“Frontier artificial intelligence models are challenging some longstanding beliefs about how to make organizations secure. At Visa, it's forcing a complete rethink of cyber resilience.
The payments giant participated in Anthropic's Project Glasswing cybersecurity initiative, which released a preview of its security-focused Mythos model to select companies in April. Anthropic made a public version of the model, known as Fable 5, available Tuesday.
Testing during the project showed that AI systems could identify individual vulnerabilities and instantly link separate, minor weaknesses into viable avenues of attack.
"What it really brings to bear is that it can construct attack chains," said Rajat Taneja, Visa's president of technology. "It's not just identifying single bugs. It is showing that it will be able to find things which in and of themselves may not be high severity, but it can put them all together."
The latest generation of AI models can detect software weaknesses at unprecedented speed. This capability compresses the timeline between discovery and exploitation, placing immense pressure on organizations to fix vulnerabilities before attackers act. Thousands, and sometimes millions, of flaws can be uncovered by these models, posing a triage challenge. "Prioritization is the new battleground," said Rex Thexton, a senior managing director at consulting firm Accenture.
For years, defenders focused on discovering software vulnerabilities before attackers could exploit them. Increasingly, security executives say, the primary bottleneck occurs after those flaws are uncovered.
"The issues have always existed," said David Cooper, cyber commercial leader for consulting firm Ernst & Young in the Americas. "What's new is that we have a machine-scale way of identifying them, and now we need to adopt a machine-scale way to fix them."
The findings prompted Visa to rethink how it measures cyber resilience. The company developed a metric called "Mean Time to Adapt," which measures how quickly an organization identifies, triages and fixes vulnerabilities once discovered.
"It will shift the emphasis from finding issues to validating, prioritizing and fixing at a level of speed and automation to stay ahead of what will be machine-speed attackers," Taneja said.
Recognizing that human engineers can't patch at machine speed, Visa developed the Visa Vulnerability Agentic Harness, or VVAH, to test its own systems against frontier models. The framework tasks AI agents with validating vulnerabilities, generating software fixes and automatically testing remediation efforts. Visa plans to release the framework as open-source software Wednesday to help the broader industry automate its defenses.
During the Project Glasswing tests, the AI identified relatively few critical vulnerabilities within Visa's core environment. Taneja noted that the company's existing zero-trust architecture, network segmentation and secondary controls would have mitigated the flaws that were found. The exercise nevertheless uncovered new vulnerabilities and reinforced Visa's stance that security programs must become increasingly automated as AI capabilities advance, a challenge that looks particularly acute beyond large enterprises.
While organizations like Visa can invest in automated remediation systems, many suppliers, software vendors and open-source projects operate with far fewer security resources. A weakness in a smaller vendor or a widely used open-source software component still poses a direct risk to the larger enterprises that depend on them.
---
James Rundle is a reporter for WSJ Pro Cybersecurity.” [1]
1. AI Shifts Cybersecurity Battle From Finding to Fixing Flaws. Rundle, James. Wall Street Journal, Eastern edition; New York, N.Y.. 11 June 2026: B4.
Komentarų nėra:
Rašyti komentarą