惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Recorded Future
Recorded Future
C
Cyber Attacks, Cyber Crime and Cyber Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Scott Helme
Scott Helme
Cyberwarzone
Cyberwarzone
C
CERT Recently Published Vulnerability Notes
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Palo Alto Networks Blog
Google Online Security Blog
Google Online Security Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
WordPress大学
WordPress大学
博客园 - 聂微东
L
LINUX DO - 最新话题
月光博客
月光博客
小众软件
小众软件
T
Troy Hunt's Blog
A
Arctic Wolf
量子位
I
Intezer
大猫的无限游戏
大猫的无限游戏
T
Tailwind CSS Blog
S
Schneier on Security
Schneier on Security
Schneier on Security
NISL@THU
NISL@THU
T
Threat Research - Cisco Blogs
TaoSecurity Blog
TaoSecurity Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园_首页
有赞技术团队
有赞技术团队
N
News and Events Feed by Topic
美团技术团队
The Cloudflare Blog
P
Privacy International News Feed
S
Security Affairs
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
G
GRAHAM CLULEY
N
News | PayPal Newsroom
Apple Machine Learning Research
Apple Machine Learning Research
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
L
LINUX DO - 热门话题
V
Vulnerabilities – Threatpost
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
宝玉的分享
宝玉的分享
Application and Cybersecurity Blog
Application and Cybersecurity Blog
IT之家
IT之家
Hacker News: Ask HN
Hacker News: Ask HN
雷峰网
雷峰网

The Stack

How Lloyds has transformed its trusted critical data for AI Micron's revenue surges with no end to the memory shortage in sight Ubiquiti UniFi OS vulnerabilities exploited in the wild Mistral's new OCR 4 model shows size matters EU approves €76m in state aid for chip testing firm Even FedEx is a winner of the data centre boom Why AWS thinks AI coding assistants need a new place to run Why China is forging closer ties with open-source foundations China's CPU-only supercomputer tops power list Runtime: Why 'Bring-your-own-Cloud' is taking off; the TRAIT&R framework for agents, and... AWS adds yet another security tool to speed up patching Scattered Spider: UK teen pleads guilty to TfL attack OSS security finally gets a Magic Quadrant Places for People forking out £60m for new ERP system Google offers ATT&CK for bad AI, with surging cost forecast STACKUP: The Stack's weekly tech startups and funding wrap Bring Your Own Cloud: why more enterprises are buying in AWS takes NVIDIA "G7" Blackwell instances GA Runtime: Vercel sets up a new framework for agents, Databricks finds a new Genie, and… Borussia Dortmund's IT head has to sometimes think "outside of the box" Accenture stumbles after Middle East, AI, merger questions Cabinet Office offering £100k+ for AI "ambassador" Critical Splunk Enterprise vulnerability being exploited Accenture buys majority stake in OT security company Dragos npm's security rethink, Satya’s warning, a COBOL win, and... US spending billions to counter China's tech influence NatGeo Society CTO on migrating 15 years of video data to the cloud Alibaba opens French data centres in Europe cloud push SpaceX to take over Cursor in $60bn play for AI coding market Hosting firm Hetzner hikes prices sharply amid supply chain pain HSBC's CIO: AI is easy. True impact is hard. Databricks' Ali Ghodsi: 'Your processes have to change' Rackspace’s "30MW" AMD deal: The devil's in the details The Stack acquires Runtime What is npm doing to protect the JavaScript ecosystem Ron van Kemanade, Group COO, Lloyds, on agents, COBOL, IAM. Langflow instances are getting exploited – again Red Hat's $5 billion answer to Mythos: fix all the code OpenAI acquires German startup to spin up cloud dev environments for better agent control STACKUP: The Stack's weekly tech startups and funding wrap Microsoft CEO warns over concentrated AI model dependency Internet pillar cURL takes a summer holiday from security Anthropic knee-capped by abrupt export controls Months after losing its CEO, now Adobe's CFO gets poached Oracle zero-day exploited for nearly two weeks by Shiny Hunters HM Treasury needs a new CTO, the salary is below average AMD joins UK's Sovereign AI train with Cambridge "AI lab" Oracle PeopleSoft vulnerability exploited: 100s reported hit Oracle reports a $638 billion backlog The UK wants to record court hearings - but not an actual plan Bank of England restarts stalled £24m data collection refresh Anthropic warns LLMs can crank out N-day exploits cheap and fast Defender under Attack: June's Patch Tuesday in the spotlight The CISO needs to get focused on business resilience LibreOffice denounces Euro-Office as Microsoft Trojan Horse Apple's revamped Siri AI leans on Google models and cloud AI could be driving IT hiring in Europe, new report finds UK calls for “device-based” nude controls Cult browser project Ladybird cuts off code community UK gets $1.5bn AI Hardware Plan, and a big-coalition sovereign model plan too STACKUP: The Stack's weekly tech startups and funding wrap Fake IT support staff are walking in to US law firms to steal data Apple found a way to sharply cut token use Apache Livy graduates to Top-level project for Spark support Supabase raises $500m, looks to horizontal Postgres scaling GitLab Field CTO on unlikely customers pulling ahead with AI Killing the card? The UK’s banks eye a payments revolution MPs call on UK government to drop £330m Palantir-NHS deal The Tokenomics Foundation is coming for AI Finops Microsoft's new models give it a better moat The EU dropped its latest tech sovereignty package – what to know HMRC digital transformation: new customer service platform Tokenmaxxing is dead. Finops for AI is emerging slowly. This database company wants to take on Palantir ChatGPT 5.5 and Codex now on Bedrock for easy AWS access Multicloud gets sweeter with a 500 Mbps free private link Alphabet raising $80bn to keep up with ballooning AI CapEx How to get visibility and isolation for AI in Kubernetes Red Hat packages injected with worm in supply chain attack STACKUP: The Stack's weekly tech startups and funding wrap Dell COO says “pain” of price hikes will continue NVIDIA, MS tease tighter agent-native security primitives in Windows Microsoft turns down temperature amid Nightmare Eclypse row IBM to put $5bn and 20,000 engineers into OSS security fight MongoDB eyes more federal work, snaps up partner Clarity Chinese cyber victims overlapping with industrial strategy - ESET Microsoft stirs a hornets nest over “criminal” zero day disclosure threats Snowflake's AI coding tool is "flywheel" for data platform “Headless” Salesforce hits 1 trillion API calls MySQL gets a foundation with no Oracle, but Alibaba presense GCHQ teases “blueprint” for national AI cyber defense BNP Paribas moves to “zero copy” data model Snowflake joins US federal discount scheme Can Dropbox's new CEO save it from stagnation? Zscaler CEO drools over Mythos tailwind, but Jason's and Joe's departures spook markets Google chases a Kubernetes moment for AI agents UKHSA sticks with Oracle after outsourcing payroll Lenovo eyes “personal AI super agents” in $100 billion drive US eyes physics-based safeguards for water cyber threats Accenture beats IBM in Post Office's latest bid to ditch Horizon
Sumedh Thakar: CISOs need to think Shock, WoW, and "AWE"
Stephen Pritchard · 2026-06-01 · via The Stack

For Sumedh Thakar, CISOs are risk managers. In his 23 years at Qualys, and five years as CEO, Thakar has seen his industry evolve, from IT and information security, to including a far broader range of risks, from geopolitics to business operations.

As a cybersecurity vendor, Qualys is best known for its vulnerability detection and management. It helps enterprises identify risks in their applications, devices and cloud infrastructure. And it gives security and IT teams the tools to manage, or ideally, eliminate them.

But Qualys also provides asset management, cloud security and compliance applications, as well as its Risk Operations Center (ROC).

Qualys positions this as a central hub for threat intelligence and risk management, in the face of increasingly complex and effective cyber attacks, including those driven by AI.

ROC and threat landscapes

The ROC goes beyond vulnerability detection, identifying CVEs, and triaging them based on CVSS scores. The ROC brings together risk information from across the business, including its cloud and on-premises applications, and adds threat intelligence and wider, external risks to the picture. The ROC, Thakar says, provides that critical business context to security operations.

“You might have certain actors that are targeting certain industries and not others,” Thakar explains. “That tailored threat intelligence of what you as a company are being targeted for is very important, and that does change when geopolitical situations change. 

“Depending on, geopolitically, where you're situated, you might be more prone to being attacked. At the end of the day, having a vulnerability is not a guarantee of an exploit. It is just the fact that you have a vulnerability. But if somebody is specifically targeting you very directly, the chance of that vulnerability becoming an exploit goes much higher, because now somebody is focused on you,” he warns. “Having that high quality threat intelligence continuously integrated into your overall Risk Operation Center becomes very important.”

Things have changed...

This, he says, also reflects a wider change in businesses’ views on cybersecurity risk, and the changing role of CISOs. Previously, security teams would detect and catalogue threats and vulnerabilities. But fixing them, by isolating devices or patching, was usually left to IT.

“What has changed is that what we and many other folks focused on initially was vulnerability detection or vulnerability scanning,” Thakar explains. “I feel like Qualys put the ‘M’ back in vulnerability management... a vulnerability that is not fixed is not managed, it’s just detected.”

Dashboards that simply show executives how many vulnerabilities they have do little to improve practical security.

It will not, Thakar says, show the impact of a CVE on a business, or help security and IT teams decide what needs to be patched immediately, and what can wait.

“The number of vulnerabilities and the timeline for exploits has been changing quite dramatically,” he says. “So it really becomes important to be able to figure out what action needs to be taken very quickly. If the attackers are exploiting vulnerabilities in matter of hours, you don't have the time to first build a dashboard, have a human analyse it, then create tickets for somebody to fix it. The speed of response becomes very important.”

Shock, WoW and AWE

This change in the speed of attack has prompted Qualys to review how vulnerabilities, and risks, are measured. Measures designed for patching and remediation cycles of 90, or even 30, days are no longer good enough.

Metrics such as the mean time to respond, or mean time to remediate, are too generic to give an accurate view the threats businesses face, Thakar argues. And they fail to reflect the speed at which malicious actors now exploit vulnerabilities.

Instead, Qualys proposes a “window of weaponisation”, or WoW, for exploits, and the “average window of exposure”, or AWE, to measure how long an enterprise is at risk.

“Even if you fix 90% of your stuff within a short period of time, the long tail of the 10%, which is not captured by when you talk about a mean, could be the thing that gets you in trouble,” he says. “Instead of those metrics, we are looking at the window of weaponisation. How long it takes an attacker, once a vulnerability comes out, to weaponise it, becomes more important.

“Similarly for the defenders, the AWE is important. How long are you exposed for those specific exploitable vulnerabilities, instead of a very generic MTTR for all of your vulnerabilities?” Organisations are at risk, if the window of weaponisation is shorter than the AWE.

“If your average window of exposure is less than your window of weaponisation, you are generally in a good operational cadence,” he says. “If it is the opposite, where your window of exploit weaponisation is smaller and your average window of exposure is much larger, then you have to mind the gap.”

Risk range

And changing the way IT and security leaders measure threats is vital, as the volume and speed of cyber attacks continues to grow, Thakar says.

The number of vulnerabilities can only increase as enterprises deploy more software. “I was a developer myself, so I know when you write code, there’s some bugs introduced.” But nor can security teams go after, and fix, every vulnerability. Last year, researchers found 62.5m vulnerabilities, but under one per cent were exploitable. CISOs have to prioritise.

“There is definitely more and more of a push from the boards and the CISOs themselves to be a business partner and be able to put what they are doing more in the context of the business,” Thakar says.

“There's nothing like zero risk in anything. Are we in an acceptable range? That is the key point for boards.”

Delivered in partnership with Qualys.