TechChannels Expert Insights

Q&A: Sysdig CISO-in-Residence Conor Sherman Says As AI Speeds Up Threats, Open Source Offers the Flexibility to Keep Pace

Written by Teri Robinson | May 1, 2026 10:39:53 PM

As AI rapidly reshapes cybersecurity, organizations are facing a fundamental shift in how they defend against threats, manage risk, and build security teams.

TechChannels spoke with Sysdig CISO-in-Residence Conor Sherman, who contends that the speed and scale of AI-driven threats are forcing a move toward real-time defense, open source innovation, and a more adaptive security workforce.

Q. What’s happening in the market right now, particularly around open source and AI?

A. I’d love to dive into that. AI assistants are phenomenal at writing code—60% of developers are coding with this, but of course there are issues that come along with that, because you have this incredible speed, this incredible intelligence, and if you don’t have the guardrails you make mistakes. We’re at an incredible moment of change with AI, and open source is going to have its day like it hasn’t before because we need systems that are flexible. Real-time, adaptive protection is only possible because of open source and the speed of its community.

Q. There’s skepticism around open source, especially with AI. Is that concern valid?

A. I actually think the opposite is true. We’re in a world where breaches are happening in under 10 minutes, so when I talk to the CISO community, my refrain, over and over again, is you have to “assume breach.” As a defender, the only way you stay on top of that is to have flexibility when you come across edge cases or organization-specific risks. Open source lets you do that. It’s not that everyone will roll their own defenses, but you’re not going to meet the moment if you’re just looking at posture and guardrails.

Q. How is AI changing the threat landscape?

A. Threat actors are using AI just like defenders are. They’re doing more of what already worked—phishing, credential harvesting—but at much lower cost and much higher volume. At the same time, timelines are collapsing. We’ve seen cases where attackers go from discovering a vulnerability to gaining full control of an environment in under 10 minutes. Even more striking, vulnerabilities are now being weaponized in under 24 hours, sometimes in less than 20. If your strategy is just to patch faster, that’s not going to work—you simply can’t patch production environments that quickly.

There has been and always will be an entirely economic or political reason why the threat actors exist. We dress them up like Hollywood villains, but they're just either directly or indirectly acting on behalf of a government to do something political, or they want money. That's it.

Q. What new risks are emerging with AI tools?

A. AI agents introduce a new class of risk because they can take action autonomously. I had an experience flying on a plane to RSA where I asked my agent to do something and it found an MCP server for that—and asked if I wanted to hit it. One button away, and it would have routed all my data through unknown, unvetted software. That’s the challenge: the ability to ‘go do something’ is incredibly powerful, but it also requires control. We now need runtime protection not just in cloud workloads, but inside coding agents and on developer desktops—places we never had to secure in this way before. When you are that close to making a mistake, it's an interesting moment to be a security leader, because now suddenly, you're thinking about problem sets you hadn't had to think about three years ago. Your agent is making tool calls on MCP servers, so you want to have something that's inspecting that in real time. And again, this is not something that we had thought about when we went into the coding world a few years ago, but clearly, the way this is maturing, and we're seeing the threats and risks coming out, you need runtime protection.

Q. What does effective defense look like now?

A. Telemetry is still foundational—you can’t protect what you can’t see—but it’s not enough to just watch. No one gets in trouble for looking at logs, but that doesn’t actually protect the organization. We need to move from observation to action. What are your active defenses? What is actually stopping threats in real time? Ultimately, it becomes a closed loop of visibility, decision, and response. Without all three, you’re only halfway there.

Q. How is this changing the cybersecurity workforce?

A. Security leaders need to create real on-ramps for teams to learn AI. Telling people to ‘just experiment’ isn’t helpful. One of the most concerning things I hear is, ‘I’m too busy to learn.’ If leaders don’t have time to skill up, their teams won’t either. We need structured opportunities—workshops, hackathons, dedicated time—to build that muscle. Otherwise, we won’t keep up with how fast threats are evolving.

Q. How are roles evolving?

A. AI is really the moment of the practitioner. Individuals now have the tools to solve complex problems directly. At the same time, we’re seeing convergence across roles—offensive security, vulnerability management, and defense are all coming together. What used to take years of specialization can now be accelerated with AI. The teams that succeed will be the ones that remove silos and create tight feedback loops between finding, fixing, and defending.

Q. Can regulation keep up?

A. It’s difficult. If regulation is too prescriptive, it’s outdated before it’s even implemented. But doing nothing isn’t an option either. The best approach is principle-based guardrails—focused on reducing harm rather than defining specific technologies. And we have to remember, threat actors don’t follow the law, so regulation has to support defenders without slowing them down.

Q. What needs to change going forward?

A. The biggest issue is that defenders are adopting capabilities much more slowly than attackers. Exploitation timelines have collapsed from months to days—or even hours—while organizations still take weeks to patch. We need real-time protection and faster remediation. That means not just better tools, but a workforce that understands how to use AI effectively and a culture that supports experimentation and adaptation.

AI is accelerating both sides of the cybersecurity equation, compressing the time between vulnerability and exploitation while raising the stakes for defenders. As Sherman makes clear, traditional approaches—reactive controls, siloed teams, and slow remediation cycles—are no longer sufficient in an environment measured in minutes, not days.

The path forward will depend on real-time protection, open and adaptable technologies, and a workforce equipped to harness AI rather than chase it. Organizations that can close that gap stand to turn AI from a source of risk into a powerful defensive advantage.