6 Key Takeaways From Our Conversations on AI, AppSec, and the Future of Vulnerability Management

By John Morello
May 7, 2026

AI powered vulnerability discovery has quickly moved from research labs into mainstream security conversations. Between projects like Mythos and Glasswing, and the broader rise of AI assisted offensive research, security teams are facing a new reality: vulnerabilities can now be discovered faster, at greater scale, and with lower barriers to entry than ever before.

To better understand what this shift actually means for defenders, Minimus sat down with several industry leaders and security practitioners, including Bruce Schneier, Frank Kim, Chenxi Wang, and Justin Somaini.

Across all four conversations, a few consistent themes emerged. The biggest problem is not discovering vulnerabilities. It is handling the speed, scale, and operational burden of fixing them.

Watch the full series here

1. AI Is Compressing the Time Between Discovery and Exploitation

One of the clearest takeaways from every conversation was that AI is accelerating vulnerability discovery far faster than most organizations can adapt operationally.

Chenxi Wang described AI powered vulnerability research as enabling discovery “at a speed, velocity, and depth that was not possible before.” Frank Kim similarly framed the issue as fundamentally about “the speed of discovery” and the “speed of potential exploitability.”

That acceleration matters because most enterprises already struggle to keep pace with existing vulnerability volumes. AI simply compresses the window even further.

As Wang noted, “the time to fix is really, really squished today.”

What makes this shift especially challenging is that the technology will not stay confined to frontier labs forever. Several speakers pointed out that capabilities that are expensive and difficult to deploy today will likely become cheaper, more accessible, and easier to operationalize over time.

2. The Real Problem Is Remediation, Not Discovery

A recurring theme throughout every discussion was that most organizations are not suffering from a lack of visibility. They are suffering from an inability to remediate vulnerabilities quickly enough.

Bruce Schneier summarized the issue directly: organizations already know they have thousands of vulnerabilities, but “the problem is about deploying the fixes for the vulnerabilities.”

Justin Somaini echoed the same point, noting that defenders already struggle to maintain environments free from known high and critical vulnerabilities today, even before AI driven discovery reaches full scale.

Frank Kim described environments containing “millions of vulnerabilities” where teams had to prioritize only the newest issues because the backlog had become impossible to process manually.

This is an important distinction because much of the current conversation around AI security focuses on discovery itself. In practice, most enterprises are already overwhelmed with scanner output, cloud findings, SBOM data, and dependency alerts. The operational bottleneck has always been remediation.

Several speakers also pointed out that patching is fundamentally harder than discovery. AI can increasingly identify vulnerabilities through large scale analysis, but remediation requires understanding downstream integrations, business logic, operational dependencies, and the risk of breaking production systems.

Chenxi Wang explained that while AI detection capabilities are improving rapidly, remediation remains far more context dependent because models often lack visibility into the broader environment.

Bruce Schneier made a similar distinction between finding vulnerabilities and safely deploying fixes into production environments.

That challenge becomes even harder in environments where downtime is unacceptable. Many organizations remain hesitant to rapidly deploy patches into mission critical systems because unreliable updates can introduce operational failures.

AI may dramatically increase the speed of vulnerability discovery long before remediation workflows become equally automated and reliable.

3. Secure by Default Matters More Than Ever

As vulnerability volume increases, every speaker emphasized the importance of reducing unnecessary attack surface before software ever reaches production.

Justin Somaini described the need for a “disciplined approach” to stripping down assets, code bases, and infrastructure to only what is necessary. “I don't need to patch something that isn't there.”

Frank Kim similarly pointed to “secure by design” and “secure by default” frameworks as foundational for scaling security operations.

The logic is straightforward. If organizations continue deploying bloated software stacks filled with unnecessary packages and dependencies, AI accelerated vulnerability discovery only magnifies the operational burden.

Reducing the number of packages, services, binaries, and components inside an environment directly reduces the number of things attackers can discover and defenders must maintain.

Several conversations also reinforced that security hygiene remains critical even in an AI driven future. Organizations still need mature CI/CD practices, validation processes, dependency management, and strong operational discipline. AI does not eliminate the need for fundamentals.

4. AI Helps Defenders Too, But Mostly Through Automation

While much attention has focused on offensive AI capabilities, every conversation also highlighted the defensive advantages AI can provide.

The strongest opportunity is not replacing security teams. It is automating repetitive operational work that humans have historically struggled to scale.

Justin Somaini described a future where AI assists throughout the entire AppSec lifecycle, from threat modeling to validating scanner output to generating remediation suggestions engineers can review and commit.

Frank Kim pointed to AI’s ability to sift through enormous amounts of vulnerability and cloud security data more effectively than humans can manually process.

Bruce Schneier discussed the idea of “VulnOps,” where vulnerability discovery becomes an integrated part of the software development process itself.

The common thread across these perspectives is automation. Organizations cannot hire their way out of the problem. They need systems capable of operating at machine speed.

Importantly, most speakers were careful not to frame AI as a magic solution. Human validation, operational context, and process discipline still matter, especially when remediation decisions can affect production systems.
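To make the "I don't need to patch something that isn't there" point from section 3 and the scanner-triage automation from section 4 concrete, here is an added example that is not from the original post and not Minimus's own tooling. It matches a small advisory feed against two CycloneDX-style SBOM component lists, one for a bloated image and one for a stripped-down image, drops advisories for packages that are not present or are already at a fixed version, and orders what remains by severity. The SBOMs, the advisory identifiers (EX-000n) and the fixed-in versions are all constructed placeholders for illustration.

```python
"""
Constructed example: how much of a remediation backlog disappears when
components are simply not in the image, and how the rest gets ordered
for triage. All package versions, advisory ids and fixed-in versions are
made up for illustration; they are not real advisories.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass(frozen=True)
class Advisory:
    adv_id: str      # placeholder id, not a real CVE number
    package: str
    fixed_in: str    # first version that is no longer affected
    severity: str


def parse_version(v):
    """Split '3.0.7' into (3, 0, 7) so versions compare numerically; non-numeric parts sort as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(installed, fixed_in):
    """An installed version is affected only if it is older than the fixed-in version."""
    return parse_version(installed) < parse_version(fixed_in)


def component_index(sbom):
    """Map package name -> version from a CycloneDX-like 'components' list."""
    return {c["name"]: c["version"] for c in sbom["components"]}


def match_advisories(sbom, advisories):
    """Return (advisory, installed_version) pairs that actually apply, worst severity first."""
    installed = component_index(sbom)
    hits = []
    for adv in advisories:
        version = installed.get(adv.package)
        if version is None:
            # Package is not in the image: nothing to patch, nothing to triage.
            continue
        if is_affected(version, adv.fixed_in):
            hits.append((adv, version))
    hits.sort(key=lambda h: (-SEVERITY_RANK[h[0].severity], h[0].package, h[0].adv_id))
    return hits


def backlog_summary(sbom, advisories):
    """Count applicable advisories per severity plus a total, the number an engineer must work through."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for adv, _ in match_advisories(sbom, advisories):
        counts[adv.severity] += 1
    counts["total"] = sum(counts[s] for s in SEVERITY_RANK)
    return counts


# Constructed SBOMs: the bloated image ships shells and interpreters the app never uses.
BLOATED_SBOM = {"bomFormat": "CycloneDX", "components": [
    {"name": "libssl", "version": "3.0.7"},
    {"name": "curl", "version": "7.88.1"},
    {"name": "bash", "version": "5.2.15"},
    {"name": "perl", "version": "5.36.0"},
    {"name": "python3", "version": "3.11.2"},
    {"name": "myapp", "version": "1.4.0"},
]}
MINIMAL_SBOM = {"bomFormat": "CycloneDX", "components": [
    {"name": "libssl", "version": "3.0.7"},
    {"name": "myapp", "version": "1.4.0"},
]}

# Constructed advisory feed (placeholder ids, not real CVEs).
ADVISORIES = [
    Advisory("EX-0001", "libssl", "3.0.8", "HIGH"),
    Advisory("EX-0002", "curl", "8.0.0", "CRITICAL"),
    Advisory("EX-0003", "bash", "5.2.21", "MEDIUM"),
    Advisory("EX-0004", "perl", "5.38.0", "LOW"),
    Advisory("EX-0005", "python3", "3.11.4", "HIGH"),
    Advisory("EX-0006", "libssl", "3.0.5", "HIGH"),      # already fixed in 3.0.7: no hit
    Advisory("EX-0007", "myapp", "1.5.0", "CRITICAL"),
]

if __name__ == "__main__":
    for label, sbom in (("bloated", BLOATED_SBOM), ("minimal", MINIMAL_SBOM)):
        print(label, backlog_summary(sbom, ADVISORIES))
        for adv, ver in match_advisories(sbom, ADVISORIES):
            print(f"  {adv.severity:8} {adv.adv_id} {adv.package} {ver} -> fix in {adv.fixed_in}")
```

The same advisory feed yields six actionable findings for the bloated image and two for the minimal one; the only difference is which packages exist to be matched. The ordering step is the part a team would hand to automation: it is deterministic, it ignores advisories already remediated by the installed version, and it leaves the remaining engineer-reviewed decision (whether to upgrade libssl and myapp now) as small as the image allows.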

5. Legacy Systems and IoT Will Be Some of the Hardest Hit Areas

Multiple discussions highlighted the growing risk surrounding legacy infrastructure and industrial systems that cannot easily be patched or upgraded.

Frank Kim discussed environments containing medical devices, manufacturing systems, and IoT infrastructure where patching is either operationally difficult or outright impossible.

Bruce Schneier described similar concerns around industrial infrastructure and suggested that long term defenses may rely heavily on AI driven monitoring and dynamically generated perimeter protections.

Until then, many organizations will continue relying on layered defenses, network segmentation, access controls, monitoring, and compensating controls to reduce exposure.

These environments illustrate why AI driven vulnerability discovery creates such operational tension. Many organizations simply cannot patch critical infrastructure at the speed modern threats may require.

6. Security Fundamentals Still Matter Most

Despite all the discussion around frontier AI models, every conversation ultimately circled back to the same conclusion: the organizations best positioned for this future are the ones already executing the basics well today.

Asset management, patch management, dependency hygiene, CI/CD discipline, secure by default infrastructure, and automation all remain foundational.

As Justin Somaini put it, “focus on the basics.”

That may ultimately be the biggest takeaway from all four conversations. AI changes the scale and speed of the problem, but it does not fundamentally change what strong security programs need to do. It simply makes operational discipline, automation, and attack surface reduction far more important than they already were.

Reducing Vulnerability Volume Starts With Reducing Attack Surface

AI is accelerating vulnerability discovery, but most organizations are already struggling to keep up with today’s remediation workload. As discovery speeds increase, reducing attack surface and operational overhead becomes even more critical.

Minimus helps organizations stay ahead by starting with minimal, hardened container images built to dramatically reduce CVEs from the outset. Instead of spending time triaging thousands of unnecessary vulnerabilities from bloated public images, teams can focus on the issues that actually matter.

For organizations looking to reduce remediation burden, improve software supply chain security, and adopt a more secure by default approach to containers, Minimus provides a practical path forward.

Get a demo to see how Minimus helps security and platform teams reduce vulnerabilities before they ever reach production.

John Morello
CTO & Co-Founder