Ido Geffen.
Opinion

You can't outspend an AI attacker

The winners of the AI era won't be the companies that spend the most on AI. They'll be the ones that own and continuously optimize the AI systems they depend on to deliver the best performance at the lowest sustainable cost.

In April, Uber's CTO revealed the company had burned through its entire annual AI budget in four months. By June, Uber had capped every employee at $1,500 a month per agentic coding tool, including Claude Code and Cursor. Uber isn't alone. Corporations are starting to ration AI as costs outrun budgets, and Bain released a survey showing most enterprises are getting less cost reduction from AI than they projected.
This squeeze is showing up everywhere, but it's especially acute in cybersecurity, where attackers and defenders increasingly rely on AI, yet operate under completely different economics.
Every serious company wants to test its own systems the way an attacker would, finding and fixing flaws before someone else does. That used to mean a small team running a penetration test once or twice a year against a handful of applications. That model no longer works.
1 View gallery
Ido Geffen
Ido Geffen
Ido Geffen.
(Eclipse Media)
Applications now change continuously. AI-assisted developers ship code faster than ever, and every change introduces new opportunities for attackers. To keep up, enterprises are increasingly turning to AI to continuously test their applications and validate exploitable risk.
That's where the economics of cyber have changed. An attacker needs AI to target one company, one application, and one attack path. Increasingly, that means running a cheap, capable open-source model, that's already strong at offensive security work, costs a fraction of frontier pricing, and carries none of the guardrails that constrain legitimate defensive use. It can run continuously until it finds an entry point, and it only needs to succeed once.
A defender has to continuously test thousands of applications, every deployment, every workflow, and every potential attack path. Most of that still runs on frontier models, and running frontier models continuously across an entire portfolio costs orders of magnitude more than what an attacker spends on a cheap, unguarded open-source alternative.
Same method, wildly different economics.
The problem isn't just that defenders have more to test. It's that many organizations, and many AI penetration testing platforms, rely on the same general-purpose AI model for every offensive security task. Most of those tasks don't require the world's most advanced AI model. Yet they're all priced as if they do.
Frontier models are extraordinary. Novee uses them too. But they were built for general reasoning across everything, not for the narrow, high-volume specialist work defensive AI actually requires. Running a frontier model at enterprise scale for every task is like paying a Nobel-prize physicist by the hour to check arithmetic. It works. It's just not an economically sustainable way to run continuous offensive security.
The answer isn't to stop using frontier models. It's to stop relying on them alone.
As organizations increase testing frequency and coverage, a frontier-model-only architecture becomes increasingly expensive. Every new application, every deployment, and every assessment adds more premium AI costs.
Changing pricing models doesn't solve that problem. Changing the architecture does.
The mistake many organizations are making is relying on a single frontier model for offensive security, whether through their own AI workflows or through a penetration testing platform built entirely on frontier models.
The platforms that will win won't rely on general-purpose AI alone. They'll combine proprietary models with frontier models, routing each task to the model that performs best for it. Specialized models handle repetitive, high-volume offensive security work. Frontier models are reserved for the problems that genuinely require their broader reasoning.
But choosing the right model isn't enough. The harness around it, the prompts, skills, and tool orchestration that determine how each model actually gets used, matters just as much. AI is evolving too quickly for static architectures. New models release every month, performance shifts, costs change, attack techniques evolve. The companies that win will own the critical layers of the offensive AI stack: the models, the harness, and the routing. That's what makes it possible to continuously benchmark and optimize the whole system, so every task is always handled by the best model at the best cost.
The real shift here is architectural, not financial. Repricing changes who absorbs the cost of the same expensive compute. Routing each task to the right model changes how expensive the work actually is. That's the only architecture where the defender's cost curve can keep pace with the attacker's, let alone get ahead of it.
Uber's AI budget isn't an outlier. It's an early warning. The companies that win won't be the ones spending the most on frontier models. They'll be the ones that build AI systems capable of continuously improving both performance and cost.
The same is true for offensive security. Organizations shouldn't evaluate AI penetration testing platforms by asking which frontier model they use. They should ask whether the platform relies on frontier models alone, or whether it owns and continuously optimizes the full offensive AI stack, combining proprietary models, frontier models, and intelligent routing, and whether that system is actually benchmarked against the metrics that matter: recall, precision, and cost.
That's the future of offensive security.
Ido Geffen is co-founder and CEO of Novee Security.