The disbelief was palpable when Mozilla’s CTO last month declared that AI-assisted vulnerability detection meant “zero-days are numbered” and “defenders finally have a chance to win, decisively.” After all, it looked like part of an all-too-familiar pattern: Cherry-pick a handful of impressive AI-achieved results, leave out any of the fine print that might paint a more nuanced picture, and let the...
The narrative positions AI vulnerability detection as a definitive end to zero-day threats, leveraging hype ("zero-days are numbered") to mask the specific, incremental engineering work required to achieve success. This dynamic frames the development process as an aggressive arms race where the focus is on speed rather than methodological rigor. The key insight is that AI utility is not inherent in the model itself, but emerges only when custom systems (harnesses) are built to bridge the gap bet...