Full Report
Kevin Mandia, Morgan Adamski, and Alex Stamos tell CyberScoop that AI is finding bugs faster than anyone can fix them, exploit development is accelerating, and most organizations aren't prepared for what's coming. The post Security leaders say the next two years are going to be ‘insane’ appeared first on CyberScoop.
Analysis Summary
# Industry News: AI-Driven Vulnerability Discovery Outpacing Human Defense
## Summary
Prominent cybersecurity leaders Kevin Mandia, Morgan Adamski, and Alex Stamos warn that the industry is entering a two-year period of "insane" disruption. AI-driven systems are now discovering software vulnerabilities exponentially faster than organizations can patch them, threatening to render decades of established security practices obsolete.
## Key Details
- **Date:** March 27, 2026
- **Companies Involved:** Armadin (Kevin Mandia), Corridor (Alex Stamos), U.S. Cyber Command (Morgan Adamski)
- **Category:** Market Analysis & Threat Prediction
## The Story
At the 2026 RSA Conference, security experts highlighted a critical "inflection point" where offensive AI capabilities are beginning to vastly outperform defensive measures. Alex Stamos revealed that foundational model companies are currently sitting on thousands of AI-discovered bugs that they lack the capacity to verify or remediate.
The primary concern is that AI is finding flaws in legacy code—including foundational Linux kernel code—that human researchers missed for decades. Within 12 months, experts predict that open-source models (including those from China) will allow low-skill threat actors to generate "EternalBlue-level" exploits on demand. This shift creates a "collective action problem" where the sheer volume of exploits could overwhelm the global software supply chain.
## Business Impact
### For the Companies Involved
- **Armadin:** Positions Kevin Mandia’s AI security firm as a thought leader in the "AI vs. AI" defensive landscape.
- **Corridor:** Highlights the urgent need for managed security and research capabilities in the face of automated threats.
### For Competitors
- **Legacy Security Vendors:** Traditional vulnerability management firms face obsolescence if they cannot match the speed of AI-driven threat discovery.
- **Offensive AI Developers:** A likely surge in venture capital toward startups focusing on "AI Red Teaming" and automated patching.
### For Customers
- **The "Patching Gap":** Organizations will face a widening window of exposure where exploits exist publicly before a vendor patch can be developed or deployed.
- **Increased Costs:** Businesses may be forced to "massively rebuild" base infrastructure that was written in memory-unsafe languages.
### For the Market
- **Infrastructure Shift:** A forced migration toward memory-safe languages (like Rust) and formal verification methods.
- **Insurance Market Volatility:** Cyber insurance premiums may spike as the predictability of software security diminishes.
## Technical Implications
AI is shifting the bottleneck from *finding* bugs to *exploiting* them. While AI can already identify vulnerabilities, the next 6–12 months will likely see the automation of "working shellcode" that can bypass modern processor protections. This suggests that existing "memory-unsafe" codebases are fundamentally insecure in an era of superintelligent bug-finding machines.
## Strategic Analysis
- **Market Positioning:** Companies that automate the *remediation* (patching) of code will gain a massive competitive advantage over those that simply *detect* vulnerabilities.
- **Competitive Advantage:** Early adopters of "AI Defense Agents" may survive the upcoming two-year "storm" better than laggards.
- **Challenges:** The democratization of these tools means that even a "19-year-old in St. Petersburg" could soon possess the same offensive capabilities as a nation-state.
## Industry Reactions
- **Expert Commentary:** Kevin Mandia describes the current landscape as a "perfect storm for offense."
- **Market Response:** Despite the warnings, the RSA floor remains flooded with AI marketing, suggesting a disconnect between vendor "hype" and the industrial-scale risks identified by top experts.
## Future Outlook
- **The 12-Month Window:** Expect the first wave of AI-generated, sophisticated exploits to hit mainstream software.
- **What to Watch For:** Increased government intervention regarding "AI safety" for foundation models to prevent them from outputting exploit code, and a possible industry-wide pivot to "Secure-by-Design" architecture.
## For Security Professionals
Practitioners must move away from manual "triage" and toward high-velocity automation. The focus should shift from "Can we find the bug?" to "Can we isolate the system before the automated exploit arrives?" Strengthening identity-based controls (Zero Trust) will become more vital as software vulnerabilities become easier for attackers to find and weaponize.