How to Use AI for Vulnerability Management

In 2025, over 48,000 CVEs were published. That’s roughly 130 new vulnerabilities every single day. And while your team is triaging, prioritizing, and patching, attackers are moving; the average time from CVE disclosure to active exploitation is now just 20 hours.

Traditional vulnerability management wasn’t built for this. It was built for a slower, more contained world – one that no longer exists. Today’s attack surface spans cloud, endpoints, containers, third-party dependencies, and increasingly, AI-generated code that gets shipped before anyone fully understands what it exposes. On top of that, models like Anthropic’s Mythos have significantly lowered the bar to being a dangerous attacker. The tools and processes most organizations rely on simply weren’t designed for this level of scale, speed, or complexity.

That’s exactly what a new SANS whitepaper, The Exposure Gap: From Vulnerability Management to AI-Driven Control, digs into, and why knowing how to use AI for vulnerability management has gone from competitive advantage to baseline necessity.

Here’s what you need to know.

The Vulnerability Management Limitations Teams Can’t Ignore

Vulnerability management was designed for a world of on-prem infrastructure, predictable perimeters, and manageable patch cycles. That world is gone.

Most organizations today are running hybrid environments – cloud, endpoints, code repositories, SaaS platforms, containers, OT mixed with IT – each with its own security tooling and its own interpretation of risk. The result is fragmented visibility. Teams aren’t looking at one coherent picture of organizational risk; they’re stitching together outputs from a dozen different tools that weren’t built to talk to each other.

And even within those tools, the limitations run deep. Point-in-time scans create stale data the moment the scan completes. Ephemeral assets – containers that spin up and die in minutes, temporary test environments – fall through the gaps entirely. CVSS scores, while useful, don’t account for context: a 9.8 CVSS vulnerability sitting on an isolated, internet-disconnected system is far less urgent than a lower-scoring but weaponized vulnerability on an exposed asset that sits further down the queue.

With nearly 50,000 CVEs published in 2025, no team is remediating everything. The real question isn’t how many, it’s which ones actually matter. And that’s a question traditional vulnerability management was never built to answer at this scale.

Why the Speed Gap Is Now the Biggest Threat

The structural vulnerability management limitations would be manageable if attackers were slow. They’re not.

Mean time-to-exploit is down to 20 hours as attackers use AI to compress every stage of the process, with agentic frameworks that can traverse networks in real time, no human in the loop required.

Meanwhile, defenders are navigating approvals, compliance requirements, risk tolerance frameworks, and organizational controls. Attackers have none of that. They move fast, experiment freely, and break things without consequence. It’s not a fair fight.

And it’s getting more complicated. The rise of vibe coding is quietly expanding the attack surface in ways traditional vulnerability management can’t detect. The SANS whitepaper cites a real example in which a developer used Claude Code to expose an internal application to the internet via Cloudflare. No configuration, no security review. Within 10 seconds of exposure, attackers were already probing it.

This is the new reality. Exposure paths are being created faster than most security teams even know to look for them.

How to Use AI for Vulnerability Management – The Shift That Changes Everything

The instinct is to go faster. More scans, more patches, more coverage. But speed without direction just means doing the wrong things quicker. Knowing how to use AI for vulnerability management isn’t about accelerating the old process – it’s about changing what you’re optimizing for entirely. AI alone doesn’t improve vulnerability management; what matters is where and how it’s used.

Here’s what that looks like in practice:

Consolidate your data first

AI amplifies whatever it’s fed. Fragmented, siloed data produces fragmented, siloed insights – just faster. Before anything else, normalize data across all your tools and environments into a single unified platform. This is the foundation everything else is built on.

Stop thinking in lists, start thinking in graphs

Attackers don’t work through a ranked CVE list; they map paths to your most critical assets and find the fastest route there. AI can apply that same attacker logic defensively, helping teams identify which vulnerabilities sit on the highest-risk paths rather than just which ones score highest on CVSS.

Use AI for continuous discovery

Containers, serverless functions, ephemeral test environments – these assets appear and disappear faster than any point-in-time scan can track. AI-driven classification can identify patterns and flag risk in infrastructure that traditional asset management never even sees.

Act on real-time exploitability intelligence

Not every vulnerability is equal, and not every critical vulnerability is actively being exploited right now. Layering in KEV status, proof-of-concept availability, and patch readiness means your team is always working on what actually matters today.

Measure attack paths eliminated, not patches shipped

Removing a single critical path to a crown jewel asset can do more for your risk posture than closing out dozens of lower-priority CVEs. That’s the core reframe of modern exposure management, and it’s where AI for vulnerability management delivers its biggest impact.
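The graph-based prioritization, KEV layering, and “attack paths eliminated” metric described in the five practices above, as an added worked example (not code from the whitepaper or from SANS). The asset graph, the placeholder CVE ids, and the CVSS/KEV values are all constructed; a hop counts as exploitable only when the target asset still carries an unpatched, KEV-listed vulnerability.

```python
"""Attack-path prioritization over a constructed asset graph (added example).

An edge A -> B means an attacker who controls A can reach B, and the hop
succeeds only if B still has an unpatched vulnerability with exploitation
intelligence behind it (here: a KEV listing). Each route from the internet
to a crown-jewel asset is one attack path; a fix is scored by how many
of those paths it removes, with CVSS used only as a tie-breaker.
"""

# Constructed inventory with placeholder CVE ids: asset -> [(cve, cvss, in_kev)]
VULNS = {
    "web": [("CVE-0000-0001", 7.5, True)],
    "vpn": [("CVE-0000-0002", 8.8, True)],
    "app": [("CVE-0000-0003", 6.5, True), ("CVE-0000-0004", 9.0, False)],
    "db":  [("CVE-0000-0005", 8.1, True)],
    "lab": [("CVE-0000-0006", 9.8, False)],  # no inbound edge: unreachable
}
# Constructed reachability graph; "lab" has no route in from the internet.
EDGES = {"internet": ["web", "vpn"], "web": ["app"], "app": ["db"],
         "vpn": ["db"], "lab": ["db"]}
CROWN_JEWELS = {"db"}


def exploitable(asset, patched):
    """True if the asset still has an unpatched, KEV-listed vulnerability."""
    return any(in_kev and cve not in patched
               for cve, _, in_kev in VULNS.get(asset, []))


def attack_paths(patched=frozenset(), start="internet"):
    """Enumerate simple paths from start to a crown jewel via exploitable hops."""
    found = []

    def walk(node, path):
        for nxt in EDGES.get(node, []):
            if nxt in path or not exploitable(nxt, patched):
                continue
            if nxt in CROWN_JEWELS:
                found.append(path + [nxt])
            else:
                walk(nxt, path + [nxt])

    walk(start, [start])
    return found


def paths_eliminated(cve):
    """Number of attack paths that disappear if this single CVE is patched."""
    return len(attack_paths()) - len(attack_paths(frozenset({cve})))


def prioritize():
    """Rank CVEs by attack paths eliminated (desc), then CVSS (desc)."""
    all_vulns = [v for vs in VULNS.values() for v in vs]
    scored = [(cve, paths_eliminated(cve), cvss) for cve, cvss, _ in all_vulns]
    return sorted(scored, key=lambda t: (-t[1], -t[2]))
```

In this graph the two highest-CVSS findings (9.8 and 9.0) eliminate zero paths, while the 8.1 on the crown-jewel database removes both routes in, which is the reframe the section argues for.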

Rethinking What “Good” Looks Like in Exposure Management

Changing how you work is only half the shift. The other half is changing how you measure it.

Most security teams are still reporting on patch counts, scan coverage, and vulnerability volume. These metrics aren’t useless, but they measure activity, not impact. A team that patched 500 CVEs last month may have made almost no meaningful dent in their actual risk exposure if none of those CVEs sat on a critical attack path.

The metrics that matter in a modern exposure management program look different: How many attack paths to crown jewel assets were eliminated? What’s the mean time-to-resolution on actively weaponized vulnerabilities? How has blast radius changed over time?

That shift also changes the conversation with leadership. “We patched 300 CVEs this quarter” doesn’t tell an executive anything meaningful about business risk. “We eliminated 12 critical attack paths to our core infrastructure” does. AI can play a direct role in translating technical findings into business-relevant insights that actually land in the boardroom.

The ultimate goal isn’t a shorter patch list. It’s an environment that’s genuinely hard to traverse: one where attackers have fewer paths, less to exploit, and less room to move. That’s what good looks like now.

The Organizations That Win Won’t Fix the Most – They’ll Risk-Reduce the Most

The scale, speed, and complexity of modern environments have simply outgrown what manual processes and fragmented tooling can handle. Knowing how to use AI for vulnerability management isn’t an advanced capability reserved for the most mature security programs – it’s quickly becoming the baseline for any team that wants to stay ahead of attackers rather than perpetually clean up after them.

The organizations that come out on top won’t be the ones with the longest patch lists. They’ll be the ones that consolidated their data, thought in attack paths, and focused relentlessly on reducing real risk, not just activity metrics.

Want the full picture? Download The Exposure Gap: From Vulnerability Management to AI-Driven Attack Surface Control.