Harman Kaur, chief technology officer at Tanium, has argued security leaders should prioritise improving foundational IT and security operations over buying new tools as AI accelerates cyber risk.
In an opinion piece circulated to media, Kaur points to early June trials in Australia where a select group of organisations were granted access to the Mythos AI capability via Project Glasswing, which she said demonstrated the ability to compress vulnerability discovery timelines “from months to hours”.
She links the development to recent warnings from Australian and allied cyber agencies that AI could increase the speed and scale of attacks, and says the shift should act as a “forcing function” for Australian CISOs.
“In the past three months, every CISO I’ve spoken with globally is asking which new security tool is needed in response,” Kaur wrote. “The question they should be asking is whether the foundation underneath those tools has the real-time intelligence they need to match the speed and scale of today’s threat environment.”
Kaur said Project Glasswing had surfaced more than 10,000 high or critical vulnerabilities in roughly a month, describing it as automation that “compresses what previously took months of skilled attacker effort into hours of automated discovery”.
Her argument centres on three areas: reducing attack surface, accelerating patching and remediation, and improving prioritisation based on business context rather than relying on vulnerability scores alone.
On attack surface, Kaur said unmanaged applications, ports and services create exposure that automated discovery can quickly exploit, including systems not captured in asset inventories. She urged organisations to develop real-time inventories of what is installed and running on endpoints, assign business ownership for applications, validate dependencies for open ports, and remove or segment what is not required.
On patching, Kaur said many security programs still fail to connect vulnerability discovery to “validated remediation”. She cited Edgescan’s 2025 Vulnerability Statistics Report, which found 45% of vulnerabilities in large enterprises remained unpatched after 12 months, and said Project Glasswing findings showed that of 1,094 confirmed high-severity flaws identified, 97 had been patched.
Traditional patching programs are “a critical liability” in an AI-accelerated environment, she argued, because they rely on fixed cycles, manual handoffs and endpoint data that can be outdated by the time decisions are made. Kaur also warned AI could accelerate patch creation and vendor patch releases, further increasing deployment backlogs and putting pressure on teams built around monthly cycles.
She noted some systems may remain unpatchable, including end-of-life infrastructure, OT and embedded firmware, requiring segmentation and compensating controls alongside improved visibility.
Kaur also argued that AI can combine low-severity vulnerabilities into higher-impact attack paths, increasing the risk of remediation teams becoming overwhelmed. She said organisations should prioritise remediation using asset criticality, business context, exploit availability and exposure paths, rather than relying on CVSS ratings alone.
The opinion piece concludes that the operational gaps being exposed are longstanding, but become more urgent as automated discovery reduces the effort required to find exploitable weaknesses. Kaur urged CISOs to focus on reducing attack surface, achieving real-time visibility across endpoints, enabling automated remediation at scale, and aligning security and IT around a single, authoritative data source.

