The Architectural Answer to the Mythos AI Security Vulnerability: GRIDS
Commercial Brief for the Defence Industry – Primes, Suppliers, and Software Vendors
QPQ AG, Switzerland – 7 May 2026
Every link in this briefing leads to a primary source. QPQ is contactable for verification of any claim not covered by an embedded link.
What has happened
On 7 April 2026, Anthropic announced an AI model called Mythos that breaks into other people’s computer systems on its own, at machine speed, without a human at the keyboard. In Anthropic’s own words, the model can perform “account login bypasses that allow unauthenticated users to log in without knowledge of their password or two-factor authentication code” and “multiple complete authentication bypasses that allow unauthenticated users to grant themselves administrator privileges.”
In defence terms: an attacker can act as any party your systems have been built to verify – your engineer authenticated into a classified development environment, your supply-chain administrator releasing components for delivery, your programme manager signing inter-government correspondence, your operator authorised onto an OT or weapons-platform control plane – against any system whose authentication runs on the same architecture every defence prime, supplier, and software vendor uses today. Anthropic has held the model back. On Anthropic’s own assessment, equivalent capability will be in less responsible hands within six to eighteen months.
Within days, the US Treasury Secretary and the Chair of the Federal Reserve convened Wall Street’s largest bank chief executives in the first joint emergency meeting of its kind since the financial crisis of October 2008. The Bank of Canada convened its Financial Sector Resiliency Group. The Bank of England is convening its Cross Market Operational Resilience Group.
On 13th April the Cloud Security Alliance, SANS, and OWASP jointly published an emergency framework: eleven priority actions, with the report’s own caveat that “long-term goals should be considered a quarter away at most.” Two days later, the UK government’s open letter to business leaders recorded the UK AI Security Institute’s assessment that frontier AI capabilities are now doubling every four months, against the previous estimate of every eight.
Subsequently, on 24 April, the Swiss Financial Market Supervisory Authority told Bloomberg that “the uncontrolled and immediate availability of AI models such as Mythos would be classified as a systemic risk” because “virtually all existing software systems could simultaneously be affected by a multitude of previously unknown zero-day vulnerabilities, which would be exploited immediately and via AI.” On 4 May, the Eurogroup convened in Brussels to discuss Mythos access for European institutions.
The defence sector’s specific exposure
The credential surface that Mythos defeats is, for every defence organisation, the surface through which the most controlled categories of information move: classified material, export-controlled technology, weapons-system design data, OT and weapons-platform control planes, supply-chain integrity attestations, inter-government and inter-allied messaging, security-clearance-derived authorisations. Engineering authentication into a classified development environment, supply-chain administrator authority over component release, programme-manager authority over inter-government correspondence, operator authority on a weapons-platform control plane, contracting-officer authority over award and modification – every one of these sits behind credentials that prove someone is authorised to act. When the credential is defeated, the security-clearance perimeter that everything else rests on is defeated with it.
The exposure for defence carries a dimension other sectors do not: adversarial reach into systems with kinetic and strategic consequence. A breach that exfiltrates weapons-system design data hands an adversary the development cycle the prime spent decades building. A breach that manipulates supply-chain attestations admits unverified components into platforms whose integrity is national security. A breach that reaches an OT or weapons-platform control plane is no longer a data-confidentiality event but an operational-control event. The line between an authentication compromise and a national-security event in modern defence is a single credential-protected boundary.
The 2020 SolarWinds supply-chain attack is the precedent of what credential-perimeter penetration looks like in this sector. APT29, attributed by the US government to Russian Foreign Intelligence Service, compromised SolarWinds in September 2019, injected malicious code into Orion software updates from approximately March 2020, and went undetected for approximately nine months. Approximately 18,000 SolarWinds customers downloaded the trojanised updates; approximately 100 non-government entities and nine US federal agencies were actively compromised by follow-on activity. The customer base included all five branches of the US military, the National Security Agency, the National Aeronautics and Space Administration, the Departments of Justice, State, Commerce, Treasury, Homeland Security, the Pentagon, Lockheed Martin, and Booz Allen Hamilton. The mechanism: trusted authentication credentials moved through a trusted software supply chain into networks that had no architectural defence against either being abused. CISA issued emergency directive 21-01 on 13 December 2020 ordering federal civilian agencies to disconnect Orion immediately. That campaign required a determined nation-state actor working through a sophisticated supply-chain compromise over more than a year. Mythos can do the same kind of credential and authentication-system penetration in seconds, on its own.
The asymmetry that has been dominating recent news flow is instructive: $5,000 drones against a $2 billion navy destroyer that fires $2 million missiles to stop it – and only one drone in the swarm has to get through. Mythos is a step beyond that. The drone is single-use and the swarm is finite, as is the missile supply on the defending ship. The framework being put in front of supervisors asks regulated institutions to keep firing $2 million missiles. One drone gets through and the $2 billion destroyer is gone. Mythos and those AI models that will follow, can attack every system in the world, in parallel, indefinitely, at a marginal cost per attack approaching zero.
The disclosure problem at the heart of the cybersecurity policy response
The CSA / SANS / OWASP framework’s eleven priority actions each assume the same software stack the defence and security population already runs and call for it to be defended harder. None addresses why the stack is vulnerable in the first place. Global information-security spending reached $213 billion in 2025 and is forecast at $240 billion in 2026 – 12.5% growth in a single year against a threat that has just rendered the underlying assumption obsolete.
The framework lists its authors and reviewers on its title page: most are CISOs, vendors, investors in security firms, training organisations, and conference operators whose commercial position is served by an answer that is more of what they sell. Lead author Gadi Evron is chief executive of Knostic, whose tools appear among the recommended options in the framework’s first priority action; the framework’s publishing bodies are themselves named in its adoption pathways. The affiliations are disclosed on the title page; the conflict at the points where the affiliations bear on specific recommendations is not flagged. For a defence audience, the standard the framework applies to its own work is below the conflict-disclosure standard required for award of a defence contract.
The architectural answer
A Swiss company, QPQ AG, has been running an alternative architecture since 22 October 2024: the Internet of Economics, an open economic resource layer designed for value rather than information. The first commercial tool of the Internet of Economics directly relevant to the defence sector is GRIDS – Gajumaru Remote Instruction Dispatch and Serialisation – a free open protocol released under GPL3 at Main Net on 26 April 2026.
The cybersecurity industry has spent thirty years trying to keep attackers away from the place where credentials and sensitive data sit. The architectural alternative does not try harder. It moves the credential to a place the attacker cannot reach. The proof that the user is who they say they are – the signing key – sits in a sealed part of the user’s own device that even the device’s own software cannot read. When the system needs to verify the user, it sends the specific request to the user’s device. The device displays the request in plain language: “approve release of these design files to the named programme team”; “authorise the submission of this contract modification”; “approve this command to the platform control plane.” The user approves. The device produces a one-off cryptographic signature bound to that specific request. The system verifies the signature against a public counterpart on file – useless to anyone else – and acts on it. There is no password to steal. There is no code to intercept. There is no logged-in session left behind for an attacker to take over.
The same primitive serves every credential surface a defence organisation operates: engineer authentication into classified and export-controlled development environments; programme-manager authentication into inter-government correspondence systems; supply-chain administrator authentication into component release and traceability systems; contracting-officer authentication into award, modification, and payment systems; operator authentication onto weapons-platform and OT control planes; inter-organisation authentication for prime-supplier, allied-government, and inter-service workflows.
A five-minute live demonstration is available at https://youtu.be/WkzNErEg51o – login, transfer action, and QR code login. It works today on a laptop or desktop; the mobile reference application follows in July 2026. The first sovereign user is the Liechtenstein Trust Integrity Network, with Telecom Liechtenstein as majority owner, deploying national infrastructure on this architecture in the second half of 2026.
Our commercial position
The GRIDS protocol is open source and free under GPL3; QPQ does not charge for the protocol or for the reference applications, GajuDesk and GajuMobile.
The commercial offer is engineering integration through QPQ IaaS AG, the Swiss operating subsidiary in Einsiedeln: defence primes, suppliers, and software vendors that want GRIDS built into their existing systems by the team that built it engage QPQ IaaS AG on a project basis. We make that point explicitly because the cybersecurity industry’s framework does not.
What deployment looks like
GRIDS deploys at the credential layer beneath the existing identity and access stack. Identity governance, lifecycle, federation, classification-derived entitlement management, and the existing audit and accountability logging continue to be handled by the existing stack. What changes is what gets authenticated and how. The deployment decision is per-surface: at the engineering authentication layer for classified and export-controlled development; at the contracting and programme-management layer for inter-government correspondence; at the supply-chain layer for component release and traceability; at the OT and platform control-plane layer where the operational consequence is most direct.
GajuDesk on desktop today and GajuMobile on iOS and Android from end Q2 2026 implement GRIDS using the device’s hardware-backed keystore (Apple Secure Enclave on macOS and iOS, Android hardware-backed keystore, TPM on Windows and Linux). For populations and credential surfaces where the value at stake warrants air-gapped signing – cleared engineering with full design-file authority, programme-manager authority over inter-government correspondence, control-plane operator authority on weapons platforms – dedicated air-gapped hardware on the protocol roadmap is the definitive answer. The signing device has no network connection of any kind: no Wi-Fi, no Bluetooth, no NFC, no cellular radio. The only communication channel is optical, via QR codes.
The Stage 3 sovereign-provenance hardware programme addresses the dimension defence audiences care about most: hardware provenance and supply-chain integrity. QPQ plans to establish global GRIDS device fabrication facilities in jurisdictions chosen for regulatory stability, manufacturing capability, and audit access, with verified component-to-assembly manufacturing chains and audit access available to sovereign partners. For defence partners that require the capability inside their own jurisdiction rather than purchased from QPQ’s, QPQ is open to establishing fabrication facilities within partner jurisdictions, including full technology transfer. This is the answer to the Swiss-provenance question that some defence audiences will reasonably raise on first encounter: the destination state of the partnership is the partner’s own provenance, not Switzerland’s. Switzerland is the starting point of the architecture, not the necessary endpoint of any deployment.
The credential lifecycle (registration, use, rotation, revocation, recovery) is fully auditable and produces signature events that contain the specific instruction approved, the user’s public key, and the verification timestamp. For defence-sector compliance regimes – CMMC and NIST SP 800-171 for the US Defense Industrial Base, ITAR and EAR for export-controlled technology, ISO 27001 and equivalent national-security-vetted regimes elsewhere – the controls being demonstrated map cleanly because the architecture eliminates the credential surface that most of those regimes exist to protect.
What we are proposing
Immediate: A ten-to-fifteen-minute live demonstration, on your machine or ours. Download GajuDesk from gajumining.com/downloads; your team can sign in themselves during the session and inspect the protocol in operation. For classified or export-controlled environments where local installation is precluded by policy, we screen-share our own live operations.
Near term: Integration of Stage 1 GRIDS at the credential surface you choose – engineering, programme management, supply chain, contracting, or a defined subset. The protocol is open source. The cost is engineering time and any specific customisation, not licensing. QPQ IaaS AG is available to support the integration where the touch points are non-trivial, including the audit and supervisory dimensions of defence-specific compliance.
Strategic: A defence prime that demonstrates to its government customer that the credential surface holding classified, export-controlled, and supply-chain material has been eliminated holds a competitive position no prime still defending the existing architecture can match. For software vendors serving multiple defence customers, the architectural answer travels through the vendor’s product line into every customer at once. The Stage 3 sovereign-manufacturing partnership conversation – including jurisdictional placement of the fabrication facility – is open for partners with strategic exposures that warrant it.
Contact
Greg Chew – CEO, QPQ AG and QPQ IaaS AG
Email: gregchew@qpq.swiss
Signal: @GregChew.14
LinkedIn: linkedin.com/in/gregchew14
The full architectural argument: Un-White Paper
qpq.swiss · gajumaru.io · gajumining.com
Engineering credit: Ulf Wiger (CTO, formerly chief designer of Ericsson’s AXD 301), Craig Everett (CPO and GRIDS architect), Dimitar Ivanov (CDO, co-architect FATE virtual machine and Sophia smart-contract language).
QPQ AG (Industriestrasse 47, Zug) built the Internet of Economics architecture and holds the intellectual property. QPQ IaaS AG (Allmeindstrasse 17, 8840 Einsiedeln) is the integration counterparty for defence sector deployment. Gajumaru and GRIDS operational since 22 October 2024. Main Net: 26 April 2026.