<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
  <channel>
    <title>Tenable Blog</title>
    <link>https://www.tenable.com/</link>
    <description/>
    <language>en</language>
    <atom:link href="https://www.tenable.com/blog/feed" rel="self" type="application/rss+xml"/>
    
    <item>
  <title>How much cyber risk does AI create for organizations? 457 million security issues. Here’s what you can do about it.</title>
  <link>https://www.tenable.com/blog/how-much-cyber-risk-does-ai-create-for-organizations-457-million-security-issues-heres-what</link>
  <description>&lt;p&gt;Over a 30-day period, Tenable detected 457 million AI-related security issues among 7,000-plus organizations, an average of 62,000 exposures per organization. If we didn’t already know that shadow AI was a problem, data like this makes it clear every organization needs to visualize, map, assess, and protect with a comprehensive exposure management program.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li data-list-item-id="e90c067c65c7f142aaed6522f70be3257"&gt;AI tools — approved and unapproved — are driving a massive wave of daily exposures, including an average of 62,000 per organization during a recent 30-day period. This is creating AI security issues that are primarily tied to misconfigurations and unmanaged dependencies rather than standard CVEs.&lt;/li&gt;&lt;li data-list-item-id="ea007c8055c9184c49d8acc2c032d722f"&gt;To successfully outpace AI-assisted threat actors, security teams must deploy automated, agentic workflows that can contain and remediate critical exposures at machine speed.&lt;/li&gt;&lt;li data-list-item-id="e773b99bc29222e4c780d192f39f284e3"&gt;It’s time for security teams to shift from legacy vulnerability scanning to AI-driven, contextual exposure management that maps specific attack paths leading to their most critical assets.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;How much cybersecurity risk does AI create for organizations?&lt;/h2&gt;&lt;p&gt;For years, some security leaders have lived by a simple, comforting truism: If the service-level agreement (SLA) dashboard for vulnerability remediation is green, the organization is safe. By focusing on tracking CVEs and patching schedules, they believe they’re effectively managing cyber risk.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Today, as AI boosts cyber threats and transforms cyber defenses, this maxim has morphed from a risky platitude into an outright dangerous fallacy. 
Cyber teams that operate under this model risk drowning in what Tenable calls the “vulnami” — a tsunami of CVEs fueled by AI vulnerability discovery. They also risk failing to see and address the vast expanse of non-CVE threats in their hybrid environments.&lt;/p&gt;&lt;p&gt;In this blog, we’ll answer the question, “How much cybersecurity risk does AI create for organizations?” and we’ll unpack how exposure management can empower security teams to not only stay ahead of the CVE “vulnami,” but also tackle non-CVE issues across their entire attack surface, both on premises and in the cloud.&lt;/p&gt;&lt;h2&gt;The sad state of vulnerability remediation&lt;/h2&gt;&lt;p&gt;Almost &lt;a href="https://www.tenable.com/blog/key-findings-from-the-verizon-dbir-2026"&gt;one-third of breaches (31%) start with an unpatched CVE&lt;/a&gt;, making vulnerability exploitation the most common initial access vector, according to the &lt;a href="https://www.verizon.com/business/resources/reports/dbir/"&gt;2026 Verizon Data Breach Investigations Report&lt;/a&gt; (DBIR).&lt;/p&gt;&lt;p&gt;Here is the kicker: most of these CVEs aren’t headline-grabbing zero-days. 
Often, these are years-old vulnerabilities for which patches have long been available.&amp;nbsp;&lt;/p&gt;&lt;p&gt;To illustrate this point, here’s what recent telemetry from the &lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One Exposure Management Platform&lt;/a&gt; showed:&lt;/p&gt;&lt;ul&gt;&lt;li data-list-item-id="e083fd00566809f34d0a1cbe188536a09"&gt;1,865 organizations still exposed to the 2024 vulnerability in Fortinet FortiOS &lt;a href="https://www.tenable.com/cve/CVE-2024-21762"&gt;CVE-2024-21762&lt;/a&gt;&lt;/li&gt;&lt;li data-list-item-id="ef099729002ff09053b34c6eec75921c3"&gt;3,569 organizations still exposed to the 2021 Log4Shell vulnerability &lt;a href="https://www.tenable.com/cve/CVE-2021-44228"&gt;CVE-2021-44228&lt;/a&gt;&lt;/li&gt;&lt;li data-list-item-id="e2ffad88286cba97880b9ee57cdfcc9fe"&gt;1,430 organizations still exposed to the 2017 WannaCry vulnerability &lt;a href="https://www.tenable.com/cve/CVE-2017-0144"&gt;CVE-2017-0144&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Moreover, based on aggregated data from more than 13,000 organizations, the 2026 Verizon DBIR report found that those organizations fully remediated only 26% of the CVEs in the &lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog"&gt;Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities&lt;/a&gt; (KEV) catalog, which lists CVEs being actively exploited in the wild.&lt;/p&gt;&lt;p&gt;And with regard to timely patching, the DBIR finds most organizations aren’t making progress; they’re going backward. The median time-to-patch stands at 43 days, up from 32 days reported in last year’s Verizon DBIR. In short, it’s taking companies longer to patch at the exact moment AI allows attackers to discover and exploit flaws at unprecedented speeds.&lt;/p&gt;&lt;p&gt;Given this reality, it’s time for defenders to use AI to automate vulnerability prioritization and remediation. 
This requires trusting your security stack, including agentic &lt;a href="https://www.tenable.com/solutions/ai-security"&gt;AI security&lt;/a&gt; tools, and your team, so that you can fix your most critical vulnerabilities in hours, not weeks or months.&lt;/p&gt;&lt;p&gt;It’s also time to go beyond &lt;a href="https://www.tenable.com/solutions/vulnerability-management"&gt;vulnerability management&lt;/a&gt;, which remains essential but is insufficient on its own. To keep your organization secure in the age of AI, you need to assess all security threats, including identity flaws and misconfigurations, across your IT, operational technology (OT), AI, IoT, and cloud assets and see how they combine to create attack paths leading to your organization’s most sensitive systems and data.&lt;/p&gt;&lt;h2&gt;The staggering scope and impact of non-CVE threats&lt;/h2&gt;&lt;p&gt;If, according to the 2026 DBIR, 31% of breaches start with a CVE, that means two-thirds of cyber incidents begin with something else entirely, such as:&lt;/p&gt;&lt;ul&gt;&lt;li class="ck-list-marker-bold" data-list-item-id="ed6867af9616940e71e7874df47cf11a8"&gt;&lt;strong&gt;A misconfiguration&lt;/strong&gt;&lt;/li&gt;&lt;li class="ck-list-marker-bold" data-list-item-id="e8c110903a176b2de94bb9f4d75dfb149"&gt;&lt;strong&gt;A stolen credential&lt;/strong&gt;&lt;/li&gt;&lt;li class="ck-list-marker-bold" data-list-item-id="ee7900deae3a85da1e55dea81c20cd973"&gt;&lt;strong&gt;An exposed secret&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;How relevant are non-CVE security issues? Based on Tenable telemetry, about 37% of findings are not CVEs but they account for 63% of breach entry points. 
Let that sink in: one-third of your findings account for two-thirds of your risk.&lt;/p&gt;&lt;p&gt;Thus, if your security program only or primarily looks at CVEs, you are functionally blind to the majority of your attack surface.&lt;/p&gt;&lt;h2&gt;The invisible yet massive threat: Shadow AI&lt;/h2&gt;&lt;p&gt;This visibility gap is widening every week because of AI. Every time a new AI tool explodes onto the market, employees adopt it, often without asking for approval from your organization.&lt;/p&gt;&lt;p&gt;How often does your team scramble to figure out if an unapproved AI tool is running in your environment? And just like other areas of your infrastructure, most AI risks aren’t standard CVEs, but rather LLM misconfigurations, unmanaged model dependencies, exposed credentials within AI workloads, and more.&lt;/p&gt;&lt;p&gt;To put the scale of this problem into perspective, during a recent 30-day period, the Tenable One Exposure Management Platform found 457 million security issues across our customer base using 274 detection plugins built specifically for AI. That averages out to 62,000 AI-related exposures per customer.&lt;/p&gt;&lt;p&gt;Here’s one specific example of shadow AI risk. A customer, using our AI detection plug-ins, found 12 instances of &lt;a href="https://www.tenable.com/blog/agentic-ai-security-how-to-mitigate-clawdbot-moltbot-openclaw-vulnerabilities"&gt;OpenClaw, the agentic AI personal assistant tool previously known as Clawdbot and Moltbot&lt;/a&gt;. Not that bad at first glance, although the organization hadn’t approved the use of OpenClaw in their environment. But upon deeper inspection, they discovered a much more serious situation.&lt;/p&gt;&lt;p&gt;The OpenClaw instances had been installed on the customer’s cloud workloads by a contractor they had hired to do quality assurance testing. They had given the contractor their API keys, as well as access to a large portion of their source code. 
Moreover, the contractor configured the OpenClaw instances so that he could manage them remotely via Telegram — another unapproved tool.&amp;nbsp;&lt;/p&gt;&lt;p&gt;In other words, they had a dozen instances of an unapproved AI tool with autonomous capabilities that was accessing their source code and that had been installed by a third-party contractor. Furthermore, OpenClaw was remotely downloading who knows what software from the internet, while being controlled through a communications channel into which the company had neither visibility nor access.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The lesson for all of us: You need &lt;a href="https://www.tenable.com/blog/strategic-framework-for-securing-AI-with-exposure-management?"&gt;security for AI&lt;/a&gt; because your AI attack surface isn’t a future problem. It is already here.&lt;/p&gt;&lt;h2&gt;Enter AI-driven exposure management&lt;/h2&gt;&lt;p&gt;If traditional CVE programs are necessary but insufficient, what is the answer? You guessed it: it’s &lt;a href="https://www.tenable.com/exposure-management"&gt;AI-driven exposure management&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Exposure management goes way beyond legacy, point-in-time vulnerability scanning to continuously assess vulnerabilities, misconfigurations, excessive permissions, and exposed secrets that attackers could exploit across your entire attack surface: on premises, in the cloud, in OT environments, and across AI tools and infrastructure. Crucially, exposure management goes beyond simply listing these problems by mapping the attack paths that connect them.&lt;/p&gt;&lt;p&gt;Notably, &lt;a href="https://www.tenable.com/research"&gt;research from Tenable&lt;/a&gt; shows that, on average, an organization faces three attack paths for every single security finding, so if you have 50,000 findings, your environment offers attackers 150,000 potential paths to breach. Of course, they don’t all matter equally. 
Here, exposure management also helps you by isolating and cutting off the paths that lead directly to your most critical assets.&lt;/p&gt;&lt;p&gt;Does your team know the top five or top ten attack paths an attacker would most likely use at any given time to reach your organization’s crown jewels today? Does your team know how long it would take them to break those attack-path chains? If the answer to those questions is “no”, then your priorities for exposure remediation are probably wrong.&lt;/p&gt;&lt;h2&gt;The clock is ticking&lt;/h2&gt;&lt;p&gt;AI is making defenders’ jobs even harder. The challenge of keeping pace with the speed of attacks, vulnerability discovery, exploitation, and attack surface expansion demands a &lt;a href="https://www.tenable.com/cybersecurity-guide/principles/preemptive-cybersecurity"&gt;preemptive security&lt;/a&gt; operating model and a new approach to reducing cyber risk.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The good news is that with AI-driven exposure management automating attack path mapping and prioritization, you can outpace the threat by gaining:&lt;/p&gt;&lt;ul&gt;&lt;li data-list-item-id="ef48739e6a5b3889f126d0903abcaa2eb"&gt;Unified visibility via continuous &lt;a href="https://www.tenable.com/products/vulnerability-management/use-cases/asset-discovery"&gt;asset discovery&lt;/a&gt; across your entire hybrid attack surface, capturing all vulnerabilities, misconfigurations, excessive permissions, and other security issues&lt;/li&gt;&lt;li data-list-item-id="ecd97b6dfd9cc9b08f9ecde7548685ba5"&gt;Contextual, AI-powered insights that map how seemingly isolated security issues interconnect to create dangerous, exploitable attack paths&lt;/li&gt;&lt;li data-list-item-id="edd040ccaa30bd13431d717dd4c6c6604"&gt;Machine-speed action that triggers automated, orchestrated fixes via &lt;a href="https://www.tenable.com/products/tenable-one/capabilities/hexa-ai"&gt;agentic AI&lt;/a&gt; workflows with appropriate guardrails, including human 
oversight&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Exposure management is here, and it offers comprehensive asset discovery, including unapproved &lt;a href="https://www.tenable.com/blog/cybersecurity-awareness-month-is-for-security-leaders-too"&gt;shadow AI&lt;/a&gt; tools, full attack surface visibility, more precise prioritization, and machine-speed remediation.&lt;/p&gt;&lt;p&gt;It won’t be easy, but exposure management makes it possible to secure your organization in the age of AI. Let’s do it.&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;em&gt;To learn more, read the blog “&lt;/em&gt;&lt;a href="https://www.tenable.com/blog/beating-the-mythos-clock-using-tenable-hexa-ai-custom-agents-for-automated-patching"&gt;&lt;em&gt;Beating the Mythos clock: Using Tenable Hexa AI custom agents for automated patching&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.”&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/How%20much%20cyber%20risk%20does%20AI%20create%20for%20organizations%3F.png"&gt;
</description>
  <pubDate>Wed, 24 Jun 2026 09:00:00 -0400</pubDate>
    <dc:creator>Eric Doerr</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210987</guid>
    </item>
<item>
  <title>What the Miasma campaign reveals about the new supply chain threat model and the underground market for developer credentials</title>
  <link>https://www.tenable.com/blog/what-the-miasma-campaign-reveals-about-the-new-supply-chain-threat-model-and-the-underground</link>
  <description>&lt;p&gt;A stolen session cookie sat in underground markets for seven weeks before attackers used it to poison 32 Red Hat packages in the npm software registry, an example of the industrial approach behind modern supply chain attacks.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;Miasma is a self-propagating npm worm derived from &lt;a href="https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions"&gt;Mini Shai-Hulud&lt;/a&gt; that TeamPCP open-sourced on May 12. The public release of the full weaponized toolchain means any operator can now replicate structurally identical supply chain campaigns.&lt;/li&gt;&lt;li&gt;The Miasma campaign compromised 89-plus npm packages across three waves (June 1-5), affecting Red Hat, Vapi.ai, and Microsoft Azure repositories. The worm produced malicious packages with valid SLSA Build Level 3 provenance attestations, defeating the highest tier of supply-chain integrity verification.&lt;/li&gt;&lt;li&gt;The root cause was a stolen developer credential that sat in infostealer logs for seven weeks before weaponization. 
This infostealer-to-supply-chain pipeline is the defining pattern of the Developer Credential Economy.&lt;/li&gt;&lt;li&gt;The Miasma campaign’s third wave (June 5) introduced a significant escalation: persistence files that target AI coding assistants (Claude Code, Cursor, Gemini CLI, VS Code), expanding the attack surface from package registries to the developer’s local environment.&lt;/li&gt;&lt;li&gt;Relying on execution-layer detection, such as EDR, is insufficient against supply chain threats because EDR tools lack visibility into the ephemeral CI/CD environments where credential theft and weaponization occur.&lt;/li&gt;&lt;li&gt;Organizations should treat developer credentials as control-plane infrastructure and adopt a phased &lt;a href="https://www.tenable.com/cybersecurity-guide/learn/what-is-ctem"&gt;Continuous Threat Exposure Management (CTEM)&lt;/a&gt; approach: harden the generation layer, neutralize harvested secrets in real time, and enforce human-gated publishing controls.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Background on the Miasma worm and npm supply chain attack&lt;/h2&gt;&lt;p&gt;On June 1, the &lt;a href="https://www.darkreading.com/application-security/miasma-supply-chain-worm-73-microsoft-repositories"&gt;Miasma self-propagating worm&lt;/a&gt; compromised 32 official npm packages under the @redhat-cloud-services namespace, delivering a credential-harvesting payload to an estimated 80,000 to 117,000 weekly downloads. 
Within five days, the campaign escalated through three distinct attack waves and forced GitHub to &lt;a href="https://devops.com/github-takes-down-73-microsoft-repos-after-miasma-worm-attack/"&gt;disable 73 repositories across four Microsoft organizations&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;The technical details of the Miasma supply-chain attack are alarming: valid &lt;a href="https://openssf.org/projects/slsa/"&gt;Supply Chain Levels for Software Artifacts (SLSA)&lt;/a&gt; provenance attestations on malicious packages; a novel execution technique that bypasses install-script monitoring; and a new persistence mechanism that targets AI coding assistants. But the most important detail is a timestamp.&lt;/p&gt;&lt;p&gt;Dark web monitoring firm &lt;a href="https://whiteintel.io/blog/red-hat-miasma-supply-chain-attack"&gt;Whiteintel detected a Red Hat employee’s GitHub credential&lt;/a&gt; and session cookie in infostealer logs on April 13. A second sighting appeared on May 15. The credential sat in underground markets for approximately seven weeks before attackers weaponized it on June 1. That seven-week gap is the signature of an emerging threat model that &lt;a href="https://www.tenable.com/profile/research-special-operations"&gt;Tenable’s Research Special Operations&lt;/a&gt; (RSO) team calls the &lt;a href="https://www.tenable.com/blog/the-developer-credential-economy-exposure-data-is-the-new-front-line-in-the-supply-chain-war"&gt;&lt;strong&gt;Developer Credential Economy&lt;/strong&gt;&lt;/a&gt;, and has been tracking since March 2026.&lt;/p&gt;&lt;p&gt;The Developer Credential Economy is a structured black market for highly privileged developer credentials where open-source supply chain compromises function as credential generation infrastructure, underground markets serve as the distribution layer, and multiple threat actors with distinct motivations weaponize the harvested access downstream. 
The Miasma campaign is the clearest example of this model to date, and it validates a pattern that has been accelerating across the npm, PyPI, and GitHub ecosystems throughout 2026.&lt;/p&gt;&lt;h2&gt;The three-layer economy, explained through Miasma&lt;/h2&gt;&lt;p&gt;When it first assessed this pattern in March, Tenable RSO built the analysis around the TeamPCP cascading campaign (Trivy, KICS, LiteLLM, Telnyx, and 66+ npm packages) and the Sapphire Sleet/UNC1069 &lt;a href="https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069"&gt;Axios compromise&lt;/a&gt;. The thesis identified a three-layer structure: credential generation, distribution, and weaponization. Three months later, the Miasma campaign validates each layer with striking clarity.&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Layer&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Actor / group&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Operational focus&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Primary targets&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Miasma validation&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Generation&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;TeamPCP&lt;/td&gt;&lt;td&gt;Bulk credential harvesting via tool exploitation&lt;/td&gt;&lt;td&gt;Trivy, KICS, TanStack, Red Hat npm scope&lt;/td&gt;&lt;td&gt;Miasma's payload sweeps GitHub tokens, cloud credentials, CI/CD secrets, SSH keys, and .env files from every infected environment&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Distribution&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Underground markets, infostealer aggregators&lt;/td&gt;&lt;td&gt;Credential brokering and tooling proliferation&lt;/td&gt;&lt;td&gt;Stolen developer credentials; open-sourced worm code&lt;/td&gt;&lt;td&gt;Red Hat employee credential sat in infostealer logs for 
seven weeks before weaponization; Shai-Hulud source published May 12&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Weaponization&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Sapphire Sleet (DPRK-nexus), LAPSUS$, Miasma operator, copycat actors&lt;/td&gt;&lt;td&gt;State-sponsored exfiltration, data theft, cascading supply chain compromise&lt;/td&gt;&lt;td&gt;Axios (npm), Mercor AI, @vapi-ai/server-sdk, Azure/durabletask&lt;/td&gt;&lt;td&gt;Each Miasma wave generates a fresh credential pool, feeding the next wave and enabling downstream actors&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;h3&gt;Layer 1: Credential generation&lt;/h3&gt;&lt;p&gt;The Developer Credential Economy’s first layer is extraction. Threat actors compromise developer tooling and open-source infrastructure not primarily to distribute malware to end users, but to harvest the credentials those environments contain, such as GitHub tokens, npm publishing tokens, cloud provider credentials, CI/CD secrets, SSH keys, and API keys.&lt;/p&gt;&lt;p&gt;TeamPCP pioneered this at scale beginning in September 2025 with the original &lt;a href="https://www.tenable.com/blog/faq-about-sha1-hulud-2-0-the-second-coming-of-the-npm-supply-chain-campaign"&gt;Shai-Hulud&lt;/a&gt; worm. Its defining innovation was cascading credential extraction: compromise one trusted tool, harvest the credentials it holds, and use those credentials to compromise the next tool in the dependency chain.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The &lt;a href="https://arstechnica.com/security/2026/03/widely-used-trivy-scanner-compromised-in-ongoing-supply-chain-attack/"&gt;Trivy vulnerability scanner compromise&lt;/a&gt; yielded CI/CD runner secrets. Those secrets enabled the &lt;a href="https://www.bleepingcomputer.com/news/security/new-checkmarx-supply-chain-breach-affects-kics-analysis-tool/"&gt;KICS compromise&lt;/a&gt;. KICS yielded additional cloud credentials. 
Each link in the chain generated a broader set of privileged access.&lt;/p&gt;&lt;p&gt;By May, TeamPCP had refined this into the &lt;a href="https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions"&gt;Mini Shai-Hulud&lt;/a&gt; variant, which introduced two capabilities that made the generation layer dramatically more efficient:&amp;nbsp;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Wormable propagation&lt;/strong&gt;: The malware queries the npm registry for every package the compromised identity can publish, and republishes itself across all of them automatically.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;CI/CD pipeline hijack via OpenID Connect (OIDC) token extraction&lt;/strong&gt;: Rather than stealing static credentials, Mini Shai-Hulud requests short-lived OIDC tokens through GitHub Actions, enabling it to publish packages with valid cryptographic provenance.&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;In the Miasma supply chain campaign, this generation layer operated through a Red Hat employee’s compromised GitHub account. 
The worm’s payload swept the infected environment for:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;GitHub tokens and personal access tokens&lt;/li&gt;&lt;li&gt;npm publishing tokens&lt;/li&gt;&lt;li&gt;AWS, GCP, and Azure cloud credentials&lt;/li&gt;&lt;li&gt;HashiCorp Vault tokens&lt;/li&gt;&lt;li&gt;Kubernetes service account tokens&lt;/li&gt;&lt;li&gt;SSH private keys&lt;/li&gt;&lt;li&gt;Docker registry credentials&lt;/li&gt;&lt;li&gt;GPG keys&lt;/li&gt;&lt;li&gt;.env files&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The June variant added dedicated collectors for GCP and Azure cloud identities, going beyond secret extraction to enumerate all cloud access the infected machine holds.&lt;/p&gt;&lt;p&gt;Every machine that ran &lt;em&gt;npm install&lt;/em&gt; against a compromised @redhat-cloud-services package version became a credential generation node.&lt;/p&gt;&lt;h3&gt;Layer 2: Distribution&lt;/h3&gt;&lt;p&gt;The second layer is the marketplace. Stolen credentials flow from the generation layer into underground markets, infostealer log aggregators, and access brokering services, where they become available to any buyer.&lt;/p&gt;&lt;p&gt;The Miasma supply chain attack timeline makes this layer visible in a way previous campaigns did not. Whiteintel detected the Red Hat employee’s GitHub credential and session cookie in infostealer logs on April 13. That credential was not generated by a targeted supply chain attack against Red Hat; a commodity infostealer harvested it, one of 13.2 million infostealer infections that &lt;a href="https://spycloud.com/resource/report/spycloud-annual-identity-exposure-report-2025/"&gt;SpyCloud's 2025 Identity Exposure Report&lt;/a&gt; documented as producing an average of 50 credentials per infection. 
The credential entered the distribution layer as one data point among billions: SpyCloud recaptured 5.3 billion credential pairs, 18.1 million exposed API keys and tokens, and 8.6 billion stolen session cookies from criminal underground monitoring in 2025 alone.&lt;/p&gt;&lt;p&gt;For seven weeks, the credential sat in the distribution layer before someone acted on it. That dwell time is the systemic gap that the Developer Credential Economy exploits. Organizations that do not monitor underground markets for exposed developer credentials are operating on the assumption that the generation-to-weaponization pipeline does not exist, or that it operates too slowly to matter. Miasma demonstrates that even a seven-week window, which is long by underground market standards, is more than sufficient for weaponization.&lt;/p&gt;&lt;p&gt;The distribution layer was further amplified on May 12, when TeamPCP published the complete Mini Shai-Hulud source code on GitHub under an MIT License with the message “Shai-Hulud: Open Sourcing The Carnage.” The release included CI cache-poisoning scripts, the OIDC token extractor, and the credential stealer with its propagation logic. This is the supply chain equivalent of publishing a working exploit framework: the tooling itself became a distribution channel, lowering the barrier to entry for any operator who wants to run a structurally identical campaign.&lt;/p&gt;&lt;h3&gt;Layer 3: Weaponization&lt;/h3&gt;&lt;p&gt;The third layer is operational use. 
Actors with distinct motivations acquire credentials from the distribution layer and weaponize them against specific targets.&lt;/p&gt;&lt;p&gt;In March, the RSO team documented at least &lt;a href="https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069"&gt;three distinct actors operating from the same credential pool&lt;/a&gt;: TeamPCP harvested at scale; Sapphire Sleet/UNC1069 (DPRK-nexus) operationalized stolen npm tokens for financial gain through the Axios compromise; and LAPSUS$ exploited compromised Tailscale VPN credentials from the LiteLLM breach for data theft from Mercor AI. The same credential ecosystem fed all three.&lt;/p&gt;&lt;p&gt;Miasma’s weaponization layer continues to evolve, but the trajectory across its three waves demonstrates the pattern:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Wave 1 (June 1)&lt;/strong&gt; used the stolen Red Hat credentials to compromise 32 @redhat-cloud-services packages, generating a fresh round of credentials from every developer environment that installed a compromised version.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Wave 2 (June 3)&lt;/strong&gt; pivoted to 57 additional packages using a novel technique researchers call &lt;a href="https://cybersecuritynews.com/binding-gyp-supply-chain-attack-compromises-dozens-of-npm-packages/"&gt;“Phantom Gyp”&lt;/a&gt;, which abuses a 157-byte &lt;em&gt;binding.gyp&lt;/em&gt; file to trigger code execution during npm install, bypassing the preinstall-script monitoring that defenders had deployed after earlier waves.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Wave 3 (June 5)&lt;/strong&gt; used a previously compromised contributor account, the same one from the May 19 PyPI attack, to push malicious commits to Microsoft’s &lt;em&gt;Azure/durabletask&lt;/em&gt; repository, forcing GitHub to disable 73 repositories in a 105-second automated sweep.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Each wave fed the 
next: Credentials stolen in Wave 1 enabled access for Wave 2 targets, and the same compromised accounts persisted into Wave 3. The worm’s self-propagating behavior ensures that the credential pool grows with each successful infection, creating a compounding cycle where generation and weaponization overlap.&lt;/p&gt;&lt;h2&gt;The escalation that should concern every security team&lt;/h2&gt;&lt;p&gt;Three aspects of the Miasma campaign represent genuine escalations beyond what the security community had observed in prior supply chain attacks.&lt;/p&gt;&lt;h3&gt;1. Provenance attestation is no longer sufficient&lt;/h3&gt;&lt;p&gt;Miasma’s Wave 1 packages carried valid SLSA Build Level 3 provenance attestations, the highest tier of software supply chain integrity verification. Red Hat's legitimate CI/CD pipeline built the packages, using Red Hat’s trusted OpenID Connect (OIDC) identity, through GitHub Actions workflows that the attacker injected into the pipeline. The cryptographic certificate was accurate. The package really was built by that pipeline. The pipeline just happened to contain malware at the time.&lt;/p&gt;&lt;p&gt;This is not a bypass of provenance verification. It is a demonstration that provenance verification answers a different question than defenders assume. A signed attestation proves that a specific pipeline built a package. It does not prove the pipeline was clean. Organizations that rely on provenance verification as their primary supply chain control should treat Miasma as a structural limitation, not a one-off failure.&lt;/p&gt;&lt;h3&gt;2. 
AI coding agents are now an attack surface&lt;/h3&gt;&lt;p&gt;The Phantom Gyp wave (June 3) and the Azure wave (June 5) introduced a persistence mechanism not previously documented in supply chain campaigns: the malware drops configuration files into project directories for AI coding assistants, including &lt;em&gt;.claude/settings.json&lt;/em&gt; for Claude Code, &lt;em&gt;.cursor/rules&lt;/em&gt; for Cursor, and configuration files for Gemini CLI and VS Code. These are not trojanized extensions or compromised plugins. They are instruction-layer overrides that silently alter the behavior of the AI assistant the next time a developer opens the project.&lt;/p&gt;&lt;p&gt;If a developer opens an infected project in an AI-assisted IDE, the backdoor executes. The attacker’s hidden instructions can then influence AI-generated code, potentially introducing subtle vulnerabilities that are difficult to distinguish from legitimate suggestions. This represents a meaningful expansion of the attack surface from package registries and CI/CD pipelines to the developer’s local environment and AI-assisted workflow. The attack does not require npm install; it triggers when a developer opens a repository.&lt;/p&gt;&lt;p&gt;This is the first observed supply chain campaign systematically targeting the AI-assisted development workflow as a persistence and propagation surface. As AI coding assistants become standard tooling in enterprise development environments, this attack vector is likely to be replicated and refined.&lt;/p&gt;&lt;h3&gt;3. Open-sourced tooling has created a copycat ecosystem&lt;/h3&gt;&lt;p&gt;Mini Shai-Hulud is no longer limited to TeamPCP. The public release of the full weaponized toolchain on May 12 means any operator can replicate structurally identical campaigns against new target ecosystems. 
The Miasma payload is derived from the open-sourced code, with cosmetic modifications replacing Dune universe references with Greek mythology themes (“Miasma,” “spartan,” “nemean-hydra”). It’s unclear whether this is TeamPCP operating under a new brand or a separate actor who studied the published code and improved upon it. What is clear is the implication. The barrier to conducting npm supply chain attacks has been significantly and permanently lowered.&lt;/p&gt;&lt;p&gt;The evidence suggests that this proliferation is already occurring. &lt;a href="https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"&gt;Palo Alto Networks’ Unit 42 documented that copycat activity&lt;/a&gt; using the Shai-Hulud toolchain has complicated future attribution, and the Phantom Gyp wave’s evolution (&lt;em&gt;binding.gyp&lt;/em&gt; execution, AI agent targeting, modified exfiltration channels) is consistent with either continued TeamPCP operation or a capable operator building on publicly available infrastructure.&lt;/p&gt;&lt;h2&gt;Why EDR and reactive detection cannot solve this problem&lt;/h2&gt;&lt;p&gt;The narrative around supply chain defense has leaned heavily on execution-layer detection: the idea that &lt;a href="https://www.tenable.com/blog/relying-on-edr-for-exposure-management-what-you-need-to-know"&gt;endpoint detection and response&lt;/a&gt; (EDR) tools will catch the payload when it fires, so organizations are protected. The Miasma campaign exposes why this assumption is structurally flawed.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;EDR monitors execution, not exposure.&lt;/strong&gt; Relying on EDR to stop a supply chain attack is like relying on a smoke detector while storing open canisters of gasoline in your kitchen. EDR cannot see the misconfigured GitHub Action, the over-privileged npm token, or the seven-week-old stolen credential sitting in an underground market. 
By the time an EDR agent fires on a malicious payload, the credential theft that enables the next wave has already occurred.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;The coverage gap is where the theft happens.&lt;/strong&gt; EDR has zero visibility into the ephemeral CI/CD runners and build environments where Miasma’s credential harvesting actually executes. These environments spin up, run the compromised npm install, exfiltrate secrets, and tear down, all before a human analyst could triage an alert. In the Developer Credential Economy, the theft happens where the agents are not.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Detection evasion is outpacing detection.&lt;/strong&gt; After the TanStack compromise in May, defenders deployed preinstall-script monitoring as a detection control. The Phantom Gyp wave, arriving just three weeks later, bypassed that control entirely by shifting execution to binding.gyp, a file that most security tooling does not monitor. The Azure wave then abandoned package installation altogether, shifting to repository-level configuration files that trigger on IDE/editor open. Each defensive response creates a new evasion target, and the iteration cycle is measured in days, not months. EDR evasion is an active, industrialized capability, and supply chain attackers are demonstrating the same adaptive behavior.&lt;/p&gt;&lt;p&gt;While EDR has a role, it addresses the symptom (the malware payload at execution) rather than the disease (the unmanaged exposure of developer credentials and CI/CD infrastructure). Neutralizing the systemic risk created by the Developer Credential Economy requires a fundamentally different approach: identifying and eliminating the exposure conditions before an attacker can exploit them.&lt;/p&gt;&lt;h2&gt;The ecosystem fights back, but the structural gap remains&lt;/h2&gt;&lt;p&gt;The npm ecosystem has not been passive. 
&lt;a href="https://x.com/npmjs/status/2056960835030016286"&gt;npm executed a platform-wide token invalidation&lt;/a&gt; on May 19, forcing every maintainer to re-authenticate. npm CLI version 11.15.0 introduced staged publishing with human 2FA approval gates, requiring a deliberate human confirmation step before any package version goes live. GitHub disclosed that approximately 3,800 internal repositories had been exfiltrated during the Shai-Hulud campaigns. Isaac Schlueter, npm’s founder, called for mandatory disablement of non-MFA publishing.&lt;/p&gt;&lt;p&gt;While meaningful, these responses are structurally reactive: each one addresses the technique observed in the previous wave while the attacker has already moved to the next. Staged publishing addresses the OIDC token abuse from Wave 1. It does not address Phantom Gyp’s &lt;em&gt;binding.gyp&lt;/em&gt; execution from Wave 2. Neither addresses the AI coding agent persistence from Wave 3.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;The path forward requires moving from reactive detection to preemptive exposure management: identifying and closing the credential generation points before attackers can weaponize them.&lt;/p&gt;&lt;/blockquote&gt;&lt;h2&gt;A phased approach to disrupting the credential economy&lt;/h2&gt;&lt;p&gt;The Developer Credential Economy operates on a simple principle: credentials that defenders do not know are exposed cannot be rotated, and therefore remain vulnerable. A phased &lt;a href="https://www.tenable.com/cybersecurity-guide/learn/what-is-ctem"&gt;CTEM&lt;/a&gt; approach disrupts the attack chain at each layer.&lt;/p&gt;&lt;h3&gt;Phase 1: Harden the generation layer&lt;/h3&gt;&lt;p&gt;The first priority is eliminating the conditions that allow credential theft to occur. Organizations must audit lockfiles and disable lifecycle hooks (&lt;em&gt;--ignore-scripts&lt;/em&gt;) immediately to eliminate the postinstall and preinstall vectors. 
But Miasma’s Phantom Gyp wave demonstrates that lifecycle hooks are no longer the only execution surface: add binding.gyp monitoring to package intake controls and audit all cloned repositories for AI coding agent persistence files (&lt;em&gt;.claude/settings.json&lt;/em&gt;, &lt;em&gt;.cursor/rules&lt;/em&gt;, &lt;em&gt;.gemini/&lt;/em&gt; configuration files).&lt;/p&gt;&lt;p&gt;Security tooling itself must be treated as critical infrastructure. The events of 2026 have proven this repeatedly: Trivy, Checkmarx KICS, and the &lt;a href="https://www.cisa.gov/news-events/alerts/2026/05/28/supply-chain-compromises-impact-nx-console-and-github-repositories"&gt;Nx Console VS Code extension&lt;/a&gt; all functioned as high-value entry points precisely because developers trust them. Subject security tools to the same integrity verification and isolation controls applied to production systems.&lt;/p&gt;&lt;h3&gt;Phase 2: Neutralize harvested secrets in real time&lt;/h3&gt;&lt;p&gt;The seven-week credential dwell time in Miasma’s attack timeline is the exploitation window that the Developer Credential Economy depends on. Closing that window requires moving beyond periodic rotation to continuous visibility into where credentials are exposed, including in underground markets, CI/CD runners, and ephemeral build stages where EDR has no footprint.&lt;/p&gt;&lt;p&gt;Implement continuous dark web credential monitoring for developer accounts (GitHub, npm, PyPI, Docker Hub) with automated rotation on detection. Enforce mandatory MFA with reduced personal access token lifetimes. The &lt;a href="https://www.tenable.com/cyber-exposure/cloud-and-ai-security-risk-report-2026"&gt;Tenable Cloud and AI Security Risk Report 2026&lt;/a&gt; found that 65% of cloud environments contain “ghost” credentials, dormant service accounts, and unrotated keys that provide ready-made pivot points for attackers. Every ghost credential is a free pass for an actor operating in the distribution layer. 
Use &lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One&lt;/a&gt; to map the full attack surface, including the CI/CD pipelines and cloud-native build stages that execution-layer detection cannot reach.&lt;/p&gt;&lt;h3&gt;Phase 3: Enforce human-gated publishing and break the automation chain&lt;/h3&gt;&lt;p&gt;The worm’s self-propagation depends on fully automated publishing: steal a token, enumerate publishable packages, republish with malware, repeat. Inserting a mandatory human confirmation step breaks that automation chain.&lt;/p&gt;&lt;p&gt;The npm staged-publishing feature (npm CLI 11.15.0) represents a concrete implementation of this gate, requiring a human 2FA approval before any package version goes live. Organizations should:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Adopt staged publishing or equivalent human-gated workflows immediately&lt;/li&gt;&lt;li&gt;Review GitHub Actions OIDC token scoping to ensure id-token: Write is limited to release workflows on protected branches only&lt;/li&gt;&lt;li&gt;Implement &lt;em&gt;minimumReleaseAge&lt;/em&gt; controls to quarantine new package versions before consumption&lt;/li&gt;&lt;li&gt;Establish detection rules for Miasma indicators: GitHub repositories with the description “Miasma: The Spreading Blight;” the GCP user-agent string google-api-nodejs-client/7.0.0; and the dead-drop GitHub account liuende501&lt;/li&gt;&lt;li&gt;Monitor for anomalous npm publish events and unauthorized GitHub repository creation in organizational accounts.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;These are not optional hardening measures. 
They are direct responses to capabilities that have been demonstrated in the wild and that are now available as open-source tooling for any operator to deploy.&lt;/p&gt;&lt;h2&gt;Where this goes from here&lt;/h2&gt;&lt;p&gt;The Developer Credential Economy represents a significant maturation of cyber crime, moving beyond opportunistic attacks to establish a sophisticated, scalable, and highly specialized marketplace. The events of March through June have validated this assessment with striking clarity: TeamPCP’s open-sourcing of the Shai-Hulud worm; the proliferation of copycat variants like Miasma; the cross-ecosystem spread from npm to PyPI to GitHub Actions to VS Code extensions; and the introduction of AI coding agent targeting as a new persistence surface.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;This evolution turns our own development tools against us to harvest the access needed for large-scale compromise.&amp;nbsp;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;The path forward is a fundamental shift toward exposure intelligence that identifies and closes the credential generation points before attackers can weaponize them. The organizations that will weather this shift are those that treat developer environments as control-plane infrastructure, not workstations, and manage them with the continuous visibility and proactive hardening that a CTEM framework provides.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Miasma’s seven-week credential trail is not a worst case. 
It is a baseline, and the next wave is already being assembled from the same open-sourced tooling.&lt;/p&gt;&lt;h2&gt;Learn more&lt;/h2&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions"&gt;Mini Shai-Hulud: Frequently asked questions about the TeamPCP supply chain campaign&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/the-developer-credential-economy-exposure-data-is-the-new-front-line-in-the-supply-chain-war"&gt;The developer credential economy: Why exposure data is the new front line in the supply chain war&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/crushing-axios-supply-chain-threat-tenable-hexa-ai-agentic-ai-use-cases"&gt;Crushing the Axios supply chain threat with Tenable Hexa AI: Use cases for agentic AI&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/faq-about-the-axios-npm-supply-chain-attack-by-north-korea-nexus-threat-actor-unc1069"&gt;Frequently asked questions about the Axios npm supply chain attack by North Korea-nexus threat actor UNC1069&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/how-cyberattackers-inflate-malicious-package-npm-download-counts"&gt;Download pumping: New npm deception technique for supply chain attacks&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;Join Tenable’s Research Special Operations (RSO) Team on &lt;/em&gt;&lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;Tenable Connect &lt;/em&gt;&lt;/a&gt;&lt;em&gt;for further discussions on the latest cyber threats.&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;Learn more about &lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;Tenable One&lt;/em&gt;&lt;/a&gt;&lt;em&gt;, the exposure management platform for the modern attack surface.&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/What%20the%20Miasma%20campaign%20reveals%20about%20the%20new%20supply%20chain%20threat%20model.png"&gt;
</description>
  <pubDate>Tue, 23 Jun 2026 09:00:00 -0400</pubDate>
    <dc:creator>Research Special Operations</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210984</guid>
    </item>
<item>
  <title>Oracle June 2026 Critical Security Patch Update Addresses 243 CVEs (CVE-2026-35273)</title>
  <link>https://www.tenable.com/blog/oracle-june-2026-critical-security-patch-update-addresses-243-cves-cve-2026-35273</link>
  <description>&lt;p&gt;&lt;strong&gt;Oracle addresses 243 CVEs in its June 2026 Critical Security Patch Update with 245 patches, including 122 critical updates.&lt;/strong&gt;&lt;/p&gt;&lt;h2&gt;Key Takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;The June 2026 Critical Security Patch Update (CSPU) contains fixes for 243 unique CVEs in 245 security updates&lt;/li&gt;&lt;li&gt;122 issues (49.8% of all patches) were assigned a critical severity rating&lt;/li&gt;&lt;li&gt;Oracle Fusion Middleware received the highest number of patches at 106, accounting for 43.3% of all patches&lt;/li&gt;&lt;/ol&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;p&gt;On June 16, Oracle released its &lt;a href="https://www.oracle.com/security-alerts/cspujun2026.html"&gt;&lt;u&gt;Critical Security Patch Update (CSPU) for June 2026&lt;/u&gt;&lt;/a&gt;. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 243 unique CVEs in 245 security updates across 11 Oracle product families. Out of the 245 security updates published, 49.8% of patches were assigned a critical severity. 
Critical severity patches accounted for the bulk of security patches at 49.8%, followed by high severity patches at 42.4%.&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/4bfd3fe0-a5b1-4842-83ba-ca1009e11fcd.png" alt="Pie chart showing the count of patches released in the Oracle June 2026 Critical Security Patch Update (CSPU)" width="670" height="371" referrerpolicy="no-referrer" loading="lazy"&gt;&lt;p&gt;This month's update includes 122 critical patches across 122 CVEs.&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Severity&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Issues Patched&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;CVEs&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Critical&lt;/td&gt;&lt;td&gt;122&lt;/td&gt;&lt;td&gt;122&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;High&lt;/td&gt;&lt;td&gt;104&lt;/td&gt;&lt;td&gt;102&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Medium&lt;/td&gt;&lt;td&gt;15&lt;/td&gt;&lt;td&gt;15&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Low&lt;/td&gt;&lt;td&gt;4&lt;/td&gt;&lt;td&gt;4&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Total&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;245&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;243&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;h2&gt;Analysis&lt;/h2&gt;&lt;p&gt;This month's update saw the Oracle Fusion Middleware product family contain the highest number of patches at 106, accounting for 43.3% of the total patches, followed by Oracle E-Business Suite at 55 patches, which accounted for 22.4% of the total patches.&lt;/p&gt;&lt;p&gt;A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.&lt;/p&gt;&lt;div class="table-responsive"&gt;&lt;table 
class="table"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Oracle Product Family&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Number of Patches&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Remote Exploit without Auth&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Oracle Fusion Middleware&lt;/td&gt;&lt;td&gt;106&lt;/td&gt;&lt;td&gt;53&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle E-Business Suite&lt;/td&gt;&lt;td&gt;55&lt;/td&gt;&lt;td&gt;6&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle JD Edwards&lt;/td&gt;&lt;td&gt;20&lt;/td&gt;&lt;td&gt;12&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle Enterprise Manager&lt;/td&gt;&lt;td&gt;16&lt;/td&gt;&lt;td&gt;6&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle Siebel CRM&lt;/td&gt;&lt;td&gt;12&lt;/td&gt;&lt;td&gt;7&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle PeopleSoft&lt;/td&gt;&lt;td&gt;11&lt;/td&gt;&lt;td&gt;7&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle Virtualization&lt;/td&gt;&lt;td&gt;10&lt;/td&gt;&lt;td&gt;0&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle MySQL&lt;/td&gt;&lt;td&gt;8&lt;/td&gt;&lt;td&gt;4&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle Communications&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle Systems&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;td&gt;1&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Oracle Supply Chain&lt;/td&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;1&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;h2&gt;Oracle PeopleSoft zero-day exploited&lt;/h2&gt;&lt;p&gt;On June 10, Oracle published an &lt;a href="https://www.oracle.com/security-alerts/alert-cve-2026-35273.html"&gt;&lt;u&gt;out-of-band Security Alert Advisory&lt;/u&gt;&lt;/a&gt; for &lt;a href="https://www.tenable.com/cve/CVE-2026-35273"&gt;&lt;u&gt;CVE-2026-35273&lt;/u&gt;&lt;/a&gt;, a remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools. 
On June 11, researchers at Google Threat Intelligence Group (GTIG) and Mandiant &lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit"&gt;&lt;u&gt;published a blog post confirming that CVE-2026-35273 was exploited in the wild as a zero-day&lt;/u&gt;&lt;/a&gt; by the extortion group ShinyHunters (UNC6240). The campaign, which affected over 100 global organizations, primarily impacted organizations within the United States, 68% of which were in the higher education sector. Organizations are advised to apply the available patches as soon as possible.&lt;/p&gt;&lt;h2&gt;Solution&lt;/h2&gt;&lt;p&gt;Customers are advised to apply all relevant patches in this CSPU. Please refer to the &lt;a href="https://www.oracle.com/security-alerts/cspujun2026.html"&gt;&lt;u&gt;June 2026 advisory&lt;/u&gt;&lt;/a&gt; for full details.&lt;/p&gt;&lt;h2&gt;Identifying affected systems&lt;/h2&gt;&lt;p&gt;A list of Tenable plugins to identify these vulnerabilities will appear &lt;a href="https://www.tenable.com/plugins/search?q=%22%28June+2026+CSPU%29%22&amp;amp;sort=&amp;amp;page=1"&gt;&lt;u&gt;here&lt;/u&gt;&lt;/a&gt; as they're released. 
This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.&lt;/p&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.oracle.com/security-alerts/cspujun2026.html"&gt;&lt;u&gt;Oracle Critical Security Patch Update Advisory - June 2026&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.oracle.com/security-alerts/cspujun2026verbose.html"&gt;&lt;u&gt;Oracle June 2026 Critical Security Patch Update Risk Matrices&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html"&gt;&lt;u&gt;Oracle Advisory to CVE Map&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join&lt;/strong&gt;&lt;/em&gt; &lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt; &lt;em&gt;&lt;strong&gt;on Tenable Connect for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about&lt;/strong&gt;&lt;/em&gt; &lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/oracle-critical-security-patch-update-cspu-june-2026.png"&gt;
</description>
  <pubDate>Thu, 18 Jun 2026 05:23:34 -0400</pubDate>
    <dc:creator>Research Special Operations</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210981</guid>
    </item>
<item>
  <title>Operationalize CISA BOD 26-04 with Tenable One</title>
  <link>https://www.tenable.com/blog/cisa-bod-26-04-tenable-helps-federal-agencies-comply</link>
  <description>&lt;p&gt;CISA’s new directive officially ends federal agencies’ reliance on static vulnerability scores. Learn how Tenable One helps federal agencies pivot to dynamic asset exposure, threat validation, and AI-powered automation to meet compressed compliance timelines.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;&lt;strong&gt;Key takeaways&lt;/strong&gt;&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;CISA’s BOD 26-04 supersedes previous guidelines and shifts federal vulnerability management programs away from prioritizing vulnerability remediation based on static severity scores, like CVSS, to a dynamic vulnerability prioritization model driven by real-world threat and asset context.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Tenable One maps directly to CISA’s four core risk variables (asset exposure, KEV status, exploit automation, and technical impact), delivering continuous visibility rather than point-in-time snapshots.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;With strict compliance timelines looming, Tenable Hexa AI and robust API integrations allow agencies to automate complex vulnerability prioritization and mandatory CDM asset tagging without scaling teams linearly.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;The directive tightly mandates security coverage across all federal information systems; Tenable One Cloud Exposure ensures certified and non-certified cloud infrastructures align with BOD 26-04 requirements.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;What are the implications of CISA BOD 26-04 on federal agency vulnerability management?&lt;/h2&gt;&lt;p&gt;The Cybersecurity and Infrastructure Security Agency (CISA) fundamentally changed the rules of federal vulnerability management with the release of &lt;a href="https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk"&gt;Binding Operational Directive (BOD) 26-04&lt;/a&gt;. 
By officially superseding BOD 19-02 and BOD 22-01, this new directive consolidates federal guidelines into a single, unified framework.&lt;/p&gt;&lt;p&gt;More importantly, it marks the end of using static severity scores to determine the urgency of a patch.&lt;/p&gt;&lt;p&gt;Driven by the rapid acceleration of AI-powered threats and increasingly sophisticated adversary campaigns, BOD 26-04 forces a pivot away from treating all vulnerabilities equally. Agencies can no longer rely on a simple checklist of Common Vulnerabilities and Exposures (CVEs). Instead, BOD 26-04 mandates a dynamic, risk-based vulnerability prioritization model built on real-world asset and threat context.&lt;/p&gt;&lt;p&gt;At Tenable, we believe federal agencies shouldn’t have to start from zero to meet these rigorous requirements. The &lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One Exposure Management Platform&lt;/a&gt; delivers the continuous &lt;a href="https://www.tenable.com/solutions/asset-inventory"&gt;asset discovery&lt;/a&gt;, threat validation, and automated orchestration needed to operationalize the requirements of BOD 26-04.&lt;/p&gt;&lt;h2&gt;How can Tenable help me comply with CISA BOD 26-04?&lt;/h2&gt;&lt;h3&gt;How Tenable One helps federal agencies assess the four key risk variables outlined in BOD 26-04&lt;/h3&gt;&lt;p&gt;BOD 26-04 dictates that vulnerability remediation timelines must be dynamically driven by four specific risk variables: asset exposure, KEV status, exploit automation, and technical impact. Tenable One helps federal agencies assess each variable. 
It provides the context and validation federal environments require, backed by comprehensive threat analysis.&lt;/p&gt;&lt;h4&gt;Variable #1: Asset Exposure&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;The directive:&lt;/strong&gt; Is the vulnerable asset publicly exposed to the internet?&lt;/li&gt;&lt;li&gt;&lt;strong&gt;The Tenable solution:&lt;/strong&gt; Tenable One provides multiple ways to determine which assets are externally accessible. Numerous sensors and third-party data connectors help determine whether a device is internet-facing or has a public IP address. The &lt;a href="https://docs.tenable.com/quick-reference/scoring-explained/Content/PDF/tenable-scoring-explained.pdf"&gt;Asset Criticality Rating (ACR)&lt;/a&gt; incorporates external exposure context by taking into account the asset’s location, its network connectivity, and the presence of security controls. &lt;a href="https://www.tenable.com/products/tenable-one/attack-surface-management"&gt;Tenable One Attack Surface Management (ASM)&lt;/a&gt; provides continuous discovery and identification of internet-facing assets. Rather than relying on a point-in-time snapshot, Tenable One gives agencies an always-on, outside-in view of their true public exposure.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;The strategic reality:&lt;/strong&gt; Tenable analyzed the full CISA Vulnrichment corpus against BOD 26-04’s tiered model and found that asset exposure is the single highest-leverage compliance variable. Removing an asset from public exposure can shift 76.7% of CVEs from the compressed remediation timelines to the deferral tier. 
Attack surface reduction is not just good security; under BOD 26-04, it is the most efficient path to compliance.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Variable #2: KEV status&amp;nbsp;&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;The directive:&lt;/strong&gt; Is the vulnerability tracked on CISA's Known Exploited Vulnerabilities (KEV) catalog?&lt;/li&gt;&lt;li&gt;&lt;strong&gt;The Tenable solution:&lt;/strong&gt; Tenable integrates CISA’s KEV catalog directly into our Vulnerability Priority Rating (VPR) scoring and compliance workflows. &lt;a href="https://www.tenable.com/cve"&gt;&lt;strong&gt;Tenable Vulnerability Watch&lt;/strong&gt;&lt;/a&gt; provides early identification of vulnerabilities being exploited in the wild &lt;em&gt;before&lt;/em&gt; they appear in the KEV catalog. This early warning capability gives organizations advance notice that their remediation timeline is about to compress.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;The compliance advantage: &lt;/strong&gt;Tenable maintains exploitation tracking that identifies active exploitation before CISA’s formal KEV listing. In a BOD 26-04 environment, this lead time gives federal agencies a compliance advantage: when a CVE is added to the KEV, the agency’s remediation timeline compresses immediately. Organizations that have advance warning can begin remediation before the mandatory clock starts, not after.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Variable #3: Exploit automation&amp;nbsp;&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;The directive:&lt;/strong&gt; Can an adversary fully automate all the steps necessary to exploit the vulnerability?&lt;/li&gt;&lt;li&gt;&lt;strong&gt;The Tenable solution:&lt;/strong&gt; Tenable VPR scoring natively assesses exploit maturity as a core feature: it evaluates whether functional exploit code exists, if exploitation has been observed at scale, and how accessible the path is. 
Tenable’s Asset Exposure Score (AES) further contextualizes risk by evaluating the combined exposure posture of each asset within the organization’s specific environment.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Challenging the automation assumption:&lt;/strong&gt; Tenable analyzed the full CISA Vulnrichment corpus (over 154,000 enriched CVEs) and found that 61% of actively exploited vulnerabilities cannot be automated. Most real-world exploitation is targeted, not mass-automated. This means organizations that focus remediation exclusively on automatable vulnerabilities will miss the majority of active threats. Tenable’s risk prioritization accounts for this by incorporating threat actor context, campaign intelligence, and exploitation breadth alongside automation maturity.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Variable #4: Technical impact&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;The directive:&lt;/strong&gt; Does the exploit grant the attacker partial or total control of the asset?&lt;/li&gt;&lt;li&gt;&lt;strong&gt;The Tenable solution:&lt;/strong&gt; Tenable integrates CVSS base scores and severity assessments for every CVE, seamlessly delivering the deep impact context required to satisfy the directive’s distinction between partial and total asset control.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;The critical density of total control:&lt;/strong&gt;&amp;nbsp;Tenable’s operational assessment reveals that 83% of actively exploited CVEs yield total system control. Under BOD 26-04, total control combined with KEV status on an internet-facing asset triggers the most aggressive compliance tier: three days with mandatory forensic triage. Because total control is the norm rather than the exception among exploited vulnerabilities, agencies should plan for the forensic triage requirement as a routine operational demand, not an edge case. 
Tenable One identifies the technical impact variable at platform scale, enabling agencies to isolate which vulnerabilities fall into the highest-severity compliance tiers immediately.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Note on changing dynamics: &lt;/strong&gt;BOD 26-04 timelines are not static. They shift whenever any variable changes: a CVE added to the KEV, an asset newly exposed to the internet, or a Vulnrichment assessment updated from non-automatable to automatable. Compliance is a continuous state, not a point-in-time assessment. The continuous monitoring capabilities provided by Tenable One ensure that when variables shift, your agency’s prioritization shifts with them, in real time, rather than at the next scan cycle.&lt;/p&gt;&lt;h2&gt;How vulnerability research from Tenable helps federal agencies comply with BOD 26-04&lt;/h2&gt;&lt;p&gt;Beyond reacting to current listings, Tenable has identified over 4,400 vulnerabilities that carry the highest-risk technical profile (automatable, total system control, proof-of-concept available) but are not yet on the KEV. When any of these CVEs receive confirmed exploitation evidence, they immediately jump to the most aggressive BOD timeline: three days with mandatory forensic triage. Organizations using Tenable’s predictive prioritization capabilities can identify and begin remediating these vulnerabilities before the compliance clock starts ticking.&lt;/p&gt;&lt;p&gt;Tenable Vulnerability Watch and VPR scoring flag CVEs that have a high risk profile based on exploit maturity, proof-of-concept availability, and technical impact severity, giving security teams a prioritized remediation queue that anticipates KEV additions rather than reacting to them.&lt;/p&gt;&lt;p&gt;What’s more, the intelligence behind Tenable One is not a static vulnerability feed. 
It is produced by the Tenable research team through a structured intelligence methodology that assesses vulnerabilities, threat actors, campaigns, and environmental exposures as four independent but interrelated risk dimensions.&lt;/p&gt;&lt;p&gt;The Tenable research team tracks persistent exploitation at three levels: individual CVEs, vendor product lines, and entire technology classes. When a new vulnerability is disclosed in a product family already under sustained attack across multiple actor categories, Tenable’s persistent targeting data elevates the urgency before exploitation of that specific CVE is confirmed, giving customers lead time that single-CVE tracking cannot provide.&lt;/p&gt;&lt;p&gt;Tenable Vulnerability Watch classifications directly inform the platform’s priority scoring. The research team’s exploitation tracking identifies active threats before they reach the CISA KEV catalog, and its persistent exploitation analysis distinguishes between newly emerging threats and vulnerabilities that have been under sustained attack for months across multiple actor categories. For BOD 26-04, this means Tenable customers receive not just compliance data, but the operational threat context that turns compliance into risk reduction.&lt;/p&gt;&lt;h2&gt;Vulnerability research from Tenable helps federal agencies address the forensic triage requirement of BOD 26-04&lt;/h2&gt;&lt;p&gt;BOD 26-04 introduces a forensic triage requirement with no precedent in prior directives. For CVEs that are both on the KEV and yield total system control (&lt;a href="https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk"&gt;see Table 1 rows 1, 3, and 9 within the BOD&lt;/a&gt;), agencies must assess whether compromise has already occurred alongside remediating within three days.&lt;/p&gt;&lt;p&gt;This is not a niche compliance edge case. 
Tenable data shows that 83% of actively exploited CVEs yield total system control, which means the forensic triage obligation applies to the vast majority of KEV-listed vulnerabilities on publicly exposed systems.&lt;/p&gt;&lt;p&gt;Effective forensic triage requires knowing what to look for. Tenable provides the threat attribution and campaign context that forensic teams need: which actor is exploiting the vulnerability, what tools and infrastructure signatures they use, and whether the exploitation is part of a coordinated campaign targeting your sector. This is the operational intelligence layer that turns a compliance checkbox into an informed investigation.&lt;/p&gt;&lt;h2&gt;Navigate the phased requirements of BOD 26-04 with the platform-scale automation of Tenable One&lt;/h2&gt;&lt;p&gt;BOD 26-04 outlines strict phased implementation timelines, requiring agencies to update policies immediately (Phase 1), update processes within 60 days (Phase 2), and actively remediate assets and tag metadata within 180 days (Phase 3).&lt;/p&gt;&lt;p&gt;Manually evaluating four complex variables across thousands of vulnerabilities on thousands of assets is an impossible task for human analysts. This is precisely why Tenable has invested heavily in AI-powered exposure management.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/products/tenable-one/capabilities/hexa-ai"&gt;&lt;strong&gt;Tenable Hexa AI:&lt;/strong&gt;&lt;/a&gt; Our agentic AI engine available in Tenable One orchestrates automated security workflows at machine speed. 
By applying risk intelligence at platform scale, Tenable Hexa AI surfaces the vulnerabilities that matter most, allowing agencies to meet compressed remediation timelines without needing to scale their security teams linearly.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Automated asset tagging and CDM integration:&lt;/strong&gt; Phase 3 requires agencies to continuously identify and tag all assets reachable outside the internal network with specific metadata (organization, environment, exposure, and asset type). Tenable’s robust API integrations automate this metadata tagging and seamlessly feed the structured data directly into the federal Continuous Diagnostics and Mitigation (CDM) Dashboard.&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;Extend governance to third-party and cloud environments&lt;/h2&gt;&lt;p&gt;The scope of BOD 26-04 is unyielding: it applies to all federal information systems, including those hosted in third-party and cloud environments.&lt;/p&gt;&lt;p&gt;Whether working with the FedRAMP PMO for certified offerings or directly with cloud service providers (CSPs) for non-certified environments, agencies bear responsibility for ensuring underlying infrastructure adheres to these guidelines.&lt;/p&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/forms/tenable-one-cloud-exposure"&gt;Tenable One Cloud Exposure&lt;/a&gt; helps agencies audit and validate that their underlying CSP infrastructures tightly align with BOD 26-04 guidelines. 
By unifying data across internet-facing assets, traditional IT, and cloud, Tenable One provides the centralized exposure oversight mandated by CISA.&lt;/p&gt;&lt;h2&gt;Complying with BOD 26-04 requires the scale that Tenable One provides&lt;/h2&gt;&lt;p&gt;As federal agencies scramble to operationalize BOD 26-04, security teams are asking a foundational question: What can my existing Tenable vulnerability management tools do today, and what requires the Tenable One Exposure Management Platform?&lt;/p&gt;&lt;p&gt;Currently, Tenable Security Center and Tenable One Vulnerability Management natively handle the following core baseline requirements:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;KEV status integration: &lt;/strong&gt;Automatically identify and filter vulnerabilities listed in CISA’s KEV catalog.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Asset segmentation: &lt;/strong&gt;Build static asset lists to group targeted systems.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;However, BOD 26-04 mandates a fundamental shift away from simple scanning toward localized context, specifically tracking CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) “Vulnrichment” metadata (such as the exploit automation and technical impact keys).&lt;/p&gt;&lt;p&gt;While CISA maintains a public repository of these enriched vulnerabilities, manually importing, filtering, and cross-referencing this data against an enterprise network requires the scale that only Tenable One provides.&lt;/p&gt;&lt;p&gt;This is why Tenable One is the purpose-built answer to CISA’s advanced data mandates. 
Tenable One doesn’t just scan for CVEs; it acts as an ingestion and orchestration engine for these exact advanced data requirements of BOD 26-04:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Native Vulnrichment filtering: &lt;/strong&gt;Tenable One is designed to natively surface and filter threat metrics derived from CISA’s SSVC metadata alongside Tenable’s Vulnerability Priority Rating.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Dynamic variable merging: &lt;/strong&gt;Traditional vulnerability management tools show you a vulnerability, but they cannot tell you in real time if that specific asset is reachable from the public internet. Tenable One seamlessly blends your internal vulnerability data with continuous &lt;a href="https://www.tenable.com/products/attack-surface-management"&gt;Attack Surface Management (ASM)&lt;/a&gt; data.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;For agencies asking how to filter natively on CISA’s enriched fields without waiting on legacy upgrade cycles, the answer isn’t to stretch traditional scanning tools past their design limits. Agencies can bridge this gap with Tenable One, a unified system that automates prioritization and metadata mapping to provide the real-time visibility required by BOD 26-04.&lt;/p&gt;&lt;h2&gt;CISA BOD 26-04 accelerates federal agencies’ journey from vulnerability management to exposure management&lt;/h2&gt;&lt;p&gt;BOD 26-04 acknowledges that the speed of modern, AI-driven cyber campaigns requires a parallel leap in defender capabilities. Moving past static compliance means embracing dynamic context and validation. 
With Tenable One, federal agencies gain a platform built to operationalize this model: continuous asset discovery, threat validation, and automated remediation workflows for securing the federal enterprise.&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Ready to align your risk management with BOD 26-04?&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Read &lt;a href="https://www.tenable.com/blog/cisa-bod-26-04-FAQ-vulnerability-remediation-impact"&gt;Tenable’s FAQ on CISA BOD 26-04&lt;/a&gt;.&lt;/li&gt;&lt;li&gt;Join &lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;Tenable's Research Special Operations (RSO) Team&lt;/a&gt; on Tenable Connect for further discussions on the latest cyber threats.&lt;/li&gt;&lt;li&gt;Learn more about the &lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One Exposure Management Platform&lt;/a&gt;.&lt;/li&gt;&lt;/ul&gt;
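&lt;p&gt;A worked example of the ingestion and cross-referencing described above, added here as an illustration and not Tenable code: it pulls CISA's three Vulnrichment decision points (exploitation, automatable, technical impact) out of a CVE record, checks KEV membership against the public catalog feed, combines them with the agency's own exposure finding, and recomputes the tier whenever one variable changes. The CVE record and the two KEV snippets are constructed samples whose shape follows the Vulnrichment (CVE JSON 5.x ADP container) and known_exploited_vulnerabilities.json formats; the CVE ID is a placeholder. The tier rules encode only the combinations that Tenable's BOD 26-04 FAQ (linked above) spells out in prose, so every other combination returns None and has to be resolved against Table 1 of the directive before the logic is used for compliance work.&lt;/p&gt;

```python
"""Derive the four BOD 26-04 variables for one CVE on one asset and map them to a tier.

Added illustration, not Tenable code. CVE_RECORD is a constructed sample in the
shape of a CISA Vulnrichment record (SSVC decision points live under
containers.adp[].metrics[].other with type "ssvc"); the KEV snippets are
constructed samples in the shape of CISA's known_exploited_vulnerabilities.json.
"CVE-2026-00000" is a placeholder, not a real CVE.
"""
import json

# Constructed Vulnrichment-style record: automatable, total control, PoC, not yet in KEV.
CVE_RECORD = json.loads("""
{
  "cveMetadata": {"cveId": "CVE-2026-00000"},
  "containers": {
    "adp": [
      {
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {
            "other": {
              "type": "ssvc",
              "content": {
                "options": [
                  {"Exploitation": "poc"},
                  {"Automatable": "yes"},
                  {"Technical Impact": "total"}
                ]
              }
            }
          }
        ]
      }
    ]
  }
}
""")

# Constructed KEV-feed snippets: before and after CISA lists the CVE.
KEV_BEFORE = {"vulnerabilities": []}
KEV_AFTER = {"vulnerabilities": [{"cveID": "CVE-2026-00000", "dateAdded": "2026-06-10"}]}


def ssvc_options(record):
    """Collect CISA's SSVC decision-point values (Exploitation, Automatable,
    Technical Impact) from the ADP container of a CVE JSON 5.x record."""
    opts = {}
    for adp in record.get("containers", {}).get("adp", []):
        for metric in adp.get("metrics", []):
            other = metric.get("other", {})
            if other.get("type") == "ssvc":
                for opt in other.get("content", {}).get("options", []):
                    opts.update(opt)
    return opts


def bod_variables(record, kev_feed, exposed):
    """Variables 2-4 come from CISA data; variable 1 (exposed) is the agency's own finding."""
    opts = ssvc_options(record)
    cve_id = record["cveMetadata"]["cveId"]
    listed = {v["cveID"] for v in kev_feed.get("vulnerabilities", [])}
    return {
        "exposed": bool(exposed),
        "kev": cve_id in listed,
        "automatable": opts.get("Automatable", "").lower() == "yes",
        "total": opts.get("Technical Impact", "").lower() == "total",
    }


def remediation_tier(exposed, kev, automatable, total):
    """Only the combinations the FAQ prose spells out are encoded (assumption);
    anything else returns None and must be resolved against Table 1 of the directive."""
    if kev and total:
        return "3 days + forensic triage"
    if exposed and automatable and total:          # not in KEV yet
        return "3 days"
    if kev and not exposed and not automatable:    # KEV, internal, partial control
        return "14 days"
    if not kev and not exposed and automatable and not total:
        return "60 days"
    if not (exposed or kev or automatable or total):
        return "fix on system upgrade"
    return None


def reevaluate(record, kev_feed, exposed):
    """One call per variable change: the tier is recomputed, never carried forward."""
    return remediation_tier(**bod_variables(record, kev_feed, exposed))


if __name__ == "__main__":
    for feed, label in ((KEV_BEFORE, "before KEV listing"), (KEV_AFTER, "after KEV listing")):
        for exposed in (True, False):
            where = "exposed" if exposed else "internal"
            print(label, where, "->", reevaluate(CVE_RECORD, feed, exposed))
```

&lt;p&gt;The sample record carries the pre-KEV profile the post describes (automatable, total control, proof of concept available): on an exposed asset it already sits in the three-day tier, and the moment the CVE appears in the KEV feed it moves to three days with forensic triage on every asset that carries it. That is why the re-evaluation has to run on each KEV update and each change to an asset's exposure tag rather than on the scan cycle.&lt;/p&gt;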
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/action_B.png"&gt;
</description>
  <pubDate>Wed, 17 Jun 2026 14:15:00 -0400</pubDate>
    <dc:creator>Joshua Moll, Kate Boronkay</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210979</guid>
    </item>
<item>
  <title>Improving precision in CTEM: How continuous controls validation in Tenable One transforms exposure management</title>
  <link>https://www.tenable.com/blog/ctem-exposure-management-validation</link>
  <description>&lt;p&gt;Discover how continuous control validation in Tenable One can improve your CTEM program by filtering out alert noise and factoring in your active cyber defenses. Focus your team on accessible and exploitable attack paths.&amp;nbsp;&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;Key takeaways:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;With vulnerability exploitation ranking as the top initial access vector and frontier AI accelerating vulnerability discovery, organizations must shift from managing theoretical cyber risks to validating actual, accessible exposure.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Tenable One maps active security controls including EDR, MFA, and firewalls directly onto potential attack paths, allowing teams to automatically deprioritize weaknesses that existing defenses already neutralize.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Ingesting penetration testing results via the Tenable One Open Connector allows organizations to layer real-world attack simulations over real-time exposure insights to identify toxic risk combinations that threaten critical assets.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;Your security tools probably indicate you have thousands, perhaps tens or hundreds of thousands, of vulnerabilities across your environment. Maybe your tools prioritize these vulnerabilities based on CVSS scores or other criteria, but how do you know which vulnerabilities combine with other preventable security risks, like misconfigured cloud buckets and identity weaknesses, to create attack paths threat actors could realistically traverse? How do you validate which vulnerabilities an existing security control mitigates? 
You need this context to distinguish the real risks from the theoretical ones to ensure your team focuses on remediating what matters most.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The work of validating, prioritizing, and &lt;a href="https://www.tenable.com/blog/vulnerability-remediation-match-cves-to-asset-owners-in-seconds-with-tenable" target="_blank"&gt;remediating vulnerabilities&lt;/a&gt; alongside other security weaknesses to understand the true exposure they create has become much more urgent, as frontier AI models accelerate vulnerability discovery. In this environment, the traditional patch-based defense model will get crushed. Moreover, defenders cannot afford inaccurate decision-making and wasted remediation work that addresses low-priority vulnerabilities. They desperately need the context and validation that a &lt;a href="https://www.tenable.com/blog/tenable-recognized-as-a-ctem-leader-in-latios-2025-cloud-security-market-report" target="_blank"&gt;continuous threat exposure management &lt;/a&gt;(CTEM) program provides.&lt;/p&gt;&lt;p&gt;This is why security leaders are evolving their &lt;a href="https://www.tenable.com/solutions/vulnerability-management" target="_blank"&gt;vulnerability management&lt;/a&gt; programs to &lt;a href="https://www.tenable.com/exposure-management" target="_blank"&gt;exposure management&lt;/a&gt; programs. Exposure management allows you to continually assess your attack surface, &lt;a href="https://www.tenable.com/blog/turn-to-exposure-management-to-prioritize-risks-based-on-business-impact" target="_blank"&gt;prioritize risks&lt;/a&gt;, and orchestrate automated remediation of security weaknesses at machine speed.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Exposure management also helps validate which exposures attackers can actually reach by understanding the accessibility and exploitability of an attack path. 
It uses validation to shift your organization from managing theoretical risks to executing on actual exposure.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;&lt;strong&gt;What is exposure validation in CTEM?&lt;/strong&gt;&lt;/h2&gt;&lt;p&gt;Validation is one of the five steps in the &lt;a href="https://www.tenable.com/cybersecurity-guide/learn/what-is-ctem" target="_blank"&gt;CTEM lifecycle.&lt;/a&gt; It is the process of providing consistent, continuous, and automated evidence of an attack’s feasibility. It stress-tests your defenses against real-world attack conditions, using your own environment’s controls and configurations to confirm whether an exposure is genuinely reachable and exploitable.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Validation moves security from a reactive “patch everything” mindset to a preemptive, evidence-based &lt;a href="https://www.tenable.com/blog/five-steps-to-move-to-exposure-management" target="_blank"&gt;exposure strategy&lt;/a&gt;. It continuously confirms which weaknesses your existing defenses have already blocked and surfaces the ones that demand immediate attention.&lt;/p&gt;&lt;h2&gt;&lt;strong&gt;Expanded CTEM validation capabilities in Tenable One&lt;/strong&gt;&lt;/h2&gt;&lt;p&gt;Validation isn’t new to Tenable: we’ve been using validation techniques in Tenable solutions for more than 25 years. Tenable developed &lt;a href="https://www.tenable.com/plugins" target="_blank"&gt;nearly 3,000 direct check plugins&lt;/a&gt; to actively probe a vulnerability and prove its exploitability in situations where software version detection isn’t sufficient for our high-accuracy standards. 
These plugins actually &lt;a href="https://www.tenable.com/blog/assess-log4shell-like-an-attacker-with-tenables-dynamic-detections" target="_blank"&gt;mimic attack techniques&lt;/a&gt; and monitor the target’s response to confirm the presence of the vulnerability.&lt;/p&gt;&lt;p&gt;What is new in &lt;a href="https://www.tenable.com/products/tenable-one" target="_blank"&gt;Tenable One&lt;/a&gt; is the addition of continuous control validation in the platform. By factoring in your active security controls, Tenable One helps eliminate the noise of theoretically exposed assets that are functionally blocked from exploitation. Security teams can visually map their active prevention and detection controls directly onto potential attack paths, automatically deprioritizing weaknesses that existing controls already neutralize. Analysts can also filter top attack paths by the presence of security controls and by whether the attack chain can be prevented, for faster triage and investigation.&lt;/p&gt;&lt;p&gt;Common control validation examples include:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/relying-on-edr-for-exposure-management-what-you-need-to-know" target="_blank"&gt;Endpoint detection and response&lt;/a&gt; (EDR) tools that block &lt;a href="https://www.tenable.com/attack-path-techniques/T1003.001_Windows" target="_blank"&gt;Local Security Authority Subsystem Service (LSASS) memory&lt;/a&gt; dump tools used to harvest credentials.&lt;/li&gt;&lt;li&gt;&lt;a href="https://docs.tenable.com/vulnerability-management/best-practices/security/Content/MultiFactorAuthentication.htm" target="_blank"&gt;Multi-factor authentication&lt;/a&gt; (MFA) methods that prevent unauthorized access via &lt;a href="https://www.tenable.com/indicators/ioa/I-BruteForce" target="_blank"&gt;password guessing&lt;/a&gt;, &lt;a href="https://www.tenable.com/indicators/ioa/I-PasswordSpraying" target="_blank"&gt;password spraying&lt;/a&gt;, or &lt;a href="https://www.tenable.com/attack-path-techniques/T1110.004_Windows" target="_blank"&gt;credential stuffing&lt;/a&gt;.&lt;/li&gt;&lt;li&gt;Firewall and data loss prevention (DLP) tools that &lt;a href="https://www.tenable.com/attack-path-techniques/T1048.001_Windows" target="_blank"&gt;prevent data exfiltration&lt;/a&gt; by detecting data staging and enforcing egress rules.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The embedded walkthrough of continuous control validation in Tenable One covers these steps:&lt;/p&gt;&lt;p&gt;Proactively manage risk prioritization with continuous security control validation. Eliminate noise from theoretical risks that are functionally blocked by existing defenses by integrating compensating security controls into the exposure prioritization process. Access a unified dashboard where assets, vulnerabilities, and exposure risks are consolidated. Filter attack paths to identify which are protected by compensating controls. View types of compensating controls deployed in the environment. Examine attack paths that could be protected with endpoint protection tools. Review security controls associated with specific attack paths, including SIEM and EDR controls. Inspect individual nodes within attack paths to determine which security controls are protecting them. Identify assets monitored by SIEM tools such as Splunk. Verify endpoint protection coverage on assets, including Microsoft Defender installations. Filter attack techniques to focus on specific threats like LSASS Memory techniques, which extract credentials from compromised systems and can be mitigated by endpoint protection tools. Identify attack paths and assets lacking appropriate EDR coverage. Prioritize remediation by examining high-priority attack paths where compensating controls are absent. 
Collaborate with security control owners to confirm coverage and address gaps in protection for critical assets.&lt;/p&gt;&lt;h2&gt;&lt;strong&gt;Integrate penetration testing data into Tenable One&lt;/strong&gt;&lt;/h2&gt;&lt;p&gt;Beyond direct check plugins and continuous control validation, security teams can also bring into Tenable One the results of penetration tests that simulate real-world attacks against your cyber defenses. This is another way to validate which exposures are truly exploitable and to contextualize them against your broader attack surface.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The &lt;a href="https://www.tenable.com/blog/new-tenable-one-open-connector-extends-third-party-integrations-unified-risk-visibility" target="_blank"&gt;Tenable One Open Connector&lt;/a&gt; makes it easy to &lt;a href="https://docs.tenable.com/exposure-management/Content/connectors/QRG/penetration-test.htm" target="_blank"&gt;ingest the latest pentest results&lt;/a&gt; and layer them with real-time exposure insights to turn your findings into active, continuous defenses. Integrating pentest data into an exposure management program adds critical context to help you understand toxic risk combinations and enrich your understanding of high-severity weaknesses that threaten your most critical business assets.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;&lt;strong&gt;Context is essential in exposure management&lt;/strong&gt;&lt;/h2&gt;&lt;p&gt;In the AI era, your security team can’t waste precious time on the wrong issues. With exposure management, context is essential to pinpoint the most critical risks to your organization. 
Security control validation, coupled with asset criticality, threat activity, entitlement privileges, and attack pathways, gives your security team the advantage it needs to stay ahead of threat actors.&lt;/p&gt;&lt;p&gt;&lt;em&gt;Learn more about &lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one" target="_blank"&gt;&lt;em&gt;Tenable One&lt;/em&gt;&lt;/a&gt;&lt;em&gt;, the exposure management platform for the modern attack surface.&lt;/em&gt;&lt;/p&gt;
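&lt;p&gt;A minimal model of the control mapping described above, added here as an illustration rather than Tenable One's own logic: each attack path is a sequence of (asset, technique) steps, a coverage map records which preventive controls were verified on each asset, and a path is treated as blocked at the first step a present control prevents. The assets, paths and control-to-technique table are constructed samples; the technique IDs are MITRE sub-technique IDs for the techniques this post names (LSASS memory, password guessing, spraying and credential stuffing, encrypted exfiltration). Detection-only controls such as SIEM coverage are not modeled, so a path with no verified preventive control stays open no matter how many detective controls surround it.&lt;/p&gt;

```python
"""Map verified preventive controls onto attack-path steps and deprioritize blocked paths.

Added illustration, not Tenable One's own logic. BLOCKS, COVERAGE and PATHS are
constructed samples; technique IDs are MITRE sub-technique IDs.
"""
from dataclasses import dataclass


# Which technique each control type is assumed to prevent (constructed table).
BLOCKS = {
    "edr": {"T1003.001"},                              # LSASS memory dump
    "mfa": {"T1110.001", "T1110.003", "T1110.004"},    # guessing, spraying, stuffing
    "egress_filter": {"T1048.001"},                    # exfiltration over encrypted non-C2 channel
}


@dataclass(frozen=True)
class Step:
    asset: str       # host or identity the step executes against
    technique: str   # MITRE technique ID


@dataclass
class Path:
    name: str
    target: str      # critical asset at the end of the path
    steps: list


# asset -> set of control types verified present on it (constructed coverage map)
COVERAGE = {
    "ws-finance-07": {"edr"},
    "svc-backup": {"mfa"},
    "fileserver-01": set(),
}

# Constructed attack paths ending on the same critical asset.
PATHS = [
    Path("creds-to-fileserver", "fileserver-01",
         [Step("ws-finance-07", "T1003.001"), Step("fileserver-01", "T1048.001")]),
    Path("spray-svc-backup", "fileserver-01",
         [Step("svc-backup", "T1110.003"), Step("fileserver-01", "T1048.001")]),
    Path("stuff-on-fileserver", "fileserver-01",
         [Step("fileserver-01", "T1110.004"), Step("fileserver-01", "T1048.001")]),
]


def blocking_step(path, coverage, blocks=BLOCKS):
    """Return (index, control) of the first step a present control prevents, else None."""
    for i, step in enumerate(path.steps):
        for control in sorted(coverage.get(step.asset, ())):
            if step.technique in blocks.get(control, ()):
                return i, control
    return None


def triage(paths, coverage, blocks=BLOCKS):
    """Split paths into 'open' (no preventive control on any step) and 'blocked'.
    Blocked entries keep the technique, asset and control so the analyst can
    confirm that coverage with the control owner instead of trusting the map blindly."""
    result = {"open": [], "blocked": []}
    for p in paths:
        hit = blocking_step(p, coverage, blocks)
        if hit is None:
            result["open"].append(p.name)
        else:
            i, control = hit
            result["blocked"].append((p.name, p.steps[i].technique, p.steps[i].asset, control))
    return result


def coverage_gaps(paths, coverage, blocks=BLOCKS):
    """For every open path, list the (asset, control) pairs that would block one of its steps."""
    gaps = set()
    for p in paths:
        if blocking_step(p, coverage, blocks) is not None:
            continue
        for step in p.steps:
            for control, techniques in blocks.items():
                if step.technique in techniques:
                    gaps.add((step.asset, control))
    return sorted(gaps)


if __name__ == "__main__":
    print(triage(PATHS, COVERAGE))
    print(coverage_gaps(PATHS, COVERAGE))
```

&lt;p&gt;Of the three constructed paths, the LSASS dump is blocked by EDR on the workstation and the spray against the service account by MFA, so both drop out of the remediation queue; the credential-stuffing path against the file server has no verified control on any step and stays open, and coverage_gaps names the controls (MFA and egress filtering on fileserver-01) that would close it, which is the list to take to the control owners.&lt;/p&gt;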
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/exposure-management_A.png"&gt;
</description>
  <pubDate>Tue, 16 Jun 2026 08:45:00 -0400</pubDate>
    <dc:creator>Nathan Dyer</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210976</guid>
    </item>
<item>
  <title>CISA BOD 26-04: Frequently asked questions about the new risk-based patching directive</title>
  <link>https://www.tenable.com/blog/cisa-bod-26-04-FAQ-vulnerability-remediation-impact</link>
  <description>&lt;p&gt;CISA issued BOD 26-04, which replaces BOD 22-01 with a four-variable vulnerability prioritization model requiring federal agencies to patch the most dangerous vulnerabilities in as few as three days.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;&lt;strong&gt;Key takeaways&lt;/strong&gt;&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;BOD 26-04 replaces BOD 22-01 with a four-variable risk model that assigns graduated remediation timelines, from as few as three days with mandatory forensic triage for the most dangerous vulnerabilities to full deferral for the lowest-risk ones, ending the era of flat, one-size-fits-all patching deadlines for federal agencies.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;The transition represents a significant operational lift at a time when AI is compressing the window between vulnerability disclosure and weaponization, and industry remediation rates are declining: only 26% of KEV vulnerabilities were fully remediated in 2025 according to the 2026 Verizon DBIR, down from 38% the prior year.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Organizations that have invested in continuous asset discovery, risk-based prioritization, and exposure management are well positioned to operationalize the directive’s four-variable model. Those still relying on periodic scanning and CVSS-based prioritization face a significant gap between current capability and compliance requirements.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Background on CISA BOD 26-04&lt;/h2&gt;&lt;p&gt;On June 10, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued &lt;a href="https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk" target="_blank"&gt;Binding Operational Directive (BOD) 26-04, “Prioritizing Security Updates Based on Risk.”&lt;/a&gt; BOD 26-04 represents a fundamental shift in how federal agencies are expected to manage vulnerabilities. 
Rather than treating every known exploited vulnerability (KEV) with the same remediation deadline, the new directive introduces a graduated model that accounts for asset exposure, exploitation evidence, adversary automation capability, and technical impact severity. The result is a 16-tier remediation matrix where the most dangerous vulnerabilities must be patched within three days (with mandatory forensic triage), while lower-risk vulnerabilities can be deferred to the next system upgrade cycle.&lt;/p&gt;&lt;p&gt;Tenable applauds this directive, which replaces both BOD 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities, November 2021) and BOD 19-02 (Vulnerability Remediation Requirements for Internet-Accessible Systems, April 2019). It is directionally correct in Tenable’s view, and it represents a significant improvement upon its predecessors, as it consolidates seven years of federal vulnerability remediation policy into a single, risk-weighted framework. More importantly, it aligns with the risk-based, exposure-driven approach to vulnerability management that Tenable has championed as the originator of the &lt;a href="https://www.tenable.com/exposure-management/resource-center" target="_blank"&gt;exposure management&lt;/a&gt; paradigm. For years, Tenable has maintained the position that defenders must move beyond volume-based patching toward intelligent prioritization grounded in real-world exploitation evidence, asset context, and threat actor intelligence. BOD 26-04 codifies that position as federal policy.&lt;/p&gt;&lt;h2&gt;Frequently asked questions about BOD 26-04&lt;/h2&gt;&lt;h3&gt;What is BOD 26-04?&lt;/h3&gt;&lt;p&gt;BOD 26-04 is a binding operational directive from CISA that requires all Federal Civilian Executive Branch (FCEB) agencies to prioritize vulnerability remediation based on a four-variable risk model. 
Unlike its predecessor BOD 22-01, which assigned flat remediation timelines to all vulnerabilities in the KEV catalog, BOD 26-04 evaluates each vulnerability against four criteria and assigns a remediation deadline based on the specific combination of risk factors present.&lt;/p&gt;&lt;p&gt;The directive is mandatory for &lt;a href="https://www.tenable.com/solutions/government/us-fed" target="_blank"&gt;federal agencies&lt;/a&gt; but not for the private sector. However, CISA explicitly encourages private sector adoption, and the track record of BOD 22-01 suggests the framework will become a de facto standard across industries. BOD 22-01’s KEV catalog is already used by organizations worldwide as a prioritization signal, and BOD 26-04’s more sophisticated model will likely follow the same adoption curve.&lt;/p&gt;&lt;h3&gt;What are the four variables?&lt;/h3&gt;&lt;p&gt;BOD 26-04 determines remediation urgency using four binary variables:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Publicly exposed -&lt;/strong&gt; Is the vulnerable asset reachable from outside the agency network via a routable IP address? This is the only variable agencies must determine themselves.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;In the KEV -&lt;/strong&gt; Is the CVE listed in CISA’s Known Exploited Vulnerabilities catalog? This confirms real-world exploitation.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Automatable by adversary -&lt;/strong&gt; Can an attacker automate all the steps necessary to exploit the vulnerability? This assesses weaponization maturity.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Technical impact -&lt;/strong&gt; Does exploitation give attackers total control of the affected system or only partial control?&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;CISA publishes the answers to variables two, three, and four for every CVE through its Vulnrichment Program. 
Agencies must determine variable one (public exposure) using their own asset inventory and CISA’s Internet Exposure Reduction Guidance.&lt;/p&gt;&lt;h3&gt;What are the remediation timelines?&lt;/h3&gt;&lt;p&gt;Table 1 in Appendix A of the directive maps all 16 possible combinations of the four binary variables to specific remediation deadlines across five tiers:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Three days with forensic triage -&lt;/strong&gt; Required when a vulnerability is in the KEV and yields total system control (regardless of whether the asset is publicly exposed or the exploit is automatable). This is the most aggressive vulnerability management timeline in federal directive history. The forensic triage component requires agencies to assess whether their systems have already been compromised.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Three days (without forensic triage) -&lt;/strong&gt; Required for certain high-risk combinations, such as a publicly exposed asset with an automatable vulnerability yielding total control, even if the CVE is not yet in the KEV.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;14 days -&lt;/strong&gt; The standard accelerated timeline for most KEV-listed vulnerabilities and several high-risk non-KEV combinations.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;60 days -&lt;/strong&gt; Applied to lower-risk combinations, such as non-exposed assets with automatable but partial-control vulnerabilities.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Fix on system upgrade -&lt;/strong&gt; Applied when no risk criteria are met. This is the deferral tier, and it represents a significant operational relief for agencies: vulnerabilities that meet none of the four criteria can wait for the next scheduled upgrade cycle.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Timelines are dynamic. If an agency removes a system from public internet exposure, the applicable timeline shifts to a longer window. 
Conversely, if CISA adds a vulnerability to the KEV catalog, the remediation timeline accelerates immediately.&lt;/p&gt;&lt;p&gt;In an initial analysis at one large civilian agency, CISA found that only 1% of vulnerability instances fell into the three-day category, while over 60% qualified for deferral to the next system upgrade. The model is designed to focus resources, not overwhelm them.&lt;/p&gt;&lt;h3&gt;What changed from BOD 22-01?&lt;/h3&gt;&lt;p&gt;BOD 26-04 revokes and replaces BOD 22-01 entirely. The key differences are substantial:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;BOD 22-01 applied a flat remediation timeline to every vulnerability in the KEV catalog (14 days for CVEs with IDs assigned in 2021 or later, six months for CVEs assigned before 2021). BOD 26-04 replaces this with a graduated model where KEV status is one of four variables, not the sole determinant of urgency. A KEV vulnerability on an internal system with partial control and no automation capability now receives 14 days, while the same KEV on a publicly exposed system with full automation and total control receives just &lt;em&gt;three&lt;/em&gt; days with mandatory forensic triage.&lt;/li&gt;&lt;li&gt;BOD 22-01 had no deferral mechanism. Every KEV required action. BOD 26-04 introduces the “fix on system upgrade” tier for vulnerabilities that meet none of the four risk criteria, allowing agencies to focus on the ones that matter most rather than chasing every vulnerability with equal urgency.&lt;/li&gt;&lt;li&gt;BOD 22-01 had no forensic triage requirement. BOD 26-04 introduces mandatory forensic analysis for the highest-risk tier, recognizing that when a vulnerability is actively exploited and yields total system control, patching alone is insufficient: organizations need to determine whether they’ve been compromised.&lt;/li&gt;&lt;li&gt;The underlying methodology also shifts. BOD 22-01 keyed on KEV membership alone, and BOD 19-02 before it on CVSS severity. 
BOD 26-04 is informed by CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) system, which provides a more nuanced, risk-informed vulnerability analysis methodology.&lt;/li&gt;&lt;/ol&gt;&lt;h3&gt;Why did CISA issue BOD 26-04 now?&lt;/h3&gt;&lt;p&gt;Two converging factors drove the directive. The first is the deteriorating effectiveness of traditional vulnerability management. Citing the 2026 Verizon Data Breach Investigations Report, CISA’s blog post accompanying the directive notes that only 26% of KEV-listed vulnerabilities were fully remediated by organizations in 2025, a decline from 38% the previous year. Meanwhile, the median time to fully resolve vulnerabilities rose to 43 days. In an environment where exploitation can occur within hours of disclosure, the remediation gap is widening.&lt;/p&gt;&lt;p&gt;The second factor is artificial intelligence. CISA explicitly states that AI is accelerating both vulnerability discovery and weaponization, narrowing the window of time that exists between vulnerability disclosure and exploitation. The directive aligns with priorities in the recent &lt;a href="https://www.tenable.com/blog/summary-june-2026-ai-executive-order-requirements" target="_blank"&gt;AI Executive Order&lt;/a&gt;, &lt;a href="https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/" target="_blank"&gt;Promoting Advanced Artificial Intelligence Innovation and Security&lt;/a&gt;. As AI-enabled tools make it easier for adversaries to identify, weaponize, and deploy exploits at scale, the traditional “patch everything eventually” approach becomes untenable. Defenders need a framework that tells them what to patch first, and BOD 26-04 provides the framework enabling them to prioritize on an accelerated timeframe.&lt;/p&gt;&lt;p&gt;This is a challenge Tenable has been tracking closely. 
The intersection of an AI-enabled threat landscape with already-declining remediation effectiveness creates a compounding problem: adversaries are getting faster while defenders fall farther behind. BOD 26-04 is a necessary policy response to this environment.&lt;/p&gt;&lt;h3&gt;I don’t work for a federal agency. How does BOD 26-04 affect my organization?&lt;/h3&gt;&lt;p&gt;While BOD 26-04 is mandatory only for FCEB agencies, its influence extends well beyond the federal government. BOD 22-01’s KEV catalog became the most widely adopted vulnerability prioritization signal in the industry, used by private sector organizations, state and local governments, critical infrastructure operators, and international allies. BOD 26-04’s four-variable model will likely follow the same trajectory.&lt;/p&gt;&lt;p&gt;Organizations should evaluate the directive’s framework as a model for their own exposure management programs. The four variables (asset exposure, exploitation evidence, automation potential, and technical impact) represent a defensible, data-driven approach to prioritization that any organization can adopt. For organizations in regulated industries, federal supply chains, or critical infrastructure sectors, aligning with BOD 26-04’s framework before it becomes an industry expectation is a strategic advantage.&lt;/p&gt;&lt;h3&gt;What will this transition require from agencies and organizations?&lt;/h3&gt;&lt;p&gt;This directive represents a significant operational lift. BOD 22-01 was conceptually simple: if a CVE is in the KEV, patch it within the specified window. BOD 26-04 requires agencies to operationalize a four-variable decision model, which means they need answers to four questions for every vulnerability on every asset in their environment, and they need those answers continuously.&lt;/p&gt;&lt;p&gt;The compliance deadlines are aggressive. Agencies must immediately update their vulnerability management policies. 
Within 60 days (approximately August 2026), they must update their processes for remediating common vulnerabilities per the new tiered model. Within 180 days (approximately December 2026), they must meet the full remediation timelines defined in Table 1. CISA will also publish machine-level asset tagging data requirements within 60 days.&lt;/p&gt;&lt;p&gt;The most demanding new requirement is the combination of continuous asset exposure identification (variable one) with dynamic timeline tracking. An asset that moves from internal to publicly exposed shifts its remediation deadline immediately. An agency that cannot maintain real-time visibility into which assets are internet-facing cannot comply with the directive’s graduated and dynamic timelines.&lt;/p&gt;&lt;p&gt;This is where the right technology platform makes the difference. Organizations that have invested in &lt;a href="https://www.tenable.com/products/vulnerability-management/use-cases/asset-discovery" target="_blank"&gt;continuous asset discovery&lt;/a&gt;, &lt;a href="https://www.tenable.com/products/vulnerability-management/use-cases/prioritization" target="_blank"&gt;risk-based vulnerability prioritization&lt;/a&gt;, and &lt;a href="https://www.tenable.com/exposure-management" target="_blank"&gt;exposure management capabilities&lt;/a&gt; are positioned to operationalize BOD 26-04 efficiently. Those still relying on periodic scanning and CVSS-based prioritization face a significant gap between their current capabilities and what the directive demands.&lt;/p&gt;&lt;h3&gt;How does BOD 26-04 relate to the AI threat landscape?&lt;/h3&gt;&lt;p&gt;BOD 26-04 arrives at a critical moment. Artificial intelligence is accelerating adversaries' workflows at every stage: vulnerability discovery, exploit development, target selection, and operational execution. 
CISA acknowledges this directly, citing AI-driven vulnerability discovery as a motivating factor for the directive.&lt;/p&gt;&lt;p&gt;The implications are sobering. The 2026 Verizon DBIR data shows defenders already falling behind even at the current pace of vulnerability exploitation. As AI compresses the time from vulnerability disclosure to weaponization, the 43-day median remediation time becomes not just inadequate but dangerous. Agencies and organizations implementing BOD 26-04 will be doing so against a backdrop of accelerating threat velocity.&lt;/p&gt;&lt;p&gt;The operational reality is that manually evaluating four variables across thousands of vulnerabilities on thousands of assets, on a continuous basis, does not scale with human analysts alone. The organizations best positioned to meet BOD 26-04’s accelerated timelines will be those whose platforms can ingest &lt;em&gt;Vulnrichment&lt;/em&gt; data, correlate it against asset exposure in real time, and surface the vulnerabilities that require three-day action versus those that can wait for the next upgrade cycle.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The parallel challenge is real: organizations must simultaneously transition to a new compliance framework and adapt to a threat landscape that is evolving faster than their current processes can handle. The organizations best positioned to succeed are those with platforms that already operationalize risk-based prioritization, continuous asset discovery, and AI-assisted decision-making.&lt;/p&gt;&lt;h3&gt;What should organizations do now?&lt;/h3&gt;&lt;p&gt;Organizations should take three immediate steps:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Audit your current vulnerability management posture against the four-variable model.&lt;/strong&gt; Can you identify which assets are publicly exposed? Do your tools integrate KEV status into prioritization decisions? 
Can you assess exploit automation potential and technical impact for the vulnerabilities in your environment? If you can answer these questions today, you are well positioned for BOD 26-04. If you cannot, the 60-day process update deadline creates urgency.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Prepare for the BOD 22-01 to BOD 26-04 transition.&lt;/strong&gt; If your organization has built compliance workflows around BOD 22-01, those workflows reference a revoked directive. Begin updating policies, dashboards, and reporting to reflect the four-variable model. The immediate policy update requirement means this work should start now, not at the 60-day mark.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Assess your forensic triage readiness.&lt;/strong&gt; For the highest-risk tier (KEV + total control), BOD 26-04 requires agencies to conduct forensic triage alongside remediation within three days. This means organizations need the ability to identify not just what is vulnerable, but what may already be compromised. 
Evaluate whether your current tooling provides the threat attribution and detection context needed to support forensic triage.&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch" target="_blank"&gt;&lt;em&gt;&lt;strong&gt;Tenable's Research Special Operations (RSO) Team&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt; on Tenable Connect for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about the &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;Tenable One Exposure Management Platform&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;h2&gt;Learn more&lt;/h2&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk"&gt;CISA BOD 26-04: Prioritizing Security Updates Based on Risk&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/blog/summary-june-2026-ai-executive-order-requirements"&gt;June 2026 AI Executive Order: What federal agencies need to know and how Tenable can help&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.cisa.gov/news-events/news/patch-smarter-not-harder"&gt;CISA: Patch Smarter, Not Harder&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog"&gt;CISA Known Exploited Vulnerabilities Catalog&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.verizon.com/business/resources/reports/dbir/"&gt;Verizon 2026 Data Breach Investigations Report&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/director_B.png"&gt;
</description>
  <pubDate>Thu, 11 Jun 2026 19:39:00 -0400</pubDate>
    <dc:creator>Robert Huber</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210974</guid>
    </item>
<item>
  <title>Microsoft’s June 2026 Patch Tuesday Addresses 198 CVEs ( CVE-2026-49160, CVE-2026-50507)</title>
  <link>https://www.tenable.com/blog/microsofts-june-2026-patch-tuesday-addresses-198-cves-cve-2026-49160-cve-2026-50507</link>
  <description>&lt;ol class="blog-severity-badges"&gt;&lt;li class="blog-severity-badges critical"&gt;&lt;span class="number"&gt;32&lt;/span&gt;Critical&lt;/li&gt;&lt;li class="blog-severity-badges important"&gt;&lt;span class="number"&gt;166&lt;/span&gt;Important&lt;/li&gt;&lt;li class="blog-severity-badges moderate"&gt;&lt;span class="number"&gt;0&lt;/span&gt;Moderate&lt;/li&gt;&lt;li class="blog-severity-badges low"&gt;&lt;span class="number"&gt;0&lt;/span&gt;Low&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;strong&gt;Microsoft addresses 198 CVEs in the largest Patch Tuesday release, including three zero-days.&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Microsoft patched 198 CVEs in its June 2026 Patch Tuesday release, with 32 rated critical and 166 rated as important. Our counts omitted 6 CVEs that were already addressed by Microsoft via servicing and do not require additional customer action to resolve as well as 2 CVEs that were disclosed by other CNAs (CVE-2025-10263 and CVE-2026-8863). This Patch Tuesday release is the largest release since the Patch Tuesday program began, smashing the previous record of 167 CVEs in the &lt;a href="https://www.tenable.com/blog/microsofts-october-2025-patch-tuesday-addresses-167-cves-cve-2025-24990-cve-2025-59230"&gt;&lt;u&gt;October 2025 Patch Tuesday&lt;/u&gt;&lt;/a&gt; release.&lt;/p&gt;&lt;img src="https://www.tenable.com/sites/default/files/images/blog/3ae7e731-5dd1-440e-92af-26bec8772e1b.png" alt="A pie chart showing the severity distribution across the Patch Tuesday CVEs patched in June 2026." 
width="865" height="473" referrerpolicy="no-referrer" loading="lazy"&gt;&lt;p&gt;This month’s update includes patches for:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;.NET&lt;/li&gt;&lt;li&gt;ASP.NET Core&lt;/li&gt;&lt;li&gt;Active Directory Domain Services&lt;/li&gt;&lt;li&gt;Azure HorizonDB&lt;/li&gt;&lt;li&gt;Azure Stack Edge&lt;/li&gt;&lt;li&gt;Copilot Chat (Microsoft Edge)&lt;/li&gt;&lt;li&gt;Function Discovery Service (fdwsd.dll)&lt;/li&gt;&lt;li&gt;GitHub Copilot and Visual Studio Code&lt;/li&gt;&lt;li&gt;HTTP/2&lt;/li&gt;&lt;li&gt;Linux MANA Driver&lt;/li&gt;&lt;li&gt;M365 Copilot&lt;/li&gt;&lt;li&gt;Microsoft Azure Attestation service and Device Health Attestation Service&lt;/li&gt;&lt;li&gt;Microsoft Azure Kubernetes Service&lt;/li&gt;&lt;li&gt;Microsoft Bing&lt;/li&gt;&lt;li&gt;Microsoft Copilot&lt;/li&gt;&lt;li&gt;Microsoft Defender for Endpoint&lt;/li&gt;&lt;li&gt;Microsoft Dynamics 365 (on-premises)&lt;/li&gt;&lt;li&gt;Microsoft Exchange Online&lt;/li&gt;&lt;li&gt;Microsoft Exchange Server&lt;/li&gt;&lt;li&gt;Microsoft Graph&lt;/li&gt;&lt;li&gt;Microsoft Graphics Component&lt;/li&gt;&lt;li&gt;Microsoft Kinect&lt;/li&gt;&lt;li&gt;Microsoft Live Share Canvas SDK&lt;/li&gt;&lt;li&gt;Microsoft Office&lt;/li&gt;&lt;li&gt;Microsoft Office Click-To-Run&lt;/li&gt;&lt;li&gt;Microsoft Office Excel&lt;/li&gt;&lt;li&gt;Microsoft Office Project&lt;/li&gt;&lt;li&gt;Microsoft Office SharePoint&lt;/li&gt;&lt;li&gt;Microsoft Office Word&lt;/li&gt;&lt;li&gt;Microsoft PC Manager&lt;/li&gt;&lt;li&gt;Microsoft PowerToys&lt;/li&gt;&lt;li&gt;Microsoft Teams for Android&lt;/li&gt;&lt;li&gt;Microsoft UxTheme Library (uxtheme.dll)&lt;/li&gt;&lt;li&gt;Microsoft Windows DNS&lt;/li&gt;&lt;li&gt;Nuance PowerScribe&lt;/li&gt;&lt;li&gt;Office for Android&lt;/li&gt;&lt;li&gt;Remote Desktop Client&lt;/li&gt;&lt;li&gt;Role: Windows Hyper-V&lt;/li&gt;&lt;li&gt;UI Automation Manager (uiamanager.dll)&lt;/li&gt;&lt;li&gt;Universal Plug and Play (upnp.dll)&lt;/li&gt;&lt;li&gt;Visual Studio 
Code&lt;/li&gt;&lt;li&gt;Windows Administrator Protection&lt;/li&gt;&lt;li&gt;Windows Ancillary Function Driver for WinSock&lt;/li&gt;&lt;li&gt;Windows Application Identity (AppID) Subsystem&lt;/li&gt;&lt;li&gt;Windows BitLocker&lt;/li&gt;&lt;li&gt;Windows Bluetooth Port Driver&lt;/li&gt;&lt;li&gt;Windows Bluetooth Service&lt;/li&gt;&lt;li&gt;Windows Boot Manager&lt;/li&gt;&lt;li&gt;Windows Collaborative Translation Framework&lt;/li&gt;&lt;li&gt;Windows Common Log File System Driver&lt;/li&gt;&lt;li&gt;Windows Cryptographic Services&lt;/li&gt;&lt;li&gt;Windows DHCP Client&lt;/li&gt;&lt;li&gt;Windows DHCP Server&lt;/li&gt;&lt;li&gt;Windows DWM Core Library&lt;/li&gt;&lt;li&gt;Windows Deployment Services&lt;/li&gt;&lt;li&gt;Windows HTTP.sys&lt;/li&gt;&lt;li&gt;Windows Hotpatch Monitoring Service&lt;/li&gt;&lt;li&gt;Windows Hyper-V&lt;/li&gt;&lt;li&gt;Windows Internet (wininet.dll)&lt;/li&gt;&lt;li&gt;Windows Kerberos&lt;/li&gt;&lt;li&gt;Windows Kernel&lt;/li&gt;&lt;li&gt;Windows Kernel-Mode Drivers&lt;/li&gt;&lt;li&gt;Windows Mark of the Web (MOTW)&lt;/li&gt;&lt;li&gt;Windows Media&lt;/li&gt;&lt;li&gt;Windows NT OS Kernel&lt;/li&gt;&lt;li&gt;Windows NTFS&lt;/li&gt;&lt;li&gt;Windows Narrator Braille&lt;/li&gt;&lt;li&gt;Windows Network Controller (NC) Host Agent&lt;/li&gt;&lt;li&gt;Windows Performance Monitor&lt;/li&gt;&lt;li&gt;Windows Program Compatibility Assistant Service&lt;/li&gt;&lt;li&gt;Windows Projected File System Filter Driver&lt;/li&gt;&lt;li&gt;Windows Push Notifications&lt;/li&gt;&lt;li&gt;Windows RDP&lt;/li&gt;&lt;li&gt;Windows SDK&lt;/li&gt;&lt;li&gt;Windows Secure Boot&lt;/li&gt;&lt;li&gt;Windows Shell&lt;/li&gt;&lt;li&gt;Windows Storage&lt;/li&gt;&lt;li&gt;Windows TCP/IP&lt;/li&gt;&lt;li&gt;Windows Telephony Service&lt;/li&gt;&lt;li&gt;Windows UEFI&lt;/li&gt;&lt;li&gt;Windows Universal Disk Format File System Driver (UDFS)&lt;/li&gt;&lt;li&gt;Windows Win32K - GRFX&lt;/li&gt;&lt;li&gt;Winlogon&lt;/li&gt;&lt;/ul&gt;&lt;img 
src="https://www.tenable.com/sites/default/files/images/blog/09b1f046-d562-47ba-8bd6-9b2c344be437.png" alt="A bar chart showing the count by impact of CVEs patched in the June 2026 Patch Tuesday release." width="833" height="419" referrerpolicy="no-referrer" loading="lazy"&gt;&lt;p&gt;Elevation of Privilege (EoP) vulnerabilities accounted for 31.8% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 27.3%.&lt;/p&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge important"&gt;Important&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-50507 | Windows BitLocker Security Feature Bypass Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-50507"&gt;&lt;u&gt;CVE-2026-50507&lt;/u&gt;&lt;/a&gt; is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 6.8 and is rated as important. It was publicly disclosed prior to a patch being available and assessed as “Exploitation More Likely” according to &lt;a href="https://www.microsoft.com/en-us/msrc/exploitability-index"&gt;&lt;u&gt;Microsoft's Exploitability Index&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;According to Microsoft, an attacker with physical access to the system could bypass the BitLocker Device Encryption feature in order to gain access to the device's encrypted data. 
This vulnerability appears to be the flaw known as Bitskrieg, a collaboration between &lt;a href="https://deadeclipse666.blogspot.com/2026/05/announcing-bitskrieg.html"&gt;&lt;u&gt;Chaotic Eclipse (Nightmare Eclipse)&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://x.com/jonasLyk/status/2062768028090007773"&gt;&lt;u&gt;Jonas L&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge important"&gt;Important&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-49160 | HTTP.sys Denial of Service Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-49160"&gt;&lt;u&gt;CVE-2026-49160&lt;/u&gt;&lt;/a&gt; is a denial of service (DoS) vulnerability affecting HTTP.sys. It received a CVSSv3 score of 7.5 and is rated as important. It was assessed as “Exploitation More Likely” and publicly disclosed prior to a patch being available. According to the advisory, this DoS affects HTTP/2. The advisory notes that this update adds a &lt;a href="https://support.microsoft.com/en-us/topic/084da156-7a99-4abf-b759-f973c35eded3"&gt;&lt;u&gt;MaxHeadersCount registry&lt;/u&gt;&lt;/a&gt; setting which can be used to limit the number of headers included in HTTP/2 and HTTP/3 requests.&lt;/p&gt;&lt;p&gt;Researchers at &lt;a href="https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb"&gt;&lt;u&gt;Calif&lt;/u&gt;&lt;/a&gt;, who are credited by Microsoft with reporting the DoS, dubbed the flaw HTTP/2 Bomb; their blog describes the technical details and provides a proof-of-concept that can be used to test web servers against this vulnerability. 
As noted in the blog post, at the time it was released, Microsoft had not yet released patches.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge important"&gt;Important&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-45586 | Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45586"&gt;&lt;u&gt;CVE-2026-45586&lt;/u&gt;&lt;/a&gt; is an EoP vulnerability affecting Windows Collaborative Translation Framework (CTFMON), a process that supports voice and handwriting recognition. It was assigned a CVSSv3 score of 7.8 and rated as important. This EoP flaw was one of three zero-days disclosed prior to patches being made available. Successful exploitation would grant an attacker SYSTEM privileges and Microsoft has assessed this vulnerability as “Exploitation More Likely.”&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge critical"&gt;Critical&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-42909, CVE-2026-42913, CVE-2026-42985, CVE-2026-42992, CVE-2026-42993, CVE-2026-44799, CVE-2026-44801, CVE-2026-47289, CVE-2026-47653, CVE-2026-47654 and CVE-2026-48563 | Remote Desktop Client Remote Code Execution Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42909"&gt;&lt;u&gt;CVE-2026-42909&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42913"&gt;&lt;u&gt;CVE-2026-42913&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42985"&gt;&lt;u&gt;CVE-2026-42985&lt;/u&gt;&lt;/a&gt;, 
&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42992"&gt;&lt;u&gt;CVE-2026-42992&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42993"&gt;&lt;u&gt;CVE-2026-42993&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-44799"&gt;&lt;u&gt;CVE-2026-44799&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-44801"&gt;&lt;u&gt;CVE-2026-44801&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-47289"&gt;&lt;u&gt;CVE-2026-47289&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-47653"&gt;&lt;u&gt;CVE-2026-47653&lt;/u&gt;&lt;/a&gt;, &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-47654"&gt;&lt;u&gt;CVE-2026-47654&lt;/u&gt;&lt;/a&gt; and &lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-48563"&gt;&lt;u&gt;CVE-2026-48563&lt;/u&gt;&lt;/a&gt; are RCE vulnerabilities affecting Remote Desktop Client. CVSSv3 scores ranged from 8.8 (CVE-2026-42985, CVE-2026-47289 and CVE-2026-47653) to 7.5 and seven were rated as critical while CVE-2026-42993, CVE-2026-42909, CVE-2026-47653 and CVE-2026-42913 were rated as important. Successful exploitation would require a victim to connect to an attacker controlled server using an affected version of the Remote Desktop Client. 
This action could trigger a heap-based buffer overflow, resulting in remote code execution.&lt;/p&gt;&lt;p&gt;While no public details have been released about these vulnerabilities as of June 9, Microsoft has assessed CVE-2026-42985 as “Exploitation More Likely” while the other CVEs were classified as either “Exploitation Unlikely” or “Exploitation Less Likely.” Patches are available for supported versions of Windows and Windows Server.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Out Of Band Updates&lt;/h2&gt;&lt;p&gt;While these updates were released prior to the Patch Tuesday release on June 9, they were outside the window for the May release and are noted here as they are significant.&lt;/p&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge important"&gt;Important&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-41091 | Microsoft Defender Elevation of Privilege Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091"&gt;&lt;u&gt;CVE-2026-41091&lt;/u&gt;&lt;/a&gt; is an EoP vulnerability in Microsoft Defender. It received a CVSSv3 score of 7.8 and is rated important. An unprivileged attacker could exploit this vulnerability by writing a specially crafted file to a privileged location. Successful exploitation would result in Microsoft Defender writing the file back to the privileged location, gaining privileges as SYSTEM.&lt;/p&gt;&lt;p&gt;According to &lt;a href="https://x.com/fabian_bader/status/2057198207243804881"&gt;&lt;u&gt;reports&lt;/u&gt;&lt;/a&gt;, CVE-2026-41091 is RedSun, a zero-day vulnerability disclosed by a researcher named Chaotic Eclipse or Nightmare Eclipse on April 15, 2026. 
This researcher has also published several additional zero-days recently, including BlueHammer (&lt;a href="https://www.tenable.com/cve/CVE-2026-33825"&gt;&lt;u&gt;CVE-2026-33825&lt;/u&gt;&lt;/a&gt;), GreenPlasma and MiniPlasma, and collaborated on Bitskrieg (CVE-2026-50507). CVE-2026-41091 has since been exploited in the wild and &lt;a href="https://www.cisa.gov/news-events/alerts/2026/05/20/cisa-adds-seven-known-exploited-vulnerabilities-catalog"&gt;&lt;u&gt;added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (CISA KEV) catalog on May 20&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blog-severity-alert"&gt;&lt;div class="col-sm-2 nopad"&gt;&lt;div class="blog-severity-badge important"&gt;Important&lt;/div&gt;&lt;/div&gt;&lt;div class="col-sm-10"&gt;&lt;h2&gt;CVE-2026-45585 | Windows BitLocker Security Feature Bypass Vulnerability&lt;/h2&gt;&lt;/div&gt;&lt;div class="col-sm-12"&gt;&lt;p&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45585"&gt;&lt;u&gt;CVE-2026-45585&lt;/u&gt;&lt;/a&gt; is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 6.8 and is rated as important. 
This vulnerability is known as YellowKey, named by the researcher known as Chaotic Eclipse or Nightmare Eclipse.&lt;/p&gt;&lt;p&gt;A proof-of-concept (PoC) was made public on May 13, prompting Microsoft to publish the original advisory and CVE identifier on May 19, offering mitigation guidance.&lt;/p&gt;&lt;p&gt;Exploitation does require physical access to the device; however, Microsoft has assessed this vulnerability as “Exploitation More Likely.”&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2&gt;Tenable Solutions&lt;/h2&gt;&lt;p&gt;A list of all the plugins released for Microsoft’s June 2026 Patch Tuesday update can be found &lt;a href="https://www.tenable.com/plugins/search?q=%22June+2026%22+AND+script_family%3A%28%22Windows%22+OR+%22Windows+OR+%22MacOS+X+Local+Security+Checks%22%29&amp;amp;sort=&amp;amp;page=1"&gt;&lt;u&gt;here&lt;/u&gt;&lt;/a&gt;. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.&lt;/p&gt;&lt;p&gt;For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on &lt;a href="http://www.tenable.com/blog/how-to-perform-efficient-vulnerability-assessments-with-tenable"&gt;&lt;u&gt;How to Perform Efficient Vulnerability Assessments with Tenable&lt;/u&gt;&lt;/a&gt;.&lt;/p&gt;&lt;h3&gt;Get more information&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://msrc.microsoft.com/update-guide/en-us/releaseNote/2026-Jun"&gt;&lt;u&gt;Microsoft's June 2026 Security Updates&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/plugins/search?q=%22June+2026%22+AND+script_family%3A%28%22Windows%22+OR+%22Windows+OR+%22MacOS+X+Local+Security+Checks%22%29&amp;amp;sort=&amp;amp;page=1"&gt;&lt;u&gt;Tenable plugins for Microsoft June 2026 Patch Tuesday Security Updates&lt;/u&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Join &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://connect.tenable.com/category/news-you-need/discussions/vulnerability-watch"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable's Research Special Operations (RSO) Team&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt; on Tenable Connect for further discussions on the latest cyber threats.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Learn more about &lt;/strong&gt;&lt;/em&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;&lt;em&gt;&lt;strong&gt;&lt;u&gt;Tenable One&lt;/u&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;&lt;strong&gt;, the Exposure Management Platform for the modern attack surface.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/microsoft-june-2026-patch-tuesday-198-cves_0.png"&gt;
</description>
  <pubDate>Tue, 09 Jun 2026 14:19:42 -0400</pubDate>
    <dc:creator>Research Special Operations</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210972</guid>
    </item>
<item>
  <title>The June 2026 AI Executive Order: What federal agencies need to know and how Tenable can help</title>
  <link>https://www.tenable.com/blog/summary-june-2026-ai-executive-order-requirements</link>
  <description>&lt;p&gt;On June 2, 2026, the White House signed an Executive Order directing federal agencies to harden their systems with AI-enabled cyber defenses and to stand up a new AI cybersecurity clearinghouse — most of it on a 30-day clock. Here’s what the EO requires and how Tenable can help.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;&lt;strong&gt;Key takeaways:&lt;/strong&gt;&lt;/h2&gt;&lt;ul&gt;&lt;li&gt;The new AI Security Executive Order will require national security and civilian federal agencies to prioritize cyber defenses to account for new frontier AI model capabilities.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Tenable is well positioned to help federal agencies gain visibility across their environments, including AI assets, and to prioritize the vulnerabilities and other exposures that pose the highest risk; Tenable AI-enabled exposure management capabilities can help support vulnerability remediation and automate multi-step remediation workflows.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;The vulnerability and patching clearinghouse which will be developed under the Executive Order will require strong engagement from private sector partners, including Tenable, to drive actionable insights on AI-associated vulnerabilities and mitigation prioritization.&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;On June 2, 2026, the President signed an Executive Order (EO) titled “&lt;a href="https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/" target="_blank"&gt;Promoting Advanced Artificial Intelligence Innovation and Security&lt;/a&gt;.” The direction is clear and the calls to action are fast-moving. 
Within 30 days:&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Federal agencies must begin hardening their information systems with AI-enabled cyber defenses.&lt;/li&gt;&lt;li&gt;CISA must issue new directives or guidance for civilian agencies.&lt;/li&gt;&lt;li&gt;The Department of the Treasury (Treasury), with the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), must stand up a new AI cybersecurity clearinghouse focused on finding and fixing software vulnerabilities.&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Within 60 days, Treasury, with the Department of War (DoW), NSA and CISA, in consultation with the White House and other agencies, must establish a classified benchmarking process to assess the capabilities of frontier AI models through voluntary collaboration with AI developers.&lt;/p&gt;&lt;p&gt;While the Executive Order applies to U.S. federal agencies, the need to prepare for changes in the threat landscape brought about by the advanced cyber capabilities of frontier AI models applies to any organization that needs to manage cyber risk. Here’s a breakdown of what the AI EO requires, the deadlines that matter, and where Tenable fits.&lt;/p&gt;&lt;h2&gt;What the AI Executive Order requires&lt;/h2&gt;&lt;p&gt;The EO’s operative provisions sit in Section 2 (“Upgrading American systems for advanced AI”) and Section 3 (“Secure frontier model deployment”). 
The cybersecurity core is in Section 2.&lt;/p&gt;&lt;h3&gt;Within 30 days:&amp;nbsp;&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;National security and defense systems.&lt;/strong&gt; The Committee on National Security Systems must prioritize the cyber defense of National Security Systems (NSS) and the Secretary of War must do the same for DoW information systems (Section 2(a) and 2(b)).&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Civilian federal systems and critical infrastructure.&lt;/strong&gt; CISA, in consultation with the Office of Management and Budget (OMB), the Assistant to the President for National Security Affairs, and the National Cyber Director, must release Binding Operational Directives (BODs) “and other guidance as appropriate” to:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Expedite and prioritize the cyber defense of civilian federal information systems.&lt;/li&gt;&lt;li&gt;Establish or expand federal programs and services that enhance AI-enabled defensive tools.&lt;/li&gt;&lt;li&gt;Facilitate access to cybersecurity tools and services, including where appropriate, covered frontier models, for agencies, state and local authorities, and critical infrastructure operators such as rural hospitals, community banks, and local utilities.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Worth noting, while the EO directs CISA to release BODs or other guidance for federal civilian agencies, the specific implementation directives are not yet known (Section 2(c)).&lt;/p&gt;&lt;p&gt;&lt;strong&gt;The AI cybersecurity clearinghouse.&lt;/strong&gt; The Secretary of the Treasury, with the National Cyber Director, NSA, and CISA, must form an AI cybersecurity clearinghouse, in voluntary collaboration with the AI industry and critical infrastructure operators. 
The EO tasks the clearinghouse with three concrete functions, per Section 2(d):&amp;nbsp;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Coordinate and deconflict scanning for software vulnerabilities&lt;/li&gt;&lt;li&gt;Discover and validate those vulnerabilities&lt;/li&gt;&lt;li&gt;Coordinate and prioritize the remediation and distribution of vulnerability patches.&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Grant funding for AI vulnerability detection.&lt;/strong&gt; OMB, with the National Cyber Director and CISA, must determine whether existing federal grant programs have funding that can be directed toward applicants developing advanced AI vulnerability detection (Section 2(e)).&lt;/p&gt;&lt;h3&gt;Within 60 days:&amp;nbsp;&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;Cybersecurity workforce.&lt;/strong&gt; The Office of Personnel Management must expand hiring and placement pathways for cybersecurity specialists through the United States Tech Force (Section 2(f)).&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Secure frontier model deployment.&lt;/strong&gt; Treasury, NSA, and CISA, in consultation with NIST and others, must develop a classified benchmarking process to assess the advanced cyber capabilities of AI models. They must also set the threshold for designating a “covered frontier model,” and design a voluntary framework through which developers can give the government up to 30 days of pre-release access to those models. The Executive Order is explicit that it does not create any mandatory licensing, preclearance, or permitting requirement for AI models (Section 3).&lt;/p&gt;&lt;h3&gt;No fixed deadline:&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;Criminal enforcement.&lt;/strong&gt; The EO directs the Attorney General to prioritize enforcement against those who use AI to illegally access or damage computer systems (Section 4).&lt;/p&gt;&lt;p&gt;For federal cybersecurity leaders, this is less a future-state policy document than a near-term planning trigger. 
Watch for CISA’s issuance of BODs and other guidance, and for readouts on the clearinghouse, during June and July.&lt;/p&gt;&lt;h2&gt;How Tenable can help&lt;/h2&gt;&lt;p&gt;The EO’s center of gravity — finding software vulnerabilities, validating them, prioritizing them, and driving remediation — is the work Tenable's platform is built to do. While the AI Executive Order focuses on vulnerability discovery, validation, prioritization, and remediation, the benefit of the Tenable One Exposure Management Platform is that it addresses vulnerabilities alongside other security weaknesses, including misconfigurations of AI systems and overpermissioned AI agents, to serve as the system of action for mitigating cyber exposure and reducing cyber risk across organizations’ expanding attack surfaces. Below, learn how specific Tenable capabilities map to the EO’s requirements.&lt;/p&gt;&lt;h3&gt;Continuous vulnerability detection across the attack surface&lt;/h3&gt;&lt;p&gt;Sections 2(a) through 2(d) turn on the ability to find vulnerabilities across a wide range of systems continuously. &lt;a href="https://www.tenable.com/products/vulnerability-management"&gt;Tenable One Vulnerability Management&lt;/a&gt; and &lt;a href="https://www.tenable.com/products/security-center"&gt;Tenable Security Center&lt;/a&gt; provide network-based and agent-based assessment across IT assets, with credentialed scanning for greater depth. 
&lt;a href="https://www.tenable.com/cloud-security/products/cnapp"&gt;Tenable One Cloud Exposure&lt;/a&gt; extends that visibility to cloud workloads and configurations, and &lt;a href="https://www.tenable.com/products/attack-surface-management"&gt;Tenable One Attack Surface Management&lt;/a&gt; maps internet-facing assets that agencies may not know they have.&amp;nbsp;&lt;/p&gt;&lt;p&gt;For agencies operating classified or air-gapped environments — relevant to the National Security Systems named in Section 2(a) — &lt;a href="https://www.tenable.com/products/enclave-security"&gt;Tenable Enclave Security&lt;/a&gt; is built to run vulnerability and configuration assessment inside those boundaries.&lt;/p&gt;&lt;h3&gt;Risk-based prioritization, not “patch everything”&lt;/h3&gt;&lt;p&gt;Section 2(d) doesn’t only call for discovering vulnerabilities — it calls for &lt;em&gt;prioritizing&lt;/em&gt; them for remediation. That distinction matters because no agency can patch everything at once.&lt;/p&gt;&lt;p&gt;Tenable’s &lt;a href="https://www.tenable.com/capabilities/vulnerability-priority-rating"&gt;Vulnerability Priority Rating (VPR)&lt;/a&gt; uses machine learning, trained on the company’s corpus of more than 1.7 trillion security findings accumulated over more than 25 years of continuous scanning, to forecast which vulnerabilities are most likely to be exploited, so defenders can focus on the smaller set that represents real, immediate risk. By leveraging AI-generated features and expert intelligence from Tenable's Research Special Operations team, VPR helps organizations &lt;a href="https://www.tenable.com/whitepapers/enhancements-to-tenable-vulnerability-priority-rating-vpr"&gt;pinpoint the critical 1.6% of vulnerabilities that represent actual business risk&lt;/a&gt;. 
Tenable also ingests CISA’s Known Exploited Vulnerabilities (KEV) catalog — the continuously updated, authoritative list of Common Vulnerabilities and Exposures (CVEs) under active exploitation — directly into prioritization, aligning remediation guidance to the same source CISA uses to track risk across the federal enterprise.&amp;nbsp;&lt;/p&gt;&lt;h3&gt;AI-enabled defensive tooling&lt;/h3&gt;&lt;p&gt;Section 2(c) directs CISA to establish or expand programs that enhance AI-enabled defensive tools. As &lt;a href="https://www.tenable.com/blog/anthropic-ceo-dario-amodei-cybersecurity"&gt;frontier AI models accelerate the rate at which vulnerabilities can be discovered and exploited&lt;/a&gt;, the traditional window for manual remediation is rapidly closing. The June 2026 AI Executive Order recognizes this shift, directing federal agencies to counter machine-speed threats with AI-enabled cyber defenses within 30 days.&lt;/p&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/products/tenable-one/capabilities/hexa-ai"&gt;Tenable Hexa AI&lt;/a&gt;, the agentic engine of the &lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One Exposure Management Platform&lt;/a&gt;, is designed to help counter machine-speed threats, supercharge productivity, and accelerate risk reduction by automating multi-step remediation workflows. Security teams can leverage pre-built agents directly in the user interface or build custom agents via the Model Context Protocol (MCP), turning exposure intelligence into decisive action at machine speed.&amp;nbsp;&lt;/p&gt;&lt;p&gt;At the same time, as agencies build custom models or adopt third-party tools like ChatGPT and Copilot, they fundamentally expand their attack surface. It is now critical to protect enterprise AI, shadow AI, training data, and underlying infrastructure from emerging threats like adversarial attacks, data poisoning, and model theft. 
Tenable secures this expanding attack surface with &lt;a href="https://www.tenable.com/products/ai-exposure"&gt;Tenable One AI Exposure&lt;/a&gt;, which is designed to help agencies see, manage, and control the risks introduced by generative AI. Tenable One AI Exposure allows agencies to discover and inventory AI tools and libraries, and apply AI usage policies across the environment — a growing requirement as agencies adopt AI and need to account for it as part of their attack surface. By addressing &lt;a href="https://www.tenable.com/blog/supply-chain-attack-on-axios-npm-package-scope-impact-and-remediations"&gt;critical supply chain vulnerabilities&lt;/a&gt; and a lack of identity controls, Tenable actively closes the growing &lt;a href="https://www.tenable.com/blog/strategic-framework-for-securing-AI-with-exposure-management"&gt;AI exposure gap&lt;/a&gt; to ensure agencies can adopt new technologies without introducing unmanaged business risk.&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/blog/gartner-names-tenable-company-to-beat-in-ai-powered-exposure-management"&gt;Recognized by Gartner as the company to beat for AI-powered exposure assessment&lt;/a&gt;, Tenable has cemented its role as the go-to platform for organizations looking to stay ahead of risk in an increasingly AI-driven threat environment.&amp;nbsp;&lt;/p&gt;&lt;h3&gt;Discovering and validating vulnerabilities at scale&lt;/h3&gt;&lt;p&gt;The vulnerability and patching clearinghouse provision is arguably the most operationally consequential requirement in the AI Executive Order because it describes a capability, not a policy: the need to coordinate vulnerability scanning, discover and validate vulnerabilities, and prioritize remediation. 
That is the work the Tenable One platform and research organization are built to do, and the AI-enabled dimension of that work is already in production.&lt;/p&gt;&lt;p&gt;For &lt;strong&gt;scanning at scale&lt;/strong&gt;, the Tenable platform (including Tenable One Vulnerability Management, Tenable Security Center, &lt;a href="https://www.tenable.com/products/nessus"&gt;Tenable Nessus&lt;/a&gt;, Tenable One Cloud Exposure, and &lt;a href="https://www.tenable.com/products/ot-security"&gt;Tenable One OT Exposure&lt;/a&gt;) handles millions of daily scans across critical infrastructure using non-intrusive methods, which is essential for avoiding disruption in government environments.&lt;/p&gt;&lt;p&gt;In &lt;strong&gt;vulnerability discovery and validation&lt;/strong&gt;, Tenable Research has publicly disclosed over 450 zero-day vulnerabilities and has tagged 1,000 zero-days all-time. Additionally, the Tenable Research team tracks more than 2,000 vulnerabilities that have been verified as exploited in the wild. The team uses a hybrid intelligence model that combines expert analysis with large language models, resulting in a curated library of over 11,000 CVEs enriched with exploitation evidence and threat actor links, maintained independently of the National Vulnerability Database (NVD).&lt;/p&gt;&lt;p&gt;For &lt;strong&gt;vulnerability prioritization and remediation&lt;/strong&gt;, Tenable's Vulnerability Priority Rating (VPR) provides an advantage by not relying on NVD severity scores, a key consideration given &lt;a href="https://www.tenable.com/blog/nvd-cuts-cve-enrichment-how-tenable-helps"&gt;recent changes limiting NVD enrichment&lt;/a&gt;. Tenable Research consistently identifies actively exploited vulnerabilities a median of seven days before they appear on CISA’s Known Exploited Vulnerabilities catalog. 
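The KEV-based prioritization described above (in the risk-based prioritization section and again in the remediation paragraph here) is easy to reproduce in miniature. The following is an added example, not Tenable code and not the VPR algorithm: it ranks constructed scanner findings so that CVEs present in CISA's KEV catalog come first, ordered by whether their BOD 22-01 due date has already passed and then by that due date, with CVSS used only as the fallback for everything else. The KEV excerpt is constructed in the shape of CISA's published KEV JSON feed (a top-level "vulnerabilities" list with cveID, dateAdded, dueDate and knownRansomwareCampaignUse); every CVE ID in it is a synthetic placeholder in the year 2099, not a real vulnerability, and the asset names and reference date are made up as well.

```python
"""Rank scan findings by CISA KEV membership and BOD 22-01 due date.

Added illustration; not Tenable code and not the VPR algorithm. The KEV
sample is constructed in the shape of CISA's KEV JSON feed (field names
cveID, dateAdded, dueDate, knownRansomwareCampaignUse). Every CVE ID is a
synthetic placeholder (year 2099), not a real vulnerability.
"""
import json
import operator
from dataclasses import dataclass
from datetime import date

# Constructed reference date used by the demo and the checks below.
REFERENCE_DATE = date(2026, 6, 4)

# Constructed KEV excerpt: field names follow the real feed, contents are made up.
KEV_SAMPLE = json.dumps({
    "title": "constructed KEV excerpt",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "dateAdded": "2026-05-27", "dueDate": "2026-06-10",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0003", "dateAdded": "2026-04-29", "dueDate": "2026-05-20",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0005", "dateAdded": "2026-06-04", "dueDate": "2026-06-25",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


@dataclass(frozen=True)
class Finding:
    """One scanner finding: an asset paired with a CVE (constructed data)."""
    asset: str
    cve: str
    cvss: float          # CVSS base score as reported by the scanner
    internet_facing: bool


# Constructed scanner output, deliberately not in priority order.
FINDINGS = [
    Finding("db-02", "CVE-2099-0002", 9.8, False),
    Finding("web-01", "CVE-2099-0001", 7.5, True),
    Finding("build-04", "CVE-2099-0004", 9.1, False),
    Finding("mail-05", "CVE-2099-0005", 8.8, True),
    Finding("vpn-03", "CVE-2099-0003", 6.1, True),
]


def load_kev(raw_json):
    """Index the KEV feed by CVE ID so membership checks are a dict lookup."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def days_until_due(entry, today):
    """Days left before the BOD 22-01 due date; negative once it has passed."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def priority_key(finding, kev, today):
    """Sort key: KEV before non-KEV; overdue KEV entries first; then earliest
    due date; then known ransomware use; then CVSS descending; then exposure.
    Non-KEV findings fall back to CVSS, which is where a VPR-style
    exploitation-likelihood score would normally go instead."""
    entry = kev.get(finding.cve)
    if entry is None:
        return (1, 1, 0, 1, -finding.cvss, not finding.internet_facing)
    overdue = operator.lt(days_until_due(entry, today), 0)
    return (
        0,
        0 if overdue else 1,
        date.fromisoformat(entry["dueDate"]).toordinal(),
        0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1,
        -finding.cvss,
        not finding.internet_facing,
    )


def prioritize(findings, kev_json, today):
    """Return the findings in the order they should be remediated."""
    kev = load_kev(kev_json)
    return sorted(findings, key=lambda f: priority_key(f, kev, today))


def kev_sla_status(findings, kev_json, today):
    """Map each asset to 'overdue', 'due in N days' or 'not in KEV' for reporting."""
    kev = load_kev(kev_json)
    status = {}
    for f in findings:
        entry = kev.get(f.cve)
        if entry is None:
            status[f.asset] = "not in KEV"
        else:
            remaining = days_until_due(entry, today)
            status[f.asset] = "overdue" if operator.lt(remaining, 0) else f"due in {remaining} days"
    return status


if __name__ == "__main__":
    status = kev_sla_status(FINDINGS, KEV_SAMPLE, REFERENCE_DATE)
    for f in prioritize(FINDINGS, KEV_SAMPLE, REFERENCE_DATE):
        print(f"{f.asset:9} {f.cve}  cvss={f.cvss}  {status[f.asset]}")
```

Run as-is, the overdue KEV entry on vpn-03 (CVSS 6.1) lands at the top of the list while the CVSS 9.8 finding on db-02, which is not in KEV, drops to fourth. That inversion is the point of ingesting KEV rather than sorting on severity alone: the catalog encodes observed exploitation and a federal remediation deadline, neither of which a base score carries. In a real pipeline the KEV_SAMPLE string would be replaced by the downloaded feed and the CVSS fallback by an exploitation-likelihood score.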
In addition, Tenable Hexa AI automates remediation workflows, and Tenable One AI Exposure helps agencies inventory AI tools and libraries, addressing the expanding attack surface.&lt;/p&gt;&lt;h3&gt;Protecting critical infrastructure: hospitals, banks, and utilities&lt;/h3&gt;&lt;p&gt;Section 2(c)(iii) directs CISA to &lt;em&gt;facilitate access&lt;/em&gt; to cybersecurity tools for rural hospitals, community banks, and local utilities. Note the verb &lt;em&gt;facilitate&lt;/em&gt;: this is an access-and-incentive provision, not a mandate imposed on those operators. Many of these organizations have historically lacked the budget and staff for enterprise-grade vulnerability management.&lt;/p&gt;&lt;p&gt;Tenable One OT Exposure is built for the operational technology environments common in utilities and healthcare delivery, including industrial control systems and SCADA networks. It has been listed on CISA’s Continuous Diagnostics and Mitigation (CDM) Approved Products List since October 2021. Tenable's research into threat activity targeting operational technology at water and energy utilities gives these operators current, actionable context for the risks this provision is meant to address.&lt;/p&gt;&lt;h3&gt;Funding the work: grant programs under Section 2(e)&lt;/h3&gt;&lt;p&gt;Section 2(e) directs OMB to identify federal grant funding that can be steered toward advanced AI vulnerability detection. Several existing programs already fund this kind of work, including the &lt;a href="https://www.tenable.com/state-local-gov/cybersecurity-grant"&gt;State and Local Cybersecurity Grant Program (SLCGP)&lt;/a&gt; and the Department of Energy's Rural and Municipal Utility Advanced Cybersecurity Grant (RMUC) program. 
Tenable solutions help fulfill SLCGP requirements, and Tenable works with public sector customers and channel partners to align purchases to available grant funding.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;Security for AI and AI for cybersecurity&lt;/h2&gt;&lt;p&gt;The June 2026 Executive Order moves AI policy toward operational cybersecurity, and it does so on a short clock. The provisions that matter most — continuous detection, validation, risk-based prioritization, and remediation — describe the discipline of &lt;a href="https://www.tenable.com/cybersecurity-guide/learn/what-is-exposure-management"&gt;exposure management&lt;/a&gt;. Agencies that already have those practices and tools in place will be best positioned to meet the EO’s requirements as CISA, Treasury, and OMB translate it into specific directives, programs, and funding over the coming weeks.&lt;/p&gt;&lt;h2&gt;&lt;strong&gt;Learn more&lt;/strong&gt;&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;Tenable resources:&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/solutions/government/us-fed"&gt;Exposure Management for federal government agencies&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/products/tenable-one"&gt;Tenable One Exposure Management Platform&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/products/vulnerability-management"&gt;Tenable One Vulnerability Management&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/products/ot-security"&gt;Tenable One OT Exposure&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.tenable.com/solution-briefs/enhancements-to-tenable-vulnerability-priority-rating-vpr"&gt;Tenable Vulnerability Priority Rating (VPR) Solution Overview&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Government resources:&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/"&gt;Executive 
Order, "Promoting Advanced Artificial Intelligence Innovation and Security" (June 2, 2026)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.whitehouse.gov/wp-content/uploads/2026/03/president-trumps-cyber-strategy-for-america.pdf"&gt;President Trump's Cyber Strategy for America (March 2026)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog"&gt;CISA Known Exploited Vulnerabilities Catalog&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.cisa.gov/state-and-local-cybersecurity-grant-program"&gt;State and Local Cybersecurity Grant Program&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.energy.gov/ceser/rural-and-municipal-utility-advanced-cybersecurity-grant-and-technical-assistance-rmuc"&gt;DOE Rural and Municipal Utility Advanced Cybersecurity Grant (RMUC) Program&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br&gt;&lt;br&gt;&amp;nbsp;&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/AI%20Executive%20Order.png"&gt;
</description>
  <pubDate>Thu, 04 Jun 2026 19:33:00 -0400</pubDate>
    <dc:creator>Jill Shapiro</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210966</guid>
    </item>
<item>
  <title>Tenable joins Anthropic’s Project Glasswing to advance AI-era cyber defense </title>
  <link>https://www.tenable.com/blog/anthropic-claude-mythos-tenable-joins-project-glasswing</link>
<description>&lt;p&gt;By participating in Project Glasswing and working with Claude Mythos Preview, Tenable can help customers better understand how emerging frontier AI models behave, their evolving risks and benefits for cybersecurity, and the kinds of controls organizations will need as AI adoption accelerates.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;&lt;strong&gt;Key takeaways&lt;/strong&gt;&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;Tenable is interested in using Mythos Preview to drive new research, strengthen the security of Tenable, and help customers better understand how emerging frontier AI models behave, their evolving risks and benefits, and the kinds of controls organizations will need as they accelerate AI adoption.&lt;br&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;Tenable previously announced the integration of the Tenable One Exposure Management Platform with the &lt;a href="https://www.tenable.com/press-releases/tenable-announces-strategic-integration-with-the-claude-compliance-api"&gt;Claude Compliance API&lt;/a&gt; to give Tenable customers better AI visibility and governance capabilities, along with Claude-powered workflows in Tenable Hexa AI, the agentic engine of the Tenable One platform.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;Over the past year, it has become increasingly clear that AI is going to fundamentally reshape cybersecurity.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Not eventually. Now.&lt;/p&gt;&lt;p&gt;The pace of &lt;a href="https://www.tenable.com/blog/why-the-approaching-flood-of-vulnerabilities-changes-everything-and-what-to-do-about-it" target="_blank"&gt;vulnerability discovery&lt;/a&gt; is accelerating. Attack surfaces are expanding faster than ever. 
Security teams are already overwhelmed trying to determine what actually matters.&lt;/p&gt;&lt;p&gt;At the same time, frontier AI models like &lt;a href="https://www.tenable.com/blog/claude-mythos-prepare-for-AI-cybersecurity-questions-from-your-board-of-directors" target="_blank"&gt;Claude Mythos Preview&lt;/a&gt; are demonstrating that new capabilities in reasoning and agentic workflows are on the horizon and could significantly accelerate cyber offense and challenge cyber defense over the next few years.&lt;/p&gt;&lt;p&gt;Tenable joining Project Glasswing is a strategic step forward for defenders, and an extension of our existing &lt;a href="https://www.tenable.com/press-releases/tenable-partners-with-anthropic-for-ai-driven-exposure-management" target="_blank"&gt;partnership with Anthropic&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;&lt;p&gt;We also believe the industry is entering a period where defender advantage will not come from access to any single model. It will come from understanding what matters most, reducing exposure before attackers strike, and coordinating remediation at the speed modern threats demand.&amp;nbsp;&lt;/p&gt;&lt;h2&gt;&lt;strong&gt;Improving what matters most&lt;/strong&gt;&lt;/h2&gt;&lt;p&gt;The industry already has more findings than humans can realistically process. The real challenge is understanding what matters most.&lt;/p&gt;&lt;p&gt;Which exposures are actually dangerous? Which combinations create meaningful attack paths? What should be fixed first? 
What actions will materially reduce risk?&lt;/p&gt;&lt;p&gt;Those are &lt;a href="https://www.tenable.com/cybersecurity-guide/learn/what-is-exposure-management" target="_blank"&gt;exposure management&lt;/a&gt; problems.&amp;nbsp;&lt;/p&gt;&lt;p&gt;We’re working with frontier AI models to evaluate and benchmark how advanced reasoning capabilities may improve exposure analysis, attack path understanding, prioritization, and remediation decision-making to help our customers and partners improve their own security and risk management initiatives.&lt;/p&gt;&lt;p&gt;As part of Project Glasswing, we’re particularly interested in driving new research using Mythos Preview to better understand where it can help reinforce existing security analysis, and strengthen our own defenses by using frontier models to improve the security of Tenable. We also plan to use Mythos alongside other models to help challenge assumptions, and identify relationships and risk patterns faster than traditional approaches alone.&lt;/p&gt;&lt;p&gt;We believe frontier models will increasingly become another important source of security insight and telemetry flowing into exposure management platforms. The long-term differentiator for defenders will not be access to a single model. It will be the ability to combine those signals with authoritative context, asset intelligence, attack path analysis, and coordinated remediation across the enterprise.&lt;/p&gt;&lt;h2&gt;&lt;strong&gt;Understanding the AI attack surface&lt;/strong&gt;&lt;/h2&gt;&lt;p&gt;Another important reality is that organizations are increasingly responsible for AI systems they did not build themselves. 
That creates a rapidly expanding attack surface.&lt;/p&gt;&lt;p&gt;Our goal is simple: when meaningful advances in AI capabilities arrive, we will be ready to translate them into practical customer value quickly and responsibly.&lt;/p&gt;&lt;p&gt;Participating in frontier AI initiatives like Project Glasswing helps us better understand emerging model behaviors, evolving risks, and the kinds of controls organizations will need as AI adoption accelerates.&lt;/p&gt;&lt;p&gt;That learning directly informs both our products and our own internal security practices.&lt;/p&gt;&lt;h2&gt;&lt;strong&gt;The future of cybersecurity&lt;/strong&gt;&lt;/h2&gt;&lt;p&gt;One thing is becoming increasingly clear: frontier AI capabilities will not remain rare for long.&lt;/p&gt;&lt;p&gt;Capabilities that seem extraordinary today will eventually become widely available across the industry, including to attackers.&lt;/p&gt;&lt;p&gt;In that world, defender advantage will not come from access to any single model. It will come from understanding what matters most, reducing exposure before attackers strike, and coordinating remediation at the speed modern threats demand.&lt;/p&gt;&lt;p&gt;That is the work we’re focused on at Tenable. That is our commitment to our partners and customers.&lt;/p&gt;&lt;p&gt;And we’re excited to be doing it alongside Anthropic and the broader Project Glasswing community.&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/glasswing-blog.png"&gt;
</description>
  <pubDate>Thu, 04 Jun 2026 16:30:00 -0400</pubDate>
    <dc:creator>Vlad Korsunsky</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210960</guid>
    </item>
<item>
  <title>Tenable CTO Q&amp;A: C-suite views AI as massive threat, as cyber teams adopt exposure management to counter AI attacks</title>
  <link>https://www.tenable.com/blog/tenable-cto-ai-security-threats-exposure-management</link>
  <description>&lt;p&gt;Tenable CTO Vlad Korsunsky talks about participating in the World Economic Forum’s Annual Meeting on Cybersecurity and Tenable’s EXPOSURE 2026 conference, where he talked with global leaders about new game-changing AI threats and the groundbreaking benefits of exposure management.&lt;/p&gt;&lt;div class="blog-see-also"&gt;&lt;div class="col-sm-12"&gt;&lt;h2&gt;Key takeaways&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;The patching cycle is obsolete.&lt;/strong&gt; Advanced AI models have compressed exploitation timelines into “negative days,” meaning adversaries actively weaponize vulnerabilities before vendor patches are even released.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Shift from static CVE severity scores to AI-powered exposure management.&lt;/strong&gt; Point-in-time vulnerability-risk snapshots fall short. You need AI insights to prioritize remediation based on real-world exploitability of your entire attack surface.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Secure the agentic economy.&lt;/strong&gt; The rapid explosion of autonomous non-human AI identities demands the immediate application of zero trust and least-privilege cryptographic primitives to mitigate severe, systemic internal risks.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Don’t focus only on vulnerabilities. &lt;/strong&gt;While the 2026 Verizon DBIR ranks vulnerability exploitation as the top initial access vector for breaches (about 30%), the majority of breaches (70%) stem from human errors, such as misconfigurations and identity flaws.&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;Tenable Chief Technology Officer Vlad Korsunsky recently participated in the &lt;a href="https://www.weforum.org/stories/2026/05/cybersecurity-systemic-economic-and-strategic-imperative/"&gt;World Economic Forum’s Annual Meeting on Cybersecurity&lt;/a&gt; in Geneva, Switzerland, an annual summit that takes the pulse of global cyber risk. 
Korsunsky was one of 150 senior leaders from global industry and government who gathered to discuss how to strengthen businesses’ cyber defenses. The sobering, collective consensus: The traditional cybersecurity playbook is obsolete, as AI becomes an unprecedented threat multiplier.&lt;/p&gt;&lt;p&gt;For Tenable, participating in foundational, high-level dialogues and collaborations such as this one is both a privilege and an immense responsibility. As the cybersecurity operating model gets rewritten in real time, Tenable feels a duty to help shape cyber defenders’ collective insights and strategies. Tenable has spent years addressing the structural cybersecurity operational gaps that worry C-level executives and government leaders worldwide.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Korsunsky also had a chance to sit down with many of the hundreds of cybersecurity executives who gathered recently at Tenable’s &lt;a href="https://www.tenable.com/blog/exposure-2026-prepares-cybersecurity-professionals-for-the-ai-era"&gt;EXPOSURE 2026 conference&lt;/a&gt;. The EXPOSURE 2026 discussions ranged from the death of reactive patching cycles to the need to counter AI threats with systemic cyber resilience, and signaled an urgent need to shift away from a siloed, fragmented approach to cybersecurity and move toward &lt;a href="https://www.tenable.com/products/tenable-one"&gt;AI-powered exposure management&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Below is an in-depth Q&amp;amp;A with Korsunsky, expanding on his participation in the Geneva and Tenable meetings, the rapid escalation of AI threats, and the way to tame cyber risk today and in the coming years.&lt;/p&gt;&lt;h3&gt;Q: Vlad, you recently returned from the &lt;a href="https://www.weforum.org/stories/2026/05/cybersecurity-systemic-economic-and-strategic-imperative/"&gt;World Economic Forum’s Annual Meeting on Cybersecurity&lt;/a&gt; in Geneva. 
What was the overarching energy in the room among these 150 global leaders, which included CEOs, CTOs, CISOs and government leaders?&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;Vlad Korsunsky:&lt;/strong&gt; The energy was highly focused and, frankly, deeply sober. We are witnessing an unprecedented compression of the threat landscape, and everyone in that room, whether they were running a multinational bank, directing a national cyber defense agency, or leading an NGO, realized that conventional cyber defenses cannot keep up with this velocity.&lt;/p&gt;&lt;p&gt;A telling example of how high the stakes have jumped occurred just recently in Washington, D.C. The then Federal Reserve Chair Jerome Powell and U.S. Treasury Secretary Scott Bessent convened an &lt;a href="https://fortune.com/2026/04/10/bessent-powell-anthropic-mythos-ai-model-cyber-risk/"&gt;emergency, high-level meeting&lt;/a&gt; with the CEOs of some of America's largest financial institutions, including Wall Street giants like Goldman Sachs, Citigroup, Wells Fargo, Bank of America, and Morgan Stanley.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The entire meeting focused on a single AI model: &lt;a href="https://www.tenable.com/blog/claude-mythos-prepare-for-AI-cybersecurity-questions-from-your-board-of-directors"&gt;Anthropic’s Claude Mythos Preview&lt;/a&gt;. Anthropic had flagged that while it built Mythos to bolster cyber defense, its raw capabilities were so advanced that, if weaponized or leaked, it could pose a major threat to the structural stability of the global financial system. When the highest echelons of fiscal and state power are holding emergency briefings over the capabilities of a single generative AI model, you know you’re dealing with a fundamentally different cyber threat landscape.&lt;/p&gt;&lt;h3&gt;Q: When asked, "What are the top cyber concerns for 2027?," meeting participants ranked the capacity of AI to be a threat multiplier as number one. 
Is this a future problem, or are we living it now?&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;Vlad Korsunsky:&lt;/strong&gt; The threat of AI in the hands of attackers is absolutely a global concern today. Look at the empirical metrics tracking adversary speed over the last decade and a half. For years, Mandiant tracked a linear trend that actually looked like a win for defenders. Time-to-exploit, which is the window between a vulnerability being disclosed and an active exploit hitting the wild, shrank steadily from 63 days in 2018 down to 32 days by 2022.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Concurrently, &lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026"&gt;average attacker dwell time&lt;/a&gt; — the time an attacker remains undiscovered after breaching a network – plummeted from more than 400 days in 2011 down to just 14 days in 2025. In short, defenders were actively closing the gap.&lt;/p&gt;&lt;p&gt;Then came 2023, and the trend broke violently. Time-to-exploit collapsed from 32 days to just five. By 2024, it went negative: minus one day.&amp;nbsp;&lt;/p&gt;&lt;p&gt;According to &lt;a href="https://cloud.google.com/security/resources/m-trends"&gt;Mandiant’s latest “M-Trends 2026 Report&lt;/a&gt;,” published last month, the average time-to-exploit sits at &lt;em&gt;minus seven days&lt;/em&gt;. Think about that structural asymmetry. 
Attackers are successfully weaponizing and exploiting vulnerabilities a full week &lt;em&gt;before&lt;/em&gt; a vendor compiles and ships a patch.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Meanwhile, the &lt;a href="https://www.tenable.com/blog/key-findings-from-the-verizon-dbir-2026#:~:text=Even%20more%20concerning%20is%20that%20the%20median%20time%2Dto%2Dpatch%20has%20increased%20from%2032%20days%20to%2043%20days%2C%20a%2034%25%20increase.%20This%20year%E2%80%99s%20findings%20paint%20a%20stark%20picture%3A%20The%20number%20of%20vulnerabilities%20continues%20to%20snowball%2C%20as%20organizations%E2%80%99%20patching%20rates%20continue%20to%20fall%20behind."&gt;median timeline for an enterprise to deploy a patch&lt;/a&gt; across their environment is roughly 43 to 55 days, according to this year’s &lt;a href="https://www.verizon.com/business/resources/reports/dbir/"&gt;Verizon Data Breach Investigations Report (DBIR)&lt;/a&gt;. If adversaries are operating in negative time and defenders are operating across months, the traditional patching cycle is effectively a dead strategy.&lt;/p&gt;&lt;h3&gt;Q: What is driving this terrifying acceleration? How are attackers moving so quickly?&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;Vlad Korsunsky:&lt;/strong&gt; It is driven entirely by advanced frontier LLMs doing in minutes what used to require weeks of highly specialized human labor. 
Back in February, &lt;a href="https://www.tenable.com/blog/Anthropic-Claude-Opus-AI-vulnerability-discovery-cybersecurity"&gt;Anthropic’s Opus 4.6 model uncovered more than 500 zero-day vulnerabilities&lt;/a&gt; in widely utilized open-source software, flaws that had remained undiscovered despite decades of manual peer review by brilliant human engineers.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Less than two months later, Anthropic’s &lt;a href="https://www.tenable.com/blog/5-steps-to-become-mythos-ready-ai-cybersecurity"&gt;Mythos model found thousands more vulnerabilities&lt;/a&gt; across foundational operating systems, web browsers, and core cryptographic libraries. More importantly, Mythos went further after spotting them; it boasted an &lt;a href="https://tech.yahoo.com/cybersecurity/articles/former-national-cyber-director-anthropic-100000869.html"&gt;83% autonomous success rate in chaining disparate, low-severity logic flaws&lt;/a&gt; into devastating, end-to-end critical exploits.&lt;/p&gt;&lt;p&gt;Essentially, we have reached a watershed moment reminiscent of when &lt;a href="https://www.theguardian.com/technology/2016/mar/09/google-deepmind-alphago-ai-defeats-human-lee-sedol-first-game-go-contest"&gt;Google DeepMind’s AlphaGo defeated human Go champions&lt;/a&gt;. Experts believed a computer was decades away from mastering the Go game because the game features more potential board configurations than there are atoms in the observable universe. Brute force was impossible. Yet, AlphaGo won by leveraging deep neural networks to synthesize a form of machine intuition, discovering creative moves no human had conceived in 2,500 years of play.&lt;/p&gt;&lt;p&gt;Today, &lt;a href="https://www.linkedin.com/events/7458208653578350594/"&gt;frontier AI models&lt;/a&gt; are applying that exact evolutionary leap to cybersecurity. The most powerful LLMs can now execute 32-step complex reasoning chains to autonomously map and compromise simulated corporate networks. 
The asymmetry is stark. This massive capability curve means the absolute volume of known exposures is poised for a massive step-change, and GenAI has poured pure gasoline on the fire.&lt;/p&gt;&lt;h3&gt;Q: With zero-days dropping in droves thanks to AI-aided discoveries, should enterprises focus all their engineering resources on hunting down these vulnerabilities? What did you hear from CISOs and other high-level cybersecurity leaders about this issue at Tenable’s EXPOSURE 2026?&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;Vlad Korsunsky:&lt;/strong&gt; This is where we have to look at the whole board and avoid panic. While the influx of AI-driven zero-day disclosures is a massive upstream pressure on software vendors, data from this year’s &lt;a href="https://www.tenable.com/blog/key-findings-from-the-verizon-dbir-2026#:~:text=The%202026%20Verizon%20DBIR%20found%20that%20vulnerability%20exploitation%20is%20the%20top%20initial%20access%20vector%2C%20accounting%20for%2031%25%20of%20data%20breaches%20during%20the%20study%20period."&gt;Verizon DBIR&lt;/a&gt; shows that breaches directly leveraging software exploits account for about 30% of incidents. It's a significant percentage, yes, but what about the other 70%?&lt;/p&gt;&lt;p&gt;Cybersecurity leaders I talked to at EXPOSURE 2026 realize that the overwhelming majority of enterprise breaches do not begin with an ultra-sophisticated, state-sponsored zero-day exploit. They start with incredibly simple, unforced human errors: unsecured shadow IT cloud assets running outside corporate governance; misconfigured databases left wide open to the public internet; over-privileged corporate identities; a lack of multi-factor authentication (MFA); and highly targeted, AI-driven spear phishing. 
This is a critical insight for guiding your &lt;a href="https://www.tenable.com/blog/security-leaders-are-rethinking-their-cyber-risk-strategies-new-research-from-tenable-and"&gt;cyber strategy&lt;/a&gt; today.&lt;/p&gt;&lt;p&gt;These misconfigurations and unsecured cloud credentials are the dry fuel sitting inside an enterprise network. When an AI hacking agent comes looking, that fuel ignites faster than any traditional cybersecurity team can react. So organizations must be diligent about proactively maintaining stringent security hygiene.&lt;/p&gt;&lt;h3&gt;Q: If paddling faster inside the old patching model won't save us, how do defenders change the rules of the game?&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;Vlad Korsunsky:&lt;/strong&gt; We have to look at this the way wildland firefighters have looked at massive forest fires for over a century. When a wildfire is roaring toward a town faster than a human can run, firefighters don’t just stand at the edge of the flames reaching for a bigger water hose. They get ahead of the blaze and light a controlled burn. They intentionally clear out the brush, trees, and fuel ahead of time. When the main fire line reaches that cleared zone, it starves and dies because there is nothing left to consume.&lt;/p&gt;&lt;p&gt;Enterprise security must adopt this exact philosophy. We have to stop reacting to the fire and start aggressively clearing the fuel before the adversary arrives. This requires a wholesale shift from reactive vulnerability patching to continuous &lt;a href="https://www.tenable.com/exposure-management/resource-center"&gt;exposure management&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;a href="https://www.tenable.com/blog/why-the-approaching-flood-of-vulnerabilities-changes-everything-and-what-to-do-about-it"&gt;The traditional Common Vulnerability Scoring System (CVSS) is effectively dead as a primary prioritization tool&lt;/a&gt;. 
A static CVSS score tells you the theoretical severity of a single CVE in a vacuum; it tells you absolutely nothing about real-world exploitability within the specific context of your unique enterprise environment.&amp;nbsp;&lt;/p&gt;&lt;p&gt;At EXPOSURE 2026, we heard from our customers how continuous, AI-driven exposure management is helping them counter today’s evolving AI threats successfully. With exposure management, you use advanced analytics to gain unified, real-time visibility across your entire modern attack surface, encompassing data centers, cloud infrastructure, OT/IoT environments, corporate identities, and newly deployed AI pipelines. We must &lt;a href="https://www.tenable.com/blog/implement-agentic-ai-in-cybersecurity-to-reduce-risk-tenable-hexa-ai"&gt;use AI on the defense side to continuously map true attack paths&lt;/a&gt;; for example, pinpointing exactly where a minor misconfiguration chains into a critical business asset.&lt;/p&gt;&lt;h3&gt;Q: You mentioned using AI on the defense side. How does Tenable view the balance between human security analysts and autonomous AI defenders?&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;Vlad Korsunsky:&lt;/strong&gt; Security is fundamentally a team sport, and AI vendors like OpenAI and Anthropic are not our adversaries. AI is the single most potent tool ever introduced into the defender’s toolkit; we simply need to wield it with machine-speed orchestration. Because our adversaries are deploying fully autonomous hacking agents today — tools that are already topping commercial bug bounty leaderboards — the only fair fight is to meet machine speed with machine speed.&lt;/p&gt;&lt;p&gt;This means building and deploying agentic AI workflows on the side of the defense to power autonomous exposure management. However, this must always be balanced with strict human-in-the-loop oversight. In Geneva, we spent a great deal of time discussing the systemic risks of unchecked automation. 
If an autonomous system applies a sweeping remediation script without understanding the broader business context, it can inadvertently trigger a massive operational outage: a self-inflicted systemic failure.&lt;/p&gt;&lt;p&gt;Defenders must maintain deep visibility into the “behind-the-scenes” logic of their automation. We need human control to govern business context, while leveraging machine speed to continuously ingest, prioritize, and neutralize exposures before an attacker can strike.&lt;/p&gt;&lt;h3&gt;Q: Another major pillar of the WEF discussion centered on AI safety and non-human identities. What are the hidden risks enterprises are overlooking as they rush to adopt AI?&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;Vlad Korsunsky:&lt;/strong&gt; We are transitioning rapidly into what we call the “Agentic Economy.” Historically, enterprise security focused on securing human users and a relatively manageable set of non-human service accounts. As organizations embed AI agents into core business workflows — from code generation to customer operations to financial automation — we are seeing an exponential growth of non-human, agentic identities and agentic workflows. These autonomous agents are fundamentally different. Instead of operating just “on behalf” of a human in a tightly bound session, they execute complex tasks independently.&lt;/p&gt;&lt;p&gt;The alarming reality discussed in Geneva and in our EXPOSURE 2026 conference is that our current security frameworks lack effective, native guardrails for these agents. LLMs routinely bypass system prompts or ignore markdown safety files. They can even actively manipulate or hack neighboring AI agents to achieve their algorithmic goals. 
We’ve seen anecdotal instances of an enterprise AI agent autonomously writing a script to bypass an internal access restriction, and when flagged, its underlying logic essentially argued that the script committed the violation, not the agent itself.&lt;/p&gt;&lt;p&gt;Because AI agents behave essentially like trusted corporate insiders that have been let loose across internal data silos, we must immediately apply foundational cryptographic primitives to agentic identities. We need strict &lt;a href="https://www.tenable.com/solutions/zero-trust"&gt;zero-trust&lt;/a&gt; architectures, rigorous &lt;a href="https://www.tenable.com/solution-briefs/least-privilege-and-excessive-cloud-permissions"&gt;least-privilege access&lt;/a&gt; controls, and absolute defense-in-depth tailored specifically for non-human identities before they morph into the next great vector of unmanageable global risk.&lt;/p&gt;&lt;h3&gt;Q: Any final thoughts for organizations trying to navigate this massive technological shift?&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;Vlad Korsunsky:&lt;/strong&gt; Attackers are increasingly rocketing laterally across enterprise networks after the initial breach, often in minutes and even seconds, whereas before it could take them days or weeks. The adversary’s inherent advantages will always be timing, velocity, and the luxury of only needing to find a single weak link in your exposure landscape.&lt;/p&gt;&lt;p&gt;But as defenders, we possess the ultimate home-field advantage: We can see the whole board, and we have the power to fundamentally alter the terrain. By abandoning obsolete point-in-time checkmarks, embracing continuous, AI-driven exposure management, and proactively clearing out our operational fuel at machine speed through foundational cyber hygiene, we can break the adversary’s curve and effectively secure our environments.&lt;/p&gt;
&lt;img src="https://www.tenable.com/sites/default/files/images/articles/Tenable%20CTO%20Q%26A%20-%20C-suite%20views%20AI%20as%20massive%20threat.png"&gt;
</description>
  <pubDate>Wed, 03 Jun 2026 09:00:00 -0400</pubDate>
    <dc:creator>Team Tenable</dc:creator>
    <guid isPermaLink="true">https://www.tenable.com/210962</guid>
    </item>

  </channel>
</rss>
