Method Security: AI is helping attackers hit orders-of-magnitude scale, and DOD has deployed the company's offensive tools
Aug 13, 2025 with Sam Jones
Key Points
- AI is compressing offensive security assessments from three-month engagements to 30 seconds by automating known attack techniques at scale, not by generating novel exploits.
- Method Security sells offensive and defensive cyber tools to the Department of Defense and is positioned as a dual-use vendor automating capabilities historically locked behind nation-states and elite red teams.
- Congress earmarked $1 billion for offensive cyber operations in the Big Beautiful Bill, a signal Method views as insufficient but one that positions the company in the path of accelerating federal spending.
Summary
Sam Jones, CEO and cofounder of Method Security, is building what he describes as a dual-use cyber platform that automates offensive security tradecraft previously locked behind scarce, expensive human expertise. The company is venture-backed, though Jones has kept a deliberately low profile given the scale of the opportunity he is pursuing.
The AI Threat Shift
The most actionable framing Jones offers is a correction to a common misconception. AI is not yet generating waves of novel zero-day exploits. Instead, it is enabling known attack techniques to be executed at orders-of-magnitude greater scale and speed than was conceivable two to three years ago. A security assessment that once required a three-month engagement with a specialized red team can now be compressed to roughly 30 seconds using a compound AI system capable of mapping an organization's full attack surface and initiating offensive action.
The practical implication is severe for defenders. The global attack surface is too large for any single human or conventional security product to comprehend, but AI systems can enumerate it comprehensively, shifting the asymmetry further toward attackers unless defenders adopt equivalent tooling.
Offense as a Commercial Product
Method's core insight is that offensive capability, historically the domain of nation-states and elite red teams, can be productized and used to continuously stress-test enterprise defenses in a feedback loop. The company sells both offensive and defensive products and is already deployed with the Department of Defense and broader US government, making it an explicitly dual-use vendor.
On the commercial side, Jones notes that most Fortune 500 security executives are still buying against known problem categories rather than experimenting with novel AI tools. Sophisticated teams maintain dedicated AI innovation budgets, but the majority map new purchases to familiar frameworks, a constraint Method appears to be navigating deliberately.
Government Spending Tailwind
The federal budget signal is significant. The Big Beautiful Bill earmarks $1 billion specifically for offensive cyber operations, a figure Jones views as meaningful but still insufficient relative to the threat. He characterizes the current US posture as failing to keep pace and argues the investment needs to go higher. That legislative commitment, combined with Method's existing DOD deployment, positions the company directly in the path of accelerating government cyber spend.