2026-06-14 · 5 min read

The Builder Goes First

Why I'm optimistic about what frontier AI does to the fight between attackers and defenders, and why that optimism comes with a body count.

ai-security, offense-defense-balance, secure-by-design, agentic-ai, threat-modeling

The Wave

The most dangerous sentence in software security right now is spoken by a good engineer: “AI isn’t good enough to secure my code yet, so I’m not going to bother.” I shared that instinct for a while. But it’s wrong, and a little brutally so. The attacker isn’t waiting for the tool to be good enough. The robber has no cynicism about whether the crowbar works. He just picks it up.

I build detection and response systems, and secure agentic AI systems, for a living, so I’m not writing this as an enthusiast. I watch the other side adapt in close to real time. This asymmetry of will is the whole story. Skepticism is a luxury ride into the flames.

Think back to the last time the ocean lifted you off your feet from behind before you ever heard it coming, that half second where you either turned, dug in, and rode it, or got tumbled up the beach with your back to it. That half second is where everyone who builds software is standing right now, whether they feel it or not. This is what I’ve been waiting years for, and I love it. The wave is real and measured: by one count, the length of a task a model can finish on its own is doubling about every four months. Four days into drafting this, Anthropic shipped a model that resolved 95 percent of a standard benchmark for fixing real software bugs. We no longer write applications, we build agents that act on their own, and they won’t wait for your deferred defense mechanisms.

The Lock

For thirty years, security has lived under the defender’s dilemma: the defender has to be right everywhere, every time, and the attacker only has to be right once. It held because “be right everywhere” doesn’t scale on human beings. Here’s what changed. AI doesn’t out-fight the attacker, it dissolves the dilemma, because scale is exactly what a machine adds. You can point a model at all of your code, not a sample, and kill an entire class of bug at build time. The attacker works at runtime, against software that already exists. The builder works at build time, with the whole source in front of him. The same intelligence sits on both sides, but the builder goes first. You can’t exploit a vulnerability that was never written.

Now the hard part. If AI is so good at securing code, why is so much AI-generated code insecure? Because it is. Across a hundred models, 45 percent of what they wrote introduced a vulnerability. But that’s what the tool does when you use it carelessly, as a faster way to type. Point it at the problem deliberately and the number inverts: GitHub’s Copilot Autofix patches the average alert three times faster than a human, twelve times faster for SQL injection. Same model family, only aimed differently. The variable was never the tool, it was the deliberateness. Careless AI opens doors, zealous AI closes them.

No one ever cared how much I love hand-typing my own classes and interfaces, they cared whether the work got done. The craft was never the product. And I’ve watched this refusal before: the AS/400 guys who wouldn’t consider relational databases, certain they’d stay buggy and slow forever, and the walled-garden web apps that wouldn’t open their doors to anyone. The holdouts never stopped the shift. They only decided whether they rode it or got rolled by it.

Then came a reminder of how fragile this all is. I spent three days building secure code with frontier model Fable 5. On a Friday afternoon, the US government ordered it cut off for any foreign national, and because the company couldn’t separate its users in real time, the model went dark worldwide. The trigger, in the company’s own words, was a jailbreak that “essentially consists of asking the model to read a specific codebase and fix any software flaws.” Read that twice. A model was pulled from the whole planet because someone showed it could read your code and fix the holes. The defensive superpower and the thing the government called a weapon are the same sentence.

The Phoenix

Which is exactly why the ban won’t hold. We’ve run this experiment before. In the 1990s, a government decided strong encryption was a munition and made it a crime to export. So people printed the algorithm on t-shirts, and a few had it tattooed on their arms and asked, with a straight face, whether that made them illegal to export. The courts held that source code is speech, the controls collapsed, and strong encryption became the reason you can bank online today. You can’t put math back in the box. Open models will fill the void, the way the algorithms they tried to wall off ended up worn into court.

It’s a pattern, not a hope. Every time a powerful tool arrives, the attackers feast first, the ecosystem burns, and then defense rebuilds the substrate so the old attack class dies. The Morris worm gave us the first coordinated security response. The buffer-overflow era is ending right now as the industry rebuilds on memory-safe languages. New tool, offense feasts, the ecosystem burns, defense rebuilds, the attack class dies. The phoenix. And for the first time the rebuilding runs at machine speed: at DARPA’s AI Cyber Challenge, autonomous systems found and patched real vulnerabilities for about 152 dollars each.

I won’t sell you a clean story, because it isn’t one. The phoenix works for software. It doesn’t cover the people hurt in the fire, the hospitals with their systems locked, the cash taken from direct deposit accounts. An honest optimist counts the ash.

Bonus: A Hand on Your Shoulder

And here’s the irony at the bottom of all of this. The fire doesn’t come for the reckless or the unlucky. It comes for the ones who watched the wave build, called it a fad, and stood there with their backs to it. That’s the only group that loses here, and it’s the exact group I’m writing for. Not to bury them. To grab a shoulder and turn them around while there’s still time to catch the good of this and ride it in.

So that’s my optimism, with its eyes open. The same intelligence that can open every door is the one that can pre-close them, and it goes to whoever is willing to wield it first. The robbers already decided. The only question left is whether the people who build and defend our software will stop debating the crowbar and start locking the doors, before the part of the story that burns.

Axioms applied in this essay

This article tested 4 of the StoneyTECH engineering axioms. Each verdict is the result of applying that axiom in this specific argument.