Abstract: Anthropic's Mythos recently made headlines for discovering zero-day vulnerabilities, but this capability is no longer exclusive to massive proprietary models. By orchestrating finite-state machine workflows through IronCurtain, I replicated these findings using Opus 4.7, Sonnet 4.6, and GLM 5.1. The workflow finds material problems in every source code base I have analyzed. This democratization of AI vulnerability discovery empowers open-source maintainers but also proves that traditional vulnerability management is a failing strategy. We cannot patch our way to security when accessible models uncover critical flaws on demand. Instead of chasing patches, organizations must invest in security invariants that categorically eliminate attack vectors, as outlined at securityblueprints.io. Implementing just three fundamental invariants prevents over sixty percent of vulnerabilities. These include enforcing egress control to block unauthorized external communication, applying positive execution control to run only trusted software, and utilizing mandatory hardware second factors to prevent password phishing. Historically, building these structural defenses demanded significant software engineering resources. Today, AI coding changes that reality, enabling us to deploy the invariants needed to render these newly discovered vulnerabilities less impactful.
Bio: Niels Provos is a German-American security researcher with a PhD in computer science from the University of Michigan. He co-invented the bcrypt password hashing method, contributed to OpenSSH, and developed the Honeyd honeypot system. He led most of Google's security engineering teams and co-founded Safe Browsing, and later served as Head of Security at Stripe. He is the creator of IronCurtain, an open-source AI agent security runtime. He also produces cybersecurity-themed electronic dance music as Activ8te, with tracks featured on the DEFCON soundtrack, and is a voting member of the Recording Academy.