Who Will AI Help More–Attackers or Defenders? (danielmiessler.com)

🤖 AI Summary
AI will likely help attackers first, then defenders later — the argument is that offense benefits early from easy wins while defense requires deep, internal context to be effective. In the near term (estimated 3–5 years for cutting‑edge orgs, longer for most), attackers can rapidly automate phishing, BEC and reconnaissance using publicly available data and LLM tooling, while defenders are hamstrung by SIEMs and fragmented telemetry that still place heavy burdens on human analysts. The turning point comes when defenders deploy context‑aware, LLM‑based monitoring and analysis — the author points to an SPQA-style architecture that moves beyond static queries to continuously ingest perimeter, apps, users, codebases and policy context. With that internal knowledge, defenders can prioritize vulnerabilities, automate mitigations and outpace attackers who lack the same inside view. Key implications: invest now in building AI that fuses broad organizational context, not just point tools; expect an arms race where early attacker automation forces rapid maturation of defensive LLM systems; and recognize timelines vary — some defense capabilities may take a decade to fully mature, but organizations that achieve rich, real‑time context will flip the advantage to Blue.