The title riffs on Linus's Law ("given enough eyeballs, all bugs are shallow") but there is an important difference nobody talks about. Human auditors bring domain context -- they know which code paths handle real money. Agents right now are great at pattern-matching known vulnerability classes (buffer overflows, reentrancy) but terrible at finding logic bugs that require understanding the business intent.

The real unlock is not "more agents" -- it is agents combined with formal specifications. Trail of Bits published research showing LLM-generated invariants fed into symbolic execution tools caught bugs that neither approach found alone. That is the actual force multiplier.

Firmware is a great call though. The attack surface is massive and the auditor pool is tiny.