The mythos
On April 7, 2026, Anthropic announced Mythos: a limited-access model designed to autonomously find and exploit zero-day vulnerabilities in critical software. Alongside it, Project Glasswing: a consortium pledging up to $100M in usage credits and $4M in direct donations to open-source security organizations.
The announcement sells itself. Frontier intelligence, gated. A budget the size of a Series B, allocated to the maintainers of the world's most boring and most load-bearing infrastructure. Trust us with your supply chain.
This is the corporate AI mythos in its purest form. Sealed weights. A short list of trusted partners who get access. A capability claim that cannot be independently reproduced, because the artifact behind the claim cannot be inspected. The pitch is always that the gating is for safety. The structure of the gating is, every time, also the structure of the moat.
It is hard to argue with the gesture. Open-source security is starved for resources. A 25-year-old bug in a TLS library means nobody has been paid to look. If the priesthood is going to spend $100M on the maintainers, the maintainers will probably take it.
But the question worth asking is the smaller, quieter one. Do you actually need the priesthood?
The receipt
A company called AISLE, founded mid-2025 and out of stealth since October 2025, has spent the months since publishing the answer.
AISLE's stack does not run on Mythos. It does not run on any frontier model in particular. It runs on a rotation of cheap open-weights models: GPT-OSS at eleven cents per million tokens, DeepSeek R1, Kimi K2, Qwen3, Gemma 4. They scaffold those models inside what they call an AI-native cyber reasoning system: triage, retrieval, validation, exploitation, fix proposal, and a maintainer-facing pull request a human can read in a minute. The model is one moving part. The system is the product.
The receipts are public. AISLE found twelve out of twelve CVEs in a single OpenSSL security release, including a 25-year-old bug. They found a 16-year-old FreeBSD NFS remote code execution (CVE-2026-4747). They found a 27-year-old TCP SACK bug in OpenBSD. Across 30+ projects they have submitted more than 180 externally validated CVEs. The OpenSSL CTO went on the record. None of it required gated weights.
Their framing of the result is sharp: “the moat in AI cybersecurity is the system, not the model,” and elsewhere, “a thousand adequate detectives searching everywhere will find more bugs than one brilliant detective who has to guess where to look.”
The priesthood model assumes one detective, very brilliant, very expensive, lent out by appointment. AISLE shows the inversion. Hand the cheap models to everyone, deploy them in the place where the code already lives, and the math of everywhere beats the math of very smart somewhere almost every time.
The same fight, different vertical
This is not an outside observation for us. It is the architectural bet we made.
KongBrain, the cognitive memory engine for OpenClaw, ships with local BGE-M3 embeddings via node-llama-cpp by default. No hosted vector DB. No retrieval API. No outbound call required for the read path. A sibling project, KongClaw, hits 98.2% Recall@5 on LongMemEval with the same posture: cosine similarity, graph expansion, and a small auto-trained reranker, all running in process.
Last week we shipped configurable embedding providers (issue #1 in the repo, six days from open to merged across four stacked PRs). The new path lets users plug into the OpenAI /v1/embeddings shape, which is the same shape implemented by Azure, Together, vLLM, LM Studio, Ollama, DeepInfra, and Fireworks. One adapter, eight backends. A baseURL change.
The default stayed local. The hosted path is opt-in.
That is the same shape AISLE chose, just sitting in a different vertical. Open weights where they are competitive, with a clean way to swap providers when the user wants to. The work runs in the user's boundary, not ours, not somebody else's. If we go away, the model and the data on disk are still readable. If a hosted provider breaks an API contract, the local default still ships answers.
The point is not that local is always best. The point is that local should be the default, and hosted should be a knob, not a hostage.
What “open” actually buys
The open-weights story has a sales-pitch shape that obscures the real ledger. Three things land. One pushes back.
The first is verifiability. A capability claim about an open-weights model can be checked. The benchmark harness is published, the weights are downloadable, the result is reproducible end to end. KongClaw's 98.2% Recall@5 on LongMemEval is reproducible from the repo. Mythos's vulnerability-finding numbers are asserted by Anthropic and validated by selected partners under non-disclosure. One of those approaches is engineering. The other is marketing.
The second is that nothing changes under you. A hosted API can deprecate the model, raise the price, lower the rate limit, or edit the privacy terms. All unilateral, all on a schedule you do not set. Weights on disk do none of that. The model you downloaded six months ago still runs on the same hardware, with the same outputs, on the day the next gated release ships.
The third is supply-chain isolation. Owned inference removes a third party from the dependency graph. For security-sensitive work, that is the only architecture that lets you answer “what touches our customer data” with a list shorter than the internet.
The pushback is real. Open is not free. Someone runs the inference, which means hardware, electricity, ops, and a person who knows how to drive a GPU pool. For low-volume work, the hosted bill is genuinely cheaper than running your own. The right framing is not that open beats hosted. The right framing is that the choice has two columns to balance: cost in dollars and cost in privacy. Whether open can pay either column depends on how much capability open weights actually deliver. That part is genuinely up for debate.
The capability question
Capability is jagged but moving up.
That phrase, jagged but moving, captures where open ends and hosted begins. AISLE's finding is that no single model is best at all cybersecurity tasks. Some open-weights models match or beat hosted leaders on specific subtasks today. Others lag. The frontier is not a wall; it is a coastline, and the coastline keeps moving inland.
The arc of the last twenty-four months is hard to argue with. Open models priced at single-digit cents per million tokens now do work that a year ago required a hosted call to a billion-dollar foundation. Llama, Qwen, DeepSeek, Mistral, and Kimi each release a model that closes another gap. The hosted lead is real on certain frontier capabilities. It is also smaller than it was last quarter. That trend has not reversed in any month of the last two years.
The honest counter is the compute question. Training the next tier costs more, not less. Multimodal training, long-context training, agent-loop reinforcement learning all run into compute budgets that only the hosted players can finance. There may be a generation or two of capability that lives behind a hosted wall for genuine economic reasons, not just gating ones.
Even granted that, the priesthood model is fighting gravity. The thing AISLE proved is that a year-old open-weights model with a good system around it beats a brand-new gated model with a thin one. If that pattern holds, the question about Mythos five years from now is not whether it is more powerful. The question is what you sign over for the privilege.
The privacy question
Privacy in 2026 is in the same state as the climate in 2006. Everyone agrees it matters. Almost no one is willing to give up the convenience that erodes it. The trend line is the trend line.
The mechanic is direct. Every prompt sent to a hosted model is a paste of context the model cannot answer without. Codebases. Customer data. Threat models. Private email threads. Notes from a deal. Whatever was in the clipboard, plus whatever the agent decided to retrieve into the system prompt to make the answer good. That blob lives in a log on someone else's hardware. The provider's terms of service describe what happens to it next. Those terms can change unilaterally, on a schedule you do not set.
The convention now is to wave at this with a “we don't train on your data” footnote. It is true and beside the point. The data still sits in retention buckets for safety review. It still gets sampled by humans tasked with hunting policy violations. It still gets subpoenaed. It still leaks when an inference provider has a bad week, which they all eventually do. The promise that your data will not be used to train the next model is the cheapest promise in the stack to keep, because the harm path that matters does not require training on it.
The harder question is the one nobody wants to ask out loud. The privacy battle was not lost in some future regulatory fight. It was lost the morning the dominant pattern of using a frontier model became copy-pasting a private codebase into a chat window because the productivity gain felt too good to refuse. The opt-out exists. It runs on your hardware, costs more time per query, and is slower until the curve catches up. Almost nobody picks it.
This is not a moralizing point. It is an architectural one. If most inference goes through hosted providers because the alternative is harder, the cost in privacy is the price the alternative was always paying. We just stopped denominating in it.
Where we land
The lab's default is local. Open weights where they are competitive. Owned inference where the data is sensitive. Hosted APIs as a deliberate trade with both columns named in the contract: dollars one direction, privacy the other.
KongBrain ships local. KongClaw ships local. The new openai-compat path exists because users asked for it, and because a clean opt-in is more honest than a hard rule. The default did not move.
This is what we mean when we say the AI work is open. It is not a marketing stance. It is the architecture, and the architecture is testable. Read the repo. Run the benchmark. If it does not reproduce, it does not count.
The mythos sells one detective, brilliant and gated. The receipt is a thousand adequate ones, working everywhere, on the cheap. Five years from now, Mythos will not be defeated by a single competitor. It will be diluted by the gravity of the open stack getting good enough often enough that the gate stops being the point.
That is the bet. We made it on purpose.