ai-security
8 items · chronological order
Anthropic's AI Hacked the Firefox Browser. It Found a Lot of Bugs.
The independent credibility piece for Anthropic's security capabilities. Claude found 100+ Firefox bugs (14 high-severity) in two weeks -- more high-severity than the world reports to Mozilla in two months. The Curl counter-narrative is the buried lede: AI bug reports are 95% garbage (Stenberg data), making Claude's hit rate the real differentiator, not the volume. Most important detail: Claude is better at finding bugs than exploiting them -- the defender/attacker asymmetry currently favors defenders, but that gap is temporary.
Codex Security: now in research preview
Same-day competitive counter to Anthropic with stronger receipts: 15 named CVEs in the appendix (GnuTLS heap overflows, GnuPG stack buffer overflow, GOGS 2FA bypass), published improvement curves (84% noise reduction, 90%+ severity over-reporting reduction, 50%+ false positive reduction). The threat model architecture -- building an editable intermediate artifact before scanning -- is the most interesting pattern: it generalizes as "make the agent's understanding inspectable before execution." Broader tier access (Pro through Edu) weakens the dual-use containment narrative but maximizes adoption velocity.
Making frontier cybersecurity capabilities available to defenders
Product announcement dressed as research disclosure. Claude Code Security uses multi-stage self-verification to scan codebases beyond pattern-matching SAST. The 500-vuln claim has no CVEs, no false positive rates, and no comparison to existing tools. Zero external validation in the announcement itself -- the WSJ/Firefox piece did that work. The real play: security scanning as a loss-leader wedge for enterprise platform deals. Neither lab announced pricing.
Codex Security: now in research preview
Codex Security shipped with receipts: 15 named CVEs, published noise-reduction curves showing 84% improvement, and false positive rates cut by over 50%, giving enterprise buyers metrics to evaluate rather than claims to trust. The structurally interesting detail is the threat model architecture, which builds an editable intermediate artifact before scanning, making the agent's reasoning inspectable before execution. That pattern generalizes well beyond security, but it sits in direct tension with the cognitive load data surfacing elsewhere this week: if inspecting the agent's intermediate state is what makes it trustworthy, the oversight burden migrates rather than shrinks. Broad tier access from Pro through Edu maximizes adoption velocity while quietly undermining any dual-use containment argument either lab has made. The CISO budget is the Trojan horse for the engineering budget, and both labs are through the door.
Justice Department Says Anthropic Can't Be Trusted With Warfighting Systems
The DOJ's filing reveals a dependency it was supposed to prevent: Claude is currently the only AI model cleared for classified DOD systems, which means the supply-chain risk designation is partly a self-inflicted wound. The government's argument that Anthropic "could" sabotage warfighting systems conflates a vendor's contractual right to set usage terms with criminal sabotage, and the distinction matters for every AI company negotiating enterprise AUPs. The real signal is structural: safety restrictions are now priced as commercial liability in the defense market, and the replacement vendors inheriting these contracts gain not just revenue but classified use-case intelligence that compounds for years.
Vulnerability Research Is Cooked
Every IT department runs on a hidden subsidy: the scarcity of people smart enough to hack them. Anthropic's Frontier Red Team just demonstrated 500 validated high-severity vulnerabilities from a trivial bash script and Claude Opus 4.6, no fuzzers, no specialized tooling, just raw model inference. The Bitter Lesson is about to hit security like a brick: 80% of exploit development was jigsaw-puzzle grinding, and now everyone has a universal solver. The scarce resource isn't intelligence anymore; it's the ability to patch faster than agents can find what's broken.
How Anthropic Ended the Cybersecurity Stock Selloff
CRWD dropped 7% and PANW 6% the day the Mythos leak surfaced autonomous vulnerability discovery at scale. Twelve days later both reversed, CRWD +5% and PANW +4%, when Anthropic named them Glasswing launch partners with exclusive model access: the same capability that looked like a replacement became an amplifier the moment it was sold as one. At $25/$125 per million tokens, $100M in credits as customer acquisition, and $30B ARR disclosed the same week, restricted frontier access isn't just safety policy; it's the go-to-market.
How Anthropic Ended the Cybersecurity Stock Selloff
CRWD fell 7% and PANW 6% the day autonomous vulnerability discovery at scale became visible; twelve days later both reversed, CRWD +5% and PANW +4%, after Anthropic named them Glasswing launch partners with exclusive Mythos access. The same capability that read as replacement became amplifier the moment it was sold as one — which is the clearest demonstration this week of how scarcity and safety become indistinguishable as business strategy. At $25/$125 per million tokens and $100M in credits deployed as customer acquisition, Anthropic is using restricted frontier access the way platform companies use exclusivity deals: not to limit adoption, but to route it. This is the Glasswing inversion of the OpenClaw decision — one story about cutting access to protect margins, the other about granting access to establish a coalition, both moves made in the same week by the same company. The $30B ARR disclosure in the same window wasn't incidental; restricted access compounds fastest when the numbers confirm the frontier is real.