SecurityWeek (archived Jun 18, 2026)
Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. The post No Exploits Required appeared first on SecurityWeek .
Well hey y’all. I just got hooked up with this space to somewhat-routinely write about vulnerabilities, cybersecurity, and infosec history. I’m currently at runZero, where I’m the vice president of security research, which basically means that I spend most of my time hanging around with some incredibly bright and devoted people who are also cunning and shrewd. We’re all dedicated to the notion that it is, in fact, possible to secure networks by being smart and creative with your approaches to exposure management.
I’m so excited to be writing here, and you might expect me to go on and on about CVE-identified vulnerabilities, and the CVE program itself. After all, I’m on the CVE board, and was most recently section chief for the KEV at CISA, and I’ve spent a fair amount of my career managing patch schedules, writing exploits and Metasploit modules, and detecting novel attacks on the network (so I often blather on Mastodon and Bluesky about CVEs).
But you’d be wrong! While I believe that CVEs are an important, even foundational, component of any modern security program (and I will explore aspects of individual CVEs and the program in the future), I’m not convinced that we should be totally infatuated with exploits and bugs. After four decades of personally responding to (and occasionally causing) cybersecurity incidents, it’s become clear to me that most people run into trouble not because they forgot to patch some critical internal database, but because the networking deck is stacked against the defenders.
TTRPGs and Predicting The Future
I remember in 1989 at DunDraCon, my first exposure to Cyberpunk 2020 by Mike Pondsmith and published by R. Talsorian. (You’ve probably heard of the multiplayer online game, Cyberpunk 2077; this pencil-and-paper tabletop role-playing game is that game’s direct ancestor.) Anyway, I saw the upcoming second edition being playtested during the conference, and I, being a teenage hacker, immediately gravitated toward the more fully fledged “Netrunner” character class. We had a good time; the combat simulation was a lot more chaotic and swift than D&D, the cybernetic and neurological upgrades were way cooler than spells and potions, and of course, the theme of dystopian end-stage capitalism was infinitely attractive in a grim way.
Anyway, after playing a session, I was offered a comment card. Remember, this was the 80s, point-to-point networking reigned supreme, and to get anything done, you had to first figure out how to negotiate the handshake, puzzle out the protocol, and basically learn every operating system from scratch. So, my feedback was along the lines of, “I really liked the simulated hacking system, but it seems just a little too simplified and straightforward. It’s unrealistic that in the future, nuclear power plants and banks would all be on the same networks that are known to be shot through with hackers and gangsters.”
Oh, how wrong I was.
Universal Connectivity Is Great Except When It Isn’t
Fast forward to today, and there are just so many things that can go wrong when trying to secure a normal TCP/IP network, along with all the servers, desktops, clouds, phones, hypervisors and operational technology (OT) that’s been patched in. I’d argue that the first, fundamental problem defenders run into is the fact that planet Earth has settled on the whole “IP” part of TCP/IP. After all, the “I” stands for Internet, so given a long enough timeline, virtually everything that talks IP will end up exposed and reachable on the internet, and that’s both the coolest thing about TCP/IP, and its ultimate Achilles’ heel.
Recent events underline this fundamental flaw of modern networking when it comes to security. The 2026 M-Trends report from Google plays up the idea that “exploits represented the most frequently observed initial infection vector in 2025,” since exploited vulnerabilities account for 32% of all initial access vectors. That sounds like a lot!
Of course, the unspoken inverse of this stat is that 68% – over two-thirds – of all the rest of initial access attacks do not rely on technical vulnerability exploitation. The reason for this, of course, is that everything is reachable with enough ingenuity, time, and luck.
But what about Zero-Trust?
Security professionals have long known that the boundaries between internal and external networks are at best notional, and that knowledge defines today’s intrusion defense strategies. For about 15 years, “zero-trust” has been an aspirational end-state: identity and authorization bundled into every network transaction, regardless of origin. However, this path is often blocked by legacy systems that “can’t” be managed this way. Worse, even when CTOs and CISOs get comfortable with their carefully structured boundaries, someone invariably bridges a printer from the IT to the OT network, and shadow-IT hijinks ensue from there.
The standards chosen for TCP/IP are incredible in their interoperability, allowing systems to communicate freely, and routers actively bypass damaged connections, even when these broken connections are intentional blocks. While this fundamental interconnectivity is great for innovation and industry and commerce and entertainment and art and all that, it’s an absolute, quantifiable disaster for security.
The network itself is actively working against the idea that only some of these computers should be able to talk to some of these other computers, automatically and intelligently, without physically closing circuits or swapping cables. It’s no wonder that most breaches today can be traced back to an errant bridge here, or a misclicked email there, rather than a failure to patch.
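As an added illustration of the “errant bridge” problem (example code written for this page, not from the column or from runZero), the script below walks a constructed asset inventory and flags multi-homed hosts whose interfaces straddle zones that policy says must stay separated, such as a printer with one foot in IT and one in OT. The zone prefixes, policy pairs and host names are all assumed sample data.

```python
# Added example (not from the column): flag multi-homed hosts that bridge
# network segments which policy says must stay separated, e.g. IT and OT.
# The inventory below is constructed sample data, not real network output.
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed segment map: which zone each prefix belongs to.
ZONES = {
    ip_network("10.10.0.0/16"): "IT",
    ip_network("192.168.50.0/24"): "OT",
    ip_network("172.16.0.0/12"): "DMZ",
}

# Constructed policy: zone pairs that must never share a host.
FORBIDDEN_PAIRS = {frozenset({"IT", "OT"}), frozenset({"OT", "DMZ"})}

# Constructed inventory: host name -> interface addresses seen by discovery.
INVENTORY = {
    "print-03": ["10.10.4.21", "192.168.50.9"],   # printer plugged into both
    "hmi-01": ["192.168.50.12"],
    "ws-117": ["10.10.7.4"],
    "jump-02": ["10.10.1.5", "172.16.2.2"],        # IT<->DMZ is permitted here
}

def zone_of(addr):
    """Return the zone name for an address, or None if it matches no prefix."""
    ip = ip_address(addr)
    for net, zone in ZONES.items():
        if ip in net:
            return zone
    return None

def find_bridges(inventory, forbidden=FORBIDDEN_PAIRS):
    """Return {host: sorted zone list} for hosts straddling a forbidden pair."""
    findings = {}
    for host, addrs in inventory.items():
        zones = {z for z in map(zone_of, addrs) if z is not None}
        if any(frozenset(p) in forbidden for p in combinations(sorted(zones), 2)):
            findings[host] = sorted(zones)
    return findings

if __name__ == "__main__":
    for host, zones in find_bridges(INVENTORY).items():
        print(f"{host}: bridges {' <-> '.join(zones)}")
```

Run against a real discovery export, the same logic turns a “someone bridged a printer” anecdote into a repeatable check.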
Securing any enterprise is profoundly difficult due to these fundamental forces, giving hackers, criminals, and spies a seemingly permanent advantage in gaining and keeping access, no exploits required.
Going forward, I’ll be taking up some SecurityWeek column-inches to pursue all these side quests, like tracking end-of-life trends, investigating OT/IT convergence, and the so-called “Layer 8” human-centric issues of cybersecurity. And yes, expect the occasional indulgence in deep-dives on particularly interesting sets of technical software vulnerabilities, CVE-identified or otherwise.
WRITTEN BY
Tod Beardsley
Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.