Posted by laurex 5 hours ago
Basically, we are entering the ransomware apocalypse. It is insane what a godsend gen-AI has been to the cybercrime sector. When all you need to do is make something good enough to fool some of the people some of the time, genAI is perfect.
Things that used to work reliably - like trusting google ads or sponsored links not to be malvertizing sites - are meaningless now that gangs can trivially spin up networks of thousands of fake interacting sites and linked profiles to sneak by fraud detection. Phishing attacks are ridiculously sophisticated, combining voice, text, and video impersonation. Supply chain attacks are going to mean package managers are handgrenades. Ransomware gangs are running full on SaSS services allowing script kiddies access to big gun material. Attacks that were previously only in reach of nation-state-sponsored actors are now available for peanuts. And all of this is going to worse because of everyone and their dog using gen-AI to pump out huge amounts of vulnerable code. And then there is the world of prompt engineering for data exfiltration...
If you are young and wanting a promising trade in tech, security would absolutely be a good choice. Shit is going to get CRAZY.
1) One can no longer trust things out on the web. 2) One no longer needs things out on the web.
For 1), I hope the defense mechanism kicks in time to bake security into our computing culture and pervades throughout the stack.
If AI is capable of performing these attacks, what would stop AI from replacing the security engineers?
Because the threat model is one-sided - if an AI attack fails, the controller simply moves to the next target. If an AI defense fails, the victim is fucked.
Therefore, there is still value in being the human in Cyber Security (however you are supposed to capitalise that!)
There are still protections and mitigations that targets can do, but those things require humans. The things that attackers can do require no humans in the loop.
Compare how fast real attackers could iterate vs the defenders.
I recall there being Malvertising campaign problems ~12-15 years ago or so, and then they seemed to get on top of it.
Yes, but you can't be a CISSP or SOC monkey - that has no future.
You need to be an actual Software Engineer who understands development fundamentals, OS internals, web dev fundamentals, algorithms, etc as well as offensive and defensive concepts.
To many "cybersecurity" graduates in North America aren't even qualified to do L1 IT Helpdesk, which is a shame because the IT to Security talent pipeline is critical (along with the SRE, SWE, and ML to security pipeline).
There does not have to be a term committee or term police for colloquial use, but to me referring to somebody calling it out when terminology makes no sense as “making a stink” says something about the objector.
i suppose it is similar to "exponentially" being used when it doesn't mean exponentially.
Words change meaning all the time. I vividly remember when 'coder' was used as a diminutive, much like the later script-kiddie or code-monkey - "A software developer of little skill or knowledge". Today, people habitually call themselves that.
Nowadays I'm not sure anyone is employed writing only HTML and CSS but in the 90s and 00s it was definitely a distinction worth making.
> on April 7, 2026 … U.S. Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an urgent, in-person meeting in Washington with the chief executives of [major US banks] to brief them directly on the cyber risks posed by [Anthropic’s] Mythos
Then a similar meeting happened with the Canadian Financial Sector Resiliency Group (i.e. the Bank of Canada, the Canadian government’s Department of Finance, the Canadian Deposit Insurance Corporation (Canada’s FDIC) and Canada’s six major banks).
Multiple central banks don’t usually do that right?
https://www.ctvnews.ca/sci-tech/article/anthropics-new-ai-mo...
1. Fear that a major vulnerability is found in a commonly used software package that puts multiple major banks and e-commerce sites at risk
2. Fear that major vulnerabilities are found in multiple, widely used software packages that lead to market downturn as IT company stocks crash.
Probably others as well. Sounds more like a brief on worst-case scenarios that may happen and how they would effect the US banking sector. This is an important mid-year election this year too, so any big economic shock would be bad for the GOP.
Companies need to get serious about levels of security. Only some things need to be protected, and you have to accept a substantial level of inconvenience and cost for those items. In my aerospace days, we had a bidding rule of thumb that running a project at SECRET doubled the cost. Running a project at TOP SECRET had an even bigger cost multiplier. A surprising amount of material was not classified at all, for cost reasons.
Banks and credit card processors get this. Most other businesses don't.
The point is that the people, who self-identify as the ones the author is supposedly asking for help, are the ones who are refusing to acknowledge the elephant in the room so they can feel smug. Just like your "but i read about every incident mentioned, where's my cookie"
More or less, I am the attractive resume, and: the game has changed folks.
For what it is worth, I am taking my ball and going home in about 12 months. I've saved enough, locked in a perma-middle class lifestyle in a great nondescript city, and swapping over to offensive consulting and a AI-free, non-tech trade that won't take too long to get into - think a PA, nurse, plumber, etc.
I'm not quite old enough and with the end of responsibilities as to FIRE, but I can read the writing on the wall enough to understand an AI-proof FI needs to be locked in before everyone else realizes the same. Many others in sec are feeling this.
I think tech will find security pros willing to throw themselves into the fray for pay and optimism. There are others like me who are extracting their final nuts. There are others who have golden-handcuffed themselves into this ride with their mortgages and private school tuitions. And I'm sure some others will stick it out. There will also be an AI-enabled version of sec eng soon enough.
But if private sector doesn't wake up to AI integrations - internal doc rollouts hoovering up PII that wasn't supposed to be stored there, externally-facing customer support portals social engineered and pivoted into, PRs via Slack comment via marketing hires who are ATO'd - this is going to be a 1990's-style BBQ where 0days on critical systems are dropped at happy hours at conferences nightly.
And: your security teams are going to be burned out, banking up, and quitting. The risk acceptances, the double-speak, the slow-rolling, the half-baked risk thinking for engineering and product leads, the corners cut, the public endpoints opened up just this one time - that's going to be enough rope, and already is enough, to hang yourself in this offensive context that's building now.
It is deeply humorous that SWE and engineering leadership has worked itself into this position via its AI push to unemploy itself while thinking it's the 1x white collar job exempt from automation threats.
All it'll take is another recession like '08, and the leaves get shaken off the trees finally. Thankfully there is only one (wait, there are two probably), thankfully there are only two-to-three (wait, there are like 10) systemic market threats right now.
Sure, hedge your bets. Get financially secure. But also consider that "nothing ever happens" is usually correct and the world has a way of ensuring things keep going in the direction they have to in order to give stability to the establishment (which we are generally a part of).
So, what can derail AI out of left field? Maybe building DCs for it in Arizona and EMEA can, for one.... choosing very "water-rich" locations there for water-cooled systems.
So, how could this land longterm, assuming AI works sort of good, sort of bad against the use cases? The real questions here for industry people though should be this:
1) How does this play out, over the 5-10 yrs we have to see it occur of trying it/redoing it/trying a new version/going back to the old version, all the while it's occurring over my career, all the while when I have bills to pay and relationships to maintain.
Ans: I think that's a hell of a lot of financial and employment stress induced on us by people who don't understand the tech they're rolling out, the state change that's occurring, and don't need to deal with the consequences. All the while, I go mid career, to late career, dealing with what AI can actually do in the background.
2) What is actually going to work wrt being relevant to my job?
Ans: I think what actually works is the vuln research aspect of AI, feedback loops rapidly, rapidly speeding up on that.
And, what is the most stressful, obnoxious, high burnout part of the job - sec arch and vuln remediation, or IR and vuln response. Both about to go on overddrive, and already are if you're minding bug bounties and IR these days.
3) Has this happened to other industries, how did it go?
Ans: trading, trading, trading, trading. Check it out.
I just did some quick research:
- ~4.8 million unfilled cybersecurity roles globally as of 2025–2026
- Global workforce ~5.5 million, but ~10.2 million needed to meet demand
Not to mention the growth in the industry has slowed to ~0.1% year over year and you're seeing those shortages are outpacing the current workforce. Add in the most senior folks like yourself are just noping out and leaving the industry wholesale is troubling and unsettling.
Its not surprising we're seeing an unprecedented level of successful attacks. We simply don't have the resources to keep up with the criminals/hackers out there who are moving significantly faster than the companies they are targeting.
As others have pointed out, I'm not sure how this can get anything other than much worse in the near future.
I'm not sure if personal assistant or nurse are going to be AI-free. Plumber, welder, bricklayer, pest exterminator, sure. Don't underestimate the downsides of physical labor, though. Low pay and backbreaking.
What writing on the wall? If anything, I think you'll be more needed, not less, in times to come.
Ya I get the need but you miss the point - no, you can't pay me anymore to wade into that and own risk, beyond a consulting context with low skin in the game.
There is a wave of senior leads thinking like this, because the knife's edge of "enough risk to game it for pay" finally tilted too far, and the career has changed.
In terms of going home after work and not yelling at my kids and spouse due to work stress due to the 10th 0day in a week on my corporate VPN/my retail-facing app/my..., there's a real QoL issue to consider. Many outside of security consistently misunderstands the mental health/career satisfaction/pay triad.
"Consulting, if you're not a part of the solution there's money to be made prolonging the problem" - Despair.com :)
/i'm a consultant
In a situation of triage, "owning risk" is off the table.
I hope this all lands somewhere in the middle but honestly who knows at this point.
And if you're planning it, plan it soon b/c vendors like Dropzone are carving out the entry sec eng ops/ir jobs in-house or at the MSPs, and Trail of Bits skills foss on GH are carving out the 2-3x extra $3-400k TC line sec eng roles .
Good news: All the data of elected officials will be public soon, and we may finally get some regulation.
[1]: https://idtechwire.com/opinion-in-an-ai-world-every-attack-i...
I don't think the claims about capability are ridiculous. The idea that the general capability is proprietary and that it will be exclusive to the trusted partners of one company is ridiculous.
And yet, the public conversation around them has been quiet to the point of being strange.
There's a lot current events that once would have been considered historical: trip around the Moon, war out of nowhere, unprecedented explosion of kleptocracy l, enormously scandals and so long. Noone of these are moving much of the needle among general public.
Why? I think such indifference or rather apathy/torpor is a result of people becoming tired of constant stream of crises (either imaginary or real) that we're being flooded by. The capacity to react with something more than a shrug is finite. And I think we are being drained.
The fact that humanity sent people back to the moon barely even registered. Crazy times.
Are you sure that people would have cared much even in better times?
Although I'm just as subject to the fatigue as everyone else, this just isn't a pursuit that I see as important.
TBH I think dealing with global warming, cancer, homelessness, AI impact on human cognitive development, and the loneliness epidemic are far higher priorities.
I mean, part of why they cut the Apollo program short was because nobody cared back then either, after the first ~2 landings, so they muddled on a while longer but support simply vanished in a hurry. It'd be surprising if people started caring more now. I suppose if we land people on the moon it'll be a bit more of an event than this one (the landing, not the launch) but I'd expect interest to plummet again after that. Hopefully they have better-selected video feeds for the landing than they did for this launch, I had my kids watch it and it was bad enough I think I'll have trouble getting them to sit down for another NASA launch stream.
They aren't tired, they're distracted. X/TikTok/et. al. are all fire and motion mechanisms.
I think it's more that the impact of all these constant string of "crises" ends up having very little impact on the average American's lifestyle. Groceries a bit more expensive, gas higher, rent continues to creep up. Some giant incomprehensible national debt number gets higher. Those all suck and people complain about them - but they are complaining about them in packed bars while they drink $7 beers and eat $30 burgers and fries.
You can only yell so many times that the world is ending before people tune it out since their day to day lives are largely unchanged. Just look at the focus on complaining about almost irrelevant things like the price of eggs or whatever totally irrelevant culture war topic of the day. It's societal bike shedding.
I am firmly of the belief (and have been for quite some time) that the "average" middle class American is going to need severe pain - as in widespread great depression level pain - before anything really changes at all at the ground level. Americans have simply become so used to living the lifestyle being part of an insulated hegemonic superpower empire that they have taken that for granted as how things generally will always be no matter what happens. There is zero consideration for the amount of sheer effort, will, and constant vigilance it took to build and maintain such a state of being.
Or put another way: Inertia is a hell of a drug.
It's the phones, humans are being DDoSd. We need government intervention against many aspects of modern technology.
The profit motive works when it comes to reducing manufacturing costs and passing some of that on to consumers through the beauty of competition. It doesn't work so great when it's X training a transformer model to maximize the amount of time you spend doom scrolling so they can feed you gambling advertisements.
Lmao that cybercriminals are closing M&A deals to create vertically integrated SaaS companies.
Do you think anyone was made redundant through kinetic means?