Frontier Vulnerabilities, Burning down the backlog with and bridging the gap between vulnerability i
Exploitation timelines have collapsed. Median time-to-exploit for newly disclosed vulnerabilities is trending toward zero. Attackers are weaponizing CVEs the same day they're published — sometimes before a CVE ID exists. CVE volume is past 380,000 records with 40–48K new entries per year. Scan, triage by CVSS, open a ticket: that workflow is dead.
The bigger shift is in the attack surface itself. Threat actors aren't just exploiting known CVEs. They're publishing backdoored packages on npm, compromising maintainer accounts, deploying self-propagating supply chain worms, and running C2 over blockchain infrastructure that nobody can seize. The Axios maintainer compromise, Shai-Hulud, TeamPCP — all happened in the last six months. All moved faster than any advisory-based workflow could respond.
The vulnerability lifecycle in a world of agentic AI and automated exploitation has fundamentally changed. Threat intelligence and vulnerability management can't keep running as separate disciplines. CTI and malware intelligence need to feed directly into prioritization.
This talk walks through how to do that in practice. I'll cover Phoenix Blue — a free vulnerability intelligence feed aggregating 15+ sources (NVD, CISA KEV, EPSS, Shadowserver, GreyNoise, OpenSSF malicious packages, and more) — and how it powers a threat-centric approach to prioritization. The core of the talk is scoring: how a model that fuses real-time exploitation evidence (honeypot observations, in-the-wild scanning, ransomware associations) with predictive signals (EPSS, Time-to-Exploit cohort patterns, Exploit Acceleration Index) separates the CVEs that are actually burning in production from the ones that just look scary on a report.
We'll dig into reachability analysis — code, library, container, runtime — and why it changes the remediation playbook for containers, where "just upgrade the package" is often wrong, unsafe, or doesn't exist. I'll connect CTI to remediation decisions directly: what's actively dangerous, what's theoretical, what needs compensating controls because patching is slow. And I'll show how agentic LLM enrichment (with dual-model adversarial validation to catch hallucinations) rewrites noisy scanner output into fix-oriented guidance at scale, and how agentic remediation for library upgrades gets dramatically better when you gate it on reachability and production relevance.
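As an added illustration (not Phoenix Blue's model or code), here is a small Python sketch of the dual-signal idea from the two paragraphs above: real-world exploitation evidence outweighs predictive signals when scoring, and the remediation decision is then gated on reachability, production relevance and fix availability. All weights, thresholds, field names and CVE ids below are assumptions constructed for the example.

```python
"""Dual-signal CVE prioritisation sketch: evidence + prediction, then a
reachability gate. Illustrative only; weights/thresholds are assumptions."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss: float                    # base severity as reported by the scanner
    epss: float                    # predicted exploitation probability, 0..1
    in_kev: bool = False           # evidence: listed as known exploited
    scanned_in_wild: bool = False  # evidence: honeypot / mass-scanning hits
    ransomware: bool = False       # evidence: tied to ransomware campaigns
    reachable: bool = True         # code/library/container/runtime reachability
    in_production: bool = True     # deployed where it matters
    fix_available: bool = True     # an upgrade or patch actually exists


def evidence_score(f: Finding) -> float:
    """What is being exploited now. Weights are assumptions."""
    s = 0.6 * f.in_kev + 0.25 * f.scanned_in_wild + 0.15 * f.ransomware
    return min(s, 1.0)


def prediction_score(f: Finding) -> float:
    """What is likely to be exploited: EPSS, lightly blended with CVSS."""
    return 0.8 * f.epss + 0.2 * (f.cvss / 10.0)


def threat_score(f: Finding) -> float:
    """Fuse the two signals; evidence dominates prediction."""
    return round(0.7 * evidence_score(f) + 0.3 * prediction_score(f), 3)


def remediation(f: Finding) -> str:
    """Route the finding: unreachable or non-prod work is deferred, burning
    findings get a patch or, if none exists, a compensating control."""
    if not f.reachable or not f.in_production:
        return "backlog"
    ts = threat_score(f)
    if ts >= 0.5:
        return "patch-now" if f.fix_available else "compensating-control"
    return "schedule" if ts >= 0.2 else "monitor"


def prioritize(findings):
    """(cve, score, action) tuples, most dangerous first."""
    rows = [(f.cve, threat_score(f), remediation(f)) for f in findings]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample findings; the CVE ids are placeholders, not real records.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02),  # scary on paper, no evidence
    Finding("CVE-0000-0002", cvss=6.5, epss=0.70, in_kev=True, scanned_in_wild=True),
    Finding("CVE-0000-0003", cvss=6.5, epss=0.70, in_kev=True, scanned_in_wild=True,
            fix_available=False),
    Finding("CVE-0000-0004", cvss=6.5, epss=0.70, in_kev=True, scanned_in_wild=True,
            reachable=False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

The critical-CVSS finding with no exploitation evidence lands at the bottom of the queue, while the medium-CVSS finding that is actually being exploited is patched first, given a compensating control when no fix exists, or parked when it is not reachable.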
The end goal: a CTEM framework on three pillars — ownership attribution, vulnerability attribution, remedy attribution — where every finding is scored by what's being exploited in the real world, not what could theoretically be exploited on paper.
Talk Breakdown:
1. Exploitation timelines collapsing to zero — the data, the cases, what it means for prioritization workflows
2. The attack surface moved: malware, supply chain compromise, and threat actor behavior are the problem now, not just CVE counts
3. Feeding CTI and malware intelligence into the vulnerability pipeline (Phoenix Blue, free, 15+ sources)
4. Prediction vs. evidence: the dual-signal scoring model and how it separates real threats from noise
5. Reachability analysis and code-to-cloud tracing for routing fixes to the right team
6. Container patching: why it's different and how to stop getting it wrong
7. AI-CTI at scale — agentic LLM enrichment with adversarial validation that catches hallucinations
8. Agentic remediation for libraries, gated by reachability
9. CTEM three pillars: right team, right vulnerability, right remedy, right context
What Attendees Walk Away With:
* A clear picture of why time-to-exploit at zero changes prioritization fundamentals, and why CVSS on its own was never going to work.
* How to wire threat intelligence and malware intelligence into vulnerability management instead of running them as parallel programs.
* The prediction-and-evidence scoring model — what's actually burning versus what's noise — with specifics on how the signals compose.
* A method for combining reachability with code-to-cloud tracing so remediation lands on the right team with less alert fatigue.
* How AI-CTI and agentic remediation scale fix generation without producing garbage, and the adversarial validation architecture behind it.
* A CTEM blueprint that turns vulnerability management into measurable exposure reduction.