June 2, 2026
The AppSec Instinct You Built Over Years — AI Is Quietly Killing It
A confession from someone who has tested 500+ apps — and nearly lost the instinct that built that number.
Saumya Kasthuri
5 min read
Let me tell you something I have not said out loud before. I have tested 500 plus apps. Web, mobile, API — all kinds of clients, all kinds of industries. Some of the biggest names in banking, fintech, healthcare and e-commerce, in this country and outside it. And somewhere in all of that, I became genuinely good at this work.
When a mobile app comes to me, I don't need to sit and plan. The moment I look at it — the threat model starts forming. Entry points, trust boundaries, where the developer has taken shortcuts, which flows look secure but are not. Before my Burp is even configured, I am already thinking three steps ahead. That is not overconfidence. That is what years of doing this work actually looks like when it becomes part of you.
I built that from scratch. Nobody taught me a shortcut to get there. Every finding I missed in early engagements, every wrong assumption I made in a threat model, every night I sat with code that made no sense until finally it did — that is what that instinct is made of. Slowly. Painfully. Properly.
And then quietly, without even realizing, I started outsourcing it.
Not in one big moment. Just small things, one by one, that each felt completely logical at the time.
Frida script not working? Don't troubleshoot it yourself. Paste it in Claude, get the fix, move on. Need a recon script for the engagement? Don't think through the logic. Just generate it. Some SSL pinning behaviour that feels familiar but I can't place immediately — why sit with it when the answer is one prompt away?
Every time the output was fine. Work moved forward. Nobody said anything.
But something felt wrong. I just didn't want to look at it directly.
GPT and Claude Are Not The Same — And Both Are A Problem In Different Ways
People use both like they are interchangeable. They are not.
GPT, when you ask something complex, will give you everything. Ask about attack vectors on a mobile authentication flow — you will get eight paragraphs back. Deep link hijacking, token leakage, insecure local storage, certificate issues, everything with full explanation and equal confidence. It is like asking a question and someone responding by throwing the entire library at you. The answer is somewhere inside. Most people read the first two points, decide that is enough, and move on. That is not research. That is the feeling of research.
Claude is different. Claude just solves it. Clean, structured, direct. "Certificate pinning bypass here — custom TrustManager, chain validation not happening server-side." Reads well. Makes sense. Easy to put in the report directly.
And that is exactly where the problem sits.
Because there is a difference — a very big difference — between a finding I reasoned through myself and a finding that was handed to me in a neat sentence. In the report they look identical. In my head they are not. One I own fully. One I am just carrying.
In most professions that gap may not matter much. In AppSec it is everything. This work is adversarial thinking. You are trying to think like an attacker — someone who does not follow any checklist, who adapts, who finds the thing nobody anticipated. You cannot outsource that thinking and expect the instinct to remain. It does not work that way.
But Let Me Be Honest About The Pressure — Because It Is Real
Here is the part that these "AI is ruining critical thinking" articles always skip.
You are mid-engagement. Client call in 40 minutes. Frida is not hooking — some dependency issue, silent failure, nothing useful in the logs. Three more apps waiting in the queue. Last week itself your manager made a comment about delivery timelines. Junior team member waiting on you to unblock a finding so they can proceed.
Claude fixes that Frida problem in 90 seconds.
So you open it. You paste the error. You get the fix. You move forward.
And honestly — that was the correct decision. I am not going to pretend otherwise.
In India especially, this pressure is not something you can just philosophically rise above. Delivery timelines are tight. Clients are demanding. Billing cycles are real. If you are a consultant, every hour you spend debugging tooling is an hour you are not delivering findings. Your manager is not interested in hearing that you spent 40 minutes building character by troubleshooting a script manually. The project tracker does not care about your cognitive development.
And there is competition, too. AI-augmented teams are closing engagements faster than was possible even two years back. If you are moving slowly to protect your thought process while others are leveraging every tool available — you are not being principled. You are just falling behind.
The anxiety is very specific. It is not some vague worry. It is this:
If I slow down to protect the skill, I fall behind on the work. If I keep pushing pace to stay relevant, I slowly hollow out the skill.
There is no clean answer to that. Anyone telling you there is has not actually sat inside this pressure.
What I have settled on — not a perfect solution, just a way to manage — is keeping two modes completely separate.
Broken script. Dependency error. Environment setup. Automation boilerplate. AI handles it, full stop, no guilt. That is infrastructure work. Goal is throughput, not learning. Finish it fast.
Mapping the attack surface. Understanding trust boundaries. Deciding what is actually exploitable and why. Building the end-to-end attack narrative. That stays with me. That is the actual job. That is what I am protecting.
The line gets blurry sometimes. But at least I know now where the line is. Six months back I had stopped thinking about it entirely.
What Worries Me About The People Coming Up Behind Us
My own situation I can manage. I know what is slipping, I can work to recover it.
What concerns me more is the next generation entering this field.
They will become productive very fast. AI-assisted from day one, finding vulnerabilities, writing reports, looking capable. And they will be capable — the output will be valid, clients will be happy, tickets will close.
But they will never have sat alone with a completely undocumented legacy application for three hours building a mental model from nothing. They will not have gotten a threat model badly wrong, presented it confidently, been corrected in a debrief, and had to rebuild their entire understanding from scratch. They will not know what it feels like to find something genuinely unexpected — not because a tool flagged it, but because something felt off and they kept following that feeling.
That only comes one way. The slow way. The inefficient way. The way that feels like a waste of time until suddenly it doesn't.
Attackers are not running checklists. They are thinking. They adapt in real time. They find the angle nobody modelled.
If the entire next generation of security professionals has optimised for speed over depth — we will feel that. Not today. But in the moments that matter most, we will feel it.
What I Actually Do Now
No framework. Just a few honest habits.
Before I open any tool — AI or otherwise — I spend time with the application first. Just me looking at it. I write down where I think the risks are, what the attack surface looks like to me. Then I use AI to challenge what I already think. Not to think for me.
When I feel the reflex to ask AI for something, I ask myself one question: am I avoiding repetitive work, or am I avoiding a thought I should be having? Those two things feel similar in the moment. They are not. One is efficiency. One is erosion.
And once a week — one full review, no AI, start to finish. Not to prove anything. Just to make sure the instinct is still there. That it has not quietly gone somewhere without me noticing.
The AI will keep giving answers. Confidently. Cleanly. It does not know what it has never seen. It does not feel when something is off. It does not follow a gut feeling down a rabbit hole at 11pm because something about this app just does not add up.
The attacker does all of those things.
The question is — do you still?
That last finding you caught that the scanner completely missed — was it the tool, or was it you staying with something that felt wrong? That instinct is the whole game. Don't give it up quietly.