版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
May2026
Mckunsey
&company
McKinseyTechnology
HackerOneCEOKara
SpragueonhowAIis
reshapingcybersecurity
HackerOneCEOKaraSpraguediscusseshowAIisreshapingthe
cybersecuritylandscapeandwhysecurityteamsmustshiftfromfindingvulnerabilitiestoreducingexposure.
1“Fromvulnerabilitytoexploitation,”ZeroDayClock,accessedMay1,2026.
2AfrontierAImodelwithadvancedcybersecuritycapabilities.
HackerOneCEOKaraSpragueonhowAIisreshapingcybersecurity2
AsfrontierAImodels—themostadvancedgenerationofAIsystems—makecyberattacksfasterandmoresophisticated,organizationsareincreasinglyturningtocompaniessuchasHackerOnetoenhancetheirdefenses.InaconversationwithMcKinseySeniorPartnerMartinHarrysson,
HackerOneCEOKaraSpragueexploredhowAIischangingtherisklandscapeandwhytherealchallengeisnolongerfindingvulnerabilitiesbutremediatingthembeforeattackerscanact.
Thisinterviewhasbeeneditedforlengthandclarity.
MartinHarrysson:WeareatamomentwhereAIisreshapingmanypartsoftechnology.Howdidyouenterthetechnologyfield,andwhatisstructurallydifferentincybersecuritytoday
comparedwithbeforetheriseofAI?
KaraSprague:IstartedmycareeratMcKinsey,advisingclientsacrossthetechstack,then
movedintoindustryatF5,whichfocusesonapplicationdeliveryandsecurity.NowI’mCEOofHackerOne,workingwithsomeoftheworld’sbiggestcompaniestofindandfixsecurity
weaknessesbeforetheycanbeexploited.
Today,we’reseeingthreethingshappeningatonce.First,theattacksurfaceisgrowingbecausemoreAImodelsandsystemsarebeingdeployedacrossmoreenterprises,andAIcode
generationisacceleratingthepaceatwhichcompaniesbuildanddeploysoftware.Second,thatattacksurfaceismorevulnerablebecausesecurityforAIdeploymentsisstillnascent,andAI-
generatedcodestilltendstobelesssecurethanhuman-generatedcode.Andthird,attackersaregettingmorecapablebecausetheyarequicklyadoptingandweaponizingfrontierAI
capabilities.
Defenseisbehind,anditwilltaketimetocatchup.Enterprisesecurityoperationswillhavetoretoolforspeed.Andthat’snotjustaboutadoptingnewtechnology.It’saboutrethinkingthe
operatingmodel,talent,andgovernance.Thefind-to-fixworkflowhastobereimaginedwithAIattheforefront.
MartinHarrysson:Shouldleadersseethecurrentlandscapeasastepchangeinriskoranaccelerationofexistingtrends?
KaraSprague:Iwouldcallitanaccelerationoftrendsthathavebeenvisibleforsometime.Thetimebetweenvulnerabilitydiscoveryandexploitation,forexample,hasbeensteadilydecreasingfromovertwoyearsin2018tolessthanadaytoday.1
Whatfeelsnewinrecentweeks,followingAnthropic’searlyAprilannouncementofMythos,2is
thestepchangeincyber-specificcapabilities.Modelscannowbuildeffectiveexploitsthatchainmultiplevulnerabilitiestogether,meaningevenunsophisticatedattackerscanidentifyandtargetcriticalissues.
MartinHarrysson:Thecompressionintimelinesandtheemergenceofnewattackvectorsissignificant.Howwellareorganizationskeepingup?
HackerOneCEOKaraSpragueonhowAIisreshapingcybersecurity3
KaraSprague:AtHackerOne,wehaveabroadviewacrossthemarketbecauseweworkwith
closeto20percentoftheFortune500andalmost40percentoftheFortune50.Whatwe’re
seeingacrossourplatformisthatvulnerabilityreportshaveincreased76percentyearonyear.3Youmightassumethosereportsarejustmorenoise—whatsomerefertoas“AIslop.”Wehaveseenthatinthepast,butthat’snotwhatwe’reseeingnow.Thesignal—theshareofreportsthatturnintovalidfindings—hasheldsteady,whichmeanstheincreaseisreflectedinreal
vulnerabilitiesaswell.
Defendersarestrugglingtokeepupwiththreats.Backlogsaregrowing.Thegapbetweennewthreatsandtheabilitytorespondisstillmeasuredinmonths,andsometimesyears.
Itreallydependsonhowquicklysecurityorganizationsareabletoretooltheiroperationsfor
speed.Thereareemergingblueprintsforwhatthatlookslike—forexample,theCloudSecurityAlliance’srecentworkonbuildingMythos-readysecurityoperations4—butclosingthatgapwillrequiresignificantchangestohoworganizationsoperate.
MartinHarrysson:Inpracticalterms,whatstepscanorganizationstaketobridgethedefensegapyou’reoutlining?
KaraSprague:TomeetthissurgeinAI-ledvulnerabilitydiscovery,weneedtomeaningfullyacceleratevalidationandremediationatscale.
AtHackerOne,we’reinvestinginhelpingorganizationsovercomeafewbottlenecks.First,
agentictestingcapabilitiesthatincorporatethelatestfrontiermodelscanfindthesame
vulnerabilitiesthatadversariesusingmodelssuchasClaudeOpusandMythoswouldfind—butagentictestingdoesitsooner.Second,agenticvalidationcapabilitieswillbeneededtoabsorbthecomingsurgeinvulnerabilityvolumewhilemaintaininghighsignalrates.Andthirdis
remediationsupport—helpingorganizationsmovefromfindingtheproblemtoimplementingaverifiedfixfasterandatscale.
Humanexpertiseiscriticalforimplementingthesecapabilitiessuccessfully.AtHackerOne,
nearly90percentofourglobalcommunityofsecurityresearchersusesfrontiermodelstofindnovelandelusiveissues,andtheytestfixestoensuretheyfullyremediateexposure.
MartinHarrysson:Toyourpointontheresearchercommunity,howdoyouseetheroleofhumanresearchersevolvingasAIbecomesmorecapable?
KaraSprague:Humanresearchersareshiftingfrommanualbughuntingtohigher-level,morestrategicwork.AIistakingoverthediscoveryofcommon,high-volumevulnerabilities,while
researchersareincreasinglyfocusedonbuildingtoolsandsystemsthatuseAItofinddeeper,morecomplexissuessuchaslogicflaws,architecturalweaknesses,andnovelattackpaths.
Youcancompareautonomouscodefixestoself-drivingcars:Forcriticalsystems,thetoleranceforerrorisessentiallyzero.AlthoughAIcanreliablyproposefixesingreenfieldprojects,it
3“HackerOneintroducesH1validationtohelpenterprisesmanagesurgeinAI-discoveredvulnerabilities,”HackerOne,April21,2026.
4The“AIvulnerabilitystorm”:Buildinga“Mythos-ready”securityprogram,CloudSecurityAlliance,April12,2026.
HackerOneCEOKaraSpragueonhowAIisreshapingcybersecurity4
cannotsafelyuntanglecomplex,legacyarchitecturalissues.Fixingthesesystemsrequiresexperthumanoversight.
Ultimately,thisevolutionwillleadtothemarketplacingamuchhigherpremiumonidentifyingcomplex,high-impactvulnerabilitiesandguidingcriticalfixeswhiledecreasingthepayoutsforlower-complexityissueshandledautonomouslybyAI.
MartinHarrysson:Wheredoorganizationstendtobreakdownasvulnerabilitydiscoveryaccelerates?Whatdoesittaketoprioritizeandacteffectively?
KaraSprague:Organizationstendtobreakdownatthehandoffpoints.Thetypical
workflow—findinganissue,filingaticket,triaging,prioritizing,andpatching—involvesmultiplehandoffs,whichcreatebacklogsofworkwaitingtobeprocessed.Thosebacklogsdon’tholdupundervolume.Theorganizationsthatperformwellaretheonesthatshortenorminimizethosehandoffsandensurefindingsarrivewithenoughcontext.
Thisistricky.Asthepaceofdiscoveryandexploitationaccelerates,traditionalboundaries
betweenAppSec,DevOps,andSecOps5becomehardertosustain.Separatingthesefunctionsalsocreatesadditionalhandoffsacrossteams,slowingresponsetimes.Instead,organizationsmaymovetowardmoreintegratedworkflowswithshareddataandpriorities.Overtime,this
couldmeanshiftingsecurityfromaseparatefunctionthatinspectssoftwareafteritisbuilttosomethingembeddeddirectlyintohowsoftwareisdevelopedandrun.
MartinHarrysson:Giventhosechallengesarounddata,tooling,andorganizationalalignment,whatwillseparatetheorganizationsthatgetthisrightfromthosethatdon’t?
KaraSprague:Thebiggestdifferencewillbehowquicklyorganizationscancleartheirbacklogsandtheextenttowhichtheycancompresstheirfind-to-fixworkflows.Manyarestilloperatingasiftheyhavetimebetweenwhenavulnerabilityisdiscoveredandwhenitisexploited—but
withAI,thattimeisgone.
Organizationsthatgetthisrighttreatitasatime-basedproblem.Thosethatfallbehindarestillmanagingvolume—generatingmorefindingsthantheycanacton.Thisiswhereprioritizationisimportant.Traditionalvulnerabilityscoringsystemsprovideastandardizedviewofseverity,buttheydonotreflectactualriskinaspecificenvironment.Thesamevulnerabilitycanhavevery
differentimplicationsdependingonwhetheranassetisinternet-facing,whatdataitprocesses,andwhatcontrolsareinplacearoundit.
Effectiveprioritizationdependsoncontext—combininganunderstandingoftheas
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 2026血液透析面试题目及答案
- 阑尾炎试题及答案
- 2026医疗医保面试题目及答案
- 科技发展面试题及答案
- 2026应急处置队员面试题及答案
- 2026宇翔护理面试题及答案
- 2026悦泰集团面试题目及答案
- 2026枣庄学校面试题库及答案
- 2026郑州九中面试题目及答案
- 2026年税务师税法一真题预测与答案
- 铁路装卸安全课件
- 麻袋装填护坡施工方案
- 销售配件管理制度大全
- 中暑热衰竭电解质紊乱护理查房
- DGTJ08-2240-2017 道路注浆加固技术规程
- 药品技术转移管理制度
- 【鄂尔多斯】2024年内蒙古鄂尔多斯职业学院人才引进39人笔试附带答案详解
- 2024衡阳蒸湘区中小学教师招聘考试试题及答案
- DB32-T 4910-2024 大水面生态渔业资源监测与资源量评估技术规范 湖泊与水库
- DB52T 1161-2016 贵州省旅游购物场所等级划分与评定
- NB-T35026-2022混凝土重力坝设计规范
评论
0/150
提交评论