> Your proposal of relying purely on static analysis is over-idealistic and just not feasible for large, diverse codebases in the real world.
"Just not feasible" is thought terminating, but regardless, I thought we were talking about ideals? Ideally you want the static analysis to work, not to rely on the non-deterministic bullshitter.
> piss away yet more tokens
> non-deterministic bullshitter.
You're so ideologically opposed to AI that you bury your head in the sand in cases where it genuinely does a fantastic job today, right now, in the real world (like developing end to end exploits using noisy signals like static analysis results, fuzzer results, etc).
Instead you assert that we should go a route no company has successfully proven out despite throwing billions of dollars and some of the best cybersecurity talent in the world at.
Anyways, if you develop a static analysis solution that works across large, diverse production codebases and develops end to end working exploits without AI, I will literally buy it off you for millions of dollars. Or you could start your own company. You'd be an overnight decabillionaire.
I actually do use AI, I wouldn't say I'm ideologically opposed lol. Maybe I'm ideologically opposed to thought terminating clichés, or how FAANGers see it as a cudgel to cram in wherever we find an open gap just to shit infinite tokens into?
You just haven't suggested a single solution that achieves the same level of risk reduction as AI driven end-to-end exploit generation.
You claim static analysis does the job, but you haven't backed it up with any proof that it works across large diverse codebases. Meanwhile, we have proof that AI works at least somewhat, here and now.