No Exploits Required – SecurityWeek


Well hey y’all. I just got hooked up with this space to somewhat-routinely write about vulnerabilities, cybersecurity, and infosec history. I’m currently at runZero, where I’m the vice president of security research, which basically means that I spend most of my time hanging around with some incredibly bright and devoted people who are also cunning and shrewd. We’re all dedicated to the notion that it is, in fact, possible to secure networks by being smart and creative with your approaches to exposure management.

I’m so excited to be writing here, and you might expect me to go on and on about CVE-identified vulnerabilities, and the CVE program itself. After all, I’m on the CVE board, and was most recently section chief for the KEV at CISA, and I’ve spent a fair amount of my career managing patch schedules, writing exploits and Metasploit modules, and detecting novel attacks on the network (so I often blather on Mastodon and Bluesky about CVEs).

But you’d be wrong! While I believe that CVEs are an important, even foundational, component of any modern security program (and I will explore aspects of individual CVEs and the program in the future), I’m not convinced that we should be totally infatuated with exploits and bugs. After four decades of personally responding to (and occasionally causing) cybersecurity incidents, it’s become clear to me that most people run into trouble not because they forgot to patch some critical internal database, but because the networking deck is stacked against the defenders.

TTRPGs and Predicting The Future

I remember in 1989 at DunDraCon, my first exposure to Cyberpunk 2020 by Mike Pondsmith and published by R. Talsorian. (You’ve probably heard of the video game Cyberpunk 2077; this pencil-and-paper table-top role playing game is that game’s direct ancestor.) Anyway, I saw the upcoming second edition being playtested during the conference, and I, being a teenage hacker, immediately gravitated toward the more fully-fledged “Netrunner” character class. We had a good time; the combat simulation was a lot more chaotic and swift than D&D, the cybernetic and neurological upgrades were way cooler than spells and potions, and of course, the theme of dystopian end-stage capitalism was infinitely attractive in a grim way.

Anyway, after playing a session, I was offered a comment card. Remember, this was the 80s, point-to-point networking reigned supreme, and to get anything done, you had to first figure out how to negotiate the handshake, puzzle out the protocol, and basically learn every operating system from scratch. So, my feedback was along the lines of, “I really liked the simulated hacking system, but it seems just a little too simplified and straightforward. It’s unrealistic that in the future, nuclear power plants and banks would all be on the same networks that are known to be shot through with hackers and gangsters.”


Oh, how wrong I was.

Universal Connectivity Is Great Except When It Isn’t

Fast forward to today, and there are just so many things that can go wrong when trying to secure a normal TCP/IP network, along with all the servers, desktops, clouds, phones, hypervisors and operational technology (OT) that’s been patched in. I’d argue that the first, fundamental problem defenders run into is the fact that planet Earth has settled on the whole “IP” part of TCP/IP. After all, the “I” stands for Internet, so given a long enough timeline, virtually everything that talks IP will end up exposed and reachable on the internet, and that’s both the coolest thing about TCP/IP, and its ultimate Achilles’ heel.

Recent events underline this fundamental flaw of modern networking when it comes to security. The 2026 M-Trends report from Google plays up the idea that “exploits represented the most frequently observed initial infection vector in 2025,” since exploited vulnerabilities account for 32% of all initial access vectors. That sounds like a lot!

Of course, the unspoken inverse of this stat is that the remaining 68% – over two-thirds – of initial access did not rely on technical vulnerability exploitation at all. The reason for this, of course, is that everything is reachable with enough ingenuity, time, and luck.

But what about Zero-Trust?

Security professionals have long known that the boundaries between internal and external networks are at best notional, and that realization shapes today’s intrusion defense strategies. For about 15 years, “zero-trust” has been an aspirational end-state: identity and authorization bundled into every network transaction, regardless of origin. However, this path is often blocked by legacy systems that “can’t” be managed this way. Worse, even when CTOs and CISOs get comfortable with their carefully structured boundaries, someone invariably bridges a printer from the IT to the OT network, and shadow-IT hijinks ensue from there.
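To make the contrast concrete, here is an added illustration (not code from the column or from runZero) of the two policy models side by side: a perimeter check that trusts any request sourced from the “internal” range, and a zero-trust check that ignores the source address and authorizes only an authenticated identity against a per-resource allow list. The network range, the resource names, the identities, the HMAC signing key, and the sample requests are all constructed for the example; the HMAC token is a stand-in for whatever a real identity provider would issue.

```python
"""Perimeter trust versus zero-trust, as an added example (not from the column).

All names, the signing key and the sample requests below are constructed.
"""
import hashlib
import hmac
import ipaddress

# Assumed "trusted" corporate LAN for the legacy perimeter model.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed secret used to sign identity assertions (stand-in for an IdP).
SIGNING_KEY = b"example-key-not-for-production"

# Authorization table: which authenticated identities may reach which resource.
ACL = {
    "hr-db": {"svc-payroll", "alice@corp.example"},
    "plc-01": {"svc-historian"},
}


def perimeter_policy(src_ip: str, resource: str) -> bool:
    """Legacy model: anything sourced inside the LAN may talk to anything.

    The resource is ignored; the only question asked is "where did it come from?"
    A printer bridged from IT into OT, or a laptop on the wrong VLAN, passes.
    """
    return ipaddress.ip_address(src_ip) in INTERNAL


def mint_token(identity: str) -> str:
    """Issue an HMAC-signed identity assertion of the form identity.mac."""
    mac = hmac.new(SIGNING_KEY, identity.encode(), hashlib.sha256).hexdigest()
    return f"{identity}.{mac}"


def verify_token(token: str):
    """Return the asserted identity if its signature checks out, else None."""
    try:
        identity, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, identity.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    return identity if hmac.compare_digest(mac, expected) else None


def zero_trust_policy(token, resource: str, src_ip: str = None) -> bool:
    """Zero-trust model: identity and authorization on every transaction.

    src_ip is accepted only to make the point that it plays no role here:
    a valid identity is authorized from anywhere, no identity is denied
    everywhere, regardless of which subnet the packet happened to arrive from.
    """
    identity = verify_token(token) if token else None
    if identity is None:
        return False
    return identity in ACL.get(resource, set())


if __name__ == "__main__":
    # Constructed requests: a bridged printer with no identity, the payroll
    # service from a remote address, and a forged token from inside the LAN.
    cases = [
        ("bridged printer, no token", "10.20.30.40", None, "hr-db"),
        ("payroll svc, remote", "203.0.113.5", mint_token("svc-payroll"), "hr-db"),
        ("forged token, internal", "10.1.1.1", "svc-payroll.deadbeef", "hr-db"),
        ("payroll svc, wrong resource", "10.1.1.2", mint_token("svc-payroll"), "plc-01"),
    ]
    for label, ip, tok, res in cases:
        print(f"{label:30} perimeter={perimeter_policy(ip, res)!s:5} "
              f"zero_trust={zero_trust_policy(tok, res, ip)}")
```

The perimeter model answers “yes” to everything in the first column because the only input it has is a source address, which is exactly the signal a bridged printer or a misplaced cable silently corrupts. The zero-trust model never consults the address at all, so the bridge buys the intruder nothing unless they can also present a credential the resource’s allow list recognizes.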

The standards chosen for TCP/IP are incredible in their interoperability, allowing systems to communicate freely, and routers actively route around broken links, even when the break is an intentional block. While this fundamental interconnectivity is great for innovation and industry and commerce and entertainment and art and all that, it’s an absolute, quantifiable disaster for security.

The network itself is actively working against the idea that only some of these computers should be able to talk to some of these other computers, automatically and intelligently, without physically closing circuits or swapping cables. It’s no wonder that most breaches today can be traced back to an errant bridge here, or a misclicked email there, rather than a failure to patch.

Securing any enterprise is profoundly difficult due to these fundamental forces, giving hackers, criminals, and spies a seemingly permanent advantage in gaining and keeping access, no exploits required.

Going forward, I’ll be taking up some SecurityWeek column-inches to pursue all these side quests, like tracking end-of-life trends, investigating OT/IT convergence, and the so-called “Layer 8” human-centric issues of cybersecurity. And yes, expect the occasional indulgence in deep-dives on particularly interesting sets of technical software vulnerabilities, CVE-identified or otherwise.
