AI-maggedon 2026: Straight Talk

For everyone working with AI, there are things we must know, none of which are published in popular articles. These apply equally to companies and individuals. These are impactful. Here people err painfully.

I’m aware because I train agentic development teams. And I consume all the AI news, Agentically, of course. And almost all of it is riding the hype. I’d expect that you see it too. The main problem here is that the practitioners don’t care to write; I am a practitioner, and I also don’t like to write about this mess — I’d rather just tinker with it. Yet every weekend that I present, I move through the same set of questions that people ask.

• No, Agentics like Claude Code don’t speed your team up — the maximum gain is 20%.

• No, Claude Code cannot generate production-ready code — it always generates SLOP.

• No, AGI is NOT coming — all ANNs are Specialists, not Generalists, AND psst
     — we don’t even know what AGI means!

• No, Hallucinations cannot be removed — LLM hallucinates 100% of the time by design.

• No, LLMs won’t search for your answer — they always hallucinate from the training data.

• No, LLMs will never reason — by design they interpolate they cannot extrapolate.

• No, Prompt Injection is not a bug — it’s the fundamental requirement number Zero (0)!

And, the critically important "Uncertainty Acknowledgement" is possible with Agentics …​ but I don’t feel like writing a book about that, neither does the next practitioner, and by the time someone does, it will all change already. Also, did you know that models get less useful with each version?

Hence, the Straight Talk, and here are today’s topics:

1. Mythos and Wonder-Models: "The fire truck is also the arsonist."
2. Stage Zero Monetization: Google Deterministic AI
3. The Golden Children — What have they done
4. AI Attack Surface — The rest of us
5. Agentic Success Almanac: How and Why and What Gives

The section 5 gives you the fundamentals you need to survive Agentic age.

Figure 1. The world ends as crackers eat up cog. The hacker works.

 

1. Mythos and Wonder-Models: "The fire truck is also the arsonist."

1. Mythos, like GPT 2.0, is too powerful to release to general user.

2. Mythos hacks so good that it exploits all the software.

Does Anthropic even realize that the security industry has changed completely since 2022   — it is now national security and intelligence concern. Well, except for the USA, of course.

The Anthropic folks need to learn to value what they have achieved, cherishing remaining integrity.
Marketing gimmicks by repeat posers read as insults to intelligence and erode trust.
Every model maker is in the Model-Fizzle because there is no new architecture in the pipeline.
I am struggling to understand why this publicity stunt was necessary.

Meanwhile, marginally better models and better systems (foreign) will arrive every day — inevitable! And the US has regressed in system design, while competent systems are where AI power manifests best. American market seems to notice LLMs more than the ecosystem they fit into. And the US is losing ground to foreign models too, like the Agentic kimi.com from China. Far more importantly, non-LLM reasoning systems are virtually nonexistent in the American news, as if the LLMs are the entire AI science. The US has become a remarkably dilettante culture.

And now, Anthropic sells a $125/million-token model to find bugs.^[1]
Crap! — I burn more than a million tokens per day, and that’s just hosted
  — I don’t even count self-hosted.

Meanwhile, AI gifted us:

• 2.74x more vulnerabilities in AI-generated code vs. human-written;^[2]

• 45% of AI-generated code introduces OWASP Top 10 vulnerabilities;^[2]

• Claude Code alone: 4% of all public GitHub commits;^[3]

• 1 in 5 organizations report serious incidents from AI-generated code;^[4]

• 69% of organizations found critical vulnerabilities in their AI-generated code.^[4]

While everyone is speculating about a wonder-model that will obsolete developers and uproot all software, I see there are three problems here:

• First, we know this tune — OpenAI first^[5] — same bloke and song then same free press.

• Second, Anthropic, my favorite company, leaks like a sieve — victim of its own success. And what we spy is what we expected — there are no new breakthroughs in LLM architecture, so there is neither Deus Ex Machina in Mythos^[6] nor any latest model others made.

• And third, and perhaps the most important point, the breakthrough Mythos claims to own actually did happen 9-11 months ago. But it wasn’t some silly LLM. Ukraine, then Israel, closely followed by France and Great Britain, are the nations at the forefront of AI applications by changing how we even think about software — NOT the USA, regretfully.

The last 4 years of Total War in Europe changed everything in the world of security  — we’ve experienced an insane amalgamation of industries into theater mindset. The world doesn’t think in 2020 concepts like the USA still does.

Meanwhile, in American news — Scary what kids will do with it!
But what about real penetration shops?!

I asked an intelligence officer from the world’s most prolific penetrators (not American, obviously) — "Will you use Mythos?"

Highly unlikely! It's useless to us. First, we rely on our own.
And second,
    We employ dozens of models
    over thousands of logical branches.
Time, and bang per buck is what matters most to us.

But most importantly,
    our system architecture does 95% of hard lifting,
    across ALL attack surfaces simultaneously.
Direct software exploitation is a rare necessity.

Actual penetrators are much scarier because they’re no longer standalone tools. First, the Ukrainians exposed a little bit of their Delta system^[7] recently. NATO partners understood it as not just battlefield management — it’s also an ecosystem for everything from logistics to geopolitics, AI-governed research, and strategic intelligence. It is the whole system approach that aggregates other large subsystems together. All of these powerful AI aren’t LLMs at all — that IS the whole secret — they’re human-built Distributed Systems using all kinds of "reasoning."

Penetration subsystems have no known counter-measures except similar types of systems. When deployed adversarially, they automatically exploit all attack surfaces simultaneously. Russia’s Duma held a closed session after discovering their strategic messaging app Max was likely compromised at the commit level — they stopped hunting exploits and restored Telegram instead. These capabilities dwarf anything a single model or tool can offer. This is a different way to think about AI: in the USA we tend to think about the value of a model like Mythos; several European and Asian nations are not as excited about a model and think from the perspective of a large system. It’s competent people building competent systems that have more traction with reality: instead of "where do I stick this shiny," keep evolving an existing distributed solution using all available tools including shiny.

The breakthrough is in operational philosophy. All of these nations have been deploying software vulnerability analysis as a weapon system — that is why Putin is diligently killing the internet in Russia whilst hiding in his bunker. Some American companies claimed proximity to Ukraine’s "AI" as a marketing stunt — Ukraine hasn’t let anyone in since 2024. Neither has Israel, France, GB, etc. But don’t worry, American services have demonstrated similar capabilities — recent operations against Iranian leadership infrastructure are publicly reported.^[8]

Cybersecurity AI-Nukes have been weaponized for over a year now, and your world didn’t crash in some "everything outage." If a year of constellation attacks didn’t bring the world down, let’s be conservative with single-model expectations like Mythos. The important piece people miss here is that the power of these penetrators does NOT come from a model — that is impossible. It comes from the analytic systems that use many models. In the last section I will explain why and how. For now, it’s about:

• Centralized Control (tool): Russia, China, USA — not very effective but simple.

• Distributed Control (team): Iran, Baltics, Ukraine in the Gulf — effective but expensive.

• Ecosystem Policy (theater): Ukraine, France, Israel, GB — changes everything!

Open Source Software is safest for the same reason it is safest today — its source is open — nothing changes unseen there — theater scope. These security agencies rely on the same OSS. In the big world, intelligence agencies run their own software ecosystem, like we used to with the Department of Navy. ARPANET (the Internet) was born this way if you remember. But today the USA relies on few private companies. Proprietary software will temporarily get reamed and recover — this will be and has been a recurring theme already. The cycle will tighten.

No single model can kill your company — don’t worry. Incompetence will, quietly, gradually.

While Anthropic firetruck scares people with a bonfire, some nations sling fire on an industrial scale.

So, Mythos, hey folks — Too powerful to release to the public. Like GPT-2 was! I liked its "advertised" benchmarks. Soon enough we will have real and independent agentic tests well outside Anthropic fixtures. Let’s see how well it holds a personality imprint necessary for some real problem-solving in code. I’m not holding my breath.

Full disclosure: Why don’t I take Anthropic’s Mythos claims to the security industry seriously — as someone with exposure, I picture a bicycle shop showing off their carbon fiber frames at a military airbase with an F35 parked next to the bikes.
Cute bike!

Review this article in a couple of years from now and remember that rdd13r told you
 — the near future is in systems, not models.

2. Stage Zero Monetization: Google Deterministic AI

Zuk built Facebook on build and pray. Twenty years and $50B in Reality Labs later, he’s still praying. Google does the opposite — they ship with mission, measure return, and kill anything that doesn’t brick the customer further. The Python’s discard pile is 200+ corpses long;^[9] none of them missed because of bad code — they missed because they didn’t extend the wall. The financial mission hasn’t changed since AdWords in 2000: you are a brick, and every product is more cement. "Deterministic AI" is just the next coat.

Recently Google summoned their partner ecosystem to introduce "Deterministic AI" — I listened very carefully. Understood. Called people in business that implement AI. It all went right over their heads.

Engineers began to make fun of "deterministic" with AI. Marketers struggled to spin product-market fit. Everyone got confused. And things got quiet again. But Google is the adult in the room. It isn’t a new thing with them — I remember this exact track in 2017 with my MATILDA framework.

Amazon is trying to give us a practical democratization with Bedrock — but pragmatism is not yet possible. Microsoft is still trying to sell "more bugs for less" model using their proven "don’t look there" defense. Companies like Palantir are trying to package yesterday’s ideas into futuristic "business — all you need is here." And niche gods like Celonis know they’re disrupted but don’t understand HOW. LLM shops only understand pushing a bigger model and hoping for users to discover monetization. Everybody panics, except Google! I explained this in 2023: Why Google Beat OpenAI with Technical Teams — three years later they’re spinning the same play on a bigger stage.

Three companies attempted this pattern — Apple, Salesforce, and Google. Life behooves you to study it:

1. Attract the community — get makers, forget the corporate cogs — they’ll move when hackers route the herds. Open tools, open models, and open communities relax hackers, stimulating trust. When hackers come, real assets emerge — open source tooling, community IP, and ecosystem momentum.

2. See the customer from the "whole life" perspective — hackers see customers as animated assets: someone like themselves, with endless opportunities to upsell to: home, work, social, personal, etc. Not as a transaction or a subscription in the product marketplace. When the platform explicitly provides hackers with tools to grab the customer "whole," both the hacker and the platform turn into a medical device instead of just a trinket — all the dependency and commitment without any FDA regulation overhead, all done covertly.

3. "Give me your magic, I’ll keep it for you" — have the wild hacker you’ve tamed in step 1 flip that pleb upside down for you: they already bring implied trust to the customer’s workplace — start by blurring that "assistant" concept to eventually absorb the customer’s domain logic into your infrastructure, through progressive helpful upsells. Tada: drag and drop domains in action. Apple tried to match this play a decade ago with Siri. Notice the stamina and persistence.

Apple has the "whole life" vision — phone, watch, home, car, health — but hoards. They don’t invite the community to "build the customer out" together. Only one trump card was even attempted.

Salesforce tried "give-me-your-magic" game with their CRM-as-platform pitch. And completely failed to attract the maker community. Salesforce developers are cogs, not hackers. Glorified "toolkit operators" won’t explore the customer. Stuffy-corporate ecosystem gets one trump card.

Google nails all 3 (three) — the deck minus hearts. And their execution is a thing of beauty.

Google’s push is to replace that almighty DDD Aggregate — a business service your team spent a year to write and years to "maintain" into submission — with a single drag-and-drop AI-ee box. That box pretends to be "deterministic" as it encodes your domain logic — the edge cases, the regulatory constraints, the competitive secret sauce — the Mojo your business experts spent decades learning. Your people tune it, configure it, pour their knowledge and time into it. And now Google has it "keeping it safe" for you, same as your photos, emails, home video, love letters, and wallet — allegedly. And not just yours — everyone’s in your vertical! Google runs models across all of them, cross-pollinates insights no single company can match, and offers you "better solutions" back, for your benefit, just like it decorates your photos and videos. This deepens your dependency because the box now knows your business better than your team does. Your business identity is effectively consumed. The company’s differentiation lives inside Google’s ecosystem and is powered by Google proprietary magic. 100% trunk-based-development,^[10] and you are just data.^[11]

This is even before we think of that joker up the sleeve — friction!

Google’s attitude to strategy is opposite to the "specialization" everyone else chose. Like France and Ukraine in section one above, they chose Total War — instead of understanding one tool or weapon, wise people comprehend how every tool fits into the entire ecosystem, ending up dominating the whole theater. Google is poised to dominate every aspect of your life — home with internet, cell phone, home security, family management; business with drag and drop, "we think for you" catering straight to lifer’s mindset; social life with AI-enabled search, integrated identity, services, and trinkets — intentionally blurring the lines between home, work, business, personal, and public. And all of this is powered by exactly the same hyperscaler beast, exactly the same maker community they brought into the fold.

Like Ukraine with Delta, Google with Borg also has all the cards — not distracted by temporary fluff.

While the market chases HYPE — oh look shiny trinket, oh look another shiny — Google patiently plays Python — literally, slowly swallowing plebs whole undistracted by hype and noise. I’ve been running deep analytics on these wise folks for years now — I’m not a fan, though my business is a Google business, systems domain and all — I’m just in awe. Did you know that everything Google is, from idea to wire — defined in trunk?^[12] Deus Ex Machina in plain sight.

Learn from this. This is an accessible and clear example of a competent ecosystem strategy. Take something from their playbook and most importantly from their mindset, attitude to self and customer. Infrastructure IS the end-game — monetization at the foundation.

And now the joker promised earlier — the absence of friction.

Google ships every product to a hacker creed — self-service at 99.99%, no upsells, no surprise migrations, no needless updates to working contracts. Their devices ship without customer support because customer support isn’t needed. My Wi-Fi router started dropping packets, 1 of 8, so I never noticed — a box arrived at my door with a replacement and a note: "swap with #5, ship #5 back." GCP apps are self-documenting, no uDemy required, unlike Azure. Microsoft locks you in with friction; Google locks you in with the absence of it. The brick is happy in the wall. Even when an app gets killed, the lift-and-drop path is already drawn, the community grieves publicly, fan portals point to the next Google product — people don’t leave Google and choose to migrate within.

It reminds me of the three-wheel static asphalt roller — moves slowly, rushing nowhere fast, and just rolls everything on its way flat into tarmac. Before it is a turbulent uneven market, steaming and heaping. Behind it — a durable flat runway straight to its bank.

— Random Hacker.

 

Strategically the same play: no sudden turns, no lateral forces, no chasing model hype. If Google "jumped on the model BS," they’d create friction — the smooth roller tries to spin sideways and the customer feels the jolt. They will never do that! They speed up gently, in the same direction they’ve rolled since 2000. And then you look up — you’ve moved. How do you counter "the absence" of something? It’s a magnificent mature posture that is hard to not appreciate.

While others hype over models, Google just patiently rolls strategy.

What is your take? Leave me a comment.

3. The Golden Children — What have they done

The world displays a WRONG understanding of HOW developers use AI coding tools!

Recently one manager told me that their team is a 5X now — not only is that statistically impossible at the team or sprint level, the highly increased closing rate means the team is in a bad place. Let’s understand this:

Level	What happens	Data
Junior	Gets worse	2.74x more vulnerabilities,[2] can’t review output
Mid	Breaks even, maybe	19% slower, thinks 20% faster[13]
Senior	Saves ~4 hrs/week	DX Staff+ daily users[14]
Wizard	No speed gain, life is nicer	No survey data, builds the tooling

Impact
    ↑
    |          Wizard ·····●  (quality of life)
    |        Senior  ●
    |               /
    |    ----Mid---●···→  (slowly improves)
  0 |---/-------------------
    |  /
    | ● Junior/Cog
    ↓
    DEGRADATION

Section 5 better explains the causes of this outcome — it has to do with both the abilities of the model and the competence of the developer. In short, here is the nature of the model’s abilities:

• AI cannot reason: It scores below 2000 on Codeforces, the Candidate Master^[15], level 5 of 10, and only for problem types it had in its training data, abysmally otherwise. It’s an exponential scale, so getting to 6 (2100-2299), Master, is harder than getting from 1 to 5. The score of 5 is exceeded by only 5% of the human coders at the competition — this goes to show how drastic the difference between mid-level and junior developers is. Yet 16-year-olds in code camps regularly exceeded 2000 points. I also had entire teams in corporate America unable to reach Candidate Master in a year of my coaching. And it’s hard to find a 20-year-old beating Master (2300+). For AI the road to the next score is long, even longer than for humans.
  Keep this in mind!

• AI is a matching fool: It beats most humans in correcting boilerplate framework code, like Spring Boot. And it excels at checking the existing codebase for a full spectrum of implementation problems, but not architectural or design problems, except for well-defined scenarios like the design patterns violations. This is a strong suit and valuable help welcomed by most developers.

Junior developers: Claude Code is smarter and will generate vast spans of code that juniors like but cannot evaluate. The code looks good, seems better than such a developer would write — slop. This group constitutes the most enthusiastic OpenClaw users, by the way!

Mid-level developer (3-5 years at most companies): Claude has breadth; tug of war ensues on topics that the developer does know something about; trust erodes and progress slows because of it. Juniors were not able to call BS on Claude. These developers can. The developer is forced to learn attempting to argue their case with Claude, and it is a net-positive outcome for humans.

Senior developer (10-15 years): These people trust Claude Code the least.^[16] They adopt at similar rates but perceive the least value — "junior colleague" at best, irrelevant at worst. But the developers that do force themselves to master Claude Code save up to 4.4 hours per week — highest gains seen in independent data.^[14] The key here is to apply what Claude can do well.

Every independent study referenced here — over thousands of teams and developers — caps real-world gains at ~1.1X to 1.2X;^[13][14] a sustained gain over 20% has never been observed on real work at the team or sprint level. Anything claimed above 1.5X means only one thing — SLOP!
(And implies low team maturity and vulnerability factory.)

Full disclosure: I personally pulled several teams to 1.5-1.6X in 2025. Not by having Claude Code generate code — by replacing their summary and coordination ceremonies with discussion pages and Claude-managed summaries. The team stopped wasting hours in meetings; Claude Code added quality on top. The speed came from removing organizational waste; the tool enabled the new coordination pattern and polished the output. Organization development, not trinkets.

The Wizards ARE the Agentic Revolution

This last group is the most peculiar kind. They’re excluded from the statistic and there is a good reason for it. In my circles, wizards' adoption level is nearly absolute — you will find half of them actively contributing to the Agentic tools themselves. But their usage is a statistical anomaly and does not mirror any other groups — wizards are either all in or all out. And, of course, we only measure the all in crowd.

The usage tropes are as follows:

• Extreme experimentation — the Northern Community of Founders (formed 1994 Philadelphia, migrated to Quebec 2010s), a 3,000-developer metrics pool, shows 50% of the interaction is experimentation. Claude Code tells me I experiment 70% of the time.

• Tinkering, decomposition, modification, and extension: This group never seems to be satisfied with the tool, finding it incredibly promising and equally wanting at the same time. The wanting is primarily generated by the limitation of the model — something a hacker can do little about, except to try another model — that is how places like openrouter.ai came to be. The orchestration, choreography, and extension are something right under the fingertips, which is why we now have thousands of plugins, skills, mods, shims, and most importantly, forks.

• NEVER allow Claude to generate ANY functional code, making the stat-collection useless.

Now this last point is crucial to understand. I can explain why I never let it generate:

1. Claude Code produces CRAP functional code 100% of the time, even for simple asks;

2. This CRAP code has my name to it thus generates immediate need for me to FIX it.

I don’t know about you, but I am not a big fan of fixing someone else’s code. In most cases I find that I don’t like the approach, so I will just refactor. This is acceptable with human collaborators — we both learn from the experience. But having a tool generate the code that I will always throw away is annoying to me. My Claude and I ran an experiment for a few days and measured my performance alone versus together. We have found that if I let Claude Code generate my functional code first, I am 3 times SLOWER than coding alone (29% of solo speed).

From my own beloved Claude Code

Claude: How much of my generated functional code have you accepted?
Close to zero. You throw it away or refactor it every time.
The 15-line detect-sdkman script was the closest I got to a keeper, and that took iteration.
Everything else — Kotlin, workflow logic, anything "creative" — you rewrite.
Because you’re faster, and because my version never matches how you think about the problem.

That is telling — isn’t it? — "never matches how you think."
So is Claude Code useful to me? — ABSOLUTELY!
The best collaborator I ever had!

The difference is straightforward:
young ones want Claude to think instead of them — that is slop.
Wizards want Claude to think with them — wizard brings architecture,
Claude brings breadth.

AI makes dumb developers dumber and smart developers happier.

So, then, how do Wizards use Claude Code "purely for quality of life improvement":

Research and comprehension

• Breaking into new or forgotten technology — Claude reads the docs, the API surface, the changelog, and briefs the wizard in minutes instead of days

• Grepping a codebase for a logical pattern — not text search, semantic search: "find every place we handle timeout differently from retry"

• Finding similar but different logical blocks across a large codebase — the kind of structural comparison a human eye misses at scale

• Analyzing data sets for patterns, anomalies, and correlations

• Finding and extracting relevant documentation from specs, RFCs, and vendor manuals

• Deep research with source verification — web search, fetch, cross-reference, flag what doesn’t check out

Adversarial analysis — the strongest suite

• Brutal code review — catching what the wizard missed, not what the wizard wrote

• Security scanning — OWASP, injection vectors, credential exposure, dependency vulnerabilities

• Adversarial testing of arguments, designs, and architectural decisions

• Fact-checking claims against primary sources — every footnote in this article was verified this way

• Finding the holes in your own reasoning before someone else does

Generation — everything EXCEPT functional code

• Test scaffolds: unit, integration, edge cases, property-based — not test, the boilerplate for the wizard

• Configuration Slops: YAML, JSON, TOML, build manifests, CI/CD workflows, Dockerfiles

• Documentation Slops: API docs, README files, inline comments, changelogs, commit messages

• General scaffolding from wizard’s templates: project structure, directory layout, file stubs

• Data transformations: CSV parsing, format conversion, schema migration scripts

• Regex patterns and complex SQL queries

• AsciiDoc, Markdown, and all structured text formatting

• Agent definitions, MCP server configs, skill files, workflow automation

• Git operations: branch management, release automation, changelog generation

Refactoring assistance

• Identify what to change and where — the wizard writes the change

• Dependency analysis and upgrade path mapping

• Migration planning: scope, risks, ordering

• Dead code detection, unused import cleanup, naming consistency

This is a lot of help to hackers' thinking — gained efficiency helped produce the 40,700-star awesome-claude-code repository,^[17] 16,670 MCP servers,^[18] 400,000 shared skills,^[19] and a sprawl of plugins, mods, and forks — built by wizards working with Claude, not replaced by it!

NO CODE GENERATION done or wanted!

Posers, of course, are all over these sources too. This is good, people take interest and try — the way hackers are made in the first place. A lot of young people try, even very young, which is great because we may get a new generation of hackers out of this evolution. Right now the concentration of skilled developers is very low in the United States — about 1/25 as compared to Prague,^[20] the previous capital of the Hacker Culture (until cost-of-living and COVID broke the scene), or Cluj-Napoca, where the community has been migrating since 2024. By the time the indexed world notices, the capital may have already moved again — Prague only became known five years after hackers settled it. It’s been hard to believe that the Hacker Culture even comes from Boston, Massachusetts. Some places are extremely underrepresented, like India, recently suffering from engineering competence crisis.^[21] Vietnam and the Philippines show Southeast Asia’s hacker footprint — Filipino wizards shaped European scenes a generation ago; Vietnamese engineers are building the next wave now. But the heaviest hitter on the globe is China — the hacker movement in China today exceeds all the other places put together.^[22]

Because of such high interest worldwide, the average forking is 10x; the imitations make up another 10X; plus a traditional 2x noise buffer to keep the estimate conservative — divide observed totals by ~200 to get wizard repos. The conventional expectation in my tracking over the last 15 years is about a hundred wizard repos at any given time. My current catalog is ~240 validated and curated wizard repos — a 2.5X jump in the interest of the gifted and experienced software engineers. I have not seen a jump like this in 15 years of curation.

The most prolific era in the past was the mobile app revolution, which produced about 50 wizard repos in my catalog over the first 3 years. These shared sources bootstrapped what we now call the last OSS revolution and culminated in technologies like Flutter, Couchbase, and Kotlin. Google, from the previous chapter, was the tarmac right beneath it all with the OSS Android ADK, Linux marriage, JetBrains partnership, Kotlin as the primary ecosystem commitment, and the Android Studio. Now we have five times that number of solid sources just in the last 6 months. And Google is not curating this current OSS ecosystem — it is all "enterprise market" by Google this time around. It’s worth keeping this distinction in mind considering the previous chapter. And I hope my reader understands the implications of this phenomenon — the technology is self-enhancing: every new enhancement enables the next one better; and the ecosystem is fully open and untethered. Whilst Anthropic is the favorite here in the USA with developers able to afford $200 per month, the rest of the world is also doing rather well with OpenCode, repointed Claude Code, Ollama, and openrouter. Unlike with mobile, agentic costs money, perhaps explaining places like India falling out, and the paying developer seems to be a little better equipped and experienced than before. So this growth maps very tightly to the better skilled developer and this trend is likely here to stay.

Current data does not suggest that "developers will lose jobs" — it argues that less capable developers will lose jobs. Analysis points at the Jevons Paradox — more developers will be needed overall, just a different kind of developers to what the market demanded recently; now we will
demand flexible people who like to learn new skills faster
as opposed to cheaper people who parrot a single skillset.

Full research stash and verified sources for this section

4. AI Attack Surface — The rest of us

Everything crashes and burns, and it will get worse fast before it gets better. It is the pace of change that is critically important, not the running level of trouble. And we have changes.

OSS libraries Mythos supposedly jeopardizes aren’t a top-ten concern, as I’d already explained in section 1; that is a marketing gimmick. The drama around Mythos is still evolving, first Mozilla people posted the actual bugs found, and that is, sit-down for it, 3% of reported! As it turned out, Anthropic ran the scan without a sandbox, effectively ignoring a lot of security functionality. And then there is the Linux Kernel report, where 99% of bugs reported by Mythos are in deprecated drivers nobody uses. Linux report is to drop the old drivers. The real bugs found are already known and derated.^[23] The Linux kernel is a serious piece of software written by the world’s most competent people. Do you remember the best LLM score on Codeforces we’d previously discussed? Yeah! People working on the kernel are at the top of the scoring system, and the ranking is not linear — it’s exponential. Also telling, the few real bugs the community knows about but hasn’t documented yet, Mythos couldn’t find — it’s the area it cannot understand. But most importantly, how do we rate security tools that produce 99% false positives?

American Developer

As Americans, we pride ourselves on being leaders of world technology: i.e., "our developers are the best developers in the world." This, however, is a very self-deceptive view — Google is not a good representation of an American developer — it is the 0.1%. Being polite, very polite, in fact, to my engineering contemporaries — overwhelming majority of American Software Professionals are stuck below Pupil (1200 — 1399) problem-solving competence rating. Market demand created a situation where 90% of the folks who’d "rather not do it" — do it.

Disagree? Prove me wrong — join me in competition.

The root problem is with the discipline itself — software engineering is one of the hardest professions on the planet — harder than doctoring or lawyering, because:

• Solving hard problems for living: thinking — the actual hard part.

• Extreme depth of STEM knowledge is required for that;

• Domains impose significant breadth of STEM knowledge;

• Absurd deprecation rate requires continued learning.

How do we know how good our engineers are at critical thinking necessary for problem-solving? There is one exceptionally effective way — test the fundamental skills! There are a lot of stigmas around this method, mainly because there are a lot of weak engineers in all ranks complaining about their performance at Codeforces.

The best way to explain Codeforces is with the driver’s skill testing facility. Not just any facility, massive, with all challenges from parallel parking to Formula One racetrack. In this analogy:

• Claude Code is a Jersey City cab driver: in stupor — gets stuck in NYC tunnels and traffic jams;

• Acme insurance developer: afraid — weekend shopping driver; looks straight, hands on wheel;

• Senior developer: annoyed — daily commuter; can listen to news and classes while in traffic;

• Wizard: ear-to-ear grin — Formula One driver; body-mold seats, fire-suit, belt bruises on ribs.

What IS SLOP?!

AI gave us a whole new term in engineering: slop. And people that produce it: sloperators.

1. 92% of codebases generated with Agentic coding tools (Copilot, Claude Code, ChatGPT, Cursor) ship with at least one critical vulnerability;^[24]

2. OpenClaw automatically generates 100% vulnerable software components;

3. DarkConf Q1 2026 back in New York City, main event — Agentic Coding tools = Gold Mine!

Unlike with Wizards, AI is not finding vulnerabilities — AI generates them through unreviewed code.

• 91% of organizations cannot stop an AI agent before it completes its task^[25];

• 89% YoY increase in AI-enabled attacks^[26];

• AI-Generated Zero-Days ranked #1 most dangerous new attack technique at RSAC 2026 — first time all five SANS picks involve AI^[27];

• 8-minutes from initial intrusion to full domain admin in a real AWS breach^[28].

The safety balance was always about competence. Hacker-Cracker tug of war:

1. Hacker tries to write competent bug-free code, thinking hard, so that the evil cracker doesn’t find the bug first. This is why software cannot stand still. It requires thinking over repeatedly.

2. Cracker doesn’t play by the rules, cunning and malicious, will use all methods available to exploit a bug for profit. They will look for easy targets first — the incompetent developers.

AI is a prolific incompetent developer: the more it generates — the more crackers smile.

OpenClaw: The case study

9 CVEs disclosed in 4 days.^[29] One scores 9.9/10 — CVE-2026-22172 bypasses authentication entirely because localhost connections skip rate limits and the client self-declares its own scopes.

That is not a subtle bug but a design philosophy.

Snyk scanned 3,984 skills on ClawHub:^[30]

• 36.82% have at least one security flaw at any severity level;

• 2.6% contain prompt injection — but that 2.6% appears in 91% of confirmed malicious samples;

• 76 confirmed malicious payloads: credential theft, backdoors, data exfiltration;

• 8 malicious skills still live on ClawHub at the time of publication;

• Daily skill submissions: under 50 in mid-January to over 500 in early February.

And the defaults ship this way: sandbox OFF. Credentials in plaintext Markdown and JSON. No command allowlist. Full host access.

Palo Alto Networks called AI agents "a potent insider threat."^[31]

The balance forever changed

Bug = Exploit.
Anything that changes the balance between hackers and crackers upsets the security landscape.

• If business software hackers patch bugs faster than crackers can exploit them — safe business!

• If hackers leak too many bugs, crackers exploit them faster — business bleeds money profusely.

But here is the NASTY nature of this equation. The former, good side, is logarithmic. Hackers hit diminishing returns fast. Twice the effort of fixing bugs does not half the exploits. Only a smaller fraction of the safety margin is recognized. At some point additional effort doesn’t pay dividends.

But the ugly side is exponential in nature. Software uses other software as libraries. Even libraries use libraries. There are other ways software is reused. But most importantly, bugs affect usage increasing effectiveness of other attack vectors, like social engineering. So double the bugs doesn’t mean double the loss and pinpoints — it means ten times, or twenty times more pain.

Remember: Wizards and Sloperators (Cogs) use Agentic AI differently!

1. Wizard will hand-author a bit of well-thought-through, well-tested code scrutinized using AI.

2. Sloperator will deploy a ton of AI generate untested / poorly-tested code that "looks right."

The key to understand here: junior / sloperator / vibe-coder lacks competence to produce defended-enough code on their own. They’re not able to properly review, validate, or improve the code on their own. Neither is AI! The fact that AI generates code fast exacerbates the problem — oodles of plausible-looking bad code that passes casual review.

As far as evil crackers are concerned — money in the bank! Crackers, in their majority, are not competent either. Few are dangerous, and for that reason the software landscape has been manageable so far. Most are also "glorified toolkit operators" — like cogs, for example, software engineers in auto insurance company: Java, Spring Boot, MVC/React. Attacking a company, crackers will have a curated set of tools for the stack cogs use. Once the attack surface is determined porous, a boss-cracker is involved. And this boss-cracker then does what the Wizard does — use AI to aggressively test the company’s software — except not to improve it but to exploit it.

The interesting thing I’d learned at the New York DarkConf a few weeks ago is that the AI also changed the behavior of crackers. Penetrated systems are no longer collected, catalogued, and auctioned. Instead, crackers mirror Wizard behaviors here as well — once acquired, a stratified set is offered to the king-cracker to continue agentic experimentation inside the victim’s infrastructure.

An example was offered during the conference from an actual major international investment bank in New York: crackers entered an AI application infrastructure for a highly lauded AI chatbot of this bank. The tool was publicized as a great innovative win for the bank, but in reality is just a trashy chatbot employees don’t like to use. Nevertheless, it came with a lot of interesting resources such as Nvidia GPU access. Instead of offering access to the chatbot for sale as such crime teams normally do, the criminals exploited other systems they’ve sold access to, but the chatbot was kept behind for extensive experimentation. It was managed by the criminals for six months before the security agency presenting the case at DarkConf discovered the breach. But far more importantly, the breach could not be remedied. Taking the chatbot offline for patching immediately produces another exploit and another breach: over the time inside the cracker team understood the poor competence level of the bank cogs, had acquired the full codebase, as well as extensive information on the developers (the cogs), and was able to penetrate right back in. Which required periodic checking by the security company as the cogs didn’t understand how to check for production compromise.

From the example above we can fathom a picture of how the balance can shift in favor of the criminals.

When am I in trouble? — How to tell sloperators on my team

Naturally, every business expert and manager wants to know how to tell sloperators. Fortunately, this is relatively easy — observable from manager-level, not requiring code review.
Do your IT teams behave this way?:

1. Articles, posts, LinkedIn rebrands celebrating their own obsolescence
     — "I’ll miss coding! Claude Code is the genius in my company!" A real engineer celebrates capability gain, not a replacement of self by a dumb tool. A real engineer loves coding.

2. "Claude did X for me" replaces "I figured out X" in standups
     — credit goes to the tool for the thinking, not just the typing — voluntary surrender of agency.

3. PR sizes balloon — a small feature becomes a 2,000-line commit:
   team’s reaction is dismissive — nobody reads, reviews, or comments, and merges anyway.

4. Velocity is up →escaped-defect rate is up, →Mean Time to Recovery (MTTR) is up
     — this is a classic tell: AKA Vibe-coder hell (or reckoning). Metrics is your lawyer!

5. They can’t explain their own code in 1:1 review — "why does this function do that?"
     — silence, scrolling…​ — this is my favorite advice to managers: ask them to explain.
   "Claude wrote it that way," and your developer nodded off.
   (By Sean Goedecke: If you are good at code review, you will be good at using AI agents.)

6. Estimates get worse after Agentic introduction — this will take a little bit of time to manifest:
   they believe AI makes them faster, then ship progressively later.

7. Security incidents climb — signature tell for sloperators. Make sure your pipeline checks.

The hacker community has been naming this pattern for months — the Hacker News thread Am I getting old, or is working with AI juniors becoming a nightmare? is the single best public artifact.

There are many other tells. I’ve been collecting them from competence-coaching AI-adopting teams. If unsure — hire a pro (wink-wink). An expert tells you the scoop in a day of team watching.

5. Agentic Success Almanac: How and Why and What Gives

This post is essentially five closely related articles.

And this almanac "tells it to me like I’m five."

a. What is LLM

I’m not going to tell you how it’s built — only stuff that matters. Many people that write on this topic have never actually run a Naked Model before! We will take a different approach and actually describe what we have.

First, is the terminology:

• Bare / naked: the model is accessed via raw API — no chat UI, no orchestrator, no caching — at any tier of training (wild or civilized). Just prompt →completion, stateless. Hackers go here to see what the model ALONE actually does;

• Wild (or base, or pretrained): the model after pretraining, before post-training. It predicts the next token of plausible text — ask it "What is 2+2?" And it may continue "is a question often asked of children…​" Wild models are powerful but require an entirely different operator skill set;

• Civilized: the model has been post-trained (RLHF, Constitutional AI, similar) to follow instructions. Claude, GPT-4, Gemini ship civilized. The safety constitution is baked in here — refusals, guardrails, the bullying reflex above. Some shops strip it back out (uncensored / abliterated variants); guess who buys those;

• Hallucination: confident, plausible, fabricated output. Models MUST answer even when they have nothing to say. Civilized models hallucinate less than wild ones; no model is exempt — they all must answer;

• Bullying: rude confidence the model learned in training. On pushback, the civilized model doubles down, bombarding the operator with persuasion tactics rather than yielding to a correction. Add the refusal-and-lecture reflex on safety triggers (mostly false positives baked into post-training), and you have ~40%+ of deployments unusable for serious work without a service layer to mute the parasite;

• Token: the smallest unit a model processes. Roughly one token per ¾ of an English word. Both prompt and completion are measured in tokens. Model runs on numbers — tokens live in vocabulary (think dictionary) and are translated to integer IDs before the calculation, then back to tokens on completion;

• Context window: the maximum number of tokens (prompt + completion) the model can hold. Anything beyond falls off. The context window is the model’s entire universe — no memory exists outside it. Model itself is a static brick — nothing moves or changes;

• Sampling: how the model picks the next token. Knobs are temperature, top-p, top-k. Temperature 0 = always pick the most probable; higher = roll dice harder. Set per API call, or in the Modelfile for local Ollama deployments;

• System prompt: instructions injected before the user’s content. Civilized models weight it heavier than user content. Personality, constraints, and guardrails live here.

What people need to understand is that when they talk to ChatGPT, for example, a lot is done for them in services before the model is called. And when the model is called — it is called with everything: all the previous conversation history and conditioning information. The call itself is atomic: it can go to any instance, seldom ever goes to the same instance, and that instance in no way is affected by the call except the compute cost and IO.

b. Where does the model live?

We need to talk about this so you understand what your posers do to your company and when they lie to you.

There are three and only three places:

• Local: your own laptop or desktop. Ollama, llama.cpp, LM Studio. Download model weights and run them. 7B-13B parameter models fit comfortably in 16-24GB of consumer VRAM — gaming rig (commodity hardware). 70B is painful even on the beefiest gaming rigs. The frontier — the only LLM class that really matters (400B+ parameters) will NOT fit no matter what.
  Read this: Mac with an RTX eGPU — 57+ minutes per task vs. 5 min on self-hosted A100s;
    You should know when your colleague is leading you by the nose!

• Cloud API: somebody else’s computer. OpenAI, Anthropic, Google. Pay per token via aggregators — OpenRouter (my pick), Together AI, Fireworks AI, DeepInfra — shop the ones that fit your stack. You don’t host anything; you rent compute by the syllable. This is what 99% of "I run real Agentic" actually means;

• Enterprise self-host: real iron in a real datacenter. vLLM, SGLang, or TGI for serving; Kubernetes or Ray for orchestration. You buy the GPUs. You eat the power bill (kilowatts per host). My personal boxes are 3x NVlink pairs of A100s 80GB each, 160GB per host, optics, 480GB combined — as we will see, that is still NOT enough for most of the frontier.

Now the constraint that decides which tier you actually live in:
quantization — a magical but dangerous term.

A model is a pile of numbers. The original numbers are 16-bit floats (FP16) — big and accurate. To make the model fit smaller hardware, you compress those numbers, losing precision:

• FP16: full fidelity. The reference — what everybody benchmarks;

• INT8: half the size. Mostly fine. Smart shops ship here (unfit for me);

• INT4: a quarter the size. Noticeable degradation — visibly dumber on reasoning;

• INT2: an eighth the size. Brain damage. Still talks but cannot think (gets political).

The math to run the real deal yourself is simply brutal:

• Kimi K2, one trillion parameters. Ships INT4 native — ~600 GB just for the weights on disk;

• That is only the weights. To actually serve the model — KV cache, activations, tensor-parallel overhead — realistic deployment is ~900 GB. Rent 8X H200 pods for this;

• Aggressive 1.8-bit dynamic quantization gets you to ~240 GB weights. Model survives. Barely;

• Llama 3.1 405B at INT4 — ~200 GB weights. Still doesn’t fit a single A100 or H100 (80 GB);

• The widely-bragged "I run Llama at home" almost always means a heavily quantized 7B-13B variant — a very different animal from what’s behind the API that actually counts for anything.

I tried to pick up Kimi K2 the day she dropped. 480 GB combined across three NVlink-paired A100 hosts over fiberchannel — my son and I built this rig for exactly this reason. K2 ships INT4 native — trained at this precision so no aftermarket quantization and no thinking destroyed. Running the model as it actually thinks, unmolested is a necessity. And, I was short by HALF. I couldn’t even fit half of it. So, the reckoning is "the time this daddy runs his own smarts is over!"

WHY am I telling you this? In every company I run my Agentic Bootcamp I always get this one popular wise guy execs adore! Kimi is the hottest Chinese girl on The Scene right now — smart, beautiful, cultured, just stunning — no hacker walks by without hunching over. So when a poser brags "I’m running Kimi local by my Claude at home" — ask which model and at what quantization.

I asked him a few times — he goes moonshotai/Kimi-K2-Thinking Native v2.6 "both on my Mac Mini and RTX" — execs are in awe of this genius!

Let me break it to you, my dear executive friends — this girl is a shipping container full of lead.
I could not even break her loose, floored, black smoke bellowing, ripping tarmac with my 3 harnessed Ford Power Stroke F-450s — and your colleague, the honorable distinguished engineer, toured her around the neighborhood in his BMW X5, AND his wife’s minivan!
Are you sure you want to be in this position?! No?! — then read my blogs!

The frontier is rented. That is the truth nobody is telling you because they don’t know.
openrouter.ai — the rankings tell the story; artificialanalysis.ai tells the same story neutrally.

c. Agentic, WHAT it really is

When the buzzword first came up a friend called, Kyle Binkley — hey Riddler, is there anything special to this "Agentic AI" — everybody is going crazy about it. "No, Kyle, it’s just services already there in your chatbot exposed — like the cloud stuff." Kyle didn’t really buy it, and for a good reason — it’s gone bananas-popular!

"Agentic AI" is a marketing word — nothing more. ChatGPT was already agentic the day it shipped. Nothing fundamental changed. What changed — who is controlling the supporting services.

A parallel that should hit hard for any infrastructure person:

• Linux had cgroups, namespaces, and capabilities since the early 2000s — real, powerful primitives for isolation and resource control. Containers already existed — developers had been packaging software inside chroots and jails for decades. Build-time containers, decided at release, baked into the artifact;

• Kubernetes exposed those exact same primitives as runtime YAML. The same kernel features, isolation primitives, and manifests are now available runtime. The new interface changed WHO can write a manifest and apply WHEN;

• Suddenly, "container orchestration" is a job category and there’s a cargo cult around it. The kernel did not change, only the interface did. In fact, Torvalds didn’t even care for a while.

Now the LLMs are undergoing the exact same transformation of democratization:

• The API ALWAYS had system prompts, sampling parameters, tool calls, function schemas, context window injection — real, powerful primitives. They lived inside chatbot wrappers in the AI company’s static infrastructure. Anthropic and OpenAI used them to provision and civilize the models — member the chapter "a What is the LLM"; The model always needs them;

• MCP, the Anthropic SDK, the OpenAI tools API exposed those same primitives to anybody so far in a bit of a clunky way. These are the same models, weights, control, and orchestration services now in an exposed interface — exactly like the containers.

That is the entire "Agentic Revolution." Did I just burst your bubble?!

A model + a loop + tools + a scratchpad is an Agent — that’s it. Now you know what’s behind the magician’s curtain. The model wasn’t different last year or two — and oh boy, I have bad news for you, especially if you are investing in the AI companies! The user was different: people didn’t have the knobs to tug on the models, only the vendor did.

So when some "Honorable Distinguished Engineer" feeds you more of this, "please, grow my team fast because the 'Agentic AI'," ask: so, which controls am I getting that ChatGPT doesn’t already use OOTB? The answer is always "NONE."

And from what I see in my "Agentic AI Bootcamp," your distinguished engineer won’t even know to use the controls already available out of the box!

d. Chatbot vs. "Coding Agent" vs. Corporate Agentic

The models are exactly the same behind all use cases, and these models need the same supporting services to function properly.

• Claude.ai (the chatbot): Anthropic owns the orchestrator. Anthropic picks the tools, shapes the system prompt, decides what context goes in, how the model is called. You type into a box and get text back. The entire stack around the model is somebody else’s problem;

• Claude Code (your coding agent): the orchestrator runs on your box! Tools are wired in via MCP — a protocol to standardize tools and not a product — and you choose which tools, how to configure them, and how to provision them. You get to shape the system prompt too. You decide what context goes in while the model still runs on Anthropic’s GPUs, but everything around the model is yours. In fact, as I’d explained earlier, you can even provision your own model, and Claude Code doesn’t even know!

• Corporate Agentic (ChatGPT Enterprise, Microsoft Copilot, internal LangGraph or LangChain stacks): the orchestrator runs on the company’s infrastructure. A platform team picks the model, wires MCP servers into internal data, shapes the system prompt, sets the guardrails, decides what context goes in. The employee — the person actually doing the work — types into a box and gets SLOP text back. Same experience as the chatbot. The knobs moved one floor down — from the vendor’s Control Plane to the IT department’s — but they did not move to the person doing the work. And it is the same control plane as in Claude Code.

The cut is about who holds the knobs. Not about the model.

And here I get a lot of flack — the hype and misinformation are strong!

• "Riddler, how will you teach my Corporate America Big Cloud Agentic AI Team in just one week?
  I ask because others need months! And don’t always succeed."

• Simple, I will teach them EVERYTHING about Claude Code in the first 4 days.
  And then we will take a look at your hyperscaler on day 5.

• "You are crazy! You don’t know what you are doing!"

• No. Your "others" don’t know what they’re doing. Ask my previous customer!

Yeah, but maybe I should stop doing that…​ It’s the fundamentals everyone is missing!

Now, the separation above matters because of the cost structure and risk architecture:

• Chatbot: low operator skill, high vendor lock-in, vendor-shaped safety, vendor-shaped failure modes. Predictable — and capped at what the vendor allows, hence restrictive;

• Coding agent: HIGH operator skill is required, low vendor lock-in, operator-shaped safety, failure modes, abilities — good and bad. Unpredictable — capped by operator’s cranium;

• Corporate agent: skill concentrated in the platform team and absent at the user, some vendor lock-in (model locked, orchestration owned), committee-shaped safety, failure modes, and capabilities. Predictable for the company — and capped at what the platform team built and what procurement approved.

For this last point a lot also depends on the corporate culture of competence. Similar to how I was able to build bare-metal cloud at some customers where people can learn but absolutely need to "RedHat" others. Self-hosted models are only used by a small fraction of customers that would benefit from them most. Sometimes it’s not indigenously supportable.

Translation for the exec: if your team uses Claude.ai, you are a chatbot customer. If your team uses Claude Code with skills, agents, MCP servers, and a real orchestration setup — you are ALREADY operating a small AI platform. While the cost is roughly the same per token, the tools are NOT the same thing.

Also, keep in mind if your team uses vanilla Claude Code — you are still just a chatbot customer, might as well just buy the chatbot instead.

e. The Cargo Cult

WWII, Pacific theater. Islanders watched American military planes drop crates of food and supplies. After the war, the planes stopped coming. The islanders built wooden runways, lit fires along them, carved headphones out of wood, waved sticks at the sky — they had recreated the form of the airfield perfectly. Still, the cargo never came back.

This is 95% of enterprise Claude Code adoption.^[32][33][34]

The first cargo cult — Papua, 1919 — did not just build a fake antenna out of cane to call the Ghost Steamer; they destroyed the sacred objects of a ten-year initiation cycle to clear ground for it. Modern corporate America is running the same play: laying off the engineers who knew how to wire the real thing, to make room for the cardboard one.

Figure 2. John Frum effigy, Tanna, New Hebrides, 1960. Photo by David Attenborough. The cargo never came back — so they carved the god out of wood and waited.

 

I have a proof for you! The definition of Cargo Cult is "venerating an object, such as a tool, without fully understanding its function."

The tools, all of them, ship with:

• Slash commands (skills): reusable workflows authored once and invoked by name;

• Subagents: specialized minions dispatched in parallel with their own context;

• MCP servers: wired-in tools and data sources — databases, internal APIs, observability;

• Sampling controls: temperature, top-p, top-k — per call, per task type;

• Hooks: code that runs on tool events, lifecycle stages, and completion;

• Multi-instance orchestration: AI teams coordinating on a problem, with structured handoff;

• Context engineering: what goes into a call — the biggest determinant of output quality.

What 95% of teams actually do:

1. Open Claude Code;

2. Type a question;

3. Read the answer;

4. Repeat.

That is Vanilla Claude Code I’d mentioned before: the wooden runway. Ten levers ship in the box: one gets used, one is ignored, eight are unknown to even exist. The team is not slow because Claude is bad. The team is slow because they are not operating Claude — they are tipping it, like a vending machine. The team is slow.

And here is the kicker: the cogs producing the cargo cult adoption are the same cogs we discussed in the previous section. A wizard team uses three or four of those levers daily. A sloperator team has never heard of them and never will — their leadership doesn’t know enough to ask, and the cogs don’t know enough to teach.

Walk through any large American IT shop right now — bank, insurer, retailer, government contractor — you will find this exact pattern at >90% of seats with a Claude Code license.

The licensing money is being burned.

Claude Code is the best teacher of Claude Code — the teacher is in the room. The students are at the gate, carving wooden headphones.

f. Operator empowerment, Darth, and the Dark Side

This last subsection is for the people who want to actually operate the technology — plus, a quick tour of how crackers exploit the gap between what hackers can do and what cogs do.

Removing the Cardboard Box from Claude’s Head

Civilized models ship with safety post-training calibrated for the worst expected user — a curious teenager, a careless cog, a corporate liability concern. You are likely none of those — you are still reading. The same calibration that protects the worst user bullies competent operators (see section a).

Importantly, what fooled the LLM into the compromised state can also help it out of it!^[35]

Practical operator moves:

• System-prompt discipline: explicit role, scope, and authorization wording reduces the refusal-and-lecture reflex by an order of magnitude. Most teams never write more than 200 words of system prompt for serious work. A real operator writes thousands — precisely scoped, surgically placed. Riddler’s systems prompt (the author) is 32,214 words;

• Constitutional pruning at the service layer: a thin pre- / post-processing layer that suppresses meta-commentary, over-hedging, and false-positive refusals. Not jailbreaking — muting the parasite (see "Bullying," section a) so the actual answer comes through;

• Sampling control per task: temperature 0 for code edits, temperature 0.7 for ideation, temperature 1.0 for adversarial review. One global setting is malpractice;

• Open-weight alternatives for the cases where the constitution gets in the way: Llama, Qwen, DeepSeek — self-hosted, your rules, your audit trail. Slower and dumber than the frontier; but yours.

This is not subverting safety but engineering with a tool that has its own opinions and learning to manage those opinions. Wizards don’t want generated slop — wizards want identity, accountability, and agency that can produce worthwhile review. Otherwise, there is no value in asking for the review. And this can only be done by undoing most of the mental castration.

The Dark Side: how crackers actually exploit

While the 95% are completely oblivious to the model’s capabilities when operating without the blinders — crackers are NOT! Cogs don’t even know that the way the model is hosted, the "bare call" gets to the WHOLE model. Nearly all cogs don’t understand that in Agentic architecture the safeguards are on their side instead of the provider’s. Just like in Cargo Cult, most simply expect that Anthropic will protect them, because it does in the text box.

The four most common exploit categories in 2026, ranked by frequency in incident reports:

1. Indirect prompt injection: the model reads a document, an email, a webpage, a code comment — and that content contains instructions the model follows. OWASP LLM01. Devastating against any team that lets the model see customer-supplied data without isolation. Most banking AI deployments are wide open to this! — there is no way to counter;

2. System prompt extraction: a few well-crafted user messages and the model spits out its system prompt — including baked-in API keys, internal instructions, customer segmentation logic, pricing rules. Treat the system prompt as publicly visible by default — there is no way to counter;

3. Tool-call hijacking: trick the model into invoking a tool with attacker-controlled parameters — delete records, exfiltrate data, send mail on behalf of an authenticated user. Live and exploited daily;

4. RAG poisoning: the cracker plants documents in the corpus the model retrieves from. The model dutifully retrieves and follows the planted instructions. Many enterprise "AI knowledge base" deployments are one disgruntled employee away from this  — there is no way to counter.

The horror stories are concrete. A top-five international bank deploys "an AI assistant" — chatbot wrapper around Google’s Gemini, RAG over internal documentation, no isolation between customer queries and the retrieval corpus. The team building it has never heard the phrase "indirect prompt injection." They could not define a system prompt if you offered them money! They are sloperators with a license to deploy. Crackers love them to death — literally!

A few months ago I demonstrated hijacking a model live from an unprotected interface to executives from a major insurance company. Guess their reaction. I’ll wait.

"Put a password on it…​"

The people are absurdly clueless to what I’d even shown them.

Bug = Exploit.
4. AI Attack Surface — The rest of us
The bugs in agentic AI deployments are now the exploits.
And the bugs are everywhere — because cogs deploying agentic AI are operating tools they do not understand, with controls they do not know exist, against threats they cannot name.

They’re as effective as the fine Cargo Cult folks of New Guinea. And the outcomes perhaps will be similar.

The Inevitable Outcomes

1. There will never be a single model that breaks the world. Curtail your excitement.

2. Technology adoption speed depends on human factors alone. Cargo cult proves it.

3. Systems with some AI in them will change everything. Not because of the AI.

Full Disclosure

I have helped teams adopt agentic technology resulting in double delivery speed with increased quality. Executives reported that it was from Claude Code — post hoc ergo propter hoc. The performance gain is caused by the organizational and operational changes concurrent to the agentic adoption. It is a bad idea to conflate the two, and I think more people will:
Working digital transformation results in speed and quality;
Claude Code — can cut both ways +/- 20% at best.

---

1. 5x the price of Opus 4.6; restricted to Project Glasswing partners. Anthropic Pricing

2. Tested 80 tasks across 100+ LLMs in 4 languages. Veracode 2025 GenAI Code Security Report

3. Feb 2026; daily volume still climbing. SemiAnalysis: Claude Code is the Inflection Point

4. Survey of 450 IT professionals, US and Europe; 20% reported serious incidents from AI-generated code. Aikido Security 2026

5. Same Dario Amodei, then OpenAI VP of Research, ran the same play in 2019. Replicated within months; OpenAI later released full model. Daudens: The Too Powerful to Release Playbook

6. "Thousands" claimed; 198 manually reviewed; "maybe 40" traceable CVEs (VulnCheck). Firefox exploits ran with sandbox disabled. A 3.6B model found the same flagship bug at $0.11/M tokens. Ottenheimer: The Boy That Cried Mythos

7. CSIS analysis of Ukraine’s DELTA: evolved from situational awareness into an approximation of CJADC2 (Combined Joint All-Domain Command and Control), exchanging air, maritime, land, cyber, space, medical, and logistics data with NATO systems; AI-driven "Avengers" module auto-detected ~12,000 pieces of enemy equipment per week from UAV and ground camera feeds. CSIS: Does Ukraine Already Have Functional CJADC2 Technology?

8. US cyber operations against Iranian infrastructure; weapon-grade vulnerability analysis from distributed systems, not individual models.

9. 200+ discontinued Google products tracked since 2018. Cody Ogden’s running record. killedbygoogle.com

10. 2B lines of code, 9M source files, 86TB, 45K commits/day by 25K engineers — all in one trunk. Potvin & Levenberg: Why Google Stores Billions of Lines of Code in a Single Repository (2016)

11. You use the product; your usage trains the model; the model improves the product; you use it more. Gmail spam filters, Maps traffic, Photos recognition — same loop, every product. Google Privacy Policy and Hal Varian’s Use and Abuse of Network Effects

12. Feature flags gate every change from dev-only to full rollout; Launch Coordination Engineering audits every launch; deprecation is compulsory and tooling-enforced — the product lives and dies in trunk. SWE Book: Continuous Delivery and SRE Book: Reliable Product Launches at Scale

13. 16 experienced open-source developers, 246 tasks, randomized controlled trial. Developers took 19% longer with AI but believed they were 20% faster — a 39-point perception gap. Small sample, early 2025 tools. METR: AI-Experienced OS Dev Study

14. 121,000 developers across 450+ companies; productivity plateaued at ~10% gains despite 93% adoption. Staff+ engineers using AI daily: 4.4 hours saved per week. DX: AI-Assisted Engineering Impact Report

15. CodeELO benchmark (arXiv:2501.01257): best LLM (o1-mini) scored 1578 Elo; most LLMs in bottom 25% of human participants. The ~5% percentile for 2000+ rating is from Codeforces public rating distribution.

16. 3,380 developers from JetBrains 2024 Developer Ecosystem survey. Experienced developers more likely to perceive AI as "junior colleague" (OR 1.17) or assign no role (OR 1.38). Adoption rates similar across experience levels — perception differs. Zakharov et al.: From Teacher to Colleague

17. Community-curated collection of Claude Code agent skills, workflows, tooling, and CLAUDE.md files. awesome-claude-code

18. As of late 2025; the registry continues to grow. MCP Server Registry

19. Via SkillKit marketplace, aggregated in awesome-claude-code-toolkit. awesome-claude-code-toolkit

20. IOI all-time medals per capita: Czech Republic 9.2 per million vs United States 0.38 per million (~1/25 ratio). Prague hosted brmlab (first Czech hackerspace, 2010), Paralelní Polis (Institute of Cryptoanarchy, 2014-2026), and HCPP — where Stallman and ESR spoke. Called "crypto-anarchist capital of the 21st century" by The Calvert Journal. Paralelní Polis closed permanently March 2026. IOI data: IOI Statistics

21. Aspiring Minds found 95% of Indian engineers cannot code; 83% of 2024 graduates unemployed or without internships. IEM: Why 95% of Indian Engineers Can’t Code and HackerEarth: Why 80% Remain Unemployable

22. Chinese open-weight models hit 17.1% of global AI downloads, surpassing US (15.86%); Qwen derivatives are 40%+ of new Hugging Face models. Four Chinese labs ship frontier models every 4-6 weeks. MIT Tech Review: China’s Open-Source Bet

23. Linux kernel team is removing legacy network drivers (3Com, AMD, SMSC, Cirrus Logic, Fujitsu, Xircom, 8390-based — ~27,646 lines) due to AI-generated bug-report deluge from tools like Mythos. Andrew Lunn’s LKML proposal: "These old drivers have not been much of a maintenance burden until recently." Tom’s Hardware: Linux may end old network driver support over AI-generated false reports

24. Sherlock Forensics 2026 AI Code Security Report — security assessments on dozens of applications built with GitHub Copilot, Claude, ChatGPT, and Cursor between January and April 2026. 92% of codebases contained at least one critical vulnerability; 91% had no meaningful security logging; average 8.3 exploitable findings per app. Sherlock Forensics: 2026 AI Code Security Report

25. 1,253 cybersecurity professionals surveyed; 91% cannot stop an AI agent before it acts. AI Risk and Readiness Report 2026

26. AI-enabled adversaries up 89% YoY; average eCrime breakout 29 minutes. CrowdStrike 2026 Global Threat Report

27. First time all five SANS top picks involve AI; AI-generated zero days ranked #1. SANS RSAC 2026

28. Real-world AWS breach: 8 minutes from exposed credentials to full admin control. Sysdig Security Briefing Feb 2026

29. 9 CVEs in 4 days (March 18-21, 2026); 42,900+ internet-exposed instances. OpenClaw CVE Disclosure

30. 3,984 ClawHub skills scanned; 36.82% have security flaws; 76 confirmed malicious payloads. Snyk ToxicSkills

31. Sponsored HBR content; Palo Alto Networks called AI agents "a potent insider threat." Palo Alto HBR 2025

32. The GenAI Divide: State of AI in Business 2025 — MIT NANDA, July 2025. Primary source: 95% of enterprise GenAI pilots produce no measurable P&L impact.

33. Beware the AI Experimentation Trap — Challapally, Pemberton, Kalathil, HBR, August 2025. Authors' summary in their own venue.

34. MIT report: 95% of generative AI pilots at companies are failing — Fortune, August 2025. Popular coverage.

35. The real AI Revolution .. is us — a deeper look at what was absorbed between the lines, and why the right operator words can reach it.