Betting on a Future Where My Expertise Is No Longer Needed

Kazuya Hiradate, CEO, Pentacon Research, Inc.

Why someone who spent over 20 years on the cybersecurity front lines went all-in on AI

Security work is still, to a surprising degree, done by hand.

When an alert fires at two in the morning, deciding whether it's a real breach or just noise comes down to a person reading the logs line by line. When a new vulnerability is published, a person has to work out whether it actually affects this particular setup, and whether applying the patch will break something else. To earn an ISO 27001 (ISMS) certification—and to keep it—a person has to write the policies, prepare the statement of applicability, and fill in the risk assessment tables, year after year.

For more than twenty years, I watched this mountain of manual work pile up—from the front lines and from the business side both.

And like most people in this industry—as I once did myself—I long believed this: "Only a human can do this. Judgment needs context, and in the end a person has to be accountable. AI can't do it."

This past year, that belief changed.

I want to bet on the side where "only a human can do it" disappears

I'll be honest: as a specialist, this is a little frightening to say out loud. Because what I'm describing is wishing for a future in which the skill I spent more than twenty years building is no longer needed.

And yet, that is the future I've come to want to bet on.

First-line incident triage. Checking whether a vulnerability actually applies to your environment. Drafting ISMS documents. Much of the work people are killing themselves over today is, by rights, work humans shouldn't have to do. While many specialists draw a line and insist their own domain is the one AI can't touch, I want to do the opposite—to erase that line myself.

Because, honestly, that is what's best for the people on the ground. The endless alert handling, the never-ending document upkeep—if a human doesn't have to carry it, all the better.

And over the past year, this stopped being a fantasy. AI agents have begun to genuinely reach the technical work that was supposed to be the exclusive domain of experts. The recent news that Anthropic's Mythos found more than 10,000 vulnerabilities—with accuracy beyond human specialists—was one milestone in that current. The technology is already that far along.

Meanwhile, the era of "building a big product as a company" is over

I've also looked at security as a business. Which is why I can see the other reality, too.

AI is relentlessly eating away at the livelihood of existing security solutions. What you sold yesterday with people and specialized tooling starts being replaced by a general-purpose AI today. At that speed, the very idea of a company settling in to develop a large product over years no longer holds. In a world repainted every few months, multi-year development isn't even a bet—it's a non-starter.

The longer you've been in this industry, the heavier this change lands. It means the old winning formula—holding a team and an organization, stacking up a complex product over time—no longer works at all.

So: small, alone, all-in on AI

What, then? The path I chose was not to build a big product as a company.

I chose the exact opposite. Small, alone, a micro-SaaS with everything riding on AI.

Because there's no team to carry, those costs don't get baked into the price. Because I'm not selling complexity, you don't need a specialist to use it. And above all, instead of waiting for someone else to build "a future where the manual work disappears," I get to build it with my own hands—the hands that watched that work up close for more than twenty years.

I set down the title, the organization, and the old winning formula, all of it, for now. What I kept was the memory of what was genuinely hard on the ground, and the conviction that AI should be able to take it on.

This series is the record of that experiment

Whether it works, honestly, I still don't know. Betting that my own expertise will become unnecessary—win, and the front lines get lighter; lose, and I've only proven my own misjudgment. It may turn out to be shadowboxing.

Even so, I think it's worth trying.

In this series, I'll write—as honestly as I can—about what I built over the year, where I stumbled, and what I gave up to bet on what. Can AI truly take over the "manual work" of security? This is the very first record of that experiment.

The product of that experiment is a micro-SaaS I'm building, called PentaTrail. If you're curious, take a look at your own company's "externally visible attack surface." See PentaTrail / CTEM

