security 2026-05-19

Bun's Rust Rewrite, Remote Cache CDC, AWS Security Agent

Bun's 750k-line Zig-to-Rust port landed in May — 99.8% tests passing, prepped by humans, run by LLMs. AWS Security Agent hit GA on April 1 at $50/task-hour. Karrot's remote-cache/CDC pattern is the unsexy foundation most feature platforms skip. Plumbing is the new moat.

Bun's Rust Rewrite 🦀, Remote Cache CDC 📦, AWS Security Agent 🥷

Jarred Sumner quietly merged a 750,000-line Zig-to-Rust port of Bun this month, Anthropic's AWS Security Agent hit GA, and a feature platform called Karrot open-sourced a remote cache pattern that ties CDC streams to a build-time invalidation layer. Three different bets on the same idea: the hard part of 2026 is plumbing, not models.

What You Need to Know: Bun completed its long-rumored rewrite from Zig to Rust in May 2026 — roughly 750k lines of Rust with 99.8% of tests passing. AWS DevOps Agent and AWS Security Agent both went GA on April 1, 2026, after a five-month preview. Karrot published a reference architecture for tying CDC (change data capture) events to a remote cache in their feature platform.

Why It Matters

  • Bun's rewrite is a real-world benchmark for LLM-assisted ports. Jarred Sumner says it took a week. The Hacker News thread on the merge had the most honest developer discussion of AI-generated code I've read this year — including one commenter who read through the prep work, mapped Bun's existing bun_collections smart-pointer types 1-to-1 to Rust equivalents, and concluded the team had been planning the port "long time ago." That's the part nobody selling AI tools will tell you: the prep is 90% of the work, and the LLM just runs the script.
  • AWS Security Agent is the most aggressive move yet into autonomous security tooling. On-demand pen testing at $50/task-hour, with an average 24-hour evaluation costing up to $1,200. That's a fraction of the $10,000–$50,000 a human pen test costs, and AWS says some customers are seeing 70% to 90% savings. Microsoft shipped its Azure SRE Agent on March 10, 2026, but nobody else has the security-side agent yet.
  • The Karrot remote-cache/CDC pattern is what most "feature platform" vendors aren't telling you. Tying cache invalidation directly to CDC events from Aurora means the cache can't drift from the source of truth. It's a cheap pattern, and it works in any stack, not just Karrot's.
  • Plumbing is the new moat. All three stories are about plumbing: the runtime, the security tester, the feature store. None of them are about a smarter model. The teams that own the boring parts own the platform.

What Actually Happened

Bun's Rust rewrite lands

The PR landed on May 14, 2026, and Hacker News thread #48132488 is worth reading end to end. The headline number from a community post that summarized Sumner's announcement: 750,000 lines of Rust, 99.8% of tests passing. The "took a week" claim got pushed on — multiple readers noted the Bun codebase was already structured with internal smart pointer types and a Rust crate (bun_collections) that mapped cleanly, suggesting the port was prepped before the LLM-assisted push.

One comment that's stuck with me: "Porting an application with source available and a huge existing test suite is pretty much the ideal use case for an LLM. It has everything it needs to succeed." That's the part the marketing copy skips. If you don't have the test suite and the type mapping, the LLM is guessing. Bun had both. Most teams don't.

The thread also surfaced a real concern about LLM-assisted rewrites at this scale: maintainability. If the rewrite is LLM-generated, who understands it? The Bun team has Sumner and a small core group. For a smaller project, "we ported it in a week" can quietly mean "nobody here can debug the Rust."

  • Source: Hacker News, "Rewrite Bun in Rust has been merged" — https://news.ycombinator.com/item?id=48132488
  • Source: GitHub commit, oven-sh/bun — https://github.com/oven-sh/bun/commit/46d3bc29f270fa881dd5730ef1549e88407701a5

AWS Security Agent and DevOps Agent hit GA

AWS went GA with both frontier agents on April 1, 2026, after a five-month preview. The pricing is the news. DevOps Agent runs at roughly $0.50 per minute, billed per second, only when active. Security Agent runs at $50 per task-hour; an average 24-hour autonomous pen test costs up to $1,200. AWS says customers in preview saw 70% to 90% pen testing cost reductions.

The real differentiator is the Security Agent's reach. It's the only hyperscaler autonomous pen tester on the market — Microsoft has the Azure SRE Agent (GA March 10, 2026, with Microsoft reporting 1,300+ internal agents and 35,000 mitigated incidents) but no first-party autonomous pen test. Google Cloud is selling the Agent Development Kit for customers to assemble their own, plus Gemini Cloud Assist Investigations, but no equivalent autonomous testing product. AWS is also the only one that runs the Security Agent across AWS, Azure, Google Cloud, and on-prem systems through the Model Context Protocol.

The constraints matter too. DevOps Agent cannot directly modify infrastructure — it diagnoses, recommends, then a human implements. Security Agent is still a nascent category; organizations with strict compliance requirements may still need certified human pen testers. And the agents launched in only six AWS regions. Per the Forbes analysis by Janakiram MSV, DevOps Agent processes inference across US regions regardless of customer region, which has data residency implications for EU and APAC shops.

  • Source: Forbes, "AWS Deploys AI Agents To Do The Work Of DevOps And Security Teams" — https://www.forbes.com/sites/janakirammsv/2026/04/01/aws-deploys-ai-agents-to-do-the-work-of-devops-and-security-teams/
  • Source: AWS, "AWS Security Agent" — https://aws.amazon.com/security-agent/
  • Source: AWS, "AWS DevOps Agent" — https://aws.amazon.com/devops-agent/

Remote Cache + CDC, the feature platform plumbing

Karrot (the Korean community app, not the rideshare one) published Part 2 of an architecture series on AWS's blog in mid-2025 that's getting a second wind this year. The pattern: CDC events from Aurora flow into a consumer that uses those events to invalidate a remote cache. The cache can't drift from the source of truth because every cache update is a downstream effect of a CDC event.

The reason it matters: most "feature platform" vendors sell you a feature store, an online store, a vector index, and a freshness SLA — and quietly hide the fact that freshness is a polling problem they can't fully solve. The Karrot pattern says no, freshness is an event-routing problem, and you can solve it with CDC plus a cache that consumes the events. It's the same pattern Stripe and Lyft have used internally for years, and it's free to copy.

The AWS architecture blog has the full diagram. The short version: source Aurora → CDC stream → consumer that does both feature computation AND cache invalidation → consumers read from the remote cache, never from the source.
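The consumer side of this pattern, as an added sketch (not Karrot's or AWS's code): the event shape, the `lsn` field, and `compute_feature` are assumptions, and a dict stands in for the remote cache. It shows the per-key log-position check that keeps duplicate or late-replayed CDC events from overwriting newer cache state.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CdcEvent:
    """Constructed event shape (assumption): one row change from the CDC stream."""
    lsn: int                    # log position, increasing in commit order
    op: str                     # "insert", "update" or "delete"
    key: str                    # cache key derived from the row's primary key
    row: Optional[dict] = None  # row image after the change; None for deletes

def compute_feature(row: dict) -> dict:
    """Hypothetical feature computation: bucket a user's post count."""
    return {"post_count_bucket": min(row["post_count"] // 10, 5)}

class CdcCacheConsumer:
    """Applies CDC events to a cache; a dict stands in for the remote cache."""
    def __init__(self) -> None:
        self.values: dict = {}
        self.applied_lsn: dict = {}  # kept after deletes, acting as a tombstone

    def apply(self, event: CdcEvent) -> bool:
        # At-least-once delivery: skip duplicates and late replays per key.
        if event.lsn <= self.applied_lsn.get(event.key, -1):
            return False
        if event.op == "delete":
            self.values.pop(event.key, None)
        elif event.op in ("insert", "update"):
            self.values[event.key] = compute_feature(event.row)
        else:
            raise ValueError(f"unknown CDC operation: {event.op!r}")
        self.applied_lsn[event.key] = event.lsn
        return True

    def read(self, key: str) -> Optional[dict]:
        return self.values.get(key)

# Constructed sample stream with one duplicate and one late replay.
SAMPLE_EVENTS = [
    CdcEvent(1, "insert", "user:1", {"post_count": 3}),
    CdcEvent(2, "insert", "user:2", {"post_count": 55}),
    CdcEvent(3, "update", "user:1", {"post_count": 27}),
    CdcEvent(1, "insert", "user:1", {"post_count": 3}),   # duplicate delivery
    CdcEvent(4, "delete", "user:2"),
    CdcEvent(2, "insert", "user:2", {"post_count": 55}),  # replay after delete
]

def replay(events):
    consumer = CdcCacheConsumer()
    return consumer, [consumer.apply(e) for e in events]
```

With a real remote cache, the position check and the write need to be a single atomic operation so that concurrent consumers cannot interleave between them.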

  • Source: AWS Architecture Blog, "How Karrot built a feature platform on AWS, Part 2: Feature ingestion" — https://aws.amazon.com/blogs/architecture/how-karrot-built-a-feature-platform-on-aws-part-2-feature-ingestion/
  • Source: AWS, "ICYM May 2026 @AWS Security" — https://aws.amazon.com/blogs/security/icymi-may-2026-aws-security/

The Take

Three plumbing wins in one digest. Bun's rewrite works because the team had the test suite and type discipline before the LLM touched it — the lesson is "do the prep work," not "let the AI do the rewrite." AWS Security Agent is the first hyperscaler product that competes with human security consultants on price, and the customers in the Forbes piece are already seeing 70-90% savings; the constraint is that it only does autonomous pen testing, not the certified-compliance work some audits require. And the Karrot remote-cache/CDC pattern is the unsexy foundation that most "AI feature platform" pitches skip over.

The thread that ties them: in 2026, the moat is plumbing. Smarter models are a commodity. Better runtimes, better autonomous tooling, and better event-driven architectures are how you ship something the model alone can't do. Build the boring layer first.

Quick Summary

Bun is now Rust (750k lines, ~one week of LLM-assisted work, prepped by humans), AWS Security Agent is GA at $50/task-hour, and tying CDC streams to a remote cache is the cleanest pattern for keeping feature freshness honest. Plumbing wins.


Sources

  • Hacker News, "Rewrite Bun in Rust has been merged" — https://news.ycombinator.com/item?id=48132488
  • Forbes, "AWS Deploys AI Agents To Do The Work Of DevOps And Security Teams" — https://www.forbes.com/sites/janakirammsv/2026/04/01/aws-deploys-ai-agents-to-do-the-work-of-devops-and-security-teams/
  • AWS, "AWS Security Agent" — https://aws.amazon.com/security-agent/
  • AWS Architecture Blog, "How Karrot built a feature platform on AWS, Part 2: Feature ingestion" — https://aws.amazon.com/blogs/architecture/how-karrot-built-a-feature-platform-on-aws-part-2-feature-ingestion/
  • AWS, "ICYM May 2026 @AWS Security" — https://aws.amazon.com/blogs/security/icymi-may-2026-aws-security/