From Kill Chain to Kill Cycle

‍

EkoParty just wrapped its first US edition in Miami, and I had the honor of opening day two with a keynote titled “Offense and Defense in an Era of Systemic Asymmetry”. For readers unfamiliar with it, EkoParty is the largest information security conference in Latin America, with a long tradition of serious offensive research coming out of Buenos Aires. Its move stateside this year is a real milestone for the field, and it was good to be part of bringing it north.

There's a personal dimension too. I last spoke at EkoParty in Buenos Aires sixteen years ago. Being on stage again, in the conference's first US edition, was not a moment I expected to get and not one I took for granted. Huge congratulations to the EkoParty team for the work they've done over the years and for what they pulled off this week. Bridging the North and South American security communities is something almost no conference does well. EkoParty does, and the Miami edition was a clear step further in that direction.

The slides from my talk are now public (see the link at the bottom of this page). This post is the short version of the argument, written for the people who weren't in the room and for the people who were and want a place to send their colleagues.

I opened the talk with a line from Antonio Gramsci, written from a fascist prison in the 1930s:

‍

"The old is dying and the new cannot yet be born. In this interregnum, many morbid symptoms arise."

‍

Gramsci was diagnosing the collapse of Italy's liberal parliamentary order, not network defense, but the structural shape carries over cleanly. The old defensive order, built around heuristic automation and the linear kill chain, is strained well past its design assumptions. A genuinely cognitive defensive paradigm hasn't been built yet. In the gap, the morbid symptoms are visible everywhere: AI-enabled attacks proliferating faster than institutions can adapt, conference floors full of vendors claiming defenses they cannot demonstrate, and a category gap between what attackers can do and what defenders can see. We are in an interregnum, and like every interregnum, it doesn't last forever. What replaces it depends on the choices made inside it.

The throughline of my talk is simple: offense is ahead. The lead is not a momentary blip while defense catches up; it is structural, and the asymmetries that produced it compound. The question that determines what happens next isn't whether defense will adopt cognitive automation. It will. The question is where defense chooses to apply its leverage. There are surfaces where defensive force lands directly on the things that make cognitive offense work, and surfaces where it doesn't. Equilibrium gets clawed back at the first kind. The second kind is where most of the current spending is going.

‍

The Wall

‍

Anyone who has built an offensive tool has hit the same wall. You write something that scans, fuzzes, exploits, or pivots, and it works beautifully until it encounters a situation its author didn't predict. Then it stops. A human has to come look at it, make a judgment call, and either feed the tool a new branch or take over manually.

I lived this for years. I’ve been involved in various attempts to build continuous automated red teaming products, and the same pattern played out over and over: foothold acquired, then weeks of analyst time before lateral movement, because no script could decide what to do with the unfamiliar device on the other side of the firewall. That is what heuristic automation looks like at its limit. You can automate execution; you couldn't automate judgment.

LLMs broke that wall. Not gradually. Cognitive automation, software that observes a novel environment, reasons about it, and takes a contextual action, is now a thing you can build. At Mindgard we're building it. The wall I spent years bumping into is gone. So is the constraint that kept offensive automation somewhat tractable for defenders.

Heuristic automation was frozen at write-time whereas cognitive automation is not. And once the attacker side of the loop becomes cognitive, the assumptions every defensive control was built on start to break in interesting ways.

‍

From Kill Chain to Kill Cycle

Lockheed published the Cyber Kill Chain in 2011. Seven linear stages: recon, weaponize, deliver, exploit, install, command-and-control, act on objectives. The entire defensive industry was built around it. Every defensive product focused on interrupting one of those links. Email gateways break delivery, EDR breaks install and exploit, network sensors break C2, threat intel matches indicators across the chain, and so on. The model assumed an attacker moves through stages in sequence, and that each transition between stages is a place a defender can cut.

Cognitive offense collapses those stages into a single loop running inside the perimeter.

Two things make this happen, and both are already documented in real-world tradecraft:

1. Forward-deployed command and control. If the engine of cognition lives inside the perimeter, the implant stops needing instructions and can reason locally. The outbound crossings that EDR and network sensors are tuned to detect stop happening because there is nothing to beacon. By co-opting local LLMs and resources, the brain of an attack operation moves within the perimeter.

2. Forward-deployed development. Once the local agent can reason and write code, payload development moves inside as well. The attacker stops shipping malware across boundaries. They ship intent. Malware is no longer binary code, but can be represented as text-based prompts. The local agent writes whatever the target environment actually requires, with full knowledge of applicability. The malware was never in the wild before it was already inside your network.This new insider threat creates emergent payloads.

‍

Judgment, execution, and development converge into a continuous internal feedback cycle. The defenders' seams are internalized.

That is the Kill Cycle. The shift in name is small, but the implication is not. A defensive architecture designed to cut between linear stages does not have anything to cut against a loop that never crosses the boundary the architecture is watching.

‍

What the Kill Cycle produces

The new shape of the offensive operation produces four asymmetries that compound on each other:

• Locality, the where. Cognition, execution, and development all sit inside the perimeter. The places defenders watch are no longer the places offense happens.
• Observability, the why. When an action is the output of a judgment call rather than a code path, you can log every step and still lack a falsifiable explanation of intent. Causality becomes a Bayesian distribution, opaque to introspection.
• Opportunism, the when. Transient states (a four-minute misconfiguration, a permission that lapses briefly) were practically unexploitable before because exploiting them required continuous observation, real-time judgment, and immediate action in one loop. Cognitive automation has all three.
• Tempo, the how. CrowdStrike's breakout time dropped from 98 minutes in 2021 to 29 in 2025, with the fastest observed at 27 seconds. Mandiant tracked median initial-access-to-hand-off times collapsing from over 8 hours in 2022 to 22 seconds in 2025, with hand-offs described as "often automated." Scripts were always fast, but cognition at machine speed is a different category entirely.

‍

These do not stack independently. They feed each other. Locality hides what happens. Observability collapse makes reconstruction impossible. Opportunism expands what counts as exploitable inside the compressed window. Tempo shrinks the window such that human-cycle defenses become forensics tools rather than sensors. Pull any one thread and the others move with it.

That is what the talk's title means by systemic asymmetry. Offense isn't slightly ahead in a few categories. It's holding a compounding lead across an interlocking web.

‍

Current defensive responses don’t close the gap

If the lead were just a matter of throwing more money and more compute at familiar problems, it would close on its own.But, the structural drag on the defensive side is real, and the places most of the spending is going are the wrong layer to put pressure on.

Anthropic's Glasswing program is the most ambitious defensive AI effort in the industry: $100M+ in credits, fifty-ish partner organizations, code-level vulnerability discovery at a scale nobody else is attempting. To be clear, this is the right kind of effort and I wish it success. But, it is operating one layer below where most enterprises actually get breached. Glasswing finds memory corruption bugs and meanwhile the cognitive attacker is calling your help desk, watching your developer's four-minute misconfiguration, reading your Jira tickets for context about internal systems, and coordinating parallel reconnaissance across your entire ecosystem. 

There's also the structural drag. Casey Ellis put it cleanly: offense scales with compute, defense scales with committees. Procurement, change control, compliance review, and a federal cyber budget that contracts as fast as the threat accelerates. On top of that, there's what I called the alignment tax in the talk: a defensive model that has to refuse harmful actions, respect privacy, and stay inside policy carries operational cost that an attacker's model doesn't. Both sides are getting smarter but only one side has its hands tied behind its back.

‍

‍

The shorter version: the industry is shipping point solutions against what is structurally a systemic problem, and the point solutions accelerate heuristic activities (find bugs faster, write signatures faster, triage alerts faster) rather than changing the paradigm. Faster pattern-matching does not close a category gap. The lead doesn't close on the current trajectory; it grows. The defenses of the past simply won’t be able to match the shape of AI-fueled offensive campaigns. The velocity combined with probabilistic behavior, absent the prior biological constraints and causality, will render technologies that claim real-time alerting to forensic historians at best, archaeologists at worst. 

There's a useful frame for this from outside security. Donella Meadows, in her 1997 essay "Leverage Points: Places to Intervene in a System," ranks twelve categories of intervention by their structural power. At the bottom are parameter tweaks, the knobs on an existing system. In the middle are interventions that change what the system can do. At the top are paradigm changes, including transcending the paradigm entirely. Her core observation, and the reason the paper gets cited across policy, ecology, and management, is that people instinctively reach for the low-leverage interventions because they are tractable and visible, and they avoid the high-leverage ones because those are harder.

‍

‍

The pattern plays out cleanly in security. CVSS cutoffs, triage staffing, patch cadence, AI bolted into existing SOC and EDR tooling, coordinated disclosure, bug bounty programs, all of it is real work, but it sits at the lower rungs of Meadows' ladder. The best of the current industry response, the rewarded-coordination ecosystem of disclosure plus bounties, lands at rungs 5 and 6: incentives and information flows. Meaningful, but bounded.

Offense, meanwhile, just made the highest-leverage move on Meadows' ladder. The shift from heuristic to cognitive automation is a paradigm transcendence, which she ranks as rung 1, the most powerful intervention available anywhere in a complex system. The asymmetry in the talk's title is, in part, an altitude gap. Offense is intervening at rung 1. Most of defense is intervening at rungs 8 through 12.

So, if doing more of the same doesn't work, the next question is where defense can apply force such that it actually lands.

‍

The new attacker has shape

The first step is acknowledging that the new attacker is discernable. The pushback I expected, and got, is structural: if the attacker is now a reasoning system, isn't it inherently unpredictable? Aren't we just describing a thing that mutates faster than we can read it?

The answer I argued for is no. Cognitive offense is a structurally different actor, but it has an observable shape, and the shape is hard to mutate because every mutation costs the attacker something the attacker actually values:

• Acceleration (how it moves). Decision speed and information density. Mutation costs speed: the moment you tell your agent to slow down or stop integrating context, you give up the very advantage that made cognitive offense worth deploying.
• Compression (what it produces). Dense, context-integrated output per unit time, the kind no human and no heuristic bot can produce. Mutation costs synthesis: throttling the output throttles the thing that made the agent better than a script.
• Identity (who it appears to be). Model fingerprint, cross-surface coherence, behavioral rhythm. Mutation costs reach: every constraint you add to mask the agent shrinks the surface it can act across.
• Dependence (what drives it). The reward signal the agent uses to decide whether it is succeeding. Mutation costs responsiveness: an agent that ignores its feedback loop is no longer adaptive, which is the entire point of building it.

‍

‍

I call this the Cost of Mutation. The attacker can shift along any of these axes, but every shift forfeits the underlying advantage that motivated cognitive offense in the first place.

Three of the four properties above are not just things defense can read. They are channels defense can write into. That distinction is the leverage thesis, and it's where the rest of the post is heading.

‍

Where defensive leverage actually lives

Identity is the read-only channel. You match against the structure and behavior of a coherent actor over time. Cross-surface canaries, idiolect baselines, breadth-of-access correlations. Useful, but the agent never knows you're looking. The other three are different; they are levers, not lenses.

‍

‍

Compression is a write channel via prompt injection. The same property that makes your customer-facing LLM vulnerable to prompt injection makes an attacker's LLM vulnerable to it. Every README the agent reads, every log line, every config dump, every directory listing, every error message is a place a defender can poison. The agent has to ingest context to be useful. Whatever shapes that context shapes the agent. In the AI-safety conversation prompt injection is treated as a vulnerability to fix. Against a cognitive adversary, it is a primitive. It works specifically against attackers using LLMs, and offensive operators historically spend very little time hardening their own tooling. Prompt injection is a defensive primitive. 

‍

Dependence is a write channel via reward-signal corruption. Counterfeit success signals, fake shells that manufacture confusion, credentials that authenticate once and quarantine silently, exfil endpoints that acknowledge and then redirect to a controlled environment. I lived a version of this myself when an offensive agent I was running burned a meaningful amount of compute on a Perplexity product that was, in effect, hallucinating a target environment back at us. Cognitive offense met cognitive deception, and deception won.

‍

Acceleration is a write channel when paired with Dependence. Latency tarpits, decision-forcing branches, fast paths that look high-reward and converge the agent toward them. The agent doesn't experience this as adversarial but rather as a gradient.

‍

This is where the leverage question becomes concrete. A dollar spent on faster signature matching lands on a heuristic surface. A dollar spent on context poisoning, fake reward signals, and adversarial environment design lands directly on the channels the attacker's loop depends on. The first kind of spending accelerates a paradigm that the attacker has already moved past. The second kind exploits the structural cost the attacker pays for using cognitive automation in the first place.

None of this restores symmetry. The four old structural asymmetries (oracle, scope, cost of error, initiative) still favor offense. But it is the first place I've seen where defense gains real ground back against the cognitive shift, rather than running faster on the same treadmill.

‍

The takeaway

Security is a turn-based game, and offense has made its move. The Kill Chain became the Kill Cycle, the asymmetries are compounding, and the gap is widening on the current defensive trajectory. This is where we are today.

The question isn't whether defense can match offense move for move. Even cognitive defense will face the old structural disadvantages: ambiguous objectives, broader scope, higher cost of error, structurally reactive timing. Cognitive-versus-cognitive doesn't produce symmetry. It reproduces the structural advantages offense has always had, at a higher level of capability on both sides.

The question that determines whether equilibrium can be clawed back is where defense places its leverage. Three of the four properties that make cognitive offense work are write surfaces, not just read surfaces. Compression is writable through prompt injection at every point of context ingest, dependence is writable through counterfeit success signals and adversarial environment design, acceleration is writable in combination with Dependence. Identity remains a passive read, but a powerful one when you stop trying to read it with heuristic observers.

These are not parameter tweaks on existing controls. On Meadows' ladder they sit several rungs higher: corrupting the attacker's reward signal is gain on a positive feedback loop (rung 7), adversarial environment design is self-organization (rung 4), reframing defensive objectives from preventing compromise to degrading adversary decision quality is a goal shift (rung 3), and engaging cognition rather than artifacts is the paradigm shift itself (rung 2). These are the altitudes at which the offense/defense ratio actually moves.

Defense can pour budget into faster pattern-matching against an attacker who no longer pattern-matches, or it can put pressure on the surfaces where the attacker's loop is structurally exposed. 

If you have war stories, pushback, or terms you think land better than the ones above, I want to hear them. And again, thank you to the EkoParty team for the invitation, for the conference, and for everything they've done to foster a truly global community.

‍

Links

• Slide deck (PDF)
• Podcast: Juan Andres Guerrero-Saade, Ryan Naraine and Aaron Portnoy discuss Pwn2Own, the End of Easy Bugs, and AI-Fueled Offense live at Ekoparty Miami

‍