Modern web application security operates under a basic asymmetry. Defense only succeeds when every relevant safeguard holds - but an attack succeeds when any single control fails. Think of a building with many doors and windows: defenders must keep them all secure, all the time; an intruder needs just one that’s ajar. This imbalance is amplified by practical constraints. Attackers choose the time, target surface, and method that suit them best - an overlooked API, a weekend change window, an unusual request sequence - while defenders are bound by customer experience, change control, and regulatory duties.

Generative AI accelerates both sides of the equation, though as we'll see it amplifies the asymmetry between attack and defense. It helps attackers by turning slow, manual probing into rapid, low-cost experimentation: payloads are rewritten endlessly, request sequences reshuffled, reconnaissance automated, and feedback signals harvested to guide the next try. It helps defenders and classifiers too: models summarize noisy telemetry, spot weak patterns across services, generate safer test cases and fuzzers, and even draft compensating rules more quickly.

Yet the underlying imbalance remains - and is magnified - because attackers still choose timing, surface and method, while defenders remain bound by change control, customer experience and governance. Even as detection quality rises, the volume and diversity of attempts rise more quickly, giving adversaries more chances to find the one weak point that matters.

For a deeper dive into the challenges of web application security and how RedShield helps organizations address them, download our whitepaper.
