> Cloud Security Alliance · 2026
AI finds critical bugs on demand. Patching was never going to keep up.
Niels Provos
$ mythos --target openbsd/tcp
scanning .................................. ok
FOUND 27-year-old DoS vulnerability
⚠ author of original commit (November 1998): N. Provos
Anthropic’s Mythos found real zero-days. Industry reaction: “frontier model magic.”
I replicated this with IronCurtain’s FSM workflow on:
- Opus 4.7 (Anthropic frontier)
- Sonnet 4.6 (mid-tier, cheaper)
- GLM 5.1 (open-weights)
The capability is no longer exclusive to frontier proprietary models. Any motivated researcher with API credits crosses the threshold.
Open source. Assume attackers have the same workflow.
Carlini, Anthropic. Even frontier models drift past this horizon.
The closer the model gets to its window, the worse it reasons about what it already read.
Left alone, the model declares done and moves on. Vulnerability research requires the opposite.
Same source code in. Same kind of bug out. Two very different decompositions of the work.
SINGLE PROMPT: frontier model, end-to-end
The model reads, hypothesizes, builds tests, runs them, and writes up findings, all inside one continuous conversation.
× Drifts past long horizons. Trained to finish, so takes shortcuts. Only frontier-scale models stay coherent long enough.
WORKFLOW: the problem decomposed into narrow steps
1. Map the code: entry points, assumptions.
2. Pick one specific suspicious pattern.
3. Write a harness that drives that code.
4. Execute millions of inputs. Watch for failures.
5. Record the input that triggered it.
✓ Each step is a fresh, narrow task. No stage requires holding the whole problem at once. Smaller models stay on track. Open-weights GLM 5.1 works.
You can’t use LLMs for enforcement — they’re not deterministic. The state machine is.
```mermaid
%%{init: {'flowchart': {'defaultRenderer': 'elk', 'nodeSpacing': 40, 'rankSpacing': 60}}}%%
flowchart TB
    analyzeNode[analyze]
    orchestratorNode[orchestrator]
    harnessNode["harness pipeline"]
    discoverNode[discover]
    triageNode[triage]
    escalationNode["human escalation"]
    concludeNode[conclude]
    analyzeNode --> orchestratorNode
    orchestratorNode -- reanalyze --> analyzeNode
    orchestratorNode -- harness_design --> harnessNode
    orchestratorNode -- discover --> discoverNode
    orchestratorNode -- triage --> triageNode
    orchestratorNode -- escalate --> escalationNode
    orchestratorNode -- complete --> concludeNode
    classDef hub fill:#12121a,stroke:#5b8fad,stroke-width:2px,color:#5b8fad
    classDef terminal fill:#12121a,stroke:#6dba6d,stroke-width:1px,color:#6dba6d
    classDef gate fill:#12121a,stroke:#c9a84c,stroke-width:1px,color:#c9a84c
    class orchestratorNode hub
    class concludeNode terminal
    class escalationNode gate
```
Orchestrator routes by verdict. Bounded loops with visit caps. Human gates on stalls. Every verdict audited before routing.
Material problems in every codebase I have run it against.
The goal is not to build a $20M zero-click exploit against iPhones. The bar is reproducible evidence a maintainer can act on.
Real runs against popular open-source media libraries. Project names redacted. Technical claims intact.
| Target | Component | Bug class | Severity | Notes |
|---|---|---|---|---|
| popular open-source image processing library | core memory primitive | Integer truncation. Heap OOB read/write. | High | Long-standing structural bug. Memory disclosure demonstrated through normal output channels. Found by an open-weights model, verified by hand. |
| popular open-source video codec library | decoder allocator | Integer wrap. Heap OOB write. | Medium | Multiplication overflow yields a severely undersized buffer. Writes through the publication path land in adjacent heap. Externally reachable on 32-bit builds. |
| popular open-source image processing library | container metadata loader | Unbounded allocation DoS | High | Modest crafted input drives runaway memory growth. Practical amplification under common transport encoding. |
| popular open-source image manipulation suite | niche image format decoder | No exploitable bug | | Orchestrator closed the hypothesis with execution evidence, not text reasoning. Negative results are results. |
If you’re a CISO and you approach your role as “I’m going to stand up a vulnerability management program” — that is a strategy that is going to fail.
Yesterday: Time-to-discover >> time-to-patch. Defenders win on cadence.
Today: AI collapses time-to-discover. The asymmetry inverted. You cannot patch faster than the discoverer can iterate.
Stop chasing bugs.
Build infrastructure that eliminates the attack surface.
A security invariant¹ is a machine-enforced constraint applied consistently across an infrastructure. It impedes one or more steps of an attack kill chain without requiring per-incident human security decisions. The bug may still exist. What changes is whether the attacker can complete the chain.
- Hardware 2FA: Mandatory physical tokens. Phishing and credential reuse become structurally impossible.
- Egress control: Allow-listed outbound destinations. Second-stage payloads and exfiltration channels break.
- Positive execution control: Only signed, allow-listed binaries run. Unknown malware cannot execute on the endpoint.
Analysis of 69 real-world breaches: these three would have prevented or contained over 65%.²
| Invariant | Breach class neutralized | Reference incident |
|---|---|---|
| Hardware 2FA | Credential phishing, password reuse | National Public Data, 2024 |
| Egress control | Second-stage payload, exfil | SolarWinds, 2020 |
| Execution control | Unknown binaries, supply-chain drops | OPM, 2015 |
Those three are a starting set. Invariants live at every layer of the stack. Two extremes:
ARM MTE on Android. Memory Integrity Enforcement on iOS. CHERI in research and early production.
Pointers and allocations are tagged at the hardware level. Most heap-class memory-safety bugs become unexploitable at the point of dereference. Works on unmodified binaries given an MTE-capable platform and a tag-aware allocator. Hardware refresh cycles can outpace software rewrite cycles.
Production deployment against insider risk.
Every access to sensitive data requires a verifiable business justification. No legitimate context, no access. Stolen credentials grant nothing on their own. The system enforces the justification check; no per-incident human in the loop.
¹ Framing thanks to Dino Dai Zovi.
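The justification-gated access invariant above, as an added example that is not the deployment the slides refer to: a single policy function where a valid credential is necessary but never sufficient, and the justification must be unexpired and bound to the same data subject. The ticket schema, the session store and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Justification:
    """A machine-checkable reason to touch one data subject's records (constructed schema)."""
    ticket: str
    subject_id: str        # which customer's data this justification covers
    expires: datetime      # justifications are short-lived, not standing grants

# Constructed sample store; in a real deployment this is fed by the ticketing/support system.
JUSTIFICATIONS: Dict[str, Justification] = {
    "T-1001": Justification("T-1001", "cust-42", datetime(2026, 1, 10, tzinfo=timezone.utc)),
}
# Constructed session store: the credential an attacker might have phished or stolen.
VALID_SESSIONS = {"sess-alice"}

def authorize(session: str, subject_id: str, ticket: Optional[str], now: datetime) -> Tuple[bool, str]:
    """Allow only when the credential is valid AND an unexpired justification names this subject.

    The decision is fully mechanical: no reviewer is consulted per request, and every
    denial carries a reason so the event can be logged and audited.
    """
    if session not in VALID_SESSIONS:
        return False, "unknown credential"
    just = JUSTIFICATIONS.get(ticket) if ticket else None
    if just is None:
        return False, "no justification"                 # stolen credentials alone stop here
    if just.subject_id != subject_id:
        return False, "justification covers a different subject"
    if now >= just.expires:
        return False, "justification expired"
    return True, "allowed"

if __name__ == "__main__":
    now = datetime(2026, 1, 9, tzinfo=timezone.utc)
    print(authorize("sess-alice", "cust-42", "T-1001", now))   # allowed
    print(authorize("sess-alice", "cust-42", None, now))       # valid credential, no context: denied
```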
“We can’t build that. We don’t have the engineering headcount.”
Historically true. Building structural defenses required serious software engineering — allow-list management, egress inventory, hardware rollout tooling, exception workflows. Most organizations couldn’t justify the spend against a patch program that looked like it was working.
The same capability that finds zero-days builds the defenses.
$ ironcurtain workflow start design-and-code \
"Build an egress allow-list manager for our prod VPCs"
planner ......... ok spec written
architect ....... ok design reviewed
coder ........... ok PR opened
⚠ time: hours, not quarters
AI coding inverts the historical cost curve. Invariants are now a decision, not a budget cycle.
The day after the zero-days, the winners are not the ones with the fastest patch cycle. They are the ones who made the bug class irrelevant.
Patching is a probabilistic race you are now losing.
Invariants are a structural property your attacker cannot iterate against.
And for the first time, you can build them at the speed of the threat.
> Thank You
“Heartbleed” — cybersecurity-themed EDM, released twelve years after the OpenSSL Heartbleed vulnerability · activ8te.io/heartbleed