The Strait of Hormuz was open on February 27, 2026. Twenty percent of the world’s oil flowed through it. No tolls. No blockade. No crisis. Then Trump slammed his little fist on the bright red Palantir “easy” button on his big desk.
On February 28, the United States and Israel launched strikes on Iran, killing its supreme leader and seriously depleting American preparedness for actual war. Iran closed the strait and waited.
The math is stupid, it’s so simple.
The Pentagon told Congress the first six days cost $11.3 billion. Harvard’s Kennedy School estimates $2 billion a day in short-term costs. The AEI puts the five-week total between $22.3 billion and $31 billion. The Pentagon has requested an additional $200 billion from Congress.
Get it?
Spend $30 billion to close a strait that was open.
Then ask for $200 billion to reopen it.
While you also say you will close it, because… when talks fail, blockade the strait and float the idea of the United States charging tolls on the strait you blockaded because the enemy closed it because you bombed them.
Every phase of this stupidity costs more than the last.
Every phase intentionally escalates to generate new contracts, new munitions orders, new revenue for the targeting platforms that identify the next set of things to destroy. It’s like lighting taxpayer money on fire.
Which brings us to news about Friday’s “Truth Social” post.
“Palantir Technologies (PLTR) has proven to have great war fighting capabilities and equipment. Just ask our enemies!!!”
Trump included the stock ticker. PLTR was down 14% for the week. CREW flagged the post as a potential attempt to pump the stock of a major backer that had sponsored multiple administration events and donated to the White House ballroom project.
Note the roles converging in one person.
Trump is the commander-in-chief who authorized the strikes. He is the head of the government that provides more than half of Palantir’s U.S. revenue. He is the promoter of the stock on social media.
Customer, warmaker, and pitchman.
When Trump pumped Tesla, the conflict was financial.
Source: White House Press Secretary
The Tesla pump killed hundreds. Here the conflict is financial and operational, killing thousands. Palantir’s “Maven Smart System” identifies targets for the strikes. School girls? Triple tap? The war crime strikes sustain the MAGA rage. The rage sustains the contracts. The contracts sustain the stock price. The president sustains all of it and then posts the ticker symbol when the price dips.
Germans know what’s going on. They remember history. Suhrkamp offers a taxonomy of the American techno-sovereign crisis, with Cum-Ex prosecutor Anne Brorhilker holding up the shelf.
Palantir’s own communications chief called the company’s political shift toward the Trump administration “concerning.” The video of her saying it was scrubbed from the internet because Palantir has a social truth problem.
Michael Burry is holding puts. He believes the fundamental value is well under $50 a share. Why not $5? The stock trades at $126. The gap between actual and speculation value is sheer corruption, held open by cooked government contracts tied to a war that has cost at least $30 billion to bomb school children and produced a global energy crisis that did not exist seven weeks ago.
The strait was open. Trump spent tens of billions to close it. Now Trump is trying to spend hundreds of billions to… repeatedly claim he can open and close it while he tries to juice his stocks for whatever happens next.
NBC News just ran a story called The Vulnpocalypse about Anthropic’s decision to withhold its Mythos model from the public. The tone is, well, you know.
The author, Kevin Collier, lined up well-known cybersecurity vendors to stoke fear that AI-powered hackers will crash financial systems, lock up hospitals, and shut down water treatment plants.
Sigh.
Anyone who has worked in security long enough will recognize this FUD genre immediately. Replace “AI” with “war dialer” and this is the exact same article WarGames generated in 1983. At least back then we said the word war out loud instead of just implying it.
Captain Crunch Whistles for Everyone!
Back in 1983 some Milwaukee teenagers called the 414s (Milwaukee area code, yeah) waltzed into the unprotected computers at Los Alamos National Laboratory and Memorial Sloan-Kettering Cancer Center using nothing more exotic than a modem and a telephone line. The Newsweek cover on September 5, 1983 featured the word “hacker” for the first time on a major magazine cover.
The youngest of the 414s, therefore able to pose on the cover of Newsweek, September 5, 1983
Congress held hearings. Ronald Reagan was shown the movie WarGames and asked the Joint Chiefs if the premise was real. Within a week the answer was: “Yes, the premise was technically possible.” Eighteen months later he pushed a signature onto NSDD-145, the first Presidential directive on computer security.
The actual legal consequences for the 414s were two years’ probation and a $500 fine for phone harassment. And even that seemed a bit much.
Time Magazine in 1983 with stern warning that network attacks on computers will kill someone.
Neal Patrick became a media star. John Draper, Captain Crunch himself, had been phreaking the phone system with a cereal box whistle and people talked about it as though he were going to bring down AT&T. The whistle found in kids’ cereal boxes exploited in-band signaling on the analog phone network (2600 Hz tone on the same channel as voice). The fix was to push for the long-overdue move to out-of-band signaling (SS7). It stands as proof of the harm from natural monopolies refusing to invest in baseline safety. Dare I say history tends to rhyme even when it doesn’t repeat?
The vulnerability landscape was real, the exploitation was incremental, and the apocalyptic framing served the companies selling defenses. McAfee built an entire empire on this dynamic, most memorably during the 1992 Michelangelo virus panic, when John McAfee personally stoked fear that millions of computers would be destroyed on March 6th. The press amplified, the public panicked, almost nothing happened, and McAfee’s sales went through the roof. Perhaps most bizarre was how he became a security industry celebrity for undermining trust in the security industry. The vendors and conference attendees at events like BlackHat or Defcon acted as if Enron’s CEO should have been the toast of Wall Street.
The Same Article, Forty-Three Years Later
Collier’s piece follows the 1983 script with remarkable fidelity. The threat model is identical: hypothetical unsophisticated attackers gain access to powerful tools, critical infrastructure is vulnerable, and the proposed solution is withholding the tool from the public while sharing it with “partners.” By this logic we should be terrified of kids getting a hold of sophisticated string and precision percussion instruments. Jazz? Rock and Roll? Catastrophe.
The Soviet state both said “today he plays jazz, tomorrow he betrays his country” and also printed cheerful matchbox art of ФЕСТИВАЛЬ (Festival) when the political winds shifted. The threat level of the instrument depended entirely on who was in charge that year.
His expert sourcing follows a similar pattern. Quote a government official convening emergency meetings (Treasury Secretary Bessent gathering the banks). Quote a vendor whose business model depends on threats expanding (Casey Ellis, founder of Bugcrowd). Quote a former FBI official warning about “wannabes” (Cynthia Kaiser, now a senior vice president at Halcyon). Close with water treatment plants. Everyone drinks water, it’s life. That’s a strong FUD move. Every quoted source in this piece stands to gain from security industry services related to the scariest story possible. Bugcrowd, Halcyon, Luta Security, Scythe. Who needs advertising when the article is the ad?
The Atlantic’s Priority
The Atlantic’s Matteo Wong went even further than Collier. His hyperventilated lede described Mythos as “a tool potentially capable of commandeering most computer servers in the world” that could “hack into banks, exfiltrate state secrets, and fry crucial infrastructure.”
It’s the opposite of reporting. It is the language of a film trailer. Anyone deep inside AI at the operations level knows how fundamentally flawed it remains versus humans.
Wong’s most consequential move was positioning Anthropic as a peer to nation-state intelligence services: “This level of cyberattack is typically available only to elite, state-sponsored hacking cells.” This framing matters because once the press treats a private company as operating at nation-state capability, the company inherits the presumption of nation-state authority over disclosure, access, and classification. Which is precisely what Project Glasswing establishes.
The Atlantic in 2023 published my co-authored article on real, documented AI harm. Tesla’s vehicles have been crashing into trees, killing motorcyclists, and veering off roads for years. The body count is in the hundreds now and the design flaws are landing in court cases. No Treasury Secretary convenes an emergency meeting over it. No consortium of tech giants receives $100 million to address it. Tesla AI notoriously “veers” uncontrollably and fatally crashes. Design defects (e.g. Pinto doors) trap occupants and burn them to death as horrified witnesses and emergency responders watch helplessly. Source: VoCoFM, Korea, 2024
But a company announces that its AI could hypothetically find software vulnerabilities faster than defenders could close them, and the entire press corps treats it like the fall of civilization.
Wired Gets It
WIRED’s Lily Hay Newman was the exception. She included skeptics, named Anthropic’s financial incentive, and quoted Niels Provos saying the model “doesn’t intrinsically change the problem space.” She quoted me, and so I’m pointing right back at her. Cisco’s president is out there calling Mythos “a very, very big deal” and Anthropic’s own red team lead is describing how “the phone calls got shorter and shorter.” Well, ok, but the counterargument at least got a seat at the table and may be the least prone to hallucinations.
Water Tanks
In 1915, a battle-hardened and war-weary Winston Churchill funded development of armored tractors meant to break through trenches, barbed wire, and machine gun nests. The British War Office ordered hundreds built under strict secrecy. The project was initially disguised as “water tanks”, which denied German intelligence any insight into what was actually being manufactured. The codename stuck, which is why ironically we still say tanks to speak of things that are not tanks.
The tank changed battlefield tactics, but it most certainly did not end battlefields. The immediate response was to dig better trenches and adapt doctrine. And, as always, a side that understood a new weapon’s limitations and integrated it into combined-arms operations won. A side that waxed about mythical wonder weapons, lost.
The history of the rifle tells the same story even more precisely. The bolt-action rifle gave way to the repeating rifle, which gave way to automatic fire. Each transition made a previous method more specialized. Each technology innovation demanded doctrinal adaptation. None of the innovations ended war. A rifle is not only still a rifle, the NRA whines constantly that you shouldn’t regulate an automatic rifle differently from a powder musket.
Vulnerability discovery has a similar question of progression. Manual research was bolt-action. Automated scanners were repeating. AI-assisted discovery is automatic. What Anthropic built with Mythos is a much faster fuzzer. And since they aren’t a security company at all, they probably are running around the office as if their hair is on fire yelling “what do we do, what do we do” instead of seeing it the way Churchill looked at a tank.
I say this from battle experience. When cloud computing arguably was first launched (e.g. Loudcloud, by Andreessen et al) I punched a massive hole right through claims about customer isolation. It was a normal finding, in my estimation. A service provider says customers are isolated, and my tool says nope. I handed the finding to the man sitting next to me and he literally jumped out of his chair, waved his hands in the air, ran out of the room and around the office yelling “OMG we’re in! We’re in!” He was, shall we say, less experienced.
Zero-day vulnerabilities have been found and disclosed continuously since the term was coined. Google’s Project Zero has been publishing them for a decade. The entire bug bounty industry exists because this is ordinary work. Finding two hundred exploits faster than the previous tool found 2 is an efficiency gain in the rate of fire. It is not a civilizational rupture. And here is what the coverage systematically omits: faster discovery means faster patching. A tool that finds vulnerabilities at scale is, by definition, a tool that enables remediation at scale. That makes it a patch accelerator. The question is who controls the framing.
I have spent over a decade working with AI and showing companies both how to break and how to secure it. What I can report from being deep in the field for so long is that the fundamentals have not changed. You still need someone who knows where to point the weapon, and you still need a trench to fight from. The obfuscation is in calling the automatic rifle a magic alien death ray.
Withholding as the Product
“Our model is so dangerous we can’t release it” is, of course, the same sentence as “our model is so valuable you need us.” Such product mystique reads to me more like another geturked presentation to those in power than a proper public threat modeling disclosure.
Kupferstich eines “Schachtürken”
Rename “we built a better fuzzer” to “we possess a weapon too dangerous for the public” and you have a centuries-old trick in the defense contractor playbook.
Anthropic announced that Mythos produced 181 working exploits from a vulnerability set where the previous flagship model succeeded only twice. That is a real capability jump and should be taken seriously.
What should also be taken seriously is what happened next: Anthropic shared the model exclusively with twelve tech giants under Project Glasswing, backed by $100 million in usage credits. The withholding became the product launch. “Too dangerous to release” turned out to be the most effective marketing copy the industry has ever produced, and both Collier and Wong ran it as news.
The Treasury meeting completes a very shady picture. Bessent convenes the banks, Anthropic briefs the banks, and suddenly every major financial institution has a rather convenient public-private attachment to Anthropic’s vulnerability discovery capability. That is an undemocratic merger wrapped in false national security fearmongering.
Back Door
The timeline gives it away. On February 27, 2026, Defense Secretary Hegseth raged about making Anthropic a supply chain risk after the company refused his demands to strip safeguards against mass surveillance and autonomous weapons from Claude. Hegseth bloviated so hard, he made Anthropic the first American company ever given a designation normally reserved for foreign adversaries. Anthropic naturally sued, because common sense has to go to court. A judge blocked the designation.
Five weeks later, Anthropic announced Mythos and handed it directly to Microsoft, Google, Apple, Amazon, and the rest of the companies the Pentagon depends on for its entire technology stack. The front door closed and the back door opened wider. When the Secretary of Defense designates you a foreign adversary over a contract dispute, the direct route to military integration is blocked. But you can achieve the same position by making yourself the security backbone of every company the military depends on. No contract. No congressional testimony. No use restrictions. The money flows through the same channels. The brand stays “clean” of Hegseth.
The Doctrine, Not the Weapon
Grant and Sherman won the Civil War by combining coordinated force with the systematic destruction of the enemy’s capacity to produce war. The engagement mattered less than the doctrine. AI vulnerability discovery tools follow the same logic: they are force multipliers for whatever doctrine you already have. If your doctrine is “sell fear,” they push a LOT of fear. If your doctrine is “map the attack surface and hold the line,” they multiply that.
The question nobody in the Vulnpocalypse coverage has asked is whether zero-day resolution is now accelerating faster than zero-day discovery. If it is, then Mythos is a net defensive tool and the entire panic narrative collapses. Anthropic has the data to answer this. They have not published it, to my knowledge. My guess is they lack the security experience to frame it that way.
The 1983 version of this panic produced NSDD-145 and eventually the Computer Fraud and Abuse Act, real legislation born from manufactured urgency. The 2026 version is producing something structurally different: a private company functioning as a classification authority that decides who gets access to vulnerability discovery capabilities and on what terms. That is a larger institutional shift than the old Presidential directive, and it is happening while the press runs “Vulnpocalypse” headlines and quotes panic pill vendors.
The exhausted CISOs and security teams I talk to many times every day already know the AI tools are real and they know the rate of fire has changed. What they need is a defensible position against the flood of AI vendors who confuse a product launch with the end of the world.
Anthropic calls its patch accelerator Mythos for the same reason Churchill called his tractors tanks. The name disguises the use, preventing doctrinal analysis.
Churchill hid the function so the enemy couldn’t develop counterdoctrine. Anthropic hides the function so the market can’t judge how a defensive tool is being pitched as an offensive threat.
Cloudflare kicked off Agents Week with a blog post asking important questions about AI infrastructure: “which agent are you, who authorized you, and what are you allowed to do?”
Then they moved on to talk about isolates.
The Right Stuff
The Cloudflare post’s core argument is that containers were built for one application to serve many users.
Of course they were. The efficiency of a “service” being multi-user is as old as humanity itself. We don’t ride the shared infrastructure of the Internet, enjoying the massive speed and efficiency gains, wishing we had laid our own dedicated fiber from every person we want to communicate with securely. History shows why. “Sewer socialism” was a period that solved this mess, by developing literal shared sewer systems, fire departments, police stations, and telecommunications, saving America the embarrassment of “radical individualist” infrastructure disastersClick to enlarge. Source: In These Times
The dozens of CISOs I met with last week were asking me how do we run more agents? And I certainly was not telling them to light up one user, one agent, one task. To put it another way, if a CISO asks me about how to scale hardware, I might say let’s talk about a hypervisor to run software-based virtual machines. If a CISO asked me how to scale software-based machines, I might say let’s talk about containers… and so the logic of “sewer socialism” in shared infrastructure lives on.
Cloudflare enters this context saying containers now are too heavy for agents. V8 isolates start in milliseconds, use megabytes instead of gigabytes, and cost orders of magnitude less per session. At the scale agents require, isolates win.
This is correct. Cloudflare is stating the obvious. They have the network. They have the edge. They are like the contractors who provide the cafeteria for your office. But a cafeteria is not a chef. And a chef operating in your building, reading all your email, accessing all your financial accounts, and talking to your coworkers, in fact needs more than a fast startup time to serve hot meals on time.
The Wrong Stuff
Cloudflare’s post reveals a gap, yet they aren’t talking about it directly. Today’s agent deployments are “fraught with risk: prompt injection, data exfiltration, unauthorized API access, opaque tool usage.”
CISOs feel huge pressure to open up “productivity” gains yet can’t sign off because a security model doesn’t exist yet. OpenClaw is one of the biggest design disasters in software history: a single golden key that doesn’t rotate and can be stolen without detection.
Cloudflare’s answer is to merge their developer platform with their zero trust platform. Two products, built for different audiences, being stitched together like a Frankenstein. That takes time. And, for those who forget the science-fiction warning, stitching is not the same as weaving.
The artificially over-hyped open-source agent platform, one that suddenly showed up with 341,000 GitHub stars and little evidence for why, consolidates access to every messaging channel behind a single static token in a single process. No channel isolation. No credential rotation. No audit trail. It’s an embarrassment to the word engineering, a complete absence of design and no sense of accountability.
Cloudflare is stepping in where they operate, at the infrastructure layer. The compute, the network, the edge. And then what sits between that infrastructure and the user’s actual data remains an open question.
That question has an easy answer.
Are Your Agents Wirken Yet?
Wirken is a secure, model-agnostic AI agent orchestration platform. It exists because the tools that run agents against your messaging channels and business data should be built to deserve that access.
The security is not slopped in or bolted on. It is designed with baselines in mind and enforced at compile time.
Every channel adapter runs in its own OS process. A Slack credential cannot touch a Telegram session. This is not a runtime permission check that can be bypassed. It is a Rust phantom type constraint. Cross-channel access is a compiler error. It does not run. It does not build.
Credentials live in an encrypted vault using XChaCha20-Poly1305 with OS keychain integration. They are scoped per channel and rotate. The secret type has no Display, no Debug, no Serialize, no Clone. It zeroes on drop. A credential cannot leak through logging, serialization, or accidental copy because the type system will not allow it.
Every agent action is recorded in an append-only, SHA-256 hash-chained audit log before execution. Tamper with any entry and the chain breaks. Forward it to your SIEM. Hand it to your auditor. It is a complete, verifiable record of what every agent did, when, and with whose authorization.
Skills are signed with Ed25519. Unsigned code does not run. The skill registry is not a marketplace where 20% of entries are malicious. It is a supply chain with cryptographic verification.
The Cafeteria and the Chef
Cloudflare used a good analogy. A traditional application is like an industrial form of restaurant: fixed menu, optimized kitchen, high volume. An agent is a chef who asks what you want (chicken or shrimp), then improvises with whatever tools and ingredients the task requires.
Extend the analogy. The chef is in your office. You hand the chef keys to the entire building. The chef can open all your files, read all your communications, and assume your identity to send messages as you.
You want that chef to be fast with the meal. You also want to know which chef is in your building, who sent them, what they are allowed to touch, and a tamper-proof record of everything they did while they were there.
Cloudflare is building the high-speed kitchen. Fast counters, efficient burners, millisecond cleanup. Wirken is the system that makes sure that any chef you interact with is doing what that chef was authenticated and authorized to do. Different layers. Complementary.
What This Looks Like in Practice
Wirken ships as a single static Rust binary. No runtime dependencies. No Node.js. No container orchestrator. Install it, configure your channels and your model, and run it.
It is model-agnostic. Point it at Anthropic, Gemini, OpenAI, Ollama for local inference, or even Privatemode for confidential inference inside hardware enclaves. The orchestration layer does not care which model you use. The security guarantees are the same regardless.
It runs behind Cloudflare Tunnel today. Any self-hosted Wirken instance gets a public endpoint for webhook-based channel adapters without exposing ports. Cloudflare handles the network. Wirken handles the trust boundary.
It has nine channel adapters for a reference architecture: Telegram, Discord, Slack, Teams, Matrix, WhatsApp, Signal, Google Chat, iMessage. It comes with fifteen bundled skills (natively compatible with OpenClaw) and MCP server support.
Two Layers, One Stack
The shift to agents needs defense-in-depth. The compute layer that makes agents affordable at scale is coming faster than ever. Now an orchestration layer that makes agents safe to deploy is on the table.
Cloudflare asked great questions. Which agent are you, who authorized you, and what are you allowed to do?
Ugh. Any angler knows that a fish circling a lure is ready to bite. It is the most important moment in the sequence. It’s not hesitation. It’s the last check before commitment. A better lure doesn’t make fish circle more when they already circle. You need the lure to reduce circle to less time, because it passes final inspection sooner.
Deciphering mosquito host-seeking behavior is essential to prevent disease transmission through mosquito capture and surveillance. Despite recent substantial progress, we still lack a comprehensive quantitative understanding of how visual and other sensory cues guide mosquitoes to their targets.
They built a model that predicts flight paths. What they should have built is a model that predicts target rejection. The circle is the authentication window. Every mosquito that circles and leaves is telling you exactly which credential your trap failed to present. CO2 got them to the door. The silhouette got them to slow down. Something in the final check bounced them.
Why?
That’s why the flight path geometry is the least interesting part of their own data. The interesting data is the authentication failure rate and what correlates with it.
Which mosquitoes completed the approach and which ones broke off? At what point in the circle? Facing which part of the target? That’s where the species-level targeting logic lives.
Maybe I need to fish less but the parallel goes further. Nobody studies the shape of a fish’s approach path to improve lure design. We study what makes a fish strike or turn away. The strike-to-rejection ratio is the metric. Everything else is circular.
Twenty million mosquito data points? That’s a lot of circles for nothing.
a blog about the poetry of information security, since 1995
