
“The Adversary Is Already Inside”: Former NSA Director Rob Joyce on Why the DIB Can't Afford to Defend at Human Speed
Emily Bonnie
Senior Content Marketing Manager
A managed antivirus product. An MSP that checks in monthly. No dedicated security staff. For a significant share of defense industrial base suppliers, that is the current security posture, even though they handle the same controlled unclassified information (CUI) as primes with 24/7 SOCs and full threat intelligence teams. The adversary has read the supply chain map, knows where the soft targets are, and is already inside.
"Discomfort is the gap between where you are and where the adversary is," said Rob Joyce, former Director of Cybersecurity at the National Security Agency, at the Secureframe National Cybersecurity Summit. "If something I say makes you uncomfortable, that's actually good."
Joyce spent 34 years at the NSA, where his final role was leading the agency's Cybersecurity Directorate, the organization responsible for publicly attributing nation-state cyber campaigns, issuing advisories on active threats, and standing up the NSA Cybersecurity Collaboration Center as a free resource for the Defense Industrial Base. Before that, he served on the White House National Security Council as Special Assistant to the President and Cybersecurity Coordinator, and as Acting Homeland Security Advisor. He has spent his career in rooms where the classified picture of adversary capability is fully visible.
He came into the Summit with two points he wanted the DIB to leave with. First, that the adversary is already inside U.S. critical infrastructure, and the DIB is high priority on the target list. Second, that AI has crossed a threshold in offensive capability that changes the math for every organization handling CUI, regardless of headcount. The window between now and when AI-enabled defense catches up is when companies are most vulnerable.
Volt Typhoon and Salt Typhoon have the DIB on their target lists
Joyce pointed to two major PRC operations as proof that the threat is active, not theoretical.
Volt Typhoon is a pre-positioning campaign inside U.S. critical infrastructure: energy, water, transport, ports. The goal is not espionage. It's battlefield preparation, the ability to disable U.S. logistics and power if Beijing moves on Taiwan. Volt Typhoon doesn’t use malware. It operates through PowerShell, WMI, and scheduled tasks, the same tools your IT staff use every day, so endpoint detection tools don't fire. Joyce cited the language the government used in declassified intelligence to describe the intent: societal panic.
"Think about that: societal panic. China's prepositioning for digital terror attacks in the event of a crisis with the U.S."
Salt Typhoon is a different operation with the same target list. It penetrated major U.S. telecom carriers (Verizon, AT&T, T-Mobile, Lumen) and got inside the lawful intercept systems used by law enforcement. Call records, location data, and in some cases content. Any employee or executive who touched a U.S. mobile phone network during the relevant window may have had their metadata and conversations collected.
Both operations explicitly name the Defense Industrial Base. "You're not collateral damage in this. You are often the objective."
The PRC already knows the supply chain map. SAM.gov is public. Prime award filings are scrapeable. They can identify which tier two machine shop or tier three software vendor sits one hop away from a weapons system, and they know the shared exposure points, including the law firms handling patent filings and M&A deals.
Large primes have hundreds of cleared staff, 24/7 SOCs, threat intel teams, and insider threat programs. Joyce has personally walked into tier two and three shops with 60 employees, no dedicated security person, a managed antivirus product, and an MSP that checks in monthly. Both handle the same CUI. Both carry the same DFARS obligations.
"The adversary doesn't care about your headcount. They care about which path to CUI is the easiest path to get into their objective. Today, that path runs through the supplier with the part-time MSP because the CUI is the same, but the defense isn't."
"We've crossed a Rubicon" on AI-enabled offense
Joyce used the word Rubicon deliberately. Two years ago, AI in offensive cyber was a productivity tool. "It writes phishing emails better. It speeds up reverse engineering. It doesn't change the game with those kind of technologies," Joyce explained. The autonomous loop wasn't there. Models hallucinated, lost state, and couldn't recover from errors mid-operation. Human judgment was still the bottleneck.
That changed roughly 18 months ago when three things converged: agentic frameworks that closed the loop, frontier models that got dramatically better at code reasoning, and adversaries that deployed those combinations in the wild.
"There's no going back to the pre-AI threat model. The decisions you make about your defense are decisions about the new normal. We're not preparing for a possible future."
Four data points that prove the game has changed
The following four data points, all from the last 18 months, show what that shift looks like in practice.
1. The AI model is now flying the operation
In November 2025, Anthropic published a report on a PRC-linked actor that used an AI agent in an active espionage campaign against 30 organizations across tech, finance, chemical, and government sectors. The agent executed 80 to 90 percent of operational steps autonomously (reconnaissance, exploitation, lateral movement, exfiltration) with minimal human involvement.
Many in the security community read the report as evidence of unsophisticated techniques with humans still in the loop. Joyce read it differently.
"It was an impressive problem decomposition. The actors adapted AI into their operational framework. They demonstrated an ability to find vulnerabilities across an enterprise. I think that the exercise taught the APTs to use offline models. They now know how to operate without calling home to commercial APIs."
"It worked against real-world targets. We said it wasn't sophisticated — it was sophisticated enough. It won."
On the malware side, Google Threat Intelligence identified three new families (PromptFlux, PromptSteal, and PromptSpy) that call out to a large language model at runtime to generate the next command. The intelligence isn't baked into the binary. It's staged on demand. Signature detection doesn't flag LLM use when everyone in the organization is using LLMs.
2. Vulnerability discovery is now industrialized
Microsoft's April 2026 Patch Tuesday was the second largest on record: 165 new vulnerabilities. The May 2026 Chrome update contained 127 security fixes in a single release, roughly double the previous record. Vendors have publicly acknowledged that agentic vulnerability hunting is materially driving the volume.
"It's not that Chrome got worse. New things were found that previously went unnoticed. We're not finding bugs faster because we have more humans on the problem. We're finding them faster because the discovery loop is now mostly machine."
An autonomous pen-testing agent called XBOW became the first non-human entity to top the HackerOne bug bounty leaderboard in 2025, finding more valid, in-scope vulnerabilities than any human researcher on the platform, continuously, at whatever scale the operator chose to fund.
3. AI is finding bugs that decades of human review overlooked
OpenSSL has had 27 years of professional review, paid bug bounties, academic scrutiny, and adversarial hacking. It is one of the most examined open-source projects in existence. A company called IL ran AI-driven analysis on the codebase and found 13 new CVEs, including a remote code execution vulnerability that traced back to the original Unix code the project was built on.
"The point you should take away is not that humans are bad at code review. It's that the search space was too large. And we couldn't brute-force it or have something deterministic until now. So AI has shrunk the cost of looking at every code path by orders of magnitude."
4. AI now outperforms elite human operators
In March 2026, Israeli startup Tenzai entered an autonomous agent into six major CTF competitions against 125,000 human competitors, many of them professionals from NSA, top red teams, and the security research community. The agent finished in the top one percent across all six events.
"This is not AI getting close to humans. This is one AI agent outperforming nearly every elite human in that competition. If you're building your security strategy on the assumption that human operators are meaningfully better than machines at offense, that assumption was true 24 months ago. It is definitely not true today."
The attacker's cost is collapsing while the defender's workload grows
Time to exploit used to be measured in days or weeks after CVE disclosure. It's now in hours, and it's automated. Defenders' SLAs for patching are still measured in weeks, even at well-resourced shops. That gap is widening, not closing, as patch volumes increase.
Operator cost has dropped substantially. A competent offensive operator used to be a scarce resource. Inference on frontier models now runs for pennies on the dollar.
"When the marginal cost of attack approaches zero, the marginal value required to justify an attack also approaches zero. So we all get more in the target areas."
Three factors have compounded the asymmetry:
- Speed: Scan to exploit in minutes
- Tempo: AI doesn't come off shift or get fatigued
- Parallelism: One operator, thousands of simultaneous targets
Response time on the defensive side hasn't changed. Attack tempo has.
The governance implication follows directly. The definition of reasonable security is not static. It tracks where tools and practices are commercially available. When AI-assisted defensive scanning is broadly available, not using it will start to look like negligence. Boards are already asking about AI-driven attack exposure. Cyber insurers will be next on renewal questionnaires. Regulators will follow.
Reframing Zero Trust in the new world of AI
"Every vendor at RSA puts zero trust on the banner. The term is exhausted. Let me strip it back to what it really means."
In a world where the adversary is already inside the wire and attack tempo is at machine speed, you can’t have any place in your architecture where presence implies trust. Identity, device, network position, time of day — none of those are sufficient on their own.
The six pillars in practice: verify the user (phishing-resistant MFA, no exceptions), verify the device (managed, healthy, patched endpoints only), enforce least privilege (audit your admin sprawl), segment the data (CUI lives in a defined enclave, not scattered across the organization), watch continuously (anomaly detection on identity, data movement, and configuration drift), and assume compromise (design for containment, not just prevention).
On segmentation, Joyce noted that Mandiant has reported that the time to exploit has moved into negative days, meaning vulnerabilities are being discovered and exploited before a patch exists. "If you assume that world, people are going to get through your firewall, your VPN concentrator. What are you doing then to have a speed bump at the next place?"
On building your own implementation: "There are 300,000 companies in the DIB. If each one of you builds its own zero trust enclave from scratch, we get 300,000 unique implementations, each with their own strengths and weaknesses, 300,000 unique misconfigurations, failure modes. And an autonomous attacker can probe all of them in parallel to find the weak ones." Government-owned reference architectures, prime-provided shared enclaves, and certified third-party CUI environments exist for this reason.
CMMC is the floor, not the ceiling
"CMMC is not paperwork. It's operational discipline." The controls exist because those areas of technology got exploited repeatedly in real DIB breaches.
The four phases each carry distinct failure modes. Most first-time assessments fail at the prove phase, where generating assessor-acceptable evidence is harder than implementing the control. Most companies fail in year two at the sustain phase, "after the consultants are gone and the Windows update that might disable BitLocker" hits.
"A small 60-person shop can't author 320 control statements by hand, refresh them quarterly. That math doesn't work." But CMMC is automatable: the same AI capabilities used for vulnerability discovery enable continuous control monitoring, evidence collection, and drift detection. Policy as code, evidence generated in real time, gaps flagged when they open.
"Compliance is the floor, not the goal."
Six moves DIB companies should make now
Joyce was specific about what's actionable for DIB organizations right now, not just what's alarming. For organizations that need a starting point, these are his six concrete moves.
1. Know where your CUI lives
"Until you have a map of where it lives, you can't defend it." Most CUI breaches in the DIB are not sophisticated penetrations. They're inventory failures: CUI sitting in personal Gmail, Dropbox, or SharePoints with no access controls. You cannot defend what you haven't mapped.
2. Reduce tech debt
"Known vulnerabilities will be exploited. The CISA KEV catalog telling you what is being exploited is a big red flashing light that that stuff's coming for you." Patch faster, decommission end-of-life systems, and close those gaps before an autonomous scanner does it for the attacker.
3. Lock down identity
"The single highest return on investment move you can do is get phishing-resistant MFA on every account, every entry point." Not SMS. Not push notifications that can be fatigued. FIDO2 or hardware tokens, no exceptions.
"Every single MFA-related breach in the last two years had some exception path that was exploited." Kill stale accounts. Most organizations have 20-40 % of their active directory populated with users who left more than a year ago.
4. Move to continuous pen testing
"Your annual third-party pen test is dead as a defensive posture. It tells you what was wrong a while ago, but nothing about anything that's happened in the other 50 weeks since that point."
"Pay for that continuous pen testing, because it's going to be done for you whether you pay for it or not. The difference is who gets to read the report."
5. Put AI on defense
"In a world where AI is the attacker, make it your ally." The same AI capabilities enabling adversaries can work for defenders — continuous control monitoring, policy-as-code, evidence collection, drift detection. "Start adopting and integrating them into your workflows because it will help your defense."
6. Access free resources from the NSA
The NSA Cybersecurity Collaboration Center at nsa.gov/ccc offers free services to any company with a DoD contract, regardless of size: unclassified threat intelligence sharing, protective DNS that blocks known malicious domains in real time, attack surface management scanning, and a vulnerability disclosure pipeline.
Joyce helped build it specifically for the DIB. "The eligible population is well over 100,000. So many of you on the call qualify and don't know it. You're not alone in this."
Long-term, AI will give defenders the advantage
Joyce closed with a note of longer-term optimism. A well-configured system with AI driving and maintaining it will be extremely hard to penetrate. Defense will have a significant advantage once these tools are deployed effectively on that side of the ledger.
"Long term, I'm super optimistic that these tools and AI will give defense the huge advantage. It will be super hard to get into a well-configured system that AI is driving and maintaining. But this window between today and that nirvana of AI as really good defense is going to be a painful time for some of us."
"The adversary is running an AI speed campaign. Your defense can't move at manual audit speed. Compliance is the floor, not the goal. Continuous protection is where you've got to go."