Finding vulnerabilities was never the hard part
The funniest thing about the "AI will replace cybersecurity" take is that it gets the problem completely backwards.
The logic goes like this. The industry is about finding vulnerabilities. AI can find them faster. So the industry is redundant.
In my experience talking to security people, most organisations already have more known vulnerabilities than they can fix. The queue is months long. Security teams aren't sitting around waiting for something to scan. They're sitting on a backlog they have no realistic way of clearing.
So the bottleneck was never discovery. I honestly think finding vulnerabilities was never the hard part. I say that as someone who used to do it for the wrong reasons: the finding is the easy, almost mechanical bit.
The hard part is everything that happens after. A vulnerability in a queue is not a fixed vulnerability. Getting it fixed means someone in dev has to prioritise it over the feature they were told to ship, and someone in the business has to accept the trade. That's a negotiation, not a scan.
If anything, the more interesting application of AI sits here. Not another scanner adding to the pile, but something that bridges the gap between security, dev and the business so that the vulnerabilities already sitting in the queue actually get fixed. Translating a finding into the language each side responds to. Showing the business what the exposure costs in terms it understands. Turning a line in a report into a ticket someone will action.
Automate the scanning and you've automated the part that was never the problem. The queue stays exactly where it is.