
The contest between spear and shield over AI has rapidly emerged as the biggest point of interest in the global cybersecurity industry. As hackers use AI to quickly find gaps in IT systems and carry out attacks, security companies are also speeding up efforts to deploy AI to identify weaknesses and build defences.

In the end, the decisive factor is who, attacker or defender, finds the gaps with AI first. According to a recent New York Times report, Google Cloud Chief Operating Officer and head of security products Francis deSouza said, "We have to fight AI with AI. This is the biggest change in the cyber environment."

It is still hard to say that either side has an advantage in the AI-based spear-and-shield confrontation. Experts are also split. The New York Times reported that experts are not sure how the fight will unfold over the next few years.

AI model developer Anthropic said in February that it had used AI to find more than 500 previously unknown vulnerabilities, so-called zero-day flaws, in various well-known open-source software. In March, an Anthropic researcher drew attention after disclosing that they had found a Linux kernel vulnerability that had existed since 2003 without being discovered.

From the attacker’s perspective, AI can become an advanced weapon that sharply increases the speed and scale of attacks.

As AI coding tools such as Anthropic’s Claude Code and OpenAI’s Codex advance, the barrier to developing AI agents that handle various tasks on their own has fallen sharply. It has also become easier to build AI agents that find software vulnerabilities and attempt attacks based on them.

DeSouza said, "Without AI, it can take attackers minutes to break into a computer network, but with AI they can do it in seconds."

Alex Stamos, chief product officer at cybersecurity company Corridor, warned, "It is less than six months until open-weight models catch up to foundation models’ bug-detection capabilities," adding, "At that point, any ransomware attacker will be able to find and weaponise vulnerabilities without leaving traces."

Some hackers find pathways into systems and sell them to other attackers, and he explained that this process, which once took up to 8 hours, can now be done in 20 seconds thanks to AI. DeSouza said, "Hackers often use AI agents to increase speed."

Anthropic, OpenAI and others are adding guardrails to prevent their AI models from being misused for cyberattacks, but attackers are finding ways around them. Some experts say guardrails could instead favour attackers by blocking help that users need to protect systems from attacks.

Many also see AI as a technology that favours the defending side.

Since last year, major global open-source projects have been flooded with submissions from people using AI to find security vulnerabilities. Many contained inaccuracies due to AI mistakes, but the situation has changed in recent months. The New York Times reported that AI has started finding real bugs at a surprising pace, and programmers are moving quickly to fix them.

Daniel Stenberg, who runs the well-known open-source project curl, said, "AI models can augment what people can do," adding, "If you use AI properly, people can significantly improve their ability to find problems in software."

AI is improving, but it is still not free of defects and errors. In security as well, AI still needs the experience of seasoned experts. Professor Coulter and others therefore argue that defenders hold the advantage in the AI spear-and-shield contest. Defenders need to find vulnerabilities, whereas attackers must go beyond finding them and carry out the work of actually exploiting them. Coulter said, "It is harder to exploit a vulnerability in a meaningful way than to find it."

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.