We're Building the Thing Mike Frantzen Is Asking For

He wrote the business case. Here's the engineering.

R. Demetri Vallejos

~5 min read · April 13, 2026 (Updated: April 13, 2026) · Free: Yes

Last week Mike Frantzen published a piece called "Project Glasswing: Secure the Complement, or Lose the Platform." If you haven't read it, stop here and go read it. I'll wait.

Frantzen co-wrote the OpenBSD firewall. He built ISIC, the fuzzer that was supposed to find the exact class of bug Anthropic's Mythos just found. 27 years after he pointed it directly at that code. His argument: Mythos-class models have moved a massive inventory of latent vulnerabilities from below the threshold of notice to above it. This isn't a patching problem. It's a balance-sheet event. And the only way out for platforms is to secure the complements they previously commoditized and charge for the securing.

He's right. And he's describing the commercial logic for something we're building right now.

The gap he identified

Frantzen names three tiers of exposure: app stores that need end-to-end attestation, cloud providers that need verified workload identity, and silicon vendors that need attested boot on shipped hardware. His prescription is "attested-boot-as-a-service" and recurring security SLAs. Basically, converting one-time hardware sales into trust annuities.

What he doesn't name is the protocol layer. Who carries the attestation? What format does the identity take? How does a device prove it is what it claims to be, running what it claims to be running, to a verifier that might be three network hops away in a degraded environment? How does any of this survive the transition to post-quantum cryptography that CNSA 2.0 mandates by January 2027?

These are not abstract questions. These are engineering problems with specific answers. We're writing those answers now.

What we're building

Aethyr Research is building an AIOS; true to the concept, a sovereign agent operating system with a custom wire protocol called AWP. I'll spare the full architecture, but here are the relevant pieces for this conversation:

Post-quantum identity at the transport layer. Every entity in the network: agent, device, service — carries a cryptographic identity built on ML-KEM-768 for key exchange, ML-DSA-65 for signatures, and BLAKE3 for integrity. Not bolted on at the application layer. Baked into the protocol frame. The identity travels with the message. A node can verify who sent a frame without calling home to a central authority.

Attested boot on commodity hardware. We're running bounded boot on ESP32-S3. A chip that costs less than a cup of coffee. Cold boot to post-quantum encrypted session in 2.1 seconds. The device proves its identity before it speaks. If the boot sequence is tampered with, the device never joins the network. This isn't theoretical. We've benchmarked it. We've filed patents on it.

Formally verified wire protocol. The AWP codec is verified in SPARK/Ada: 691 verification conditions discharged across seven components: codec roundtrip identity, nonce monotonicity, replay detection, crypto state machine sequencing, connection lifecycle, hex decoding, and nonce construction. Full functional correctness, not just absence of runtime errors. The headline proof: decode(encode(frame)) = frame encoding a frame and decoding it back is mathematically proven to be lossless for every field, every flag, every byte. Most defense primes don't hit Gold on their flight control codecs. We're doing it on the communication layer for autonomous agents.

Binary-verified at the object code level. We don't stop at source-level proofs. The compiled 696KB Xtensa firmware was disassembled in Ghidra and independently audited: session key erasure confirmed to use a volatile-pointer wipe that survives all compiler optimization levels. Checksum verification confirmed constant-time: no timing oracle. The HChaCha20 subkey derivation was disassembled instruction by instruction and the rotation amounts verified against RFC 7539. The Ada panic handler was traced to confirm it halts with a forensic backtrace. Why? Because, a node with corrupted state is more dangerous than a node that's offline. Every SPARK function was found in the binary with correct control flow. The string "refusing unencrypted session" confirms there is no plaintext fallback path. This is the difference between "we wrote verified code" and "here is the disassembled binary proving the properties survive the compiler."

Decentralized identity. W3C DIDs and Verifiable Credentials as the identity substrate. No central registry. No certificate authority that becomes a single point of failure or a single point of compromise when Mythos-class models start probing PKI infrastructure. The identity is self-sovereign. The verification is mathematical.

Why this matters now

Frantzen frames Mythos as a regulatory shift: a category of cost being internalized. We'd frame it differently. Mythos is a trust collapse. Every implicit guarantee in the software supply chain, i.e. "this image is clean," "this app was reviewed," "this firmware hasn't been modified," …just became falsifiable at machine speed and trivial cost. Twenty thousand dollars to scan an entire OS codebase. Fifty dollars per vulnerability. Or, Eleven cents per million tokens on a 3.6-billion-parameter model that reproduces the same findings.

The response to a trust collapse is not better patching. It's a new trust infrastructure. One where identity is cryptographic, attestation is continuous, and verification doesn't depend on a human having reviewed the code; Because we now know, courtesy of the man who literally wrote the tools, that human review and automated fuzzing both missed the same bugs for decades.

Frantzen says the companies that move first will set the pricing, the standards, and the audit regime. He's right about that too. But the companies that move first will need something to move on. They need a protocol that carries attestation natively. They need identity that survives quantum computing. They need verification that works offline, in contested environments, on hardware that costs five dollars.

We're not the only people working on pieces of this. But I don't know anyone else building the identity layer, the wire protocol, the edge implementation, and the formal verification under one roof, with patents filed.

The ask

If you're a platform company staring at the Glasswing report and trying to figure out what "secure the complement" actually looks like as an engineering deliverable …talk to us.

If you're in defense or critical infrastructure and you need agent coordination that works in DDIL environments with post-quantum identity and no dependency on centralized PKI …talk to us.

If you're Mike Frantzen, …I'd like to buy you an e-coffee and show you what a formally verified transport layer for autonomous agents looks like on a five-dollar chip. And, have you poke holes in it with Mythos.

R. Demetri Vallejos is CEO & Chief AI Officer of Aethyr Research, a sovereign AI infrastructure company building AethyrAIOS. Prior work includes a public comment to NIST NCCoE on post-quantum agent identity standards.

aethyr.cloud · github.com/aethyrai

https://www.mfrantzen.com/p/project-glasswing-secure-the-complement