every layer of the stack. Two extremes:

HARDWARE LAYER

Memory Tagging¹

ARM MTE on Android. Memory Integrity Enforcement on iOS. CHERI in research and early production.

Pointers and allocations are tagged at the hardware level. Most heap-class memory-safety bugs become unexploitable at the point of dereference. Works on unmodified binaries given an MTE-capable platform and a tag-aware allocator. Hardware refresh cycles can outpace software rewrite cycles.

APPLICATION LAYER

Context-Aware Data Access

Production deployment against insider risk.

Every access to sensitive data requires a verifiable business justification. No legitimate context, no access. Stolen credentials grant nothing on their own. The system enforces the justification check; no per-incident human in the loop.

¹ Framing thanks to Dino Dai Zovi.

The Old Objection

“We can’t build that. We don’t have the engineering headcount.”

Historically true. Building structural defenses required serious software engineering — allow-list management, egress inventory, hardware rollout tooling, exception workflows. Most organizations couldn’t justify the spend against a patch program that looked like it was working.

What Changed

The same capability that finds zero-days builds the defenses.

$ ironcurtain workflow start design-and-code \
    "Build an egress allow-list manager for our prod VPCs"

planner ......... ok   spec written

architect ....... ok   design reviewed

coder ........... ok   PR opened

⚠ time: hours, not quarters

AI coding inverts the historical cost curve. Invariants are now a decision, not a budget cycle.

The Takeaway

The day after the zero-days, the winners are not the ones with the fastest patch cycle. They are the ones who made the bug class irrelevant.

Patching is a probabilistic race you are now losing.
Invariants are a structural property your attacker cannot iterate against.
And for the first time, you can build them at the speed of the threat.

Thank You

Find me here.

“Heartbleed” — cybersecurity-themed EDM, released twelve years after the OpenSSL Heartbleed vulnerability · activ8te.io/heartbleed