Eclecta The frontier, distilled Daily brief 2026-05-19

Tuesday, May 19, 2026

Two vendor field reports put a security-tuned Anthropic model preview to work on real codebases and credit the scaffolding over the model, as Marc Brooker reframes where coding agents win.

Two field reports on a security model preview

Cloudflare’s Project Glasswing reports running a security-tuned model preview against more than 50 of its own repositories. The model, which Cloudflare names only by the internal codename Mythos and attributes to Anthropic, did two things prior frontier models did not, the company says: it chained low-severity primitives into working exploits, from a use-after-free to arbitrary read/write to a ROP chain, and it validated its own proofs by writing, compiling, and running them, then retrying on failure. Rival models found the same bugs and stopped. The codename is anonymized, so none of this is independently verifiable.

The durable lesson is architectural. A single agent pointed at a repository covers about 0.1% of 100,000 lines before its context fills, so Cloudflare built a pipeline: reconnaissance, roughly 50 narrow hunters in parallel, an independent adversarial validator running a different model that cannot emit findings of its own, deduplication, cross-repository reachability tracing, and a schema-validated report. Splitting “is it a bug” from “is it reachable” is the center of the design.
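The stage separation described above, as an added Python sketch that is not Cloudflare's code: hunters propose candidates, the validator can only confirm or reject ids that already exist, duplicates collapse, and reachability is recorded as its own field. The schema, ids, function names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed report schema for this sketch; the page does not give Cloudflare's.
SCHEMA = {"id": str, "file": str, "line": int, "bug_class": str, "reachable": bool}

@dataclass(frozen=True)
class Candidate:
    id: str
    file: str
    line: int
    bug_class: str

def apply_verdicts(cands, verdicts):
    """Keep candidates the validator confirmed. Verdicts keyed to ids no hunter
    produced are never looked up, so the validator cannot emit findings of its own."""
    return [c for c in cands if verdicts.get(c.id) is True]

def dedupe(cands):
    """Collapse the same site reported by several parallel hunters."""
    first = {}
    for c in cands:
        first.setdefault((c.file, c.line, c.bug_class), c)
    return list(first.values())

def validate(row):
    """Reject rows with missing, extra or mistyped fields."""
    if set(row) != set(SCHEMA):
        raise ValueError(f"bad fields: {sorted(row)}")
    for key, typ in SCHEMA.items():
        if type(row[key]) is not typ:  # exact type, so True is not a valid line
            raise ValueError(f"{key} must be {typ.__name__}")
    return row

def build_report(cands, verdicts, reachable_ids):
    """'Is it a bug' (validator) and 'is it reachable' (tracing) stay separate:
    a confirmed bug is reported even when no reachable path is known."""
    confirmed = dedupe(apply_verdicts(cands, verdicts))
    return [validate({"id": c.id, "file": c.file, "line": c.line,
                      "bug_class": c.bug_class, "reachable": c.id in reachable_ids})
            for c in confirmed]

# Constructed sample data, not taken from either report.
CANDIDATES = [
    Candidate("h01-1", "src/parse.c", 120, "use-after-free"),
    Candidate("h07-3", "src/parse.c", 120, "use-after-free"),  # same site, other hunter
    Candidate("h02-1", "src/io.c", 44, "integer-overflow"),
    Candidate("h03-1", "src/log.c", 9, "format-string"),
]
VERDICTS = {"h01-1": True, "h07-3": True, "h02-1": True, "h03-1": False,
            "v-extra": True}  # "v-extra" is an id no hunter produced
REPORT = build_report(CANDIDATES, VERDICTS, reachable_ids={"h01-1"})
```
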

Mozilla reports a parallel result, excerpted by Michael Tsai: Firefox 150 ships fixes for 271 vulnerabilities surfaced by an early build of the same preview, after 22 from an earlier Opus model in Firefox 148. Mozilla’s Brian Grinstead credits the custom harness, not the raw model, and says it found nothing an elite human could not have. Neither report gives false-positive rates or methodology, and both vendors sell what they call the fix. Cloudflare adds that the preview ran with safeguards stripped and refused tasks inconsistently by framing, which it argues means organic guardrails cannot stand as a safety boundary.

What coding agents make easy

Marc Brooker, a senior principal engineer at AWS, argues that coding agents are feedback loops wrapped around a flawed open-loop part, the language model, the way control-theory feedback turns an analog multiplier into a square-rooter. His hypothesis: an agent’s ceiling is set by the supply of accurate, automatable feedback, not by model quality. The inversion cuts against intuition. SaaS and UI work is hard, because its feedback runs through slow humans; systems software is easy, because specs, APIs, and safety and liveness properties give the loop something to check. He predicts rising value for verification tools — Rust, Verus, TLA+, property-based testing. It is a hypothesis from experience, with no benchmarks behind it.

A faster Flash that costs more

Google made Gemini 3.5 Flash generally available at I/O 2026, pitching it as its strongest coding and agent model with a 1M-token context, per a smol.ai recap. Its wins over Gemini 3.1 Pro are on Google’s own benchmarks. Independent testing by Artificial Analysis places Flash well on the speed-intelligence frontier but at 5.5 times the cost of Gemini 3 Flash and 75% more than 3.1 Pro to run its suite, priced at $1.50 and $9 per million input and output tokens. The takeaway that lasts: Flash is no longer the cheap tier.

Systems and secrets

Daniel Lemire describes a peer-reviewed method, with Jaël Champagne Gareau, that turns a 64-bit integer into eight ASCII digits using two AVX-512 IFMA multiply-add instructions, replacing repeated division by ten with eight-wide multiplicative-inverse math. He reports 1.4 to 2 times the speed of the best existing routines and 2 to 4 times that of std::to_chars, with reproducible benchmarks; the catch is that IFMA needs a recent AMD or Intel server part. It targets a path every backend runs hot: logging and serialization.

Separately, a CISA contractor kept a public GitHub repo holding admin keys to three AWS GovCloud accounts, plaintext password files, and tokens, found by GitGuardian’s Guillaume Valadon and reported by Brian Krebs. The contractor had disabled GitHub’s default secret-scanning push protection; the keys reportedly stayed valid about 48 hours after takedown.

What to watch today

  • GA release notes for Anthropic’s security model: whether shipped safeguards answer Cloudflare’s finding that stripped guardrails refuse inconsistently.
  • Independent, non-vendor replication of the autonomous exploit-chaining claim, which today rests on two companies that sell the fix.
  • Third-party cost and latency numbers for Gemini 3.5 Flash against GPT-5.5, the comparison skeptics say Google’s benchmarks skipped.
  • A portable fallback for Lemire’s routine, which for now needs AVX-512 IFMA on recent AMD or Intel-server silicon.
