The Asymmetric War
Are we cooked, chat?
In December 2025, an autonomous AI agent named ARTEMIS spent ten hours probing Stanford’s live computer science network: roughly 8,000 hosts across twelve subnets. It found nine valid vulnerabilities. It beat nine of the ten OSCP-certified human penetration testers it was benchmarked against.
ARTEMIS is open source. Anyone reading this can have it running in an hour or so. I know, because I have!
The work of finding holes in your network just got cheap, fast, and replicable. That should focus the mind.
A War That Was Always Asymmetric Just Got More So
Cybersecurity has always been an asymmetric game. Attackers need to win once. Defenders need to win every day. The numbers were against the blue team before any of this and they’re now moving in the wrong direction at speed.
In 2025, 48,177 CVEs were assigned. That’s 131 vulnerabilities published every day. CVE submissions are up 263% since 2020, and Q1 2026 is tracking another third higher than Q1 2025. NIST formally gave up trying to enrich every one of them on 15 April 2026 and only fully analyse the ones that intersect CISA’s Known Exploited Vulnerabilities catalogue, federal-government software, or Executive Order 14028 critical software.
Meanwhile, VulnCheck’s State of Exploitation 2026 found that 28.96% of newly exploited vulnerabilities were attacked on or before the day their CVE was published, up from 23.6% in 2024.
What’s your patch cycle? Ninety days? Sixty if you’re disciplined?
Defenders are running on a quarterly cadence; attackers are running daily, and that gap is now actively widening.
The Process Is Already Broken
Most enterprises run vulnerabilities through the same four-step gauntlet: triage, validate, remediate, deploy. Every step is structurally broken.
Triage: most organisations operate at roughly one application security engineer per hundred software engineers. CVSS scoring doesn’t reflect actual exploitability, so the queue gets prioritised by the wrong signal. And the queue is mostly noise: a meaningful share of scanner findings are false positives that eat the team’s day.
Validate: feature delivery beats technical debt every sprint. The CAB process demands extensive documentation before anything moves. Real threats slip past because the developers reviewing them don’t have the security expertise to recognise what they’re looking at.
Remediate: friction between application teams and security teams creates delays. Endless back-and-forth on whether a fix is really a fix. The vulnerability stays live throughout.
Deploy: by the time the patch is in production, the triage backlog has grown faster than it shrank. You’re losing ground every sprint.
A typical enterprise takes weeks from CVE disclosure to production fix.
Non-deterministic Safety Systems
Think about a modern operating theatre. The surgeon brings non-deterministic judgement. Every patient is different, every operation throws up things no textbook fully anticipates. But that judgement is wrapped in deterministic discipline: the pre-op checklist, sterile field protocols, the time-out before incision, the instrument count before closure.
That’s the architecture mature security needs in the AI era. Deterministic policy at the edges. Non-deterministic intelligence in the middle. Deterministic enforcement at the gates.
In practice, that looks like:
Deterministic policy. Signed commits, software bills of materials, SLSA attestation, mandatory scanning on every pipeline run, codified approval rules, immutable audit trails. None of this is AI. All of it is non-negotiable.
Non-deterministic intelligence. AI-assisted triage that distinguishes real findings from scanner noise. AI explanation that tells the developer not just what is wrong but why and how to fix it. AI-drafted remediation that produces a merge request, not a ticket. AI prioritisation that uses exploit intelligence rather than raw CVSS.
Deterministic enforcement. Protected branches, deployment approvals, container and dependency scanning gates that block on policy violation, not on human reviewer availability.
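To make the three layers concrete, here is an added example (not the author’s code, and not any product’s) of the deterministic gate and the exploit-intelligence prioritisation described above, in Python. It assumes scanner findings shaped like the constructed sample, a locally cached set of known-exploited CVE ids standing in for the CISA KEV catalogue (the ids and thresholds are placeholders, not real data), and a waiver ticket field for accepted risk. The AI layer would sit in front of this, drafting fixes and filtering noise; the gate itself never consults a model, so the same inputs always produce the same decision and the same audit record.

```python
"""Deterministic policy gate for pipeline scanner findings (added example).

Assumptions: findings arrive in the shape of `Finding`; KNOWN_EXPLOITED is a
local stand-in for the KEV catalogue; all CVE ids below are placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    component: str
    reachable: bool              # does the app actually load/call the affected code?
    waiver: Optional[str] = None  # ticket id of an accepted-risk waiver, if any


# Constructed stand-in for a known-exploited feed (placeholder ids, not real CVEs).
KNOWN_EXPLOITED = {"CVE-0000-1001", "CVE-0000-1003"}


@dataclass(frozen=True)
class Policy:
    """Codified rules. Changing these is a reviewed change, not a judgement call."""
    block_cvss_at_or_above: float = 9.0
    require_reachability_for_cvss_block: bool = True


PRIORITY_RANK = {"block": 0, "waived": 1, "fix-soon": 2, "backlog": 3}


def classify(f: Finding, policy: Policy, kev: set) -> tuple:
    """Return (priority, reason). Exploit intelligence outranks raw CVSS:
    a listed CVE blocks regardless of score; a high score only blocks when
    the affected code is actually reachable (if the policy requires it)."""
    if f.cve in kev:
        return "block", "listed in known-exploited catalogue"
    if f.cvss >= policy.block_cvss_at_or_above:
        if not policy.require_reachability_for_cvss_block or f.reachable:
            return "block", f"CVSS {f.cvss} and affected code is reachable"
        return "fix-soon", f"CVSS {f.cvss} but affected code not reachable"
    if f.cvss >= 7.0:
        return "fix-soon", f"CVSS {f.cvss}"
    return "backlog", f"CVSS {f.cvss}"


def evaluate_gate(findings, policy: Policy = Policy(), kev=KNOWN_EXPLOITED) -> dict:
    """Decide whether a deployment may proceed. A waiver downgrades a block to
    'waived' but the ticket is recorded so the audit trail shows who accepted
    the risk. No human reviewer availability is involved in the decision."""
    decisions = []
    blocked = False
    for f in findings:
        priority, reason = classify(f, policy, kev)
        if priority == "block" and f.waiver:
            priority, reason = "waived", f"{reason}; waiver {f.waiver}"
        if priority == "block":
            blocked = True
        decisions.append((f.cve, priority, reason))
    return {"allow": not blocked, "decisions": decisions}


def prioritise(findings, policy: Policy = Policy(), kev=KNOWN_EXPLOITED):
    """Order the queue for the remediation team: gate priority first, then
    CVSS as a tie-breaker within the same priority band."""
    def key(f):
        priority, _ = classify(f, policy, kev)
        if priority == "block" and f.waiver:
            priority = "waived"
        return (PRIORITY_RANK[priority], -f.cvss)
    return sorted(findings, key=key)


# Constructed sample run: one scanner report from one pipeline execution.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-1001", 6.5, "libparse", reachable=False),  # listed, mid score
    Finding("CVE-0000-1002", 9.8, "libimg", reachable=False),    # high score, unreachable
    Finding("CVE-0000-1003", 5.0, "libauth", reachable=True, waiver="RISK-42"),
    Finding("CVE-0000-1004", 9.1, "libnet", reachable=True),     # high score, reachable
    Finding("CVE-0000-1005", 7.2, "libjson", reachable=True),
    Finding("CVE-0000-1006", 3.1, "libutil", reachable=True),
]

if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_FINDINGS)
    print("deploy allowed:", result["allow"])
    for cve, priority, reason in result["decisions"]:
        print(f"  {cve:<14} {priority:<9} {reason}")
    print("remediation order:", [f.cve for f in prioritise(SAMPLE_FINDINGS)])
```

Two things in the sample output are worth noticing. The listed CVE with a 6.5 score blocks while the unlisted 9.8 on unreachable code only lands in the fix-soon band, which is exactly the “exploit intelligence rather than raw CVSS” point. And the waived finding still appears in the decision list with its ticket id, so the audit trail records the accepted risk rather than silently dropping it.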
AI in the middle, where judgement helps. Determinism at the edges, where you cannot tolerate ambiguity.
This is how defenders get back to attacker speed: not by adding humans to a broken process, but by replacing the broken process with one that operates at the pace and volume the threat now demands.
You Can’t Out-Hire This. You Have to Out-Architect It.
The asymmetric war isn’t coming. It’s already here. ARTEMIS is on GitHub. Mythos exists. Fable is already banned. Attackers running on daily cadence have AI in their tooling already; that gap with defenders running quarterly will only widen.
You can’t out-hire this. You can’t outspend it on more scanners. And you can’t wait for someone else’s coalition to fix it for you.
What you can do is build a platform where AI accelerates the work that scales, and humans are kept on the work that doesn’t. Where deterministic policy enforces the rules. Where deterministic gates absorb AI’s output safely. Where non-deterministic intelligence operates in the middle, doing the work no team of humans can do at the volume and velocity now required.
The defenders who get this right won’t be the ones with the biggest security teams. They’ll be the ones with the best platform.