VulnOps — Vulnerability Operations

VulnOps is an emerging operational model that fuses previously-separate security functions into a single agent-augmented discipline. The term is now sourced from two independent directions in the same six-month window:

  • Framing: discovery + remediation as a DevOps-shaped function.
    Emphasis: a permanent function, staffed and automated like DevOps, that owns continuous discovery of zero-day vulnerabilities across the entire software estate and the automated remediation pipelines behind it.
    Source: Mythos-ready briefing — concept jointly introduced by Heather Adkins (CISO, Google), Gadi Evron (CEO, Knostic) and Bruce Schneier (Inrupt; Harvard Kennedy School) in October 2025, on the strength of a September 2025 industry warning by Adkins and Evron that autonomous vulnerability discovery and exploitation were ~6 months away. Filed as the strategic briefing’s long-term Priority Action #11.
  • Framing: CTI + vulnerability management fusion.
    Emphasis: operational fusion of threat intelligence and vulnerability management — “un-silo the information so that it can be brought into the context window for the agent to be able to operationalize it” — automatic mapping of global intelligence to organization-specific assets, cloud, code and IaC.
    Source: CYBR.SEC.Media May 2026 article — term attributed to customers of Mallory (founder Jonathan Cran).

Both framings center the same structural observation: previously-separate functions need to be operationalized as one because modern attacks don’t respect the boundaries. The two are compatible and complementary — the Mythos-ready briefing’s DevOps-shaped discovery-and-remediation function structurally requires the CTI-to-environment-context fusion Mallory’s customers describe; the Mallory framing’s threat-intel-meets-vulnerability-management discipline structurally requires the discovery + remediation pipelines the Mythos-ready briefing names. The wiki treats both as load-bearing sourced framings rather than competing claims.

Why It Exists

Quarterly pen tests and reactive patching cycles cannot keep pace with continuous AI-driven discovery. Existing CVE/NVD infrastructure and patch-prioritization workflows were built for dozens of critical CVEs per month, not hundreds. The Zero Day Clock documents the structural problem: mean Time-to-Exploit collapsed from 2.3 years (2018) to 9 hours (2026). Vulnerability management as a periodic activity is structurally outmatched.

What It Is — Four Operating Properties

  1. Staffed and automated like DevOps. A permanent function — not a campaign, not a project — designed around continuous flow rather than periodic snapshot. Treat it as an operating capability with on-call structure, runbooks, and dashboards rather than as a quarterly audit cycle. (Mythos-ready framing.)
  2. Owns the full software estate. Coverage spans own code, AI-generated code, third-party libraries, container images, MCP servers, IDE extensions, agent skills, and rules-files. The function does not stop at “app the security team owns” — it follows the dependency chain. (Mythos-ready framing.)
  3. Designed around triage discipline from the start. With AI-discovery rates exceeding human-paced response, triage is the load-bearing operational discipline. “Existing CVE/NVD infrastructure and patch-prioritization workflows were built for dozens of critical CVEs per month, not hundreds.” VulnOps treats triage as the primary scarce resource and designs for it explicitly — severity scoring, confidence scoring, deduplication, and prioritization queues are first-class. (Mythos-ready framing.)
  4. Un-silos threat-intel against organization-specific context. Continuous ingestion of external intelligence (CTI feeds, ISAC data, vendor advisories, GitHub disclosures, government feeds) is automatically mapped to the organization’s own assets, cloud environments, code repositories, and infrastructure-as-code configurations. Action-on-finding is policy-driven via configurable skill files. “Threads” replace conventional case-management “cases” — every investigation is a collaborative analyst-agent thread. (Mallory framing per CYBR.SEC.Media May 2026.)
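A worked illustration of properties 3 and 4 together, added here as an example and not drawn from the Mythos-ready briefing, Mallory, or any named tool: two hypothetical scanners report overlapping findings, a constructed advisory is mapped onto a small asset inventory by affected-version range (the CTI-to-environment fusion), duplicate reports of the same weakness are merged into one queue entry, and the queue is ranked by severity × confidence × exposure with a fixed boost for known exploitation. Every service name, identifier (ADV-EXAMPLE-0001, TOOL-B-0042, scanner-a, scanner-b) and version below is constructed for the example.

```python
"""Constructed VulnOps triage pipeline (example code, not a vendor's).
Ingests discovery findings and external advisories, maps them onto an asset
inventory, deduplicates, scores, and emits a prioritized queue. All names,
identifiers and versions are constructed; none refer to real products or CVEs."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    component: str        # package or image the asset runs
    version: tuple        # parsed version, e.g. (2, 4, 1)
    internet_facing: bool


@dataclass
class Finding:
    asset: str
    component: str
    vuln_id: str          # advisory or tool-native identifier
    severity: float       # 0.0 - 10.0, CVSS-like base score
    confidence: float     # 0.0 - 1.0, how sure the reporting source is
    known_exploited: bool = False
    sources: set = field(default_factory=set)


# Constructed asset inventory (hypothetical services and versions).
INVENTORY = [
    Asset("payments-api", "example-http-lib", (2, 4, 1), internet_facing=True),
    Asset("batch-worker", "example-http-lib", (2, 4, 1), internet_facing=False),
    Asset("admin-portal", "example-http-lib", (2, 6, 0), internet_facing=True),
]

# Constructed advisory: affects example-http-lib >= 2.0.0 and < 2.5.0.
ADVISORY = {
    "vuln_id": "ADV-EXAMPLE-0001", "component": "example-http-lib",
    "affected_min": (2, 0, 0), "affected_max_exclusive": (2, 5, 0),
    "severity": 9.1, "known_exploited": True,
}

# Constructed scanner output: two hypothetical tools report the same weakness
# in payments-api at different confidence; one also reports a low-severity issue.
DISCOVERY_FINDINGS = [
    Finding("payments-api", "example-http-lib", "ADV-EXAMPLE-0001", 9.1, 0.6, sources={"scanner-a"}),
    Finding("payments-api", "example-http-lib", "ADV-EXAMPLE-0001", 9.1, 0.9, sources={"scanner-b"}),
    Finding("admin-portal", "admin-portal-src", "TOOL-B-0042", 4.3, 0.5, sources={"scanner-b"}),
]


def map_advisory_to_assets(advisory, inventory):
    """CTI-to-environment fusion: one global advisory becomes one per-asset
    finding for every inventory entry running an affected version."""
    out = []
    for a in inventory:
        if a.component != advisory["component"]:
            continue
        if advisory["affected_min"] <= a.version < advisory["affected_max_exclusive"]:
            out.append(Finding(a.name, a.component, advisory["vuln_id"], advisory["severity"],
                               1.0, advisory["known_exploited"], sources={"advisory-feed"}))
    return out


def dedupe(findings):
    """Merge reports of the same (asset, component, vuln) tuple: keep the highest
    severity and confidence, OR the exploited flag, union the sources.
    Input objects are copied, not mutated."""
    merged = {}
    for f in findings:
        key = (f.asset, f.component, f.vuln_id)
        if key not in merged:
            merged[key] = Finding(f.asset, f.component, f.vuln_id, f.severity,
                                  f.confidence, f.known_exploited, set(f.sources))
            continue
        m = merged[key]
        m.severity = max(m.severity, f.severity)
        m.confidence = max(m.confidence, f.confidence)
        m.known_exploited = m.known_exploited or f.known_exploited
        m.sources |= f.sources
    return list(merged.values())


def exposure_factor(asset_name, inventory):
    """Internet-facing assets carry full weight; internal ones are discounted.
    An asset missing from inventory is kept at a middling weight, never dropped."""
    for a in inventory:
        if a.name == asset_name:
            return 1.0 if a.internet_facing else 0.5
    return 0.75


def score(f, inventory):
    """Priority = severity x confidence x exposure, plus 2.0 if known exploited."""
    s = f.severity * f.confidence * exposure_factor(f.asset, inventory)
    return round(s + (2.0 if f.known_exploited else 0.0), 2)


def build_queue(discovery, advisories, inventory):
    """Full pipeline: map advisories, merge with scanner output, dedupe, rank."""
    all_findings = list(discovery)
    for adv in advisories:
        all_findings.extend(map_advisory_to_assets(adv, inventory))
    ranked = sorted(dedupe(all_findings), key=lambda f: score(f, inventory), reverse=True)
    return [(f.asset, f.vuln_id, score(f, inventory), sorted(f.sources)) for f in ranked]


if __name__ == "__main__":
    for row in build_queue(DISCOVERY_FINDINGS, [ADVISORY], INVENTORY):
        print(row)
```

Two design points carry the triage argument: the dedupe key deliberately excludes the reporting source, so three reports of one weakness consume one analyst slot rather than three, and the advisory mapping produces a finding for batch-worker that no scanner reported, which is exactly the asset-context fusion the Mallory framing describes. The internal batch-worker still ranks below the internet-facing payments-api despite identical severity, which is the exposure weighting doing its job.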

Relationship to Existing Wiki Concepts

  • Complementary to the CMM but cross-cutting — VulnOps is not measured by the CMM’s nine domains. It is a function organizations stand up, akin to a SOC or a Red Team. The most-relevant CMM domains for VulnOps maturity are D8 (Supply Chain & AI-BOM) for the third-party / OSS / AI-BOM scope and D9 (Operations & Human Factors) for the burnout / triage-fatigue / decommission-lifecycle properties. A formal CMM cross-walk for VulnOps is a candidate revision-pass addition.
  • Operationalized via existing tools: OpenAnt (OSS), Codex Security (OpenAI), and Claude Code Security (Anthropic) are the canonical commercial and open-source instruments for the discovery side. MDASH, Big Sleep, and CodeMender are the vendor-internal counterparts. The Mythos-ready Priority Action 1 (Point Agents at Your Code and Pipelines) is the Monday-morning entry to a VulnOps capability; Priority Action 11 (Stand Up VulnOps) is the 6-to-12-month durable answer.
  • Adjacent to the 2026 Secure-SDLC Framework Stack thesis — VulnOps is the candidate Layer 8 function complementing the parked Layer 4½ harness-config audit and Layer 7 AI-driven vuln-discovery layers. The Mythos-ready briefing argues VulnOps is the long-term answer; the framework-stack thesis treats it as a candidate layer parked pending broader peer adoption.
  • Operates against the Citizen Coders sprawl — proliferation of coding agents to non-developers fragments central IT visibility; VulnOps is the organizational structure that owns the full code-and-dependency landscape regardless of who shipped which artifact.

Adjacent / Open Questions

  • Reporting structure. Does VulnOps report into Security Engineering, into the CISO directly, or into a new function alongside DevOps? The briefing does not commit. SANS / CSA practitioner experience over the next year will likely produce a default.
  • Tooling consolidation vs best-of-breed. Multiple vendor-tier instruments exist (Codex Security, Claude Code Security) plus OSS (OpenAnt, raptor); how organizations compose them into a coherent VulnOps stack is still open. The Adversarial Reflexion discipline is sourced across all of them, which suggests interoperability is more about evidence-handoff than single-vendor lock-in.
  • Regulatory implications. The EU AI Act (August 2026) introduces automated audit, incident reporting, and cybersecurity requirements around AI. The standard of care for “used available AI defensive tools” will shift; VulnOps capability becomes a candidate due-diligence artifact at the board level.
  • Burnout and team resilience. The Mythos-ready briefing names this directly: VulnOps is built to absorb a volume of work no human team alone can absorb, but the function itself can burn out. Budget additional headcount and reserve capacity as a design parameter rather than as an after-the-fact correction.

See Also