On June 22, the heads of six cybersecurity agencies across the Five Eyes signed the same statement. Normally these are technical advisories: indicators, ATT&CK mappings, detection rules tied to a named campaign. This one is written for boards, not defenders, and signed by name: the NSA, CISA, the UK's NCSC, Australia's ASD, Canada's CSE, and New Zealand's GCSB. The message is short. The gap between a vulnerability going public and getting exploited is shrinking, and AI is why. "The timeline," they write, "is not years, it is months."
What they said
The statement is short and worth reading in full. AI is speeding up attacks faster than it's helping defenders, cyber risk is a business problem the board owns, and leaders should act in months, not years. It lists five things to do: shrink the attack surface, patch faster, retire legacy systems, tighten identity, and practice incident response. None are new, and the agencies say so. What changed is the clock.
Success will not come from having the most tools. It will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy.
Six cybersecurity agencies are telling boards that more software isn't the answer. The basics are unglamorous, and they're betting those basics beat the next product launch, as long as you move fast.
Speed breaks the old way of ranking risk
Most teams rank what to fix with a score set the day a vulnerability is disclosed, usually CVSS, checked against what they own. Both are snapshots. They worked when the gap from disclosure to exploitation was months. When exploitation shows up in hours, that score is stale before the maintenance window opens.
That isn't a knock on the model. It held for a decade, and one input changed: time got shorter. Plenty of smart people are rebuilding around that, from exploit prediction to reachability analysis to the broader CTEM shift. A day-one score can't keep up with a clock like this. What keeps up is what adversaries are doing right now: what they're exploiting, who's running it, and whether companies like yours are getting hit this week.
Where AI earns its keep
One line for defenders will get skipped in most coverage. The agencies don't just warn that attackers have AI; they tell defenders to use it "deliberately to strengthen defence," not just for efficiency. So far, most AI in security has gone toward efficiency: summarize the alert, draft the report, write the rule faster. That speeds up work you're already doing. The harder job is deciding what to touch first when there's no time to work it out by hand.
That's the problem we work on at Mallory. We start from what adversaries are doing and work back to your exposure, pulling proofs of concept, exploitation reports, detections, and actor campaigns from thousands of sources, lining them up against your environment, and surfacing what to act on now. We're not the only ones headed here, but it's where we've pointed the product and the data model.
The agencies close by asking leaders, vendors included, to act now and work together. The window is real and still closing. The teams that come out ahead will get the basics done fast and let live adversary activity set the order of the work.
- jcran
Prioritize on adversary behavior, not a frozen score
Mallory correlates exploitation, detections, and adversary activity from thousands of sources and maps it to your environment as it happens.
Start Free Trial