VYPR
Trend · Published Jun 3, 2026 · 1 source

Tenable CTO Warns AI Compresses Exploit Timelines to 'Negative Days,' Urges Exposure Management

Tenable CTO Vlad Korsunsky asserts that AI has rendered traditional patching obsolete, advocating for AI-powered exposure management to counter rapidly weaponized vulnerabilities.

Tenable Chief Technology Officer Vlad Korsunsky has issued a stark warning regarding the impact of artificial intelligence on cybersecurity, declaring the traditional patching cycle "obsolete." Speaking at the World Economic Forum's Annual Meeting on Cybersecurity and Tenable's own EXPOSURE 2026 conference, Korsunsky highlighted how advanced AI models are drastically compressing the timeline between vulnerability disclosure and active exploitation, a phenomenon he terms "negative days." This means adversaries are increasingly weaponizing flaws before vendors can even release patches, creating an insurmountable gap for defenders relying on conventional remediation strategies.

Korsunsky emphasized that the current threat landscape demands a fundamental shift away from static Common Vulnerability Scoring System (CVSS) scores. Instead, he advocates for the adoption of AI-powered exposure management. This approach leverages AI to analyze an organization's entire attack surface and prioritize remediation efforts based on real-world exploitability and risk, rather than relying on theoretical severity ratings. The goal is to provide a dynamic, intelligence-driven view of an organization's security posture that can keep pace with the accelerated threat environment.

A significant concern raised by Korsunsky is the burgeoning "agentic economy," characterized by the rapid proliferation of autonomous AI identities. He stressed the urgent need to apply zero-trust principles and least-privilege cryptographic primitives to these non-human AI entities. Failure to do so, he warns, could introduce severe, systemic internal risks that are difficult to detect and manage with traditional security controls.

Drawing on data from recent industry reports, Korsunsky pointed out that while vulnerabilities remain a significant entry vector, human errors such as misconfigurations and identity flaws account for the majority of breaches. This underscores the need for a holistic security strategy that addresses not only technical vulnerabilities but also the human and systemic factors that contribute to security incidents.

Korsunsky cited a recent emergency meeting convened by Federal Reserve Chair Jerome Powell and U.S. Treasury Secretary Scott Bessent with major financial institution CEOs. The meeting focused on the potential systemic risks posed by a single advanced AI model, Anthropic's Claude Mythos Preview, illustrating the unprecedented scale of threats now stemming from AI capabilities.

Empirical data presented by Korsunsky shows a dramatic acceleration in threat actor speed. Mandiant's "M-Trends 2026 Report" indicates that the average time-to-exploit has collapsed from 32 days in 2022 to minus seven days in 2024. This means exploits are appearing, on average, a full week before patches are available. In stark contrast, the Verizon Data Breach Investigations Report (DBIR) shows that enterprises typically take 43 to 55 days to deploy patches, highlighting a critical asymmetry favoring attackers.

The implications of this rapid evolution are profound. Korsunsky argues that the traditional reactive approach to cybersecurity is no longer viable. Organizations must embrace proactive, AI-driven strategies that provide continuous visibility and enable rapid, intelligent prioritization of risks across their entire digital footprint. This includes securing the complex interactions between human users, AI agents, and critical infrastructure.

Ultimately, Korsunsky's message is a call to action for C-suites and security leaders worldwide. The advent of AI necessitates a complete re-evaluation of cybersecurity strategies, moving from a focus on discrete vulnerabilities to a comprehensive management of digital exposure, underpinned by robust zero-trust principles for both human and AI identities.

Synthesized by Vypr AI