Sunil

Exploitation timelines have gone negative. Mandiant M-Trends 2026 report found that mean time-to-exploit collapsed from 63 days in 2018 to an estimated negative seven days in 2025. Negative. Exploitation now begins before a patch exists. Security teams have spent 20 years building programs designed to find risk after it reaches production and fix it before it's exploited. That window no longer reliably exists. The question now is what security programs look like when the exposure window keeps shrinking. We're going to talk a lot more about this over the next week.

The internet is built on shared code. npm and PyPi are the places we share the code for javascript and python respectively. The developers of the shared code have GitHub accounts that can get stolen. GitHub is where the devs publish the code. Once stolen the hackers can push malware to the very popular shared code those accounts have access to. The malware then spreads to other developers of other shared code's GitHub accounts and implants itself there too. Turning it into what we call a worm. Self spreading malware. All the while stealing lots of other secrets from these computers like passwords and API keys that let the hackers into other non-GitHub accounts to do bad guy hacker stuff. We all rely on all this shared code whether we know it or not because nobody writes anything from scratch and we all borrow these bits of code for common things we all do.

𝗧𝗵𝗿𝗲𝗲 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁𝘀. 𝗧𝗵𝗿𝗲𝗲 𝗰𝗼𝗺𝗽𝗮𝗻𝗶𝗲𝘀. 𝗢𝗻𝗲 𝘂𝗻𝗱𝗲𝗿𝗹𝘆𝗶𝗻𝗴 𝗽𝗮𝘁𝘁𝗲𝗿𝗻. Vercel. Lovable. Vimeo. In each case, the breach wasn't in the target's own code. It was in a third-party tool with token-based access into connected environments. Once the token was compromised, the blast radius was defined by what that token was allowed to do. 𝗜𝗻𝗶𝘁𝗶𝗮𝗹 𝗮𝗰𝗰𝗲𝘀𝘀 𝘀𝗲𝘁𝘀 𝘁𝗵𝗲 𝗲𝗻𝘁𝗿𝘆 𝗽𝗼𝗶𝗻𝘁. 𝗘𝗻𝘁𝗶𝘁𝗹𝗲𝗺𝗲𝗻𝘁𝘀 𝘀𝗲𝘁 𝘁𝗵𝗲 𝗯𝗹𝗮𝘀𝘁 𝗿𝗮𝗱𝗶𝘂𝘀. In practice: service principals accumulate permissions. Third-party integrations inherit broad access. Tokens sit dormant until they don't. When something goes wrong, permissions decide how bad it gets. https://t.co/GxnxJxxfOI

If you read this and don’t understand why it’s happening it’s an opportunity to reset your understanding of how the real world works. The real world will need a ton of help actually getting agents going in the enterprise. Companies have legacy tech stacks they need to modernize, data in tons of fragmented tools, knowledge that isn’t captured or digitized, and change management needed to actually utilize agents effectively. And they have to do all this while still running their business day-to-day, unlike startups. This is why there is so much opportunity for companies (software or services) to actually deploy agents in specific domains and workflows. This remains a big opportunity for both existing services providers but also tons of new startups as well. Every new technology wave produces a new era of consulting firms that can deliver on that technology. It’s also why the FDE model is going to be alive and well for a long time because companies will want to have their vendor actually help drive the change management and implementation for their new workflows. The people aren’t going away. Far from it.

Thx for sharing. Your argument on what Microsoft could be willing to pay to fix ALL vulnerabilities is very interesting. I think if you take AI model capability improvements to the limit, one could potentially treat this as a onetime cost of finding and fixing every issue in the existing code base. In that world patching becomes one time issue for all existing systems. Interesting thought exercise. Not sure if we have any evidence at this time on models getting to that stage in a realistic timeframe. Would be great if that's the future

The obvious headline is that Mythos could make zero-day discovery dramatically cheaper, faster, and more scalable. The bigger issue is what happens next. Even if access to Mythos is tightly controlled, the industry should expect a surge in dangerous vulnerabilities being found across major platforms. And once patches are released, threat actors are often able to reverse engineer them and turn them into working exploits fast. Teams need to up-level their remediation operations now, with continuous visibility into exposed assets, a clear understanding of likely attack paths, and the ability to mitigate risk at machine speed. Industry is not ready for this.

9.8 CVSS. High EPSS. Apache Tomcat. Potential RCE. Looks urgent. Fix it first? What if it’s not reachable? The CVE is critical. The risk isn’t. CVSS ≠ risk. In this case: - No exposure - No meaningful path to impact Not what you fix first. That’s what Remediation Ops enables. At scale.

Security is shifting. From finding issues → to actually fixing what matters. That shift is starting to show up more clearly. Averlon was named a winner at the Global InfoSec Awards by Cyber Defense Magazine in the category: Groundbreaking Agentic Remediation Operations Platform Not for finding more. But for helping teams reduce real risk across their environment. See how this works in practice: https://t.co/OP82gpueRN