CyberWire Daily - Vulnerability management at AI speed. [CyberWire-X]
Episode Date: June 14, 2026
In large enterprise software companies, vulnerability management teams are facing unprecedented speed and scale as AI accelerates both discovery and exploitation of security issues. In this episode of CyberWire-X, N2K's Dave Bittner is joined by Adobe's Daniel Ventura, Senior Manager of the Vulnerability Operations Center, and Sangeeta Arora, Director of Vulnerability Management, to discuss how Adobe is evolving its vulnerability management strategy to keep pace with AI-driven threats. They share real-world insights on prioritization, cross-team partnership, and how modern programs can balance speed with meaningful risk reduction.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Welcome to this edition of CyberwireX. I'm Dave Bittner.
Vulnerability management has always been a race against time,
but as artificial intelligence accelerates both the discovery of software flaws
and the speed at which attackers can exploit them, that race is moving faster than ever.
For large enterprise software companies,
the challenge is no longer just finding vulnerabilities;
it's determining which ones matter most, mobilizing the right teams, and reducing risk at scale.
Joining me today are Daniel Ventura, senior manager of Adobe's Vulnerability Operations Center,
and Sangeeta Arora, Director of Vulnerability Management at Adobe.
Together, they share how Adobe is evolving its approach to vulnerability management in the age of AI,
from improving prioritization and strengthening cross-functional partnerships
to balancing the need for speed with meaningful security outcomes.
That's all ahead on this episode of CyberwireX.
Adobe empowers everyone everywhere to imagine, create, and bring any digital experience to life.
From creators and students to small businesses, global enterprises, and non-profit organizations,
customers choose Adobe products to ideate, collaborate, drive business growth, and build remarkable experiences.
But in today's digital world, trust is what makes bold ideas possible.
Trust empowers creativity, and it starts with security,
by protecting the customers and communities who use Adobe products every day.
That's why Adobe partners with the global security research community through its bug bounty program.
Hosted on HackerOne, the program
invites ethical hackers from around the world to help find and report vulnerabilities,
helping keep millions of customers secure and maintaining the trust that powers the Adobe brand.
So if you're a researcher ready to make an impact, check out Adobe's public program at hackerone.com/adobe.
Well, before we dig into talking about vulnerability management, I'd love to learn a little bit about each of you. What led you to your position at Adobe?
Sangeeta, why don't I start with you?
So I've actually been at Adobe for over 20 years now,
and my career here has evolved quite a bit over the last two decades.
I spent the first half of my career in IT doing various different things,
and then I moved into cybersecurity about nine years ago.
In the beginning, I started out by building our third-party security review capability,
and then I took on penetration testing for all of our products and services.
And then about three years ago, I stepped into leading vulnerability management at Adobe.
Today, I lead the broader vulnerability management function,
which includes penetration testing, our bug bounty program on HackerOne,
vulnerability operations end-to-end, as well as third-party security.
Dan, how about you?
Yeah, so I've been with Adobe for about six and a half years now.
I started out as an IC, an individual contributor, working on the PSIRT team.
At that time, we were primarily focused on application security and bug bounty related vulnerabilities.
But as I'm sure we'll get to in this discussion, there was a strong need to have a much heavier vuln management presence.
And so our team evolved over time to take on additional roles and responsibilities that encompass the broader vuln management lifecycle.
Well, I think when people hear vulnerability management, a lot of folks will initially think of things like scanning and patching.
Can you give us a sense of what the work actually looks like inside an organization that operates at the scale of Adobe?
Yeah, sure.
So it really takes a tribe when we think about vuln management at a large organization.
We have various teams across Adobe Security that are performing different types of manual testing and automated testing, looking for vulnerabilities in different pieces of our tech stack and different types of product offerings that we publish to customers.
We have a team that will review and assess those vulnerabilities for severity and impact.
And then we also have folks that work directly with product teams to help them prioritize their backlog and strategize around effective remediation.
Sangeeta, anything to add?
Yeah, I think Dan pretty much covered it.
But in a large enterprise like Adobe, it definitely includes the end-to-end vulnerability management lifecycle.
So five core things, I would say. First, we want to make sure that there's asset discovery, so we have a way to discover all of our assets and our cloud environments.
And then, like Dan said, testing at multiple layers. So we're going to have various different teams that are doing pen testing. We have our external bug bounty program. We're going to have vulnerability scanning as well, and DAST tools.
And then when we get the findings from those tools, we want to be able to do context-driven prioritization.
So use multiple different parameters to prioritize those vulnerabilities
and then be able to create tickets for our product teams
or alert them that they need to be working on remediation.
And then lastly, remediation tracking and validation is a big piece of vulnerability management.
We want to make sure that in the end those issues are truly fixed, validated,
and we feel comfortable that the vulnerability has been resolved.
I'm curious in the time that you all have been at this, what are some of the things that you've seen change?
Have there been evolutions in the way that you all come at your jobs?
Yeah, I think the biggest change that we've noticed over the last couple of years has been the evolution of AI as it relates to adversaries and our vuln management processes.
So this applies both to defenders and adversaries alike.
You know, on one end, we have product teams that are able to generate code and ship much faster.
But at the same time, attackers and threat actors can also move from a bug to an exploit at a much faster clip as well.
For example, from CrowdStrike's 2020 Global Threat Report, they documented that AI-enabled adversaries increased their operations by 89% year over year, just last year in 2025.
We also came across some research from IBM in their cost of a data breach report last year.
Their research showed that the average breakout time for an adversary,
which is the speed that an attacker can move from initial access to lateral movement,
fell to just 29 minutes,
with the fastest observed breakout time happening at a staggering 27 seconds.
IBM also goes on to mention that one in six of those incidents involved an AI-driven attack.
Another piece that I found very interesting is, aside from the exploitation piece of this,
just the sheer number of CVEs being published across the industry is also accelerating very quickly.
Year over year, there has been a 28% growth in the number of CVEs published.
And more specifically, with critical CVEs, there has been a 62% increase to the number of CVEs being published.
So I think when we talk about speed and velocity as it relates to AI, it really means that our vulnerability management processes within organizations need to evolve too. It's not just about more vulnerabilities. It's less time to respond, more ways to be attacked, and a higher likelihood of exploitation as well.
Is it fair to say, Sangeeta, that this is sort of a triple threat, when we've got an increase in the volume of vulnerabilities, the speed of exploitation, and even the sophistication of attacks? Are you tracking all three of those concerns?
Absolutely.
Yeah, we have seen a really big change with AI.
Basically, AI is becoming the security expert at this point.
So like Dan said, it's speeding things up.
It's becoming really easy for attackers to move from vulnerability details
to making a usable exploit attempt pretty quickly.
Also, in addition, phishing and social engineering are becoming so much easier, and it increases the chances of access for these adversaries as well. Lastly, I think from an attack surface perspective, it's becoming easier for them to be able to identify the exposed services on the internet. So if they have a POC, they're able to find entry points much faster. So yes, basically all companies are having to deal with this large surge due to AI. And I know Dan cited some numbers, but this is a pretty dramatic increase when we see a 60% increase in critical CVEs year over year, just from 2025 to 2026. So it is something that is top of mind for all of us. As defenders,
we just have less time to react. And so prioritization becomes key. And we really need to make sure
that we are prioritizing based on exposure and impact to be able to deal with that large volume.
How do you balance the speed that's necessary to respond these days with the accuracy that you want your security teams to have? They're under a lot of pressure to move faster, but you don't want to miss things.
That's a very good question,
because when everything looks critical,
it's tough to decide what gets fixed first
and how do you make sure that you're not missing anything?
These type of AI-driven threats that we've been seeing
have really changed how we think about
using the CVSS score to determine our prioritization with product teams.
At Adobe, we've begun treating CVSS scoring
as a baseline severity signal,
not the final decision.
We've added and embedded additional factors into our risk assessment process,
such as threat intelligence and exploitability on top of that base CVSS score
to really help us assess what needs to be fixed first and determine that prioritization order.
We also use additional parameters to help us evaluate prioritization, including whether a vulnerability is published on the known exploited vulnerabilities catalog. Exposure is a good one, such as whether a vulnerable asset is internet-facing or internal.
And then we also heavily consider the vulnerabilities that are found against our crown jewel assets.
So lastly, to really help us prioritize remediation, we also found it crucial to keep our vulnerability management program dynamic by reprioritizing as the intel changes.
Threat actors and exploits evolve over time, and so must we.
How has this affected your teams, this shift to AI, the need to prioritize things?
How has this changed their day-to-day?
I would say that we are leveraging a lot of automation and AI as well,
because it definitely changes the day-to-day due to the large volume.
We want to make sure that we're really giving our engineering and product teams the signal out of the large volume, right?
And so prioritization becomes difficult, and we're trying to use all of these contextual parameters in addition to the CVSS score, like Dan outlined: looking at the exposure, whether this is a crown jewel, whether there's any revenue impact, whether we have any mitigating controls.
But in order to do that, we definitely have to look at ways of automating.
So that's the day-to-day change for the teams, like the Vulnerability Operations Center: to be really innovating on how we can automate some of this prioritization and triage, to be able to give the product teams the signal out of the noise.
I think one thing to add on top of that is that Adobe Security and our vuln management function are using AI to augment a lot of our existing capabilities.
So, as Sangeeta mentioned, detections and testing, patch development, the prioritization that we already spoke about, AI-assisted PR (pull request) creation.
If adversaries are using AI, we must too.
And so we're looking for ways to augment and embed AI into our existing vuln management functions.
How do you all interact with your engineering team?
What's the collaboration like there?
Maybe I'll speak to the general guidance and recommendations that we've had over the years, and then talk about the evolution with the introduction of AI.
So some of the core tenets that I believe represent a strong security and product team partnership include things like meeting engineers where they work, whether that's in Jira, ServiceNow, or GitHub, and providing actionable findings to those developers and engineers, not just raw scanner output.
We're actually up-leveling in this area by moving to an action-based ticket function that helps us scale our engagement efforts and paint a clearer picture of overarching risk, so product teams understand what the issue is, what the impact is, and, more importantly, what they need to do to fix the issue.
Also, defining clear SLAs based on risk.
This goes back to the prioritization conversation we had, not just arbitrary deadlines.
So by implementing a more intelligent risk assessment matrix, we're able to embed additional
factors and threat intelligence into those decision-making pieces.
I think lastly, having an embedded security champion that lives and operates with each of the product teams has been extremely valuable to us.
And having security toolkits to assist with patch development and secure code improvements as well has really helped us.
I think more specifically, on the AI piece, in the world of AI vulnerabilities it's really important for our security organization to help these product teams understand new classes of risk that they might not have been aware of before. Things like prompt injection and model leakage or data exposure are all very prevalent and new with all of these AI tools and features becoming public to customers. Also, leveraging threat models to provide secure design patterns is really helpful to make sure that product teams are building their software and features in a secure manner.
Sangeeta, I'm curious, how do you foster a sense of true collaboration between security and engineering, to make it feel as though you're equal partners in this effort to make everything that Adobe does as good as it can possibly be?
Absolutely. It is always a partnership. And one of the things that we aim for is to really bring everyone along and work towards improving the security posture at Adobe. So we have the security champions embedded within the product teams. That really helps: when we're making improvements or changes to any of the processes, we definitely partner with the champions so that not only are they aware, but they're also really championing the effort within the product teams and giving us really good feedback on how we in security can help them get to a better state faster and in a more automated fashion. So that has really been helpful as a model.
And then also one of the things that we're doing is embedding AI in the entire lifecycle. So for example, threat modeling, right? When they're developing the product or developing the release, we want to make sure that they're able to come to security and get that feedback early on in the lifecycle and not wait until it's released. Post that, we also work with them on pen testing. We want to make sure that any new features, any new scope, are pen tested in a timely manner. And then after that, we also continue to work with them on how to give them better context and be able to give them fixes and patch fixes within the tickets, or even PR fixes, and how we can develop things that will really help them so that they can build better products. So we really just want to make sure that they're enabled to do what they're best at while security is really helping them and working with them in parallel. So it's really a true partnership, and we are striving to continue to make that better, especially in this AI era.
I'm curious, for our listeners, are there any words of wisdom that you have, lessons that you all have learned along the way that they could benefit from, the successes and the mistakes that you've made along the way? Any lessons to share?
If there are a few things that I would want folks to take away, it's three main things.
I think we really need to know our exposure and attack surface. That is key.
If we don't have visibility into that, it can definitely lead to us having gaps.
So really make sure you invest in a real asset inventory, know what's internet facing, know what's widely deployed, because that is really critical to be able to prioritize the vulnerabilities, especially with a really large volume.
Secondly, and I think we talked a little bit about this, prioritization is key: use context, not just CVSS.
In these times, it is very important for us to be looking at business criticality,
exploitability signals, have a threat intel team that is giving you signals,
that you can use to prioritize,
not just at the time of the vulnerability creation,
but also reprioritize as time goes by
and the threat intel changes.
That is very important right now.
Also, be looking for compensating controls
that can be used for prioritization as well.
What can be mitigated fast?
Because as we know, the time to exploitation
is getting really, really small.
So we need to move fast.
So where we can look for mitigations
until it can be remediated.
And then lastly,
embed AI into all aspects of the vulnerability management lifecycle.
This is a journey. I think we're evolving as well in this space.
But since the adversaries are using it, I think the defenders have to use AI as much as we can.
So use it to test your code, use it to test your products for triage, for prioritization,
for ticketing, for providing context to your engineering and product teams,
as well as just automating all aspects to remove the manual toil.
So those are the three things that I feel have been really key that we have discovered in this journey.
Dan, how about you? Anything to add?
Yeah, I think Sangeeta covered most of the takeaways that I could think of. I think maybe the one last piece to add is that one of the advantages that an organization has when leveraging AI to help drive vulnerability management is context. I think there's a lot more information and conversational context that we as employees of an organization have to help us orient ourselves around prioritization and where our most risky assets are, and maybe where there are strong protections or areas that can be further hardened. My main takeaway would be to leverage that internal context to help us speed up the vulnerability management function.
I'm curious how each of you measures success. If vulnerability management is ultimately about reducing risk, how do you put a measuring stick on that?
Yeah, so I'll take a stab at answering this first.
We've invested a lot of effort into evolving our vulnerability management metrics and security posture at Adobe.
It's no longer sufficient to just measure SLA adherence, our product teams fixing vulnerabilities by the given SLA that the security org sets.
We're measuring things like threat intelligence trends, time to remediation, accuracy in risk rating, and time to triage.
There's a lot of different aspects that go into vulnerability management.
And so those factors all contribute to the overarching metrics of success
when we think about vulnerability management.
On the product side, we've also developed a security risk posture scorecard in which we present this data, everything I just mentioned, in a consumable way to product teams and their leadership, to help them understand how they are performing across the various different types of vulnerability management initiatives that the security org has product teams working on.
Sangeeta, anything to add there?
Definitely. Like Dan said, in addition to just looking at SLA adherence, we want to see time to triage, time to remediate. Time to attribute is another one. I touched on asset inventory, but really making sure that the time from vulnerability discovery to when it can be attributed to an owner is really, really small and can be done in real time. That is critical.
And then lastly, one thing I would say is that looking for systemic trends is another metric to keep an eye on: not just one vulnerability at a time, but making sure that you have metrics or dashboards that identify any systemic trends that need to be looked at for a particular product or a particular area. And of course, the scorecard that Dan mentioned has been really helpful because it gives the product teams one place to go to see what their security posture looks like from different areas. And it includes vulnerability data as well.
One other metric of success that I forgot to mention is very interesting, and that's visibility.
When we think about ticket SLAs, or even time to remediation and all the things we just talked about, it only goes so far as what the security organization can see.
And so, for example, if we have 99% SLA adherence and we're crushing it across all of our metrics, but we're actually only able to see maybe 20% of the company, that paints a very different picture compared to those metrics alone.
And so that's one area where we're also measuring success, and that is making sure that our security org is able to see what's going on across our organization at different levels of the tech stack.
Our thanks to Daniel Ventura, Senior Manager of Adobe's Vulnerability Operations Center,
and Sangeeta Arora, Director of Vulnerability Management at Adobe,
for joining us and sharing their perspectives on how vulnerability management programs are
adapting to a rapidly changing threat landscape. As AI continues to reshape both offense and
defense, organizations will need strategies that help them move quickly, focus on what matters most,
and drive measurable risk reduction. Thanks for listening to this episode. For more conversations
with industry leaders tackling today's most important cybersecurity challenges, visit the
cyberwire.com. I'm Dave Bittner. We'll see you back here next time.
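Added example, not code from the episode and not Adobe's own tooling: the context-driven prioritization the guests describe (CVSS as a baseline severity signal, adjusted by KEV listing, internet exposure, crown-jewel status and compensating controls, with SLAs derived from risk and a re-ranking step when threat intel changes) written out as a small Python scorer over a constructed set of findings. The weights, SLA tiers, asset names and finding identifiers are illustrative assumptions and not real vulnerabilities.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample findings and illustrative weights; none of this is Adobe data.


@dataclass
class Finding:
    id: str
    cvss: float              # base CVSS score (0.0-10.0), used only as the baseline
    asset: str
    internet_facing: bool    # exposure: reachable from the internet?
    crown_jewel: bool        # asset on the crown-jewel list?
    in_kev: bool = False     # listed in the known exploited vulnerabilities catalog
    mitigated: bool = False  # compensating control in place (WAF rule, feature flag, ...)


# Assumed weights: intel that a bug is exploited in the wild should outweigh
# a point or two of CVSS; a mitigation buys time but does not close the finding.
KEV_BONUS = 3.0
EXPOSURE_BONUS = 1.5
CROWN_JEWEL_BONUS = 1.5
MITIGATION_CREDIT = 2.0


def priority_score(f: Finding) -> float:
    """CVSS is the starting point; context moves the finding up or down."""
    score = f.cvss
    if f.in_kev:
        score += KEV_BONUS
    if f.internet_facing:
        score += EXPOSURE_BONUS
    if f.crown_jewel:
        score += CROWN_JEWEL_BONUS
    if f.mitigated:
        score -= MITIGATION_CREDIT
    return round(max(score, 0.0), 1)


def sla_days(score: float) -> int:
    """Remediation window derived from the risk score, not from CVSS alone (assumed tiers)."""
    if score >= 12.0:
        return 3
    if score >= 9.0:
        return 14
    if score >= 6.0:
        return 30
    return 90


def rank(findings: list[Finding]) -> list[str]:
    """Finding ids ordered from most to least urgent."""
    return [f.id for f in sorted(findings, key=priority_score, reverse=True)]


def apply_intel(findings: list[Finding], newly_exploited: set[str]) -> list[str]:
    """Re-prioritise as intel changes: flag findings named in a KEV update, then re-rank."""
    for f in findings:
        if f.id in newly_exploited:
            f.in_kev = True
    return rank(findings)


def sample_findings() -> list[Finding]:
    """Constructed data: the highest-CVSS bug sits behind a mitigation, a moderate
    bug sits on an internet-facing crown jewel, a high bug is internal-only."""
    return [
        Finding("FIND-001", 9.8, "marketing-site", True, False, mitigated=True),
        Finding("FIND-002", 7.5, "license-service", True, True),
        Finding("FIND-003", 9.1, "internal-build-runner", False, False),
        Finding("FIND-004", 6.5, "auth-gateway", True, True),
    ]


if __name__ == "__main__":
    findings = sample_findings()
    print("initial order:", rank(findings))        # the CVSS 9.8 bug is not first
    print("after KEV update:", apply_intel(findings, {"FIND-004"}))
    for f in findings:
        s = priority_score(f)
        print(f.id, f.asset, "score", s, "SLA days", sla_days(s))
```

The point the ranking makes is the one Dan and Sangeeta make in words: the CVSS 9.8 finding on a mitigated marketing site lands third, the 7.5 on an internet-facing crown jewel lands first, and a single KEV update moves the 6.5 on the auth gateway from second to first with a much shorter SLA. In a real program the weights would come from the risk matrix the team maintains and the KEV set from a feed, and the scorer would run again every time either changes.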
