

I almost didn't get a clean read on this one before walking in. I knew the public version, the AI Vulnerability Storm paper, the post-Mythos noise. I didn't know what the people actually running the most advanced security programs in the world would say behind closed doors. That was the whole reason to be there. It did not disappoint.
The lightning talks were the part I keep thinking about. CISOs got up one after another and said the unglamorous, useful thing. Here's what we did to fix AppSec. Here's the tool we just open-sourced. Here's how we're securing the agents we've already deployed. No vendor gloss. People comparing notes on work they shipped last quarter.
Then a thread ran through the whole day that I haven't been able to shake. The way we've reported and disclosed vulnerabilities for twenty years is breaking. People in that room said, “CVEs are dead,” “CVSS is dead.” A few also questioned whether parts of the open-source model survive when you can have AI write your own version of a library instead of pulling in a vulnerable one. I don't think any of it is necessarily dead... yet. I think the ground under it moved, and most of the industry hasn't felt the tremor yet.
The clearest way I can put it: picture a village of a thousand houses. Two owners leave their doors unlocked. A burglar used to spend days and might never find them. Now the unlocked doors get found instantly, all of them, every time. Security by obscurity is over, as we’ve said forever; now it really is. Which means a publicly exploitable medium is no longer something you let sit in the queue, and CVSS by itself stops telling you what to do first.
The afternoon got heavier. The rate the models are improving is faster than the room was comfortable with. Inside the companies building these systems, the share of code being written by AI is climbing toward most of it on some projects. Sit with what that does to vulnerability discovery and reverse engineering, and you understand why nobody left that room the same way they walked in.
Security programs have to adapt, and that's the part you have to hear in person to feel. What's getting more important is obvious once you've sat through the day: faster remediation, faster patching, blast radius reduction, Zero Trust, automation, infrastructure as code, anything that buys speed. The teams that already have that foundation will adapt. The teams that don't will fall behind, and the gap opens faster than anyone in that room used to assume.
The organizations in that room are the canary in the coal mine. Most of us move slower than the biggest technology companies, which means what landed on them last week is what's coming for the rest of us. I got to see it early. That's the value.
There are two more of these summits, one in New York on June 8 and one in D.C. on June 9, and seats are limited. If you want to hear firsthand what's coming before it arrives at your door, that's where to be. I'd go again.


SANS Fellow Frank Kim helps to develop the next generation of CISOs and cyber leaders while teaching LDR512 and LDR514.