Every Defender Deserves Frontier AI
The vulnerability deluge is coming. The industry’s response cannot leave most defenders behind.
On March 25 at RSAC 2026, Eric Chien and I stood in front of a room of defenders and told them the threat model had changed. Advanced actors had stopped distinguishing by company size. For any team without an eight-figure security budget, the defensive stack required to stop them had moved out of reach. We said plainly: this is no longer an option for all but the most well-resourced, heavily-staffed, security-first enterprises. And we said that the smaller the organization you defend, the more you need to rely on your platform vendors to do the correlation work for you, because extensive and accurate correlation requires expertise that even some large enterprises don’t have.
That was a forecast. We had the attacker tradecraft, but couldn’t yet share the evidence that the capability gap between advanced threat actors and everyone else was about to collapse.
One month later, the evidence is public.
What the testing confirmed
Last week, engineering teams across Broadcom’s Infrastructure Software Group—including engineers from my own Enterprise Security Group team—published what our testing confirmed. The findings hold up, and so do the implications. Frontier AI models find vulnerabilities at a scale and creativity no prior generation matched. They tenaciously chain lower-severity issues into working exploit paths in ways triage-based vulnerability management was never built to anticipate. The volume of credible known vulnerabilities is going to rise substantially. The time between disclosure and exploitation is going to compress further than it already has. Prioritization as a defensive strategy begins to fail. Patching velocity, not triage precision, is where defensive advantage now lives.
If you haven’t read that post, read it. This one picks up where it stopped.
What the industry’s response is missing
Several peer vendors have offered genuinely useful guidance in recent weeks. Others have responded by quietly redefining “baseline security” upward. You have probably read the phrase “mostly protected is unprotected.” You have read that single-digit-minute mean time to detect (MTTD) and respond is the new floor. You have read that the path forward is consolidation on a single vendor’s full stack.
These are defensible claims for large banks, hyperscalers, and Fortune 100 customers. They are not defensible claims for the organizations that make up the overwhelming majority of the economy. If you lead security at a regional hospital system, a specialty manufacturer, a school district, a municipal utility, a community bank, or a mid-sized software vendor, single-digit-minute MTTD is not a standard you can realistically adopt tomorrow. The full consolidation stack is not a purchase you can justify. “Mostly protected” is not a gap you can close on this year’s budget.
That is not a complaint about our peers. It is an observation about asymmetry. The teams least equipped to defend against an AI-accelerated vulnerability environment are being asked to meet a bar that presumes resources they do not have. If the industry accepts that framing without challenge, the practical effect is to place a meaningful fraction of the economy—the organizations the rest of us depend on every day—structurally outside the scope of modern defense.
I do not accept that framing. I do not think any serious defender should.
A call to the industry
Speaking now as the GM of our Enterprise Security Group, not just as someone who spoke at RSAC, I want to be specific about what the industry needs to do.
To my peer vendors. Every major software vendor should already be integrating frontier AI into its security engineering end to end: vulnerability discovery, exploit validation, patch generation, regression testing. Any vendor not doing this now will be behind in months, not years, and their customers will pay the cost. This is table stakes. Publish your progress. Ship fixes faster. Compete on remediation velocity, not by raising the ceiling on cyber defenses while making your smaller customers feel abandoned.
To the channel. MSPs, MSSPs, MDR providers, and regional integrators will deliver most of the AI-era defensive capability to most of the economy. Our Catalyst Partner program exists because we believe this, and we are investing in partner experiences that make it possible to manage security outcomes for hundreds or thousands of customers at a time. If you serve under-resourced teams, frontier AI is the single biggest opportunity in your business in the last decade. Lean into it. Build managed services around it. Expect your platform vendors to do the integration work so your engineers can focus on outcomes.
To the open source and open standards communities. The pace at which AI-discovered vulnerabilities reach long-tail software depends on maintainer capacity. Broadcom is a co-founding member of OCSF and an active participant in the standards work that lets defenders share signal across vendors. We will continue to invest there. Every vendor with frontier AI access should be supporting the maintainer community with more than goodwill.
To security leaders defending under-resourced organizations. You are not outside the scope of this conversation. You are the conversation. Reread your cyber insurance exclusions through an AI-accelerated-vulnerability lens. Audit which of your tools depend on CVE enrichment that is going to fall behind. Automate patching before you think you are ready. And demand that your platform vendor, whoever it is, does the frontier-AI discipline work on your behalf. If that vendor is Broadcom, capabilities like Threat Tracer and Incident Prediction inside Symantec CBX are examples of what that work looks like when it reaches the defender—but the broader point is that you should not be expected to build frontier-AI security discipline from scratch, regardless of which vendor you trust.
Where the Enterprise Security Group stands
Our mission has not changed in the month since RSAC. Enterprise-grade security for all is what we are building now. The AI-accelerated environment we and our peers are describing does not change the destination—it validates the urgency.
Inside our engineering, frontier AI is being integrated into how security work gets done. Symantec CBX—the unified XDR platform we launched at RSAC—was built to do correlation that resource-constrained teams cannot do for themselves. Threat Tracer gives an analyst who is not a senior threat hunter the ability to investigate across the full attack chain without writing queries, in a graphical environment that makes chained exploits visible the way they need to be. Incident Prediction, trained on more than 500,000 attack chains, anticipates the next four to five moves an attacker is likely to make and applies mitigation automatically through the Adaptive Protection policy. Those are two specific examples. They exist because AI that makes security analysts smarter and faster is the kind of AI that actually reaches the defender under pressure.
I am not going to pretend those capabilities solve the problem. They don’t. Frontier AI as a defensive discipline is still in early innings, and the capabilities that Symantec CBX ships today are going to look very different a year from now—ours and everyone else’s. Every capability we build, every platform we ship, and every partnership we extend is evaluated through one question: does this let an under-resourced defender reach the same security outcomes a Fortune 500 security team can reach? If the answer is no, we have more work to do. If the answer is yes, we extend it through the channel so the people who serve under-resourced customers can deliver it.
That is the bet. The defender community at large—not a subset of it, not the teams with in-house AI engineering, not just the Fortune 100—is who we are building for. But we are one vendor. For this to work, other vendors must build for that same community too. Frontier AI in the hands of every defender is how this industry comes through the next phase with the economy intact. Frontier AI in the hands of only the largest enterprises is how we end up with a class system that fails most of the businesses that keep the real world running.
Our peers have a choice to make about which world they help build. Broadcom has made its choice. The rest of the Enterprise Security Group team and I—along with the Catalyst Partners, channel partners, MSPs, and MSSPs who stand with us—will spend the year ahead making sure every defender who wants these capabilities can get them through the vendors and partners they already trust.
Every defender deserves frontier AI. That is not a slogan. It is the operational requirement of the decade ahead.



