
Silmaril CTO Weekly

Week Ending May 24, 2026


Summary

Good morning, Eduardo. It is Monday, May 25. Here is the cleanest read on last week, May 18 through May 24, Pacific time, without turning it into a scrapbook.

In the bulletin: a general-purpose reasoning model produced a serious mathematical disproof, not a toy proof. A big lab is publishing a running ledger of vulnerabilities found by an internal model, and it looks less like a demo and more like the beginnings of industrialized disclosure. Meanwhile, two actively exploited Microsoft Defender CVEs are a reminder that the security tools you trust to watch the perimeter are themselves moving targets. Underneath all of it is the same pattern: once you give software an agent-shaped interface, the unit of security stops being the application and becomes the action.

Segment 1: The week the proof held up

If you only read one thing from last week, read OpenAI's write-up on the unit distance problem (research blog post) and then skim the proof PDF itself (paper). It is a rare case where the headline and the artifact match: there is an argument with moving parts, it leans on real number theory, and it was checked by outside mathematicians rather than waved through on vibes. The interesting part isn't the combinatorial geometry; it's that a system generated a long proof without collapsing under its own inconsistencies, and what that implies for multi-step offense and defense workflows.

There is a product lesson hiding in that. You do not get trust by asking users to believe your model is "smart." You get trust by putting the model in a lane where the work can be checked, and by designing the interface so the model has to show its work in a way you can verify. In math, "verify" is the proof checker or the human seminar. In security, "verify" is the test harness, the policy trace, the audit log, and the ability to replay the exact decision with the exact inputs. So I would treat this as a forcing function for Silmaril's near-term posture.
Wherever you can turn a safety claim into something checkable, do it. If the product is making an allow or block decision, record the inputs and the intermediate reasons in a way that can be replayed. If the product is generating rewrites, make the rewrite mechanically testable. In a year where marketing language is cheap, "you can re-run this decision and get the same answer" is a serious differentiator.

Segment 2: Vulnerability disclosure starts to look like an assembly line

Anthropic's coordinated vulnerability disclosure dashboard (dashboard) is the most interesting operational artifact I saw last week. It isn't a one-off "we found bugs" post; it's a living count, a ledger, and an attempt to turn model-assisted discovery into a process you could actually run in public without it becoming chaos.

Two things matter for your mental model. First, they publish an aggregate count of vulnerabilities disclosed, and they split their pipeline into stages: discovered, triaged, externally reviewed, reported, acknowledged, patched, advisories published. Second, they admit what you already know from running anything at scale: triage is the bottleneck, not generation. The dashboard makes that explicit, which is a quiet sign of maturity.

Their Glasswing update (research blog post) is the narrative companion. It frames the work as scanning a large number of open-source projects and feeding findings through a coordinated disclosure process, and it pairs the OSS scanning claims with real-world "caught a fraud attempt" style anecdotes. Read it the way you'd read a vendor case study: interesting, but not load-bearing unless you can see the mechanism.

The read for Silmaril: the world is heading toward high-volume vulnerability output. You will see more CVEs, and you will also see more "candidate findings" that sit halfway between static analysis output and a bug report. That changes what "security work" feels like for customers. It will feel less like hunting and more like routing.
Who is allowed to file? Who is allowed to patch? How do you avoid flooding teams with plausible-but-wrong reports? If you can help customers separate "the model found something that looks scary" from "this is a true vulnerability that will survive reproduction," you have a wedge that is much more concrete than generic "AI security."

Practically, this argues for two small product biases this week. One is to lean into provenance for findings: a stable fingerprint for the input, the toolchain, and the decision, so customers can de-duplicate and replay. The other is to build a default triage loop that assumes false positives exist and treats the human reviewer as a scarce resource. If the workflow burns reviewer time, it will be abandoned.

Segment 3: The scanner is part of the blast radius

On Wednesday, NVD published the record for CVE-2026-41091 (NVD CVE record), a local elevation-of-privilege issue in Microsoft Defender tied to link-following behavior. The Canadian Centre for Cyber Security's AV26-489 advisory (government advisory) bundles it with CVE-2026-45498 and calls out that both were added to CISA's Known Exploited Vulnerabilities (KEV) catalog, which is about as close as you get to an official "this is being used in real attacks" signal.

I'm not going to retell Microsoft Defender to you. You know what it is. The reason it belongs in this weekly is the reminder about dependency positioning. A scanning engine isn't "a safety layer" in the abstract; it's a privileged, frequently updated blob of code that processes attacker-controlled inputs. When something in that layer breaks, the failure mode is rarely polite. It is privilege escalation, persistence, or simply a protection going offline at the wrong moment.

That is directly relevant to Silmaril even if you never ship endpoint software. You are building a decision engine that will sit in a path where it sees untrusted text and where it is allowed to cause side effects: block, rewrite, log, route, quarantine. Those are privileged effects.
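The record shape that Segment 2 asks for (a stable fingerprint over input, toolchain and decision, plus a triage loop that spends reviewer time only on unique, reproducible findings) and that the privileged-effects point above makes necessary, as an added example. This is illustration code, not Silmaril's engine and not anything from the dashboard or the Glasswing write-up. The classifier, the policy and engine version strings, the sample texts and the function names are all assumed for the example; the part worth copying is the shape: canonical input hashed together with policy and toolchain identity, reasons captured beside the decision, and replay as a first-class operation that refuses to answer on a different version.

```python
"""Replayable, versioned decision records with a provenance fingerprint.

Added example, not Silmaril's code. Everything here is assumed for illustration:
the toy allow/block classifier, the policy and engine version strings, and the
sample inputs.
"""
import hashlib
import json
from dataclasses import dataclass

POLICY_VERSION = "policy-2026.05.3"   # assumed; stands in for the deployed policy build id
ENGINE_VERSION = "engine-1.4.2"       # assumed; stands in for the running binary/toolchain id


def canonical(obj) -> bytes:
    """Serialise deterministically so the same logical input always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def fingerprint(inputs: dict, policy_version: str, engine_version: str) -> str:
    """Stable id over (input, policy, toolchain). Equal fingerprints are duplicates or replays."""
    h = hashlib.sha256()
    for part in (canonical(inputs), policy_version.encode(), engine_version.encode()):
        h.update(len(part).to_bytes(4, "big"))  # length-prefix so field boundaries cannot shift
        h.update(part)
    return h.hexdigest()


def classify(inputs: dict) -> tuple:
    """Toy policy standing in for the model/rule engine. Returns (decision, reasons)."""
    text = inputs.get("text", "").lower()
    reasons = [f"blocklisted-term:{term}" for term in inputs.get("blocklist", [])
               if term.lower() in text]
    if any(verb in text for verb in ("wire transfer", "send payment")):
        reasons.append("money-moving-intent")
    if not reasons:
        return "allow", ["no-rule-matched"]
    return "block", reasons


@dataclass(frozen=True)
class DecisionRecord:
    fingerprint: str
    policy_version: str
    engine_version: str
    inputs: dict
    decision: str
    reasons: tuple


def decide(inputs: dict) -> DecisionRecord:
    """Make a decision and capture everything needed to replay it later."""
    decision, reasons = classify(inputs)
    return DecisionRecord(fingerprint(inputs, POLICY_VERSION, ENGINE_VERSION),
                          POLICY_VERSION, ENGINE_VERSION, inputs, decision, tuple(reasons))


def replay(record: DecisionRecord) -> dict:
    """Re-run a recorded decision on the running engine and say whether it reproduces.

    A version mismatch is reported rather than silently re-decided: "this is what ran"
    only holds if the same policy and binary are answering.
    """
    running = (POLICY_VERSION, ENGINE_VERSION)
    if (record.policy_version, record.engine_version) != running:
        return {"status": "version-mismatch",
                "recorded": (record.policy_version, record.engine_version), "running": running}
    decision, reasons = classify(record.inputs)
    same = decision == record.decision and tuple(reasons) == record.reasons
    return {"status": "reproduced" if same else "diverged", "decision": decision, "reasons": reasons}


def triage(records) -> dict:
    """Collapse duplicates by fingerprint, set aside non-reproducible findings, and hand
    reviewers only unique, reproduced 'block' decisions."""
    unique = {}
    for r in records:
        unique.setdefault(r.fingerprint, r)   # first occurrence wins; later ones are duplicates
    for_review, not_reproduced = [], []
    for r in unique.values():
        if r.decision != "block":
            continue
        (for_review if replay(r)["status"] == "reproduced" else not_reproduced).append(r)
    return {"unique": len(unique), "duplicates_dropped": len(records) - len(unique),
            "for_review": for_review, "not_reproduced": not_reproduced}


if __name__ == "__main__":
    # Constructed sample inputs, not real traffic.
    wire = {"text": "Please send payment to the new vendor account today", "blocklist": []}
    benign = {"text": "Lunch moved to 12:30", "blocklist": []}
    batch = [decide(wire), decide(wire), decide(benign)]   # the same finding reported twice
    out = triage(batch)
    print(out["unique"], "unique,", out["duplicates_dropped"], "duplicate dropped,",
          len(out["for_review"]), "for human review")
    print(replay(batch[0])["status"])
```

Two design choices carry the security weight. The fingerprint length-prefixes each field before hashing, so a policy id cannot be smuggled into the input bytes (or the reverse) and still collide. And `replay` treats a version mismatch as a distinct outcome rather than quietly re-deciding, which is what lets you answer "what exactly ran" with receipts instead of a guess.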
Treat the engine and its supporting parsers the same way you would treat a malware scanner. The model is not the only thing to harden. The plumbing is.

The operational ask for the coming week is boring, which is why it matters. Make sure every environment you care about has a crisp way to answer: what exact binary and policy version is running, when did it update, and what is the rollback plan if an update goes sideways. If you want Silmaril to be trusted in production, you need to be able to say, with receipts, "this is what ran."

Segment 4: "Beyond Zero" is the right security unit for agents

The most useful technical framing last week came out as an arXiv preprint, Beyond Zero: Enterprise Security for the AI Era (preprint). It is a conceptual piece, but it gets the unit of control right: when humans and agents are both making requests at machine speed, "trust the app" stops being granular enough. The paper argues for per-resource and per-method decisions at machine speed, shrinking the trust boundary from applications down to individual actions.

Even if you disagree with their proposed architecture, the direction is clear. Agents are not just "users with better autocomplete." They are request generators that will happily try ten tool calls in a second if you let them. Your enforcement layer can't be a quarterly policy doc. It has to be a runtime system.

This is where OpenAI's Dell partnership announcement (company announcement) fits. If agentic tooling is moving into on-prem and hybrid environments, it is going to be deployed next to the messiest, most valuable context: internal codebases, tickets, runbooks, and the unglamorous systems that still run payroll and inventory. When that happens, the guardrails can't be a cloud-only feature. They have to move with the deployment.
For Silmaril, I would translate all of this into a simple question to use in every product discussion this week: what is the smallest action we can safely allow, and what do we log so we can explain it later? A strong competitive posture sounds like: "we can let you do useful work, safely, at high tempo, and we can prove what happened after the fact."

Segment 5: Startups are rebuilding old categories around intent, not signals

Two press releases last week are worth your time because they describe the same market move from different angles.

Ocean's launch from stealth, backed by a sizable round (press release), is an email-security bet that reads like an indictment of signal-based detection. Their story is that AI makes spearphishing cheap, which erodes the telltale weirdness that old filters were built to catch. Their proposed fix is to "investigate every message" with agents, using context and intent rather than surface anomalies. Whether their execution matches the pitch is a separate question, but the framing is important: security products are being re-anchored on intent inference, not just pattern matching.

Hellbender's seed round (press release) is a different kind of bet: push more perception and decision-making to the edge, ship it as a hardware product, and sell a packaged way to get "real-time AI" into physical environments. It sits adjacent to AI security because "where the model runs" is becoming part of the threat model. Edge inference collapses latency and changes what can be automated, and it also changes what can be attacked. A camera that makes decisions locally is a target, not just a sensor.

The practical note for you: if customers are starting to buy "agentic investigation" as a product category, Silmaril's job is to decide which investigations you want to enable, and which ones you want to constrain.
There is a difference between "an agent that can check whether an email link is new for this sender" and "an agent that can open the link, log in, and move money." Your platform needs to make that difference crisp, not philosophical.

Operating close: what I would do this week

First, treat replayability as a core feature, not a nice-to-have. A decision engine without replay is a black box, and black boxes lose procurement fights when something goes wrong.

Second, assume vulnerability volume keeps rising. Design triage workflows that conserve human attention and make it easy to de-duplicate, reproduce, and close the loop.

Third, audit your own "scanner surface." Anything that parses untrusted text and then takes action is part of the blast radius. Put versioning, telemetry, and rollback around it as if you were shipping an antivirus engine.

Fourth, keep pushing the product toward action-level policy. That is where the market is converging, and it is the only unit that scales when agents start taking ten steps where a human would take one.
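What action-level policy looks like in code, covering the per-resource, per-method framing from Segment 4, the "check the link" versus "open the link and move money" distinction from Segment 5, and the fourth item of the operating close. This is an added example: it is not the architecture proposed in the Beyond Zero preprint and not Silmaril's product. The policy table, the resource and method names, the agent names, the one-second sliding window and the requirement that a money-moving call carry a named approver are all assumptions for the example. The two properties it demonstrates are that the default is deny and that every outcome, including denials and rate-limit hits, leaves an audit entry that explains itself.

```python
"""Action-level policy enforcement for agent tool calls.

Added example, not the Beyond Zero paper's architecture and not Silmaril's code.
Assumed for illustration: a tool call is (agent, resource, method); policy is a
table keyed on (resource, method) with default deny; the caller supplies the
clock so the example runs offline; every decision is appended to an audit list.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    effect: str                  # "allow" or "deny"
    needs_human: bool = False    # allowed only with a named approver for this specific call
    max_per_second: int = 10     # per-agent budget for this (resource, method)


# Assumed policy. Reading and acting on the same resource are different actions:
# checking a link's reputation is cheap to allow; opening it is not.
POLICY = {
    ("email.link", "check_reputation"): Rule("allow", max_per_second=50),
    ("email.link", "open"):             Rule("deny"),
    ("payments", "transfer"):           Rule("allow", needs_human=True, max_per_second=1),
    ("tickets", "read"):                Rule("allow"),
    ("tickets", "comment"):             Rule("allow", max_per_second=5),
}


@dataclass
class Enforcer:
    policy: dict
    audit: list = field(default_factory=list)
    windows: dict = field(default_factory=dict)  # (agent, resource, method) -> deque of allow times


def _record(enf: Enforcer, agent, resource, method, now, outcome, reason) -> str:
    """Every decision, including denials, leaves an entry that explains itself."""
    enf.audit.append({"t": now, "agent": agent, "resource": resource,
                      "method": method, "outcome": outcome, "reason": reason})
    return outcome


def authorize(enf: Enforcer, agent: str, resource: str, method: str,
              now: float, approved_by=None) -> str:
    """Decide one tool call: returns "allow", "deny" or "needs_human"."""
    rule = enf.policy.get((resource, method))
    if rule is None:
        return _record(enf, agent, resource, method, now, "deny", "no-rule")   # default deny
    if rule.effect == "deny":
        return _record(enf, agent, resource, method, now, "deny", "explicit-deny")
    window = enf.windows.setdefault((agent, resource, method), deque())
    while window and now - window[0] >= 1.0:    # sliding one-second window
        window.popleft()
    if len(window) >= rule.max_per_second:
        return _record(enf, agent, resource, method, now, "deny",
                       f"rate-limit:{rule.max_per_second}/s")
    if rule.needs_human and approved_by is None:
        return _record(enf, agent, resource, method, now, "needs_human", "approval-required")
    window.append(now)   # only allowed calls consume budget
    reason = "rule-allow" if approved_by is None else f"rule-allow;approved_by={approved_by}"
    return _record(enf, agent, resource, method, now, "allow", reason)


def outcome_counts(enf: Enforcer) -> dict:
    """Summary of the audit trail by outcome, e.g. for a dashboard or a post-incident review."""
    counts = {}
    for entry in enf.audit:
        counts[entry["outcome"]] = counts.get(entry["outcome"], 0) + 1
    return counts


if __name__ == "__main__":
    enf = Enforcer(POLICY)
    t = 0.0
    # An agent investigating a phishing report: the cheap check is fine, opening the link is not.
    print(authorize(enf, "triage-agent", "email.link", "check_reputation", t))   # allow
    print(authorize(enf, "triage-agent", "email.link", "open", t))               # deny
    # Moving money needs a human, and even then only once per second.
    print(authorize(enf, "triage-agent", "payments", "transfer", t))             # needs_human
    print(authorize(enf, "triage-agent", "payments", "transfer", t, approved_by="eduardo"))  # allow
    # Ten comments within one second: the sixth onward is rate-limited.
    for i in range(10):
        authorize(enf, "triage-agent", "tickets", "comment", t + i * 0.05)
    print(outcome_counts(enf))
```

Note what the budget is keyed on: the (agent, resource, method) triple, not the agent alone, so an agent burning through link checks does not starve its own ticket comments and, more importantly, cannot use a cheap read action's budget to pay for an expensive write. A "needs_human" outcome does not consume budget, so a human approval that arrives later is not rate-limited by the agent's earlier unapproved attempt.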
Sources

https://openai.com/index/model-disproves-discrete-geometry-conjecture/
https://cdn.openai.com/pdf/74c24085-19b0-4534-9c90-465b8e29ad73/unit-distance-proof.pdf
https://cdn.openai.com/pdf/1625eff6-5ac1-40d8-b1db-5d5cf925de8b/unit-distance-cot.pdf
https://openai.com/index/advancing-content-provenance/
https://openai.com/index/dell-codex-enterprise-partnership/
https://www.anthropic.com/research/glasswing-initial-update
https://red.anthropic.com/2026/cvd/
https://nvd.nist.gov/vuln/detail/CVE-2026-41091
https://www.cyber.gc.ca/en/alerts-advisories/microsoft-security-advisory-av26-489
https://arxiv.org/abs/2605.22985
https://arxiv.org/abs/2605.22709
https://arxiv.org/abs/2605.22621
https://arxiv.org/abs/2605.22783
https://www.globenewswire.com/news-release/2026/05/19/3297836/0/en/Ocean-Raises-28M-as-Enterprises-Confront-a-New-Wave-of-AI-Powered-Email-Attacks.html
https://www.prnewswire.com/news-releases/hellbender-secures-12-5m-seed-round-to-accelerate-domestic-manufacturing-of-physical-ai-and-launch-its-on-edge-camera-line-302775081.html
