Threat Analysis
Hardening software won't save the architecture beneath it.
Capabilities of the Mythos class now exist. They will reach less restrained actors — through diffusion, through theft, through open-source catching up. Hardening reduces the probability of known attacks; it does not change the architecture that exposed the target. Once an architectural alternative exists, holding sensitive records on the public Internet stops being industry standard and starts being a choice.
1. The class of threat now exists.
On April 7, 2026, Anthropic disclosed Claude Mythos Preview — a frontier model with cyber capabilities substantial enough that Anthropic chose not to make it generally available. The disclosed capabilities include autonomous discovery of zero-day vulnerabilities in major operating systems and web browsers, autonomous chaining of multiple vulnerabilities into working exploits, and end-to-end completion of corporate-network attack simulations estimated to take human experts more than ten hours. Anthropic made the model available to a small set of cybersecurity partners through Project Glasswing — AWS, Apple, Microsoft, Google, the Linux Foundation, JPMorgan Chase, and others — specifically to defend critical infrastructure before comparable capabilities reach less restrained actors.
Mythos Preview System Card (Anthropic, April 7, 2026): www-cdn.anthropic.com/08ab9158070959f88f296514c21b7facce6f52bc.pdf
Project Glasswing announcement: anthropic.com/glasswing
Frontier Red Team technical analysis: red.anthropic.com/2026/mythos-preview
Mythos itself is not the threat. Mythos is the data point. The threat is the class of capability Mythos represents, and the class will not stay confined to Anthropic's partner program. The capabilities that demonstrably exist today will reach actors with very different incentives, and the question of when is not in serious dispute among people who track this work.
2. The capability will diffuse. It always has.
Three independent pressures move frontier capability toward broader availability: model weights leak, frontier-to-open-source gaps close, and labs make different release decisions over time. None of these pressures requires an adversary to do anything particularly clever. They are properties of how the AI ecosystem has worked since 2022. The lag between a capability appearing at the frontier and a comparable capability appearing in actor hands without restraint has been measured in months, not years, and the trend is shortening.
We do not need to predict the specific path. We need only to observe that, by the historical record, the path exists. Every prior frontier capability with cyber implications — vulnerability discovery at scale, code generation that bypasses static analysis, autonomous reconnaissance against unfamiliar networks — has followed the same pattern. There is no structural reason to expect Mythos-class capabilities to be different.
3. Hardening does not address the threat at the level it operates.
The standard response to a new attack capability is to harden the targets. Patch faster. Run more scans. Pay more vendors more money to do the patching and the scanning. That response works against attacks that reuse known patterns. It does not work against an attacker who can generate novel attacks on demand.
Mythos finds zero-day vulnerabilities autonomously. It chains them. It tailors them to specific targets. You cannot patch faster than a model that can find new bugs faster than your patch cycle. The cycle has become generative, and the defender who stays in the cycle loses by definition. A defense built on "patch faster" is a defense built on outrunning a process that does not have a bottom speed.
The structural answer is to remove the target from the surface where novel attacks can find it. Not to patch the target; not to hide it behind a perimeter; not to be on that surface at all, for the categories of data and service that have no business being there. That is a different defense than the one the security industry has been selling for thirty years. It is also the only defense that the threat environment ahead does not erode.
4. The incumbents cannot deliver the architectural answer.
The networking-coordination industry — Cisco, Palo Alto, Tailscale, Cloudflare, the SASE vendors, the managed-mesh providers — sells products that depend on the public-Internet topology being the topology. The revenue model is a recurring fee in exchange for mitigating the danger of that topology without changing it. An architectural alternative that removes the topology is, for these companies, the elimination of the revenue category they exist within.
This is not a moral failure on their part. It is a structural one. A Cisco that ships FrogNet ends Cisco. A Palo Alto that ships FrogNet ends Palo Alto's perimeter-based product line. A Tailscale that ships FrogNet ends the managed-coordination business that is its entire product. Their boards will not let them. Their customer bases will not let them. Their compensation structures will not let them. The pivot that would save them in the long run cannot be funded by the revenue model the pivot would destroy.
This is the same shape of failure that ended proprietary Unix in the 1990s. Sun, HP, IBM, DEC, SGI did not lose to Linux because Linux had better marketing or because they failed to coordinate. They lost because their shared revenue model — proprietary OS bundled with proprietary hardware — was the dinosaur, and Linux made the model uneconomical for everyone in the category at once. Dinosaurs die even when they are only thirty years old. The networking-coordination incumbents are committed to traditional security augmented by AI, and that commitment is the only path their economics allow. It is not going to work against the threat ahead, and they will not pivot in time.
5. What's at stake at the individual level.
Modern identity is not a thing you have. It is a set of records held about you by entities you do not control. Your credit history is held by three companies. Your medical history is held by your providers, your insurer, and the lab networks they use. Your tax records, your immigration status, your educational credentials, your criminal record, your employment history — each of these is a record held by an entity, and each of those entities operates infrastructure that is reachable from the public Internet.
When those records are compromised, what's compromised isn't data — it's you, in the form modern life requires you to take. The credit history that's leaked impairs your ability to rent, borrow, and work. The medical history that's altered can affect your treatment. The criminal record that's tampered with shows up at the next background check. Equifax 2017 wasn't an event; it's the permanent state of 147 million people whose records are now in adversarial hands forever. No patch fixes that. No remediation is possible. The records simply are exposed, and the people they describe carry the consequences.
FrogNet does not, by itself, solve this problem in general. It does eliminate, completely, one category — the data generated inside your own family or business, which lives on hardware you own and a network only your family or business is on. In a threat environment where every reduction in exposure matters, that is a useful intervention, and it is the one FrogNet is built to provide.
But the larger argument follows from the architecture's existence, not from any individual person's deployment. Read on.
6. FrogNet's existence changes the standard of care.
Decisions made fifty years ago, when the Internet was a small cooperative network of researchers, became the substrate for every infrastructure decision since. Keeping sensitive records on Internet-reachable infrastructure was never an architectural requirement; it was an architectural convention that became invisible through familiarity. The entire forty-year body of perimeter security was built to defend that convention from its consequences. The convention is no longer the only available choice.
FrogNet is the architectural alternative. Open source, Apache 2.0, deployable on commodity hardware, functionally proven on a continent-spanning production mesh, with stronger structural security properties than perimeter security can provide. The whole system is publicly available, in source form, on May 11, 2026. It is now a fact about the world that this alternative exists.
The legal and regulatory landscape facing custodians of sensitive data is therefore going to change. When an alternative exists, the choice to hold sensitive records on the public Internet becomes legible as a choice. The "industry standard" defense erodes — not by argument, but by the existence of an industry alternative that the holdouts are choosing not to use. The cost of holding records correctly drops to "configure FrogNet"; the cost of holding them on the public Internet remains "the next breach, plus the one after, plus the one after that, plus their cumulative civil and reputational consequences."
This is the same shift that ended asbestos as building insulation, that ended lead in paint, that has been ending coal-fired electricity wherever it has ended. The alternatives existed, the industry-standard defense became visible as a choice, and the legal landscape adjusted to the choice's consequences. FrogNet does not predict any specific legal outcome. It changes the structural conditions in which custodial liability is evaluated. That change does not require us to argue for it; it follows from the architecture's existence.
The architectural answer pre-existed the threat by a year.
FrogNet's foundational work — local discovery and routing without an upstream coordinator — was completed in late 2025, twelve months before Mythos was publicly disclosed. The cross-network capabilities and BLDC-1 codec were completed six months before. The architecture was not built in response to Mythos. Mythos changed only the timing of the open-source release. The work was already done because the foreseeable category of threat was already foreseeable.
What FrogNet defends well against, and what it doesn't.
Architectural defenses succeed or fail per threat model. Honest accounting of FrogNet's effectiveness, by adversary class:
- Mass-internet autonomous scanning — very strong defense. The dominant Mythos deployment profile is automated reconnaissance of the public Internet for exploitable services. FrogNet's internal applications aren't on that search space. The broker presents an opaque ciphertext relay on an operator-chosen address. There is no application banner to fingerprint, no synchronous parser to fuzz, no fixed protocol layer below the codec to attack. Mythos-class automated discovery cannot exploit what it cannot identify. This is what "off the public Internet" actually means.
- Targeted attackers with prior knowledge — layered defense. Against an adversary who already knows you operate a FrogNet, three independent layers compound: WireGuard's cryptography gates session establishment; FNWP-1/BLDC-1 add structural opacity even if encryption breaks; the gap-and-dropbox layer (below) makes network-jumping itself the exploit primitive that's missing. None of these are individually impregnable. They fail in different ways, and a successful attack requires defeating all three. That's defense in depth in the actual sense, not the marketing sense.
- Compromised peer or insider — no architectural defense. Once an attacker is on the mesh as a trusted peer, FrogNet's WireGuard layer treats them as legitimate. Mesh-internal segmentation is a separate problem and not what FrogNet's architecture solves. Standard defense-in-depth applies: peer key management, segmentation between zones, behavioral monitoring on hosts that matter most.
- Phishing, credential theft, social engineering — orthogonal. No network architecture solves these. Most breaches start with a human being deceived; FrogNet shrinks one large attack class architecturally, doesn't touch the others. MFA, phishing-resistant credentials, security awareness, and least-privilege access remain necessary regardless of network architecture.
- Supply chain compromise — orthogonal. Malicious updates, dependency confusion, and compromised package registries reach FrogNet hosts the same way they reach any host. Reproducible builds, signed artifacts, and disciplined release management are the answers. FrogNet ships under Apache 2.0 with the source open to review; that's a starting point, not a complete solution.
The honest version of the FrogNet pitch: structurally unable to be attacked through the path Mythos uses, doesn't touch phishing or insider compromise. Adopted alongside endpoint hardening, MFA, social-engineering training, and supply-chain discipline, FrogNet removes one large attack class while the other controls handle theirs. Adopted alone, expecting it to replace those other controls, you're back where you started in a year — just with different bug classes.
What makes the gap-and-dropbox piece different.
The mechanism that breaks Mythos-class network-jumping specifically: Internet-side and FrogNet-side never share a live socket. Data lands as bytes in a dropbox. Nothing on the FrogNet side processes those bytes synchronously. A reader picks them up when it decides to, runs validation at whatever depth — schema, type, range, semantic plausibility, AI-assisted review for content-level checks the schema can't express — and only then does anything interpret the contents. Validation happens in a context the attacker can't reach into.
Every Mythos-published win is an exploit against a synchronous parser receiving crafted input. TCP SACK, FFmpeg H.264, netfilter ipset, Botan certificate parsing — all of them assume the attacker's bytes reach a parser that will run on them as they arrive. The gap removes the synchronous parser from the attack path entirely. The bytes sit. They get validated by code the attacker doesn't control, on a timeline the attacker doesn't control, with as many passes as the receiver wants. There is no exploit primitive against bytes in a file the receiver hasn't opened yet.
This fails only if the validation logic itself has a bug, AND that bug can be triggered through textual data within the schema, AND the resulting state is dangerous. Three independent conditions, each addressable separately, none subject to the network-speed pressure that makes most defenses fail. Defenders have unlimited time per item; attackers have one shot per item with no feedback. That's the inverse of every Internet-facing service.
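The reader side of the gap described above, as an added example that is not FrogNet's own code: items are checked at rest for size, encoding, schema, exact type, range and semantic plausibility before anything interprets them, and failures are quarantined unread. The order-record schema, field names, size cap and directory layout are assumptions made for illustration.

```python
import json, re, stat, tempfile
from pathlib import Path
MAX_BYTES = 4096                              # assumed per-item size cap
ORDER_ID = re.compile(r"[A-Z]{2}-\d{6}")      # assumed identifier format
FIELDS = {"order_id": str, "quantity": int, "unit_cents": int, "total_cents": int}

class Rejected(Exception): pass               # a dropped item failed a validation pass

def validate(raw: bytes) -> dict:
    if len(raw) > MAX_BYTES:
        raise Rejected("size")
    try:
        record = json.loads(raw.decode("ascii"))   # text handoff: ASCII JSON only
    except (ValueError, RecursionError) as exc:    # bad bytes, bad JSON, deep nesting
        raise Rejected("parse") from exc
    if not isinstance(record, dict) or set(record) != set(FIELDS):
        raise Rejected("schema")
    for key, kind in FIELDS.items():
        if type(record[key]) is not kind:          # exact type: bool is an int subclass
            raise Rejected("type")
    if not ORDER_ID.fullmatch(record["order_id"]):
        raise Rejected("format")
    if not (1 <= record["quantity"] <= 1000 and 1 <= record["unit_cents"] <= 1_000_000):
        raise Rejected("range")
    if record["total_cents"] != record["quantity"] * record["unit_cents"]:
        raise Rejected("semantic")                 # plausibility: total must add up
    return record

def drain(dropbox: Path, quarantine: Path):   # returns (accepted, [(name, reason)])
    accepted, rejected = [], []
    for entry in sorted(dropbox.iterdir()):
        try:
            info = entry.lstat()                   # lstat: never follow a symlink
            if not stat.S_ISREG(info.st_mode) or info.st_size > MAX_BYTES:
                raise Rejected("size")
            accepted.append(validate(entry.read_bytes()))
            entry.unlink()
        except Rejected as why:
            rejected.append((entry.name, str(why)))
            entry.rename(quarantine / entry.name)  # keep the evidence, uninterpreted
    return accepted, rejected

def demo():                                   # constructed sample drops in temp dirs
    box, jail = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    good = {"order_id": "AB-000123", "quantity": 3, "unit_cents": 250, "total_cents": 750}
    (box / "1-good.json").write_text(json.dumps(good))
    (box / "2-bool.json").write_text(json.dumps({**good, "quantity": True}))
    (box / "3-total.json").write_text(json.dumps({**good, "total_cents": 1}))
    (box / "4-nested.json").write_text("[" * 4000)
    return drain(box, jail)
```

The reader returns only a reason code per rejected item and sends nothing back across the gap, which matches the "one shot per item with no feedback" property.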
What this leaves the reader with.
If you are an individual: the Family page is the version of FrogNet for you. A small box per home, your family's data off the public Internet, optional AI watching the people you love.
If you run a small business: the Small Business page is for you. A box between your modem and switch; your back-end disappears from the surface; your customer-facing site stays where it is.
If you're an engineer evaluating the architecture: the Technical page describes the implementation in full detail, including the text-handoff architecture that makes the front-end/back-end split structurally stronger than a perimeter. The repo opens May 11; clone it, run the reproduction harness, verify the claims yourself.
If you're a policy reader, a regulator, or a custodian: the architectural alternative now exists, on a timeline you cannot defer past. The standard of care is going to evolve. The work that's available to you is to recognize the shift early, rather than after a court has done it for you.
If this argument lands
Sponsorship pays for continued work on FrogNet past launch — the next bug fix, the next pull request, the next constraint a tester hasn't asked about yet. Apache 2.0 ships May 11 either way. Sponsorship is the difference between a project that ships once and a project that continues.
