[muvlon]

There's a major caveat to the half-full view: You'll only stop adding new vulns that your model can find.

A threat actor with access to a better model or more money to burn on tokens may yet find more. Some of them have deep pockets, and not nearly every project will get the Glasswing treatment of free Mythos tokens.

[spacebanana7]

There's an interesting economic contest here as well - is it more sustainable for a malware group to spend $500 in tokens looking for an issue in my app? or for me to spend $500 scanning for issues on every deployment?

Systemically this usually favours the offence, as they could scan my app once every 6 months whereas I'd need to do it on weekly releases.