Last month, researchers reported an alarming metric: an AI pipeline that can generate validated, working exploits for published CVEs in approximately 10–15 minutes at an estimated cost of around $1 per exploit. If that throughput generalizes, the tempo of cyber operations could shift sharply.
That made me think about Rebecca Slayton’s 2017 paper on the meaning of the ‘Cyber Offense-Defense Balance.’
Slayton argues that broad claims about offense or defense dominance are unhelpful unless we assess both sides’ value and costs for specific operations. In reality, the balance is influenced less by some inherent quality of “cyberspace” than by who can effectively mobilize the relevant organizational skills, tools, and processes. Simply put, the advantage goes to the side that can achieve the desired result at a lower net cost.
Applied to the AI exploit report, the key empirical fact is that the apparent cost and time to produce POCs have decreased, at least for a class of open-source CVEs and controlled testbeds. However, a lower per-exploit cost for attackers is only one part of the equation; defenders’ organizational capacity to reduce their effective costs (through automation, testing, rollback, and isolation) determines whether the balance truly shifts toward offense.
Slayton emphasizes that cyber operations’ costs are primarily organizational: the skills required to maintain complex IT, to triage and deploy patches, and to engineer resilient systems. Offense often looks cheap because attackers can aim at simpler goals (e.g., gaining access or exfiltrating data) and use commodified tooling. Defense, by contrast, requires sustained investments in management, process, and coordination — and those are what raise defenders’ costs.
AI-based exploit generation amplifies this logic.
If attackers can cheaply automate POC creation, the marginal cost of generating and testing exploits falls dramatically. However, attackers still require targets that are both valuable and reachable; defenders continue to maintain control over asset configuration, segmentation, runtime defenses, and the speed of safe patch deployment. The contest, therefore, becomes an organizational arms race: can defenders match the speed and scale of automated offensive production with faster, more reliable defensive processes?
Tempo matters: minutes vs. days as a strategic variable
Historically, defenders relied on a temporal asymmetry: advisories, coordinated disclosure, and the time it took human researchers to produce exploits created a “grace period” measured in hours to weeks. Weiss & Khayet’s pipeline short-circuits that assumption by collapsing exploit-creation time to minutes and scaling throughput across the daily CVE stream.
From Slayton’s perspective, this is important because the offense-defense balance is functionally about whether defenders can realize defensive value faster and cheaper than attackers can realize offensive value. When an attacker’s time-to-effect drops to minutes, defenders face a new constraint on their organizational processes. They must reduce their own time-to-mitigation or accept a higher residual risk.
What “cheap, fast exploits” does (and does not) change
- It lowers the marginal cost of exploitation for some attack paths. Automated exploit generation reduces the time and expertise required to turn published advisories into working code, at least for many open-source packages and well-documented patches. That shrinks attacker costs and increases potential throughput.
- It does not automatically make all attacks easy or valuable. Slayton demonstrates that offense can still be costly when precise physical or kinetic effects are required, or when attacks must traverse complex, well-defended operational environments. Cheap exploit generation is most potent where the attacker’s objective is access, data theft, or enabling ransomware — outcomes that require less precision than kinetic sabotage.
- It magnifies the role of the defender organization. The competitive edge now hinges on whether defenders reduce their own costs of detection, validation, and safe remediation faster than attackers can mass-produce exploits.
Framing the future: an organizational arms race, not an inevitability
The AI exploit research is a wake-up call about tempo. But interpreted through Slayton’s framework, it is not a deterministic victory for offense. It is instead a change in relative costs that rewards better organization, automation, and layered defenses. Offense becomes cheaper on one axis; defense can become more affordable on another axis if organizations invest smartly and at scale.
The crucial question is whether defenders — corporations, open-source communities, and governments — will treat organizational capability as the primary strategic variable and act accordingly.


