Offense Scales With Compute. Defense Scales With Headcount.
There's always been an asymmetry in cybersecurity: attackers need to find one way in, defenders need to cover every way in. That asymmetry is structural and well-understood.
What's changing is how each side scales.
The attacker's scaling function
Attackers adopt AI tools with zero friction. No procurement cycle. No change management. No headcount approval. No compliance review. When a new capability appears (an AI-powered exploit generator, an automated reconnaissance tool, an LLM that can analyze patches and identify vulnerabilities), it's deployed immediately.
CrowdStrike's 2026 Global Threat Report quantifies the impact: AI-enabled attacks surged 89% year-over-year [1]. Average eCrime breakout time, the time from initial access to lateral movement, fell to 29 minutes. The fastest observed breakout: 27 seconds [1]. ReliaQuest's data is even sharper: threat actors using AI and automation now achieve lateral movement in as little as 4 minutes, 85% faster than the prior year. The median time from initial access to passing action to a secondary threat stage: 22 seconds [9].
At RSAC 2026, Kevin Mandia said: "The scale and scope and total recall of an AI agent compromising you and swarming you is not humanly comprehensible" [2]. Alex Stamos added: "It's quite possible that all this development we've done in memory-unsafe languages... none of that is actually secure in the presence of superintelligent bug-finding machines" [2].
The attacker's cost per operation is dropping while their speed and coverage increase. They scale with compute, and compute is expected to increase 3x in 2026 [3]. Researchers have already demonstrated multi-agent AI systems that automatically convert CVE descriptions into working exploits with no human in the loop [7]. Anthropic's own research showed their model replicating the Equifax breach autonomously, recognizing a CVE and writing exploit code without looking it up, using only standard Kali Linux tools [8]. Even the companies building the models are warning that "substantial research is needed to equip cyber defenders with AI-enabled tools to keep pace" [8]. The gap between vulnerability disclosure and weaponization is being automated.
The defender's scaling function
Defenders scale with headcount. Hiring cycles, training programs, retention challenges, burnout. Every security team has a fixed number of analysts, and every analyst has a fixed number of hours. There are 4.8 million unfilled cybersecurity roles globally, and 67% of organizations report being short-staffed [10]. Even where teams are fully staffed, the skills gap has overtaken headcount as the top workforce challenge: 60% of organizations now say skills gaps are the bigger problem, compared to 40% citing raw headcount [10].
The humans who are there are burning out. U.S. cybersecurity professionals work an average of 10.8 extra hours per week beyond their contracted schedules, effectively a six-day week [11]. Nearly half say the job feels emotionally exhausting more often than rewarding [11].
The work is growing faster than the teams:
- CVE volume: 48,185 in 2025, projected 59,000+ in 2026 [4][5]
- Scanner findings: proportional to CVE volume × environment size
- Attack path complexity: grows with cloud infrastructure complexity
- Exploitation speed: 5-day average time-to-exploit [6]
- Remediation capacity: unchanged (same team, same change windows, same organizational processes)
SecurityWeek described the state of vulnerability management as "stuck with the same time-consuming and error-prone manual tasks of the past decade" [3]. The tools have improved incrementally. The workflows haven't fundamentally changed. And the volume has doubled.
The result is a widening gap: attackers operate at machine speed with expanding coverage, while defenders operate at human speed with fixed capacity.
Where the gap shows up in practice
Triage bottleneck. Every finding from every scanner needs an analyst to evaluate context, determine priority, and route for action. As scanner output grows, the triage queue grows. Analyst capacity doesn't. The backlog becomes a permanent feature, not a temporary spike.
Context assembly. For each finding worth investigating, an analyst needs to determine: is it exploitable in our config? Is the resource reachable? What's downstream? This requires correlating data across multiple tools: the scanner, the CMDB, the cloud console, the network topology, the identity system. It's manual, it's slow, and it's the same work repeated for every finding.
Cross-team coordination. Vulnerability management doesn't end at the security team. Remediation involves platform engineering, application developers, network operations, IT, and sometimes leadership approval. Every handoff introduces delay. Every team has its own priorities, backlogs, and capacity constraints.
Reporting and compliance. Tracking posture, demonstrating progress, answering leadership questions about exposure. This work scales with the complexity of the environment and the volume of findings, another tax on the same fixed team.
Each of these scales linearly (or worse) with volume. None of them get faster when the team stays the same size.
The only way defense scales with compute
Headcount growth won't close the gap. Even organizations that double their security teams will face double the volume by the time the hires are onboarded.
The only way defense keeps pace is by shifting work from humans to intelligence that's pre-computed:
Pre-computed exploitability. Instead of analysts manually evaluating whether conditions are met, verify automatically against the environment. The analyst reviews the verdict, not the conditions.
Pre-computed exposure. Instead of analysts tracing attack paths manually across tools, model the environment as a graph and compute paths continuously. The analyst sees the path, not the raw topology data.
Pre-computed remediation options. Instead of analysts researching what to do about a finding, surface the options automatically: upgrade, mitigate, compensate, with the risk-reduction impact of each.
Self-service access. Instead of every question routing through a security analyst, let platform engineers, developers, network ops, and leadership query the data directly. The security team sets policy and handles exceptions, not every individual question.
This doesn't replace the security team. It shifts their work from data assembly and manual investigation to judgment calls and exception handling: the work that actually requires human expertise.
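A sketch of pre-computed exploitability and exposure working together, added here as an illustration and not taken from any product or from the sources cited. The asset names, finding IDs, configuration keys and the "edge means can connect to" reachability model are all constructed assumptions.

```python
from collections import deque

# Constructed sample environment. An edge A -> B means "A can open a connection to B".
EDGES = {
    "internet": ["lb-public"],
    "lb-public": ["web-1", "web-2"],
    "web-1": ["app-1"], "web-2": ["app-1"],
    "app-1": ["db-customers"],
    "build-runner": ["app-1"],  # internal only: nothing routes to it
}
CROWN_JEWELS = ["db-customers"]
# Constructed configuration facts, as a CMDB or cloud API might report them.
CONFIG = {
    "web-1": {"tls_module": True}, "web-2": {"tls_module": False},
    "build-runner": {"debug_endpoint": True},
}
# Constructed scanner findings; IDs are placeholders, "requires" lists preconditions.
FINDINGS = [
    {"id": "FINDING-A", "asset": "web-1", "requires": {"tls_module": True}},
    {"id": "FINDING-A", "asset": "web-2", "requires": {"tls_module": True}},
    {"id": "FINDING-B", "asset": "build-runner", "requires": {"debug_endpoint": True}},
]

def shortest_path(src, dst):
    """Breadth-first search over EDGES; returns the node list or None."""
    seen, queue = {src}, deque([[src]])
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in EDGES.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def triage(finding):
    """Return (verdict, path) so the analyst reviews a conclusion, not raw data."""
    cfg = CONFIG.get(finding["asset"], {})
    if any(cfg.get(k) != v for k, v in finding["requires"].items()):
        return "not exploitable in this config", None
    inbound = shortest_path("internet", finding["asset"])
    if inbound is None:
        return "exploitable, not reachable from internet", None
    for jewel in CROWN_JEWELS:
        onward = shortest_path(finding["asset"], jewel)
        if onward:
            return "exploitable and on a path to " + jewel, inbound + onward[1:]
    return "exploitable and reachable, no path to a crown jewel", inbound
```

Calling `triage` on each entry in `FINDINGS` turns three scanner rows into one finding that needs action, one that can be deprioritized, and one that can be closed with its reason recorded.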
The attacker scales with compute. The defender needs to scale with intelligence: pre-computed, continuously updated, and accessible to every team that needs to act.
Most of that intelligence work today is investigating findings that aren't exploitable. Why the noise exists and how to cut through it.
References
[1] CrowdStrike. (2026, February). "2026 Global Threat Report."
[2] CyberScoop. (2026). "Security leaders say the next two years are going to be 'insane.'"
[3] SecurityWeek. "How to 10x Your Vulnerability Management Program in the Agentic Era."
[4] Gamblin, J. (2026, January 1). "2025 CVE Data Review."
[5] FIRST.org. (2026, February 11). "Vulnerability Forecast for 2026."
[6] CyberMindr. (2025). "Average Time-to-Exploit in 2025."
[7] Ullah, S. et al. (2025). "From CVE Entries to Verifiable Exploits: An Automated Multi-Agent Framework for Reproducing CVEs."
[8] Anthropic. (2026, January). "AI Models' Expanding Cyber Capabilities."
[9] ReliaQuest. (2026). "Threat Actors Achieve Lateral Movement in as Little as 4 Minutes."
[10] Viva-IT. (2026). "The Cybersecurity Talent Cliff: Closing the 4.8 Million Skills Gap by 2026."
[11] Help Net Security. (2026, March). "Cybersecurity professionals are burning out on extra hours every week."