
Slopdemic, Not Vulnpocalypse (Yet)

I joined Sherrod DeGrippo on the Microsoft Threat Intelligence Podcast this week to talk about how AI is reshaping vulnerability research, disclosure, and patching. It was her first video episode, and it turned into one of those conversations that wanders the whole landscape — triage load, disclosure timelines, vibe crime, chaotic threat actors, and why the humans still matter. Show notes and a full transcript live over at the CyberWire.

A few of the threads, for those who prefer reading:

We were already in the vulnpocalypse. Software has been full of holes since long before generative AI showed up. What's changed is that the "you must be this tall to ride" bar has dropped for everyone at once: new researchers, new attackers, and a pile of new tooling. Signal is up, and noise is up with it. I went on record last year predicting that 2026 would be a triage crash fire for basically the entire internet, and that's roughly where we've landed — a slopdemic more than a spontaneous combustion.

AI makes elite researchers faster and enthusiastic newcomers louder. Chompie's post-Pwn2Own thread is the best recent example of the first: she hasn't outsourced her creativity, she's automating the tedious parts — harnesses, tooling, the boring middle — and getting to the interesting problems faster. "Super saiyan capabilities," as she put it. The same leverage applies to the adversary, and to the wave of newcomers who bring 12/10 enthusiasm and 3/10 usefulness. They're not malicious; they're load. Triage teams feel both at once.

Disclosure runs on aligned expectations. Full disclosure is death and taxes: the lowest-energy fallback state when coordination fails. You can't wish it out of existence. What you can do is align expectations before the conversation starts. Researchers: tell the vendor you plan to publish, give them a timeline, and apply back pressure at the check-ins. Vendors: say how long you actually need, and why. 90+30 (a 90-day fix window plus a 30-day grace period for patch adoption before details go public) works fine for hosted code; it doesn't work for pacemakers or satellites. Fifteen years of coordinating hacking the internet at scale nets out to this — aligning expectations up front is the one thing that reliably works.

The wild card is the chaotic actor. Nation-states and financially motivated crews are at least modelable — you can reason about what they want and defend accordingly. A bunch of pissed-off kids with AI-grade capability who break things because they feel like it? That's the one that keeps me up at night. Groups like the Com, and the recruitment pipelines running through gaming platforms, are what it looks like in practice. Vibe crime is already here, and the sloppy-but-effective campaigns have been ramping all year.

No robots in the gym. We closed on the human side of all this. Dan Miessler's framing is the one I keep reaching for: automate the factory work, keep doing your own reps. I told the story of noticing my own writing atrophy after leaning on AI too hard for ideation, and deliberately pulling back. Community is the antidote — to the noise, to the cortisol-crash cycle, and to the 5am rabbit holes. When Sherrod asked what still gives me optimism, the answer was easy: people. It's always been people.

Thanks to Sherrod for having me on, and for her ongoing commitment to making the internet fun again. Go subscribe to the show.