AI is accelerating vulnerability discovery faster than any human team can respond. Closing the gap requires a defender that reasons like an adversary.
There's a comfortable assumption baked into most OT security programs: defenders have time. Time to receive a CVE disclosure, evaluate it against their environment, coordinate with vendors, schedule a maintenance window, and deploy a patch or workaround. The entire vulnerability management lifecycle is built on the premise that the gap between discovery and exploitation is wide enough for humans to work within.
That assumption is collapsing. AI-driven vulnerability research, exemplified by Anthropic's Project Glasswing and Claude Mythos, is compressing the discovery side of the equation dramatically. Vulnerabilities that would have taken human researchers weeks or months to find are surfacing in hours. And this isn't a future problem. The 90-day coordinated disclosure timelines are already running.
But here's the part that most coverage of Glasswing misses: the speed of discovery was never really the bottleneck for defenders. The bottleneck is understanding. Knowing a CVE exists is trivial. Knowing whether an adversary can actually reach, chain, and exploit it in your specific environment is the hard part, and that's where the real asymmetry between red and blue lives.
Red Side: Faster Than Ever
An attacker evaluating a new CVE in an OT environment doesn't just check whether the vulnerable software is present. They work backward from their objective. Can I reach the target? What protocols are available for lateral movement? Which management interfaces are exposed? Are there file transfer services I can abuse to stage tools? What compensating controls stand between my entry point and the vulnerable system, and can I work around them?
This is adversarial reasoning, and it's exactly the kind of multi-step, context-dependent analysis that AI excels at. When the red side gets AI-assisted tools that can discover vulnerabilities AND reason about exploit chains, the speed advantage compounds. It's not just more CVEs faster. It's more weaponizable intelligence faster.
For OT environments, this is particularly dangerous. Industrial control systems often have predictable architectures, limited protocol diversity, and compensating controls that were designed for safety and reliability rather than adversarial resistance. An attacker who understands the environment can move efficiently through it. And AI is about to make that understanding dramatically cheaper to acquire.
Blue Side: Still Working at Human Speed
Now look at the defender's workflow. A new CVE drops. The security team checks their asset inventory to see if the affected software is present. If it is, they look at the CVSS score, maybe cross-reference it with a threat intelligence feed, and slot it into a prioritization queue. If it scores high enough, someone manually reviews network diagrams to estimate exposure. Maybe they convene a meeting with control engineers to talk through potential impact. Eventually, a decision gets made about whether to patch, apply a workaround, or accept the risk.
Every step in that chain runs at human speed. Every step requires context that lives in different systems, different teams, and different people's heads. And every step introduces delay that an AI-accelerated attacker doesn't have.
The fundamental problem isn't that defenders are slow. It's that they're answering the wrong question. "Is this CVE present in our environment?" is a necessary but wildly insufficient question. The question that actually determines risk is: "Can an adversary chain together enough access, protocols, and pivot points to reach this CVE and exploit it in a way that impacts our operations?" That's a question most OT security teams can't answer at all, let alone at speed.
Agentic Defense: Reasoning Like the Adversary
Closing the red/blue speed gap doesn't mean hiring more analysts or buying more dashboards. It means deploying a defender that reasons the way an attacker does, continuously, at machine speed, across every possible path through your environment.
That's what SAIRA was built to do. Frenos's Simulated Adversary Intelligence Reasoning Agent doesn't wait for a CVE to be disclosed and then check whether you're exposed. It continuously probes the digital twin of your OT environment, processing hundreds of millions of adversarial decisions per second, mapping every viable attack chain before a real attacker gets the chance.
Three capabilities make this fundamentally different from traditional vulnerability management:
-
Reachability analysis. SAIRA doesn't just ask whether a vulnerable system exists on your network. It maps whether an adversary can actually get there. That means chaining together management protocols, file transfer services, and lateral movement techniques across every hop from potential entry points to the target. If there's no viable path, the CVE might be real but the risk to your operations isn't. If there is a path, SAIRA knows exactly which systems and protocols make up the chain.
-
Compensating controls evaluation. Most OT environments have layers of network controls, firewall rules, router ACLs, segmentation boundaries, that were put in place for various reasons over the years. Some of those controls silently block attack paths that the security team doesn't even know about. SAIRA evaluates every compensating control in the digital twin to determine what's actually stopping adversarial movement and what isn't. This cuts both ways: it surfaces false confidence where teams assume a control is protecting them when it's not, and it identifies hidden protection that means a scary-looking CVE is actually unreachable.
-
Exploit chain modeling. Frenos maintains a vulnerability catalog built by reverse engineering proof-of-concept exploits to determine the exact actions and sequence of events that need to occur before a CVE can be exploited. This isn't a theoretical severity score. It's a concrete model of what the adversary has to do, step by step, to turn a vulnerability into an impact. SAIRA runs that model against your environment to determine whether those preconditions can actually be met.
Flipping the Asymmetry
When you combine these three capabilities, something interesting happens. The defender stops being reactive and starts operating ahead of the attacker.
Traditional security is a race where the red side sets the pace. A vulnerability gets discovered, disclosed, and eventually weaponized, and the blue side scrambles to respond before exploitation occurs. The defender is always behind, always reacting, always constrained by the time it takes humans to understand what's actually at risk.
With SAIRA running continuous adversarial simulations against the digital twin, the math changes. Every CVE in the vulnerability catalog has already been modeled against your environment. The reachability analysis is already complete. The compensating controls have already been evaluated. When a new disclosure drops, the defender already knows the answer. Not "this CVE has a 9.8 CVSS score," but "this CVE is reachable via three protocol hops from the engineering workstation subnet, the existing firewall rules on VLAN 42 don't block the required management protocol, and the exploit requires write access to a file share that's currently open to authenticated users."
That's not a vulnerability report. That's an adversary's operational plan, generated by the defense, before the adversary even starts.
The Post-Glasswing Security Model
Project Glasswing didn't just accelerate vulnerability discovery. It revealed what was already true: the red/blue speed gap in OT security was unsustainable, and the only thing masking it was the relatively slow pace of manual vulnerability research. Now that AI has removed that constraint, the gap is exposed.
The answer isn't to run faster on the same treadmill. More analysts reviewing more CVEs against more spreadsheets won't close the gap when the volume of disclosures is accelerating exponentially. The answer is to change the model entirely, from reactive human-speed triage to continuous AI-driven adversarial simulation that already knows the answer when the question arrives.
The red side has agents now. The blue side needs them too.
Frenos is the industry's first simulated OT penetration testing platform, combining digital twin technology with SAIRA, an AI reasoning agent that thinks like an adversary to reveal every attack path in your OT environment, risk-free.
Learn more at frenos.io.
.jpg)
