If AI Builds Your Code, AI Can Break It
There is a topic nobody wants to talk about in cybersecurity: the same technology that is writing your new features can also write the exploits to break them. The difference is that the people trying to breach your systems do not have to ask for budget approval or go through compliance processes before using these tools.
The asymmetry problem
Software development used to have a predictable rhythm. Smart humans wrote code, other humans reviewed it, caught some bugs, and shipped the product. Cybersecurity was a game of cat and mouse, but both sides were playing strictly at human speed.
Large language models broke that physics forever.
Today an attacker has a machine that can scan millions of lines of code in seconds to find logic flaws, race conditions, and authentication issues that would take a human auditor weeks to spot. Once it finds the crack, the model generates exploit chains automatically, testing one angle after another without getting tired. By the time your monitoring alerts go off and a human on your team wakes up to check the log, the attacker has already tried a thousand different vectors.
Meanwhile, your security team is still operating at human speed. They are still reading alerts by hand, updating plain text playbooks, and investigating incidents one by one. This is not a fair fight; it is bringing a knife to a gunfight.
Your open source code is a weapon against you
The offensive application of this technology is brutal. If you hand a codebase to a model trained on offensive security, it will find problems faster than any traditional pentest. Imagine what happens when an attacker feeds your public repository to a model, or worse, when they gain access to your private code through a compromised dependency.
Social engineering has also stopped being a poorly written email from a strange server. Today AI generates spear-phishing campaigns at scale that sound exactly like your CTO wrote them, adapting the technical language to your company’s specific architecture, which the model deduced by reading your engineers’ LinkedIn profiles.
The double standard will kill you
The most absurd part of all this is the double standard companies maintain. The same executives who approve AI tool licenses so engineers can write code faster refuse to release the budget for the security team to do the same. Engineering gets a brutal force multiplier while security gets a new dashboard that nobody has time to look at.
Your development teams use artificial intelligence to deploy code at a speed you have never seen, generating more attack surface every hour, while your security teams use spreadsheets and old scripts to try and protect that volume. One side accelerates, the other drowns.
Machine speed
The real risk today is not that artificial intelligence becomes sentient; the risk is the complacency of technical teams. Security is still based on the same principles of understanding your attack surface and reducing your vulnerabilities, but the speed and scale of the game just multiplied by a thousand.
If attackers automate vulnerability discovery at machine speed and you try to stop them with auditors reviewing pull requests at human speed, the outcome is already decided. Not using AI in your defense strategy does not make you prudent; it makes you an easy target.