How AI Has Rewritten the Rules of DevSecOps Automation
Automation has always been the foundation of DevSecOps. The premise is simple: remove manual toil to increase speed and security. However, veteran engineers know that "automate everything" is often a catchy slogan rather than a practical reality. We have always needed human review, approvals, and escalations.
But more importantly, we used to have a very strict rule about Return on Investment (ROI).
The Old Reality: The "Break-Even" Trap
Traditionally, we looked at automation through a strictly mathematical lens. You pay an upfront "development cost" to write the script, with the hope that the time saved over the long run eventually pays back that debt.
In a perfect world, the graph looks like a neat intersection where you eventually profit. But in the real world, the ROI isn't so neat. This struggle sparked some of the most famous engineering humor of the last decade.
The "Rabbit Hole" Problem
As illustrated by the classic XKCD 1319, we often fall into the trap of spending time automating a task, only to find that the automation itself requires debugging, maintenance, and constant tweaking.
You needed deep experience to know when to stop before going down the rabbit hole. You had to ask: Is the thing I am automating going to change next week? Did I choose a poor design that will cause more pain than the manual task?
The "Is It Worth It?" Calculation
Then there is the sheer math of time, famously charted in XKCD 1205.
This chart was our bible. It forced us to ask: Is it worth my time?
If a task takes 1 minute and you do it daily, you can spend 12 hours automating it.
But if that automation breaks because a website adds a Captcha, or a stable API suddenly deprecates an endpoint without warning, you have lost that bet.
For years, the smart move was often to not automate the edge cases. The friction was too high. (XKCD 1205: https://xkcd.com/1205/)
The New Reality: The AI Paradigm Shift
That logic was sound for a decade. It is not true anymore.
Artificial Intelligence has fundamentally altered the variables in the automation equation. The "Initial Cost" of development has collapsed.
Here is how AI changes the math:
Lower Barrier to Entry: Generative AI can produce boilerplate scripts, regex parsers, and API connectors in seconds. The "upfront cost" is no longer hours of coding; it is minutes of prompting.
Instant Debugging: The "maintenance nightmare" of XKCD 1319 is mitigated. Pasting a cryptic error log into an LLM often yields the solution instantly.
Resilience: When APIs change or code breaks, AI agents can help refactor the automation suite much faster than a human digging through documentation.
The New Break-Even Point
Because the cost of creation and maintenance has plummeted, the break-even point is now significantly lower.
The Old Rule: "Don't automate it unless you do it 50 times a month."
The New Rule: "If you do it twice, automate it."
The cumulative savings of automation now kick in almost immediately. While writing this post, I tried to think of cases where automation isn't possible. Firepower Management Center is one example: it has a REST API, and there is a Python library named fmcapi, but you can't do firmware updates through it, so that task would normally take a vision LLM to control. Automating this used to be impossible, but there are now vision LLMs that can take control of a browser and operate it visually.
Even in this harder-to-implement case, the potential savings over a manual firmware update process are significant.
Conclusion
We still respect the wisdom of those old comics; XKCD is one of the greatest ever.
In the age of AI-assisted DevSecOps, the friction of coding is no longer the bottleneck. The new reality is that if you aren't fully automating your pipeline, you’re working hard but not smart.
There is essentially no excuse not to automate anymore.