The new cybersecurity economics: Why defense now looks like cryptocurrency mining

The UK’s AI Safety Institute recently published findings that reveal a fundamental shift in how cybersecurity actually works. Their evaluation of Claude Mythos Preview — an AI system exceptionally good at finding security vulnerabilities — showed something striking: the more computational tokens they spent running security tests, the better results they got. This isn’t just about efficiency gains. It’s about a complete transformation of the security economics equation.

We’ve moved into an era where securing a system means you need to spend more computational resources discovering exploits than attackers will spend exploiting them. This mirrors cryptocurrency’s proof-of-work system — success goes to whoever can afford more computational power. It’s a low-temperature lottery where you buy the tokens and maybe find an exploit. You don’t get points for being clever anymore; you win by paying more.

This shift has profound implications for how we think about software security. Traditional security relied on human expertise, code reviews, and testing protocols. Now it’s increasingly about raw computational spend. Organizations with deeper pockets can afford more thorough AI-powered security audits, while smaller projects get left behind. The irony is that this computational arms race might actually favor open source projects, since the tokens spent securing widely-used libraries can be shared across all their users.

What emerges is a security landscape that looks remarkably like mining pools — collaborative efforts to share computational costs become not just efficient but necessary. The expertise now lies not in finding individual vulnerabilities but in systematically applying computational power across entire codebases. For developers, this means security is becoming less about understanding attack vectors and more about understanding economics: can you afford better defense than your potential attackers can afford offense?

The challenge ahead is ensuring this computational security divide doesn’t create a two-tier internet where only well-funded projects get proper security coverage. We need frameworks that democratize access to these AI-powered security tools, or we risk a future where cybersecurity becomes purely a function of treasury size rather than engineering quality.