During a recent FireCompass fireside chat, celebrated security technologist Bruce Schneier sat down with our Field CISO, David Randleman, to explore how AI is reshaping the cybersecurity landscape. From the origins of attack trees to the future of penetration testing, Schneier shared invaluable insights that help us see where security is headed—and how we can adapt.
The Evolution of Attack Trees
Bruce Schneier is known for pioneering the concept of “attack trees” in cybersecurity back in the late 1990s. He explained that he originally approached security as a series of moves and counter-moves, which led him to develop a tree structure to break down potential attacks. Think of it like physical security: one branch might represent “break in through a window,” while another addresses “unlock the door.” Each scenario branches further into possible defenses and additional steps an attacker could take.
By laying it out as a tree, experts in different areas—physical security, software security, network security—could each build their piece of the puzzle and then plug it back into the larger assessment. This modular approach transformed how many people in cybersecurity think about threats and how they methodically plan defenses.
AI’s Role in Modern Security
Although attack trees were never designed with automation in mind, Schneier now sees AI as a game-changer in how we traverse and update these threat models. Imagine a “continuous attack tree” that can adapt in real time as vulnerabilities come and go and attackers develop new techniques.
“Automation allows you to have a continuous attack tree that is constantly evolving to both the changing nature of vulnerabilities and attacks,” Schneier said. If someone invents a new lock-picking technique (like a bump key) or if advances in quantum computing threaten RSA encryption, that sudden shift in the threat landscape can be reflected immediately in your defensive posture.
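To make the tree structure described above concrete, and to show what "continuous" updating of such a tree looks like in practice, here is a small Python model written for this article (it is not Schneier's tool or FireCompass code). It uses the physical-security scenario from the chat: the root goal "Enter the building" is an OR node, a locks expert supplies the "Unlock the door" subtree, and each leaf carries a hypothetical cost and a flag saying whether a countermeasure currently blocks it. The node names, cost numbers and the "bars already installed" assumption are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """One node of an attack tree.

    kind:     "OR"   - the goal is reached if ANY child is reached
              "AND"  - the goal is reached only if ALL children are reached
              "LEAF" - a concrete attacker step with an estimated cost
    cost:     leaf only; hypothetical effort units (constructed numbers)
    possible: leaf only; False once a countermeasure blocks the step
    """
    name: str
    kind: str = "OR"
    cost: int = 0
    possible: bool = True
    children: list[Node] = field(default_factory=list)


def best(node: Node) -> Optional[tuple[int, list[str]]]:
    """Cheapest feasible way to reach this node: (total cost, leaf steps).

    Returns None when every route is blocked by a countermeasure.
    """
    if node.kind == "LEAF":
        return (node.cost, [node.name]) if node.possible else None
    results = [best(child) for child in node.children]
    if node.kind == "OR":
        feasible = [r for r in results if r is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else None
    if node.kind == "AND":
        if any(r is None for r in results):
            return None  # one blocked step blocks the whole conjunction
        return (sum(r[0] for r in results), [s for r in results for s in r[1]])
    raise ValueError(f"unknown node kind: {node.kind}")


def find(node: Node, name: str) -> Optional[Node]:
    """Locate a node by name anywhere in the tree."""
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def add_technique(root: Node, parent_name: str, leaf: Node) -> None:
    """A new attacker technique has appeared: attach it under an existing goal."""
    parent = find(root, parent_name)
    if parent is None or parent.kind == "LEAF":
        raise KeyError(f"no goal node named {parent_name!r}")
    parent.children.append(leaf)


def apply_countermeasure(root: Node, leaf_name: str) -> None:
    """A defense now blocks this step: mark the leaf as no longer possible."""
    leaf = find(root, leaf_name)
    if leaf is None or leaf.kind != "LEAF":
        raise KeyError(f"no leaf named {leaf_name!r}")
    leaf.possible = False


def door_subtree() -> Node:
    """Subtree contributed by the locks expert (constructed example)."""
    return Node("Unlock the door", "OR", children=[
        Node("Pick the lock", "AND", children=[
            Node("Acquire lock picks", "LEAF", cost=10),
            Node("Practice picking this lock model", "LEAF", cost=40),
        ]),
        Node("Obtain a copy of the key", "LEAF", cost=80),
    ])


def build_tree() -> Node:
    """Root tree into which each expert's subtree is plugged (constructed example)."""
    return Node("Enter the building", "OR", children=[
        # Assumption: window bars were already installed, so this branch is blocked.
        Node("Break in through a window", "LEAF", cost=30, possible=False),
        door_subtree(),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("baseline:          ", best(tree))
    # New technique becomes known: the tree is updated, not rebuilt.
    add_technique(tree, "Unlock the door", Node("Use a bump key", "LEAF", cost=15))
    print("after bump key:    ", best(tree))
    # Defender responds (e.g. bump-resistant cylinder); the cheapest path shifts back.
    apply_countermeasure(tree, "Use a bump key")
    print("after countermeasure", best(tree))
```

The point of the model is the re-evaluation step: when a technique is added or a countermeasure is recorded, `best()` recomputes the cheapest feasible route over the whole tree, which is exactly the evaluation an automated, continuously maintained attack tree would run each time the vulnerability or technique inventory changes. Replacing "cost" with probability, required skill, or detection likelihood uses the same traversal with a different combining rule at AND and OR nodes.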
The Future of Penetration Testing
Traditional penetration tests, or “pentests,” often happen at planned intervals—maybe once a year—mostly because they rely on skilled humans with limited time. Schneier predicts that AI will change this by making it possible to run continuous testing, uncovering vulnerabilities around the clock. However, he was quick to emphasize that AI won’t replace human pentesters:
“There will always be aspects on the edges that’ll be unique. I don’t see it taking the place of humans. I do see it augmenting humans really powerfully.”
In other words, AI can handle the grunt work of scanning and testing, while human creativity and expertise still matter for the trickier or more nuanced threats.
AI: Augmentation vs. Replacement
A theme that popped up again and again was AI’s value in augmenting rather than replacing human capabilities. Schneier pointed out that the best use of AI in fields like journalism is to analyze massive amounts of data—sifting through documents, spotting unusual patterns—and then hand over the results to human investigators who can interpret and act on them.
It’s the same story in cybersecurity. AI is excellent at discovering anomalies and producing a shortlist of suspicious activities, but people bring context and decision-making to the table. By combining both, organizations can strengthen their defenses without losing the invaluable human touch.
Defenders vs. Attackers: Who Benefits More?
One of the big questions in cybersecurity is whether attackers or defenders will gain more from AI. Schneier believes that, in the short term, defenders stand to benefit most. Attackers already operate at digital speeds, but now defenders can use AI to respond just as quickly:
“In the near term, defenders benefit more from AI than attackers. The reason is basically that you’re already being attacked at computer speeds, and the ability to at least in part defend at computer speeds is incredibly powerful.”
Still, Schneier acknowledged that this will remain an arms race. Over time, the advantage could shift back and forth as attackers find ways to exploit new AI tools.
Looking Ahead: Quantum Computing and Encryption
Another hot topic was quantum computing’s potential impact on today’s encryption standards. While quantum computers could eventually break many common public-key algorithms, Schneier noted that we’re still “generations away from a working quantum computer.” Even so, cryptographers aren’t resting on their laurels—NIST has already standardized several post-quantum cryptographic algorithms that organizations can begin using now.
“The math is well ahead of the physics,” he said, highlighting that by the time quantum computing becomes a serious threat, much of the security world will be prepared with quantum-resistant solutions.
AI and Security Culture
When asked if AI could help create a stronger security culture within organizations, Schneier was skeptical. He argued that poor security culture often stems from economic considerations—companies weigh the cost of investing in security against the risks and sometimes choose to roll the dice. In that sense, technology alone can’t fix fundamental budget and priority issues.
The Road Ahead
Looking forward, Schneier envisions AI infusing every corner of cybersecurity, from threat modeling to vulnerability scanning. Yet he also stressed the importance of maintaining human oversight, explaining that the best approach is to let AI handle what it’s best at and let humans do the rest. Security pros who want to stay relevant should stay plugged into the community—attending conferences like RSA, reading widely, and keeping up a network of industry contacts.
In the end, as AI continues to mature, the future of cybersecurity will be defined by how effectively we blend artificial and human intelligence. Organizations that figure out this balance will be better equipped to tackle not only current threats but also the ones just over the horizon.