This week we sat down with Ivan Dwyer, Senior Product Marketing Strategist at Axonius, to work through what is shaping up to be a defining moment for vulnerability management.
In the span of a single week this April, two things happened that fundamentally changed the math. Anthropic announced Claude Mythos, a frontier model that autonomously found thousands of zero-days and wrote working exploits against code that had survived decades of human review.
Days later, NIST conceded it can no longer keep pace with CVE enrichment and moved everything published before March 2026 into a Not Scheduled status. With FIRST forecasting more than 50,000 new CVEs this year, the exploitation window is collapsing from weeks to hours at the exact moment our primary public source of vulnerability context is contracting.
Ivan and I dug into what this actually means for security teams on the ground. We talked through why programs built around periodic cadences break down when time disappears, why asset management is quietly becoming the most critical discipline in the stack, and how leaders should be answering the harder resilience questions now coming from the board. We also got into the fundamentals that compliance never quite covers, how to prioritize fixes against real business impact, and the remediation metrics that still matter when the volume explodes.
We closed on the question everyone is wrestling with, which is how much of security operations should be fighting AI with AI, and what the tradeoffs look like for the teams building it.
Why the Mythos and NVD one-two punch broke the cadence model, and the mindset shift teams need to make when exploitation windows shrink to hours
How boards are reframing resilience around the ability to absorb the incoming vulnpocalypse, and whether that actually unlocks budget or becomes another "do more with less" cycle
Why asset management is moving from unglamorous bedrock to critical discipline, and what is driving that shift in the market right now
The gap between 90% control coverage that passes the compliance bar and the weak auth, BYOD, and shadow IT exposures where exploits actually land
How to measure business impact when both the attack surface and the volume of disclosures are exploding at the same time
The remediation metrics that matter most in the AI era, including one measure most teams overlook
How much of security operations should be fighting AI with AI, and the real considerations and tradeoffs for those building AI for security









