These days, in almost all my discussions I get asked what I think about AI and the future of security, so I figured I should share it here
Short version: I try not to have a strong opinion yet. We are clearly in a transition phase, and outside of people working directly on foundation models, no one really has a solid view of where this is going
Over the past months, LLMs improved a lot. The releases at the end of 2025 were a real step change. In practice, most people I know (myself included) have barely written code in the past 2-3 months. For security, we went from "this is fun" to "this is actually useful"
Right now, the best mental model I have is that we effectively jumped from having no tooling to having an advanced static analyzer or fuzzer. A lot of bugs that used to take time to find can now be surfaced quickly
Does that mean security researchers disappear in 2 years? Based on today’s tech, I do not think so. There are a lot of bugs to be found. Some are found by humans, some by traditional techniques, and now some by LLMs. But it does not mean all bugs get found. If anything, history suggests there are always more bugs than anyone expects, and that gap does not go away easily
The real question is: do LLMs get another capability jump, or just steady iteration? There are reasonable arguments both ways. To be honest, I do not have enough understanding of how these models evolve to have a confident answer. And anyone giving a very definite answer is probably overconfident, unless they are working directly on the models
Depending on that, the role of security researchers could change a lot, including the way we work. The demand could decrease if models get very strong at finding bugs. But it could also increase if the amount of code grows faster than the models’ ability to reason about it. We could even end up with a shortage of experienced researchers in a few years if fewer juniors enter the field while seniors move elsewhere. It is hard to predict because everything depends on how model capabilities evolve
On the business side, I am skeptical about "AI audit as a service". If models keep improving, it is hard to see how these companies compete with native offerings from OpenAI or Anthropic. Especially if those providers stop exposing raw capabilities and push everyone into their own products. I tried codex security, and while it is not perfect, it is clear where this is going. Mythos / Capybara seem to be around the corner, and it will be interesting to see how far it goes
My current bet is that within a few months, tools like codex or claude security will be great at finding blockchain issues, and they will integrate directly into most dev pipelines. At that point, the marginal value of an extra "AI audit SaaS" becomes limited
So what to do as a security researcher? Be adaptive. This is a transition period, and things will likely move fast in 2026. Stay curious, and keep working on skills that give you an edge. Regularly reassess where you are strong or weak, and where AI helps you versus where it replaces you. If you like challenges, see AI as one that pushes you to improve
Also, be careful with what people call "cognitive debt" or "brain rot". I was skeptical at first, but I do see it now. The more I rely on LLMs during an audit, the more I lose part of the intuition that I normally build while going deep into code. That intuition is still critical to find complex bugs. I have not found the right balance yet, but it is something to watch
It probably makes sense to revisit your view on LLMs every 3-6 months. I have already been wrong a few times on this, and I am fine with that, as long as I don’t get locked into a fixed view
Finally, a lot of people focus on the downside for security researchers. But there are also upsides. I can explore codebases much faster, build custom tooling easily, and spend less time on boring tasks. Maybe it’s my last few years/months as a security researcher, maybe not. But at least LLMs let me have some fun before doomsday 😅
Been getting deeper into cybersecurity lately and wanted to get certified.
In case anyone on here finds it helpful, I documented my OSCP study process as well as the important commands, tools, guides, and courses that I’ve found helpful:
https://t.co/CwnST6ml7k