For twenty years the security playbook started in the same place, find a vulnerability, prioritize it, and patch it. Doug Merritt, CEO of Aviatrix and former CEO of Splunk, thinks that playbook is quietly breaking, and his explanation has nothing to do with anyone being careless. The economics of offense changed underneath us, and most security programs are still funded as if they did not.

Why this conversation matters

Doug has sat in two seats that give this argument weight. At Splunk he evangelized detect and respond, and now at Aviatrix he is arguing that detect and respond, while still important, is no longer enough on its own. That is not a vendor pivot so much as an honest reading of the incentives, and it lands differently coming from someone who built a business on the previous era. If you are a practitioner watching AI rewrite the attacker's cost curve, or a leader trying to defend a prevention-heavy budget to a board, this conversation reframes where the money should actually go.

Key takeaways

• Offense became a compute problem, and that is permanent. Finding and exploiting a vulnerability is a search task, and the cost per token has been deflating faster than Moore's Law. That is why this is a structural shift rather than a few headline demos, and why throwing compute at offense keeps getting cheaper and faster.
• Patching has a ceiling that offense does not. Every patch carries the risk of breaking something, so testing, deployment, and organizational friction cap how fast defenders can move. When vulnerability discovery scales freely and patching cannot, "find more and patch faster" turns into a race you are structurally set up to lose.
• The interesting question is not how they got in, it is where they went. Attackers increasingly arrive with valid credentials and move through the trust graph that runs across cloud services and CI/CD pipelines, including malware injected into trusted repositories. Once they look legitimate inside the environment, lateral movement and egress are where the real damage happens.
• Cloud rewarded velocity, and security paid the bill. Cloud providers made identity default-deny because someone has to own and pay for a workload, but they left networking wide open because their economic engine is developer velocity and security reads as friction. New agentic frameworks inherit that same wide-open default, connected to the internet with little oversight.
• A strong identity stance is necessary and not sufficient. Identity answers whether someone is allowed to act, not whether the action is an attack, which is why attackers log in rather than hack in. Human, agent, and workload identities are genuinely different, and workload identity in particular has been underserved.
• Containment is about blast radius, not about keeping everyone out. The mindset shift is to accept that breaches will occur and to govern every path a workload can take, so an incident stays local and recoverable. Done well, containment holds firm whether or not anyone has detected the attack yet.
• Blast radius has to become a boardroom metric. Doug's argument is that CISOs, CIOs, CEOs, and boards should be able to answer how reachable anything is from anything else, and treat that number as something to drive down deliberately rather than discover after an incident.
• AI is the reason containment is finally workable. The historic blocker to micro-segmentation was cognitive load across tens or hundreds of thousands of workloads. AI is strong at synthesis and pattern matching, which makes a staged path of observe, discover, monitor, and then enforce realistic, ideally starting with the internet-exposed workloads that have no filtering at all.

In this episode of Resilient Cyber, I sit down with Katie Norton, Research Manager for DevSecOps and Software Supply Chain Security at IDC, to unpack what application security looks like as AI moves from copilot to autonomous teammate across the software development lifecycle.

We dive into:

🤖 AI's accelerating impact on AppSec and the SDLC – and the productivity-versus-risk equation now that agentic coding tools are shipping code at machine speed

💥 The "Vulnpocalypse" – the explosion of CVEs, AI-generated code, and the widening gap between vulnerability discovery and remediation capacity

🛠️ Whether legacy AppSec categories like SAST, DAST, SCA, and ASPM can keep pace – or are being fundamentally reinvented for an agentic world

🎯 The rise of autonomous pen testing and offensive security agents (XBOW, Project Naptime, Project VAIL) and what it means when offense scales faster than defense

🔗 How agentic development is reshaping software supply chain risk – from hallucinated packages to MCP server integrity and the provenance of code no human ever wrote

🏛️ Governance models for AI-generated code, the evolving AppSec team of the future, and what CISOs should be prioritizing right now

📈 Katie's predictions for where AppSec, software supply chain security, and the SDLC are heading over the next 18-24 months

Whether you're an AppSec practitioner, security leader, developer, or just trying to make sense of how AI is reshaping software security – this conversation is packed with insights you won't want to miss.

🔔 Subscribe for more conversations on cybersecurity, AI security, and the future of resilient software.

#Cybersecurity #AppSec #AISecurity #DevSecOps #AgenticAI #SoftwareSupplyChain #ResilientCyber

In this episode, we sat down with Richa Gual, CEO of Complyance, the AI-first enterprise GRC platform that recently raised a $20M Series A led by GV (Google Ventures), to dig into how legacy GRC is finally being disrupted and what role AI agents play in that transformation.

We discussed why GRC has lived in the dark ages for so long, stuck in static documents, snapshot-in-time assessments, system sampling, and self-attestations while the rest of IT moved to cloud, APIs, and automation. We unpacked the credibility crisis caused by commoditized compliance and rubber-stamp audits, the limits of the first wave of GRC automation, and what genuinely changes when agentic AI takes on evidence review, vendor risk, policy drafting, and customer trust workflows end-to-end.

Richa shared Complyance’s perspective on building agentic AI for the most sensitive data an organization holds, why explainability and isolation matter more in GRC than almost anywhere else, and how customers like Dropbox, CVS Health, and Major League Soccer are using AI agents to cut manual GRC work by 70% without lowering the assurance bar.

We closed on what the next five years look like for the GRC workforce and whether the field can finally restore credibility to the phrase “compliance equals security.”