Why Patching Vulnerabilities Is No Longer Enough: The Case for Patterns-of-Life Cybersecurity
By David A. Bray, PhD and Jeff Frazier
The cybersecurity challenges posed by AI-empowered adversaries and increasingly sophisticated multi-stage attacks are not going to disappear. And while Anthropic’s Claude Mythos and Project Glasswing represent remarkable advances in AI-driven vulnerability discovery, relying solely on finding and patching flaws is both insufficient and dangerously incomplete. What we’re dealing with is what we like to call a “hairball” tech-meets-society issue. Hairball problems are complex, tangled, and difficult to solve because they’re incredibly intricate and multifaceted. They involve so many stakeholders, intersecting domains, and competing interests that it makes them hard to address. A focus on vulnerability patching alone won’t solve these uniquely modern security conundrums.
What will help is a fundamental shift from forensics-based cybersecurity to patterns-of-life AI-based security that detects malicious intent in real time. All organizations will be affected by the promises and potential perils of AI-accelerated attacks and AI-enabled defenses. Thus, all boards and CEOs should understand this shift, and all should work to ensure that their organizations reward cyber defenders for being proactive rather than reactive in a rapidly changing threat landscape that will soon look vastly different.
Why Vulnerability Patching Alone Is Not the Answer
At first glance, the emergence of AI models like Claude Mythos that can discover thousands of previously unknown vulnerabilities might seem like the solution to our cybersecurity challenges. Anthropic’s model has identified zero-day flaws that sat undetected in major operating systems and web browsers for as long as nearly three decades. Project Glasswing, the consortium of major tech companies including Apple, Amazon, CrowdStrike, Palo Alto Networks, and Microsoft, is using Mythos to scan code bases and patch vulnerabilities before adversaries can exploit them. This is genuinely important work.
However, there are several reasons why this approach, while valuable, is fundamentally incomplete. First, it is essential to recognize the asymmetry problem. Even if Project Glasswing participants patch every vulnerability Mythos discovers in their systems, adversaries with access to similar AI capabilities will find vulnerabilities in the countless other systems that haven’t been scanned. The patching race is endless, and defenders must win every time while attackers only need to win once.
Second, the sophistication of modern attacks has evolved beyond simple exploitation. Today’s adversaries increasingly use “Living off the Land” techniques, where they abuse legitimate system tools like PowerShell, administrative utilities, and trusted processes rather than introducing foreign malware. These attacks don’t rely on unpatched vulnerabilities. They exploit the normal functioning of systems, making vulnerability patching irrelevant to defense.
Third, history teaches us that a vulnerability-focused approach creates a dangerous blind spot. In 2017, as the non-partisan Chief Information Officer of the Federal Communications Commission, one of us (Bray) witnessed firsthand how focusing on traditional defenses left organizations vulnerable to novel attack patterns when it came to a flood of bots submitting content masquerading as human content. The lesson applies here: patching known vulnerabilities addresses yesterday’s attack methods while adversaries are already executing tomorrow’s campaigns using techniques that don’t require exploiting flaws at all.
When Forensics Tells You About Yesterday’s Problems Today
Forensics-based security is inherently reactive. You discover what happened after the damage is done. You analyze logs after the breach. You patch vulnerabilities after they’ve been exploited. This approach, while necessary, is fundamentally insufficient for modern threats.
Back in 2017, the FCC faced a flood of bot-generated comments designed to manipulate a controversial rulemaking proceeding. Despite the IT team’s efforts to scale the cloud-based system and keep it operational 99.4% of the time, they were fighting a reactive battle. They could see the flood happening, but their tools were designed to respond to attacks, not prevent them before they manifested.
The New York Attorney General later revealed in 2021 that 18 million of the 23 million comments were fraudulent. This revelation highlights a critical truth: by the time forensics reveal what happened, the manipulation has already succeeded. The public discourse was already distorted. The damage was done.
Similarly, during the tenure of one of us (Frazier) managing the FBI’s congressionally funded international portfolio, we observed how adversaries exploited the gap between detection and response. Organizations would discover breaches months after initial compromise, by which time adversaries had established persistent access, mapped internal networks, and positioned themselves for maximum impact. The forensic analysis that eventually revealed what happened came too late to prevent the damage.
The Patterns-of-Life Imperative
Fast forward to 2026, and the cybersecurity landscape has evolved in ways that make forensics-based approaches even more inadequate. AI-empowered adversaries can now automate vulnerability discovery, accelerate exploitation, and conduct multi-stage attacks that blend seamlessly into normal operations. Traditional security tools that rely on signatures, rules, and known attack patterns cannot keep pace.
This is where patterns-of-life AI-based cybersecurity becomes essential. Rather than waiting to discover what went wrong after an incident, patterns-of-life approaches establish what normal looks like for every user, device, and system in an organization. Then, when behavior deviates from established patterns, the AI flags it immediately, allowing intervention before damage occurs. This is a fundamental paradigm shift in how we approach security, moving from reactive detection to proactive threat hunting. It is a transformation we discussed in depth in our conversation on AI and biotechnology, where similar principles apply.
Here’s a practical example: Imagine your CEO suddenly attempts to wire $250,000 on a Friday evening at 10 p.m. A patterns-of-life AI system analyzes all historical behavior and recognizes this doesn’t match normal patterns. It stops the transaction until someone performs physical verification that it’s legitimate. If it was actually the CEO making an unusual but legitimate transaction, they might be momentarily inconvenienced. If it wasn’t, your organization just avoided a significant monetary loss.
This same principle applies to detecting sophisticated multi-stage attacks. An adversary might use entirely legitimate credentials to access a system. They might use standard administrative tools to move laterally through the network. They might exfiltrate data using approved file transfer protocols. Each individual action appears normal when examined in isolation. But the sequence of events, their timing, and the context across identities and environments reveals intent that patterns-of-life AI can detect.
Companies like DeepTempo have developed vertical foundation models specifically purpose-built for this challenge. Their LogLM analyzes operational telemetry, interpreting groups of logs to expose attacker behavior and intent. Unlike traditional security tools that flood SOC teams with alerts reflecting operational complexity rather than attacker intent, patterns-of-life approaches achieve false positive rates below 1 to 5 percent. This allows security analysts to focus on genuine threats rather than drowning in noise.
Why This Matters for Living off the Land Attacks
The shift to patterns-of-life security is particularly crucial for defending against Living off the Land attacks, where adversaries abuse trusted tools and legitimate system functions. These attacks are pernicious precisely because they don’t introduce foreign code or exploit known vulnerabilities. They simply use PowerShell, Windows Management Instrumentation, or other built-in utilities in ways that appear individually benign.
Traditional security approaches struggle with these attacks because they focus on identifying malicious artifacts. When there are no malicious artifacts, only legitimate tools being used for malicious purposes, signature-based detection fails. Vulnerability patching is irrelevant because no vulnerability is being exploited.
Patterns-of-life AI solves this by focusing on intent rather than artifacts. It understands how systems are actually used in your organization. It knows which workflows are normal, which are rare, and which should never occur. When an adversary uses PowerShell to enumerate domain controllers at 3 a.m., the individual command might be legitimate, but the context, timing, and sequence reveal malicious intent.
This approach extends beyond detecting external adversaries. As organizations increasingly deploy agentic AI systems that can take autonomous actions, patterns-of-life security becomes essential for ensuring these agents operate within expected bounds. An AI agent with legitimate credentials and authorized access could still behave in ways that threaten the organization if it malfunctions, is manipulated, or pursues goals misaligned with organizational intent. Patterns-of-life monitoring detects when agentic AI deviates from normal operational parameters, providing a critical safety mechanism.
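An added example (not from the authors or DeepTempo) of the baseline-and-deviation idea behind the 3 a.m. PowerShell case above: a per-user frequency model, standing in for a foundation model, scores a session by how surprising its hour and its sequence of actions are. The user, action names, session data, and the 1-bit threshold margin are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

def make_history():
    """Constructed sample telemetry: 60 days of sessions as (user, hour, [actions])."""
    sessions = []
    for day in range(60):
        hour = 9 + day % 8  # working hours 09:00-16:00
        sessions.append(("alice", hour, ["login", "powershell", "file_transfer", "logoff"]))
        if day % 10 == 0:  # occasional daytime directory lookup
            sessions.append(("alice", hour, ["login", "ad_query", "logoff"]))
    return sessions

class Baseline:
    """Per-user model of when sessions happen and which action follows which."""
    def __init__(self, sessions, alpha=0.5):
        self.alpha = alpha                   # additive smoothing for unseen events
        self.hours = defaultdict(Counter)    # user -> hour -> count
        self.trans = defaultdict(Counter)    # (user, previous action) -> next action -> count
        self.vocab = set()
        for user, hour, actions in sessions:
            self.hours[user][hour] += 1
            for prev, nxt in zip(["<start>"] + actions, actions):
                self.trans[(user, prev)][nxt] += 1
                self.vocab.add(nxt)

    def _bits(self, counter, key, outcomes):
        # Surprisal in bits: rare or never-seen observations cost more.
        p = (counter[key] + self.alpha) / (sum(counter.values()) + self.alpha * outcomes)
        return -math.log2(p)

    def score(self, user, hour, actions):
        """Mean surprisal per observation (session hour plus each transition)."""
        bits = [self._bits(self.hours[user], hour, 24)]
        for prev, nxt in zip(["<start>"] + actions, actions):
            bits.append(self._bits(self.trans[(user, prev)], nxt, len(self.vocab)))
        return sum(bits) / len(bits)

HISTORY = make_history()
MODEL = Baseline(HISTORY)
# Assumed policy: flag anything 1 bit above the most unusual session in the baseline.
THRESHOLD = max(MODEL.score(*s) for s in HISTORY) + 1.0

def is_anomalous(user, hour, actions):
    return MODEL.score(user, hour, actions) > THRESHOLD

# Constructed sessions. Every action below already occurs in alice's baseline.
ROUTINE = ("alice", 10, ["login", "powershell", "file_transfer", "logoff"])
LATE_ROUTINE = ("alice", 3, ["login", "powershell", "file_transfer", "logoff"])
SUSPECT = ("alice", 3, ["login", "powershell", "ad_query", "file_transfer"])

if __name__ == "__main__":
    for name, s in [("routine", ROUTINE), ("late routine", LATE_ROUTINE), ("suspect", SUSPECT)]:
        print(f"{name:13s} score={MODEL.score(*s):.2f} flagged={is_anomalous(*s)}")
```

The suspect session uses only actions the user has performed before; it is flagged because the unusual hour and the never-seen ordering of those actions occur together, while the same routine workflow run at 3 a.m. stays under the threshold.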
The Board and CEO Imperative
Here’s a reality that security leaders rarely discuss openly with boards: CIOs and CISOs are already underwater. They face an expanding threat landscape where AI-empowered adversaries have supercharged traditional attack methods, automated vulnerability discovery, and accelerated exploitation. Ransomware attacks have become more sophisticated. Supply chain attacks multiply faster than security teams can assess them. Zero-day vulnerabilities emerge with alarming frequency. The security operations center never sleeps, and the alert queue never empties.
Into this already overwhelming environment comes news of AI models like Mythos that can discover thousands of vulnerabilities at machine speed. For many security leaders, this represents yet another challenge to manage with already stretched resources. The psychological burden of accepting that vulnerability patching, while necessary, is insufficient creates cognitive dissonance that many cannot process while managing daily operational demands.
As we explored in congressional testimony on AI-human hybrid red teams, organizations urgently need to pair AI capabilities with human expertise to continuously test defenses and identify vulnerabilities before adversaries exploit them.
This is precisely why boards and CEOs must act now to reward cyber defenders for being proactive rather than reactive. The shift to patterns-of-life security requires investment in new capabilities, integration with existing security operations, and organizational commitment to moving beyond forensics-based approaches. Security teams cannot make this shift alone while drowning in reactive work.
From our combined experience leading tech-driven transformations in both public and private sectors, we’ve seen how organizational culture determines whether security innovations succeed or fail. When one of us (Frazier) led Microsoft’s worldwide public sector business, we observed that the most resilient organizations were those that empowered their security teams to hunt threats proactively rather than only responding to alerts. These organizations treated security as a strategic capability, not just a compliance function.
Boards should be asking specific questions:
The answers to these questions will determine whether organizations stay ahead of adversaries or remain perpetually reactive, discovering yesterday’s compromises today.
Now in 2026 and Beyond: A Comprehensive Approach to AI-Era Security
Looking to the future, effectively addressing the challenges arising from AI-accelerated threats requires a comprehensive approach that combines multiple defensive layers. Project Glasswing and similar initiatives using AI to discover and patch vulnerabilities represent one essential component. But they must be complemented by patterns-of-life security that detects malicious intent regardless of whether vulnerabilities are being exploited.
Think of it as a defense-in-depth strategy for the AI era. Vulnerability discovery and patching harden the attack surface, making exploitation more difficult. Patterns-of-life security detects when adversaries bypass those hardened defenses by abusing legitimate functionality. Together, these approaches create resilience that neither provides alone.
Organizations must also recognize that the AI arms race in cybersecurity is already underway. Adversaries are using AI to automate reconnaissance, accelerate exploitation, and conduct campaigns that morph and evolve to evade traditional defenses. Defenders must leverage AI not just to find vulnerabilities faster, but to understand behavior at scale in ways no human analyst could achieve.
DeepTempo’s approach demonstrates what this looks like in practice. Their LogLM continuously learns from operational telemetry, adapting to new behaviors and attack patterns without requiring manual retraining. It provides immediate context including MITRE ATT&CK mappings and entity resolution, allowing analysts to quickly understand the scope and nature of threats. It replaces dozens or hundreds of ineffective rules with a single adaptive model that evolves alongside threats.
This is the future of cybersecurity: AI-driven systems that understand intent, detect deviations from normal patterns, and provide actionable intelligence to human analysts who can then make informed decisions about response. It’s not about replacing human judgment but augmenting it with capabilities that operate at the speed and scale modern threats demand.
A Call to Action for Boards and CEOs
How then can boards and CEOs ensure their organizations are prepared for the AI-accelerated threat landscape rather than perpetually fighting yesterday’s battles?
The answer lies in recognizing that cybersecurity is no longer primarily a technical challenge. It’s a strategic imperative that requires board-level attention and CEO commitment. The shift from reactive forensics to proactive patterns-of-life security cannot happen without organizational support that rewards defenders for preventing incidents rather than only responding to them.
We think boards must explicitly ask their security leaders: How are we getting left of boom? Booms may happen, but what can we do to be more preventative? And when incidents do occur, how will we know we’re responding faster than we would otherwise?
These questions shift the conversation from compliance checkboxes and incident counts to strategic capabilities that determine organizational resilience. They create space for security leaders to invest in proactive capabilities like patterns-of-life AI rather than only reactive tools.
CEOs must recognize that the collective action problem in cybersecurity, where the private sector assumes the government will protect them and the government assumes the private sector will protect themselves, leaves critical vulnerabilities unaddressed. Neither sector can wait for the other to act first. The technology exists today to shift from assumption-based security to verification-based security, from forensics to patterns-of-life, from reactive to proactive.
Organizations stand at a critical juncture. Project Glasswing demonstrates that AI can discover vulnerabilities at unprecedented scale. That’s valuable. But it’s only one part of the equation. The other part is detecting when adversaries bypass those patches by abusing legitimate functionality, when insiders misuse authorized access, or when agentic AI systems operate outside expected parameters.
We cannot afford to apply old assumptions about vulnerability-focused security to new realities of AI-accelerated threats and Living off the Land attacks. The time for decisive action is now: before we witness catastrophic incidents caused by threats that existing defenses cannot detect. By explicitly incorporating patterns-of-life AI into security operations and rewarding defenders for proactive threat hunting, organizations can ensure they’re prepared for the threats of tomorrow, not just patching the vulnerabilities of yesterday.
The challenges are immense, but so too are the opportunities for positive change. Let’s seize this moment to create comprehensive security that embraces both vulnerability management and behavioral detection, informed by the hard lessons we’ve already learned and the new capabilities AI provides. Working together, boards, CEOs, and security teams can co-create a future that stays ahead of adversaries rather than perpetually reacting to their latest campaigns.
Dr. David A. Bray is a Distinguished Fellow and Chair of the Accelerator with the Alfred Lee Loomis Innovation Council at the non-partisan Henry L. Stimson Center. He is also a CEO and transformation leader for different “under the radar” tech and data ventures seeking to get started in novel situations. He is Principal at LeadDoAdapt Ventures, Inc. and has served in a variety of leadership roles in turbulent environments. He previously served as a non-partisan Senior National Intelligence Service Executive, as Chief Information Officer of the Federal Communications Commission, and IT Chief for the Bioterrorism Preparedness and Response Program. Business Insider named him one of the top “24 Americans Changing the World” and he has received both the Joint Civilian Service Commendation Award and the National Intelligence Exceptional Achievement Medal. David accepted a leadership role in December 2019 to direct the successful bipartisan Commission on the Geopolitical Impacts of New Technologies and Data that included Senator Mark Warner, Senator Rob Portman, Rep. Suzan DelBene, and Rep. Michael McCaul. From 2017 to the start of 2020, David also served as Executive Director for the People-Centered Internet coalition chaired by Internet co-originator Vint Cerf. He was also named a Young Global Leader by the World Economic Forum. For twelve different startups, he has served in President, CEO, Chief Strategy Officer, and Strategic Advisor roles. The U.S. Congress invited him to serve as an expert witness on AI in September 2025.
Jeff Frazier is an operator, go-to-market leader, and Board member serving technology companies in AI Compute (Groq), Data (Gretel.ai), Digital Infrastructure (Quantela), and Telecommunications (T-Mobile Public Sector Board) markets. He is an Operating Partner at Digital Alpha Advisors and Ansa Capital. Previously, Frazier served as Head of Global Public Sector at Snowflake, Chief Operating Officer of Pryon, Managing Director in the Office of the Executive Chairman for Cisco, and Partner & General Manager leading Microsoft’s worldwide $8.5 billion public sector business including government, national security, and international organizations. Before entering the commercial sector, he held leadership positions within municipal and federal governments including as an FBI leader administering a congressionally funded international portfolio. He has served on numerous boards and commissions including the International Affairs Council, NC Governor’s Innovation Council, and as an appointed member of the United Nations International Police Advisory Council. Frazier is a non-resident Senior Fellow at the Atlantic Council and Councilor of the Alfred Lee Loomis Innovation Council at the non-partisan Henry L. Stimson Center. He is a delegate to Harvard University’s Kennedy School Senior Executive Fellows program, a 2012 Eisenhower Fellow (2013 Douglas Dillon Fellow distinction), and an enrolled tribal member of the Kaw Nation.