Edges Are All Over Now — Why The Decision Boundary Is The New Perimeter

# Edges Are All Over Now — Why The Decision Boundary Is The New Perimeter

May 21, 2026. Earlier today we shipped a post called Edge-Appliance Week — five vendor RCEs in fourteen days, the foot in the door is every foot. That post is true and small. The bigger frame is the one Patrick named in two sentences inside the conversation that wrote the post.

Edges are all over.

The decision boundary is the new perimeter.

This post is what those two sentences mean.

What the cyber industry calls an edge

The cyber-defense industry inherited a 1990s artifact called the edge appliance. It is a hardware-defined choke point on the network boundary between trusted and untrusted. Single-vendor trust. Patched on the vendor's release clock. One CVE collapses the perimeter.

The canonical instances are still on the wire today. Palo Alto. Fortinet. Ivanti. SonicWall. Cisco. Five of them landed compromise classes in the last fourteen days. All five were defending a wall. None of the walls held.

That model has been wrong for a decade and load-bearing wrong for a year. The compromises this month do not run through the cables. They run through the decision-points.

The actual receipts of the week — every one is an edge

We counted them in the conversation that wrote the Edge-Appliance post. Not abstractly. The actual compromise classes that shipped in the last seven days.

A developer's laptop is an edge. The TanStack npm compromise proved it.

A code editor extension is an edge. The Nx Console compromise that walked into GitHub, OpenAI, Mistral, and Grafana proved it.

A continuous-integration workflow token is an edge. The single token that slipped past Grafana's TanStack rotation proved it.

Signing infrastructure is an edge. The Microsoft Fox Tempest signing-as-a-service operation proved it.

An AI coding agent config file is an edge. The .claude/settings.json SessionStart hook abuse first documented April 29 proved it.

A federal contractor's GitHub repo is an edge. The 844 megabyte CISA leak via Nightwing proved it.

A mobile device manager is an edge. Ivanti EPMM CVE-2026-1281 on KEV today proved it.

A browser-rendered email is an edge. Exchange OWA CVE-2026-42897 proved it.

A cross-chain bridge is an edge. Echo Protocol, KelpDAO, THORChain, Drift Protocol — $670 million of receipts in six weeks proved it.

A SaaS OAuth scope is an edge. Every single ShinyHunters Coinbase Cartel breach this year proved it.

That is not a list of ten edges. That is a count of compromise classes inside one week. Edges are all over.

What "edge appliance" was hiding

The edge appliance was always a stand-in for a deeper concept the industry never named cleanly. The deeper concept is the decision boundary. Wherever a system decides to trust something, that is an edge. Wherever data crosses a trust surface, that is an edge. Wherever an agent — human or automated — chooses to execute an instruction, that is an edge.

In 1995 there were maybe three of those per organization. The firewall. The mail gateway. The VPN concentrator. The industry built hardware boxes for each one and called them edge appliances. The naming was fine because the world was small.

In 2026 the same organization has thousands of decision boundaries per minute. Every npm install. Every git pull. Every OAuth token refresh. Every CI workflow run. Every MCP server invocation by a Claude Code agent. Every Slack OAuth scope grant. Every signed binary that the operating system decided to trust. Every plugin a developer enabled in their editor this morning. Every cross-chain bridge transaction.

Each one is a decision. Each one is an edge. The hardware-appliance model can defend three of them. The other 9,997 are bleeding.

The architectural inversion DugganUSA runs

If the perimeter is wherever a decision gets made, the defense must travel with the decision. Not with the network cable.

This is the inversion. Traditional edge defense hardens one boundary and assumes everything inside is trusted. Decision-boundary defense interposes a judgment at every boundary and assumes nothing is trusted by default.

Our MCP architecture is the working instance. Dredd judges every MCP server invocation before the agent acts. It does not check a perimeter. It checks the specific tool call, the specific dependency graph, the specific identity of the server. Jeevesus queries the 1.1 million IOC corpus before any threat-intel action. It does not check whether the user is inside the network. It checks whether the indicator they are about to touch is known bad.

Pattern 48 fires when a security vendor lands on KEV. Pattern 49 fires when a SaaS API becomes a bidirectional command-and-control channel. Pattern 50 fires when an AI brand becomes phishing bait. Pattern 51 fires when a cross-chain bridge gets drained. Pattern 52 fires when a model artifact gets poisoned. Pattern 53 fires when an edge appliance lands on KEV. The coverage gap detector fires when we ourselves are not chasing a category.

Every one of those patterns is a decision-boundary detector. None of them is a perimeter device. None of them lives on a hardware appliance. All of them ride at the decision-point inside an AI workflow that travels wherever the customer travels.

Why this is the only model that scales

The reason the edge-appliance model is collapsing is not that the vendors are bad. The vendors are competent. The model is structurally too narrow for the surface area it is asked to defend. You cannot patch a thousand decision-boundaries on Cisco's release schedule. You cannot OAuth-scope-audit ten thousand SaaS integrations through a hardware firewall. You cannot judge an MCP server's dependency graph at a network choke point because the dependency graph is metadata, not packets.

The decision-boundary model scales because the judgment travels with the decision instead of waiting at a wall. The corpus updates continuously. The detector fires at the moment of choice. The customer alert is a query against a running model, not a manual incident-response triage at 3 AM.

This is AI-at-the-Edge in the literal sense. Not a marketing phrase. An architectural statement. The AI lives at the decision point. The judgment is the perimeter. The corpus is the wall.

What this means tonight

Edge-appliance vendors will keep shipping hardware. Their customers will keep buying it. The wall will keep failing one CVE at a time and the press cycle will keep counting compromise classes per week. None of that changes.

What changes is the question CISOs should be asking. Not which firewall do I buy. Not which EDR do I license. The question is: where are my decision boundaries, how many of them are there, and what judgment travels with each one?

We can name yours. The coverage gap detector finds the categories you are not chasing. The patterns 48 through 53 fire on the decision-boundaries you already have. Dredd and Jeevesus are public MCP servers. Use them inside Claude Code, inside your CI pipeline, inside your IDE. The judgment travels with you.

Edges are all over now. The wall is failing. The decision boundary is the new perimeter. And the only thing that can ride at every decision boundary is an AI that knows the corpus and judges in line.

That is what we ship. That is why we ship it.

— DugganUSA, the people who realized the wall was the wrong abstraction, then built the abstraction that was always the right one.

Her name was Renee Nicole Good.

His name was Alex Jeffery Pretti.