The Future of Cyber Defense: A New Mentality for the AI Age

11 Aug 2025
Jay Kaplan

Jay Kaplan is Synack CEO and co-founder.

During my time at the National Security Agency and the Department of Defense, I learned an underlying truth about conflict: you don’t win by building higher walls; you win with superior intelligence and superior speed. The principles of offense and defense that I applied to protect our nation’s most critical assets are the same principles that govern the digital battlefield today. But the battlefield itself has transformed into something our legacy tools and strategies were never designed to handle.

We are facing a crisis of scale. Security teams are not just struggling; they are being systematically overwhelmed. This is not a failure of talent or effort. It is a fundamental mismatch between the speed and scale of modern threats and the human-centric processes we use to fight them. 

Consider the raw numbers. In 2024 alone, the industry witnessed the publication of over 40,000 new Common Vulnerabilities and Exposures (CVEs)—a staggering 38% increase from the previous year. This flood of vulnerabilities equates to an average of 108 new potential threats arriving every single day, or one new CVE emerging roughly every 17 minutes.

It is mathematically and logistically impossible for any security team, no matter how large or well-funded, to manually assess this volume of incoming threat data. This explosion in CVEs is not just a technical problem; it’s an economic one. Each new CVE represents a decision cycle—assess, prioritize, assign, patch, validate—that consumes finite human resources. With threats growing while security budgets and headcounts do not, every organization is accumulating a massive and unsustainable “security debt.” Teams are forced to ignore a growing percentage of vulnerabilities, not by choice, but by necessity. 

The age of purely human-led defense is over. Yet the promise of a purely AI-led defense is a dangerous fantasy. The only viable future for security lies in a new, symbiotic relationship between the scalable intelligence of machines and the irreplaceable ingenuity of humans. This is the core philosophy that has driven us for years at Synack, and it is the principle upon which we have built our most important innovation to date: Sara.

The Attacker’s Unfair Advantage: Speed, AI, and the Collapsing Window of Exposure

The modern defender’s greatest challenge can be summarized in one concept: the “window of exposure.” This is the time between when a vulnerability becomes known and exploitable, and when an organization successfully patches it. For years, attackers have been working to shrink this window, but today, it has all but collapsed.

The speed mismatch is profound. High-profile vulnerabilities are now being weaponized and exploited within hours of their public disclosure. According to researchers at Mandiant, the average time it takes for an attacker to develop an exploit for a newly disclosed vulnerability has plummeted to just five days, down from 32 days only a year prior.

Contrast this with the speed of defense. A 2024 report from Bitsight revealed that the average time to remediate a critical vulnerability is 4.5 months, or 137 days. For high-severity vulnerabilities, the average remediation time stretches to over nine months. This isn’t a gap; it’s a chasm. Attackers are operating at the speed of automation, while defenders are still bound by the speed of human process.

Two landmark incidents serve as stark, real-world case studies of this systemic failure.

The Log4Shell vulnerability (CVE-2021-44228) was a perfect storm. Awarded the maximum CVSS severity score of 10.0, it was a flaw in a ubiquitous Java logging library that had existed unnoticed since 2013, embedded in hundreds of millions of devices and applications. Its exploitation was trivial, allowing attackers to gain total control of a server by simply sending a malicious text string. In the days following its disclosure in late fall 2021, security firms observed millions of attempted attacks per hour. The core challenge for defenders wasn’t just patching; it was the frantic, chaotic scramble to even find where Log4j was running in their environment. It was often present not as a primary application, but as an indirect, nested dependency within other software, making discovery a nightmare. The CISA Cyber Safety Review Board has since highlighted that Log4j will continue to pose a significant problem for organizations for many years to come.
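The nested-dependency discovery problem described above can be made concrete. The following is an added example, not code from Synack or from the original post: a scanner that walks archives inside archives and reports where a log4j-core copy is buried. The sample archive and its file names are constructed for illustration.

```python
import io
import zipfile

# Class shipped in log4j-core 2.x. Its presence shows where a copy lives; the
# version of that copy still has to be checked before calling it vulnerable.
MARKER = "log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 8  # stop on pathological nesting


def find_log4j(data, path, depth=0):
    """Return the nesting path of every archive that carries the marker class."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # named like an archive but is not one
    with zf:
        for name in zf.namelist():
            # endswith() also matches copies relocated under a shaded package prefix
            if name.endswith(MARKER) and path not in hits:
                hits.append(path)
            elif name.lower().endswith(ARCHIVE_EXTS):
                hits += find_log4j(zf.read(name), f"{path}!/{name}", depth + 1)
    return hits


def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed web app: log4j-core sits two levels down inside a vendor SDK."""
    log4j_core = make_zip({"org/apache/logging/" + MARKER: b""})
    vendor_sdk = make_zip({"com/example/Report.class": b"",
                           "lib/log4j-core.jar": log4j_core})
    clean_lib = make_zip({"com/example/Util.class": b""})
    return make_zip({"WEB-INF/lib/reporting-sdk.jar": vendor_sdk,
                     "WEB-INF/lib/util.jar": clean_lib,
                     "index.html": b"<html></html>"})


if __name__ == "__main__":
    for hit in find_log4j(build_sample(), "app.war"):
        print(hit)
```

A listing of the top-level `WEB-INF/lib` entries alone would show no Log4j file name at all; only the recursive walk surfaces the copy inside the vendor SDK.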

More recently, the MOVEit vulnerability (CVE-2023-34362) demonstrated the devastating potential of supply-chain attacks. Exploitation began on May 27, 2023, and within just a few months, the Clop ransomware group had compromised over 2,700 organizations, exposing the personal data of approximately 93 million individuals and inflicting an estimated $9.9 billion in damages. Even though the vendor, Progress Software, issued patches quickly, the complexity of the digital supply chain meant that breaches continued for months. An organization might not have used MOVEit directly, but one of its trusted third-party vendors did, creating a hidden vector for attack.

This already dire situation is being supercharged by the attacker’s new force multiplier: offensive AI. This is no longer a theoretical threat from a science fiction movie; it is a documented reality of the current threat landscape. Adversaries are now leveraging AI to automate and scale their operations in ways that were previously unimaginable. Research suggests that an estimated 40% of all cyberattacks are now AI-driven. 

These are not crude bots. This is AI used to craft hyper-realistic phishing emails that mimic trusted sources with such precision that they are opened by recipients 78% of the time. It is AI used to create adaptive malware that can change its own code to evade traditional signature-based detection tools. And it is AI used to automate reconnaissance, probe for weaknesses and crack passwords at machine speed—one study found that an AI tool could crack 51% of common passwords in under one minute.

This new reality exposes a dangerous flaw in our traditional thinking. For years, we have relied on metrics like the Common Vulnerability Scoring System (CVSS) to prioritize our defensive efforts. While useful in some contexts, the CVSS score has become a woefully incomplete metric. It measures the theoretical severity of a vulnerability in isolation but fails to capture the two variables that matter most to a modern defender: its actual exploitability within their unique environment and the imminent threat actor intent to use it. 

With static CVSS scores flagging 60% of all CVEs as “high” or “critical,” security teams are drowning in a sea of alerts that all scream for immediate attention. They are facing a crisis of signal versus noise. An AI-powered attacker doesn’t care about the highest CVSS score; they care about the path of least resistance to your most valuable asset. This path might involve chaining together several “medium” severity flaws that your team has de-prioritized but that are, in fact, wide open in your environment. A security team spending all its time chasing the highest theoretical scores may be completely blind to the attack path that is actually being prepared against them. They are optimizing for a static metric while the adversary is optimizing for dynamic opportunity.
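The gap between a score-sorted queue and an actual attack path can be shown with a small model. This is an added example, not Synack's method or code from the original post: findings are treated as edges between attacker positions, and a breadth-first search looks for chains from the internet to a sensitive asset. All findings, scores and node names are constructed.

```python
from collections import deque

# Constructed findings: (id, CVSS score, position required, position gained).
FINDINGS = [
    ("F1", 9.8, "internal-net", "print-server"),  # critical, not reachable from outside
    ("F2", 5.3, "internet", "portal-user"),       # medium
    ("F3", 6.5, "portal-user", "portal-server"),  # medium
    ("F4", 5.9, "portal-server", "customer-db"),  # medium
    ("F5", 8.1, "vpn-user", "hr-app"),            # high, needs VPN access first
]


def attack_paths(findings, start, target):
    """Every loop-free chain of finding ids that leads from start to target."""
    edges = {}
    for fid, _cvss, src, dst in findings:
        edges.setdefault(src, []).append((fid, dst))
    paths, queue = [], deque([(start, [], {start})])
    while queue:
        node, chain, seen = queue.popleft()
        if node == target:
            paths.append(chain)
            continue
        for fid, dst in edges.get(node, []):
            if dst not in seen:  # never revisit a position within one chain
                queue.append((dst, chain + [fid], seen | {dst}))
    return paths


def cvss_queue(findings, threshold=7.0):
    """What a score-sorted queue handles first: high and critical findings only."""
    ranked = sorted(findings, key=lambda f: f[1], reverse=True)
    return [fid for fid, cvss, _src, _dst in ranked if cvss >= threshold]


def unaddressed_chains(findings, start, target, threshold=7.0):
    """Chains that stay fully open after everything in the CVSS queue is patched."""
    patched = set(cvss_queue(findings, threshold))
    return [c for c in attack_paths(findings, start, target)
            if not patched.intersection(c)]


if __name__ == "__main__":
    print("CVSS queue:", cvss_queue(FINDINGS))
    print("Open chains to customer-db:",
          unaddressed_chains(FINDINGS, "internet", "customer-db"))
```

Patching any single finding on the chain closes it, so ranking by path membership puts the three medium findings ahead of the unreachable critical one.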

The Machine’s Limit: Why AI-Only Defense Is a Flawed Premise

In response to this escalating threat, the cybersecurity industry has, rightly, turned to artificial intelligence. We are seeing our industry peers launch impressive AI-powered capabilities designed to help customers manage this crisis. CrowdStrike’s ExPRT.AI, Tenable’s AI-powered Vulnerability Priority Rating (VPR), and Rapid7’s Active Risk scoring all leverage machine learning to bring much-needed intelligence to vulnerability prioritization. This industry-wide pivot is a positive development. It validates the core problem and confirms that machine-scale analysis is a critical part of the solution.

However, at Synack, we believe this is only half of the equation. Based on over a decade of experience orchestrating the world’s most talented ethical hackers, we have arrived at a core belief: there remains a persistent and large gap between what even the most advanced AI agent can find and what a creative, determined human attacker can uncover.

This is not a criticism of AI; it is a recognition of its nature. AI excels at the science of hacking: pattern recognition, speed, and scale. An AI agent can test for millions of known vulnerability classes and their permutations across an entire attack surface in minutes—a task that would take a human team years. It can identify misconfigurations, outdated software, and known exploit patterns with breathtaking efficiency.

But humans excel at the art of hacking. They possess ingenuity, contextual understanding and a creative spark that algorithms have yet to replicate. A human attacker understands business logic. They can identify subtle design flaws that aren’t in any vulnerability database. Most importantly, they can chain together multiple, seemingly low-impact findings to create a catastrophic, high-impact breach. An AI might see a file upload vulnerability and a weak session management flaw as two separate, medium-risk issues logged in a report. A human hacker sees a two-step path to remote code execution and full server compromise.

Many of our cybersecurity industry peers rightly emphasize a “human-in-the-loop” approach, where their expert teams can manually override AI-generated outcomes when the machine’s analysis falls short. This isn’t a weakness in their AI; it’s a clear-eyed recognition of the limits of pure automation. For Synack, this human-machine partnership isn’t a feature we’ve recently added; it has been the bedrock of our philosophy since the day we were founded.

This art-versus-science distinction reveals two diverging philosophies on the role of AI in security. The first, which we see gaining traction, is “AI-Augmented Automation.” This approach uses AI to make existing automated processes, like vulnerability scanning and scoring, faster and smarter. The end product is still fundamentally a list of prioritized vulnerabilities, albeit a more intelligent one.

The second philosophy, which Synack champions, is “AI-Augmented Human Intellect.” This approach uses AI as a force multiplier for elite human experts, significantly enhancing their scale, speed, and precision. The goal is not just to produce a better list of problems, but to empower humans to find better answers to the ultimate question: “Am I truly secure?” As attackers continue to leverage AI, the “AI-Augmented Automation” model risks becoming a symmetric, machine-versus-machine arms race. The “AI-Augmented Human Intellect” model, however, maintains an asymmetric advantage. It preserves the unpredictable, creative, and context-aware element of human intelligence—the very thing that is hardest for an opposing AI to model and defeat—allowing human experts to focus on what truly matters, extending their capabilities with greater pace and precision.

A New Paradigm: Announcing Sara and the Future of Active Offense

Today, I am thrilled to announce the realization of our vision. We are formally introducing Sara, the Synack Autonomous Red Agent.

Sara is the embodiment of our philosophy. She is not another scanner or a simple prioritization algorithm. She is an AI agent built from the ground up to think like an attacker. Her purpose is to automate the reconnaissance, discovery, and triage that consumes up to 80% of a human pentester’s time, but to do so with the express goal of teeing up the most interesting, complex, and high-value targets for our elite human experts—the Synack Red Team (SRT).

And with Sara, we are launching our first revolutionary product offering built on her engine: Active Offense.

Active Offense is the product I wish I had when I was defending our nation’s networks. It is a single, unified solution that finally solves the signal-from-noise problem by delivering a complete, end-to-end workflow—from asset discovery to validated exploitability. It moves security teams beyond the world of potential risk and into the world of proven risk.

The Active Offense workflow seamlessly integrates five critical capabilities into one continuous cycle:

| Component | Function | The Problem It Solves |
|---|---|---|
| Attack Surface Discovery (ASD) | Continuously maps and monitors the entire external attack surface, identifying both known and shadow IT assets. | “I can’t protect what I don’t know I have.” |
| Vulnerability Scanning | Ingests data from Synack SmartScan and integrates with leading third-party scanners (like Tenable and Qualys) to identify all potential issues. | “I have a list of 10,000 theoretical vulnerabilities and alerts, creating overwhelming noise.” |
| Sara Triage | The revolutionary step. Sara, our AI agent, autonomously attempts to validate the exploitability of vulnerabilities found by scanners. | “Which of these 10,000 alerts represent a real, verifiable threat that can actually be exploited in my environment?” |
| Exploit & Vulnerability Intelligence | Correlates exploitable vulnerabilities with real-time data on threat actor tactics, techniques and procedures (TTPs), active campaigns and industry targeting. | “Of the threats that are real, which ones are attackers actively using against companies like mine right now?” |
| Human-in-the-Loop (SRT) | Serves as the ultimate escalation path. When Sara confirms a critical exploit or identifies a complex attack path she cannot resolve, the finding can be passed to the Synack Red Team for deeper, human-led penetration testing. | “How do I uncover the novel, creative and business-logic attack paths that a purely automated system will miss?” |

This integrated platform fundamentally changes the nature of vulnerability management. It moves it from a reactive, human-gated process defined by manual decision points—What do we scan? What do these results mean? Which one is real?—into a proactive, autonomous security function. It frees security teams from the soul-crushing, time-intensive work of sifting through endless false positives, a task at which AI excels. Instead, it allows them to become what they were always meant to be: strategic risk managers who focus on the business impact of confirmed threats and orchestrate effective remediation. Active Offense doesn’t just give them more data; it gives them back their time and their focus.

From Months to Minutes: A Zero-Day Scenario in the Real World

To illustrate the power of this new paradigm, let’s walk through a real-world scenario. Imagine a new, critical remote code execution vulnerability is discovered in Microsoft SharePoint. It’s assigned CVE-2025-53770. For most organizations, the announcement of this zero-day kicks off a week of chaos. For organizations using Active Offense, it’s a morning of clarity.

The “Old Way”: A Day of Chaos

  • Hour 0: The CVE is announced. Panic ensues. The CISO’s phone rings off the hook. The board, the executive team and the legal department all want to know the same thing: “Are we vulnerable?”
  • Hours 1-48: The security and IT teams scramble. “Where are we even running SharePoint? Which versions? Are they internet-facing? Do we have an accurate inventory?” They try to configure and run authenticated scans across the enterprise, but credential management is a nightmare and network segments are firewalled off. The vulnerability scanner vendors are still working to develop and release a reliable signature for the new CVE.
  • Week 1-4: The scans finally complete, generating thousands of “potential” findings across the environment. The security team now faces the monumental task of manually triaging these alerts. They must attempt to reproduce the exploit in a safe test environment, a process that consumes hundreds of person-hours and often fails, leaving them unsure if the vulnerability is real or a false positive.
  • Months 1-4: The team is still patching, prioritizing based on incomplete data and best guesses. All the while, attackers have been actively and successfully exploiting the vulnerability for weeks. The window of exposure has been massive, and the organization has been flying blind.

The “Active Offense Way”: A Morning of Clarity

  • Minute 0: CVE-2025-53770 is announced.
  • Minute 1: Active Offense automatically correlates the new CVE with its continuously updated Attack Surface Discovery data. It instantly knows every single SharePoint server the customer owns, its exact version, and its exposure status. There is no scramble, no guesswork.
  • Minute 5: Active Offense triggers targeted scans—using either Synack SmartScan or integrated third-party tools—against only the relevant assets. It doesn’t waste time or resources scanning systems that aren’t affected.
  • Minute 30: The scans return a list of potential findings. Sara Triage immediately begins its work. Sara, our autonomous agent, begins testing each finding, one by one, attempting to safely and verifiably confirm true exploitability.
  • Minute 60: The CISO receives a single, clear, actionable notification on their dashboard: “We have identified 3 servers vulnerable to CVE-2025-53770. Exploitability has been confirmed by Sara. These are the assets to patch immediately. All other 97 SharePoint servers in your environment have been tested and are not susceptible.”

The outcome is transformative. We cut down the vulnerability exposure window from months to minutes. In a world of overwhelming noise, Active Offense provides a clear, actionable signal. This is the ultimate value proposition.

Our Commitment to the Future of Security

The fight against sophisticated, AI-powered attackers cannot be won with last-generation tools or last-generation philosophies. It demands a new model that fully embraces the scale of artificial intelligence while harnessing the unique and irreplaceable ingenuity of human experts. At Synack, we are committed to building and leading this new paradigm.

Sara and the Active Offense platform are just the beginning. We are already working on the next evolution of this technology: a truly agentic pentest offering. This will empower Sara to not only triage known vulnerabilities but to conduct full-scope, objective-based penetration tests, discovering novel attack paths and business logic flaws, all while working in concert with the Synack Red Team. All of this operates from a common platform, enabling organizations to analyze results and drive corrective action directly into their software development life cycles (SDLCs) and infrastructure teams, equipping our customers with a truly end-to-end capability for proactive security testing and vulnerability management.

My experiences have taught me that security is a continuous mission, not a one-time fix. It requires constant innovation and a willingness to challenge old assumptions. The human-machine team is the most powerful force on the modern battlefield, and it is the only way we will secure our collective digital future. The future is bright, and I couldn’t be more excited for what’s to come.