AI & Vuln Mgmt: CISOs Shift Budget to BAS

AI has fundamentally changed vulnerability management. The traditional buffer, which allowed months between finding a vulnerability and its weaponization, is now gone. This is because AI can compress discovery-to-exploit times from months to mere hours. What's interesting is that AI has also turned vulnerability discovery into a volume game. For example, Claude Mythos Preview found over 10,000 high- or critical-severity vulnerabilities in important software in just one month. It even found an OpenBSD bug that had gone undetected for 27 years. The window for weaponizing vulnerabilities has also collapsed. The average time-to-exploit is now roughly 24 hours, a significant drop from about 53 days in 2024. This matters because 32% of initial-access techniques are linked to vulnerability exploitation, a number expected to rise as AI coding assistants empower attackers.