How AI Breaks Everything We Know About Cyber Economics
I've been thinking a lot about economics lately. Not the boring kind with GDP and interest rates, but the kind that actually affects my day job, the economics of attacking and defending.
For as long as I've been in security, there's been a fairly stable economic model. Controls cost money to build and maintain. Attacks cost money to develop and execute. Your job as a defender was to make attacking you more expensive than attacking the person next door. Harsh, but that's how it worked.
AI is breaking this model. Completely.
The old maths
Let me paint the picture of how security economics has worked for the past two decades.
You want to implement multi-factor authentication across your organisation. That'll cost you licensing, integration work, support staff, user training, and an endless parade of "I've lost my token" tickets. Call it six figures for a mid-sized organisation, conservatively.
You want to build a detection capability for lateral movement. You need a SIEM, log sources, detection rules, analysts to monitor it, and a process to respond to alerts. Another six figures, probably seven.
On the attack side, building teams, developing tooling and farming exploits all cost money, and running a sustained campaign against a well-defended target was expensive. This meant attackers had to be selective. They couldn't afford to attack everyone, so they went after the easiest targets first.
The strategic implication was clear: raise the cost of attacking your organisation above the expected return for the attacker, and you'd be left alone.
Security economics 101.
Both curves are collapsing
Here's what's happening now, and why it matters.
On the defence side, AI is making everything cheaper:
- Writing detection rules? AI can generate and test them in minutes, not days.
- Vulnerability scanning? AI finds things that have been latent in codebases for years.
- Security tooling? What used to require a team of engineers to build can now be prototyped in an afternoon.
- Incident response? AI can triage, investigate, and even remediate certain categories of incident faster than any human.
This sounds great. And it is great. The backlog of "security improvements we know we need but can't afford to build" is being cleared at an astonishing rate.
But on the attack side, the same thing is happening:
- It's now easier to become an attacker, and easier to find and develop exploits. AI lowers the skill barrier dramatically.
- Phishing campaigns that used to require human effort to personalise can now be crafted at scale with perfect grammar and context.
- Voice cloning, deepfake video, synthetic identities. All approaching commodity pricing.
- Vulnerability discovery isn't just faster for defenders. Attackers are finding the same vulnerabilities, and they don't have change boards to slow them down.
Both cost curves are approaching zero. But they're not collapsing symmetrically.
The asymmetry problem
This is the bit that keeps me up at night.
Defenders benefit most from cheaper routine activities: patching, monitoring, configuration management, log analysis. Yes, it's security hygiene again! These are the "boring but essential" tasks that have always been the backbone of good security. Attackers benefit most from cheaper novel activities: finding vulnerabilities, crafting attack chains, creating convincing fakes.
When everything is cheap, the advantage goes to whoever can exploit novelty faster. And right now, that favours attackers. They don't need to submit change requests. They don't need to test in staging. They don't need to write a business case.
I was chatting with a penetration tester last month who told me his team's AI-augmented workflow had cut their average time to initial compromise by about 80%.
Things that change
If the old game was "reduce the cost of controls to deploy more per pound spent," the new game is fundamentally different. Here's what shifts:
1. The constraint moves from budget to speed
When controls are cheap to build, the bottleneck isn't money, it's how fast you can deploy them. The organisation that can discover a vulnerability, develop a fix, test it, and push it to production in hours will massively outperform the one that takes weeks, regardless of how much either spends.
This has practical implications. All those change boards, approval chains, and deployment windows? They need rethinking. Not eliminating, that would be reckless. But fundamentally accelerating.
2. Validation becomes more important than implementation
When AI can generate and deploy a control in minutes, how do you know it actually works? How do you know it doesn't have unintended side effects? Does the business still function as you'd expect? How do you know it'll hold up against a real attacker? The answer is the same as for any other code that reaches production: test it against known-bad and known-good inputs before it ships, and keep those tests running.
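Here is what that validation can look like for the detection-rule case mentioned earlier. This is an added example, not code from the original post: a small regression harness that runs a candidate lateral-movement rule (remote network logon followed shortly by a service installation on the same host, the classic PsExec-style pattern) over a labelled corpus and refuses to pass the rule unless it catches every labelled positive with no false positives. Windows event IDs 4624 and 7045 are real; the event schema, the 300-second window, the deployment-account allow-list and every sample event are constructed assumptions for illustration. It goes slightly beyond the text by showing the gate rejecting a first version of the rule that fires on a legitimate deployment account, and accepting a second version that handles that case.

```python
"""Regression harness for a candidate detection rule (added example, not from the post)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)  # frozen so events are hashable and can be put in sets
class Event:
    ts: int                 # seconds since epoch (constructed)
    host: str
    event_id: int           # 4624 = logon, 7045 = service installed (Windows IDs)
    user: str
    logon_type: int = 0     # 3 = network logon, 2 = interactive console logon
    src_ip: str = ""
    service_name: str = ""


# Constructed, labelled corpus: (event, should the rule alert on this event?)
CORPUS: List[Tuple[Event, bool]] = [
    # True positive: remote network logon, then a service install by the same account
    (Event(100, "ws01", 4624, "jdoe", 3, "10.0.0.5"), False),
    (Event(130, "ws01", 7045, "jdoe", service_name="PSEXESVC"), True),
    # Benign: console logon followed by a local software install
    (Event(200, "ws02", 4624, "admin", 2), False),
    (Event(220, "ws02", 7045, "admin", service_name="UpdaterSvc"), False),
    # Benign: network logon for file-share access, no service install
    (Event(300, "ws03", 4624, "jdoe", 3, "10.0.0.5"), False),
    # Benign but easy to misclassify: the deployment account pushes agents remotely
    (Event(400, "ws04", 4624, "svc_deploy", 3, "10.0.0.9"), False),
    (Event(410, "ws04", 7045, "svc_deploy", service_name="AgentSvc"), False),
    # Edge case: a service install long after the logon must fall outside the window
    (Event(500, "ws05", 4624, "jdoe", 3, "10.0.0.5"), False),
    (Event(5000, "ws05", 7045, "jdoe", service_name="PSEXESVC"), False),
]

WINDOW_SECONDS = 300                   # assumed correlation window
DEPLOYMENT_ACCOUNTS = {"svc_deploy"}   # assumed allow-list of known remote installers

Rule = Callable[[List[Event]], List[Event]]


def rule_v1(events: List[Event]) -> List[Event]:
    """Alert on a 7045 within WINDOW_SECONDS of a type-3 logon by the same user on the same host."""
    alerts: List[Event] = []
    last_remote_logon: Dict[Tuple[str, str], int] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event_id == 4624 and e.logon_type == 3:
            last_remote_logon[(e.host, e.user)] = e.ts
        elif e.event_id == 7045:
            t = last_remote_logon.get((e.host, e.user))
            if t is not None and e.ts - t <= WINDOW_SECONDS:
                alerts.append(e)
    return alerts


def rule_v2(events: List[Event]) -> List[Event]:
    """Same logic as v1, but known deployment accounts are excluded."""
    return [e for e in rule_v1(events) if e.user not in DEPLOYMENT_ACCOUNTS]


def evaluate(rule: Rule, corpus: List[Tuple[Event, bool]]) -> Dict[str, int]:
    """Run the rule over the whole corpus and count true/false positives and misses."""
    events = [e for e, _ in corpus]
    expected = {e for e, should_fire in corpus if should_fire}
    fired = set(rule(events))
    return {
        "tp": len(fired & expected),
        "fp": len(fired - expected),
        "fn": len(expected - fired),
    }


def passes_gate(rule: Rule, corpus: List[Tuple[Event, bool]], max_fp: int = 0) -> bool:
    """Deployment gate: every labelled positive must fire, and at most max_fp benign events may."""
    m = evaluate(rule, corpus)
    return m["fn"] == 0 and m["fp"] <= max_fp


if __name__ == "__main__":
    for name, rule in (("v1", rule_v1), ("v2", rule_v2)):
        print(name, evaluate(rule, CORPUS), "PASS" if passes_gate(rule, CORPUS) else "FAIL")
```

The point of the harness is not the rule itself but the gate: whoever (or whatever) generated the rule, it only reaches production once it has been run against events you already understand, and the corpus grows every time a false positive or a miss turns up in the real environment. The same shape works for any generated control where "does it fire on the right things" can be expressed as labelled inputs.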
3. Complexity becomes the real enemy
Every system, every service, every connection point in your environment is something an attacker can probe at near-zero cost. In the old world, complexity was a nuisance. In the new world, it's an existential risk.
The organisations that will win are the ones with simpler, more modern architectures. Fewer systems, less heterogeneity, smaller blast radius. Every bit of technical debt you're carrying just got more expensive in risk terms, even as it got cheaper to fix.
4. Headcount loses to leverage
A team of 10 people who can effectively orchestrate AI-augmented security tools will outperform a team of 100 doing manual work. The skills that matter shift from "can you write a detection rule" to "can you design a system that writes, tests, and deploys detection rules automatically."
If you're building a security team right now, hire for judgment, architectural thinking, and the ability to validate automated outputs. The hands-on-keyboard skills are being commoditised whether we like it or not.
Can you adapt, at pace, in a safe way?
We're living through a phase change in the economics of security. Both attack and defence are becoming dramatically cheaper, but the strategic implications are asymmetric. Speed matters more than budget. Validation matters more than implementation. Simplicity matters more than comprehensiveness.
The organisations that invested in modern architectures, fast deployment pipelines, and automation-first cultures are about to see those investments compound dramatically. The ones still running legacy environments with manual processes are about to find the gap between themselves and both mature organisations and increasingly capable attackers widening at an alarming rate.
The good news? Fixing things just got cheaper too. The bad news? So did breaking them.
Start moving faster. It's the only competitive advantage that matters now.