























Most enterprises are managing risks based on a threat model built for a different era. You set a risk threshold. You focused on the vulnerabilities above that line — the ones critical enough to keep you up at night. Everything below it, you managed. That was a reasonable tradeoff.
AI-powered cybersecurity tools have changed the model. They don’t just accelerate known exploits; they can find and weaponize everything below your threshold, including the vulnerabilities you decided weren’t urgent and the legacy devices you hadn’t gotten around to replacing. The bar hasn’t just moved. It’s been dropped. That realization is reshaping how we operate and defend our own network at Cisco, and we think it should reshape how every enterprise thinks about cyber defense.
“The stuff we used to not worry about — that’s now exactly what we worry about. The bar has been dropped, and we must rethink the whole model.”
Cisco’s corporate network carries traffic for millions of devices, thousands of applications, and a fast-growing population of AI agents. It is a prime target for the same adversaries our products are built to stop.
For years, we have operated on the same vulnerability-patching model most enterprises still use today: vulnerability disclosed, patch developed, change-window scheduled, manual approvals collected, fix deployed. That cycle — measured in weeks — made sense when adversaries needed months to weaponize a newly disclosed flaw. That window is now hours, with the trajectory pointing to minutes, and no amount of process improvement closes a gap that wide.
With new frontier AI models, traditional approaches to defending the network are no longer sufficient. The same capabilities that help us find and fix vulnerabilities faster are also landing in the hands of threat actors who can now scan, exploit, and weaponize weaknesses at machine speed. This dynamic extends well beyond our own code: our broader supplier ecosystem is racing to patch vulnerabilities while adversaries leverage these same models to discover and exploit them, often in parallel. The result is a rapidly compressing window between disclosure and exploitation, forcing us to evolve just as quickly.
Our teams focus on finding and fixing vulnerabilities and use approved, commercially available AI coding agents governed by contractual and technical controls to scan complex products with millions of lines of code. This helps us surface vulnerabilities that humans alone might miss.
Operationally, informed by our work with Anthropic’s Project Glasswing and OpenAI’s Daybreak, as well as other frontier models, we’ve reorganized our internal defense around four pillars, prioritized from the outside in — starting with the broader supplier and threat landscape and working inward to our own environment.
In this model, tools and agents don’t operate as a checklist but as a continuous loop, reinforcing each other at machine speed.
One of the most concrete shifts we’ve made is how we sequence our response. When the scope of exposure is large and you can’t do everything at once, triage structure matters as much as technical capability.
Our approach: work from the outside in. Internet-facing edges carry the greatest exposure risk and move fastest, so that’s where we’ve focused patching velocity and shielding first. As we move toward the core, the pace becomes more deliberate — the boundaries there are among our most critical. The segments separating our largest security zones — the firewalls protecting our most sensitive assets — get prioritized because protecting them limits lateral movement and contains blast radius if something gets through.
From there, every decision runs through the same risk-based logic: determine what is most exposed, what is most vulnerable, and what the proper response is, whether that is to remove it from the network, segment it, apply runtime protection, or accelerate the patch. End-of-life and unsupported assets get eliminated or isolated. Externally exploitable vulnerabilities get addressed first. Assets that can’t be patched within operational windows get runtime-first protection while remediation proceeds.
All of this points to something more fundamental than a faster patch cycle. The model we’re building toward isn’t a hardened fortress. It’s an agile and adaptable system that can move continuously to a more secure state without taking a time-out to do it.
“The game is always being ready to redeploy new, secure technologies. This notion that I’ve got to take a time-out and do patching work — that’s the game of the past.”
As the industry enters a period of intense infrastructure evolution, businesses must adapt security practices and operational models to build and maintain resiliency. Our participation in trusted initiatives like Project Glasswing and Daybreak provides us with the deep insights necessary to navigate this shift, yielding immediate changes in how we operate. But we aren’t done. As we continuously mature our operating model, we will continue to prove every capability internally, at scale and in production, and share the learnings and best practices that help our customers evolve their own security operations.
The window to get ahead of AI threats is still open. The organizations that build this operational muscle will compound their advantage. Those that wait compound their risk.
“We don’t just sell the network; we defend every minute of every day with the same tools we offer to our customers.”
Jason Lish is Senior Vice President, Chief Information Security Officer at Cisco, where he provides strategic leadership and oversight for Cisco’s Information Security functions, including enterprise information security, data protection, attack surface management, and security operations. He also oversees value chain security and the Security and Trust Organization’s mergers and acquisitions service.
