Vulnerability management spent years as the chore nobody wanted.
Now it is one of the hottest topics in security, and not for flattering reasons. Attackers turned exploitation into the number one path into organizations, and AI has poured complexity on top of an ecosystem whose public infrastructure was already buckling.
Patrick Garrity has been tracking all of it from inside VulnCheck, and he came back on the show to separate what is real from what is marketing.
Why this conversation matters
Patrick is one of the few people who digs to the bottom of the vulnerability data instead of reacting to the headline. In this conversation he walks through the real state of the NIST National Vulnerability Database, audits the transparency behind one of the loudest AI vulnerability programs, and explains why the flood of AI-discovered bugs does not solve the problem most teams actually have.
If you own vulnerability management, or you are trying to size how much of the AI security wave is signal, this is a grounded reality check from someone who shows his work.
Key takeaways
Vulnerability management got hot because the attackers moved. Exploitation is now the leading initial-access vector, and as Patrick notes, attention follows the attacker, which is why a discipline everyone once dreaded is suddenly the center of the conversation.
The NVD did not just fall behind; it lost its footing. A recent report quietly confirmed that CISA stopped funding the NIST NVD and that NIST lost roughly half its funding, with no real plan to clear the backlog, and the duplicated enrichment effort between agencies left defenders absorbing the damage.
Calling the NVD a government-only resource rewrites history. It ran as a public good for everyone for about twenty-five years, so telling smaller organizations they are now on their own lands hard, especially as a new AI executive order proposes yet another clearinghouse without resolving the coordination failures that broke the last system.
The first AI disclosure wave is measurable and real. CVE volumes jumped 563 percent for Chrome and GitHub advisories climbed 470 percent year to date, and Patrick did the unglamorous work of separating genuine AI-assisted discovery from AI slop and from bugs that simply live inside AI products.
The Glasswing ledger is where the marketing met the receipts. Patrick found roughly 80 related vulnerabilities in his own tracking while the public ledger showed 27, several had passed their own 90-day disclosure deadline, and nothing had been updated in two weeks, which is why he is pushing for follow-through rather than disputing the underlying work.
Finding bugs is cheap now, and that is exactly the problem. Discovery was never the real constraint, and AI makes it cheaper, so the bottleneck moves downstream to the human-heavy coordinated disclosure and remediation process that AI does almost nothing to speed up.
Exploitation is sustaining, not exploding. CISA KEV and VulnCheck KEV track similar volumes year over year, in part because attackers already have a surplus of targets and in part because the world can only count the exploitation it has the capacity to detect.
AI is pushing the security poverty line up before it pushes it down. The most capable discovery tooling is gated behind cost and access, so well-funded teams pull ahead while smaller organizations, who cannot staff the expertise to weaponize open-weight models defensively, fall further behind.
The economics are a loop, and the loop is the business model. AI accelerates the findings and the attacker velocity, then gets sold back as the remediation, so organizations pay to create the demand and pay again to satisfy it, all on consumption pricing that collides with finite budgets.
It probably gets worse before it gets better. Patrick’s read is that real change waits on more pain, clearer market incentives, or regulation, because responsibility ultimately sits with the vendors and maintainers shipping the defects, and some products simply need to be deprecated.
Notable Quotes
“the attention flows to wherever the attacker goes”
Patrick Garrity, on why vulnerability management is suddenly everywhere.
“That’s not where the bottleneck is. The reality is the bottleneck is downstream.”
Patrick Garrity, on why cheap AI discovery does not fix the core problem.
“I don’t dispute these numbers. I don’t dispute that this is real.”
Patrick Garrity, on auditing the Glasswing ledger and the gap between the claims and the follow-through.
Listen and Watch
Please be sure to like and subscribe!
If this kind of receipts-first take on vulnerability management and AI is useful to you, subscribe to Resilient Cyber for more conversations and writing on cybersecurity, AI, and the incentives that shape both.