“In order to survive a bear attack, you don’t need to outrun the bear, but you need to outrun the person running next to you. But with AI, you can think about the fact that there isn’t just going to be one bear, there is going to be a thousand AI bears.” This stark analogy, offered by Daniele Perito, encapsulates the seismic shift occurring in the software security landscape, driven by the democratization of offensive capabilities through artificial intelligence. Perito, Co-founder and Executive Chairman of the AI-native security platform depthfirst, spoke with Jack Altman on the Uncapped podcast, drawing on his deep experience building complex, high-stakes financial and marketplace systems at Square (Cash App) and Faire to frame the new reality of digital defense.
The conversation provided insight into the relentless operational rigor required to scale multi-billion dollar platforms and how those lessons apply directly to the emergent challenges of AI safety. Perito explained that Faire, a B2B wholesale marketplace, was founded on a somewhat contrarian bet that brick-and-mortar retail still had immense growth potential if key friction points could be removed. The core insight revolved around taking risk on behalf of the customer, specifically offering 60-day payment terms and free returns to retailers. This demanded an extreme level of intellectual rigor and data analysis—a theme that permeates all of Perito’s work. He noted that marketplaces, by their very nature, are recursive, chaotic systems where small changes can ripple widely, necessitating constant vigilance and testing. He captured this philosophy succinctly: “The market is an incredible truth-seeking machine for the type of questions that it can investigate.” This commitment to empirically verifying assumptions against real-world systems forms the foundation of depthfirst’s approach to security.
The urgency for better security tools stems from the nature of the software development lifecycle itself. Perito argued that the current state of security tooling is fractured and inadequate, relying heavily on old, rule-based heuristics that generate high false positives and low detection rates for complex, "deeper" vulnerabilities. In the pre-AI era, this deficiency was manageable because the cost and expertise required for a coordinated, sophisticated attack were high. Now, AI agents dramatically lower that barrier, empowering malicious actors to probe systems with unparalleled speed and scale. This is the source of the "thousand AI bears" problem—the sheer volume and capability of automated attacks will soon overwhelm traditional defensive postures.
The mission of depthfirst is to fundamentally change this dynamic by building sophisticated AI that acts as a "superhuman attacker" for defensive purposes. This requires moving beyond simple static analysis (SAST) or dynamic analysis (DAST) tools. Perito highlighted that deep vulnerabilities often require linking together multiple, seemingly innocuous flaws across different components—code, cloud configurations, and business logic—a task that historically demanded immense human expertise and context. depthfirst addresses this by leveraging reinforcement learning (RL) and large language models (LLMs) to perform complex reasoning and pathfinding across the entire software and infrastructure stack. This deep contextual understanding allows the system to identify true vulnerabilities with high confidence, slashing the false positives that plague traditional tools.
Perito detailed how the combination of advanced AI techniques allows their system to go deeper into the code. The hope is to train these models to emulate the creativity and lateral thinking of top-tier human hackers. He explained the technical objective: “I think with reinforcement learning we can teach these LLMs to go deeper, to find those clever ideas that will allow them to put two small vulnerabilities together and combine them into something that is actually real.” This capability is crucial, as defenders must succeed every time, while attackers only need to succeed once. By turning the tables and allowing the defense to operate with superhuman attacking intelligence, the equilibrium of the cybersecurity landscape can be restored.
Furthermore, Perito stressed that the security industry must evolve to eliminate the perceived trade-off between security and productivity. Historically, implementing robust security measures often acted as a drag on engineering velocity. By integrating advanced AI directly into the development workflow—scanning pull requests as they are written and providing contextually relevant, accurate fixes—depthfirst aims to achieve security with productivity. This alignment of engineering goals with security outcomes is essential for long-term viability in the accelerating AI environment. This urgency is compounded by the existential risk posed by software flaws in increasingly powerful AI systems. Perito concluded with a powerful reminder of the foundational stakes: “Without much better computer security, we do not get to play the AI safety and control game.”
