Every headline wants you to believe AI has rewritten the rules of cybersecurity.
Eric Doerr, the Chief Product Officer at Tenable a Resilient Cyber Partner, is not so sure.
After running security response at Microsoft and leading security products at Google Cloud, he came on to separate the genuine transformation from the noise, and his read is refreshingly grounded.
The tools changed, but the fundamentals did not, and the teams that win are the ones who finally act on that.
Why this conversation matters
Eric sits at a rare intersection, having lived the post-breach world of the SOC and now building the pre-breach world of exposure management. That vantage makes him a sharp guide to what AI actually shifts for defenders, from why cheaper discovery makes prioritization more valuable to how AI becomes its own attack surface once agents start touching your data. If you own vulnerability or exposure management and you are trying to spend your next dollar well, this conversation is a practical map of where the real risk lives and what to automate first.
Key takeaways
Attackers are ruthlessly economical. Eric calls bad actors the perfect capitalists, spending the least effort needed to hit their goal, which is why so many still get in through unpatched basics rather than anything AI-powered.
AI has not rewritten the offense-defense balance. The attacker only ever had to be right once, layered defense and zero trust still hold, and the real lever is accelerating your program with fewer human loops rather than lamenting the asymmetry.
Cheaper discovery makes context more valuable, not less. Reachability and exploitability mean most findings are not worth chasing, so as AI floods teams with more of them, telling the truly scary hundred from the theoretical ten thousand becomes the whole game.
Being too small to target is a strategy on borrowed time. As automation drives the cost of attacks toward zero, the quiet bet that adversaries will hit weaker neighbors stops paying off, and Eric would move off that mentality now.
Humans should not be the bottleneck on every fix. Getting the workflow and tooling right is most of the work, and the rest is the organizational willingness to let validated automation act, even when a business partner would feel better with a human in the loop.
AI is special and not special at the same time. It is mostly just another attack surface, and Eric estimates 80 to 90 percent of securing it maps to patterns the industry already learned during the move to cloud.
Shadow AI is the first surprise in almost every environment. When teams scan the endpoints they already interrogate for AI artifacts, nearly all of them find something they never sanctioned, which is why discovery has to come before control.
The real AI risk is interconnection. A misconfigured database was a needle in a haystack until you wire it to an agent, and then a harmless question about the budget quietly returns data the asker should never see.
Most breaches are not even CVEs. Citing the Verizon DBIR, Eric notes roughly two-thirds of breaches trace to misconfigurations, and since about a third of Tenable’s findings are non-CVE, a third of your findings can carry two-thirds of your risk.
Agentic automation is finally killing the toil. Early users are automating drudgery like asset tagging and full remediation workflows, with one manufacturing customer letting automation handle 80 to 90 percent and scheduling the rest for change windows with a human notified.
Notable quotes
“Bad actors are the most perfect representation of capitalism”
Eric Doerr, on why attackers do the least work necessary and often skip AI entirely.
“a third of their findings are two-thirds of their risk”
Eric Doerr, on why misconfigurations, not CVEs, drive most breaches.
“you’re on the wrong side of history”
Eric Doerr, on insisting a human eyeball every automated fix.
Listen and Watch
Resources
Tenable AI Exposure and Hexa AI, part of Tenable One
Subscribe
If this kind of grounded, signal-over-noise take on exposure management is useful to you, subscribe to Resilient Cyber for more conversations and writing on cybersecurity, AI, and the forces that shape both.









