Issued April 2026. Standing brief, no. 01

The Mythos-class threat window has a closed loop now.


Mill Creek operates Olympus — a closed agentic loop running inside your tenancy. Nemesis red-teams your code. Delphi audits the source. Vulcan opens the pull request that closes the finding. The loop runs continuously, under named partner engagement and monthly attestation to your audit committee. We do not stop at advisories.


The firm

Security work that ends in a pull request, not a deck.

The agentic generation of frontier models compressed every attacker timeline. Mythos-class systems now find vulnerability classes faster than most patch cadences were designed to absorb, and they do it without the supervision an enterprise change board can recognize. The firms still treating this as a posture-review problem will be answering hard questions in their next audit cycle.

Mill Creek was built for what comes next. Olympus, our continuous application-security service, runs a closed loop inside your tenancy — adversarial probing, source-backed audit, and remediation that ends in a pull request your engineer reviews and merges. We do not stop at findings. We ship the diff.


Olympus

A closed loop, holding the line on application security.

Olympus is Mill Creek's continuous application-security service. Three sprites run inside a single autonomous loop. The loop is the offering — not findings reports, not advisories, not slideware.

We do not stop at advisories. Vulcan ships the pull request.

  1. Adversarial reconnaissance

    Nemesis

    Continuously probes your sanctioned agents, integrations, and tool-use surface. Operates at machine pace; reports with replayable evidence and tool-call provenance. Tenant-scoped — never leaves your VPC.

  2. Source-aware audit

    Delphi

    A multi-agent council that reads your code against your policy library, grades findings by impact and likelihood, and drafts the remediation plan. Each finding lands with a named human owner.

  3. Pull request, not advisory

    Vulcan

    Drafts the actual code, IAM, and policy changes that close the finding. Opens a pull request like any other contributor; your engineer reviews and merges. The diff is preserved with the finding. Rollback plan attached.



Buyer

CIO, CISO, VP Engineering

Board-visible risk reduction without outsourcing judgment. We work alongside your standing leadership, not above it. Engineering signs off on the workflow.

Method

Tool and team

Olympus runs the loop. Senior humans review the work, attend the board, and own the answer afterwards. Theater stays out of the report.

Fit

High stakes only

Regulated software, critical integrations, AI-heavy product teams. We say no to engagements where we cannot move the risk curve.


Threat brief

Mythos did not invent the threat. It compressed the timeline.

The agentic generation of frontier models took the industry by surprise. Tool use, browser control, autonomous code execution, and durable memory landed in production faster than most security organizations could draft acceptable-use policy. Four pressure points show up in every engagement.

  1. Sanctioned agents, unsanctioned blast radius.

    Agents your finance committee approved are now executing code, opening tickets, and posting in customer channels. Change management has not caught up. Most clients cannot produce a list of which agents exist, who owns each, and what they are authorized to touch.

  2. A prompt-injected supply chain.

    Third-party tools, browser extensions, and document pipelines are the new untrusted input layer. A single poisoned PDF can pivot across half a dozen integrations before any human notices. The traditional vendor security review does not catch this.

  3. Evidence gaps the board cannot defend.

    Regulators and audit committees are asking the same question: prove the agent only did what it was authorized to do. The logs most companies keep cannot answer it. Olympus rebuilds the evidence layer first.

  4. Remediation, not discovery, is the new bottleneck.

    Frontier models now find vulnerability classes faster than most patch cadences were designed to absorb. The remediation loop is where firms break. Olympus closes it — Vulcan ships the diff, your engineer merges, the evidence is preserved with the finding.


Additional engagements

When the Loop is not the right starting point.

Olympus is the firm's flagship engagement. Some clients begin elsewhere and convert; some need a one-off. Five named engagements support the rest of the work.

  1. Assess

    Application Security Posture Audit

    Two-week, fixed-fee read across every sanctioned and shadow agent. Often converts to Olympus.

  2. Red team

    Adversarial Sprite Engagement

    Scoped, project-based use of Nemesis. Replayable evidence, no continuous loop.

  3. Audit

    AI Audit

    Board-level deliverable on agentic AI exposure. Often the entry point for board-anxious buyers.

  4. Review

    Secure Code Review

    Manual and Delphi-assisted code audit for codebases not yet on Olympus.

  5. Respond

    Incident Response, Agentic-Aware

    Four-hour SLA for Olympus clients, twenty-four for everyone else.



Leadership and advisory bench

Operators boards have already heard of.

Mill Creek is engineering-led, advised by a standing bench of sitting and former CIOs and CISOs from regulated industries. We name them, because boards expect to see who is in the room.

Founder & chief executive

[Name placeholder]

Background in offensive security and platform engineering. Previously led the red team for a top-five U.S. financial institution. Holds engagement leadership accountability across every Mill Creek program.

Head of engineering

[Name placeholder]

Architect of Olympus. Twenty years in distributed systems and applied AI. Ships the parts of the codebase that regulators care most about.

Advisory bench

CIO Council, four seats

Sitting and former CIOs from a Fortune-100 healthcare system, a federal civilian agency, a global asset manager, and a top-three U.S. retailer. Reachable to clients on engagement.

Specialist affiliates

Named security experts

A vetted bench of incident-response, cryptography, and AI-policy specialists. Pulled into engagements by name when the work requires depth our staff team cannot match alone.



Standing order

If you cannot say who is responsible for the agent, brief us this week.

Mill Creek holds a small number of intake slots each month for board-sponsored engagements. The forty-five-minute brief is run by a partner, under non-disclosure, and ends with a written read on whether you need us, someone else, or nothing at all. Olympus comes online inside ten business days of signing.