The Security Strategist 17 July 2026 5 MIN

How Should CISOs Prioritise Risk in the Age of AI-Powered Cyberattacks?

Host Richard Stiennon sits down with Brad Hibbert, COO & CSO, Brinqa, to talk about what changes when AI cyberattacks occur and what to do about it.

Two AI systems reached the offensive and defensive security space five weeks apart. Not because a vendor planned a product launch cycle, but because attackers and defenders are now using the same class of tool. The difference is that only one side built its own to fix things. Attackers are now weaponising a newly disclosed vulnerability in a median of under five days. Most organisations still take more than 60 days to remediate a critical one once a patch exists. 

In a growing share of cases, exploitation starts before the patch is even released. That gap isn't closing, and it has now become the whole problem. This is the subject of this episode of the Security Strategist Podcast, where host Richard Stiennon sits down with Brad Hibbert, COO and CSO at exposure management platform Brinqa, to talk about what changes when AI shows up on both sides of the fight. 

 

Mythos Thinks Like a Pen Tester

Mythos, one of the offensive AI tools now circulating, doesn't just scan for known flaws. It reasons through a codebase the way a skilled human pen tester would analyse binaries, builds, and source across hundreds of instances simultaneously, around the clock. "It's like having a whole team of pen testers looking at things 24 by seven," Hibbert says.

The speed isn't the part that should worry security leaders most, but it's the composition. According to Hibbert, tools like Mythos are chaining together vulnerabilities that individually rate as medium or low severity, combining them into a full system compromise. The exact flaws of a traditional scanner would rank near the bottom of the remediation queue. Stiennon draws the comparison to his own red-teaming days at PwC, when finding an exploit meant manually Googling a known CVE. What's different now, he notes, is that the AI is often generating something that's never been seen before, off the cuff.

Five weeks after Mythos, Daybreak arrived, built for the other side of the fight. Instead of exploiting what it finds, it recommends remediations, aiming squarely at the gap that tools like Mythos are built to open. Hibbert expects this pattern to continue as agentic AI is moving into the software development lifecycle itself. This means it's reviewing code the moment it's checked in, flagging weaknesses before release, and eventually applying its own fixes before a developer even sees the pull request on Monday morning.

What Is the Main Challenge of Vulnerability Management?

The instinct across the industry has been to treat vulnerability management as a volume problem. This means scanning further, uncovering more vulnerabilities, and closing tickets faster. Hibbert offers a different perspective on that framing. Finding vulnerabilities, he argues, has always been the easier half of the job. The real bottleneck is knowing which ones actually matter to your business, and then acting on that knowledge fast enough to outrun both the attacker and your own change-management process.

He points to a familiar scenario where a scan turns up an outdated firmware version on a casino's fish-tank temperature sensor. On paper, it's considered low severity and non-critical, exactly the kind of finding that sits at the bottom of a ticket queue indefinitely. This is treated as an entry point into a broader attack path; that same low-severity finding becomes the opening move in a full breach. The fix isn't scanning harder, but now it's asking a different question of every finding, like what could an attacker reach from here, and how far could they go?

Are you enjoying the content so far?

This reframing from counting vulnerabilities to mapping attack paths is, in Hibbert's view, the actual job of modern exposure management. It also explains why patch counts make for a misleading scoreboard. Remediation itself is often slower than the finding, not because teams are careless, but because patching carries real operational risk. A fix validated in a lab can still take down a banking system or a trading floor in production. Some systems, like that fish-tank controller, may never receive a vendor patch at all, forcing teams toward compensating controls instead.

What Should CISOs Prioritise to Reduce Cyber Risk? 

Hibbert encourages CISOs to look beyond weekly patch counts and focus on whether security efforts are reducing risk. He advises leaders to ask their teams what would happen if their top critical exposures were exploited right now; what an attacker could reach, and how far the blast radius would spread. If the team can answer that clearly, the prioritisation program is working. If they can't, the problem isn't remediation speed; it's visibility.

The uncomfortable implication, which Stiennon raises toward the end of the conversation, is that this shift will widen the gap between organisations that adopt AI-driven exposure management and those that don't, and the latter group won't disappear from the threat landscape. They'll just keep generating the breaches that fund the next generation of attacker tooling.

AI has already changed the exploitation timeline. The real question is whether your team is still being measured by the number of tickets it closes or by how quickly it eliminates real attack-path risk. If you would like to learn more about Brinqa's approach to exposure management, visit their website.

Takeaways

  • AI is making vulnerability discovery and exploitation much faster.
  • Attackers are chaining smaller flaws into major breaches.
  • Fixing vulnerabilities remains harder than finding them.
  • Attack paths matter more than individual CVE scores.
  • Patch counts are a poor metric; risk reduction is a better one.

Chapters

  • 00:00 Welcome to the Cybersecurity space
  • 02:54 Challenges in Vulnerability Management
  • 05:59 The Role of AI in Cybersecurity
  • 08:56 Vulnerabilities: Fixing and Prioritising
  • 12:09 The Future of AI in Offensive and Defensive Security
  • 14:57 Strategic Insights for CISOs and CIOs

Make security chaos work for you with AI-powered Exposure Management, built on data. The Brinqa platform delivers scalable, AI-driven exposure management that unifies every data source for a complete picture of risk. Separate false alarms from real risk by uniting Security and IT, accelerating remediation, and delivering a single, trusted source of truth for the business.

Sponsored insight

Liked what Brad had to say?

Get in touch with the team at Brinqa to continue the conversation.

Brinqa Featured partner

Ready to put Brinqa thinking to work in your stack?

Tell us about your goals. We will put you in touch with the right person on the Brinqa team.

Contact Brinqa