{"id":8782,"date":"2026-07-16T07:00:00","date_gmt":"2026-07-16T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8782"},"modified":"2026-07-16T07:00:00","modified_gmt":"2026-07-16T07:00:00","slug":"flaw-surge-fuels-need-for-cisos-to-rethink-vulnerability-management","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8782","title":{"rendered":"Flaw surge fuels need for CISOs to rethink vulnerability management"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p class=\"wp-block-paragraph\">Security experts are calling on enterprises to revise their vulnerability management strategies and move towards \u201cjust in time\u201d patching in response the increased pace of vulnerability exploitation.<\/p>\n<p class=\"wp-block-paragraph\">Attackers are <a href=\"https:\/\/www.csoonline.com\/article\/4181924\/ai-worm-prototype-shows-attackers-dont-need-mythos-to-take-over-your-network.html\">turning to AI<\/a> to increase the <a href=\"https:\/\/www.csoonline.com\/article\/3632268\/gen-ai-is-transforming-the-cyber-threat-landscape-by-democratizing-vulnerability-hunting.html\">rate of vulnerability exploitation<\/a> and supply chain compromise so that traditional forms of vulnerability management are no longer keeping pace.<\/p>\n<p class=\"wp-block-paragraph\">Muhammad Yahya Patel, vCISO and cybersecurity advisor for EMEA at managed security services vendor Huntress, recently <a href=\"https:\/\/www.csoonline.com\/article\/4176086\/vulnerabilities-have-become-cyber-attackers-no-1-door-to-the-enterprise.html\">told CSO<\/a> that \u201corganizations need to shift their vulnerability management program to a risk-based, continuous [approach], tied to real-time exploitation intelligence \u2014 not scheduled patch cycles that leave exploitation windows wide open for days and weeks.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Wild frontier<\/h2>\n<p class=\"wp-block-paragraph\">Frontier AI tools such as Claude Mythos have <a href=\"https:\/\/www.csoonline.com\/article\/4158117\/anthropics-mythos-signals-a-structural-cybersecurity-shift.html\">signaled a structural shift for cybersecurity<\/a>, readily surfacing vulnerabilities at a huge scale \u2014 a development that, as government security assurance organizations such as the UK\u2019s National Cyber Security Centre point out, is likely to lead to a surge in patches.<\/p>\n<p class=\"wp-block-paragraph\">\u201cMost organizations already struggle to fix known issues quickly, so a spike in AI-driven discovery could easily overwhelm teams and widen the gap between finding problems and fixing them,\u201d Andrew Woodford, CTO at network security vendor Titania, tells CSO. \u201cIn many ways, this just exposes a problem that\u2019s already there.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Shane Fry, CTO at cybersecurity vendor RunSafe Security, argues that <a href=\"https:\/\/www.csoonline.com\/article\/3520881\/patch-management-a-dull-it-pain-that-wont-go-away.html\">patching as a security strategy<\/a> has been in crisis for years, and AI-accelerated vulnerability discovery has simply pushed it over the edge.<\/p>\n<p class=\"wp-block-paragraph\">Some experts contend that virtual patching \u2014 a technique that involves blocking exploit attempts at a security layer rather than fixing vulnerable code \u2014 represents a sound mitigation strategy, but Fry has reservations about the approach.<\/p>\n<p class=\"wp-block-paragraph\">\u201cWhile virtual patching will play a role going forward, its effectiveness is limited and leaves security teams chasing a gap they will never be able to close,\u201d Fry says.<\/p>\n<p class=\"wp-block-paragraph\">Instead, security teams need to shift toward mitigation-first approaches that make it impossible for attackers to exploit bugs in software.<\/p>\n<p class=\"wp-block-paragraph\">\u201cRemoving entire classes of exploits upfront takes the heat out of the patch gap, and allows patching to become strategic rather than reactive,\u201d Fry argues.<\/p>\n<h2 class=\"wp-block-heading\">\u2018Assume Autonomy\u2019<\/h2>\n<p class=\"wp-block-paragraph\">The conventional patch management model was designed around a world where vulnerability discovery happened at human speed: A human researcher finds a flaw, reports it, a CVE gets assigned, vendors ship a fix, enterprises test and deploy it \u2014 a process that can take weeks.<\/p>\n<p class=\"wp-block-paragraph\">AI-powered vulnerability discovery blows this model out of the water.<\/p>\n<p class=\"wp-block-paragraph\">\u201cIf offensive AI can identify, validate, and exploit vulnerabilities without human authorization, a 43-day median patch time, as noted in Verizon\u2019s DBIR, is the least of your problems,\u201d argues Rik Ferguson, vice president of security intelligence at Forescout. \u201cAn AI system doesn\u2019t wait for a proof-of-concept to circulate on GitHub or a CVSS score to land in a dashboard. It finds the flaw, confirms exploitability, and moves.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Ferguson advocates a change of approach toward what he describes as \u201cAssume Autonomy.\u201d<\/p>\n<p class=\"wp-block-paragraph\">\u201cThe question is what compensating controls you put in place between discovery and remediation, and how you constrain what an attacker can do with access they\u2019ve already acquired,\u201d Ferguson explains.<\/p>\n<p class=\"wp-block-paragraph\">Just-in-time patching fits in with this philosophy and is a desirable goal but may be difficult to achieve in practice especially for the many enterprises that struggle with asset management.<\/p>\n<p class=\"wp-block-paragraph\">\u201cJust-in-time patching is sound in principle: prioritize and deploy fixes as exploitation intelligence emerges rather than waiting for the scheduled window,\u201d Ferguson says. \u201cBut achieving it has some real-world requirements: continuous asset visibility, knowing precisely what you have, where it is, and what its current exposure status is.\u201d<\/p>\n<p class=\"wp-block-paragraph\">For example, Ferguson adds, \u201cyou can\u2019t patch just-in-time against a vulnerability in a device you didn\u2019t know was on your network.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Virtual patching<\/h2>\n<p class=\"wp-block-paragraph\">Gunter Ollmann, CTO at pen testing as a service firm Cobalt, notes that just-in-time patching makes sense if and when a patch is available \u2014\u00a0but that\u2019s not always possible.<\/p>\n<p class=\"wp-block-paragraph\">\u201cThe major problem lies in the discovery of new vulnerabilities in code or systems that the business has no rights or capabilities to fix themselves, and they have a dependence upon third parties to develop the fix or patch \u2014 and are therefore subject to external SLA [service level agreement] turnarounds,\u201d Ollmann explains.<\/p>\n<p class=\"wp-block-paragraph\">In such cases, enterprises will need to deploy virtual patches capable of blocking or deflecting the exploitation vectors of the vulnerable system.<\/p>\n<p class=\"wp-block-paragraph\">\u201cBusinesses are in desperate need of quickly deciphering a new vulnerability and dynamically creating an appropriate blocking rule \u2014 or rules \u2014 for their layered defenses,\u201d Ollmann says.<\/p>\n<p class=\"wp-block-paragraph\">Virtual patching may mitigate security threats particularly in operational technology (OT) and IoT environments where applying a vendor patch to a running production system risks unplanned downtime or safety system interruption but only serves as a stop gap, Ferguson tells CSO.<\/p>\n<p class=\"wp-block-paragraph\">\u201cA network-layer control that blocks exploitation of a known flaw, while you work through the testing and deployment cycle for the actual fix, is a compensating control,\u201d notes Ferguson, who warns that virtual patches come with multiple drawbacks.<\/p>\n<p class=\"wp-block-paragraph\">\u201cVirtual patches require accurate detection signatures, they don\u2019t remediate the underlying vulnerability, and they can create a false sense of closure that delays proper patching indefinitely,\u201d Ferguson argues. \u201cThe risk is that temporary becomes permanent. The underlying vulnerability stays open, and the virtual patch becomes the reason nobody revisits it.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Just-in-time risk reduction<\/h2>\n<p class=\"wp-block-paragraph\">Douglas McKee, director of vulnerability intelligence at Rapid7, advocates what he describes as just-in-time risk reduction rather than just-in-time patching because of the practical difficulties with the latter.<\/p>\n<p class=\"wp-block-paragraph\">\u201cIn the real world, especially in OT, medical devices, and business-critical systems, you can\u2019t always patch the second a CVE drops,\u201d McKee argues. \u201cYou still need testing, maintenance windows, rollback plans, and someone who actually owns the asset. However, the old monthly scan, report, and remediation cycle will not survive this pace.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Tips for modernizing vulnerability management<\/h2>\n<p class=\"wp-block-paragraph\">The enterprise attack surface has expanded significantly of late, and patch management models haven\u2019t kept up. In response, security leaders\u2019 vulnerability management strategies have to become more of a continuous monitoring function, not a triage and remediation process.<\/p>\n<p class=\"wp-block-paragraph\">Modernizing enterprise approaches to vulnerability management involves \u201creal-time exploitation intelligence integrated into prioritization, compensating controls deployed at discovery rather than at patch release, and visibility across the full asset estate that conventional patch management tools were never designed to cover,\u201d Ferguson says.<\/p>\n<p class=\"wp-block-paragraph\">Rapid7\u2019s McKee stresses that security teams need to separate \u201cknown vulnerable\u201d from \u201cactually reachable and exploitable in my environment.\u201d<\/p>\n<p class=\"wp-block-paragraph\">This process can be achieved through a combination of asset inventory, internet exposure mapping, KEV tracking, vulnerability intelligence, ownership, and emergency change paths.<\/p>\n<p class=\"wp-block-paragraph\">\u201cPrioritization based on risk factors like public exposure, known exploitation, automation potential, and technical impact is key,\u201d McKee concludes.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security experts are calling on enterprises to revise their vulnerability management strategies and move towards \u201cjust in time\u201d patching in response the increased pace of vulnerability exploitation. Attackers are turning to AI to increase the rate of vulnerability exploitation and supply chain compromise so that traditional forms of vulnerability management are no longer keeping pace. [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8783,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8782","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8782"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8782"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8782\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8783"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8782"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8782"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8782"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}