Cybersecurity: The Infinite Chess Game
Almost everyone has seen a chess game at some point. Even those who have never learned to play can recognize the board, the pieces, and the basic tension of the game: two players facing each other across 64 squares, each one trying to outmaneuver the other until the moment one king has nowhere left to go. It is perhaps the most studied strategic game in human history. It has generated libraries of theory, entire careers built around its mastery, and a culture of analysis that breaks every possible scenario into known patterns, named openings, and documented endings. Chess is elegant precisely because it is complete. It has a beginning, a middle, and an end. Someone wins. Someone loses. The board goes back into the box.
But the title of this article adds a word that no chess manual has ever used: Infinite. And that word changes everything.
What happens when the game never ends? What happens when there is no condition that closes the board, no moment where one player is declared the winner and the pieces are put away? What happens when the adversary simply keeps playing, regardless of how many times you block their attack or contain their advance? That is not a hypothetical question. That is a precise description of cybersecurity. And understanding it at that level of depth, not just tactically but philosophically, is what separates organizations that build genuine resilience from those that spend resources chasing a finish line that does not exist.
The Anatomy of the Game: Players, Pieces, Board, and Something More
Before we talk about what makes this game infinite, it is worth understanding what makes it a game at all. Because chess is not simply a board. It is an architecture with several components that work together, and that architecture translates to cybersecurity with uncomfortable precision.
For any game to exist, there must be at least two players, or two sides. Without an opponent, there is no game, only practice in a vacuum. In cybersecurity, those two sides are the attacker and the defender. One is trying to compromise systems, steal data, extort organizations, disrupt operations, or achieve objectives that range from financial gain to geopolitical influence. The other is trying to protect critical assets, detect threats before they escalate, respond to incidents with speed and precision, and maintain the continuity of the business and the trust of those who depend on it. Without both sides, the dynamic does not exist. Every investment in security, every framework, every tool, every detection rule exists because there is someone on the other side of the board who intends to cause harm. Remove that intent, and the entire discipline transforms into something fundamentally different.
Then there are the pieces. In chess, each piece has a defined role, a specific way of moving, and a level of strategic value. The attacker in cybersecurity has pieces too: malware engineered to evade detection, ransomware designed to encrypt and extort at scale, phishing kits that impersonate trusted entities with near-perfect accuracy, exploit frameworks that transform known vulnerabilities into operational weapons, credential harvesting tools, lateral movement techniques, and increasingly, artificial intelligence that automates at machine speed what previously required human skill. The defender has pieces as well: endpoint detection and response platforms, extended detection across cloud and network layers, threat intelligence feeds, identity protection systems, vulnerability management programs, security operations centers, and cyber risk management capabilities that translate technical signals into business-relevant decisions. The pieces available to both sides evolve constantly. What was a sophisticated attack technique two years ago is now a commodity available on dark web forums for a few hundred dollars. What was cutting-edge defensive technology last year is now a baseline expectation. The pieces are always changing, and both players are always looking for the next one that shifts the balance.
But beyond the players and the pieces, there is the board. In classical chess, the board is fixed. It has 64 squares, arranged in the same pattern for every game, fully visible to both players from the moment the first piece moves. That visibility and symmetry are what make chess a perfect information game. In cybersecurity, the board is the digital environment, and it shares almost none of those properties. It is not fixed. It expands with every new system connected to the network, every cloud workload deployed without a complete security review, every third-party vendor integrated into the supply chain, every employee working from a network that the security team cannot see or control, and every AI agent introduced into business workflows with capabilities that even their operators do not fully understand. The board grows continuously, in multiple directions, often faster than either side can map it. And critically, neither player sees the full board at the same time. The attacker is probing for the parts that are not visible to the defender. The defender is trying to build visibility over a surface that never stops moving.
And then there is something that is not physically on the board but determines who has the advantage at any given moment: the tactics, techniques, and strategies that each side brings to the game. In chess, there are opening theories developed over centuries, gambits designed to sacrifice short-term position for long-term control, endgame techniques for converting an advantage into a decisive outcome. In cybersecurity, the attacker’s playbook has been systematically documented in frameworks like MITRE ATT&CK, which catalogs the specific techniques that real adversaries use across the full lifecycle of an intrusion. The defender’s strategic repertoire includes Zero Trust architectures, continuous threat exposure management, risk-based vulnerability prioritization, threat hunting, red and purple teaming, and cyber risk operations (CyberRiskOps) that integrate intelligence, context, and decision speed into a continuous loop. The game is not just about pieces and position. It is about the depth of strategic thinking each side brings to the board.
The Only Technology Discipline with a Human Adversary
There is something about cybersecurity that distinguishes it from every other domain in technology, and I have thought about this for years, including during the decade-plus of collaboration I have had with INTERPOL that fundamentally changed how I understand this field. That distinction is not about the complexity of the systems we protect or the speed at which threats evolve. It is about the nature of the opponent itself.
Think about the other great challenges in technology and engineering. Civil engineers design against gravity, material fatigue, seismic activity, and the slow erosion of time. Aeronautical engineers work against atmospheric physics, mechanical stress, and thermodynamic limits. Medical researchers combat bacteria, viruses, and the biological processes of disease. Electrical engineers design around the behavior of electrons and the properties of materials. All of these are formidable challenges. None of them involve an opponent that thinks.
Gravity does not adapt when you build a stronger foundation. A pathogen does not change its strategy because you developed a vaccine faster than it expected. A storm does not decide to change direction when it detects that the seawall has been reinforced. None of the forces that other technology disciplines contend with have the capacity for intention, creativity, learning, or strategic adaptation in real time. They operate according to physics, biology, and chemistry, which are consistent and, over time, predictable.
Cybersecurity is different. Entirely different. It is the only branch of technology where the adversary is a human being, or a group of human beings, with intention, with motivation, with the capacity to observe what you are doing and respond to it, to learn from their own failures, to communicate with other adversaries and share what works, and to innovate in ways that no threat model fully anticipates. Working alongside INTERPOL for more than a decade, one lesson embedded itself in everything I now believe about this field: cybercriminals do not attack systems. They attack opportunities. And opportunities are not created by technical vulnerabilities alone. They are created by human decisions, by process gaps, by organizational assumptions that were never tested under adversarial pressure, and by the persistent space between what we believe our defenses do and what they actually do.
That adversary takes many forms. It can be a nation-state with resources that dwarf most private sector security budgets, operating with the patience to plan intrusions over months or years, and with objectives that go far beyond financial gain into espionage, sabotage, and the long-term disruption of critical infrastructure. It can be a sophisticated ransomware group that operates with the structure of a professional enterprise, complete with specialized roles, division of labor, customer support departments designed to facilitate ransom payments, and quality assurance processes for their malware. It can be a hacktivist collective motivated by ideology rather than profit, with a willingness to accept risk that commercially motivated criminals would avoid. It can be an insider with privileged access and a personal grievance. It can be a low-sophistication actor who purchased ready-made attack toolkits from an underground marketplace and targeted an organization simply because the attack-as-a-service platform made it easy. The category of adversary changes. The fundamental humanity of the adversary does not.
And this is the point that makes the infinite nature of this game not just a philosophical observation but a historical inevitability: the adversary has always existed. Crime is not a modern invention. It is not a product of digitization or globalization or the invention of the internet. Wherever human societies have built systems for creating, storing, and transferring value, other humans have attempted to exploit those systems outside the rules that govern them. In ancient civilizations, it was trade routes and caravans. Then it was physical banks and wire transfers. Then telecommunications fraud. Today it is cloud environments, digital identities, software supply chains, and the API ecosystems that connect the modern enterprise. The medium through which crime operates has changed in every era. The underlying human motivation has not. Where there is value, someone will attempt to take it by force, deception, or exploitation. That is not a technology problem. It is a human nature problem. And human nature is not something that can be patched, updated, or resolved with a new framework release.
This is why cybersecurity is not an infinite game simply because of its technical complexity or the volume of threats. It is an infinite game because it is grounded in something that predates computers, predates the internet, and will persist long after the technologies we defend today are obsolete. As long as human beings create systems of value, other human beings will attempt to exploit them. That reality is the true engine of this game’s infinite nature.
Finite Games and Infinite Games: A Framework That Reframes Everything
In 1986, a philosopher and theologian named James P. Carse published a short but deeply influential book in which he proposed that all of human activity could be understood through the lens of two types of games. Finite games are played with the goal of winning. They have known players, fixed rules, an agreed-upon objective, and a clear ending condition. When that condition is met, the game is over, a winner is declared, and the players go home. Chess is a finite game. Football is a finite game. A legal dispute resolved by a court judgment is a finite game. Infinite games, by contrast, are played for the purpose of continuing to play. They have known and unknown players. The rules are changeable. There is no agreed-upon objective that, when achieved, ends the game. The goal is not to win but to remain in the game, to keep the game going. Business, Carse argued, is an infinite game. So is politics. So is life itself.
Simon Sinek later extended these ideas into the domain of leadership and strategy, arguing that the most common organizational failure is applying a finite mindset to an infinite game. Organizations that play to win, rather than playing to endure, make decisions optimized for short-term results that progressively weaken their long-term capacity. They measure success against competitors rather than against their own purpose. They declare victory at moments that are not actually endpoints. And then, when the game continues without their permission, they find themselves unprepared, because they had already mentally put the board away.
The parallel to cybersecurity is not metaphorical. It is structural. Cybersecurity is one of the clearest examples of an infinite game in practice, and the most prevalent failure in the field is exactly the one that Carse and Sinek describe: organizations treating an infinite game as though it has a finish line.
I have seen this repeatedly, across organizations of every size and sector. They invest heavily to achieve compliance with a particular framework, pass the audit, and experience a sense of completion, as though the act of certification has resolved a risk rather than documented a point-in-time posture. They implement a new security platform, close the associated project, and move on, as though deployment is the same as defense. They respond to an incident, contain the damage, and declare success, as though the adversary who attacked them has accepted the outcome and decided not to try again. They set goals like achieving zero critical vulnerabilities in their environment, as though such a state, even if momentarily achievable, could be sustained in a world where the attacker is continuously probing for new ones.
These are not failures of execution. They are failures of mindset. They are the result of treating a game that never ends as though it does. And the adversary exploits that misunderstanding with remarkable consistency, because the attacker has never once believed the game was over. The attacker does not interpret a blocked intrusion as a defeat. They interpret it as information about where to probe next. They do not interpret a failed phishing campaign as a loss. They interpret it as data for refining the next one. They do not stop because the defender deployed a new control. They start looking for the gap that the new control created or the process assumption it depends on that can be invalidated. The attacker has always been playing the infinite game. The question is whether the defender has finally accepted that they are too.
The Asymmetry at the Heart of the Board
Understanding the infinite nature of the game also illuminates its most fundamental structural imbalance, and that imbalance is something I believe every security leader, board member, and executive needs to internalize clearly, not as a reason for pessimism, but as a reason for honest strategic thinking.
In chess, both players face a symmetric board. The rules are the same for both sides. Each player has the same number of pieces with the same capabilities. The game is designed for fairness. The cybersecurity game is not designed at all. It emerged from the collision between the expansion of digital systems and the persistent human motivation to exploit them, and that collision produced an asymmetry that cannot be engineered away, only understood and managed.
The defender must protect the entire board, all the time. Every asset, every system, every identity, every access path, every vendor integration, every new technology introduced into the environment represents a potential entry point that must be considered. The attacker needs to find one. Just one opening, in one moment, from one direction, is enough. The defender must be right continuously. The attacker only needs to be right once. That is not a description of a fair game. It is a description of the actual game, and no amount of investment changes that fundamental ratio. What investment changes is how visible those entry points are, how quickly anomalous behavior is detected, how effectively the organization can contain the damage when a piece falls, and how rapidly it can recover and continue playing.
The asymmetry extends further. The defender operates within a set of constraints that the attacker does not recognize or respect. Defenders work inside organizational structures with governance processes, budget cycles, approval chains, compliance requirements, and the need to justify every action to multiple stakeholders with different priorities and risk tolerances. They must protect what the business needs to function, which means they cannot simply lock everything down. They must balance security with the operational requirements that make the organization valuable in the first place. Every defensive decision carries trade-offs, and those trade-offs must be documented, approved, and explained.
The attacker has one constraint: does it work? That ruthless simplicity of purpose gives the attacker a decision speed and operational agility that defenders cannot match through process alone. The attacker does not wait for a budget cycle to acquire a new capability. They do not need a steering committee to approve a change in tactics. They do not need to explain their methodology to a board of directors. They move, observe, adapt, and move again, at a tempo that organizational structures are not designed to counter. This is why, as I have argued before, attackers do not need to outsmart defenders or outspend them. They only need to move faster than the defender’s decision-making process can respond. And in many organizations, that bar is not as high as it should be.
Playing to Endure: Resilience, Mindset, and the True Strategic Objective
If the game is infinite, and if there is no condition that ends it, then the entire concept of winning needs to be replaced with something more honest and more useful. In an infinite game, the objective is not to defeat the opponent. It is to remain capable of continuing to play. It is to ensure that when the attacker succeeds in one area, the organization can absorb that impact, contain it, recover from it, and come back to the board stronger than before. That is not a consolation prize for not winning. It is the actual goal. It is the only goal that is coherent given the nature of the game.
That goal has a name in cybersecurity: cyber resilience. And cyber resilience is fundamentally different from the concepts that have traditionally dominated the security conversation. It is different from compliance, which tells you whether your documented controls meet a standard at a point in time. It is different from hardening, which reduces the attack surface but cannot eliminate it. It is different from detection, which identifies threats that have already entered the environment. Cyber resilience is the organizational capacity to continue functioning under adversarial pressure, to absorb the impact of incidents that prevention did not stop, to recover operations with a speed and precision that limits the damage, and to extract from every incident the intelligence needed to play the next round better.
Cyber resilience requires a continuous operating model, not a project with a start and end date. The Continuous Defense Loop, which I have described in previous work, captures this dynamic: cyber risk management that is always running, always updating, always translating new intelligence into adjusted defenses, always connecting the signals coming from detection systems to the decisions that reduce exposure before those signals become incidents. It is not a loop that starts when an attack begins and stops when the incident is closed. It is a loop that never stops, because the game never stops.
This shift in objective also changes what it means to measure success in cybersecurity. Success in a finite game is measured by the final score. Success in an infinite game is measured by how well-positioned you are to keep playing. For a security organization, that means measuring not just whether threats were blocked, but whether the organization’s cyber risk posture is actually improving over time. It means measuring decision speed, not just decision correctness. It means measuring recovery capability, not just preventive controls. It means having a clear, quantified, continuously updated understanding of which risks exceed the organization’s tolerance and ensuring that the right decisions are being made while they can still influence the outcome, not after the window of meaningful intervention has closed.
I have worked with hundreds of security leaders over the course of my career, and I have come to believe that the most important difference between effective CISOs and less effective ones is not technical expertise. It is mindset. It is whether or not they have accepted, truly accepted, that they are playing an infinite game. The infinite player does not measure success in terms of checkboxes completed or projects delivered. They measure it in terms of capability built and cyber risk genuinely reduced. They do not treat a passed audit as evidence of security. They treat it as a minimum floor that says nothing about their actual cyber resilience under adversarial pressure. They do not celebrate the blocking of an attack as a decisive victory. They treat it as a data point that tells them something about attacker intent and technique, and they use that information to prepare for the next move. They understand that the adversary is always still playing, and that the posture required to remain in the game tomorrow is never identical to the one that was sufficient yesterday.
Finite game thinking wants certainty. It wants to close every vulnerability, map every risk, and eliminate every uncertainty before declaring readiness. Infinite game thinking understands that certainty in an adversarial environment is not a state you reach but a direction you move toward continuously. The unknown is not evidence of failure. It is the permanent condition of operating in a space where the adversary is actively working to create new unknowns faster than you can map the existing ones. The response to that condition is continuous investment in visibility, in intelligence, in decision speed, and in the organizational capacity to respond effectively to what you did not see coming. And the board that demands that response is not the board that was mapped last quarter. It is the board as it exists right now, including all of its newest expansions, all of its recently introduced unknowns, and all of the assumptions that have not yet been tested under real adversarial pressure. That is precisely what the next challenge requires us to confront operationally.
Thinking Moves Ahead: From Reactive Defense to Cyber Risk Operations
There is a reason that the greatest chess players in history are not remembered for how well they responded to their opponent’s last move. They are remembered for how many moves ahead they were thinking while making it. A grandmaster does not sit across the board and react. They build a mental model of how the game might unfold across the next five, ten, or fifteen moves, evaluate the consequences of each possible decision at that depth, and act today based on what they anticipate tomorrow. The further ahead a player can think with accuracy, the greater their advantage over an opponent who is only responding to what is already on the board in front of them.
This is precisely the gap that defines the difference between most organizations’ current approach to cybersecurity and what the infinite game actually demands. The dominant operating model in the industry today is the Security Operations Center, the SOC, which was designed around a fundamentally reactive logic: monitor for signals, detect anomalies, respond to alerts, close incidents. That model made sense in an earlier era, when threats were less frequent, attack surfaces were more bounded, and the pace of adversarial innovation allowed defenders time to observe, analyze, and act within a cycle that was measured in days or weeks. That era is gone. And the SOC, despite decades of investment and genuine evolution, remains reactive by architecture. It was built to answer the question of what is happening right now. It was not built to answer the question of what is most likely to happen next, and what we should do about it before it does.
The challenge with reactive defense in an infinite game is not simply that it is slow. It is that it is structurally misaligned with the nature of the adversary. The attacker is always ahead of the alert. By the time a detection fires, the attacker has already been inside the environment, has already moved laterally, has already established persistence, and has already begun executing the next phase of their plan. The SOC analyst who responds to that alert is not playing the same game as the attacker. They are playing a different game entirely, one where the attacker set the terms, chose the moment, and had the advantage of preparation while the defender had the disadvantage of surprise. And then there is the signal-to-noise problem that anyone who has worked in a SOC understands viscerally: the overwhelming volume of alerts, the high rate of false positives that consume analyst attention and create fatigue, and the constant risk that the one alert that truly matters gets lost in the flood of the ones that do not. Reactive defense at scale is not just a strategic problem. It is an operational one that grinds teams down and creates exactly the kind of decision delays that attackers have learned to exploit.
The answer is not to abandon detection and response. Those capabilities remain essential. But they are not sufficient, and treating them as the primary operating model for cybersecurity is the equivalent of playing chess by only reacting to your opponent’s pieces after they have already moved. What is required alongside them is a fundamentally different operational discipline, one that is oriented toward anticipation rather than reaction, toward cyber risk rather than just threat, and toward decisions made before the attack begins rather than after it has already created damage.
That discipline is what I have called the Cyber Risk Operations Center, the CROC. Where the SOC asks what is happening, the CROC asks what is most likely to be exploited, by whom, through what path, and what we should do about it right now to reduce that probability before it becomes an incident. It operates on cyber risk intelligence rather than just threat signals. It maintains a continuous, dynamic understanding of the organization’s attack surface, including which assets are most exposed, which vulnerabilities have the highest probability of being weaponized in the current threat landscape, which attack paths lead to the systems and data that matter most to the business, and which defensive assumptions have not been validated under realistic adversarial pressure. It translates that understanding into prioritized decisions: not a list of everything that could be done, but a clear answer to what must be done now, given limited resources, to reduce the most meaningful cyber risk before the adversary acts on it.
The chess analogy is direct and deliberate here. The CROC operates at a greater depth of thinking than traditional security operations. It is not looking at the current position of the pieces on the board. It is building a model of how the game is likely to evolve, evaluating what the attacker’s most probable next moves are given what is known about their capabilities, motivations, and techniques, and taking actions today that constrain those future moves before they happen. That depth of thinking is what separates a reactive posture from a genuinely proactive one. And in the infinite game of cybersecurity, where the attacker is always still planning their next move even as the defender is celebrating the containment of the last incident, the organization that can think further ahead, with more accuracy and with faster translation of that thinking into decisive action, is the organization that remains in the game with its most critical assets intact.
This is not a theoretical aspiration. It is an operational requirement that the current threat environment has made urgent. The organizations that will build genuine cyber resilience in the years ahead are not the ones with the most alerts processed or the most incidents closed. They are the ones that have built the capacity to anticipate, to decide before the window closes, and to reduce cyber risk at the source rather than managing its consequences after the fact.
There is one capability that takes this depth of thinking further than any other, and that I believe represents one of the most important frontiers in proactive cyber defense: the cybersecurity digital twin. In chess, a grandmaster does not only think about moves in the abstract. They build a mental simulation of the board as it will look five or ten moves from now, testing each possible sequence internally before committing to a single action. The digital twin gives security teams the technological equivalent of that mental simulation, applied to the real environment of the organization. It is a continuously updated, data-driven replica of the organization’s infrastructure, systems, identities, and connectivity, one that allows defenders to run attack simulations, test the consequences of adversarial actions, and validate defensive assumptions without touching the live environment where real operations depend on stability and continuity.
The value of that capability in the context of the infinite game is difficult to overstate. Rather than discovering that a critical attack path exists by observing an attacker traverse it, the digital twin allows the security team to discover and close that path before any adversary reaches it. Rather than learning through an incident that a particular control does not perform under realistic adversarial pressure the way it was expected to, the twin surfaces that gap in a simulated environment where the cost of failure is a finding in a report rather than a breach in production. It transforms the question the defender is answering from “what happened?” to “what could happen?”, and from “how do we respond?” to “how do we prevent?”. After more than two decades in this field, I can say with conviction that this shift from awareness to anticipation is not a luxury for organizations with large security budgets. It is the direction that proactive cyber defense must move, because the attacker has always been simulating. They map environments, model defenses, test techniques in controlled conditions, and only execute when they have sufficient confidence in the outcome. The digital twin is how defenders begin to match that discipline on their own side of the board.
When Artificial Intelligence Changes the Board Itself
In May 1997, something happened that shook the chess world in a way that no tournament result ever had. Garry Kasparov, widely considered the greatest chess player in human history and the reigning world champion, lost a six-game match to Deep Blue. It was not the first time a machine had defeated a grandmaster in an individual game. But it was the first time a machine had won a full match against the best human player alive, under tournament conditions, with the world watching. The reaction was not just surprise. It was a kind of existential disorientation. Chess had always been considered the ultimate test of human strategic intelligence, the game where the depth and creativity of the human mind could express itself most fully. And a machine had won. Not by playing more beautifully or more creatively, but by calculating with a speed and a depth that no human mind could sustain across the full length of a competitive match. The game had not changed. The board was the same. The rules were the same. But the nature of what was possible within that game had been transformed permanently.
What happened to chess in 1997 is now happening to cybersecurity, except the stakes are not a championship title. And unlike Deep Blue, which was confined to a board with fixed rules and a defined objective, AI in cybersecurity operates on a board with no fixed boundaries, no complete rulebook, and no referee. Every era introduces new pieces into the game. New attack techniques emerge, new defensive capabilities follow, and both sides adapt. That cycle has repeated itself throughout the entire history of this field. But artificial intelligence is not just adding new pieces to an existing board. It is changing the board itself, expanding it in ways that neither side fully understands yet, introducing squares that did not exist before, and altering the speed, scale, and nature of how the game is played in ways that make every previous assumption about pace and complexity insufficient.
On the attacker’s side, the implications are already visible and will only deepen. AI gives adversaries the ability to automate at a scale and speed that previously required large, well-resourced criminal organizations to achieve. Reconnaissance that once took skilled operators days or weeks can now be compressed into hours. Phishing campaigns that once required careful crafting to be convincing can now be generated and personalized at machine speed, targeting thousands of individuals simultaneously with messages that are contextually accurate, linguistically natural, and behaviorally tailored based on data that is already publicly available. Malware that once required specialized expertise to develop can be accelerated, refined, and adapted using AI-assisted tooling that lowers the barrier to entry for less sophisticated actors while amplifying the capability ceiling for the most sophisticated ones. Agentic systems, capable of making autonomous decisions across a sequence of steps without human intervention at each stage, are already beginning to appear in offensive contexts, not just as tools that execute a single function but as orchestrated workflows that evaluate their environment, adapt their behavior based on what they observe, and pursue objectives across multiple systems in ways that look less like traditional malware and more like coordinated operational campaigns.
And then there is a dimension of this that deserves particular attention, one that I believe the industry has not yet discussed with sufficient seriousness: nation-state actors with the resources and the motivation to develop their own AI models, built specifically for offensive cyber operations, trained on datasets that no commercial vendor has access to, optimized for objectives that are geopolitical rather than financial, and designed to operate in ways that existing detection and behavioral analysis frameworks were not built to anticipate. When we talk about AI in cybersecurity, we often frame it around commercially available models and publicly known techniques. But the most capable adversaries in the world are not constrained by commercial availability. They have research programs, state resources, and years of investment in capabilities that are not published in academic papers or demonstrated at security conferences. The possibility that some nation-state actors are already operating offensive AI capabilities that the defensive community has never seen is not a speculative concern. It is a reasonable inference from what we already know about how those actors invest and operate.
For defenders, AI introduces its own transformation of the board, and that transformation is simultaneously a significant opportunity and a profound source of new risk. On the opportunity side, AI allows defensive operations to process volumes of telemetry, signals, and contextual data that no human team could analyze at the speed the threat environment demands. It can accelerate detection, surface patterns across datasets that were previously too large and too complex to correlate manually, assist in cyber risk prioritization, and support the kind of continuous monitoring that the infinite nature of the game requires but that human capacity alone cannot sustain. AI can help defenders move faster, and in a game where decision speed is one of the most critical variables, that matters enormously.
But AI also introduces entirely new categories of risk that expand the board in directions that organizations are only beginning to map. Every AI system integrated into business operations creates new attack surfaces: the models themselves, the data pipelines that feed them, the APIs that expose their capabilities, the agent frameworks that allow them to act autonomously on behalf of the organization, and the trust relationships between AI components that assume the integrity of signals they cannot independently verify. When AI agents are introduced into workflows with the ability to make decisions, execute actions, access systems, and interact with other agents, the attack surface is no longer just the systems that humans configured and understood. It includes the behavior space of autonomous systems operating at a tempo and a complexity that human oversight cannot fully track in real time. Prompt injection, model manipulation, supply chain attacks targeting AI components, and the exploitation of trust between autonomous agents are not theoretical future threats. They are active areas of adversarial research and, in some cases, already operational techniques.
The chess analogy holds, but it needs to be extended. AI does not simply give both players faster reflexes or more powerful individual pieces. It adds new squares to the board that did not exist in the previous version of the game. Some of those squares are visible to the defender. Many are not. And the attacker, unconstrained by governance processes or ethical review cycles, will explore those new squares faster and with fewer restrictions than the defender can move to understand and protect them. Every new AI capability introduced into an organization’s environment is simultaneously a new piece available to the defender and a new square on the board that the attacker will study, probe, and eventually attempt to exploit. The board is getting larger, and it is getting larger faster than at any previous point in the history of this game.
This does not mean that AI should be avoided or that its risks outweigh its defensive value. It means that the organizations that will navigate this transition most effectively are those that approach AI not as a solution to the infinite game but as a new dimension of it, one that requires the same strategic clarity, continuous cyber risk assessment, and cyber resilience-oriented thinking that the rest of the game demands. AI changes the tempo of the game. It changes the complexity of the board. It introduces new pieces with new capabilities for both sides. But it does not change the fundamental nature of the game. It is still infinite. The adversary is still human. And the goal is still to remain capable of playing tomorrow.
The Game Continues
The board of cybersecurity has never been empty, and it has never been more complex than it is right now. It was not empty before there was an internet, when adversaries exploited telecommunications and physical systems. It is not empty today, as AI agents, autonomous decision systems, and expanding digital supply chains add new squares to a board that was already larger than most organizations could fully map. And it will not be empty in the future, because the human motivation that drives the adversary predates every technology we have ever built to defend against it. That motivation is not a technology problem. It is a constant.
Organizations that understand they are in an infinite game stop wasting resources chasing outcomes that are not available to them and start investing in what the game actually rewards: the capacity to endure, to adapt, and to keep playing with more skill and more cyber resilience than the round before. That means thinking further moves ahead, not just responding to the last one. It means building cyber risk operations as the discipline that continuously maps the board, anticipates the adversary’s next moves, and reduces exposure before an attack begins. It means treating cyber resilience not as a recovery plan that activates after the damage is done, but as the organizational capacity to absorb impact, maintain critical operations under pressure, and come back to the board stronger. And it means understanding that detection and response, as essential as they are, represent only one layer of a much deeper game. The organizations that will remain on the board in the years ahead are those that thwart before they detect, that anticipate before they react, and that build resilience not as a response to failure but as a permanent operating condition. The question every organization, every board, and every security leader needs to answer is not whether they are going to be attacked. That answer is already known. The question is whether they are playing the right game with the right mindset. The infinite chess game never ends. AI has made the board larger, faster, and more complex than ever before. The only meaningful choice remains the same: how you decide to play it.


