Full Report
Cybersecurity leaders and practitioners brought their burning AI cybersecurity questions to EXPOSURE 2026. They left with clear answers and a blueprint for building an exposure management program. Get a recap and see highlights from the event in words and pictures. Key takeawaysAs frontier AI models simultaneously accelerate the pace of vulnerability discovery and exploitation and drastically reduce the cost and complexity of launching attacks, cybersecurity faces a critical inflection point where traditional threat models and manual workflows are no longer viable. EXPOSURE 2026 gave attendees a much-needed opportunity to connect with peers, learn how they’re addressing the challenges of AI and building it into their workflows, and develop a game plan, with exposure management at its core, for protecting their organizations from AI-powered adversaries. Tenable Co-CEOs Steve Vintz (right) and Mark Thurmond For the cybersecurity leaders and practitioners who attended EXPOSURE 2026 in Boston this week, the event could not have come at a better time. While momentum for exposure management as a means to proactively reduce cyber risk has been building for more than a year, recent rapid advances in frontier AI models have made it even more critical. EXPOSURE ‘26 attendees arrived at Boston’s historic Park Plaza Hotel on Monday, May 18, 2026, just six weeks after Anthropic unveiled its groundbreaking frontier model, Claude Mythos Preview. They showed up with pressing questions about securing AI, the impact of frontier AI models on cybersecurity, and how exposure management can address all that and more. They left with clear answers, following an intensive day of training and two days of thought-provoking mainstage and breakout sessions featuring Anthropic Field CTO (Cyber) Brett Andrews, CISOs from GEICO, Smithfield Foods, Munich Re, and EōS Fitness, and Tenable experts. EXPOSURE 2026 gave attendees a rare opportunity to catch their breath amid the escalating, machine-speed pace of cybersecurity. It kicked off with an immersive day of training that provided attendees with a blueprint for building a successful exposure management program. And it offered them a chance to compare notes with peers and work collaboratively to develop a game plan for protecting their organizations from AI-powered adversaries with exposure management at its core. Cybersecurity’s quadruple AI challengeFour challenges that AI creates for cybersecurity underpinned every session at EXPOSURE 2026: Frontier AI models like Anthropic’s Claude Opus 4.6 and Mythos make it vastly faster, easier, and more economical for threat actors to discover new vulnerabilities and build exploits for them.AI creates new attack vectors (e.g., prompt injection, jailbreaks, model poisoning, context poisoning in memory, etc.) that traditional cybersecurity controls weren’t designed to address.AI expands every organization’s attack surface, giving threat actors even more entry points to exploit.AI functions as a force-multiplier for threat actors, giving them speed and the advanced, 32-step reasoning capabilities required to autonomously execute an entire network attack chain. Anthropic Field CTO Brett Andrews (left) with Tenable SVP of Product Strategy Eitan Goldstein Anthropic’s Andrews discussed the impact of frontier models on cybersecurity, the threat landscape, and how defenders can leverage AI to their advantage.To illustrate what organizations are up against, several presentations highlighted the sharp contrast between the steady acceleration in vulnerability discovery and exploitation, and the simultaneous deceleration in organizations’ patching and remediation. Tenable CTO Vlad Korsunsky In 2021, for example, the median time to exploit was 84 days, according to Zero Day Clock. Today, it’s 1.6 days. Meanwhile, in 2025, it took organizations an average of 43 days to patch critical CVEs, up 34% from 32 days in 2024, according to data that Tenable Research contributed to the 2026 Verizon Data Breach Investigations Report (DBIR), which was released on the first day of EXPOSURE 2026. Referencing additional data from the DBIR, Tenable Chief Product Officer Eric Doerr noted that 31% of breaches in 2025 began with an unpatched CVE as the initial access vector. This trend will likely intensify, as frontier AI models accelerate vulnerability discovery, unless security teams adapt. Doerr also spoke to data from Tenable showing that nearly two-thirds of breaches begin with something that isn’t a CVE, such as a misconfiguration, stolen credential, or exposed secret. He used this stat to prove the point that if you’re only concerned about CVEs, you’re leaving two-thirds of your organization’s attack surface exposed. It’s this other attack surface beyond just CVEs that exposure management addresses. Tenable Chief Product Officer Eric Doerr AI-powered exposure management: the blueprint for preemptive defensePresenters used these and other statistics from the DBIR, Tenable’s own telemetry, and other sources to make the case for cybersecurity transformation focused on a preemptive and much more autonomous defense. They showed how explosive, enterprisewide adoption of AI combined with AI-enabled threat actors requires that organizations build these exposure management capabilities into their cybersecurity programs: Unified visibility - Continuous, deterministic asset discovery across the entire hybrid attack surface, capturing every vulnerability, misconfiguration, and excessive permission across on-prem and cloud infrastructure, OT environments, and the rapidly expanding AI attack surface.Contextual, AI-powered insights - Moving past standard CVSS scores to focus on real-world exploitability and business impact, and mapping viable attack paths to understand exactly how an attacker could move laterally toward core assets.Machine-speed action - Shifting from manual workflows to automated, orchestrated fixes. Because human teams cannot triage alerts at machine speed, organizations must deploy agentic AI workflows with appropriate guardrails, including human oversight, to proactively harden posture and isolate active threats. Tenable CSO Robert Huber Tenable CSO Robert Huber shared his experience transforming his vulnerability management program and team into an exposure management program and team, which began two years ago. The impetus was the challenge that Huber and his team faced every quarter when he needed to report on cyber risk to the board of directors: His team had to manually gather, aggregate, harmonize, and analyze data from 50 different security tools that each had their own unique way of reporting on risk. Now, Huber’s team can produce reports in minutes. They’ve also extended their scope of visibility from less than 10,000 assets to more than 100,000 assets and reduced alert to ticket volume by 1,500 to 1, all with the same number of staff. A live AI vs. AI attack simulation created and led by Tenable Researchers Robert McSulla and Ben Smith demonstrated the capabilities of a fully autonomous, agentic defense against a fully autonomous, agentic adversary. McSulla and Smith impressed several key points upon their audience, including:Speed is not the only factor in AI-driven attacks. Yes, AI makes threat actors faster. It also makes them smarter. The demo showed how the adversarial agents reason, make decisions, adapt, and find new, unmapped attack surfaces.Defenders can gain the same advantages as attackers. Defensive agents proactively assess posture, develop and deploy patches for vulnerabilities, and take other hardening actions to reduce risk and mitigate threats.Security leaders and their teams need to get comfortable with autonomous defense. Consider your tolerance for fully autonomous defensive agents: Would you let them shut down a service, configure firewall rules, rotate credentials, or write and deploy patches? That’s what it takes to keep up with agentic attacks that achieve their objectives within three minutes.It’s time to build a governance framework for agentic defense. McSulla and Smith built a governance framework for the defensive agents in their simulation that determines intent, evaluates severity levels, and applies rules, such as when to require a human to make a decision or take an action. Bob McSulla (left) and Ben Smith Custom kicks and other fun Amid the seriousness of cybersecurity, attendees got to pick out custom Converse sneakers featuring Tenable’s iconic new branding. The "Sneaker Bar" at EXPOSURE 2026 EXPOSURE attendees also had the chance to experience the perfect summer evening at Fenway Park, home of the Boston Red Sox. An evening at Fenway Park during EXPOSURE 2026 Tenable announcements at EXPOSURE 2026 EXPOSURE 2026 was punctuated by a host of significant announcements from Tenable, including:The general availability of Tenable Hexa AI, the agentic engine of the Tenable One Exposure Management Platform that gives preemptive security teams capabilities to operate at machine speed.New AI initiatives with Anthropic to increase the agentic capabilities of Tenable One.A strategic integration with the Claude Compliance API designed to help customers improve their visibility into Claude usage across their organizations.The release of the Tenable One Open Connector, which allows customers to bring third-party, custom, and internal data from any source into Tenable One.The launch of the Tenable Open Partner Exchange Network.The Tenable Research team’s prolific contributions to the 2026 Verizon Data Breach Investigations Report.
Analysis Summary
# Industry News: Tenable EXPOSURE 2026 and the Shift to Agentic AI Defense
## Summary
Tenable’s EXPOSURE 2026 conference highlighted a pivotal shift in the cybersecurity landscape, moving from manual vulnerability management to autonomous, "agentic" exposure management. The event served as a platform for Tenable to launch various AI-driven tools and partnerships designed to counter the "quadruple threat" of frontier AI models used by modern adversaries.
## Key Details
- **Date:** May 18–20, 2026
- **Companies Involved:** Tenable, Anthropic, Verizon, GEICO, Smithfield Foods
- **Category:** Product Launch & Strategic Partnership
## The Story
At EXPOSURE 2026, Tenable addressed a critical "inflection point" in cybersecurity: the speed of exploitation has reached machine levels, while enterprise remediation remains dangerously slow. Citing data from the 2026 Verizon DBIR, Tenable noted that the median time to exploit a vulnerability has plummeted to 1.6 days, while the average time to patch a critical CVE has risen to 43 days.
To bridge this gap, Tenable introduced the concept of "Agentic AI" defense. Unlike standard AI assistants, agentic AI can reason, plan, and execute multi-step security workflows autonomously. A central highlight was a partnership with Anthropic, leveraging the newly released **Claude Mythos Preview** and **Claude Opus 4.6** models to power Tenable’s defense engines. The conference emphasized that traditional CVE-based tracking is insufficient, as 66% of breaches now originate from non-CVE factors like misconfigurations and exposed secrets.
## Business Impact
### For the Companies Involved
- **Tenable:** Positions itself as the market leader in the emerging "Exposure Management" category, moving beyond its roots as a vulnerability scanner (Nessus) to an orchestrator of autonomous defense.
- **Anthropic:** Secures a dominant foothold in the cybersecurity vertical by integrating its frontier models directly into the defensive stack of a major security vendor.
### For Competitors
- Traditional Vulnerability Management (VM) players face pressure to evolve. Companies still relying on manual triaging and CVSS-only scoring risk obsolescence as the market moves toward "machine-speed" remediation.
- Vendors must now prove their "agentic" capabilities or risk being viewed as too slow for the AI era.
### For Customers
- Organizations gain the ability to consolidate disparate security tools (as demonstrated by Tenable’s CSO, who reduced 50 tools into a unified platform).
- High staff-to-asset ratios can be mitigated; Tenable reported a case of reducing alert volume by 1,500-to-1 with the same headcount.
### For the Market
- This signals the end of "Human-in-the-Loop" as a requirement for every security action. The market is shifting toward "Human-on-the-Loop" governance, where AI acts and humans audit.
## Technical Implications
The release of **Tenable Hexa AI** introduces an autonomous engine capable of mapping attack paths and deploying patches. Technically, this requires high-fidelity "deterministic asset discovery" and the use of the **Claude Compliance API** to ensure AI usage within the enterprise does not create new "shadow AI" risks. The **Tenable One Open Connector** also addresses the "data silo" problem by allowing custom data ingestion at scale.
## Strategic Analysis
- **Market Positioning:** Tenable is shifting its value proposition from *identification* (finding holes) to *anticipation and remediation* (closing holes at the speed of the attacker).
- **Competitive Advantage:** The integration with Anthropic’s most advanced models provides a reasoning engine that competitors using older LLMs may struggle to match.
- **Challenges:** The primary obstacle is "trust." Security leaders must be convinced to let autonomous agents perform sensitive tasks like rotating credentials or writing firewall rules in production environments.
## Industry Reactions
Industry consensus at the event suggests a mix of urgency and caution. CISOs from major brands like GEICO and Munich Re signaled that the "quadruple AI challenge"—faster exploits, new attack vectors (prompt injection), expanded surfaces, and 32-step autonomous attack chains—leaves them with no choice but to adopt similar AI-driven defenses.
## Future Outlook
Expect a "governance gold rush" where organizations scramble to build frameworks for agentic defense. The industry will likely see a move toward "3-minute windows"—the time it takes for an autonomous adversary to complete a breach—requiring defensive agents to operate within seconds.
## For Security Professionals
Practitioners must pivot from being "patch managers" to "AI governors." The skillset is shifting away from manual log analysis toward building and auditing automated workflows. Security teams should prepare to define their "tolerance for autonomy"—deciding which defensive actions they are comfortable letting an AI take without manual approval.