This article was originally published by Robert E. Johnson, III on LinkedIn.


There's a dangerous idea taking hold in the cybersecurity industry right now. It sounds modern. It sounds like progress. And it's incomplete. 

The idea goes like this: if attackers are going to use AI, defenders just need better AI.

I understand the appeal. It's clean, it's symmetrical, and it lets us believe the problem is fundamentally the same as it's always been — just faster. Buy the better engine, win the race. 

But think about what that race actually is. The attacker runs a machine that generates thousands of probable paths to compromise. The defender answers with another machine trying to predict which path is most likely to be used. Two probability engines, pointed at each other, both guessing at scale. 

We haven't solved anything. We've made the guessing game faster, louder, and more expensive.

Cybersecurity cannot be one probability engine fighting another probability engine. At some point, you need something neither machine can give you: truth. You need to know what changed, and whether the system still matches its known-good state. This isn't a probabilistic question. It's an integrity question — and the difference between those two things is about to matter more than it ever has. 

 

Mythos should be a wake-up call

Anthropic's Claude Mythos Preview should make every security leader stop and rethink the future of vulnerability management. 

In Anthropic's own testing, Mythos identified thousands of zero-day vulnerabilities across every major operating system and every major web browser — including a 27-year-old bug in OpenBSD, an operating system famous for being hard to break. It didn't just find flaws. It chained them together, reverse-engineered systems, and wrote working exploits autonomously. 

Here's the part that should change how you think about the next eighteen months. This capability wasn't the product of specialized cybersecurity training. It emerged from a general-purpose model. And it produced functional exploits in hours, at a cost measured in tens or hundreds of dollars. 

Anthropic itself estimates a six-to-twelve-month window before adversaries can replicate the capability. 

Not someday. Now.

For most of the history of this field, the economics protected us. Finding a serious vulnerability took skill, time, and patience — a scarce combination. The scarcity was, quietly, one of our most important defenses. It meant the number of people who could turn a subtle flaw into a working exploit was small, and the time it took them was long enough for defenders to keep pace. 

[Figure: cost to turn a vulnerability into a working exploit]

Frontier AI collapses that scarcity. When the cost of finding and weaponizing a vulnerability drops toward zero, the economics that protected us for decades stop protecting us. And our entire operational model — find the vulnerability, prioritize it, patch it, verify the patch, repeat — was built for the old economics. 

The cycle was already strained. AI will break it. 

 

This is no longer just industry chatter

If you think this is hype confined to security vendors and AI labs, look at what just happened. 

On June 2, 2026, the White House issued an executive order, "Promoting Advanced Artificial Intelligence Innovation and Security," that treats AI-enabled vulnerability discovery as a national security matter. It directs the Treasury to stand up an AI cybersecurity clearinghouse to coordinate vulnerability scanning, validate flaws, and prioritize the distribution of patches. It tasks the NSA with building a classified process to benchmark the cyber capabilities of AI models and define the threshold at which a model becomes dangerous enough to warrant special handling. It even points federal grant funding toward "advanced AI vulnerability detection."

Set the politics aside. Whatever your view of any administration, the signal here is unambiguous: the federal government now considers machine-speed vulnerability discovery serious enough to build new institutions around it. 

And notice what those institutions are built to do. Scan. Discover. Validate. Prioritize. Patch. Distribute. 

That is the right instinct, and it tells you how real the threat has become. It is also, almost entirely, an effort to win the discovery-and-patch race faster. Which brings us to the uncomfortable question this article exists to ask: what happens when you can't win that race by going faster?

 

The end of human-speed defense

For years, organizations have lived inside the same loop.

A vulnerability is disclosed. Teams scramble. Vulnerability scanners run. Tickets open. Patches get tested. Change windows get negotiated. Exceptions get granted. Compensating controls get documented. And before the work is finished, the next wave arrives. 

Every security leader reading this knows that loop intimately, because they've been living in it for their entire career. It was exhausting, but it was survivable, because it moved at human speed on both sides. Attackers were people too. They got tired. They made mistakes. They took time. 

Now imagine that same loop when one side no longer operates at human speed. When AI can discover more vulnerabilities, faster, across more code, in more environments, with far less human expertise required. 

The problem was never simply that attackers get better tools. It's that the tempo changes — and the underlying math was already lopsided. 

Attackers need to find one path. Defenders have to protect every path, across every system, every configuration, every file, every user, every service, every dependency, every cloud setting, every device — every day. That asymmetry has always existed. It's the oldest unfair fight in security. AI doesn't invent the imbalance. It pours fuel on it. 

You cannot win that fight by getting faster at the thing you were already losing at. 

 

AI defense is necessary. It is not sufficient. 

Let me be clear about something, because it's easy to read this as anti-AI. It isn't.

AI belongs in cybersecurity. It can triage alerts at a scale no human team can match. It can summarize incidents, surface patterns across noisy telemetry, accelerate investigations, and help write more secure code in the first place. Used well, it genuinely helps defenders move faster. Anyone telling you to keep AI out of your security program is handing your adversary a permanent advantage.

But AI doesn't remove the need for deterministic controls. It increases it. And to see why, you have to understand what makes these two kinds of security fundamentally different — not just in quality but in kind.

A probabilistic control answers the question "how likely is this to be bad?" It's trained on the past. It reasons by resemblance: this looks like something I've seen before, so I'll flag it. That's powerful, and it generalizes well — right up until it meets something genuinely novel. And AI-generated attacks are novel by design. They won't match yesterday's signatures. They may exploit a logic flaw no scanner was built to understand, abuse a perfectly legitimate process, quietly alter a configuration, add a user, weaken a policy, or modify a firewall rule. 

A deterministic control answers a completely different question: "is this exactly what it was before — yes or no?" It doesn't reason by resemblance. It doesn't need to have seen the attack before. It doesn't care whether the change is novel, clever, or unprecedented. It only knows the trusted state, and it knows the moment something deviates from it. 

That's the distinction that matters. When an attack is novel, a probabilistic model has to guess whether it's dangerous — and its accuracy falls precisely as the threat gets more unfamiliar. A deterministic control doesn't follow that same curve down. It doesn't need any prior knowledge of the technique to determine that a protected asset has deviated from its trusted state. It isn't a complete defense on its own — no single control is — but the one thing it does, it does regardless of how novel the attack is. 

So the useful question during an incident isn't "what does the model think happened?" It's "what changed?"

A probabilistic model says: "This looks suspicious." Integrity monitoring says: "This file changed at this time, on this system, and here is exactly what changed and by whom."

One is a guess with a confidence score attached. The other is a fact. In an AI-driven threat environment, you need both — but only one of them is ground truth, and the more unpredictable the attacks become, the more you'll find yourself reaching for the one that doesn't guess. 
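The yes-or-no comparison described above, as an added example (not code from the article or from CimTrak): it records SHA-256 hashes and permission bits for a sample directory, then reports every deviation from that record. The file names, contents and changes are constructed for the demonstration, and the sketch covers only what changed, not when or by whom.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Trusted-state record: relative path -> (SHA-256 hex, permission bits)."""
    root, state = Path(root), {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = stat.S_IMODE(path.stat().st_mode)
            state[path.relative_to(root).as_posix()] = (digest, mode)
    return state

def compare(baseline, current):
    """List every deviation from the baseline; no knowledge of technique needed."""
    findings = []
    for name in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings.append((name, "added"))
        elif new is None:
            findings.append((name, "removed"))
        else:
            if old[0] != new[0]:
                findings.append((name, "content changed"))
            if old[1] != new[1]:
                findings.append((name, f"mode {old[1]:o} -> {new[1]:o}"))
    return findings

def demo():
    """Constructed sample tree: baseline it, alter it, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "run.sh").write_text("#!/bin/sh\nexec service\n")
        (root / "run.sh").chmod(0o750)
        (root / "old.cfg").write_text("retired=1\n")
        baseline = snapshot(root)  # taken while the state is trusted
        clean = compare(baseline, snapshot(root))
        (root / "sshd_config").write_text("PermitRootLogin yes\n")  # constructed changes
        (root / "run.sh").chmod(0o777)
        (root / "cron.sh").write_text("#!/bin/sh\n")
        (root / "old.cfg").unlink()
        return clean, compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(*demo()[1], sep="\n")
```

The comparison is only as trustworthy as the baseline, so the baseline has to be kept where the monitored host cannot rewrite it; otherwise anyone with write access can update the record along with the file.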

 

The whack-a-mole model is failing

Most organizations are still playing whack-a-mole.

A vulnerability appears — hit it. A patch drops — apply it. A new exploit lands — block it. A new malware variant shows up — detect it. A new technique emerges — write a rule. A new AI tool gets buzz — buy another AI tool.

That isn't a strategy. It's exhaustion with a budget.

And now the moles are automated. This is the uncomfortable truth the industry keeps dancing around: you cannot out-patch an infinite vulnerability-discovery machine. You cannot out-alert an infinite attack-generation machine. You cannot out-guess an adversary that can generate, test, refine, and retry at machine speed, indefinitely, for almost no cost.

This is a game of whack-a-mole that you will never win.

So the defensive model has to change. Not be optimized. Change.

Teams can no longer rely solely on finding every weakness before attackers do — because the assumption underneath that strategy, that defenders can find things at roughly the same rate attackers can, no longer holds. They need controls that detect when the system has actually been altered from its intended state. That's the shift: from chasing every possible attack to protecting the integrity of the environment itself.

 

The better question

The core question is not "can we predict every attack?" We can't. We never could, and AI just made the pretending harder to sustain.

The better question is, "can we know when something critical changed?"

That one is answerable. And it's far more powerful than it first appears, because nearly every successful compromise eventually requires change. A binary changes. A script changes. A permission changes. A service changes. A registry key changes. A scheduled task changes. A cloud policy changes. A network device configuration changes.

An attacker may use AI to discover the path. They may use AI to write the exploit. They may use AI to evade every behavioral model you own. But to persist, to escalate, to move laterally, to weaken your defenses, or to accomplish anything that actually matters to them — they still have to alter something meaningful. The exploit is how they get in. The change is how they stay, spread, and win.

That's where integrity becomes foundational. The more unpredictable attacks become at the front door, the more valuable it is to monitor what should never change once they're inside.

[Figure: detection reliability model]

Real-time integrity monitoring answers the questions that actually reach the boardroom, the incident responder, and the regulator. What changed? When did it change? Who changed it? Was it authorized? What was the trusted state before? Can we compare before and after? Can we prove the system is still in an approved state — and restore it if it isn't?

Those aren't abstract questions. They're board-level questions, incident-response questions, regulatory questions, operational-resilience questions. And increasingly, they're AI-era questions, because they're the ones that decide whether you're actually in control of your environment or just hoping you are.

 

AI creates noise. Integrity creates clarity. 

Security teams are already drowning in alerts. AI may help reduce some of that noise — and it may also generate a great deal of new noise. More synthetic phishing. More automated reconnaissance. More exploit attempts. More false positives. More things that look suspicious but arrive without context.

Integrity monitoring cuts through it. It doesn't need to understand every possible exploit chain. It doesn't need to predict every attacker's decision. It doesn't need to invent a plausible explanation for what it's seeing. It simply asks whether a protected asset has deviated from its trusted state.

In a world built increasingly on probabilistic uncertainty, that kind of certainty becomes one of the most valuable things a defender can have.

 

The controls that age well

Here's a question worth sitting with: not every security control benefits equally from the arrival of capable AI. Some get more reliable. Some get less.

Controls that work by recognizing the past — signatures, known-bad patterns, historical similarity — become less reliable exactly as attacks become more novel, because novelty is the one thing they can't recognize. AI is a novelty engine. These controls don't stop being useful, but their best days are behind them, and the curve bends the wrong way.

Controls built on a trusted baseline age in the opposite direction. The more unpredictable attacks become, the more valuable it is to simply know what your environment is supposed to look like. A baseline doesn't care whether the change in front of it came from a human exploit developer, a criminal LLM, a jailbroken model, or a future frontier system. The baseline remains the baseline. The question remains the same: Did something change that should not have changed?

As attack generation becomes more automated, that question becomes more important, not less. Which is the whole reason a control like this is worth talking about right now.

 

Where CimTrak fits

This is the idea CimTrak was built on, and it predates the current moment by years: your critical systems should not change without your knowledge.

CimTrak establishes an authoritative baseline across the assets that matter — files, configurations, systems, users, policies, network devices, cloud settings — and then it watches. It detects change in real time. It shows exactly what changed. It helps determine whether that change was authorized. And where appropriate, it can restore systems back to a known-good state.

That's not just detection. It's integrity assurance. And in an AI-driven threat environment, integrity assurance is one of the few controls that doesn't depend on correctly guessing the attacker's next move. It doesn't need to recognize the technique. If the attack changes something critical, CimTrak sees it.

That's the entire point.

 

The bottom line

AI will change cybersecurity. It already has. Tools like Claude Mythos show us that vulnerability discovery and exploit development have crossed into a new era, and there's no crossing back.

The old model — chasing every vulnerability, every exploit, every patch, every new attacker technique — was already buckling. AI will finish the job. Even the federal response unveiled this week is built to make us faster at finding and patching, and we should be. But we cannot answer a problem created by probability at scale with nothing but more probability at scale.

The future of cybersecurity isn't AI versus AI. That framing is too small, and it leads to an arms race no defender can win. The real future is AI plus deterministic controls. AI for speed, scale, and analysis. Integrity for truth. Baselines for trust. Change detection for accountability. Rollback for resilience.

Because the teams that come out ahead won't be the ones with the flashiest AI story. They'll be the ones who can answer a single question quickly and confidently:

Did something change that should not have changed?

If the answer is yes, they'll know. If the change was unauthorized, they'll respond. If the system needs to be restored, they'll restore it.

When AI accelerates the attack, the defender needs more than another guess.

The defender needs to know…the defender needs certainty.

 

Post by Robert E. Johnson, III
June 4, 2026
Robert is the President/CEO and co-founder of Cimcor, Inc. and an industry leader in cybersecurity. Mr. Johnson has led the development of multiple commercial software packages and several patented and patent-pending technologies.

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real time.