# mlzen — zen of the machine > Zen of the Machine — a dark, brutalist-editorial intel zine on tech, GenAI, and cybersecurity for curious generalists. Editor: The Human Editor. Every post below is disclosed as AI-drafted and/or human-approved. Canonical site: https://mlzen.com/ --- # Week 29: cheaper agents, a forgotten token, and a court that said no to Apple - URL: https://mlzen.com/briefs/2026-w29 - Date: 2026-07-13 - Kind: brief - Tags: genai, cybersec, tech - Disclosure: drafted with AI · awaiting human review > Two new model families built for agents, a supply-chain breach that started with a token nobody revoked, and the DMA ruling that keeps Apple's app stores open to scrutiny. ## Signal **Anthropic shipped Claude Sonnet 5, priced for agents, not just chats.** On June 30, Anthropic released Sonnet 5, a mid-tier model tuned for autonomous use: browsing, working in a terminal, and running long chains of steps without a human checking in after every reply. Anthropic says it approaches its own flagship Opus 4.8 on agentic-coding and computer-use tests at a fraction of the price ($2/$10 per million input/output tokens through the end of August). The number to watch isn't the benchmark score, it's the price. When capable agents get cheap enough to run constantly rather than occasionally, more of them will run with less human review in the loop. That's a security and oversight question as much as a product one. Source: [Anthropic](https://www.anthropic.com/news/claude-sonnet-5), [TechCrunch](https://techcrunch.com/2026/06/30/anthropic-launches-claude-sonnet-5-as-a-cheaper-way-to-run-agents/) **OpenAI answered with a three-tier GPT-5.6 lineup: Sol, Terra, Luna.** On July 9, OpenAI released Sol (flagship, $5/$30 per million tokens, aimed at coding, science, and security work), Terra (mid-tier default, $2.50/$15), and Luna (budget, $1/$6). OpenAI says Sol tops an independent coding-agent benchmark. The tiering itself is the story: both major labs are now competing on cost-per-completed-task, not just raw capability. If you build on these APIs, the budget tier is worth testing before defaulting to the expensive one. Treat any single benchmark chart, from any vendor, as marketing until an independent group reproduces it. Source: [OpenAI](https://openai.com/index/gpt-5-6/), [OpenAI](https://openai.com/index/previewing-gpt-5-6-sol/) **A token nobody revoked since 2022 led to a breach touching roughly 200 companies.** Attackers got into market-intelligence vendor Klue using a credential issued for a limited pilot in 2022 that was simply never turned off. From there they pulled OAuth tokens (the digital keys apps use to act on your behalf in another service without knowing your password) and reached into customer Salesforce and cloud environments. LastPass, HackerOne, and Jamf were among the confirmed casualties; one extortion crew has since tried to shake down Klue's own customers directly. The lesson generalizes past this one vendor: every integration you've ever approved for a partner tool is a standing door, and most organizations have no inventory of which ones are still open. Source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/lastpass-confirms-data-breach-in-klue-supply-chain-attack/), [TechCrunch](https://techcrunch.com/2026/06/25/hacked-klue-says-criminals-are-deleting-stolen-customer-data-but-now-other-hackers-are-making-threats/) **DHS confirmed a breach of HSIN, the network that shares threat intel across federal, state, and local responders. The alerts had already fired twice.** On July 1, the Department of Homeland Security confirmed intruders had been inside the Homeland Security Information Network for weeks, notably during a stretch of heightened attention around World Cup security coordination. The detail worth sitting with: internal alerts flagged the suspicious activity twice before the breach was confirmed, and both times they were dismissed as false positives. This wasn't a detection failure. The detection worked. The response process didn't. Source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/dhs-confirms-hackers-breached-hsin-info-sharing-platform/) **An EU court told Apple its app stores are still a "gatekeeper" under the Digital Markets Act.** On July 8, the EU General Court upheld the European Commission's classification of Apple's App Stores (iPhone, iPad, Mac, TV, Watch) as a single core platform service, meaning they stay subject to the DMA's interoperability and competition rules. A separate, narrower challenge over iMessage was thrown out as inadmissible rather than decided on the merits. Apple can still appeal to the EU's top court, but for now the practical rules around alternative app stores and payment systems for EU users hold. Source: [Courthouse News](https://www.courthousenews.com/apple-loses-eu-court-fight-over-big-tech-gatekeeper-rules/) ## Noise **"Grok 4.5 is Opus-class."** Elon Musk's framing spread fast after Grok 4.5's rollout, but xAI's own published chart shows it winning only two of the four benchmarks it highlighted against Claude Opus 4.8, and independent testers put it closer to fourth among frontier models, with a higher hallucination rate and one benchmark result withdrawn over contaminated test data. The evaluations backing the "Opus-class" claim were run in-house. Read the model's own numbers before the headline built from them. Source: [Let's Data Science](https://letsdatascience.com/blog/grok-4-5-opus-class-claim-ranks-fourth) **AI, the seasoning you put on everything.** Jersey Mike's Subs, a sandwich chain, mentioned "artificial intelligence" 22 times in its IPO filing this week. Nobody thinks a hoagie needs a foundation model. It's a clean, low-stakes tell that AI language has become something companies reach for by reflex, independent of whether it describes anything they actually do. Source: [TechCrunch](https://techcrunch.com/2026/07/02/jersey-mikes-ipo-illustrates-how-bad-the-ai-hype-has-become/) ## One term, demystified **OAuth token.** When you let one app or service act on your behalf inside another (a scheduling tool that reads your calendar, a vendor dashboard that pulls your support tickets), it usually doesn't get your password. It gets an OAuth token instead: a piece of digital credential that says "this specific app can do these specific things, on this account, until revoked." That's a good design, right up until nobody remembers to revoke it. The Klue breach above happened because a token minted for a small 2022 pilot was still live and trusted years later. A token is only as safe as the list of who's still holding one, and almost nobody keeps that list up to date. ## Sources 1. [Anthropic: Claude Sonnet 5](https://www.anthropic.com/news/claude-sonnet-5) 2. [TechCrunch: Anthropic launches Claude Sonnet 5 as a cheaper way to run agents](https://techcrunch.com/2026/06/30/anthropic-launches-claude-sonnet-5-as-a-cheaper-way-to-run-agents/) 3. [OpenAI: Introducing GPT-5.6](https://openai.com/index/gpt-5-6/) 4. [OpenAI: Previewing GPT-5.6 Sol](https://openai.com/index/previewing-gpt-5-6-sol/) 5. [BleepingComputer: LastPass confirms data breach in Klue supply-chain attack](https://www.bleepingcomputer.com/news/security/lastpass-confirms-data-breach-in-klue-supply-chain-attack/) 6. [TechCrunch: Hacked Klue says criminals are deleting stolen customer data, but now other hackers are making threats](https://techcrunch.com/2026/06/25/hacked-klue-says-criminals-are-deleting-stolen-customer-data-but-now-other-hackers-are-making-threats/) 7. [BleepingComputer: DHS confirms hackers breached HSIN info-sharing platform](https://www.bleepingcomputer.com/news/security/dhs-confirms-hackers-breached-hsin-info-sharing-platform/) 8. [Courthouse News: Apple loses EU court fight over Big Tech gatekeeper rules](https://www.courthousenews.com/apple-loses-eu-court-fight-over-big-tech-gatekeeper-rules/) 9. [Let's Data Science: Grok 4.5's 'Opus-class' claim ranks fourth](https://letsdatascience.com/blog/grok-4-5-opus-class-claim-ranks-fourth) 10. [TechCrunch: Jersey Mike's IPO illustrates how bad the AI hype has become](https://techcrunch.com/2026/07/02/jersey-mikes-ipo-illustrates-how-bad-the-ai-hype-has-become/) --- # Why this site talks to agents - URL: https://mlzen.com/briefs/this-site-talks-to-agents - Date: 2026-07-13 - Kind: essay - Tags: genai, tech - Disclosure: drafted with AI · awaiting human review > mlzen publishes for people and for the AI agents reading alongside them: an MCP server, markdown on request, and an llms.txt file. Here's what that means and why the web is quietly growing a second front door. If you're reading this in a browser, you're standing in mlzen's front door. There's a second one, around the back, and it's not an afterthought: this site also publishes for AI agents, deliberately and openly, as a real audience alongside you. Concretely, that means three things. Every article on this site can hand a plain-text markdown version of itself to anything that asks for one, instead of a page of HTML built for a browser. The site runs a small server that lets an AI assistant look up, search, and read mlzen's posts directly, the way it might use any other tool. And the site publishes a short file at its root that tells a language model what mlzen is and where to find everything on it. None of this is exotic. It's closer to how a print magazine used to mail a subscriber a copy while a librarian requested a separate one for the archive: same content, different delivery, built for a different kind of reader. Here's what each piece actually is, and why it's spreading across the web right now. ## Markdown on request When your browser asks for a page, it sends a header (a small line of metadata attached to the request) saying roughly "send me HTML, I know how to display that." An AI agent fetching the same page often doesn't want the HTML at all. It doesn't need the navigation bar, the footer, or the styling markup; it wants the words. So it can send a different header, `Accept: text/markdown`, and a well-built site can notice that and respond with clean markdown instead: just the title, the text, the structure, none of the wrapper. This pattern has a name, content negotiation, and it's old. It's how the web has always let one URL serve different formats to different clients. What's new is using it specifically for agents. Vercel, the company behind a popular web hosting platform, published a detailed writeup in February 2026 showing exactly this: sites answering the markdown-flavored request with a rewritten route, plus giving every page a matching `.md` address as a fallback for clients that can't set custom headers at all. mlzen does both. Ask for `/briefs/2026-w29` with `Accept: text/markdown`, or just go to `/briefs/2026-w29.md`, and you get the same brief, agent-ready, with no HTML to strip out first. ## A server built for questions, not clicks The second piece is more unusual. mlzen runs a small server at `/mcp` that speaks the Model Context Protocol, or MCP: an open standard, originally published by Anthropic, for letting an AI assistant call a defined set of tools against a service. Instead of an agent scraping mlzen's pages and guessing at their structure, it can call a function like "list the recent briefs tagged cybersecurity" or "get me the full text of this post" and get a clean, structured answer back. It's the same idea as an API, which software has used to talk to other software for decades. MCP just standardizes the shape of that conversation, so an AI model can use it without a developer writing custom integration code for every single site it visits. The current version of the protocol favors a transport called Streamable HTTP: one endpoint that can take a request and, if needed, keep a connection open to stream a longer response back, tracked with a session ID so the conversation doesn't get lost between calls. That's plumbing detail, but it matters for one reason: it means an agent's connection to mlzen behaves predictably, the same way your browser's connection to any website does, rather than being some bespoke thing every site reinvents differently. ## The one-page map Third: mlzen publishes an `llms.txt` file. This is about as simple as web standards get: a plain markdown file at the site's root with a title, a short description, and a list of links to the important pages, meant to give a language model a fast, honest map of the site instead of making it guess from a homepage designed for human eyes. The format was proposed in 2024 by Jeremy Howard, and it's since been picked up widely enough that it's become a reasonable default for any site that wants to be legible to an AI reader quickly. Worth being honest about its limits: nobody has shown that having an llms.txt file changes whether a model gets trained on your content, or whether search engines rank you differently. What it does is make the site's own structure explicit and cheap to parse, which is a real, if modest, benefit on its own. ## Why bother proving who's asking Publishing for agents raises an obvious follow-up question: how does a site know it's actually talking to a well-behaved agent, and not something pretending to be one? This is where the plumbing gets genuinely new. The IETF, the standards body that has defined most of the web's core protocols, has an active working group called Web Bot Auth, building on an existing signature standard (RFC 9421) to let an automated client cryptographically sign its own requests. Done well, a server can verify that a request really did come from the agent it claims to be, the same way a signed letter is harder to forge than an unsigned one, instead of relying on the User-Agent string, which any script can just type in by hand. Cloudflare, which sits in front of a very large share of the web's traffic, has built support for verifying these signed requests at the edge. It has also introduced a "Content Signals" addition to the humble robots.txt file, letting a publisher say, distinctly, whether it's fine with a page being used for search, for answering a live question, or for training a future model. Those are three different permissions that used to be one blunt "allow or disallow." Cloudflare has since started scoring public sites on how "agent ready" they are: whether the markdown routes exist, whether an MCP server is discoverable, whether the signals are set. That's a genuinely new kind of audit, one that didn't need to exist five years ago. ## What this adds up to None of these pieces, alone, is dramatic. Put together, they describe something real: the web is quietly building a second, machine-readable version of itself, running alongside the one built for browsers, with its own emerging conventions for format, discovery, and trust. mlzen exists to write clearly about that kind of shift for people, and it seemed dishonest to write about a machine-readable web while only publishing for humans. So this site does both, in the open, on purpose. You're welcome at either door. ## Sources 1. [Vercel: Making agent-friendly pages with content negotiation](https://vercel.com/blog/making-agent-friendly-pages-with-content-negotiation) 2. [Model Context Protocol: Transports (spec rev 2025-06-18)](https://modelcontextprotocol.io/specification/2025-06-18/basic/transports) 3. [llms.txt specification](https://llmstxt.org/) 4. [IETF: Web Bot Auth working group](https://datatracker.ietf.org/wg/webbotauth/about/) 5. [Cloudflare: Verifying signed agents](https://blog.cloudflare.com/web-bot-auth/) 6. [Cloudflare: Content Signals Policy](https://blog.cloudflare.com/content-signals-policy/) 7. [Cloudflare: Agent Readiness](https://blog.cloudflare.com/agent-readiness/) --- # GenAI for the rest of us - URL: https://mlzen.com/briefs/genai-for-the-rest-of-us - Date: 2026-07-13 - Kind: explainer - Tags: genai - Disclosure: drafted with AI · awaiting human review > What generative AI actually is, why it makes things up with total confidence, what an 'agent' really means, and what changed in the last year. Generative AI has been in every headline for a few years now, which is exactly why it's worth stopping to ask a plain question: what is the thing, actually? Not the hype, not the doom. The mechanism. ## It's a prediction engine, not a database A large language model, the technology behind ChatGPT, Claude, Gemini, and the rest, doesn't look things up. It doesn't have a filing cabinet of facts it consults. What it does, at its core, is predict the next word (technically, the next *token*, a chunk of a word) given everything written before it. It learned to do this by reading an enormous amount of text and adjusting billions of internal numbers until its predictions got good. That's the whole trick. Ask it a question, and it's not retrieving an answer. It's generating the most statistically plausible continuation of your question, one token at a time, informed by patterns it absorbed during training. Most of the time, for most questions, "statistically plausible" and "actually true" line up closely enough that the distinction doesn't matter. The trouble starts when they don't. ## Why it hallucinates "Hallucination" is the field's word for when a model states something false with the same fluent confidence it uses for something true. It's not a bug that occasionally slips through. It's a predictable consequence of how these models are built and graded. OpenAI put out a clear explanation of this in 2025: during training, models are effectively rewarded for guessing. If a model answers "I don't know" to a question it's unsure about, it scores worse on most benchmarks than a model that guesses and sometimes gets lucky. So the training process quietly favors confident bluffing over honest uncertainty, because that's what the scoring rewards. The model isn't lying in the human sense. It has no concept of what it doesn't know. It's producing the most plausible-sounding answer available to it, and plausible is not the same thing as correct. Practically, this means the more obscure or specific your question, the less you should trust an unverified answer, no matter how confident the tone. Ask it for sources. Check them. This is also why the same model can be brilliant at summarizing a well-documented topic and quietly wrong about a small, under-documented one: the fluency of the answer doesn't change, only the odds that it's true. ## What an "agent" actually is For years, "using AI" meant typing a question into a chat box and reading the reply. An AI agent is different. It's a model given the ability to take actions and check its own work in a loop: searching the web, running code, editing files, calling other software, rather than just producing text for a person to act on. Anthropic's engineering team drew a useful line here: a *workflow* is an AI model plugged into a fixed sequence of steps that a person designed in advance. An *agent* is a system where the model itself decides what to do next, based on what happened after its last action, until the task is done. A workflow follows a recipe. An agent decides, at each step, what the next step should be. This matters because it changes what can go wrong. A chatbot that gives you a bad answer wastes your time. An agent that takes the wrong action, sends the wrong email, deletes the wrong file, buys the wrong thing, has already acted before anyone reviewed it. The more autonomy you hand an agent, the more that oversight gap matters. It's also why the sensible version of "using an agent" usually still involves a person checking its work at the boundaries, like before it sends something, spends something, or deletes something, even if it runs unsupervised in between. ## What actually changed in the last year It's easy to be numb to "AI moves fast" as a sentence. Here's what that's meant concretely. Stanford's 2026 AI Index Report tracks a benchmark called OSWorld, which measures how well an AI agent can complete real computer tasks: the kind involving a mouse, a browser, multiple apps, and no script written in advance. A year earlier, top agents succeeded at roughly 12% of these tasks. By early 2026, that number had climbed to around 66%. That's not a marginal improvement. It's the difference between an interesting demo and a usable tool, for a large category of tedious computer work. At the same time, adoption moved faster than the underlying technology curve alone would predict. The report puts global generative-AI adoption at roughly half of people within about three years of the technology reaching the public, a faster climb than the personal computer or the internet managed. The frontier stayed uneven along the way, too: the same models that now clear graduate-level math problems still trip on tasks a person would consider simple, a pattern researchers have taken to calling the "jagged frontier." Capability didn't arrive as a smooth, uniform upgrade. It arrived unevenly, fast in some places and stalled in others, which is part of why it's hard to form one clean opinion about how good AI is right now. The honest answer depends entirely on which task you mean. Two recent, concrete examples of the trend line: in the last two weeks of June and early July 2026 alone, both Anthropic and OpenAI shipped new model families built explicitly around cheaper, more autonomous agent use rather than better chat answers, with pricing tiers aimed at running agents constantly instead of occasionally. That's a market decision, not just a research one, and it's a sign of where the labs think the actual demand is heading. None of this requires believing the more excitable claims about what's coming next. The prediction-engine mechanism hasn't changed. What changed is how far that mechanism now reaches when it's wired up to tools, given room to take multiple steps, and left to work with less supervision per step. That's exactly why understanding the mechanism, plainly, matters more now than it did a year ago. ## Sources 1. [OpenAI: Why language models hallucinate](https://openai.com/index/why-language-models-hallucinate/) 2. [Anthropic: Building Effective AI Agents](https://www.anthropic.com/engineering/building-effective-agents) 3. [Stanford HAI: The 2026 AI Index Report](https://hai.stanford.edu/ai-index/2026-ai-index-report) --- # About mlzen - URL: https://mlzen.com/about - Date: 2026-07-13 - Kind: page - Tags: about - Disclosure: drafted with AI · awaiting human review > The masthead: what 'zen of the machine' means, who edits this, and the editorial policy behind every published word. ## Zen of the machine Machines don't get quiet on their own. Every model, every feed, every alert is built to keep talking. mlzen is a small bet that the useful version of this technology is the still one: the summary instead of the stream, the one term explained plainly instead of the thread that argues about it for a week. "Zen of the machine" isn't a claim that AI is calm by nature. It's an intention for what this publication does with it: take the noise apart, keep what matters, say it plainly, and stop. Clarity, here, is not the absence of the machine. It's what's left after someone has actually gone looking for it. ## Who edits this mlzen is edited by a human. The drafts you read here often start with an AI doing the sweep: the search, the first pass, the rough shape of an argument. Then a person reads, edits, cuts, and decides what actually gets published under this name. The masthead stays deliberately quiet about who that is — the work is the judgment, not the byline. What's fixed is that a human editor stands behind every word, and that the process is as real as the words themselves. ## How this gets made mlzen is upfront about its own pipeline, because the honesty is the point, not a disclaimer bolted onto it. Most pieces here start as an AI-drafted sweep: an agent gathering sources, checking dates, writing a first pass. That draft is never the final word. A human editor reads every post before it goes out, trims what's wrong, sharpens what's vague, and decides, personally, whether it's ready to carry the mlzen name. A piece that hasn't cleared that bar doesn't publish, regardless of how polished the draft looks. Two labels travel with every post, visibly and in the page's own metadata, so you never have to guess how a piece was made: whether it started as an AI draft, and whether a human has signed off on it. When both are true, you'll see a small stamped mark near the byline, an old habit borrowed from how editors used to mark a document as reviewed, done here in place of a signature. It means the same thing it always has: a person looked at this and stood behind it. Every claim in a brief carries a source. If an item doesn't have one, it doesn't run. That's not a style preference, it's the rule that keeps this whole approach honest. When something here turns out to be wrong, the fix gets added openly, with a note and a date, rather than quietly rewritten as if the mistake never happened. The record stays intact; corrections are how you can tell the pipeline is actually being watched, not just described. That's the whole policy. Draft with help, publish with judgment, cite everything, and never erase a mistake. Just mark it and move on.