A
You're listening to the Cyberwire Network, powered by N2K.
B
Welcome to this edition of Cyberwire X. I'm Dave Buettner. Vulnerability management has always been a race against time. But as artificial intelligence accelerates both the discovery of software flaws and the speed at which attackers can exploit them, that race is moving faster than ever. For large enterprise software companies, the challenge is no longer just finding vulnerabilities. It's determining which ones matter most, mobilizing the right teams, and reducing risk at scale. Joining me today are Daniel Ventura, Senior Manager of Adobe's Vulnerability Operations Center, and Sangeeta Arora, Director of Vulnerability Management at Adobe. Together, they share how Adobe is evolving its approach to vulnerability management in the age of AI, from improving prioritization and strengthening cross functional partnerships to balancing the need for speed with meaningful security outcomes. That's all ahead on this episode of Cyberwire X. Adobe empowers everyone everywhere to imagine, create and bring any digital experience to life. From creators and students to small businesses, global enterprises and nonprofit organizations, customers choose Adobe products to ideate, collaborate, drive business growth and build remarkable experiences. But in today's digital world, trust is what makes bold ideas possible. Trust empowers creativity, and it starts with security by protecting the customers and communities who use Adobe products every day. That's why Adobe partners with the global security research community through its Bug Bounty program hosted on HackerOne. The program invites ethical hackers from around the world to help find and report vulnerabilities, helping keep millions of customers secure and maintaining the trust that powers the Adobe brand. So if you're a researcher ready to make an impact, check out Adobe's public program at hackerone.com/adobe.
Well, before we dig into talking about vulnerability management, I'd love to learn a little bit about each of you. What led you to your position at Adobe? Sangeeta, why don't I start with you?
A
So I've actually been at Adobe for over 20 years now, and my career here has evolved quite a bit over the last two decades. I spent the first half of my career in IT doing various different things, and then I moved into cybersecurity about nine years ago. In the beginning, I started out by building our third party security review capability, and then I took on penetration testing for all of our products and services. And then about three years ago, I stepped into leading vulnerability management at Adobe. Today I lead the broader vulnerability management function, which includes penetration testing, our Bug Bounty program on HackerOne, vulnerability operations end to end, as well as third party security.
B
Dan, how about you?
C
Yeah, so I've been with Adobe for about six and a half years now. I started out as an IC, an individual contributor, working on the PSIRT team. At that time we were primarily focused on application security and bug bounty related vulnerabilities. But as I'm sure we'll get to in this discussion, there was a strong need to have a much heavier vuln management presence. And so our team evolved over time to take on additional roles and responsibilities that encompass the broader vuln management lifecycle.
B
Well, I think when people hear vulnerability management a lot of folks will initially think of things like scanning and patching. Can you give us a sense of what the work actually looks like inside an organization that operates at the scale of Adobe?
C
Yeah, sure. So it really takes a tribe when we think about vuln management at a large organization. We have various teams across Adobe Security that are performing different types of manual testing and automated testing, looking for vulnerabilities in different pieces of our tech stack and different types of product offerings that we publish to customers. We have a team that will review and assess those vulnerabilities for severity and impact. And then we also have folks that work directly with product teams to help them prioritize their backlog and strategize around effective remediation.
B
Sangeeta, anything to add?
A
Yeah, I think Dan pretty much covered it, but in a large enterprise like Adobe it definitely includes the end to end vulnerability management life cycle. So there are five core things, I would say. We want to make sure that there's asset discovery, so we have a way to discover all of our assets and our cloud environments. Then, like Dan said, testing at multiple layers: we're going to have various different teams that are doing pen testing, we have our external bug bounty program, and we're going to have vulnerability scanning as well as any DAST tools. Then, when we get the findings from those tools, we want to be able to do context driven prioritization, so use multiple different parameters to prioritize those vulnerabilities, and then be able to create tickets for our product teams or alert them that they need to be working on remediation. And then lastly, remediation tracking and validation is a big piece of vulnerability management. We want to make sure that in the end those issues are truly fixed and validated, and we feel comfortable that the vulnerability has been resolved.
B
I'm curious, in the time that you all have been at this, what are some of the things that you've seen change? Have there been evolutions in the way that you all come at your jobs?
C
Yeah. I think the biggest change that we've noticed over the last couple years has been the evolution of AI as it relates to adversaries and our vuln management processes. So this applies to defenders and adversaries alike. You know, on one end we have product teams that are able to generate code and ship much faster, but at the same time, attackers and threat actors can also move from a bug to an exploit at a much faster clip as well. For example, in CrowdStrike's 2026 Global Threat Report, they documented that an AI enabled adversary has increased their operations 89% year over year, just last year in 2025. We also came across some research from IBM in their Cost of a Data Breach report last year. Their research showed that the average breakout time for an adversary, which is the speed at which an attacker can move from initial access to lateral movement, fell to just 29 minutes, with the fastest observed breakout time happening at a staggering 27 seconds. IBM also goes on to mention that one in six of those incidents involved an AI driven attack. Another piece that I found very interesting is, aside from the exploitation piece of this, just the sheer number of CVEs being published across the industry is also accelerating very quickly. Year over year there has been a 28% growth in the number of CVEs published, and more specifically with critical CVEs, there has been a 62% increase in the number of CVEs being published. So I think when we talk about, you know, speed and velocity as it relates to AI, it really means that our vulnerability management processes within organizations need to evolve too. It's not just about more vulnerabilities. It's less time to respond, more ways to be attacked, and a higher likelihood of exploitation as well.
B
Is it fair to say, Sangeeta, that this is sort of a triple threat? That we've got an increase in the volume of vulnerabilities, the speed of exploitation, and even the sophistication of attacks. Are you tracking all three of those concerns?
A
Absolutely, yeah. We have seen a really big change with AI. Basically, AI is becoming the security expert at this point. So like Dan said, it's speeding things up. It's becoming really easy for attackers to move from vulnerability details to making a usable exploit attempt pretty quickly. Also, in addition, phishing and social engineering are becoming so much easier, and that increases the chances of access for these adversaries as well. Well, lastly, I think from an attack surface perspective, it's becoming easier for them to be able to identify the exposed services on the Internet. So if they have a PoC, they're able to find out entry points much faster. So yes, we are. Basically all companies are having to deal with this large surge due to AI. And I know Dan cited some numbers, but this is a pretty dramatic increase. When we see a 60% increase in critical CVEs year over year, just from 2025 to 2020, it is something that is top of mind for all of us as defenders. We just have less time to react, and so prioritization becomes key, and we really need to make sure that we are prioritizing based on exposure and impact to be able to deal with that large volume.
B
How do you balance the speed that's necessary to respond these days with the accuracy that you want your security teams to have? They're under a lot of pressure to move faster than ever, but you don't want to miss things.
C
That's a very good question, because when everything looks critical, it's tough to decide what gets fixed first and how you make sure that you're not missing anything. These types of AI driven threats that we've been seeing have really changed how we think about using the CVSS score to determine our prioritization with product teams. At Adobe, we've begun treating CVSS scoring as a baseline severity signal, not the final decision. We've added and embedded additional factors into our risk assessment process, such as threat intelligence and exploitability, on top of that base CVSS score to really help us assess what needs to be fixed first and determine that prioritization order. We also use additional parameters to help us evaluate prioritization, including vulnerabilities that are published on the Known Exploited Vulnerabilities catalog. Exposure is a good one, such as whether a vulnerable asset is Internet facing or internal. And then we also heavily consider the vulnerabilities that are found against our crown jewel assets. So lastly, to really help us prioritize remediation, we also found it crucial to keep our vulnerability management program dynamic by reprioritizing as the intel changes. Threat actors and exploits evolve over time, and so must we.
B
How has this affected your teams? You know, this shift to AI, the need to prioritize things, how has this changed their day to day?
A
I would say that we are leveraging a lot of automation and AI as well, because it definitely changes the day to day due to the large volume. We want to make sure that we're really giving our engineering and product teams the signal out of the large volume, right? And so prioritization becomes difficult, and we're trying to use all of these contextual parameters in addition to the CVSS score, like Dan outlined: looking at the exposure, whether this is a crown jewel, is there any revenue impact, do we have any mitigating controls? But in order to do that we definitely have to look at some ways of automating. So that's the day to day change for the teams. The Vulnerability Operations Center has to be really innovating on how we can automate some of this prioritization and triage to be able to give the product teams the signal out of the noise.
C
I think one thing to add on top of that is that Adobe Security and our vuln management function are using AI to augment a lot of our existing capabilities. So, as Sangeeta mentioned, detections and testing, patch development, the prioritization that we already spoke about, AI-assisted PR (pull request) creation. If adversaries are using AI, we must too. And so we're looking for ways to augment and embed AI into our existing vuln management functions.
B
How do you all interact with your engineering team? What's the collaboration like there?
C
Maybe I'll speak to the general guidance and recommendations that we've had over the years and then talk about the evolution with the introduction of AI. So some of the core tenets that I believe represent a strong security and product team partnership include things like meeting engineers where they work, whether that's in Jira, ServiceNow or GitHub, and providing actionable findings to those developers and engineers, not just simple raw scanner output. We're actually up-leveling in this area by moving to an action based ticket function that helps us scale our engagement efforts and paint a clearer picture of overarching risk for product teams, so they understand what the issue is, what the impact is and, more importantly, what they need to do to fix the issue. Also, defining clear SLAs based on risk. This goes back to the prioritization conversation we had: not just arbitrary deadlines. So by implementing a more intelligent risk assessment matrix, we're able to embed additional factors and threat intelligence into those decision making pieces. I think lastly, having an embedded security champion that lives and operates with each of the product teams has been extremely valuable to us. And having security toolkits to assist with patch development and secure code improvements has really helped us as well. I think more specifically on the AI piece, in the world of AI vulnerabilities, it's really important for our security organization to help these product teams understand new classes of risk that they might not have been aware of before. Things like prompt injection and model leakage or data exposure are all very prevalent and new with all of these AI tools and features becoming public to customers. Also, leveraging threat models to provide secure design patterns is really helpful to make sure that product teams are building their software and features in a secure manner.
B
Sangeeta, I'm curious, how do you foster a sense of true collaboration between security and engineering to make it feel as though you're equal partners in this effort to make everything that Adobe does be as good as it can possibly be?
A
Absolutely. It is always a partnership, and one of the things that we aim for is to really bring everyone along and work towards the betterment and improvement of the security posture at Adobe. So we have the security champions embedded within the product teams. That really helps when we're making improvements or changes to any of the processes. We definitely partner with the champions so that not only are they aware, but they're also really championing the effort within the product teams and giving us really good feedback on how we, security, can help them get to a better state faster and in a more automated fashion. So that has really been helpful as a model. And then also one of the things that we're doing is embedding AI in the entire lifecycle. So for example, threat modeling, right? So when they're developing the product or when they're developing the release, we want to make sure that they're able to come to security and get that feedback early on in the life cycle and not wait for once it's released. Post that, we also work with them on pen testing. We want to make sure that any new features, any new scope, are pen tested in a timely manner. And then after that, we're also continuing to work with them on how to give them better context and be able to give them fixes and patch fixes within the tickets, or even PR fixes, and how we can develop things that will really help them so that they can build better products. So we really just want to make sure that they're enabled to do what they're doing, while security is really helping them and working with them in parallel. So it's really a true partnership, and we are striving to continue to make that better, especially in this AI era.
B
I'm curious for our listeners, are there any words of wisdom that you have, your lessons that you all have learned along the way that they could benefit from your wisdom, the successes and the mistakes that you've made along the way? Any lessons to share?
A
If there are a few things that I would want folks to take away, it's three main things. I think we really need to know our exposure and attack surface; that is key. If we don't have visibility into that, that can definitely lead to us having gaps. So really make sure to invest in a real asset inventory: know what's Internet facing, know what's widely deployed, because that is really critical to be able to prioritize the vulnerabilities, especially with a really large volume. Secondly, and I think we talked a little bit about this, prioritization is key: use context, not just CVSS. In these times it is very important for us to be looking at business criticality and exploitability signals. Have a threat intel team that is giving you signals that you can use to prioritize, not just at the time of the vulnerability creation, but also to reprioritize as time goes by and the threat intel changes. That is very important right now. Also be looking for compensating controls that can be used for prioritization as well. What can be mitigated fast? Because, as we know, the time to exploitation is getting really, really small. So we need to move fast, so where we can, look for mitigations until it can be remediated. And then lastly, embed AI into all aspects of the vulnerability management life cycle. This is a journey; I think we're evolving as well in this space. But since the adversaries are using it, I think the defenders have to use AI as much as we can. So use it to test your code, use it to test your products, for triage, for prioritization, for ticketing, for providing context to your engineering and product teams, as well as just automating all aspects to remove the manual toil. So those are the three things that I feel have been really key that we have discovered in this journey.
B
Dan, how about you? Anything to add?
C
Yeah, I think Sangeeta covered most of the takeaways that I could think of. I think maybe the one last piece to add is that one of the advantages that an organization has when leveraging AI to help drive vulnerability management is context. I think there's a lot more information and context that we as employees of an organization have to help us orient ourselves around prioritization and where our most risky assets are, and maybe where there are strong protections or areas that can be further hardened. My main takeaway would be to leverage that internal context to help us speed up the vulnerability management function.
B
I'm curious how each of you measures success if vulnerability management is ultimately about reducing risk. How do you put a measuring stick on that?
C
Yeah, so I'll take a stab at answering this first. We've invested a lot of effort into evolving our vulnerability management metrics and security posture at Adobe. It's no longer sufficient to just measure SLA adherence and our product teams fixing vulnerabilities by the given SLA that the Security Org sets. We're measuring things like threat intelligence trends, time to remediation, accuracy in risk rating, and time to triage. There are a lot of different aspects that go into vulnerability management, and so those factors all contribute to the overarching metrics of success when we think about vulnerability management. On the product side, we've also developed a security risk posture scorecard in which we present this data, everything I just mentioned, in a consumable way to product teams and their leadership to help them understand how they are performing across the various different types of vulnerability management initiatives that the Security Org has product teams working on.
B
Sangeeta, anything to add there?
A
Definitely. Like Dan said, in addition to just looking at SLA adherence, we want to see time to triage, time to remediate, and time to attribute is another one. Like I touched on with asset inventory, really making sure that the time from vulnerability discovery to when it can be attributed to an owner is really, really small and can be done in real time, that is critical. And then lastly, one thing I would say is looking for systemic trends. That's another metric to keep an eye on: not just one vulnerability at a time, but making sure that you have metrics or dashboards that identify any systemic trends that need to be looked at for a particular product or a particular area. And of course the scorecard that Dan mentioned has been really helpful, because it gives the product teams one place to go to be able to see what their security posture looks like from different areas. And it includes vulnerability data as well.
C
One other metric of success that I forgot to mention is very interesting, and that's visibility. It's interesting when we think about ticket SLAs, even time to remediation and all the things we just talked about: it only goes so far as what the security organization can see. And so for example, if we have 99% SLA adherence and we're crushing it across all of our metrics, but we're actually only able to see maybe 20% of the company, as an example, that paints a very different picture compared to those metrics alone. And so that's one area that we're also measuring success in: making sure that our Security Org is able to see what's going on across our organization at different levels of the tech stack.
B
Our thanks to Daniel Ventura, Senior Manager of Adobe's Vulnerability Operations Center, and Sangeeta Arora, Director of Vulnerability Management at Adobe, for joining us and sharing their perspectives on how vulnerability management programs are adapting to a rapidly changing threat landscape. As AI continues to reshape both offense and defense, organizations will need strategies that help them move quickly, focus on what matters most, and drive measurable risk reduction. Thanks for listening to this episode. For more conversations with industry leaders tackling today's most important cybersecurity challenges, visit TheCyberWire.com. I'm Dave Buettner. We'll see you back here next time.
Date: June 14, 2026
Host: Dave Buettner, N2K Networks
Guests: Daniel Ventura (Sr. Manager, Vulnerability Operations Center, Adobe)
Sangeeta Arora (Director of Vulnerability Management, Adobe)
This episode of CyberWire X explores how vulnerability management is evolving amidst the rapid acceleration of AI – both as an enabler for defenders and as a tool supercharging attackers. Host Dave Buettner sits down with two Adobe leaders, Daniel Ventura and Sangeeta Arora, to discuss the new urgency in discovering, prioritizing, and remediating vulnerabilities at enterprise scale. They cover the impact of AI on threat volume, attack velocity, and exploitation sophistication, and share actionable insights on leveraging automation, strengthening engineering partnerships, and redefining success metrics in this high-speed cyber landscape.
[13:19–17:29]
Security champions are embedded within product teams, providing hands-on partnership, advocacy, and real-time feedback.
Focus is on actionable ticketing, context-rich findings, and clear SLAs based on dynamic risk assessment (not just speed).
AI is embedded throughout the lifecycle, including secure design, threat modeling, and even automated PR fixes.
“We really just want to make sure they're enabled to do what they're doing, while security is really helping them and working with them in parallel. So it's really a true partnership...” — Sangeeta Arora [15:47]
“The average breakout time for an adversary... fell to just 29 minutes, with the fastest observed at a staggering 27 seconds.”
— Daniel Ventura [06:29]
“AI is becoming the security expert at this point... It’s becoming really easy for attackers to move from vulnerability details to making a usable exploit attempt pretty quickly.”
— Sangeeta Arora [08:45]
“We've begun treating CVSS scoring as a baseline... not the final decision. We've added and embedded additional factors into our risk assessment process such as threat intelligence and exploitability.”
— Daniel Ventura [10:15]
“Embed AI into all aspects of the vulnerability management life cycle... since the adversaries are using it, the defenders have to use AI as much as we can.”
— Sangeeta Arora [17:45]
“If we have a 99% SLA adherence... but we're actually only able to see maybe 20% of the company... that paints a very different picture.”
— Daniel Ventura [22:47]
This episode delivers a candid look at how a company as large and visible as Adobe is adapting its vulnerability management programs to match the speed and intelligence of AI-powered adversaries. Key takeaways: automation and context-driven risk assessment are essential, collaboration with engineers is paramount, and defenders must both innovate and measure their efforts holistically to keep pace in this new, accelerated environment.