The Future of Hacking is Context

aware of how big of a claim that is. The reason I'm able to make this prediction is I'm not stupid enough to claim to know how it's going to happen, or exactly when or with what companies or like what technologies exactly it's going to manifest as. That would be ridiculous because the stuff is basically unpredictable. What I'm going to show you is a direction. And I think once you see it, you will be unable to unsee it. And by the way, this video is going to be

around 30 minutes. But the whole first 25 minutes is leading up to the last five. The last five is the good stuff. All right. So quick intro for people who don't know me. I've been in security since like 1999 and I went heavy into AI in late 2022, still doing tons of security stuff just with this AI wrapper around it. And you're going to see why here

in a second. And I would say most of my technical background, I mean, I've done lots of different stuff, but it kind of boils down to a container of security assessment that's like the main outline. So first going to show you how I kind of walked into this idea. So when I start to do a security assessment this goes back, you know, 15, 20 years, uh, doing security assessments.

I like to start at the very top. When I talk to a company, I like to interview the CEO if I'm able to, if it's a, you know, medium sized company or below. And I talked to CEO, I talked to the CEO, I talked to the head of legal, I talked to like, as many people at the top, and I'm sort of asking them the same questions. And then I move down through the structure. I talked to all the VP's and senior VP's and CISO and the

rest of the C-suite and everybody. And then I start moving through all the management, and I'm asking kind of similar questions, but I'm also asking different questions because now I'm playing off the answers I got before. And I just moved through the whole structure all the way down

to the people who do the actual work. And then as I keep gathering more and more information, I start filling in these elaborate diagrams that describe to me exactly how this company works, like here's how the information flows. Here's where the data is stored. Oh, we got vendors over here. They're able to touch this data or whatever. And ultimately I'm trying to figure out like what they're protecting, how they're doing it, what day to day business looks like.

After a couple of weeks of this, I then start doing my technical assessment to find vulnerabilities. So I'm also reviewing their previous technical assessments, but I'm really doing my own as well to go and probe in these various different areas and point my, uh, observations at things that I've seen in the interviews. But the underlying theme here is I'm taking all the context, not just of the vulnerabilities and the technical aspects like of the IT stack,

but of the business itself. Right. All of that. I'm gathering into one place, and that's kind of how I view and how I start security assessments. The other teams are still managing GRC with spreadsheets, screenshots and manual processes, but with everything evolving compliance frameworks, third party risk, customer expectations, this is no longer good enough. And the problem isn't just that it's time consuming. It can actually hold you

back slow. Audits miss risks and give you less time to focus on what actually matters, which is improving your security. Trust management platform is designed to help with that. It automates the core parts of your GRC program, things like compliance, readiness, vendor risk, and internal controls so you're not buried in manual work. According to IDC teams, using Vanta 129% more productive in their GRC work. That means faster prep, fewer surprises,

and more time for real security work. It's not about making compliance easy for the sake of it. It's about getting the friction out of the way so you can move faster, do better work, and build trust more efficiently. And if you're thinking about how to approach AI risk than to put together a free AI security assessment, it's a structured way to evaluate risk across AI use, development and governance. You can get the assessment at. That's. And

thanks to Vanta for sponsoring this video. So in a completely separate thread of consumer tech, in 2013, I started getting a picture of where I thought all this AI tech was going, like on the consumer side, which at the time I called IoT and I was actually talking about this with my friend Jason Haddox in like 2013, which I was reminded of this because I just read the foreword and I was thanking him for encouraging me to write this book in 2013. But, um, these ideas

are pretty decent. The book is actually crap, so you don't need to read that. In fact, I have it published online, um, as a blog post. It's very short. You should go read it there. It's actually not half bad. Plus you could use AI to help you read it. Plus it's got way better typography. So I would say skip the book and just go read the blog. but the basic ideas are quite good, even though the book

is not so great. Um, so the basic idea is you have digital assistants that know everything about you and they advocate for you, and then everything gets an API, including people and objects and businesses and everything. This is like the second piece of this, and it's really, really important. And your digital assistant, your Da, basically uses all those services to interact with those APIs on your behalf. Then your Da will use augmented reality to show you context

for wherever and whatever you're doing, right. So you're wearing glasses or lenses or whatever. Neuralink, whatever. It doesn't matter. It'll start with glasses, obviously. And basically your Da knows everything about you, knows your entire personality, it knows your entire history or whatever. So it knows when you're scared. It knows when you're skeptical. It knows when you're hungry. It knows, you know when you're curious. And it's using these millions of services that are available at APIs to

get data back for you and change the screen. Okay. Sometimes it's a security screen, sometimes it's like a social screen because you're trying to find, you know, your life partner or whatever. So it's constantly changing what you're looking at to help you. Maybe it's popping up little notes or little reminders or whatever. Right? A security overlay if

you're in danger or something. So that's the third piece, which is augmented reality, displaying the information from all these APIs from your from your Da, who is like the one handling all of this and advocating for you. And finally, the last idea is that when you have like an entire family or an entire city or an entire country with all these demons, all these APIs available, that produces tons of context that a top level AI could look at and say, okay, how can I manage this city better?

How can I manage its resources? How can I turn on these lights and turn these off and reflow this traffic? And you know, how can I optimize? How can I help this city achieve its goals based on all the context that I know about it, from all this context, from all these APIs and demons? So that was fun. That was a cool book. That was some cool ideas. Then in 2018, I got a job at Apple doing information security stuff, but the team I came in on was with Joel Parish and we actually built, um, well,

he was already doing machine learning, right? He was part of the machine learning team within security. So, um, I wanted to study up and just get really good at this stuff. Excuse me. And my math was really bad, so I had to refresh my horrible math, and I went and did Andrew Ng's entire machine learning course. And, um, over the course of my time there, I got exposed to tons of ML stuff and practical uses of ML like before the current AI stuff, and it was really helpful.

I ended up building a product there which is still used today, so I'm happy about that. In early 21, I left Apple to go build the Appsec and build management teams at Robinhood with Caleb Sima. And there I did a blackhat talk about building vulnerability management programs based on company context and specifically around asset management. And that turned out to be another brick in this path that I'm laying out here. After doing that, I decided it was time for me to go build things on my

own and do like my own consulting. So I went independent with unsupervised learning in like August of 22. And it turns out that was just a few months before ChatGPT came out. And obviously I went absolutely apeshit. When that came out, I called everyone, I called Jason, I called Clint, I called Caleb, I called my mom, I called my dog. I don't have a dog. But yeah, I called everyone. And the first place that my head went with all of this was like security assessment and

building and managing security programs. So I started doing that immediately. Basically, I took everything I was doing previously with all this context, right, that I've been doing, like, you know, a decade and a half or whatever. And I'm like, okay, how can I use AI to, you know, make this even better? And, you know, you know, put the context first. So in March of 23, I wrote this post called Sspca, which

basically says everything is about state policy questions and actions. Basically, we have current context for a company or a program or whatever. Then you have the policy, which is what you're trying to accomplish. Then you have the questions you're constantly wanting to ask and have answers to, and then you have actions or you know, that we could take or that I could take against that context. So I feel like I'm starting to zero in on this concept

and this got decent traction. But I wanted to like have a demo or something for it. So I did another blackhat talk, I think maybe the following year or maybe, yeah, it must have been the following year, uh, to put together a demo for this. So I put together a fake company called alma, and I put in tons of context for this thing. I basically made a copy of one of my security assessments the way that I do it. Um, but I did it for a fake company with a

whole bunch of fake data. So I've got company mission, I've got their goals, how they're different from their competitors, what they do in business. I got the risk register. I've got their full tech stack. I've got their security team and their members. Like the skill sets of the team members. Um, the list of applications, the full IT stack, every app that they use, um, all their documentation. I've

got some fake, like, slack conversations in there. Um, what repositories they use, what dev teams they belong to, how they push code, all that stuff. It's all in here. So then I can ask questions the same way that I do in security assessments. And using this, you can actually manage the entire security program using this context that you have because you could do planning from here, you could do threat modeling, you could do your communications. You

can produce your reports. Like I'm doing this for a customer. I could produce a report like a quarterly update security report in 30s, which used to take them months and like hundreds upon hundreds of hours of some of their best people actually trying to make this report, just to be able to prove to the rest of the organization that they're actually effective. So turn that to a couple

of minutes. Right. The other cool thing is you can respond to security questionnaires, because if you have a static database of answers, you they always ask the question differently. And it doesn't perfectly match when that you have. Right. But if you have this kind of system with context, it can answer it perfectly every time. So this is an example of like a CISO making a statement about no more connections are allowed to a particular sensitive resource.

And we're asking the question to the AI system, this is a real AI system, right? And this is back in 23 that I did this. So it's a real AI system. I'm asking the question, should Julie be allowed to connect to this thing. And it says no, she shouldn't because the CISO just said nobody should be allowed to connect to this thing anymore. Right. So you could

do really cool stuff when you have context. So throughout 23 and 24 and into this year, I've been building more and more stuff around this theme of context and AI. So later in 23, I built this thing called threshold. So it takes a whole bunch of sources and I have context of what I enjoy. Right? The kind of content that I think is high quality, lots of good ideas, lots of density in the ideas, lots of novelty in the ideas. So I give it tons of context and

that becomes the filter for the quality level. And then I can slide this bar to say, I only want to see things from these 3000 different sources that exceed at least this quality level. Right. So that's threshold. I'm currently about to launch another enterprise product called Same Page. It's basically a whole bunch of management like this around

different stuff security management for programs especially. Another thing I've had for like nine years that didn't have any AI whatsoever until, you know, a couple years ago was my attack surface monitoring service called Helios. And I'm in the middle of rewriting this entire thing to be like what we're about to talk about. And once again, this is all about using the context. That's a central part of the rewrite. And the last one I'll mention is like

a daily brief for intelligence. So I basically go find all my Osint people, all my national security people that I know have high signal, you know, high alpha in what they say. And I basically bring that in and say, okay, here's everything they said yesterday. Turn that into a picture of like where this might be going. Like, where are they agreeing in a way that looks like there might be signal there. And then I make myself a daily report.

So just another example. So these are all kind of like separate ideas hovering loosely around the concept of context. And I and I feel like I was doing pretty well here. I feel like I kind of had a grasp of this, but a couple of weeks ago I'm like, wait a minute. I think I actually have a much better way to think about this and to describe it. And that is something I'm calling unified entity context. And that won't be the real name that gets used, because

Gartner will come up with their own name. And of course, that'll become the official thing. But if we look at cybersecurity in general. We look at some use cases. There are some interesting patterns and similarities. So for SOC you got to look at all these different types of data right. And try to like come up with like what actually happened. Like is this thing bad? Is it okay. Is it benign. Whatever. For IR it's a lot of the same stuff. You got a whole bunch of different data you're trying to

figure out. Like, is it bad? Did it actually happen? What's the blast radius? Pentesting you're also collecting tons of information and you're trying to figure out, like, what path do I go down? How do I show impact? Same with Red team. It's just like more extreme. You're trying to, you know, show more of a story and like the actual impact to the business with management, you actually need to understand the organization and like how they push code

and how they do remediation. Otherwise you can't actually help them fix things. For program management, you need project management, budgeting strategy, time management, GRC. You've got like what do we have to be compliant with in which jurisdictions and why? And what are our current gaps right. And how those mix together. So the common issue with most of these is the actual ability to see multiple parts of the organization at the same time and then to connect those pieces, right.

This is why security analysts and red team people, and especially like principal people, people who have been doing this five, ten, 15 years are so valuable. It's not actually a single task that is difficult. The problem is getting all the information together to paint a picture to actually do the task. So I'm going to take vulnerability management as an example. Since I've lived in this hellscape for so long. What

is actually so hard about vulnerability management? Is it finding vulnerabilities? Is it like making a pretty enough dashboard to show vulnerabilities? No, it's actually fixing vulnerabilities. And the reason it's hard to fix them is because you have to know what application it's part of. You have to find the right engineering team. What repo does that code go into? What's the DevOps workflow for that? Like the team changed, right? There was there was a a riff. And now that team doesn't

even exist. And it got combined with this other one. Where did that one developer go? Who's responsible for that one app. Oh, it's different this week than it was last week. This stuff is not easy to do because it's constant change inside this company. So here's the question. How much of our inability to do a good job at vulnerability management or security in general over the last 15 years is actually a security problem? And how much

of it is actually an organizational knowledge problem? And think about that for all of security. Even crazier, think about it. For all of it. Right. Or all of software and services. Right. HR collects, you know, HR data and asks HR questions and they put it into an HR interface. Right. Project management collects project management information into a project management database. They ask project management questions and they put it into

a UI design for project management. Do we really think these things are going to need their own separate databases going forward? Their own separate APIs, their own separate questions? Maybe they need their own questions. Do they need their own interfaces? I don't think so. I think that all kind of goes away and we end up with this thing called unified entity context, or building a world model

for the thing that you care about. So if you're an individual, your history, your belief system, your aspirations, your favorite books and music, your past, your traumas, your salary, blood pressure, friendships, job, career, family goals, financial goals, your upbringing, your medical history, how strong you are, how much you can curl like you know your blood sugar levels, right? And then you can ask questions. Just like with the security program, you could be like, why is my relationship

not working? What can I do to improve my health? And if you're a company, it's back to the stuff we talked about with alma. It's all of its goals. It's all of its competitors. It's all of its slack communications. It's all the transcripts from all of its calls. It's all of its Google Docs and Confluence and all of that. It's their desired are for the company, all the product marketing that you're putting out for all of your products and all the product marketing your competitors are putting out

for all their products. This becomes the baseline for everything. Once you have that, then you do this. Then you take the smartest, biggest context AI that you have and this will be massive in the future. Right. It's getting bigger all the time. And you look down at this entire context and it can hold it all in its

mind all at once. So this is completely insane. Basically, I think most people have this eye thing exactly backwards instead of cybersecurity or finance or whatever, being at the center with context and AI being things that you kind of like sprinkle on to do that thing better. It's actually the opposite. The context of the entity is everything. The world model that you have for this thing is everything. Software verticals kind of go away. They just become use

cases on top of this architecture. Cool. But we were talking about hacking, right? How do we bring this back to hacking? So basically the future of hacking, because all of this relates to context, is basically how you can keep an exhaustive, accurate and up to date world model of the thing that you are attacking. And this is

true whether you're actually attacking or whether you're defending. So it turns into a giant competition between attackers and defenders and attackers versus attackers and defenders versus defenders between who has the most accurate and up to date world model for their organization. So everyone listening to this, every attacker, every bounty player, we are all going to have a stack like this. I've been building this for years already, so like and I know some people on this call

are probably along the path as well. So it's not a bunch of agents with random tools. It's an interoperable system where the output of one is the input to the next one. Okay. This is a big thing that people aren't understanding about that whole agent thing. You don't just say blah and give it like a prompt and then say, oh, agents, figure it out, because then you're offloading all the work to the model to actually do the hard work of building the system itself. The better

way to do this? And if you talk to the people at AI. eye, the people who are actually building these systems to actually go and find vulnerabilities, exploit them, fix them or whatever. They need a system like this. These are the systems I've been building for years. They are modular. Each little piece does one thing well. It's a Unix concept, right? Each little piece does one thing well, right. So I've got a million of these things finding domains,

finding websites, crawling the websites, running automated scans. And each one of these could be like a super basic version. It's like curl okay. You got curl on one side and you've got fully automated puppeteer browser automation going through bright data on the other side, right? So you have all these quality, you know, spectrums in between for each of these modules. But the whole system works together based

on a set of goals. Right. So running automated crawls, parsing all endpoints, pulling out every single API endpoint from every piece of JavaScript writing exploits, POCs actually doing the attacking, um, writing up reports. All of these are separate modules. So let's say the target, you know, has like five main web applications, like a few hundred pages per site. And, you know, there's a whole bunch of agents. Think of this. You're going to have like thousands of agents. You'll start

with dozens, right? Dozens, then hundreds, then thousands, then whatever. So we're also learning from new marketing campaigns on X or LinkedIn. Keep in mind multiple of these these modules

are actually watching the company. They're watching everything the company does, every piece of marketing, every piece of information that's put out about this company gets parsed and brought back into the context, because the system as a whole and the AI that's sitting on top of it, watching the goals, is using that new information to tweak how we're going to do this attack. Right. So they have a new product launch, which is a new website, a mobile app. Cool.

Go download that. Right. Right now we can't do too much with that because that's a little bit difficult. In a year or so, we're going to be able to go download that full mobile app, run the mobile app in a full virtual environment, Run a whole bunch of mobile tools, find out like which APIs aren't secured where they're not using TLS. Um, all sorts of issues that

you have with mobile security. And that'll just be one little tiny module which brings that context back into the overall engine, which enhances all the other components inside of that engine. Right. Send that over to automated Burp intruder tool. Right. Then all of burps output. And that's a lot of output. It overwhelms anything including Gemini by the way. So this is still a place where, you know, the AI has to grow because, um, something like burp output from crawling

a website is still massive. Anyway, you've got all that content coming out. All that content can then be repassed to find the JavaScript in there, to find where they're doing all their controls on the client side. Again, you only have to tell it a couple of core things inside of the system. Here are the types of things I'm looking for. Any output that you get, go and look for the following things. Oh cool. We got new

output from burp. We found new JavaScript files. Let's go parse the hell out of them and find the files and API endpoints. Bring that back into the system. Right? And meanwhile, all this stuff is being fed into the appropriate modules. So let's say we find some good stuff, uh, send off to the exploit agents and try to do something according to the rules, uh, in goals we've laid out. Right. Uh, so for an attacker, we're trying to extract data. Maybe we're going to sell that access to a broker for

a bounty person. We're going to create a POC in a short video to go with the automated report, and we're going to submit it to Hackerone or Bugcrowd or whatever. Right. And that just becomes another module that your thing is good at, right? It's automated workflow, but that's not the cool part. The cool part is this thing never sleeps.

Dozens or hundreds or thousands of agents in this infrastructure working at all times, finding new domains, finding a new announcement which includes a new domain which you then go find the subdomains, which you then go find all the infrastructure. You find the web apps that are listening. You then go crawl those ad infinitum through this entire system, right? Open admin portals. You're taking all the screenshots. You're finding

the screenshots. Oh, that's an admin portal. That thing's wide open. Oh, look. Default credentials. Right. Looking for open ports. Seeing if there's any new stuff out there right now. This sounds complex because there's lots of different tools and everything to keep in mind. But this system only needs to be built once, and then you're just adding modules and upgrading the modules. And this is a big part of what the AI helps you do. It helps you just make each one

of these little things better and smarter. Again, everyone is going to have a stack like this. Individual bounty hunters, individual people just doing security research or hacking on their own, and definitely the attacker organizations. And guess who else needs to have it? The defenders. If you are a defender and you are not running this against yourself, you are

going to lose. You are going to lose because because there are going to be so many people running a stack like this against you, you are just going to lose now at first, including everything I built for myself. Right. This was just going to be some basic information, right? Because we can't do the full version of this yet. Right? This is a year, two, three, four years. You know, This gets better as the AI tech stack gets better. But the system itself is core. So, um, this is

like an internal. This is the AI remake I'm currently doing of my Helios system. And, you know, it's not going to have fully automated burp yet. It's not going to have a bunch of different modules. But like I said, this gets better as the tech gets better. The other thing is running, you know, hundreds of agents constantly. That's not cheap, right? So these prices have to come down the context windows have to go up. It's an upgrade process.

So some vignettes to just think about this. So imagine that you're out at dinner and you get a notification that some employee at some company. Right. Um, they just talked about how, oh, I've got this thing at work and blah, blah, blah. This thing is a they're drunk or whatever, and they're talking online and some, you know, Reddit subreddit or whatever, and they're like, yeah, this new domain we put up and it doesn't have toufar. And I can't believe they used default credentials. That's why I

want to quit. I'm going to start my own business or whatever. And so, um, you're sitting there eating dinner with a friend and you get a discord message from your AI bot and it's like, hey, some, uh, some dumbass just got drunk and posted that, um, there's a brand new, uh, domain open and, uh, potentially there's a vulnerability here. Do you want me to go mess with it? And you're like, yeah, yeah, go mess with it. So it comes back and it tells you basically. Yeah. The

vuln that they mentioned actually does exist. Um, I do you want me to exploit it? Yes. Cool. All right. So we sent it in. We got the money. Or if you're a bad guy, you know, you're, uh, stealing data or whatever. And keep in mind, this could be from, like, a forum post. Um, it could be an announcement on TechCrunch that they just bought a company. So it's a merger and acquisition. Um, anything on the internet relative to

your target? The agents are constantly watching new announcements, you know, new mergers, disgruntled employees, uh, a new job req for a new technology that you didn't know. So you add it to the tech stack for that company. Uh, new website posts are constantly being discovered, right, because they can make a slight change to the site, but they added a new API. Have we tested that API before? No, it was actually a different team that built that API.

They didn't use all the security that the other team used. Boom. Now that's how we got in. That's how we pulled the data or whatever. New S3 buckets not probably secured all this stuff. So the entire game here and this is a really big point, is maintaining as accurate as possible world models for these things you're attacking. It doesn't matter if you're a company. It doesn't matter if you were hired to defend the company. It doesn't matter if

you have your own startup. It doesn't matter if you're a bounty player. It's all the same shit. You have to keep the most updated version of this thing in your mind as possible. And here's something else that's crazy about this. One of the modules here is the actual list of attacks that you run when you attack. Okay, so check this out. You have like it's your bag of tricks. Your bag of tricks is what gets thrown

at every web app. At every mobile app. Right? Um, for every social engineering campaign, for every fish you have, like your favorite little stuff that you do. Well, one of the AI modules that you have inside of your overall system is the one that parses new research. So I keep forgetting the guy's name, but every blackhat he releases like a new attack on HTTP itself. Um, he's the guy that works with, uh, DAF over at, um, uh, you know, burp. Um, portswigger. But anyway, uh, I want

to say albino wax, but that's not quite right. Anyway, you all know the guy. So every time he releases something, every time he tweets, I have another module which go and reads that pulls it down and says, oh, that's actually interesting. Guess what? Upgrade. It's like the Borg from Star Trek. You hit it. Once it falls over, you hit it the second time. It's blocked that technique. Okay, Jason puts out a new video. He's like, oh, I've got this new, uh, this new attack that I always

do against my things. It finds way more domains. I got this new attack. It, uh, it goes through filters for, uh, prompt injection. Right. Um, maybe, uh, Joseph is talking about that. It goes straight through prompt injection. Cool. Add that to the methodology. The whole system has now been upgraded. You can have an entire dedicated thing. It does nothing but watch. TLDR right, it watches Clint's entire thing. It finds every single thing that it mentions. It reads, goes and reads every, um,

you know, every presentation, every GitHub repo. And it pulls out the research and uses that to upgrade the methodology. And again, that's also continuous. So the system is always being upgraded. So then the question is like what are you going to actually point this at. So I'm already monitoring like all the new bounty programs as they go live. Right. I'm not started testing them yet because I'm still building out, um,

the rest of this new stack based on context. But my goal is to set this thing free on, uh, on actual program soon. Um, but but the point I'm mentioning this is that you can always be adding new targets, right? Attackers are going to have their own criteria for picking targets, right? Maybe they have a lot of money. Maybe they have. It's a combination of a lot of money and a bad security team. Maybe it's a combination of they have a lot of money, but I just saw on LinkedIn

that half of their security team got fired. Oh, let's add that one to unify context and let's start attacking that one. Point is this is also continuous to find targets. And in my case, just parsing a brand new, uh, bug bounty programs that are coming live. So the entire game here is maintaining these accurate real time world models for entities. Like I said, it doesn't matter who you are. Um, what's really hilarious about this is AI is not the

main feature here. AI is not the point. AI is just the tech that enables this to happen because of the agents, and because of the fact that um, models can hold way more information in their brains at one time than we can. That's the only thing we're really getting from the AI is the models are pretty smart, right? And the smarter they get, the better this gets. But it's not the kind of the point. The point is the world model capture of this thing. It. Okay, so

just imagine this. Imagine it's 20 years in the future. Imagine we're not dead yet. Or, you know, like, everything has gone well. The planet is still here, uh, 20 years in the future. Imagine an ASI and this is a little sci fi, but it's not too far off. Honestly. Imagine China holding the United States context of every open port, every vulnerable API path, every, um, opportunity for, like, file inclusion, every single attack possible, every every AI agent that's vulnerable

to a particular type of prompt injection. It just pulls in the entire context of the United States current state of vulnerability and holds it in its mind in one piece. And then they ask the question, who do I go after first? What is the next best action to harm the United States? The most right or to harm Russia the most, or to harm whatever target that they are pointing at? The point of this is that is millions of IPS. Hundreds of millions of IPS. Is it billions

of IPS? The point is, think about how much context you need for that, right? Doing this for a company itself is actually hard enough, right? To understand its entire history and every state change of all its IT and tech. We're talking about terabytes or petabytes to hold a state in its mind at once. And it's got to like keep that in context. Keep in mind, so you think we've actually gone far with AI? We haven't gone near close to what we actually need. And the AI is

not the point. The point is having the size of the state that you can hold in your mind at once, right? So all this to say that the AI is not that important. It's kind of a supporting actor because size of context and yeah, okay. The models are smart. So

that emulates, you know, some human components of this. But what actually matters is knowing that you have to keep the state and understand this world model of the thing, and that you build a system, a replicable system that produces outputs based on how the different modules in the system interact. The system is more important than the eye, right? And the concept of context itself is more important than eye.

The eye is just the supporting tech. So what we end up with here is a world where every single stone, every single port, every single URL, every single API endpoint, every single agent is constantly being overturned, checked, and double checked. As an attacker, you are competing with hundreds of thousands of other attackers. As a bounty player, you're competing with hundreds of thousands of other bounty players and the attackers.

You're racing to go do that thing. And as a defender, you're defending against all of them, plus all the other defenders, because you know you want to be the one that gets away from the bear while the other defender gets eaten. So natural question is, okay, what does all this mean? If this is correct, if you're a defender and you're trying to determine what AI to build for your company, you need to start building your own world model of

your company. You need USC context for your company. Your attackers are going to have it and you better have a better version. And if you're a bounty player, you need to rebuild your automation stack. Putting the world model building and USC at the center of it. And if you don't have an automation stack, go look for a new hobby because you're not long for this world. They're about to be millions of people slash agents going after the same bugs with constantly evolving and improving systems and

stacks and AI intelligence helping it. Right? So this is a competition between their system versus your system, not one of them against you. It's their system against yours, their context against yours, their world model against yours. And finally, if you're just trying to figure out, like where things are going with all this AI stuff, just remember one core idea. The game is not adding AI to stuff we care about. The game is having real time world models of what we care about, which we can then

take action on using AI. Thanks for your time.