The report shows a 75% year-over-year reduction in exploitable in-use vulnerabilities among Sysdig users, but also warns that the overall volume of vulnerabilities is rising too fast for human teams to keep up. It argues that AI-assisted exploit creation and agentic AI-driven remediation, bounded by strong guardrails, will be necessary to match shrinking weaponization timelines. #Sysdig #RiskSpotlight #ProjectGlasswing #MITRE #VulnCheck
Keypoints
- Sysdig’s 2026 Cloud-Native Security and Usage Report found a 75% year-over-year reduction in exploitable in-use vulnerabilities among its users.
- The report says vulnerability growth is exponential, and security teams are struggling to keep pace with the expanding number of issues.
- Risk Spotlight helps users identify vulnerabilities that are in use, have an existing exploit, and have a fix available.
- In-use vulnerabilities without a known exploit have plateaued at 5%, showing that prioritization alone is not solving the broader problem.
- The article warns that AI can shorten the time from disclosure to weaponization to hours, making “no known exploit” an unreliable safety signal.
- Organizations are increasingly using behavior-based detections and automated response actions, including auto-killing processes when detections trigger.
- The piece argues that autonomous remediation with agentic AI must be governed by strict guardrails such as scoped permissions, rollback plans, and audit logging.
MITRE Techniques
- [T1190 ] Exploit Public-Facing Application – The article describes vulnerabilities becoming weaponized and actively exploited soon after disclosure, enabling attackers to gain access through exposed software (‘an exploit can be crafted and weaponized within a few hours’).
- [T1211 ] Exploitation for Defense Evasion – The report emphasizes that exploit weaponization is collapsing toward near-real time, increasing the chance that attackers can use newly crafted exploits before defenders respond (‘weaponization will approach near-real time’).
- [T1059 ] Command and Scripting Interpreter – The article mentions an AI-assisted cloud intrusion achieving admin access in minutes, implying automated execution of actions after intrusion (‘an AI-assisted cloud intrusion achieves admin access in 8 minutes’).
- [T1078 ] Valid Accounts – The phrase “admin access” indicates successful acquisition and use of privileged credentials or equivalent authenticated access (‘achieves admin access in 8 minutes’).
- [T1562 ] Impair Defenses – The recommendation to auto-kill suspicious processes and enforce guardrails reflects defensive actions designed to stop malicious activity or unsafe behavior (‘suspicious processes are now killed automatically’).
Indicators of Compromise
- [Vulnerability IDs ] referenced in examples of rapid weaponization – CVE-2026-39987, React2Shell
- [Organizations/Products ] security and detection tooling mentioned in context of vulnerability prioritization – Sysdig Risk Spotlight, Anthropic’s Project Glasswing
- [Metrics/Environment References ] operational context for detections and automation – 75% year-over-year reduction, 91% of environments, 5% plateau
Read more: https://www.sysdig.com/blog/vulnerability-management-is-reaching-the-limits-of-human-scale