Hacking Salesforce Sites with an LLM Agent (reco.ai)
2 points by llmacpu 10 hours ago | 1 comment
skynotblue 9 hours ago
There are a lot of claims here with no evidence, though it is understandable that companies with lax security measures would want anonymity. A lot of sites that invest heavily in security leave low-hanging fruit because their security efforts are not focused on all fronts. [Ex: A company might be investing a lot of resources making sure Application Code is secure (Application Security) but leave an insecure S3 bucket (Cloud Security)]. It is possible that your agent exploited these structural gaps. The phases your agent executed mirror standard workflows used by existing, generic systems (e.g., Claude Code, Antigravity Agent, Codex). I'm sure any of these generic agents would find the same vulnerabilities that your agent found. The article makes it seem like your agent is novel technology when it's not.