Panel Brief | Top Breaches in Cyber Security in 2025

By the end of 2025, one reality became impossible to ignore: the barrier to executing high-impact cyberattacks has collapsed.

The most damaging breaches of the year were not driven by novel zero-days or exotic techniques. Instead, they reflected something more concerning-capabilities once limited to nation-state or elite criminal groups are now widely accessible. AI-assisted tooling, automated reconnaissance, and commoditized exploitation platforms have turned advanced attacks into a baseline capability for mid-tier threat actors.

To understand what this shift means for defenders, four cybersecurity leaders-Sachin Deodhar, Matthew Harris, Matthew Rosenquist, and Meryl Vernon-came together to analyze the most consequential breaches of 2025. Their discussion surfaced a clear conclusion: the traditional security model, built on periodic testing and point-in-time assurance, is structurally misaligned with how modern attacks operate.

Breaches should now be assumed. The differentiator is no longer prevention alone, but the ability to limit blast radius, detect quickly, and recover decisively.

Watch the full panel discussion recording

Sachin Deodhar, Matthew Harris, Matthew Rosenquist, and Meryl Vernon where they shared their insights on “Top Breaches in Cyber Security in 2025.Link

FireCompass delivers a unified platform for Continuous Automated Red Teaming (CART), Penetration Testing, and Next-Generation Attack Surface Management.

>>FireCompass Free Trial

Strategic Context: The Democratization of Breach Capability

The panelists opened with a critical observation: breaches in 2025 did not introduce new attack vectors. They distributed access to vectors that previously required nation-state resources or criminal sophistication.

Sachin Deodhar stated: “The attacks in 2025 are driven less by elite actor capability and more by mid-tier operators leveraging artificial intelligence and automation to increase scale and sophistication.”

This inversion has profound implications:

• Attacker Barrier to Entry Collapsed: AI-assisted reconnaissance, automated exploitation, and evasion-by-default are now purchased services, not developed capabilities.
• Persistence of Detection Requires Scale: Traditional annual pentests or quarterly security audits miss 80% of the actual attack surface that threat actors probe continuously. Traditional testing assesses only ~20% of known assets; threat actors attack 100% of the surface, continuously.
• Board Visibility Increased: Regulatory mandates (SEC Rule 4-2(g) effective January 2025 requiring material breach disclosure within 4 days) and CEO-level incident escalations elevate cybersecurity from risk management to investor communications.

Matthew Rosenquist highlighted the implication for security investment: “The defender lag is structural. While waiting for AI-integrated security products, attackers are already using AI for evasion. This gap will persist for 18-24 months.”

Breach Categories: Beyond “Data Exfiltration”

The panel redefined what constitutes a breach, moving beyond the narrow framing of confirmed data theft:

Breaches of Trust: Supply chain defects, vendor negligence, software defects deployed to millions. Example: CrowdStrike’s Falcon Sensor crash affecting 8.5 million Windows endpoints globally.

Breaches of Security: Identity abuse, authentication bypass, unauthorized access to systems without data movement. Example: Salesforce OAuth token harvesting via third-party integrations.

Breaches of Availability: System outages with cascading public impact. Example: Cloudflare’s DNS misconfiguration disconnecting large internet segments.

Breaches of Control: Loss of asset inventory, privilege escalation, infrastructure takeover. Example: Jaguar Land Rover ransomware cascading through suppliers to government-level intervention.

Matthew Harris, referencing these categories, emphasized: “If everyone was just doing CIS 6 well-asset inventory, software inventory, data protection, secure configuration, identity & access management, and change management-90% of what I would attempt as a threat actor doesn’t work. But none of you are doing it well. You don’t have full asset inventory. You don’t have full identity and access inventory.”

This is precisely why continuous asset discovery-FireCompass’s NextGen Attack Surface Management (ASM) capability-has become foundational. ASM provides >99% coverage of infrastructure, applications, APIs, and shadow IT assets through autonomous OSINT and active reconnaissance. Organizations can no longer claim “we don’t know what we don’t know.”

Stay Ahead of Attackers with AI-Powered Automated Penetration Testing.

FireCompass delivers a unified platform for Continuous Automated Red Teaming (CART), Penetration Testing, and Next-Generation Attack Surface Management.

>>FireCompass Free Trial

The Attack Pattern Shift: Four Critical Dynamics

1. Perimeter Exploits in Decline; Identity and Cloud Ascendant

Traditional cybersecurity focused on CVEs, buffer overflows, and unpatched servers at the network edge. In 2025, the primary attack surface shifted decisively inward.

Attack vectors gaining dominance:

• Credential stuffing, session hijacking, token replay
• SaaS control plane misconfigurations (overpermissioned IAM roles, unmonitored API access)
• OAuth abuse targeting third-party integrations
• Legitimate application abuse (e.g., LogMeIn-legitimately signed code, making detection structurally difficult)

Matthew Harris noted: “We’re seeing more of a trend toward legitimate applications like LogMeIn making it very difficult to catch. The attack surface has expanded from ‘how do we patch CVEs’ to ‘how do we monitor and control every identity, every API token, every legitimate service running on our infrastructure?'”

Case Study: Salesforce Ecosystem Incident. Attackers did not exploit Salesforce. They harvested OAuth tokens from a third-party integration (Drift), then used those credentials to exfiltrate CRM data without triggering traditional breach indicators-no malware, no CVE exploitation, no perimeter compromise.

CISO Implication: Identity planes (users, service accounts, API tokens, bot identities) must be continuously inventoried and monitored.

FireCompass Solution: ASM continuously discovers all API tokens, service accounts, OAuth integrations, and cloud IAM roles across your infrastructure. Real-time alerts notify when new, exploitable identities are created or exposed. Agent AI then autonomously tests whether overpermissioned identities can be abused-chaining credential capture → token replay → lateral cloud access → control plane actions. This validates the exact attack sequence the panel discussed.

2. AI-Orchestrated Kill Chains, Not Just AI-Assisted Tactics

In prior years, AI supported individual attack stages-phishing generation here, malware obfuscation there. In 2025, AI became the orchestration layer coordinating entire attack sequences autonomously.

Examples of AI-driven orchestration:

• Recon: Automated OSINT ingestion (breach dumps, GitHub repositories, SaaS metadata) to construct dynamic attack graphs in real time.
• Exploitation: Chained attacks without human pause-credential abuse → token replay → lateral cloud access → control plane actions.
• Evasion: Real-time behavioral adjustment to remain below SOC thresholds (the “Lakshman Rekha” principle: stay within the boundary that doesn’t trigger alerts).
• Persistence: Abusing admin tools, SaaS features, CI/CD runners, and backup systems to remain undetected indefinitely.

Matthew Rosenquist framed the economic asymmetry: “Attackers embrace AI tools faster than defenders integrate them. Vendors take 3+ quarters to add AI capabilities; threat actors take 3 weeks. Attackers don’t have procurement limitations. They just give themselves access to whatever tool they want. More at-bats equals more successful attacks.”

CISO Implication: Defenders must match the speed and scale of AI-assisted attacks using their own autonomous testing. Annual or quarterly pentests become obsolete.

FireCompass Solution: CART (Continuous Automated Red Teaming) uses Agentic AI to orchestrate the full attack lifecycle autonomously. The platform:

• Continuously discovers your entire attack surface via ASM
• Autonomously generates organization-specific attack plans (not generic playbooks)
• Executes multi-stage attacks mimicking real adversaries, including AI evasion tactics
• Validates real exploitability with live payload execution and proof of concept
• Generates automated remediation playbooks

Unlike manual pentesting (weeks of human effort per engagement), CART runs continuously without human intervention, providing 10-100x more testing coverage with the same budget. This closes the defender lag the panelists highlighted.

3. Adaptive Evasion: The Detection-Aware Attacker

Modern attackers no longer operate under time pressure-breach fast, exfiltrate, persist, and leave before detection. Instead, they engage in “detection shaping,” deliberately remaining within the boundaries of what defense mechanisms are built to alert on.

Sachin described this as the “Lakshman Rekha”-a mythological boundary that must not be crossed. Attackers get close, operate within it, and achieve objectives without triggering the isolated-system alert that would end the intrusion.

This is enabled by:

• SOC Threshold Mapping: Understanding alert tuning (e.g., alerts fire after 50 suspicious login attempts; attackers stay at 40).
• Detection Tool Awareness: Real-time scanning of installed security products and adjusting techniques accordingly.
• Living-off-the-Land: Using only legitimate tools (PowerShell, Group Policy, Azure AD, built-in backup systems) that generate noise indistinguishable from administrative activity.

CISO Implication: Static baselines and rule-based detection are insufficient. Continuous behavioral baselining and anomaly detection become non-negotiable.

FireCompass Solution: CART includes adaptive evasion testing specifically designed to validate whether your controls detect AI-assisted, detection-aware attacks. The platform:

• Simulates attack chains that deliberately stay below SOC thresholds
• Tests whether behavioral baselining catches evasion attempts
• Validates that detection rules don’t just fire on volume, but on behavioral anomalies
• Provides continuous red teaming that doesn’t just test “loudly” but tests realistically-how an attacker would actually operate inside your environment

This transforms security testing from “can we find vulnerabilities?” to “can we detect and contain this specific attacker behavior?”

Stay Ahead of Attackers with AI-Powered Automated Penetration Testing.

FireCompass delivers a unified platform for Continuous Automated Red Teaming (CART), Penetration Testing, and Next-Generation Attack Surface Management.

>>FireCompass Free Trial

4. Mid-Tier Operators Now Match Nation-State Capability

A decade ago, only nation-states and elite criminal syndicates had resources for multi-stage, advanced persistent threat (APT) campaigns. In 2025, the barrier to entry collapsed.

Any operator with access to:

• Vulnerability detection-as-a-service tools
• Exploitation frameworks (Metasploit Pro, Cobalt Strike)
• AI-assisted attack orchestration platforms
• Commoditized malware families and loaders

…can now operate at nation-state scale. Meryl Vernon stated plainly: “You don’t have to be good anymore. You just pay a little bit and you’ve got an exploit right there at your fingertips.”

This represents a force-multiplier effect: one attacker + AI automation = a specialized team’s capability.

CISO Implication: Organizations must assume their threat model includes sophisticated, well-funded attackers. Traditional defenses optimized for “commodity malware” are insufficient.

FireCompass Solution: CART’s multi-stage attack playbooks include APT-realistic scenarios:

• Ransomware susceptibility assessments that test recovery capability, not just prevention
• Nation-state attack tree simulations (MITRE ATT&CK-aligned)
• Privilege escalation path identification across cloud, on-premises, and hybrid infrastructure
• Exploitation chain testing that validates end-to-end kill chains

Organizations can now continuously test themselves against the threat model that mid-tier attackers can now afford to execute.

The Year’s Most Significant Breaches: Incident Analysis with FireCompass Remediation

Date of Report: July-August 2025

Overview: CrowdStrike pushed a defective Falcon Sensor configuration to millions of Windows devices globally. A single corrupted file triggered cascading system crashes affecting 8.5 million endpoints. Cloudflare made a routine DNS configuration change that inadvertently disconnected large internet segments.

Strategic Significance: These were not threat actor-driven breaches. Yet the business impact rivaled major cybersecurity incidents-CrowdStrike’s estimated total cost: $8 billion (combining lost sales, brand damage, and operational recovery).

Root Cause: Change management failure. Neither organization followed the basic controls required by CIS Controls 6.

CISO Takeaway:

• Change control is foundational and must precede any advanced defensive tooling. Implement change management with these disciplines:
  • Stakeholder coordination: Engage all product owners before deploying updates.
  • Blast radius assessment: Model cascading failures across dependent systems.
  • Automated rollback: Ensure you can revert changes instantly, not after investigation.
• Matthew Harris was emphatic: “Make sure you speak with all the stakeholders and owners of that product. Understand how that change will affect it. Have an effective rollback plan, not something that’s going to shut down the entire internet because of an oopsie.”

FireCompass Application:

• Pre-deployment validation via CART: Simulate a misconfigured update on representative systems to validate impact before enterprise-wide rollout.
• Continuous validation: CART tests whether system configurations match approved baselines (CIS Controls 4: Secure Configuration).
• Incident simulation playbooks: Run BAS (Breach and Attack Simulation) scenarios to test change management rollback procedures.
• This transforms change management from “we followed the process” to “we validated the outcome under attack conditions.”
  

  Stay Ahead of Attackers with AI-Powered Automated Penetration Testing.

  FireCompass delivers a unified platform for Continuous Automated Red Teaming (CART), Penetration Testing, and Next-Generation Attack Surface Management.

  >>FireCompass Free Trial

Incident 2: Bybit-The Largest Single-Attack Financial Theft

Date of Report: Multiple phases through 2025

Overview: North Korean threat actors executed what panelists called the largest single-attack financial theft on record-$1.5 billion stolen from Bybit, a cryptocurrency exchange.

Context: While CrowdStrike’s cost was $8 billion (estimated), that combines lost sales and brand damage. Bybit’s $1.5 billion was actual hard currency stolen directly.

Attack Vector: Identity compromise at the exchange, leading to unauthorized access to financial control systems and blockchain asset transfers.

Strategic Significance: As organizations digitize assets (cryptocurrency, blockchain-based instruments, financial records), the potential blast radius grows exponentially. A single compromised credential can translate directly to billions in losses.

CISO Takeaway:

• Identify your crown jewels-systems that, if compromised, create direct financial loss or national security impact.
• Apply singular focus and defense-in-depth protection to these systems:
  • Require hardware-based multi-factor authentication for all administrative access.
  • Implement immutable audit logs with external forwarding (so attackers cannot delete evidence).
  • Segment financial and blockchain systems from general-purpose infrastructure.
  • Conduct quarterly penetration tests and red-team exercises specifically targeting these systems.

FireCompass Application:

• Targeted CART campaigns: Deploy red-teaming playbooks specifically against crown-jewel systems (financial platforms, cryptocurrency wallets, payment processing).
• Credential validation: ASM continuously scans for leaked or overpermissioned service accounts with access to financial control systems.
• Multi-factor authentication testing: CART tests whether MFA can be bypassed via token replay, session hijacking, or fatigue attacks.
• Supply chain for fintech: Assess vendors and third parties with access to financial infrastructure; test their security posture proactively.
• Incident response validation: Simulate a financial system compromise and validate detection/containment in less than detection latency.

The result: instead of assuming “we have good defenses,” organizations know definitively whether a $1.5 billion compromise is detectable and containable.

Incident 3: Salesforce OAuth Abuse & Microsoft Copilot Prompt Injection

Date of Report: Multiple incidents, 2025

Overview:

• Salesforce: Attackers harvested OAuth tokens from the Drift integration with Salesforce CRM, exfiltrating customer data without triggering detection.
• Microsoft Copilot: Researchers discovered prompt injection attacks enabling unauthenticated data exfiltration at scale from LLM-integrated Microsoft services.

Attack Vectors:

• OAuth token replay (tokens captured, reused across sessions)
• Prompt injection (manipulating LLM instructions to bypass guardrails)

Strategic Significance:

• API and protocol security remains immature. Most enterprises lack granular API security controls or centralized API token management.
• AI and LLM vulnerabilities are largely unexplored territory. Prompt injection, context manipulation, and model-specific attacks will proliferate in 2026 and beyond.
• Organizations are rushing to integrate AI everywhere without understanding the attack surface they’re creating.

Sachin’s observation: “The Microsoft Copilot attack caught my attention because it involves a modern AI LLM-very popular, involuntarily pushed to users-integrated across all Microsoft services. We should expect to see more of these attacks because even AI companies themselves don’t fully understand their LLMs. They’re discovering prompt injection techniques even as we speak.”

CISO Takeaway:

• Audit every OAuth integration and third-party API connection. Understand:
  • What data can be accessed by this integration?
  • What happens if the OAuth token is compromised?
  • Is there monitoring for bulk or unusual data access patterns?
• For LLM and AI integrations:
  • Do not assume security by obscurity or complexity. Assume LLM interactions can be manipulated.
  • Monitor LLM query patterns for signs of exfiltration (e.g., unusual data requests, encoding attempts).
  • Isolate sensitive data from LLM training and inference pipelines.

FireCompass Application:

• OAuth token discovery & testing: ASM discovers all OAuth integrations, API tokens, and cloud IAM roles. CART autonomously tests whether these tokens can be replayed or abused for privilege escalation.
• API security validation: CART includes API security testing playbooks; the platform can autonomously execute authentication bypass, token manipulation, and data exfiltration scenarios.
• LLM attack simulation: Prompt injection testing can be added to CART playbooks to validate whether AI services can be manipulated into exfiltrating sensitive data.
• Third-party API monitoring: Continuous monitoring of data flows through third-party APIs; alerts when unusual volumes or patterns are detected.
  

  Stay Ahead of Attackers with AI-Powered Automated Penetration Testing.

  FireCompass delivers a unified platform for Continuous Automated Red Teaming (CART), Penetration Testing, and Next-Generation Attack Surface Management.

  >>FireCompass Free Trial

Incident 4: Jaguar Land Rover-Supply Chain Cascade and Board-Level Recovery Decisions

Date of Report: 2025

Overview: A ransomware attack on Jaguar Land Rover (owned by Tata Group, India’s largest conglomerate) cascaded through the entire automotive supply chain. Suppliers dependent on JLR couldn’t pay employees. The ripple extended across the sector.

Critical Detail: JLR’s board chose not to pay the ransom. This decision was more costly than capitulation would have been-but it set a precedent. The board said “we will not fund criminal operations” and endured the pain of recovery.

Strategic Significance: Boards are increasingly rejecting ransom payments on principle and policy. This fundamentally changes how security budgets must be allocated.

Matthew Rosenquist noted: “Regulators are taking note. Elevating the topic to the CEO and board level. This has ripple effects. Organizations are moving from ‘how do we prevent attacks’ to ‘how do we survive and recover when attacks succeed?'”

CISO Takeaway:

• Business continuity and disaster recovery are no longer “optional.” They are board-level decision points.
• Build recovery capability:
  • Maintain immutable, offline backups that cannot be modified even with domain admin credentials.
  • Test restoration at scale quarterly; assume backup indexes themselves were targeted.
  • Document and rehearse supply chain recovery workflows with critical vendors.
  • Establish contracts requiring vendors to maintain independent recovery capability.
• Shift narrative from “we prevent breaches” to “we survive breaches.”

FireComass Application:

• Ransomware susceptibility assessment: CART includes ransomware attack playbooks that test whether backup systems and recovery procedures are resilient. The platform simulates encryption of production data and validates whether recovery can be executed without paying ransom.
• Supply chain security testing: FireCompass includes supply chain assessment modules that proactively test vendor security posture. Organizations can ensure critical suppliers maintain their own recovery capability.
• Backup system validation: CART simulates attacker attempts to locate, access, and delete backups. This validates whether backup infrastructure is truly immutable and isolated.
• Incident response playbook validation: Run tabletop exercises with CART simulations to test containment speed and recovery procedures under realistic conditions.

Instead of learning recovery capability from a real ransomware attack, organizations validate it continuously beforehand.

Incident 5: Aflac & Coinbase-The Persistent Insider Threat Pattern

Date of Report: Multiple incidents, 2025

Overview:

• Aflac: Identity theft and financial system compromise involving shared user accounts and social engineering.
• Coinbase: A contractor was paid to exfiltrate data on 70,000 users. That data became the attack vector for downstream social engineering campaigns.

Pattern: Both breaches highlighted the same vulnerability-shared accounts and insider access.

When “user1” performs an action on a legacy medical device or hospital system:

• Zero Attribution: You don’t know which of five people sharing that account performed the action.
• Impossible Compliance: HIPAA, SOX, and other frameworks require individual accountability.
• Invisible Insider Threats: You cannot detect which insider is malicious if multiple people share credentials.

Strategic Significance: Legacy infrastructure and shared accounts are not just convenience trade-offs; they are structural security blindspots that enable insider threats while eliminating the ability to attribute or investigate them.

CISO Takeaway:

• Eliminate shared accounts:
  • Require individual credentials for every user, every system.
  • For legacy systems that don’t support individual accounts, isolate them and add compensating controls (network segmentation, enhanced monitoring).
  • This is non-negotiable for HIPAA, SOX, and most compliance frameworks.
• Implement continuous audit logging:
  • Log every action tied to an individual user, not a shared account.
  • Ensure logs are immutable and externally forwarded (so insiders cannot delete evidence).

FireCompass Application:

• Shared account discovery: ASM continuously scans for shared credentials, service accounts with excessive privilege, and API keys embedded in code.
• Insider threat simulation: CART includes playbooks that simulate insider threats-a malicious contractor exfiltrating data or a disgruntled employee escalating privileges.
• Credential behavior analytics: Continuous monitoring of credential usage patterns; alerts when a service account suddenly exhibits unusual behavior (accessing data it doesn’t normally touch, exfiltrating at unusual times).
• Compliance validation: CART validates that audit logging captures individual attribution for every action, meeting HIPAA, SOX, and PCI compliance requirements.

The Defender Lag Problem: Structural Asymmetry

The speed asymmetry between attackers and defenders is not tactical-it is structural.

Attacker Advantage:

• No procurement process, no legal review, no vendor lock-in agreements.
• Access to cutting-edge AI tools, exploitation frameworks, and commodity malware within weeks.
• Multiple simultaneous attack iterations without organizational friction.

Defender Constraints:

• Vendor integration (3+ quarters to add AI to security products).
• Procurement and legal processes (average 6-9 months).
• Internal change management and staff training.
• Legacy technology integration and backward compatibility.

Matthew Rosenquist highlighted the regulatory dimension: “Effective January 2025, publicly held U.S. companies must report material security incidents within 4 days. The irony is devastating: most organizations take 6-9 months to discover a breach in the first place. The four-day reporting window becomes arbitrary. But it elevates cybersecurity to the board level because the impact is now ‘material’ to investors.”

This regulatory pressure has cascading effects:

• Budget Allocation: CISOs must justify investments in detection speed, not just prevention.
• Vendor Selection: Speed-of-integration becomes a primary evaluation criterion.
• Board Expectations: Incidents become investor communications; reputational damage is material to stock price.

FireCompass Addresses the Lag:

• Continuous Testing, Not Periodic: Instead of waiting 3+ quarters for vendors to integrate AI, organizations deploy CART immediately for continuous automated testing.
• Reduce Risk Window: FireCompass reduces risk window from 90-364 days (traditional annual/quarterly testing) to less than 2 days. This directly addresses the board’s concern about “we took 9 months to find it.”
• Real-Time Asset Inventory: ASM provides immediate visibility into the full attack surface, not annual reconnaissance audits.
• Autonomous Remediation Playbooks: CART doesn’t just find vulnerabilities; it generates automated fixes and validates remediation before handoff to engineering.
  

  Stay Ahead of Attackers with AI-Powered Automated Penetration Testing.

  FireCompass delivers a unified platform for Continuous Automated Red Teaming (CART), Penetration Testing, and Next-Generation Attack Surface Management.

  >>FireCompass Free Trial

The Most Repeatable Failure Pattern: Identity Mismanagement

Across every major 2025 breach, the common thread was identity abuse:

• Initial Access: Credential stuffing, session hijacking, token replay
• Persistence: Compromised identities remain valid indefinitely
• Lateral Movement: Overpermissioned service accounts, API keys in code, hardcoded credentials in config files

Why does identity remain such a consistent vulnerability?

• Inventory Gap: Organizations can’t enumerate all identities (users, service accounts, API tokens, bot identities).
• MFA Fatigue: Multi-factor authentication is effective, but users are trained to bypass it through fatigue attacks.
• Shared Accounts: Legacy systems force shared logins, masking attribution entirely.
• API Key Sprawl: Every cloud service, third-party integration, and internal tool gets API keys that are never rotated or revoked.

Meryl Vernon observed: “API security is not doing well. It’s behind where other modern enterprise controls have gotten.”

FireCompass Solution:
The CART platform’s continuous identity testing directly addresses this:

• Complete Identity Inventory: ASM discovers all human users, service accounts, API tokens, OAuth integrations, and bot identities across infrastructure, cloud, and SaaS.
• Credential Exposure Detection: Continuous scanning for leaked credentials, hardcoded secrets in repositories, and exposed API keys.
• Privilege Validation: CART autonomously tests whether service accounts are overpermissioned by attempting privilege escalation paths.
• Token Reuse & Replay Testing: Simulates session hijacking and token replay attacks to validate whether captured credentials can be abused.
• API Security Playbooks: CART includes playbooks that test OAuth abuse, API key interception, and unauthorized API access.
• Real-Time Alerts: New, exploitable identities are surfaced in real-time, not discovered in retrospective audits.

What Defenders Can Actually Control: The Pragmatic Framework

When asked where to invest in automation first, Sachin Deodhar provided unusually practical guidance: “Automate where you’re already getting quick wins.”

Maturity Curve

Already Mature (Implement These Now):

• Detection rule automation (continuous SIEM/IDS rule engineering)
• Response playbook orchestration (SOAR platforms)
• Vulnerability scanning and assessment
• Asset discovery and inventory
• Continuous red teaming (CART)

Emerging in 2026 (Pilot These):

• SOC Tier 1 alert triage (AI dramatically improves signal-to-noise)
• Behavioral and adaptive security awareness training
• Vulnerability prioritization by business context (not just CVSS scores)
• GRC automation (continuous compliance vs. annual audits)

Still Immature (Wait and Learn):

• Identity controls (still figuring out what to measure)
• Third-party monitoring (not enough maturity or standardization)
• LLM security controls (threat landscape is still being discovered)

The Actionable Framework

• Start with low-hanging fruit: Focus on measurements you already know how to validate.
• Deploy detection rule automation early: Continuous rules engineering beats static signatures.
• Automate response playbooks: Prioritize high-volume, low-complexity scenarios (e.g., malware detected on endpoint → isolate → notify security team).
• Implement continuous validation: Annual pentests assess ~20% of the attack surface. Threat actors attack 100% of it, continuously.
• Deploy CART platform: Immediately address the “20% problem” with continuous red teaming that covers 100% of your attack surface.

Meryl added the key insight: “When I’m on a sales call explaining force multipliers, customers see it immediately for attackers. I ask, ‘Why don’t you see the same leverage for defense?’ The cognitive dissonance is real.”

FireCompass CART Deployment:

• Start with ASM: Discover your complete attack surface in week 1.
• Layer CART playbooks: Begin with ransomware susceptibility and identity abuse testing.
• Enable Agent AI: Autonomously generate and execute organization-specific attack plans without manual effort.
• Measure and iterate: Track metrics like risk window reduction, remediation acceleration, and detection rate improvement.
  

  Stay Ahead of Attackers with AI-Powered Automated Penetration Testing.

  FireCompass delivers a unified platform for Continuous Automated Red Teaming (CART), Penetration Testing, and Next-Generation Attack Surface Management.

  >>FireCompass Free Trial

Reframing Security Metrics: What Boards Actually Need

If a board asks, “Are we safer than last year?”, don’t answer with:

• Number of vulnerabilities patched
• Compliance checkbox completion
• CVSS scores

Instead, provide:

Metric 1: Exposure-Based Outcomes

Traditional: “We’ve implemented 78% of our security controls.”

Better: “Here are the 5 most viable attack paths that could impact revenue. We’ve eliminated 3. For the remaining 2, here’s our detection latency and containment time.”

This shifts the conversation from inputs (controls implemented) to outcomes (risk reduced).

FireCompass Enables This:

• PARC (Patented Attack-Tree Automation) chains vulnerabilities into real attack paths.
• Attack path visualization shows board exactly which sequences could compromise crown jewels.
• Continuous validation proves whether detection catches these paths.

Metric 2: Adverse-Based Testing

Don’t just assert controls work-demonstrate it under live attack conditions:

• Purple teaming exercises
• Breach and Attack Simulation (BAS)
• Controlled red team campaigns with measured detection/response times
• Distinguish between attacks detected automatically (deterministic) and those requiring manual investigation (human-dependent)

FireCompass Enables This:

• CART executes full kill-chain simulations continuously (not once per year).
• Real-time detection & response validation: see exactly how long detection takes and whether containment works.
• Automated playbook generation: immediately convert findings into remediation.

Metric 3: Business Impact, Not Technical Metrics

Rank vulnerabilities by business impact, not CVSS:

• Which systems generate 80%+ of revenue?
• Which compromises cascade through supply chains?
• Which exposures breach regulatory thresholds?

Matthew Rosenquist shared: “A client had CVSS 10s affecting 2% of revenue, while moderate findings affected 80% of revenue. Blindly fixing by CVSS is security theater.”

FireCompass Enables This:

• PARC prioritizes vulnerabilities by exploitability + business context, not CVSS alone.
• Supply chain assessment maps cascading impacts through vendors.

Metric 4: Resilience Readiness

Boards increasingly reject ransom payments. Investment narrative must reflect this:

• Recovery Time Objective (RTO) for critical systems
• Business continuity drill results (quarterly)
• Supply chain recovery mapping and testable plans

FireCompass Enables This:

• Ransomware playbooks: CART simulates encryption and validates recovery can succeed without paying ransom.
• Backup validation: continuous testing of backup integrity and restoration speed.
• Incident response playbook validation: quarterly simulations of major incident scenarios.
  

  Stay Ahead of Attackers with AI-Powered Automated Penetration Testing.

  FireCompass delivers a unified platform for Continuous Automated Red Teaming (CART), Penetration Testing, and Next-Generation Attack Surface Management.

  >>FireCompass Free Trial

The Foundation Still Matters: CIS Controls 6

Every panelist, despite focusing on cutting-edge AI threats, returned to the same theme: the basics still dominate.

Meryl called CIS Controls “the unsung hero of the industry.” Matthew Harris was direct: “Do CIS 6 well. All of you. Please.”

What Is CIS Controls 6?

1. Asset Inventory: Know what you own.
2. Software Inventory: Know what’s running.
3. Data Protection: Know what’s sensitive.
4. Secure Configuration: Baseline hardening across all systems.
5. Identity & Access Management: Individual credentials, least privilege.
6. Change Management: Controlled modifications with rollback plans.

Why Organizations Still Fail CIS 6

• Operational Friction: Shared accounts are “more efficient” than individual identity enforcement.
• Visibility Gaps: You can’t inventory what you don’t see (cloud sprawl, shadow IT, forgotten systems).
• Legacy Complexity: 15-year-old medical devices don’t support modern IAM.

The Path Forward

Rather than waiting for perfect conditions, embed continuous validation:

• Continuous asset discovery: Weekly reconnaissance of your infrastructure.
• Continuous vulnerability scanning: Every API, database, and cloud bucket.
• Continuous compliance: Automated drift detection, not annual audits.
• Continuous red teaming: Not pentests once a year, but ongoing attack simulation.

This is where the paradigm shifts from “do an audit to prove we’re compliant” to “maintain a baseline and validate it continuously.”

FireCompass Continuous Validation Against CIS 6:

• Control 1 (Asset Inventory): ASM discovers 99%+ of assets continuously. Real-time alerts when new assets appear.
• Control 2 (Software Inventory): Scan all systems for installed software and outdated versions.
• Control 3 (Data Protection): Identify and monitor sensitive data storage (databases, cloud buckets, file shares).
• Control 4 (Secure Configuration): CART tests whether systems match approved baselines; identify drift automatically.
• Control 5 (Identity & Access Management): ASM discovers all identities; CART tests whether they’re overpermissioned; validate privilege escalation controls.
• Control 6 (Change Management): Test every change in staging before production; validate rollback capability.

CIS 6 is no longer a compliance checkbox. It becomes a continuously validated operational baseline.

2026 Priorities: Shrink Your Blast Radius

When panelists were asked what to prioritize in 2026, they converged on practical, achievable targets:

Priority 1: Eliminate Shared Accounts & Enforce Individual Identity

• Remove shared user accounts from every system.
• Implement individual login credentials with comprehensive audit trails.
• For legacy systems that don’t support individual accounts, isolate them with compensating controls.
• This is non-negotiable for HIPAA, SOX, and most compliance frameworks. It also eliminates the invisible insider threat problem.

FireCompass Roadmap: ASM continuously discovers shared accounts and alerts CISOs to legacy systems lacking individual identity support. CART tests whether compensating controls (network isolation, monitoring) are sufficient to meet compliance.

Priority 2: Know Your Critical Business Functions

• Which systems generate your revenue?
• Which compromises would trigger board-level escalation?
• Prioritize defenses around those systems, not everything equally.
• CISOs have finite budgets. Triage ruthlessly.

FireCompass Roadmap: Crown-jewel identification module within ASM; focused CART playbooks specifically for revenue-critical systems; quarterly red-team exercises prioritizing high-blast-radius targets.

Priority 3: Invest in Resilience, Not Just Prevention

• Detection and response speed matter more than perfection.
• Business continuity and disaster recovery are no longer “optional”-they are board mandates.
• Test recovery playbooks quarterly.
• Assume attackers will succeed; plan for survival.

FireCompass Roadmap: Ransomware susceptibility assessments validate recovery speed; incident response playbook simulation; supply chain recovery mapping.

Priority 4: Get Your Arms Around AI (Defensive)

• Don’t wait for perfect understanding; deploy AI in SOC automation, vulnerability management, and GRC.
• Assume attackers are already using AI; you’re playing catch-up.
• Build institutional AI muscle, not just tool adoption.

FireCompass Roadmap: Agent AI enables autonomous penetration testing without waiting for human pen testers. LLM-powered interface allows non-technical security teams to orchestrate complex attack scenarios. Institutional learning compounds as CART discovers and tests more attack paths.

Stay Ahead of Attackers with AI-Powered Automated Penetration Testing.

FireCompass delivers a unified platform for Continuous Automated Red Teaming (CART), Penetration Testing, and Next-Generation Attack Surface Management.

>>FireCompass Free Trial

What CISOs Should Stop Doing in 2026

The panelists also identified activities that consume time without reducing risk:

• Stop Ranking Vulnerabilities by CVSS Alone: Prioritize by business context.
• Stop Security Theater Compliance: Implementing controls because a framework requires them, not because they reduce risk.
• Stop Accepting Defender Lag: Build your own AI capabilities rather than waiting for vendors.
• Stop Reactive Security: Allocate time for strategy, threat modeling, and prioritization.
• Stop Limiting Red Teams: If China can attack it, your red team should test it.

FireCompass Enables All of These:

• PARC prioritizes by exploitability + business impact.
• Continuous compliance validation: compliance becomes operationalized, not ceremonial.
• Agent AI eliminates dependency on human pen testers; autonomous attack orchestration matches attacker speed.
• Automated playbook generation and remediation prioritization; CISOs focus on strategy.
• Unlimited red teaming: CART runs 24/7, testing everything attackers could target.

The Medium-Term Outlook: When Defenders Gain Advantage

Matthew Rosenquist offered a sobering but important prediction: “We’re going to get the AI tools we need. It’s just going to be about three quarters from now. So the attackers are going to maintain that advantage.”

This is realism, not defeatism. But he added a counterpoint: “Over the long term, defenders benefit more as AI becomes part of compilers, scanners, and development tools. Almost real-time vulnerability discovery and remediation becomes possible.”

The Strategic Implication: The next 18-24 months are perilous. Attackers maintain an overwhelming advantage. But organizations that invest in AI defensively now will compound that advantage as tooling matures. Those that wait will be perpetually behind.

Why FireCompass CART Matters in This Timeline:

• Vendors will spend 18+ months integrating AI into their products. FireCompass has already deployed Agent AI natively into CART.
• Organizations that start continuous red teaming today will have 18+ months of operational data, remediation history, and institutional learning by the time traditional security tools catch up.
• The 10-100x testing multiplier compounds over time: more tests → more vulnerabilities found and fixed → lower attack surface → attacker difficulty increases exponentially.

Conclusion: The New Baseline

2025 proved that you no longer need nation-state resources, elite hacker expertise, or sophisticated zero-days to execute breaches with material business impact.

You need:

• AI-assisted tooling (commoditized)
• Automation (readily available)
• Persistence (measured in days, not months)
• One exploitable identity or API token

The organizations that survive 2026 won’t be those with the fanciest tools. They’ll be those with:

• Strong fundamentals: Asset inventory, identity governance, change control-executed continuously, not annually.
• Fast feedback loops: Continuous testing, not annual audits.
• Ruthless prioritization: Crown jewels get the best defenses; non-critical systems get baseline protection.
• Resilience planning: When attacks succeed-and they will-how fast can you recover?

The panelists’ collective advice: Do the basics, continuously, with rigor. The rest follows.

How FireCompass Enables This Baseline

FireCompass Continuous Automated Red Teaming (CART) is specifically architected to address the gap between awareness and action that the panel identified.

The Problem: Organizations know they need continuous security testing, but:

• Traditional annual pentests assess only ~20% of the attack surface
• Manual red-teaming is expensive and infrequent
• Defender lag means new AI tools won’t be integrated for 18+ months
• Attack surface is expanding exponentially (cloud, SaaS, APIs, shadow IT)
• Risk window from breach discovery to incident response is still 6-9 months, despite 4-day regulatory reporting requirements

FireCompass Solution:

1. Complete Attack Surface Visibility (NextGen ASM)

• Autonomous discovery of 99%+ of infrastructure, applications, APIs, cloud assets, and shadow IT
• Continuous monitoring for new, exploitable assets
• Real-time alerts when sensitive data, credentials, or overpermissioned identities are exposed
• Addresses the “20% problem”: discover what competitors, regulators, and attackers see

2. AI-Orchestrated Continuous Red Teaming (CART + Agent AI)

• Autonomous execution of multi-stage attack playbooks matching real attacker behavior
• Agentic AI generates organization-specific attack plans, not generic playbooks
• Full kill-chain simulation: reconnaissance → exploitation → lateral movement → persistence → exfiltration
• Tests adaptive evasion, detection-aware tactics, and AI-assisted techniques
• Runs 24/7 without human intervention; 10-100x testing coverage vs. manual pentesting

3. Real Exploitability Validation

• Doesn’t just flag vulnerabilities; safely executes them to confirm real-world exploitability
• Live payload execution with proof of concept
• False positive reduction through automated validation
• Risk prioritization by exploit chain feasibility, not CVSS scores

4. Automated Remediation & Compliance

• Generates remediation playbooks automatically
• Validates fixes before deployment
• Continuous compliance testing (CIS 6, HIPAA, SOX, PCI)
• Transforms compliance from annual audit to continuous operational baseline

5. Incident Response Simulation

• Tabletop exercises with realistic attack simulations
• Validates detection speed, containment capability, and recovery procedures
• Ransomware playbooks test backup resilience and recovery without paying ransom
• Supply chain cascade testing to validate vendor security posture

Outcome: Organizations move from “we don’t know what we don’t know” to “we know our exact attack surface, continuously test it, and validate we can survive real attacks.”

Stay Ahead of Attackers with AI-Powered Automated Penetration Testing.

FireCompass delivers a unified platform for Continuous Automated Red Teaming (CART), Penetration Testing, and Next-Generation Attack Surface Management.

>>FireCompass Free Trial