Between Two Nerds: How NSA will use AI - Risky Bulletin

Summary7 min read

Risky Bulletin – Between Two Nerds: How NSA Will Use AI Podcast by Risky Business Media | February 23, 2026

Episode Overview

This episode of "Between Two Nerds" features cybersecurity experts Tom Uren and the Grugq (“Gruk”) discussing how major intelligence agencies—particularly the NSA—will use AI in their cyber operations. Drawing on new threat reports and their own experiences, they reflect on both the current and future value of AI in offensive and defensive cyber roles, how workflows might shift, and what roles AI can (and can't) usefully fill for state-level professionals.

Key Discussion Points and Insights

1. AI in the Cybercrime Lifecycle ([00:14] – [01:41])

AI is Pervasive in Adversary Operations
- Tom reviews a Google threat report showing "adversaries or cyber criminals, threat actors are using AI at pretty much every step in the... cyber criminal life cycle." ([00:21])
- Reference to a past Anthropic report about a Chinese threat actor using the Claude AI to coordinate campaigns with AI handling “grunt work” and reporting results for human oversight.
AI Favors Risk-Tolerant Adversaries
- Tom previously thought: "AI powered cyber espionage will favor China," as its operational style appeared to fit higher-risk, high-volume approaches. ([01:17])
Professional Agencies Prioritize Correctness
- "An organization like NSA or ASD or the Five Eyes won’t do [AI-driven YOLO ops] because they want to get things right, not screw up and get outed." — Tom ([01:41])
- Grugq: These agencies have a "very high premium on correctness." ([01:41])

2. AI’s Value in “Grunt Work” and Testing ([02:01] – [03:42])

AI for Process Robustness
- Tom mentions Trail of Bits CEO Dan Guido’s approach: use AI for small, clearly verifiable tasks, notably for writing test cases that humans tend to neglect ("it was just way too much work." — Tom [02:54]).
- AI allows coverage that hadn't previously been possible, with little risk if it "somehow manages to stuff up" as nothing is lost. ([03:03])
Area of Maximum Value
- Grugq: "That's probably where AI adds the most value right now, given the state. It's that sort of thing." ([03:16])

3. How Intelligence Agencies Can Safely Use AI ([03:42] – [08:17])

Intelligence Agencies’ Modular Workflows
- NSA and similar agencies divide jobs into many tasks—many of which match the kind of modular, clear-cut problems AI can assist with.
- Tom and Grugq discuss a US military cyber operator job description and how the role breaks down into core knowledge, skills, and abilities. Many "abilities" (e.g., "ability to think critically") aren't suitable for AI today, but knowledge tasks are a good fit.
AI as a Double-Check
- Grugq: "If I'm doing a risk assessment and I think I've covered all my bases, I would say, you know, Claude, do a risk assessment... And then once that comes back... compare and contrast. Did it come up with an angle I hadn't thought of? ...it's basically free... and if you don't [get anything], you've lost nothing." ([06:53])
Private Models for Sensitive Use
- Tom notes agencies can use self-hosted, private AI models, so they're not subject to external limits or trust issues. ([08:17])

4. Limits and Politics of Using Commercial AI ([08:17] – [10:09])

Anthropic vs. US Defense
- Anthropic sought to prohibit surveillance of US citizens and fully-autonomous lethal operations via their models, to which DoD responded with severe supply chain threats.
- Reports suggest Anthropic’s AI was used in "the raid to capture Maduro," showing real-world high-stakes application. ([09:24])

5. Which Roles Are Good for AI? ([10:09] – [17:39])

Critical Judgments, Human-Only
- Grugq: "Anything with the word planner in it is just, it's bad for AI... you want a human to be making human judgments. This is very much weighing up the balance of risks, plus everything I know, plus the political pressures..." ([11:08])
Warning Analyst – Mundane Yet Vital
- AI is well-suited to "warning analyst" style roles: developing cyber indicators, monitoring for changes, and alerting on environmental shifts—tedious but vital work.
- Tom: AI could excel at "what's happening right now... probably do that faster and more reliably than a person would, and could do it 247 without a problem." ([14:27])
Human-AI Teaming
- Grugq: "The human in that role can now do more and a more refined task because they don't have to waste cycles on the grunt work part. They can have Claude do that and... focus on thinking like the other side." ([14:35])
Target Network Analyst – Mapping and Pathfinding
- AI could help plan routes through networks ("like a Google Maps, except for getting around a network" — Tom [16:50]), by mapping out paths and matching available exploits to vulnerabilities, reducing rote labor.
Contrast: Professional vs. YOLO Threat Actors
- Tom: "A YOLO cyber threat actor... would probably go, well, find me a path, press button, let's go. So they will be quick and then do it, but maybe riskier as well."
- In contrast, pros will still "be more cautious about deploying those [AI] benefits or maybe more management oversight..." ([18:12])

6. AI Won’t Replace, but +Human Capability ([18:24] – [21:22])

Augmentation, Not Replacement
- Grugq: "All of the roles that AI is good for have a level of grunt work... [AI brings] a level of vigilance that you might not get normally." ([18:24])
- Some tasks require "political or... contextual" reasoning that AI can’t do—information that’s not formalized in the job itself but comes from human experience and social context.
What Makes 'The Best' Special?
- Tom: "There were some [analysts] that were just head and shoulders above everyone else. And they did that by... knowing a lot of stuff and knowing how to apply it."
- AI might soon know and apply these, pushing humans to focus on subtle, ineffable qualities that make top performers exceptional—such as how to steer the AI for best results. ([21:06])

7. AI and Malware Evolution ([23:40] – [26:45])

Attackers Already Use AI for Fast Malware Dev
- Tom: "Other threat actors... basically code up malware really quickly" with AI. ([23:40])
For Professionals – Longevity > Speed
- State actors want high stealth and flexibility in malware (“Russia used the same... malware for 20 years"). Constant churn isn’t always valuable.
- Test case generation and coverage are areas where AI can help with long-term malware quality.
Custom Tools at Scale—Opportunity for OpSec
- Grugq: "For ideal opsec, every operation would have its own unique tooling... [AI makes it so you] could then feed through 50 different C2s...development work to do in house... But now you could do that, which would mean it’d be much more difficult to link operations together." ([24:43])
Death of Attribution?
- "The rise of AI is actually the death of attribution." — Tom ([25:51])
- Grugq: "It absolutely could be. How could you?...It makes technical indicators less useful, perhaps." ([25:56])

Notable Quotes & Memorable Moments

On How Pros Use AI:
- "If I'm doing a risk assessment... I'd say, Claude, given these two risk assessments, compare and contrast. Did it come up with an angle I hadn't thought of or did I have a comprehensive thing? Because it's basically free." — Grugq ([06:53])
AI’s Limits:
- "Anything with the word planner in it is just...bad for AI because...you want a human to be making human judgments." — Grugq ([11:08])
Re: AI-Enabled Mass Malware Customization:
- "If what you could do is have 50 iterations of different strains of implants...that would be too much development work...But now you could do that, which would mean it'd be much more difficult to link operations together..." — Grugq ([24:43])
On Human-AI Teaming and Careerism:
- "An AI is probably not going to be thinking about your career...these people...do want promotions, they do want raises...When they look at it and go like, this is a very, very important thing. I need to make sure it works...you're going to move heaven and earth to make sure it works..." — Grugq ([19:21])
Attribution and the Role of AI:
- "The rise of AI is actually the death of attribution." — Tom ([25:51])
- "It makes technical indicators less useful, perhaps." — Grugq ([26:04])

Timestamps for Important Segments

[00:14] – Current AI use in cybercrime and intelligence contexts
[03:42] – NSA and intelligence workflow breakdowns: where AI fits
[06:53] – AI as an automated “second opinion”
[08:17] – The Anthropic vs. US DoD controversy
[11:08] – The irreplaceability of human judgment in planning roles
[14:27] – AI excels at tedious, always-on monitoring and "warning analyst" tasks
[16:50] – Target network analysis as "Google Maps for networks"
[17:39] – YOLO cyber actors vs. professional intelligence agencies: approaches to AI
[24:43] – How AI could enable massive diversification in custom malware and make attribution harder
[25:51] – Discussion on the future of attribution in the AI era

Conclusion

Tom Uren and Grugq agree that as AI matures, even cautious, process-driven agencies like the NSA will find opportunities for AI to augment their teams—especially in repetitive, testable, or data-intensive roles. AI will not replace seasoned operators, but will free up their time, allowing humans to focus on risk, judgment, and higher-level planning. The rise of AI could challenge attributions and technical indicators in cyber operations, presaging a new phase in both cyber offense and defense.

End of summary.

Loading summary

Transcript103 lines

[00:00]
Grugq
Foreign.
[00:06]
Tom Uren
This is Tom Uren, I'm here with the Gruk and another between two nodes discussion. G', day, how are you?
[00:11]
Grugq
G', day, Tom. Finding yourself very well?
[00:14]
Tom Uren
This week's edition is brought to you by Socket Socket helps developers manage all their supply chain dependencies. Find them@ Socket.dev so this week Google released a new AI threat report. It went through basically that adversaries or cyber criminals, threat actors are using AI at pretty much every step in the, I don't know, the cyber criminal life cycle. So way back in November, which is a lifetime ago in terms of AI, there was a similar report by Anthropic and they said they had discovered a Chinese threat actor who was using Claude to organize a. I guess it was a campaign, but it was like Claude was doing all the grunt work and it would basically come back to the whoever was in charge and say, you know, here's what I found. Do you want me to go back out? It was like the worker bees and management was sitting back seeing the results of Claude. And at that time I wrote that AI powered cyber espionage will favor China. I think that was maybe, that was the title of my piece. And that was because if you're going to YOLO it, at the time it seemed like, you know, AI would be great for that, you can do it, get a lot more done, but the risks are higher. And that seemed to suit some people
[01:40]
Grugq
with a high risk appetite.
[01:42]
Tom Uren
That's right, Right. Yeah. And my thinking was this is something that organization like NSA or ASD or the Five Eyes won't do because they want to get things right, not screw up and get outed. There's a very high premium on correctness.
[02:01]
Grugq
Right.
[02:02]
Tom Uren
So not that long ago I had an sponsor interview with Dan Guido, who's CEO of Trail of Bits, which is a, a sort of specialist consulting cybersecurity company perhaps would be one way to describe them. And he was talking about how they were using AI and in fact it was to add a lot more robustness to processes to actually make them more secure. And this is my take anyway. The way that they were doing that was breaking down longer chains of work into smaller processes that you could be very confident that an AI machine would do it correctly because it wasn't go and write me some malware. It was do this little thing and then we'll have a check that it's right or wrong. And so for example, they were using it to write test cases that they'd never written before because it was just way too much work.
[02:57]
Grugq
Dull. Yeah.
[02:58]
Tom Uren
Yeah. And it struck me that if you can use it to do test cases, well, you're in a better position.
[03:04]
Grugq
Right, right.
[03:04]
Tom Uren
Because you never had them before. Even if it somehow manages to stuff up well, you know, you've not lost anything, so that seemed like a win. I'm sure Dan's take is more sophisticated
[03:16]
Grugq
than mine, but that was my nuanced. I'm sure there's probably a lot more going on then that was my take. We're leading the charge and we have AI, Right. Tests. That's our value add right there. So I suspect that there's more going on, but I don't think that that's wrong. I think that that's probably where AI adds the most value right now, given the state. It's that sort of thing.
[03:43]
Tom Uren
Yeah. So I'm starting to come around to the idea that even the cyber behemoths. Behemoths. Cyber giants like NSA will benefit from AI, and it's because they already have processes where, you know, a bigger job is broken down into lots of different tasks. And a while back, you sent me a kind of job breakdown of. I think it was. Was it a cyber exploitation role?
[04:14]
Grugq
Yeah. So it was. As I recall, I was looking for the. So, like, the military occupation, specialty, number of an offensive cyber operator, probably because I just wanted to make a joke on Twitter, and I thought it would be good to have that specific detail. And I ended up stumbling across this website, which listed all of the roles, and then it went into, like this, the core skills, the core knowledge, the abilities that you need to have for each of the subsets that they had within offensive cyber. And so I saved that because that was very, very interesting.
[04:55]
Tom Uren
Yeah. So in my file system, you must have sent that to me in 2024, which is, like, so long ago in AI terms. And the document's got. What is that, one, two, three, seven different roles. And each of those roles has, you know, skills, abilities and tasks. So they've spent a lot of time coming up with these lists.
[05:26]
Grugq
Yeah. Like, to be fair, some of them are like, ability to think critically.
[05:31]
Tom Uren
Yep.
[05:32]
Grugq
Ability to evaluate information for reliability, validity and relevance. It's the very army thing of taking, like, stuff that is implicitly obvious and writing it as like, this is a critical thing that you need to do.
[05:47]
Tom Uren
Yeah, yeah. So what was interesting about the list, looking at it today, is that those abilities, many of them were things that I thought I would not trust an AI to do today.
[06:00]
Grugq
Right. Thinking critically, for example, just to pick one.
[06:06]
Tom Uren
But many there's a whole list of knowledges. Knowledge, knowledge requirements, I guess. And so for this one, what is that? That's like 50 different dot points for the Cyber operations planner. And looking at those, for example, knowledge of computer networking concepts and protocols, knowledge of risk management processes, yada yada, yada, yada, I thought, yeah, I would actually think an AI could maybe not understand it, but compellingly regurgitate those principles in a way that it makes you think that it understands them.
[06:43]
Grugq
Yeah. So my take on that is actually if I were in that role, I would want an AI to just double check my work to see if I missed anything.
[06:53]
Tom Uren
Right, yeah, right.
[06:54]
Grugq
If I'm doing a risk assessment and I think I've covered all my bases, I would say, you know, Claude, do a risk assessment with these parameters, blah, blah, blah. And then once that comes back, I say, claude, given these two risk assessments, compare and contrast. And I'd see did it come up with an angle I hadn't thought of or did I have a comprehensive thing? Because it's basically free. Right. And maybe you get something out of it and if you don't, you've lost nothing. So yeah, that's how I would see it being valuable. I think we agree on this. I wouldn't say, Claude, do the risk assessment and then turn that in. Right, like that.
[07:39]
Tom Uren
Yes. I think there's a question about how good it gets and whether you would get it to do the risk assessment and then say, okay, have you missed anything? Or do it the other way around.
[07:47]
Grugq
Right, right, right, right, yeah.
[07:49]
Tom Uren
And so there's the knowledge where it seemed okay, yes, you train a computer on all of human knowledge and it will have knowledge, the skills and abilities I'm less convinced about. But you can see when you break it down into all these different tasks, the small tasks, where I think AI could be helpful and it's certainly within the capability of intelligence agencies to get models that are private, like self hosted models.
[08:17]
Grugq
Right.
[08:19]
Tom Uren
So for example, there's a recent blow up between Anthropic and the US Department of. I still call it Defense.
[08:26]
Grugq
Yes.
[08:27]
Tom Uren
Because Anthropic said they wanted to place limits on what you could do, which to me actually sounded pretty reasonable, like you couldn't surveil American citizens and you. I think the other one was you couldn't use AI to launch lethal attacks all by itself.
[08:46]
Grugq
This is absolutely outrageous. I mean they're just hampering the ability of the US to defend itself in this complex, you know, ever changing threat landscape of. Yeah, I mean, come on, that's part
[08:59]
Tom Uren
of that blow up. The DoD wanted to label anthropic with some really punitive label, which was like, you know, supply chain risk or something like that.
[09:09]
Grugq
Which means that no element of the DoD supply chain can use anthropic.
[09:16]
Tom Uren
Yeah.
[09:17]
Grugq
Otherwise it's like it's a transitive property. So it would basically freeze them out of the entire defense contractor.
[09:24]
Tom Uren
Yeah, yeah. But in that argument, it came out that I think it was Claude, but I don't know if that was the label they used it. But some anthropic product was used in the raid on Maduro or the raid to capture Maduro. So I thought that was very interesting.
[09:43]
Grugq
Yeah. So, I mean, plan a Delta strike to kidnap a world leader, make no mistakes,
[09:54]
Tom Uren
Use the discombobulator. Maybe that's why the discombobulator was used. Claude just said, and we'll deploy the discombobulator. What's that? I don't know.
[10:09]
Grugq
I'm going to tell you one of the reasons why I wouldn't trust Claude to do some of these tasks, because I took that cyber roles list that we had and I pasted into Claude and I said, which one of these would be best for AI versus worst for AI? And it came back and said the six roles are 1, 2, 3, 4, 5, 6, 7.
[10:42]
Tom Uren
So one of the roles I actually do think makes a fair bit of sense for AI, though.
[10:47]
Grugq
The six roles are
[10:51]
Tom Uren
Cyber Operations Planner, Exploitation Analyst, Mission Assessment Specialist, Partner Integration Planner, Target Developer, Target Network Analyst, and the seventh missing role is Warning analyst.
[11:08]
Grugq
The seven of six is warning. It just sort of right off the bat, anything with the word planner in it is just, it's bad for AI because these are, these are things where you want a human to be making human judgments. This is very much weighing up the balance of risks, plus everything I know, plus the political pressures that we're under and all of these other dynamics. What makes sense for us to do, given where we are right now?
[11:41]
Tom Uren
Yeah, I think that planning is an inherently political process and to understand the political pressures, you need to be a person because.
[11:51]
Grugq
Right.
[11:52]
Tom Uren
That's. That's a. That's what people do.
[11:55]
Grugq
So, yeah, like there's that, but then there's the things that we tend to forget about because they're just such boring roles. What they have here as warning analyst. Right.
[12:06]
Tom Uren
Yep.
[12:06]
Grugq
Like that is. It's, it's a. It's absolutely vital and it's absolutely dull. Right.
[12:13]
Tom Uren
So the sort of potted description develops unique cyber indicators to maintain constant awareness of the status of the Highly dynamic operating environment, collects, processes, analyze and disseminates cyber warning assessments. So that is a very like cyber focused description, but for something like the Maduro operation, you can imagine there's a kind of less narrowly cyber like, but exactly the same job.
[12:39]
Grugq
Right. And so what you're looking for is basically from a cyber role. What you'd be looking for is indications that you're about to get burned. So for example, what we saw when we were looking at the Chinese report of those NSA operations, how every time a file was modified on disk that the NSA operators would then go in and try and understand why. Yeah, why did the environment change? What was the reason behind it? Is it that like, did they do a forensics image of the disk and then start it up again? Did they install like antivirus now? Or, you know, are there other indicators that the environment has changed in a way that's more hostile to us and it could indicate we're about to be discovered. So that's the sort of like vital role that you need, but it's also not the most exciting role you can imagine, like monitoring email, monitoring traffic.
[13:36]
Tom Uren
Some of the abilities in the job description, ability to think like threat actors. So I guess there's the sort of surface, I guess I would call it the tactical warning analyst, where you're looking at what's coming in right now and you're making a decision right now about what does that mean? Is the operation blown and you're sort of just alerting someone else to make a decision about what to do about that. And then I think there's a kind of deeper. How would we, what would tell us that we've been pinged?
[14:09]
Grugq
Right.
[14:10]
Tom Uren
Like what are the, you know, the indicators that we need? What do we need to look for
[14:16]
Grugq
in the first place? That would be indicators that they are looking for us.
[14:22]
Tom Uren
Yeah. So I could see like the, something like Claude would be very good at the what's happening right now.
[14:27]
Grugq
Right.
[14:28]
Tom Uren
Based on what we already know. What does that mean? And they would. Right. It would probably do that faster and more reliably than a person would because
[14:36]
Grugq
and could do it 247 without a problem. Right. But you know, to me what that means is it means that the human in that role can now do more and a more refined task because they don't have to waste cycles on the grunt work part. They can have Claude do that and they can focus on the thinking like the other side and then trying to figure out what would be an indication that they're doing something which would be
[15:08]
Tom Uren
yeah, And I think, like, I mean, obviously you'd say to Claude or whatever, AI, you know, what would be the indicators? And you'd look at that and you'd sort of. Did Claude get it right? And is there anything else?
[15:20]
Grugq
Or.
[15:21]
Tom Uren
I think it would be a good baseline, but there's not. I wouldn't rely on it solely, I suppose.
[15:26]
Grugq
No, no.
[15:28]
Tom Uren
But I guess the point of this discussion is that even in somewhere like nsa, there's a role for it and they will be using it, I'm assuming.
[15:39]
Grugq
Yeah. And similarly, the target network analyst, it's not a role I would have thought would be broken out, but apparently they have. And so my understanding is that once you get access to a network, like once you've made your initial breach or whatever, this person would then go in and look around and try and figure out what the best path forward is. In order for us to get to the juicy data that we want, there's network segmentation that we need to defeat. But based on this, we can get access to the admin lan by going through this particular box. So how can we get on that box? Well, and so they sort of plan out, like, given the environment that we're in and the goals that we have, our objectives, how can we do that? And to a degree, part of that is like just path mapping, but also part of it is looking at what's vulnerable compared to the exploits that you have or the capabilities that you have on hand. And that's very much just a database lookup against two things, which, again, AI would be pretty good at. Right.
[16:50]
Tom Uren
It seems a bit to me like kind of like a Google Maps, except for getting around a network with different parameters or whatever.
[16:59]
Grugq
Yeah, pretty much. And again, it's the sort of thing, I think that, like, the way I'm seeing it is a lot of these are sort of free to give to AI, because if AI comes back and says, here's a way to do it, you're going to look at it and you're going to say, okay, this is a good path, and then you do it. Or you're going to say, this is not the best path. I'm sure I could find a better one. And you're going to look for it, which you would have had to do anyway.
[17:23]
Tom Uren
Yep, yep, yep.
[17:24]
Grugq
Right. And it's. It's basically going to be like, if it finds a good one, you're good. If it finds a bad one, you look anyway. And if it can't find one, you're good, you look anyway. And so all you do is you, you save having to find it the first time or else you do what you would have done anyway.
[17:40]
Tom Uren
So, yeah, so I guess to contrast a, you know, YOLO cyber threat actor, they would probably go, well, find me a path, press button, let's go.
[17:53]
Grugq
So they will be quick and then
[17:55]
Tom Uren
do it, but maybe riskier as well. Whereas I suppose the real intelligence agency will be faster.
[18:06]
Grugq
The professionals, if we're going to talk about it. I mean, unlike those sort of day trader, you know.
[18:13]
Tom Uren
So the professionals will still get benefits. Yes, it's just they'll be more cautious about deploying those benefits or maybe more management oversight is perhaps the way to think about it.
[18:25]
Grugq
Yeah, I agree. And I think that it's important to sort of see AI here as adding capabilities that will allow one person to do a better job as opposed to replacing that person. Because from my perspective, all of the roles that AI is good for have a level of grunt work that, that a human can sort of get bored with and start, you know, like, they'll glaze over or whatever. And so I see it as being able to bring like a level of vigilance that you might not get normally.
[19:03]
Tom Uren
Right. Yeah. So for defined jobs where there's pretty clear yes or no answer. Fantastic. Right, but because planning the operations involves decisions about risk that are inherently right. Political or maybe contextual.
[19:22]
Grugq
Yes, I was going to say there's sort of a lot of implicit assumptions and understandings that sort of go on. Like if, if your commander is giving you a mission, but you can send, you can read his body language and see that, like, he really doesn't like this, that's the sort of thing that you can incorporate but you can't explain when you're trying to, like if you're trying to explain to a planner that, you know, his eyes seemed shifty and his body was a little bit, you know, turned inwards, they couldn't experience it in a way and you couldn't describe it in a way that would convey what's actually happening. So it would just be impossible to give that context. But yeah, also to a degree it's things like an AI is probably not going to be thinking about your career. And like, very honestly, like these people, like, it's a job, but it's also a job. Like they do want promotions, they do want raises, they do want to like, you know, do other things. So when they look at it and they go like, this is a very, very important thing. I need to make sure it works, you're going to Move heaven and earth to make sure it works. Whereas this is something that no one cares about. I mean, maybe you don't put your best effort in and you try and do something that's got a higher profile somewhere else.
[20:41]
Tom Uren
Right, right, Yeah. I mean, that sort of fundamentally changes what you do to be good at a job. Like, I think if much of the mundane stuff can be done by computers, and I think mundane is the wrong word in that. Thinking back, the people I knew who did some of these jobs, there were some that were just head and shoulders above everyone else.
[21:06]
Grugq
Right.
[21:07]
Tom Uren
And they did that by basically knowing a lot of stuff and knowing how to apply it. But it seems that my thinking now is that AI will be able to know a lot of the stuff and be able to apply it. So that's not what will separate the best from. Or will it? I don't know.
[21:23]
Grugq
Well, I see. I think that that's. That's how it presented, but I think that there's some sort of quality that's ineffable underneath that, that it, like, it shows up as. That they know a lot of stuff and they know how to use it, but really there's something else below that
[21:41]
Tom Uren
that they just really insulted them.
[21:44]
Grugq
Well, like, yeah, like they're smart people and that means that they learn more stuff and they know how to apply it. But if you take that having to know a lot of stuff in this domain out of their. Out of their specific job role and allow them to do something slightly above it, they're just going to take that cleverness and apply it to the new role and still be head and shoulders above people. Right, right.
[22:07]
Tom Uren
So it might be something like knowing how to get the best out of the computer rather than.
[22:11]
Grugq
Right, yeah. It's probably going to be like knowing a lot of stuff and then guiding the AI to make sure that it's, you know. Well, for now at least, it might be, you know, guiding the AI to make sure that it covers everything. Right.
[22:27]
Tom Uren
Yep.
[22:28]
Grugq
Properly. So, like, I. I'm starting to finish some of my side projects now because I'm using Claude code, and I find that it helps a lot that I know how to program already because, like, it'll sometimes make judgments that are completely wrong. Like, it'll say, you know, I'm going to have to do this really, really complicated thing because the toolkit we're using doesn't have, like, menu items. And I'll be like, yes, it does. And it goes, okay, let me check the docs. Yes, the docs. Oh, my God. Like, wouldn't you have done that time? Why would you just come out and say it doesn't do this before you actually check? And then it goes ahead and does it. So that's great. But on the other hand, it can do things that I would find super tedious and wouldn't get around to doing. So I could say I want this to have themes. And it says, okay, themes are now implemented. Then I go out and I find a palette and I'm like, okay, so here's Tokyo Night. And it's like two minutes later it's like, okay, now you can select Tokyo Night theme. I would never do that. That's a huge pain in the ass and too much dull work. But the fact that I can think of themes and now have them implemented means that I have a different role than I would have had if I was just doing the development right.
[23:41]
Tom Uren
One thing I was thinking about is that one of the uses I've heard that other threat actors do is they basically code up malware really quickly. And that to me seems like for a professional outfit, they tend to have long lasting malware where they put a lot of effort in. And I guess I'm thinking of like Russia used the same, you know, evolution of malware for 20 years.
[24:08]
Grugq
Yeah. If you have 20 years of use, does it really matter that much how fast you code it the first time?
[24:14]
Tom Uren
That's right. And it seems like they'll put a lot of effort in to make it stealthy and hard to detect and flexible. And so test cases, things like that, that would help doing that. But you're right, like, you know, the payoff if you amortize it over a long time, it doesn't matter. Or there may be cases where they'll go, okay, for a particular operation, we want to spin up something new and different that has different look and feel, and in that case it'll help them anyway. And so, you know.
[24:43]
Grugq
Yeah, exactly. So, like, what I where I see it being very useful in this specific subset is like, for ideal opsec, every operation would have its own unique tooling. Now, on the other hand, for actual manageability, that's the last thing you want, because you don't want to have 50 operations with 50 different unique tool sets. But if what you could do is have 50 iterations of different strains of implants that each provide effectively the same functionality, that you could then feed through 50 different C2s that then come back to an interface that's identical and can do the same stuff like that would be too much development. Work to do in house with your actual developers because you want them doing other things, not just writing different malware strains for one shot things. But now you could do that, which would mean that it'd be much more difficult to link operations together based on the malware strains that are discovered. So that could be.
[25:52]
Tom Uren
The rise of AI is actually the death of attribution.
[25:56]
Grugq
Well, it absolutely could be. Right. How could you?
[26:01]
Tom Uren
Well, it makes technical indicators less useful, perhaps.
[26:04]
Grugq
Right, right. So, for example, like when, when Cobalt Strike was basically everyone was just using made identifying who was who from beacons not necessarily impossible, but extremely difficult because everyone was using the same beacon. Now you're going to have now. Or you could have a different problem where the same threat actor uses different beacons for every target.
[26:29]
Tom Uren
Yep.
[26:29]
Grugq
I think that could be interesting. Like that could be an interesting way to use it. I don't know if it will be the way that people do use it, but it's certainly. It's an opportunity there to increase your opsec. Maybe it's not practical just yet, but.
[26:45]
Tom Uren
Yeah. So this seems like one example where I've actually changed my mind in a relatively short period of time. From what, November to February? What's that, six months?
[26:55]
Grugq
Right. Not even that, basically. I mean, you were right the first time and now the world has changed and you're right the second time.
[27:06]
Tom Uren
I like that. Thanks a lot.
[27:08]
Grugq
Thanks a lot, Tom.