If the US had such amazing offensive cyber capabilities, why are bug bounties like HackerOne not already bankrupt? The NSA hackers could just easily farm all those bounties and make significantly more than they earn at the government.
I feel the answer to this is that most of what we call NSA offensive capabilities are not "real" offensive capabilities in terms of vulnerabilities and exploits, but simple backdoors in US equipment and US tech companies.
And I think they got really complacent because analyzing Facebook, Google and Apple data combined with credit card payments, phone call and browser history is doing the job just fine in 90% of the cases.
Due to the large size of the US traditional military, they have advanced capabilities in terms of physical network tapping that many other countries don't possess. Maybe they have super binoculars to spy on people typing in their passwords through the window from space. But in the end it is again white-collar "analysts" going through the data instead of clever people actually finding novel vulnerabilities in software, which is also the skill that is rewarded in bug bounties such as HackerOne.
Why invest in learning how to reverse engineer a Cisco router if you can just call your buddy at Cisco and tell them to commit a new backdoor to the code?
By not using these skills they atrophy, and once you hit a "real" adversary who is not on Windows and permanently uploading their data to Facebook and iCloud while using a credit card with Apple Pay, they might struggle very much.
I recall things like the O.MG cable being a revolution in red team pentesting. Of course they had prototypes before, but I don't think it was widely utilized. Because why invest in such fancy hardware gimmicks if you can get the data directly from a US tech company who is forced to provide access for you anyways? It's much cheaper and more reliable.
Edit: I just noticed that due to this significant reliance on backdoors in US equipment they also hurt the defensive posture much more. It's difficult to have different versions of firmware floating around and to ensure they are deployed for your own companies. It's much easier to add backdoors to companies from your own country than to add backdoors to foreign equipment. This is totally in line with what we observe with endless CVEs and backdoors in US networking equipment.
China just has white-collar analysts and no real cyber capabilities, because if they did then all the bug bounty websites would be out of business.
Swap the US/China here and you can see for yourself why you're making a poor argument.