Last week I launched https://t.co/NbtVGIfAyJ.
It went viral. Here's why:
One graph. One question.
In 2018, attackers needed 2.3 YEARS to weaponize a vulnerability.
In 2026, they need 1.6 DAYS.
What this means for all of us 🧵
Friday afternoon @gadievron says "I'm working on a CISO community document for Monday. Want to collaborate? Releasing Monday." I said "Sure." (I have a problem with that word.)
@AnthropicAI had dropped Mythos on Monday. @cloudsa is running an emergency CISO Zoom on Tuesday. @SANSInstitute was already building BugBusters this Thursday with Ed Skoudis, Joshua Wright, and Chris Elgee. The entire community was asking the same question: what do we actually DO about this?
Three nights later we have a 30-page strategy briefing with 60+ contributors. "Sure" turned into barely sleeping Friday, Saturday, Sunday while @gadievron and @rmogull dragged this thing into existence. (My son checked to see if I was still breathing around hour 40. I think he was mostly concerned about whether Uber Eats had delivered Five Guys yet.)
The contributing authors list reads like someone raided a cybersecurity hall of fame: Jen Easterly, Bruce Schneier, Chris Inglis, @philvenables, Heather Adkins @argvee, @RGB_Lights, @sounilyu, @jimreavis, Katie Moussouris @k8em0, Jon Stewart, Maxim Kovalsky, David Scott Lewis, Joshua Saxe, John Yeoh, Ramy Houssaini and James Lyne. Every single one said yes within hours.
Cloud Security Alliance @cloudsa, @SANSInstitute, [un]prompted, @OWASPGenAISec -- four organizations that don't usually build things together at this speed. This is the start.
SANS reviewers who showed up: Chris Cochran @chrishvm, @edskoudis, Viswanath S Chirravuri @vchirrav, @bettersafetynet, Ciaran Martin
Thursday @edskoudis, @joswr1ght, and @chriselgee stop talking and start showing.
Live AI-assisted vulnerability discovery against real code. No slides about the future. Terminals and bugs. (The kind of demo where something breaks and that IS the point.)
Full reviewer list is in the doc. If you know someone on it, send them a note. They earned it.
But an even bigger thank you -- seriously -- from the entire cyber security community needs to go to @gadievron for once again bringing the Avengers together -- like in Endgame (is that what Mythos is?) -- and you all know the scene -- but we need someone to create the meme with Gadi Evron with his shield and Mjölnir saying "Avengers..... assemble!" because that is exactly what he does. A lot, it seems.
Read it: https://t.co/pppV1gi4Vc
Going to sleep now. Setting my alarm for Thursday. (Not joking.)
#CyberSecurity #AISecurity #SANSInstitute
An Expedited Strategy Briefing on Mythos, Glasswing, and building a security program for what comes next, by 250 CISOs, and the wider community.
It is still a draft, with some design incomplete, but we felt it was imperative to release.
Link:
https://t.co/pQc8LM6Tga
Zero stolen credentials to full AWS admin.
Eight minutes.
CVE to exploitation used to take 18 months.
Now it's under a day.
A SOC analyst isn't losing because they lack tools.
They're losing because the loop is too slow.
#cloudsecurity #CISO @EppSecurity @sysdig
That's why we built the Zero Day Clock.
This isn't about selling anything. It's about making this data impossible to ignore - for CISOs, boards, researchers, and policy makers. If you need one slide for your board, this is it.
Backed by Schneier, Adkins, Moss, Evron, Venables.
This isn't a tech problem. It's a market failure.
The people who build insecure software don't pay when it gets hacked. Users do. Hospitals do. Governments do.
No industry in 150 years fixed safety voluntarily. Not aviation. Not pharma.
Software isn't special. It's just late.
Five things to change. Today.
→ Software liability. Builders pay, not victims
→ Secure by design. Enforced, not suggested
→ Patch in hours. Monthly cycles are dead
→ Unleash defensive AI. Regulate insecure software.
→ Assume breach. Build to be replaced, not patched
AI helps attackers more than defenders. Here's why.
Offense: did the exploit work? Yes or no. Instant. AI learns at machine speed.
Defense: is this secure? Maybe. Check in 3 months.
AI scales with cheap verification. Offense has the cheapest verifier. Game over.
Is Patch Tuesday now the most dangerous day of the month?
When a vendor ships a fix, AI reverse-engineers it, finds the exact flaw, and writes an exploit - in hours?
The defense creates the offense.
Every patch is now an exploit blueprint.
Only 2% of all vulnerabilities get exploited today.
Sounds manageable - until you remember why: exploits used to be expensive to build.
At $4 per exploit, that 2% won't stay 2% for long.
50,000+ CVEs a year. Do the math.
67.2% of exploited vulnerabilities in 2026 are zero-days - weaponized before or on the day of disclosure.
In 2018 it was 16.1%.
There is no patch. There is no warning. The attack IS the disclosure.
Exploit generation now costs less than lunch.
40 exploits for 1 bug → $50
100 kernel vulns in 30 days → $600
Cost per bug → $4
Anyone with a cloud account can now do what took a government lab a year.
The barrier to offensive cyber just collapsed.
AI just broke the disclosure model.
Anthropic pointed Claude at codebases tested for decades. Millions of hours of fuzzing by humans.
It found 500+ high-severity zero-days.
Their own red team: "90-day disclosure windows may not survive this."
The old rules are gone.
The collapse is exponential.
2018 → 2.3 years
2021 → 10.8 months
2023 → 4.9 months
2024 → 56 days
2025 → 23 days
2026 → 1.6 days
This isn't a trend line. It's a cliff.
What are we measuring?
TTE = Time-to-Exploit. The gap between when a software flaw is disclosed and when attackers have a working weapon for it.
How much time do defenders have to fix it before the bad guys show up?
It used to be years. Now it's hours.
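As an added illustration (not part of the thread or the Zero Day Clock), the script below takes the six TTE figures quoted above, fits them to an exponential curve, and reports the yearly decay rate, the halving time, and how far the 2026 point sits below that trend. The conversions of years and months to days are my assumptions; the thread states none.

```python
"""Check the thread's "exponential collapse" claim against its own TTE figures."""
import math

# The six data points exactly as the thread states them: (year, value, unit).
TTE_SERIES = [
    (2018, 2.3, "years"), (2021, 10.8, "months"), (2023, 4.9, "months"),
    (2024, 56, "days"), (2025, 23, "days"), (2026, 1.6, "days"),
]
# Assumed conversion factors; the thread does not state any.
DAYS_PER_UNIT = {"days": 1.0, "months": 365.25 / 12, "years": 365.25}


def to_days(value, unit):
    """Normalise a TTE figure to days using the assumed factors above."""
    return value * DAYS_PER_UNIT[unit]


def fit_log_linear(points):
    """Least-squares fit of ln(tte_days) = a + b * (year - 2018); returns (a, b).
    Exponential decay is a straight line in log space, so b is the yearly rate."""
    xs = [year - 2018 for year, _ in points]
    ys = [math.log(days) for _, days in points]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    return my - b * mx, b


def analyze(series=TTE_SERIES):
    """Return the decay rate, the halving time, and how far 2026 sits off the trend."""
    points = [(year, to_days(value, unit)) for year, value, unit in series]
    a, b = fit_log_linear(points)
    last_year, last_days = points[-1]
    trend_days = math.exp(a + b * (last_year - 2018))
    return {
        "yearly_decay_rate": b,                    # negative: TTE shrinks every year
        "halving_time_years": math.log(2) / -b,    # time for TTE to halve on the trend
        "trend_days_2026": trend_days,             # what the fitted line predicts
        "actual_over_trend_2026": last_days / trend_days,  # < 1 means below trend
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value:.3f}")
```

On these six points the fitted trend halves TTE roughly once a year, and the 2026 figure lands well below even that line, which is the "cliff" the thread is pointing at.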