May 2026
Offence Scales with Compute. Your Defence Scales with Committees. Now What?
AI hasn't created the defender's dilemma. As Casey Ellis puts it, "AI has taken the knob that used to go to eleven and turned it to seven hundred." If your security strategy is still built around prevention, here's why that's no longer enough and what to do instead.
The Asymmetry
Casey Ellis frames it like this: "an operator is running an AI-orchestrated pipeline that can generate, test, and deploy weaponized n-day exploits across tens of thousands of targets while they go get lunch." The model has no change advisory board, no pentest budget waiting on next fiscal cycle, and no vendor risk assessment to fill out for itself.
Meanwhile, your organisation's response to "we need to patch this" involves a change request, a test environment, a rollback plan, a compliance review, and at least two people who are on holiday.
This isn't a new problem. Attackers have always moved faster than defenders. What's new is the scale of the gap. The cost of offensive failure is trying again. The cost of defensive failure is loss of availability and revenue. AI has massively amplified the attacker's side of that equation without doing anything to simplify the defender's.
Why More Tools Won't Fix It
If you've been in security for any length of time, you know the pitch: "our AI will sit on top of your existing stack and make sense of it."
Many SOCs already run dozens of disconnected tools. The average analyst is drowning. Adding an AI layer on top of tools that don't talk to each other does not fix the problem. It adds another tool that also needs to be tuned, trusted, governed, audited, and renewed.
The underlying architecture of enterprise IT was never designed to be defended at the speed attackers can now operate. No amount of dashboards changes that.
What Actually Helps
Ellis lays out a practical agenda. The five items below adapt his recommendations for SMEs, with one addition of my own (#3, mapping reachability) and his call to engage in industry norm-shifting set aside as outside the scope of this piece:
1. Stop optimising for prevention you can't achieve
"How do we keep them out" doesn't go away, but it's now secondary. The primary questions are:
- How fast do you know? When something is compromised, how quickly does someone find out? Is there logging? Alerting? Or do you discover it when a customer mentions it?
- How fast do you contain? Once you know, can you isolate the affected system? Do you know what it's connected to? Do you know the blast radius?
- How fast do you recover? Can you restore from backup? Can you rotate credentials? Do you know which credentials to rotate?
If your incident response plan hasn't been updated in twelve months, it was written for a different threat model.
2. Inventory the bottom ten turtles
What firmware are you running with no update path? What middleware does a critical business flow depend on that hasn't shipped a patch since your youngest engineer graduated? What DNS records point to servers that were decommissioned two years ago but never removed?
These aren't hypothetical. Every organisation has them. They're the real attack surface, not the things you already know about and have controls around.
3. Map your exposure and reachability
"You have 47 medium-severity vulnerabilities" is not useful information. What's useful is: "this vulnerability on this system means an attacker can reach your customer database through this path." Severity scores describe a vulnerability in isolation. Reachability describes it in your environment.
4. Build blast radius accordingly
If you can't see a system, assume it's already compromised. Then ask: what can it reach? What data does it have access to? What other systems trust it? The answers define your blast radius, and your blast radius defines your containment plan.
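To make the reachability and blast-radius points concrete, here is a small Python model added as an illustration (not code from the article or from ThreatControl): the asset graph, trust edges, vulnerability ids and severities are all constructed. It ranks findings by whether they put the customer database in reach before it looks at the raw score, and computes what a compromised asset can reach.

```python
from collections import deque

# Constructed sample environment (not real hosts). Edge A -> B means an attacker on A can reach B.
EDGES = {
    "web-frontend": ["app-server"],
    "app-server": ["customer-db", "legacy-middleware"],
    "legacy-middleware": ["file-share"],
    "jump-host": ["customer-db", "file-share"],
    "marketing-site": [],  # isolated box with nothing downstream
}

# Constructed findings with CVSS-style scores; ids are placeholders, not real CVEs.
VULNS = [
    {"id": "V-1", "asset": "marketing-site", "severity": 9.8},
    {"id": "V-2", "asset": "web-frontend", "severity": 5.3},
    {"id": "V-3", "asset": "legacy-middleware", "severity": 6.1},
    {"id": "V-4", "asset": "jump-host", "severity": 4.0},
]
CROWN_JEWELS = {"customer-db"}


def blast_radius(graph, start):
    """Assets an attacker can reach from a compromised `start` (excluding it)."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def path_to(graph, start, targets):
    """Shortest hop path from `start` to any target asset, or None if unreachable."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in targets:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def prioritise(vulns, graph, crown_jewels):
    """Crown-jewel reachability first (fewest hops), then raw severity as tie-break."""
    rows = [{**v, "path": path_to(graph, v["asset"], crown_jewels)} for v in vulns]
    key = lambda r: (r["path"] is None, len(r["path"] or []), -r["severity"])
    return sorted(rows, key=key)
```

With this data the 4.0 on the jump host outranks the 9.8 on the isolated marketing site, which is exactly the ordering a severity-only list gets backwards.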
5. Build what you can build now
Nobody is coming with a ten-year plan. No ten-year plan survives a two-year funding cycle. The organisations that will be in the best position are the ones that started with what they could do this quarter, not the ones that waited for the perfect strategy.
What This Means for SMEs
Ellis is writing for the security industry broadly, but the implications hit SMEs hardest.
Enterprises have SOCs, dedicated security teams, and the budget to absorb a few extra tools. They're likely to manage the asymmetry with internal capability, even if slowly.
SMEs don't have that luxury. You probably don't have one person whose full-time job is security. But you still have the forgotten middleware, the cloud account nobody has reviewed, and the DNS records pointing to decommissioned infrastructure.
The good news: the starting point is the same regardless of size.
Know what you have. Inventory your external footprint, your cloud infrastructure, your suppliers, your dependencies. You can't defend what you don't know about.
Know what's exposed. Not just vulnerability counts, but which vulnerabilities are reachable, which systems they affect, and what data is at risk.
Understand the blast radius. If one system is compromised, what can the attacker reach from there? The answer tells you where to focus containment and where to invest in monitoring.
Make recovery decisions in advance. When the incident happens, you don't have time to figure out your response. Decide now: what gets isolated first? What credentials get rotated? What's the communication plan? Who makes the call?
Start now, with what you have. A free passive scan of your external footprint takes five minutes and tells you what an attacker already knows about you. That's not a ten-year plan. That's Monday morning.
ThreatControl helps organisations understand their attack surface, map their blast radius, and build resilience they can actually achieve. Our free Flash Briefing is the five-minute starting point. Our Security Suite maps reachability and prioritises what an attacker can actually use. Our Fractional CTO service builds the recovery decisions before you need them. Get in touch.