Project Glasswing: Secure the Complement, or Lose the Platform
I co-wrote the OpenBSD firewall and built the fuzzer that should have caught Mythos's TCP bug. Both missed it. Here's why that's a CFO problem now.
When Anthropic’s Mythos surfaced a TCP option-processing bug in OpenBSD that had been sitting in the stack since the late ’90s, I took it personally. I audited that exact code path more times than I can count, 25 years ago. I wrote ISIC, including the TCP Stack Integrity Checker, a fuzzer built specifically to find the exact class of bug Mythos found. My fuzzer missed it 25 years ago. I missed it, staring directly at it and pointing automated tooling directly at it, during a period of my life when I worked on securing low-level network stacks seven days a week.
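To make the "class of bug" concrete for readers who have never walked a TCP option list, here is an added example of a defensive option walker with a single-byte mutation sweep of the kind a fuzzer like ISIC performs. This is illustrative code written for this post, not the OpenBSD stack, not ISIC, and not a reconstruction of the bug Mythos found; it assumes only the standard option encoding (kind byte, then a length byte for everything except EOL and NOP), and the sample SYN option block is constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TCP option kinds from the standard encoding: EOL and NOP carry no length byte. */
#define TCPOPT_EOL            0
#define TCPOPT_NOP            1
#define TCPOPT_MAXSEG         2
#define TCPOPT_WINDOW         3
#define TCPOPT_SACK_PERMITTED 4
#define TCPOPT_TIMESTAMP      8

typedef int (*tcpopt_cb)(uint8_t kind, const uint8_t *data, size_t dlen, void *ctx);

/* Walk an options region, refusing anything that would read past the end or
 * fail to advance. Returns the number of options seen, or -1 if malformed. */
int tcp_options_walk(const uint8_t *opts, size_t len, tcpopt_cb cb, void *ctx)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        uint8_t kind = opts[off];
        if (kind == TCPOPT_EOL)
            return count;                      /* end of list; trailing pad ignored */
        if (kind == TCPOPT_NOP) {
            off++; count++;
            continue;
        }
        if (off + 1 >= len) return -1;         /* kind byte with no room for a length */
        uint8_t optlen = opts[off + 1];
        if (optlen < 2) return -1;             /* 0 or 1 would never advance: classic hang/underflow */
        if (optlen > len - off) return -1;     /* option body would run past the region */
        if (cb && cb(kind, opts + off + 2, optlen - 2, ctx) != 0) return -1;
        off += optlen;
        count++;
    }
    return count;
}

/* Fixed-size options must carry exactly their defined payload. Unknown kinds
 * are skipped by their length field, which is the standard behaviour. */
static int check_fixed_len(uint8_t kind, const uint8_t *data, size_t dlen, void *ctx)
{
    (void)data; (void)ctx;
    switch (kind) {
    case TCPOPT_MAXSEG:         return dlen == 2 ? 0 : -1;
    case TCPOPT_WINDOW:         return dlen == 1 ? 0 : -1;
    case TCPOPT_SACK_PERMITTED: return dlen == 0 ? 0 : -1;
    case TCPOPT_TIMESTAMP:      return dlen == 8 ? 0 : -1;
    default:                    return 0;
    }
}

int tcp_options_count(const uint8_t *opts, size_t len)
{
    return tcp_options_walk(opts, len, check_fixed_len, NULL);
}

struct mss_ctx { int mss; };

static int grab_mss(uint8_t kind, const uint8_t *data, size_t dlen, void *ctx)
{
    if (check_fixed_len(kind, data, dlen, ctx) != 0) return -1;
    if (kind == TCPOPT_MAXSEG)
        ((struct mss_ctx *)ctx)->mss = (data[0] << 8) | data[1];
    return 0;
}

/* Returns the advertised MSS, or -1 if absent or the option block is malformed. */
int tcp_options_mss(const uint8_t *opts, size_t len)
{
    struct mss_ctx c = { -1 };
    if (tcp_options_walk(opts, len, grab_mss, &c) < 0) return -1;
    return c.mss;
}

/* Single-byte mutation sweep over a valid block: how many of the 255*len
 * mutants does the walker reject? Data-byte mutations are legitimately
 * accepted, which is exactly why byte-flipping alone never proves a parser safe. */
long tcp_options_reject_mutants(const uint8_t *opts, size_t len)
{
    uint8_t buf[64];
    long rejected = 0;
    if (len > sizeof buf) return -1;
    for (size_t i = 0; i < len; i++) {
        for (int v = 0; v < 256; v++) {
            if (v == opts[i]) continue;
            memcpy(buf, opts, len);
            buf[i] = (uint8_t)v;
            if (tcp_options_count(buf, len) < 0) rejected++;
        }
    }
    return rejected;
}

/* Constructed sample: a typical 20-byte SYN option block
 * MSS 1460, SACK-permitted, timestamps, NOP, window scale 7. */
const uint8_t kSynOptions[20] = {
    0x02, 0x04, 0x05, 0xb4,
    0x04, 0x02,
    0x08, 0x0a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x01,
    0x03, 0x03, 0x07
};
/* Constructed malformed blocks the walker must refuse. */
const uint8_t kOptZeroLen[2]   = { 0x02, 0x00 };        /* length 0: would loop forever */
const uint8_t kOptTruncated[3] = { 0x02, 0x04, 0x05 };  /* claims 4 bytes, only 3 present */
const uint8_t kOptKindOnly[1]  = { 0x02 };              /* no length byte at all */
const uint8_t kOptShortMss[3]  = { 0x02, 0x03, 0x05 };  /* in bounds, but MSS needs 2 data bytes */
const uint8_t kOptNopNopEol[4] = { 0x01, 0x01, 0x00, 0x02 };  /* valid: 2 options, then EOL */

int main(void)
{
    printf("options=%d mss=%d rejected_mutants=%ld\n",
           tcp_options_count(kSynOptions, sizeof kSynOptions),
           tcp_options_mss(kSynOptions, sizeof kSynOptions),
           tcp_options_reject_mutants(kSynOptions, sizeof kSynOptions));
    return 0;
}
```

The three checks before the callback (room for a length byte, length at least 2, length within the region) are the whole defence; drop any one and a crafted option either hangs the loop or reads past the buffer. The mutation sweep shows the fuzzer's blind spot: most single-byte mutants of a well-formed block are still accepted, so coverage of the length checks has to be targeted rather than assumed.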
I lead with that not to relitigate my workflow. I lead with it so the CISOs and platform engineers reading this don’t look at Anthropic’s Project Glasswing as a security engineering conversation. It isn’t. If someone with my background, tooling, and obsession couldn’t find that ONE bug in code I owned, engineering teams aren’t going to dig out of decades of security debt with a few sprints.
So I’m taking the engineer hat off. CEO hat on. Let’s talk to the Glasswing cohort the way their boards are about to talk to them: as a P&L event.
The reframe. Mythos-class models have moved a large, dormant inventory of latent vulnerabilities from “below the threshold of notice” to “above it.” This is structurally identical to a regulatory shift: a category of cost that was previously externalized is about to be internalized, fast. The difference is that you can’t lobby your way out. The remediation is technical, the timeline is compressed, and the accounting treatment is ugly.
For physical product lines, the exposure is warranty liability and recall risk on shipped hardware. For SaaS and platforms, it’s churn risk against consumer lock-in and, more painfully for the CFO, impairment of M&A goodwill carried on the balance sheet, which lands on the income statement as a GAAP expense the quarter you take it. Ouch.
Where the exposure sits. Rough cuts from public filings; treat as order-of-magnitude:
Apple — ~57% of FY25 revenue from iPhone and iPad, gated by an App Store you will now have to vouch for end-to-end.
AWS — effectively ~60% of Amazon’s operating income. The exposure isn’t AWS itself; it’s the OS images, package repositories, and customer workloads you implicitly stand behind.
Broadcom — ~25% of revenue from chips embedded in commercial products that can be bricked in place, with mobile and IoT as the second-order blast radius.
Google — undisclosed, but a defensible estimate puts 20–40% of revenue downstream of Android and ads served against it. Same Play Store problem as Apple, with a messier device fleet.
Microsoft — ~85% of FY25 revenue touches at-risk product lines: Windows, the Microsoft Store, Xbox, and the entire Azure-hosted ISV ecosystem.
I won’t put a date on when this becomes board-level. If I were on your board, you would already have gotten a phone call. I’ll say only that the gap between “interesting research result” and “named in an 8-K” has historically been measured in quarters, not years, and Mythos just passed the research stage.
Now the part the CFO actually wants to hear. Every threatened liability on this list has a revenue-side mirror. The platform playbook here is not new, it’s Joel Spolsky’s “commoditize your complement,” run in reverse. You commoditized the complements years ago. Now you secure them, and you charge for the securing.
App stores (Apple, Google, Microsoft) can mandate third-party security attestation as a condition of listing. Developers self-certify at one price tier, get audited by an approved third party at another, or buy the service from the store directly at the platinum tier. Enterprise buyers will demand platinum and pay for it. Those insecure apps, the ones where the consumer is the product, are putting your platform itself at risk.
Cloud providers (AWS, Google, Microsoft) already run overwatch on customer workloads for their own risk management. Any workload not originating from an attested, vetted image becomes a billable line item for the monitoring you were eating as COGS anyway.
Silicon and device vendors (Broadcom, and the ecosystem downstream) have the hardest road, because remediation often means physical replacement. The opportunity is attested-boot-as-a-service and a recurring security SLA on shipped parts, converting a one-time hardware sale into an annuity, which is the trade that cements the hardware CFO’s legacy.
The close. Mythos, and maybe a whole generation of frontier models, are about to revalue a category of risk the technology sector has been carrying off-balance-sheet since the 1990s. If you are a platform, your two choices are to absorb that revaluation as liability or to convert it into recurring revenue by securing the complements you previously commoditized. The companies that move in the first two quarters will set the pricing, the standards, and the audit regime everyone else has to buy into. The companies that wait will be the ones writing the impairment disclosures.
Secure the complement, or lose the platform.