Bug Hunters Are Losing More Than Workflow

Key Points

  • Veterans report loss of craft meaning despite higher productivity
  • Black-hat and institutional security cultures both being restructured
  • Apprenticeship model of learning security undermined by automation
  • Professional identity in security tied to process, not just output
  • Community hasn't grappled explicitly with cultural costs

References

  1. AI disrupting traditional approaches to vulnerability research and disclosure — Hacker News AI

Marcus spent eleven years learning to read code the way a detective reads a crime scene. He could spend three days on a single function, tracing how data moved through a system, hunting for the subtle logic error that would let an attacker slip through. Last month, he ran an AI-assisted audit on a target that would have taken him four weeks. It took six hours. The vulnerabilities were there — polished output, categorized by severity, with suggested patches. Marcus sat back and felt something he couldn't immediately name. "I used to know who I was," he said. "Now I'm not sure."

This is the cultural rupture JeffTK mapped in his widely-discussed analysis of how AI tools are fragmenting two distinct vulnerability research traditions. The first is the adversarial culture of black-hat discovery — researchers who find flaws for glory, bug bounties, or darker purposes. The second is the institutional culture of secure development — the code review practices, the penetration testing rhythms, the way organizations have historically built defensive expertise. Both cultures are being restructured by the same technological force, but the human cost falls differently across each.

For institutional security teams, AI triage is mostly welcome. Organizations that once waited months for external penetration tests can now run continuous automated analysis. Senior engineers who once spent weeks on legacy code audits can redirect their attention to architectural problems. The efficiency gains are real and measurable. But this productivity comes wrapped in a subtle dispossession: the day-to-day practice that taught junior engineers to think adversarially — the slow, deliberate work of finding flaws — is being automated away before those engineers have developed the intuition that comes from doing it manually.

The black-hat side presents a starker paradox. AI lowers the barrier to vulnerability discovery, which should mean more researchers entering the field. Instead, many veteran finders report a quiet crisis of meaning. The skills that once commanded respect — patient code archaeology, creative exploitation, the craft of writing a reliable proof-of-concept — matter less when a model can generate plausible candidates in seconds. Status hierarchies built over decades are dissolving not because the work is easier, but because the work feels different. The question "who is a real vulnerability researcher?" has no comfortable answer anymore.

There are counterarguments worth taking seriously. More people can now find vulnerabilities that would have gone uncaught. Bug bounty programs report higher submission volumes and faster resolution times. AI assists rather than replaces the judgment calls that matter most — deciding what's actually exploitable, assessing blast radius, choosing what to report. These are valid defenses of the technology.

But they miss what Marcus and researchers like him are grieving. Professional identity in security was never just about output. It was about the process: the years of pattern recognition, the accumulated intuition, the sense of being part of a craft tradition with its own rituals and values. Automating the output doesn't just change what gets produced — it changes what it means to be someone who produces it.

The security community hasn't yet grappled with this explicitly. Conference talks focus on toolchains and benchmarks. Job postings emphasize "AI-assisted" workflows without acknowledging what gets lost when human attention is redirected or eliminated. Meanwhile, the researchers doing the actual cultural work — defining what expertise means, deciding who belongs — are mostly silent.

What happens to a profession when its craft identity is automated? Other fields offer partial answers. Photography didn't die when smartphones made everyone a photographer; it reconfigured around curation and artistic vision. But security lacks that clean separation. The vulnerability found by an AI and the vulnerability found by a human occupy the same bug report, the same CVE, the same patch cycle. Distinguishing them matters for accountability, for learning, for the subtle ecological balance that keeps the adversarial ecosystem healthy.

Marcus hasn't stopped working. He's learning to use the tools, adapting his practice. But he describes a persistent disorientation, a sense that the ground has shifted beneath expertise he spent over a decade building. "I can still do the job," he said. "I'm not sure I can still do the calling." That distinction — between capability and meaning — is the one the security industry needs to address before the cultural cost becomes irreversible.