CyberWire Daily - Vulnerability response: Built for humans, outpaced by machines. [CyberWire-X]
Episode Date: June 21, 2026For years, security teams had time between discovery and exploitation. Time to triage. Time to validate. Time to prioritize what to fix first. AI has compressed that window. Frontier models now discov...er and chain vulnerabilities faster than human analysts can confirm them, and the gap between finding and fixing is shrinking in both directions. In this episode of CyberWire-X, N2K’s Dave Bittner and Federico Kirschbaum, Head of XBOW Security Lab, explore what it actually means to run autonomous offensive security, why validation workflows built for quarterly testing cycles struggle to keep up, and how practitioners are redefining what a tested application looks like when the pace of offense has fundamentally changed. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
Welcome to Cyberwire X. I'm Dave Bittner.
For decades, vulnerability management has operated on a simple assumption.
Defenders would have at least some time between discovering a weakness and seeing it exploited.
That assumption is rapidly breaking down.
Advances in AI are changing the economics and speed of offensive security.
Today's frontier models can identify vulnerabilities, connect attack paths, and surface exploitable conditions at a pace that challenges traditional security workflows.
Processes built around quarterly assessments and human-led validation are being pressured by systems that can operate continuously and at machine speed.
So what happens when the bottleneck is no longer finding vulnerabilities but confirming and fixing them fast enough?
joining me today is Federico Kirchbaum, head of Expo Security Lab.
Federico brings more than two decades of experience in cybersecurity
and is also the co-founder of Faraday Security and Eco Party,
one of Latin America's most influential hacking conferences.
We'll discuss autonomous offensive security,
the growing gap between machine discovery and human validation,
and how organizations are redefining what it means for an application to be
truly tested in the age of AI.
Stay with us.
Just by seeing the news, we can tell that not only the finding of vulnerabilities has changed,
but also the exploitation and the time to exploit those vulnerabilities.
So, yes, we're living quite special times in how AI it's increasing our discovery,
the reporting, and even the validation in an automated fashion.
So we are living special times indeed.
Can we touch on AI here?
I mean, obviously it helps find the vulnerabilities,
but I think people often think about incremental improvements.
How significant is this shift compared to previous advances that we've seen in security tooling?
Security tooling has been trying to mimic hackers
and how vulnerabilities are found just for the scale.
this idea of creating
scanners or the
deterministic tooling
that can help us find
a vulnerability in a system
that is what the industry
has been trying to pull
to increase our breadth
and our capabilities
but LLM's and AI
it's not about
increasing that tooling
it's about synthesizing
the questions
and the methodologies
that hackers
have to find and create this new tooling.
So we're not talking about a next generation scanner
or we're talking more on how we can create
an AI version of a thing that can find and create the tooling
to find vulnerabilities.
So we are redesigning how vulnerability discovery is actually performed.
You know, you've been at this for a while now.
I'm curious, how does this particular moment rank among the major changes that you've witnessed over the time of your career?
Yeah, definitely. So I'm currently reading a book called Conquistadors of the Useless.
And it's about the story about continuing in the 60s post-war and I was reading this part where
the first pioneers in this sport, you know, they would go with,
little insurance and their equipment was quite basic. To be honest, it was pretty dangerous.
And in a moment, it starts comparing with the modern mountaineering where you can have nylon
ropes, lighter equipment. And I'm having the same thoughts on the exploitation and the bull
discovery that we have so far. The first people that were doing this, it was,
manual work. It was intense, deep knowledge and learning. And now you have this fast-paced,
machine speed that can help you understand topics faster than ever. So indeed, it is challenging
as a practitioner how this is going to change my everyday work. But at the same time,
it is quite exciting because these gives us the tool.
to change things that we have been trying to change for so, so long.
So it is a bit nostalgic that this practice is changing,
but at the same time it's definitely exciting
because we have a lot of ideas on how we can improve this
thanks to AI and LMs.
Well, help me understand this new reality.
I mean, I think it's fair to say that security teams
have never had more findings,
but more visibility.
doesn't necessarily make organizations feel more secure.
Is that an accurate assessment?
Yes. I think, and this is not you,
teams have been trying to survive on the amount of findings,
and this is just pre-LMs.
Pentesting edits, at least in my vision,
the ultimate way of having prioritization.
Currently, discovery has become cheaper than ever,
teams from all over can access and have pretty cool findings by using these models.
But right now, the bottleneck for me is how from all these findings are you going to invest
time in fixing them?
So that's where in my experience, pen testing comes handy.
It is proving the exploitability and prioritizing what actually matters.
this idea that we are trying to discover all this amount of vulnerabilities
has been something that the teams have been struggling a bit for quite a bit
but if we are able to provide these teams with our ambition on which of these vulnerabilities
are actually useful for an attacker we are giving them a perfect way to invest their time
which is also limited.
What does this do?
This increase in volume and speed.
How does that affect a security team
on a day-to-day basis?
Most teams are overwhelmed with vulnerabilities.
And there is a threshold
where you have to say,
I'm not going to fix this
or that this is not going to be a priority.
It's an unwinnable game.
you keep playing because if you don't play, you're going to lose.
These amount of influx of vulnerabilities that are in your infrastructure,
in your applications, in the technology that makes your company run,
it is pretty difficult to solve it,
even by using all the alarms that are currently available.
So it is a matter of making a decision of what we're going to fix
in an urgent matter.
And in our case,
we're providing that
help by finding
the problems that are actually
exploitable in a really
faster fashion.
So discovery has
been like this for a long time.
But if we can give more
people the ability to
exploit their own systems in ways
they can understand how
their defense is actually
working, it is a way
to prioritize their fixing.
Help me here with the human element of this,
because obviously everyone talks these days
about things running at machine speed.
But what I'm hearing you say is that
there's an element of, let's call it,
wisdom or experience that is irreplaceable.
Do I have that right?
Yeah, security teams don't need more
and verify alerts.
I think what they need is
proof. Like, is this real? Is this reachable? Can be exploited? These are all questions that can be
provided by offensive teams, but most companies don't have one. Or if they do, they get to talk to them
a couple times a year. So providing this evidence, it is for me the strategy to get the signal out
from the noise.
Can you give us a little peek behind the scenes?
I mean, how do you go about prioritizing your findings and deciding what things you're
going to pursue?
There are many vulnerabilities and there are multiple classes.
And with the modern systems, there are ways to mitigate these bugs.
So the question is, when a bug?
it's a security bug, and when that security bug is actually exploitable.
So at the end of the day, it becomes if I can use this bug for my own benefit as an attacker,
if I can prove you that using these set of problems or a chain of problems,
can I actually get access to somewhere that I shouldn't have access to
or see information that I was not supposed to.
That, for me, it's the ultimate way of making a prioritization,
understanding the impact and blast radius of a vulnerability or a bug.
What do you say to people who feel like they are having a lot of anxiety over moving too slowly?
They feel as though things have gotten so fast that the level of risk is there,
and they're afraid of being left behind.
It is a challenging times for everyone in this industry,
and I mean not only the cybersecurity one,
but in technology in general.
Technology, the ground where we're standing is moving quite fast.
And I mean security has been, for a long time,
sort of a gatekeeper of change,
when things are changing.
Normally, security had a strong opinion on how we change or should not change part of our workflow.
But nowadays, everyone is becoming a software engineer.
Most companies are, most company CEOs are finding themselves creating new products from their own machines.
And the change is here and it is changing whatever we like it or not.
So sometimes cybersecurity, it is about keeping up and how we can provide a better guardrail for this enhancement.
Personally, I find it extraordinary because, yes, it is challenging to keep up.
It is difficult to see all these things changing every single day.
But at the same time, as a fan of technology, I feel an excitement of all this new endeavors that now we can do with technology.
Definitely the future, it is a bit unknown.
But I think me personally, I'm finding this moment quite right.
To what degree do you think organizations need to rethink their validation workflows?
You know, I think in the past, people have thought about things like quarterly assessments or annual penetration tests.
Are those cycles no longer adequate?
I think big part of our threat model has been model around humans.
And the limitations of humans are, you know, attention span, time.
that someone would dedicate to a target.
And that has changed.
And it's normally we would discuss this, you know,
human defenders versus human attackers.
And each of them would have its own attack points and defend points.
But right now, AI is such a force multiplier
that even the smallest attackers can have not only the breadth,
but also the depth of a larger attacker.
Humans are creative, they have good instinct.
I think they have good taste.
But AI, it's relentless.
It's going to help attackers to find things
that even the attacker is not aware of.
So having companies understanding this
in terms of, I think most companies
have a security debt.
And right now, that dead, it is becoming really visible for people who want to attack.
I think most people didn't thought they would need security because of their size or the
location.
But thanks to LMs, attackers are becoming more sophisticated and they are deploying a speed
in terms of discovery and exploitation that we,
haven't seen before. So we need to redesign our threat models in terms of what would happen
if now attackers are way more sophisticated. So it's not longer the model of human defenders
facing machine speed offense. I think we need to think on how defenders also need to think
at machine speed to triage, prioritize, and ultimately fix the problem.
So there's been a lot of discussion about autonomous offensive security.
To you, what does that mean?
How do you define that and what part can it play in an organization?
Sure.
So I think for a long, long time, the skill was a scarcity, right?
How a company can hire hackers to help them with their vision and knowledge
and ultimately their tradecraft into finding this problem.
And I think now when we talk about autonomous AI security, we are talking about that specific judgment and reasoning of a hacker but synthesize through an LLM.
So can we use this to help our teams that might not have the specialty to see that through the eyes of a hacker?
and when we talk about autonomous,
it is not longer this idea
that we have a human in the middle using tools,
but having this reasoning machine
finding the problems for us
or even building the tooling to find the problems for us.
So what we are seeing, at least at Expo,
is this capability of helping companies
that might already have some
pen testing program on, but on a calendar that is maybe once a month or even once every six months,
but the company is going way faster.
So if we can provide this tooling and this set of glasses to help these companies find
an exploit their vulnerabilities in a faster pace, I think we're ultimately allowing them to be able
to see more problems,
but at the same time,
fix the problems
that are really important
for them.
So, yeah,
it's right now
it's not the lack of hackers.
It's how we can provide
this tooling to more people
and help them fix faster.
What sort of elements do you see
in organizations
that are finding success here?
Are there things that they have in common,
the ones who are doing well?
The companies that are doing well on this or who are using this technology to improve is first companies who think about defense in depth, which it's not longer about just one bug.
It's about how you contain a class of vulnerabilities.
And that it's a lot of decisions in your architecture, in your infrastructure, and how you design.
decided to build the application.
So if we have companies that are as mature as many of the companies that we have the pleasure
to work with, are companies that have already a pentest program in place.
But there are many applications and many sectors of their companies who didn't have the
privilege of getting a pen test, maybe because of, you know, scoping reasons, or maybe they
They couldn't pay as much attention to everything because, you know, the time of PENTUS companies is quite limited.
But now with the full scale of agents, that's no longer a problem.
So companies can allocate time for more internal systems or even staging areas.
And to be honest, those are the companies that I found that they're becoming.
becoming more successful, which is not just testing the same, but allowing themselves to test more
attack surface, but with the expertise of the product that we are building that provides
verification as an output.
What is your advice to the people out there who feel as though they want to do a better job
with their validation and their testing? Maybe they're not quite sure where to start.
Maybe they're a little intimidated by all the changes that we're seeing these days.
Any words of wisdom?
There are many ways where we can improve and depending on the size of the team and the expertise of the team.
But first, I would suggest everyone to have some sort of vulnerability management program.
Findings are becoming sort of a laundry list or a technical debt.
So we need to understand what vulnerabilities we currently own, what's the pace of ingestion of these vulnerabilities, but also the remediation rate.
And once we have this idea, we need to understand where these vulnerabilities live.
Normally, companies get a bit lost on where their assets are living, who maintains those systems.
So that is kind of what I call security hygiene moments, right?
Where companies need to have the basics a little bit on a program.
And thanks to LLMs, I think that it's becoming easier.
But if you're a system admin or you're a Pantessor in a company, even a red teamer,
everyone in my area of colleagues are using LMs in one way.
of the other. Most of them
are just trying to get
the basics done. They're reporting,
the tracking. It doesn't
need to involve what we do at Expo,
which is the most offensive
part of detection and exploitation.
Most of the things that
teams are drowning are
in everyday task, not just
sophisticated exploitation.
So my tip to everyone is
what is getting your
time from the day and how can you improve this cycle from identification, classification,
and ultimately fix.
And I think agents for that are the perfect answer.
So if you can get those basics done, you can have a more healthy security program.
The challenge is if you are not doing the basics of having this program on point, you will
start getting new and new alerts and you will get the fatigue and you eventually will lose track.
So if you have that program set, I think the next step is getting the proof on your program.
Do you suppose we're headed towards a time when organizations will have continuous, autonomous pen testing,
that it'll just happen automatically in the background?
Totally. I think we are getting quite close to having that.
As someone who has spent a fair amount of his professional time finding, exploiting, and reporting vulnerabilities to companies, having the continuous in the picture, I find it super interesting.
Because we get, in the past, we got maybe once or twice or maybe in the most mature company three times a year, the moment in time to go and find those problems.
report them. But I think now our companies are close to having that part of their cycle,
such as when we start including application security testing in the development,
I think pen testing it is going to be part of that pipeline, and we're going to be able to
find problems faster than attackers.
Our thanks to Federico Kirchbaum, head of Expo's Security Lab for joining.
As AI accelerates offensive security capabilities, organizations are being forced to rethink
long-standing assumptions about testing cycles, risk prioritization, and what constitutes adequate security
coverage.
The pace of change is raising new questions about how defenders allocate resources and how security
programs evolve to operate in a world where discovery happens continuously.
My thanks to Federico for joining us and sharing his perspective.
I'm Dave Bittner. Thanks for listening to CyberwireX. We'll see you back here next time.