Moonshot — Security Economics Engine

Equilibrium

Security spending is usually guesswork. This models attacker and defender as rational economic agents in a repeated game, and computes the mathematically optimal defense strategy — not the maximal one.

Parameters
Equilibrium Needle
Don't Defend Defend
Equilibrium Result
Interpretation
Sensitivity — Equilibrium Defense Probability vs. Asset Value
The Threshold Law — Θ

Every scenario above is one lever moving a system relative to the same boundary: an attack is rational exactly when effective cost < expected gain. This view shows raw cost vs. gain and how far this system sits from that line.

Repeated Game — Attacker Belief Drift Over 12 Rounds

The static equilibrium above is a snapshot. Real attackers learn from outcomes. This simulates an attacker updating their belief about your defense strength after each probe — showing whether the threat escalates or fades with repeated play.

Validation Against Reality

The Threshold Law makes a falsifiable prediction: real exploit rates should jump sharply near Θ, not rise smoothly. validate.js tests this against two live public datasets — FIRST.org's EPSS scores and CISA's Known Exploited Vulnerabilities catalog — no API key required. Run it with node validate.js on any machine with internet. Its analysis logic is independently verified offline by selftest.js against synthetic ground truth before ever touching real data.

Extension — Ransomware Payment Policy

A different question: the attack already succeeded — should the victim pay? This applies the same threshold logic one step later, with one new mechanism: ransom paid this round funds the attacker's capability next round. That's what makes paying individually rational but collectively self-defeating — the real argument behind proposals to ban ransomware payments outright.

Ransom demand$15,000
Cost to victim if data is lost$200,000
Ban penalty if caught paying$400,000
Financing sensitivity40%
Equivalent API Call