You Will Be Outspent on Tokens
Outspending attackers on tokens isn't a viable defense strategy. The economics only bend for defenders who weaponize their own context.
Post-AI Security Economics Favors the Attacker
The thing that shifted my thinking on the changing unit economics of offense vs. defense in security wasn't the Mythos report from Anthropic itself — it was a combination of the shifting cost dynamics between attackers and defenders, what we're seeing from our own data running continuous adversarial engagements with customers, and most of all, what's happening to bug bounty programs and open security research right now.
A hundred decentralized hunters can each spend a few hundred dollars on AI agents to probe a single target from dozens of angles over a weekend. The defender has to secure the full attack surface, triage every submission, and sift signal from noisy issue reports — exponentially more work than any individual hunter or attacker.
Security's central objective function has always been, in my opinion, about making offense asymmetrically more expensive than defense. Pre-LLMs, it took capable operators months of manual research, planning, and careful execution to discover eligible attack vectors and exploit them, all while taking great care to preserve their own operational security. The barrier to entry for becoming a meaningfully dangerous threat actor was high, and even with an increasingly high skill cap on operators, they were still fundamentally limited by human capital.
Now that limit has shifted to financial capital. Threat actors can now horizontally scale their operations by just dumping more money into token spend — the same way researchers already are, and the same way Anthropic illustrated in their Mythos Preview report. Run a swarm of agents in parallel to search for and test potentially vulnerable paths in a target system. That swarm can run 24/7, limited only by how many tokens you're willing to pay for and how long you're willing to let it run. More tokens, more time, more paths searched. Even if the probability of finding a truly critical vulnerability on any given run is low, you have effectively ~infinite at-bats to hit a home run.
Offense Is Comparatively Cheap at Scale
Let's walk through the AI-enabled attacker's cost structure as it was laid out in the Anthropic Mythos reports.
From Anthropic's red team blog post:
- OpenBSD zero-day discovery: ~$20,000 for 1,000 runs. ~$50 per successful run.
- FFmpeg zero-day campaign: ~$10,000 across several hundred runs.
- N-day exploit development (turning a known CVE into a working exploit): under $1,000. Half a day of wall time.
- Unix socket privilege escalation exploit: under $2,000. Under a day.
The UK's AI Safety Institute published their independent evaluation of Mythos on a realistic cyber range: a 32-step simulated corporate network attack spanning reconnaissance through full network takeover. The kind of sustained, multi-stage operation that real pentesters and attackers actually perform.
- Mythos solved the full range in 3 out of 10 attempts. A 30% success rate, achieving full network compromise.
- It averaged 22 successful steps out of 32 across all runs. It gets deep into the network but frequently stalls before completing the kill chain.
- Each run consumed up to 100 million tokens. The model continued improving with more tokens, with no plateau in sight.
Per Anthropic's Project Glasswing announcement, Mythos Preview is priced at $25 per million input tokens and $125 per million output tokens. In an agentic loop, the model re-ingests its growing conversation context at every step, so input tokens dominate — a reasonable estimate is 85-90% input, 10-15% output. For a 100M-token run:
- Conservative (90/10 split): 90M input × $25/MTok + 10M output × $125/MTok = $2,250 + $1,250 = $3,500
- Moderate (80/20 split): 80M × $25 + 20M × $125 = $2,000 + $2,500 = $4,500
Call it $3,500-$5,000 per attempt. Multiply by 10 runs: $35,000-$50,000 for a single campaign against a single simulated network. You pay for failures too — you don't know which attempts will succeed in advance. Only 3 of the 10 runs completed the full kill chain, so the effective cost per successful network compromise is ~$12,000-$17,000.
For context, the AISI found the next-best model (Opus 4.6) averaged only 16 of 32 steps. And this is on a range with no active monitoring, no defensive tooling, and no security alert penalties. Real environments are harder.
While these costs are prohibitively high for most threat actors, well-resourced and sufficiently motivated groups would conceivably be willing to churn through this many tokens if the target were valuable enough.
The cost to build a v0 of an offensive security agent is also now trending closer to zero. Anyone with a Claude Code subscription can spin up a "hack0r agent" harness and start churning tokens against easily accessible targets. Scale that up to multiple well-capitalized threat actor groups (whether criminal or nation-state), and as a defender you're fighting a multi-front war against adversaries who can horizontally scale their attacks, in theory without limit, by just spawning parallel agents.
In this model, the defender is at an economic disadvantage.
The Swarm Shift
This is the part I keep coming back to, because I think it changes the shape of the problem rather than just the scale.
The pre-AI security model assumed a relatively small number of sophisticated adversaries. Nation-states, organized crime, skilled independents. You could reason about who might target you and why. Threat modeling was hard but tractable because the capable attacker population was small and fundamentally limited by human capital — you needed humans to write scripts, discover vulnerabilities, run the campaigns, etc.
When the lever for attackers is just "how much are you willing to spend on tokens?", the barrier to entry for frontier-grade offensive capability becomes a credit card and an API key. This is why I don't think the "script kiddie" category meaningfully exists anymore — not because those people went away, but because the floor of capability rose. Everyone with API access can conceivably operate at a level that previously required years of specialization. Script kiddies are just "AI engineers" now.
The interesting consequence: they don't need to coordinate. A thousand independent actors, each probing different parts of an attack surface with thousand-dollar budgets, create emergent coverage without any central orchestration. Even if no single attacker is running a sophisticated campaign, the aggregate effect is as if someone is.
This issue is endemic in the security researcher and startup ecosystem. "Researchers" and startups are just hammering their agents at any target they can find. Open source projects and bug bounties are the first places where things are starting to break.
The sheer volume of noise being blasted at targets, amplified by the new lower barriers to entry, is leading to sloppy (i.e., AI-slop) reports. Many companies and OSS projects are now either sunsetting their bug bounties or going private/closed source. The burden of work lands, yet again, on defenders, many of whom aren't equipped to handle this kind of scale. And yet they're being scolded by bug bounty hunters and researchers for not triaging reports as fast as they were submitted.
Cal.com — one of the largest open source projects on GitHub — just went closed source, mostly citing the changing security landscape as a key driver.
The proximate cause isn't attackers exploiting their code. When your codebase is public, anyone can aim a model or harness at it and generate a firehose of security findings. The slop-cannon fire that large open source projects absorb today is genuinely detrimental to real security research. Critical issues submitted by well-intentioned researchers and contributors get drowned out by the machine-gunned noise.
It's worth sitting with what this represents. The same dynamics that make offense so cheap — lowering the entry cost for new security research talent — are also degrading the overall quality of reports. Open source maintainers are experiencing the pain of the swarm problem before anyone else — not from coordinated attackers, but from a thousand independent "AI pentesters" and researchers each trying to collect CVEs. The cost of producing findings dropped to near zero. The cost of triaging them stayed the same: human attention, which doesn't scale. Throwing AI triage agents at the reports can help, but you still end up with asymmetric costs associated with triaging reports from a hundred different sources.
I've publicly supported Cal.com's decision, and I wager they also know that going closed source only reduces the noise surface. It doesn't reduce the vulnerability surface. The attack surface still exists and the economics are still broken — this just buys them additional time to find attack vectors internally and patch them before they hit production or are discovered by threat actors.
This is a preview of what the broader industry is about to experience. Open source projects are feeling it first because their code is maximally reachable and their attack surface is easily discoverable.
Three Compounding Forces
I think there are three forces that make this worse over time rather than better.
Frontier models are actually getting more expensive. Each new class of LLM released by frontier labs seems to be increasing in price. Mythos, for example, would be prohibitively expensive for most companies at the reported token costs. Even if frontier model pricing drops by orders of magnitude, it does so for both sides of the arena. Trying to outspend attackers on tokens is not a sustainable strategy when you're faced with decentralized threats. On top of that, security budgets in large organizations will likely be competing with development and R&D budgets for AI spend, not to mention sales, marketing, etc. Security is a cost center, and though the sentiment around this is rapidly changing for the better, security teams will still be competing against areas where budget allocation is immediately defensible (e.g., giving engineers more money to spend on AI is much more likely to be approved than giving security the same).
Open-weight models are coming. Anthropic has been explicit in both the Mythos red team post and the Project Glasswing announcement that restricted access is meant to give defenders a head start "before models with similar capabilities become broadly available." My read on the likely timeline: open weights historically lag the frontier by ~9 months, and when that gap closes, it lowers the barrier of access to frontier offensive capabilities for adversaries as well as defenders. Most security teams, however, do not have the facilities or budgets to self-host open source models and reap the economic benefits of doing so, and using third-party inference providers is usually a non-starter (if you're a security researcher, or on a security team deploying open models, we're hiring — or would love to talk).
Attack surfaces are growing faster. Software factories (e.g., coding agents deployed at scale) are combinatorially growing the attack surface as engineering teams use AI to ship faster, which increases the amount of work required to achieve adequate security coverage.
The third point is a structural reality of how modern software is built, and I think it's going to get much harder before it gets easier, making it increasingly urgent for security teams to adapt.
The Context Advantage
The industry's response is already taking shape: bug bounties are being culled in favor of self-hosted agentic adversarial testing. The economics of maintaining a bounty program have inverted — payouts and triage labor are outrunning the benefits as AI-enabled hunters flood the zone with slop. But replacing bounties with your own fleet of offensive agents isn't a solution if the strategy is still "spend more tokens to fix it." That's the same losing trade, just moved in-house.
Where defenders can create a real advantage and shift the economics in their favor is in the fact that they own all the context for how their systems work — what's probably vulnerable, where the security and tech debt lives, what the canonical attack surface is, which complex business logic might be exploitable, where the largest-impact targets are, and so on.
Making this context accessible to an agent makes that agent exponentially more efficient at finding, testing, and patching threat vectors. This isn't "security by obscurity" — it's a pruning of the search space so you can find exploits internally before anyone else. By reducing the search space an agent has to traverse to discover vulnerabilities in your system, you spend significantly fewer cycles (and tokens, i.e., money) to find the issues that attackers would have otherwise found given enough time and capital.
This context can live in docs, architectural diagrams, security policies, or your Confluence and Notion spaces. It can be raw source code or even previous pentest reports. The point is: this is context that you and your organization own, and when you hand it to an AI agent it accelerates the agent's ability to discover, verify, and remediate threat vectors in your systems. It's the same context that has always given your security team the advantage when defending against human threats.
Deploying your own offensive agents can now weaponize these internal sources of context at scale to swing the economics of AI-enabled cyberwarfare in your favor. They have to be deployed, however, in such a way that makes each dollar spent on AI inference (i.e., tokens) for defense asymmetrically more impactful than each dollar spent by an adversary attacking your system as a black box.
That's the bet we're making with Apex — our open source offensive security agent that powers all of our adversarial testing engagements at Pensar from hypergrowth startups to regulated financial institutions.
