This HFS Research Highlight is for CISOs and security leaders rebuilding their cyber function into VulnOps to deploy agentic AI safely at scale.
A year ago, HFS warned that “the moment AI systems decide and act instead of merely assisting, you’ve crossed into a zone that your current oversight model likely can’t handle.” Anthropic’s Mythos and the arrival of OpenClaw’s agentic flows to action mean that moment is now. It demands a radical new approach to cybersecurity, one that may also prove the true unlock for agentic AI in the enterprise.
Zenity’s full-day San Francisco Agentic AI Security Summit provided three telling signals:
Cybersecurity must shift from being seen as the brake on enterprise AI to the discipline that makes autonomous systems work at scale. It is no coincidence that IBM and Red Hat have picked this moment to commit $5 billion and 20,000 engineers to fix the open-source security layer. Reshape your cyber function, and you scale agentic. Don’t, and you’ll spend 2026 governing yesterday’s threats with last decade’s playbook.
Jim Reavis, CEO of the Cloud Security Alliance, presented data on Anthropic’s Mythos Preview. It identified nearly 3,900 high- or critical-severity vulnerabilities in open source alone. Every defender must now assume nation-state capability is aimed at every asset. The 30-day patch SLA is over (India’s CERT has moved to 12 hours). Annual tests are over. Common Vulnerabilities and Exposures (CVE)-prioritized vulnerability management is over.
Jenn Gile of OpenSourceMalware delivered demand-side proof. Before January 2026, AI skill registries did not exist. Within weeks of ClawHub’s launch, more than 700 malicious skills were live with payloads that “fire every time your agent runs, not just on install.” Skills are in natural language, so static code analysis fails. Third-party scanner badges create false trust. The payload moved out of the skill into a linked site, triggered at runtime, a threat only a cyber expert would spot.
Michael Bargury, co-founder and CTO of Zenity, warned that the industry had wasted three years rebranding agentic risk over and over, variously as a shadow AI, data, identity, cloud, or inventory problem. Every agent that his team has tested has been hackable. The new unit of security, he argues, is intent, which must be evaluated continuously: why did an agent do a thing at runtime? The role of security changes to “getting the thing to work.”
Reavis captured the cultural shift: “The fastest growing job title in cybersecurity is going to be builder.”
Travis McPeak, head of security at Cursor, challenged conventional thinking that “Security is everyone’s job,” calling it an abdication. The team that gets blamed for the breach has to own the outcome. Cursor’s operating model demonstrates the agent-heavy approach most firms will need to adopt: AI-triaged vulnerability intake, three independent agents tracing reachability, auto-patch and auto-merge, with the safety rails built by security itself. Cyber becomes the team that builds the autonomous fix loop, not the team that nags developers.

Source: HFS Research, 2026
Gadi Evron, founder and CEO of Knostic AI and CISO-in-Residence for AI at the Cloud Security Alliance, names the new discipline VulnOps: a continuous, machine-speed triage and remediation loop with human-in-the-loop oversight. Think of it as DevOps for the threat surface.
Every enterprise should stand up its own VulnOps, with these guiding principles:
IBM and Red Hat just announced Project Lightwell, a $5 billion commitment and a 20,000-strong engineering force, augmented by frontier AI, to stand up a trusted enterprise clearinghouse for open-source security. This promises AI-assisted vulnerability triage at industrial scale, validated patches with enterprise-grade lifecycle management, and upstream disclosure, all packaged as a commercial subscription.
It builds on Anthropic’s Project Glasswing and OpenAI’s Trust Access for Cyber, so the major labs and major SIs (systems integrators) are coordinating on a shared response. Early adopters include Bank of America, BNY, Citi, and Goldman Sachs; financial services is bought in.
This can be read as the first VulnOps program of real consequence in production. But it does not address the runtime-intent problem Bargury raised, or the agent-registry trust problem Gile raised. Lightwell is a foundation. The rest is on you.
VulnOps gives your cyber estate the contextual and predictive postures HFS describes in our 2025 Cybersecurity Horizons report and allows your enterprise to run autonomous systems at the rate the market is shipping them.
Security is the unlock for enterprise AI. IBM, Red Hat, and their early adopters have committed $5 billion with that in mind. The question every CISO needs to answer now is whether the enterprise will run a VulnOps program of its own or wait to be carried by someone else’s.