Why the Fundamentals You Ignored Are the Only Things That Will Save You

In 2023, a colleague and I wrote a cybersecurity guide for businesses of any size. It was not glamorous work. Nobody was asking for another whitepaper about multi-factor authentication (MFA) and network segmentation. The industry had heard it all before: Harden your devices, segment your networks, deploy endpoint detection and response (EDR), centralize your logs, test your backups, validate your designs. These are not revolutionary ideas. They are the kind of recommendations that get polite nods in client meetings and then get quietly dismissed somewhere between budget approval and implementation.

We wrote the guide anyway. Not because I thought we were saying something new, but because after years of incident response work, I kept walking into the same rooms, looking at the same gaps, and having the same conversations with organizations that had just been breached. The attack vectors changed and the tooling evolved, but the reason organizations got hurt was almost always the same – the basics were not in place. In that paper we posed questions that, when answered honestly at the strategic level, could reveal the real state of an organization’s defenses. We covered endpoints, networks, cloud services, physical security, staffing, and logging. It was designed to be useful whether you had a team of 500 security analysts or a single IT person wearing multiple hats.

The core thesis was that patching alone is not a security strategy. You need a foundation that holds when patching fails – because eventually, patching will fail.

This scenario eventually arrived in April 2026.

Anthropic announced Project Glasswing and Claude Mythos Preview, an AI model that autonomously discovered thousands of high-severity zero-day vulnerabilities across every major operating system and web browser. Not theoretical weaknesses or potential issues – working, exploitable vulnerabilities. One was undiscovered for 27 years in OpenBSD, the operating system chosen specifically because it is said to be among the most secure in the world. This is what happens when vulnerability discovery stops being a human-speed activity.

It dawned on me that everything we wrote about in 2023 – every recommendation, every question we posed – had just become dramatically more urgent, as speed is the new factor in the traditional risk triad. Cisco set out the strategic version of this argument in its Shields Up guidance after working with Mythos Preview. What follows is its operational companion.

The new math

Before Mythos and other frontier large language models (LLMs), the vulnerability lifecycle had a rhythm that most security teams had internalized. A researcher discovers a vulnerability, and weeks or months pass while an exploit gets developed. After a vendor releases a patch, organizations deploy it on their own schedule. There was slack in the system, which gave organizations time to triage, test, and be slow but still survive.

After AI and LLMs, the first two stages of that lifecycle collapsed to near-simultaneity. AI discovers the vulnerability and writes the exploit in minutes, not weeks. But the last two stages, patch release and patch deployment, remain human-driven processes operating at human speed. The gap between discovery/exploit and patch/deploy has widened from a manageable delay into a structural gap.

The numbers make this concrete. The FIRST 2026 Vulnerability Forecast projects a median of roughly 59,000 new CVEs this year, with a 90% confidence interval reaching up to 118,000. In 2025, 48,185 CVEs were published, a 21% increase over the year before, which works out to roughly 131 new vulnerabilities disclosed every single day. NIST acknowledged that CVE submissions grew 263% between 2020 and 2025. Starting April 2026, NIST announced it would only prioritize enrichment for CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) catalog, software used by the federal government, and critical software under Executive Order 14028. Everything else goes to the back of the line.

When talking about this data in customer briefings, I framed it around three factors: the minutes from discovery to exploit, the thousands of zero-days discovered, and how AI accelerates attackers and defenders equally. The Cloud Security Alliance was explicit about this in their April 2026 analysis. The ability to discover vulnerabilities at AI scale is not intrinsically a defensive capability. It is a dual-use capability whose effect depends entirely on who has access and what constraints govern their use. We are lucky that frontier models take responsibility for how they are used, but there are many open-source models with less oversight.

When vulnerability management fails, who do you fall back on?

The way I think about post-frontier model defense, and the way I have been presenting it to security leaders, follows a three-stage fallback model.

The first pillar is vulnerability management. Scan, prioritize, patch, repeat. This is where most organizations have concentrated their security spending for two decades. Patch velocity cannot match AI-driven discovery rates. With 59,000+ CVEs projected for 2026 and growing, the volume exceeds organizational capacity to triage, test, and deploy in live production. Not all vulnerabilities even have patches on day zero; some are deemed “operational risk,” or it would take years to redesign systems or hardware. Vulnerability management is not dead, but it is no longer the primary line of defense; it is now one input among many. This is where Cisco IQ becomes essential. Its digital interface provides complete asset visibility, security hardening insights, and risk assessments, allowing you to proactively identify vulnerabilities and harden your systems in the face of mounting CVE volumes. Automating what you can will be key to resilience acceleration.

When patching fails, you fall back to the second pillar: the “old school” hardening that seems to be forgotten in the era of EDR. This is where the 2023 whitepaper becomes a guide:

We recommended building golden images that incorporate appropriate security logging, refreshing them every 6 to 12 months, and applying the latest hardening standards. The whitepaper from 2023 asks questions that most organizations still cannot answer confidently: Are well-known security standards for hardening followed consistently across all devices? When was the last time core system golden images were reviewed for weaknesses? Are golden images part of security reviews?

The third pillar is detection and response. Hardened systems do not prevent exploitation, but make it harder, slower, noisier, and survivable. Detection and response is what catches the exploitation that gets through, and in a post-AI exploitation world, some exploitation will get through. This is a given and needs to be assumed.

This means EDR, NDR, and XDR for visibility across layers. Behavioral detection is critical when zero-days outpace signature updates. An attacker using an AI-discovered vulnerability still needs to execute code, establish persistence, move laterally, and exfiltrate data. Those actions produce behavioral signals that a properly configured EDR can detect regardless of whether the specific vulnerability was previously known. It means that we can use threat hunting to find what automation misses. It also means you need incident response capability for when prevention fails. New attacks will emerge. The question is not whether you will be compromised. It is now how quickly you can detect, contain, eradicate, and recover.

Validation is not optional

Having the right products deployed is necessary, but not sufficient. You also need to know how they work – and here is where most organizations have a blind spot the size of a continent.

The question every security leader should be asking right now is “Do my controls actually work? Not on paper, but under real-world attack conditions?” Penetration testing answers that question. So does assessing your configurations against CIS benchmarks and hardening what falls short. Threat modeling takes it further by mapping the attack paths a real adversary would use against your specific architecture, not a generic risk matrix.

Breakout assessments deserve special attention. They test the boundaries between network segments. Can an attacker move from a compromised endpoint to critical infrastructure? From IT to OT? From one business unit to another? In a post-AI world where a zero-day can provide initial access to a network segment, the integrity of those boundaries is arguably the most important architectural property of your network. Finding out they are broken before a real adversary does is the difference between a containable incident and an existential crisis.

Then there is the response side, and this is where I see the widest gap between what organizations think they have and what they actually have. IR playbooks that have never been tested are not playbooks. They are hopes. Purple team exercises are what turn those hopes into muscle memory, the kind that determines whether your team freezes or acts when a real incident hits. Proactive threat hunts catch what your automation missed. When everything has been tested and still was not enough, emergency incident response is the capability that gets you from compromised to recovered.

The full picture is a cycle. You want to prevent security issues with products and hardening, validate with testing and assessment, and respond with hunting and incident response – all of it backed by threat intelligence, and all of it working together as a system, not as disconnected point solutions checked off a compliance spreadsheet.

What did not change

AI will not get tired of system exploitation, so risk will get realized much faster than in the past. Because of this, we now add “speed” to the risk equation. It becomes Risk = likelihood x impact x speed as opposed to just Risk = likelihood x impact. AI does not change the principles of cybersecurity. MFA still blocks credential theft; segmentation still prevents an exploit from cascading into the environment; EDR still detects exploitation behavior, memory abuse, and attempts to “write” to memory segments; centralized logging still records events for detection and investigation; and tested backups still enable recovery.

Those statements were true before any LLM/AI vulnerability discoveries, they are true after LLM/AI, and they will remain true after whatever comes after current stacks, because they operate at a layer of the security stack that is independent of how fast vulnerabilities are discovered. They work whether the attacker used a known CVE or a fresh zero-day, and whether the exploit was written by a human researcher over three weeks or by an AI in three minutes.

This is the structural insight that the 2023 whitepaper was built around. Nobody had predicted the LLM/AI vulnerability discovery explosion, but we had seen, over and over again in incident response engagements, that the organizations that survived breaches were not the ones with the fastest patching cycles. They were the ones that had built their security foundations before the breach arrived. The current AI acceleration does not wait for budget cycles, board approvals, or strategic plans. It rewards preparation and it punishes delays.


