The 2026 Verizon DBIR dropped yesterday, and the implication for vulnerability management teams is hard to ignore: the exploitation window has collapsed, and traditional patching cycles can't keep up. Three stats that should reshape your 2026 roadmap:
🔴 Exploitation of vulnerabilities is now the #1 initial access vector at 31% of breaches, up 55% year-over-year.
🔴 Only 26% of CISA KEV vulnerabilities were fully remediated in 2025, down from 38% last year. Median time to remediate is now 43 days.
🔴 Meanwhile, 29% of KEV vulnerabilities were attacked before public disclosure this year.
The math no longer works. You cannot patch your way out of a window that closes before the patch exists.
👉 Read our full breakdown of the report and what it means for security programs operating in the age of AI-accelerated exploitation: https://lnkd.in/eU5kVMAX
Zafran Security
Computer and Network Security
Proactively Stop the Exploitation of Vulnerabilities, Everywhere
About us
Zafran is an AI-native exposure management platform that eliminates the manual toil of vulnerability management by cutting through noise, revealing what is truly exploitable, and automating mitigation and remediation using the security controls teams already have. We are a team of practitioners and builders shaped by high-stakes security moments, where clarity and speed mattered, and manual processes came at a real cost. We’re on a mission to proactively stop the exploitation of vulnerabilities, everywhere.
- Website: https://www.zafran.io/
- Industry: Computer and Network Security
- Company size: 51-200 employees
- Headquarters: New York, New York
- Type: Privately Held
- Locations (primary): New York, New York, US
Updates
March 2024: Zafran came out of stealth with a thesis on AI-augmented exploitation (attached is a screenshot from our launch blog). May 2026, post-Mythos: that thesis is the operating reality of every security team. The difference between predicting a shift and being prepared for it shows up in how fast you can respond when it lands. Our customers aren't reacting to the new threat landscape. They're already operating in it, with remediation cycles measured in hours. If you're rebuilding your exposure management strategy this quarter, we can help you start today. Sanaz Yashar Ben Seri #CTEM #ExposureManagement #VulnerabilityManagement
For the first time ever, Google has documented a Zero-Day exploit built with AI and used in a planned mass exploitation operation. The GTIG report released this week confirms what the industry has been bracing for: attackers are now using AI to discover and weaponize vulnerabilities at a pace traditional VM programs were never built to handle. Here are the three shifts every program needs to make now:
🔹 From vulnerability to exposure. A CVE list is not a risk register. What matters is whether a vulnerability is actually exploitable in your environment, on which assets, and what your existing controls already neutralize.
🔹 From patch-only to compensating controls. Patching cannot outrun AI-assisted exploit development. The EDR, WAF, and firewall tools you already own are the defense layer that closes the window while patches catch up.
🔹 From human-speed to agentic. When thousands of AI-discovered vulnerabilities hit a compressed disclosure window, no team will triage them by hand. Governed automation is the only way to keep pace.
The full breakdown of the GTIG findings and what they mean for your program is in the blog 👇 https://lnkd.in/eaannGP3 #CTEM #ExposureManagement #VulnerabilityManagement
Zafran Security reposted this
What if a vulnerability could go from discovery to working exploit in under five minutes? That is no longer a hypothetical. It is the operating environment introduced by Anthropic's Claude Mythos Preview when Project Glasswing launched on April 7, 2026. Mythos has demonstrated over 83% accuracy in finding new vulnerabilities across every major operating system and web browser. The AI Security Institute found it succeeded on expert-level capture-the-flag challenges 73% of the time. Before April 2025, no AI model could complete tasks at that level of difficulty. Our new report, co-authored by Francis Odum, Lawrence Pingree, and Sean Sosnowski, surfaces three findings every security leader needs to act on:
⬩ Exploitation windows are collapsing to sub-5 minutes, effectively making Zero Days sub-hour vulnerabilities
⬩ The volume of AI-discovered bugs is overwhelming remediation capacity, requiring new commercial or consortium-led fixes
⬩ Defenders must leverage models like Mythos for automated counter-signatures and proactive patching in critical infrastructure, like Linux
The market map below highlights the emergence of a new security layer for the Mythos era: continuous exploitability management. Mythos does not create an entirely new cybersecurity problem; it accelerates existing ones. Here is our full report: https://lnkd.in/eYyxiZQt #Cybersecurity #AISecurity #CISO #VulnerabilityManagement #AIAgents #Mythos #RiskManagement #CyberResilience #SecOps
"The tip of the iceberg." That's how Google's GTIG chief analyst John Hultquist described the first confirmed case of criminal hackers using AI to discover and weaponize a zero-day in the wild, reported today by The New York Times.
→ A previously unknown flaw in a popular web-based admin tool, found and weaponized by AI, used by a criminal hacking group.
→ Hultquist also called it "a taste of what's to come," and said the problem is "probably much bigger" than this single incident.
→ AI-driven vulnerability discovery has moved from research labs to criminal toolkits in a matter of weeks.
👉 Read the full report from GTIG: https://lnkd.in/e4zuARJS
Earlier this month, every team at Zafran Security built something new with AI. 18 teams. Real prototypes. Real problems across sales, marketing, customer success, HR, support, and product, each tackled with a working AI prototype in under a week. A few that stood out:
- For sales: an AI battlecard generator that pulls together competitive positioning on demand.
- For marketing: an AI event targeting system that figures out which prospects to prioritize at conferences and field events.
- For everyone: an AI HR help assistant that answers the questions people usually hesitate to ask, instantly.
Zafran gives people room to experiment with the newest tools, ship fast, and learn from what works. People here level up because they're constantly building things they've never built before, with teammates who push them to think bigger. If this sounds like the kind of place you want to work, we're hiring across the board https://lnkd.in/gSMs3jPv Sanaz Yashar Ben Seri Rotem Peled-Dvir Tom Anthony Nick Fisher Itay Nachum Rachel Barouch-Haik Hadas Bergman
🤩 Spot on CNBC article from Samantha Subin and Hugh Son featuring Zafran CTO Ben Seri. VM teams have been losing ground for years against the increasing speed of vuln exploitation. Anthropic's Mythos just made it a board-level issue overnight.
Global banks, tech giants and governments were sent scrambling last month to contain the risks posed by Mythos, the Anthropic model said to be so powerful that it has found thousands of previously unknown vulnerabilities in the world’s software infrastructure. There’s just one problem: the capability they’re worried about is already here. Cybersecurity experts and artificial intelligence researchers told CNBC that the software vulnerabilities revealed by Mythos can be found using existing models, including those from Anthropic and OpenAI. Read the full story: cnb.cx/4u0GoxG
Zafran Security reposted this
We are not done talking about Mythos. H/T to Stephanie Domas for motivating this post. In short, Mozilla had built a harness for using existing models to discover vulnerabilities. When Anthropic handed them early access to Mythos, they were able to swap out models and were taken aback by the results. I make a couple of predictions in the article. https://lnkd.in/e59ZGg3s
🤖 Introducing the Zafran Zero Day Agent: from disclosure to mobilization in minutes. AI-accelerated models like Anthropic's Mythos have made manual vulnerability workflows obsolete. The Zero Day Agent continuously scans for new vulnerabilities, detects if you're exposed, and mobilizes mitigations and remediation before most teams have opened their inbox.
🔍 Detects exploitable zero days within 24 hours of disclosure, even before a CVE is assigned
🎯 Validates actual exposure in your environment using your SBOM, internet reachability, runtime context, and existing defense configurations
⚡ Auto-creates tickets, assigns ownership, and deploys mitigation and remediation steps the moment an exposure is confirmed
The gap between disclosure and exploitation is measured in hours. The Zero Day Agent shrinks it to minutes.
👉 Read the full breakdown https://lnkd.in/eJBA8Bzh
By far the most registrations of any webinar we've done 🤯 👉 https://lnkd.in/euK-BAbX Grab a seat and tune in this Thursday May 7 to hear Zafran CISO Nathan Rollings break down exactly how to lead the board through the Mythos conversation. Specifically:
→ How to frame the risk across three horizons
→ What your board is actually worried about (and what they're not asking yet)
→ How to present your security program with confidence
→ What asks are worth making while the window is open
All attendees will receive a CISO-tested PowerPoint template to help guide the conversation.