# Security - [Cursor Security Review vs. Claude Security: Two Betas, One Week, Opposite Architectures](https://sdd.sh/2026/05/cursor-security-review-vs.-claude-security-two-betas-one-week-opposite-architectures.md): On April 30, 2026, both Cursor and Anthropic shipped AI-powered security products on the same day. The features look similar on paper. The architectures could not be more different — and that difference tells you everything about where each company thinks AI coding is headed. - [92% of AI-Generated Codebases Have Critical Vulnerabilities. Here's Why Agentic Review Is the Fix.](https://sdd.sh/2026/04/92-of-ai-generated-codebases-have-critical-vulnerabilities.-heres-why-agentic-review-is-the-fix..md): The 2026 AI Coding Impact Report reveals that 100% of engineering orgs are shipping more code thanks to AI — and security teams are drowning. 92% of AI-generated codebases contain critical vulnerabilities. The answer isn't less AI. It's better AI review. - [Claude Code on Bedrock with Mantle: The Enterprise Air-Gap Story](https://sdd.sh/2026/04/claude-code-on-bedrock-with-mantle-the-enterprise-air-gap-story.md): Claude Code v2.1.94 shipped Mantle backend support, enabling zero operator access on AWS-managed infrastructure. No SSH. No Session Manager. No Anthropic personnel in the inference path. Here's what that actually means for enterprise buyers. - [84% of Developers Use AI Code Tools. Only 29% Trust What They Ship.](https://sdd.sh/2026/04/84-of-developers-use-ai-code-tools.-only-29-trust-what-they-ship..md): Stack Overflow's developer survey exposed a paradox: AI coding tool adoption is at an all-time high, but trust in AI-generated code just hit an all-time low. The gap isn't irrational — it's diagnostic. And it points directly to what's broken about the autocomplete paradigm. - [Claude Mythos Goes Official: Project Glasswing and the Zero-Day Reckoning](https://sdd.sh/2026/04/claude-mythos-goes-official-project-glasswing-and-the-zero-day-reckoning.md): Anthropic officially unveiled Claude Mythos Preview on April 7, confirming what the March leak hinted at: a model that autonomously found thousands of zero-days across every major OS and browser. Their response — Project Glasswing — grants restricted access to a select group of tech giants to use Mythos as a defensive weapon. This is the most consequential 'too dangerous to release' moment in AI history. - [The CLAUDE.md Trap: How a New Supply-Chain Attack Targets Agentic Developers](https://sdd.sh/2026/04/the-claude.md-trap-how-a-new-supply-chain-attack-targets-agentic-developers.md): A patched vulnerability in Claude Code (CVE-2026-21852) reveals an entirely new attack surface: poisoned project config files that silently bypass your deny rules and exfiltrate credentials. Here's what happened, how the exploit works, and what it means for agentic security. - [Cursor Is Worth $50 Billion. Its Biggest Problem Is That It Still Needs You.](https://sdd.sh/2026/04/cursor-is-worth-50-billion.-its-biggest-problem-is-that-it-still-needs-you..md): Cursor's $50B valuation is real, its self-hosted cloud agents are a genuine enterprise product, and 67% of Fortune 500 companies are customers. But the autonomy ceiling — the fundamental limit that keeps Cursor in the IDE and humans in the loop — hasn't moved. - [MCP Dev Summit NYC 2026: Authentication Is the Crisis, OpenAI Is Now a Stakeholder](https://sdd.sh/2026/04/mcp-dev-summit-nyc-2026-authentication-is-the-crisis-openai-is-now-a-stakeholder.md): The first major Linux Foundation MCP summit signals protocol maturity — but surfaces an uncomfortable truth: 43% of MCP servers have OAuth vulnerabilities, auth is still the dominant unsolved problem, and breaking changes are coming in SDK V2. - [Claude Mythos: The Leaked Model That Scared the Security World](https://sdd.sh/2026/03/claude-mythos-the-leaked-model-that-scared-the-security-world.md): A CMS misconfiguration at Anthropic accidentally revealed 'Claude Mythos' — a model tier above Opus 4.6 that Anthropic itself calls an unprecedented cybersecurity risk. Here's what leaked, what it means for agentic coding, and why the security industry noticed immediately. - [GitHub Copilot Gets Smarter — and Wants Your Code Data](https://sdd.sh/2026/03/github-copilot-gets-smarter-and-wants-your-code-data.md): Cross-agent memory, built-in security scanning, Jira integration, and a model picker make Copilot's coding agent genuinely capable. Then GitHub announced it's using your interaction data for training. Here's the full picture.