The industry is still staring at the 50-meter target. The real shot is much farther out.
By: Larry R Orton
The 50-Meter Problem
The cybersecurity industry is staring at the 50-meter target and congratulating itself for having binoculars.
Every conversation about AI in security seems to land in one of two camps. On one side, people are terrified AI is going to create more vulnerabilities than it fixes. On the other side, people are excited because AI might automate some annoying tasks, write better reports, triage alerts, summarize logs, and maybe finally save some poor analyst from drowning in a sea of “medium” findings that nobody is ever going to patch.
Both sides have a point.
Both sides are also missing the bigger picture.
AI is not just going to make cybersecurity faster. It is going to make a lot of our current cybersecurity categories look ridiculous.
Cybersecurity Has a Cheesecake Factory Menu Problem
For years, cybersecurity has been chopped into smaller and smaller pieces. Red team. Blue team. Purple team. Pen testing. Forensics. Threat intelligence. Incident response. Bug bounty. Vulnerability management. Compliance. Cloud security. AppSec. IAM. GRC. The list goes on long enough to make you wonder whether we are defending networks or building a Cheesecake Factory menu.
There was a reason for this. Cybersecurity got complicated. No one person could hold the whole thing in their head anymore, so we specialized. Specialization created expertise. It created roles, teams, tools, processes, certifications, conferences, and a whole lot of people saying things like “circle back” with a straight face.
But specialization also created seams.
And attackers love seams.
Every handoff is a chance for context to disappear. Every dashboard that does not talk to another dashboard is a blind spot with a subscription fee. Every team boundary is another place where the left hand thinks the right hand opened a ticket, the right hand thinks the left hand accepted the risk, and the attacker thinks, “Wonderful, dinner is served.”
This is the part I think the industry is underestimating.
The Polite Version and the Less Polite Version
SecurityWeek’s Cyber Insights 2026 article says offensive security is moving away from isolated exercises and toward continuous, integrated programs. It also points out that penetration testing and red teaming already overlap, even if they traditionally served different purposes. The article goes even further, arguing that the boundary between red teaming, penetration testing, and continuous assurance is going to blur.
I agree with that.
Actually, I think that is the polite version.
The less polite version is this: a lot of these categories are going to collapse because they will no longer make sense.
Pen testing and red teaming are already standing close enough to share deodorant. Add AI to the workflow, and the distinction starts to matter less. One is supposed to find and exploit weaknesses. The other is supposed to act like a real adversary and test whether the organization can survive it. Fine. That distinction made sense when humans had limited time, limited scope, limited tooling, and limited energy.
But what happens when an AI-enabled offensive security system can continuously probe the environment, map attack paths, test assumptions, validate exposures, prioritize risk, suggest fixes, and then retest after remediation?
At that point, are we still doing a pentest? A red team? Continuous validation? Exposure management? Threat-informed defense?
Or are we just finally doing security?
The Real Target Is De-segmentation
That is where I think this is heading. Not “AI helps the red team write reports faster.” Not “AI saves the analyst ten minutes on a ticket.” Not “AI makes vulnerability scanning slightly less soul-crushing.”
Those are nice. Those are useful. Those are also the 50-meter target.
The real target is de-segmentation.
Cybersecurity has spent years breaking itself into pieces because humans needed the work broken into pieces. AI changes that equation. It does not eliminate the need for human judgment, but it absolutely reduces the need for humans to manually carry information from one security bucket to another like we are forming a medieval fire brigade.
Right now, security often looks like a broken chain of information. The red team finds something. The blue team sees something else. The vulnerability team has a score. The asset team has a spreadsheet. The compliance team has a deadline. The business has no idea what anyone is talking about, but it would really like the production system not to catch fire before Thursday.
AI has the potential to connect that mess.
That does not mean we should blindly trust a machine to start patching production systems at 2:00 a.m. because it had a strong opinion and access to a change window. I am not arguing for “Skynet, but with a Jira integration.”
I am arguing that the old model will not scale against AI-assisted attackers.
Attackers Do Not Care About Your Org Chart
Attackers do not care about our job titles. They do not care whether something is a red team issue, a blue team issue, an AppSec issue, or a cloud issue. They care whether it gets them closer to the crown jewels. They move across systems, tools, identities, applications, vendors, and human weaknesses as one connected attack path.
Defenders need to stop responding with a PowerPoint deck and six separate teams who all agree the problem is technically owned by someone else.
This is why offensive security is going to eat more of defensive security.
That sounds dramatic, but it is not really. Offensive security is already defensive security with better posture. It is proactive defense. It is finding the weakness before someone in a hoodie, a government building, or a ransomware affiliate Telegram channel finds it for you. SecurityWeek’s article makes this same point: offensive security is about attacking systems in order to harden them, and AI is pushing that work toward continuous automation and closer collaboration with defensive teams.
So why keep pretending offense and defense are completely separate kingdoms?
The Sight Picture We Actually Need
The future security stack is not going to be a pile of disconnected tools throwing alerts over the wall. It is going to be a living, offensive-informed picture of the organization. It will constantly ask: How would someone attack us? What changed? What is exposed? What matters to the business? What can be fixed now? What has to wait? What risk are we actually carrying?
That is the sight picture we need.
Not a broken sight picture. Not fifteen dashboards, three ticket queues, and a weekly meeting where everyone says “visibility” like it is a magic spell.
A real sight picture.
And that changes the human role.
The Boring Work Gets Automated. The Important Work Gets Exposed.
People keep asking whether AI will replace cybersecurity professionals. I think that is the wrong question. The better question is: which parts of cybersecurity were only jobs because the tools were bad, the data was disconnected, and the workflow was held together with caffeine and suffering?
In the future, humans will still matter. A lot. But we will matter differently.
We may not all need to know how to manually read a PCAP file in the same way people used to. That does not mean deep technical skill disappears. It means the center of gravity moves. The most important human responsibility becomes action.
Decision-making. Prioritization. Risk acceptance. Business context. Accountability. Strategy.
The AI can tell you what is exposed. It can tell you what attack path is most likely. It can tell you which fix would reduce the most risk. It can tell you which compensating control buys time. It can probably tell you which team is going to pretend they did not see the ticket.
But it cannot own the organization’s mission.
That is on us.
Humans will have to decide which remediation supports the business, which risk is acceptable, which system cannot be touched during peak operations, which vulnerability is technically ugly but strategically irrelevant, and which “low severity” issue is actually the first domino in a very bad day.
That is not less important work. That is more important work.
The boring work gets automated. The important work gets exposed.
Do Not Build a Highway Stable
Of course, some people will say, “We segment these functions for a reason.”
Yes. We did.
And horses were useful before cars.
That does not mean you build a highway stable.
Old models usually had good reasons for existing. Then the world changes, and those same models become drag. Holding onto them too tightly does not make you disciplined. It makes you slow. And in cybersecurity, slow is just another word for “already breached, but still scheduling the readout.”
There is no stopping this train. AI is coming into security whether the industry feels emotionally prepared or not. Attackers will use it. Vendors will sell it. Defenders will test it. Regulators will argue about it. Consultants will rename things they already did and add “agentic” to the invoice.
The question is not whether AI changes cybersecurity.
The question is whether we use it to make the old broken workflow faster, or whether we use it to build the workflow we should have had in the first place.
The Future Is Simpler and Harder
I do not think the future is red team versus blue team. I do not think it is pen testing versus bug bounty. I do not think it is more categories, more dashboards, more acronyms, and more meetings where everyone agrees that “alignment is key.”
I think the future is simpler and harder.
Continuous offensive security. Continuous validation. Continuous remediation guidance. Continuous business-aware risk decisions.
A security model where the categories matter less than the mission.
A model where AI connects the information chain instead of forcing humans to duct-tape it together after the fact.
A model where offensive security becomes the heartbeat of defense.
The whiteboard already has the answer on it. We just need to stop standing five feet away from it arguing about whether the marker color is compliant.
The train is moving. We can either jump on and help steer it, or we can stand on the tracks explaining why the old process had a lot of historical value.
History is nice.
I would rather not get flattened by it.
Works Cited
Townsend, Kevin. “Cyber Insights 2026: Offensive Security; Where It Is and Where It’s Going.” SecurityWeek, 28 Jan. 2026.