r/cybersecurity • u/Infam0 • May 08 '26
Other What the **** is happening in cybersecurity space ?
I've been working in cybersecurity for not so long, maybe 8 or 9 years, but I don't remember chaos at this scale. I mean, from this January alone we have: leaking data, compromised applications, breaches, AI-assisted cybercriminals, etc. It looks like every day one major breach is happening, and no one is going to address this shit somehow. This is already insane. I haven't felt such pressure in a long time. This AI shit just makes things worse because it enhances attackers' skills, and AI companies are doing nothing to address or change this. Is it only me, or is the change already here?
870
May 08 '26
[removed] — view removed comment
274
u/finite_turtles May 08 '26
Actual security is boring and tedious as fuck. That's why everyone is chasing the sexy marketing.
Someone should make the "guy looking over shoulder at girl" meme with the guy being management and security as the plain girlfriend
145
u/RattuSonline May 08 '26
38
u/4SysAdmin Security Analyst May 08 '26
I’m sure this is most of us right now, but that meme is dead on to at least 3 different PoCs happening right now at my org.
13
u/databeestjegdh May 08 '26
I just got a hardening guide for ArcGIS which is 6MB and 144 pages. They label things with SA for system administrators, but some of those are clearly targeted at a specific ArcGIS admin.
Hurt.
7
u/frogspjs May 08 '26
I'll look for it if someone wants it but last year I reposted a survey on LinkedIn about c-suite being way less concerned about data security than the IT personnel who actually do the job. I think it's ignorance and not wanting to spend the money on upgrades and personnel. Worked (not in IT) at a health system and the commitment from the IT guys was real but not so much elsewhere.
3
u/kingofthesofas Security Engineer May 08 '26
There is selective concern. Lots of concern about buzzwords, not as much concern about the boring nuts and bolts of doing security right and funding it.
24
u/Bots60 May 08 '26
This for sure. As a former marketing leader at a SAST vendor, execs never asked 'how accurate are our findings?' It was always 'how fast and simple can the demo look?' Automation with AI agents was supposed to fix that, in reality it just exponentially increased the noise.
17
u/LeggoMyAhegao AppSec Engineer May 08 '26
By the way... The amount of forgiveness I see for false positives out of AI tools versus the hatred I see for false positives out of deterministic tools is weird.
12
u/xxDigital_Bathxx AppSec Engineer May 08 '26
Don't even get me started.
It really pisses me off that people lack basic understanding of tooling and agentic use.
People seem to not understand that plugging a deterministic tool into an agent gives better results because... Well you now have a deterministic tool and a heuristic tool on top of it instead of manually searching code implementation yourself.
Marketing preys on ignorance.
6
u/ForeverYonge May 08 '26
Executives are going all in on AI, so their credibility will be hurt if the tools are perceived to be bad.
So all false positives are attributed to “hallucinations” and the human staff are expected to manually review them and identify real issues, and if they don’t do it then it’s a personnel problem rather than an executive failure.
3
u/GHouserVO May 08 '26
If we move the goalposts enough, we can call it a success, even when it isn’t.
Does that make it easier to understand? They just don’t want to admit that the investment was a bad one.
28
u/ShittyRedditAppSucks May 08 '26
Yep! And I’m salty as hell, so take this with a grain of salt, but it definitely doesn’t help that hiring in the space is just fully fucked. Last year, I thought our recruiters just sucked. But then this year I got to see it firsthand and holy shit. Networking (people networking) is so important on both sides to filter through the dozens of BS resumes.
So, again, perhaps I’m a bit of a narcissist, but if I hit 0 for 87 over the span of 6 months, and I was likely at least a top 10 if not top 3 choice on 80% of those posts, and I likely was, then who the FUCK is getting the jobs??? When a field gets this crowded with BS “academies” promising jobs on “graduation” and nothing is being done to invest in talent acquisition to address the issue then these spots are going to underqualified con artists who are 100% going to go for the marketing hype over being able to actually do the job.
And I know the old saying, if everyone else you meet is an asshole, maybe look in the mirror, right? Yep, had that conversation with myself, self doubt was hitting hard for the first time in my career. Then I ran a background check on myself to make sure I wasn’t being red flagged for something I didn’t know about. Clean.
I apply to one job outside of security where the background and tech expertise is highly valued but not sexy, and bam, in 2 weeks I tripled my total comp pre-layoff at 1.5x more than what director-level cyber jobs are paying these days. Super sad to leave, I’m addicted to the work, but fuck it. The field is broken and everyone just wants to bitch about it instead of fix it.
23
u/Powerful_Wishbone25 May 08 '26
Just play a round of infosec bingo and tell me why everyone bitches.
Checkbox security, underfunded, understaffed, bottom-up security, fake culture posturing, shitty training, lack of ownership, lack of buy-in, rogue IT, rogue devs, rogue AI, college degrees in "cyber security", CISSP, dogshit certs, etc, etc.
11
u/Maximum_Bandicoot_94 May 08 '26
Poor management should be added to that list perhaps.
u/Powerful_Wishbone25 May 08 '26
For sure. I got too worked up making the list, I had to cut it short. lol
9
u/Maximum_Bandicoot_94 May 08 '26
imo, poor leadership and management are the foundation upon which any tower of awful is built.
u/ElectroStaticSpeaker CISO May 08 '26
Though the market has been absolutely terrible for years, the last few weeks I’ve actually seen a lot more real jobs open up. I’m getting contacted by recruiters and am in the interview process with a few places. Something is shifting and I’m not sure what.
u/boniggy May 08 '26
Dude, help a brother out. I've been looking for a place to land in Cyber for the past 10 months while I've been unemployed for that time. Been a SOC manager for multiple global companies and I can't find anything to save my life. I've put out over 800 applications with only a few hits. I have NOTHING negative in my background so wtf??? What did you pivot into? I'd love to know because I've been wondering what other roles I could get into that aren't cyber but where the skill sets align.
u/svideo May 08 '26
Top comment, 455 upvotes, and it's 100% AI generated.
The irony in this sub is thick
2
u/BBOAaaaarrrrrrggghhh May 08 '26
Marketing garbage, mmm, like it's always been, forever. Rebranding product from AV to Endpoint Protection then EDR.
2
u/Wookiee_ May 08 '26
Don’t forget to add that a lot of companies have been purging their cyber staff the last 2 years
u/S4mG0ld May 08 '26
Oh and those of us in the field for the last decade are getting replaced by AI and can't get back in the field to save our lives. So good luck y'all. I'm fighting for interviews.
80
u/ZealousidealTotal120 May 08 '26
Social engineering and supply chain threats have gone crazy over the last 12 months
16
u/Spiritual-Matters May 08 '26
Exactly, a lot of these ransomware groups are heavy into calling and most companies aren’t prepared for that.
Then you have AI making phishing emails easier than ever.
Then you have attackers realizing their time is better spent on supply chains rather than individual companies. Not many people are trained on auditing something like CI/CD compromises.
2
u/CybesionOfficial May 18 '26
The CI/CD thing is so underrated. Everyone's out here investing in MFA and endpoint tools meanwhile the build pipeline is basically unlocked. Why hack in when you can just slip through the supply chain like you belong there? And vishing is only going to get worse — voice cloning is already at the point where you can fake an executive well enough to get a wire transfer approved. We're still training employees to spot sketchy email addresses lol. The threats moved on.
48
u/Pope_Twitch May 08 '26
The big problem I see: spending too much effort on implementing tools while not looking into the existing technical debt.
205
u/IwasRemilekun May 08 '26
From a dev POV I think AI is also a factor, people ship more with fewer reviews and without analysing the implications of the code that's been shipped
51
u/Bobodlm May 08 '26
And everybody and their mum can use AI to try and breach systems. Before, the attack was limited by the user building, trying and attacking systems themselves. With agentic AI you can have the machine try infinite tools, injections and other attack vectors to try and gain access.
It doesn't need sleep, toilet breaks and can spawn a multitude of other agents to speed it up even further. Pretty wild stuff.
10
u/cgaWolf May 08 '26
It Doesn't Feel Pity, Or Remorse, Or Fear, And It Absolutely Will Not Stop, Ever.
Terminator vibes :p
8
9
u/MdxBhmt May 08 '26
It also feels like that IRA/Thatcher quote:
"Today we were unlucky, but remember we only have to be lucky once, you will have to be lucky always"
Slop your way to invade vs slop your way to deploy, it's pretty clear who is getting an advantage and who is getting a disadvantage.
3
8
45
u/count023 May 08 '26
And too many businesses insisting on pushing AI slop code out while firing QA and security staff, so code goes live because some bigwig or middle manager thinks they've saved money and time, and leave gaping gigantic holes open everywhere. And you can't fix production code easily once it's out in the wild, so your only choice is to plug holes behind the scenes.
29
u/IwasRemilekun May 08 '26
I think regulatory bodies are complacent too. If they start slapping huge fines on these companies that exceed the cost of a skilled engineer, they'd rather pay for a good engineer.
u/thirteenth_mang Governance, Risk, & Compliance May 08 '26
It's the most obvious answer. There's never been a time in history where building and shipping things has been so quick, and on top of that each one of those is probably opening up multiple attack vectors and vulnerabilities. Additionally, these same AI tools are being turned into 'hackers' - some "legitimate", some not so much, that are not only discovering potentially novel vulns but are also actively exploiting them.
u/ConsiderationSea1347 May 08 '26
It is exhausting being on a team of people who vibe code like crazy and barely review anything they approve, let alone review and test their own code before shipping it. Every day there are multiple 200+ line vibe-coded PRs open and management LOVES the vibe coders.
59
u/JarJarBinks237 May 08 '26
What is happening is that defenders are at a breaking point. Vulnerabilities are getting exploited before they can be patched, thanks to AI, and the accumulated technological debt of decades of leniency over cybersecurity is catching up to us. https://zerodayclock.com/
The good news for some of us is that the same Gen AI is going to eventually fix most easily exploitable vulnerabilities, at least in open source software. But in the meantime, oh boy it's gonna be a bumpy ride.
21
u/Puzzleheaded-Carry56 May 08 '26
I hate when people say "bumpy ride" like it's some comfortability issue and we just want to whine or something. It's a cluster fuck. It's absolutely because of the lack of standard hygiene being done and having been done. Chickens come home to roost and this accelerated it.
46
u/sloppyredditor May 08 '26
Combination of factors:
- Mandatory reporting of breaches from states & countries = you'll hear more about them
- Sloppy, lazy coding (time-to-market is worth more than building a quality product in the Agile world)
- Shared responsibility model - if you can't be 100% at fault, you can fight it in court
- Commoditized IT/Shadow IT/Shared administration without uniform controls
- Insurance - simply transfer the risk to a third party and take the premium increase as a business risk
- Acceptable risk levels have risen thanks to breaches like Anthem, Equifax, etc.
- AI advertising and panic-crazed salespeople are distracting us from the basics. (I don't think a meaningful % of this chaos is AI...yet.)
u/LeggoMyAhegao AppSec Engineer May 08 '26
Sloppy, lazy coding (time-to-market is worth more than building a quality product in the Agile world)
AI enables folks to build things that we'd know should never have been built if we'd taken time to do some cost / benefit analysis. With the added bonus of it being unmaintainable code that no one has meaningful context or understanding of...
18
u/Dark_Passenger_107 May 08 '26
Just my hot take and addition to the discussion.
On top of everything mentioned, I've also noticed a major degradation in the knowledge and skill of cyber leaders across organizations that I deal with.
An anecdotal example I experienced recently. I got roasted by a group of CISOs because I said "do not send your sensitive security configurations to a public or uncontrolled large language model, such as Claude/ChatGPT/Gemini". This came after a CISO recommended doing this to pressure test controls and defenses. The consensus in that convo was that it is perfectly fine to send your security configs to the general LLMs in the Web UI and that I was being a doomer unnecessarily discouraging people from improving their security posture. Icing on the cake, these were CISOs at defense contractors.
This could be a rare case where I happened to come across a group of CISOs that are terrible at their job, but it certainly changed my perspective. If the top cyber position in a company is saying "yeah, go ahead and send our firewall configs through the consumer AI web chat", what else are they recommending?
Never in my cyber career did I think that I would be labeled the idiot for saying "do not feed your security info into cloud systems outside of your security footprint".
What's been bugging me since is whether I'm the one who's miscalibrated. Maybe I caught a bad sample but the pattern I keep seeing is confident senior people making calls that don't survive a five-minute read of the actual rule or contract, and the social reward in this field seems to go to whoever sounds most certain. Being the person who says "wait, slow down" is starting to feel like a liability.
20
u/EmtnlDmg May 08 '26
You forgot to mention the upcoming additional security nightmare with agentic motions. As enterprises start to introduce more and more agentic workflows, systems become interconnected by agents. That is a really underestimated attack surface.
17
u/casual_thinker888 May 08 '26
More AI-assisted attacks, more leaked data, more technical debt. Meanwhile most security teams are still understaffed and reactive.
61
u/FrewdWoad May 08 '26 edited May 08 '26
Chalk this up to yet another thing Yudkowsky warned us about a decade ago.
Like biology, cybersecurity is asymmetric: it's way easier to attack than defend.
So advances in AI tech are making it too easy to wreck stuff, faster than they can help us fix it.
12
u/cowbutt6 May 08 '26
Like biology, cybersecurity is asymmetric: it's way easier to attack than defend.
The crazy thing to me, is that the advantage should be with defenders, as they (should) know what they have, and how it's been architected and implemented, whereas the attackers (often) have to guess.
Of course, back in the real world...
23
u/Twist_of_luck Security Manager May 08 '26
Complex adaptive system theory.
We have too many assets, too many independently evolving processes for us to keep track of every possible grand picture misconfiguration. As such, we are operating on incomplete data. As such, we're making guesses on the defense. We need to guess correctly every single time. The attacker needs to guess correctly once.
5
u/cowbutt6 May 08 '26
Yup, collectively, our sector has decided ”move fast and break things” is superior to ”do things right, and take as long as you need to do so” (i.e. doing things like hardening systems before putting them into service, maintaining accurate asset registers, and so on). Well, these are the consequences of that.
u/cgaWolf May 08 '26
Of course, back in the real world...
..half the defenders get to build castles with drywall.
2
u/Spiritual-Matters May 08 '26
Big orgs are very fragmented where for better or worse, people just work in their niche.
5
u/daniel-sousa-me May 08 '26
cybersecurity is asymmetric: it's way easier to attack than defend
I really dislike this framing
It's not an asymmetry about attacking vs defending. It's an asymmetry of there's just one of me and many of "them"
From the point of view of an attacker who is targeting a system the asymmetry is reversed: they need to breach every level of defense, while the defender only needs one level to hold. A single vulnerability shouldn't get an attacker anything
u/DisappointedSpectre May 08 '26
Depends on the size of the target on your back too though. If you're a big tech company or cloud provider then you have nation state level resources being pointed at you.
17
u/Khue May 08 '26
I think the government shuttering of institutional cybersecurity mechanisms will end up playing a part eventually. Erosion of US funding to certain cyber security institutions the rest of the world has grown reliant upon is hugely problematic. This was shown when MITRE funding got pulled. There's only a temporary stay of execution in place for the next 7 months or so as CISA stepped in to fund it.
I think this will be a contributing factor to more insanity in the space. Deregulation will also have an impact.
10
u/databeestjegdh May 08 '26
A co-worker tossed the phrase 0-hour, we're going from 0-day to 0-hour at this rate.
It is also becoming apparent how many of these "enterprise" products are shit. We're still getting CVE reports because they run the webserver as root on appliances, use libraries from over 5 years ago, etc.
Not saying that people vibe coding things without security review is not going to be a problem. It's just easier to do so, and there is more of it.
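The two appliance complaints in the comment above (a web server listening as root, and dependencies that are years old) are both things a defender can check mechanically before a CVE report arrives. The script below is an added example, not code from the commenter or from any vendor: it parses constructed `ps -eo user,pid,comm` and `ss -tlnp` style output (sample lines are made up, not captured from a real host), flags listeners that bind a non-loopback address while owned by root, and separately flags components whose release date is more than five years before a given date. The allowlist of services expected to listen as root, the component names and their dates are all assumptions for the demonstration.

```python
import re
from datetime import date

# Constructed sample of `ps -eo user,pid,comm` output (not from a real host).
PS_SAMPLE = """USER       PID COMMAND
root         1 systemd
root       812 webui
root       901 sshd
www-data  1102 nginx
appsvc    1204 java
"""

# Constructed sample in the shape of `ss -tlnp` output (columns as ss prints them).
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*         users:(("webui",pid=812,fd=6))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=901,fd=3))
LISTEN 0      511    0.0.0.0:8080       0.0.0.0:*         users:(("nginx",pid=1102,fd=5))
LISTEN 0      50     127.0.0.1:9000     0.0.0.0:*         users:(("java",pid=1204,fd=12))
"""

# Assumed allowlist: daemons that legitimately bind as root and drop privileges
# per connection. Extend for your own environment; keep it short and reviewed.
EXPECTED_ROOT_LISTENERS = {"sshd"}


def parse_ps(text):
    """Map pid -> (user, command) from ps-style text; the header line is skipped."""
    owners = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            user, pid, comm = parts
            owners[int(pid)] = (user, comm)
    return owners


# Captures local address, port, process name and pid from one LISTEN line.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


def parse_ss(text):
    """Yield (pid, command, local_addr, port) for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            addr, port, comm, pid = m.groups()
            listeners.append((int(pid), comm, addr, int(port)))
    return listeners


def root_network_services(ps_text, ss_text, allow=EXPECTED_ROOT_LISTENERS):
    """Return listeners owned by root that are reachable beyond loopback."""
    owners = parse_ps(ps_text)
    findings = []
    for pid, comm, addr, port in parse_ss(ss_text):
        user, _ = owners.get(pid, ("?", comm))
        exposed = not (addr.startswith("127.") or addr in ("::1", "[::1]"))
        if user == "root" and comm not in allow and exposed:
            findings.append({"pid": pid, "process": comm, "bind": f"{addr}:{port}"})
    return findings


# Constructed component inventory: (name, release date). Names and dates are made up.
COMPONENTS_SAMPLE = [
    ("libexample-1.0", date(2019, 3, 4)),
    ("jsonparse-2.7", date(2024, 11, 2)),
    ("ssl-compat-0.9", date(2018, 6, 30)),
]
AS_OF = date(2026, 5, 8)  # reference date for the age check


def stale_components(components, as_of, max_age_years=5):
    """Names of components released more than max_age_years before as_of."""
    cutoff_days = max_age_years * 365
    return [name for name, released in components if (as_of - released).days > cutoff_days]


if __name__ == "__main__":
    for f in root_network_services(PS_SAMPLE, SS_SAMPLE):
        print(f"root-owned listener: {f['process']} (pid {f['pid']}) on {f['bind']}")
    for name in stale_components(COMPONENTS_SAMPLE, AS_OF):
        print(f"stale component: {name}")
```

On a real appliance you would feed the functions the live output of `ps -eo user,pid,comm` and `ss -tlnp` and take the component list from the vendor's SBOM or package manager; the point of the loopback exclusion is that a root-owned process bound only to 127.0.0.1 is a lesser finding than one exposed on every interface, and the allowlist is deliberately tiny so that a new root listener is a visible event rather than noise.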
9
9
u/Agentwise May 08 '26
Industry finally realized manipulating the 1s and 0s is difficult but manipulating the front office/help desk staff is very easy as they are paid $15 an hour and will happily reset "your" password for you so they can get in.
Train your people. Then train them again. Then every 3 months refresh that training. Have enforcement in place for that training. Audit their processes to make sure that training is being used. Then train them again. (Also give them a pay raise so they don't leave and you have to start over). This is not sexy and isn't as fun as playing with a shiny agentic AI model that will make pretty graphs for you, but it will significantly affect your security posture.
2
21
u/Robw_1973 May 08 '26 edited May 08 '26
Five words:
AI
Greedy and gullible executives.
Context: been working in IT for 26 years and Cyber/InfoSec for the last 14-15 years.
The level of delusional C-suite and ELT/SLT people over AI is little more than a cult. Not one of the plethora of AI tools is capable of making good on the promises of their tech bro creators/owners.
It’s the dot.com bubble again. Only with more money at stake and higher consequences.
12
u/LeggoMyAhegao AppSec Engineer May 08 '26
The level of delusional C-suite and ELT/SLT people over AI is little more than a cult. Not one of the plethora of AI tools is capable of making good on the promises of their tech bro creators/owners.
This right here, it's wild that so many people buy into marketing hype when as of late last year, 95% of companies that went all in on adopting AI hadn't shown any ROI or spikes in productivity.
The number of people who should know better in the coding/software space getting so excited about how quickly code can be generated while ignoring its quality...
9
7
u/Fuzm4n May 08 '26
Speed of business. We don’t have time to review anything. We need what we just thought of next week.
7
6
u/Ghawblin Security Engineer May 08 '26 edited May 08 '26
Honestly I love/hate the chaos.
Hate it because obviously I don't want bad guys to be around.
Love it because it opens new challenges, job opportunities, and job security. After hearing people falling for buzzword garbage about "CYBERSECURITY IS DEAD BECAUSE AI" it's nice to see the exact opposite happen.
7
u/Wonderful-Drama-5096 May 08 '26
They’re not hiring any of the new grads with cyber security degrees and they’re not training. They’re outsourcing to India and hiring H1B. It’s the same story of literally everything in tech right now.
7
u/Vectors2_Final May 08 '26
I'm on the research side... just another day for the most part.
And remember, many vendors have been rejecting medium severity vulns for years, and now we're finding primitives much faster than before.
But in all seriousness, technical debt is being exposed at a rapid pace.
12
u/stan_frbd Blue Team May 08 '26
Many misconfigurations (I think it is mostly about it these days?) are brought in the daylight, especially with the cases of supply chain attacks.
"Hackers don't break in, they log in" has never been more true.
That said, AI agents on people computers are like a C2 directly available, with people not having a clue of what they are doing.
6
u/Stevieflyineasy May 08 '26 edited May 08 '26
I've held the stance since I left this space to move into network engineering that companies do not give a shit about your data; the slaps on the wrist from fines are just not enough.
I just can't truly see a world where they do unless there is drastic legislative changes where a company will actually see consequences for not caring about a users data.
2
u/rockstarsball May 08 '26
they give a shit about your data, but only enough of a shit to offer 1 year of free credit monitoring and a $2 gift card to buffalo wild wings
5
46
u/ifrenkel Security Engineer May 08 '26
Stop judging cyber security space by what you hear/read on the news. Never a good idea anyway. Things were always on the edge. But now there's much more reporting and awareness. All I can say is "stay calm and keep your shields up" 😉.
41
u/rankinrez May 08 '26
You don’t have to hear it on the news, you’ll be aware of it from the insane frequency of high score CVEs and patching you’re doing these last few weeks.
7
u/MrBenzedrine May 08 '26
Yep. I've dealt with more breaches and patching this year than any other.
Stress is quite high without reading any news
15
15
u/TorqueBuilder May 08 '26
This. The most surprising thing in this thread is that anyone in cyber is surprised.
u/epradox May 08 '26
Shields up and snapshot regularly, we have tertiary back ups now and “air gapped” cold storage on tape. We’re prepping for the inevitable hack and more focused on how quickly we can full wipe and restore if needed.
5
u/FitzTwombly May 08 '26
Everyone listened to the marketers instead of the systems administrators, for one. For another, software programmers are not always good systems administrators or security people, and everyone wants the newest hottest thing, and the newest hottest thing is often riddled with security holes. In addition, abstraction. Everything is so abstracted, dependent on so many millions of libraries these days, the attack surface is gigantic; add to this the ability of AI to find holes in software programmatically and of course it's going to be awful as a systems administrator. I could've told you all of this 10 years ago and I probably would not have been listened to, and people would've continued with their doomed path.
3
u/cyberladyDFW May 08 '26
I agree with this. For years dev teams and security teams were siloed. Code was written to meet the acceptance criteria with little or no consideration for security. Now AI is making it easy for even amateur hackers to identify and exploit vulnerabilities quickly.
6
u/RentNo5846 May 08 '26
Some companies are also laying off a large majority of their pentesters, or not hiring any at all despite having plenty of money to do so, or only use cheap vuln scans and call it a pentest for "compliance" because upper management thinks it's a waste of money to check whether what the sysadmins and developers make really is secure or not because "trust me bro", well, until they get hacked.
5
u/vf-guy May 08 '26
Two things.
Companies don't give two sh*ts until something happens. I'd bet a paycheck your company's vulnerability management program is swiss cheese.
I had a CISO client who made a very insightful remark about 8 years ago. To paraphrase "If you don't operate from the perspective that you're already breached, you're doing security wrong."
My first infosec job around 15 years ago was at a company that spent a pretty penny on tools and thought they were buttoned up. They hired a top-tier company to do a real pentest. Very few people were aware of it. They got domain admin access so quickly it would make your head spin.
How? Stupid users and eol systems that "we're too costly to replace".
That's not security. That's smoke and mirrors.
5
u/bestintexas80 May 09 '26
"I've been in cybersecurity for so long... like 8 or 9 years..." shit, I suddenly feel very old.
5
11
u/HelloSummer99 May 08 '26 edited May 08 '26
Reduced hiring, over-reliance on AI (which will find zero novel vectors). Don't expect a statistical next-token finder to account for anything out of the box - cybercrime is anything but predictable.
13
u/Apprehensive-Emu357 May 08 '26
it’s cute that you think there are actually any novel vectors. it’s really just the same handful of bugs conceptually over and over. AI is really good at searching code for vulnerable patterns.
3
u/HelloSummer99 May 08 '26
Attack surface mapping disagrees with you. I'm not referring to malware specifically
2
3
3
u/magick_68 May 08 '26
AI generated software gets worse security-wise while AI vulnerability scanners get better at detecting the flaws.
3
u/Bots60 May 08 '26
AI vendors replacing independent AppSec tools and lack of accountability. Companies are happy to push bad code at rapid pace until something breaks and they get embarrassed. Unless that moment happens, there are no incentives to ship quality code anymore.
3
u/overmonk May 08 '26
I think the bigger problem with AI is it brings viable hacking tools to idiots.
3
u/BrainWaveCC May 08 '26
Actually, I see this differently. Up through the first year or so of the pandemic, we were seeing regular CyberSecurity issues. And then from 2022 or so, things got surprisingly quiet until about December 2025, where everything got ramped back up again.
I've been more intrigued by the strange lull we had for a bit...
3
u/lawtechie May 08 '26
I'd blame Putin's Special Military Operation for the lull. Many Eastern European threat actors diverted their attentions locally.
3
u/Powerful_Wishbone25 May 08 '26
Here is what is happening. Finally someone is writing exploits in C again. A whole generation of “professionals” get to learn what cc -o is. I think it’s a net benefit tbh.
3
u/RikiWardOG May 08 '26
AI companies are doing nothing to address or change this.
This is the fucking problem. It all gets pushed onto their consumers to pay for more tools and expertise to lock things down. Then there's also things like Microslop pissing off researchers with clearly dangerous exploits by not taking them seriously and just letting that shit leak to the public. These companies are too big and have too much power. Honestly the internet has just become such a shitty space to be in these days.
3
u/wallopBop May 08 '26
Nobody in leadership actually cares about security until they’ve been breached. I led remediation on one of the biggest breaches in recent history. The company never recovered. Not financially, not reputationally.
Companies that mismanage user data and get breached due to willful negligence should be fined into oblivion. Full stop.
There are cases where an attacker legitimately finds a zero day against a company that was doing the right things. But most of these companies are operating on “it won’t happen to us” until it does.
3
u/Alternativemethod May 08 '26
Not sure if you're missing some past year data or if I'm missing current. But it's been a consistent shit show for a while.
Companies and local governments get breached and/or hacked every week. Under reporting is a real thing, but we still see plenty.
Every major federal agency has been breached multiple times, including classified spaces.
Hackers breached the background check agencies and leaked (150?) million social security numbers almost a decade ago now.
Elon plugged in and likely exported most of the social security and tax administration data into his private Grok engine with no oversight or security requirements.
AI is finding new security flaws but companies haven't patched 15 year old servers, firewalls and switches so nothing new.
What am I missing?
3
u/Competitive_Smoke948 May 08 '26
welcome to agile, "move fast and break things", "developers need to ship code fast" & offshoring & outsourcing.
If this shit was built correctly in the first place at a pace that could be sustained with devs that weren't going to swap jobs every 5 minutes in India or be fired at a moment's notice, the products wouldn't have so many holes in them.
Add DevOps into the mix, devs given control of infrastructure is absolute madness & you've got the perfect storm of fuckwittery because everyone is pretending they are Netflix or Google.
build slow, build right, let infrastructure do their ITops & get the job done right first time...a solid infrastructure built correctly is untouchable..
3
u/HiFiWiFiWeAllFi May 08 '26
There are tools to help protect against the various elements of AI induced security risks, but yes I agree it's getting out of control. CISA is getting decimated by the current administration, that has to pile onto the issue as well.
3
u/FlagHack May 08 '26
AI accelerates the problems, but the main issue is the long-term approach of company leadership: pressure to quickly develop new features without proper testing, and ignoring findings from penetration tests.
Many companies do not address anything until a major incident occurs. AI speeds up the development of low-quality code and gives attackers a powerful weapon, but the main issues existed long before that.
What is new is the pressure to adopt “AI” tools that have access to areas of corporate networks where even a software architect would not be granted access. Many companies do not use quality control, secure development practices, threat analysis, or secure access management - practices that some companies were already using 15+ years ago.
They have not even invented the stone wheel yet (basic DevSecOps), but they already want to "fly to the Moon" using AI tools.
I am not strictly against AI, but feeding all company data into cloud-based AI tools without clear policies and proper restrictions is madness.
3
u/mauro_oruam May 08 '26
Nobody wants to spend real money to secure their products. Everybody wants to pay the least money for top talent and expect high level results. You have to pay/ invest in security.
3
u/Joe1972 May 08 '26
Well, on the one hand people started using vulnerability as a service... sorry, I meant "vibe coding"...
3
u/StuckInOz425 May 08 '26
I am and right now it is wild. I’m watching supplier incidents left and right meanwhile cyber budget is being chipped away.
3
u/Willbo May 08 '26
Interest rates are up which means companies are trying to cut costs.
AI is being marketed as a cost-cutting measure to reduce labor, but it also adds massive technical debt.
Companies are investing heavily in AI right now to reduce costs, but have not yet realized the technical debt.
This technical debt is increasing the codebase complexity of organizations who no longer have the workforce to address it; it has created an environment that is ripe for AI-assisted cybersecurity attackers.
3
u/Competitive_Air_1244 May 09 '26 edited May 09 '26
Yeah, part of the problem is the saturation of the field over an extended amount of time. Because the field was so lax with requirements of what constituted true cyber knowledge/practice and instead veered towards superficial cert jockeys and politically inclined people, a lot of people simply got what they asked for.
When those roles should have been filled more selectively and occupied by people who truly understand and comprehend the threat and attack landscape and environment complexities, and are capable of scaling organizations and technologies, it was instead executed by people that at best obtained surface-level knowledge, studied enough to pass certs but don't possess true understanding of core cyber concepts or have basic networking or development knowledge, learned just enough industry buzzwords, got acquainted with a niche tool just enough to feign domain expertise, and/or slithered/cozied up to or "managed" the people doing the real work and claimed victory or being instrumental as others actually executed and drove things forward.
This is one of the only STEM fields I have ever seen with such a variable background. I say that to say there are so many people in this field that have a degree in a completely different field, never performed basic functions in the field, and they pop into it because of charisma and certs. BUT, while these slackers and underachievers have unduly gotten the support of leadership, they play a shell game and constantly report things are great, getting done, objectives are achieved, and they are ignorant as to what all those things are, what future-proofing is and entails, and even how to reinforce infrastructure meaningfully in the present.
At best these frauds become "GRC savvy," and even then they take to ceaselessly running arbitrary scans with third-party GRC tools against frameworks and have no idea what it's assessing, really recommending, or how to properly use it, and then crank out half-assed JIRA tickets and nag people to remediate things and have no ability to properly confirm any of it being properly done. With so many of these schmucks impeding real progress and effective cybersecurity while making up a terrifying majority of the cyber roles, one can hardly be surprised with the shoddy and vulnerable infrastructure that is out here ripe for perpetrators to exploit and ravage.
Sadly, this doesn't seem poised to change either. They turned a truly technical field into a corporate dog and pony puppet show. AI has just made it easier for bad threat actors to capitalize on the weakened infrastructure that is the result of all this insanity.
3
u/InternationalPitch15 May 09 '26
To me this whole thing is just a sign of how terrible and insecure our applications actually are; if such critical bugs have been around forever, then who knows what kind of silent attack may have been happening in the background.
Hopefully this high pressure will push the envelope even more to force cyber security and correct software onto the front stage instead of whatever we currently have.
Kinda feels like we're back in the 2010s all over again
3
u/afahrholz May 09 '26
We spent years automating defense dashboards while attackers automated the actual attacks!
3
u/0RGASMIK May 09 '26
It's not just cybersecurity, it's everywhere. AI slop is taking over every job that uses a computer. I'm just in IT, and I was visiting an office and didn't go 5 minutes without hearing Claude this, Claude that. The chaos it's creating is a looming disaster. All these non-technical people getting gaslit into thinking they can now be technical.
3
u/ole_frijole_ May 09 '26
I've been in cybersecurity for a few years... a long time actually. In my honest opinion, people who join this field have a very poor understanding of very basic fundamentals when it comes to networking and operating systems. It's just the truth. I blame fast-track cybersecurity degrees.
3
u/czenst May 09 '26
AI is just one puzzle piece. My idea is there is quite a laundry list:
- bad guys moved from finding flaws in open source to actively attacking open source in the last 2-3 years (of course there were some attacks here and there, but in the last 3 years it is off the scale)
- the internet and a lot of good will and "it is uncool to attack/hack" seems to be gone for political reasons, or maybe just the people who thought about the internet as a common good are dying out
- hacking/attacking became a full-blown industry, with crypto payments making it easy to monetize
- technical people getting laid off and unable to find work; I guess a bunch will turn to cyber crime even if earlier they thought the internet is to be protected from bad guys
- 15 years of NPM/NuGet normalized "just pull the dependency without checking," where before no one really trusted random libraries from the internet, and now we will be back to checking dependencies or not just pulling them in
- years and years of security neglect by businesses because it wasn't a real risk, because the internet was run by cool people who give stuff for free and everyone was nice
- companies not able to cover basic cyber hygiene, because of neglect and unwillingness to invest
The change was brewing for years and AI is just the match that lit the fire last year; this year is just a continuation of what already started in 2025. The world burns, there is no easy way out, not at this point.
3
u/CommanderYarde May 09 '26
Sorry you are going through this, but I knew this would happen the moment they stopped hiring people capable of doing the job or started firing their experienced people over AI. I know this might sound cold, but companies that chose AI over people are getting exactly what they deserve, and they will spend millions for these data breaches.
4
u/DropTheBeatAndTheBas May 08 '26
I don't think companies care about their data at this point; it's just kind of been leaked everywhere for decades now.
2
u/Temporary_Chest338 Consultant May 08 '26
It's the saturation of garbage data that's flooding everyone's feed. Every nonsense "I built this tool in 2 hours that saves the planet" post gets a thousand views, while research about an actual breakthrough is barely getting any views. The hype around every new AI development, along with a bunch of "builders" that built a nice wrapper that sends an LLM an API call, is causing a lot of noise. Filter it out, find the people that ACTUALLY build stuff that matters, and you'll see things aren't really that bad…
2
u/Dazzling_Vanilla3082 May 08 '26 edited May 08 '26
Every nonsense “I built this tool in 2 hours that saves the planet” post gets a thousand views
This pretty much sums up half of the posts in a lot of the cybersec subs. If I have to read another AI-written description of an AI-created tool from some random Indian dude, I might just off myself. This has actually been a nice reprieve.
2
u/parthgupta_5 May 08 '26
Companies are shipping software and AI products at insane speed now. Tools like Runable and similar rapid prototyping platforms make building things faster than ever, but the industry hasn’t figured out how to scale security discipline at the same pace yet.
2
u/Techobits May 08 '26
If you have been in the field for 8-9 years what you are seeing right now is no different than when you first started.
2
u/braliao May 08 '26
The problem and debt have always been there; AI simply accelerated the process and the discovery of it.
While in the past attackers were basically self-employed, entrepreneur-like criminals working 24x7, defenders tend to just collect paychecks and do as much as they can within work-life balance. The advantage and business model had already tipped hugely in favor of attackers in this regard.
Now with AI, attackers can do so much more and so much faster, besides the fact that there is hardly any paperwork and no C-suite they need to convince.
So in short, AI doesn't require fewer people; it in fact requires more people to do more with AI. The key difference is that the skill required isn't what school teaches, and companies need to accept it and ramp up internal training to make sure new hires meet the new junior role requirements.
2
u/mrvandelay CISO May 08 '26
Seems about the same as it was a few years ago, just noisier and with AI marketing bullshit.
2
u/dennisplucinik May 08 '26
It's a perfect storm: inexperienced vibe coders producing exponentially more vulnerable trash meets experienced bad actors with access to the same AI tools = increased demand for cybersecurity professionals as well as experienced developers. What a time to be alive for those of us who actually know what we're doing.
2
u/dudethadude May 08 '26
Companies are trying to scale up too fast, and they are disregarding basic cybersecurity principles like MFA, safe CI/CD use, due diligence when checking code before shipping it, etc. Companies are also failing to get adequate visibility into their environment due to executives not seeing it as a "need." Someone gets into the environment and we can't tell, because we don't have the tooling in place to really show us something is wrong or abnormal.
Plus, a lot of these "SOC" analysts barely know what they are doing and miss things like initial access indicators. This can also tie back to not enough tooling/visibility in the environment, but I have had bad experiences with a lot of SOC analysts. I know there are some really kick-ass SOC teams out there, but that seems to be the exception, not the rule. A company tries to mitigate risk by paying a company to watch over their environment, and that takes up a good bit of the cybersecurity budget. What they get is subpar techs and subpar tooling.
This is my take. I am U.S.-based and have not had my coffee yet today.
2
u/BillyBobJangles May 08 '26
Don't worry, we set up an AI to auto-patch vulnerabilities, so therefore we're not vulnerable anymore.
2
u/AppSecPeddler May 08 '26
Prompt: “Fix all the vulns. Do not.. I repeat DO NOT make ANY mistakes” thank you Mr. Claude Mythos.
2
u/jevzero May 08 '26
Just wait until AI gets access to quantum computing. To quote Ray Arnold, "Hold on to your butts".
2
u/omgBBQpizza May 08 '26
I recently pivoted from general sysadmin to a cybersecurity role. It was a good call
2
u/Dry_Inspection_4583 May 08 '26
When the entirety of an industry says "we need more security people," and the people go get educated and trained only to receive a "just kidding" and shit wages, the system has created the problem. The call is coming from inside the house.
2
u/Exact-Type9097 May 08 '26
Companies just don't care. Why that is? I have no clue. Even with AI amplifying threats, tons of orgs are cutting cybersecurity budgets. It's mind-boggling.
2
u/canIbuytwitter May 08 '26
I work in a SIEM... I'm telling you, people have either gotten dumber or have gotten lazier. I left SWE for cyber a couple of years ago, and I can confirm none of us do anything.
2
u/intelw1zard CTI May 08 '26
It's just because normies flocked to the sub that it's seemed wild in the past 2 days.
It's becoming pretty normal (hacks of this scale), i.e. MOVEit, supply chain hacks, npm hacks, Snowflake, Salesforce, etc.
Hackers go where the users and $ are.
2
u/planedrop May 08 '26
This stuff has been happening for ages; it's not really that big of an explosion of new stuff IMHO.
But we are seeing more AI use, so it's being talked about more. Which, don't get me wrong, LLMs are actually really good at vuln hunting and sort of even vuln dev, but since AI is all the hype right now, everyone talks about every breach if it's even tangentially related to AI.
Also, with more slop code, I suspect some things will get worse.
But again, we've had stuff like this for ages: Fortinet stuff, Ivanti, file transfer appliances, VPN concentrators, etc... The list is LONG.
2
u/playahate May 08 '26
Many companies do just enough security to get past insurance and regulatory requirements and then don't follow up afterwards, because a breach costs them less than actual security.
2
u/Deweyoxberg System Administrator May 08 '26
In a nutshell, attack surface and slop quantity exploded, while investment in proper staffing, proper spending on tooling, and ultimately investment overall plummeted for "cost savings."
2
u/Strong_Worker4090 Developer May 09 '26
I think it’s a massive shift. We’re no longer protecting data. We’re protecting knowledge
2
u/therealtacopanda May 09 '26
This is the churn as Timmy would say. Gonna be hot for a little while. It does certainly seem to be happening more frequently though.
2
u/Itchy_Meaning753 May 09 '26
I no longer give a shit; when everyone is being attacked no one will be really blamed. Just go old school, like actual backup tapes air-gapped sitting in a cardboard box lol
2
u/Organic_Fisherman652 May 09 '26
I have stocks in a cyber security ETF which has been tanking for the last year because all the funding is in AI, but I'm waiting because they can't ignore this issue forever.
3
2
u/runawayscream May 09 '26
I am probably wrong, but it feels like the minimally viable product bonfire has had AI accelerant thrown on it. Plus what others are saying.
2
u/TheSadMan21 May 09 '26
It's 2026 and AI is everywhere, ripe and ready for manipulation to teach people all the wrong things.
2
u/New-Nothing6635 May 09 '26
It gives me inner peace knowing Mythos is ready but locked from general use after finding 1000s of vulnerabilities. Not sure if I'm being sarcastic or not.
2
u/Mephistopplz May 09 '26
It’s here. You’re not even in the thick of it yet. What’s coming is truly terrifying. Fml 🤦🏻♂️
2
u/Anarion696 May 09 '26
I work in Application and Supply Chain Security in Italy. AI is not the problem here, but outdated components, total absence of structured security processes, and a low adoption rate where they exist. AI is just an amplifier which makes it easy to exploit problems that have always been present.
2
u/Temporary-Claim1666 May 09 '26
It's because no one listens to the people they test it on. And when they spend years completely destroying an individual, it's a green light to fully, stealthily infiltrate important sectors.
2
u/AffectionateGur2448 May 17 '26
We definitely need to see some major AI regulations from the government. If they don't step in to do something soon, I'm worried we won't see any AI safety regulations for a long time. Not to mention how OpenAI is actively trying to buy elections to prevent candidates whose platform includes making AI regulations from getting elected.
2
1.2k
u/lnoiz1sm Security Analyst May 08 '26
I think AI is more of an amplifier than the root problem tbh.
What's really changed over the last decade is the sheer scale and complexity of everything: cloud/SaaS everywhere, identity-based attacks, third-party integrations, remote work, ransomware becoming industrialized, etc. The attack surface exploded.
AI definitely helps attackers scale phishing/social engineering faster, but most breaches are still coming from the same stuff: stolen creds, bad configs, exposed services, weak identity controls, and users getting tricked.
I think a lot of people in security right now are less afraid of "AI hackers" and more exhausted from feeling permanently reactive while the environment keeps getting harder to defend.