Sunday, 10 May 2026

From git clone to llm clone

No Software Is Safe

When Linus Torvalds shipped the first version of Git in 2005, he solved the coordination problem of distributed software development. git clone became the foundational primitive of modern open source — a single command that collapsed the distance between "knowing software exists" and "having the software." Before Git, replication required permission, proximity, and manual effort. After Git, replication became free.

We are at an equivalent inflection point. The primitive is different and the implications are more intense. The new command is not git clone <repo>. It does not require the source code. It does not require a repository. It does not require permission from anyone. It requires only a public interface, a test suite, and a frontier model with a feedback loop.


# The old world
$ git clone https://github.com/vercel/next.js
# Requires: public source · open licence · maintainer permission

# The new world
$ llm clone https://nextjs.org
→ Observing public API surface...
→ Generating test suite from documentation...
→ Running 800 agent sessions against correctness oracle...
→ vinext v0.1 ready. Cost: $1,100. Time: 1 week.

# Source code not required. Licence not required. Permission: irrelevant.

Cloudflare ran this command. Anthropic's own agents ran a version of it on a C compiler and a Linux kernel. A pair of developers ran it in the middle of the night on Anthropic's own flagship product, after Anthropic accidentally left the source in a public S3 bucket. The market watched all of this happen in real time and drew the correct conclusion. Nearly a trillion dollars of software market capitalisation was repriced in six weeks.

This post is about what "no software is safe" actually means for how we think about building and defending technology businesses.

Four Months That Changed Everything

The events are discrete but their meaning is cumulative. Taken individually, each looks like an interesting technical demonstration. Taken together, they constitute proof of a new capability regime — and the market treated them accordingly, selling off nearly a trillion dollars in software equity between January and March 2026.

February 5, 2026
Anthropic: 16 agents build a C compiler

16 Claude Opus 4.6 agents, running in parallel Docker containers on a shared Git repository, produce a 100,000-line Rust-based C compiler capable of compiling Linux 6.9 on x86, ARM, and RISC-V. Cost: $20,000. Time: 2 weeks. No human wrote a line of the compiler. The binding constraint was not model intelligence — it was the test harness and GCC oracle that let the agents self-correct.

~February 2026
Cloudflare: Next.js rebuilt in one engineering week

One Cloudflare engineer, using OpenCode and Opus 4.5, rebuilds Next.js as vinext — a Cloudflare Workers-native runtime. Cost: ~$1,100 in tokens. Time: 1 week. 800 agent sessions. No access to Vercel's source code. The specification was Next.js's own public documentation and observable API surface. They ship a migration skill alongside it, so the clone can clone itself into customer codebases.

February 20, 2026
Anthropic launches Claude Code Security → Cyber stocks crash

Claude Code Security, using Opus 4.6, identifies over 500 vulnerabilities in production open-source codebases — bugs undetected for decades. The market immediately reprices the entire cybersecurity sector. CrowdStrike -8%, Okta -9.2%, Zscaler -5.5%, Cloudflare -8.1%, SailPoint -9.4%. The Global X Cybersecurity ETF closes at its lowest since November 2023.

March 27, 2026
Claude Mythos leaked → Second cyber crash

A draft blog post describing Anthropic's next model, Mythos — described internally as "far ahead of any other AI model in cyber capabilities" — is found in a publicly accessible content management cache. Cyber stocks crash again: CrowdStrike -7%, Palo Alto -6%, Zscaler -4.5%, Okta and SentinelOne -3% each. Analysts: "We read this as having the potential to become the ultimate hacking tool."

March 31, 2026 — 04:23 UTC
Anthropic leaks Claude Code. Developers clone it before dawn.

Claude Code v2.1.88 ships to npm with a 59.8MB source map pointing to a public ZIP on Anthropic's own Cloudflare R2 bucket. 512,000 lines of TypeScript, 1,906 files, exposed. Two developers spend the night using OpenAI's Codex to perform a clean-room Python rewrite — claw-code — and push it before sunrise. It reaches 110,000 stars and 100,000 forks. Likely the fastest-growing GitHub repository in history.
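A pre-publish check for the failure mode described above, as an added example (not code from Anthropic or from the original post). The package contents, file names and URL are constructed; this page does not say how the real map referenced the archive, so the check covers the common ways a map exposes source.

```javascript
// Added example: pre-publish audit for source-map exposure.
// `files` maps each path in the package to its text content.
function auditSourceMaps(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      findings.push({ path, issue: "source map file included in package" });
      let map;
      try {
        map = JSON.parse(text) || {};
      } catch {
        findings.push({ path, issue: "unparseable .map file, inspect manually" });
        continue;
      }
      // sourcesContent embeds the original source text inside the map itself.
      const embedded = Array.isArray(map.sourcesContent) &&
        map.sourcesContent.some((s) => typeof s === "string" && s.length > 0);
      if (embedded) findings.push({ path, issue: "sourcesContent embeds original source" });
      // Remote URLs in sourceRoot/sources reveal where the originals are hosted.
      const refs = [map.sourceRoot, ...(Array.isArray(map.sources) ? map.sources : [])];
      for (const ref of refs) {
        if (typeof ref === "string" && /^https?:\/\//i.test(ref)) {
          findings.push({ path, issue: `remote source reference: ${ref}` });
        }
      }
    } else if (/\.[cm]?js$/.test(path)) {
      // A sourceMappingURL comment links the shipped code to a map.
      const m = text.match(/\/\/[#@]\s*sourceMappingURL=(\S+)/);
      if (m) findings.push({ path, issue: `sourceMappingURL comment -> ${m[1]}` });
    }
  }
  return findings;
}

// Constructed sample package contents (hypothetical names and URL).
const samplePackage = {
  "package.json": '{"name":"example-cli","version":"0.0.0"}',
  "cli.js": 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  "cli.js.map": JSON.stringify({
    version: 3,
    sourceRoot: "https://storage.example.invalid/src.zip",
    sources: ["src/main.ts"],
    sourcesContent: ["export const answer = 42;"],
    mappings: "AAAA",
  }),
  "lib/util.js": "module.exports = {};\n",
};

for (const f of auditSourceMaps(samplePackage)) console.log(`${f.path}: ${f.issue}`);
```

In a release pipeline, feed it the files listed by `npm pack --dry-run` and fail the job when the result is non-empty.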

Wall Street Understood Before the Engineers Did

Mr Market is crazy and emotional: reactive and frequently wrong about timing. But it is extremely sensitive to structural shifts in the economics of entire industries. The software sell-off that began in January 2026 and accelerated through February and March was not panic. It was the correct pricing of a structural shift that the industry had been talking about for years but that the market had not yet fully priced in.

The trigger was not a single event. It was a sequence, each one confirming the same thesis from a different angle. First came Claude Cowork on January 12 — an agent platform that replaced entire categories of knowledge work software. The S&P 500 Software and Services Index began a sustained decline that wiped roughly a trillion dollars in market value in its first six weeks.



If an AI can autonomously perform legal document review, contract compliance, and financial analysis, the per-seat subscription fees that LegalZoom and Thomson Reuters charge are no longer defensible. If an AI can rebuild Next.js in a week for $1,100, the switching cost moat that Vercel built over a decade is no longer defensible.


The "AI won't replace SaaS" camp is not entirely wrong. Enterprise systems of record — the databases, payroll systems, compliance infrastructure — survive not because AI cannot understand them but because they encode institutional trust and regulatory accountability that cannot be repriced in a weekend. But the middle layer of software — the workflow tools, the reporting layers, the task-specific applications whose only moat was "it would take a team six months to build this" — that layer is the one the market is correctly repricing to zero.


How llm clone Actually Works

The metaphor of llm clone as a primitive deserves unpacking, because the power of the primitive comes from understanding exactly what it does and does not require.

git clone requires source code. The repository must be public or you must be authorized. The clone is bit-for-bit identical to the original. You get the implementation, the history, and the architecture as the author intended it.


llm clone requires none of those things. It requires only a *specification of correctness* — which, for almost every piece of successful software, is freely available in the form of public documentation, observable API behaviour, and user-facing functionality. The clone is not bit-for-bit identical. It is *behaviourally equivalent* — it passes the same tests, produces the same outputs, satisfies the same user needs. The implementation is different. The moat is gone.





The three concrete examples each demonstrate a different variant of this primitive. 

The C compiler was a specification clone — the spec was industry-standard C, and GCC was the oracle. 

Vinext was an interface clone — the spec was Next.js's public API documentation and observable routing behaviour. 

Claw-code was a source-assisted clone — they had the leaked TypeScript, but they deliberately did not copy it, using an agent to produce a clean-room Python rewrite that was legally distinct. 

Three different inputs. Same technique. All three produced working software.
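The oracle comparison behind the interface-clone case, as an added example (not code from the original post, Next.js or vinext). The bracket route syntax is simplified, and both matchers and both corpora are constructed; the point it shows is that agreement is established only for the inputs the harness exercises.

```javascript
// Added example: both matchers are constructed stand-ins, not Next.js or vinext code.
// Reference oracle: "[name]" takes one segment, "[...name]" takes one or more.
function referenceMatch(pattern, path) {
  const pat = pattern.split("/").filter(Boolean);
  const segs = path.split("/").filter(Boolean).map(decodeURIComponent);
  const params = {};
  for (let i = 0; i < pat.length; i++) {
    if (i >= segs.length) return null;
    const rest = pat[i].match(/^\[\.\.\.(\w+)\]$/);
    if (rest) return { ...params, [rest[1]]: segs.slice(i) };
    const dyn = pat[i].match(/^\[(\w+)\]$/);
    if (dyn) params[dyn[1]] = segs[i];
    else if (pat[i] !== segs[i]) return null;
  }
  return pat.length === segs.length ? params : null;
}

// Candidate: regex reimplementation that agrees on every documented case.
function candidateMatch(pattern, path) {
  const names = [];
  const source = pattern.replace(/\[(\.\.\.)?(\w+)\]/g, (_, rest, name) => {
    names.push([name, Boolean(rest)]);
    return rest ? "(.+)" : "([^/]+)";
  });
  const m = new RegExp(`^${source}$`).exec(path);
  if (!m) return null;
  const params = {};
  names.forEach(([name, rest], i) => {
    params[name] = rest ? m[i + 1].split("/") : m[i + 1];
  });
  return params;
}

// Differential harness: return the inputs on which oracle and candidate disagree.
function diverging(corpus) {
  return corpus.filter(([pattern, path]) =>
    JSON.stringify(referenceMatch(pattern, path)) !==
    JSON.stringify(candidateMatch(pattern, path)));
}

// Constructed corpora: cases a documentation page shows, then edge cases it omits.
const documented = [["/about", "/about"], ["/blog/[slug]", "/blog/hello"],
  ["/blog/[slug]", "/blog"], ["/docs/[...path]", "/docs/a/b"]];
const edgeCases = [["/blog/[slug]", "/blog/hello/"], ["/blog/[slug]", "/blog/a%20b"],
  ["/docs/[...path]", "/docs/a//b"]];

console.log("documented:", diverging(documented).length);
console.log("edge cases:", diverging(edgeCases).map(([p, u]) => `${p} <- ${u}`));
```

The candidate passes every documented case yet differs on trailing slashes, percent-encoding and empty segments, which is why the quality of the harness, not the model, bounds how equivalent a clone really is.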

The Company That Proved the Theorem, Then Demonstrated It on Itself

There is a particular flavour of irony that only happens in Silicon Valley.

Anthropic spent the first quarter of 2026 methodically proving that LLMs can clone any sufficiently observed software system. They published the C compiler research. Their agents helped build vinext. Their Code Security product crashed the cybersecurity market by demonstrating that proprietary vulnerability detection could be commoditised. 

Then on March 31st, they accidentally demonstrated all of this on their own most valuable product.

Within four hours of the source being public, the community had done something that now stands as the defining event of the year. 

Two developers — two people, ten OpenClaw accounts, one MacBook Pro — fed the leaked architectural patterns into OpenAI's Codex and began a clean-room Python rewrite. 

The entire process was orchestrated end-to-end by an agent workflow. 

They did not copy the TypeScript. They used the architecture as a specification and let the model generate a behaviourally equivalent implementation in a different language. They pushed it before dawn. By end of day it had 110,000 stars.

Anthropic's own CEO had stated that significant portions of Claude Code were written by Claude. If the code was not written by humans, Anthropic's copyright claim over it is legally murky. The torrents of code are seeded. The Python and Rust ports are live.

No Software Is Safe. Here Is What That Actually Means.

The phrase "no software is safe" requires careful unpacking, because it is easy to misread it as hyperbole. It is not. It is a precise technical claim with a specific scope, and understanding that scope is important for thinking clearly about what happens next.

The claim is this: any software whose correctness can be defined by a test suite and whose interface is publicly observable is now within reach of an agent team with a well-designed scaffold. The cost of such a clone is no longer a function of how many engineers the original vendor employed or how many years of institutional knowledge are baked into the codebase. It is a function only of token cost and the quality of the test harness. Both of those are trending to zero.





What the matrix reveals is a harsh reality for most of the software industry. The vast majority of B2B SaaS products sit in the bottom-right quadrant. They have public APIs, documented behaviour, and well-understood correctness criteria — because that is what makes them useful to customers. The same properties that make software legible to users make it clonable by agents.

The products that survive in this regime are not those with the most sophisticated code. They are those whose value is not primarily in the code at all. 

The payroll system that processes $10 billion annually survives not because its code is unclonable but because switching it requires regulatory re-certification, contractual unwinding, and institutional trust built over years of not losing anyone's payslip. 

Databases survive because AI applications need a reliable, governable database underneath the agent layer, and databases have a decade of operational credibility that a weekend clone does not.

The cybersecurity vendor who can demonstrate human accountability for a missed detection survives in a way that an LLM-generated signature database does not.

The Doubling Clock Is Already Running

Everything described above is the current state. The trajectory is what should focus the mind. METR, the Model Evaluation and Threat Research organisation, published research showing that AI autonomous task duration doubles approximately every 196 days — roughly every six months, an AI agent can handle twice the complexity of task it could handle before, for the same duration before requiring human intervention.

The C compiler took 16 agents and two weeks. Vinext took one engineer and one week. Claw-code took two developers and one night. These are not the same task — claw-code had the advantage of an architectural specification in the form of the leaked source. But the cost and time compression is directional: each successive clone in 2026 was faster and cheaper than the last.

If the doubling clock holds, by early 2027 the tasks that took a week in early 2026 will take a day. The tasks that took a month will take a week. The tasks that required 16 agents and $20,000 will require one agent and $200. The frontier of what is clonable will advance steadily rightward and upward on the matrix, eating into the "clonable soon" quadrant and shrinking the region that was ever genuinely safe.

This is not a doomsday claim. Newspapers were not destroyed by the internet — they were structurally weakened, consolidated, and the value migrated to platforms and aggregators. Software will not be destroyed by LLM cloning. The value will migrate. 
