RC RANDOM CHAOS

Schneier: AI-Driven 'Instant Software' Will Reshape the Attack-Defense Arms Race

via Schneier on Security

Original source: Cybersecurity in the Age of Instant Software (Schneier on Security)

Bruce Schneier sketches a near-future where AI writes disposable, on-demand applications alongside traditional software, and where the same models that generate code also hunt and exploit its flaws. He argues attackers already benefit from AI-assisted vulnerability discovery and exploitation, lowering the skill floor for unsophisticated adversaries. Open-source code is the easiest target, but he expects AI tooling to soon find bugs in shipped commercial binaries without source access, putting closed-source and especially low-quality IoT and industrial control software squarely in the crosshairs.

Defenders get the same tools, with potentially larger upside. If AI can both find vulnerabilities and reliably patch them — and eventually write secure code from the start — new software increasingly favors defense. Schneier flags four open questions: how well AI finds bugs in closed-source binaries, how much better AI gets at writing secure code, how fast it can produce trustworthy patches, and how plentiful exploitable bugs actually are.

The optimistic endpoint is a self-healing network where coordinated AI agents continuously scan, patch, and share fixes across deployments. Reaching it requires policy changes, not just technology: software licensing currently lets vendors gate the patch cadence, raising right-to-repair and liability questions. Legacy and unpatchable systems remain the soft underbelly, where AI-driven intrusion detection may be the realistic fallback when automated patching is not possible.

This is an AI-generated summary. Read the original for the full story.