
AI Vulnerability Detection Will Make Things Worse, Warns Former US Cyber Official

Former senior US cyber official Rob Joyce warns that AI's ability to rapidly find software vulnerabilities will make security worse, not better. He argues that organizations' ability to apply patches cannot keep pace with AI-driven discovery, giving attackers a significant advantage and increasing overall risk.

A former top U.S. cybersecurity official has issued a stark warning, arguing that the growing use of artificial intelligence (AI) to find software vulnerabilities is likely to make the cybersecurity landscape worse, not better. Rob Joyce, who served as President Donald Trump's top cyber adviser and once led the National Security Agency's elite hacking team, cautioned that the problem isn't finding the flaws, but the fundamental inability to patch them in time.

Speaking at Google's Cyber Defense Summit in Washington, Joyce expressed skepticism about the optimism surrounding AI-driven vulnerability management. 'Some set of folks will say, "That's wonderful, we're going to have LLMs scanning all of our software and finding bugs at scale and patching it before the bad guys can get leverage,"' Joyce noted. 'Well, the problem with that theory is, we suck at patching.'

The core of Joyce's argument is the vast gap between the speed of AI discovery and the human capacity for remediation. He highlighted that many organizations manage diverse technological assets, including unsupported or legacy software for which they lack the personnel needed to apply timely updates. While AI can identify a firehose of vulnerabilities, these warnings simply add to an already overwhelming backlog for overburdened security teams. Joyce warned that unsupported or poorly maintained software will increasingly become the biggest source of risk in a world where AI can identify vulnerabilities faster than people can find or fix them.

This asymmetry gives a clear advantage to attackers. Offensive AI can automate complex attack strategies, allowing attackers to execute campaigns at an unprecedented scale. Joyce illustrated this with the case of XBOW, an AI agent that became the first non-human vulnerability reporter on HackerOne's leaderboard. 'It is going after these networks, and it jiggles every doorknob, everywhere, constantly,' Joyce said, 'and it finds more vulnerabilities and flaws than any human who has to sleep, eat and spend time with their loved ones.' While defensive AI helps organizations anticipate attacks and automate responses, Joyce's warning suggests the balance may be tipping in favor of the attackers.

Beyond vulnerability discovery, Joyce pointed to another emerging risk: agentic AI hijacking. He warned that hackers can get access inside a company's systems and then use its own AI agents to search for the most useful things for a ransomware or extortion attack. This turns a tool meant for productivity into an insider threat. The rapid integration of AI into core business software offerings by major tech companies creates these new vulnerabilities. Furthermore, AI itself can introduce flaws, as AI-generated code can inadvertently introduce vulnerabilities if the models are trained on datasets containing insecure samples.

Joyce's outlook is grim, suggesting a crisis may be necessary to force a meaningful change in cybersecurity practices. 'We may see the equivalent of a West Coast firestorm that has to burn things to the ground for us to build up stronger and better,' Joyce warned. This analogy underscores the magnitude of the problem: incremental improvement may not be enough. While AI has historically helped defenders scale their activities, policymakers should not assume this dynamic will hold indefinitely. Joyce's warning serves as a potent reminder that technology alone is not a panacea, and that without a parallel evolution in organizational discipline and strategy, powerful tools can create equally powerful problems.