CyberWire-X 6.14.26
Ep 56 | 6.14.26

Vulnerability management at AI speed.

Transcript

Dave Bittner: Welcome to this edition of "CyberWireX." I'm Dave Bittner. Vulnerability management has always been a race against time, but as artificial intelligence accelerates both the discovery of software flaws and the speed at which attackers can exploit them, that race is moving faster than ever. For large enterprise software companies, the challenge is no longer just finding vulnerabilities; it's determining which ones matter most, mobilizing the right teams, and reducing risk at scale. Joining me today are Daniel Ventura, Senior Manager of Adobe's Vulnerability Operations Center, and Sangeeta Arora, Director of Vulnerability Management at Adobe. Together, they share how Adobe is evolving its approach to vulnerability management in the age of AI, from improving prioritization and strengthening cross-functional partnerships to balancing the need for speed with meaningful security outcomes. That's all ahead on this episode of "CyberWireX." [ Music ] Well, before we dig into talking about vulnerability management, I'd love to learn a little bit about each of you. What led you to your position at Adobe? Sangeeta, why don't I start with you?

Sangeeta Arora: I've actually been at Adobe for over 20 years now, and my career here has evolved quite a bit over the last two decades. I spent the first half of my career in IT doing various different things, and then I moved into cybersecurity about nine years ago. In the beginning, I started out by building our third-party security review capability, and then I took on penetration testing for all of our products and services. Then about three years ago, I stepped into leading Vulnerability Management at Adobe. Today, I lead the broader vulnerability management function, which includes penetration testing, our bug bounty program on HackerOne, vulnerability operations end-to-end, as well as third-party security.

Dave Bittner: Dan, how about you?

Daniel Ventura: Yeah, so I've been with Adobe for about 6-1/2 years now. I started out as an IC, an individual contributor, working on the PSIRT team. At that time, we were primarily focused on application security and bug bounty-related vulnerabilities, but as I'm sure we'll get to in this discussion, there was a strong need to have a much heavier vulnerability management presence, so our team evolved over time to take on additional roles and responsibilities that encompass the broader vuln management lifecycle.

Dave Bittner: Well, I think when people hear "vulnerability management," a lot of folks will initially think of things like scanning and patching. Can you give us a sense of what the work actually looks like inside an organization that operates at the scale of Adobe?

Daniel Ventura: Yeah, sure, so it really takes a tribe when we think about vuln management at a large organization. We have various teams across Adobe Security that are performing different types of manual testing, automated testing, looking for vulnerabilities in different pieces of our tech stack and different types of product offerings that we publish to customers. We have a team that will review and assess those vulnerabilities for severity and impact, and then we also have folks that work directly with product teams to help them prioritize their backlog and strategize around effective remediation.

Dave Bittner: Sangeeta, anything to add?

Sangeeta Arora: Yeah, I think Dan pretty much covered it, but in a large enterprise like Adobe, it definitely includes the end-to-end vulnerability management lifecycle. Five core things I would say, we want to make sure that there's asset discovery, so there's, you know, we have a way to discover all of our assets, our cloud environments, and then like Dan said, testing at multiple layers. We're going to have various different teams that are doing either pen testing. We have our external bug bounty program. We're going to have vulnerability scanning as well, any DAST tools, and then when we get the findings from those tools, we want to be able to do context-driven prioritization. Use multiple different parameters to prioritize those vulnerabilities and then be able to create tickets for our product teams or alert them that they need to be working on remediation. Then lastly, remediation tracking and validation is a big piece of vulnerability management. We want to make sure that in the end, those issues are truly fixed, validated, and we feel comfortable that the vulnerability has been resolved.

Dave Bittner: I'm curious, in the time that you all have been at this, what are some of the things that you've seen change? Have there been evolutions in the way that you all come at your jobs?

Daniel Ventura: Yeah, I think the biggest change that we've noticed over the last couple of years has been the evolution of AI, as it relates to adversaries and our vuln management processes. This applies both to defenders and adversaries alike. On one end, we have product teams that are able to generate code and ship much faster, but at the same time, attackers and threat actors can also move from a bug to an exploit at a much faster clip as well. For example, from CrowdStrike's 2026 Global Threat Report, they documented that an AI-enabled adversary has increased their operation from 89% year over year just last year in 2025. We also came across some research from IBM in their Cost of a Data Breach Report last year. Their research showed that the average breakout time for an adversary, which is the speed that an attacker can move from initial access to lateral movement, fell to just 29 minutes, with the fastest observed breakout time happening at a staggering 27 seconds. IBM also goes on to mention that one in six of those incidents involved an AI-driven attack. Another piece that I found very interesting is, aside from the exploitation piece of this, just the sheer number of CVEs being published across the industry is also accelerating very quickly. Year over year, there has been a 28% growth in the number of CVEs published. More specifically, with critical CVEs, there has been a 62% increase in the number of CVEs being published. I think when we talk about, you know, speed and velocity as it relates to AI, it really means that our vuln management processes within organizations need to evolve too. It's not just about more vulnerabilities. It's less time to respond, more ways to be attacked, and a higher likelihood of exploitation as well.

Dave Bittner: Is it fair to say, Sangeeta, that this is sort of a triple threat, that we've got an increase in the volume of vulnerabilities, the speed of exploitation, and even the sophistication of attacks? Are you tracking all three of those concerns?

Sangeeta Arora: Absolutely, yeah, we have seen a really big change with AI. Basically, AI is becoming the security expert at this point, so like Dan said, it's speeding things up. It's becoming really easy for attackers to move from vulnerability details to making a usable exploit attempt pretty quickly. Also in addition, like, the phishing and social engineering is becoming so much easier, and it increases the chances of access for these adversaries as well. Lastly, I think from an attack surface perspective, it's becoming easier for them to be able to identify the exposed services on the internet. If they have a POC, they're able to find out entry points much faster. So yes, we are basically, all companies are having to deal with, like, this large surge due to AI. I know Dan cited some numbers, but this is a pretty dramatic increase when we see a 60% increase in critical CVEs from year over year, just from 2025 to 2026. So it is something that is top of mind for all of us. As defenders, we just have less time to react, and so prioritization becomes key. We really need to make sure that we are prioritizing based on exposure and impact to be able to deal with that large volume.

Dave Bittner: How do you balance the speed that's necessary to respond these days with the accuracy that you want your security teams to have? They're under a lot of pressure to move faster than ever, but you don't want to miss things.

Daniel Ventura: That's a very good question because when everything looks critical, it's tough to decide what gets fixed first and how to make sure that you're not missing anything. These types of AI-driven threats that we've been seeing have really changed how we think about using the CVSS score to determine our prioritization with product teams. At Adobe, we've begun treating CVSS scoring as a baseline severity signal, not the final decision. We've added and embedded additional factors into our risk assessment process, such as threat intelligence and exploitability, on top of that base CVSS score, to really help us assess what needs to be fixed first and determine that prioritization order. We also use additional parameters to help us evaluate prioritization, including vulnerabilities that are published on the known exploited vulnerabilities catalog. Exposure is a good one, such as whether a vulnerable asset is internet facing or internal. Then also, we heavily consider the vulnerabilities that are found against our crown jewel assets. So lastly, to really help us prioritize remediation, we also found it crucial to keep our vulnerability management program dynamic by reprioritizing as the intel changes. Threat actors and exploits evolve over time and so must we.

Dave Bittner: How has this affected your teams? You know, this shift to AI, the need to prioritize things, how has this changed their day-to-day?

Sangeeta Arora: I would say that we are leveraging a lot of automation and AI as well. Because it definitely changes the day-to-day due to the large volume, we want to make sure that we're really giving our engineering and product teams the signal out of the large volume, right, and so prioritization becomes difficult. We're trying to use all of these contextual parameters in addition to CVSS score like Dan outlined, like looking at the exposure, whether this is a crown jewel. Is there any revenue impact? Do we have any mitigating controls? In order to do that, we have to definitely look at some automated ways. That's the day-to-day change for teams like the Vulnerability Operations Center: to be really innovating on how we can automate some of this prioritization and triage to be able to give the product teams the signal out of the noise.

Daniel Ventura: I think one thing to add on top of that is Adobe Security and our vuln management function are using AI to augment a lot of our existing capabilities. So as Sangeeta mentioned, like detections and testing, patch development, prioritization that we already spoke about, AI-assisted PR (pull request) creation. If adversaries are using AI, we must too. We're looking for ways to augment and embed AI into our existing vuln management functions.

Dave Bittner: How do you all interact with your engineering team? What's the collaboration like there?

Daniel Ventura: Maybe I'll speak to the general guidance and recommendations that we've had over the years and then talk about the evolution with the introduction of AI. Some of the core tenets I believe represent a strong security and product team partnership include things like meeting engineers where they work, whether that's in JIRA, ServiceNow, GitHub, and providing actionable findings to those developers and engineers, not just a simple raw scanner output. We're actually up-leveling in this area by moving to an action-based ticket function that helps us scale our engagement efforts and paint a clearer picture on overarching risk for product teams to understand what the issue is, what the impact is, and more importantly, what do they need to do to fix the issue. Also, defining clear SLAs based on risk -- this goes back to the prioritization conversation we had, not just arbitrary deadlines. By implementing a more intelligent risk assessment matrix, we're able to embed additional factors and threat intelligence into those decision-making pieces. I think lastly, having an embedded security champion that lives and operates with each of the product teams has been extremely valuable to us, and having security toolkits to assist with patch development and secure code improvements, as well, has really helped us. I think more specifically on the AI piece, in the world of AI vulnerabilities, it's really important for our security organization to help these product teams understand new classes of risk that they might not have been aware of before. Things like prompt injection and model leakage or data exposure are all very prevalent and new with all of these AI tools and features becoming public to customers. Also, leveraging threat models to provide secure design patterns is also really helpful to make sure that product teams are building their software and features in a secure method.

Dave Bittner: Sangeeta, I'm curious how you foster a sense of true collaboration between Security and Engineering to make it feel as though you're equal partners in this effort to make everything that Adobe does be as good as it can possibly be.

Sangeeta Arora: Absolutely. It is always a partnership. One of the things that we aim for is to really, like, bring along and work towards the betterment and improving the security posture at Adobe. We have the security champions embedded within the product teams. That really helps. When we're making improvements or changes to any of the processes, we definitely partner with the champions so that not only are they aware, but they're also, like, really championing the effort within the product teams and giving us really good feedback on how we could help, how we, security, can help them get to a better state faster and in a more automated fashion. That has really been helpful as a model. Then, also, one of the things that we're doing is embedding AI in the entire life cycle. For example, threat modeling, right? When they're developing the product or when they're developing the release, we want to make sure that they're able to come to security and get that feedback early on in the life cycle and not wait for once it's released. Post that, we also work with them on pen testing. We want to make sure that any new features, any new scope, is pen tested in a timely manner. Then after that, we're continuing to work with them on how to give them better context and be able to give them fixes and patch fixes within the tickets or even, like, PR fixes, and how we can develop things that will really help them so that they can build better products. We really just want to make sure that they're enabled to do what they're best at while security is really helping them and working with them in parallel. It's really a true partnership, and we are striving to continue to make that better, especially in this AI era.

Dave Bittner: I'm curious, for our listeners, are there any words of wisdom that you have, your lessons that you all have learned along the way that they could benefit from, your wisdom, the successes and the mistakes that you've made along the way, any lessons to share?

Sangeeta Arora: If there are a few things that I would want, you know, folks to take away, it is three main things: I think we really need to know our exposure and attack surface. Like, that is key. If we don't have visibility into that, that can definitely lead to us having gaps, so really making sure, you know, invest in a real asset inventory, know what's internet facing, know what's widely deployed, because that is really critical to be able to prioritize the vulnerabilities, especially with a really large volume. Secondly, I think we talked a little bit about this: prioritization is key. Use context, not just CVSS. In these times, it is very important for us to be looking at business criticality, exploitability signals, have a threat intel team that is giving you signals that you can use to prioritize, not just at the time of the vulnerability creation, but also reprioritize as time goes by and the threat intel changes. That is very important right now. Also, be looking for compensating controls that can be used for prioritization as well. What can be mitigated fast? As we know, the time to exploitation is getting really, really small. We need to move fast, so where we can, look for mitigations until it can be remediated. Then lastly, embed AI into all aspects of the vulnerability management lifecycle. This is a journey. I think we're evolving, as well, in this space, but since the adversaries are using it, I think the defenders have to use AI as much as we can. Use it to test your code. Use it to test your products, for triage, for prioritization, for ticketing, for providing context to your engineering and product teams, as well as just automating all aspects to remove the manual toil. Those are the three things that I feel have been really key that we have discovered in this journey.

Dave Bittner: Dan, how about you? Anything to add?

Daniel Ventura: Yeah, I think Sangeeta covered most of the takeaways that I could think of. I think maybe the one last piece to add is that one of the advantages that an organization has when leveraging AI to help drive vulnerability management is context. I think there's a lot more information and context that we as employees of an organization have to help us orient ourselves around prioritization and where our most risky assets are, and maybe, where there are strong protections or areas that can be further hardened. My main takeaway would be to leverage those internal contexts to help us speed up the vulnerability management function.

Dave Bittner: I'm curious how each of you measures success. If vulnerability management is ultimately about reducing risk, how do you put a measuring stick on that?

Daniel Ventura: Yeah, so I'll take a stab at answering this first. We've invested a lot of effort into evolving our vulnerability management metrics and security posture at Adobe. It's no longer sufficient to just measure SLA adherence and our product teams fixing vulnerabilities by the given SLA that the security org sets. We're measuring things like threat intelligence trends and time to remediation and accuracy in risk rating, time to triage. There's a lot of different aspects that go into vulnerability management, and so those factors all contribute to the overarching metrics of success when we think about vulnerability management. On the product side, we've also developed a security risk posture scorecard in which we present this data, everything I just mentioned, in a consumable way to product teams and their leadership to help them understand how they are performing across the various different types of vulnerability management initiatives that the security org has product teams working on.

Dave Bittner: Sangeeta, anything to add there?

Sangeeta Arora: Definitely. Like Dan said, in addition to just, like, looking at SLA adherence, we want to see time to triage, time to remediate; time to attribute is another one. Like, I touched on asset inventory, but really making sure that the time from vulnerability discovery to when it can be attributed to an owner is really, really small and can be done real time. That is critical. Then lastly, one thing I would say is looking for systemic trends is another metric to keep an eye on. It's not just one vulnerability at a time but just making sure that you have metrics that identify -- or dashboards that identify any systemic trends that need to be looked at for a particular product or a particular area. Of course, the scorecard that Dan mentioned has been really helpful because it gives the product teams one place to go to be able to see what their security posture looks like from different areas. It includes vulnerability data as well.

Daniel Ventura: One other metric of success that I forgot to mention is very interesting, and that's visibility. It's interesting when we think about, you know, ticket SLAs, even time to remediation and all the things we just talked about, it only goes so far as what the security organization can see. And so, for example, if we have a 99% SLA adherence and we're crushing it across all of our metrics but we're actually only able to see maybe 20% of the company, as an example, that paints a very different picture compared to those metrics alone. So that's one area that we're also measuring success in, is making sure that our security org is able to see what's going on across our organization at different levels of the tech stack. [ Music ]

Dave Bittner: Our thanks to Daniel Ventura, Senior Manager of Adobe's Vulnerability Operations Center, and Sangeeta Arora, Director of Vulnerability Management at Adobe, for joining us and sharing their perspectives on how vulnerability management programs are adapting to a rapidly changing threat landscape. As AI continues to reshape both offense and defense, organizations will need strategies that help them move forward quickly, focus on what matters most, and drive measurable risk reduction. Thanks for listening to this episode. For more conversations with industry leaders tackling today's most important cybersecurity challenges, visit thecyberwire.com. I'm Dave Bittner. We'll see you back here next time. [ Music ]