The Wild Cyberwest - Trimming Circles
∗ ∗ ∗
“Whatever exists, he said. Whatever in creation exists without my knowledge exists without my consent.”
— Judge Holden
I wake up each day to a world animated by about 3.5 million colorful pixels, full of stories and opinions and surprises engineered to harvest my time and distill it into a feature vector the attention economy can trade. It’s the renewed social contract cyberspace demands. It was not always like this. I’ve spent two decades in this garden of forking paths and, like Tsun, I act anyway and decisively, despite knowing that here every choice is also being unmade. It’s a labyrinth that doesn’t quite paralyze me because at its edges I still walk and hope that there is reward more so than punishment and that some fragment of what I carry might set this garden ablaze.
I’m thinking about software and what it takes to be a dexterous wielder of bits on a daily basis. Every piece of software that falls in — or rises from — my hands carries its builder’s blind spot. For several decades, the cost of finding a critical flaw in a piece of software and the cost of fixing one moved at roughly the same pace, which is to say that both were slow and both required a form of expertise that was not easily acquired. And to some extent, both were confined to the same geometry of human cognitive bandwidth.
But that has changed. In my last piece, I promised more depth on what I called the find-fix asymmetry. If you understand this idea as much as I do, you’ll see why I’m calling this one the Wild Cyberwest.
Lately, in what almost seems like a rare recurring cosmic event I was meant to witness, various entities have started warning us about the upcoming patch wave hitting any digitally present organization. “Artificial Intelligence, when used by sufficiently-skilled and knowledgeable individuals, is showing the ability to exploit this technical debt at scale and at pace across the technology ecosystem.” I think you can cross out that part about “skilled and knowledgeable individuals” entirely and the claim would still remain largely true. And that’s the whole point — while it takes skill to hack into Meta or Google, it doesn’t take much skill to hack into an SME or startup. This category lacks serious security because they simply don’t have the resources. And if you know any outfit with an IT department, it’s usually 1-3 people doing what — patch management? Password resets? Windows installs? Also, don’t pretend startups burning million-dollar Bay Area seed rounds are budgeting for security either.
Thus, exploit velocity makes it all but unavoidable that AI-powered defense would emerge as a viable path forward. However, I’m skeptical (and so should you be) because the narrative is shaped by the same cartel gatekeeping “better defense” behind an allow-list while the rest of us are told to wait. This deserves scrutiny.
Why, despite better offensive capabilities (AI-find), did the defensive capabilities (AI-fix) not change much? And why do we expect fix to change as drastically as find? flyingpenguin had a great writeup on the cartel as a whole, but here’s the money quote:
Discovery is the easy part. The constraint on vulnerability management has been remediation for over a decade. Finding bugs faster without fixing them faster grows the backlog already growing beyond capacity. Anthropic’s own stated justification for Glasswing is defensive uplift, yet their system card measures zero remediation metrics. No patching velocity delta. No mean-time-to-remediation. No partner-reported CVE closure rate. A seasoned security leader would never build a defensive program and then measure offensive capability only, making remediation a second-class story. That is the kind of dog and pony show that any good security initiative would slam the door on. Or it’s like a surgeon telling you they have an even sharper scalpel to cut you deeper and faster. Yeah, so then what?
The “patch wave” will be full of extra bugs because they’ll use AI to patch and a percentage of that will mutate further. They sell both AI-find and AI-fix now, but neither is reliable — AI-find is bloated with false positives, and if you’re using AI-fix you can’t process thousands of lines of code for 3 hours straight at machine speed without becoming mentally numb. You’re outsourcing thinking to the machine hoping you won’t need to think, but you can’t avoid reading what it produced. So you end up thinking anyway. There will be an influx of companies shipping vibe-coded security products, though I’d expect much less of it here because the field is ruthless when it comes to punishing your mistakes. There are scanners, there were always scanners, there will be more scanners — just prepare for an interminable wave of false positives. Hacking groups will pivot to supply chain exploitation. If you’re a startup, you use these tools to buff security — or so you were promised — but you inevitably inherit the tool’s attack surface as...