Right, but what is interesting is that you can buy it off the rack for the price of tokens. You don’t have to do a specialist search for a security expert, pay a recruiter, hire them, wait for the specialist to start, pay them a signing bonus, pay them an expert-level salary, pay their social security taxes, healthcare benefits, and finally pay for an exit package when you lay them off because the project got canceled. You buy tokens when you need them and you stop buying when you don’t. This was the same dynamic that made cloud computing more interesting than company-owned servers in a company-owned data center. It’s more responsive to business needs and it falls under the development expense budget, not payroll, so you can do it even during hiring freezes.

But, you do have to have at least an employee or contractor skilled enough to actually understand the scope of a given bug report from the agent in order to determine validity. I've seen plenty of legit bug reports by humans get dismissed because the reviewer didn't understand the material impact or how the bug/exploit worked.