Hacker News

strogonoff yesterday at 12:57 PM

> > exploiting software is someone’s full-time job, whereas the engineers already have one—building it.

> But the attackers need to spread their attack over many products, while the engineers only need to defend one.

Are you assuming every piece of software has a dedicated defender team? Strikes me as unlikely.

Realistically, you have people whose job or passion is to develop software, who often work not on one but on N projects at the same time (especially in OSS), and who definitely aren’t going to make finding vulnerabilities their full-time job because if they do then there’ll be no one to build the thing in the first place.

> Except that's true even without LLMs.

Of course. That’s why I put it before I started taking into account LLMs. LLMs multiply the pre-existing imbalance.

> once attackers develop some skill, that skill could spread to all defenders through tools with the skill built into them

Sure, that’s an interesting point. I’m sure the attackers try to conceal their methods; the way we tend to find out about it is when an exploit is exhausted, stops being worth $xxxxxxxx, and starts to be sold on mass markets, at which point arguably it’s a bit late. Furthermore, you still mention those mystical “defenders”, as if you would expect an average software project to have any dedicated defenders.

(Edited my reply to the latest point, I didn’t read it correctly the first time.)


Replies

pron yesterday at 7:53 PM

> Are you assuming every piece of software has a dedicated defender team? Strikes me as unlikely.

No, I'm assuming it has maintainers (they play the role of defenders).

> engineers who work on software are simply not that great and dedicated about finding vulnerabilities in it.

Yes, but LLMs help them more than they help the attackers, because the attackers are already security experts. In other words, the LLMs reduce the skill gap rather than increase it. Becoming good at using AI is much easier than becoming good at security.
