The cybersecurity landscape is undergoing a dramatic transformation as artificial intelligence fundamentally shifts the balance between attackers and defenders, according to Sergej Epp, CISO of cloud security company Sysdig.
During an interview at Sysdig’s San Francisco headquarters, we go deep into the impact of AI on cybersecurity with Epp. According to him, AI is one of the reasons why the time between vulnerability disclosure and active exploitation has collapsed from 1.5 years in 2020 to just hours today. He expects that this time will shrink further to minutes in the near future. This acceleration is driven by AI’s ability to quickly verify exploits and automate attacks at scale.
The implications are quite substantial: traditional security approaches like monthly patching cycles and human-dependent response processes can no longer keep pace with AI-powered threats. Epp argues that defense must adopt full automation and remove humans from the loop to match the speed of modern attacks.
Sysdig’s foundation in open source and runtime security
Sysdig was founded with the belief that security must be powered by open source foundations. The company’s founders influenced and built projects like Wireshark and Falco. Falco has become a standard to secure Kubernetes and container environments. These technologies power approximately 80% of cloud infrastructure and are used by 60% of Fortune 500 companies.
The company pioneered runtime security in the cloud before the industry fully understood the concept, according to Epp. While posture management examines configuration snapshots, runtime security monitors what’s happening in real-time to detect active attacks. Sysdig captures telemetry at the kernel level, the deepest point in the stack where all activity must pass and where attackers cannot hide.
Context graphs paint the attack picture
A key differentiator for Sysdig is its context graph approach, which stitches together kernel-level data with Kubernetes configuration and cloud layer information. “Attackers are thinking in graphs and we were thinking in lists,” as Epp notes during our conversation. Graph databases reveal relationships and attack paths that traditional list-based approaches miss.
This graph-based view enables both offensive and defensive thinking. Epp’s first major initiative after joining Sysdig was running red team exercises to understand how attackers would act, mapping those paths in a graph, and prioritizing remediation based on actual attack vectors.
AI gives attackers a superpower advantage
Epp applies a methodology called verification laws to explain AI’s disproportionate impact on offense versus defense. AI excels in domains where verification is simple, binary, and immediate. For attackers, popping a shell or running an exploit provides instant binary feedback. That is, it works or it doesn’t. This makes AI extremely effective at training and running offensive agents.
Defense faces a fundamentally different challenge. Security teams receive suspicious information every minute, with 50% or more being false positives. Verification is complex and non-binary, making AI less effective on the defensive side. This creates an acceleration of offensive capabilities that defense struggles to match, Epp notes.
To demonstrate this acceleration, Epp built a zero-day discovery environment in a single Sunday afternoon using AI tools. He was able to identify multiple unknown vulnerabilities in common security products despite not being a professional vulnerability researcher. “If I can do this, everybody else can do this,” he says.
The shrinking window for vulnerability exploitation
Epp’s research into exploitation timelines reveals a dramatic trend. In 2020, the average time between vulnerability disclosure and active exploitation was 1.5 years. Today, that window has collapsed to hours, with expectations it will reach minutes in the near future.
Something we might consider even more concerning, more than 60% of vulnerabilities exploited in recent years were zero-days. That means no patch existed when exploitation began. “We’re expecting vulnerabilities to be released where there’s not even a patch, and you start to see already instant exploitation,” Epp explains.
Currently, only 1-2% of disclosed vulnerabilities are actively exploited, according to Epp. This leaves a lot of room to scale up attacks for threat actors. Every patch also serves as a blueprint for exploits, as it contains information about the vulnerability that AI can quickly reverse-engineer.
Real-world impact on organizations
Epp points out that what the shortening of time to exploitation can mean, when he tells us an anecdote from Germany. A critical supply chain vulnerability prompted police to physically visit the homes of C-level people at 3 AM on a weekend to ensure immediate patching.
Defense must adopt full automation
Given the speed of AI-powered attacks, Epp takes a rather radical stance: “I don’t think that we need more automation. I think what we need is we need to take the humans completely out of the loop.”
He cites a recent attack where credentials found in an AWS S3 bucket led to full admin access in just eight minutes. According to him, there was clear evidence of AI involvement in this attack. The permissions created were named “Claude,” included comments in Serbian, and attempted to call GitHub repositories that didn’t exist. “If offense is already adopting out-of-the-loop automation without a human, we at defense have to do the same,” Epp argues.
The above approach doesn’t mean abandoning proven security principles. Concepts like assume breach, zero trust, and blast radius containment remain valid. However, they only work at 100% implementation. AI excels at finding the gaps in 99% implementations, exploiting the least resistant path that human defenders missed.
The brownfield challenge
However, implementing full automation and zero trust faces practical obstacles. Most organizations operate in brownfield environments with legacy systems, dependencies, and technical debt. Greenfield opportunities for complete re-architecture are rare. Even seemingly simple solutions like auto-patching can cascade into major operations due to version dependencies and compatibility requirements.
Epp acknowledges these challenges but emphasizes that security by design must start in the development cycle. He points to recommendations like using Rust instead of C, which eliminates 80% of vulnerability classes. AI could potentially help rebuild popular open source projects, which power 80% of commercial software, in more secure languages.
The Zero Day Clock initiative
To make the threat acceleration visible to executives and policymakers, Epp launched the Zero Day Clock initiative. This project measures the time between vulnerability disclosure and first exploitation, currently oscillating between one day and hours, trending toward minutes.
The initiative has been signed by security leaders including Bruce Schneier and Google’s CISO. “If you have one slide you want to present to your board, to your government, to explain what is happening in the security industry right now, not to create FUD but to have real numbers, that’s the slide you want to show,” Epp says.
As AI continues to accelerate offensive capabilities, organizations must fundamentally rethink their defensive strategies, automation levels, and response timelines. Those that continue to rely on manual processes and monthly patch cycles will find themselves increasingly vulnerable to attacks that execute in minutes.
Also read: Sysdig: How Project Falco is strengthening cloud runtime security