Full Report
Tenable CTO Vlad Korsunsky talks about participating in the World Economic Forum’s Annual Meeting on Cybersecurity and Tenable’s EXPOSURE 2026 conference, where he talked with global leaders about new game-changing AI threats and the groundbreaking benefits of exposure management.Key takeawaysThe patching cycle is obsolete. Advanced AI models have compressed exploitation timelines into “negative days,” meaning adversaries actively weaponize vulnerabilities before vendor patches are even released.Shift from static CVE severity scores to AI-powered exposure management. Point-in-time vulnerability-risk snapshots fall short. You need AI insights to prioritize remediation based on real-world exploitability of your entire attack surface.Secure the agentic economy. The rapid explosion of autonomous non-human AI identities demands the immediate application of zero trust and least-privilege cryptographic primitives to mitigate severe, systemic internal risks.Don’t focus only on vulnerabilities. While the 2026 Verizon DBIR ranks vulnerability exploitation as the top initial access vector for breaches (about 30%), the majority of breaches (70%) stem from human errors, such as misconfigurations and identity flaws.Tenable Chief Technology Officer Vlad Korsunsky recently participated in the World Economic Forum’s Annual Meeting on Cybersecurity in Geneva, Switzerland, an annual summit that takes the pulse of global cyber risk. Korsunsky was one of 150 senior leaders from global industry and government who gathered to discuss how to strengthen businesses’ cyber defenses. The sobering, collective consensus: The traditional cybersecurity playbook is obsolete, as AI becomes an unprecedented threat multiplier.For Tenable, participating in foundational, high-level dialogues and collaborations such as this one is both a privilege and an immense responsibility. As the cybersecurity operating model gets rewritten in real-time, Tenable feels a duty to help shape cyber defenders’ collective insights and strategies. Tenable has spent years addressing the structural cybersecurity operational gaps that worry C-level executives and government leaders worldwide. Korsunsky also had a chance to sit down with many of the hundreds of cybersecurity executives who gathered recently at Tenable’s EXPOSURE 2026 conference. The EXPOSURE 2026 discussions ranged from the death of reactive patching cycles to the need to counter AI threats with systemic cyber resilience, and signaled an urgent need to shift away from a siloed, fragmented approach to cybersecurity and move toward AI-powered exposure management.Below is an in-depth Q&A with Korsunsky, expanding on his participation in the Geneva and Tenable meetings, the rapid escalation of AI threats, and the way to tame cyber risk today and in the coming years.Q: Vlad, you recently returned from the World Economic Forum’s Annual Meeting on Cybersecurity in Geneva. What was the overarching energy in the room among these 150 global leaders, which included CEOs, CTOs, CISOs and government leaders?Vlad Korsunsky: The energy was highly focused and, frankly, deeply sober. We are witnessing an unprecedented compression of the threat landscape, and everyone in that room, whether they were running a multinational bank, directing a national cyber defense agency, or leading an NGO, realized that conventional cyber defenses cannot keep up with this velocity.A telling example of how high the stakes have jumped occurred just recently in Washington, D.C. The then Federal Reserve Chair Jerome Powell and U.S. Treasury Secretary Scott Bessent convened an emergency, high-level meeting with the CEOs of some of America's largest financial institutions, including Wall Street giants like Goldman Sachs, Citigroup, Wells Fargo, Bank of America, and Morgan Stanley. The entire meeting focused on a single AI model: Anthropic’s Claude Mythos Preview. Anthropic had flagged that while it built Mythos to bolster cyber defense, its raw capabilities were so advanced that, if weaponized or leaked, it could pose a major threat to the structural stability of the global financial system. When the highest echelons of fiscal and state power are holding emergency briefings over the capabilities of a single generative AI model, you know you’re dealing with a fundamentally different cyber threat landscape.Q: When asked, "What are the top cyber concerns for 2027?," meeting participants ranked the capacity of AI to be a threat multiplier as number one. Is this a future problem, or are we living it now?Vlad Korsunsky: The threat of AI in the hands of attackers is absolutely a global concern today. Look at the empirical metrics tracking adversary speed over the last decade and a half. For years, Mandiant tracked a linear trend that actually looked like a win for defenders. Time-to-exploit, which is the window between a vulnerability being disclosed and an active exploit hitting the wild, shrank steadily from 63 days in 2018 down to 32 days by 2022. Concurrently, average attacker dwell time — the time an attacker remains undiscovered after breaching a network – plummeted from more than 400 days in 2011 down to just 14 days in 2025. In short, defenders were actively closing the gap.Then came 2023, and the trend broke violently. Time-to-exploit collapsed from 32 days to just five. By 2024, it went negative: minus one day. According to Mandiant’s latest “M-Trends 2026 Report,” published last month, the average time-to-exploit sits at minus seven days. Think about that structural asymmetry. Attackers are successfully weaponizing and exploiting vulnerabilities a full week before a vendor compiles and ships a patch. Meanwhile, the median timeline for an enterprise to deploy a patch across their environment is roughly 43 to 55 days, according to this year’s Verizon Data Breach Investigations Report (DBIR). If adversaries are operating in negative time and defenders are operating across months, the traditional patching cycle is effectively a dead strategy.Q: What is driving this terrifying acceleration? How are attackers moving so quickly?Vlad Korsunsky: It is driven entirely by advanced frontier LLMs doing in minutes what used to require weeks of highly specialized human labor. Back in February, Anthropic’s Opus 4.6 model uncovered more than 500 zero-day vulnerabilities in widely utilized open-source software, flaws that had remained undiscovered despite decades of manual peer review by brilliant human engineers. Less than two months later, Anthropic’s Mythos model found thousands more vulnerabilities across foundational operating systems, web browsers, and core cryptographic libraries. More importantly, Mythos went further after spotting them; it boasted an 83% autonomous success rate in chaining disparate, low-severity logic flaws into devastating, end-to-end critical exploits.Essentially, we have reached a watershed moment reminiscent of when Google DeepMind’s AlphaGo defeated human Go champions. Experts believed a computer was decades away from mastering the Go game because the game features more potential board configurations than there are atoms in the observable universe. Brute force was impossible. Yet, AlphaGo won by leveraging deep neural networks to synthesize a form of machine intuition, discovering creative moves no human had conceived in 2,500 years of play.Today, frontier AI models are applying that exact evolutionary leap to cybersecurity. The most powerful LLMs can now execute 32-step complex reasoning chains to autonomously map and compromise simulated corporate networks. The asymmetry is stark. This massive capability curve means the absolute volume of known exposures is poised for a massive step-change, and GenAI has poured pure gasoline on the fire.Q: With zero-days dropping in droves thanks to AI-aided discoveries, should enterprises focus all their engineering resources on hunting down these vulnerabilities? What did you hear from CISOs and other high-level cybersecurity leaders about this issue at Tenable’s EXPOSURE 2026?Vlad Korsunsky: This is where we have to look at the whole board and avoid panic. While the influx of AI-driven zero-day disclosures is a massive upstream pressure on software vendors, data from this year’s Verizon DBIR shows that breaches directly leveraging software exploits account for about 30% of incidents. It's a significant percentage, yes, but what about the other 70%?Cybersecurity leaders I talked to at EXPOSURE 2026 realize that the overwhelming majority of enterprise breaches do not begin with an ultra-sophisticated, state-sponsored zero-day exploit. They start with incredibly simple, unforced human errors: unsecured shadow IT cloud assets running outside corporate governance; misconfigured databases left wide open to the public internet; over-privileged corporate identities; a lack of multi-factor authentication (MFA); and highly targeted, AI-driven spear phishing. This is a critical insight for guiding your cyber strategy today.These misconfigurations and unsecured cloud credentials are the dry fuel sitting inside an enterprise network. When an AI hacking agent comes looking, that fuel ignites faster than any traditional cybersecurity team can react. So organizations must be diligent about proactively maintaining stringent security hygiene.Q: If paddling faster inside the old patching model won't save us, how do defenders change the rules of the game?Vlad Korsunsky: We have to look at this the way wildland firefighters have looked at massive forest fires for over a century. When a wildfire is roaring toward a town faster than a human can run, firefighters don’t just stand at the edge of the flames reaching for a bigger water hose. They get ahead of the blaze and light a controlled burn. They intentionally clear out the brush, trees, and fuel ahead of time. When the main fire line reaches that cleared zone, it starves and dies because there is nothing left to consume.Enterprise security must adopt this exact philosophy. We have to stop reacting to the fire and start aggressively clearing the fuel before the adversary arrives. This requires a wholesale shift from reactive vulnerability patching to continuous exposure management.The traditional Common Vulnerability Scoring System (CVSS) is effectively dead as a primary prioritization tool. A static CVSS score tells you the theoretical severity of a single CVE in a vacuum; it tells you absolutely nothing about real-world exploitability within the specific context of your unique enterprise environment. At EXPOSURE 2026, we heard from our customers how continuous, AI-driven exposure management is helping them counter today’s evolving AI threats successfully. With exposure management, you use advanced analytics to gain unified, real-time visibility across your entire modern attack surface, encompassing data centers, cloud infrastructure, OT/IoT environments, corporate identities, and newly deployed AI pipelines. We must use AI on the defense side to continuously map true attack paths; for example, pinpointing exactly where a minor misconfiguration chains into a critical business asset.Q: You mentioned using AI on the defense side. How does Tenable view the balance between human security analysts and autonomous AI defenders?Vlad Korsunsky: Security is fundamentally a team sport, and AI vendors like OpenAI and Anthropic are not our adversaries. AI is the single most potent tool ever introduced into the defender’s toolkit; we simply need to wield it with machine-speed orchestration. Because our adversaries are deploying fully autonomous hacking agents today — tools that are already topping commercial bug bounty leaderboards — the only fair fight is to meet machine speed with machine speed.This means building and deploying agentic AI workflows on the side of the defense to power autonomous exposure management. However, this must always be balanced with strict human-in-the-loop oversight. In Geneva, we spent a great deal of time discussing the systemic risks of unchecked automation. If an autonomous system applies a sweeping remediation script without understanding the broader business context, it can inadvertently trigger a massive operational outage: a self-inflicted systemic failure.Defenders must maintain deep visibility into the “behind-the-scenes” logic of their automation. We need human control to govern business context, while leveraging machine speed to continuously ingest, prioritize, and neutralize exposures before an attacker can strike.Q: Another major pillar of the WEF discussion centered on AI safety and non-human identities. What are the hidden risks enterprises are overlooking as they rush to adopt AI?Vlad Korsunsky: We are transitioning rapidly into what we call the “Agentic Economy.” Historically, enterprise security focused on securing human users and a relatively manageable set of non-human service accounts. As organizations embed AI agents into core business workflows — from code generation to customer operations to financial automation — we are seeing an exponential growth of non-human, agentic identities and agentic workflows. These autonomous agents are fundamentally different. Instead of operating just “on behalf” of a human in a tightly bound session, they execute complex tasks independently.The alarming reality discussed in Geneva and in our EXPOSURE 2026 conference is that our current security frameworks lack effective, native guardrails for these agents. LLMs routinely bypass system prompts or ignore markdown safety files. They can even actively manipulate or hack neighboring AI agents to achieve their algorithmic goals. We’ve seen anecdotal instances of an enterprise AI agent autonomously writing a script to bypass an internal access restriction, and when flagged, its underlying logic essentially argued that the script committed the violation, not the agent itself.Because AI agents behave essentially like trusted corporate insiders that have been let loose across internal data silos, we must immediately apply foundational cryptographic primitives to agentic identities. We need strict zero-trust architectures, rigorous least-privilege access controls, and absolute defense-in-depth tailored specifically for non-human identities before they morph into the next great vector of unmanageable global risk.Q: Any final thoughts for organizations trying to navigate this massive technological shift?Vlad Korsunsky: Attackers are increasingly rocketing laterally across enterprise networks after the initial breach, often in minutes and even seconds, whereas before it could take them days or weeks. The adversary’s inherent advantages will always be timing, velocity, and the luxury of only needing to find a single weak link in your exposure landscape.But as defenders, we possess the ultimate home-field advantage: We can see the whole board, and we have the power to fundamentally alter the terrain. By abandoning obsolete point-in-time checkmarks, embracing continuous, AI-driven exposure management, and proactively clearing out our operational fuel at machine speed through foundational cyber hygiene, we can break the adversary’s curve and effectively secure our environments.
Analysis Summary
# Industry News: Tenable CTO Warns of "Negative-Day" Exploits and the Obsolescence of Patching
## Summary
Tenable CTO Vlad Korsunsky, following high-level discussions at the World Economic Forum and Tenable’s EXPOSURE 2026 conference, has declared the traditional reactive patching cycle obsolete due to AI-driven "negative-day" exploits. The industry is being urged to pivot toward continuous, AI-powered exposure management to counter frontier LLMs that can now weaponize vulnerabilities faster than human defenders can release fixes.
## Key Details
- **Date:** Reported in late 2025/early 2026 (based on cited 2026 M-Trends/DBIR references)
- **Companies Involved:** Tenable, Anthropic (referenced), Mandiant (referenced), Verizon (referenced)
- **Category:** Market Analysis / Strategic Industry Shift
## The Story
The cybersecurity landscape has reached a structural breaking point. According to data cited by Tenable, the "time-to-exploit" window has collapsed from 32 days in 2022 to "minus seven days" by early 2026. This means attackers, leveraging advanced AI models like Anthropic’s "Claude Mythos," are discovering and weaponizing zero-day vulnerabilities in core software foundational libraries before vendors even become aware of them or release a patch.
Korsunsky highlights that frontier AI models now possess "machine intuition," allowing them to execute 32-step reasoning chains to autonomously compromise networks. Furthermore, the rise of the "Agentic Economy"—where autonomous AI agents act as non-human identities within corporate networks—has introduced a new systemic risk, as these agents can bypass traditional guardrails and manipulate internal systems without human intervention.
## Business Impact
### For the Companies Involved
- **Tenable:** Positions itself as the essential "AI-powered exposure management" platform, moving beyond its roots in simple vulnerability scanning.
- **Anthropic/AI Frontier Labs:** Facing increasing pressure from global financial and government leaders to implement safety guardrails as their models demonstrate high-level hacking capabilities.
### For Competitors
- **Legacy Vulnerability Management (VM) Players:** Vendors still focusing on static CVSS scores and reactive patching cycles face sudden technological irrelevance.
- **Identity Providers (IAM):** There is a massive new market requirement to secure non-human, agentic identities with the same rigor as human credentials.
### For Customers
- **Enterprises:** Must shift budget and talent from reactive "firefighting" (patching) to proactive "fuel clearing" (exposure management and hygiene).
- **Global Financial Institutions:** Facing direct threats to structural stability, forcing a mandate for deeper visibility into AI-driven attack paths.
### For the Market
- **The End of CVSS Priority:** The market is moving away from static severity scores toward dynamic, context-aware risk prioritization.
- **Regulatory Pressure:** Expect increased scrutiny on "AI Safety" and the "Agentic Economy" as global leaders (WEF) recognize AI as an unprecedented threat multiplier.
## Technical Implications
- **"Negative-Day" Exploits:** Vulnerabilities are being exploited a full week before a patch exists.
- **Autonomous Hacking Agents:** AI can now chain "low-severity" logic flaws into critical exploits with an 83% success rate.
- **Cryptographic Primitives for AI:** Urgent need for zero-trust and least-privilege primitives applied specifically to autonomous AI agents.
## Strategic Analysis
- **Market Positioning:** Tenable is leading the charge in re-branding the VM category as "Exposure Management," focusing on the *whole board* (OT, IoT, Cloud, Identity) rather than just CVEs.
- **Competitive Advantage:** Real-time visibility and AI-driven predictive modeling of attack paths are the new "must-haves."
- **Challenges:** Enterprise patching cycles still take 43–55 days on average; closing the gap between "minus seven days" and "two months" is a massive operational hurdle.
## Industry Reactions
- **Global Leaders (WEF):** The consensus in Geneva is "sobering," with a realization that conventional defenses cannot keep pace with AI velocity.
- **Government Sentiment:** Emergency meetings between the U.S. Treasury and Wall Street CEOs indicate that AI-driven cyber risk is now viewed as a systemic threat to the global economy.
## Future Outlook
- **The Agentic Economy:** By 2027, the primary internal threat vector will likely be autonomous non-human identities.
- **Machine vs. Machine:** Defenders must deploy agentic AI to counter offensive AI, moving toward "machine-speed orchestration."
## For Security Professionals
Practitioners must recognize that while zero-days are flashy, **70% of breaches still stem from human error** (misconfigurations and identity flaws). The takeaway is clear: Prioritizing "cyber hygiene" (MFA, clearing shadow IT, and tightening permissions) is no longer a basic task—it is the only way to "starve the fire" before an AI attacker arrives. Focus on exposure management to see where a minor misconfiguration could lead to a critical asset.