AI Security · AppSec
AI Can Speed Up Security Work, But It Cannot Replace Judgment
AI is useful as acceleration. It still needs context, validation, and a human willing to say no.
AI can be useful in security work, but the value is usually speed rather than independent judgment.
It can summarize unfamiliar code, suggest hypotheses, generate test cases, and help organize notes. It can also be confidently wrong, miss business logic, invent exploitability, or bury the useful idea inside a pile of noise.
The pattern that works best for me is simple:
- Give the model a narrow question.
- Provide the specific context it needs.
- Treat the output as a hypothesis.
- Validate manually before escalating.
- Record why the finding is real or why it was rejected.
The validation step is the work. Without it, AI-assisted security becomes a noise generator with nicer prose.