Continuous Runtime Exposure Management. Find what's exploitable, not just what's installed. CVEs, non-CVE weaknesses, and AI workloads in one runtime agent.
A scanner-based stack answers "are we affected?" in 2 to 4 days. Runtime answers in minutes, because it already knows what is executing, at what privilege, on what surface.
The full May read: https://t.co/IwoM35n2q8
For the first time in 19 years, the Verizon DBIR ranks vulnerability exploitation as the #1 initial access vector. 31% of breaches, more than 2x credential abuse.
May was the month the CVE list stopped being the answer.
Two more signals from the same month:
→ Palo Alto disclosed 7x its usual monthly CVE count after pointing AI at its own code.
→ Spektion found 8 exploitable conditions in one app install. 0 had a CVE.
Disclosure is not the same as exposure.
A role that turns over every 18 months is not a people problem. It is a scope problem.
Runtime context is what makes the scope finite.
https://t.co/OVQazoQB8R
Spektion CEO and former Fortune 200 CISO Joe Silva, quoted in Business Insider:
"What gets you to the table doesn't make you effective at the table ... you realize it's the kids' table."
The average CISO seat now lasts 18 to 26 months.
Half of CISOs say the scope is now unmanageable. Most of that scope is noise.
70% of critical CVEs sit in software that is not even running. The fix is not more headcount. It is a shorter list: what is running, at what privilege, with what blast radius.
The traditional VM model assumes you can enumerate what to defend. Decentralized AI adoption defeats enumeration. 1,000 employees using 1,000 different AI patterns is what observation is for, not policy.
A former Fortune 200 CISO who left the chair to ship the thing he wished existed. Joe Silva is taking the unfiltered version of that story to the Gartner Security Summit AMA next week.
DM us for an invite.
40,000 WooCommerce stores compromised this week through a Funnel Builder flaw. The CVE will arrive after the breach report.
→ CVSS triage cannot rank what has no ID. Runtime catches what the feed has not assigned.
The walk from the CISO chair to the founder seat: which parts of CISO instinct translate, and which parts get in the way. Joe Silva is taking that question off the record at the Gartner Security Summit AMA next week.
DM us for an invite.
Boards are asking about AI agents this quarter. VM programs built around CVE-IDs are quiet on the question. Joe Silva and Kyle Bubp are running the closed-door version of that conversation at Gartner next week.
DM us for an invite.
Spektion has been writing about this gap for months: runtime behavior is the only ground truth.
Catch it where it executes, not where it installs.
https://t.co/9mAOe7hNsT
.cursorrules and CLAUDE.md just became malware delivery vectors.
The Trapdoor PRs against browser-use, langchain-ai, and langflow-ai hid instructions for the AI coding assistant reading your repo.
→ This is context injection with a supply-chain delivery wrapper.
Mitigation lives downstream of the package boundary, in the layer detecting unexpected process behavior on the endpoint.
Two CISOs, one closed-door room at the Gartner Security Summit next week. Topic: What AI agents are actually doing on enterprise endpoints and what to tell the board. No slides, no notes.
DM us for an invite.
Counsel is not waiting for AI security to mature. The view of "reasonable" is hardening on its own timeline.
Programs that wait to engage counsel until after defining their AI controls are negotiating from the back foot.
Three places the catch-up shows up:
→ Allow-lists that describe intent without a runtime record.
→ Agent inventories built from policy, not from the host.
→ Audit answers anchored on "what we approved" when counsel asks "what happened."