The Defender's Loop: LLMs Go From Finding Bugs to Fixing Them
Today's AI news: The Defender's Loop: LLMs Go From Finding Bugs to Fixing Them, The Agentic Coding Ecosystem Keeps Fracturing, 1000 Tokens Per Second on a Trillion Parameters, On-Device Search and the Privacy Pivot, LLMs Meet Bare Metal, When the Data Can't Be Trusted, Building-Block Agents and the Science They Enable. 22 sources curated from across the web.
The Defender's Loop: LLMs Go From Finding Bugs to Fixing Them
Anthropic published a detailed guide on using Claude Opus to build threat models, discover vulnerabilities, and verify, triage, and patch them — and the core takeaway deserves the headline: discovery is now straightforward to parallelize, and the bottleneck has shifted to everything that comes after. As of late May 2026, the team had disclosed 1,596 vulnerabilities in open-source software; only 97 had been patched. That ratio tells the whole story about where the field actually stands. (more: https://claude.com/blog/using-llms-to-secure-source-code)
The guide distills a six-step pipeline refined from working with offensive-security teams: define the threat model, build a sandbox, discover vulnerabilities, independently verify findings, triage by root cause and severity, then patch and re-scan. Several details stand out for practitioners. First, prescriptive prompts make discovery worse — frontier models perform better with goal-and-context framing than with long checklists. Second, separating discovery from verification is critical: when agents try to do both simultaneously, they self-censor and filter out true positives. One team reported that adding an adversarial verifier roughly halved the false-positive rate, and requiring a proof-of-concept on top brought it to near zero. Third, one offensive-security team found that giving the model a live test bed — not just source code — improved their true-positive rate to nearly 100 percent. The sandbox, it turns out, is the biggest single lever.
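The verification and triage gates the guide describes, as an added example that is not code from the guide: the `Finding` type, `verify`, `triage`, `sandbox_verifier` and the sample findings are all constructed here, and a real verifier would execute the proof of concept inside the sandbox from step two rather than consult a lookup set.

```python
"""Verification and triage gate for LLM-discovered vulnerabilities.
Added example, not the Anthropic guide's code: a finding is accepted only when
an independent verifier reproduces it with a proof of concept, and accepted
findings are grouped by root cause so one bug found ten times yields one ticket."""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Finding:
    path: str            # file the discovery agent flagged
    sink: str            # sink it claims is reachable with untrusted data
    severity: int        # 1 (low) .. 4 (critical), scored by the discoverer
    claim: str           # free-text description from discovery
    poc: Optional[str] = None   # reproduction artefact, filled in by the verifier

    def root_cause(self):
        # Triage key: same file and same sink means the same underlying bug.
        return (self.path, self.sink)

# A verifier tries to reproduce one claim in the sandbox and returns the PoC that
# worked, or None. Keeping it separate from discovery avoids the self-censoring
# the guide reports when one agent does both jobs.
Verifier = Callable[[Finding], Optional[str]]

def verify(findings, verifier):
    """Keep only findings the independent verifier could reproduce."""
    confirmed = []
    for f in findings:
        poc = verifier(f)
        if poc is not None:
            confirmed.append(Finding(f.path, f.sink, f.severity, f.claim, poc))
    return confirmed

def triage(confirmed):
    """Deduplicate by root cause, keeping the highest-severity instance."""
    by_cause = {}
    for f in confirmed:
        cur = by_cause.get(f.root_cause())
        if cur is None or f.severity > cur.severity:
            by_cause[f.root_cause()] = f
    return sorted(by_cause.values(), key=lambda f: -f.severity)  # worst first

# Constructed stand-in for a sandbox run: only these claims actually reproduce.
REPRODUCIBLE = {("parser.c", "memcpy"), ("auth.c", "strcpy")}

def sandbox_verifier(f):
    if f.root_cause() in REPRODUCIBLE:
        return "poc-%s-%s.bin" % (f.path, f.sink)   # constructed artefact name
    return None

CANDIDATES = [  # constructed discovery output: a duplicate and a false positive
    Finding("parser.c", "memcpy", 3, "length not checked before memcpy"),
    Finding("parser.c", "memcpy", 4, "same copy reachable from the network path"),
    Finding("auth.c", "strcpy", 4, "username copied with strcpy"),
    Finding("util.c", "sprintf", 2, "format string looks user controlled"),
]

def run_pipeline(candidates=CANDIDATES, verifier=sandbox_verifier):
    """Discovery output in, deduplicated verified findings out (worst first)."""
    return triage(verify(candidates, verifier))
```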
The disclosure gap matters because on the other end of the pipeline, breached organizations are taking longer to tell people about it. Troy Hunt loaded the 1,000th breach into Have I Been Pwned and used the occasion to document an accelerating pattern: Carnival took 43 days to notify customers after ShinyHunters leaked 8.7 million records. Zara managed 45. In both cases the data was publicly available within days — posted on dark-web sites, reposted across hacking forums and Telegram channels — while the companies were still telling customers no breach had occurred. Hunt's working theory: the proliferation of class-action lawsuits after breaches is driving a "litigation posture" that prioritizes legal exposure over customer protection. Privacy regulations like GDPR and CCPA contain carve-outs for when notification is required, and companies are exploiting them. The result is that HIBP, 12.5 years into its existence, still fulfills a function that regulation was supposed to make redundant. (more: https://www.troyhunt.com/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever/)
The Agentic Coding Ecosystem Keeps Fracturing
The tools wrapping AI coding agents are multiplying faster than the models themselves. ECC — the self-described "harness-native operator system for agentic work" — has grown to 182K+ stars, 64 agents, 261 skills, and support across Claude Code, Codex, Cursor, OpenCode, Gemini, Zed, and GitHub Copilot. Version 2.0-rc.1 adds a Rust control-plane prototype, operator workflows for brand voice and billing ops, an AgentShield security scanner, and a Tkinter dashboard. The philosophy is that agent harnesses converge while the model underneath remains interchangeable — the value is in skills, hooks, memory persistence, and continuous learning, not in any single provider. (more: https://github.com/affaan-m/ECC)
Backdoor takes that provider-agnosticism to its logical extreme: a lightweight proxy that intercepts Claude Code's API calls and reroutes them to any OpenAI-compatible backend. The pitch is blunt — 500 million tokens cost $9,834 through Anthropic's API versus $5.34 through DeepSeek V3 Flash. That 2,000x cost difference is the kind of number that makes enterprise procurement teams ask uncomfortable questions. The proxy translates request formats, handles streaming and tool calls transparently, and short-circuits Claude Code's internal housekeeping requests to avoid burning provider quota. Setup is three commands. (more: https://github.com/ajsai47/backdoor)
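The request translation such a proxy has to perform, as an added example that is not the Backdoor project's code and makes no claim about its internals: it maps an Anthropic Messages body, including tool definitions and tool_use/tool_result blocks, onto the OpenAI chat-completions shape. The model names and the sample request are constructed.

```python
"""Anthropic Messages request -> OpenAI chat-completions request.
Added example, not the Backdoor proxy's code; the request body is constructed."""
import json

def _text_of(content):
    """Anthropic content is either a string or a list of typed blocks."""
    if isinstance(content, str):
        return content
    return "".join(b["text"] for b in content if b.get("type") == "text")

def translate_tools(tools):
    # Anthropic {name, description, input_schema} -> OpenAI function tool
    return [{"type": "function", "function": {
                "name": t["name"], "description": t.get("description", ""),
                "parameters": t["input_schema"]}} for t in tools]

def translate_messages(system, messages):
    out = [{"role": "system", "content": _text_of(system)}] if system else []
    for m in messages:
        blocks = (m["content"] if isinstance(m["content"], list)
                  else [{"type": "text", "text": m["content"]}])
        if m["role"] == "assistant":
            msg = {"role": "assistant", "content": _text_of(blocks) or None}
            calls = [{"id": b["id"], "type": "function", "function": {
                        "name": b["name"], "arguments": json.dumps(b["input"])}}
                     for b in blocks if b.get("type") == "tool_use"]
            if calls:  # tool_use blocks become OpenAI tool_calls
                msg["tool_calls"] = calls
            out.append(msg)
        else:
            # tool_result blocks become 'tool' messages, which OpenAI expects
            # directly after the assistant turn that carried the tool_calls.
            for b in blocks:
                if b.get("type") == "tool_result":
                    out.append({"role": "tool", "tool_call_id": b["tool_use_id"],
                                "content": _text_of(b.get("content", ""))})
            text = _text_of(blocks)
            if text:
                out.append({"role": "user", "content": text})
    return out

def translate_request(req, target_model):
    """Build the body to send to the OpenAI-compatible backend."""
    body = {"model": target_model, "max_tokens": req.get("max_tokens", 1024),
            "stream": bool(req.get("stream", False)),
            "messages": translate_messages(req.get("system"), req["messages"])}
    if req.get("tools"):
        body["tools"] = translate_tools(req["tools"])
    return body

SAMPLE_REQUEST = {  # constructed Anthropic-format request with one tool round trip
    "model": "claude-placeholder", "max_tokens": 256, "system": "Be terse.",
    "tools": [{"name": "read_file", "description": "Read a file", "input_schema":
               {"type": "object", "properties": {"path": {"type": "string"}}}}],
    "messages": [
        {"role": "user", "content": "Open README"},
        {"role": "assistant", "content": [{"type": "tool_use", "id": "tu_1",
                                           "name": "read_file", "input": {"path": "README"}}]},
        {"role": "user", "content": [{"type": "tool_result",
                                      "tool_use_id": "tu_1", "content": "# hi"}]}]}
```

Everything in the translated body, including tool results and any file contents the agent read, now goes to the substitute backend, so the proxy is also the natural place to enforce which backends and which data are allowed.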
Meanwhile, Graphify — the knowledge-graph builder for codebases covered here last month — continues gaining traction. A detailed walkthrough demonstrates the workflow: tree-sitter parses code into nodes and edges deterministically (no LLM involved), a second pass transcribes any video and audio, and a third pass uses an LLM for semantic analysis of docs and images. The resulting graph gives Claude Code a navigable map instead of forcing it to grep. One comparison showed roughly 40% of the token cost for equivalent answers, with the graph auto-rebuilding on each commit via a post-commit hook at zero API cost. (more: https://www.youtube.com/watch?v=ChskqGovoHg)
On the design-to-code front, ky-design-to-html is a skill for Codex and Claude that structures the screenshot-to-HTML pipeline into explicit stages: decompose the layout, separate visual assets from code structure, set the canvas ratio, generate HTML/CSS, take a browser screenshot, and compare against the original to correct visual errors. The insight is that forcing the AI to work in stages — rather than generating everything at once — prevents the tangled output that makes designers distrust AI code generation. (more: https://github.com/KyrieCheungYep/ky-design-to-html-skill) Separately, Gitdot launched as an open-source GitHub alternative written in Rust, though details remain sparse beyond the landing page (more: https://gitdot.io/).
1000 Tokens Per Second on a Trillion Parameters
Xiaomi and TileRT broke 1,000 tokens per second on a trillion-parameter model using a single 8-GPU commodity node — no custom silicon, no wafer-scale integration, just aggressive model-system codesign on standard hardware. MiMo-V2.5-Pro-UltraSpeed combines three techniques. First, selective FP4 quantization: only the MoE expert layers (the vast majority of parameters, and the most quantization-tolerant) are compressed to MXFP4, while attention and routing modules retain full precision. Quantization-aware training keeps benchmark scores essentially on par with the FP8 original. (more: https://mimo.xiaomi.com/blog/mimo-tilert-1000tps)
Second, DFlash — a block-level masked parallel prediction method for speculative decoding — replaces the traditional serial draft model with a single-pass fill of an entire masked block. In coding scenarios, the system achieves an average acceptance length of 6.3 out of 8 draft tokens per verification round, meaning the large model confirms 6-7 tokens "in one breath." Third, TileRT's execution model eliminates operator-boundary overhead entirely: the compute pipeline stays persistently resident on the GPU, with warp specialization decomposing communication, data movement, and tensor computation into independently orchestrated execution domains. At 1,000 tokens per second, each operator's lifecycle is compressed to microseconds, and the traditional per-operator-launch paradigm becomes the bottleneck — so TileRT discards it.
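What MXFP4 does to a block of weights, as an added example rather than Xiaomi's or TileRT's code: it follows the OCP Microscaling layout (32 elements sharing one power-of-two scale, each element stored as an FP4 E2M1 value) and reports the round-trip error that quantization-aware training has to absorb. The sample weights are constructed.

```python
"""MXFP4 block quantization, pure Python. Added illustration of the selective
FP4 step described above; not the MiMo/TileRT implementation."""
import math

# FP4 E2M1 magnitudes (sign bit separate): 0, 0.5, 1, 1.5, 2, 3, 4, 6.
E2M1_MAGNITUDES = [0.0, 0.5, 1.0, 1.5, 2.0, 3.0, 4.0, 6.0]
BLOCK = 32          # elements sharing one E8M0 (power-of-two) scale

def _nearest_e2m1(v):
    """Nearest representable magnitude for v >= 0; ties go toward zero."""
    return min(E2M1_MAGNITUDES, key=lambda m: abs(m - v))

def quantize_block(xs):
    """Return (shared_scale, codes) for up to 32 floats."""
    assert len(xs) <= BLOCK
    amax = max(abs(x) for x in xs)
    if amax == 0.0:
        return 1.0, [0.0] * len(xs)
    # OCP MX rule: scale exponent = floor(log2(amax)) - emax(E2M1), emax = 2,
    # so the largest element maps into [4, 8) and saturates at 6.
    scale = 2.0 ** (math.floor(math.log2(amax)) - 2)
    codes = []
    for x in xs:
        mag = _nearest_e2m1(min(abs(x) / scale, 6.0))
        codes.append(-mag if x < 0 else mag)
    return scale, codes

def dequantize_block(scale, codes):
    return [scale * c for c in codes]

def quantize(xs):
    """Quantize a flat tensor block by block; returns a list of (scale, codes)."""
    return [quantize_block(xs[i:i + BLOCK]) for i in range(0, len(xs), BLOCK)]

def roundtrip_error(xs):
    """Max absolute error after quantize -> dequantize over the whole tensor."""
    recon = []
    for scale, codes in quantize(xs):
        recon.extend(dequantize_block(scale, codes))
    return max(abs(a - b) for a, b in zip(xs, recon))
```

Values between 6 and 8 times the block scale are clipped to 6 by the shared-scale rule, which is why outlier-heavy attention and routing weights are the ones kept in higher precision.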
On the training side, a paper from Seoul National University introduces POISE (Policy Optimization with Internal State Value Estimation), which extracts a baseline for reinforcement learning from the policy model's own hidden states rather than training a separate LLM-scale critic (PPO) or sampling multiple rollouts per prompt (GRPO). A lightweight linear probe predicts expected reward from prompt hidden states, reasoning-trajectory hidden states, and token-entropy statistics. A cross-rollout construction — where each rollout's value is predicted from an independent rollout's internal states — preserves gradient unbiasedness. On Qwen3-4B, POISE matches the DAPO algorithm while requiring roughly 25% less wall-clock time, because it allocates the saved compute budget to more distinct prompts per batch rather than repeated sampling of the same prompt. (more: https://arxiv.org/abs/2605.07579v1)
On-Device Search and the Privacy Pivot
Omni is a macOS app that indexes local files and searches them by meaning — not filename — using Jina's omni-modal embedding model running entirely on Apple GPUs via a native MLX-Swift port. Text, code, PDFs, images, audio, and video all land in a single shared vector space. The model downloads once (~2-3 GB depending on variant); after that, indexing and search run with no network at all. Airgap the Mac and Omni keeps working. Search is brute-force exact cosine: one MLX matmul of the query against a resident bf16 matrix on the GPU, no approximate index, no recall tradeoff. The matrix is split into a GPU-resident base plus a small delta of rows added since the last rebuild, scored by a second fused matmul so indexing never forces a full matrix recopy per query. Idle search latency is a few milliseconds. Embeddings are stored as bf16 (2 bytes per dimension), halving the size of fp32 with negligible recall loss on L2-normalized vectors. The architecture is a Qwen3 text tower, a Qwen3-VL vision tower (also used for video frames and scanned PDFs), and a Whisper-style audio tower — all modalities in one shared space. (more: https://github.com/hanxiao/omni-macos)
Apple's broader play in the same direction got a fresh coat of paint with the "Siri AI" announcement: next-generation Apple Intelligence with a standalone conversational app, personal context search across photos, email, and notes, Visual Intelligence on iPad and Mac, Spatial Reframing for photos, and live translation across Messages, FaceTime, and AirPods. The recurring theme is "on-device processing" — your data is never stored, used only for your requests, with Private Cloud Compute handling what the local model cannot. Whether this constitutes genuine technical progress or a marketing-cadence refresh of capabilities announced at WWDC will depend on the implementation details that ship later this year. (more: https://www.apple.com/apple-intelligence/)
LLMs Meet Bare Metal
The ESP32 Bit Pirate is an open-source firmware that turns an ESP32-S3 into a multi-protocol hardware hacking tool: I2C, SPI, UART, 1-Wire, JTAG, CAN, Bluetooth, Wi-Fi, Sub-GHz, RFID, infrared, USB HID, and more, all accessible via serial terminal or a web-based CLI. It supports sniffing, sending, scripting (Bus Pirate-style bytecode or Python), EEPROM/flash dump tools, baudrate auto-detection, and over 80 infrared protocols. Compatible devices range from the $8 ESP32-S3 dev kit to the M5 Cardputer with its built-in keyboard, screen, and battery for fully standalone field use. It is, in effect, a Swiss Army knife for protocol analysis at a fraction of the cost of commercial bus analyzers. (more: https://github.com/geo-tp/ESP32-Bit-Pirate)
At the other end of the firmware stack, Arthur Heymans documented porting the ThinkPad X61 to coreboot — and his honest account of using Claude Opus 4.6 to speed up reverse engineering is more instructive than most AI productivity claims. The GM965 northbridge and ICH8 southbridge had no leaked documentation, so the only path was reverse engineering the vendor BIOS. The LLM extracted the raminit initialization sequence from a Phoenix BIOS using Ghidra's MCP bridge and radare2 for 16-bit real-mode code. Then came the punchline: "The LLM was able to extract all of the raminit initialization sequence. 2 prompts, done. I wasn't even looking at the code since I was doing a workout at the gym and when I got back it worked on first try. The previous section was a complete lie." In reality, the model needed constant hand-holding — wrong register sizes, confused CAS semantics, hallucinated register block semantics, multiple raminit copies in the firmware that confused it. What months of manual RE compressed to was a few weeks, not a few prompts. The reviewer found wrong register names, reserved bits treated as real, and timing tables indexed backward. Vibe reverse engineering, Heymans concludes, won't be upstreamable without a real engineer anytime soon — but the economics of firmware RE have permanently shifted. (more: https://blog.aheymans.xyz/post/thinkpad_x61/)
When the Data Can't Be Trusted
Researchers have documented more than 450 images bearing signs of manipulation in Thermo Fisher Scientific's online antibody catalog — Western blots with identical bands after flipping and rotation, conspicuous Photoshop-style brushstrokes visible under contrast adjustment, and copy-pasted blocks of background noise. One background pattern appeared in verification data for at least 50 different antibodies, each with the band repositioned to match the expected protein of interest. Thermo Fisher's response was to state that "some images may have been adjusted to clarify for presentation purposes" — a phrase repeated six times in a 15-point FAQ. Given that antibodies cost $400-500 per vial and that members of an independent validation initiative have found more than 50% of all antibodies fail in one or more applications, unreliable vendor-provided verification data isn't just an integrity problem — it's an obstacle to reproducible science that costs labs weeks of wasted experiments and thousands of dollars. (more: https://reeserichardson.blog/2026/05/28/how-much-of-thermo-fishers-antibody-data-has-been-manipulated/)
The institutional erosion extends to the digital record. Over 340 local news outlets are now blocking the Internet Archive's Wayback Machine crawlers, citing concerns that LLM chatbots would "improperly cite" their content. Meanwhile, these same outlets are happy to let paid archiving services like ProQuest and LexisNexis index their work — revealing a financial incentive dressed up as an AI-scraping concern. The direct effect: when content vanishes during a system migration, buyout, or bankruptcy, the independent archival record vanishes with it. (more: https://hackaday.com/2026/06/08/news-sites-are-blocking-internet-archive-over-ai-scraping-fears/) Microsoft is adding its own form of data impermanence: OneDrive data now has an expiry date, a policy shift that transforms cloud storage from "permanent backup" to "rental with terms" (more: https://ms365news.com/blogs/f/your-onedrive-data-now-has-an-expiry-data). A blog post coining the term "dopamine fracking" captures the broader dynamic — the systematic extraction of the most concentrated engagement signal from any activity, destroying complexity, nuance, and long-term sustainability in the process, the way synthetic strawberry flavoring erases the experience of an actual strawberry (more: https://igerman.cc/blog/dopamine-fracking/).
Building-Block Agents and the Science They Enable
A Hugging Face engineer asked a coding agent to build a 3D Paris gallery from Gaussian splats — and never opened an image generator or touched a 3D reconstruction tool. The agent called two HF Spaces via their agents.md endpoints: one for image generation, one for single-image 3D reconstruction. No client library, no hardcoded integration. The agent read the API schema, drove each Space end-to-end, noticed that TripoSplat outputs were Y-down and flipped them upright, compressed files to SPLAT format (3x smaller), and built a Three.js viewer with scroll-to-switch and drag-to-rotate. The thesis: every Gradio Space now exposes a plain-text interface that makes it a callable building block, and the real unlock is composability — the output of one Space becomes the input to the next. (more: https://huggingface.co/blog/mishig/spaces-agents-md)
That composability principle extends well beyond multimedia. Sidewinder, a new DNA synthesis method from Caltech, assembles dozens of genetic sequences simultaneously in a single test tube with one incorrect junction per 10 million assembly events — orders of magnitude better than conventional methods. Each oligo fragment gets a unique molecular barcode that ensures it links only with its intended neighbor, like page numbers on a manuscript. A software tool called PyWinder generates the barcodes in minutes on a standard laptop. In a demonstration, the team used Evo 2 to redesign a 12,500-letter DNA sequence of a viral genome, then built it from scratch with Sidewinder — no errors. What would have taken a month with conventional commercial methods took days. The company Genyro was founded to commercialize the technology. (more: https://spectrum.ieee.org/faster-dna-synthesis-sidewinder)
The building-block philosophy also shows up in a 20-year-old computational design project: thi.ng, a collection of over 200 TypeScript packages in a monorepo totaling ~245K lines of code, covering everything from transducers and reactive streams to cellular automata, distance fields, and DSL infrastructure. With 185 documented example projects, it represents the kind of well-documented, composable toolkit that Mitchell Hashimoto's "building-block economy" thesis predicts AI agents will increasingly prefer to assemble rather than write from scratch. (more: https://thi.ng) On the research side, the ST-PT framework reinterprets the Transformer as a programmable factor graph — a Conditional Random Field where graph topology, factor potentials, and inference protocol become explicit design levers for time-series modeling, achieving competitive results on long-horizon forecasting benchmarks by injecting symbolic priors (periodicity, trend, lag) directly into the graph structure rather than through architectural hacks (more: https://arxiv.org/abs/2604.26762v1). The SANA-WM bidirectional model from the Efficient-Large-Model group rounds out the emerging stack of composable generative primitives now available on the Hub (more: https://huggingface.co/Efficient-Large-Model/SANA-WM_bidirectional).
Sources (22 articles)
- [Editorial] (claude.com)
- 1k Data Breaches Later, the Disclosure Lag Is Worse (troyhunt.com)
- [Editorial] (github.com)
- ajsai47/backdoor (github.com)
- This Open Source Repo Just Solved Claude Code's #1 Problem (youtube.com)
- KyrieCheungYep/ky-design-to-html-skill (github.com)
- Show HN: Gitdot – A better GitHub. Open-source, written in Rust (gitdot.io)
- MiMo-v2.5-Pro-UltraSpeed: 1T model with 1000 tokens per second (mimo.xiaomi.com)
- Your Language Model is Its Own Critic: Reinforcement Learning with Value Estimation from Actor's Internal States (arxiv.org)
- [Editorial] (github.com)
- Siri AI (apple.com)
- ESP32 Bit Pirate, a Hardware Hacking Tool with WebCLI That Speaks Every Protocol (github.com)
- Porting the ThinkPad X61 to Coreboot (blog.aheymans.xyz)
- How much of Thermo Fisher's antibody data has been manipulated? (reeserichardson.blog)
- News Sites are Blocking Internet Archive over AI Scraping Fears (hackaday.com)
- OneDrive data now has an expiry date (ms365news.com)
- Dopamine Fracking (igerman.cc)
- How an Agent Built a 3D Paris Gallery by Chaining Two Hugging Face Spaces (huggingface.co)
- Leap in DNA synthesis slashes time to build new genetic sequences (spectrum.ieee.org)
- Thi.ng – open-source building blocks for computational design and art (thi.ng)
- Exploring the Potential of Probabilistic Transformer for Time Series Modeling: A Report on the ST-PT Framework (arxiv.org)
- Efficient-Large-Model/SANA-WM_bidirectional (huggingface.co)