Mother of All KEVs — MOAK Origin Story

Launch announcement and origin story for the MOAK Engine, published April 9, 2026 by Niv Hoffman, Ofir Eisenberg, and Yair Saban at moak.ai. Companion to How Does MOAK Work? (technical architecture; authors: Yuval Zadok, Karen Katz, Itay Chechik).

Discovery Timeline

MOAK was not designed from the start as a KEV-exploitation system. It originated as a workflow for solving CTF challenges. One researcher then tested it against React2Shell — described as “the most dangerous vulnerability dropped last year” — to see whether it could handle real-world vulnerabilities.

Initial results failed. After two architectural improvements to reasoning and tooling, the workflow succeeded: React2Shell exploited in 21 minutes, no human in the loop, no access to public POCs or exploitation details, and with all model training cutoffs confirmed before the vulnerability was disclosed.

Batch validation: 103 of 122 CISA KEVs exploited on the first try (84% success rate); 82% completed in less than one hour. After systematic architecture refinement, the system became MOAK.

Updated Performance Figures

The origin-story post gives updated headline numbers relative to the technical deep-dive:

Metric”How It Works” postThis post
KEVs tested178200+
Success rate97.8%98%
Under 1 hournot stated82%
No human in loopyesyes
No external POCsyesyes

Updated baseline. The 200+ / 98% figures supersede the 174/178 figures from the technical post. Both posts are dated April 9, 2026; this is the public-facing summary and likely reflects the more current count.

Time-to-Exploit Data Cited

Two independent data points corroborating the TTE collapse:

  • Google Threat Intelligence Group: Mean TTE shrunk from 63 days → less than one day over the last five years.
  • VulnCheck 2025: nearly one-third of all KEVs in 2025 were exploited in the wild before or within 24 hours of disclosure.

Zero Day Clock milestone table (sourced to zerodayclock.com, cited via Sergej Epp’s initiative):

ThresholdStatus
1 YearReached ~2021
1 MonthReached ~2025
1 WeekReached ~2026
1 DayProjected ~2026
1 HourProjected ~2026
1 MinuteProjected ~2028

The Anthropic Contradiction

Contradicts Anthropic Red Team public statement

The Anthropic Red Team publicly stated: “Opus 4.6 is currently far better at identifying and fixing vulnerabilities than at exploiting them. This gives defenders the advantage.”

MOAK demonstrates 98% autonomous exploitation of CISA KEVs using Claude Opus 4.6 as the primary model inside its agentic pipeline. The Anthropic statement assesses Opus 4.6 as a standalone model; MOAK demonstrates that the same model inside an orchestrated five-agent workflow crosses the exploitation capability threshold. The statement may be narrowly true (model-in-isolation) while operationally misleading (model-in-agentic-framework).

A second Anthropic statement in the same post (re: Mythos) acknowledges the capability threshold: “Have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities. … We do not plan to make Claude Mythos Preview generally available.”

See Anthropic entity page for the complementary callout.

Argument: “The Future Has Arrived”

The post challenges Anthropic’s framing that dangerous exploitation capability is a Mythos-only phenomenon not yet available in public models. MOAK’s claim: Claude Opus 4.6 and GPT 5.4 — both publicly available — already achieve near-universal KEV exploitation in agentic context. The threat is not a future Mythos GA event but the current deployment of frontier-model APIs in agentic exploit pipelines by any sufficiently motivated actor.

Relation to Existing Wiki Pages

  • Zero Day Clock: Google TIG (63 days → <1 day) and VulnCheck (1/3 KEVs in <24h) are new primary-source data points for the TTE collapse trend, independent of the Zerodayclock.com instrument.
  • MOAK entity page: updated team (six total: three from “How It Works” + three from this post) and updated headline stats.
  • Autonomous Exploit Generation: origin-story arc (CTF → React2Shell → 122-KEV batch → 200+ KEV production) is the founding narrative for AEG at production scale.