The advent of AI-assisted vulnerability discovery and autonomous exploit development has brought about a new age in cybersecurity—one in which we can no longer rely on patching as a primary defense mechanism. Patching is, by definition, a reactive approach to security. It cannot occur until after a vulnerability is discovered and a vendor fix is made available, an operational delay that all too often lands well after an exploit is already weaponized in the wild. As frontier models like Claude Mythos collapse the time-to-exploit from months into mere hours, they create an unsustainable asymmetry: the machine-scale generation of vulnerability disclosures is now growing exponentially faster than human teams can write, test, and apply patches.
Proponents of Continuous Threat Exposure Management (CTEM) would have you believe that this crisis can be solved through superior prioritization—sorting the backlog by layering CVSS scores, asset criticality, and adversary threat intelligence. But the reality is that micro-prioritization does not solve the underlying structural flaw; it is merely a more optimized form of backlog management. While exposure mapping tools can help you identify that a missing patch opens an attack path across a given asset, they remain a stop-gap measure. Patching an individual browser or office application only halts the specific exploit of the day. It does nothing to prevent tomorrow’s inevitable zero-day, because it never actually eliminates the systemic attack path—it merely places a temporary closure over it until the next vulnerability in that same product or protocol reopens the gate.
We must break this perpetual cycle of reactivity by shifting our entire paradigm from backlog management to deterministic attack path erasure. While basic cyber hygiene mandates that software updates should always be executed in a timely manner, we must stop treating the patch queue as a primary defensive control. True defensive finality requires moving away from evaluating individual branches of an attack graph and instead focusing on a macro-engineering metric: the Path Erasure Rate (PER).
Instead of exhausting cognitive cycles trying to decide whether to remediate Path A versus Path B, architects must evaluate the net delta of attack terrain an engineering action can permanently eliminate. For example, rather than racing against a compounding patching clock, utilizing constraints to natively prevent browsers and office applications from launching child processes instantly achieves a massive PER delta—structurally destroying whole clusters of lateral and local attack paths simultaneously. By embracing an architecture of subtraction, we stop trying to out-prioritize automated exploitation and begin using native infrastructure boundaries to deny the adversary the terrain they need to move. We need to start taking a subtractive approach to security whereby we begin to focus on path elimination, privilege minimization, and other architectural constraints that establish deterministic boundaries within our network.
Subtractive security is not only how we correct the asymmetry that currently exists between attackers and defenders but how we flip the script so the asymmetry eventually comes to lie in favor of the defense.
Moving beyond theory: Calculating the PER Delta
To understand the operational power of this metric, consider how a standard enterprise evaluates a critical remote code execution (RCE) vulnerability found within an application tier.
Under a legacy CTEM or vulnerability management workflow, a scanning tool flags the flaw. Security operations then score it against asset value and threat intelligence. A ticket is created, engineers schedule a downtime window, and weeks later, a patch is applied. The vulnerability count drops by one. However, the underlying conductive pathways of the host operating system—its ability to establish arbitrary outbound internet connections, execute child processes, or broadcast legacy LLMNR/NetBIOS protocols across the local subnet—remain completely untouched. When an automated AI agent generates a variant or a fresh zero-day for that same application stack tomorrow, the entire reactive triage pipeline must start over from zero.
A subtractive engineering workflow flips this equation completely by shifting the focus from the software flaw to the systemic host configuration. By deploying targeted subtractive policies to the operating system, an organization can systematically enforce structural non-conductivity.
Consider the mathematical impact when an organization implements a minimal baseline of native endpoint constraints—such as blocking untrusted binary execution from user-writable directories, disabling legacy LLMNR, and enforcing strict host-level egress filtering. When calculated using the PER equation, these baseline constraints do not merely mitigate an isolated CVE; they mathematically erase an entire class of adversary Tactics, Techniques, and Procedures (TTPs) across 100% of the deployed asset base.
LEGACY PATCH QUEUE MODEL - Net Path Reduction: 1 isolated path closed temporarily.
SUBTRACTIVE PARADIGM (PER) - Net Path Reduction: Systemic terrain destruction via a high ΔPER.
Know thyself
The primary friction point holding infrastructure teams back from enforcing strict configuration boundaries is the fear of operational disruption. Because legacy environments often contain undocumented dependencies, engineers hesitate to move from a state of monitoring to a state of strict blocking.
To overcome this hurdle, organizations must take the time to understand where a given functionality is needed and where it is not. While some subtractions can be performed universally if the functionality has no legitimate use, path erasure does not always need to be global to be effective. With some basic detection engineering it becomes possible to map out the legitimate use cases for different types of attack behaviors, such as Living off the Land (LotL) techniques. For example, if we were to build detections for SSH use, we would likely find that SSH is used by staff within IT but is likely never used by staff within HR and other departments. It therefore becomes possible for us to create endpoint policies that block SSH execution on all non-IT endpoints and still achieve a sizeable PER delta, since the lateral movement potential of a large portion of the environment has been reduced. We may even be able to use the same data to show that we can also block egress traffic over port 22 on the same endpoints and achieve true defense in depth – architectural erasure at two different levels.
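The scoping procedure above (map where SSH is legitimately used, block it everywhere else, then add a second layer at the egress filter) and the earlier idea of measuring how much of the asset base a constraint covers, worked through as an added example. This is not code from the original post; the endpoint inventory, the process-creation events, the list of SSH client image names and the "share of endpoints with the path erased" metric are all constructed assumptions standing in for real telemetry and for whatever PER formula an organization adopts.

```python
"""Scope a subtractive SSH policy from process telemetry (added example, constructed data)."""
from collections import defaultdict

# Constructed inventory: hostname -> department (hypothetical, not real assets).
INVENTORY = {
    "it-ws-01": "IT", "it-ws-02": "IT", "it-ws-03": "IT",
    "hr-ws-01": "HR", "hr-ws-02": "HR",
    "fin-ws-01": "Finance", "fin-ws-02": "Finance", "fin-ws-03": "Finance",
    "mkt-ws-01": "Marketing", "mkt-ws-02": "Marketing",
}

# Constructed process-creation events in a simplified "host|user|image|cmdline" form.
# lab-ws-99 is deliberately absent from INVENTORY to exercise the unmapped-host case.
EVENTS = """\
it-ws-01|alice|C:\\Windows\\System32\\OpenSSH\\ssh.exe|ssh admin@10.0.0.5
it-ws-02|bob|C:\\Program Files\\PuTTY\\putty.exe|putty -ssh 10.0.0.7
it-ws-01|alice|C:\\Windows\\System32\\OpenSSH\\scp.exe|scp report.txt admin@10.0.0.5:/tmp
hr-ws-01|carol|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|winword.exe /q
fin-ws-02|dave|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|excel.exe
mkt-ws-01|erin|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe
hr-ws-02|frank|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir
lab-ws-99|grace|C:\\Windows\\System32\\OpenSSH\\ssh.exe|ssh admin@10.0.0.9
"""

# Assumed set of SSH client binaries the detection matches on (file name only).
SSH_CLIENT_IMAGES = {"ssh.exe", "scp.exe", "sftp.exe", "putty.exe", "plink.exe", "pscp.exe"}


def parse_events(text):
    """Parse the constructed 'host|user|image|cmdline' lines into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, user, image, cmdline = line.split("|", 3)
        events.append({"host": host, "user": user, "image": image, "cmdline": cmdline})
    return events


def is_ssh_client(image):
    """Detection rule: compare the image file name, case-insensitively, to the client list."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in SSH_CLIENT_IMAGES


def ssh_usage_by_department(events, inventory):
    """Return {department: set(hosts that ran an SSH client)} and hosts missing from inventory."""
    usage = {dept: set() for dept in set(inventory.values())}
    unmapped = set()
    for ev in events:
        if not is_ssh_client(ev["image"]):
            continue
        dept = inventory.get(ev["host"])
        if dept is None:
            unmapped.add(ev["host"])  # cannot be scoped until the inventory is fixed
            continue
        usage[dept].add(ev["host"])
    return usage, unmapped


def scope_policy(inventory, usage):
    """Departments with no observed SSH use get 'block'; the rest stay 'allow' pending review."""
    return {dept: ("allow" if usage.get(dept) else "block") for dept in set(inventory.values())}


def erased_path_share(inventory, policy):
    """Assumed PER-style metric: fraction of endpoints on which the SSH execution path is erased."""
    blocked = sum(1 for dept in inventory.values() if policy[dept] == "block")
    return blocked / len(inventory)


def egress_rules(inventory, policy, port=22):
    """Second layer: host-firewall deny rules for outbound TCP/22 on every blocked endpoint."""
    return sorted(
        (host, "deny", "outbound", "tcp", port)
        for host, dept in inventory.items() if policy[dept] == "block"
    )


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    usage, unmapped = ssh_usage_by_department(evs, INVENTORY)
    policy = scope_policy(INVENTORY, usage)
    for dept in sorted(policy):
        print(f"{dept:10s} hosts_using_ssh={sorted(usage[dept])} policy={policy[dept]}")
    print(f"unmapped hosts (fix inventory before enforcing): {sorted(unmapped)}")
    print(f"share of endpoints with SSH path erased: {erased_path_share(INVENTORY, policy):.0%}")
    for rule in egress_rules(INVENTORY, policy):
        print(rule)
```

On the constructed data, only IT shows SSH use, so HR, Finance and Marketing are scoped to "block", which erases the path on 7 of the 10 endpoints; the same scoping drives both the execution block and the port-22 egress rules. A host that appears in telemetry but not in the inventory is reported rather than silently blocked, since an incomplete inventory is exactly the undocumented dependency that makes teams hesitate to move from monitoring to enforcement.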
Ultimately, the math of the modern threat landscape is clear. We can no longer afford to spend millions of dollars buying more leak detectors and bigger buckets while leaving the underlying infrastructure pathways wide open. The path forward requires a fundamental return to systems engineering: stop just mapping the traffic, start erasing the unneeded roads.