InfoSec Opinion Column #8 (Nov 10, 2025)
Consider it the Axios of what matters in cybersecurity. Or the Hacker News comments section, depending on the day. All hand-curated, no AI involved. This week: the epoch theory of cybersecurity.
What: The Epoch Theory of Cybersecurity
Why it matters: Jeremiah Grossman has been one of the most influential leaders and founders in the AppSec space over the last 25 years.
tl;dr:
- "[Attackers] are sentient actors with purpose. They have motivations, preferences, and tradeoffs. [...] The goal is to make attacks less attractive, less profitable, or riskier, which in turn reduces both the likelihood and the impact of breaches."
- "Adversaries often drive the shift from one epoch to the next, but defenders can force transitions too when defensive technologies advance faster than offensive techniques. As threats and incentives evolve, so must security controls."
- "The progression moves from ad hoc manual efforts to repeatable procedures, then to scaled operations, and finally to highly complex models where adaptation itself becomes the defining feature."
Matt's view: I like the epoch theory of cybersecurity because it explains a few things. First, answering the question of "why does it always feel like we're solving the same problems?" Well, because in one sense we are, but in a different sense, it's more of a rinse and repeat - shoring up a cracked house foundation doesn't mean you've fixed a leaky roof, even though both are house maintenance problems.
Second, it helps fit AI into a larger context. Yes, attackers are using it to advance to scaled and complex operations, but it doesn't mean it's the only way they can do that - nor is it the only way we can defend against it. In other words, AI isn't a magic bullet for either attackers or defenders.
Last but not least, it shows a clear role for cybersecurity vendors: help defenders shape their environments and attack paths by moving into a more advanced defensive epoch. It's not that the attackers will go away entirely, it's that defenders can now take a more predictable approach to defense investment ("if we make it harder to attack us here, it's likely that attackers will go there instead, so that's our next area of investment.")