COMMENTARY: In just 18 months, AI systems have moved from barely performing entry-level security tasks to autonomously discovering and exploiting vulnerabilities across open-source and production environments.As open-weight models close the gap with frontier systems, AI-driven vulnerability discovery has rapidly expanded. It’s become accessible, affordable, and routine, ushering in a new era of AI for security.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]However, a growing remediation deficit has emerged. While discovery accelerates, the ability to fix what’s found has not kept pace, creating a widening gap between exposure and resolution.We’ve already seen this deficit play out. At DEF CON 32 Semifinals, AI systems advanced in just one year, moving from partial effectiveness to near-systemic capability, by identifying the majority of planted vulnerabilities while also surfacing previously unknown real-world issues at low cost.These capabilities are no longer isolated or experimental. The math has fundamentally changed, and the remediation deficit has become a defining constraint on security itself, in an era of AI-driven security operations.It’s clear we’re doing business in a dense vulnerability landscape. Vulnerabilities appear throughout complex systems and require approaches that account for that density. Today, we have to keep pace with the speed and scale of discovery across organizational, technical, and economic systems, while continuously reducing exposure.Our industry will shape the next phase of cybersecurity by how effectively we evolve remediation to match a world where continuous discovery continues to expand.Nidhi Aggarwal, chief product officer, HackerOneSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
The illusion of scarcity
Security teams have traditionally assumed that finding and fixing vulnerabilities meant real progress. That assumption only holds if vulnerabilities are relatively scarce.A decade ago, Dan Geer, security researcher and CISO for In-Q-Tel, borrowed a technique from wildlife capture-recapture techniques to ask a deceptively simple question: how many vulnerabilities are actually hiding in our code? The method estimates population size by measuring how often the same items are rediscovered across repeated sampling.The logic: if repeated searches turn up fewer new findings over time, we are running out of undiscovered issues. If new discoveries continue at a steady rate, it suggests a much larger pool that has not yet been explored. The pace of discovery becomes a signal for whether we are nearing the limits of the problem, or only scratching the surface.For most of the industry’s deep history, our tools made the problem feel manageable. Manual testing, bug bounties, and traditional scanning uncovered issues slowly. That slow pace reinforced the belief that vulnerabilities were finite and diminishing with effort. Now, that assumption has broken down.A dense vulnerability landscapeAs AI systems run repeated passes and continue to surface new vulnerabilities, a different picture has come into focus. Discovery no longer repesents the bottleneck. We are, in fact, operating in a dense vulnerability landscape where we can discover issues at scale, speed, and low cost. What once looked like steady progress now appears more like partial coverage. When repeated analysis keeps producing new findings, it signals that the pool of vulnerabilities has become densely packed, with many issues still left to uncover.At the same time, remediation has not kept pace. We find vulnerabilities far faster than we can fix them. Each cycle adds to the backlog, and each unpatched issue remains a live exposure, reinforcing the need for continuous threat exposure management (CTEM). Attackers can use the same AI capabilities to identify and exploit those weaknesses just as quickly. The gap between discovery and remediation continues to widen.Fixing vulnerabilities remains harder, requiring holistic understanding, testing, and coordination across teams. It requires validating exploitability, ensuring patches do not introduce regressions, and aligning across engineering, security, and operations. These processes are not easily automated, even as agentic AI improves. It’s an important point when AI systems begin making decisions or interacting with users because the approach to risk must mature. That’s where AI security testing becomes the turning point.Recent testing with advanced AI systems on heavily audited codebases shows that even the most scrutinized software still contains a significant number of undiscovered issues. In some cases, these systems have identified dozens of serious vulnerabilities in just a few weeks, despite years of prior review.We can’t ignore the implications. The problem was never small. We were just looking at it slowly.Rethinking remediation at scaleClosing the gap will require structural change. We must learn to operate in an environment of continuous discovery that scales far beyond traditional processes. Several shifts are becoming increasingly important:- Prioritize high-fidelity validation: As discovery scales, so does noise. Not every finding represents exploitable risk in a real-world context. Organizations that chase theoretical or low-impact issues will be overwhelmed. The focus must shift to validated, high-impact vulnerabilities, using AI to accelerate triage at scale and apply human judgment where it matters most: to separate critical risks from background noise.
- Collapse organizational handoffs: Traditional vulnerability management relies on multiple human transfer points between discovery and remediation. Tickets move between teams, often stalling in queues or requiring repeated clarification. In a high-velocity environment, these processes become bottlenecks. Organizations must reduce handoffs and compress the path from discovery to fix into a continuous, integrated loop, increasingly supported by agentic AI and how it can scale human expertise in the process.
- Feed discovery back into design: At dense discovery rates, recurring vulnerability classes are inevitable and it’s inefficient to treat them as isolated bugs. Instead, we should recognize them as design-level defects. Discovery data must inform how software gets architected and built to enable systemic fixes rather than repeated patching.




