Article · Fast Company

Moving Beyond Detect and Respond: How Generative AI is Revolutionizing the Cybersecurity Industry

Stuart McClure · Fast Company

Stuart McClure has been making the case against detect-and-respond for over a decade, since the earliest days of Cylance, when the argument was genuinely radical. The core claim was then, and remains now, that a security paradigm built on the assumption that attackers will get in, and focused on detecting and responding to their presence afterward, is structurally worse than a paradigm built on preventing compromise in the first place. Detection and response accepts the damage; prevention avoids it.

This Fast Company article carries that argument into the generative AI era, contending that large language models create a new opportunity to genuinely break the detect-and-respond cycle in application security. Traditional vulnerability scanning finds code patterns that match known-vulnerable signatures, which means it fails at novel vulnerabilities and produces enormous volumes of false positives that overwhelm development teams. Generative AI can reason about code semantically (understanding what a piece of code actually does, what its execution context is, and what realistic attack paths exist) and can prioritize findings with far greater precision.

The implications for the economics of application security are significant. Developer time spent on false positive triage is expensive and demoralizing. A system that can reduce the false positive rate dramatically while improving coverage of genuinely novel vulnerabilities does not just improve security outcomes — it changes the business case for investing in application security at all.

The article represents Stuart's effort, consistent across his work at Qwiet AI and his Fast Company writing, to reframe the industry conversation around prevention as the right goal rather than detection speed as a proxy for it.
