Why the Fundamentals You Ignored Are the Solely Issues That Will Save You
In 2023, a colleague and I wrote a cybersecurity information for companies of any measurement. It was not glamorous work. No one was asking for one more whitepaper about multi-factor authentication (MFA) and community segmentation. The business had heard all of it earlier than: Harden your units, section your networks, deploy endpoint detection and response (EDR), centralize your logs, check your backups, validate your designs. These usually are not revolutionary concepts. They’re the sort of suggestions that get well mannered nods in shopper conferences after which get quietly dismissed someplace between finances approval and implementation.
We wrote the information anyway. Not as a result of I believed we have been saying one thing new, however as a result of after years of incident response work, I saved strolling into the identical rooms, wanting on the identical gaps, and having the identical conversations with organizations that had simply been breached. The assault vectors modified and the tooling developed, however the motive organizations obtained harm was virtually at all times the identical – the fundamentals weren’t in place. In that paper we posed questions that, when answered actually on the strategic degree, may reveal the true state of a corporation’s defenses. We coated endpoints, networks, cloud companies, bodily safety, staffing, and logging. It was designed to be helpful whether or not you had a crew of 500 safety analysts or a single IT particular person sporting a number of hats.
The core thesis was that patching alone will not be a safety technique. You want a basis that holds when patching fails – as a result of ultimately, patching will fail.
This situation ultimately arrived in April 2026.
Anthropic introduced Mission Glasswing and Claude Mythos Preview, an AI mannequin that autonomously found 1000’s of high-severity zero-day vulnerabilities throughout each main working system and internet browser. Not theoretical weaknesses or potential points – working, exploitable vulnerabilities. One was undiscovered for 27 years in OpenBSD, the working system chosen particularly as a result of it’s mentioned to be among the many most safe on the earth. That is what occurs when vulnerability discovery stops being a human-speed exercise.
It dawned on me all the things we wrote about in 2023 – each advice, each query we posed -had simply turn out to be dramatically extra pressing, as pace is the brand new issue within the conventional threat triad. Cisco set out the strategic model of this argument in its Shields Up steerage after working with Mythos Preview. What follows is its operational companion.
The brand new math
Earlier than Mythos and different frontier giant language fashions (LLMs), the vulnerability lifecycle had a rhythm that the majority safety groups had internalized. A researcher discovers a vulnerability, and weeks or months move whereas an exploit will get developed. After a vendor releases a patch, organizations deploy it on their very own schedule. There was slack within the system, which gave organizations time to triage, check, and be sluggish however nonetheless survive.
After AI and LLMs, the primary two phases of that lifecycle collapsed to near-simultaneity. AI discovers the vulnerability and writes the exploit in minutes, not weeks. However the final two phases, patch launch and patch deployment, stay human-driven processes working at human pace. The hole between discovery/exploit and patch/deploy has widened from a manageable delay right into a structural hole.
The numbers make this concrete. The FIRST 2026 Vulnerability Forecast tasks a median of roughly 59,000 new CVEs this 12 months, with a 90% confidence interval reaching as much as 118,000. In 2025, 48,185 CVEs have been printed, a 21% improve over the 12 months earlier than, which works out to roughly 131 new vulnerabilities disclosed each single day. NIST acknowledged that CVE submissions grew 263% between 2020 and 2025. Beginning April 2026, NIST introduced it might solely prioritize enrichment for CVEs showing in CISA’s Recognized Exploited Vulnerabilities (KEV) catalog, software program utilized by the federal authorities, and significant software program beneath Government Order 14028. All the things else goes to the again of the road.
When speaking about this knowledge in buyer briefings, I framed it round three elements: the minutes from discovery to use, the 1000’s of zero-days found, and the way AI accelerates attackers and defenders equally. The Cloud Safety Alliance was specific about this of their April 2026 evaluation. The power to find vulnerabilities at AI scale will not be intrinsically a defensive functionality. It’s a dual-use functionality whose impact relies upon completely on who has entry and what constraints govern their use. We’re fortunate that frontier fashions take accountability for the way they’re used, however there are a lot of open-source fashions with much less oversight.
When vulnerability administration fails, who do you fall again on?
The way in which I take into consideration post-frontier mannequin protection, and the way in which I’ve been presenting it to safety leaders, follows a three-stage fallback mannequin.
The primary pillar is vulnerability administration. Scan, prioritize, patch, repeat. That is the place most organizations have concentrated their safety spending for 20 years. Patch velocity can’t match AI-driven discovery charges. With 59,000+ CVEs projected for 2026 and rising, the amount exceeds organizational capability to triage, check, and deploy (in manufacturing, dwell). Not all vulnerabilities even have patches on day zero; some are deemed as “operational threat,” or it might take years to revamp programs or {hardware}. Vulnerability administration will not be lifeless, however it’s not the first line of protection; it’s now one enter amongst many. That is the place Cisco IQ turns into important. Its digital interface gives full asset visibility, safety hardening insights, and threat assessments, permitting you to proactively determine vulnerabilities and harden your programs within the face of mounting CVE volumes. Automating what you’ll be able to will probably be key to resilience acceleration.
When patching fails, you fall again to the second pillar: the “old style” hardening that appears to be forgotten in period of EDRs. That is the place the 2023 whitepaper turns into a information:
We beneficial constructing golden photos that incorporate applicable safety logging, refreshing them each 6 to 12 months, and making use of the most recent hardening requirements. The whitepaper from 2023 asks questions that the majority organizations nonetheless can’t reply confidently: Are well-known safety requirements for hardening adopted persistently throughout all units? When was the final time core system golden photos have been reviewed for weaknesses? Are golden photos a part of safety critiques?
The third pillar is detection and response. Hardened programs don’t forestall exploitation, however make it more durable, slower, noisier, and survivable. Detection and response are what catches the exploitation that will get by way of, and in a post-AI exploitation world, some exploitation will get by way of. That is given and must be assumed.
This implies EDR, NDR, and XDR for visibility throughout layers. Behavioral detection is vital when zero-days outpace signature updates. An attacker utilizing an AI-discovered vulnerability nonetheless must execute code, set up persistence, transfer laterally, and exfiltrate knowledge. These actions produce behavioral indicators {that a} correctly configured EDR can detect no matter whether or not the precise vulnerability was beforehand recognized. It implies that we will use menace searching to search out what automation misses. It additionally means you want incident response functionality for when prevention fails. New assaults will emerge. The query will not be whether or not you can be compromised. It’s now how rapidly you’ll be able to detect, include, eradicate, and recuperate.
Validation will not be optionally available
Having the appropriate merchandise deployed is important, however not ample. You additionally must know the way they work – and right here is the place most organizations have a blind spot the scale of a continent.
The query each safety chief must be asking proper now could be “Do my controls really work? Not on paper, however beneath real-world assault situations?” Penetration testing solutions that query. So does assessing your configurations towards CIS benchmarks and hardening what falls quick. Risk modeling takes it additional by mapping the assault paths an actual adversary would use towards your particular structure, not a generic threat matrix.
Breakout assessments deserve particular consideration. They check the boundaries between community segments. Can an attacker transfer from a compromised endpoint to vital infrastructure? From IT to OT? From one enterprise unit to a different? In a post-AI world the place a zero-day can present preliminary entry to community section, the integrity of these boundaries is arguably a very powerful architectural property of your community. Discovering out they’re damaged earlier than an actual adversary does is the distinction between a containable incident and an existential disaster.
Then there may be the response aspect, and that is the place I see the widest hole between what organizations suppose they’ve and what they really have. IR playbooks which have by no means been examined usually are not playbooks. They’re hopes. Purple crew workouts are what flip these hopes into muscle reminiscence, the type that determines whether or not your crew freezes or acts when an actual incident hits. Proactive menace hunts catch what your automation missed. When all the things has been examined and nonetheless was not sufficient, emergency incident response is the aptitude that will get you from compromised to recovered.
The complete image is a cycle. You wish to forestall safety points with merchandise and hardening, validate with testing and evaluation, and reply with searching and incident response – all of it backed by menace intelligence, and all of it working collectively as a system, not as disconnected level options checked off a compliance spreadsheet.
What didn’t change
AI is not going to get bored with system exploitation, so threat will get realized a lot sooner than up to now. Due to this, we now add “pace” to threat equation. It turns into Threat = probability x affect x pace versus simply Threat = probability x affect. AI doesn’t change the ideas of cybersecurity. MFA nonetheless blocks credential theft; segmentation nonetheless prevents exploit cascading into the surroundings; EDR nonetheless detects exploitation habits, reminiscence abuse, and makes an attempt to “write” to reminiscence segments; centralized logging nonetheless data occasions for detection and investigation; and examined backups nonetheless allow restoration.
These statements have been true earlier than any LLM/AI vulnerability discoveries, they’re true after LLM/AI, and they’re going to stay true after no matter comes after present stacks. As a result of they function at a layer of the safety stack that’s unbiased of how briskly vulnerabilities are found. They work whether or not the attacker used a recognized CVE or a contemporary zero-day, and whether or not the exploit was written by a human researcher over three weeks or by an AI in three minutes.
That is the structural perception constructed across the whitepaper in 2023. No one had predicted that LLM/AI vulnerability discovery explosion, however we had seen, over and over in incident response engagements, that the organizations that survived breaches weren’t those with the quickest patching cycles. They have been those that had constructed their safety foundations earlier than the breach arrived. The present AI acceleration doesn’t watch for finances cycles, board approvals, or strategic plans. It rewards preparation and it punishes delays.
