Show Description

The Zero Day Clock is ticking — and the numbers should make every security leader uncomfortable. In this episode, I sit down with Sergej Epp, CISO at a leading security firm, who built the Zero Day Clock after a weekend experiment using AI to discover vulnerabilities firsthand. What he found shocked him: with no professional vulnerability research background and just a few hours of work, he was successfully finding zero days across major security projects using AI models and basic scaffolding.

Sergej breaks down his concept of the "Verifier's Law" — the idea that offense has the cheapest verifier in cybersecurity because feedback is binary and instant (you either popped a shell or you didn't), while defense operates in a space where validation is expensive, ambiguous, and slow. We dig into what this asymmetry means for the industry, why 20 years of warnings from Ross Anderson, Bruce Schneier, Halvar Flake, and others have gone unheeded, and whether coordinated disclosure models are broken now that AI can reverse engineer a patch into a working exploit in minutes.

We also discuss the tension between regulation and deregulation playing out in the U.S. and EU, why the answer might be outcome-based accountability rather than prescriptive compliance, and what a realistic defensible posture actually looks like when the mean time to exploit for actively exploited vulnerabilities is under two days — while most organizations are still operating on 30-day patch cycles.

Show Notes

• Sergej shares how a weekend AI experiment led him to discover multiple zero days across major security projects with no professional vulnerability research experience — and why that should alarm the entire industry
• The "Verifier's Law" explained: offense has cheap, deterministic validators (pop a shell, exfiltrate data, trigger an XSS) while defense faces expensive, ambiguous validation (parsing SIM alerts, measuring security posture), giving AI-accelerated offense a structural advantage
• The Zero Day Clock synthesizes 3,500+ CVE-exploit pairs and shows the mean time to exploit for actively exploited vulnerabilities is now under two days — while organizations still operate on 14-to-30-day patch cycles
• 20 years of ignored warnings: from Ross Anderson's 2001 economics paper through Bruce Schneier, Halvar Flake's "the patch is the advisory" insight, and DARPA's Cyber Grand Challenge — the industry has consistently failed to act on clear signals
• AI can now reverse engineer patches to identify underlying flaws and generate working exploits in minutes, potentially breaking coordinated disclosure models and compressing the window between patch release and active exploitation to near zero
• The regulation paradox: the EU risks overregulating AI in ways that hamper defenders while attackers face no such constraints, while the U.S. is pushing deregulation that may remove the only forcing function for vendor accountability — Sergej and Chris discuss outcome-based regulation as a potential middle path
• Defenders have a data advantage: by understanding their own environments, infrastructure, and processes, security teams can detect AI-driven attacks through behavioral anomalies like hallucinated API calls, non-existent user accounts, and other artifacts of AI-generated attack playbooks
• The Zero Day Clock's real power is as a board-level communication tool — a single slide that translates the patching gap into a number executives and policymakers can't ignore, shifting the conversation from "are we compliant?" to "are we fast enough?"

Summary:

In this conversation, Chris Hughes and Stanislav Fort discuss the transformative role of AI in cybersecurity, particularly in vulnerability management. Stanislav shares insights on how AI can discover zero-day vulnerabilities in widely used codebases, the challenges of balancing AI-driven discoveries with quality assurance, and the importance of proactive security measures. They also explore the economic sustainability of AI in cybersecurity, the burden on maintainers, and the ongoing arms race between defenders and attackers. The discussion emphasizes the potential for AI to significantly enhance software security and the aspiration towards achieving zero vulnerabilities in critical infrastructure.


Takeaways:

AI is revolutionizing vulnerability management in cybersecurity.
The ability to find long-hidden vulnerabilities is unprecedented.
AI can enhance both offensive and defensive security measures.
Proactive security integration into development pipelines is essential.
The quality of vulnerability reports is declining due to AI-generated noise.
Maintainers face increasing burdens from rapid AI-driven discoveries.
AI can help secure open source projects effectively.
Sustainability in AI cybersecurity requires financial backing.
The arms race between attackers and defenders is intensifying with AI.
Achieving zero vulnerabilities is an aspirational yet achievable goal.


Chapters

00:00 Introduction to AI in Cybersecurity
02:52 The Evolution of AI and Vulnerability Discovery
05:45 AI's Impact on Software Development
08:59 Discovering Zero-Day Vulnerabilities
11:48 The Great Bifurcation in Security Research
14:52 Balancing AI-Driven Discoveries and Quality
17:59 Proactive Security Measures in Software Development
20:53 The Role of AI in Securing Open Source Projects
23:54 Sustainability of AI in Cybersecurity
27:07 Addressing the Burden on Maintainers
30:09 The Tension Between Autonomy and Security
33:03 The Arms Race Between Defenders and Attackers
36:12 Aiming for Zero Vulnerabilities
38:58 Conclusion and Future Outlook

In this episode of Resilient Cyber I catch up with Momentum Cyber's Founder & CEO, Eric McAlpine.

We will be unpacking 2025's M&A and capital market activities, using Momentum Cyber's 2025 Cybersecurity Almanac Report, as well as discussing some of the overlooked and untold details under the hood of cyber M&A, building world class teams and more.