惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Archives - TechRepublic
Security Archives - TechRepublic
T
The Exploit Database - CXSecurity.com
P
Proofpoint News Feed
Scott Helme
Scott Helme
NISL@THU
NISL@THU
Cisco Talos Blog
Cisco Talos Blog
C
Cybersecurity and Infrastructure Security Agency CISA
AWS News Blog
AWS News Blog
V
Vulnerabilities – Threatpost
J
Java Code Geeks
U
Unit 42
The GitHub Blog
The GitHub Blog
H
Help Net Security
T
Tenable Blog
aimingoo的专栏
aimingoo的专栏
Jina AI
Jina AI
Spread Privacy
Spread Privacy
Apple Machine Learning Research
Apple Machine Learning Research
人人都是产品经理
人人都是产品经理
L
Lohrmann on Cybersecurity
T
Threatpost
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Engineering at Meta
Engineering at Meta
A
About on SuperTechFans
I
InfoQ
Microsoft Azure Blog
Microsoft Azure Blog
B
Blog
L
LINUX DO - 最新话题
K
Kaspersky official blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
Threat Research - Cisco Blogs
C
Check Point Blog
T
The Blog of Author Tim Ferriss
有赞技术团队
有赞技术团队
宝玉的分享
宝玉的分享
Help Net Security
Help Net Security
Google DeepMind News
Google DeepMind News
A
Arctic Wolf
Y
Y Combinator Blog
N
News | PayPal Newsroom
M
MIT News - Artificial intelligence
Latest news
Latest news
H
Hacker News: Front Page
Blog — PlanetScale
Blog — PlanetScale
腾讯CDC
I
Intezer
爱范儿
爱范儿
F
Fortinet All Blogs
P
Palo Alto Networks Blog
C
CERT Recently Published Vulnerability Notes

Security @ Cisco Blogs

We third-party tested our firewall built for AI-scale. The test tools hit their limit first. SharpHound Recon Attack - How AI enhanced the threat hunt Machine Speed, Human Judgement: How AI Changed the SOC in 2026 Elevating Expertise in the SOC Educate at Event Speed: Cisco Live Security Operations Center What Working the Cisco Live SOC Taught Me About AI, Detection, and Response Cable to Cloud - A Product Engineer's Journey Through the Cisco Live AMER 2026 SOC The Experience Dividend: How Better Digital Experience Protects Revenue, Trust, and Growth AIM: Building an Agentic Tier-2 SOC Analyst at Cisco Live AMER 2026 Building the Agentic SOC at Cisco Live Americas 2026 Ten Years in the SOC at RSAC: What We Learned in 2026 Uplevelling Black Hat Threat Hunters Making Workflow Runs Explain Themselves: AI-Powered Run Summaries in Cisco XDR Automate Independent Testing Confirms Secure Email Threat Defense’s Email Security Strength Defenseclaw for On-Prem AI SOC Workflow at Black Hat Asia Cisco Secure Access with MCP Infrastructure at Black Hat Asia 2026 The Essence of Black Hat – Collaboration with Partners Black Hat Asia 2026: A Decade in Singapore Black Hat Asia 2026: Threat Hunters’ Corner Unveiling the Power of Integration: XDR, Splunk, Corelight, Arista and Palo Alto Networks in Action at Black Hat Asia Cisco SASE with Meraki: Get in the Fast Lane to SASE Extending Zero Trust Across the Agentic AI Workflow Strengthening the Foundation: A Predictable, Customer focused Response to AI-Accelerated Vulnerability Discovery Quantum Resilience Needs a Common Language. Here’s Where to Start. Security at Cisco Live: Going Shields Up for the Agentic Era Identity Elevated: A New Unified Identity Experience in Cisco Cloud Control Security Needs a New Operating Model Cisco Secure Access and Microsoft Purview Integration for Simplified Data Protection Cisco Secure Access and Island Browser Enable Zero Trust Everywhere Finding what lives between the alerts: Announcing Cisco Talos Threat Hunting From Log Flood to Threat Signal: Cisco and Splunk Bring Context to Modern Defense Cisco Secure Access and Microsoft Edge for Business Integration Why Network Segmentation Projects Fail: Four Patterns Cisco’s Risk-Based Vulnerability Disclosure in the Age of AI Enhancing Cisco Secure Email Gateway: Safer Clicks and Cleaner Files AI-generated reporting: Lessons learned from Cisco Talos Incident Response Inside the SOC: AI-powered DNS defense against ransomware Security Insights: A Threat-First View for the Platform That Enforces Access From Strategy to Architecture: How Cisco is Building a Quantum-Safe Future AI-Ready, Simpler, and More Secure WAN: Cisco SD-WAN Innovations Designing for What’s Next: Securing AI-Scale Infrastructure Without Compromise Preparing for Post-Quantum Cryptography: The Secure Firewall Roadmap Mobile World Congress 2026: AI-powered Network Security Powering MWC Barcelona – Building a Unified SOC and NOC with Splunk in Record Time AI-powered Network Security at the Mobile World Congress 2026 SNOC Inside the Mobile World Congress 2026 SOC: Detecting Shadow Traffic with Firepower 6100 Data Optimization in Security: A Splunk Architect’s Perspective Inside the Talos 2025 Year in Review: A discussion on what the data means for defenders Zero Trust for Agentic AI: Safeguarding your Digital Workforce The Agent Trust gap: What Our Research Reveals About Agentic AI Security Meet Your Incident Responders
Security in the Post-Mythos Era
Yuri Kramarz · 2026-06-09 · via Security @ Cisco Blogs

Why the Fundamentals You Ignored Are the Only Things That Will Save You

In 2023, a colleague and I wrote a cybersecurity guide for businesses of any size. It was not glamorous work. Nobody was asking for another whitepaper about multi-factor authentication (MFA) and network segmentation. The industry had heard it all before: Harden your devices, segment your networks, deploy endpoint detection and response (EDR), centralize your logs, test your backups, validate your designs. These are not revolutionary ideas. They are the kind of recommendations that get polite nods in client meetings and then get quietly dismissed somewhere between budget approval and implementation.

We wrote the guide anyway. Not because I thought we were saying something new, but because after years of incident response work, I kept walking into the same rooms, looking at the same gaps, and having the same conversations with organizations that had just been breached. The attack vectors changed and the tooling evolved, but the reason organizations got hurt was almost always the same – the basics were not in place. In that paper we posed questions that, when answered honestly at the strategic level, could reveal the real state of an organization’s defenses. We covered endpoints, networks, cloud services, physical security, staffing, and logging. It was designed to be useful whether you had a team of 500 security analysts or a single IT person wearing multiple hats.

The core thesis was that patching alone is not a security strategy. You need a foundation that holds when patching fails – because eventually, patching will fail.

This scenario eventually arrived in April 2026.

Anthropic announced Project Glasswing and Claude Mythos Preview, an AI model that autonomously discovered thousands of high-severity zero-day vulnerabilities across every major operating system and web browser. Not theoretical weaknesses or potential issues – working, exploitable vulnerabilities. One was undiscovered for 27 years in OpenBSD, the operating system chosen specifically because it is said to be among the most secure in the world. This is what happens when vulnerability discovery stops being a human-speed activity.

It dawned on me everything we wrote about in 2023 – every recommendation, every question we posed -had just become dramatically more urgent, as speed is the new factor in the traditional risk triad. Cisco set out the strategic version of this argument in its Shields Up guidance after working with Mythos Preview. What follows is its operational companion.

The new math

Before Mythos and other frontier large language models (LLMs), the vulnerability lifecycle had a rhythm that most security teams had internalized. A researcher discovers a vulnerability, and weeks or months pass while an exploit gets developed. After a vendor releases a patch, organizations deploy it on their own schedule. There was slack in the system, which gave organizations time to triage, test, and be slow but still survive.

After AI and LLMs, the first two stages of that lifecycle collapsed to near-simultaneity. AI discovers the vulnerability and writes the exploit in minutes, not weeks. But the last two stages, patch release and patch deployment, remain human-driven processes operating at human speed. The gap between discovery/exploit and patch/deploy has widened from a manageable delay into a structural gap.

The numbers make this concrete. The FIRST 2026 Vulnerability Forecast projects a median of roughly 59,000 new CVEs this year, with a 90% confidence interval reaching up to 118,000. In 2025, 48,185 CVEs were published, a 21% increase over the year before, which works out to roughly 131 new vulnerabilities disclosed every single day. NIST acknowledged that CVE submissions grew 263% between 2020 and 2025. Starting April 2026, NIST announced it would only prioritize enrichment for CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) catalog, software used by the federal government, and critical software under Executive Order 14028. Everything else goes to the back of the line.

When talking about this data in customer briefings, I framed it around three factors: the minutes from discovery to exploit, the thousands of zero-days discovered, and how AI accelerates attackers and defenders equally. The Cloud Security Alliance was explicit about this in their April 2026 analysis. The ability to discover vulnerabilities at AI scale is not intrinsically a defensive capability. It is a dual-use capability whose effect depends entirely on who has access and what constraints govern their use. We are lucky that frontier models take responsibility for how they are used, but there are many open-source models with less oversight.

When vulnerability management fails, who do you fall back on?

The way I think about post-frontier model defense, and the way I have been presenting it to security leaders, follows a three-stage fallback model.

The first pillar is vulnerability management. Scan, prioritize, patch, repeat. This is where most organizations have concentrated their security spending for two decades. Patch velocity cannot match AI-driven discovery rates. With 59,000+ CVEs projected for 2026 and growing, the volume exceeds organizational capacity to triage, test, and deploy (in production, live). Not all vulnerabilities even have patches on day zero; some are deemed as “operational risk,” or it would take years to redesign systems or hardware. Vulnerability management is not dead, but it is no longer the primary line of defense; it is now one input among many. This is where Cisco IQ becomes essential. Its digital interface provides complete asset visibility, security hardening insights, and risk assessments, allowing you to proactively identify vulnerabilities and harden your systems in the face of mounting CVE volumes. Automating what you can will be key to resilience acceleration.

When patching fails, you fall back to the second pillar: the “old school” hardening that seems to be forgotten in era of EDRs. This is where the 2023 whitepaper becomes a guide:

We recommended building golden images that incorporate appropriate security logging, refreshing them every 6 to 12 months, and applying the latest hardening standards. The whitepaper from 2023 asks questions that most organizations still cannot answer confidently: Are well-known security standards for hardening followed consistently across all devices? When was the last time core system golden images were reviewed for weaknesses? Are golden images part of security reviews?

The third pillar is detection and response. Hardened systems do not prevent exploitation, but make it harder, slower, noisier, and survivable. Detection and response are what catches the exploitation that gets through, and in a post-AI exploitation world, some exploitation will get through. This is given and needs to be assumed.

This means EDR, NDR, and XDR for visibility across layers. Behavioral detection is critical when zero-days outpace signature updates. An attacker using an AI-discovered vulnerability still needs to execute code, establish persistence, move laterally, and exfiltrate data. Those actions produce behavioral signals that a properly configured EDR can detect regardless of whether the specific vulnerability was previously known. It means that we can use threat hunting to find what automation misses. It also means you need incident response capability for when prevention fails. New attacks will emerge. The question is not whether you will be compromised. It is now how quickly you can detect, contain, eradicate, and recover.

Validation is not optional

Having the right products deployed is necessary, but not sufficient. You also need to know how they work – and here is where most organizations have a blind spot the size of a continent.

The question every security leader should be asking right now is “Do my controls actually work? Not on paper, but under real-world attack conditions?” Penetration testing answers that question. So does assessing your configurations against CIS benchmarks and hardening what falls short. Threat modeling takes it further by mapping the attack paths a real adversary would use against your specific architecture, not a generic risk matrix.

Breakout assessments deserve special attention. They test the boundaries between network segments. Can an attacker move from a compromised endpoint to critical infrastructure? From IT to OT? From one business unit to another? In a post-AI world where a zero-day can provide initial access to network segment, the integrity of those boundaries is arguably the most important architectural property of your network. Finding out they are broken before a real adversary does is the difference between a containable incident and an existential crisis.

Then there is the response side, and this is where I see the widest gap between what organizations think they have and what they actually have. IR playbooks that have never been tested are not playbooks. They are hopes. Purple team exercises are what turn those hopes into muscle memory, the kind that determines whether your team freezes or acts when a real incident hits. Proactive threat hunts catch what your automation missed. When everything has been tested and still was not enough, emergency incident response is the capability that gets you from compromised to recovered.

The full picture is a cycle. You want to prevent security issues with products and hardening, validate with testing and assessment, and respond with hunting and incident response – all of it backed by threat intelligence, and all of it working together as a system, not as disconnected point solutions checked off a compliance spreadsheet.

What did not change

AI will not get tired of system exploitation, so risk will get realized much faster than in the past. Because of this, we now add “speed” to risk equation. It becomes Risk = likelihood x impact x speed as opposed to just Risk = likelihood x impact. AI does not change the principles of cybersecurity. MFA still blocks credential theft; segmentation still prevents exploit cascading into the environment; EDR still detects exploitation behavior, memory abuse, and attempts to “write” to memory segments; centralized logging still records events for detection and investigation; and tested backups still enable recovery.

Those statements were true before any LLM/AI vulnerability discoveries, they are true after LLM/AI, and they will remain true after whatever comes after current stacks. Because they operate at a layer of the security stack that is independent of how fast vulnerabilities are discovered. They work whether the attacker used a known CVE or a fresh zero-day, and whether the exploit was written by a human researcher over three weeks or by an AI in three minutes.

This is the structural insight built around the whitepaper in 2023. Nobody had predicted that LLM/AI vulnerability discovery explosion, but we had seen, over and over again in incident response engagements, that the organizations that survived breaches were not the ones with the fastest patching cycles. They were the ones that had built their security foundations before the breach arrived. The current AI acceleration does not wait for budget cycles, board approvals, or strategic plans. It rewards preparation and it punishes delays.