
RSAC 2026: Security Leaders Warn AI Exploit Discovery Has Gone Exponential — Next 2-3 Years Will Be 'Insane'


At RSAC 2026 in San Francisco (March 27, 2026), three of the most prominent security leaders in the industry delivered a joint warning that AI-driven vulnerability discovery is creating what they described as a 'perfect storm' for attackers over the next 2-3 years.

KEY SPEAKERS AND THEIR WARNINGS:

  1. Kevin Mandia (Founder, Armadin AI Security):
  • His company has built AI agents capable of autonomous network penetration
  • Unlike human attackers who manually type commands, AI agents operate across hundreds of threads simultaneously
  • 'It is a perfect storm for offense over the next year or two'
  • 'Because of the asymmetry in the cyber domain, where one person on offense can create work for millions of defenders, speed leverages that asymmetry'
  2. Alex Stamos (CSO, Corridor; raised $25M from Felicis, Lux Capital, with angels from Anthropic, OpenAI, Cursor, Cognition):
  • 'The exploit discovery has gone exponential'
  • Foundation model companies are sitting on thousands of AI-discovered bugs they lack capacity to verify or patch
  • An AI system discovered a flaw in foundational Linux kernel code that humans overlooked for years
  • 'This superintelligent system was able to figure out a way to manipulate the machine into a place that, when you look at the bug, I am not sure how a human could have found that'
  • Predicts AI will generate sophisticated EternalBlue-level exploits on demand within 12 months
  • When Chinese open-source models (DeepSeek, Qwen) reach current American model capability: 'you are going to have every 19-year-old in St. Petersburg with the same capability' as elite vulnerability researchers
  3. Morgan Adamski (Former Executive Director, US Cyber Command):
  • Confirmed the operational reality of AI-accelerated threats from a government defense perspective

BROADER RSAC 2026 CONTEXT: The conference was dominated by AI agent security themes:

  • Palo Alto Prisma AIRS 3.0: kill-switch capability for misbehaving AI agents
  • Geordie AI named 'RSAC 2026 Most Innovative Startup' for AI security
  • Corridor ($25M raise) building Agentic Coding Security Management (ACSM) platform
  • Sysdig launched runtime security for AI coding agents at syscall level
  • Kiteworks 2026 report: 60% of organizations lack ability to terminate misbehaving agents

THE SPEED ASYMMETRY PROBLEM: The core issue is that AI has made vulnerability discovery nearly trivial, while remediation still requires human effort and organizational coordination. Each new AI model generation could surface hundreds of new vulnerabilities in the same foundational software. The timeline for these capabilities becoming widely accessible is measured in months, not years.
