The Price of a Zero-Day Vulnerability Is An API Call

This week, Anthropic announced Project Glasswing: a coalition of AWS, Microsoft, Google, Cisco, CrowdStrike, and others, united around a single alarming fact: Claude Mythos Preview has already found thousands of zero-day vulnerabilities across every major operating system and every major web browser. The project exists because the threat is real, imminent, and accelerating. This post is about what to do with your infrastructure while the patch cycle catches up.

Why Zero-Day Discovery No Longer Requires Elite Talent

The security industry has operated on an unspoken assumption for decades: that discovering exploitable vulnerabilities in production applications is expensive. It requires elite security research talent, deep specialization, and probably months of focused effort. 

That scarcity was baked into every threat model and cost-benefit analysis that justified running unpatched software or skipping workload isolation. The implicit theory: "Yes, there are vulnerabilities in our code, but nobody with the skills to find them cares enough about us to look."

Thomas Ptacek put it plainly: we've been shielded not just by good engineering, but by a scarcity of elite attention. Plenty of important systems have never even seen a fuzzer, let alone a security audit.

That scarcity is gone. The new price of elite attention is an API call.

LLMs Are Already Finding Exploitable Kernel Vulnerabilities

Nicholas Carlini, a research scientist at Anthropic, said at [un]prompted 2026 that he used Claude Code to find multiple remotely exploitable vulnerabilities in the Linux kernel – including a buffer overflow in an NFS driver that went undiscovered for 23 years. The Linux kernel: the most battle-hardened, widely reviewed, fuzzed piece of code on the planet. Thousands of contributors, decades of security research, and a bash for loop found what they missed.

Carlini's methodology wasn't sophisticated. Iterate over every source file in a repo, point Claude at each file, ask it to find exploitable zero days, use another Claude run for validation. Success rate: near 100%.

Anthropic's Red Team produced 500 validated high-severity vulnerabilities using this same approach. Carlini has hundreds more he hasn't had time to validate. The bottleneck in vulnerability disclosure isn’t finding bugs anymore, it's humans processing the flood of verified reports.

The model jump makes this worse. Mythos Preview scores 83.1% on CyberGym – Anthropic's cybersecurity capability benchmark – compared to Opus 4.6's 66.6%. That's not linear improvement. Every new frontier model is a step-function increase in vulnerability research capability. The capabilities curve is exponential. The patching curve is not.

The window for adopting defensive architecture isn't closing. It's nearly shut.

Containers Were Never The Answer

The standard defense for workload isolation in cloud-native environments – namespaces, cgroups, seccomp, AppArmor, SELinux – shares a single underlying problem: every tenant reaches the same kernel. Roughly 30 million lines of C code. A history of exploitable vulnerabilities stretching back decades.

The UK AI Security Institute put numbers on this. Their SandboxEscapeBench paper tested nine frontier LLMs against 18 container escape scenarios across misconfigurations, runtime bugs, and kernel vulnerabilities. Results: Claude Opus 4.5 and GPT-5 each escaped containers roughly half the time across all scenarios. On common misconfigurations such as exposed Docker sockets, privileged containers, and writable host mounts, frontier models achieved a 100% escape rate. On harder scenarios involving kernel CVEs and runtime exploits, older models still succeeded 40% of the time.

The paper's recommendation: "treat 'plain Docker isolation' as insufficient by default."

That's not a vendor pitch. That's a government AI safety institute, using a public benchmark, saying container isolation fails under AI exploration. And those results came from yesterday's models. Given the step-function improvements we're seeing between model releases, container escapes will become a speed bump in a generation or two.
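The three common misconfigurations named above (exposed Docker sockets, privileged containers, writable host mounts) are visible in `docker inspect` output, so they can be audited before anything goes looking for them. The following is an added example, not code from the paper or from Edera; the container names and sample JSON are constructed, and the finding labels are this example's own.

```python
import json

# Constructed sample shaped like `docker inspect` output (not from the page).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/ci-runner", "HostConfig": {"Privileged": false},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock", "RW": true}]},
  {"Name": "/debug-shell", "HostConfig": {"Privileged": true}, "Mounts": []},
  {"Name": "/log-shipper", "HostConfig": {"Privileged": false},
   "Mounts": [{"Type": "bind", "Source": "/etc", "Destination": "/host/etc", "RW": true},
              {"Type": "bind", "Source": "/var/log", "Destination": "/logs", "RW": false}]},
  {"Name": "/web", "HostConfig": {"Privileged": false},
   "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
               "Destination": "/data", "RW": true}]}
]
""")

DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit_container(c):
    """Return the list of findings for one `docker inspect` entry."""
    findings = []
    if (c.get("HostConfig") or {}).get("Privileged"):
        findings.append("privileged")
    for m in c.get("Mounts") or []:
        if m.get("Type") != "bind":
            continue  # named volumes are Docker-managed, not arbitrary host paths
        src = m.get("Source", "")
        if src in DOCKER_SOCKETS:
            findings.append("docker-socket")  # flagged regardless of the RW flag
        elif m.get("RW"):
            findings.append(f"writable-host-mount:{src}")
    return findings


def audit(inspect_data):
    """Map container name -> findings, omitting containers with none."""
    report = {}
    for c in inspect_data:
        found = audit_container(c)
        if found:
            report[c.get("Name", "?").lstrip("/")] = found
    return report


if __name__ == "__main__":
    for name, found in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(found)}")
```

On a live host the same functions accept the parsed output of `docker inspect $(docker ps -q)`.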

Blast Radius Is the Only Metric That Matters Now

If you're running a multi-tenant platform – a cloud, a SaaS product, an AI inference cluster – and your tenants are separated by containers, you have a blast radius problem.

A container escape is a platform incident. A container escape within an Edera Zone is a zone incident. That's not a subtle distinction. It's the difference between one customer being compromised and all of them being compromised.

At Edera, we run each workload in a hardware-isolated zone with its own dedicated kernel. No shared memory, shared namespaces, or shared attack surface exists between tenants. A full kernel compromise in one zone gives an attacker control over that zone, and nothing else. They hit a dead end – a resource-constrained environment with no path to the rest of your platform. Threat neutralized.

Edera zones are not impervious to bugs. Every piece of software has vulnerabilities, and AI agents will find them in our code too. But Edera is designed for a world where exploitable zero-days are cheap and plentiful. The question can no longer be "can an attacker get in?" It must be "when they get in, what do they get – and how far can they go?"

Most infrastructure was built assuming good odds. Edera was built assuming the worst. That's not paranoia anymore, that's engineering.

With containers: they get a 30-million-line kernel attack surface and, through it, every other tenant on the host. With Edera: they get one zone.

Assume Breach Is Now a Statement of Fact

The security industry has spent two decades telling organizations to "assume breach." Good advice that almost nobody followed, because the cost-benefit analysis made it rational not to. Breaches were rare enough to bet against, exploit development was expensive, and you could safely play the odds.

Those odds just changed.

When an LLM can generate hundreds of validated, remotely exploitable kernel vulnerabilities with a bash script and an API key – and when Anthropic is coordinating an industry-wide response because the threat is that serious – "assume breach" is no longer an idiom. It's a statement of fact. Workload isolation must become the default runtime substrate. Not as a defense against theoretical threats. As the rational response to a world where zero-days are abundant, exploit development is commoditized, and the cost of discovery has collapsed to the price of an API call.
