The End of Craftsmanship Security — How the 2026 Zero-Day Flood Changed the Game
Hey there! Have you ever stopped to think that the patch you’re deploying today might have been discovered by an AI in less than a second?
The truth is uncomfortable: the security model based on humans manually hunting for bugs has collapsed under the weight of algorithmic scale.
The cost of finding a critical vulnerability has dropped to less than $50 USD. This has created a "vulnerability flood" that no engineering team can process with just coffee and manual effort. I’m going to show you how AI stopped being just a "copilot" and became the only viable defense against automated attacks.
The Claude Mythos Paradigm Shift
In April 2026, the Claude Mythos model proved that AI doesn’t just read code—it understands execution semantics. It found a 27-year-old logical flaw in OpenBSD, a system known for being a fortress. Hmm... the issue wasn't a simple syntax error, but a complex flaw in the TCP SACK protocol that cost pennies for the machine to deduce. It's wild: traditional fuzzing tools tested that specific code 5 million times without success. The AI won because it reasoned about the software's state, rather than just throwing random data at the wall.
Cyber Reasoning Systems (CRS) and the Death of "Shift Left"
If AI attacks at this speed, defense must be proactive and autonomous. The Gondar project (winner of DARPA’s AIxCC) demonstrated that we can create machines that explore, report, and patch flaws in real time. This killed the romanticized concept of Shift Left.
– Asking the average developer to manage this flood of alerts alone is a recipe for burnout.
– Responsibility is shifting back to specialized AppSec hubs.
– Now, they use agents like Google DeepMind’s CodeMender to refactor entire codebases before an attack even exists.
The "Good Taste" Filter and the Torvalds Rule
It’s not all sunshine and rainbows, though, haha. The flood of automatic fixes has created the Slopocalypse: thousands of useless Pull Requests that just generate noise. Linus Torvalds and the Linux Foundation laid down the law: AI is a tool, but the human remains legally responsible. To keep code clean, the Assisted-by tag is now mandatory on AI-assisted contributions. This separates "algorithmic junk" from what Torvalds calls good taste. The AI proposes, but the final human audit is what prevents legal and technical contamination of the project.
Next Steps
If you manage repositories, start implementing DCO (Developer Certificate of Origin) policies and demand transparency in LLM usage. The future isn’t about who writes more code, but who best orchestrates the agents that protect it.
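As an added example (not the post's own code) of the DCO plus Assisted-by policy described above: a commit-msg hook that parses git trailers, requires a well-formed Signed-off-by line, and refuses a commit where the tool named in Assisted-by is also listed as the signer. The Assisted-by value format ("Tool name and version") and the tool name are assumptions for this example, not any project's official rule.

```python
"""Constructed commit-msg hook: DCO sign-off required, Assisted-by trailer checked.
Usage: python commit_msg_check.py .git/COMMIT_EDITMSG  (exit 1 on violation)
"""
import re
import sys

# A "Key: value" line, the shape git interpret-trailers recognises.
TRAILER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(\S.*)$")
# DCO identity: "Name <email>". A tool version string will not match this.
IDENTITY_RE = re.compile(r"^[^<>]+\s<[^@\s<>]+@[^@\s<>]+>$")


def parse_trailers(message: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs from the final paragraph of a commit message.

    '#' comment lines are ignored and only the last paragraph counts, so a
    'Fixes: ...' mentioned mid-body is not mistaken for a trailer.
    """
    lines = [ln.rstrip() for ln in message.splitlines() if not ln.startswith("#")]
    while lines and not lines[-1]:
        lines.pop()
    block: list[str] = []
    for ln in reversed(lines):
        if not ln:
            break
        block.append(ln)
    matches = [TRAILER_RE.match(ln) for ln in reversed(block)]
    # The paragraph is a trailer block only if every line in it is a trailer.
    if not block or not all(matches):
        return []
    return [(m.group(1).lower(), m.group(2)) for m in matches]


def check_commit_message(message: str) -> list[str]:
    """Return policy violations; an empty list means the commit passes."""
    trailers = parse_trailers(message)
    signoffs = [v for k, v in trailers if k == "signed-off-by"]
    assisted = [v for k, v in trailers if k == "assisted-by"]
    problems = []
    if not signoffs:
        problems.append("missing Signed-off-by trailer (DCO)")
    problems += [f"malformed Signed-off-by: {v!r}" for v in signoffs if not IDENTITY_RE.match(v)]
    # The human signs off; the assumed Assisted-by tool must never be the signer.
    problems += [f"Assisted-by tool used as signer: {v!r}" for v in assisted if v in signoffs]
    return problems


if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        failures = check_commit_message(fh.read())
    for failure in failures:
        print(f"commit-msg: {failure}", file=sys.stderr)
    sys.exit(1 if failures else 0)
```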