AI/ML

Cheap AI has changed the economics of hacking


COMMENTARY: There’s a war of attrition happening across corporate networks right now, and defenders are losing it the same way armies lose wars of attrition: by spending more per engagement than their opponents. The cost of mounting a cyberattack has plummeted, and most security budgets are not attuned to that reality.

To understand the problem, consider a different kind of conflict zone. On the front lines of modern warfare, first-person-view drones have become a dominant offensive instrument. They cost a few hundred dollars to build, are flown by a single operator, and are produced at industrial scale. The tactical problem for defenders is economic. Shooting down a $400 drone with a $400,000 missile does not represent a victory. It might offer a short-term advantage, but it is a clumsy, economically unsustainable strategy.

Cybersecurity faces the same dynamic.


Security teams have long operated on the premise that sophisticated attacks require sophisticated attackers. That expertise acted as a natural rate limiter on offensive activity, making hacking expensive, slow, and difficult to scale. Defenders could keep up because attackers faced the same scarcity constraints as everyone else: time and talent. AI has removed both constraints simultaneously.

The defenders adapting to the drone era are not the ones trying to shoot down every threat with expensive ordnance. They rethink the economics of engagement — operating leaner, faster, and continuously. Modern militaries are already experimenting with cheaper countermeasures like nets, jamming systems, and directed-energy weapons to counter low-cost drones. Cybersecurity has begun to see the same shift.

Tasks that historically required large analyst teams — anomaly detection, log analysis, alert triage, attack-path mapping — are increasingly automated or augmented by specialized models operating continuously at scale. But most organizations are still deploying AI as an efficiency layer on top of workflows designed for a slower era, rather than redesigning operations around the new economics entirely.

The industry needs an economically feasible defense

Browser-use, a browser automation company, published benchmarks showing its purpose-built model outperforms frontier models at web navigation while costing roughly 50 times less to run. Cursor made the same bet: its in-house code-editing model operates at a fraction of the cost of frontier alternatives while performing just as well within its domain. It’s a consistent pattern: optimize for a narrow task, and customers stop paying for capabilities they do not need. Applied to offensive security, the implications are profound.

Hacking functions as a set of specific, repeatable tasks: scanning for exposed services, identifying software versions, correlating vulnerabilities, crafting payloads, probing authentication logic, and chaining weaknesses across systems. These tasks do not require general intelligence. They reward deep, narrow competence.

A model built for offensive security does not need to write poetry or summarize contracts. It just needs to be faster, more thorough, and cheaper than a human red teamer doing the same job. An attacker running that kind of model can probe attack surfaces at a scale and speed no human team can match, and at a cost that makes sustained campaigns viable for actors who previously lacked the resources. The same arithmetic that makes a $400 drone dangerous makes a cheap, purpose-built attack model dangerous: volume, persistence, and favorable exchange rates.

Security teams need to adapt. There’s no one-size-fits-all response, but a few moves are becoming clear:

  • Replace point-in-time audits with continuous, automated attack surface management.
  • Push vulnerability triage further toward automation. Teams are already drowning in CVEs they will never patch, and the problem compounds as attack tooling scales.
  • Reduce reliance on signature-based detection as a primary defense layer. AI-generated attacks will increasingly evade known signatures, even if signature-based systems still retain tactical value.
  • Treat exposure reduction as a primary metric, not an afterthought.
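What the first and last of those moves look like in practice, as an added example that is not part of the column and not Hadrian's tooling: two constructed scan snapshots of an internet-facing estate are diffed so that newly exposed services surface on every run rather than at an annual audit, and each snapshot is reduced to a single exposure number that can be tracked as a metric. The hosts, ports, banners and the port risk weights are all assumptions made up for the illustration.

```python
"""
Added example (not from the column or from Hadrian): a minimal continuous
attack-surface diff plus an exposure metric.  Every host, port, banner and
risk weight below is constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Service:
    """One externally reachable service as a scanner would report it."""
    host: str
    port: int
    banner: str


# Constructed snapshot from the previous scan run (hypothetical hosts).
SCAN_T0 = {
    Service("203.0.113.10", 443, "nginx/1.24.0"),
    Service("203.0.113.10", 22, "OpenSSH_9.6"),
    Service("203.0.113.11", 8080, "Jenkins/2.387"),
}

# Constructed snapshot from the current run: two services appeared since T0.
SCAN_T1 = {
    Service("203.0.113.10", 443, "nginx/1.24.0"),
    Service("203.0.113.10", 22, "OpenSSH_9.6"),
    Service("203.0.113.11", 8080, "Jenkins/2.387"),
    Service("203.0.113.12", 3389, "ms-wbt-server"),
    Service("203.0.113.13", 5432, "PostgreSQL 15"),
}

# Assumed weights: how much an internet-facing listener on this port adds to
# exposure.  Remote-desktop, SMB and raw database ports are weighted highest;
# anything not listed gets a default of 2.
PORT_RISK = {3389: 10, 445: 10, 5432: 8, 8080: 5, 22: 3, 443: 1}
DEFAULT_RISK = 2


def service_risk(svc: Service) -> int:
    """Risk weight for a single exposed service."""
    return PORT_RISK.get(svc.port, DEFAULT_RISK)


def diff_exposure(prev: set, curr: set) -> dict:
    """Return services that appeared and disappeared between two scans."""
    return {
        "added": sorted(curr - prev),
        "removed": sorted(prev - curr),
    }


def exposure_score(snapshot: set) -> int:
    """Single number for the whole estate; the goal is to drive it down."""
    return sum(service_risk(s) for s in snapshot)


def triage(new_services: list) -> list:
    """Order newly exposed services so the worst one is looked at first."""
    return sorted(new_services, key=lambda s: (-service_risk(s), s.host, s.port))


def run_cycle(prev: set, curr: set) -> dict:
    """One iteration of the continuous loop: diff, score, rank."""
    delta = diff_exposure(prev, curr)
    return {
        "score_before": exposure_score(prev),
        "score_after": exposure_score(curr),
        "new_exposures": triage(delta["added"]),
        "closed_exposures": delta["removed"],
    }


if __name__ == "__main__":
    result = run_cycle(SCAN_T0, SCAN_T1)
    print(f"exposure {result['score_before']} -> {result['score_after']}")
    for svc in result["new_exposures"]:
        print(f"NEW  {svc.host}:{svc.port}  {svc.banner}  (risk {service_risk(svc)})")
    for svc in result["closed_exposures"]:
        print(f"GONE {svc.host}:{svc.port}  {svc.banner}")
```

The point of the loop is the cadence, not the scoring: the same diff run hourly against live scan output is what turns "we audited this last quarter" into "this listener appeared 40 minutes ago". The weights are a placeholder for whatever the team actually prioritises on (exploitability, asset criticality, patch age); what matters is that the number moves in the right direction between runs.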

If offense runs at machine speed, defense has to match the cadence.

Compliance was built for a different threat environment

Security teams must also focus on their organizational challenges. Compliance has been the financial lifeblood of security investment for two decades — SOC 2, PCI, HIPAA, and the broader ecosystem of frameworks that justify headcount and tooling budgets. That budget source is real and worth protecting.

But compliance frameworks are built around point-in-time audits, annual assessments, and static control lists — mechanisms designed for a world where attacks were slower and more expensive. Retaining compliance as a budget source while reorienting operations toward continuous, automated, economics-optimized defense represents the political challenge many security leaders navigate every day, even if few discuss it openly.

Cheap AI has caused the cost of hacking to plummet. But has the cost of defending against it fallen at the same rate?

That gap represents the actual risk. Price it accordingly.

Klaas Meinke, Head of AI, Hadrian

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
