April 10, 2026

AI Hunts Ancient Bugs While Congress Fights Surveillance Reform

AI Autonomously Found a 27-Year-Old Bug for Under $50
SECURITY

Here is the number that should make every security engineer put down their coffee: less than fifty dollars. That is reportedly what it cost an AI system to autonomously discover a vulnerability that had been sitting undetected in code for 27 years. Not flagged by a human researcher. Not uncovered after a million-dollar pen test engagement. Found by a machine, on its own, for roughly the price of a decent lunch.

To understand why this is a big deal, you need to appreciate just how hard legacy bug hunting actually is. Vulnerabilities that have lived in codebases for decades tend to be deeply embedded in logic that was written by developers who have long since moved on. The institutional knowledge is gone. The documentation is sparse or nonexistent. Human auditors can spend weeks combing through old code and still miss the thing that an attacker would eventually find. The fact that an AI system can now do that work faster and cheaper is not a minor efficiency gain — it is a fundamental shift in the economics of security research.

The implications cut both ways, and that is where things get genuinely uncomfortable. Security teams gaining access to cheap, autonomous vulnerability discovery is obviously a good thing. Defenders have historically been outgunned on resources, forced to prioritize which parts of their attack surface even get looked at. A tool that can sweep through legacy systems and surface decades-old weaknesses changes that calculus significantly. Suddenly the dusty, untouched corners of an infrastructure stack are no longer safe hiding spots.

But the same capability sitting in the hands of a well-funded threat actor is a different story entirely. If the cost of finding a 27-year-old exploitable bug drops to under fifty dollars, then the barrier to launching a sophisticated attack on legacy infrastructure drops with it. Critical systems — power grids, hospital networks, financial infrastructure — often run on older codebases precisely because updating them is expensive and risky. Those environments just became more attractive targets.

What this really signals is that the security industry's longstanding assumption about time is broken. The conventional wisdom held that old code, while potentially vulnerable, was at least obscure enough to provide some passive protection. Attackers had to invest serious effort to find the old bugs. That friction is disappearing.

Security teams that are still relying on periodic human-led audits need to rethink their cadence. The threat model has changed. When AI can autonomously identify critical flaws in hours that humans missed for nearly three decades, waiting for an annual review is not a strategy — it is a gamble. The organizations that adapt fastest to AI-assisted defense will have a meaningful edge. Everyone else is running a tab they do not know about yet.
Source: VentureBeat

FISA Section 702 Mass Surveillance Authority Expires in Days
POLICY

A surveillance law that allows the federal government to access Americans' private communications without a warrant is about to expire — and the fight over whether to reform it before renewal has produced one of the strangest political coalitions Washington has seen in years. Progressive Democrats and hard-right Freedom Caucus members are on the same side. That alone tells you how charged this debate has become.

Section 702 of the Foreign Intelligence Surveillance Act, originally passed in 2008, was designed to let intelligence agencies monitor foreign nationals located outside the United States. The FBI, NSA, CIA, and National Counterterrorism Center can access communications of non-US persons abroad without seeking a traditional warrant. The problem, critics say, is the backdoor it creates for monitoring Americans. All the government needs to do is establish that an American is communicating with a foreign target, and that American's messages are suddenly fair game. No warrant required.

The last reauthorization in 2024 was chaotic enough that the authority technically lapsed for a few minutes around midnight before being renewed. This time, the expiration date is April 20th, and House Speaker Mike Johnson has reportedly slowed the legislative process in a move that critics believe is designed to suppress the reform effort rather than engage with it.

The political backdrop makes this debate significantly more fraught than it was even a year ago. Declassified records have already shown that between 2018 and 2020, the FBI used Section 702 authority to conduct searches on a sitting member of Congress, donors to political campaigns, more than 130 people connected to Black Lives Matter protests, and a broad category that included journalists and political commentators. These were not foreign adversaries. These were Americans.

Now privacy advocates are raising alarm about what the current administration might do with the same tools. Stephen Miller, one of the most influential figures shaping White House policy, has reportedly told people in ongoing FISA discussions that he views Section 702 as essential to homeland security — particularly as it relates to immigration enforcement. That framing worries civil liberties groups, who see a clear line between surveillance authority and the administration's aggressive immigration agenda.

President Trump has also invoked military necessity, arguing on Truth Social that FISA is critical to ongoing operations and that military leaders consider it indispensable. The national security argument is a powerful one, and it tends to win these debates even when the civil liberties case is strong.

The reform coalition is pushing for a warrant requirement before Americans' communications can be queried — a change that intelligence officials argue would cripple operations. What happens in the next few days will determine whether a surveillance authority that has operated largely unchecked for nearly two decades gets a genuine rethink, or just another rubber stamp.
Source: The Verge
