Cisco’s AI-Driven Infrastructure Security Model: Defending Against Emerging Threats


Key Takeaways

  • AI‑powered threat actors can now exploit vulnerabilities far faster than traditional patch cycles, rendering the old “risk‑threshold” model obsolete.
  • Cisco has shifted from an annual‑check posture to a continuous operating model built around real‑time visibility, validation, runtime protection, and modernization.
  • The defense loop is organized as an outside‑in process: internet‑facing edges are hardened first, then core assets, with every decision driven by exposure, exploitability, and business impact.
  • Legacy systems and end‑of‑life assets are retired or isolated because they cannot support advanced runtime defenses such as Hypershield, Live Protect, or eBPF‑based Tetragon.
  • The goal is an agile, adaptable network that can stay secure without scheduled downtime, turning security into a perpetual, machine‑speed improvement cycle.

Introduction: Why the Old Model No Longer Works
Every CISO is now asked whether the organization is ready for AI‑powered attacks. For years enterprises managed risk by setting a threshold, patching only the vulnerabilities above it, and tolerating the rest. That trade‑off made sense when adversaries needed months to weaponize a flaw. AI has collapsed that window to hours—or even minutes—so the “safe” zone below the threshold is now actively exploited. The bar has been dropped, and the entire risk model must be rethought.


What We’re Up Against: Cisco’s Own Attack Surface
Cisco’s corporate network carries traffic for millions of devices, thousands of applications, and a rapidly growing population of AI agents. It mirrors the environments our products protect, making it a prime target for the same adversaries we defend against. The classic vulnerability‑patching cycle—disclosure, patch development, change‑window scheduling, manual approvals, deployment—once measured in weeks, now faces attackers who can scan, exploit, and weaponize weaknesses at machine speed. New frontier AI models enable threat actors to discover and weaponize flaws in our code and across our supplier ecosystem almost as fast as we can patch them.


Real‑time Visibility First
Before any remediation can be accelerated, we needed a continuously updated, centralized picture of the entire attack surface. Real visibility goes beyond a simple asset inventory; it captures ownership, criticality, and the potential impact of compromise for every asset, identity, service account, cloud entitlement, and API. Knowing who owns what and how bad a breach could be forms the foundation for every subsequent security decision.


Continuous Exposure Validation, Not Periodic Review
Traditional validation relied on periodic reviews and CVSS scores to prioritize patches. AI‑driven adversaries ignore those scores, chaining low‑severity flaws into working exploits faster than any quarterly cycle can catch. We therefore abandoned static vulnerability lists in favor of continuous exposure validation. By simulating real attacks at machine speed, we identify what is actually exploitable—not merely what looks risky on paper—and focus remediation where it matters most.


Runtime Protection as a Bridge, Not a Destination
Runtime protection contains threats while we work on root‑cause fixes, buying time until a permanent patch is ready. The telemetry those runtime controls produce feeds back into the visibility layer, closing the loop between what we see and what we protect. The objective is a production environment that remains operable and safe even under partial compromise, turning runtime defenses into a resilient bridge rather than a final solution.


Modernization as a Strategic Security Imperative
A modern foundation is essential for the continuous loop to function. We are hardening the infrastructure by retiring end‑of‑life systems, eliminating insecure legacy services, and positioning the network for faster patching and greater resilience. Only on this modern base can advanced runtime defenses—such as Hypershield‑class segmentation, Live Protect, and the eBPF‑powered Tetragon agent—deliver real‑time vulnerability shielding without reboots or binary changes. Legacy systems simply cannot support these capabilities.


How We’re Prioritizing: Outside‑in
When the exposure surface is vast, sequencing matters as much as technical skill. We adopted an outside‑in approach: internet‑facing edges receive the highest patching velocity and shielding because they face the greatest and fastest‑moving risk. Moving toward the core, the pace becomes more deliberate, as those segments protect our most critical assets. Every decision follows the same risk‑based logic: determine what is most exposed, most vulnerable, and whether to remove, segment, apply runtime protection, or accelerate patching. End‑of‑life and unsupported assets are eliminated or isolated; externally exploitable flaws are patched first; assets that cannot be patched within operational windows receive runtime‑first protection while remediation proceeds.
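As an added illustration (not Cisco's code or tooling), the following Python sketches the outside‑in triage described here together with the visibility and validation sections above: every asset record carries owner, criticality and exposure data, the vendor CVSS score is kept for reference but does not drive ranking, and the action for each asset follows the rules stated in this section (retire or isolate unsupported assets, patch externally exploitable flaws first, shield at runtime what cannot be patched inside its window). The inventory, field names and hour thresholds are constructed assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    RETIRE_OR_ISOLATE = "retire or isolate (end of life / unsupported)"
    PATCH_NOW = "accelerate patching (externally exploitable)"
    RUNTIME_SHIELD = "runtime protection first, remediate in parallel"
    SCHEDULED_PATCH = "patch in the next operational window"
    MONITOR = "keep in inventory, re-validate continuously"


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                    # accountable team, as the visibility layer requires
    criticality: int              # 1 (low) .. 5 (business critical): impact of compromise
    internet_facing: bool         # the "outside" in outside-in
    supported: bool               # False = end of life / unsupported by its vendor
    cvss: float                   # vendor severity; recorded but NOT used for ranking
    validated_exploitable: bool   # outcome of continuous exposure validation
    patch_hours: Optional[int]    # estimated time to patch; None = no patch available
    window_hours: int             # longest change window the owner can tolerate


def decide(asset: Asset) -> Action:
    """Map one asset to the action the outside-in loop prescribes."""
    if not asset.supported:
        # Legacy assets cannot carry runtime defenses: remove or isolate them.
        return Action.RETIRE_OR_ISOLATE
    if not asset.validated_exploitable:
        # Looks risky on paper (maybe a high CVSS) but no working path was found.
        return Action.MONITOR
    patchable_in_window = (
        asset.patch_hours is not None and asset.patch_hours <= asset.window_hours
    )
    if not patchable_in_window:
        # Contain at runtime while the root-cause fix proceeds.
        return Action.RUNTIME_SHIELD
    if asset.internet_facing:
        return Action.PATCH_NOW
    return Action.SCHEDULED_PATCH


def priority_key(asset: Asset) -> Tuple[bool, bool, int]:
    """Order: most exposed first, then confirmed exploitable, then highest impact."""
    return (not asset.internet_facing, not asset.validated_exploitable, -asset.criticality)


def triage(assets: List[Asset]) -> List[Tuple[Asset, Action]]:
    """Return (asset, action) pairs in the order the loop should work them."""
    return [(a, decide(a)) for a in sorted(assets, key=priority_key)]


# Constructed sample inventory (hypothetical hosts, owners and numbers).
SAMPLE_INVENTORY = [
    Asset("vpn-edge-01", "netops", 5, True, True, 7.5, True, 4, 8),
    Asset("legacy-ftp-gw", "app-team-b", 3, True, False, 9.8, True, None, 48),
    Asset("erp-db-02", "finance-it", 5, False, True, 6.1, True, 72, 8),
    Asset("hr-portal", "hr-it", 3, False, True, 5.3, True, 2, 8),
    Asset("wiki-int", "it-ops", 1, False, True, 9.1, False, 1, 8),
]


def report(assets: List[Asset]) -> List[str]:
    """One human-readable line per asset, in triage order."""
    return [
        f"{a.name:<14} owner={a.owner:<11} crit={a.criticality} "
        f"{'EXT' if a.internet_facing else 'INT'} cvss={a.cvss:<4} -> {act.value}"
        for a, act in triage(assets)
    ]


if __name__ == "__main__":
    # Note that wiki-int, with the highest CVSS, lands last: it was never
    # shown to be exploitable, so it is monitored rather than rushed.
    for line in report(SAMPLE_INVENTORY):
        print(line)
```

The sort key deliberately ignores the CVSS field: the page's point is that validated exploitability and exposure, not a vendor score, decide what gets worked first. In practice the `validated_exploitable` flag would be fed by the continuous validation tooling and the `window_hours` by the asset owner recorded in the visibility layer.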


The Bigger Shift: From Fortress to Agile System
Our efforts point to a deeper transformation: security is no longer about building a hardened fortress that requires periodic downtime for patching. Instead, we are cultivating an agile, adaptable system that can continuously move toward a more secure state without taking a time‑out. As Jason Lish, Cisco’s Senior Vice President and CISO, puts it, “The game is always being ready to redeploy new, secure technologies. The notion that I’ve got to take a time‑out and do patching work—that’s the game of the past.” By participating in trusted initiatives like Anthropic’s Project Glasswing and OpenAI’s Daybreak, we gain deep insights that drive immediate operational changes, and we will keep proving each capability at scale, sharing learnings to help customers evolve their own defenses.


Conclusion: The Window Is Still Open
The window to get ahead of AI‑enabled threats remains open, but it will not stay that way indefinitely. Organizations that build the operational muscle for continuous visibility, validation, runtime protection, and modernization will compound their advantage. Those that wait will compound their risk. Cisco defends its own network every minute of every day with the same tools and processes we offer to customers, proving that a relentless, machine‑speed security model is not only possible—it is essential.


About the Author
Jason Lish is Senior Vice President, Chief Information Security Officer at Cisco. He provides strategic leadership for Cisco’s Information Security functions, including enterprise information security, data protection, attack surface management, and security operations. He also oversees value‑chain security and the Security and Trust Organization’s mergers and acquisitions service.


Join the Webinar
Glasswing: Mythos demands a new model for infrastructure – Cisco Security, Thursday, May 28, 2026, 12:00 PM. Tune in here!

