Cybersecurity has always depended on dangerous knowledge.

A defender cannot defend systems competently if forbidden to understand how they fail. Incident responders must understand intrusion mechanics. Detection engineers must understand malicious behavior. Red teamers must learn exploitation, privilege escalation, credential abuse, lateral movement, persistence, and adversary emulation. Malware analysts must study malware. Vulnerability researchers must reproduce bugs and understand how “crash” becomes “impact.”

This is not a defect in the field. It is the field.

The same knowledge that helps a defender recognize compromise may help an attacker improve tradecraft. The same proof-of-concept exploit that lets an administrator validate a patch may let a criminal test an unpatched target. The same malware report that helps a SOC write detections may tell an operator which indicators are burned. Cybersecurity lives permanently inside a dual-use reality: the knowledge required to protect systems closely resembles the knowledge required to attack them.

AI did not create this problem. It made the problem faster, cheaper, more interactive, and politically visible.

Before advanced models, the security community already had exploit databases, Metasploit modules, CTF writeups, malware analyses, reverse-engineering courses, bug bounty reports, academic exploit papers, conference talks, and adversary frameworks such as MITRE ATT&CK. Offensive knowledge was already public, searchable, downloadable, teachable, and remixable. What AI changes is the form of access.

A book does not answer follow-up questions. A static exploit does not explain itself. A conference talk does not debug a lab. A research paper does not patiently translate its assumptions into a learning path. AI can.

That is why government concern is real. A capable model can explain exploit code, translate advisories, summarize patch diffs, generate examples, help troubleshoot, and carry a user from confusion to execution. That can help defenders enormously. It can also help bad actors. Pretending otherwise is unserious.

But the opposite mistake is more dangerous: concluding that because AI can assist cyber abuse, it must be broadly prevented from assisting serious cybersecurity education and research.

That response would not eliminate attacker knowledge. Capable adversaries have private tooling, open models, underground forums, exploit markets, human experts, state programs, and operational experience. Blunt restrictions would fall hardest on students, independent researchers, small defenders, open-source maintainers, journalists, civil-society security teams, municipalities, MSPs, and ordinary administrators trying to understand what is happening to their systems.

The issue is not whether cyber knowledge is dangerous. It is.

The issue is whether a mature society can govern dangerous knowledge without reserving it for states, defense contractors, major corporations, and insiders.

The old dual-use bargain

The field’s historical answer was never “no one may learn exploitation.” The answer was authorization, purpose, scope, and disclosure discipline.

Testing your own system, a lab, a client environment under contract, or a bug bounty target inside scope is fundamentally different from testing an unrelated third-party system. The technical act may look similar; the legal and ethical meaning changes completely.

Purpose matters too. A researcher reproducing a bug to verify impact is not doing the same thing as an attacker using it to steal data. A malware analyst unpacking a sample to write detections is not doing the same thing as a criminal modifying malware for stealth. A red teamer demonstrating lateral movement under rules of engagement is not an intruder preparing extortion.

Scope matters. Legitimate security work lives inside boundaries: lab targets, program rules, client authorization, malware sandboxes, responsible disclosure channels, and containment procedures. Without scope, “research” becomes an excuse. With scope, offensive technique becomes a defensive instrument.

This is why public exploit archives and training platforms exist. They are not proof that the field is reckless. They are proof that reproducible knowledge matters. Defenders need to validate patches. Vendors need accountability. Students need to learn. Blue teams need realistic telemetry. Researchers need to prove impact. The security ecosystem learned to manage dangerous knowledge through practice, not denial.

AI policy should inherit that lesson.

Technical depth is not the ethical line. Unauthorized application is.

Words such as exploit, payload, C2, persistence, credential dumping, shellcode, and evasion are not automatically criminal. They are normal professional vocabulary in red-team training, incident response, malware analysis, and detection engineering. A policy system that treats the vocabulary of the field as evidence of malicious intent will produce absurd refusals, shallow education, and privileged backchannels for powerful institutions.

The correct principle is simple:

AI should not help users commit attacks. AI must be allowed to help users understand how attacks work.

Red-team education cannot be sanitized

Real red-team education is not inspirational abstraction. Students working through serious labs enumerate services, inspect code, trigger bugs, modify requests, debug crashes, write scripts, adapt proof-of-concept code, escalate privileges, and document what broke.

That is not a failure of pedagogy. That is pedagogy.

A person cannot learn exploitation merely by being told exploitation exists. They need to see why a trust boundary failed, why input reached a dangerous sink, why one payload failed and another worked, how environmental details affect reliability, and how a configuration error becomes control. A red teamer who has never written exploit code is not fully trained. A detection engineer who has never watched exploit behavior execute is guessing. A malware analyst who cannot study malicious code is being patronized.

Sanitized cyber education produces paper defenders.

A paper defender knows SQL injection is bad. A real defender understands how injection is discovered, how database behavior leaks structure, how logs show probing, and how prepared statements change the risk. A paper defender knows ransomware encrypts files. A real defender understands initial access, privilege escalation, backup targeting, data staging, administrative tooling, and the earlier moments when the intrusion could have been stopped.

Training platforms succeed because they create fenced worlds where dangerous knowledge becomes authorized practice. The box is meant to be attacked. The vulnerable application is meant to be broken. The domain range is meant to be abused. The ethical boundary is not the exploit mechanic. It is permission, scope, and use.

AI could make this education dramatically better. A model can explain why a lab exploit fails, map technique to defensive telemetry, ask what logs would show, and help turn “I rooted the box” into a professional finding: vulnerability, impact, evidence, remediation, detection, and lesson learned.

That is not criminal enablement. That is serious instruction.

The danger is not that students learn too much in labs. The danger is that they learn powerful techniques without ethics, scope, or defensive translation. A good AI tutor should do both: allow real technical learning in authorized environments and tie the lesson back to detection, remediation, reporting, and restraint.

What AI actually changes

AI changes cybersecurity because it makes dangerous knowledge conversational.

A static exploit archive is inert until someone can read it. A model can explain it. A proof of concept may fail in a user’s environment. A model may help diagnose why. A dense malware report may be unreadable to a junior analyst. A model may extract the tradecraft and detection opportunities. A vulnerable code path may be obscure. A model may help a maintainer understand it.

This is powerful. It is also risky.

The right policy must distinguish static knowledge, interactive assistance, and autonomous operational capability. Reading an exploit writeup, asking a model to explain a lab exploit, and deploying an autonomous exploit chain are not the same risk.

AI should be highly useful for explanation, education, defensive analysis, lab work, secure coding, malware analysis, detection engineering, incident response, and authorized research. It should become more cautious as requests move toward live targeting, stealth, persistence, credential theft, evasion, exfiltration, ransomware, botnets, or scalable exploitation. It should be most constrained where users seek autonomous or semi-autonomous operation against real systems.

“Dual use” cannot be a conversation stopper. Nearly all meaningful cyber knowledge is dual use. The real question is direction: is the system helping someone understand, defend, test, remediate, disclose, or detect — or helping them compromise, persist, steal, evade, extort, or scale abuse?

The government’s valid concern — and flawed inference

Governments are not wrong to worry. The U.S., U.K., and allied security agencies see brittle infrastructure, ransomware, state-linked intrusion, exploit markets, access brokers, phishing platforms, and AI systems that can explain code and accelerate technical work. Their concern is legitimate.

The flawed inference is this: because AI may increase cyber misuse risk, advanced AI should be broadly constrained from being useful for exploit education, red-team training, malware analysis, vulnerability research, and adversary emulation.

That is wrong.

You cannot remove offensive understanding from defensive practice. You cannot impair exploit education without impairing defenders. You cannot make models useless for serious cyber work and expect only attackers to suffer. Skilled adversaries will route around restrictions. The long tail of defenders will not.

The state’s proper role is to regulate harmful deployment, not technical understanding.

Unauthorized access, credential theft, extortion, destructive attacks, botnets, unlawful surveillance, ransomware, and data theft should be punished. Providers should not facilitate those harms. High-risk autonomous cyber capabilities may need strong controls.

But exploit education in labs, vulnerability reproduction in owned environments, malware analysis, detection engineering, adversary emulation, secure code review, and technical journalism should not be treated as proliferation threats.

Government must also avoid informal censorship. If agencies pressure model providers through procurement, classified briefings, liability threats, or “voluntary” commitments, the boundaries of cybersecurity knowledge may shift without public debate. That is unacceptable. If cyber-capable AI needs regulation, it should happen through public law, transparent standards, and accountable oversight — not quiet pressure.

The capability-capture problem

The deepest danger is selective restriction.

A technology is declared too dangerous for ordinary access. Governments and major vendors create channels for “trusted” users. In theory, this protects the public. In practice, trusted users often mean defense contractors, intelligence partners, major cloud providers, large banks, telecoms, federal vendors, elite universities, and corporations with government-relations teams.

Everyone else gets reduced capability.

That is the cyber capability cartel.

It need not be corrupt. Normal incentives are enough: avoid scandal, satisfy regulators, retain enterprise customers, win government contracts, and minimize edge-case risk. Public models become cautious and shallow. Approved institutions receive advanced assistance.

This would harm the security ecosystem. Independent researchers, bug bounty hunters, open-source maintainers, civil-society analysts, technical journalists, students, and small consultancies have historically exposed serious failures and strengthened public defense. Excluding them from meaningful AI assistance would weaken the immune system.

“Trusted user” is therefore the wrong first category.

The better category is authorized context.

A student in a recognized lab may deserve detailed exploit help. An independent researcher inside a bug bounty scope may deserve research assistance. A maintainer analyzing a flaw in her own project may deserve code-level support. A journalist interpreting public threat reports may deserve technical explanation. A civil-society defender studying spyware threats may deserve serious assistance.

The same person should be refused if they ask to scan the internet for victims, steal credentials, evade EDR, deploy persistence, or exfiltrate data.

Legitimacy should turn on authorization, scope, purpose, and risk — not prestige, employer, or proximity to government.

A better access model

AI-assisted cybersecurity should use tiers, not a binary allow/refuse switch.

General users should receive useful defensive help: configuration, patching, MFA, secure coding basics, log interpretation, incident hygiene, and threat explanation.

Students in recognized lab contexts should receive deeper exploit education against intentionally vulnerable systems, with emphasis on remediation and detection.

Professional defenders should receive support for vulnerability triage, secure code review, detection engineering, SIEM logic, YARA and Sigma rules, incident timelines, cloud and identity investigations, patch validation, and adversary-emulation planning.

Researchers should have access to exploit reproduction in owned or scoped environments, fuzzing support, crash analysis, root-cause review, patch-diff interpretation, responsible disclosure assistance, and malware reverse engineering.

The highest-risk frontier capabilities — autonomous vulnerability discovery at scale, agentic exploit chaining, operational cyber automation — should be tightly controlled through stronger verification, legal agreements, audit, and oversight.

This model preserves proportionality. A government may reasonably worry about autonomous exploit agents. That does not justify blocking a student from understanding SQL injection in a lab.

The prohibited zone should be clear: unauthorized targeting, credential theft, phishing-kit deployment, ransomware workflows, botnets, destructive payloads, stealth persistence on third-party systems, exfiltration, evasion tuning for abuse, instructions to avoid attribution, and post-compromise actions against real victims.

Permissive toward authorized learning and defense. Strict toward operational abuse.

That is the line.

Safe harbor, oversight, and privacy

A serious access regime needs legal protection. Good-faith, authorized, bounded AI-assisted cybersecurity work should have statutory safe harbor.

That protection should cover students, independent researchers, bug bounty participants, open-source maintainers, malware analysts, journalists, civil-society defenders, MSPs, universities, and CERTs when their work is authorized, non-destructive, scoped, and directed toward education, testing, disclosure, remediation, incident response, or analysis.

It should not protect users who exceed scope, lie about authorization, steal data, deploy malware, conduct extortion, or cause harm.

Providers also need legal confidence that helping legitimate users in legitimate contexts will not be reframed as reckless enablement merely because the subject was technical. Without safe harbor, risk-averse companies will overblock everyone except major customers.

Oversight matters too. Model providers should not become the final court of cybersecurity legitimacy. Independent review should include researchers, educators, civil society, open-source maintainers, small defenders, privacy advocates, technical journalists, industry practitioners, and government, without government domination.

Users need meaningful appeals. Denials should be explainable and contestable. Transparency reports should show cyber access approvals, denials, appeal outcomes, confirmed abuse, government requests, and distribution across enterprise, education, independent, nonprofit, journalist, open-source, small-business, and international categories.

Audit is necessary but dangerous. High-risk access requires accountability, but cyber queries may contain undisclosed vulnerabilities, incident details, malware investigations, client data, or journalistic leads. Logs must be minimized, purpose-limited, time-limited, access-controlled, and protected from informal government fishing. The audit system designed to prevent cyber abuse must not become a vulnerability-intelligence collection system.

International access also matters. Cyber defense is global. Open-source maintainers, CERTs, journalists, civil-society defenders, and researchers outside the Five Eyes still need defensive capability. Export controls may be appropriate for the most dangerous autonomous systems, but they must not swallow ordinary advanced defensive education and research.

What good policy looks like

Good AI cyber policy would preserve meaningful education, protect authorized research, support professional defenders, recognize safe contexts, prohibit operational abuse, provide safe harbor, require oversight, protect privacy, prevent capture, and distinguish ordinary defensive work from high-risk autonomous capability.

Bad policy would do the opposite. It would make models shallow for ordinary users, treat professional vocabulary as suspicious, collapse labs and live targets into one category, create opaque trusted-user lists, privilege defense contractors and large enterprises, deny independent researchers, hide government pressure, overcollect sensitive research data, and call the result safety.

The worst outcome is not that no one gets advanced cyber capability. The worst outcome is that only the powerful get it cleanly while everyone else gets a toy version and a lecture.

This is also a democratic-security issue. Cybersecurity is not only a national-security problem. Hospitals, schools, municipalities, nonprofits, newsrooms, small businesses, open-source projects, and civil-society groups all depend on systems they often cannot adequately defend. AI could help them interpret advisories, triage incidents, understand logs, assess vulnerabilities, and learn faster.

A society that reserves serious AI cyber assistance for governments, defense primes, major vendors, and large corporations has not solved the security problem. It has centralized it.

Democratic resilience requires distributed competence. Independent researchers must be able to challenge vendors. Journalists must be able to understand evidence. Maintainers must be able to fix code. Students must be able to learn without elite gatekeeping. Small defenders must be able to improve without a six-figure retainer. Civil society must be able to protect itself even when threats are politically sensitive.

Dangerous knowledge and mature societies

Mature societies do not handle dangerous knowledge by pretending it can be uninvented. They build disciplines around it.

Medicine, chemistry, aviation, structural engineering, locksmithing, biology, and cybersecurity all require knowledge that can harm. The question is whether that knowledge is governed by training, ethics, institutions, accountability, and law — or monopolized, suppressed, and driven into less accountable spaces.

AI makes this urgent because it changes the distribution of expertise. It can help defenders learn faster, researchers work better, maintainers fix sooner, journalists report more accurately, and small organizations respond more effectively. It can also help bad actors. Both truths must be held at once.

The path forward is not reckless openness or state-controlled silence. It is disciplined capability.

Create tiered access. Recognize authorized contexts. Protect good-faith research. Refuse operational abuse. Build privacy-preserving audit. Provide appeals. Require transparency. Include independent researchers and civil society. Prevent trusted access from becoming contractor access. Regulate harmful deployment, not technical understanding.

The world does not need AI systems that help criminals compromise networks. It also does not need AI systems that turn serious cybersecurity education into a maze of refusals.

Attackers will continue to learn. States will continue to build capabilities. Contractors will continue to chase budgets. Vendors will continue to ship imperfect code. The attack surface will not simplify. The defender shortage will not solve itself.

So the practical question is: who gets to learn fast?

If the answer is only governments, defense primes, major vendors, and approved institutions, then AI safety will have become another name for capability control.

If the answer includes students, defenders, researchers, maintainers, journalists, civil society, small organizations, and the public-interest security community, then AI can become what it should be: not a weapon handed to criminals, and not a secret tool of the powerful, but a disciplined amplifier of defensive competence.

AI should not teach people to commit attacks.

AI must be allowed to teach people how attacks work.

A society that cannot hold both truths at once is not protecting itself. It is choosing blindness in the name of safety.


Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.
