Introducing Project Glasswing: an urgent initiative to help secure the world’s most critical software.
It’s powered by our newest frontier model, Claude Mythos Preview, which can find software vulnerabilities better than all but the most skilled humans.
https://t.co/NQ7IfEtYk7
@GergelyOrosz @Grady_Booch @claudeai This is gonna be interesting.. if any codebase can be AI rewritten into a legally distinct project in a few hours, what does proprietary software actually mean anymore?
i can't believe more people aren't talking about this part of the claude code leak
there's a hidden feature in the source code called KAIROS, and it basically shows you anthropic's endgame
KAIROS is an always-on, *proactive* Claude that does things without you asking it to.
it runs in the background 24/7 while you work (or sleep)
anthropic hasn't turned it on to the public yet, but the code is fully built
here's how it works:
every few seconds, KAIROS gets a heartbeat.
basically a prompt that says "anything worth doing right now?"
it looks at what's happening and makes a call: do something, or stay quiet
if it acts, it can fix errors in your code, respond to messages, update files, run tasks...
basically anything claude code can already do, just without you telling it to
but here's what makes KAIROS different from regular claude code:
it has (at least) 3 exclusive tools that regular claude code doesn't get:
1. push notifications, so it can reach you on your phone or desktop even when you're not in the terminal
2. file delivery, so it can send you things it created without you asking for them
3. pull request subscriptions, so it can watch your github and react to code changes on its own
regular claude code can only talk to you when you talk to it. KAIROS can tap you on the shoulder
and it keeps daily logs of everything.
> what it noticed
> what it decided
> what it did
append-only, meaning it can't erase its own history (you can read everything)
at night it runs something the code literally calls "autoDream."
where it consolidates what it learned during the day and reorganizes its memory while you sleep
and it persists across sessions. close your laptop friday, open it monday, it's been working the whole time
think about what this means in practice:
> you're asleep and your website goes down. KAIROS detects it, restarts the server, and sends you a notification. by the time you see it, it's already back up
> you get a customer complaint email at 2am. KAIROS reads it, sends the reply, and logs what it did. you wake up and it's already resolved
> your stripe subscription page has a typo that's been live for 3 days. KAIROS spots it, fixes it, and logs the change
endless use-cases, it's essentially a co-founder who never sleeps
the codebase has this fully built and gated behind internal feature flags called PROACTIVE and KAIROS
i think this is probably the clearest signal yet for where all ai tools are going.
we are heading into the "post-prompting" era
where the ai just works for you in the background
like an all-knowing teammate who notices and handles everything, before you even think to ask
Delve: "We are not an auditor, just as tax preparation software is not an accountant. We have never signed an audit report."
Also Delve:
Customer websites display certifications that say "Secured by Delve."
You simply cannot have it both ways, and now this bites back.
Introducing TurboQuant: Our new compression algorithm that reduces LLM key-value cache memory by at least 6x and delivers up to 8x speedup, all with zero accuracy loss, redefining AI efficiency. Read the blog to learn how it achieves these results: https://t.co/CDSQ8HpZoc
btw their supabase storage bucket is publicly accessible via any signed url token 😭
exposes:
> employee background checks
> equity vesting schedules and grant amounts
> performance reviews
> session tokens for stripe, notion, etc
> screenshots below 🧵
i also got access to their notion 😛
If your vendor due diligence takes 1h with some chatgpt prompts, that should make you question how broken the entire system is.
I don’t blame the GRC professionals. This is how badly underfunded security is in startup SaaS. They never read full audit reports. Never validate pentest findings. Never check appsec practices or data flows. Checklist assessment, tick the boxes, move on. That’s exactly how fake reports go unnoticed for this long.
Template-driven GRC is eroding trust in certifications. Nothing wrong with templates as a starting point. But adopt them as-is without organizational context and experienced people spot it immediately. Ask the right questions and you get nonsense answers with no real implementation behind them.
What people miss is that policies aren’t standalone documents. Risk management, data protection, incident response, supplier security, appsec, they all have deep interdependencies. Your data classification and risk classes should reflect across all policies and implemented controls. This requires budget, team, and real expertise.
Compliance is an infrastructure, not a template-driven checklist. It should be baked into the product and the business, from design to finish.
I wrote a full analysis on the systemic problems and built a practical checklist for evaluating GRC platforms and auditors before buying:
https://t.co/JYUa9NwgPC
The scarier part is how long this went unnoticed. Most vendor due diligence teams never read the actual audit reports. They see SOC 2 on the trust page and tick a box. I’ve done security across SaaS unicorns, fintech, and national CERT operations for 12+ years. These patterns were visible long before Delve. Template policies nobody can explain. Pre-fabricated evidence. GRC that only wakes up during audits. This is what happens when SaaS management treats compliance as a sales enabler instead of a security program.
Gmail's client-side encryption is currently in beta for Workspace and education customers. Using client-side encryption in Gmail ensures that sensitive data in the email body and attachments are indecipherable to Google servers.
#google #encryption #cybersecurity #gmail