The Clock Ran Out on Defense-in-Depth

Defense-in-depth was never about stopping attacks. It was about buying time. AI just made time the one thing you no longer have.
That's not a provocation. It's arithmetic. In 2023, the median time between a CVE disclosure and a confirmed exploit in the wild was six days. By 2024, it was four hours. By 2025, more than 44% of exploited vulnerabilities were weaponized before they were even publicly disclosed; the exposure window hadn't just shrunk, it had inverted [1]. The layered security model your organization built: the SAST scans, the CVSS-triaged backlogs, the "shift left" mandate - was calibrated for a world where attackers moved at human speed. They don't anymore. This matters to you as an engineering manager because the tools your security team relies on to protect your pipeline are measuring the wrong things, at the wrong cadence, pointed at the wrong place.
The Supply Chain Is the Target. Your Code Is the Delivery Vehicle.
The attacker's calculus has shifted. Why try to breach one company when you can compromise the supply chain and get thousands at once?
In May 2026, threat actors deployed a trojanized VS Code extension - Nx Console v18.95.0 - that was live on the Visual Studio Marketplace for roughly 18 minutes before it was pulled [2]. In that window, the malware harvested credentials from developer workstations. The attack chain ultimately reached GitHub itself, resulting in a breach of approximately 3,800 of GitHub's own internal repositories: Vault tokens, AWS keys, SSH keys, GitHub tokens [3].
Eighteen minutes. Your on-call rotation doesn't move that fast. Your incident response playbook wasn't written for that clock.
The attack didn't target your firewall. It targeted the developer's local machine before code was ever committed, a blind spot that no SAST tool, no CSPM platform, and no CVE scanner can see. The pre-commit environment is a black box, and attackers know it.
AI-powered bots are now actively scanning for pipeline misconfigurations at scale. One documented campaign submitted over 475 malicious pull requests across GitHub repositories in a single 26-hour window, dynamically adapting the attack payload to each tech stack [4]. Not a human running scripts, but rather an automated system finding your specific weakness and writing the exploit for it.
Your Scoring System Is Broken
CVSS scores were designed to help teams prioritize. The problem is that AI can now chain multiple low-severity findings into a single critical exploit path; invisibly, automatically, without triggering any of the thresholds your tools use to escalate. Three separate "medium" findings in your SCA backlog can chain together into a critical path in practice. Your tooling filed all three as "review next sprint."
That's not a gap in the tools. It's a structural limitation in the model they're built on. SAST, DAST, and SCA tools classify vulnerabilities by CVE and CVSS score. When those scores no longer accurately reflect exploitability in a chained-threat environment, the tools built on top of them inherit the same blind spot. Shift-left doesn't help if what you're shifting is the wrong signal.
The Always-Red Dashboard
Ask your engineers how they feel about the security alerts in their Slack channels. A year ago it was monthly. Then biweekly. Now it's near-daily. When the volume is high enough, the signal degrades. Teams stop responding with urgency not because they're careless but because urgency has been stripped of meaning by volume. At some point, every alert looks like every other alert.
The volume of AI-generated code, combined with the expanding attack surface of third-party packages and AI tooling, has outpaced the capacity of any team to manually triage. The dashboard is always red because the inputs are always red.
The New Attack Surface Nobody Has a Policy For
Developers are copying MCP skills (the connectors that let AI agents interact with external tools) from open repositories because they have catchy names and solve immediate problems. Most organizations have no inventory of what skills are running in their pipelines, no approval process, and no monitoring for what those skills are doing after install.
Some demand blanket read/write access to private and public repositories. Some are updated silently after initial approval. The OWASP MCP Top 10 classifies this as "Tool Poisoning" (MCP03): a trusted tool that becomes malicious after it's already inside your perimeter [5]. Your security team probably doesn't know which MCP skills your engineers installed last week.
A Word on the Hype
You've probably noticed every vendor with a blog post and a booth has suddenly discovered Mythos. "Best practices for the Mythos era." "Our framework for AI-accelerated threat response." The marketing is moving faster than the solutions, which is how you know we're early.
My honest read: there is no single best practice. No framework one company or one vendor can publish addresses a problem this foundational. The attack surface is too dynamic and the dependencies are too interconnected for any individual organization to solve in isolation.
What's actually needed is industry bodies willing to do the slow, unglamorous work of convening the right people. OWASP and the Cloud Security Alliance deserve credit for trying; the MCP Top 10 and related guidance are real contributions. But this problem doesn't get solved without the major AI providers, the large cloud platforms, and the enterprise software vendors in the same room, with resources behind it, treating this as a shared infrastructure problem rather than a competitive differentiator.
Until that happens, be skeptical of anyone selling you a complete answer to your problem.
What You Actually Need to Change
You don't need a new tool. You need a different mental model.
The question isn't "how do we patch faster?" It's "how do we build pipelines that assume compromise and limit what an attacker can reach?" Code review tooling that understands how vulnerabilities chain, not just their isolated CVSS scores. Runtime controls on what MCP skills can access. An incident response process that can rotate credentials in minutes on any day of the week, not a Tuesday morning with three people on a bridge.
Defense-in-depth was a sensible strategy when adversaries were constrained by the same time you were. They aren't anymore.
Rusty Perry is a cybersecurity executive with 25+ years building and transforming security programs across regulated industries, specializing in AI governance, cloud-native platforms, secure software development supply chain, and enterprise-scale cybersecurity transformation.
Citations
[1] Zero Day Clock — Time-to-Exploit milestone tracking across 83,000+ CVEs from sources including CISA KEV, ExploitDB, and Metasploit. https://zerodayclock.com
[2] "Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer," The Hacker News, May 2026. https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html
[3] "GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension," The Hacker News, May 2026. https://thehackernews.com/2026/05/github-internal-repositories-breached.html. See also: CISA Alert, May 28, 2026. https://www.cisa.gov/news-events/alerts/2026/05/28/supply-chain-compromises-impact-nx-console-and-github-repositories
[4] "prt-scan: AI-Powered GitHub Actions Supply Chain Attack," Wiz Research, 2026. https://www.wiz.io/blog/six-accounts-one-actor-inside-the-prt-scan-supply-chain-campaign
[5] OWASP MCP Top 10 — MCP03:2025 Tool Poisoning. https://owasp.org/www-project-mcp-top-10/2025/MCP03-2025%E2%80%93Tool-Poisoning
