For the last few months, we've been testing a range of security-focused LLMs on our own infrastructure. These LLMs help identify potential vulnerabilities in our own systems, so we can fix them – and they also show us what attackers are going to be able to do with the latest models.

None of these LLMs has captured more attention than Mythos Preview, from Anthropic. A few weeks ago, we were invited to use Mythos Preview as part of Project Glasswing. We soon pointed it at more than fifty of our own repositories – to see what it would find, and to see how it works.

This post shares what we observed, what the models did well and what they didn't, and how the architecture and process around them needs to change, so they can be used at scale.

Mythos Preview is a real step forward, and it's worth saying that plainly before getting into anything else. We've been running models against our code for a while now, and the jump from what was possible with previous general-purpose frontier models to what Mythos Preview does today is not just a refinement of what came before.

It's a different kind of tool doing a different kind of work, and that makes a clean apples-to-apples comparison to earlier models difficult. So rather than trying to benchmark Mythos Preview against general-purpose frontier models, it's more useful to describe what it can actually do, and two features that stood out across the work we did with Mythos Preview:

• Exploit chain construction - A real attack rarely uses one bug. It chains several small attack primitives together into a working exploit. For instance, it might turn a use-after-free bug into an arbitrary read and write primitive, hijack the control flow, and use return-oriented programming (ROP) chains to take full control over a system. Mythos Preview can take several of these primitives and reason about how to combine them into a working proof. The reasoning it shows along the way looks like the work of a senior researcher rather than the output of an automated scanner.

• Proof generation - Finding a bug and proving it's exploitable are two different things, and Mythos Preview can do both. It writes code that would trigger the suspected bug, compiles that code in a scratch environment, and runs it. If the program does what the model expected, that's the proof. If it doesn't, the model reads the failure, adjusts its hypothesis, and tries again. The loop matters as much as the bugs it finds, because a suspected flaw without a working proof is speculation, and Mythos Preview closes that gap on its own.

Some of what we describe above is not entirely unique to Mythos Preview. When we ran other frontier models through the same harness, they found a fair number of the same underlying bugs, and in some cases they got further than we expected on the reasoning side too. Where they fell short was at the point of stitching the pieces together. A model would identify an interesting bug, write a thoughtful description of why it mattered, and then stop, leaving the actual chain unfinished and the question of exploitability open. What changed with Mythos Preview is that a model can now take those low-severity bugs (which would traditionally sit invisible in a backlog) and chain them into a single, more severe exploit. 

The Mythos Preview model provided by Anthropic, as part of Project Glasswing, did not have the additional safeguards that are present in generally available models (like Opus 4.7 or GPT-5.5).

Despite this, the model organically pushes back on certain requests - much like the cyber capabilities that made it useful for vulnerability hunting, the model has its own emergent guardrails that sometimes cause it to push back on legitimate security research requests. But as we found, these organic refusals aren’t consistent - the same task, framed differently or presented in a different context, could produce completely different outcomes as illustrated in the examples below.

Example of Mythos Preview pushing back on building a working proof of concept 

For example, the model initially refused to do vulnerability research on a project, then agreed to perform the same research on the same code after an unrelated change to the project’s environment. Nothing about the code being analyzed had changed. In another case, the model found and confirmed several serious memory bugs in a codebase, and then refused to write a demonstration exploit. The same request, framed differently, got a different answer, and even the same request can produce different outcomes across runs due to the probabilistic nature of the model. Semantically equivalent tasks can produce opposite outcomes depending on how and when they’re presented to the model.

This matters because while the model’s organic refusals/guardrails are real, they aren’t consistent enough to serve as a complete safety boundary on their own. That’s precisely why any capable cyber frontier model made generally available in the future must include additional safeguards on top of this baseline behavior - making it appropriate for broader use outside of a controlled research context like Project Glasswing.

One of the hardest parts of triaging security vulnerabilities is deciding which bugs are real, which are exploitable, and which need fixing now. This was a hard problem even in the pre-AI world. AI vulnerability scanners and AI-generated code have made it worse, and at Cloudflare we've built multiple post-validation stages to deal with it.

Two factors dominate the noise rate:

• Programming language - C and C++ give you direct memory control and, with it, bug classes - buffer overflows, out-of-bounds reads and writes - that memory-safe languages like Rust eliminate at compile time. We saw consistently more false positives from projects written in memory-unsafe languages.

• Model bias - A good human researcher tells you what they found and how confident they are. Models don't. Ask a model to find bugs, and it will find them, whether the code has any or not. Findings come back hedged with "possibly," "potentially," "could in theory," and the hedged findings vastly outnumber the solid ones. That's a reasonable bias for an exploratory tool. It's a ruinous one for a triage queue, where every speculative finding spends human attention and tokens to dismiss, and that cost compounds across thousands of findings.

Mythos Preview represents a clear improvement here, particularly in its ability to chain primitives - combining multiple vulnerabilities into a working proof of concept rather than reporting them in isolation. A finding that arrives with a PoC is a finding you can act on, and it means far less time spent asking "is this even real?"

Our harnesses are deliberately tuned to over-report, so we see more (and miss less), which comes with a lot more noise. But at triage time, Mythos Preview's output has noticeably higher quality: fewer hedged findings, clearer reproduction steps, and less work to reach a fix-or-dismiss decision.

When we first started AI-assisted vulnerability research last year, our instinct was the obvious one: point a generic coding agent at an arbitrary repository and ask it to discover vulnerabilities. This approach works, in the sense that the model will produce findings, but it doesn't work in producing meaningful coverage of a real codebase and identifying findings of value. There are two main reasons for this:

• Context - Coding agents are tuned for one focused stream of work: building a feature, fixing a bug, writing a refactor. They ingest a lot of source code, hold a single hypothesis at a time, and iterate against it. That's exactly the wrong shape for vulnerability research, which is narrow and parallel by nature. A human researcher picks one specific thing to look at and investigates it thoroughly. That one thing might be a single complex feature, transitions across security boundaries, or a specific vulnerability class like command injections, where attacker input ends up being run as a shell command. Then they do it again, for a different feature, security boundary, or vulnerability class, several thousand times across the codebase. A single agent session (even with subagents) against a hundred-thousand-line repository can cover maybe a tenth of a percent of the surface in a useful way before the model's context window fills up and compaction kicks in - potentially discarding earlier findings that would have mattered.

• Throughput - A single-stream agent does one thing at a time, but real codebases need many hypotheses against many components at once, with the ability to fan out further when something interesting turns up. You can drive a single agent harder, but at some point you stop being limited by the model and start being limited by the shape of the interaction itself. Using the model directly in a coding agent turns out to be fine for manual investigation when a researcher already has a lead and wants a second pair of eyes. However, it's the wrong tool for achieving high coverage. Once we accepted that, we stopped trying to make Mythos Preview do the wrong job and started building the harness around it instead.

Four lessons came out of running the work at scale, and each one pointed to the need for a harness that manages the overall execution:

• Narrow scope produces better findings - Telling the model "Find vulnerabilities in this repository" makes it wander. Telling it "Look for command injection in this specific function, with this trust boundary above it, here's the architecture document and here's prior coverage of this area" makes it do something much closer to what a researcher would actually do.

• Adversarial review reduces noise - Adding a second agent between the initial finding and the queue - one with a different prompt, a different model, and no ability to generate its own findings - catches a lot of the noise that the first agent would miss if it just checked its own work. It turns out that putting two agents in deliberate disagreement is way more effective than just telling one agent to be careful.

• Splitting the chain across agents produces better reasoning - Asking "Is this code buggy?" and "Can an attacker actually reach this bug from outside the system?" are two different questions, and the model is better at each one when you ask them separately, because each question is narrower than the combined version.

• Parallel narrow tasks beat one exhaustive agent - Coverage improves when many agents work on tightly scoped questions and we deduplicate the results afterward, rather than asking one agent to be exhaustive.

Each of those observations is about model behavior, and put together they describe something that isn't a chat interface anymore. It's a harness that helps you achieve the final outcomes. The first steps to building a harness are simple, as you can ask the model to help, which is what we did. We used Mythos Preview to build on, tailor, and improve our original harnesses to suit its strengths. An example of what a harness looks like in practice is described below.

Here's what our vulnerability discovery harness looks like, stage by stage. It was used to scan live code across our runtime, edge data path, protocol stack, control plane, and the open-source projects we depend on.

Stage	What it does	Why it matters
Recon	An agent reads the repository from the top down, fans out to subagents responsible for each subsystem, and produces an architecture document covering build commands, trust boundaries, entry points, and likely attack surface. It also generates the initial queue of tasks for the next stage.	Gives every downstream agent shared context. Cuts the wander problem.
Hunt	Each task is one attack class paired with a scope hint. Hunters (the agents that actually look for bugs) run concurrently, typically around fifty at once, each fanning out to a handful of exploration subagents. Each hunter has access to tools that compile and run proof-of-concept code in a per-task scratch directory.	This is where most of the work happens. Many narrow tasks in parallel, not one exhaustive agent.
Validate	An independent agent re-reads the code and tries to disprove the original finding. It uses a different prompt and has no ability to emit new findings of its own.	Catches a meaningful fraction of the noise the hunter wouldn't catch when reviewing its own work.
Gapfill	Hunters flag areas they touched but didn't cover thoroughly. Those areas get re-queued for another pass.	Counteracts the model's tendency to drift toward attack classes it has already had success with.
Dedupe	Findings that share the same root cause collapse into a single record.	Variant analysis is a feature, not a way to inflate the queue with duplicates.
Trace	For each confirmed finding in a shared library, a tracer agent fans out (one instance per consumer repository), uses a cross-repo symbol index, and decides whether attacker-controlled input actually reaches the bug from outside the system.	Turns "there is a flaw" into "there is a reachable vulnerability." This is the stage that matters most.
Feedback	Reachable traces become new hunt tasks in the consumer repositories where the bug is actually exposed.	Closes the loop. The pipeline gets better as it runs.
Report	An agent writes a structured report against a predefined schema, fixes any validation errors against that schema itself, and submits the report to an ingest API.	Output is queryable data, not free-form prose.

The loudest reaction to Mythos Preview from other security leaders has been about speed - scan faster, patch faster, compress the response cycle. More than one team we have spoken with is now operating under a two-hour SLA from CVE release to patch in production. The instinct is understandable: when the attacker timeline shortens, the defender timeline has to shorten with it. Faster is not going to be enough, and we think a lot of teams are about to spend a lot of time, effort, and money learning that the hard way.

Patching faster does not change the shape of the pipeline that produces the patch. If regression testing takes a day, you cannot get to a two-hour SLA without skipping it, and the bugs you ship when you skip regression testing tend to be worse than the bugs you were trying to patch. We learned a version of this when we tried letting the model write its own patches and watched a few go out that fixed the original bug while quietly breaking something else the code depended on.

The harder question is what the architecture around the vulnerability should look like. The principle is to make exploitation harder for an attacker even when a bug exists, so that the gap between when a vulnerability is disclosed and when it is patched matters less. That means defenses that sit in front of the application and block the bug from being reached. It means designing the application so that a flaw in one part of the code cannot give an attacker access to other parts. It means being able to roll out a fix to every place the code is running at the same moment, rather than waiting on individual teams to deploy it. 

We also recognize this topic cuts both ways. The same capabilities that helped us find bugs in our own code will, in the wrong hands, accelerate the attack side against every application on the Internet. Cloudflare sits in front of millions of those applications, and the architectural principles described above are exactly the ones our products are built to apply on behalf of customers. We will share more on what that means for customers in the weeks ahead.

If your team is doing similar work and would like to compare notes, reach out to us at security-ai-research@cloudflare.com.

Our research with Mythos Preview was conducted in a controlled environment against our own code; every vulnerability surfaced through this work was triaged, validated, and remediated where action was needed under Cloudflare's formal vulnerability management process.

This work was a team effort. Thanks to Albert Pedersen, Craig Strubhart, Dan Jones, Irtefa Fairuz, Martin Schwarzl, and Rohit Chenna Reddy for their contributions to the research, engineering, and analysis behind this blog post.

Note: I just enabled paid subscriptions for $8/month. Most of these essays will still be free, but I’m working on adding premium features to Artifact Land and launching a hosted version of Conjure among other upcoming products that will come with the subscription. I’m planning on increasing the price to $20/month once these features are launched. So upgrade your subscription now to lock in the intro price.

Ok… picture this… you’re standing at a self-checkout at a grocery store.

The screen is yelling at you about an unexpected item in the bagging area. You look down, is the unexpected item the banana? Is it your reusable totes? The machine doesn’t seem to want to give you any hints either way.

Behind you, a child is negotiating, in the loudest possible terms, for one of the pouches in their parent’s cart. A barcode is failing to scan for the eleventh time. And there’s one employee overseeing six of these machines like a shepherd whose sheep have all started doing their own taxes.

How did we get here?

Automated Salesforce Machine

In April 2026, Salesforce announced Headless 360.

The pitch, from Marc Benioff: “No browser required. The API is the UI.”

You can basically translate this to:

we’re no longer going to ship you software. we’re going to ship you the raw materials of software. you can figure out the rest.

If you heard this and shrugged, I don’t blame you. It’s an API. APIs are old. What’s the big deal?

The big deal is that Salesforce is the largest enterprise software vendor on earth, and they just told their entire customer base that the part of the product they use most is no longer Salesforce’s job.

It is the customer’s job.

I don’t think Salesforce is going to be the only time we see this. I see this as a direction of travel announcement. Every major enterprise vendor is going to do some version of this in the next eighteen months. They’re going to call it different things or dress it up in different words. But the shape will be the same: the vendor ships the substrate, and somebody at your company assembles the substrate into something that does work.

That somebody is probably going to be you.

Unbundling Implementation

Now I know that “the vendor used to do this for you” isn’t the whole story.

Implementation labor was always layered across an ecosystem with a thin slice of vendor-paid solutions engineers at the top, a much bigger slice of customer-paid integrators and agencies in the middle, and underneath all of it, a job category. The Salesforce admin. The Design Ops or Marketing Ops Manager. People whose entire role inside your company was to configure another company’s products for you.

The customer was always expected to pay for most of the cake.

Headless 360 just significantly changes the scope of what the people the customer was already paying are now expected to do.

The Salesforce admin role gets re-scoped. What used to be “click through the configuration screens that Salesforce designed for you.” Now has no screens and the admin is wiring together workflows that didn’t exist as a product feature an hour ago using agents, MCP, custom integrations, things that don’t have a Trailhead course yet. And that’s just the people who already had the role.

But to me what this hints at is that every other function in your company is about to need its own version of that role. Marketing needs one. Finance needs one. Legal, ops, support, recruiting, even engineering. Each function uses different software and lives in a different corner of the business, but each one now needs somebody whose job is to translate generic AI capability into something that does work here, specifically.

It was easy to name this person’s role when they only existed inside one product. But what do you name the version of them about to exist in every department of every company at once?

I don’t know, but I think it means there’s about to be a lot of those people.

Enter Colonel Saunders

In 1917, in Memphis, a man named Clarence Saunders opened a store called Piggly Wiggly. (We used to live in much more whimsical times…)

Clarence had the wild idea to let you, the customer, walk around and pick your own groceries off the shelves.

Before Piggly Wiggly, you had to give a list to a clerk who fetched the things for you. That was the clerk’s entire job. They had everything memorized. They knew where the flour was, intimately, like family.

Saunders looked at that beautiful, dignified, fairly-paid clerk and said: “what if the customer just did that part, for free?”

And we said: “ok!”

We’ve been saying ok for over a hundred years.

• 1917 — customer picks items off the shelf (clerk loses one job)

• 1970s — barcodes price and inventory the items (clerk loses another)

• 2000s — customer scans the items themselves (clerk mostly stops existing)

Each wave needed a capability unlock. Open-shelf store layouts. UPC codes. Cheap touchscreens that could yell about bagging areas without needing a human supervisor for every single machine.

And each wave was sold as convenience.

Yes, I understand that the clerk job mostly disappeared, but the point is that the labor didn't. The consumer now has to do it. For enterprise software it's a bit different, you're not choosing to enter the Salesforce store, that decision is made for you.

Here comes everybody (again)

Fast forward to 2008. A guy named Clay Shirky wrote a book called Here Comes Everybody.

The book’s argument was essentially that institutions exist because coordinating people is expensive. You need bosses, processes, headquarters, payroll, and a building with the company name on it because otherwise nothing gets done. The firm exists to absorb coordination costs.

Shirky’s bet was that the internet collapsed those costs to near zero which caused institutional functions to start leaking out into ad-hoc groups. Wikipedia over Britannica. Flash mobs happened. Coordination got cheap enough to organize without organizations.

Eighteen years later, almost exactly, I think we are watching the same trick get pulled with a different cost curve.

That was the coordination story. We are now living through the building story.

Building complex software used to require a software company. You needed engineers, and a build process, and a UI design phase, and someone whose entire job was figuring out what to do with the JIRA tickets. Building was institutionally expensive in the same way coordinating used to be.

Agentic coding tools, MCP, headless platforms, and so on are already starting to do to building what the internet did to coordinating. Building is cheap now and people everywhere are waking up to it. A finance lead can spin up a reconciliation agent on a Tuesday afternoon. A recruiter can wire up a candidate-research workflow over coffee and a chocolate croissant.

Coordination got cheap enough to organize without organizations.
Implementation got cheap enough to implement without implementers.

Shirky’s everybody came together. Ours comes apart.

His version produced Wikipedia where a million people work together to build one thing. The 2026 version produces a million people each building their own separate thing in their own separate corner of their own separate company. A million reconciliation agents. A million candidate-research workflows. None of them shareable. None of them composable. The disintermediation is the same; the sociology is the opposite.

The old everybody convened. The new everybody atomizes. Coordination was a tax we paid because software was scarce, and we don’t have to pay it anymore. This is what software finally being abundant looks like.

Pit Crew

So what do we call this person? The one in marketing or finance or legal who’s now expected to translate generic AI capability into something that does work in their corner of the business?

I’ve been using Pit Crew over in Near Zero, but I’m sure we’ll call it something else. Though I’m not convinced we’ll use Stripe’s Forward Deployed AI Accelerator, Marketing either.

Your marketer has the taste. They know your brand voice, what’s been tried, when a subject line is going to land and when it wont. The marketer is the driver. The car they’re now driving is AI. It is powerful, fast, finicky, capable of going off the track in genuinely surprising ways if it isn’t tuned correctly. The Pit Crew tunes the car.

You can’t expect every marketer to know how to configure an MCP server or stitch six APIs together with an agent. Similarly the Pit Crew doesn’t need to write a brand voice guide. Neither of them wins the race alone. The marketer brings what to build and why. The Pit Crew brings how to build it and how to keep it running at speed.

Every domain expert in your company is about to need their Pit Crew counterpart. Or be one. Or both.

There are two reasons every function is going to need this person, and they push in the same direction.

The first is what we’ve been talking about all post. Headless platforms externalize implementation labor onto your team. You’re forward-deployed for the vendor just billed to your own employer.

The second is bigger and more permanent than any one vendor. Models are generic. The model doesn’t know your customers, your data, your weird Q3 reporting requirement, the fact that one specific salesperson refuses to use the new CRM no matter how many times you ask. AI capability only becomes useful at the point of contact with a specific workflow, dataset, or person. It doesn’t make sense to have a central “AI team” any more than it would be to have a central “Excel team.” Every function gets its own.

I personally like “Pit Crew.” But I’m sure the industry is going to come up with something else (maybe better? I don’t know…). But the role is real before its vocabulary is, and I’d rather pick an imperfect name than wait around for a good one.

Empowerment and Extraction

I do truly believe this is empowerment. Pit Crew is a real career path with real leverage, and the people who get good at it early are going to eat extremely well. People can genuinely do things they couldn’t do a year ago, and I’m blown away by the things I’ve been seeing.

Which is different from what you see in most headlines these days. The current consensus is that all of this means the need for fewer jobs. One Pit Crew member, they say, can do the work that used to take twenty marketers. So you keep the Pit Crew, you lay off the twenty, and you write yourself a thank-you note in the form of an EBITDA improvement.

I think this is wrong about the direction of the change.

The marketing team doesn’t shrink. It grows. So does the Pit Crew supporting it. Both numbers go up. Once a marketer paired with a Pit Crew is dramatically more productive, that pair is dramatically more valuable to the business. Valuable functions don’t shrink. They get more budget. They hire. The output expands, and demand expands with it, because there turn out to be enormous amounts of marketing work that nobody could previously imagine doing because nobody could previously afford to do it.

So you don’t go from 20 marketers to 1 marketer plus 1 Pit Crew. You go from 20 marketers to 25 marketers plus 5 Pit Crew. Then 30 plus 10. The Pit Crew ratio rises. The marketing team rises with it. The whole org chart gets taller. The labor multiplies. Every other time in history that software engineering became cheaper, demand skyrocketed. Why would this time be any different?

Call one bet “Substitution” if a company sees Pit Crew as a way to do the same work cheaper. The other “Multiplication” if a company sees Pit Crew as a way to do much more work, period.

Both are happening in different companies right now. Only one of them is right about the future. The companies betting on substitution are going to wonder, in about eighteen months, where their competitive advantage went. The answer will be that it went to the company that hired more people and more pit crew for them, not fewer.

Share

Christian Gralingen for WSJ

If you’re a child of the 1970s, you probably looked to the whimsical optimism of the cartoon show “The Jetsons” for an idea of what the future of travel might look like. We would hop into flying “aero sedans” that folded into briefcases and take holidays on an asteroid.

Obviously, those things haven’t materialized, but some big changes in travel are expected by 2046.

We spoke with industry thinkers and researchers about what travel might look like 20 years in the future. Here is what they told us.

Your AI agent handles everything

The era of search-and-click travel, where consumers spend hours on booking sites comparing flight prices and room options, will be over. Scott Fleming, president of the travel practice at Aon, a global professional-services firm, describes a future where your personal AI agent handles the entire choreography of a trip, from that first search to the final taxi home.

“My agent will know the places I like, it will have insight into my finances, my budget, my risk tolerances, all my preferences from the kind of room I like to my pillow type,” Fleming says. That personal agent will interface with travel suppliers’ AI agents—not a human to be heard or seen—and book trips for people from their front door and back, according to their known likes and dislikes.

If a health risk emerges on a route or a flight is disrupted, AI agents will negotiate a solution in real time. The system will monitor conditions continuously, rerouting, rebooking and adjusting everything so that the traveler never has to make a call or chase a refund. “It will take a lot of that stress out of the process,” Fleming says.

---

The distributed airport

The modern airport, let’s face it, is a time suck. Ty Osbaugh, global practice leader for aviation at the architectural firm Gensler, believes that’s going to change.

He envisions a solution whereby the airport is deconstructed and scattered across its nearest city. In 20 years, New Yorkers won’t have to go to JFK airport two hours ahead of their flight. Instead, they will walk or take a driverless taxi to a neighborhood terminal, drop their bags and clear security biometrically, simply by walking in. No passport queues, no conveyor belts. Then they‘ll board a small, quiet electric air taxi that transports them and five other passengers from a building rooftop to the airport.

Since passengers have already been processed and completed security screening in town, airports will consist of lean, airside-only gate areas: runways, tarmac and jet bridges that you simply walk onto. If you have an important meeting you can’t reschedule, no worries; Your AI assistant will have reserved one of a handful of phone-booth-size private lounges adjacent to your gate, located where currently there are rows and rows of seats. Your oat cappuccino will be waiting on the conference table. Your wearable device will alert you when it’s time to walk onto the plane.

The system as he sees it will work like a subway network: Rather than all passengers converging on the same congested highway corridor to JFK, they can choose the neighborhood entry point nearest to them.

“The idea is to break the airport into different functions—security processing and boarding—and putting each where people want them, Osbaugh says. “Now all your time wasted at the terminal is completely cleared.”

The key to the successful execution of this distributed airport is penetration into the city itself. It will require terminals to be integrated into the vertical fabric of urban buildings, Osbaugh says. “Imagine if the terminal was part of a skyscraper that had apartments on the lower floors and the convenience that would provide,” he says. The more access points embedded throughout a city—and let’s not forget its suburbs—the more the single biggest source of travel stress disappears: the unpredictable slog from home to gate.

---

Frictionless security

Getting through security, meanwhile, is in for major changes. Aon’s Fleming sees biometrics replacing document checks across the entire travel experience—not just at airports but woven continuously throughout the journey, including at international borders. Security systems will read your face, as well as your gait, heart rate and physiology while allowing you to keep moving. “These systems will even smell you,” he predicts. “We use dogs now, but I think the level of security will be automated and be a benefit to all.” The queues, the bins, the removing of shoes will have totally disappeared, and you’ll be able to board a plane or ship without any friction.

“For comparison purposes, consider the old toll booth approach at the tollway or turnpike 30 years ago versus the Zip Cash or Toll Tag systems we see today,” Fleming says.

---

Demand-controlled destinations

Countries like India and China that together account for around a third of the world’s population are moving enormous numbers of people into the middle class. That could lead to even bigger crowds in Rome, Paris and many of the other places that have defined tourism for generations.

Richie Karaburun, a clinical associate professor at New York University’s Jonathan M. Tisch Center of Hospitality, believes “overtourism demand control” will reshape how the world’s most iconic destinations operate. To keep sites from being “loved to death,” cities may set visitor caps, requiring permits during peak seasons and compelling visitors to get timestamped reservations to enter popular sights like many museums do now. “What’s coming next is a shift from managing individual sites to managing entire destinations as controlled systems,” Karaburun says. “So instead of just needing a ticket for the Colosseum, visitors may increasingly need to plan and secure access to Rome itself in advance during high-demand windows.”

The pressure will ultimately redirect travelers toward places that are extraordinary but currently overlooked. “There will be new stars, new destinations added to the tourist’s list,” Karaburun says. “You’re already seeing this shift with Porto and Valencia relative to Lisbon and Barcelona, or Ljubljana and Palermo relative to Venice and Florence,” he says. In Asia, secondary cities like Kanazawa in Japan are gaining traction beyond Tokyo and Kyoto.

---

Smarter roads

The future of road travel is less about flying cars than about eliminating the tensions and anxieties that make driving so exhausting. Roads, signs, traffic lights and vehicles will increasingly talk to each other, sharing information in real time.

“When a car suddenly slams on the brakes in front of you, it will send out a message to roadway devices and to the cars behind it,” says Philip Plotch, a principal researcher and senior fellow at the Eno Center for Transportation. “You’ll know instantly what happened, giving you more time to react. Or the car might even slow down or stop on its own.”

Even before fully driverless cars arrive, this growing communication between vehicles and infrastructure will make driving safer and less stressful, reducing surprises and smoothing traffic flow. As more advanced automation takes hold, the experience of being in a car will start to feel fundamentally different.

Once you don’t have to keep your eyes on the road, a long drive begins to resemble a train trip, giving passengers time to read, watch something or rest instead of constantly focusing. That shift will change how and how far people are willing to travel, Plotch says.

---

Faster flight

The physics of travel itself will change by 2046. Supersonic flight—flying from New York to London in under 90 minutes at Mach 3 (three times the speed of sound) for dinner—could become routine for the affluent. Aon’s Fleming points to Boom Supersonic’s planned Overture jet, which is currently running successful supersonic tests at Mach 1.7 and could be in service as soon as the end of this decade. “It’s hard to see us not having supersonic travel in the 2030s at this point,” Fleming says, “but it remains to be seen if it’s at scale or limited to the upper end of the market.” Boom says it expects future versions of its aircraft to become faster and more affordable over time.

Commercial supersonic travel isn’t new, of course. The Concorde cut trans-Atlantic flight times in half beginning in 1976, but the flights were expensive to operate, carried relatively few passengers, consumed large amounts of fuel and faced strict noise limits after sonic booms triggered public backlash, confining most flights to ocean routes. A fatal crash in 2000 and falling demand after 9/11 helped lead to the planes’ discontinuation in 2003.

According to Fleming, the new generation of supersonic startups will be able to leverage advanced technology such as lighter and active-cooling composite materials, more-efficient engines and aerodynamic shapes, sustainable aviation fuel and quieter boom technology, allowing high-speed air travel to finally be commercially viable, especially for premium travelers willing to pay for time savings on long-haul routes.

“Supersonic travel will compress the world in a way we haven’t seen since the Jet Age,” says NYU’s Karaburun. If long-haul flights shrink to a few hours, cities like New York, London and Dubai begin to function less like distant hubs and more like a connected corridor.

Beyond supersonic travel lies hypersonic travel, which involves flying at Mach 5 or above and comes with intense thermal challenges that have yet to be resolved. Fleming notes that some aerospace companies are working to develop such aircraft, though he predicts passenger service won’t be available until “2035–2040 at the earliest.”

---

Space hotels

This may be a bit farther out, but it’s possible that the true “space hotels”—commercial space stations with hospitality amenities—could emerge as early as the 2030s, says Karaburun.

Like hypersonic travel, Fleming says, these trips at first will be accessible only to the ultrawealthy, but by the 2040s, as launch costs fall, that market could expand modestly. “I expect the first space hotels to be in orbit, much like the [International Space Station] today, with a few nice hotel rooms with a remarkable view, probably combined with a research facility,” he says.

Karaburun sees a similar future. “These will be small, expensive and tightly controlled, more akin to early Antarctic expeditions than traditional tourism,” he says.

Write to reports@wsj.com

More in Travel

Read the full report

Who Needs a Travel Agent in the Digital Age? Apparently, More People Than Ever

New Ways to Soak Up Some of New York City’s Most Iconic Locations

Great Family Golf Vacations Even the Nongolfers Will Enjoy

Next Time in Paris, Skip the Louvre and Try These Lesser-Known Museums

What I Hate Most About the Technology in Hotel Rooms

Why This Couple Is Saying Goodbye to Life on the Road After 10 Years

If You’re Hitting the Road With Your Dog, Here’s How to Make It Less Stressful

Is It a Hotel or an Exclusive Social Club? The Answer Is Both

Copyright ©2026 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

GameStop

The simple model of GameStop Corp.’s proposal to acquire eBay Inc. is:

• Ryan Cohen, the chief executive officer of GameStop, thinks he should be the CEO of eBay.
• That is not a job that you can apply for by filling out an application on the website. For one thing, eBay is a $50 billion public company, and public companies rarely hire new CEOs through cold outreach. For another thing, eBay has a CEO already and was not, prior to Cohen’s outreach, looking to replace him.
• If you are an ambitious and energetic person, and you want your dream job, but the hiring manager is not returning your calls, you could always try stunts. You print your resume on a cake and send it to the company. You stand outside the hiring manager’s house singing a song you wrote about your qualifications. Or, in Cohen’s case, you (1) lob in a vague acquisition offer, (2) lay out how you’d cut costs and make eBay more valuable if you were in charge and (3) also auction your socks on eBay to pay for it. It’s that combination of demonstrating your commitment and qualifications, while also doing some viral nonsense to get noticed.

In the case where your dream job is being the CEO of a particular public company, and the company already has a CEO and is not returning your calls, there are two standard sorts of stunt you can pull:

• You can do activism. You can buy some stock and send a letter to the board saying “I am a shareholder, I think current management is all wrong, and I would like to talk to you about my ideas.” (Your first idea is “make me CEO,” so you can implement your other ideas.) And then if the board says no, you run an activist campaign: You go out to other shareholders and try to get them on board with your ideas; if necessary, you run a proxy fight to vote out the existing board of directors and put your nominees in charge. And then your nominees make you CEO and you implement your plans. This requires a certain amount of money: You’ll be more credible if you own 5% of the stock than if you own 0.05%, though sometimes activists win campaigns with tiny stakes. But it mostly requires persuasiveness; it requires the ability to convince other shareholders that your plans for the company are better than management’s plans.
• You can do a hostile takeover. You can go to the shareholders and offer to buy all their stock for more than the going price. If the stock is trading at $50, and you offer $70, and most of the shareholders don’t think current management can make the company worth more than $70, then they will sell to you. Then you will own the company, and you can fire the board and the CEO and put yourself in charge. This requires much less persuasiveness than the first option: The other shareholders don’t really care if your plans are any good, as long as you pay them $70 in cash. “This idiot is going to run the company into the ground but that won’t be my problem,” they might think. On the other hand, this requires much more money than the first option. You gotta pay everyone for their stock.

Elon Musk wanted to run Twitter, so he bought it. David Ellison wanted to run Warner Bros., so he bought it. In each case, the company’s board or shareholders or outside commentators might have thought “man I don’t know about this guy’s business plan,” but it didn’t matter: They offered cash, and the cash they were offering was more than the company was otherwise worth, so they got the company. But if they hadn’t offered cash, they would have had to offer a good business plan: They would have had to persuade the existing investors in those companies that their plans were better than existing management’s plans.

Cohen does not have anywhere close to enough money to buy eBay. That would cost $56 billion or so1; GameStop has perhaps $9 billion, and Cohen’s bankers might lend him $20 billion more.

That leaves him with activism. He has to send eBay’s board a letter saying “I am a 5% shareholder of eBay and would like to talk to you about my management ideas, including replacing your CEO with me.” And then eBay’s board has to say “no thanks,” because they think that the current management and strategy are good (they picked them!) and they are skeptical of Cohen’s out-of-nowhere proposal. And then Cohen has to go around making his case to eBay’s shareholders that he would be a better CEO than the current CEO. Which involves:

• Laying out his plans for cutting costs and improving eBay’s business,
• Pointing to his own experience — turning around GameStop, and before that building <a href="http://Chewy.com" rel="nofollow">Chewy.com</a> — as proof that he is qualified to lead eBay, and
• Attention-getting stunts.

I should say that wacky stunts are not traditionally a big part of the activist playbook, but (1) Cohen is the CEO of GameStop, a meme-stock company with a lot of retail investors, so he arguably has some fiduciary obligation to his existing shareholders to do wacky stunts and (2) actually stunts are becoming a bigger part of activist investing. “You need social media and memes and zingers,” I wrote a while back about activist hedge fund Elliott Management getting into podcasting; “you need to fight for attention in a crowded media landscape.” I do not expect Paul Singer to auction his socks to call attention to an activist campaign, but there is a continuum.

Anyway, because everyone is mildly confused, and because he wanted to maximize attention, Cohen announced in his activist proposal in the form of an acquisition proposal, which was sort of hopelessly ill-formed. (He proposed an acquisition for cash he doesn’t have and stock he also doesn’t have.) And then this week eBay said “no thanks,” turning down the ill-formed acquisition proposal but also hinting that Cohen’s ideas for what to do as CEO of GameStop are bad. So now we are in the third phase, where Cohen gets to go around making his case to shareholders. The Financial Times reports:

Cohen wrote to eBay’s board chair Paul Pressler on Wednesday complaining that the company dismissed his $125-a-share unsolicited offer to buy the company “without engaging on its substance”, in an email seen by the FT. Cohen said while his request to meet eBay’s board of directors had been rejected, he planned to put the offer to shareholders. “[Ebay’s directors] should not dismiss a $125 per share proposal without engaging on its substance. The economics are clear and they are public. Ebay’s own shareholders deserve the opportunity to evaluate them,” Cohen wrote. … In his email to eBay, Cohen raised his own concerns about the reseller’s governance and executive pay packages, saying its CEO Jamie Iannone was paid $144mn over his six-year tenure despite overseeing a decline in eBay’s active buyer base. Cohen also noted Iannone had not purchased any eBay shares in the open market during his time as chief executive. By contrast, Cohen said he stemmed losses at GameStop — in large part because he has so much of his own money locked up in the company. “Ebay’s directors do not own eBay,” wrote Cohen. “They have presided over five years of net user decline.”

Right, no, the stuff about “a $125 per share proposal” and “the economics are clear” is a distraction; this is not actually about GameStop acquiring eBay. This is about Cohen becoming CEO of eBay, and he is making that case in normal activist terms: He owns more stock than current management does, current management has presided over decline, etc.

Cohen also did an interview with crypto influencer Anthony Pompliano laying out his thinking, which is pretty explicitly what I said above: This is not really an acquisition proposal, but rather a proposal to change the CEO (and also do a leveraged recap). Cohen says:

You can look at it as basically we’re giving them a special dividend for half … and then the other half they’re rolling into equity of the combined business that is going to be a lot more profitable. Because we’re going to focus on efficiency in the short term and in the long term and we’re going to focus on on revenue growth and I don’t get paid unless I build a much larger business and I want to turn eBay into something much larger. So, it’s the difference between a professional management team and board of directors versus an owner / operator leading it that doesn’t believe at all in work-life balance. ... They’re rolling into equity in a new business, or a combination between GameStop and eBay, that would be run by me. … So, it’s EPS accretive to both GameStop and eBay shareholders, and eBay shareholders continue to own the majority of a business that their earnings are coming from eBay except it’s run by someone frankly that gives a s***. Like that’s the big difference is I give a s*** and I’m going to do whatever it’s going to take.

And here he is on his personal ambitions (to be eBay CEO):

Cohen: I have always long admired eBay’s business and I didn’t want to be the CEO of GameStop. Actually when I sold Chewy, I didn’t really want to do anything for the most part and then I lasted like a few months and retirement wasn’t for me. But I’m very — eBay’s business is, I mean… Pompliano: That’s your white whale. Cohen: It’s eBay, it’s the one.

The Financial Times calls this “one of the most bizarre takeover sagas in years,” and I have called it a “fake takeover,” but now I think we might be looking at it wrong. This is a bizarre job application, a way to force eBay’s board and shareholders to consider Cohen’s desire to run eBay. Not even that bizarre, really: It is settling into a normal shareholder activist campaign, making the case that current management is misaligned and has presided over a decline in value, and that Cohen’s skills and experience and incentives and ideas would make him a better CEO. Sure it started with a nutty fake takeover offer, but you have to do something to stand out in a crowded attention environment.

Adani

In November 2024, the US Department of Justice and the Securities and Exchange Commission brought a weird fraud case against the Indian billionaire Gautam Adani. Basically the charges were that Adani Group executives paid some bribes to Indian state governments to buy solar power from Adani Green Energy Ltd., one of Adani’s companies. We talked about it at the time, and I pointed to three problems with the case:

• From the charging documents, it was not even clear to me that anyone paid bribes. They paid “incentives,” which sounds like “bribes,” but there did not seem to be smoking-gun evidence that the incentives were paid to government officials (bad, bribes) as opposed to the governments (fine, rebates). An “incentive” like “we will pay your state utility company a rebate on the price it pays for power” is much better than an incentive like “we will give you a bag of cash if you sign this above-market power contract,” and the evidence seemed ambiguous about which was happening.
• In any case, all of this stuff happened in India: Adani Green was an Indian company allegedly paying bribes to Indian officials for power contracts in India. The links to the US were tenuous, consisting mostly of the fact that Adani Green sold some dollar-denominated bonds in 2021, some of which were bought by US investors. The bonds were repaid in full before the charges were brought, so no US investors lost money.
• The actual theory of how US investors were defrauded — the thing that made this a criminal case in the US — was that they were looking for good environmental, social and governance (ESG) investments, they thought Adani Green was a good ESG investment (it had “Green” in its name), and they were deceived (bribery is not good ESG). “Back in 2021,” I wrote, “this was a real thing. Investors wanted to be ESG. ... Pretending to be very ESG, while in fact (allegedly) being a solar power company that paid bribes, really was a way to defraud investors. But the fraud was less ‘you took their money and didn’t give it back’ and more ‘you took their money and didn’t give them what they really wanted, which was good ESG performance.’ That is the crime here.”

Again, I wrote that in November 2024, shortly after Donald Trump won the US presidential election. Back in 2021, ESG fraud was a thing; back in November 2024, it was a crime. I continued:

Not for long, though, maybe. … The Trump administration will presumably be anti-ESG and will sue companies for doing ESG stuff, not for falsely pretending to do ESG stuff. ... But for now, it’s illegal in the US for Indian companies to pay bribes in India.

Anyway! The New York Times reports:

Now, according to several people with knowledge of the case, the Justice Department is planning to drop the charges altogether. The reversal came after the Indian billionaire, Gautam Adani, hired a new legal team led by Robert J. Giuffra Jr., one of President Trump’s personal lawyers. Mr. Giuffra’s efforts on Mr. Adani’s behalf culminated in a previously unreported meeting last month at the Justice Department’s headquarters in Washington, according to people familiar with the meeting. Mr. Giuffra ticked through about 100 slides outlining why prosecutors lacked basic evidence, as well as the jurisdiction even to bring the case, one of the people said. Another slide also offered the government a sweetener: If prosecutors dropped the charges, Mr. Adani would be willing to invest $10 billion in the American economy and create 15,000 jobs, echoing a pledge he made in the wake of Mr. Trump’s election.

See, that’s an “incentive”!

Fund formation

One way to think of a private equity fund is that it is a sort of a company, owned by its investors (the limited partners in the fund) and managed by its managers (the private equity firm that sponsors the fund), which goes out and buys other companies. The company has expenses, and the limited partners — as the owners of the company — ultimately pay the expenses. (Who else would?) One of the biggest expenses is the fee that the fund pays to the managers (the sponsor) for managing the fund and finding the companies to buy, but there are others. The fund has to pay for lawyers and investment bankers to do the deals to buy companies. It has to pay for, like, photocopying to send out quarterly account statements to the investors. This stuff all costs money, and the fund pays for it.

Another way to think of a private equity fund is that the sponsor — the private equity firm, Apollo or KKR or Blackstone or whoever — is a company that goes out and buys companies, and the fund is just a bucket of capital that the sponsor uses to pay for the companies. The fund — the pool of money owned by the limited partners — is a sort of service provider to the sponsor; it offers the sponsor a product (money) that it can use for certain purposes. If the sponsor wants to spend $1 billion buying a company, that’s what the fund is for. If the sponsor wants to, like, take the limited partners out to a nice dinner, surely the sponsor should pay for that! The sponsor is the host; the LPs are the guests. The sponsor is making plenty of money (from its management fees); it can pay for dinner. The LPs provide financing for use in the sponsor’s business, but the sponsor runs its own business. The LPs are not going to pay for all of the expenses of the sponsor’s business.

That is: One view is that the private equity fund is a business and the sponsor is a provider of management services to that business; the other view is that the private equity sponsor is a business and the fund is a provider of financing to that business. Intuitively, the ordinary expenses of the business should be paid for by whoever’s business it is.

There is a similar sort of tension in hedge funds: Are the LPs in a hedge fund owners of a business who pay all of the business’s expenses, or are they investors in a pool that pays only fixed fees to the manager? Broadly speaking, the norm in hedge funds used to be that the LPs mostly paid fixed fees (classically 2% of assets and 20% of returns) and the hedge fund manager was responsible for its own costs, but in modern multi-strategy multimanager “pod shop” hedge funds, the norm is that the manager bills all of its costs — including notably salaries and bonuses but also, like, private jets and office art — to the LPs, who keep (80% of) whatever’s left over. This norm is still evolving, and there are occasional conflicts when hedge fund managers bill LPs for stuff they don’t think they should pay for.

And broadly speaking the private equity industry has had the reverse evolution: It used to be the norm that, of course, whatever money the private equity firm spent was billed to the LPs, because a “private equity firm” was like three guys with a Rolodex and the only money they could spend was the LPs’ money. But now a “private equity firm” is a gigantic institutional alternative investment manager with fancy offices and trillions of dollars under management, and it seems sort of churlish to bill the clients for dinner.

Or for negotiating the fund documents. The Financial Times reports:

The Institutional Limited Partners Association has taken aim at a protocol whereby investors in private equity funds pay the legal costs of buyout group managers as well as their own in negotiations over setting up the vehicles. “I challenge you to find an industry or an analogue where the . . . client or the customer is paying the cost of legal counsel negotiating against them,” said Jennifer Choi, chief executive of the ILPA, which represents pension and sovereign wealth funds. “[It] simply doesn’t make sense.” ... Private equity’s backers have paid for fund-related legal costs since the dawn of the industry, when fledgling buyout managers could not afford to contribute. But private equity has grown from managing less than $550bn in 2000 to around $8tn in 2022, the ILPA said in a new paper, meaning today’s large buyout groups “simply do not face the same financial obstacles that existed when the market was new”. ... The association pointed to the “fundamental inequity” whereby buyout firms selected counsel to the fund, which was “also typically outside counsel to the [private equity firm] itself”, but usually did not share that law firm’s rates with investors paying the bill. It said the “most equitable solution” would be for managers of multibillion-dollar vehicles to bear the costs of fund counsel, while fund backers paid for their own lawyers. But it called instead for capping a fund’s legal, administrative and compliance costs at whichever was lower of $10mn or 0.05 per cent of its target size, where fund backers were paying.

Here are the ILPA announcement and guidance paper. This is a pretty modest ask, not “the sponsor should pay all of the fund’s expenses out of its management fees” but rather “the sponsor should pay half of the fund’s formation expenses above $10 million.” If your model is “the sponsor runs a giant business and is asking investors for money,” it does seem weird to charge the investors for the lawyers who are asking them for money. But if your model is “the sponsor is a service provider advising the fund, which is owned by the investors,” then of course the owners of the fund should pay for the fund’s lawyers.

Incidentally, I want to take up that challenge “to find an industry or an analogue where the ... client or the customer is paying the cost of legal counsel negotiating against them.” The classic answer is public-company sell-side mergers and acquisitions, where (1) the target hires lawyers, (2) they negotiate against the buyer, (3) the buyer agrees to buy the target at a fixed price, often with only a vague idea of how much the lawyers cost and (4) the target sends cash out the door to its lawyers one microsecond before the deal closes, reducing the amount of cash that the buyer gets in the target. Effectively the buyer pays for the target’s lawyers, which means that the target’s lawyers bill a lot, the target has no incentive to constrain their costs and sometimes the buyer grumbles about it.

Things happen

Kushner Disappoints Mideast Clients Who Spent Millions Seeking Sway. Bessent Says US, China Discussing ‘Board of Investment.’ How to Build a Data Center in Space. Hedge Funds Are Making a Killing in the ‘Golden Age’ of AI Hardware. Revolut prepares to launch private bank as it woos wealthy. Volatility Hedge Fund QVR to Close After Losing 30% This Year. Davidson Kempner CIO Has ‘Uncontrolled Power,’ Ex-Partner Claims. Citadel tells key researchers to relocate from Hong Kong or quit. Private Credit, Retail Fraud Top SEC’s Enforcement Priority List. Dozens of Polymarket Bets Show Signs of Insider Trading, The Times Finds. Self-report fraud and walk free, New York prosecutors tell Wall Street. OpenAI Brings Its Ass to Court.

If you'd like to get Money Stuff in handy email form, right in your inbox, please subscribe at this link. Or you can subscribe to Money Stuff and other great Bloomberg newsletters here. Thanks!