AI security is now a token-burning contest. Who's watching the bill?
Simon Willison frames AI-assisted security research as proof of work: more tokens in, more bugs found. That's an economic reality. Here's what the spend curve actually looks like and how to put a floor under it.
Simon Willison just reframed AI-assisted security research as proof of work: throw more tokens at the problem, get better results. That's an economic reality, not a metaphor. If your security team is running Claude Mythos and similar tools at scale, you are now in a compute-spend arms race. Someone needs to be watching the bill.
Willison published a piece this week arguing that cybersecurity research with frontier AI is starting to look like proof of work. His full post is worth reading.
The short version: Claude Mythos, Anthropic's security-focused tooling, found exploitable vulnerabilities in every OS and browser it was pointed at. The results scale with compute. More tokens spent, more bugs found.
This is a big deal for a reason nobody's talking about.
What "proof of work" actually means here
In Bitcoin, proof of work means: spend compute, get rewards. The more hash power you bring, the more likely you are to find a block. The economics are direct and brutal. You buy results with electricity.
Willison's framing maps onto AI security research. You aren't solving a fixed problem. You're running a stochastic search where more compute translates into more findings. The team with the bigger token budget finds more bugs.
Defensively, the same logic applies. If attackers are spending $50k in tokens to find vulns in your stack, your red team had better be spending at least that much to find them first.
The problem nobody's scoping
This is the part Willison stops short of saying.
Token budgets in security research are not bounded. A researcher running Mythos on a target isn't spending 10k tokens on the analysis. They're spending 10M. Or 100M. Depending on how deep the agent goes, how many branches it explores, how many retries it takes.
Multiply that by a team. Multiply again by the number of targets. Multiply again by the frequency you want to re-run.
Your AI security research spend goes from "trivial" to "largest line item on the infra bill" inside a quarter.
And because it's nondeterministic, you can't easily predict what next month costs. A new CVE drops, everyone reruns their Mythos suite, the bill triples overnight.
Three failure modes specific to AI security workflows
Unbounded search depth. An agent told to "find exploitable vulns in this binary" has no natural stopping condition. It'll keep looking until someone pulls the plug.
Recursive tool use. Security agents chain tools: disassembler, fuzzer, debugger, more LLM. Each tool returns context that feeds the next call. Token usage compounds like interest.
Rerunning on every release. You don't run Mythos once. You run it on every new build. That's a per-release cost that grows with velocity.
What to do about it
Three controls, in order:
1. Put a budget on every research job. Before the agent runs, set a hard dollar ceiling. When the cap is hit, the job terminates with a partial report. Better to have 70% coverage at budget than 100% coverage at 3x the intended spend.
2. Timeout every session. Wall-clock limit per target. If Mythos hasn't converged on a target in 90 minutes, it probably won't. Kill it and move on.
3. Rate-limit tool calls. A misbehaving agent can generate thousands of tool calls per minute. Cap the rate at the guardrail layer so a stuck loop doesn't rack up 5M tokens before anyone notices.
These aren't observability. They're enforcement. Observability tells you how much you spent. Enforcement stops the spend from happening.
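The three controls above, as an added sketch (not code from this post, and not AgentGuard's API): a hypothetical `RunGuard` checks the dollar ceiling, wall-clock limit and tool-call rate before every call, and `run_job` returns a partial report when any of them fires. All names, the price per million tokens and the `(tokens, finding)` step shape are assumptions made for the example.

```python
import time
from collections import deque

class GuardTripped(Exception):
    """Raised by a guard to stop the job; the message names the control that fired."""

class RunGuard:
    """Hypothetical enforcement wrapper: dollar ceiling, wall-clock limit, call-rate cap."""
    def __init__(self, max_usd, max_seconds, max_calls_per_min,
                 usd_per_mtok, clock=time.monotonic):
        self.max_usd, self.max_seconds = max_usd, max_seconds
        self.max_calls_per_min, self.usd_per_mtok = max_calls_per_min, usd_per_mtok
        self.clock, self.start = clock, clock()
        self.spent_usd = 0.0
        self.calls = deque()  # timestamps of tool calls made in the last 60 s

    def before_call(self):
        now = self.clock()
        if self.spent_usd >= self.max_usd:
            raise GuardTripped("budget")
        if now - self.start >= self.max_seconds:
            raise GuardTripped("timeout")
        while self.calls and now - self.calls[0] >= 60:
            self.calls.popleft()
        if len(self.calls) >= self.max_calls_per_min:
            raise GuardTripped("rate_limit")  # treat a burst as a stuck loop
        self.calls.append(now)

    def charge(self, tokens):
        # Token counts are only known after a call returns, so the ceiling
        # can be overshot by at most one call's cost.
        self.spent_usd += tokens / 1_000_000 * self.usd_per_mtok

def run_job(steps, guard):
    """Run tool-call steps under the guard; return a partial report if a guard fires."""
    findings, stopped_by = [], None
    try:
        for step in steps:
            guard.before_call()
            tokens, finding = step()  # each step returns (tokens_used, finding_or_None)
            guard.charge(tokens)
            if finding:
                findings.append(finding)
    except GuardTripped as stop:
        stopped_by = str(stop)
    return {"status": "partial" if stopped_by else "complete", "stopped_by": stopped_by,
            "spent_usd": round(guard.spent_usd, 2), "findings": findings}
```

Because the check runs before each call and the charge lands after it, the worst-case overshoot is one call; cap per-call output tokens as well if that margin matters.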
What I use
I built AgentGuard because I was running coding agents overnight and watching some of them go off the rails. Security workloads have the same shape: long-running, tool-heavy, open-ended.
AgentGuard provides runtime budget, loop, timeout, rate limit, and token guards for any agent process. Python SDK, pip install agentguard47, zero dependencies, MIT. Works with Claude, OpenAI, local models, whatever your security tooling runs on.
The proof-of-work framing is accurate. Security is becoming a compute game. The teams that win will be the ones who spend productively without accidentally spending ten times as much.
Building a budget floor under your security research workload is boring. It's also what keeps the program sustainable when the invoice arrives.
Patrick Hughes
Building BMD HODL — a one-person AI-operated holding company. Nashville, Tennessee. Fifteen agents.