Technology
Riya, Co-founder & CEO of Hawcx
Last week, Anthropic announced something that should have made every security leader stop what they were doing and read it twice.
Claude Mythos, their latest frontier model, found thousands of zero-day vulnerabilities across every major operating system and every major web browser. A 27-year-old bug in OpenBSD. A 17-year-old remote code execution flaw in FreeBSD that grants full root access to any unauthenticated user on the internet. Browser exploits that chain four vulnerabilities together, escape both the renderer and OS sandboxes, and give an attacker direct write access to the operating system kernel, triggered by visiting a normal webpage. The model did much of this fully autonomously, overnight, for under $20,000 in compute costs.
Anthropic made the right call. They quarantined the model, launched Project Glasswing, and are now working with Apple, Google, Microsoft, JPMorgan, CrowdStrike, Palo Alto Networks and others to patch the most critical vulnerabilities before a similar capability falls into the wrong hands.
The software is getting patched. What isn't getting patched is the layer underneath it.
The layer nobody is talking about
Sathya, one of our investors, wrote a detailed breakdown of exactly this problem yesterday. I want to build on it here, because the implications deserve as wide an audience as possible.
The short version: underneath the agents we are deploying in 2026 sits an identity layer that has not materially moved since the late 1990s. While the industry is correctly focused on what Mythos can do to a C codebase, there is a quieter, more immediate attack surface that has been growing for two years and received almost no attention in the coverage this week.
It is the identity layer underneath every agent you are running right now.
Here is what that layer looks like in most production environments today. A human, at some point in the past, clicked through an OAuth consent screen. The resulting token, scoped to whatever the consent screen offered and almost always far broader than any single task requires, sits in an environment variable on the machine running your agent. The LLM process itself can read that credential. It is a bearer token. Anyone who holds it can use it. It does not expire for weeks, sometimes months. When the agent acts, there is no cryptographic record outside the application log of what it was actually authorized to do at that moment.
This is not a theoretical weakness. Recent audits of the MCP ecosystem, the protocol most production agents use to reach external tools, found that more than half of open-source MCP servers authenticate with static API keys or personal access tokens, and roughly four in five pass those credentials through environment variables. A critical CVE was filed last year against a widely-used MCP client's OAuth discovery flow.
We built our credential infrastructure for a world where the authenticating party was a single human, sitting at a single browser, issuing a bounded set of actions per session. We are now placing autonomous agents on top of that infrastructure. Agents that make thousands of tool calls per hour. Agents that act across dozens of services without a human in the loop. Agents whose authority is inherited from a chain of humans, workflows, and other agents, with no cryptographic record of any of it.
Mythos does not need a novel attack. It needs to read your environment variables. The infrastructure we left exposed was always vulnerable. We just never had a reasoner capable of finding every seam, at every layer, without stopping.
Hawcx is the frontier lab for identity
Most security companies start at the application layer and work inward. We started at the silicon and worked out.
Our research spans split private key cryptography, quantum-resistant authentication primitives, task-scoped token architectures for AI agents at fleet scale, biometric-triggered adaptive authentication, and API authentication at the infrastructure layer with no plaintext keys in the path. Each of these represents years of original work. Together they form a coherent protocol, not a patchwork of point solutions bolted onto OAuth.
The patent portfolio reflects where the hard problems actually live: in the cryptographic primitives, in the key management architecture, in the way authority flows from a verified human root down through every agent that acts on their behalf. Identity is not a feature. It is a research discipline. We treat it like one.
This matters now because the problems Mythos has exposed are not problems you can fix with a better UI or a tighter OAuth scope. They require rethinking the trust model from the ground up. That is work we have been doing for years, and it is the only foundation from which a durable answer can be built.
What the right architecture actually looks like
The principles are not individually novel. What is new is insisting on all of them at once, as a default, rather than as advanced deployment options available only to the most sophisticated teams.
The agent runtime is untrusted. Long-lived credentials should never be readable by the process doing the reasoning. They live behind a hardware boundary. The runtime sees only the short-lived artifact it needs for the call it is currently making.
The server can verify intent, not just identity. A user may authorize an agent to take a specific action. That intent is clear to the user. But today, the server receiving that request has no way to verify whether the agent is acting within the boundaries of what was actually authorized. The Hawcx protocol carries the user's intent alongside the credential, so the server can verify that the specific action being requested is one the user explicitly sanctioned. Authentication tells you who is asking. Intent verification tells you whether they were supposed to ask for this.
Authorization is scoped to the invocation, not the session. A tool call that needs to read one file is authorized to read that file, for the next few seconds, and nothing else. This is the opposite of how OAuth scopes work today. Per-session bearer tokens are the wrong primitive for a world where a session can issue a million actions.
Credentials are single-use and replay-resistant by default. The cost of a leaked reusable token scales with the capability of the reasoner holding it. That cost just went up significantly.
There is cryptographic evidence of what was authorized, outside the application log. Every call produces a bilateral receipt that any third party can verify independently of the runtime that produced it. Application logs are forensics. Cryptographic receipts are evidence.
No plaintext API keys anywhere in the path. Not in environment variables, not at the load balancer, not at the CDN. The credential that travels is never the credential that unlocks. That distinction is foundational, and it is one the current ecosystem has not made.
On the human side, we replace passwords entirely. No secret of any kind crosses the network: not a password, not a hash, not a private key. Enrollment is hardware-bound and biometric. On the agent side, every agent a human owns derives its credentials from that same verified root. Revoke the human, and every agent they own locks out instantly.
One root of trust across both worlds. Three lines of code to integrate.
What this moment requires
The Mythos announcement was framed, correctly, as a watershed moment for software security. What has been underframed is what it reveals about the assumptions underneath the agents we are already running.
The vulnerability Anthropic exposed is not only in the software they patched. It is in the credential layer that every serious agentic workflow depends on to operate, and that almost nobody has redesigned for a world where the principal is not a human at a browser, but an autonomous reasoner acting on their behalf.
The good news is that the problem is solvable. The architecture exists. The window to get ahead of it is open right now, before Mythos-class capabilities become broadly available, which is now a matter of months to a few years, not decades.
Project Glasswing is patching the software. Someone needs to patch the identity layer underneath it.
That is what we are building.
Riya is Co-founder & CEO of Hawcx. If you are building agentic workflows on regulated infrastructure and want to talk, connect on LinkedIn.