
To use a Lord of the Rings analogy, Saruman was a dedicated threat actor operating with a singular objective: “breach the wall, and Helm’s Deep would fall”. His belief was simple: if the perimeter failed, the defenders would collapse soon after. In many respects, this mirrors the thinking of threat actors, IT teams, and security professionals for years. Once the boundary is compromised, the assumption is that the battle has already been lost. This is no longer the case, and organisations should adapt their thinking to reflect this.

Stephen Green

Threat Intelligence Lead | Cyber Risk

sgreen@thomasmurray.com

Not long ago, vulnerability management could reasonably be described as a prioritisation exercise. Security teams would monitor advisories, review CVSS scores, assess asset exposure, and schedule remediation according to operational risk and available maintenance windows. Imperfect? Certainly. Manageable? Sometimes… yes.

I think that it is safe to conclude that this era is over.

The arrival of highly capable AI-assisted security tooling, alongside automated research platforms such as Mythos and a rapidly maturing ecosystem of offensive augmentation tools, has fundamentally altered the economics and velocity of vulnerability discovery. The consequence is not merely “more vulnerabilities”; it is an industrial-scale acceleration in enumeration, weaponisation, and disclosure that many organisations are structurally incapable of analysing, let alone processing effectively.

The uncomfortable truth is this: most enterprises can no longer patch their way out of trouble. It is debatable whether this method was ever truly successful in any case.

The Problems

Discovery at machine speed

Modern AI-assisted vulnerability research dramatically reduces the effort required to identify exploitable conditions across software, infrastructure, APIs, and bespoke applications. Tasks that once required specialist reverse engineering expertise can now be partially automated or significantly accelerated.

Researchers can analyse codebases in hours rather than weeks. Misconfigurations are surfaced at scale. Edge-case logic flaws are identified through pattern recognition and iterative prompting. Proofs of concept can be generated with alarming speed.

Meanwhile, public disclosure cycles continue to shrink. The result is a relentless torrent of CVEs, advisories, exploit chains, and “critical” alerts landing on the desks of already exhausted security teams. Many organisations now face hundreds, sometimes thousands, of actionable findings each month across endpoints, cloud environments, SaaS platforms, OT systems, and externally exposed services.

Yet despite this surge in discovery, the operational realities inside most businesses have not materially changed. AI has accelerated offence and discovery far faster than it has accelerated enterprise remediation.

The rise of AI-assisted development and “vibe coding” has further complicated the vulnerability landscape. Organisations are now deploying software at unprecedented speed, often with limited understanding of dependencies, insecure libraries, or opaque AI-generated code paths. Whilst Software Bills of Materials (SBOMs) are increasingly promoted as a solution for supply chain visibility, many enterprises still lack the operational maturity to maintain, validate, and act upon them effectively. Possessing an SBOM is one thing; understanding which component exposures genuinely present exploitable business risk is another entirely.

CVSS is no longer a “strategy”

One of the more damaging side effects of the current environment is the illusion that vulnerability management can still be solved through scoring models alone. Security leaders continue to receive reports prioritised by CVSS severity, EPSS probability, or vendor-defined criticality ratings. Whilst these models retain value, they are increasingly insufficient in isolation.

A “critical” vulnerability on an isolated development server may present negligible organisational risk. Conversely, a medium-severity flaw within an internet-facing identity platform, combined with weak segmentation and poor monitoring, may present catastrophic exposure.

The issue is no longer simply “What should we patch first?” The real question is: “What can realistically cause material business harm in our environment?”

The Solutions

He is saying Defence in Depth again

Returning to Lord of the Rings, fellow nerds will already know what happened at Helm’s Deep. When the Deeping Wall was breached, the defenders of Rohan did not simply surrender. They withdrew into the inner fortress of the Hornburg, creating additional defensive layers that slowed the advance of Isengard’s forces long enough for reinforcements to arrive and ultimately turn the tide of the battle. This is precisely how modern security architecture should function. Organisations must accept that outer defensive layers may eventually be breached; the objective is therefore not simply prevention, but delay, containment, and resilience. Adversaries should encounter segmentation, monitoring, identity controls, and restricted access as they move deeper into an environment, buying critical time for Security Operations Centres (SOCs) and Incident Response teams to detect, contain, and eradicate the threat before material damage occurs.

For years, defence in depth has been discussed almost as a theoretical ideal, a mature-state aspiration for well-funded organisations. In the current threat landscape, it is rapidly becoming the only viable operating model.

Why? Because organisations must now assume that:

  • Vulnerabilities will exist in production.
  • Some patches will be delayed.
  • Exploitation capability will emerge rapidly.
  • Adversaries will automate reconnaissance and exploitation.
  • Detection opportunities may be fleeting.

In practical terms, this means resilience must become as important as remediation.

Strong network segmentation, identity hardening, privileged access management, application allow-listing, EDR telemetry, immutable backups, MFA enforcement, and robust logging architectures all matter enormously because they reduce the blast radius when, not if, a vulnerability slips through.

The mature organisation is not the one that patches everything immediately. It is the one capable of surviving compromise without catastrophic business disruption.

Practice makes (almost) perfect

Another persistent misconception within vulnerability management is the belief that cybersecurity is primarily a technical function.

It is not.

Major incidents rapidly become business crises involving executive leadership, legal teams, communications departments, operations, insurers, regulators, and third-party suppliers.

This is why exercising matters. Tabletop exercises remain one of the most underutilised tools in enterprise resilience. A well-designed exercise exposes decision-making gaps far more effectively than another dashboard ever will.

  • What happens when a critical zero-day affects your remote access infrastructure on a Friday evening?
  • Who authorises emergency downtime?
  • How are customers informed?
  • Can the organisation operate manually for 72 hours?
  • What happens if backups are unavailable?
  • Who speaks publicly?
  • Who liaises with regulators?

These questions cannot be answered during the incident itself.

Similarly, restoration testing deserves far greater scrutiny. Many organisations possess backup strategies that look impressive in architecture diagrams but fail under operational conditions. Restoration speed, dependency mapping, credential recovery, and infrastructure rebuild capability are all crucial during high-pressure scenarios.

An untested recovery plan is merely optimistic documentation.

The Importance of Crisis Communications

Cyber incidents increasingly unfold in public. Customers, partners, regulators, journalists, and threat actors themselves may all shape the narrative before an investigation is even complete. Organisations that fail to prepare communications strategies often compound technical failures with reputational damage.

Crisis communications planning should therefore be integrated into cyber preparedness rather than treated as a downstream PR concern. Clear holding statements, escalation pathways, stakeholder notification plans, and executive media training all contribute to organisational resilience. Silence, confusion, or contradictory messaging during a major incident can erode trust faster than the technical compromise itself.

Getting ahead with Threat Intelligence

In a world saturated with vulnerabilities, cyber threat intelligence (CTI) becomes indispensable.

Not because it magically solves patching, but because it provides context.

Good CTI enables organisations to distinguish between theoretical exposure and genuine operational risk. It identifies which vulnerabilities are actively exploited by relevant threat actors, which sectors are being targeted, and which exploit chains are emerging in the wild.

That distinction is critical.

Without intelligence-led prioritisation, security teams risk exhausting themselves chasing noise whilst genuinely dangerous exposures remain unresolved.

CTI also supports strategic decision-making:

  • Which adversaries realistically target our sector?
  • What initial access vectors are trending?
  • Which technologies are under active exploitation?
  • What is our likely exposure window?
  • Which controls compensate most effectively for delayed remediation?

This allows organisations to make rational, risk-informed decisions rather than reacting emotionally to every headline CVE.
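The two points above, that scoring models are insufficient in isolation and that threat intelligence supplies the missing context, can be made concrete in code. The following is an added example, not part of the original article and not Thomas Murray tooling: it blends CVSS, EPSS, a CTI “actively exploited” flag and asset context (internet exposure, business criticality, compensating controls) into a single ranking, then contrasts that with a plain CVSS ordering. The weights, the three findings, and the CVE-style identifiers are all constructed placeholders for illustration.

```python
"""Context-aware vulnerability prioritisation (added example, not from the article).

Blends CVSS, EPSS, a threat-intelligence 'actively exploited' flag and asset
context (exposure, business criticality, compensating controls) into one
score, and contrasts the result with a plain CVSS ranking. All findings,
CVE identifiers and weights below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str                        # placeholder identifier, not a real CVE
    asset: str
    cvss: float                     # CVSS base score, 0.0-10.0
    epss: float                     # EPSS probability of exploitation, 0.0-1.0
    actively_exploited: bool        # CTI: exploited in the wild by actors relevant to us
    internet_facing: bool
    criticality: str                # business criticality of the asset: low | medium | high
    controls: Tuple[str, ...] = ()  # compensating controls around the asset


# Illustrative weights (assumptions; tune them to your own environment).
CRITICALITY_WEIGHT: Dict[str, float] = {"low": 0.5, "medium": 1.0, "high": 1.5}
CONTROL_DISCOUNT: Dict[str, float] = {
    "segmentation": 0.25,   # limits lateral movement after compromise
    "mfa": 0.20,            # blunts credential-based follow-on access
    "edr": 0.15,            # improves detection opportunity
    "allow_listing": 0.15,  # restricts what an intruder can execute
    "waf": 0.10,            # partial shielding of web-exposed flaws
}


def factors(f: Finding) -> Dict[str, float]:
    """Return the individual contributions so a ranking can be explained."""
    # A CTI confirmation of in-the-wild exploitation overrides a low EPSS estimate.
    likelihood = max(f.epss, 0.9 if f.actively_exploited else 0.0)
    # Internet-facing assets are reachable by automated reconnaissance; internal
    # ones still carry residual exposure once an attacker has a foothold.
    exposure = 1.0 if f.internet_facing else 0.3
    # Impact: CVSS normalised to 0-1 and scaled by what the asset means to the business.
    impact = (f.cvss / 10.0) * CRITICALITY_WEIGHT[f.criticality]
    # Compensating controls shrink the blast radius; floor at 0.2 so nothing drops to zero.
    mitigation = max(0.2, 1.0 - sum(CONTROL_DISCOUNT.get(c, 0.0) for c in f.controls))
    return {"likelihood": likelihood, "exposure": exposure,
            "impact": impact, "mitigation": mitigation}


def contextual_score(f: Finding) -> float:
    """Single score on a 0-15 scale; higher means remediate (or compensate) sooner."""
    fx = factors(f)
    return round(10.0 * fx["likelihood"] * fx["exposure"] * fx["impact"] * fx["mitigation"], 2)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Rank by contextual score, highest first."""
    return sorted(findings, key=contextual_score, reverse=True)


def by_cvss(findings: List[Finding]) -> List[Finding]:
    """The traditional severity-only ordering, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample findings: the article's two cases plus one in between.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "dev-build-01", cvss=9.8, epss=0.05, actively_exploited=False,
            internet_facing=False, criticality="low", controls=("segmentation", "edr")),
    Finding("CVE-0000-0002", "sso-idp-prod", cvss=6.4, epss=0.40, actively_exploited=True,
            internet_facing=True, criticality="high", controls=()),
    Finding("CVE-0000-0003", "vpn-gw-01", cvss=8.1, epss=0.70, actively_exploited=False,
            internet_facing=True, criticality="high", controls=("mfa", "edr")),
]


if __name__ == "__main__":
    print("CVSS order:      ", [f.asset for f in by_cvss(SAMPLE_FINDINGS)])
    print("Contextual order:", [(f.asset, contextual_score(f)) for f in prioritise(SAMPLE_FINDINGS)])
```

Run as-is, the CVSS ordering puts the isolated build server first and the identity platform last; the contextual ordering inverts it, because a confirmed in-the-wild exploit on an internet-facing, business-critical asset with no compensating controls outweighs a higher base score behind segmentation and EDR. The `factors` breakdown is what a security lead should be shown alongside the number, so the ranking can be challenged rather than accepted on faith.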

Accepting the New Operating Environment

The security industry may need to confront an uncomfortable reality: the traditional vulnerability management model is no longer sustainable at current scale.

  • The volume is too high.
  • The velocity is too fast.
  • The dependency chains are too complex.

This does not mean patching is unimportant; far from it. Effective remediation remains essential. But patching alone can no longer serve as the centrepiece of enterprise cyber defence.

The organisations that will navigate this era successfully are those that shift from a prevention-only mindset to one of operational resilience:

  • They will invest in layered controls.
  • They will rehearse failure.
  • They will strengthen restoration capability.
  • They will mature crisis response.
  • They will leverage threat intelligence to focus finite resources where they matter most.

Most importantly, they will stop pretending that every vulnerability can be fixed before adversaries arrive.

Because in the age of AI-assisted exploitation, that assumption is no longer realistic.
