Shift to threat modeling for AI exploits

- Microsoft, CrowdStrike, CISA, Tenable, and Wiz all spent the past few weeks making the same point: patching alone is no longer enough.
- CrowdStrike says AI-enabled attacks surged 89% and breakout time fell to 29 minutes, which makes exploit-path prioritization more valuable than giant patch backlogs.
- The shift matters because defenders now have to rank exposure by business impact before attackers chain small flaws into fast, AI-assisted compromises.

Vulnerability management is turning into a race against exploit speed. That is the real story here. Security teams used to get away with a familiar loop — scan, patch, repeat. But the gap has widened between how fast defenders can fix things and how fast attackers can find, chain, and weaponize them with AI. Over the last few weeks, Microsoft, CrowdStrike, Tenable, Wiz, Palo Alto Networks, and CISA have all pushed some version of the same message: stop treating patching as the whole game and start modeling the paths an attacker would actually take. (microsoft.com)

### Why isn’t patching enough anymore?

Because patching answers the wrong question. It asks, “What is vulnerable?” Attackers ask, “What gets me in fastest?” Those are not the same thing. Microsoft put it bluntly in April: patching is still critical, but it is not sufficient on its own, especially when autonomous AI can exploit weaknesses across internet-facing assets, open-source software, source code, and baseline hygiene all at once. (microsoft.com)

### What changed this spring?

The big change is confidence about AI-assisted offense. CrowdStrike’s 2026 threat report says AI-enabled attacks surged 89% and average breakout time — the time from initial access to lateral movement — fell to 29 minutes. Palo Alto Networks made a similar argument in April, saying frontier models are getting u(microsoft.com)s used to rely on human effort to slow down. (crowdstrike.com)

### What does “threat modeling” mean here?

Not the old whiteboard exercise nobody updates. In this context, it means mapping how an attacker would move from an exposed asset to something the business actually cares about — customer data, production systems, identity providers, code repositories, cloud control planes. Basically, you stop counting CVEs like baseball c(crowdstrike.com)a world where AI can discover and exploit vulnerabilities faster than human teams can triage them. (wiz.io)

### So where does CISA fit?

CISA has been nudging the market this way for a while. Its Known Exploited Vulnerabilities catalog is explicitly meant to be an input into prioritization, not a complete patch list. The point is to focus remediation on the subset of flaws causing immediate harm in the wild. That is already a threat-modeling instinct — start with what is exposed, reachable, and actively useful to attackers. (cisa([wiz.io)abilities-catalog))

### Why are vendors talking about “exposure management”?

Because most organizations do not have one clean risk picture. They have siloed dashboards — cloud here, endpoints there, identity somewhere else, AI apps in another console. Tenable’s recent AI security writing argues that this fragmentation is the real blocker. If AI creates new attack paths across identities, code, cloud logs, and models, t(cisa.gov)ther pile of alerts. Rapid7 is making the same bet with AI-generated remediation guidance layered onto exposure data. (tenable.com)

### Does this mean patch less?

No — patch smarter. The catch is that blanket patch pushes still burn time and often miss the exposures that matter most. If one internet-facing system with weak identity controls can reach crown-jewel data, that path deserves attention before a long tail of isolated medium bugs. Threat modeling does not replace remediation. It decides the order. (micr([tenable.com)-an-ai-accelerated-threat-landscape/))

### What is the bottom line?

AI is compressing the time between “bug exists” and “bug gets used.” That pushes security programs away from volume-based patching and toward business-aware prioritization — which assets matter, which paths are reachable, and which fixes break the attacker’s route first. The teams that adapt fastest will not be (microsoft.com)s. (crowdstrike.com)
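The ordering the article argues for (exposed, reachable, actively exploited, and on a path to something the business cares about, before raw severity) can be made concrete. The example below is added here and is not code from the article or from any of the vendors it cites. It assumes a hypothetical asset graph and a handful of constructed findings (the `F-00x` labels are placeholders, not CVE numbers); the weights are arbitrary illustration values, not a published scoring scheme. It shows why a medium-severity bug on an internet-facing host with weak identity controls that can reach a crown-jewel system outranks an isolated critical, and which single fix breaks the attacker's route.

```python
"""Attack-path-aware prioritization of findings (added illustration, not from the article)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    internet_facing: bool = False
    crown_jewel: bool = False          # data or system the business actually cares about
    weak_identity: bool = False        # e.g. no MFA or shared admin credentials (assumed attribute)
    reaches: list = field(default_factory=list)  # assets this one can talk to (network/trust edge)


@dataclass
class Finding:
    asset: str
    vuln_id: str                       # constructed label, not a real CVE identifier
    cvss: float
    in_kev: bool = False               # listed in CISA's Known Exploited Vulnerabilities catalog


def paths_to_crown_jewels(assets, start):
    """Breadth-first search over the asset graph from `start`.

    Returns {crown_jewel_name: [start, hop, ..., crown_jewel_name]} for every
    crown jewel reachable from the asset the finding sits on.
    """
    parent = {start: None}
    queue = deque([start])
    paths = {}
    while queue:
        cur = queue.popleft()
        if assets[cur].crown_jewel:
            path, node = [], cur
            while node is not None:          # walk parents back to the start asset
                path.append(node)
                node = parent[node]
            paths[cur] = path[::-1]
        for nxt in assets[cur].reaches:
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return paths


def score(finding, assets):
    """Severity plus exposure context: KEV, internet exposure, identity weakness, reachable path.

    Weights are illustrative only; the point is that context, not CVSS alone, decides the order.
    """
    a = assets[finding.asset]
    s = finding.cvss
    if finding.in_kev:
        s += 4.0                      # exploited in the wild right now
    if a.internet_facing:
        s += 3.0                      # reachable without any prior foothold
    if a.weak_identity:
        s += 2.0                      # a foothold here converts cheaply into credentials
    paths = paths_to_crown_jewels(assets, finding.asset)
    if paths:
        s += 5.0                      # the asset is on a path to something that matters
    return s, paths


def prioritize(findings, assets):
    """Return findings ranked highest-score first as (vuln_id, asset, score, reachable jewels)."""
    scored = [(f.vuln_id, f.asset, *score(f, assets)) for f in findings]
    scored.sort(key=lambda row: row[2], reverse=True)
    return [(v, a, s, sorted(p)) for v, a, s, p in scored]


# Constructed asset graph: one exposed VPN gateway with weak identity that can reach the
# identity provider, which in turn reaches the customer database. Everything else is isolated.
ASSETS = {
    "vpn-gw":   Asset("vpn-gw", internet_facing=True, weak_identity=True, reaches=["ad-dc"]),
    "ad-dc":    Asset("ad-dc", crown_jewel=True, reaches=["cust-db"]),
    "cust-db":  Asset("cust-db", crown_jewel=True),
    "kiosk-01": Asset("kiosk-01"),
    "wiki":     Asset("wiki"),
    "build-srv": Asset("build-srv"),
}

# Constructed findings: a medium on the exposed path versus an isolated critical and two isolated mediums.
FINDINGS = [
    Finding("vpn-gw", "F-001", cvss=6.5, in_kev=True),
    Finding("kiosk-01", "F-002", cvss=9.8),
    Finding("wiki", "F-003", cvss=6.1),
    Finding("build-srv", "F-004", cvss=5.4),
]

if __name__ == "__main__":
    for vuln_id, asset, s, jewels in prioritize(FINDINGS, ASSETS):
        print(f"{vuln_id} on {asset}: score {s:.1f}, reaches {jewels or 'nothing critical'}")
```

With these inputs the 6.5 on `vpn-gw` scores 20.5 and lands first, the isolated 9.8 on `kiosk-01` scores 9.8, and the two isolated mediums trail. The `paths` returned for `F-001` (`vpn-gw -> ad-dc -> cust-db`) also name the one fix that removes the exposed route: remediating or isolating `vpn-gw` collapses every path in that dict to nothing. In practice the graph edges and the `in_kev` flag are the expensive part; the graph would come from cloud, identity and network inventory, and KEV membership from CISA's published catalog.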

Shared from Scout - Be the smartest in the room.