Vulnerability Discovery Was Never the Bottleneck and AI Just Proved It
Eliel Oliveira, Information Security Officer at Knauf Digital, explains why AI-accelerated vulnerability discovery is forcing security teams into a new operating model where the real constraint is mean time to recovery.

AI coding agents ship features faster. They also generate vulnerabilities faster. Better scanning tools find more. Frontier models discover more. The pile grows from every direction, while most security teams are already sitting on six-month backlogs that they cannot process. The hard part of vulnerability management was never finding the flaws. It was always fixing them. AI has made that gap impossible to ignore.
Eliel Oliveira is the Information Security Officer at Knauf Digital, the digital arm of Knauf Group, a global building materials manufacturer. He built the company's DevSecOps practice from the ground up, created a Security Champions network across all product teams, established the AI Center of Excellence with governance aligned to the EU AI Act, and leads the company-wide cybersecurity program under ISO 27001. His path from system administrator through DevOps engineering to security leadership gives him direct visibility into how software actually gets built and where security breaks down in practice.
"Discovering vulnerabilities was never the bottleneck," Oliveira says. "The bottleneck was always: what is your mean time to recovery? Once you have any type of issue, how long does it take you to actually fix it?"
A superhuman number
The scale of the problem is beyond manual review. "If you have 12,000, 20,000, 50,000 CVEs, it's not easy for a human to go one by one and check: this is fine, this is bad, this is good," Oliveira says. Mythos accelerated the volume starting in March, and the pile has grown through April and May. But the discovery increase only exposed what was already true: most teams were already bad at mean time to recovery because of competing priorities and resource constraints.
Oliveira's team uses a matrix approach: AI agents combined with deterministic static analysis tools and runtime context to surface what matters. The combination allows them to tackle low-severity issues that previously sat untouched because AI can now reduce a two-hour fix to minutes, freeing capacity for the critical items.
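The prioritization model described here (static scanner severity re-weighted by runtime context such as whether the component is deployed, exposed and actually reachable, with mean time to recovery measured on the fixed items) can be sketched in code. The following is an added example written for this article and is not code from Oliveira's team or Knauf Digital; the weighting factors, the `Finding` fields and the sample records are all constructed assumptions.

```python
"""Added example: rank scanner findings by combining static severity with
runtime context, then measure mean time to recovery (MTTR) on fixed items.
Weights, field names and sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Finding:
    id: str
    cvss: float               # static severity reported by the scanner
    deployed: bool            # is the affected component running anywhere?
    internet_exposed: bool    # is that deployment reachable from the internet?
    reachable: bool           # does runtime/call-graph data show the vulnerable path is used?
    exploited_in_wild: bool   # threat-intel flag (e.g. a KEV-style listing)
    opened: datetime
    fixed: Optional[datetime] = None


def priority(f: Finding) -> float:
    """Re-weight the scanner score with runtime context (assumed factors)."""
    score = f.cvss
    if not f.deployed:
        return score * 0.1          # not running: keep it, but far down the list
    if f.internet_exposed:
        score *= 1.5
    score *= 1.5 if f.reachable else 0.5
    if f.exploited_in_wild:
        score += 3.0                # active exploitation trumps most other signals
    return score


def triage(findings: List[Finding]) -> List[Finding]:
    """Highest contextual priority first."""
    return sorted(findings, key=priority, reverse=True)


def mttr(findings: List[Finding]) -> Optional[timedelta]:
    """Mean time from a finding being opened to it being fixed."""
    fixed = [f for f in findings if f.fixed is not None]
    if not fixed:
        return None
    total = sum((f.fixed - f.opened for f in fixed), timedelta())
    return total / len(fixed)


# Constructed sample backlog (ids and dates are placeholders, not real CVEs).
SAMPLE = [
    Finding("FINDING-A", 9.8, deployed=False, internet_exposed=False,
            reachable=False, exploited_in_wild=False,
            opened=datetime(2024, 3, 1)),
    Finding("FINDING-B", 5.5, deployed=True, internet_exposed=True,
            reachable=True, exploited_in_wild=False,
            opened=datetime(2024, 3, 1), fixed=datetime(2024, 3, 3)),
    Finding("FINDING-C", 7.5, deployed=True, internet_exposed=False,
            reachable=False, exploited_in_wild=False,
            opened=datetime(2024, 3, 1)),
    Finding("FINDING-D", 8.0, deployed=True, internet_exposed=True,
            reachable=False, exploited_in_wild=True,
            opened=datetime(2024, 3, 1), fixed=datetime(2024, 3, 11)),
]


def ranked_ids(findings: List[Finding] = SAMPLE) -> List[str]:
    return [f.id for f in triage(findings)]


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.id:10} cvss={f.cvss:4} priority={priority(f):6.2f}")
    print("MTTR:", mttr(SAMPLE))
```

Note how the CVSS 9.8 item drops to the bottom because it is not deployed, while a medium-severity issue on an exposed, reachable path rises to the top; that is the point of adding runtime context to deterministic scanner output before any human or agent spends time on a fix.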
Supervised, not autonomous
The agents are not running unsupervised. "We do supervise with our software engineers to make sure that the judgment is there and they can evaluate if the code generated and the checks that pass are good enough or bad," Oliveira says.
His team has spent three years shifting left so engineers work primarily from the IDE. MCP servers connect security and quality checks directly into the development environment, removing the friction that historically made developers skip security steps entirely.
Oliveira describes a model where agents handle the feature, request security and quality checks automatically, and then present results for human review. For higher maturity workflows, he favors a "judge and contrarian" pattern: two AI supervisors that challenge each other's output before code progresses.
"Mistakes will still happen because every engineer has made mistakes in the past," he says. "But if you have the right pieces in place, you can correct faster." The gap in trust between security leaders and agent autonomy remains the limiting factor for most organizations.
Liability moves faster than fixes
The legal dimension is tightening. Organizations are now formally aware of vulnerabilities they cannot patch in time, and regulatory windows are shrinking. Oliveira points to a pattern in supply chain attack data: most hits occur on Fridays, when teams are offline until Monday.
"In the last ten years, every CISO said we need to update our dependencies and keep things up to date," he says. "Now, because of this speed and the way supply chain injections are being done, we actually need to tell the opposite: you need to be aware of when you update your stuff."
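One way to turn "be aware of when you update your stuff" into a check is a cooldown on freshly published dependency versions plus a rollout window that avoids late-week deployments. The example below is added here and is not from the article or any tooling at Knauf Digital; the seven-day cooldown, the working-hours window and the sample package records are constructed assumptions.

```python
"""Added example: gate dependency updates on publication age and rollout timing.
The cooldown length, rollout window and sample packages are assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List

COOLDOWN = timedelta(days=7)   # assumed: do not adopt a version younger than this


def version_too_new(published_at: datetime, now: datetime) -> bool:
    """True when the version has not yet aged past the cooldown."""
    return now - published_at < COOLDOWN


def rollout_window_ok(when: datetime) -> bool:
    """Assumed policy: Monday-Thursday, 09:00-15:00, so a bad update is
    noticed while the team is still at work rather than over a weekend."""
    return when.weekday() < 4 and 9 <= when.hour < 15


def review_updates(updates: List[Dict], now: datetime,
                   rollout_at: datetime) -> Dict[str, object]:
    """Split proposed updates into 'hold' and 'ok' and flag the rollout time."""
    hold, ok = [], []
    for u in updates:
        (hold if version_too_new(u["published_at"], now) else ok).append(u["name"])
    return {"hold": hold, "ok": ok, "window_ok": rollout_window_ok(rollout_at)}


# Constructed sample: a lockfile diff annotated with registry publish times.
NOW = datetime(2024, 3, 14, 10, 0)          # a Thursday
PROPOSED = [
    {"name": "example-http-client", "version": "2.4.0",
     "published_at": NOW - timedelta(days=2)},    # brand new: hold
    {"name": "example-logger", "version": "1.9.3",
     "published_at": NOW - timedelta(days=30)},   # aged past cooldown: ok
]


if __name__ == "__main__":
    friday = datetime(2024, 3, 15, 16, 30)
    print(review_updates(PROPOSED, NOW, friday))
```

The cooldown buys detection time: a malicious version that is pulled from the registry or flagged by the community within days never reaches the build, and a rollout window keeps the people who can revert it within reach when it does.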
His advice to CISOs runs upstream of tooling. Leadership needs to close the distance with the people who actually build and ship software. "Higher management is far away from the builders," Oliveira says. "They need to come closer. Otherwise, they will not respond in time because we are already at machine speed."
Skip-level meetings, open-door policies, and sitting in open office spaces rather than private offices are all mechanisms he has seen work. The common thread is removing layers between the people who make risk-based security decisions and the people who can actually execute them.
The views and opinions expressed are those of Eliel Oliveira and do not represent the official policy or position of any organization.