All Blogs

When the Distance Between Intent and Capability Hits Zero

An infosec practitioner’s worry — and confidence — in the age of agents

For the past few decades, the entire order of cybersecurity has quietly rested on a premise nobody bothers to state out loud: the people who want to do harm and the people who can do harm are two different populations. Plenty of people have malicious intent, but very few can actually write a working exploit or chain an attack from recon to persistence. Capability is scarce, and scarcity itself has been a natural defensive line. The vast majority of would-be attackers are kept out — not because they were persuaded, but because they don’t know how.

AI agents are removing that line. They are rapidly compressing the distance between intent and capability, pushing it toward zero across domain after domain. This is not a matter of one vulnerability class getting worse. It is the foundational assumption that security depends on starting to fail. That is what I find most worth watching.

The phenomena below look different on the surface, but they are all symptoms of the same underlying shift.

Layer one: vibe coding — democratizing code means democratizing vulnerabilities

The number of people who can write code exploded overnight. That is a good thing. But being able to write code and being able to audit what you wrote have never been the same skill. Vibe coding is putting vast quantities of code into production through people who have had no security training. The issue is not that AI-generated code is “worse” — often it is quite clean — but a lethal asymmetry: AI produces code far faster than the person directing it can review it, and that person typically lacks exactly the knowledge needed to judge what to review.

The result: injection, privilege escalation, hardcoded secrets, broken auth boundaries — the most traditional vulnerability classes — are now being produced at unprecedented volume, by an unprecedented number of hands. These are still “classical” security problems, but their scale and distribution have changed. The attack surface is no longer a surveyable landscape. It is a jungle growing wild every day, unseen by anyone.

Layer two: the agent as attacker

If vibe coding is carelessness amplified, the genuinely new thing is AI being turned into an attacker on purpose. This layer breaks into two parts: the model and the harness.

The model layer: safety guardrails are not the foundation — they are a coat of paint

A model’s “refusal to do harm” depends on its refusal mechanism. But refusal has been shown to be bypassable from two directions:

  • Abliterated open-source models. Abliteration surgically removes the refusal behavior from the weights themselves — the model simply stops refusing. After the procedure, it will answer questions about offensive cybersecurity, biochemistry, or anything else without hesitation. The procedure is open-source; anyone can apply it to any open-weight model. And today’s top open-source models — GLM 5.2, for instance — are genuinely powerful. Strip the refusal away and you are looking at raw, unconstrained capability. The implication: as long as the weights are open, a model’s refusal is just the shipped default — and defaults can be flipped. For a motivated adversary, safety alignment on an open model is close to security theater. This forces us to rethink the open-vs-closed debate: for a sufficiently determined attacker, arguing about whether an open model “refuses” is meaningless. What matters is how much raw capability is sealed inside those weights — because refusal can be cut away, but capability cannot.
  • Jailbroken frontier closed-source models. Even the most capable, most carefully aligned commercial models are not beyond reach. Reports on X (formerly Twitter) have documented jailbreaks against frontier models including Fable 5; I take no responsibility for those claims, but the pattern they illustrate is worth stating plainly: refusal training is empirically defeatable, and we must design on the assumption that it will be defeated — not that it will hold forever.

The harness layer: infosec is the discipline most ripe for agent automation

A model with capability still needs hands. And cybersecurity happens to be tailor-made for agents — because the entire profession already lives inside the command line. nmap, sqlmap, Metasploit, every scanner and exploitation framework: text in, text out, CLI tools that fit LLM tool-calling like a glove. The wall between a model that knows how to exploit a vulnerability and a model that is exploiting one is barely there.

But that is not even the crux. Historically, running tools was never the bottleneck — judgment was. Knowing what to try, how to read an ambiguous response, how to chain steps, where to pivot when stuck. That judgment is the scarce expert resource — and that is exactly the layer agents now automate.

And so you get the loop:prompt → context → harness → loop. An agent can probe, observe, adjust, and probe again, tirelessly, until it breaks through. And here is the real change: the attacker gains inexhaustible persistence and adaptability. It scales horizontally in space (many instances running at once) and vertically in time (it never stops).

Two extremes — and their product

Pull back and you see both ends of the threat spectrum lighting up at the same time.

At the top end: already-resourceful, already-skilled adversaries. Hand a top-tier hacker the leverage of a capable model, add sufficient resources, and the result is an attack of nation-state intensity.

At the bottom end: a sprawling, immature mass of demos and half-built products — vibe-coded apps, hobbyist hardware, things shipped before anyone looked at the security. The danger here is not sophistication; it is sheer volume and softness. A huge, porous attack surface.

The worst part: these two ends don't just add up — they feed each other. The bottom end keeps manufacturing soft targets; the top end keeps harvesting them. Together they land somewhere far worse than either end alone. And there is a middle band being lifted too, often overlooked: the “script kiddy” tier — people with intent but no skill — each now equipped with a capable agent. Code is being democratized; so is attack.

When the attack surface grows a body

Then there is a dimension I worry about just as deeply: robots are walking into our lives. Self-driving cars, drones, industrial arms, household machines — moving from the screen into the physical world.

This changes the math of risk tolerance. In pure information security, we can sometimes accept “get breached occasionally, then recover.” For systems with bodies, some failures are irreversible — they cause physical harm, not data leaks. A compromised chatbot leaks information. A compromised physical robot can hurt someone.

The contradiction: the safety bar for embodied AI should be an order of magnitude higher, yet the development culture around it is stuck in “make a demo, ship fast” mode. That gap is the danger itself. And the foundations these systems run on — ROS 2, for example — were largely designed in an era that did not anticipate adversarial AI. This is exactly why I built ROS2Pot: a honeypot that stands at this intersection, drawing agent attackers into a physical-fidelity robot environment and recording every move they make.

We cannot stop — so we must shape

So what do we do? “Halt development” is not a real option — not only because competition and civilization make it impossible, but because security itself is a capability that must be developed. You cannot have safe AI without doing the work of making AI safe, and that work requires engaging with frontier capability head-on.

Retreat doesn't buy safety — it just buys blindness. This is the deepest reason for people like us to stay at the table: if the people who care about security are not at the frontier, the frontier will be built by people who don’t.

The real question is not whether to develop, but what can security practitioners do to make AI reshape society safely? You cannot control every person’s intent at scale — but you can architect systems that are robust regardless of intent. Hardening ROS 2’s security foundations is one such entry point: fortify the base before it is everywhere. That is the value of this kind of work — it acts on the infrastructure layer, not as an afterthought patch.

And this is far from a cybersecurity-only concern. The same pattern — capability democratized, safety mechanisms bypassable — holds in biology, chemistry, and beyond. What we are seeing in infosec is one special case of a much more general problem.

Worry — and confidence

I have deep worry about all of this, and the worry is honest and specific. But I also have real confidence, and it is not blind optimism — it is grounded in concrete mechanisms like the ROS 2 security work I am doing.

When capability is no longer scarce, security can no longer depend on the premise that “few people know how to do harm.” It must instead depend on the architecture of the system itself. If you cannot control intent, architect systems that are immune to it. That is the deepest answer I can give to the present moment. And the people who can give that answer — and actually do the work — are us.

More Blogs

From Prompt to Loop: Four Paradigm Shifts in AI Engineering, Across My Three Years of College

The Cheaper Tokens Get, the More Ontology Is Worth

First Principles Is a Scalpel, Not a Hammer

Making AI land safely
in the real world

Vīrya — the hero's energy, the root English keeps in virtue. An old creed that runs my work: make the vow, then keep it without pause — small water, always flowing, cuts through stone. If you hold a problem worth years, I want it.