All Digests
Week 15, 20266 stories

17 Years, Gone in an Afternoon

Claude Mythos finds a 17-year-old FreeBSD zero-day and gets locked behind Project Glasswing. Anthropic hits $30B ARR and passes OpenAI. Managed Agents, Cowork GA, and a Code update all ship on the same day. Meanwhile OpenAI proposes robot taxes and a four-day workweek, publishes a Child Safety Blueprint, and quietly gets outshined at its own industry's biggest conference.

01.Claude Mythos and Project Glasswing

SecurityFrontier Models

On Tuesday, Anthropic pulled the wraps off Claude Mythos Preview, a general-purpose frontier model that also happens to be extremely good at finding security bugs. Extremely, uncomfortably good.

In the weeks leading up to the announcement, Anthropic pointed Mythos at real software and watched it autonomously surface thousands of previously unknown zero-day vulnerabilities across every major operating system and every major browser. The most eye-catching discovery: a 17-year-old remote code execution bug in FreeBSD's NFS implementation (CVE-2026-4747) that gives an unauthenticated attacker root on the server from anywhere on the internet. Mythos found it, triaged it, and wrote a working exploit, end to end, with no human in the loop.

Thousands
Zero-Days Found
17yr
Oldest Bug Surfaced
$100M
Usage Credits Committed
$4M
Open Source Security Grants

Project Glasswing

Anthropic's response to building this capability was to not ship it broadly. Project Glasswing is a gated program restricting Mythos access to defensive security teams at AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, and Nvidia. The stated goal: coordinated hardening of critical infrastructure before the same capability lands in adversaries' hands via an open-weight model a year from now.

thinkidiot take: This is the first frontier release where the security story isn't "here's an evaluation of misuse risk" — it's "we built the misuse." A model that autonomously finds and exploits RCE in 17-year-old battle-tested C code is not a research curiosity. It's the jagged frontier arriving in one specific domain ahead of the others. Glasswing is the right call. The uncomfortable follow-up: what happens when Qwen or GLM ships a comparable capability as open weights?

02.Anthropic Passes OpenAI

BusinessMarket

It finally happened. Anthropic's annualized revenue run rate crossed $30 billion, clearing OpenAI's reported $25B for the first time. Fifteen months ago Anthropic was at $1B. The jump from $9B to $30B took four months.

$30B
ARR
80%
Enterprise Revenue Share
1,000+
$1M+ ARR Customers
4x
Less Training Spend vs OpenAI

The composition matters more than the headline

OpenAI still has a larger user footprint; Anthropic has a much denser enterprise book. Roughly 80% of Anthropic's revenue is B2B, and the count of customers spending over $1M/year doubled in two months (from 500+ in February to 1,000+ now). OpenAI projects $14B of losses in 2026 and has slid its breakeven target to 2030. Anthropic's internal model shows positive free cash flow by 2027 on roughly a quarter of OpenAI's projected training spend.

The company also signed a 3.5-gigawatt compute deal with Google and Broadcom, quietly solidifying the infrastructure side of the same story.

thinkidiot take: A year ago the two-horse race was "OpenAI, and Anthropic if you care about safety." Now it's "Anthropic in the enterprise, OpenAI in the consumer market, and everyone else fighting over the remainder." The really interesting number in here isn't $30B — it's 4x. If Anthropic can keep shipping competitive frontier models on a fraction of OpenAI's training spend, the economics of this industry look very different five years out than what the consensus sell-side model assumes.

03.The April 9 Triple Announcement

Developer ToolsEnterprise

On Thursday, Anthropic dropped three shipping announcements simultaneously. Each would have been a headline on its own.

Claude Managed Agents (public beta)

A hosted runtime for agents. You bring the logic; Anthropic handles sandboxing, state, credentials, tool execution, and scale-out. Pricing is consumption-based: standard token rates plus $0.08 per session-hour of active runtime. Notion, Rakuten, and Sentry were the three named launch customers — workspace delegation, Slack-embedded agents, and automated production debugging, respectively.

Claude Cowork GA

Cowork graduates from preview. The GA release adds six enterprise features: role-based access controls, group spend limits, usage analytics, expanded OpenTelemetry support, a Zoom MCP connector, and per-tool connector controls. This is the feature set procurement teams have been waiting on.

Claude Code update

A substantial Code release: policy controls for managed deployments and a Bedrock setup wizard for AWS-native teams. Plus the usual model routing and cache improvements.

thinkidiot take: The shape of this release matters. Anthropic is no longer shipping "a model with a chat interface" — it's shipping an agent platform with a runtime, governance surface, and distribution channel. Managed Agents in particular is the piece that closes the loop with Cowork: build an agent, deploy it to a runtime Anthropic operates, expose it to your org under the same RBAC and spend controls your IT team already signed off on. It's the same move AWS made in 2006 with EC2 — turning a capability into infrastructure that other companies build on top of.

04.OpenAI's Economic Blueprint

PolicyEconomics

On Monday, OpenAI published a 13-page policy document laying out its vision for how the US should rewrite taxes, the safety net, and the work week to absorb AI-driven labor disruption. The headline proposals:

  • A public wealth fund modeled on Alaska's Permanent Fund, holding equity stakes in AI companies so that gains flow to citizens rather than pooling at the top of the cap table.
  • A robot tax — the Bill Gates 2017 proposal, reheated — where firms pay in roughly what a displaced human worker would have contributed in payroll tax.
  • A tax base shift away from labor income and payroll taxes toward corporate profits and capital gains, tracking where the economic activity actually goes.
  • A subsidized four-day workweek with no reduction in pay.
  • Automatic safety-net triggers — unemployment and wage insurance benefits that ratchet up when displacement metrics breach preset thresholds, then phase out when the labor market stabilizes.

The timing is the story

OpenAI is reportedly preparing for an IPO as early as October. Publishing a progressive-redistribution blueprint months ahead of that roadshow is an unusual play. Read one way: sincere engagement with the political economy of AI. Read another: pre-IPO positioning to inoculate the company against the inevitable "AI ate my job" backlash.

thinkidiot take: The proposals themselves are directionally reasonable and politically dead on arrival in the current Congress — which OpenAI knows. What's actually interesting is that the frontier lab with the most to lose from redistributive policy is the one publishing the blueprint. That's either leadership or preemption. Probably both.

05.OpenAI's Safety Double

SafetyPolicy

OpenAI also shipped two safety announcements this week.

Child Safety Blueprint (April 8)

A policy document developed with NCMEC, Thorn, and the Attorney General Alliance's AI Task Force. Three pillars: modernize laws to cover AI-generated and altered CSAM, improve provider reporting and coordination, and bake safety-by-design into AI systems. The data point anchoring the whole document: the Internet Watch Foundation logged over 8,000 cases of AI-generated CSAM in H1 2025, a 14% year-over-year jump.

OpenAI Safety Fellowship (April 6)

A funded fellowship for external researchers, engineers, and practitioners working on alignment and safety. The program runs September 14, 2026 through February 5, 2027. Priority areas: safety evaluation, robustness, scalable mitigations, privacy-preserving safety methods, agentic oversight, and high-severity misuse domains.

thinkidiot take: Two safety announcements in one week from OpenAI is not a coincidence with the IPO calendar. That's fine — we'll take the substance regardless of the motive. The Child Safety Blueprint in particular is the kind of concrete, stakeholder-grounded policy document that the field needs more of, and less of the "Responsible AI Principles" corporate-comms template.

06.Quick Hits

Claude's rough Monday/Tuesday. Elevated errors on login, chat, and Claude Code hit on April 6 from 15:00–16:30 UTC (~8,000 Downdetector reports) and recurred April 7 (~3,000 reports). Both incidents resolved within ~90 minutes. Two back-to-back outages in a week where Anthropic also announced a gigawatt-scale compute deal is a useful reminder that infrastructure growth and infrastructure reliability are two different problems.

HumanX 2026, aka "Claude Mania." 6,500 execs, founders, and investors descended on Moscone South April 6–9. The reporting consensus: Anthropic owned the conference, not OpenAI. One attendee: "It has become a religion." Claude Code is now generating $2.5B+ in annualized revenue on its own, and the CIO conversation has shifted from "should we use this?" to "how do we roll it out without our engineers revolting if we don't?"

Wall Street's vibe shift. Fortune's top analyst roundup this week argues the "AI trade" as retail investors have known it is over — the easy long-NVDA-and-hyperscalers phase — but the AI opportunity is just beginning, moving from infrastructure into application-layer economics. Relevant context for anyone interpreting public-company AI revenue disclosures this earnings season.

Global AI investment projected at $2.5T in 2026. Announced at HumanX. Take the precision with a grain of salt; take the order of magnitude seriously.

Sources

Claude Mythos & Project Glasswing:

Anthropic $30B ARR:

April 9 Triple Announcement:

OpenAI Economic Blueprint:

OpenAI Safety:

Quick Hits:

Try the related labs

understanding backpropgradient descent

Join the Idiots

New lab every Sunday. No spam, unsubscribe anytime.

Previous Digest

Week 14