Cybersecurity leaders and practitioners brought their burning AI cybersecurity questions to EXPOSURE 2026. They left with clear answers and a blueprint for building an exposure management program. Get a recap and see highlights from the event in words and pictures. 

For the cybersecurity leaders and practitioners who attended EXPOSURE 2026 in Boston this week, the event could not have come at a better time. 

While momentum for exposure management as a means to proactively reduce cyber risk has been building for more than a year, recent rapid advances in frontier AI models have made it even more critical. 

EXPOSURE ‘26 attendees arrived at Boston’s historic Park Plaza Hotel on Monday, May 18, 2026, just six weeks after Anthropic unveiled its groundbreaking frontier model, Claude Mythos Preview. They showed up with pressing questions about securing AI, the impact of frontier AI models on cybersecurity, and how exposure management can address all that and more. 

They left with clear answers, following an intensive day of training and two days of thought-provoking mainstage and breakout sessions featuring Anthropic Field CTO (Cyber) Brett Andrews, CISOs from GEICO, Smithfield Foods, Munich Re, and EōS Fitness, and Tenable experts. 

EXPOSURE 2026 gave attendees a rare opportunity to catch their breath amid the escalating, machine-speed pace of cybersecurity. It kicked off with an immersive day of training that provided attendees with a blueprint for building a successful exposure management program. And it offered them a chance to compare notes with peers and work collaboratively to develop a game plan for protecting their organizations from AI-powered adversaries with exposure management at its core. 

Cybersecurity’s quadruple AI challenge

Four challenges that AI creates for cybersecurity underpinned every session at EXPOSURE 2026: 

1. Frontier AI models like Anthropic’s Claude Opus 4.6 and Mythos make it vastly faster, easier, and more economical for threat actors to discover new vulnerabilities and build exploits for them.
2. AI creates new attack vectors (e.g., prompt injection, jailbreaks, model poisoning, context poisoning in memory, etc.) that traditional cybersecurity controls weren’t designed to address.
3. AI expands every organization’s attack surface, giving threat actors even more entry points to exploit.
4. AI functions as a force-multiplier for threat actors, giving them speed and the advanced, 32-step reasoning capabilities required to autonomously execute an entire network attack chain.

Anthropic’s Andrews discussed the impact of frontier models on cybersecurity, the threat landscape, and how defenders can leverage AI to their advantage.

To illustrate what organizations are up against, several presentations highlighted the sharp contrast between the steady acceleration in vulnerability discovery and exploitation, and the simultaneous deceleration in organizations’ patching and remediation. 

In 2021, for example, the median time to exploit was 84 days, according to Zero Day Clock. Today, it’s 1.6 days. Meanwhile, in 2025, it took organizations an average of 43 days to patch critical CVEs, up 34% from 32 days in 2024, according to data that Tenable Research contributed to the 2026 Verizon Data Breach Investigations Report (DBIR), which was released on the first day of EXPOSURE 2026. 

Referencing additional data from the DBIR, Tenable Chief Product Officer Eric Doerr noted that 31% of breaches in 2025 began with an unpatched CVE as the initial access vector. This trend will likely intensify, as frontier AI models accelerate vulnerability discovery, unless security teams adapt. 

Doerr also spoke to data from Tenable showing that nearly two-thirds of breaches begin with something that isn’t a CVE, such as a misconfiguration, stolen credential, or exposed secret. He used this stat to prove the point that if you’re only concerned about CVEs, you’re leaving two-thirds of your organization’s attack surface exposed. It’s this other attack surface beyond just CVEs that exposure management addresses. 

AI-powered exposure management: the blueprint for preemptive defense

Presenters used these and other statistics from the DBIR, Tenable’s own telemetry, and other sources to make the case for cybersecurity transformation focused on a preemptive and much more autonomous defense. 

They showed how explosive, enterprisewide adoption of AI combined with AI-enabled threat actors requires that organizations build these exposure management capabilities into their cybersecurity programs: 

• Unified visibility - Continuous, deterministic asset discovery across the entire hybrid attack surface, capturing every vulnerability, misconfiguration, and excessive permission across on-prem and cloud infrastructure, OT environments, and the rapidly expanding AI attack surface.
• Contextual, AI-powered insights - Moving past standard CVSS scores to focus on real-world exploitability and business impact, and mapping viable attack paths to understand exactly how an attacker could move laterally toward core assets.
• Machine-speed action - Shifting from manual workflows to automated, orchestrated fixes. Because human teams cannot triage alerts at machine speed, organizations must deploy agentic AI workflows with appropriate guardrails, including human oversight, to proactively harden posture and isolate active threats.

Tenable CSO Robert Huber shared his experience transforming his vulnerability management program and team into an exposure management program and team, which began two years ago. The impetus was the challenge that Huber and his team faced every quarter when he needed to report on cyber risk to the board of directors: His team had to manually gather, aggregate, harmonize, and analyze data from 50 different security tools that each had their own unique way of reporting on risk. Now, Huber’s team can produce reports in minutes. They’ve also extended their scope of visibility from less than 10,000 assets to more than 100,000 assets and reduced alert to ticket volume by 1,500 to 1, all with the same number of staff. 

A live AI vs. AI attack simulation created and led by Tenable Researchers Robert McSulla and Ben Smith demonstrated the capabilities of a fully autonomous, agentic defense against a fully autonomous, agentic adversary. 

McSulla and Smith impressed several key points upon their audience, including:

1. Speed is not the only factor in AI-driven attacks. Yes, AI makes threat actors faster. It also makes them smarter. The demo showed how the adversarial agents reason, make decisions, adapt, and find new, unmapped attack surfaces.
2. Defenders can gain the same advantages as attackers. Defensive agents proactively assess posture, develop and deploy patches for vulnerabilities, and take other hardening actions to reduce risk and mitigate threats.
3. Security leaders and their teams need to get comfortable with autonomous defense. Consider your tolerance for fully autonomous defensive agents: Would you let them shut down a service, configure firewall rules, rotate credentials, or write and deploy patches? That’s what it takes to keep up with agentic attacks that achieve their objectives within three minutes.
4. It’s time to build a governance framework for agentic defense. McSulla and Smith built a governance framework for the defensive agents in their simulation that determines intent, evaluates severity levels, and applies rules, such as when to require a human to make a decision or take an action.

Custom kicks and other fun 

Amid the seriousness of cybersecurity, attendees got to pick out custom Converse sneakers featuring Tenable’s iconic new branding. 

EXPOSURE attendees also had the chance to experience the perfect summer evening at Fenway Park, home of the Boston Red Sox. 

Tenable announcements at EXPOSURE 2026 

EXPOSURE 2026 was punctuated by a host of significant announcements from Tenable, including:

1. The general availability of Tenable Hexa AI, the agentic engine of the Tenable One Exposure Management Platform that gives preemptive security teams capabilities to operate at machine speed.
2. New AI initiatives with Anthropic to increase the agentic capabilities of Tenable One.
3. A strategic integration with the Claude Compliance API designed to help customers improve their visibility into Claude usage across their organizations.
4. The release of the Tenable One Open Connector, which allows customers to bring third-party, custom, and internal data from any source into Tenable One.
5. The launch of the Tenable Open Partner Exchange Network.
6. The Tenable Research team’s prolific contributions to the 2026 Verizon Data Breach Investigations Report.