AI commoditizes vulnerability markets
NCSC chief warns AI commoditizes premium vulns, threatens offensive talent pipelines OffensiveConTL;DW
- Defense requires high-caliber offensive capability—sophisticated red teams and threat actors drive multi-year, multi-billion-dollar defensive improvements in organizations.
- Everything is vulnerable and always will be; zero-vulnerability systems are economically unviable and technically impossible at scale.
- AI is rapidly commoditizing premium vulnerability classes: memory safety issues once worth premium prices are now broadly viewed as commodity within months.
- Over 80 countries have purchased offensive cyber capabilities on the open market, shifting from R&D investment to buying the best capability with a checkbook.
- Artificial intelligence compressed exploit development from hours, days, or weeks into seconds or minutes; context windows and token costs remain temporary constraints.
- Open-source AI models are lagging frontier models by only 6-8 months—a gap that may narrow further, making exclusive capability access increasingly untenable.
- UK and France via Pammal process are establishing norms for the offensive ecosystem: transparency, customer accountability, and disruption of irresponsible actors.
- Talent pipeline risk: if AI disrupts early-stage learning grounds before practitioners build fundamental understanding of architecture and OS-level mechanics, knowledge will hollow out.
- Memory safety technologies like CHERI CPU architecture and non-phishable multi-factor authentication (passkeys) represent architectural wins over whack-a-mole patching approaches.
- State adversaries are stealing offensive security tools (Carina, Dark Souls breaches); researchers and companies must understand supply chain risks and know their customers.
TL;DW
- Defense requires high-caliber offensive capability—sophisticated red teams and threat actors drive multi-year, multi-billion-dollar defensive improvements in organizations.
- Everything is vulnerable and always will be; zero-vulnerability systems are economically unviable and technically impossible at scale.
- AI is rapidly commoditizing premium vulnerability classes: memory safety issues once worth premium prices are now broadly viewed as commodity within months.
- Over 80 countries have purchased offensive cyber capabilities on the open market, shifting from R&D investment to buying the best capability with a checkbook.
- Artificial intelligence compressed exploit development from hours, days, or weeks into seconds or minutes; context windows and token costs remain temporary constraints.
- Open-source AI models are lagging frontier models by only 6-8 months—a gap that may narrow further, making exclusive capability access increasingly untenable.
- UK and France via Pammal process are establishing norms for the offensive ecosystem: transparency, customer accountability, and disruption of irresponsible actors.
- Talent pipeline risk: if AI disrupts early-stage learning grounds before practitioners build fundamental understanding of architecture and OS-level mechanics, knowledge will hollow out.
- Memory safety technologies like CHERI CPU architecture and non-phishable multi-factor authentication (passkeys) represent architectural wins over whack-a-mole patching approaches.
- State adversaries are stealing offensive security tools (Carina, Dark Souls breaches); researchers and companies must understand supply chain risks and know their customers.
Ollie Whitehouse argues defense requires a functioning offensive ecosystem, then details how LLMs are eroding the premium vulnerability market and gutting entry-level researcher incentives. He outlines the NCSC's Pammal bifurcation strategy—supporting responsible vendors while easing disruption of irresponsible ones—and calls for evidence-based metrics on defensive ROI.
