US chip export controls restrict physical chip sales but do not effectively control cloud compute access. Chinese AI labs can rent H100 clusters from cloud providers in Singapore, Malaysia, or the Middle East that are not subject to the same end-use restrictions. Training a frontier model requires 3-6 months of continuous compute rental, after which the trained model weights exist independently of the hardware. This persists because export controls were designed for physical goods crossing borders, and applying the same framework to compute-as-a-service creates jurisdictional nightmares -- a server in Singapore owned by a US company rented by a Chinese entity through a Malaysian intermediary falls into a regulatory gray zone that BIS has not resolved.
Intelligence agencies are encountering AI-generated fake source reports (HUMINT) planted through human intermediaries, each internally consistent and plausible enough to require full analytic workup before being identified as fabricated. Generating 1,000 fake reports costs an adversary hours; analyzing each one costs the target agency 4-8 analyst-hours. This creates an asymmetric denial-of-service attack on intelligence analysis capacity. This persists because HUMINT validation relies on corroboration across sources, and AI can generate corroborating details across multiple fake sources that appear independent, defeating the traditional cross-referencing methodology.
A swarm of 100 modified DJI drones costs under $50,000 total. Engaging each with a $150K Stinger missile costs $15M; with a $3M Patriot interceptor, $300M. Even purpose-built C-UAS systems like Coyote ($100K/shot) cost $10M to defeat the swarm. The attacker's cost advantage is 200-6000x. No military budget can sustain this exchange ratio in a prolonged conflict. This persists because decades of air defense investment optimized for expensive aircraft threats, and pivoting industrial capacity to produce millions of cheap effectors (directed energy, electronic kill, kinetic micro-interceptors) requires retooling defense production lines that currently produce hundreds of expensive missiles per year, not millions of cheap ones.
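The exchange-ratio arithmetic above can be made explicit. A minimal sketch, using only the per-shot cost estimates quoted in the text (not official procurement prices) and assuming one interceptor expended per drone:

```python
# Cost-exchange arithmetic for a 100-drone swarm, using the estimates
# quoted above; assumes one interceptor expended per drone.
SWARM_SIZE = 100
SWARM_COST = 50_000  # ~100 modified DJI drones, total

interceptors = {
    "Stinger": 150_000,
    "Patriot": 3_000_000,
    "Coyote": 100_000,
}

for name, unit_cost in interceptors.items():
    defense_cost = unit_cost * SWARM_SIZE
    ratio = defense_cost / SWARM_COST
    print(f"{name}: ${defense_cost:,} to defeat swarm ({ratio:.0f}x attacker cost)")
```

Running this reproduces the 200x (Coyote) to 6000x (Patriot) range cited above.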
A defense startup that wins a classified contract needs cleared engineers immediately, but new clearance applications take 12-18 months (Secret) to 24+ months (TS/SCI) to process through DCSA's backlog of 200,000+ pending investigations. The startup must either hire pre-cleared engineers (who command 30-50% salary premiums) or start uncleared engineers on unclassified work while waiting, reducing the team's productivity on the actual contract. This persists because DCSA's investigation capacity has not scaled with the explosion of defense tech startups since 2018, clearance reciprocity between agencies is inconsistent, and the continuous vetting (CV) program that should have replaced periodic reinvestigation is still rolling out years behind schedule.
After the October 2022 chip export controls, NVIDIA created the A800 and H800 as China-specific variants with reduced interconnect bandwidth to comply with BIS thresholds. When BIS updated rules in October 2023 to close this loophole, NVIDIA began designing yet another variant. Each rule revision triggers 6-12 months of chip redesign at NVIDIA, during which Chinese customers stockpile the current-generation chips. This creates a permanent lag where export controls are always one chip generation behind the market. This persists because the controls use static performance thresholds (TOPS, bandwidth) that a chip designer can engineer around, and BIS lacks the technical staff to write rules that capture capability without using easily gamed numeric thresholds.
As AI-generated media becomes indistinguishable from real footage, military tribunals and courts-martial face a crisis of evidence authenticity. Defense attorneys can claim any incriminating video or audio is a deepfake (the 'liar's dividend'), while prosecutors cannot prove provenance of battlefield footage captured on uncontrolled devices. The Uniform Code of Military Justice has no standard for authenticating digital media against deepfake manipulation. This persists because military evidence handling procedures were written for physical evidence and unedited film, the technical expertise to perform forensic media analysis is concentrated in a handful of DoD labs with months-long backlogs, and legal precedent for AI-generated evidence does not yet exist.
Testing a 50+ drone swarm in the US requires an FAA Certificate of Authorization covering the test airspace, which takes 3-6 months to process. Each test flight gets a 30-60 minute window in a restricted area. A defense startup developing swarm algorithms needs hundreds of flight tests to iterate, but at 6-month approval cycles and 30-minute windows, a single year of development yields perhaps 20 real-world test flights. Simulation cannot substitute because swarm behavior in wind, RF interference, and GPS multipath diverges significantly from simulated environments. This persists because the FAA treats drone swarms as 50 individual aircraft each requiring separate risk assessment, and has no expedited process for developmental military drone testing.
When a startup subcontracts to a defense prime (Lockheed, Raytheon, Northrop), the prime's contract often includes data rights clauses that give the prime unlimited rights to the startup's technical data delivered under the contract. The startup built the core technology with venture capital, but the prime claims derivative data rights on any improvements made during the contract. Startups that push back on data rights lose the subcontract. This persists because primes have procurement leverage (they control the relationship with the government customer), startup founders rarely have defense contracting attorneys on retainer during the subcontract negotiation, and the FAR data rights framework is ambiguous enough that primes routinely claim broader rights than the regulation intends.
A cloned audio clip of a head of state announcing military action or economic sanctions can propagate through financial news networks and algorithmic trading systems in under 60 seconds, triggering market movements before any human can verify authenticity. In 2023, a fake Pentagon explosion image briefly moved markets. Audio deepfakes are harder to detect than images because there is no visual artifact to inspect. This persists because financial markets are optimized for speed (HFT operates in microseconds) while deepfake verification requires minutes, and no circuit breaker mechanism exists for unverified audio attributed to state leaders.
When a drone swarm autonomously selects targets, routes, and engagement sequences using neural network-based planning, the decision process is not human-interpretable. After an engagement, commanders cannot reconstruct why the swarm prioritized target A over target B, or why it chose a route that resulted in collateral damage. This makes after-action review, accountability, and doctrine refinement impossible. This persists because the neural networks used for swarm planning are inherently opaque (millions of parameters with no symbolic reasoning trace), and explainable AI research has not produced methods that work in real-time for multi-agent autonomous systems.
Defense startups working on classified programs must operate from a SCIF (Sensitive Compartmented Information Facility), which requires DCSA accreditation taking 8-14 months and costs $50-100K/year in lease premiums, construction requirements (RF shielding, intrusion detection, access control), and compliance overhead. A 10-person startup spending 15% of its Series A on a SCIF before writing a line of classified code is common. This persists because SCIF standards (ICD 705) were designed for permanent government facilities and large defense contractors, not for startup office spaces that may relocate every 18 months as they grow, and DCSA has no expedited accreditation pathway for small businesses.
During the Israel-Gaza and Russia-Ukraine conflicts, AI-generated fake atrocity images and fabricated news articles spread across social media platforms within minutes, reaching millions before any fact-check is published. The debunk-to-reach ratio is approximately 1:100 -- a correction reaches 1% of the audience that saw the original fake. This asymmetry means AI-generated propaganda permanently shapes public opinion even after being identified as fake. This persists because generative AI can produce novel fake content at zero marginal cost while fact-checking requires human journalists spending hours per claim, and social media algorithms amplify engagement (outrage) regardless of veracity.
A 200-drone swarm with 25-minute flight times consumes 200 batteries per sortie. At 4 sorties per day, that is 800 batteries daily -- each requiring 1-hour charging. A battalion running multiple swarms needs thousands of batteries, hundreds of chargers, and dedicated power generation that does not exist in current military Table of Organization and Equipment. The logistics tail for drone swarms dwarfs the logistics for the drones themselves. This persists because military logistics planning is based on ammunition expenditure rates for conventional weapons, and no supply chain model exists for the consumable-drone paradigm where the weapon system itself is a single-use munition that needs continuous battery replenishment.
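The battery math above scales quickly. A back-of-envelope sketch, where the swarm size, sortie rate, and charge time come from the text, and the charger duty cycle and swarms-per-battalion figures are hypothetical planning assumptions:

```python
# Battery logistics for the swarm described above. Swarm size, sortie
# rate, and 1-hour charge time are from the text; the 20 h/day charger
# duty cycle and 5 swarms per battalion are illustrative assumptions.
DRONES_PER_SWARM = 200
SORTIES_PER_DAY = 4
CHARGE_HOURS = 1.0
CHARGER_DUTY_HOURS = 20  # assumed usable charging hours per charger per day
SWARMS_PER_BATTALION = 5  # assumed

batteries_per_day = DRONES_PER_SWARM * SORTIES_PER_DAY          # 800 per swarm
charger_slots = batteries_per_day * CHARGE_HOURS / CHARGER_DUTY_HOURS  # 40 concurrent slots
battalion_batteries = batteries_per_day * SWARMS_PER_BATTALION  # 4000 per day

print(batteries_per_day, charger_slots, battalion_batteries)
```

Even under these generous assumptions, a single battalion cycles thousands of batteries daily, which is the logistics tail the current Table of Organization and Equipment does not account for.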
The SBIR program funds promising defense technology through Phase I ($150K proof of concept) and Phase II ($1M prototype), but Phase III -- the transition to production contracts -- has no dedicated funding. Startups must find a Program of Record willing to adopt their technology, which requires navigating a different contracting office, different requirements documents, and a new program manager who was not involved in Phase I/II. The average wait between Phase II completion and Phase III award is 2-3 years, during which the startup burns through venture capital with no revenue. This persists because SBIR is managed by the Office of the Secretary of Defense while production contracts are managed by individual service acquisition offices with no institutional connection to SBIR outcomes.
Real-time deepfake face-swapping tools now run at 30fps on consumer GPUs, enabling an attacker to impersonate a cleared defense contractor employee during a video call KYC check. The attacker passes liveness detection (blinks, head turns) because the face swap operates in real time. Defense contractors using video calls for identity verification in remote work environments are exposed to insider threat impersonation. This persists because liveness detection was designed to stop static photo spoofs, not real-time neural face rendering, and the detection arms race favors attackers who only need to fool the system once while defenders must catch every attempt.
The Army, Navy, Air Force, and Marines are each developing separate drone swarm programs (OFFSET, CCA, MQ-25, LOCUST) with proprietary communication protocols. An Army swarm cannot coordinate with a Marine swarm in the same battlespace because their mesh networking protocols, command message formats, and swarm behavior algorithms are incompatible. Joint operations -- the fundamental principle of US military doctrine since Goldwater-Nichols -- breaks down when each service's drones cannot talk to each other. This persists because each service's program office has independent funding, requirements, and contractors, and the DoD's Joint Staff lacks the authority to mandate a single swarm communication standard before each service has fielded its own system.
The next evolution of drone warfare is autonomous swarm-vs-swarm combat, where offensive drone swarms engage defensive drone swarms without human operators directing individual units. No military has conducted a swarm-vs-swarm engagement, so there is zero empirical doctrine for how to command, deconflict, or disengage such forces. The legal question of accountability when an autonomous swarm kills civilians during swarm-on-swarm combat has no answer. This persists because swarm-vs-swarm is a phase transition in warfare that has no historical analog -- every existing doctrine framework assumes human combatants making decisions, and retrofitting human oversight onto swarm-speed autonomous combat (decisions in milliseconds) is physically impossible.
Generative AI can now produce synthetic satellite imagery indistinguishable from real commercial satellite photos, showing troop movements, vehicle concentrations, or infrastructure that does not exist. An adversary could feed fabricated satellite images into OSINT channels that military intelligence analysts monitor, triggering real mobilization responses based on phantom threats. The US NGA has acknowledged this threat but has no deployed countermeasure. This persists because satellite image authentication relies on metadata and provenance chains that are trivially forged, and the OSINT analysis pipeline that feeds decision-makers has no systematic deepfake detection layer.
NATO's current drone doctrine (ATP-3.3.8.1) covers single UAS operations under a dedicated operator. It has no framework for commanding swarms of 200+ autonomous drones that must coordinate without centralized control in a jammed environment where radio links drop unpredictably. Ukrainian and Russian forces are already fielding semi-autonomous swarms, but NATO has no agreed-upon command structure, rules of engagement, or communication protocol for swarm operations. This persists because NATO doctrine development requires consensus among 32 member nations, each with different drone capabilities and legal frameworks for autonomous weapons, and the 3-5 year doctrine revision cycle cannot keep pace with a technology that evolved from concept to battlefield reality in 18 months.
AI voice cloning now produces convincing replicas from 10 seconds of audio, and adversaries are using cloned voices of commanding officers to issue fake orders over tactical radio nets. Troops receiving a retreat order in their CO's voice have no field-deployable method to verify the speaker's identity -- radio authentication codes exist but are rarely used under fire. In Ukraine, Russian forces have used cloned Ukrainian officer voices on intercepted radio frequencies to sow confusion. This persists because military voice communications were designed for an era where voice impersonation required a skilled human mimic, and retrofitting cryptographic voice authentication onto legacy tactical radios requires hardware replacements across entire force structures.
The most critical phase of a cloud penetration test is initial access -- typically via phishing or credential stuffing against the production identity provider -- but 80%+ of clients exclude this phase from scope, restricting the test to 'assume breach' scenarios where the red team starts with valid credentials. This means the most common and dangerous attack vector (credential compromise via phishing) goes completely untested. This persists because phishing real employees disrupts business operations, creates HR liability if employees feel tricked, and risks triggering incident response processes that waste SOC time on a known-friendly exercise.
For years, red teams bypassed EDR userland hooks by making direct syscalls to the Windows kernel, skipping the hooked ntdll.dll functions entirely. EDR vendors responded by adding ETW kernel-level telemetry that flags any syscall originating from non-ntdll memory regions as suspicious, turning the bypass itself into a high-confidence detection. Red teams now face a catch-22: use ntdll (hooked and detected) or direct syscall (kernel telemetry detects the bypass). This persists because Microsoft keeps adding kernel telemetry providers that give EDR vendors visibility into syscall origins, and each new evasion technique creates a new detection surface.
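The detection logic at the heart of this catch-22 is simple to model. The following is a toy illustration of the heuristic described above, not real EDR code: a syscall is flagged if the instruction that issued it lies outside ntdll.dll's mapped range, with all addresses and module bounds invented for the example:

```python
# Toy model of the kernel-telemetry heuristic described above: a syscall
# is suspicious if its call site is not inside ntdll.dll. The address
# range and sample addresses are hypothetical.
NTDLL_RANGE = (0x7FF8_0000_0000, 0x7FF8_0020_0000)  # assumed base/limit

def syscall_origin_suspicious(return_address: int) -> bool:
    """Flag syscalls whose originating address is outside ntdll (direct syscalls)."""
    lo, hi = NTDLL_RANGE
    return not (lo <= return_address < hi)

# Legitimate path: the API call funnels through ntdll's syscall stub.
assert not syscall_origin_suspicious(0x7FF8_0001_2340)
# Direct-syscall bypass: stub executed from attacker-allocated memory.
assert syscall_origin_suspicious(0x0000_0240_0000_1000)
```

The asymmetry is visible here: evading the userland hook (calling from outside ntdll) is exactly what makes the kernel-side check fire.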
A standard penetration test engagement produces a 60-120 page report that takes 40-80 hours of senior consultant time to write, yet client surveys show fewer than 15% of stakeholders read beyond the 2-page executive summary. The detailed technical findings that would actually help defenders fix vulnerabilities are buried in appendices that nobody opens. This persists because compliance frameworks (PCI DSS, SOC 2) require a written report as the deliverable, not actual remediation, so the report exists to satisfy auditors rather than inform defenders. The consulting firm's revenue model bills for report writing, not for vulnerability remediation.
Military aircraft carry IFF transponders broadcasting encrypted Mode 5 signals, but small tactical drones under 25 kg have no standardized IFF system -- a friendly ISR quadcopter looks identical on radar to an enemy kamikaze drone of the same size. In Ukraine, fratricidal shoot-downs of friendly drones account for an estimated 10-15% of drone losses. This persists because IFF transponders weigh 200-500g and draw 5-10W, a significant penalty for a drone with 1kg payload capacity. Additionally, NATO has no agreed-upon IFF standard for sub-25kg UAS -- each nation uses different drone models with different telemetry protocols.
Quality control for military FPV drones requires custom test jigs that check motor spin direction, ESC calibration, receiver binding, and video link -- each jig is designed for a specific frame geometry and component layout. When the drone design changes (which happens every 2-4 weeks in active conflict), the test jig must be redesigned and rebuilt at $10-15K per iteration. Over 6 months, a production line can spend $150K+ on test fixtures for a drone that costs $200. This persists because no one has built a universal test platform that adapts to arbitrary drone geometries, and the rapid design iteration driven by battlefield feedback makes fixed-geometry test fixtures inherently disposable.
Zerodium pays $2.5M for a full-chain iOS zero-day while Apple's Security Bounty pays $200K for the same vulnerability class, creating a 12.5x price gap that economically incentivizes researchers to sell to offense rather than defense. The result is that the most capable exploit developers rationally choose the broker market, leaving defenders with lower-severity reports. This persists because defensive bug bounties are funded from security budgets with ROI pressure, while offensive buyers (nation-state intelligence agencies) have black budgets with no comparable cost constraints. The market will never reach parity because the offensive value of an exclusive zero-day exceeds its defensive value by definition.
FPV drone frames are CNC-routed from carbon fiber sheets, and Chinese routing services (Shendrones, AliExpress vendors) charge $3-8 per frame including material, while US-based CNC shops charge $35-60 for identical geometry due to higher labor costs and carbon dust OSHA compliance requirements. For military expendable drones at 2,000 units/month, this is the difference between $6,000 and $120,000 monthly in frame costs alone. This persists because carbon fiber routing produces carcinogenic dust requiring expensive ventilation and PPE that Chinese shops externalize, and US manufacturing wages make the per-unit labor cost uncompetitive even with automation.
High-energy laser systems like DE-SHORAD need to hold a focused beam on a drone for 5-15 seconds to burn through the structure, but small drones executing evasive maneuvers at 2-5 Hz break the beam-target lock every 0.2-0.5 seconds, resetting thermal damage accumulation. A drone that simply zigzags at 3m amplitude while approaching can survive laser engagement. This persists because HEL designers optimized dwell time against rockets and mortars that fly predictable ballistic trajectories, and increasing laser power to reduce dwell below 1 second requires megawatt-class systems that are 10x heavier and 100x more expensive than current 50-100 kW prototypes.
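The dwell-versus-evasion tradeoff reduces to a one-line condition. A minimal sketch, assuming (as the text does) that each lock break fully resets thermal accumulation, so the drone survives whenever the lock never holds as long as the required burn-through time:

```python
# Minimal model of the dwell problem above: burn-through requires
# `burn_through_s` of *continuous* dwell, and each evasive maneuver
# that breaks lock resets thermal accumulation to zero (assumption
# stated in the text). Parameters are illustrative.
def survives_laser(burn_through_s: float, lock_break_interval_s: float) -> bool:
    """Drone survives if the lock never holds long enough to burn through."""
    return lock_break_interval_s < burn_through_s

# 5 s minimum burn-through vs a lock broken every 0.5 s: drone survives.
assert survives_laser(burn_through_s=5.0, lock_break_interval_s=0.5)
# A ballistic mortar round never breaks lock, so it does not survive.
assert not survives_laser(burn_through_s=5.0, lock_break_interval_s=float("inf"))
```

The model makes the design implication explicit: the defender must either push burn-through time below the maneuver interval (more power) or defeat the reset assumption (beam tracking that survives the maneuver).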
Organizations run purple team exercises by mapping red team actions to MITRE ATT&CK technique IDs (e.g., T1055 Process Injection), but a single technique ID encompasses dozens of distinct implementation variants with completely different detection signatures. Checking off T1055 after testing one variant gives false confidence that the SOC can detect all 15+ process injection methods. This persists because ATT&CK was designed as a knowledge base for threat intelligence, not an operational testing framework, and sub-techniques only partially address the granularity gap. No standard maps specific evasion variants to specific detection rules.
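One way to see the granularity gap is to track coverage at the variant level rather than the technique level. A sketch under assumed data, with hypothetical variant names standing in for the 15+ injection methods:

```python
# Variant-level coverage tracking for purple team exercises. The variant
# list is a hypothetical subset; the point is that testing one variant
# must not mark the whole technique ID as covered.
technique_variants = {
    "T1055": [
        "CreateRemoteThread",
        "QueueUserAPC",
        "thread hijacking",
        "process hollowing",
        "module stomping",
    ]
}

tested = {"T1055": {"CreateRemoteThread"}}

def coverage(technique: str) -> float:
    """Fraction of known implementation variants actually exercised."""
    variants = technique_variants[technique]
    return len(tested.get(technique, set()) & set(variants)) / len(variants)

# One of five variants tested: 20% coverage, not a green checkmark.
print(f"T1055 coverage: {coverage('T1055'):.0%}")
```

A checkbox scorecard would report T1055 as "detected" here; the variant-level view reports 20%, which is the honest number.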
ExpressLRS, the dominant open-source control link protocol for FPV drones, uses a shared binding phrase for authentication but has no cryptographic handshake or encrypted command channel. An adversary with a $20 SDR can sniff the binding phrase from a single packet and inject control commands to crash or redirect the drone. For hobby use this is acceptable, but for military operations it means any drone within RF range can be hijacked. This persists because ExpressLRS was designed for racing drone latency optimization (sub-1ms) and adding crypto handshakes would add 5-10ms latency that the racing community won't accept, so the military use case is bolted onto a protocol that was never designed for contested environments.
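To make the latency tradeoff concrete, here is a hedged sketch of what per-packet authentication could look like: a key derived from the binding phrase plus a packet counter, with a truncated HMAC tag. The field sizes, key derivation, and packet layout are assumptions for illustration, not the ExpressLRS wire format:

```python
# Illustrative per-packet authentication that ExpressLRS lacks. Key
# derivation, tag length, and packet layout are assumptions, not the
# actual ExpressLRS protocol.
import hashlib
import hmac
import struct

KEY = hashlib.sha256(b"binding-phrase-example").digest()  # hypothetical derivation
TAG_LEN = 4  # truncated tag: 4 extra bytes per packet

def seal(counter: int, channels: bytes) -> bytes:
    """Append a truncated HMAC over a monotonic counter plus channel data."""
    body = struct.pack("<I", counter) + channels
    tag = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

def verify(packet: bytes) -> bool:
    """Reject any packet whose tag does not match the shared key."""
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)

pkt = seal(42, bytes([128, 128, 64, 200]))
assert verify(pkt)
# An injected or tampered command fails verification:
assert not verify(pkt[:-1] + bytes([pkt[-1] ^ 0xFF]))
```

The crypto itself is microseconds on a modern MCU; the latency cost the racing community objects to comes from the extra over-the-air bytes and counter resynchronization, which is why a contested-environment variant likely needs its own link budget rather than a bolt-on.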