AI Security
Transitive Depth: Griffin AI vs Mythos
Most scanners stop at five or six levels of transitive depth. Real production graphs run sixty levels deep, and the most interesting vulnerabilities live in the long tail.
Mar 10, 20265 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Most scanners stop at five or six levels of transitive depth. Real production graphs run sixty levels deep, and the most interesting vulnerabilities live in the long tail.
Training data is a supply chain component. Knowing what went into a model is the precondition for knowing what could come out of it. Few tools track this; the few that do matter disproportionately.
CVSS alone is a bad prioritisation signal in 2026. Reachability plus EPSS gives teams a defensible order to fix the vulnerabilities that actually matter.
Token spend per scan is the wrong metric. Cost per actionable finding is the right one — and it's where engine-plus-LLM economics dominate pure-LLM economics.
Dependency confusion is older than most of the AI tooling trying to detect it. The attacks have adapted to the defences — detection needs to keep up.
Poolside's on-prem code AI is a credible enterprise offering. For security-specific workflows, Griffin AI's grounding architecture targets different ground.
Scanning bursts when a monorepo merges. We explain why Griffin AI absorbs the spike gracefully while Mythos-class tools degrade into rate-limit queues.
Frontier models pass eval benchmarks that open-weight models miss by specific measurable margins. For security workflows, the gap matters.
Claude's prompt caching gives you 90% discount on cached tokens. Security workloads have massive cacheable surface area. Griffin AI takes advantage; direct API use often does not.
Weekly insights on software supply chain security, delivered to your inbox.