Howdy, everyone. I’ve just been given a regular column here to write about vulnerabilities, cybersecurity, and the history of information security. I currently work at runZero, where I serve as vice president of security research — which essentially means I spend most of my days surrounded by an exceptionally talented and passionate team who are also remarkably sharp and resourceful. We share the conviction that it really is possible to secure networks by applying clever, creative strategies to exposure management.
I’m thrilled to be writing for this outlet, and you might assume I’d launch into a lengthy discussion about CVE-identified vulnerabilities and the CVE program itself. After all, I sit on the CVE board, was most recently the section lead for the KEV catalog at CISA, and I’ve spent a good chunk of my career juggling patch cycles, developing exploits and Metasploit modules, and identifying novel network-based attacks (so I tend to ramble about CVEs on Mastodon and Bluesky quite a bit).
But you’d be mistaken! While I consider CVEs to be a critical — even foundational — piece of any modern security program (and I’ll certainly dig into specific CVEs and the program itself down the road), I’m not sold on the idea that we should be completely obsessed with exploits and bugs. After forty years of personally responding to (and sometimes creating) cybersecurity incidents, it’s become obvious to me that most organizations get into trouble not because they neglected to patch some critical internal database, but because the networking landscape is fundamentally tilted against the defenders.
Tabletop RPGs and Foretelling What’s to Come
I recall attending DunDraCon back in 1989, where I first encountered Cyberpunk 2020 by Mike Pondsmith, published by R. Talsorian. (You’re likely familiar with the video game Cyberpunk 2077; this pen-and-paper tabletop RPG is the direct predecessor to that title.) In any case, I noticed the upcoming second edition being playtested at the conference, and as a teenage hacker, I was immediately drawn to the more fully developed “Netrunner” character class. We had a blast — the combat system was far more chaotic and fast-paced than D&D, the cybernetic and neural enhancements felt much more exciting than spells and potions, and naturally, the dystopian late-stage capitalism theme was endlessly appealing in a dark sort of way.
After finishing a session, I was handed a feedback card. Keep in mind, this was the late ’80s — point-to-point networking was the norm, and to accomplish anything, you first had to figure out how to establish a handshake, decode the protocol, and essentially learn every operating system from the ground up. So my feedback went something like: “I really enjoyed the simulated hacking mechanic, but it feels a bit too streamlined and simple. It’s hard to believe that in the future, nuclear power plants and banks would all sit on the same networks that are already crawling with hackers and criminals.”
Boy, did I get that wrong.
Universal Connectivity Is Wonderful — Until It Isn’t
Jump ahead to the present day, and there are simply countless things that can go wrong when you’re trying to secure a standard TCP/IP network — along with every server, desktop, cloud instance, phone, hypervisor, and operational technology (OT) device that’s been bolted on. I’d argue that the very first, core problem defenders face is that the entire planet has embraced the “IP” portion of TCP/IP. After all, the “I” stands for Internet, so given enough time, virtually everything that communicates via IP will end up exposed and accessible on the internet — and that’s simultaneously the most remarkable feature of TCP/IP and its greatest vulnerability.
Recent developments highlight this inherent weakness in modern network security. Google’s 2026 M-Trends report emphasizes that “exploits were the most commonly observed initial infection vector in 2025,” with exploited vulnerabilities accounting for 32% of all initial access methods. That sounds significant!
Of course, the flip side of that statistic is that the remaining 68% — more than two-thirds — of initial access attacks do not depend on exploiting a technical vulnerability at all. The reason is straightforward: given enough creativity, time, and luck, everything is reachable.
But What About Zero-Trust?
Security practitioners have long understood that the dividing lines between internal and external networks are, at best, theoretical — and these lines shape today’s intrusion defense strategies. For roughly 15 years, “zero-trust” has been an aspirational goal: identity and authorization woven into every network transaction, no matter where it originates. However, this approach is frequently hindered by legacy systems that supposedly “can’t” be managed this way. Even worse, even when CTOs and CISOs feel confident in their carefully constructed perimeters, someone inevitably connects a printer across the IT and OT networks, and from there, shadow-IT chaos takes over.
The standards underlying TCP/IP are extraordinary in their ability to enable interoperability, letting systems communicate freely, and routers actively route around damaged connections — even when those broken connections are deliberate blocks. While this deep interconnectivity is fantastic for innovation, industry, commerce, entertainment, art, and everything else, it is an absolute, measurable catastrophe from a security standpoint.
The network itself actively works against the notion that only certain computers should be permitted to communicate with certain other computers, automatically and intelligently, without physically severing connections or swapping cables. It’s no surprise that the majority of breaches today can be traced back to a stray network bridge here or a misdirected email there, rather than a failure to apply patches.
Securing any enterprise is profoundly challenging due to these structural forces, granting hackers, criminals, and spies a seemingly permanent edge in obtaining and maintaining access — no exploits necessary.
Moving forward, I’ll be using this SecurityWeek column to explore all of these tangents — things like tracking end-of-life trends, examining OT/IT convergence, and the so-called “Layer 8” human-centric dimensions of cybersecurity. And yes, expect the occasional deep dive into particularly fascinating collections of technical software vulnerabilities, whether they’ve been assigned CVE identifiers or not.