4 Comments
Jack Fitzpatrick:

My take: Rosenquist is directionally right, but he’s describing a symptom, not the underlying strategic shift.

His central argument is that frontier AI models such as Mythos are collapsing vulnerability discovery and exploitation timelines from weeks or months to minutes, forcing defenders to operate at machine speed. That is happening. AI is becoming dramatically better at finding attack paths, chaining low-severity weaknesses together, and overwhelming traditional patch-and-prioritize workflows.

Where I think the analysis is strongest:

* AI is compressing decision cycles.

* Vulnerability management as a human workflow is breaking.

* Organizations that depend on quarterly scans, ticket queues, and manual remediation will lose the race.

* Security teams will need AI fighting AI.

Where I think he’s still looking through a traditional cybersecurity lens:

The assumption is that the game is still “find vulnerabilities faster and patch faster.”

That was the game when the primary objective was system compromise.

The emerging game is leverage.

Attackers do not get paid for finding CVEs.

Attackers get paid when they can:

* Steal data

* Encrypt data

* Disrupt operations

* Extort executives

The vulnerability is only a means to acquire leverage.

That’s the Sachsian view.

If AI finds 500,000 vulnerabilities tomorrow, the board still asks one question:

“What can the attacker actually do if they get in?”

That shifts the discussion from:

* Vulnerability management

* Exposure management

* Risk scoring

* Attack-path analysis

to:

* Execution control

* Data theft prevention

* Encryption prevention

* Business continuity

The deeper platform shift is not AI-powered vulnerability discovery.

The deeper platform shift is that AI makes perimeter and detection-centric security less economically valuable.

If both attacker and defender have superhuman discovery capability, discovery itself becomes commoditized.

Control becomes scarce.

That is why I keep coming back to the same question:

What intervenes when a system starts making the wrong decisions in real time?

Not:

* Who detected it?

* Who scored it?

* Who visualized it?

* Who generated the dashboard?

But who stopped it?

Even the latest research suggests frontier models still generate significant false positives and are far from perfect autonomous security operators. Methodology and execution controls remain critical.

The strategic implication for executives is:

Visibility is becoming abundant. Control remains scarce.

The winners of the next decade may not be the companies that find the most problems.

They may be the companies that can reliably prevent the consequences after compromise.

That’s a much larger platform shift than faster vulnerability scanning.

Matthew Rosenquist:

Very comprehensive insights @jackfitzpatrick654632.

A few thoughts:

- Prediction and Prevention AVOID undesired impacts and represent the greatest ROI.

- Detection and Response LIMIT undesired impacts and although they have a lower ROI, they are still needed for the inevitable incidents that get past prevention.

All aspects (Prediction, Prevention, Detection, and Response) are needed for a continuously improving, effective, and efficient cybersecurity program.

- Vulnerabilities (technical, human, and process) are a means to an end, the objective of the attackers (there are many, not just financial gain).

- These new models don't just find more vulns, they can also create the corresponding exploits! That opens the doors for attackers to pursue their objectives to the detriment of victims.

- Visibility is important. If we don't see the vulnerability or its exploit, then all we can detect is the damage after the successful attack. That is not a good model.

My overall emphasis is to apply a strategic view, which includes understanding the greater capability of vulnerability discovery and exploitation, as it relates to overall management of cyber risk.

Jack Fitzpatrick:

I would push back on one point.

Prediction and prevention absolutely have the highest ROI when they work, but cybersecurity history is littered with organizations that thought they had predicted and prevented enough. The challenge is that prediction is probabilistic. Attackers only need one path you didn’t predict.

The more interesting question is not whether prediction, prevention, detection, and response are all necessary. They are.

The question is where authority exists when prediction fails.

Visibility tells you what happened.

Detection tells you something is happening.

Response tells you what to do next.

None of those inherently stop the action.

That’s where I think the industry still struggles. We’ve become exceptionally good at observing risk and increasingly good at predicting it. AI will make vulnerability discovery and exploit creation faster on both sides of the battlefield. The volume of known risk will explode.

But discovering more vulnerabilities does not automatically reduce risk. In some cases it simply increases the inventory of things we know we can’t fix fast enough.

The strategic challenge becomes:

* Can we see the vulnerability?

* Can we prioritize it correctly?

* Can we remediate it before exploitation?

* If not, what prevents the exploit from achieving its objective?

That’s the question boards ultimately care about.

I agree that visibility is foundational. You can’t manage what you can’t see. But visibility alone is not a control. It’s awareness.

As AI accelerates vulnerability discovery and exploit generation, the winners won’t necessarily be the organizations with the most dashboards. They’ll be the organizations that can translate visibility into decisive control before an attacker reaches their objective.

Risk management is ultimately about outcomes, not observations. Visibility is the starting point. Control is the finish line.

Matthew Rosenquist:

Great conversation! Yes, as I stated Prediction and Prevention are only part of the required overall strategic capability. Detection and Response represent the safety net that is also required for a continuously adaptable and improving cybersecurity capability.

Discovery of vulnerabilities is a capability. How it is used will determine if it increases or decreases risk. If an organization detects more vulnerabilities but chooses not to do anything about them, then the risk remains intact. When attackers detect more vulnerabilities and can create exploits for them, then the risk of them implementing them goes up. It is a capability that supports their methods in pursuit of their objectives.

Vulnerability management has always relied on strong processes to detect, validate, and prioritize issues. The issue with these new AI tools is the compression of that work beyond what current teams and processes can handle. Overloading controls increases the risks.

I have not stated that visibility alone is a control. It is a capability. A control limits the likelihood, severity, or threat as part of the risk-of-loss calculations.

Risk management is about achieving an optimal level of risk with consideration of costs, business friction, and acceptable residual risk.

Mitigations (controls) are one of several ways of managing risk and often the most focused area.