Podcast: The Security Strategist
Host: Richard Stiennon, Chief Research Analyst at IT-Harvest
Guest: Nathan Rollings, CISO at Zafran
The enterprise cybersecurity space has been transforming for years, moving beyond traditional vulnerability management. According to Nathan Rollings, CISO at Zafran, the next shift is already underway in B2B enterprise technology. It is being driven by automation, AI, and a deeper understanding of context within enterprise environments.
Rollings sat down with host Richard Stiennon, Chief Research Analyst at IT-Harvest, on The Security Strategist podcast to talk about why security teams need to move beyond dashboards and risk scores to something more operational: agentic exposure management.
“Attackers are already using automation and AI,” Stiennon says to Rollings during the podcast. “Meanwhile, most defenders are still focused on risk scores, dashboards, and ticket backlogs.”
Rollings believes the real opportunity lies in allowing intelligent systems to analyse exposure continuously and act on it.
The Discourse to Agentic Exposure
Exposure management often appears as a new discipline, but Rollings believes its roots are much older.
“If you were to look at a vulnerability management maturity model five or 10 years ago, the characteristics of the most mature programs aligned with what we consider continuous threat exposure management today,” he said.
Traditional vulnerability management focused heavily on scanning and prioritising flaws. Continuous threat exposure management (CTEM) builds on that by adding context such as internet reachability, compensating controls, and real-time telemetry from security tools.
Agentic exposure management goes a step further, where autonomous systems help drive the processes themselves. “When we look back at the early days of vulnerability management, we did much of this manually,” Rollings said. “Then we moved toward automated processes. Now, we are moving toward autonomous.”
Instead of security teams manually distributing vulnerability reports or setting rigid rules for ownership and remediation, AI agents can interpret available telemetry and handle those workflows dynamically. Over time, those same systems may even take remediation actions on their own.
The challenge is trust, according to Zafran’s CISO. “Enterprises must trust that the actions taken by these systems are safe and effective within their environments.”
Anthropic’s AI announcement sends industry ripples
The podcast also covered a recent announcement from Anthropic regarding AI-driven code security. This move quickly sparked debate about how generative AI might reshape vulnerability management.
Stiennon suggested the technology could disrupt parts of the market focused on application security. However, Rollings believes its impact on exposure management will be more limited. “Code analysis is incredibly powerful,” he said. “But it’s very much a shift-left capability.”
Exposure management operates on the opposite side of the lifecycle. It focuses on production environments, where context decides whether a vulnerability is actually exploitable.
“A good exposure management platform considers your defence-in-depth strategy,” Rollings explained. “That means tens of integrations across an organisation to understand the residual risk of specific exposures.”
Runtime behaviour, network paths to the internet, endpoint protection policies, and segmentation controls all influence whether a vulnerability is a real risk. Analysing source code alone cannot provide that operational picture.
Why context matters more than another risk score
For many security teams, vulnerability prioritisation still relies heavily on numerical risk scoring. Rollings argues that this approach often misses the bigger picture. “You’re spending so much money on these security tools,” he said. “The real question is, what is the return? What is the business value?”
Understanding the effectiveness of existing controls, such as intrusion prevention systems, endpoint detection, or micro-segmentation, can dramatically change how vulnerabilities are prioritised.
Research cited by Rollings suggests that only around one in 50,000 vulnerabilities is truly exploitable in a given environment once contextual factors are taken into account. “That means organisations spend enormous effort remediating vulnerabilities that may never actually be reachable,” he added.
Agentic systems that correlate telemetry across security tools could narrow that focus significantly. This would allow teams to prioritise the small subset of exposures that really matter.
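To make the contextual prioritisation described above (and the CTEM context signals mentioned earlier: internet reachability, compensating controls, runtime telemetry) concrete, here is an added Python illustration. It is example code written for this article, not Zafran's product logic or anything from the podcast; the signal names, the attenuation factors for each compensating control, the actionable threshold, and the sample findings (including the placeholder CVE identifiers) are all constructed assumptions chosen to make the mechanics visible.

```python
"""Contextual exposure prioritisation (illustrative, not a vendor algorithm).

Starts from a scanner's CVSS base score, then attenuates it with the kind of
context a CTEM programme correlates: is the service actually running, is there
a network path from the internet, and which compensating controls cover the
host. The goal is to show how the CVSS ranking and the residual-exposure
ranking diverge, which is the point the article makes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                    # placeholder identifier (constructed for this example)
    asset: str
    cvss: float                 # base score 0-10: the "risk score" the article critiques
    internet_reachable: bool    # network path from the internet to the vulnerable service
    service_running: bool       # runtime telemetry: vulnerable component is actually loaded
    ips_signature: bool         # inline IPS carries a signature covering this exposure
    edr_present: bool           # endpoint detection agent is deployed and healthy
    segmented: bool             # host sits behind a micro-segmentation policy


# Assumed multipliers: how much of the base score survives each compensating
# control. Real programmes would derive these from control efficacy data.
CONTROL_FACTORS = {"ips_signature": 0.3, "edr_present": 0.6, "segmented": 0.5}
NOT_REACHABLE_FACTOR = 0.2   # unreachable services keep some weight (lateral movement)
ACTIONABLE_THRESHOLD = 4.0   # residual score at or above this goes to remediation


def residual_score(f: Finding) -> float:
    """CVSS attenuated by runtime state, reachability and compensating controls.

    Returns 0.0 when the vulnerable component is not running: it is a finding,
    but not an exposure today.
    """
    if not f.service_running:
        return 0.0
    score = f.cvss
    if not f.internet_reachable:
        score *= NOT_REACHABLE_FACTOR
    for control, factor in CONTROL_FACTORS.items():
        if getattr(f, control):
            score *= factor
    return round(score, 2)


def cvss_rank(findings):
    """Ranking a score-only dashboard would show (stable sort, highest first)."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def prioritise(findings, threshold=ACTIONABLE_THRESHOLD):
    """Return (full contextual ranking, actionable subset) as lists of CVE ids."""
    ranked = sorted(findings, key=residual_score, reverse=True)
    actionable = [f for f in ranked if residual_score(f) >= threshold]
    return [f.cve for f in ranked], [f.cve for f in actionable]


# Constructed sample findings; identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-CVE-1", "web-01", 9.8, True, True, False, False, False),
    Finding("EXAMPLE-CVE-2", "web-02", 9.8, True, True, True, True, False),
    Finding("EXAMPLE-CVE-3", "db-01", 7.5, False, True, False, False, False),
    Finding("EXAMPLE-CVE-4", "build-01", 9.1, True, False, False, False, False),
    Finding("EXAMPLE-CVE-5", "api-01", 7.0, True, True, False, True, False),
]


if __name__ == "__main__":
    print("CVSS-only ranking:   ", cvss_rank(SAMPLE_FINDINGS))
    ranked, actionable = prioritise(SAMPLE_FINDINGS)
    print("Contextual ranking:  ", ranked)
    print("Actionable subset:   ", actionable)
```

Running it shows the divergence the article describes: EXAMPLE-CVE-2 and EXAMPLE-CVE-4 sit near the top of the CVSS-only list, but one is covered by IPS and EDR and the other is not running at all, so both fall out of the actionable subset, while the moderately scored EXAMPLE-CVE-5 stays in because it is internet-reachable with only partial coverage.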
“Security teams were so focused on detection, assessment, and ticketing that they didn’t have time to dig deeper,” Rollings tells Stiennon. “Agentic capabilities free them to concentrate on the things that truly make a difference.”
Key Takeaways
- Exposure management prioritises vulnerabilities using real-world context, not just CVSS scores.
- Agentic AI can analyse exposures and automate remediation workflows.
- Security context—controls, network paths, and runtime data—determines real exploitability.
- Only about 1 in 50,000 vulnerabilities are truly exploitable in most environments.
- AI-secured code won’t remove runtime risk in live infrastructure.
For more information, please visit em360tech.com and www.zafran.io.