Security is still a function of the complexity of the system

Security expert Drew Reinig argues that cybersecurity has become a proof-of-work problem, where hardening a system requires spending more tokens on discovering exploits than attackers spend exploiting them. The author adds that system complexity is now more critical than ever, as AI-generated exploits make smaller codebases inherently more secure due to reduced surface area. Simple, well-written open-source projects are recommended over homespun code.

Drew Reinig makes a very interesting point https://www.dbreunig.com/2026/04/14/cybersecurity-is-proof-of-work-now.html : “If Mythos continues to find exploits so long as you keep throwing money at it, security is reduced to a brutally simple equation:to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them.” Here, I want to qualify this statement with an angle that’s actionable for new organizations and small teams: from a security perspective, the system size/complexity is more important than before. A system of three thousand lines of code will have less bugs than a system with ten thousand. The relation is probably superlinear so that 3x the line count is perhaps 10x the bug count . This was true before AI entered the exploit scene. But with exploits now being AI generated, it’s more valuable to have a small system, because there’s less surface area to secure. Drew mentions popular open source projects as being a better alternative than homespun code, since it’s more hardened. I would emphasize the use of simple, well-written open source projects, since those are the ones that will have less bugs to start with and hardened by public scrutiny, to boot . Perhaps the metric to look for in libraries is simply the size of the code including its dependencies, and the dependencies of its dependencies .