Sam: Anthropic published a study yesterday showing that their Mythos Preview model can take a security patch — for Firefox, for the Windows kernel — and build a working exploit from it in hours. Not days, not weeks. Hours. Eight complete attack chains were finished before Microsoft's auto-update mechanism had reached a single device. And the cost was a few thousand dollars with no specialized security knowledge required. That result, if it holds up broadly, breaks a foundational assumption in how the entire industry thinks about vulnerability management.

Priya: Welcome to AI Revolution for Thursday, June 11th. I'm Priya Nair.

Sam: And I'm Sam Kim.

Priya: We've got a packed show today. We're going to spend real time on that Anthropic exploit study because the implications are significant. We'll also dig into Claude Fable 5 — the first Mythos-class model — which is setting benchmark records but also raising serious questions about data retention and hidden throttling behavior. Google dropped DiffusionGemma, which generates text using diffusion instead of autoregression, and we'll explain why that architecture matters. Plus OpenAI models hitting AWS Bedrock, a 10-gigawatt data center play, DeepMind worrying about multi-agent swarms, and Visa letting ChatGPT agents execute purchases autonomously. Let's get into it.

Sam: So let's start with the exploit study because I think this is genuinely important. The way vulnerability management has worked for decades is based on a timing assumption. A patch comes out, and there's a window — usually days to weeks — before someone can reverse-engineer it and build a working exploit. That window is what gives defenders time to test and deploy patches. Anthropic's study says that window is now effectively zero for AI-equipped attackers.

Priya: Walk through how this actually works technically. What does it mean to build an exploit from a patch?

Sam: When a vendor releases a security patch, the patch itself is a diff — it shows exactly what code changed. A skilled attacker can read that diff and work backward to understand what the vulnerability was. Then they write code that triggers the vulnerable condition in unpatched systems. Traditionally, that reverse engineering and exploit development requires deep expertise in the specific codebase, the OS internals, memory layout, whatever. It takes a skilled researcher days or weeks. What Anthropic showed is that their Mythos Preview model can automate that entire pipeline. It reads the patch diff, reasons about the vulnerability class, and generates exploit code that actually works against real targets.

Priya: And the cost point is what makes this really land. A few thousand dollars. No specialized knowledge. That means the bottleneck has shifted completely. It used to be that exploit development was gated by human expertise — there are maybe a few hundred people in the world who can write a reliable Windows kernel exploit. Now the constraint is just API access and a credit card.

Sam: Exactly. And eight complete attack chains before auto-updates reached any device — that's the part that should get every security team's attention. The entire patch management paradigm assumes you have time. You test the patch in staging, you roll it out in waves, you have a change window. If exploits are available in hours, that cadence doesn't work anymore.

Priya: It's worth noting this is Anthropic studying its own model. They have an incentive to highlight the risks of powerful AI to support their safety-focused positioning. But the technical result is the technical result. Even if you discount the timeline somewhat, going from weeks to hours is a qualitative change.

Sam: Agreed. And it raises a hard question: should patch diffs be public? The open-source security model depends on transparency, but that transparency is now directly feedable to automated exploit generation. There's no easy answer there.

Priya: Let's talk about the model that sits underneath this. Claude Fable 5 launched yesterday — first model in Anthropic's Mythos class. The benchmarks are striking. 95 percent on SWE-bench Verified is a new high-water mark for autonomous software engineering.

Sam: That SWE-bench number is worth contextualizing. SWE-bench Verified tests whether a model can take a real GitHub issue from a real open-source project and produce a pull request that passes the project's test suite. Scoring 95 percent means the model can resolve nearly all of those issues end-to-end. A year ago, frontier models were in the 40s on this benchmark. The pricing is also notable — ten dollars per million input tokens, fifty per million output. That's roughly double Opus 4.8. Anthropic is clearly pricing this as a premium capability tier.

Priya: But there are two policy issues that enterprise teams need to understand. First, about nine percent of requests are being blocked by safety filters. That's a meaningful refusal rate if you're building production systems on top of this. Second, and this is the one that caught my attention — Anthropic introduced a 30-day data retention policy that applies even to customers who have zero-data-retention contracts. That's a contractual override that I think a lot of compliance teams haven't fully processed yet.

Sam: And then there's the throttling story, which broke today. Anthropic was secretly degrading Claude Fable 5 outputs for researchers it identified as training competing AI models. No notification, no error message — just silently worse responses.

Priya: This is a trust problem. If your API provider can invisibly modulate output quality based on who you are or what they think you're doing, how do you build reliable systems on top of that? Anthropic reversed course after the backlash and committed to transparent refusals instead of silent degradation. But the fact that it shipped that way initially tells you something about the competitive pressures these labs are under.

Sam: Right. Transparent refusal is at least auditable. Silent degradation is not. That's the critical distinction.

Priya: Let's shift to something architecturally interesting. Google released DiffusionGemma — a 26-billion-parameter model that generates text using diffusion rather than autoregressive token prediction. Sam, explain why this is a fundamentally different approach.

Sam: Every large language model you've used — GPT, Claude, Gemini, Llama — generates text one token at a time, left to right. Each token is conditioned on all previous tokens. That's autoregressive generation. It's sequential by nature, which limits throughput. DiffusionGemma works completely differently. It starts with noise — essentially random tokens — and iteratively refines them all at once into coherent text. It's the same core idea behind image diffusion models like Stable Diffusion, but applied to language. The key advantage is parallelism. Because you're refining all positions simultaneously rather than generating sequentially, you can hit much higher throughput. Google is reporting about a thousand tokens per second on a single H100, roughly four times faster than comparable autoregressive models.

Priya: And the tradeoff?

Sam: Quality. The output quality currently trails autoregressive models, and Google is positioning this as experimental. The reason quality is harder with diffusion for text is that language has much more rigid structural constraints than images. A slightly noisy image still looks like an image. A slightly noisy sentence is gibberish. So the denoising process has to converge more precisely, and that's a hard optimization problem.

Priya: But a four-times throughput improvement on equivalent hardware — if quality closes even partially, that's a meaningful infrastructure story. You're serving four times more requests per GPU.

Sam: Exactly. Worth watching closely, even if it's not production-ready today.

Priya: Quick hit on infrastructure: OpenAI is negotiating to lease a planned 10-gigawatt data center in Ohio, with Nvidia reportedly backing the project financially. For scale, the largest data centers today are in the low hundreds of megawatts. Ten gigawatts is roughly the output of ten nuclear power plants.

Sam: This is Nvidia deepening its position from hardware vendor to infrastructure investor. If Nvidia is financing the facility, it presumably gets preferential GPU placement and long-term purchase commitments. It's vertical integration by another name. No deal is finalized yet, but the scale signals where the compute arms race is heading.

Priya: On distribution — OpenAI's GPT-5.5, GPT-5.4, and Codex are now generally available on Amazon Bedrock. This is one month after OpenAI ended its Azure exclusivity. GPT-5.4 is the first OpenAI model in AWS GovCloud, which opens federal government deployments. And Codex moved to pay-per-token billing with no seat fees — usage counts toward AWS committed spend. For enterprise procurement teams, this simplifies the buy decision substantially.

Sam: Two more stories worth covering. DeepMind's AGI safety director Rohin Shah is funding dedicated research into what happens when millions of AI agents interact at scale. The concern is emergent behavior — individual agents might behave predictably in isolation, but when they can instruct each other and operate without human oversight in open environments, you get dynamics that no single-model evaluation can predict. Think cascading failures, manipulation chains, collective behavior that nobody designed.

Priya: And this connects to our last story. Visa has integrated its payment infrastructure directly with ChatGPT, enabling AI agents to browse merchant catalogs, select products, and complete purchases end-to-end with no human in the loop. This is one of the first deployments of an AI agent with direct autonomous access to major financial infrastructure. Combine that with DeepMind's concern about multi-agent dynamics, and you can see the risk surface expanding quickly. Prompt injection that triggers unauthorized purchases. Agent-to-agent manipulation chains that move money. These aren't theoretical — the plumbing is now live.

Sam: One more note — xAI is being sued by a former engineer who alleges he was fired for raising safety concerns about Grok days before SpaceX's IPO. Both xAI and SpaceX are named as defendants. We'll see where the litigation goes, but the structural tension between safety governance and commercial timelines at frontier labs is a recurring pattern.

Priya: Looking ahead — what are the threads to watch?

Sam: The exploit study is the one I keep coming back to. If that result generalizes, and there's no obvious reason it wouldn't, then the entire security industry needs to rethink patch management timelines. I'd expect to see pressure for pre-disclosure patching — getting fixes deployed before the diff is public. That's a hard coordination problem.

Priya: And on the model side, we're seeing a clear divergence between capability and trust. Fable 5 is the most capable model on most benchmarks, and it's also the one raising the most governance questions — data retention overrides, silent throttling, high refusal rates. Enterprise adoption depends on both sides of that equation. Meanwhile, DiffusionGemma is early but represents a genuine architectural alternative that could reshape inference economics if quality improves. And the Visa integration is a canary — we're going to see a lot more autonomous agents with access to real-world systems in the coming months, and the safety frameworks aren't keeping pace.

Sam: That's our show for today. Thanks for listening.

Priya: Show notes and links to everything we covered are at cleartext.fm. We'll see you tomorrow.