Thoughts on AI and the future of AppSec

A lot is changing due to assistive AI and agentic workflows, clearly affecting the state of Cybersecurity and AppSec. Today it is a real effort to find a tool without AI enhancements, even if that is done just to keep it relevant. Would you buy a tool without an AI assistant today?

At the same time, AI innovation won't spark from any old-fashioned vendor still selling fossil-like software with AI sprinkles on top and good-looking marketing buzzwords. As with any type of innovation, AI needs sacrifices if it is to be done right. There are of course many companies, big and small, that are serious in the game: those that are consumers of LLM services, but not simple wrappers around them.

To put it differently, those who stay ahead of the curve will prevail, and that applies both to consumers of AI services and creators of AI services. The speed of change is so fast and relentless that this is a train no one wants to miss. We are already experiencing improved reasoning, simpler code generation, signal analysis (video, audio, image) and more, all done in a matter of seconds or minutes. Tasks that would have taken hours or days to complete just a couple of years ago now require a fraction of that time. It feels like cheating.

But the more we indulge in consuming AI, the more obvious its current limitations become. Whether it is an LLM, or an advanced AI ecosystem that can achieve deep research and advanced code generation, they all suffer from limitations. Hallucinations, an unexplainable urge to answer positively to any question, and unreasonably authoritative answers are common. One could argue that this resembles a teenager exploring the world and learning how to behave.

So what is it that we have learned so far? What does that mean for AppSec?

AI is here to stay and it's an exciting journey, but there is a long road ahead of us. There are limitations, for now. No AI can easily replace senior members of R&D, IT and Cybersecurity. At the same time, AI can already assist with simpler tasks, automations and decision making in less complex scenarios.

Where am I going with this? What is my one piece of advice?

Do your due thinking.

What are you trying to solve? What do you need to achieve it? Simply throwing a new technology at an issue cannot magically solve it. It is often the combination of personal involvement, culture, the correct choice of technology and tooling, communication and collaboration that works wonders. And that is exactly where you, as a human, really excel.