Insights at a Glance
Heightened attention around AI-driven cyber risk marks a pivotal moment for vulnerability and exposure management. The recent focus on Anthropic’s Claude Mythos Preview,1 OpenAI GPT-5.5-cyber, and broader hype about autonomous attackers and generative AI misuse has elevated cyber risk discussions well beyond security teams, bringing them into executive and board conversations.
While much of this discourse exaggerates near-term attacker sophistication, it correctly surfaces a long-standing but underappreciated reality: attacker timelines have always been faster than human-centered vulnerability management models can respond. This convergence of perception and reality creates a rare opportunity. Cybersecurity leaders must use this moment to move past reactive assessments and instead redesign exposure management around time, scale, and decision velocity, which are the real factors determining defensive advantage.
Key findings:
AI threat narratives amplify awareness but primarily expose existing weaknesses in traditional exposure management operating models.
Attacker advantages have always come primarily from speed and scale, not from fundamentally new exploit techniques.
Traditional VM programs still favor individual vulnerability assessment without integrating exploitability factors.
The most significant constraint for defenders is the organizational chokepoint due to multiple team involvement.
Only 48% of organizations prioritize exposures based on likelihood and business impact, leaving most business-critical assets exposed for a longer duration.2
Recommendations:
Use the current attention on LLM-driven vulnerability discovery and exploit creation to reset exposure management priorities rather than pursue isolated AI features.
Define shorter remediation SLAs that effectively address a new balance between attack velocity, defensive capabilities and operational risks, especially for critical assets.
Correlate exposures across attack surfaces and control domains to reflect realistic attack paths.
Shift prioritization to explicitly guide actions: what to remediate immediately, validate for exploitability and defer based on risk context.
Implement and test remediation automation processes to ensure quality and consistency at scale.
Pivotal Moment
Increased exploitation of vulnerabilities as an initial access vector started a few years ago. Multiple factors explain this slow initial pivot, with a wave of vulnerabilities targeting public-facing infrastructure, including firewalls and VPN gateways. The recent progress of LLM-driven vulnerability disclosure is amplifying this trend. This exposes a structural weakness in today’s VM/EM programs:
Static scoring models
Manual approvals
Fragmented ownership
As a result, many cybersecurity teams face a primary operational risk — speed and decision asymmetry between attackers and defenders widening the remediation gap, where exposure persists long enough for attackers to act, even when vulnerabilities are well understood.
Why Now
At more than 50 days, the mean time to remediate vulnerabilities remains much higher than the time it would take attackers to exploit using automation.3
Most organizations do not use exploitability factors to prioritize remediations, with highly exploitable vulnerabilities taking an average of 134 days to remediate.3
Stolen credential and phishing remain important initial attack vectors. However, increased sophistication of LLM-orchestrated offensive tools makes it easier to exploit public-facing vulnerabilities to breach an organization and then automate postbreach activities.
Cybersecurity leaders must focus on reducing how long critical assets remain exploitable, assign clear ownership for fixing them, and measure success by how quickly exposures are removed compared to how fast attackers can act.
Achieving autonomous exposure remediation requires more than technology; it depends on changing how teams work, assigning ownership, and embedding remediation into day-to-day operations.
Action Plan
Executive Action: Turn the LLM-Driven Moment Into Real Change
The current focus on LLM-driven cyber risk is not, by itself, the disruption. It is the forcing function that exposes a long-standing reality: organizations are already operating outside attacker timelines. This is not a new problem either, but it is now impossible to ignore. This moment should not be used to justify incremental tooling or isolated AI investments. Its real value is to unlock long-delayed changes to exposure management operating models.
Executives should treat this as a decision point to use this attention to reset expectations, funding, and accountability around time-based risk reduction. Achieving this outcome requires more than faster tooling or incremental process improvements.
Cybersecurity leaders must treat exposure management as a time‑based operational discipline. This means shifting from asking “Which vulnerabilities are most severe?” to “Where does exploitable exposure persist long enough for attackers to act?”
Responding to AI disruption is about addressing the structural and operational constraints that have always limited exposure management goals.
Cybersecurity leaders must modernize their operating model by redesigning exposure management, shifting from static assessments and prioritization to a discipline that is actionable through correlated context and governable through defensible decision making.
Reset the Executive Narrative
Cybersecurity leaders must lead a shift in how cyber risk is discussed and understood at the highest levels. Framing the reality and dispelling misconceptions will enable more strategic decisions. The conversation must be split in three ways:
Make the gap explicit: Show how long critical assets remain exploitable compared to how quickly attackers can act. Focus discussion on time, not volume.
Clarify what AI changes: AI lowers the effort required to exploit existing weaknesses, rather than introducing fundamentally new threats.
Redefine success: Measure how quickly exploitable exposures are identified and fixed.
Leverage the Moment to Justify Structural Investment
The current surge of attention on LLM-driven vulnerability disclosures creates a window to advocate for deeper, structural change. Cybersecurity leaders must use this opportunity to push for lasting improvements. Cybersecurity leaders must use this moment to highlight persistent exposure delays, shift funding toward fixing them, and align executives on reducing time to remediation.
Reducing exposure at attacker speed requires changes to ownership, workflows, and measurement.
Assign ownership: Designate asset-level ownership, set remediation SLAs and track exposure by owning team. Product and platform teams fix exposures in their own systems, with security teams guiding prioritization and monitoring compliance.
Integrate into workflows: Track and fix exposures through existing engineering and IT processes, integrating within the queues. Automatically manage end-to-end workflows by creating tickets, routing to the right owners through existing engineering and IT backlogs.
Measure speed: Focus on how long assets remain exploitable and hold teams accountable for reducing that time.
Initiate a Modernization Strategy
Cybersecurity leaders must initiate a modernization strategy that focuses on measurable outcomes, continuous improvement and operational integration. The following four shifts are critical to align with attacker timeline:
Transition to time-based metrics: Assess success by tracking the duration that vulnerabilities, misconfigurations, and identity risks remain exploitable relative to attack velocity. Success is measured by reducing the “exposure window” (the time your assets remain vulnerable and exploitable).
Prioritize validated attack paths: Focus on exposures that intersect to form viable attack routes within your infrastructure. Employ adversarial testing and continuous validation to confirm you are addressing the specific paths attackers are most inclined to navigate and exploit.
Drive decision-driven response: Replace generic scoring with actionable, risk-based guidance. Clearly define which exposures require immediate action, which need further validation, and which can be deferred; based on business impact, exploitability and attack feasibility.
Operationalize and automate exposure reduction: Embed response actions directly into engineering, DevOps, and IT workflows. Automate wherever possible to ensure exposures are fixed quickly and at scale by closing the feedback loop by verifying that response actions are complete, validated and lessons learned are captured to continuously improve the process.