Security Can’t Wait
The Mandatory AI Driven Security Upgrade for a Safer Future
Right now, Artificial Intelligence is fundamentally rewriting the rules of cybersecurity—and we do not have the luxury of waiting before taking action.
However, the underlying mechanics of both fields can feel frustratingly inaccessible. By design, cybersecurity is meant to be an invisible shield. Unless you are deeply involved in computing, you usually only notice it when it fails, or when it creates daily friction—like remembering a complex password. The inner workings of how your data stays safe remain mostly opaque, exactly as the engineers intended.
A similar dynamic applies to Artificial Intelligence. Today, it’s easy to experience AI through chatbots. You can ask questions, spiral into deep conversations, or generate images in seconds. But as impressive as that is, talking to a chatbot is just the tip of the iceberg. Behind the scenes, by some estimates, over half of all AI usage today is dedicated to a single task: writing computer code. It is an invisible shift of significant scale.
To understand why applying AI to cybersecurity is so critical right now, we first have to confront a widespread misunderstanding about what software actually is, and why it breaks.
The Myth of Perfect Software
If you don’t have programming experience, it is natural to assume that building software is like publishing a newspaper: you plan the layout, write the articles, print the edition, and the final product is permanently finished. In reality, writing software is much more like writing and maintaining Wikipedia.
When a printed newspaper hits the stands, it cannot be changed; tomorrow brings an entirely new edition, sharing little other than a layout, typeface, and name. But Wikipedia is an ongoing, living document. A single event sparks the first version of an article, but editors will argue over, revise, and correct it for years. Software engineers do the same thing. They write code, users report that something doesn’t work the way they expected, and the engineers go back and revise it.
Because fixing one piece of software often accidentally breaks another, they don’t stop there. They write entirely separate scripts—automated tests—whose only job is to constantly check the original code and ensure that older features keep working as the software evolves.
Testing exists because programmers are human. We misunderstand what users want. We misunderstand the limits of our computer hardware. We mistakenly rely on flawed code written by someone else. Testing protects programmers from their own fallibility.
Historically, programmers wanted their software to be deterministic. That means for every specific action, there is one specific, predictable reaction. If you move $100 from your savings to your checking account, savings goes down exactly $100, and checking goes up exactly $100. It sounds simple. Simple rules like this allow simple tests.
But users are highly unpredictable. They click buttons in the wrong order, type words into boxes meant for numbers, and combine features in ways the engineers never imagined. Add to this the physical realities of computing—hardware inevitably degrades, and surges in user traffic can consume all available memory—and the environment becomes chaotic.
Resilience
This dynamic chaos is difficult enough to manage when users are innocently fumbling around. To manage it, engineers must add another layer of complexity to their work: resilience. They don’t just program what happens when things go right; they have to spend countless hours programming exactly what happens when things go wrong, trying to ensure small failures don’t add up to large failures. This relentless pursuit of perfection makes building software exponentially harder.
Enter the Attacker
Attackers live in the gaps of a programmer’s incomplete plan. They look for the scenarios the engineer forgot to test. Sometimes, this looks like extreme user behavior: What happens if I type 10,000 characters into a password field meant for 20? What if I send thousands of requests at the exact same millisecond?
Attackers don’t stop at acting like a user. Software has internal communication channels that are invisible to users, and attackers will do their best to reach and use those too.
An attacker is entirely happy with chaos as an outcome. They only need to find one weak spot, one forgotten variable, to force the software to do something it shouldn’t.
The AI Magnifying Glass
How does AI interact with this cat-and-mouse game? Fundamentally, AI is a magnifying glass. For attackers, it is a tool to scan for weak spots faster and more comprehensively than manual reviews allow.
The most obvious response is for defenders to use similar tools. If an attacker is using AI to find the cracks in your walls, you need AI to find—and patch—those cracks first. In the long run, the ability of AI to rapidly spot human errors in code will be a substantial advantage to defenders. That ability was useful before; as the cat-and-mouse game accelerates, it is critical today.
But this brings us to another major misconception about cybersecurity: finding the vulnerability isn’t actually the hardest part. Neither is fixing the vulnerability.
To an outside observer, fixing a security flaw sounds highly complex. Often, it isn’t. The majority of security vulnerabilities are born from tiny, simple mistakes: a list that is one item too short, a user granted one permission too many, or a line of code that says “and” when it should have said “or.” In a vacuum, a programmer could fix these errors in five minutes.
There is a worry that a small change might have a larger impact: other code may have compensated for the mistake and now breaks after the fix. This worry is always present, and automated testing is the tool that minimizes it. So fixes aren’t always easy, but they still aren’t the core challenge.
The real challenge is deploying that fix. Modern software is woven into complex corporate environments. A simple five-minute fix might have to pass through multiple testing environments, bureaucratic approvals, and compliance checks before it ever reaches the user. The quality of different companies’ deployment processes varies greatly. The best companies can deploy thousands of small fixes a day. Many other businesses struggle to deploy one update a month.
There are over 40,000 known vulnerabilities, with over 100 more discovered each day. And those numbers only cover known software and libraries. Code a company develops for itself can introduce unique vulnerabilities that aren’t part of vulnerability databases. While these won’t all apply to any particular company’s environments, enough will that one update a month, or even one per day, is not sufficient.
Attackers act as relentless inspectors who will punish a company for any delay. If AI helps an attacker find a flaw today, but your company’s approval process takes three weeks to deploy the fix, you are at a serious disadvantage.
The Economics of Cyber Warfare
This might sound like a losing battle, but the defenders actually have a distinct advantage: economics.
Cyber attackers generally fall into two categories: people who just want to cause random destruction (who are thankfully rare and usually lack the focus to execute complex plans), and people who want to make money.
That second group is large, but they are doing math. If the payoff is too low, or the effort required to break in is too high, they will give up and look for an easier target. You don’t need a perfectly impenetrable wall to stay safe. You just need a wall that is sufficiently expensive for a hacker to penetrate.
This is where AI will shift the landscape. High-value targets (like major banks or tech giants) are already rapidly adopting AI to patch their weak points faster than ever. Attackers will likely find these targets too expensive to hack, assuming the targets avoid the deployment trap. The security organizations meant to protect them are sometimes the impediment, creating the delays that bring risk.
This varies significantly between organizations. All organizations realize the importance of security, but only some have been able to turn that knowledge into reality and bring about the changes that allow for rapid deployment.
Efficient deployment is part of the design of many organizations. Newer organizations with a tech focus usually started out this way, as the template has been demonstrated many times. Older organizations have sometimes caught up, but many older or non-tech-focused organizations sit in an uncomfortable gap here.
For those that have failed to keep up, their fallback is often more layers of security—which carries high costs, but remains effective in raising the barrier to entry for attackers.
The real danger zone will be moderate-value targets—companies that have something worth stealing but may operate with slow, outdated security practices, and lack the justification for the most expensive layered capabilities. AI will turn a harsh lens on organizations that have managed to scrape by unnoticed in the past. These companies will face a strict ultimatum: modernize their security, or risk severe breaches.
Again, there is significant variability. Those with efficient deployment will stay ahead. Those without it are at risk: unable to match the expensive protections of high-value targets, and also behind their peers.
Ironically, the lowest-value targets—everyday individuals and small businesses—might actually see an immediate benefit. Because their core reliance is on outsourced platforms (like cloud email providers), they will instantly inherit the new AI-driven spam and scam detection tools built by the tech giants, without having to lift a finger. While outsourcing has its weaknesses, when it comes to core functionality with a broad user base, it’s hard to beat.
A Brief Aside: Adversarial Revenue
This mandatory modernization creates an interesting, somewhat circular side-effect in the tech industry: a concept known as “adversarial revenue.”
Because attackers are rapidly adopting AI, every potential target is forced to buy AI-driven defensive tools just to keep pace. Who sells those tools? Often, it is the broader tech industry that is developing these AI capabilities in the first place. For the companies providing AI security platforms, the rising tide of empowered hackers guarantees a sustained, highly motivated market. The threat itself creates the demand for the cure, making AI defense a uniquely lucrative sector of the economy.
Security revenue is a bit different from other adversarial roles. Here there is a clear bad guy. In fields like law and finance, two sides exist, but neither is clearly creating the inefficiency. It’s theoretically possible we might improve the ratio between productive and adversarial revenue here through self-policing or regulatory efforts, though that requires convincing those industries to give up some potential revenue.
Setting aside the financial balance sheets and returning to the mechanics of the conflict, a much simpler question often arises about these adversarial dynamics: why not just prevent attackers from accessing AI to begin with?
Why Not Just Ban the Bad Guys?
Unfortunately, it’s a deeply complex challenge. The most effective measures trade away some privacy, but it would be naive to think that giving up privacy can provide a total solution.
There are two main ways people access AI. One approach is through “open-source” models, which are freely available for anyone to download and use privately on their own computers. Protections here are limited. Creators train them to refuse malicious requests, but determined attackers consistently figure out how to bypass those guardrails (“jailbreak” them). The best protection here is that, so far, open-source models are less capable, and degrade a bit more after being jailbroken.
A more common method is through “controlled hosting”—the major platforms where you must log in to use the AI. Here, the AI companies actually do fight back every day. This isn’t just a theoretical threat; companies like Anthropic and OpenAI routinely detect and disrupt coordinated attackers attempting to use their networks.
But their expectation isn’t to build a flawless barrier. Instead, they use the mechanics of bureaucracy to drive up the attacker’s costs. They require an email to create an account. They monitor activity for suspicious patterns. When they see something shady, they issue a “soft-block,” refusing the prompt. When an attacker repeatedly tries to bypass that block, the company bans the account entirely, forcing the hacker to create a new account. And then they block account creation patterns that look shady.
Even with controlled hosting, stopping malicious actors entirely is difficult. “Shady” is a judgment call, and the other side has the option of changing tactics. They’ll try to look like regular users. They can’t hide forever in this way, but the provider risks harming regular users if it reacts too quickly by blocking patterns that also match regular users.
The AI Apprentice
AI companies seem highly capable, so why can’t they stop this, difficult as it is? You might ask whether they are motivated enough. If you doubt the AI companies are sufficiently motivated, consider the story of “distillation” attacks, which demonstrates the limits of their control.
To understand distillation, imagine a hacker who knows they will eventually get caught on the major, guarded platforms. Instead of using the heavily guarded AI to find vulnerabilities directly, they use it as a master tutor. They feed the secure AI complex coding problems, record its brilliant answers, and use that data to train their own private, open-source AI models.
Think of it like sneaking a camera into a master locksmith’s workshop. You don’t need to steal the locksmith’s tools; you just record how they work, go home, and teach your own apprentice. Once the attacker’s private AI learns enough, they no longer need the major platforms. They have their own unrestricted hacking assistant, operating entirely under the radar.
Distillation attacks also come from rival attempts to improve their own AI model, using outputs from a better model. It should be obvious that the leading AI companies want to retain their lead, and stopping distillation attacks would help. That said, all have reported activity of this type, and while they’ve had partial success in detecting it, it’s only partial. Anthropic reported millions of requests it believes were distillation attacks. Google reports hundreds of thousands of requests too.
Major AI providers are highly motivated to prevent this. Distillation isn’t just a security threat; it’s the outright theft of their multi-billion-dollar intellectual property. The fact that tech giants actively try—and often struggle—to stop distillation proves that preventing misuse isn’t a matter of lacking the desire or financial motivation to build a flawless barrier. They desperately want to build that barrier, but the technical reality makes absolute control nearly impossible.
Privacy and Security
Placing the best models in controlled environments provides some improvements. It does, however, place some of our privacy in the hands of those who control those environments. Such environments are designed to preserve privacy in a balanced way: your requests do go through automated review, but there are internal guardrails on how those reviews are maintained, and on who sees violations and when. Still, we have to place our trust in a third party, which is significantly different from the kind of verification we could do ourselves on the privacy of a locally run model.
What’s Your Role?
Knowing that this massive contest is occurring behind the scenes, what can you, as an everyday user, actually do?
While the tech giants fight over deploying complex code fixes, attackers will still try to go after the easiest target: you. AI allows hackers to create highly personalized, perfectly spelled scam emails and incredibly realistic fake websites. To stay safe, a few standard pieces of advice are more important than ever:
1. Enable Multi-Factor Authentication (MFA)
With just a username and password, your security depends entirely on no one ever guessing or stealing your password. If you reuse a password, or accidentally type it into a fake “phishing” site created by AI, it’s compromised. MFA, while occasionally annoying, ties your access to something physical that you have—like a phone that receives a prompt or an authentication app. Even if an attacker steals your password, they can’t get in without your phone.
2. Learn to Read a Web Address (and Spot a Fake Browser)
Attackers frequently build fake login pages designed to steal passwords. Because AI makes it easy to perfectly clone the look of a legitimate site, attackers have escalated to a new trick: the “browser within a browser.”
A web browser displays content from the sites it loads. As a side effect, malicious sites can draw a fake window inside the webpage that looks exactly like your browser’s top bar, complete with a perfectly secure-looking—but entirely fake—web address. To protect yourself, you must be familiar with the normal layout of your browser. The real address bar is part of the secure surface of your browser at the very top of your screen, not nested down inside the web page’s content.
Once you are certain you are looking at the real address bar, the URL can look like a long string of gibberish, but there is a simple rule of thumb: find the very first single slash (/) after the https://. Everything between https:// and that slash is the site’s host name. Within it, look at the word immediately to the left of the .com, .gov, or .org.
If the address is consumer.ftc.gov/articles/..., the controlling word is ftc. You are on a government site.
If an attacker tries to trick you with ftc.security-update.com/login, the controlling word is security-update. You are not on a government site; you are on an attacker’s site.
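The rule of thumb above, written out as an added example (not code from the original article) so the two addresses can be checked mechanically. It uses Python’s standard URL parser, which also strips the user:password@ prefix and port that can precede the real host, and it goes one step beyond the article by handling two-part endings such as .co.uk; the short list of those endings is a constructed subset of the Public Suffix List (publicsuffix.org) assumed for this example.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List; the real list has thousands of
# entries, so a production checker would load it rather than hard-code it.
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au", "co.jp"}


def host_name(url: str) -> str:
    """Everything between https:// and the first single slash, normalized."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("not a web address")
    # .hostname ignores any user:pass@ prefix and :port suffix in the authority.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("no host name in address")
    return host


def controlling_word(url: str) -> str:
    """The label immediately left of the public suffix: 'ftc' for
    consumer.ftc.gov/articles/..., 'security-update' for
    ftc.security-update.com/login."""
    labels = host_name(url).split(".")
    if len(labels) < 2:
        raise ValueError("host name has no dotted suffix")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        raise ValueError("host name is only a suffix")
    return labels[-(suffix_len + 1)]


def is_official_site(url: str, expected_word: str) -> bool:
    """True only when the controlling word matches; any parse failure is 'no'."""
    try:
        return controlling_word(url) == expected_word.lower()
    except ValueError:
        return False


if __name__ == "__main__":
    for url in ("https://consumer.ftc.gov/articles/0001",
                "https://ftc.security-update.com/login",
                "https://www.example.co.uk/"):
        print(url, "->", controlling_word(url))
```

Note the design choice in is_official_site: an address that cannot be parsed is treated as not official, never as a pass, because the whole point of the check is to fail safe when something looks odd.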
3. When in Doubt, Search
If reading the URL feels confusing, use a search engine instead of clicking a link in an email. Type the company name into Google. It is incredibly difficult for an attacker to manipulate search algorithms enough to place their fake website higher than the real company’s official site. Just be sure to skip past the first few results if they are explicitly labeled as “Sponsored” or “Ad,” as attackers sometimes buy ad space.
4. Be Wary of Voice Calls and Texts
You should never give out your MFA codes or passwords by email or by phone call. However, verifying who is actually on the other end of the line has become much harder. AI makes it trivially easy for scammers to clone voices or generate convincing, conversational text messages. If you get a call from your bank—or even a panicked loved one—asking for money or a security code, hang up. Look up their official phone number yourself, and call them back.
5. Keep Things Updated
You should get to know your computer’s operating system and web browser. Both have built-in mechanisms to install updates automatically. Don’t delay or avoid these updates. As we discussed earlier, deploying fixes is the hardest part of cybersecurity. When you see an update ready to install on your phone or computer, you are often receiving the exact “five-minute fixes” software engineers just wrote to patch a vulnerability. Install them.
What are AI Companies Doing to Protect You?
While your personal vigilance is the last line of defense, the tech industry isn’t sitting idle. AI companies are actively deploying countermeasures:
Limiting Access by Attackers: When an attacker is identified, their accounts are deactivated. AI companies use complex pattern recognition—analyzing the content and origin of requests—to hunt down malicious users. It is a constant cat-and-mouse game. While it doesn’t stop all access, it raises the cost significantly. Every moment an attacker spends trying to defeat these protections is a moment they can’t spend conducting destructive attacks.
Utilizing Guardrails and Training: AI models are trained with guardrails that inspect incoming and outgoing traffic, automatically refusing or modifying prompts that appear intended to facilitate harmful activity. Again, these techniques are not foolproof, but they disrupt access and diminish the utility of the AI for hackers.
Scanning for Vulnerabilities and Orchestrating Remediation: Vulnerability scanning isn’t new, but AI enables broader and deeper results. AI companies (Google CodeMender, Claude Code Security, OpenAI Aardvark) are working directly with the cybersecurity industry to execute massive scans, instantly generate remediations, and orchestrate campaigns to deploy those fixes before attackers can act.
Securing AI Itself
It is worth noting that protecting traditional software from AI-empowered attackers is only one slice of the overall security story. A complete view of AI security must also engage with other massive topics: how to deploy AI safely within an organization, how to manage how your private data is used by an AI model, and how to manage “agentic” systems (AI that can take actions on its own).
There are also vital, high-level theoretical debates about preventing AI from being used for massively destructive weapons, authoritarian surveillance, or sci-fi “AI overlord” scenarios.
But every conversation needs a focus, and right now, the most immediate, practical threat to the average user and business is the invisible arms race occurring in everyday software.
A Reason for Optimism
Ultimately, the integration of AI into cybersecurity is a narrative of optimism.
Yes, the equilibrium will shift. There will be chaotic periods as attackers test new AI tools. But relying only on defense means attackers get to choose the time and place of the next battle. By using AI to significantly speed up how we write, test, and fix software, we take the initiative away from the attackers. We make the cost of doing bad business too high.
As Dario Amodei, CEO of Anthropic, has noted, the balance between offense and defense is actually tractable in cybersecurity. There is real hope that defense can outpace attacks—but only if we actively invest in it. The tools are here. Someone must do the hard work of putting them to use for good, lest they only be put to use for harm.


