Rupert Marais is a leading security specialist who has dedicated his career to hardening the perimeters of modern organizations. With deep expertise in endpoint protection, device security, and complex network management, he has witnessed firsthand how the digital landscape has shifted from manual oversight to an automated arms race. As businesses increasingly integrate artificial intelligence into their development and supply chains, Rupert provides a critical voice on how to navigate the resulting vulnerabilities and the escalating speed of cyber threats. This discussion explores the current trend of deploying flawed code, the shrinking window for remediation, and the urgent need for robust governance in an era where AI-driven attacks are becoming the new standard.
With three-quarters of organizations admitting to shipping code they know is vulnerable, what are the primary business pressures driving these deployment decisions, and how can teams better balance rapid release cycles against the long-term risks of known exploits?
The reality is that 75% of organizations find themselves stuck between a rock and a hard place, often choosing speed to market over foundational security. While this is a slight improvement from the 81% we saw last year, it highlights a persistent culture where meeting a product deadline feels more urgent than fixing a theoretical exploit. To find a balance, teams need to transition from seeing security as a final hurdle to integrating it as a continuous thread throughout the lifecycle. It is about understanding that a known exploit is not just a technical debt, but a ticking time bomb that can eventually cost far more than a delayed launch.
Projections suggest that the time it takes for a vulnerability to be exploited could shrink from several days down to just one minute by 2028. What specific technical shifts are enabling this acceleration, and what steps must security teams take to compress their remediation timelines accordingly?
The acceleration we are witnessing is staggering; we have moved from a window of 840 days back in 2018 to less than two days in 2026, and that one-minute mark in 2028 is closer than it feels. This shift is driven by the fact that threat actors are no longer manually scanning for weaknesses; they are using powerful AI models to identify and weaponize flaws the moment code is released. For security teams to survive this, they must move away from reactive patching and embrace automated, real-time remediation tools. If the adversary is using a machine to find the hole in sixty seconds, our defensive systems must be capable of closing it in thirty.
AI-generated code is currently being produced at a volume that outpaces manual security reviews. How are development teams currently vetting this automated output, and what specific governance policies should be implemented to manage the “math problem” of a growing vulnerability backlog?
Right now, many development teams are failing the “math problem” because they are trying to apply human-speed reviews to AI-speed production. The volume of code being generated is simply too high for manual oversight, leading to a backlog that grows exponentially every day. To manage this, organizations must implement strict governance policies that require AI-generated code to pass through automated security gates before it ever reaches a human reviewer. We need a formal AI usage policy—which currently only 35% of businesses have—that mandates rigorous scanning and limits the deployment of unvetted automated blocks.
Exploitation of vulnerabilities now accounts for nearly a third of initial access in data breaches. Given that threat actors are leveraging AI for dozens of different attack techniques, how should defense strategies evolve to counter this high-volume, automated scanning and entry?
We are seeing a significant jump in vulnerability exploitation, which now accounts for 31% of initial access points, up from 20% just a year ago. Threat actors are becoming incredibly versatile, with some documented using up to 50 different AI-assisted techniques to probe for weaknesses. Defensive strategies must evolve by adopting the same level of automation, moving toward a proactive stance where AI-driven threat hunting identifies patterns of automated scanning. It is no longer enough to build a wall; you need a system that can sense the vibration of a drill before it even touches the surface of your network.
While a majority of businesses express concern over their suppliers’ use of AI, only a small fraction have actually audited those third-party systems. What practical steps can a company take to verify a vendor’s AI security, and what metrics indicate a supply chain is truly resilient?
There is a massive gap between concern and action, as 75% of UK businesses worry about supplier AI risk, yet only 28% have actually performed an audit. To bridge this gap, companies should start by demanding transparency in how their vendors train and secure their AI models, making these audits a non-negotiable part of the procurement process. A resilient supply chain is one where the vendor can demonstrate a formal governance policy and provide evidence of regular, automated vulnerability assessments. If a supplier cannot tell you exactly how they are vetting their own AI-generated code, they are a liability waiting to happen.
More than 20% of attacks now involve a third-party supplier. In an environment where cyber events are becoming more frequent, what are the most effective ways to integrate suppliers into an incident response plan and ensure they adhere to strict AI usage standards?
With 22% of victims reporting that most or all of their attacks involved a supplier, it is clear that your security is only as strong as your weakest partner. Integrating suppliers into incident response means moving beyond a simple phone list to conducting joint tabletop exercises that simulate a breach originating in their environment. We have to treat suppliers as an extension of our own network, requiring them to adhere to the same strict AI usage standards we set internally. When a cyber event occurs—and they are occurring more often, with the rate rising to 59% in 2026—the communication channels must be pre-established and tested.
What is your forecast for the future of AI-driven supply chain security?
I believe we are entering an era of “zero-trust supply chains” where no piece of code or software update is accepted without automated validation, regardless of the source. As we move toward 2028, the manual vetting process will become obsolete, replaced by autonomous security layers that vet, patch, and monitor third-party integrations in real-time. Organizations that fail to adopt these AI-driven defenses will find themselves perpetually vulnerable to the one-minute exploit cycle. Ultimately, the winners in this landscape will be those who use AI not just to create faster, but to defend smarter.
