To stay ahead of adversaries and defend against AI-accelerated attacks, we need a renewed focus on the fundamentals of cybersecurity.
There’s something paradoxical about preparing for AI-driven cyber attacks. The instinct, when faced with adversaries who can operate at incredible speed, is to throw out the existing playbook and reach for novel approaches to cyber defense.
The more effective response is the opposite: a renewed, intensified focus on the fundamentals that have always defined good cyber programs. AI-era attacks are different in velocity and scale, not in kind — and the defensive response should track that distinction. In other words, cyber leaders must double down on the foundational disciplines while updating the processes and technologies that execute them so the work happens faster, more accurately, more comprehensively, and with increasingly advanced automation.
This post lays out the case in detail: what AI actually changes about the threat landscape, why the existing fundamentals are still the right framework, why most of the tools organizations use to execute that framework are no longer sufficient, and what the path forward looks like.
What AI Actually Changes About the Threat Landscape
Start with what AI is and isn’t doing on the attacker side, because a lot of confused defensive thinking begins with a misread of the offensive capability.
AI is not inventing new attack techniques. The vulnerabilities being surfaced by frontier models — including the thousands of zero-days reportedly identified by Claude Mythos Preview across major operating systems and browsers — fall into classes researchers have understood for decades: memory corruption, use-after-free bugs, buffer overflows, injection, cross-site scripting, and the rest of the well-known catalog. AI systems are trained on human-generated data and continue to operate within the bounds of human-documented knowledge. They are not, at least not yet, producing genuinely novel attack categories.
What AI changes is the speed, scale, and economics of applying that knowledge. A capable model can review more code, more carefully, faster than any human team. It can probe more of an organization’s external footprint in an hour than a human attacker could in a week. It can iterate on exploit attempts continuously, without fatigue or breaks, and without the bottleneck of human attention. The window between vulnerability disclosure and large-scale weaponization, which used to be measured in weeks, is collapsing toward minutes.
The summary: the attack surface didn’t change, but the rate at which it gets probed and the speed at which vulnerabilities are exploited did. The implications for defense follow from that single observation.
The Problem Isn’t the Playbook — It’s the Tools Built to Run It
The cybersecurity playbook has been broadly right for years. Asset management, vulnerability management, detection and response, incident response, identity and access management — these are the right disciplines, and they always have been. Security leaders and practitioners aren’t failing at their jobs by focusing on them. The fundamentals have always been the fundamentals for a reason.
The problem is that many of the technologies organizations rely on to execute this playbook were built ten, fifteen, or in some cases more than twenty years ago. They were designed for a slower, more predictable threat environment. Periodic asset and software inventory reviews were defensible because the rate of change in an organization’s external footprint was lower. Patch SLAs of thirty, sixty, or ninety days were within the threat environment’s tolerances. The tools matched the era.
To their credit, many of these platforms have evolved — adding scanning capabilities, expanding coverage, integrating threat intelligence, and layering on machine learning. But evolutionary improvements to architectures designed for a different era have inherent ceilings. A platform whose data model assumes weekly refresh cycles cannot simply be updated to operate continuously. A discovery engine whose seeding model assumes a known list of domains cannot simply be retrofitted to find what the organization doesn’t know it owns. The constraints are baked into the architecture.
A recent Anthropic blog post titled “Preparing your security program for AI-accelerated offense” captures the practical implications:
- close your patch gap
- prepare for a higher volume of vulnerability reports
- find bugs before you ship
- find the vulnerabilities already in your code
- design for breach
- reduce and inventory what you expose
- shorten your incident response time
What’s striking about that list is how foundational it is — it would have been good advice in 2010, 2015, or 2020. The argument isn’t that the work has changed. It’s that the cadence and execution requirements have, and the platforms used to do the work have to change with them.
The path forward is not to abandon the fundamentals or buy into AI-washed marketing for marginal gains. It’s to execute the same fundamental disciplines using technology purpose-built for the current threat environment.
Four Dimensions of Modernized Fundamentals
What does purpose-built actually mean? It comes down to four properties that distinguish modernized security platforms from their legacy predecessors. Each corresponds to a place where the old execution model breaks down under AI-enabled pressure.
Real-Time
Quarterly inventory refreshes, weekly scans, monthly vulnerability reviews, and patch SLAs measured in months were defensible when attackers also operated on those timescales. With the disclosure-to-weaponization window compressing toward minutes, the entire defensive cycle has to compress with it. If your remediation cadence is measured in weeks, you’ve already lost on a meaningful percentage of incidents before they begin.
Modernized platforms have to operate continuously. Discovery, vulnerability detection, risk assessment, and triage all need to happen in near real-time, not on a schedule set when the threat moved more slowly. This isn’t an aspiration anymore. It’s the new floor.
High-Fidelity
The next wave of security operations is going to be heavily AI-augmented. SOC copilots, agentic triage systems, automated remediation workflows, and AI-assisted incident response are all real and arriving fast. Every one of those capabilities is bottlenecked on the quality of the underlying data.
Inaccurate asset inventories produce inaccurate risk scoring, which produces misallocated analyst attention. AI agents given bad data produce confidently wrong recommendations at speeds humans can’t audit in real time. Garbage in, garbage out — except now the throughput is so high that the consequences compound much faster.
High-fidelity ground truth — accurate to the asset, attributed correctly, continuously refreshed — is the substrate everything else runs on. As security operations transition toward AI-driven workflows, data quality becomes the most important property of the underlying platform, not a peripheral concern.
Full-Coverage
Attackers only need one way in. A forgotten IP address from a deprovisioned cloud project. A legacy service running on a non-standard port that nobody decommissioned when the application was retired. A development environment that was supposed to be temporary and is now three years old. A subsidiary’s infrastructure that was never folded into the parent organization’s inventory after the acquisition closed. An internal tool that an engineering team exposed to the public internet for a quick test and never took down.
Most discovery tools are seeded — you give them a list of domains and IPs, and they find what’s connected to those seeds. Anything outside that connection graph is invisible. In a slower threat environment, that invisibility was uncomfortable but survivable. In an AI-accelerated environment, where adversaries routinely scan all possible ports and increasingly probe both IPv4 and IPv6 looking for exactly the kind of forgotten asset described above, the same invisibility is fatal.
Full coverage has to mean everything you’re responsible for protecting, not everything connected to what you already knew about. That’s a meaningful architectural distinction, and it separates platforms built for the current threat environment from platforms built for the prior one.
Workflow-Native
Manual ticket assignment, manual exception tracking, manual coordination between security and IT for patch deployment, manual integration between scanning tools and downstream systems — these are the human-speed bottlenecks that AI-era attacks bypass entirely. They were tolerable when everything else was also slow. They aren’t anymore.
Modernized platforms have to be operable through APIs, seamlessly integrated with the workflows security teams actually use, and capable of feeding clean data into whatever sits downstream — whether that’s traditional SIEM, XDR, and SOAR playbooks or the agentic AI systems increasingly being deployed in the SOC. Webhook architectures, MCP support, machine-readable outputs, and programmatic access stop being nice-to-haves. They become the connective tissue that determines whether the rest of the security program can operate at speed.
The Real Challenge in Cyber Risk Management
None of the above is news to most security leaders. The challenge isn’t recognition; it’s the structural difficulty of running a security program inside a real organization.
Cyber risk management has always required tradeoffs against limited resources, competing priorities, and organizational friction. Security leaders work within budgets that may not flex, boards that vary widely in their tolerance for cyber risk and their appetite for spending increases, GRC processes that introduce drag on tool adoption, and procurement cycles that can turn an obvious purchase into a multi-quarter exercise. Identifying the gap is rarely the hard part. Closing it within the constraints of the organization is where the actual work lives.
The vendor landscape compounds the difficulty. The cybersecurity market has thousands of products, many of which make confident marketing claims that don’t fully translate to operational capability. AI-washing has made this worse — it’s now common for tools to be positioned as AI-driven when the actual AI component is incidental to the value delivered. For a CISO trying to make smart investment decisions, separating substance from positioning takes real work, and the answer is frequently more nuanced than a sales conversation reveals.
There is, however, a useful upside to the current moment. AI-enabled attacks and high-profile capabilities like Mythos have made it past the security press and into the general business press. Boards have read about it. CEOs are asking about it. Risk committees are flagging it. For security leaders who have been trying to make the case for modernizing core capabilities, the broader awareness of AI-driven threats creates an opening that didn’t exist a year ago. The threat environment is now legible to non-technical leadership in a way that lowers the activation energy for serious investment in fundamentals.
The case to make is straightforward: the fundamentals haven’t changed, but the tolerances have collapsed, and the platforms used to execute the fundamentals have to be modernized accordingly. That’s a more defensible budget conversation than “we need AI to fight AI,” and it tends to land better with boards who have grown skeptical of vendor hype.
What SixMap Provides
SixMap was built around a simple thesis: a small set of capabilities are foundational to any serious cyber program, and they need to be done well. They are not optional. They are not “nice to haves” that some organizations can skip. They are the substrate everything else runs on. Many vendors claim to provide them; relatively few execute them at the level the current threat environment demands.
Those capabilities map directly to the four dimensions described above.
Real-time: SixMap continuously discovers and assesses external assets, with near real-time updates rather than scheduled refresh cycles. Customers see changes to their attack surface as they happen, not weeks later.
High-fidelity: every asset SixMap discovers is automatically attributed to the correct entity, business unit, or subsidiary, with a clear chain of ownership. Risk findings are tied to specific systems and specific responsible parties. The data is structured to be trustworthy enough for downstream AI workflows to act on.
Full-coverage: SixMap starts with the organization itself rather than a seed list of domains and IPs, then scans the entire IPv4 and IPv6 address space to find every asset that belongs to the organization — including the ones the organization doesn’t know it owns. Forgotten subsidiaries, legacy infrastructure, shadow IT, and unattributed exposure all surface in the same view as the known footprint.
Workflow-native: customers access SixMap data through APIs, webhooks, an MCP server for AI tool integration, and a custom on-demand reporting capability that takes natural-language requests and returns polished reports in minutes. The platform is designed to feed downstream systems — both legacy SOC stacks and emerging agentic workflows — with clean, structured data.
The point is not that SixMap is the only platform that can do these things. The point is that somebody has to do them, well, for any cyber program to be ready for the threat environment that’s already here.
Closing
The fundamentals haven’t changed. The tolerances have collapsed.
Organizations that internalize that distinction — and modernize the platforms they use to execute the fundamentals — will be in a defensible position against AI-enabled adversaries. Organizations that wait for new categories of “AI defense” to mature, or try to extract more performance from platforms built for a different era, will not.
The work that needs to be done is not exotic. It’s the same work that’s always defined a strong cyber program, executed at the speed and scale the current threat environment demands. That’s where SixMap is built to help.
