
Stop Fighting the Astrophage: How the 2026 DBIR Shows We Must Evolve How We Manage Cyber Risk

Blog

May 19, 2026


Contributor - 2026 Verizon Data Breach Investigations Report (DBIR)

By: Chris Griffith – VP, Product Management

I finally got time to watch Project Hail Mary this past weekend. If you haven’t seen the movie yet, consider this a quick spoiler alert: humanity faces an extinction-level threat from “Astrophage”, an alien microbe that multiplies exponentially, consuming the sun’s energy.

The terrifying realization for protagonist Dr. Ryland Grace and the scientists on Earth isn’t just that the threat is deadly; it’s that the math is impossible. No matter how much energy humanity throws at the problem, Astrophage simply scales faster to consume it.

Reading the newly released 2026 Verizon Data Breach Investigations Report (DBIR), to which SAFE is again a contributing data provider, I couldn’t help but draw a parallel: enterprise security has encountered its own Astrophage. Defenders are expending more effort than at any point in history, yet because the volume of modern threats has surged so drastically, we are falling further behind. We haven’t just hit a temporary roadblock; we have hit what looks to be a ceiling in our remediation capacity.

The threat is simply outscaling us.

The CISA KEV Crisis: Fighting Exponential Threats with Linear Effort

Perhaps the most jarring revelation in the 2026 DBIR is that the exploitation of vulnerabilities has officially overtaken credential abuse as the number one initial access vector for breaches, surging to account for 31% of all breaches.

Crucially, this is not a failure of effort by security teams; it is a failure of scale. In absolute numbers, defenders within the organizations covered by the analyzed dataset proactively patched a staggering 63.7 million CISA KEV vulnerability instances in 2025. Yet, they still fell backward. In terms of overall resolution status, only 26% were fully remediated vs. 38% in the prior year, while the median time until full remediation stretched to 43 days (vs. 32 days in the prior year). A key driver: the volume of critical exploited vulnerabilities flowing through the system was almost eight times higher than in 2022.

The situation is captured well in the report’s Figure 15, which maps the survival curve of CISA KEV vulnerabilities over the past four years.

[Figure 15: CISA KEV Vulnerability Survival Analysis (2022-2025)]
Source: 2026 Verizon Data Breach Investigations Report

The chart illustrates a harsh reality: despite years of tooling investments, mandate pressure, and sharpened focus on known-exploitable vulnerabilities, the Day 7 remediation rate has barely budged, and the Day 28 and Day 90 remediation rates have actually regressed. DBIR researchers suggest that even the most mature organizations cap out at fixing just 30% to 40% of KEV instances in the first week after detection, leaving 60% to 70% of vulnerabilities open regardless of the year or organizational maturity.
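A survival curve of the kind Figure 15 plots can be estimated with the Kaplan-Meier method, which is how a team can reproduce its own Day 7 / Day 28 / Day 90 remediation rates and median time-to-remediation from scanner data. The script below is an added example, not code from the DBIR or from SAFE; the observations are constructed, and the caveat it demonstrates is that instances still open at the snapshot must be treated as censored rather than as "never remediated", or the later-day rates are understated.

```python
# Constructed observations: (days, remediated). remediated=False means the KEV
# instance was still open after `days` at the snapshot date (right-censored).
OBS = [(3, True), (5, True), (7, True), (12, True), (20, False),
       (30, True), (45, True), (60, False), (85, True), (100, False)]

def kaplan_meier(obs):
    """Step curve [(t, S(t))]; S(t) = estimated share still open after t days."""
    curve, surviving = [], 1.0
    for t in sorted({d for d, event in obs if event}):
        at_risk = sum(1 for d, _ in obs if d >= t)        # still open just before t
        events = sum(1 for d, e in obs if d == t and e)    # remediated exactly at t
        surviving *= 1 - events / at_risk
        curve.append((t, surviving))
    return curve

def survival_at(curve, day):
    """S(day): carry the last step at or before `day` (1.0 before any event)."""
    s = 1.0
    for t, value in curve:
        if t > day:
            break
        s = value
    return s

def remediation_rate(curve, day):
    """Estimated share of instances remediated within `day` days."""
    return 1.0 - survival_at(curve, day)

def median_days_to_remediation(curve):
    """Smallest t with S(t) <= 0.5, or None if the curve never gets there."""
    for t, s in curve:
        if s <= 0.5:
            return t
    return None

def naive_rate(obs, day):
    """What you get if open instances are simply counted as 'never remediated'."""
    return sum(1 for d, e in obs if e and d <= day) / len(obs)

if __name__ == "__main__":
    curve = kaplan_meier(OBS)
    for day in (7, 28, 90):
        print(f"day {day:3d}: Kaplan-Meier {remediation_rate(curve, day):.0%}, "
              f"naive {naive_rate(OBS, day):.0%}")
    print("median days to remediation:", median_days_to_remediation(curve))
```

On this constructed sample the two methods agree at Day 7 and Day 28 but diverge at Day 90 (82% vs 70%), because three still-open instances are counted as failures by the naive method.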

The GenAI Accelerator

This internal patching ceiling is being aggressively squeezed as threat actors integrate generative AI into their workflows to automate and scale the development of malware and initial access tools. When adversaries can mass-exploit vulnerabilities in days or minutes, and nearly a third are exploited before a CVE even exists, the race as run today is mathematically lost before it begins. Trying to fight this exponential threat growth with linear, manual human effort is fundamentally a losing battle.

Solving the Equation: Shifting to a CTEM Paradigm Supercharged by Agentic AI

In Project Hail Mary, humanity doesn’t survive by simply working harder to out-burn the Astrophage. They survive because Dr. Grace stops fighting the impossible math, relies on first-principles thinking to change the game, and deploys a highly targeted, context-aware solution to neutralize the threat.

To defeat a scale problem of this magnitude, enterprise security needs its own evolutionary leap. We must shift from the broken paradigm of trying to fix everything to an intelligent, automation-led, risk-based approach. By aligning our defense strategy to the Continuous Threat and Exposure Management (CTEM) framework, we can scale our response to match the threat.

  1. Scoping and Discovery: Continuous Attack Surface Visibility

    Traditional, point-in-time scanning leaves too many gaps for AI-driven threats to exploit. To manage risk effectively, organizations must expand visibility beyond basic software flaws to incorporate the entire corporate exposure landscape, including cloud misconfigurations, emerging AI risks, and third-party exposures. Asset discovery must be continuous, real-time, and comprehensive across the entire dynamic attack surface.

  2. Prioritization: Business-Context and Risk-Centric Filtering

    Since patching 100% of vulnerabilities is mathematically impossible, we must replace raw volume with context and focus. Security teams need to ruthlessly prioritize only the fraction of vulnerabilities that matter in terms of actual risk to the business. This means filtering vulnerabilities by analyzing whether they are actively exploited by threat actors, verifying whether internal compensating controls are already mitigating them, and determining if they provide an exploit path to business-critical applications or services.

  3. Validation and Mobilization: Automated Remediation via Agentic AI

    We cannot close the 2026 DBIR’s cited 43-day median remediation gap using human triage against adversaries operating in minutes. We must move past basic, rigid scripts and deploy Agentic AI: systems capable of reasoning, planning, and autonomously executing workflows. By using AI agents to continuously validate exposure and autonomously trigger targeted mitigation or remediation processes at scale and velocity (mobilization), we eliminate the latency that legacy silos create.
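The prioritization step's three filters (actively exploited, not already mitigated by a compensating control, on an exploit path to a business-critical asset), as an added Python example that is not from the page or from SAFE's platform. It assumes a constructed attack-path graph with an internet-facing entry point, placeholder vulnerability ids, and a KEV flag per finding; a finding reaches the "fix now" tier only when all three filters pass.

```python
from collections import deque

# Constructed attack-path graph (which hosts can reach which); not a real network.
NETWORK = {
    "internet": ["web-01", "vpn-01"],
    "web-01": ["app-01"],
    "vpn-01": ["app-01", "ws-07"],
    "app-01": ["db-01"],
    "ws-07": [],
    "db-01": [],
    "lab-03": [],  # isolated segment, never reachable from the internet
}
CRITICAL = {"db-01"}  # business-critical assets (assumption)
# Constructed findings: (asset, placeholder vuln id, in CISA KEV, compensating control)
FINDINGS = [
    ("web-01", "VULN-A", True, None),
    ("web-01", "VULN-B", False, None),
    ("vpn-01", "VULN-C", True, "IPS signature blocks the exploit"),
    ("ws-07", "VULN-D", True, None),
    ("lab-03", "VULN-E", True, None),
    ("app-01", "VULN-F", True, None),
]

def reachable(graph, start):
    """Nodes reachable from `start` by breadth-first search (start included)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def on_exploit_path(graph, asset, critical, entry="internet"):
    """True if the asset lies on a path from the entry point to a critical asset."""
    return asset in reachable(graph, entry) and bool(reachable(graph, asset) & critical)

def prioritize(findings, graph=NETWORK, critical=CRITICAL):
    """Split findings into (fix_now, mitigated, backlog) lists of vuln ids."""
    fix_now, mitigated, backlog = [], [], []
    for asset, vuln, in_kev, control in findings:
        if in_kev and on_exploit_path(graph, asset, critical):
            # exploited in the wild and on a path to something critical:
            # fix now unless a compensating control already covers it
            (mitigated if control else fix_now).append(vuln)
        else:
            backlog.append(vuln)
    return fix_now, mitigated, backlog

if __name__ == "__main__":
    fix_now, mitigated, backlog = prioritize(FINDINGS)
    print("fix now:", fix_now, "| mitigated:", mitigated, "| backlog:", backlog)
```

Of six KEV-or-not findings, only two survive all three filters; the one behind a compensating control is kept visible so the control can be re-verified as the environment changes.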

Summary: A New Paradigm

The 2026 DBIR findings are a clear signal that the old paradigm of proactive cybersecurity has reached its physical limits. The math has demonstrated that we can no longer out-work, out-patch, or out-spend an exponential threat landscape using linear processes.

By shifting to a unified, risk-based CTEM approach with maximal automation, we can finally stop exhausting our teams against an impossible threat volume. Much like Dr. Grace, it’s time to stop fighting the impossible math, deploy a system built for scale, and move safely forward.

Download the full 2026 Verizon DBIR report to explore the findings behind this shift and what they mean for the future of cyber risk management.