Seth Whitworth, who is both acting Associate Deputy Chief of Space Operations for Cyber and Data and acting chief information security officer, said he believes AI tools are shifting the way defenders review cyber risk, both for individual systems and more holistically throughout an enterprise.  

In particular, Large Language Models can be used to systematically implement fixes for the smaller but critical weaknesses that have allowed state-sponsored hackers and cybercriminals to get inside victim networks and live off the land.

“Our adversaries are not looking for the massive cybersecurity vulnerabilities – we’re actually pretty good at [defending] that,” said Whitworth Tuesday at AI Talks, presented by Scoop News Group. “They’re looking for a misconfiguration, a failed update, a tiny little thing that allows them an entry point into a very connected network.”

Many of these basic cyber hygiene problems tend to fall under existing compliance programs, but it can take more than legal mandates to fix them. Many enterprise IT networks – particularly older ones – build up technical debt over time, leading to forgotten systems, hidden routers and other forms of shadow IT that get more insecure over time.

Cybersecurity experts say agents and the Large Language Models that power them – which operate in perpetuity 24/7, – are particularly well-suited to finding these smaller flaws and quickly exploiting them.

But Whitworth argued that the same technology can be used to reshape how organizations measure and track cyber compliance, from a sluggish box-checking exercise to something more nimble and substantive. He claimed that Space Force’s internal process for obtaining Authorities to Operate and other formal security certifications used to take 3-18 months. Now, it “can now be done in weeks and days.”

That in turn can empower program managers to “pull in all of that massive amount of data, allow the AI – who doesn’t get tired, who doesn’t miss patterns, who doesn’t miss these components – to churn on those items and them deliver something” that can inform real-time changes to cybersecurity, he said.

Whitworth also acknowledged the “fear” that many organizations still have around the use of AI, as well as lingering concerns about some of the technology’s enduring limitations like hallucinations and data poisoning. He said he still gives AI-generated outputs “extra scrutiny, because I haven’t seen the trusted validation” yet.

But he also said he gets more valuable insight on the Space Force’s holistic cyber risk from using Large Language Models than he does from other security control assessments, which tend to narrowly focus on the risk of single systems or assets in isolation.

“We are operating in a highly connected, highly orchestrated world, and so moderate risk that’s accepted in one program immediately becomes moderate risk that is accepted in another program,” said Whitworth. “AI can take that whole picture and understand that when this system change impacts this system, it also impacts this [other] system.”

The post Space Force official touts AI’s impact on cyber compliance appeared first on CyberScoop.

SAN FRANCISCO — Every RSA Conference has its buzzwords. Cloud. Ransomware. Zero trust. Plastered across the 87-acre Moscone Center complex on every booth, banner and bar. This year was AI, with vendors pitching AI-powered solutions to every security problem imaginable. But 2026 stood out for a different reason: Industry leaders spent the conference warning about disruption from the very technology everyone was selling.

In an exclusive discussion with CyberScoop at this year’s conference, Kevin Mandia, founder of AI security company Armadin, Morgan Adamski, former executive director of U.S. Cyber Command, and Alex Stamos, a researcher and former chief security officer at several major technology companies, said the industry is entering what they described as an unprecedented two- to three-year period of upheaval, driven by AI systems that are discovering vulnerabilities exponentially faster than defenders can respond and threatening to render decades of security practices obsolete.

“We are just at the inflection point that is going to be pretty insane, at least two to three years,” Stamos said, describing a near-term future in which AI systems flood the threat landscape with working exploits while organizations struggle to patch vulnerabilities faster than attackers can weaponize them.

Mandia put the timeline more bluntly. “It’s a perfect storm for offense over the next year or two,” he said.

The core problem, according to the executives, is speed. AI has made vulnerability discovery almost trivial, while remediation takes time and effort, creating a widening gap that favors attackers across every stage of the kill chain.

“Because of the asymmetry in the cyber domain, where one person on offense can create work for millions of defenders, speed leverages that asymmetry,” Mandia said. “In the near term, there’s an advantage to the attackers as they start to use models and agents to do a lot of the offense.”

Bug discovery goes exponential

The shift is already underway. Stamos, who is currently chief security officer at Corridor, said foundation model companies are sitting on thousands of bugs discovered through AI-assisted analysis that they lack the capacity to verify or patch. 

“The exploit discovery has gone exponential,” Stamos said. “What we haven’t seen go exponential yet is plugging that into working shellcode that bypasses protections on modern processors. But maybe six months or a year from now” AI will be generating sophisticated exploits on demand.

He pointed to examples of AI systems discovering vulnerabilities in decades-old code that had been reviewed by thousands of developers and professional security researchers. In one case, he said, an AI system identified a flaw in foundational Linux kernel code that humans had overlooked for years.

 “This superintelligent system was able to figure out a way to manipulate the machine into a place that, when you look at the bug, I’m not sure how a human could have found that,” Stamos said.

The pace of discovery is creating what Stamos called “a massive collective action problem.” Each successive generation of AI models could surface hundreds of new vulnerabilities in the same foundational software. “It’s quite possible that all this development we’ve done in memory-unsafe languages, without formal methods, that none of that is actually secure in the presence of superintelligent bug-finding machines,” he said. “In which case we need to be massively rebuilding the base infrastructure we all work on. And nobody is doing that.”

The timeline for when those capabilities become widely accessible is measured in months. When Chinese open-source models, like DeepSeek or Alibaba’s Qwen, reach current American foundation model capability levels, Stamos said, “you’re going to have every 19-year-old in St. Petersburg with the same capability” as elite vulnerability researchers.

Models trained on existing shellcode are already “reasonably good” at generating exploit code, he said, and may be capable of producing EternalBlue-level exploits within a year. That NSA-developed exploit, leaked in 2017, was used in the WannaCry and NotPetya attacks and remained effective for years because of how difficult such capabilities were to develop. 

“Imagine when that becomes available on demand,” Stamos said.

Agents already operating beyond human scale

Mandia’s company Armadin has built AI agents capable of autonomous network penetration that he said would be devastating if deployed maliciously. Unlike human attackers who must manually type commands and wait for results, AI agents operate across hundreds of threads simultaneously, interpolating command outputs before they arrive and launching follow-on actions in microseconds.

“The scale and scope and total recall of an AI agent compromising you and swarming you is not humanly comprehensible,” said Mandia, who founded Mandiant and served as CEO from 2016 to 2024. “If the old way was a red team that would get in, there’s a human on a keyboard typing commands. That’s a joke compared to” what AI agents can do.

Those agents can evade endpoint detection and response systems in under an hour, he said, and operate at human speed to avoid rate-limiting detection mechanisms. Once inside a network, an AI agent can analyze documentation, packet captures and technical manuals faster than humans can read them, designing attacks tailored to specific control systems on the fly.

“When you build the offense, it scares the heck out of you,” Mandia said. “If we let the animal out of the cage today, nobody’s ready for it.”

He said Armadin recently tested a Fortune 150 company with a strong security team and found either remote code execution vulnerabilities or data leakage paths in every application tested. “Both of us were shocked,” he said.

The shift changes the fundamental question boards ask after penetration tests. Historically, directors wanted to know the probability a demonstrated attack would occur in the real world. “In the age of humans, you could never really answer,” Mandia said. “But with AI, it’s 100 percent. It’s coming and it’s going to get cheaper and more effective at the same time.”

Defenders face impossible timelines

The compression of attack timelines is colliding with organizational realities that are moving in the opposite direction. Adamski, who is now the U.S. lead for PwC’s Cyber, Data & Technology Risk business, said chief information security officers face pressure from boards to adopt AI rapidly, often with explicit goals of reducing headcount, even as compliance requirements remain unchanged and the threat landscape accelerates.

“CISOs are getting squeezed in that they cannot stop adoption because of demand from the board, from the CEO,” Adamski said. “None of the SOC 2 requirements have changed. ISO 27000, anything that helps people get through from a compliance perspective, all those rules are exactly the same.”

Stamos said patch cycles illustrate the mismatch. Where previously only sophisticated adversaries could reverse-engineer Microsoft’s Patch Tuesday updates to develop exploits, AI will democratize that capability. “You’re going to be able to drop the patch into Ghidra, driven by an agent, and come up with [an exploit],” he said. “Patch Tuesday, exploit Wednesday.”

Many CISOs are trying to bolt AI capabilities onto existing security operations, an approach the executives said is insufficient. “They’re not stepping back and looking at the bigger picture, that we have a fundamental, much more holistic problem in terms of how to reimagine and redo an entire cyber defense ecosystem that is solely driven by AI machine to machine,” Adamski said.

Avoiding Pandora’s box

The national security implications compound the problem. While other former government leaders talked at the conference about what they saw as the United States’ slipping in offensive cybersecurity, the three industry leaders spoke to what they believe nation-states have developed with the use of AI.

“I think we’re seeing less than 50 percent of the AI capability from modern nation-states right now,” Mandia said. “They’re not pressing. Nobody wants to be the first one to open that door.”

Stamos said the operational tempo favors U.S. adversaries. Russian intelligence services can observe and record data from the hundreds of businesses hit by ransomware daily, using that operational experience to train offensive AI models. “We don’t have that kind of operational pace in the U.S.,” he said.

Adamski said any AI capability the United States develops for offensive cyber operations carries inherent risks. “Anything you introduce, you’re introducing it to an ecosystem that they can use back at us,” she said.

Stamos said AI’s impact on cybersecurity will likely produce harmful consequences before other domains because the threshold for cyber operations is already low. “We allow on a Tuesday to happen in the cyber world what we would consider an act of war if it was in any other context,” he said. “I think this is where AI will be used first to hurt people, will be in cyber.”

Two years, maybe

The executives offered limited optimism that AI could also accelerate defensive capabilities, primarily by making security testing affordable at scale and enabling autonomous response systems. But the timeline for when defensive capabilities might catch up depends on immediate action. 

“Two years if we’re good,” Stamos said. “Two years is the minimum if we actually start really fixing code and refactoring stuff into type-safe languages using formal methods.”

Mandia offered optimism “a few years out” if offensive AI built by defenders successfully trains autonomous defensive systems. But he acknowledged the current state is dire. Organizations will need autonomous systems capable of immediately quarantining anomalous behavior, he said, because traditional detection and response timelines will collapse.

“You’re not going to have time to call Mandiant on a Thursday afternoon, get people in, sign a contract,” Mandia said. “You’re going to have to be able to respond at machine speed.”

Stamos said defenders must assume they cannot patch their way out of the problem and focus instead on defense in depth, particularly around lateral movement and persistence, which remain more difficult for AI to automate than initial exploitation.

But even that assumes organizations have time to prepare. The executives suggested that window is closing rapidly, if it hasn’t already shut for good.

Adamski summed up the reckoning facing the industry: “AI is going to potentially make us pay for the sins of yesterday.”

The post Security leaders say the next two years are going to be ‘insane’ appeared first on CyberScoop.

SAN FRANCISCO — The Trump administration’s two-week old cyber strategy that aims to promote more proactive, offensive actions while bolstering federal networks and critical infrastructure, is a significant shift that’s already materializing in meaningful ways, a group of experts said Monday at the RSAC 2026 Conference. 

Despite the federal government’s absence from the industry’s largest annual gathering, and the long-anticipated document’s brevity, representatives from a major cybersecurity vendor, consulting, venture capital and law firm were quick to defend and evangelize the administration’s strategic actions in cyberspace. 

The freshly-released strategy puts the federal government on firm footing to move beyond deterrence and into action, said David Lashway, partner and global leader of cybersecurity and national security at Sidley Austin. 

“We are going to take offensive and defensive action with the most powerful cyber capability that the world’s ever seen, and hopefully will ever know,” he said. 

This doesn’t mean, as some industry observers have suggested, that the Trump administration is pushing private companies to hack back. 

The scale and whole of government response is the key difference between the latest federal cyber strategy and what administrations have called for over the past decade, Lashway said. 

Instead of relying on private lawyers to get a nationwide injunction and collaborate with dozens of governments for massive takedowns, or government agencies collaborating with private security companies on a limited basis, the strategy aims to mobilize “the massive infrastructure and capability of the United States in a more coordinated way,” he added. 

This strategic pivot won’t achieve all of its objectives immediately, but it’s already showing signs of impact, according to Lashway. “It’s been different since they issued the strategy,” he said. “We’ve already noticed a difference.”

Wendi Whitmore, chief security intelligence officer at Palo Alto Networks, said she’s also seen more collaboration in the private sector.

“While there’s no doubt challenges related to current staffing and the dynamic environment going on with the government, I have never before seen as much action and cooperation as we are seeing today, and that’s from every government agency that we’re working with,” Whitmore said. 

“There is certainly a tremendous shift in the level of discussion that we get from the government today,” she added. “It’s a very proactive, kind of muscular dialogue that’s different from what I’ve previously seen.”

Experts said that earlier concerns about triggering backlash and worsening already fragile systems had kept the federal government from taking certain actions, but that caution is now being reconsidered.

“The government’s going to start punching people in the face,” said Jamil Jaffer, venture partner and strategic advisor at Paladin Capital Group. 

Trump administration officials have told the private sector it wants their help and they need to be well defended, he added. “If we do live in glass houses, well, everyone’s going to need to start putting more glass up.”

Jaffer expects the Trump administration to prevent and respond to intrusions aggressively and publicly. “Half the problem with deterrence today is we don’t actually practice real deterrence when it comes to the cyber domain. We don’t punch people back,” he said. 

The dynamic and proper response, to him, is akin to a child responding to a bully at school. 

“If you get hit in the face, punch them back in the face,” Jaffer said. “Do it publicly. Everyone sees it. Less people come after you.”

The post Experts insist Trump administration’s cyber strategy is already paying off appeared first on CyberScoop.

The Trump administration’s top cyber officials have emphasized the urgent need to take aggressive action to deter increasingly brazen foreign cyberattacks. Trump himself, however, has repeatedly brushed aside the notion that foreign cyber activity is anything even really noteworthy.

When Trump’s team talks about foreign hacking, be it China’s alleged massive cyberespionage campaign against telecommunications companies or its efforts to take root in U.S. critical infrastructure, they insist the actions can’t be tolerated and must be deterred.

“We need to find some way to communicate that this is not acceptable,” Alexei Bulezel, senior director for cybersecurity at the National Security Council, said in May when asked about the groups thought to be behind those campaigns, Salt Typhoon and Volt Typhoon.

More recently, last month, National Cyber Director Sean Cairncross cast a wider net about foreign adversaries who want to “do us harm,” saying, “To date I don’t think the United States has done a tremendous job of sending the signal, in particular to China, that their behavior in this space is unacceptable.”

Trump, by contrast, has framed all that differently, to the point of dismissiveness.

Asked in June about Chinese hacking of U.S. telecoms, theft of intellectual property and more, Trump answered, “You don’t think we do that to them? We do. We do a lot of things. … That’s the way the world works. It’s a nasty world.”

Asked in August about whether he would discuss alleged Russian hacking of U.S. courts with Vladimir Putin, Trump replied, “I guess I could, are you surprised? … They hack in, that’s what they do. They’re good at it, we’re good at it, we’re actually better at it.”

The gulf between what Trump says about cyber compared to what his top deputies say provokes a variety of reactions from cyber experts and former officials. It sends mixed signals to adversaries, some say, while others say it might just reflect facts of life about today’s cyber environment or a president who doesn’t behave or think conventionally.

At the same time, Trump’s casual messaging about cyber may reflect a broader trend of nations increasingly treating cyber operations as a routine instrument of power.

A need for consistency?

A lack of consistency between the president and his personnel muddles a clear message to adversaries, and downplaying cyberattacks is unwise, said Christopher Painter, who served as the top State Department cyber official under President Obama.

“Either cyber and cyberattacks are a priority or they’re not, and it’s [a] problem if you communicate they’re not serious by saying, ‘Oh, we don’t care now,” said Painter, now a nonresident senior adviser at the Center for Strategic and International Studies. Cyberattacks are serious, he said, and “We need to say it, and we need to be consistent about it, and we need to make sure we take it seriously. So I am concerned that it undermines the narrative that I think we need.”

Trump downplayed foreign cyber activity during his first term, too, both publicly and privately, in the latter case shunting away an adviser while the president tried to watch a golf tournament by saying “You and your cyber … are going to get me in a war — with all your cyber s—t.” According to Painter, Trump often links the issue to Russian interference in the 2016 presidential election, a subject he resents because he believes it undermines the legitimacy of his presidency.

But Painter also noted Trump wasn’t the first to downplay any kind of foreign cyber activity, with former Director of National Intelligence James Clapper remarking about the 2015 Office of Personnel Management hack, “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”

Clapper also drew a line between the OPM breach, which he said was “passive intelligence collection activity” and a full-fledged cyberattack. There’s a long-lasting debate over whether cyberespionage constitutes a cyberattack.

Trump officials, too, have emphasized they’re more worried about the activity of Volt Typhoon, with its potential for disruption, than that of Salt Typhoon, which is more espionage-focused.

Some analysts acknowledge that Trump has a point when he dismisses cyberespionage as a fact of modern life rather than something that requires retaliation. “My own experience says that it’s extremely difficult, if not impossible, to deter espionage,” said Michael Daniel, who held the White House’s top cyber position under Obama and is now president of the Cyber Threat Alliance.

Any threat in an attempt to deter cyberespionage has to be credible to be effective, said Erica Lonergan, an assistant professor at Columbia University’s School of International and Public Affairs. And there are a few things working against the United States making credible threats.

“We do it, because we all do it, and everyone knows we do it,” she said. Next, the potential consequence has to be more harmful than the value of cyberespionage, which is extremely useful to have. “We’re not going to go to war over cyberespionage. No matter how many times a member of Congress calls it an act of war or not, we didn’t go to war over the spy balloon.”

Yet other analysts read Trump’s comments on foreign cyber activity differently. He might have an aggressive reaction to a more clearly damaging attack than the incidents he’s downplayed, said James Siebens, a fellow with Stimson Center’s Strategic Foresight Hub.

“If we were talking about a genuinely destructive cyberattack that cost people’s lives, I would imagine that there would be a fairly forceful response,” said Siebens, who recently co-authored a study on cyber deterrence. “My view is that President Trump was doing something that he often does, which is to state plainly things that make people uncomfortable, but are nonetheless observable and rooted in an important truth.”

Richard Harknett, director of the Center for Cyber Strategy and Policy at the University of Cincinnati, took Trump’s recent remarks as a comment more on the potency of U.S. capabilities compared to its adversaries.

“It wasn’t sort of a complacency, it was more confidence,” said Harknett, who served as the first scholar-in-residence at United States Cyber Command and National Security Agency beginning in 2016. Of course, he said, “The president tends to speak in confident terms regardless.”

Daniel said that some  contradictions between Trump and his cyber team are to be expected. Different officials are bound to have differences of opinion, including in the Trump administration, which has hardly been a “paragon of consistency” in its messaging to the world, he said. Daniel added that deterrence is a challenge for every administration; throughout history, the United States has often threatened not to tolerate certain actions, but then failed to respond when those actions occurred. 

Several experts said they were willing to give the administration time to iron out any potential contradictions. Harknett said it’s hard to read too much into public comments alone right now. More important, Harknett and others said, will be what the administration says in a forthcoming cyber strategy.

A global trend?

Trump is not the only world leader in recent months to speak about his nation’s cyber activity in a more casual manner. At the beginning of this month, Chinese President Xi Jinping and South Korean President Lee Jae Myung joked about the security of a cell phone gift that Xi gave his counterpart, which ended in Xi quipping, “You can check if there’s a backdoor.”

It was “weird for Xi, especially because the Chinese are loath to ever admit they do anything,” Painter said, even if he was joking.

The openness about cyber doesn’t end there, extending to a number of cases where nations that historically haven’t pointed the finger at other countries over alleged cyberattacks are more willing to do so by releasing technical analyses.

“We’re starting to see more non-Western countries, and notably China, making attributions back now,” said Allison Pytlak, director of the Cyber Program at the Stimson Center think tank and the co-author of the deterrence report with Siebens. Singapore recently made its first cyber attribution as well.

Trump officials have been touting offensive operations, which used to be a topic of very little public discussion. And other nations have been growing more open about cyber operations, from Japan’s recent active cyber defense legislation to Australia establishing its own Cyber Command last year.

‘There is more openness about cyber in general, the strategic level, in terms of leaders being willing to talk about cyberespionage, cyber offense,” Lonergan said. “No one talked about cyber offense in the U.S. government for years.”

That openness could turn out to be a good thing, Pytlak said. It could “spark debate” in the public about the very nature of cyber, about the differences between the harm espionage causes and the kind of national security threat other kinds of activity poses.

The post While White House demands deterrence, Trump shrugs appeared first on CyberScoop.

Many web application firewalls (WAFs) can be bypassed by simply sending large amounts of extra data in the request body along with your payload. Most WAFs will only process requests up to a certain size limit. How the WAF is configured to handle these large requests determines exploitability, but some common WAFs will allow it by default.

The post Bypassing WAFs Using Oversized Requests appeared first on Black Hills Information Security, Inc..

One tool that I can't live without when performing a penetration test in an Active Directory environment is called NetExec. Being able to efficiently authenticate against multiple systems in the network is crucial, and NetExec is an incredibly powerful tool that helps automate a lot of this activity.

The post Getting Started with NetExec: Streamlining Network Discovery and Access appeared first on Black Hills Information Security, Inc..

Jordan Drysdale // Overview The following description of some of Impacket’s tools and techniques is a tribute to the authors, SecureAuthCorp, and the open-source effort to maintain and extend the code. […]

The post Impacket Defense Basics With an Azure Lab  appeared first on Black Hills Information Security, Inc..

In this BHIS webcast, we cover some new techniques and tactics on how to track attackers via various honey tokens.  We cover how to track with Word Web Bugs in ADHD and […]

The post BHIS Webcast: Tracking Attackers. Why Attribution Matters and How To Do It. appeared first on Black Hills Information Security, Inc..

Jordan Drysdale & Kent Ickler// Jordan and Kent are back with more blue team madness! The shameless duo continue their efforts to wrangle decades old attacks against wireless networks. The […]

The post WEBCAST: Stop Sucking at Wireless appeared first on Black Hills Information Security, Inc..

John Strand// In this webcast John talks about the new ACDC law and what it means exactly. There has been quite a bit of anger and great GIFs about hacking […]

The post WEBCAST: Proper Active Defense and the New ACDC Active Defense Law appeared first on Black Hills Information Security, Inc..

John Strand // I wanted to take a few moments and address the “Hacking Back” law that is working people up. There is a tremendously well-founded fear that this law […]

The post Debating the Active Defense Law.. Because Arguing is Fun appeared first on Black Hills Information Security, Inc..

Beau Bullock, Brian Fehrman, & Derek Banks // Pentesting organizations as your day-to-day job quickly reveals commonalities among environments. Although each test is a bit unique, there’s a typical path […]

The post WEBCAST: CredDefense Toolkit appeared first on Black Hills Information Security, Inc..

Derek Banks // I want to expand on our previous blog post on consolidated endpoint event logging and use Windows Event Forwarding and live off the Microsoft land for shipping […]

The post End-Point Log Consolidation with Windows Event Forwarder appeared first on Black Hills Information Security, Inc..

Derek Banks, Beau Bullock, & Brian Fehrman // Our clients often ask how they could have detected and prevented the post-exploitation activities we used in their environment to gain elevated […]

The post The CredDefense Toolkit appeared first on Black Hills Information Security, Inc..

This is the in-studio version of our live in DC event from July. In this webcast, John covers how to set up Active Directory Active Defense (ADAD) using tools in […]

The post WEBCAST: Active Domain Active Defense (Active DAD) Primer with John Strand appeared first on Black Hills Information Security, Inc..

CJ Cox // We frequently get requests from customers asking us if we provide consultation defending their systems. The other day I got a question from a customer asking us […]

The post How to Build Super Secure Active Directory Infrastructure* appeared first on Black Hills Information Security, Inc..

Kent Ickler // How to Configure Distributed Fail2Ban: Actionable Threat Feed Intelligence Fail2Ban is a system that monitors logs and triggers actions based on those logs. While actions can be […]

The post How to Configure Distributed Fail2Ban: Actionable Threat Feed Intelligence appeared first on Black Hills Information Security, Inc..