Dark Perimeter: True Cybersecurity Stories
Every major cyberattack has a story behind it. A vulnerability no one patched. A phishing email someone clicked. A nation-state with a motive. Dark Perimeter goes beyond the headlines to explore the true stories of the hacks, breaches, and cyber operations that shaped history - told in narrative form for security professionals and curious minds alike. No guests, no panels, no filler. Just the story.
Dark Perimeter: True Cybersecurity Stories
Dark Perimeter: "The Clock Is Broken: AI, Exploits, and the Death of Monthly Patching"
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Welcome back to Dark Perimeter. Security, AI, and the Edge of What's Coming. I'm Cole Draden. The twenty twenty six Verizon Data Breach Investigations report, dropped yesterday, and buried inside the data, is a finding that should stop every security leader in their tracks. For the first time in 19 years of DBIR publication, vulnerability exploitation has surpassed stolen credentials as the number one breach entry point. Nearly a third of all breaches now start with an attacker finding a hole in your software, not stealing a password. That alone would be a headline. But the reason it's happening is the story that deserves your attention tonight. AI is now in the hands of threat actors, and it is compressing the window between when a vulnerability is disclosed and when it gets weaponized. From months down to hours. I've got two guests with me tonight who have been tracking this shift from both the technical and operational sides. Dr. Elliot Vance, who works at the intersection of threat intelligence and machine learning research, and Marcus Hale, who has spent years inside enterprise security operations trying to hold the line. Welcome back, both of you.
SPEAKER_01Good to be here, Cole. This DBIR finding is one of those moments where the data catches up to what practitioners have been feeling for a while. The gut said something was changing. Now the numbers confirm it.
SPEAKER_02And it's uncomfortable data because the response most organizations have to vulnerability management is still built around a monthly rhythm. Patch Tuesday, the monthly vulnerability review, quarterly risk assessments, that cadence made sense when the exploit development cycle was measured in weeks or months. It does not make sense anymore.
SPEAKER_00Let's ground this. Walk me through what's actually changed on the attacker side. Because we've been talking about AI-assisted attacks for a couple of years now. What's different today versus 18 months ago?
SPEAKER_01The capability inflection point is reasoning. 18 months ago, AI tools could help attackers write phishing emails or slightly speed up reconnaissance. That's noise. What changed is that current frontier models can reason through a vulnerability disclosure, read a CVE, read the patch diff, understand the architecture of the affected software, and begin generating working exploit code in a feedback loop. The model tries something, sees why it failed, adjusts, tries again. What used to require a skilled human researcher spending days on that loop now takes hours, sometimes less. The DBIR specifically called out that AI is shrinking the window from months to mere hours for known vulnerabilities. And the key word there is known. These aren't zero days, these are CVEs that have patches available. The defenders have the information they need to fix this. The attackers have AI helping them race to exploit it before the defenders can act.
SPEAKER_02And that asymmetry is what makes this so punishing. The attacker only has to exploit one gap, one system that wasn't patched in time. The defender has to cover everything. AI makes the attacker's side of that equation dramatically more efficient. It doesn't do the same for the defender at the same rate, yet.
SPEAKER_00So let's talk about what this actually means if you're running a security program. Because most organizations I talk to are still on a 30-day patch cycle. Some are better. Critical vulnerabilities in 14 days, critical infrastructure in seven. But the baseline assumption in most policy documents is that monthly is acceptable. Is that still true?
SPEAKER_02Honestly, Cole, for anything internet facing or in a high exposure zone, no, monthly is not adequate anymore. And I want to be precise about what I mean, because I'm not saying you need to patch everything in hours. I'm saying you need to shrink the cycle specifically for high CVSS, actively exploited vulnerabilities. SISA's known exploited vulnerabilities catalog exists for exactly this reason. If something hits the CAVE list, the assumption has to be that active exploitation is occurring or imminent. The federal deadline for K of items is typically two weeks. Private sector organizations should be treating that as a ceiling, not a target.
SPEAKER_01And the tooling to help defenders exists now too. Vulnerability prioritization platforms can ingest threat intelligence, correlate it with your asset inventory, and surface what actually needs emergency attention versus what can wait for the normal cycle. The problem is adoption. A lot of organizations are still doing manual triage from a flat CSV export. That approach cannot keep pace with an AI-assisted exploitation timeline.
SPEAKER_00Attackers use AI to compress time to exploit. Defenders need AI to compress time to patch. And both sides are racing on the same track. Let's pivot. Because the context for all of this is the state of the AI models themselves. Because we can't have this conversation honestly without acknowledging where the frontier actually is right now. Marcus, you've been watching the model releases this month. Give us the landscape.
SPEAKER_02What was the Frontier model three months ago is now mid-tier.
SPEAKER_01The benchmark story is interesting here. The traditional tests, MMLU, human evil, are essentially saturated. Every frontier model scores above 90%. They've lost their diagnostic signal. The research community has had to move to dynamic benchmarks that test fluid reasoning, agentic task completion, and multi-step tool use in realistic environments. And on those newer benchmarks, the models are still improving rapidly. The one that has security implications is what the UK's AI Security Institute published recently. Anthropic's Mythos Preview cleared a 32-step corporate network simulation covering reconnaissance all the way through full domain takeover. It completed the simulation in three of ten runs and maintained a 73% success rate on expert-level tasks. That's a penetration tester operating at a senior level, automated at machine speed.
SPEAKER_00That stopped me when I read it. Because that's not a proof of concept anymore. That's a capability that exists. The question is, how long before that capability is accessible to threat actors who aren't sophisticated nation states?
SPEAKER_01The honest answer is that the gap between frontier capability and accessible capability has been closing faster than anyone predicted. Open weight models, models where the weights are publicly released, are closing the gap with proprietary ones. A model released earlier this year by a Chinese lab came in with a hallucination rate of 1.2% and a price point of 11 cents per million input tokens. That's not a research artifact. That's infrastructure that could be integrated into an attack platform.
SPEAKER_00Which brings us to the question that I think is on everyone's mind, but rarely gets asked directly on a podcast like this. How close are we to AGI? And I mean that with precision. Not the science fiction version, but the capability threshold where AI can do essentially any cognitive task a skilled human expert can do. Because that threshold matters enormously for the threat landscape.
SPEAKER_01The honest answer is that the people who study this most carefully have meaningfully shifted their estimates in the last six months. Earlier this year, a research group tracking autonomous coding capability, basically the point at which AI can replace human software engineers at scale, moved their median estimate from late 2029 to mid-2028. That's a compression of over a year in a single quarter's update. Sam Altman has publicly claimed they've basically built AGI or something very close to it. Satya Nadella pushed back hard and said the industry is nowhere near it. Dario Amoti at Anthropic has placed his estimate between one and three years. Sequoia published a piece in January, arguing that the ability to hire a frontier model today as a cognitive worker, a reasoning agent that can take actions, use tools, and complete complex tasks is itself a form of AGI that we've already crossed.
SPEAKER_02The definition question is real, though. If AGI means a system that can beat every human at every cognitive task simultaneously, we're probably further away. If AGI means a system that operates at expert level across a broad range of domains and can autonomously complete multi-step work in the real world, we are very close or already there, depending on how you define the domain boundary.
SPEAKER_00And from a threat perspective, the definition doesn't matter much. What matters is capability. The question isn't whether we cross some philosophical threshold. The question is whether adversaries have access to systems that can reason, plan, adapt, and execute at expert level with minimal human involvement. That question has a current answer increasingly yes.
SPEAKER_01The agenic piece is the key development to watch. We've gone from models that answer questions to models that reason to models that now plan multi-step actions, use tools, call other AI systems, and execute tasks autonomously. That last step is qualitatively different. Find a vulnerability in this organization's perimeter, develop an exploit, establish persistence, and work toward it without requiring a human in the loop at each step. The time horizon for autonomous action is expanding every quarter.
SPEAKER_00So, where does that leave a security practitioner sitting at their desk tonight? Let's bring this down to earth.
SPEAKER_02A few concrete things. First, your patch management policy needs a tiered review now, not next quarter. Build an emergency lane that bypasses the monthly cycle for anything that hits the SISAKEV list or scores critical with active exploitation evidence. That lane needs to have teeth. Uh defuncy, defined SLA, defined escalation, and the authority to act without waiting for the next change management window. Second, if your vulnerability triage is still manual, you need to automate prioritization. Not because automation is a trend, but because the attacker's timeline now moves faster than a human analyst can read and respond to a flat list of CVEs. Third, the DBIR finding about mobile social engineering deserves attention too. As people get more sophisticated about email phishing, attackers are moving to voice calls and text messages with a success rate 40% higher than traditional email phishing. Your user awareness program needs to address that shift specifically.
SPEAKER_01And at the strategic level, if you haven't started thinking about your cryptographic inventory, now is the time. The quantum timeline is compressing. Research published this year suggests breaking RSA 2048 may require far fewer qubits than we thought two years ago. NIST has set this year as the migration deadline for quantum-resistant algorithms. The harvest now decrypt later threat is not theoretical. Adversaries are storing encrypted data today, betting they can crack it in a few years. If your organization handles data that needs to remain confidential for more than five years, that is an active risk right now.
SPEAKER_00AI has changed the speed of offense. It's in the process of changing the speed of defense. The organizations that fall behind on adopting AI-assisted defensive capabilities while adversaries are already running AI-assisted offensive capabilities are going to find that gap very hard to close. Monthly patch cycles assumed a world where attackers moved slowly. That world is gone. Well said. Elliot Marcus, as always, appreciate you both coming in and thinking through this with clarity. We'll have links and context from tonight's episode at the usual place. Stay sharp, stay current, and we'll see you on the next one. This is Dark Perimeter.