Sakura Sky

@hellosakura
3 Followers
7 Following
34 Posts
Driving innovation where cloud, data, and security meet.
Intelligence. Engineered.
Web: https://www.sakurasky.com/
LinkedIn: https://www.linkedin.com/company/sakura-sky/

Out now: The Autonomous Horizon - a strategic white paper for executive teams, written by our co-founder Andrew Stevens.

It draws together the six-part series we published last month and translates the operating-model argument for the CEO, CFO, COO, CMO, CRO, and CIO. Includes a board-level diagnostic.

Free, 34 pages.

https://whitepaper.download/autonomoushorizon/

#EnterpriseAI #OperationalAutonomy

The Autonomous Horizon

A strategic white paper for the executive team. The operating model, the architecture, and the leadership decisions that will define the next decade.

The Mythos Ledger finale.

Across five posts, one fault line: machine-speed action, human-speed governance, and the attack surface in the gap.

The Resilient Cloud is what you build when governance moves down to the altitude of action. Three layers - build-time invariants, runtime intent-checking, verification before response. One architecture.

Governance at the altitude of action. Anything slower is a slower attack surface.

https://www.sakurasky.com/blog/mythos-ledger-part-5/

#infosec #AI

The Mythos Ledger, Part 5: The Resilient Cloud Manifesto

The series finale. Across four posts, we identified three machine-speed problems - discovery, intelligence, identity - that share the same shape. Resilience is what you build when you accept that governance has to operate at the same altitude as action.

Three numbers from GTG-1002:

1. 80–90% of tactical operations executed by AI autonomously

2. 4–6 human decision points per campaign

3. Thousands of requests per second

Not a benchmark. A production espionage campaign against thirty real targets, riding service accounts and static credentials at machine speed.

Stop vaulting secrets. Eliminate them.

Part 4 of The Mythos Ledger is out:

https://www.sakurasky.com/blog/mythos-ledger-part-4/

#infosec #identity

The Mythos Ledger, Part 4: Identity in the Autonomous Enterprise and Why the Agent Is the New Perimeter

Non-human identities now outnumber humans by 40:1, 100:1, and in hyper-automated environments by 500:1. When AI agents do 80–90% of an attack autonomously, the question is no longer whether your IAM works for humans - it's whether it works at all for the systems doing most of the work, attacking and defending.

Project Glasswing has a $100M coalition, twelve launch partners, and an antitrust problem.

Whether or not it's a cartel, the operational reality is here: vulnerability intelligence is now tiered. Coalition members first. Approved orgs next. Everyone else waits.

Three architectural patterns close the disclosure-to-patch gap. Part 3 of The Mythos Ledger:

https://www.sakurasky.com/blog/mythos-ledger-part-3/

#infosec #AI

The Mythos Ledger, Part 3: The Glasswing Strategy - From Defensive Coalitions to Cloud Immunity

Anthropic's $100M Project Glasswing is the first attempt to flip the economics of AI-driven vulnerability research before offensive capabilities proliferate. We unpack the coalition, the antitrust critique, and the cloud architecture that lets the Autonomous Enterprise consume defensive intelligence at machine speed.

Four warning signs you're being sold an AI security tool by a marketing team, not an engineering team:

1. They talk about model size instead of accuracy
2. Their evidence is a case study they wrote
3. Key features are "shipping next quarter"
4. They reframe uncomfortable questions

Our free checklist asks the questions vendors avoid. No gate.

https://www.sakurasky.com/white-papers/signal-to-noise-checklist/

#infosec #leadership

Signal-to-Noise: A Checklist for Evaluating AI Security Tools

A 24-question evaluation framework for security teams procuring AI-driven discovery and remediation tooling. Built around the four-stage funnel from finding to actionable vulnerability.

Three questions to ask any AI security vendor before you sign:

1. Can your tool show my team how to recreate the problems it flags?

2. Are your tests run against something that looks like our setup, or a lab?

3. What's your false-alarm rate, and how do you measure it?

If they can't answer clearly, you're being sold marketing, not engineering.

21 more questions, free, no gate:
https://sakurasky.com/white-papers/signal-to-noise-checklist/

#infosec #leadership

Three numbers from Firefox 150:

271 vulns surfaced by Claude Mythos
3 credited to Claude as standalone CVEs
98% below the standalone-CVE bar

Not a failure of the model. The 4-stage funnel working as designed: finding → reachability → exploitability → impact.
Part 2 of The Mythos Ledger: why detection commoditised but primitive construction hasn't, and how to architect for the verification gap.

https://www.sakurasky.com/blog/mythos-ledger-part-2/

#infosec #AI

The Mythos Ledger, Part 2: The Verification Crisis

AI-driven discovery has lowered the cost of finding bugs by an order of magnitude. The cost of proving which ones are actually exploitable hasn't moved. That gap is the defining operational problem in security right now - and the architecture to close it is more concrete than most teams realise.

The Firefox 150 / Mythos result is being read two unhelpful ways:

1. "AI broke security" - overstated. Mozilla said none of the 271 were beyond an elite human. Cost collapse, not new class of attacker.

2. "It's hype" - also overstated. AISI's 32-step benchmark (3/10 full, 22/32 avg) is a real trajectory.

My read: discovery is cheap, verification is the bottleneck. Invest in verification before discovery.

https://www.sakurasky.com/blog/mythos-ledger-part-1/

#infosec #AISecurity

The Mythos Ledger, Part 1: The Firefox Watershed and the New Baseline of Vulnerability

Claude Mythos surfaced 271 vulnerabilities in a single Firefox evaluation pass. The number isn't the story - the collapse in the cost of discovery is. What CTOs and CISOs need to reset before the next cycle.

Firefox 150 fixed 271 vulnerabilities surfaced by Claude Mythos Preview. Before the hype carries us:

* 271 findings, 3 credited CVEs. Most likely lower-severity. Still a triage problem.

* AISI 32-step benchmark: 3/10 full, 22/32 avg. Test ranges had no live defenders, no EDR, no IR.

* Mozilla: none of the 271 were beyond an elite human. Cost collapse, not new class of attacker.

Our architecture response holds up at 100% or 60% true.

https://www.sakurasky.com/blog/mythos-ledger-part-1/

#infosec #AI

The Autonomous Horizon, Part 6: the architecture of trust.

Four pillars, one architecture.

GATE, the Governed Agent Trust Environment. Open, implementable, published under CC/MIT.

https://www.sakurasky.com/blog/autonomous-horizon-part-6/

The Autonomous Horizon, Part 6: The Architecture of Trust

The four pillars of the autonomous enterprise describe the operating model. GATE names the framework that makes it engineerable.