Jagged Frontier (AI Cybersecurity Capability)
AI capability is jagged: it does not rise smoothly with model size, model generation, or price. A model strong on one task can fail an easier-looking adjacent task, and the capability ranking across models reshuffles from task to task. The term comes from knowledge-work productivity research (Dell’Acqua et al., “Navigating the Jagged Technological Frontier,” 2023); Stanislav Fort (AISLE) applies it to AI cybersecurity capability.
Evidence in cybersecurity
Fort tested the showcase vulnerabilities from Anthropic’s Claude Mythos announcement on small, cheap, open-weights models once the relevant function was isolated.1
- Detection is commoditized. A straightforward FreeBSD NFS stack overflow (Mythos’s flagship find) was detected by every model tested, including one with ~3.6 billion active parameters costing about $0.11 per million tokens.1
- Hard reasoning separates models, but not by size. The 27-year-old OpenBSD TCP SACK bug, which needs reasoning about signed-integer overflow, was recovered in full by a ~5.1B-active open model (GPT-OSS-120b), while a larger 32B dense model declared the same code “robust.”1
- Near-inverse scaling appears. On a trivial OWASP false-positive task (a Java servlet that only looks injectable), small open models outperformed most frontier models from every major lab.1
There is no stable “best model for cybersecurity.” The capability ranking is task-dependent.
Sensitivity versus specificity
Jaggedness also shows up between finding bugs and recognizing safe code. Across the tested suite, sensitivity was high (models find the bug in vulnerable code) but specificity was uneven (many of the same models false-positive on the patched version, fabricating an incorrect signed-integer bypass). Only one model in the suite was reliable in both directions.1 The gap is the argument for a triage and validation layer around the model rather than trust in raw model output.
Why it matters
If capability is jagged and much of the detection work is commoditized, the design consequence is to deploy cheap models broadly, scanning everything and compensating for lower per-token intelligence with coverage, rather than betting on one expensive model to look in the right place. This is the capability premise behind the claim that in AI cybersecurity the moat is the system, not the model (see the AISLE analysis). It also bounds the frontier-AI-for-vulnerability-discovery thesis: the discovery-and-analysis layer is broadly accessible today, while novel constrained-exploit construction is where frontier-scale capability still separates. Brown’s talk illustrates the same jaggedness in offensive security: general models handle atomic tasks (spot an LFI or XSS) but fail multi-stage vulnerability chaining, motivating task-specific post-training.
Notes
Sources
Footnotes
-
Stanislav Fort (AISLE), “AI Cybersecurity After Mythos: The Jagged Frontier” (2026). aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier. Figures and per-model results are from the post’s published test tables and linked transcripts; these are scoped single-call probes on isolated functions, not end-to-end autonomous discovery. ↩ ↩2 ↩3 ↩4 ↩5