Back to All Insights Subscribe on Substack

The Monks and the Machine

Published on

At 3,795 words, this post will take 15 minutes to read.

Stone monastery scriptorium with arched corridors and natural light, visual metaphor for gatekept knowledge in cybersecurity

AI offensive security tools will make the world safer. I swear that sentence will age well. What used to cost billions and a security clearance now costs pennies and a prompt.

I sat across from a founder building autonomous offensive tools last month, and he couldn’t sit still.

He kept pulling up terminal windows. Scrolling through output. Talking with his hands. He described an operation that would have required four separate teams and six months of planning when I was in uniform: breach an external interface, land on a software stack, escape the sandbox, survey the environment, execute vulnerability recon, punch through a cross-domain solution, and land inside an internal secure network. His timeline for all of it today was minutes. Maybe less.

But the part that stuck was what he said next. “The entire bureaucracy separating vulnerability research, development, operations, and analysis? That starts to break down. Positioning our people to operate in a world like that is what we wake up for.”

He wasn’t afraid of what’s coming. He was electric.

I’ve spent enough time around people building dangerous capabilities to recognize fear when I see it. This wasn’t that. This was the particular excitement of someone who understands what a capability shift means and wants to be on the right side of it. I recognized the feeling because I’ve been on both sides. I sat on the watchfloor at Cyber Command, where the tools and tradecraft that made offensive cyber expensive and rare were the daily reality. Building that expertise took the US government decades and billions of dollars, and even then it lived inside a few hundred people with the right clearances, the right mental acuity, and the right instincts. I now evaluate security companies and technologies. What I keep seeing is that expertise, that same offensive intuition honed in the most classified environments on earth, compressed into software that any developer can run on a Tuesday afternoon.

A few weeks ago, Nicholas Carlini stood on stage at [un]prompted 2026 and demonstrated something that made the room go quiet. He pointed Claude Code at the Linux kernel’s NFSv4 server code and let it iterate through source files looking for vulnerabilities. The setup, in Carlini’s words, was “disarmingly simple.” The machine found a remote heap buffer overflow that had been sitting in that code since 2003. Twenty-three years. Every human reviewer, every static analysis tool, every security audit for over two decades missed it. An AI found it by methodically reading files and asking the right questions.

Then he aimed the same approach at Ghost CMS, a beloved open-source platform with over 50,000 GitHub stars and a spotless security record. In minutes, he had a blind SQL injection (CVE-2026-26980) that allowed unauthenticated access to the admin database. Ghost’s first critical vulnerability ever, found during a live demo.

That caliber of work, finding a remotely exploitable heap overflow in kernel code, chaining a blind SQL injection against a hardened target, used to require the kind of expertise that governments spent decades cultivating and closely guarding. Carlini did it with a prompt and a for-loop. The most exquisite offensive expertise on earth got democratized.

I keep coming back to one analogy.

Before Gutenberg, literacy belonged to monasteries. The monks controlled who could read, what they could read, and what conclusions they were allowed to draw. Knowledge was scarce because the monks kept the gates. The printing press broke the monastery’s monopoly on access to existing knowledge, and the world that followed was incomparably better for it.

The cybersecurity industry has its own monks and its own monasteries. And it just got its printing press.

The Monks

On March 27, leaked documents revealed that Anthropic’s Mythos system could hunt for vulnerabilities without human guidance. The cybersecurity sector’s response was immediate and visceral. Seven individual stocks cratered 10% or more in a single session. Billions in market capitalization evaporated because an AI demonstrated it could do what these companies charge their customers to do.

Calling this “disruption” lets the industry off too easy. Economists have a term for when a market consistently fails to produce the outcomes it promises despite decades of investment and expansion. They call it a market failure. The cybersecurity vendor ecosystem, in my assessment, is exactly that. A market that rewards treating symptoms while leaving the disease structurally intact.

The code we ship is riddled with vulnerability classes first catalogued in the 1990s (and sometimes the exact same vulnerabilities). Buffer overflows, injection attacks, authentication failures. The TCP/IP stack’s implicit trust model, BGP’s lack of route authentication, DNS’s original design assumptions. Foundational protocols unaddressed for nearly fifty years. And the vast majority of software running in production has never been audited by anyone because the people with the offensive expertise to find these bugs were extraordinarily rare, extraordinarily expensive, and had no economic incentive to audit anything below the profile of Chrome or iOS. The knowledge of how to think like an attacker lived inside a few hundred elite researchers and a handful of classified government programs. Everyone else shipped code and hoped for the best.

The vendor ecosystem built products around every one of those weaknesses. It sold detection. It sold response. It sold insurance against the consequences. What it never sold was a fix for the underlying causes because fixing the causes would shrink the market. Every breach creates demand. Every new threat category creates a new vendor category. The total addressable market grows precisely because the participants fail to make it smaller. These are the monks. They controlled who got access to security expertise, what kind of security you were allowed to buy, and they made sure the underlying problem stayed unsolved because the problem was the business.

And the monks aren’t just failing to fix the problem, they’re actively contributing to it. CISA maintains a Known Exploited Vulnerabilities (KEV) catalog as a running list of software flaws that attackers are actively using in the wild. Cisco’s own Secure Firewall products landed on that list in September 2025 (CVE-2025-20333, CVE-2025-20362), exploited by a China-linked campaign that had been living inside Cisco devices since at least 2024. CISA issued an emergency directive requiring federal agencies to patch within a single day. F5’s BIG-IP, a product that sits at the core of enterprise network security, hit the KEV catalog in March 2026 with a CVSS 9.8 remote code execution vulnerability that F5 initially classified as a denial-of-service. They upgraded the severity after obtaining “new information,” which is a polite way of saying someone demonstrated the exploit was worse than they thought. Fortinet has 24 vulnerabilities on the KEV catalog. Thirteen were used in ransomware attacks. These are the companies selling you security. The BIC lighter is selling fire insurance and the market somehow treats this as normal.

The CyberWire Daily Podcast published Episode 10 on January 7, 2016. The show notes read: “Electrical utilities look to their cyber defenses in the wake of the hack in Ukraine. Malware is being distributed with compromised certificates. WordPress and SilentCircle issue patches. Ransomware-as-a-service tool ‘Ransom32.’ And we talk with the CyberWire’s editor about phishing and other topics of perennial interest.”

I joined that company in 2021, five years after that episode aired. The headlines hadn’t changed. By the time I became executive editor in 2023, they still hadn’t. The vendors sold product. The problems repeated. Phishing was a topic of “perennial interest” in 2016. The industry’s own flagship daily news program described its central threat as perennial, and nobody flinched, because the market had normalized the problem.

Trail of Bits used to find 15 bugs per week on their best engagements. After going AI-native, they now find 200. Twenty percent of all bugs they report to clients now come from AI discovery. The machine finds 13 times more bugs than humans, not because it’s faster at the mechanical work (although it is), but because it applies the offensive expertise of elite vulnerability researchers to codebases those researchers would never have touched. The knowledge that used to live in a few hundred heads now runs on every engagement. And the market that spent three decades building detection products around those bugs just watched its value proposition collapse in a single earnings cycle.

Good! It’s about damn time.

We’ve Been Here Before

In 1991, Phil Zimmermann released PGP, a piece of software that let anyone encrypt their email using the same math the NSA used to protect classified communications. In 1993, the US Justice Department opened a criminal investigation. The charge was distributing a munition. Encryption sat on the same export control list as rocket launchers and hand grenades.

The government’s argument was intuitive and wrong. If everyone has encryption, terrorists will use it. Drug dealers will use it. Law enforcement will go dark. All of this proved partially true in the short term. And all of it was overwhelmed by the long-term benefit: universal encryption enabled e-commerce, secure communications, and a level of digital privacy that became foundational to the modern internet. Zimmermann took the NSA’s math and put it in every inbox. The security of the entire internet improved because the capability stopped being exclusive.

The DOJ dropped the case in 1996. Export controls collapsed by 2000. The internet got safer. That pattern is happening again.

The cybersecurity industry looked at AI finding zero-day vulnerabilities and saw an existential threat to its business model. The open-source community looked at the same capability and raised $12.5 million. In March, the Linux Foundation announced a grant funded by Anthropic, AWS, GitHub, Google, DeepMind, Microsoft, and OpenAI. Its purpose is to help maintainers handle AI-generated vulnerability findings and move “beyond discovery to deploying fixes.”

Same input, opposite reactions. The vendors saw something that could destroy their market. The open-source community saw something that could give every maintainer the offensive security expertise that used to require a six-figure retainer and a waiting list. That divergence tells the whole story.

Zimmermann was Gutenberg. He took the monastery’s most guarded capability and made it public, and the world got safer because of it. The government tried to classify math as a weapon in the nineties and they lost. The cybersecurity industry is trying to frame AI vulnerability discovery as primarily a threat. They’ll lose too. The capability already escaped containment. Claude Code found the twenty-three-year-old kernel bug with a script that iterated over source files. XBOW, the autonomous offensive security company founded by the creator of GitHub Copilot, sits atop the HackerOne leaderboard. RunSybil, founded by OpenAI’s first security hire, runs continuous autonomous penetration testing without humans in the loop. None of these tools require a government license.

The Engineering Case

The real question: do these tools actually make software safer, or do they just accelerate the arms race?

In March 2026 alone, XBOW raised $120 million at a unicorn valuation led by DFJ Growth. RunSybil raised $40 million from Khosla Ventures. Kevin Mandia, who built Mandiant and sold it to Google for $5.4 billion, raised $190 million for his autonomous cybersecurity agent company, Armadin. That’s $350 million deployed into autonomous offensive security in a single month. Khosla, Sequoia, DFJ Growth, Altimeter. This is conviction capital.

But capital doesn’t prove the thesis. Engineering results do.

Google’s Big Sleep project, a collaboration between Project Zero and DeepMind, became the first AI agent to proactively prevent a zero-day exploitation in the wild. It found vulnerabilities in FFmpeg, ImageMagick, and other open-source projects before attackers could exploit them. The capability moved from “find bugs faster” to “find bugs first.”

I think that’s the structural shift. For thirty years, the offense/defense asymmetry has defined cybersecurity: cheaper and faster to attack than to defend. The attacker only needs one way in. The defender must protect everything. But that asymmetry assumed defenders couldn’t think like attackers, and for most of the industry’s history, they couldn’t. Thinking like an attacker required years of specialized training, access to classified tooling, and an adversarial creativity that the security industry euphemistically called “elite.” It lived inside NSA, inside Cyber Command, inside a small constellation of boutique firms that charged accordingly. A junior developer shipping code to production had exactly none of that expertise available at the moment it mattered most (while they were writing the code).

That’s what changes. When a development team runs continuous autonomous offensive testing on every commit, every developer on that team, from the principal engineer to the new hire writing their first microservice, gets their code reviewed by something that thinks like a nation-state operator. The AI attacks the codebase continuously, with the offensive intuition that took governments decades and billions to cultivate, before the human attacker arrives. Vulnerability discovery stops being an annual audit you outsource to a vendor. It becomes something that happens on every pull request, performed by something with the expertise of the best offensive researchers on earth.

The shift-left movement promised this for a decade but it never delivered because the tooling didn’t exist. The tooling now exists.

CISA has been pushing “secure by design” principles for years. The EU’s Cyber Resilience Act mandates them. The aspiration was always the right one. Stop bolting security onto finished products and build it into the development process from the start. But the aspiration lacked a mechanism. You can’t audit every line of code with human reviewers. The economics don’t work. And even if you could, those reviewers aren’t the people who spent careers learning how adversaries actually break software. The offensive security expertise required to catch the vulnerabilities that matter, the heap overflows and race conditions and logic flaws that sophisticated attackers chain together, lived in a world most developers never touched. AI collapses that gap. You can now audit every line of code with something that costs pennies per query, runs on every commit, and brings the offensive mindset of an elite vulnerability researcher to a junior developer’s pull request. That’s the step change. Secure by design stops being a policy aspiration and becomes an engineering reality when autonomous offensive tools sit inside your CI/CD pipeline, finding vulnerabilities before a single line of code reaches production. No vulnerability ships. No vendor charges you to detect it after deployment. No CyberWire headline ten years from now reads exactly like one from today. The cycle breaks because you eliminate the bug at the source. For fuck’s sake, why has it taken us thirty years to force the vendors to do this?

The implications extend beyond enterprise engineering teams. The Linux Foundation’s $12.5 million initiative means volunteer-maintained open-source projects get the same offensive security scrutiny that used to be reserved for the Pentagon’s supply chain. A ten-person startup can run continuous penetration testing that previously required a $500,000-per-year engagement with a firm like Trail of Bits. A solo developer maintaining a critical library from their apartment gets the same caliber of vulnerability review as a contractor building software for Fort Meade. Nations without billion-dollar cyber programs can assess their own critical infrastructure vulnerabilities. The expertise that was hoarded at the top of the pyramid for thirty years just became core infrastructure. The monastery is open. Everybody can now read what they want, whenever they want.

The competitive moat in cybersecurity shifts from “finding bugs” to “building systems where bugs become structurally harder to create.” A fundamentally different industry. And a better one.

The Fear Case, Fairly Stated

The fear case deserves honest treatment too because it’s not wrong about the short term.

Thomas Ptacek, one of the most technically credible voices in security, published Vulnerability Research Is Cooked in late March. Carlini, using Claude Opus via what Ptacek called “trivial bash scripts,” generated 500 validated high-severity vulnerabilities with a nearly 100% success rate on verified exploits. Ptacek’s core observation is that vulnerability research survived for decades because of “attention scarcity.” Elite researchers were rare and expensive. Their knowledge was bespoke and masterful. Most software was never audited because the auditors didn’t bother looking at anything less glamorous than Chrome. AI eliminates that scarcity. “A hundred instances of Claude” will aim at everything. Open-source projects will face, in Ptacek’s words, “a steady feed of verified, reproducible, reliably-exploitable” high-severity vulnerabilities. His money quote is that, “Researchers have been spending 20% of their time on computer science, and 80% on giant, time-consuming jigsaw puzzles. And now everybody has a universal jigsaw solver.”

He’s right about the mechanism, and the short-term asymmetry is very real. Attackers adopt new tools faster because they face no compliance burden, no change management process, and no legal review. Ransomware breakout times collapsed from eight hours in 2022 to 22 seconds by 2025, partly accelerated by AI-assisted tooling. Malicious LLMs stripped of safety guardrails are commercially available on dark web markets. Anthropic itself privately briefed government officials that Mythos makes large-scale cyberattacks much more likely in 2026.

I don’t dismiss any of that. The adoption gap between attackers and defenders is the danger zone and we’re standing in it. But Ptacek’s own framework contains the rebuttal.

His argument rests on attention scarcity as the protective barrier. Elite researchers were rare. Their expertise was bespoke and hard-won. Most software was never audited because the people who knew how to break it had better things to do. The scarcity kept the system stable. I read that and thought, “Stable for whom?” The scarcity regime didn’t produce security. It produced blind ignorance. Software only survived because nobody with the right offensive expertise bothered to look. That twenty-three-year-old buffer overflow in the Linux kernel wasn’t hiding. It was just in a part of the codebase that the world’s small population of elite vulnerability researchers deemed not worth their time. The market I described earlier, the one producing identical CyberWire headlines for a decade, thrived under that scarcity regime. The scarcity wasn’t protecting us plebeians. It was protecting the shitty failed market.

Democratizing that expertise is what breaks the cycle. When offensive security knowledge stops being the province of a small priesthood and becomes something any developer can invoke on every commit, the entire calculus of software security changes. The question stops being “can we afford to audit this?” and becomes “why would we ship anything we haven’t?” (side note: this requires the buyers to demand such a framework, which they need to start doing immediately.)

Rebuilding DevSecOps pipelines and CI/CD workflows to absorb continuous autonomous offensive testing is genuinely hard. Enterprises face integration complexity that attackers skip entirely. I’m not pretending that’s a weekend project. But the question we need to ask is whether restricting the capability produces better outcomes than accelerating its adoption. And on that question, history has already voted.

The Verdict History Already Delivered

Every time a government has tried to restrict a dual-use technology to preserve its monopoly on capability, the restriction failed and widespread adoption made things better. PGP. GPS civilian access. The internet itself. The pattern is the same. Panic -> restriction -> failure of containment -> net benefit.

Ben Thompson framed it cleanly in Stratechery when he wrote, “AI is going to be bad for security in the short-term, but much better than humans in the long-term.” That’s the 90s Crypto Wars pattern restated. The short-term danger holds. The long-term trajectory points one direction. And every catastrophic failure mode I can construct involves restricting access, not proliferating it.

Consider the worst outcomes. Restrict AI vulnerability tools to licensed entities and you create a black market while leaving most software unaudited. Let legacy vendors capture regulatory frameworks and you get “approved” AI security tools that preserve the market failure instead of correcting it. Treat AI-discovered vulnerabilities as classified and you prevent open disclosure and patching. Let the hackback debate consume all the policy oxygen (Schneier, Lawfare, and CSIS all published on this recently in the same week, which is the think-tank equivalent of a bar fight) and legislators spend their energy arguing about who gets to hack rather than how to design and build secure systems. The danger in every scenario is that good actors don’t get the tools fast enough.

I’ve thought about the governance problem. I wrote about it at length last December in The Business of Containment. where I proposed a constitutional blueprint for private offensive cyber firms. It includes mission-locked charters, guardian shares with veto power, two-key operations through hardware security modules, immutable logging, cryptographic kill-switches, and incentive structures that make restraint rational. The framework exists. The question isn’t whether AI offensive tools can be governed responsibly. It’s whether we govern them while making them widely available, or whether we let the instinct to restrict create the exact asymmetry that makes things worse.

I argued in that piece that “human virtue can steady a company for a while, but it rarely survives sustained pressure from market gravity.” The same applies here. Hoping that restricting AI offensive tools will keep bad actors from getting them is a bet on virtue. Deploying those tools widely into defensive engineering pipelines, while governing them structurally, is a bet on design. I’ll take design.

The Scholars

I wrote in February that the indicator-of-compromise model was broken. A system built on chasing where the ball was while the ball kept picking up speed. That was the diagnosis. This is part of the treatment.

The founder I sat across from last month sees a future where the artificial barriers between offensive specializations dissolve, where the mechanical work that made these operations slow and expensive gets handled by machines, and where the human operators focus on judgment, creativity, and the strategic decisions that machines can’t make (yet). The cybersecurity vendor ecosystem sees that same future and panics because it threatens a business model that spent thirty years treating symptoms while the disease metastasized.

The monks didn’t disappear when Gutenberg’s press started running. They became scholars. The best of them contributed more to human knowledge as scholars than they ever did as gatekeepers. The cybersecurity vendors who survive won’t disappear either. They’ll become companies that build software that is safe by design, audited by machines before it ships, and structurally resistant to the vulnerability classes we’ve been recycling since the Clinton administration.

That’s the paradigm. Not safe by policy. Not safe by compliance checkbox. Not safe by buying another vendor’s detection product to monitor the first vendor’s detection product. Safe by design, because every developer now has access to the offensive expertise that used to require a clearance and a decade of specialized training. Enforced by machines that think like the best adversaries on earth, applied to every line of code before it ever reaches a user. And God damn does that sound like a day on the French Riviera.

The monks won’t disappear. They just aren’t the only ones who can read anymore.