Cybersecurity Looks Like Proof of Work Now

Origin: A Report Sparks an Economic Perspective The discussion began when the UK's AI Safety Institute (AISI) published an independent evaluation of Claude Mythos Preview's cyber capabilities. The report confirmed Anthropic's claims that the model is exceptionally effective at identifying security vulnerabilities. However, the real insight came from analyst Drew Breunig, who highlighted a key finding from the report: AISI discovered that the more tokens (i.e., money) invested, the more and better vulnerabilities Claude Mythos found. This seemingly simple observation points to a profound shift: the nature of cybersecurity may be evolving from a purely technical confrontation into a game of economic resources. Breakdown: From Technical Cat-and-Mouse to 'Proof of Work' Traditional cybersecurity is a battle of technical skills between attackers and defenders, full of uncertainty. But Drew Breunig offered a new analogy: it now looks like 'Proof of Work.' In blockchain, 'Proof of Work' requires participants to expend significant computational resources to gain the right to validate transactions, thereby ensuring system security. In AI security auditing, the logic is strikingly similar: To harden a system, you need to invest enough computational power (tokens) to discover vulnerabilities. Meanwhile, attackers also need to invest corresponding resources to exploit these vulnerabilities (e.g., using AI to analyze systems and generate attack code). Thus, security becomes a brutally simple equation: the defender's cost of discovery must exceed the attacker's cost of exploitation. As long as your 'budget' is higher than that of potential attackers, the system is more secure. It's like an arms race for security, funded by money. Trend Insight: The Unexpected Return of Open Source Value This trend leads to a counterintuitive conclusion: the value of open-source projects increases rather than decreases. Over the past few years, a prevailing view suggested that with AI-assisted 'vibe-coding,' people could quickly and cheaply create replacements, making the maintenance of large open-source projects seem less appealing.

However, Drew Breunig pointed out that if security relies on high, continuous token investments, the open-source model demonstrates a significant advantage. The tokens spent on auditing the security of an open-source library (like OpenSSL) can be shared by thousands of users. Each user doesn't need to pay this expensive 'security tax' individually. In contrast, a privately owned alternative quickly assembled through 'vibe-coding' would require the entire security audit cost to be borne by a single team or individual, which might be economically unfeasible. Therefore, AI security economics actually reinforces the foundational role of open-source collaboration. Practical Value and Counter-Intuition For developers and architects, this means that when choosing a technology stack, in addition to functionality and performance, they need to add a 'security economics' dimension. Relying on mature open-source components that have undergone extensive, continuous security audits may be more cost-effective and secure in the long run than building in-house or using niche alternatives. Security is no longer just about 'writing more secure code,' but also about 'how to allocate security budgets more wisely.' The most counter-intuitive point is this: we often think AI will drive software development costs toward zero, thereby weakening the moats of large projects. But in the security domain, AI might actually strengthen the necessity of resource concentration and collaboration by raising the baseline cost of 'trusted security,' making large, widely audited open-source projects even more indispensable. Security, once the realm most reliant on human expertise, is being reshaped by AI into a rational calculation about resource efficiency.