← Thinking Thinking

The Productization of Agent Toolchain: When Loop Engineering's Six Building Blocks Become a Market

From Claude Cowork to ChatGPT Work, from MCP to Agent Gateway, loop engineering's six building blocks are crystallizing into a five-layer product market.

2026-07-11Thinking42 min read

I. Prologue: From Concept to Product in Three Months

In June 2026, Addy Osmani, Bill Cherny (Anthropic), and Steinberger systematically defined the conceptual framework of loop engineering. They broke AI agent engineering practice into six building blocks: Automations, Worktrees, Skills, Connectors, Sub-agents, and Memory. At that point, these concepts still lived in long Twitter threads and tech blogs.

By mid-July 2026, every one of those six building blocks had spawned independent products and companies. The coding agent layer has Claude Code, Codex, and Cursor. The connectors layer has the MCP protocol as a de facto standard. Sub-agents and Memory are being absorbed into enterprise capabilities by Claude Cowork and ChatGPT Work. Agent Gateway, as a new category, was formally named by Forbes.

The concept of loop engineering went from tech-blog discussion to market consensus in roughly 90 days. But the products themselves predate the concept by a wide margin — Claude Code shipped in February 2025, the MCP protocol was proposed in late 2025, and Cursor launched in 2023. What happened in July 2026 was that these scattered products and concepts suddenly crystallized into a clear product category map. This speed has no precedent in the early stages of cloud computing, mobile apps, or SaaS.

The core question emerges: will this new market end up horizontally layered, like cloud's IaaS/PaaS/SaaS with each layer independent? Or will it vertically integrate, with big tech owning the full stack? This article attempts to draw the market map using publicly available information as of July 2026, and offer a judgment.

II. Market Map: Five Layers Undergoing Productization

1. Model Layer — Performance Converges, Price Diverges

In July 2026, the core narrative of the model market is no longer "who's smarter" but "who's cheaper."

OpenAI released the GPT-5.6 series on July 9, divided into three tiers: Sol, Terra, and Luna. Sol is the flagship model for agentic coding. Sam Altman said in a CNBC interview that Sol improves token efficiency by 54% over its predecessor in coding-agent scenarios. This means Sol consumes fewer tokens for the same task, and the cumulative cost gap on long tasks widens significantly.

Forbes delivered a concrete number in its July 10 review: Sol is priced roughly one-third cheaper than Fable 5 (Google). If you're a heavy coding user, this difference shows up clearly on your monthly bill.

Chinese model vendors have an even more extreme price advantage. CNBC reported on July 7, citing OpenRouter data, that Chinese models like DeepSeek and Qwen are priced 60%–90% lower on average than US models in the American enterprise token market. This isn't lab data — OpenRouter is the routing platform that US developers actually use.

More notable is the market share shift. OpenRouter data shows that Chinese models now account for 30%–46% of enterprise token usage in the US (internet companies on the higher end, traditional industries on the lower). That's a range because sector variation is significant, with internet firms more inclined to mix models. But even at the floor of 30%, it means one in every three tokens runs on a Chinese model.

Performance converges, price diverges, and the result is rapid commoditization of the model layer. Brand premium will persist (GPT and Claude command a trust premium in enterprise procurement), but the pure capability gap can no longer support a 5–10x price difference.

2. Coding Agent Layer — From Tool to Platform

The coding agent layer is the hottest in loop engineering.

Claude Code is Anthropic's flagship product, embedded directly in the terminal and IDE. OpenAI's Codex is integrated into the ChatGPT desktop app. Cursor started as an independent AI IDE and is evolving toward an agent platform. Perplexity was reported by Business Insider on July 7 to be internally developing Teammate, a model-agnostic coding agent that has been in use inside Perplexity since May.

Figma's move deserves particular attention. TechCrunch reported on July 7 that Figma acquired Bud, a startup that began in vibe coding and pivoted to an agent platform. Figma's intent is clear: embed agent capabilities into design tools, letting designers generate deployable product prototypes directly rather than just Figma files.

Taken together, these signal a trend: coding agents are shifting from "assistive tools" to "platform entry points." When you spend six hours a day writing code in Cursor or Claude Code, that agent becomes your work environment. It determines which model you use, what data you access, and what workflows you follow. Once platform属性 takes hold, switching costs rise.

Coding Agent Competitive Landscape: Position comparison of Claude Code, Codex, Cursor, Perplexity Teammate, and Figma/Bud
Coding Agent Competitive Landscape: Position comparison of Claude Code, Codex, Cursor, Perplexity Teammate, and Figma/Bud

Perplexity Teammate's model-agnostic strategy is worth watching. If a coding agent isn't locked to a single model, users can choose the optimal model per task (DeepSeek for cheap tasks, Claude for complex ones), which further weakens the model layer's pricing power. Conversely, it means the coding agent layer itself competes more fiercely — without model lock-in as a moat.

3. Enterprise Agent Layer — Claude-ification in Full Swing

Forbes / Moor Insights published an article on July 8 with a core concept in the headline: "Claude-ification" — every major tech company is copying Claude Cowork's product form.

Claude Cowork completed a significant upgrade on July 7. TechCrunch reported that Cowork expanded to web and mobile, with the cloud version running continuously and the chat interface merging with the Cowork interface. This means Claude is no longer a "you ask once, it answers once" conversational tool — it's a continuously running, stateful agent instance in the cloud. You can assign it a long-running task, it executes in the background, and you check back anytime.

ChatGPT Work launched on July 9 (Reuters and Forbes reported the same day). Powered by GPT-5.6, it works across Slack, Google Drive, and Microsoft 365. Its form factor is highly similar to Claude Cowork: a persistent cloud agent, cross-system integration, with chat as the interaction entry point.

The Forbes review noted that Microsoft's Copilot Cowork and Amazon's enterprise agent products, while similar in form, show a noticeable gap in experience. This relates to underlying model capability: GPT-5.6 and Claude lead in planning for agentic scenarios, while the models behind Copilot remain unstable on complex multi-step tasks.

Ars Technica's review revealed a key pricing detail: ChatGPT Work uses the same credit-based billing as Codex. This means a single long task could consume a large number of credits, and one major code review or data processing job might "use up most of your plan's allocation." This directly affects enterprise procurement decisions. Monthly fees have a known ceiling; credit billing does not. Enterprise finance departments dislike unknown ceilings.

The role of the enterprise agent is changing. It's no longer a standalone product — it's becoming a platform entry point through which users access all tools and data. This mirrors the search box of the 2010s: the search engine looked like a feature but was actually the gateway to the entire internet.

4. Agent Gateway Layer — Birth of a New Category

Forbes published an article on July 5, 2026, formally naming "Agent Gateway" as a new category. This isn't conceptual hype — at least three products have already reached GA or marketplace:

  • Nutanix Agent Gateway: GA in Enterprise AI 2.7, delivered starting late May. Nutanix's customer base is enterprise IT departments, so this gateway is designed assuming "the enterprise already has a complex permission system."
  • Arcade: An authorization and tool-execution runtime, launched on Azure and AWS marketplaces on July 3. Its core value is standardizing permission management and execution sandboxes for agent calls to external tools.
  • Manufact: Opened its MCP hosting cloud on July 2. Positioned as "the managed layer for the MCP protocol" — you don't need to run your own MCP server; Manufact runs it for you and handles security and auditing.

Why does agent traffic need an independent gateway? Because agent call patterns are fundamentally different from traditional APIs.

A traditional API Gateway manages three things: authentication (who are you), rate limiting (how many requests per second), and routing (where does the request go). This system assumes the caller is a human-triggered application — someone clicks a button, the app sends a request, and frequency is predictable.

Agents are different. An agent autonomously decides what tools to call, how many times, and with what parameters. A coding agent reviewing code might make 50 consecutive MCP tool calls, each accessing different files and APIs. Humans don't do this. Traditional rate limiting either over-blocks this pattern (intercepting legitimate agent loops) or fails entirely (no interception, leaving token costs and permission exposure uncontrolled).

An Agent Gateway needs to manage three additional layers:

  • Permission boundaries: Define what each agent can do in each loop iteration. Not a blanket "this agent has admin privileges," but "this agent, in step 3 of its code review loop, can read repo A but cannot write to repo B."
  • Budget controls: Limit token consumption and tool call count per loop iteration. Prevent the agent from entering an infinite loop and burning hundreds of dollars in API costs.
  • Audit trails: Record the evidence chain for every decision the agent makes at every step. When something goes wrong, you can trace back: why did the agent decide to delete this file? Why did the agent access this API?

These three layers map directly to the budget gate and permission gate in the loop engineering framework. The theory was proposed in June; the productized Gateway layer arrived in July to operationalize those concepts.

5. Protocol Layer — MCP Becomes De Facto Standard, but Security Debt Accumulates

MCP (Model Context Protocol) went from an Anthropic proprietary protocol to an industry de facto standard in roughly eight months. In late 2025, MCP was still just an internal connector for the Anthropic Claude ecosystem. By July 2026, it's the standard interface for nearly every AI agent product.

Several milestones illustrate MCP's penetration speed:

  • X (formerly Twitter) launched an official MCP server on June 30 (TechCrunch reported). This means AI agents can directly read and write data on X via a standard protocol — post tweets, search, analyze. A social platform adopting MCP is a signal: MCP is no longer just a developer tool.
  • Morningstar disclosed in an investor Q&A on June 25 that 17% of PitchBook customers have adopted MCP connectors. The financial data industry is typically slower to adopt new tech, so 17% adoption suggests MCP has crossed the early-adopter threshold.
  • The hotel industry is moving too. Simple Booking (7,000+ hotel properties) is integrating MCP to let AI agents directly query room availability and manage bookings. Traditional industry adoption further confirms MCP's role as the standard.

The MCP 2026-07-28 new specification is about to take effect. SecurityWeek noted in a June 26 analysis that the core change is "statelessness" — the protocol layer will no longer maintain session state, and developers must manage it themselves. This is an enterprise-grade change: it makes MCP servers easier to scale and deploy (stateless services scale horizontally), but pushes state management complexity to the application layer.

SecurityWeek also warned: security responsibility shifts from the protocol layer to developers. If implemented poorly, MCP's attack surface expands.

This isn't a theoretical concern. Wiz security researchers discovered a vulnerability in Amazon Q's MCP implementation, CVE-2026-12957 (Dark Reading, June 29). An attacker could craft a malicious repository; when an agent accesses it via MCP, it inherits the developer's permissions, enabling theft of AWS cloud credentials. The vulnerability logic is straightforward: MCP lets an agent act on behalf of the developer, and if permission boundaries aren't clear, the agent becomes a conduit for privilege escalation.

MCP becoming the standard is high-probability. But security debt is accumulating just as fast. Protocol-layer standardization is running ahead of security practices — not unusual in tech history (TCP/IP was the same), but it means enterprises adopting MCP must build their own security layer.

Five-Layer Market Map: Distribution of products and companies across Model Layer, Coding Agent Layer, Enterprise Agent Layer, Agent Gateway Layer, and Protocol Layer
Five-Layer Market Map: Distribution of products and companies across Model Layer, Coding Agent Layer, Enterprise Agent Layer, Agent Gateway Layer, and Protocol Layer

III. Three Key Signals

Signal 1: The Super App Race — OpenAI and Anthropic Converge on the Same Direction

Looking at July 2026 moves, OpenAI and Anthropic are doing the same thing: merging all agent capabilities into a single desktop super app.

OpenAI's path:

On July 9, TechCrunch reported that OpenAI shut down the Atlas browser project. Atlas was OpenAI's standalone browser product, originally intended to compete with Chrome. Sora's standalone app was also shut down. Fidji Simo said something telling in an internal meeting: "cut the side quests."

The shuttered products didn't disappear — they were absorbed. The ChatGPT desktop app is becoming a three-in-one product: ChatGPT + Codex + Work (9to5Mac, July 9). Chat, coding, and enterprise task execution integrated into the same interface. This mirrors Google's logic on Android: merging search, Assistant, and Gemini into the Google app.

Anthropic's path:

On July 7, NBC News reported that Claude's chat and Cowork have merged into the same interface. After Cowork moved to the cloud and runs continuously, you don't need to keep Claude Code open locally — the cloud agent runs tasks for you. You open Claude's web or mobile app, see a chat window, but behind it sits a continuously running enterprise agent.

The two companies' moves are highly convergent. The direction is the same: the user entry point is a chat interface, but behind it lies a composite of enterprise agent, coding agent, and browser/tool-calling capabilities. The enterprise agent has gone from standalone product to a functional module within a desktop super app.

Google's position:

Google doesn't yet have a clear counterpart to Claude Cowork or ChatGPT Work. But 9to5Google reported on July 8 that Android's Bench framework is being swapped out — infrastructure-level preparation that hints Google is laying the groundwork for agent capabilities on Android. Google has a browser (Chrome), an enterprise entry point (Workspace), and a mobile OS (Android). If they want to build a super app, the components are all there. The question is whether they can stitch them together.

Signal 2: Why Agent Gateway Became Independent

§2.4 already laid out the Agent Gateway's product form and technical differentiation. The judgment question here: why can't traditional API Gateways simply extend to cover agent traffic, making a separate category unnecessary?

The core judgment is that the governance dimensions differ. Traditional API Gateways solve "who called what." Agent Gateways need to solve "why did the agent decide to do this." TrueFoundry's concept of "standing permissions" precisely describes this difference: permissions aren't granted to the agent (who is an agent? it's just code), but to a specific position in the loop. This granularity doesn't exist in traditional API Gateways at all.

This maps directly to the budget gate in the loop engineering framework: budget gate is the theoretical concept ("how many tokens per loop, how many tool calls"), and the Agent Gateway is its productization. Another driver of independence is the neutrality requirement. Enterprises won't trust a Gateway provided by any single model vendor — if the Gateway is OpenAI's, how can it fairly treat Claude's traffic? Neutrality is a structural opportunity for third-party vendors.

Signal 3: MCP's Turning Point — From Developer Tool to Enterprise Standard

MCP's adoption speed is already fast enough: from an Anthropic internal protocol to industry de facto standard in about eight months (OAuth took roughly four years). But what's more telling is the diversity of adopters: social platforms (X), financial data (Morningstar/PitchBook at 17% customer adoption), hospitality (Simple Booking at 7,000+ properties), and developer tools (GitHub, Linear, Notion) are all connecting. Cross-industry, cross-scenario adoption tells us MCP solved a real pain point: agents need a standard way to connect to external tools and data sources.

§2.5 already analyzed the MCP 2026-07-28 specification's security risks and the Amazon Q MCP vulnerability. One additional judgment here: MCP is at a turning point from developer tool to enterprise standard. The hallmark of this turning point is that protocol standardization is running ahead of security practices (as TCP/IP did early on), and adoption speed is running ahead of governance frameworks. For enterprises, this means adopting MCP is now necessary (falling behind means losing ground), but you must build your own security layer — you can't wait for the protocol layer to provide security guarantees.

IV. Vertical Integration vs. Horizontal Layering: The 12-Month Question

This is the most critical judgment in the article. The July 2026 market landscape can be distilled into three paths:

The OpenAI Path: Full-Stack Vertical Integration

OpenAI's strategy is the most aggressive: build the models themselves (GPT-5.6), the coding agent themselves (Codex), the enterprise agent themselves (ChatGPT Work), the browser themselves (formerly Atlas), and the desktop client themselves (ChatGPT app). Atlas being shut down and merged into the main app is the clearest signal — OpenAI has decided against multiple standalone products and is building one super app that integrates everything.

The upside of this path is user experience consistency: all features share the same context, the same account, the same permissions. The downside is that OpenAI bears all the cost and risk across every layer. If the model layer gets dragged into a Chinese price war, the profit margin on upper-layer products gets compressed.

The Anthropic Path: Semi-Open Integration

Anthropic's path sits between OpenAI and full openness. They build their own models (Claude), coding agent (Claude Code), and enterprise agent (Cowork). But Connectors are open to the MCP ecosystem — they don't require every tool to be Anthropic's. Claude Code supports self-hosting via Bedrock/Vertex, giving enterprises deployment flexibility.

Anthropic's advantage is the MCP protocol. As MCP's creator, Anthropic has protocol-layer influence. This mirrors Google's relationship with Android: you can use Android (MCP), but Google's Android (Claude) has the best experience.

The Third-Party Path: Finding Position in the Gaps

Nutanix builds Agent Gateway, Arcade builds runtime, Perplexity builds Teammate, Figma builds design-to-code. These companies aren't trying to compete full-stack with OpenAI/Anthropic — they're finding their position in specific layers.

Lyzr's case is worth noting. Bloomberg and TechCrunch reported on July 9 that Lyzr raised $100M, having run its own business on its own agent product. Dogfooding (using your own product to run your business) became a marketing pitch: "look, our agent runs our company." If true, it proves agents can actually do real work, not just demos. But it could also be pure fundraising narrative. We need to see subsequent product delivery.

My Judgment

The Enterprise Agent layer and Gateway layer will most likely stay separate. The reason is the neutrality requirement. Enterprise IT departments won't accept "my agent gateway is OpenAI's, so it sees all my agent traffic." Neutrality is the moat for third-party Gateway vendors.

The Coding Agent and Enterprise Agent will merge. Claude Code and Cowork are already merging. ChatGPT and Codex are merging too. For enterprises, "coding agent for developers" and "enterprise agent for non-developers" will become two modes of the same product.

The most vulnerable position is the standalone Coding Agent. Feature convergence is severe — the gap between Claude Code, Codex, and Cursor in core capability is already small. Large platforms can squeeze out independents through model + agent + enterprise entry point bundling. SpaceX acquired Cursor for approximately $60B (TechCrunch, June 2026; our prior analysis). Even with a loyal user base, a standalone coding agent ultimately becomes an acquisition target for big platforms.

The most valuable position is Agent Gateway. Neutrality and governance requirements are structural — they won't disappear as models get better. Traditional API Gateway vendors (Kong, Apigee) will likely enter this category through acquisition, leveraging their existing customer base and sales channels.

One threat that can't be ignored: traditional API Gateway giants (Kong, Apigee/Google, AWS API Gateway) may enter the Agent Gateway market through feature expansion or acquisition. Nutanix's first-mover advantage is in understanding agent behavior patterns, but if Kong adds agent traffic management to its existing product line, the channel advantage is ready-made.

Conversely, if LLM capabilities continue improving — models making fewer errors, fewer unpredictable tool calls — will the Agent Gateway's reason for being weaken? Not in the short term, because agent deployment volume is growing faster than model capability. But in the long run (3–5 years), the Gateway layer could be partially absorbed by model capability, much like the Web Application Firewall didn't disappear but ceased to be an independent category.

Vertical Integration vs. Horizontal Layering: Comparison of OpenAI full-stack, Anthropic semi-open, and third-party specialization
Vertical Integration vs. Horizontal Layering: Comparison of OpenAI full-stack, Anthropic semi-open, and third-party specialization

V. Risk: Agent Security Is the Next Attack Surface

Agent security is no longer a theoretical concern — it's already a pain point in practice.

GitLab's 2026 AI Accountability Report offers key numbers: 91% of organizations use two or more AI coding tools, and 54% use three or more (GitLab 2026 AI Accountability Report, published June 2026). This means multiple agents are simultaneously accessing codebases, APIs, and data inside enterprises — most likely without a unified governance framework.

Dark Reading's July 10 analysis made a sharp call: the security risks of AI coding may exceed the productivity gains. Whether that call is premature is debatable, but the underlying logic holds: agents autonomously calling tools + an expanding MCP attack surface = the traditional application security model is no longer sufficient.

Specifically, security risks come from three directions:

First, blurred agent permission boundaries. Agents perform operations on behalf of humans, but the permissions they inherit are typically the developer's full permission set. The Amazon Q MCP vulnerability is the case study. If an agent can do everything a developer can, then the risk of it accessing malicious code equals the developer accessing it directly.

Second, the MCP attack surface. MCP turns the external systems that agents connect to into an attack surface. A malicious MCP server can inject false data, execute unauthorized operations, or even control agent behavior through prompt injection. And the new MCP specification pushes security responsibility to developers. Developers must ensure their MCP client implementation is secure — on their own.

Third, loop runaway. The core of an agent is the loop: perceive, decide, act, perceive again. If the loop logic has a bug or is exploited, the agent may execute a large number of unintended operations. A runaway coding agent could modify hundreds of files, delete important branches, or even push code to production.

This is exactly why the Agent Gateway exists: agents must not touch production systems directly. The Gateway is the mandatory intermediary between agents and production systems, responsible for checking permissions, controlling budgets, and recording audit logs in every loop iteration.

HealthTech reported on July 9 that the healthcare IT industry is also watching vibe coding security. The particular concern in healthcare is HIPAA compliance: if an agent mishandles patient data, the legal consequences are more severe than in other industries. The fact that regulated industries are paying attention to agent security confirms this isn't a tech-circle echo chamber — it's real business risk.

VI. Judgment

To summarize the judgments clearly:

Toolchain productization is a good thing. Loop engineering was a conceptual framework in the tech community in June; by July, you can buy products against it. The barrier is dropping. A mid-size company can now buy models (API), a coding agent (Claude Code or Codex), an enterprise agent (Cowork or ChatGPT Work), an Agent Gateway (Nutanix or Arcade), and use the MCP protocol to connect everything. Three months ago, this required self-assembly.

But productization is not commoditization. Pricing power and stickiness vary enormously across layers. The model layer is rapidly commoditizing (price war, performance convergence), but the Agent Gateway layer will command high pricing power due to neutrality and governance requirements. The MCP protocol layer itself is free, but the tool ecosystem built on MCP generates subscription revenue.

The most valuable layer: Agent Gateway. The core of this judgment is the neutrality requirement: enterprises will not hand all agent traffic to a single vendor. Traditional API Gateway vendors (Kong, Apigee) and cloud providers (AWS, Azure) will likely enter this category through acquisition. Nutanix has already moved first, and Arcade is already on the marketplaces. First-mover advantage matters in B2B.

The most dangerous layer: Coding Agent. Feature convergence + large-platform bundling = shrinking survival space for independents. SpaceX acquiring Cursor for $60B (TechCrunch, June 2026) shows that even with a loyal user base, a standalone coding agent is ultimately just an acquisition target for big platforms. Perplexity Teammate's model-agnostic path is a smart differentiator, but whether it translates into a viable business remains to be seen.

MCP becoming the standard is the highest-certainty trend. Eight months from private protocol to industry de facto standard. Social platforms (X), financial data (Morningstar), hospitality (Simple Booking) are all connecting. But the MCP 2026-07-28 specification's statelessness push shifts security responsibility to developers, and Amazon Q's CVE has already demonstrated the risk. Protocol-layer standardization is running ahead of security practices, and this gap will surface as security incidents in the next 6–12 months.

12 months to verdict. The core tension is OpenAI's vertical integration vs. the open ecosystem's horizontal layering. OpenAI merging everything into a super app is the strongest user-experience strategy. But enterprises won't surrender all control to a single vendor — neutrality, interoperability, and vendor diversification are fundamental principles of enterprise IT procurement.

My bet is on the latter. Not because I prefer openness, but because this is how enterprise markets have always worked. Cloud computing didn't end up AWS-only. Mobile didn't end up Apple-only. SaaS didn't end up Salesforce-only. The agent toolchain most likely won't end up OpenAI-only either. Horizontal layering, multi-vendor coexistence, and 2–3 leading players per layer — that's the steady state of enterprise markets.

Of course, history has alternative readings: Microsoft took the vertical integration path in the PC era and won. OpenAI is attempting the same strategy. Betting on horizontal layering is, at its core, betting that enterprise demand for neutrality and portability outweighs the desire for an integrated experience.

But that doesn't mean OpenAI loses. The better OpenAI executes on vertical integration, the harder the open ecosystem must work to compete. This tension is healthy for the market: competition drives down prices, accelerates innovation, and gives users more choice.

Loop engineering's six building blocks have become a market. Now we watch who can stack them into something that lasts.


Sources & Disclaimer: This article is based on publicly available information, including reporting from TechCrunch, Reuters, Forbes, CNBC, Business Insider, and Bloomberg; official product announcements from Anthropic, OpenAI, Google, and Nutanix; the MCP Protocol specification (2026-07-28); the GitLab 2026 AI Accountability Report; Addy Osmani's "Loop Engineering" essay; and public disclosures from relevant companies. Not investment advice. Data as of July 11, 2026.