A few days ago I spoke at AI Birras, an event organized by Montevive AI. The topic: how AI is changing the offensive security landscape. I wanted to share my thoughts on where things are headed, not from a hype perspective, but from someone who actually works on this stuff day to day.

The speed of exploitation

One of the first things I covered is something we’re already seeing in the wild. The time between a vulnerability being disclosed and a working exploit appearing is shrinking fast. What used to take weeks of manual work (reverse engineering the patch, understanding the bug, crafting a reliable exploit) is now being done in a matter of hours.

N-day exploit development has always been a manual, skilled effort. You take a patched vulnerability, figure out what changed, and write something that works against unpatched systems. That process required deep knowledge and patience. With AI assistance, the bottleneck is no longer the technical skill itself, but rather how well you can orchestrate the tools at your disposal.

Autonomous vulnerability discovery

We looked at examples of frontier models like Claude Opus and GPT discovering and exploiting vulnerabilities autonomously. Not theoretical stuff. Actual models analyzing code, identifying weakness patterns, and producing working proof-of-concept exploits with minimal human guidance.

This is where agentic harnesses come in. The idea is simple but powerful: you wrap a model in an agentic loop that can read source code, run tests, iterate on failures, and refine its approach. The harness gives the model structure, tooling, and feedback loops. Without a proper harness, the model is just guessing. With one, it becomes a reasonably effective vulnerability researcher.
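To make the harness structure concrete, here is an added example of the loop described above: observe a test result, ask the model for a revision, re-run the tests, repeat under a budget. It is not code from the talk or from any real harness. The model is a deterministic stub (an assumption, so the block runs offline; a real harness would call an LLM API in its place), and the task is a defensive one, getting a patch for an off-by-one bounds check to pass its tests, which exercises exactly the same read-source / run-tests / iterate-on-failure loop.

```python
"""Minimal agentic harness loop (added example, not the talk's own code).

The two control points a harness owner actually tunes are visible here:
the oracle (run_tests) that turns model output into a pass/fail signal,
and the iteration budget that stops a runaway loop.
"""
import re
import textwrap
import traceback

# Constructed sample input: a function whose bounds check is off by one.
BUGGY_SOURCE = textwrap.dedent("""
    def read_item(buf, index):
        # BUG: index == len(buf) slips through and raises IndexError
        if index < 0 or index > len(buf):
            raise ValueError("out of range")
        return buf[index]
""")


def run_tests(source: str) -> tuple[bool, str]:
    """Oracle: execute SOURCE in a fresh namespace and check its behaviour.

    Returns (passed, log). The log is what the model sees on failure.
    """
    ns: dict = {}
    try:
        exec(source, ns)
        fn = ns["read_item"]
        assert fn([1, 2, 3], 0) == 1
        assert fn([1, 2, 3], 2) == 3
        for bad in (3, 5, -1):          # must be rejected with ValueError
            try:
                fn([1, 2, 3], bad)
            except ValueError:
                continue
            raise AssertionError(f"index {bad} must be rejected")
        return True, "all tests passed"
    except Exception:
        return False, traceback.format_exc(limit=1)


class StubModel:
    """Stand-in for an LLM (assumption): returns scripted candidate conditions.

    A real model would read the source and failure log; this one ignores
    them and walks a fixed list so the loop mechanics are reproducible.
    """

    def __init__(self, candidates):
        self.candidates = list(candidates)

    def propose(self, source: str, feedback: str):
        if not self.candidates:
            return None                 # nothing further to try
        cond = self.candidates.pop(0)
        return re.sub(r"^(\s*)if .*:$", lambda m: f"{m.group(1)}if {cond}:",
                      source, count=1, flags=re.MULTILINE)


def harness(model, source: str, max_iterations: int = 5) -> dict:
    """Agentic loop: test, feed failures back, accept a revision, re-test."""
    history = []
    passed, log = run_tests(source)
    attempts = 0
    while not passed and attempts < max_iterations:
        candidate = model.propose(source, log)
        if candidate is None:
            break
        attempts += 1
        passed, log = run_tests(candidate)
        history.append((attempts, passed, log.strip().splitlines()[-1]))
        source = candidate              # iterate from the latest revision
    return {"status": "solved" if passed else "unsolved",
            "attempts": attempts, "source": source, "history": history}


if __name__ == "__main__":
    model = StubModel([
        "index < 0 or index == len(buf)",   # wrong: index > len still passes
        "index < 0 or index >= len(buf)",   # correct
    ])
    for step in harness(model, BUGGY_SOURCE)["history"]:
        print(step)
```

The interesting part is not the stub but the shape: the model never decides when it is done, the oracle does, and the budget caps how much the loop is allowed to spend. Those are the same knobs whether the loop is writing a patch, as here, or being pointed at something else.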

The barrier to entry for sophisticated attacks is dropping because of this. And the window for patching is getting narrower every month.

The human factor

Despite all of this, I made a point that I genuinely believe: the human isn’t going anywhere. The role is evolving, not disappearing.

What AI gives us is raw capability: speed, scale, coverage. But someone needs to direct all of that. The value shifts toward the person who can design agentic architectures, chain tools together intelligently, and make judgment calls that models still can’t make on their own. The offensive security engineer of the future is less about manually crafting every payload and more about building the systems that do it at scale.

And let’s be real: knowing how to build those systems, knowing what to point them at, knowing when the output is wrong, that’s still a skill. A different kind of skill, but a skill nonetheless. The people who understand the fundamentals will be the ones getting the most out of AI. The ones who don’t will just be running tools they don’t understand.

Why this matters

I think we’re at a genuinely important moment. Not because the sky is falling, but because the tools are getting powerful enough that everyone in this industry needs to pay attention. This should motivate us, not paralyze us.

Every professional in cybersecurity needs to adapt to this reality. The ones who do will find themselves with capabilities that would have been unthinkable just a couple of years ago. The ones who don’t will be outpaced.

Thanks to Montevive AI for organizing AI Birras and for having me. Sharp questions, good conversations, and a really well-run event. Looking forward to the next one.