A few weeks ago, an adversary broke into a Mexican water utility's IT network. The intrusion itself was unremarkable. Stock techniques, the kind of thing pen testers and threat hunters have seen for a decade, but accelerated by OpenAI and Claude doing the grunt work. The interesting part came next. The model surveyed the environment, recognized that the operators were IT folks who probably did not understand what was on the other side of a particular network bridge, and told the attacker that SCADA was the real prize. It listed the default credentials it expected to find. It described the typical weaknesses. It pointed at the door and said, go through it.
The attacker tried. And nothing happened. The operator had changed the default credentials. The basics were in place.
Rob Lee shared that story on a panel I joined last week with him, Rob Joyce, and Hollie Hennessy from Omdia. It stuck with me because it cleanly inverts the AI-and-security panic of the last six months. The attacker had AI. The defender had information arbitrage. The defender won.
The thesis
Information arbitrage is Rob Joyce's phrase and it names something the security community has understated for years. Attackers do not win because they have zero days. They win because they know the target's network better than the people who own and operate it. Shadow IT, default credentials, an unpatched box behind a firewall nobody documented, a trust relationship that someone set up in 2018 and forgot about. That is the actual asymmetry, and tooling has almost nothing to do with it. Knowledge does.
AI changes how fast attackers can close that knowledge gap. It does not change whether the gap exists, and it does not change which side starts with the advantage. The defender designed the environment. The defender operates it. The defender should know it better than any outsider can learn it, no matter how fast their tooling gets. The fact that most defenders do not is not an AI problem. It is a discipline problem that AI is about to make a lot more expensive.
What AI actually changed
Most of the AI-and-cyber discourse is hype. Anthropic disclosed a China-attributed campaign earlier this year where the operators used Claude as a harness for live operations, and one read of that report is that the LLM was loud, brute-force, and hallucinated success criteria. That read is correct. The other read is that the operators broke the attack lifecycle into primitives, told the model to handle each one, aimed it at real targets, and got intelligence back. Both reads are correct at the same time, and the second one is what matters.
What AI does is compress time-to-knowledge for attackers. It runs reconnaissance at scale. It pulls script kiddies up the bell curve into territory they could not previously reach, and it lets nation states run more operations in parallel because the grunt work no longer requires their best people. It does not invent new techniques, at least not yet, and it does not grant structural advantages attackers did not already have. It just makes the existing advantages faster and cheaper to exploit.
The clearest signal that this is real and not hype is last month's Microsoft Patch Tuesday. 165 new vulnerabilities, the second largest in history, and that number was driven in large part by agentic bug discovery. The slope of that curve is not going to flatten. Which leads to the part of this that I think security teams are still underreacting to.
CVEs are becoming noise
If LLM-driven discovery is producing 150-plus CVEs in a single Patch Tuesday and accelerating, vulnerability management as a primary security strategy breaks. You cannot patch your way out of a flood that grows faster than your remediation capacity, and chasing CVSS scores was never a great proxy for real risk in the first place.
The practical move is to stop optimizing your program around vuln management as the main lever. Vulnerability data still matters as one input among many, but it is noise now, not signal. Signal is attack path. Signal is what an adversary can actually do once they are in your environment. That requires you to understand your topology, your trust relationships, your identity boundaries, and how a compromise at one point propagates somewhere else.
Rob Lee made the related point on the panel that the boundary is dead. I would soften that slightly. The boundary is demoted. It is a component of a defense strategy now, not the strategy itself. The work has moved inside, where detection, segmentation, identity, and a real understanding of what an attacker could do post-foothold are the things that decide whether you have a bad afternoon or a bad year.
Flipping the equation
Here is what leveraging the defender's structural advantage actually looks like. You configure the environment, so you know what normal traffic looks like, or you should. You know which systems talk to which, or you should. You know which identities have access to what, or you should. Every "or you should" in that paragraph is a place where information arbitrage opens up for the attacker, and closing those gaps is the work.
Concretely: know your attack paths cold and pressure-test them continuously, because the paths that exist today are not the paths that existed last quarter. Get identity into a state where a single compromised credential does not cascade across the environment. Sprinkle honey tokens, which Rob Joyce was right to bring back into the conversation. Build detection on tactics, techniques, and procedures that adversaries are actually using in your industry, not on hypothetical futures somebody read about in a vendor white paper.
And use AI on your side of the equation. The same compression of time-to-knowledge that accelerates attackers can accelerate defenders. Translate machine-level output into human-readable signal. Speed up analyst work. Help your team understand a network the way an attacker would, and do it faster than the attacker can.
What the water utility actually proved
The water utility in Mexico was not ahead of the curve on AI. They did not have an AI security strategy. They knew their environment and they had done the basics, and that was enough to defeat an AI-accelerated attacker reaching for what should have been a high-value pivot into OT. The model told the attacker exactly where to go and what to try. The fundamentals held anyway.
That is the takeaway. AI is going to keep changing what attackers can do and what defenders can do. The gap is going to widen between operators who treat the network as theirs and operators who treat it as someone else's problem. Information arbitrage is the lever you have, and it is the lever you have always had. AI just raises the cost of ignoring it.
This is the worldview Frenos is built around. Continuous attack path analysis, a real understanding of what an adversary could do once they are inside your OT environment, all aimed at closing the arbitrage gap before someone else exploits it.
If you want the full conversation, including the parts on regulation, autonomous SOCs, the limits of AI-generated malware, and where this is all heading, the recording of the panel with Rob Lee, Rob Joyce, and Hollie Hennessy is worth your time.
Frenos explored the impacts Mythos has in OT security in the recent webinar, “Blind to the Blast Radius: Why the AI Era’s Biggest Risk Is the Infrastructure Powering It,” featuring Dragos CEO Rob Lee and former NSA Director of Cybersecurity Rob Joyce. Watch now.
Frenos is the industry's first simulated OT penetration testing platform, combining digital twin technology with SAIRA, an AI reasoning agent that thinks like an adversary to reveal every attack path in your OT environment, risk-free.
Learn more at frenos.io.
.jpg)
