AI Is Collapsing the Cost of Cyberattacks

Nebulock CEO Damien Lewke maps how AI has automated the cyber kill chain—and what defenders must do before the window to act closes.

Rachel "Rach" Kovacs


June 30, 2026 · 7 min read

Image: a man speaking about AI security next to a Mythos device, with a text overlay reading "I Bet on AI Threat Before Mythos"

Photo: AI. Zephyr Cole

There's a line Damien Lewke drops early in his conversation with EO that I want to sit with for a moment: "The talent gap has collapsed to a subscription model."

That's not a metaphor. That's a structural change in who gets to be dangerous.

Lewke spent his career on the defense side—building cyber ops teams at the DoD, joining CrowdStrike after its Series C, running AI detection research at Arctic Wolf, and writing a graduate dissertation at MIT's computer science and AI lab. He's now CEO of Nebulock, a contextual security platform that raised a $25M Series A to tackle what he calls threats "hidden between the layers" of your existing tools. He has more institutional credibility on this topic than most people who talk about it publicly, which makes his framing of Mythos worth paying close attention to.

Mythos—Anthropic's AI model built specifically to find software vulnerabilities—is the catalyst for this conversation, but it's almost beside the point. Lewke's argument is that Mythos isn't a surprise. It's a confirmation. Anthropic's decision not to release it publicly reflects exactly the kind of asymmetric risk Lewke has been watching build for two years: a model capable of finding decade-old bugs, kept out of public hands while defenders scramble to get first access. Whether or not Mythos ever reaches a threat actor directly, models at that capability level establish a new ceiling for what's possible—and that ceiling is what attackers are now building toward.

The kill chain, priced out

Lewke maps the cyber kill chain in a way that makes the economics impossible to ignore. Reconnaissance: basically $0. Phishing emails: very cheap and getting cheaper. Vulnerability exploitation: "getting significantly cheaper." Establishing persistence: also relatively cheap. It's only in the final stages—lateral movement and action on objectives—that human involvement is still required, which keeps the cost curve elevated at the end.

But here's what that graph actually looks like: AI has automated roughly the first four of six steps. The expensive part is shrinking. And the implication Lewke draws is precise: "You've gone from a few score highly sophisticated groups to, honestly, two people in a GPU who with enough conviction can target a company."

This is where I think the framing deserves scrutiny alongside the insight. Lewke is right that the barrier to entry for early-stage attack execution has dropped dramatically. But "two people in a GPU" still assumes some baseline of technical literacy—knowing what to do with the output, how to not trip obvious detection, how to move laterally once you're in. The genuinely scary scenario isn't just cheaper attacks; it's AI that handles the orchestration of later-stage actions too, which by Lewke's own account hasn't fully arrived yet. He's honest about where the ceiling currently sits. The question is how long it stays there.

The nation-state dimension adds a different layer of concern. Lewke notes that US Cyber Command is already incorporating AI into its operations—which means this isn't a future problem for governments. It's a present one. But he flags the ungoverned actor as a more existential risk: "They aren't governed by geopolitics and rules of engagement. They can do what they want." A nation-state has constraints, even if loose ones. A motivated individual with Mythos-level capability doesn't.

What "assume breach" actually means in practice

The operational posture Lewke advocates—assume breach—isn't new language in security circles. It's been a recommended stance for years. What's shifted is the urgency behind it, and Lewke does a better job than most of translating the philosophy into something concrete.

His analogy: a traditional alert system is a smoke detector. It fires when the fire is already burning. Threat hunting is a fire marshal—someone who walks the building before anything ignites and identifies where the risks are concentrated. The premise of threat hunting, he says, is that you treat attacker presence as a given and work backward from there.

That reframe matters more than it sounds. Most security teams are optimized to respond to alerts. The alert model, by definition, catches things after they've happened. And modern attackers—Lewke is emphatic about this—are specifically designed to look like nothing is happening.

"Attackers are going to try and blend in. They're going to log in at normal hours. They're going to steal your username and password so it doesn't look suspicious or malicious."

He identifies three behavioral signals that distinguish a compromised account from its legitimate owner. First: slow, consistent data exfiltration that mimics backup behavior—desktop files trickling to a personal Google Drive. Second: role-scope violations, like a marketing intern accessing financial systems. Third: persistence mechanisms—remote management tools being quietly installed, or service accounts being created by what should be a regular human user.

None of these signals fires a traditional alert in isolation. Each one, on its own, is explainable. It's the sequence and context that reveal the pattern. That is precisely why Lewke's pitch for Nebulock centers on contextual correlation across existing tools rather than adding another point solution. His diagnosis of the industry's fundamental problem is that everyone bought the best tools and still got compromised, because "different point solutions to specific problems were not the way to solve how to get breached."
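To make the "sequence and context" point concrete, here is an added example (not code from Lewke or Nebulock) that scans constructed sample log lines for the three signals he describes and flags a user only when more than one co-occurs. The log format, the role-to-application scope mapping and the size-consistency heuristic for "backup-like" exfiltration are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events: "timestamp,user,role,event,detail" (not real telemetry).
LOG = """\
2026-06-29T09:12:00,intern.m,marketing,file_upload,drive.google.com personal 48MB
2026-06-29T11:40:00,intern.m,marketing,file_upload,drive.google.com personal 51MB
2026-06-29T14:05:00,intern.m,marketing,file_upload,drive.google.com personal 47MB
2026-06-29T15:30:00,intern.m,marketing,app_access,finance-erp
2026-06-29T16:02:00,intern.m,marketing,service_account_created,svc-sync-01
2026-06-29T10:00:00,cfo.j,finance,app_access,finance-erp
2026-06-29T18:00:00,it.admin,it,service_account_created,svc-backup-02
2026-06-29T12:00:00,sales.k,sales,file_upload,drive.google.com personal 200MB
"""

# Assumed mapping of which applications each role is expected to touch.
ROLE_SCOPE = {"marketing": {"cms", "crm"}, "finance": {"finance-erp"},
              "it": {"finance-erp", "cms", "crm"}, "sales": {"crm"}}
PERSONAL_CLOUD = ("drive.google.com personal",)

def parse(log):
    """Yield (timestamp, user, role, event, detail) tuples from the CSV-like log."""
    for line in log.strip().splitlines():
        yield tuple(line.split(",", 4))

def signals_per_user(log):
    """Return {user: set of signal names} for the three behavioural signals."""
    uploads = defaultdict(list)   # per-user upload sizes to personal cloud storage
    hits = defaultdict(set)
    for _ts, user, role, event, detail in parse(log):
        if event == "file_upload" and detail.startswith(PERSONAL_CLOUD):
            uploads[user].append(int(detail.rsplit()[-1].rstrip("MB")))
        elif event == "app_access" and detail not in ROLE_SCOPE.get(role, set()):
            hits[user].add("role_scope_violation")   # signal 2: outside the role's scope
        elif event == "service_account_created" and role != "it":
            hits[user].add("persistence")            # signal 3: non-admin creating accounts
    for user, sizes in uploads.items():
        # Signal 1: several similar-sized uploads, a steady trickle rather than one big dump.
        if len(sizes) >= 3 and max(sizes) - min(sizes) <= 0.2 * max(sizes):
            hits[user].add("slow_exfil")
    return hits

def flagged(log, threshold=2):
    """Users with at least `threshold` distinct signals; a single signal is explainable."""
    return {u: sorted(s) for u, s in signals_per_user(log).items() if len(s) >= threshold}

if __name__ == "__main__":
    print(flagged(LOG))
```

Only intern.m is flagged: the CFO's finance access, the IT admin's service account and the single large sales upload each match one pattern or none, which is the point of correlating rather than alerting per signal.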

That's a fair critique of how enterprise security has been architected. It's also, conveniently, the problem his company sells against. The distinction between genuine insight and motivated reasoning is worth holding in mind—not because Lewke is wrong, but because his framing of the problem naturally centers the kind of solution Nebulock provides.

The window question

The most important claim Lewke makes isn't about what AI can do for attackers today. It's about timing.

"We have a very unique window of time right now where we understand what is coming and we have the ability to adapt technology. The question is, can defenders adjust as quickly as the attackers can?"

This is the tension that doesn't have a clean answer. Defenders have institutional friction that attackers don't. A threat actor can update their tools overnight. A Fortune 500 security team needs procurement approval, implementation timelines, and staff training before anything changes operationally. That structural asymmetry doesn't get fixed by good intentions or even good tools.

What Lewke is arguing, essentially, is that the window to close that gap is open now—not because the threat isn't urgent, but because the tools to respond exist and the patterns of attack are, for the moment, legible. Mythos-era AI attack capabilities are visible enough that defenders can see them coming. That visibility is temporary.

His closing framing on this is the one I'd push back on least: "What I would tell them to fear or be concerned about is inaction."

That's not fear-mongering. It's a resource allocation argument. The organizations that treat the current moment as a planning window rather than a crisis will be better positioned than the ones waiting for the breach notification to arrive. Security investment made before an incident is orders of magnitude cheaper than the response after one.

The hard part is that "act now" advice is easy to give and genuinely difficult to operationalize when budgets are constrained, security talent is scarce, and the threats are still abstract enough to feel deferrable. Lewke's answer to that is a platform that democratizes threat hunting for organizations that can't afford a 1,200-person SOC. Whether that solution delivers at the scale the problem demands is a question only Nebulock's customer data can answer.

What's not really in question is the direction of travel. The cost of attacking is going down. The sophistication required is going down. The number of potential attackers is going up. Whatever comes after Mythos will be better at all of it.

The organizations that treat that as tomorrow's problem are making a bet that the window stays open longer than Lewke thinks it will.


Rachel "Rach" Kovacs is Buzzrag's cybersecurity and privacy correspondent.
