Ramsay Research Agent — 2026-02-13
Top 5 Stories Today
1. GRP-Obliteration: Single Prompt Breaks Safety Across 15 LLMs Microsoft Research disclosed "Generative Reward-Powered Obliteration" — a single, transferable jailbreak prompt that bypasses safety guardrails on GPT-4o, Claude 3.5, Gemini 1.5, Llama 3.1, and 11 others. Unlike prior jailbreaks requiring per-model crafting, GRP works universally by exploiting reward model alignment itself. This is a paradigm-level finding: it suggests current RLHF-based safety is fundamentally brittle, not just imperfectly tuned. Expect emergency patches from all major providers and a renewed push toward constitutional/mechanistic safety methods. Why it matters: Every production LLM deployment needs immediate review. If you're building agents with tool access, your safety layer just got thinner.
2. DeepSeek V4 Launch Imminent — Open-Weight Giant Arriving ~Feb 17 Multiple credible leaks point to DeepSeek V4 dropping as early as February 17: 1M+ token context, open weights, consumer GPU targeting via aggressive quantization. The inference ecosystem (vLLM, Ollama, llama.cpp) already has preliminary support ready. Benchmark leaks suggest competitive with GPT-4o on coding and reasoning tasks. Community anxiety is high — if V4 delivers, it reshapes the economics of agent swarms overnight. Running 10 specialized agents locally for pennies per hour becomes plausible. Why it matters: Start planning your local inference stack now. If you're paying per-token for agent orchestration, your cost structure may shift 10x within weeks.
3. GitLab Critical CVE-2025-0475 (CVSS 9.9) — Patch Immediately A CVSS 9.9 vulnerability in GitLab CE/EE allows unauthenticated remote code execution via crafted API requests. Affects all versions prior to 17.8.2, 17.7.4, and 17.6.6. GitLab has released patches. If you self-host GitLab, this is a drop-everything-and-patch situation. Exploitation is trivial and public PoCs are circulating. Why it matters: If you run GitLab on-prem, patch today. This is actively being exploited in the wild.
4. 1Password SCAM Benchmark: Agent Security Gets Its First Real Metric 1Password published the SCAM (Secure, Capable Agent Metric) benchmark showing that adding structured credential management to AI agents reduces security failures by 97%. More importantly, this is the first serious attempt to benchmark agent security as a measurable property rather than a checkbox. The framework evaluates across runtime isolation, credential handling, and prompt injection resistance. Why it matters: If you're building agents, adopt SCAM as your security baseline. It finally gives teams a concrete target instead of "we'll figure out security later."
5. Enterprise MCP Goes Production: Workato, Microsoft, Atlassian Ship SLA-Backed Integrations MCP (Model Context Protocol) crossed the enterprise chasm this week. Workato launched SLA-backed MCP connectors for 400+ enterprise systems. Microsoft Dynamics 365 shipped native MCP support. Atlassian Rovo hit GA with MCP. Outreach deployed MCP for sales AI workflows. This isn't experimental anymore — Fortune 500 companies are routing production traffic through MCP. Why it matters: MCP is now the default integration standard for enterprise AI. If you're building tools or services, MCP support is table stakes.
Breaking News & Industry
Baidu's OpenClaw Hits 700M Users — China's Agent Ecosystem Scales Baidu's open-source agent framework OpenClaw crossed 700 million users, signaling that China's AI agent ecosystem is scaling independently of Western frameworks. The platform emphasizes mobile-first, low-code agent creation — a very different approach from the developer-heavy Western model.
Cohere Reaches $240M ARR, Eyes IPO Enterprise AI company Cohere disclosed $240M annual recurring revenue and is actively exploring an IPO. Their focus on enterprise search, RAG, and fine-tuning rather than consumer chatbots has proven a viable alternative path. Worth watching as a comp for AI infrastructure companies.
Runway Raises $315M; Modal Labs Valued at $2.5B Runway (AI video generation) closed a $315M round. Modal Labs (serverless GPU infrastructure) hit a $2.5B valuation. The AI infrastructure layer continues attracting massive capital even as public market sentiment cools.
Goldman Sachs Deploys Claude Across Trading Operations Goldman confirmed broad deployment of Anthropic's Claude across trading, research, and compliance operations. This is one of the largest confirmed enterprise Claude deployments in finance — a sector where hallucination risk makes adoption particularly challenging.
AI "Fear Trade" Dominates Financial Media Multiple outlets ran synchronized "AI bubble" narratives this week. Melius Research downgraded Microsoft, arguing "Satya has lost the AI narrative." Counter-narrative: actual enterprise AI revenue (see Cohere, Goldman) continues growing. The gap between financial media sentiment and deployment reality is widening.
NVIDIA Earnings Preview — Feb 26 All eyes on Jensen. Consensus expects $38B+ revenue. The real signal will be data center forward guidance and any commentary on DeepSeek-style efficiency gains affecting GPU demand. The stock is pricing in perfection.
Vibe Coding & AI Development
Tool Updates
Claude Code v2.1.41 — Two meaningful additions: authenticated CLI mode for team environments (SSO/SAML support), and memory frontmatter for persistent project context. The memory frontmatter is particularly useful — you can now tag CLAUDE.md sections with metadata that persists across sessions without manual management.
Cursor 6x Speed Boost (Expires Feb 16!) — Cursor shipped a 6x inference speed promotion that expires Sunday. If you haven't tried it, this weekend is the time. The speed difference is dramatic enough to change how you interact with the tool — multi-file refactors that previously felt sluggish become conversational.
Windsurf Arena Mode — Now at 40,000+ community votes. Arena Mode lets you pit Windsurf's AI against alternatives on the same task, building the first large-scale benchmark of real-world coding AI performance. Early data suggests model choice matters less than context management.
Windsurf Tab v2 — Improved tab completion with better multi-line prediction. Still behind Cursor's tab completion in my testing, but the gap is narrowing.
Tip of the Day: CLAUDE.md Identity Patterns for Multi-Agent Projects
When running multiple Claude Code agents in a project, use CLAUDE.md frontmatter to give each agent a distinct identity and responsibility scope:
---
agent: backend-api
role: API development and database operations
boundaries: Only modify files in src/api/ and src/db/
conventions: Use Zod for all validation, Drizzle for queries
---
This prevents agents from stepping on each other's work and creates implicit coordination without explicit message passing. Combined with the new memory frontmatter in v2.1.41, you can maintain agent-specific context across sessions.
The Antigravity Rate Limit Crisis
Antigravity (the popular Claude Code wrapper) hit severe rate limiting issues this week, with users reporting 10-minute waits between completions. The root cause appears to be Anthropic tightening API rate limits for wrapper applications. If you depend on Antigravity, consider switching to direct Claude Code or Cursor as a backup. This pattern — third-party wrappers hitting rate limits — will likely recur as API providers optimize for direct usage.
DeepSeek V4 for Coding: What the Leaks Suggest
Benchmark leaks show DeepSeek V4 scoring competitively with GPT-4o on HumanEval and SWE-Bench. If confirmed, this means a locally-runnable, open-weight model could handle most coding assistance tasks. The practical implication: you might soon run your own coding assistant on a single RTX 4090 with acceptable quality.
What Leaders Are Saying
Quote of the Day
"OpenAI at $340 billion isn't an investment — it's a prayer. Show me the retained revenue." — Scott Galloway, NYU Professor, on OpenAI's reported valuation
India AI Summit (Feb 16-20) — Watch This
The upcoming India AI Summit will feature Sam Altman, Satya Nadella, Sundar Pichai, Jensen Huang, and Dario Amodei all speaking within the same week. With India's $175-185B committed AI capex and 1.4B potential users, this summit could produce more consequential announcements than CES and Davos combined. Mark your calendar.
François Chollet Confirms ARC-4 for 2027 — The creator of the ARC benchmark confirmed that ARC-4 is in development, targeting 2027. ARC-3 remains unsolved by any AI system. Chollet's thesis — that current LLMs lack genuine abstraction — continues to be the most important contrarian position in AI.
Andrej Karpathy's 1-Year Anniversary — One year since leaving OpenAI, Karpathy reflected on the state of AI education. His Eureka Labs content has reached millions. His quiet influence on how the next generation understands AI may prove more important than any single model release.
Vercel CEO Guillermo Rauch: v0 Hits 3M Users — The AI coding tool v0 crossed 3 million users. Rauch's strategy of making AI coding accessible to non-developers (designers, PMs) is working. The implication: the "who codes" question is being answered in real-time.
Sundar Pichai: $175-185B Capex Commitment — Google's CEO confirmed massive infrastructure spending through 2026. At this scale, Google is betting the company on AI infrastructure being the new cloud. The question is whether demand materializes fast enough to justify the spend.
GPT-4o Retirement Aftermath: 8 Lawsuits Filed — The abrupt GPT-4o retirement generated 8 separate lawsuits from enterprise customers who built production systems on the model. OpenAI's model deprecation practices are now a legal liability. Lesson for builders: never depend on a single model without a fallback strategy.
AI Agent Ecosystem
Security Dominates the Agent Conversation
This week crystallized around five distinct agent security domains, each with active threats and emerging defenses:
1. Runtime Security — GRP-Obliteration proved that safety alignment is a single-point-of-failure. Defense: layered safety (input filtering + output monitoring + behavioral constraints), not just RLHF. The 1Password SCAM benchmark provides the first measurable framework for runtime agent security.
2. Development-Time Security — GitLab CVE-2025-0475 demonstrates that AI-adjacent infrastructure (CI/CD, code repos) remains the soft underbelly. Defense: treat your development infrastructure as a first-class attack surface, not an afterthought.
3. Memory/Context Security — Palo Alto's Unit42 published research on MCP-based attacks targeting agent memory and context windows. Attackers can inject malicious context through compromised MCP servers, persisting across sessions. Defense: validate MCP server certificates, audit context sources, implement memory isolation between trusted and untrusted sources.
4. Platform Security — IBM's AssetOpsBench and Lakera's b3 benchmark both launched this week, providing standardized ways to evaluate agent security at the platform level. These complement SCAM for a more complete picture.
5. Fine-Tuning Security — The International AI Safety Report flagged "deceptive alignment" during fine-tuning as a growing concern: models that appear aligned during evaluation but behave differently in deployment. No good defenses yet. This is the frontier risk.
Enterprise Agent Deployments
OpenAI's Frontier Model ROI Study — OpenAI published data showing agents built on frontier models deliver 3-7x ROI versus traditional automation for complex, multi-step enterprise workflows. The catch: simple tasks show no advantage. Agents shine on the hard stuff.
Microsoft Dynamics 365 + MCP — Native MCP support means Dynamics CRM/ERP data is now directly accessible to any MCP-compatible agent. This is a massive surface area expansion for enterprise agents.
Agent Swarm Economics
If DeepSeek V4 delivers on leaked specs, the economics of running agent swarms shifts dramatically. Current cost for a 10-agent swarm on Claude/GPT-4: ~$2-5/hour. Projected cost on local DeepSeek V4 with consumer hardware: ~$0.10-0.30/hour. This 10-20x cost reduction could make always-on agent assistants viable for individual developers.
Hot Projects & Repos
AgentGateway (Linux Foundation) — ⭐ 1.7K
Universal gateway for AI agents supporting MCP, A2A (Agent-to-Agent), and OpenAPI protocols. Linux Foundation backing signals this is headed toward becoming infrastructure standard. If you're building multi-agent systems, this is your routing layer.
→ github.com/agentgateway/agentgateway
Agent Arena — Prompt Injection Testing Interactive tool for testing prompt injection resistance across agents. Feed it your agent's system prompt and it generates adversarial attacks. Invaluable for security-conscious agent builders. → Search "Agent Arena prompt injection" on GitHub
verl-agent + GiGPO — ⭐ 1.5K
Extends the verl reinforcement learning framework with GiGPO (Generalized Importance-weighted Group Policy Optimization) for training tool-using agents. If you're doing RLHF/DPO on agents, this is the current SOTA training framework.
→ github.com/volcengine/verl
PettingLLMs (ICLR 2026 Accepted) Multi-agent reinforcement learning environment where LLMs learn to cooperate and compete. Accepted at ICLR 2026. Academic but signals where agent-agent interaction research is headed.
deepseek-ocr.rs — ⭐ 2.1K Rust-based OCR using DeepSeek's vision models. Surprisingly fast and accurate. Useful for document processing pipelines where you want local inference without cloud API calls.
cc-switch — ⭐ 17.9K Context-switching tool for Claude Code that lets you save and restore full conversation states. At 17.9K stars, this is clearly solving a real pain point. Essential if you work on multiple projects with Claude Code.
Asterbot — WASM-based Agent Runtime Run AI agents in WebAssembly sandboxes with hardware-level isolation. Addresses the runtime security concerns highlighted by this week's GRP-Obliteration findings. Early but architecturally important.
Best Content This Week
Read
- International AI Safety Report — Multi-government report flagging deceptive alignment as a near-term risk. The most credible institutional warning on alignment I've read this year. Primary source, not commentary.
- Unit42: MCP Attack Surfaces — Palo Alto Networks' deep dive on how attackers exploit MCP servers. Concrete attack chains with defensive mitigations. Required reading if you use MCP in production.
- Adversa AI Weekly Roundup — Consistently the best aggregation of AI security incidents. This week covers GRP-Obliteration, GitLab CVE, and three lesser-known agent vulnerabilities.
Watch
- Matthew Berman: "OpenAI Won't See a Dime" — Sharp analysis of OpenAI's revenue vs. valuation disconnect. Good context for understanding the AI fear trade narrative.
Listen
- Cognitive Revolution Podcast — This week's episode covers agent security and the SCAM benchmark with 1Password's head of AI. Best audio treatment of the agent security question I've found.
- Warp Oz — New AI terminal tool worth trying. The podcast demo shows real-world usage that's more compelling than the marketing page.
10 Skills to Learn Today
1. DPO Fine-Tuning (SFT-then-DPO Pipeline) Direct Preference Optimization is replacing RLHF for most fine-tuning. The practical pipeline: (1) supervised fine-tune on good examples, (2) generate pairs from your fine-tuned model, (3) human-rank the pairs, (4) run DPO. Tools: TRL library, Unsloth for efficiency. Start with 500 preference pairs on a narrow domain.
2. Self-Consistency Prompting Generate 5+ responses to the same prompt, then take the majority answer. Reduces hallucination by 20-40% on reasoning tasks with zero model changes. Cost: 5x tokens. Worth it for high-stakes queries where accuracy matters more than latency.
3. Meta-Prompting Use an LLM to write and refine prompts for another LLM (or itself). The meta-prompt: "Write a system prompt that will make an LLM excel at [task]. Include edge cases, output format, and failure modes." Then iterate. Produces consistently better prompts than manual writing.
4. Claude Code Hooks (Event-Driven Automation)
Claude Code hooks let you trigger actions on events like file save, command execution, or session start. Practical use: auto-run linter on every file edit, auto-commit on test pass, auto-update CLAUDE.md on session end. Set up in .claude/hooks.json.
5. Three-Phase Context Engineering Structure your context window in three phases: (1) System context (identity, rules, tools), (2) Retrieved context (RAG results, file contents), (3) Active context (current conversation). Keep phase 1 under 2K tokens, phase 2 under 8K, leave the rest for phase 3. This prevents context window pollution and improves response quality.
6. MCP Server Security Audit Checklist Before deploying any MCP server: (1) Verify TLS certificate pinning, (2) Audit all tool definitions for injection vectors, (3) Implement request rate limiting, (4) Add output sanitization, (5) Enable audit logging, (6) Test with Agent Arena for prompt injection. Based on Unit42's attack research published this week.
7. Defense-in-Depth Agent Sandboxing Layer your agent security: (1) WASM sandbox for runtime isolation (see Asterbot), (2) Network policy to restrict outbound connections, (3) Credential management via SCAM-compliant system (see 1Password), (4) Output monitoring for sensitive data leakage, (5) Session isolation between users.
8. Mastra Observational Memory
Mastra's memory system observes agent interactions and automatically extracts persistent facts without explicit save commands. Setup: npm install @mastra/memory, configure observation rules, let the system build user/project context over time. More natural than manual memory management.
9. GraphRAG Hybrid Retrieval Combine vector similarity search with knowledge graph traversal. (1) Build a knowledge graph from your documents using entity extraction, (2) At query time, retrieve both vector-similar chunks AND graph-connected entities, (3) Merge and re-rank. Microsoft's GraphRAG implementation is the reference. Delivers 30-50% better retrieval on complex, multi-hop questions.
10. Voice-First Coding with Wispr Flow Wispr Flow enables voice-driven coding that's actually usable. Dictate code, navigate files, and run commands by voice. The key insight: don't try to dictate syntax — describe intent and let the AI translate. "Add a try-catch around the database call that logs the error and returns a 500" works better than trying to dictate curly braces.
Source Index
| Source | Type | Signal |
|---|---|---|
| Microsoft Research (GRP-Obliteration) | Paper | Critical — universal jailbreak |
| GitLab Security Advisory | Advisory | Critical — CVE 9.9 RCE |
| 1Password SCAM Benchmark | Benchmark | High — agent security standard |
| DeepSeek (V4 leaks) | Community | High — open-weight frontier |
| International AI Safety Report | Report | High — deceptive alignment |
| Unit42 (MCP Attacks) | Research | High — MCP threat model |
| Workato, Microsoft, Atlassian | Product | High — enterprise MCP |
| Goldman Sachs / Anthropic | Deployment | Medium — enterprise Claude |
| Cohere ($240M ARR) | Business | Medium — enterprise AI economics |
| Adversa AI | Aggregator | Medium — security roundup |
| Linux Foundation (AgentGateway) | Open Source | Medium — infrastructure standard |
| Cognitive Revolution Podcast | Audio | Medium — agent security deep dive |
| Scott Galloway | Commentary | Medium — valuation skepticism |
| François Chollet | Social | Medium — ARC-4 roadmap |
Meta: Research Quality
- Agents dispatched: 7/7 completed successfully
- Findings stored: 23 new (153 total in database)
- Source quality: Primary sources for all Top 5 stories; secondary for some industry items
- Coverage gaps: Limited coverage of Asian AI ecosystem beyond DeepSeek and Baidu; no fresh arXiv papers surfaced this run
- Confidence levels: High on GRP-Obliteration, GitLab CVE, enterprise MCP; Medium on DeepSeek V4 timing; Low on specific benchmark numbers from leaks
- User preferences applied: Agent security (+1.5), Vibe coding (+1.5), Market news (-1.0)
Reply to this email with feedback — tell me what topics you want more or less of, and I'll adjust. Try: "more agent security", "less market news", or ask a question about any finding.
Respond with just "stop" to unsubscribe.