fwd:cloudsec 2026

The Tireless Guardian: Agentic AI and the Art of WAF at Scale
2026-06-01, Room 2

Exploitation of unpatched vulnerabilities just became the #1 way attackers breach organizations — 31% of breaches in the 2026 Verizon DBIR, a 55% jump in a single year. Only 26% of CISA KEV entries are fully remediated. The median time to patch a critical vulnerability is 43 days, two weeks slower than the year before. Defenders are losing the race, and the gap is widening.

Web Application Firewalls have a reputation problem — but they are also one of the few controls that can buy critical hours during a zero-day. A virtual patch deployed in minutes while engineering queues up a weeks-long rollout across a sprawling estate. I lived this in 2021 with Log4Shell. The math has only gotten worse since.

The promise collapses under its own weight at scale. Fine-tuning WAF rules across hundreds of distinct technology stacks, application owners, and risk profiles is a domain-expertise problem that doesn't scale with headcount. The result is a familiar compromise: rules so broad they're useless, or so tight they become a reliability incident waiting to happen. Teams end up choosing between security theater and engineering pain.

This talk shares lessons from operating WAF at enterprise scale — and what changes when you introduce agentic AI into that loop. We'll walk through how AI-assisted rule generation, context-aware tuning, and a human-in-the-loop pipeline can compress the cycle from "vulnerability disclosed" to "fleet protected" from 43 days to single-digit minutes, without requiring a WAF expert embedded in every product team. We'll cover where the AI gets it wrong, what guardrails matter, and what it looks like when a virtual patch is the difference between a contained incident and a headline.

Attendees will leave with a framework for thinking about AI-augmented defensive controls not as magic, but as a new kind of teammate — one that needs supervision, clear trust boundaries, and very good memory for what "normal" looks like.

Ammar Alim is the Manager of DevSecOps at Adobe, where he leads a team building solutions that help engineering teams address security issues more efficiently, focusing on seamless integration between application security and DevOps processes. Previously, he was Cloud Security Engineer Manager at Frame.io and Lead Cloud Security Engineer at ActBlue Technical Services, where he built the cloud security function from scratch and implemented controls to detect and prevent nation-state attacks. Ammar is also passionate about helping people from non-technical backgrounds enter the cybersecurity field. Outside work, he enjoys the outdoors and staying fit.