Cyber 2028
Anthropic published its Mythos Preview cybersecurity evaluation a few days ago, and a lot of people in cyber are spooked.
Not because it reads like a scenario piece such as AI 2027, but because the point is more immediate: if frontier models are already finding and exploiting serious zero-days across major software targets, cyber is changing right now.
This is a prediction essay about what happens now.
My basic claim is that as cyber moves from a labor-bound craft industry to a capital-bound one, the economics of offense, defense, and state power change with it.
Cyber was a craft industry
The parts of cyber that people usually mean when they say "advanced" or "sophisticated" have historically looked much closer to guild craftsmanship than industrial production. Good operators built intuition over years: they learned how to read massive codebases, infer system behavior from side channels, chain small observations into a coherent exploit path, and adapt when the blue team reacts.
That kind of work did not scale. If you want twice as much output, you usually need roughly twice as many good people, and those people are hard to find, expensive to retain, and slow to train.
This labor bottleneck has protected the world more than most people realize — a lot of current defensive assumptions only work because attackers have historically faced scarcity too. They could not deeply understand every target. They could not afford attacks against every exposed service. They could not customize every social engineering pretext. So they compromised by concentrating their human resources on a few targets that mattered.
In other words, many systems are not secure in the strong sense. They are secure only because the attacker cannot afford to care enough.
Now, at the frontier, cyber power starts to concentrate among states and a small number of well-capitalized firms that can afford the full stack. At the same time, the marginal cost of many offensive actions collapses, which means the rest of the world gets flooded with cheap offensive capability.
That is the story of Cyber 2028.
The bottleneck moves up the stack
Human expertise does not necessarily disappear, but more of it gets externalized into software and wrapped in systems that can be run repeatedly. What we really get are offensive production stacks that can be parallelized at scale:
- large models trained on code, infrastructure, and logs
- agent loops that can do end-to-end vulnerability identification and exploitation
- large-scale sandboxing and replay environments
- delivery and persistence infrastructure for malware
We often hear that "AI will make everyone a 10x hacker".
While that may be true, it is more important to realise that AI lets a small number of highly capable people scale their judgement far more efficiently than a large number of average people. It is easier to give one top hacker or engineer $100k in tokens than to hire 100 more people and give each of them $1k in tokens.
In this world, we will not have large teams of elite hackers, in the same way that we will not have large software development teams. We will have a handful of skilled operators stretching capital far more efficiently than a large team of average humans ever can.
Actors with deep pockets can buy more parallelism, more data, more evals, more validation, and faster feedback loops. They can run thousands of exploits where a normal team would run ten. They can A/B test phishing variants, exploit chains, and lateral movement plans continuously instead of occasionally. They can fail much faster and improve on each operation so that the next one becomes untraceable.
Centralization and democratization, both at once
At first glance, this sounds like a pure concentration story — rich states and hyperscalers win, everyone else loses.
I don't think that's going to be the case. I think that the fixed costs of frontier capability rise while the marginal cost of attacking falls.
The top end of cyber becomes more capital-intensive because the frontier stack is expensive. But once the stack exists, the cost of generating one more phishing lure, one more malware variant, or one more zero-day can become extremely low.
So the paradox is this:
- strategic cyber concentrates
- tactical cyber proliferates
Major states and a few top-capitalized actors may dominate the frontier. But criminals, mercenaries, fraud shops, low-tier APTs, and ordinary nuisance actors all get dragged upward by the falling marginal cost of competence.
Cyber as the new strategic weapon
Cyber weapons start sharing many traits with nuclear weapons, but with some key differences: cyber remains harder to attribute, easier to reuse, and far more useful below the threshold of open conflict. Nuclear weapons are mostly valuable because they are not used. Cyber capability is often valuable precisely because it is used continuously, as long as it is not detected or stays below the threshold of starting a war.
Yet, at the frontier, cyber does begin to acquire some strategic-weapons-like features.
- Top-end capability becomes concentrated among a relatively small number of actors who can afford the full stack.
- Many capabilities are held in reserve rather than burned immediately, such as zero-days and backdoors that provide on-demand access into critical infrastructure and key software supply chains.
- Deterrence becomes even murkier because states can signal capability without disclosing specifics. It is difficult to determine what access has already been established, what can be turned on in a crisis, and what dependencies are already compromised.
The result is not really a one-to-one replacement for nuclear deterrence. It is something stranger: the battlefield is already being built (even though there is no war), yet no one is completely sure what the battlefield actually looks like.
As frontier cyber becomes more nuclear-like, mutually assured destruction means that smaller players like rogue actors and criminals become the day-to-day threat.
1. The mid-market company that can no longer hide
A mid-sized SaaS company in 2020 could survive by being uninteresting. It might not have world-class security, but it also was not worth an advanced attacker burning much time on.
By 2028, that shelter collapses. The company is now probed constantly by agentic offensive systems that can read public documentation, infer likely cloud architecture from job listings and stack traces, adapt phishing lures to individual employees, and continuously scan for new exploits. Nobody on the attacker side needs to think this company is special in order for it to be a target.
So the security posture of the median firm starts to depend less on whether it is important, and more on whether it can automate defense faster than cheap attackers can automate offense. A lot of firms discover, too late, that they weren't actually secure, just uninteresting.
2. The criminal group with industrial-scale personalization
Today, the average scam or phishing campaign is still constrained by quality. Attackers could spray and pray a thousand targets and get one potential compromise, or they could focus on ten and have a far higher conversion rate.
By 2028, criminal groups do not have to choose as often. A relatively small organization will be able to run campaigns with information built from breached data, public social graphs, and prior communication patterns. Pretexts will be generated, tested, and adapted automatically. Voice and video impersonation will not be perfect, but "good enough" will do for 90% of people.
Once enough of the offensive stack gets productized, the median criminal operator gets much better without understanding much more.
3. The state that never quite attacks

The median time-to-exploit (TTE) — the gap between CVE disclosure and confirmed exploitation — is already negative. The gap between attacker-discovery and defender-discovery is likely much further, and TTE ceases to be a meaningful metric as more capabilities are held in reserve.
A capable state in 2028 may have spent years building, validating, and quietly maintaining access into shipping, energy, telecoms, and defense-adjacent supply chains. Not because it intends to use this access immediately, but because this optionality is strategic.
That access sits there in peacetime, allowing espionage while serving as a deterrent.
Cyber at the frontier means that capable nation states have pre-positioned leverage inside the systems that other nation states depend on. If a war breaks out, this leverage allows them to impose devastation on multiple enemy states in milliseconds and without firing a shot. So no war happens, only because starting one would mean the enemy has already won.
Defense is also capital-bound
There is an obvious response to all this: fine, defense gets cheaper too.
Defenders will definitely get better code review, faster triage, and better automated remediation. The best organizations will look dramatically more resilient than they do today.
But this is precisely the problem: resilience starts to become a scale advantage. A large organization with existing capital can restructure into lean teams and concentrate capital on a handful of smart engineers and defenders. A smaller organization will struggle to do the same.
The frontier firms and the strongest states may become more defensible than ever. The median school, hospital, local government, or SMB may become much less defensible, not because defenders there are stupid, but because they cannot afford the fixed costs of industrialized defense.
That has policy consequences because modern societies are only as strong as their softest critical dependencies.
What follows from this?
If this model is even directionally right, then a lot of current cyber policy is aimed at the wrong level of abstraction.
The problem is not simply more cyber attacks. The problem is a structural shift in the economics of capability. Policy that assumes cyber remains bottlenecked mainly by elite labor will age badly.
- We should expect security capacity to become more uneven, and plan around that explicitly. It is not enough to harden the top 1% of organizations if the supply chain, local government, healthcare, and industrial base remain easy to breach.
- Resilience matters more than perfect prevention. In a world of abundant low-cost offense, the decisive defensive advantage is often the ability to recover quickly and continue operating under partial compromise.
- Governments should be careful not to overlearn the concentration half of the story. Yes, frontier cyber may centralize among major powers. But the broader social harm will come less from nation-state capability than from the background radiation of cheap offense everywhere else.
The new cyber order
Cyber stops being a craft industry and becomes an industrial one.
Elite labor gets embedded in capital. A small number of strong actors build offensive and defensive systems that compound.
At the top, cyber power becomes more strategic, more concentrated, and more entangled with state competition. Everywhere else, offensive capability becomes cheaper, more persistent, and much harder to ignore.
The world does not run out of smart defenders. It runs out of organizations that can afford the capital stack required to let those defenders keep up.