Freelock Blog: Vibe-coding versus Open Source – Security over the long haul

Vibe-coding is all the rage today. Who needs a developer when you can get an AI to develop an application for you? There are scads of application development tools now that promise to create that app you always wanted — and surprisingly, these often work! For some definitions of “work” anyway.

If you’re not familiar with the term, “Vibe coding” is the practice of getting an AI to create an application for you, by telling it what you want it to look like and do, without necessarily having any coding skills yourself. The phrase is attributed to Andrej Karpathy from a post on Twitter (X) last February.

Back in September I was thinking about submitting a speaking proposal for next year’s DrupalCon, about creating a set of requirements to hand off to an AI to build out a Drupal site. I spent a few hours trying to see if the Drupal AI integrations were there yet. They had recently announced some of the work that was done getting Drupal AI to manage “swarms” of agents capable of doing different specific tasks. By the time the deadline flew by, I didn’t have even a starting point — it’s a bit overwhelming out there how many approaches and tools there are.

Can Spec-driven development solve the problem?

Fast forward to today, I hopped on a fascinating livestream hosted by JetBrains about Spec-driven development. They demonstrated the approach outlined in a blog post from last month: create a requirements doc, have the AI create a detailed plan broken down into phases, and then have it build one phase at a time, complete with tests and human verification along the way.

This approach makes a ton of sense to me, and I do think this is the future of coding. Most of my recent work has been heading in this direction — I’ve been using Claude Code and OpenCode to develop tests first that identify exactly what I want to build, and then have it build until the tests pass.

However, there’s still a major problem here: the job is never done. Emerging threats change the requirements around security. As long as you’re still using a piece of software, somebody needs to be paying attention to security around it, if you don’t want to risk it making you the next business to get breached.

Site Maintenance is not optional

By creating an all-new app to solve your problem, do you realize you are taking on responsibility to keep it current forever? Or at least for as long as you’re going to use it?

If your website or application can be reached from the Internet, it will be attacked — and probably has been already, whether you know it or not. The main question is, will an attack succeed?

That depends on a bunch of factors, including the sophistication of the attack, the amount of effort put into the attack, and how many impediments are in front of your app to block an attack — but at a certain point, it also comes down to whether your application is vulnerable to an attack.

The catch is, that shiny new app is as secure as all the code that LLM crawled to create it — and there’s an awful lot of bad, insecure code out there. There’s plenty of good, solid code too — but how can you tell the difference?

New vulnerabilities are discovered every day. Active software, software backed by either open source teams or properly resourced internal teams, stays on top of vulnerabilities and releases updates to mitigate them — but somebody has to apply those updates to keep your business safe.

AI-Driven attacks raise the stakes

Anthropic recently posted a fascinating analysis of how attackers are using LLMs to create attacks on sites. From the article:

  This raises an important question: if AI models can be misused for cyberattacks at this scale, why continue to develop and release them? The answer is that the very abilities that allow Claude to be used in these attacks also make it crucial for cyber defense.

This is entirely true — we’ve been actively using AI to mitigate DDoS attacks that have most likely been launched using AI. And it’s hilarious coming from Anthropic, the company behind Claude AI, who stands to benefit on both sides of this battle — there is no downside for them whatsoever, aside from reputation.

Cybersecurity has long been an arms race between the attackers and site owners. The statistics are alarming — according to SQ Magazine:

  • The average cost of a single cyber incident for small businesses reached $164,000 in 2025.
  • Businesses lost an average of $29,000 in revenue due to downtime and disruption per attack.
  • 22% of attacked small businesses reported customer churn as a direct result of breaches.
  • Customer trust scores (measured by online reviews and NPS) dropped by 15% on average post-breach.
  • Among firms that experienced a cyberattack in the past 18 months, 17% are no longer operating as of Q2 2025.

So I ask again, do you really trust that your vibe-coded app is fully secure?

The power of open source

The true power of open source? People. Hundreds or thousands of other people working with you to keep your site or application secure.

We love Drupal for this, but even WordPress with all its security issues is far better to use for a production environment than an untrusted new app vibe-coded from scratch. We’ve been talking with a lot of developers recently, and often hear derision directed at WordPress and Drupal — “Drupal is still a thing? I thought that died years ago!” And yet both of these platforms have long solved all sorts of problems that the JavaScript crowd has to deal with on every project.

With millions of installations, and use by millions of organizations, both of these platforms can be hardened to be as safe as anything out there. There are always new attacks, so at some point the protection becomes “have good backups”.

Creating new code is easy, and vibe-coding can be fun. But why take on all the security risk and maintenance burden, when you can use a mature platform that is battle-tested and has a security team coordinating updates?

Do you need protection for your site?

That’s the core service we do for most of our clients — keep their Drupal or WordPress site fully up-to-date, and make sure everything is backed up so we can recover if some previously unforeseen attack takes down everything.

Security isn’t everything — your site also needs to work. Sometimes applying updates breaks things. This is where our Protection Plans shine — we run all releases through testing before releasing most updates. All of our managed sites have visual regression tests — we test a list of URLs on your site to make sure there are no errors, and that any changes are expected. We also run existing integration tests automatically with each release before it goes out — and if something fails, we flag it for review and stop the release process.

I say “most updates” because we do monitor security bulletins, and if there’s a vulnerability we assess to be dangerous for your site — either in that it could lead to compromising sensitive data or executing code — we rush it out through a “hotfix” process that automatically does a backup and then applies the patch directly on production.

Most security updates don’t reach this threshold — the vast majority we see are privilege escalation or denial of service — things that may be dangerous when combined with a different vulnerability, or nuisances that can be handled if they arise.

If you aren’t confident your Drupal or WordPress site can handle an attack, reach out to us, and let us help!
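One way to implement the release gate described above, as an added example that is not Freelock’s own tooling: compare each checked URL’s status and body digest against a saved baseline, let only pre-approved changes through, and block the release on any error, unapproved change, or page that was never checked. The paths and page bodies are constructed stand-ins for real fetches.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class PageCheck:
    url: str      # path checked on the release candidate
    status: int   # HTTP status returned
    body: bytes   # rendered page body (a screenshot would work the same way)

    def digest(self) -> str:
        return hashlib.sha256(self.body).hexdigest()

@dataclass
class GateResult:
    errors: list = field(default_factory=list)      # HTTP errors or pages not checked
    unexpected: list = field(default_factory=list)  # content changed without approval
    approved: list = field(default_factory=list)    # content changed, change was expected

    @property
    def release_ok(self) -> bool:
        # Any error or unapproved change stops the release for human review.
        return not self.errors and not self.unexpected

def gate_release(baseline: dict, current: list, expected_changes: set) -> GateResult:
    """baseline maps url -> sha256 of the approved body; expected_changes holds
    urls whose content is allowed to differ in this release."""
    result, seen = GateResult(), set()
    for page in current:
        seen.add(page.url)
        if page.status >= 400:
            result.errors.append((page.url, page.status))
        elif (old := baseline.get(page.url)) is not None and old != page.digest():
            bucket = result.approved if page.url in expected_changes else result.unexpected
            bucket.append(page.url)
    for url in baseline:  # a page that was never checked cannot be called safe
        if url not in seen:
            result.errors.append((url, "not checked"))
    return result

# Constructed sample data standing in for real fetches (hypothetical paths).
BASELINE = {p: hashlib.sha256(b).hexdigest() for p, b in
            [("/", b"<h1>Home</h1>"), ("/about", b"<h1>About</h1>"), ("/contact", b"<h1>Contact</h1>")]}
CANDIDATE = [
    PageCheck("/", 200, b"<h1>Home</h1>"),               # unchanged
    PageCheck("/about", 200, b"<h1>About us</h1>"),      # changed, approved in demo()
    PageCheck("/contact", 500, b"Service unavailable"),  # server error: blocks release
]

def demo() -> GateResult:
    return gate_release(BASELINE, CANDIDATE, {"/about"})
```

In a real pipeline the baseline digests would be refreshed from the approved pages only after the release is accepted, so an unreviewed change never silently becomes the new normal.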
