
Initial Reactions and Key Takeaways from the 2026 Gartner Security and Risk Summit

Posted by: Ryan Blanchard
June 08, 2026

Last week, the XM Cyber team had the pleasure of attending the annual Gartner Security and Risk Summit at the Gaylord Resort in National Harbor, Maryland. As is usually the case, the show was packed with security leaders, practitioners, and vendors alike. One of the things that sticks out when attending a Gartner conference as opposed to others in our industry like RSA or Black Hat is the distinct focus placed on continuous learning and peer-to-peer engagement.

This year was no different, with sessions ranging from, of course, AI and its increasingly disruptive role in cybersecurity to quantum computing and privacy-enhancing technologies (PETs). After multiple days filled with back-to-back sessions, groundbreaking industry news, and deep conversations with folks across the market, there were a few key takeaways that stuck out above the rest. We felt these were worth digging a bit deeper into, flagging critical insights for those who didn’t have the chance to attend in person.

AI is a disruptive force for cybersecurity, for better and worse.

The dual nature of artificial intelligence was a focal point at this year’s summit, framed perfectly by Jeremy D’Hoinne’s session on the future of AI in cybersecurity.

On one hand, AI is driving an immense amount of positive impact for defenders, be it automating routine compliance, accelerating threat detection, or allowing security teams to scale their operations faster than ever before. On the other hand, it has introduced a wave of sophisticated, unpredictable risk. Attackers are leveraging these exact same tools to craft hyper-convincing phishing campaigns, automate exploit discovery, and bypass traditional defenses.

Threat actors currently hold a distinct advantage with AI-augmented attacks, prompt injection, and the hijacking of agentic automation. AI isn’t just a defensive shield; it’s a battleground where both sides are racing for the upper hand.

The urgency is no longer just an industry talking point; it has officially reached the highest levels of national policy. Just days ago, the White House released an Executive Order on Promoting Advanced Artificial Intelligence Innovation and Security, which explicitly mandates the creation of a federal AI cybersecurity clearinghouse to coordinate the scanning, discovery, validation, and patching of software vulnerabilities.

However, Gartner warns organizations not to get swept up in the hyper-focused narrative, predicting that by 2027, 90% of organizations using large language models (LLMs) primarily to reduce false positives and costs will miss their objectives to lower breach rates.

Is Mythos an Expanding Hype Machine or a Shift in the Vulnerability Landscape? Probably Both.

Nearly every session, expo-hall booth and vendor pitch mentioned AI, and too many of them seemed to start and stop with Anthropic’s Mythos. The narrative is powerful, and there is no question that folks across the industry at all levels of seniority have these frontier models at the forefront of their minds – and one would assume by the buzz – on their shopping lists.

What is clear, however, is that opinions differ on the true impact these models are having on operating models, with some first-movers proactively re-tooling their tech stacks and others greeting the fanfare with eye rolls. The context of the conversation has evolved, moving beyond awe at vulnerability discovery capabilities to unpack whether these models can move the needle where pain is actually most felt in the vast majority of vulnerability programs: prioritization, validation and mobilization.

Net-net, whether you believe these models will upend the entire industry, settle as a feed into existing exposure management platforms or are just a flash in the pan, the CISOs winning this battle aren’t the ones with the most AI tools. They’re the ones who’ve done the hard work of knowing and proving which exposures actually matter.

That starts with reachability and exploitability, not another dashboard. The reality is that there are only a finite number of paths an attacker can take, and a finite set of techniques they can use to exploit the exposures those paths consist of. By proactively identifying every possible path and systematically eliminating those that lead to critical assets, an organization mutes the potential blast radius of an AI-fueled attack by default.

In case you missed it, I had the opportunity to dive deep on this topic during a Fireside Chat with XM Cyber’s CISO, Dan Anconina and Senior Sales Engineer, Alex Welin. Be sure to give it a watch!

CTEM is Here to Stay, and XM Cyber’s Vision Is Becoming Reality Before Our Eyes.

It is clear that Continuous Threat Exposure Management (CTEM) is no longer just a buzzword; organizations finally understand what exposure management means, and they are actively adopting and investing in it. This adoption has had real impact, with organizations seeing tangible reductions in mean time to remediate (MTTR) and exposure dwell times. However, the vendor landscape is shifting rapidly to deliver on this vision.

Gartner’s Mitchell Schneider held a session where he dove into the recently published Exposure Assessment Platform (EAP) Magic Quadrant; EAPs are the platforms that continuously identify and prioritize misconfigurations and vulnerabilities across broad asset classes. He also highlighted where he sees the market going in the near future: toward a convergence in which EAPs gradually merge with (or consume) Adversarial Exposure Validation (AEV) capabilities. In their sessions, Gartner analysts have started teasing a new, combined market category, the Unified Exposure Management Platform (UEMP), which aims to capture this ongoing convergence. While it’s unclear when that research will kick off in earnest, I for one am happy to see the market internalizing the shift XM Cyber has been pioneering for nearly a decade now.

This represents a significant shift for an industry that historically treated exposure validation as a distinct, siloed function, managed by isolated offensive teams playing with Breach and Attack Simulation (BAS) or standalone penetration testing tools. By transitioning to a CTEM and AI-driven model, security teams can stop treating CVSS scores as gospel. Instead, they focus on the attacker’s perspective, threat-informed control context, and filtering out the noise to concentrate on the few exposures that matter most.
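To make the path-based prioritization concrete, here is an added illustration written for this article; it is example code, not XM Cyber’s product or algorithm. It builds a small attack graph in which hosts are nodes and each edge is an exposure an attacker could use to move between them, enumerates every path from the internet to the critical assets, counts how many of those paths each exposure sits on, and then picks a greedy remediation set. Every host name, exposure label and CVSS score in it is constructed for the demonstration, and the contrast it draws (a CVSS 4.0 credential exposure on every path versus a CVSS 9.9 flaw on none) is a property of that constructed graph.

```python
"""Attack-path prioritization on a constructed attack graph.

Hosts are nodes; each edge is an exposure (a technique that lets an attacker
move from one host to the next). Every host name, exposure label and CVSS
score below is made up for this example.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, str, float]  # (source host, target host, exposure id, cvss)

EDGES: List[Edge] = [
    ("internet", "web-01", "web-rce", 9.8),
    ("internet", "vpn-01", "weak-vpn-creds", 7.5),
    ("web-01", "app-01", "ssrf-to-internal", 6.5),
    ("web-01", "dev-01", "dev-tool-rce", 9.9),         # highest CVSS, but a dead end
    ("dev-01", "sandbox-01", "sandbox-escape", 9.1),   # also a dead end
    ("vpn-01", "app-01", "smb-signing-off", 5.3),
    ("vpn-01", "dc-01", "unconstrained-delegation", 8.0),
    ("app-01", "jump-01", "cached-admin-creds", 4.0),  # low CVSS, on every path through app-01
    ("jump-01", "db-01", "db-password-reuse", 6.0),
    ("jump-01", "dc-01", "kerberoastable-spn", 7.0),
]
ENTRY = "internet"
CRITICAL: Set[str] = {"db-01", "dc-01"}


def build_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    """Adjacency list: host -> [(next host, exposure used to get there)]."""
    graph: Dict[str, List[Tuple[str, str]]] = {}
    for src, dst, exposure, _ in edges:
        graph.setdefault(src, []).append((dst, exposure))
    return graph


def attack_paths(edges: List[Edge], entry: str, critical: Set[str]) -> List[List[str]]:
    """All simple paths from entry to any critical asset, as lists of exposures."""
    graph = build_graph(edges)
    paths: List[List[str]] = []

    def walk(node: str, visited: Set[str], used: List[str]) -> None:
        if node in critical:            # stop at the first critical asset reached
            paths.append(used)
            return
        for nxt, exposure in graph.get(node, []):
            if nxt not in visited:      # simple paths only: never revisit a host
                walk(nxt, visited | {nxt}, used + [exposure])

    walk(entry, {entry}, [])
    return paths


def choke_points(paths: List[List[str]]) -> Counter:
    """How many critical paths each exposure appears on."""
    return Counter(exposure for path in paths for exposure in path)


def cvss_ranking(edges: List[Edge]) -> List[str]:
    """The traditional ordering: highest CVSS first, regardless of reachability."""
    return [e for _, _, e, _ in sorted(edges, key=lambda edge: -edge[3])]


def remediation_plan(edges: List[Edge], entry: str, critical: Set[str]) -> List[str]:
    """Greedy set cover: repeatedly fix the exposure that cuts the most remaining paths.

    Ties are broken by CVSS (higher first), then by name, so the result is deterministic.
    """
    cvss = {e: score for _, _, e, score in edges}
    remaining = attack_paths(edges, entry, critical)
    plan: List[str] = []
    while remaining:
        counts = choke_points(remaining)
        best = max(counts, key=lambda e: (counts[e], cvss[e], e))
        plan.append(best)
        remaining = [p for p in remaining if best not in p]
    return plan


if __name__ == "__main__":
    paths = attack_paths(EDGES, ENTRY, CRITICAL)
    print(f"{len(paths)} attack paths reach a critical asset")
    print("top 3 by CVSS:       ", cvss_ranking(EDGES)[:3])
    print("top 3 by choke point:", [e for e, _ in choke_points(paths).most_common(3)])
    print("remediation plan:    ", remediation_plan(EDGES, ENTRY, CRITICAL))
```

On this graph five paths reach a critical asset; the CVSS ranking would send the team to `dev-tool-rce` first, which is on none of them, while `cached-admin-creds` sits on four and fixing it plus `unconstrained-delegation` leaves no path at all. A real exposure management platform adds exploitability validation and live asset data on top of this, but the reachability question it answers is the same one this enumeration asks.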

In fact, Gartner projects that by 2027, organizations that integrate exposure assessment data directly into their workflows will experience 30% less unplanned downtime from exploited vulnerabilities.

At XM Cyber, we have been operating at this exact intersection since day one. Our foundational thesis has always been that the only way to effectively manage the scale, speed, and complexity of modern enterprise attack surfaces is to focus on real-world attack path validation, validating what is truly exploitable and protecting the critical assets and data that actually matter.


Security and GRC are on a collision course, with business resiliency a mutual imperative.


Historically, there has been an undeniable tension between technical security teams and Governance, Risk, and Compliance (GRC) functions. For years, they operated in silos, feeling at odds due to differing motives, separate toolsets, and entirely distinct operating realities. However, the rise of enterprise AI, disruptions to traditional vulnerability management, and an increasingly volatile regulatory environment are forcing a long-overdue convergence.


Gartner’s Deepti Gopal delivered a compelling session on moving from “chaos to clarity” by replacing inflexible, legacy risk systems with Adaptive Cyber-Risk Governance. The reality of modern enterprise operations is defined by daily, ephemeral cloud-native tech shifts and instantaneous capital flows. You simply cannot manage real-time threat vectors and daily infrastructure changes using legacy, quarterly risk oversight checklists or static Value at Risk (VaR) modeling.


This collision is an entirely necessary and welcome evolution. Both functions are internalizing a shared ultimate goal: improved business resilience. According to Gartner’s CISO survey, the top factors limiting a CISO’s ability to influence board-level decisions are an insufficient understanding of cybersecurity among board members (49%) and the sheer complexity of communicating technical risk in business terms (41%).


By shifting the focus toward prioritizing exposures based on actual exploitability, lateral movement, attack paths, and true business impact, organizations can finally bridge the gap between technical risk and corporate governance. This alignment allows companies to transform GRC from a passive “security tax” into a real-time telemetry stream that supports risk-aware innovation.

People and Process Remain the Critical Hurdle to Cybersecurity Efficacy

To pull this off, Gartner has begun recommending dedicated headcount in the form of a new functional role: the Mobilization Coordinator. While organizations have successfully automated identification and prioritization, they often hit a wall when transitioning from automated machine speeds to human-led fixing conversations.


Gartner predicts that by 2030, organizations that implement a dedicated mobilization coordinator will reduce critical exposure dwell time by up to 60%. This role acts as the ultimate bridge, working hand-in-hand with GRC to prioritize exposures impacting regulatory obligations, coordinating with IT operations to navigate patch deployments, and feeding active exposure data directly into the SOC to improve threat detection and response.


The overwhelming consensus from the 2026 summit is that technology is no longer the primary barrier to effective exposure management; processes and people are. Security leaders must move away from defensive gatekeeping and step into the role of strategic business enablers.

