Skip to content Skip to sidebar Skip to footer
Home Resources Blog From vulnerability management to exploitability management

From vulnerability management to exploitability management

4 minutes reading time

From vulnerability management to exploitability management

For years, vulnerability management has relied on a manageable assumption: rank the findings, prioritise the critical ones, and give remediation time to move through ownership, testing and change windows. It’s a model that was already imperfect, but AI is now making it structurally insufficient.

The central lesson from the exchange between Bart Preneel and Karine Goris at a packed Solstice Event organised by the Cyber Security Coalition was not that AI will find more vulnerabilities (although it will). The crucial point was that AI changes the conditions under which vulnerabilities become exploitable. It compresses time, broadens scope, and makes attack paths easier to construct. 

“The time from vulnerability to exploitation is now measured in hours or even minutes,” said Bart Preneel, professor at KU Leuven and a leading expert in cryptography and privacy. Most organisations are not built to respond at that speed. Vulnerability management hinges on accurate asset inventories, coordination between security and IT teams, input from developers, supplier responsiveness, business prioritisation and change governance. AI will force defenders to accelerate. 

When a medium vulnerability stops being ‘medium’ 

AI can correlate weak signals, test combinations and chain weaknesses into plausible attack paths. A medium vulnerability may become more serious if the service is linked to an overprivileged account, exposed through a misconfigured cloud component, connected to a supplier environment, or reachable through a neglected legacy system. 

“We can’t focus only on the highs and the criticals; we also need to pay attention to the lows and the mediums,” said Karine Goris. This implies a shift from vulnerability management to exploitability management. 

More findings, less time 

Preneel cited the example of Firefox: Mozilla fixed 423 vulnerabilities in April 2026, compared with 31 in April 2025. The point is not that Firefox is unusually weak. It is that AI-driven discovery can make hidden weaknesses visible at a scale that existing processes may not absorb. 

Can organisations fight AI-driven exploitation with AI-driven defences? They should, but must avoid becoming overconfident in the technology itself. “We don’t actually understand how these systems work,” Preneel warned. He pointed to brittle AI systems and guardrails, including a prompt injection example that resulted in 28 MB of extracted training data. 

The move from AI assistants to AI agents reinforces that risk. The new generation of systems is autonomous and goal-oriented, capable of perception, planning, execution and verification. Security teams will increasingly face systems that can search for weaknesses, validate them, chain them, and act on them in real time, 24/7. 

A strategic dependency 

There is also a broader European dimension. Preneel estimated that global AI investment in 2026 will reach 2.55 trillion dollars, with the United States accounting for 47%, China for 18% and Europe for 16%. Even if those figures should be read cautiously, they point to a sovereignty issue. European organisations will increasingly depend on AI capabilities, infrastructure and suppliers they do not control. 

Four priorities for the next six months 

Goris’ answer was deliberately practical. She did not present AI as a justification to abandon existing security disciplines, but as a reason to execute them with more urgency. “It’s nothing new,” she said of the cyber foundations, “but we need to be stricter. We need to be faster.”  

For organisations, that means four priorities: 

  1. Identify where slow remediation is no longer acceptable. 
    Do not try to fix everything at once. Define where delay creates disproportionate exposure: internet-facing assets, business-critical systems, privileged identities, cloud workloads, externally connected environments and end-of-life systems. 
  2. Move from severity scores to attack-path thinking.
    CVSS scoresremain useful but should no longer be the only basis for prioritisation. Combine vulnerability data with asset criticality, identity exposure, cloud configuration, segmentation, code dependencies and third-party connectivity. 
  3. Treat third-party connections as part of the attack surface.
    Managed service providers, SaaS platforms, cloud environments, data exchanges, fourth parties and technical interconnections form part of the effective perimeter. Organisations need to know which connections exist, how they aremonitored, and who can isolate them when needed. 
  4. Build defensive AI capability with human control.
    Defenders cannot remain fully manual while attackers automate reconnaissanceand exploit generation and chaining. Organisations should experiment with AI-augmented testing, continuous scanning, faster triage and correlation of weak signals. The aim is not to hand over control to opaque systems, but to make expert teams faster and better informed. 

Goris ended on a cautiously optimistic note. The next two years will be difficult for security professionals, she warned, but they may also leave organisations more resilient than they are today. 

 

Solstice AI in the Ring 18-06-26
Solstice AI in the Ring 18-06-26
About the author
Frank Simkens

Frank Simkens

Frank Simkens is a seasoned marketing and communications expert with a passion for technology and innovation. As a copywriter at The Content Company, he knows better than anyone how to extract the essence from complex stories and translate them into clear messages.
Join our podcast
Please choose your preferred listening platform and language

Spotify

EN

FR

NL

Apple

EN

FR

NL

Join our newsletter

Cyber Pulse keeps you up-to-date on the latest cybersecurity news, community actions and member stories.