Current Cybersecurity Operating Models Do Not Operate at the Speed and Acceleration of the Attack Surface in the AI Age
We have spent years arguing about the size of the attack surface. Size was never the thing that was going to hurt us.
What hurts us is motion. The attack surface is no longer a static thing we measure once and defend at our leisure. It is a body in movement, and in the age of artificial intelligence it has both speed and acceleration. We are not losing because the surface is large. We are losing because it moves faster than our way of seeing it, and the rate at which it moves is itself increasing. That is a different kind of problem, and most of our defenses were built for the old one.
To see why, we have to be precise about words we use loosely every day. So let us slow down and define them properly, the way you would build any idea worth trusting, one layer at a time.
The attack surface is a three dimensional figure
Start with the word surface. A surface is not a list. It is not a perimeter. A surface is a face of a solid, and a solid has three dimensions. If we are going to call it an attack surface, we should treat it as the geometric object the word actually describes, because the geometry is where the argument lives.
Explore the living three dimensional figure: https://cybersecuritycompass.github.io/attacksurface/
The first dimension is the range of asset categories. Not how many assets we have, but how many kinds. The list of kinds is what has exploded. Network components, switches, routers, firewalls, and the segments between them. Endpoints and the people behind them. Servers, virtual machines, and the cloud workloads that replaced them. Containers and the clusters that orchestrate them. APIs, the connective tissue that lets everything call everything else. Identities, human and machine, each one a key to something. Data stores and the pipelines that move data between them. And then the categories that barely existed a few years ago: large language models, the inference systems that serve them, the agents built on top of them, the Model Context Protocol connections that let those agents reach into tools and data, and the third party integrations that extend the surface beyond anything the organization owns. Each of these is a different kind of asset, and each kind is a new direction the surface can extend in. AI did not just add more assets. It added entire new categories of asset, and each category brings its own way of being attacked. The category count is the dimension that matters here, not the asset count, because a thousand identical servers extend the surface in one direction, while one model, one agent, one MCP connection, and one cluster extend it in four.
The second dimension is the space of attack tactics and techniques that can be used against those assets. Every kind of asset invites its own methods. A model invites prompt injection and model manipulation. An agent invites the abuse of its autonomy and the trust it places in other agents. An identity invites credential theft and privilege abuse. As the first dimension widens with new kinds of assets, the second widens with new kinds of attack, because a new asset type is also a new technique surface. The two grow together.
The third dimension is the cyber risk carried by each asset. This is the depth that turns a flat map into a solid. Not every asset matters equally. An agent that can trigger refunds and reach the customer database has a wide blast radius. A forgotten test server has almost none. The third dimension weights every point on the surface by how much damage reaches the business if that point is compromised. Without it, you have a drawing. With it, you have a volume.
Picture it as terrain. Lay the kinds of assets along one edge and the attack techniques along the other, and you have a plane. Now let each point rise by the cyber risk it carries. Most of the surface sits low and green, ordinary assets with little reach. Some of it swells into amber. And in a few places it spikes into sharp red peaks, the handful of assets where a wide blast radius meets a live threat and a real consequence. Those peaks are where cyber risk actually concentrates. A defender does not face a flat field of equal squares. They face a landscape with a few dangerous summits scattered across a wide plain, and the summits are not where the snapshots tend to look.
There is one more feature of this landscape, and it is the most dangerous one. Parts of the surface are covered in fog. These are the assets that exist, are reachable, and carry real cyber risk, but that no one has discovered yet. An agent stood up last night. A shadow integration a team wired in without telling anyone. A model endpoint exposed by a default setting. The fog is not empty ground. It is surface you own and cannot see, and the cruel part is that the fog does not avoid the peaks. A red summit can sit entirely inside it. The most dangerous asset on your surface can be one you do not yet know exists. You cannot rate what you have not found, and you cannot defend what you have not rated.
The color is not decoration. Each shade maps to an exact number. The gradient from green through amber to red is a continuous scale of cyber risk, and every point on the surface carries a specific value behind its color, a Cyber Risk Index for that asset, computed from its exposure, its exploitability, and the consequence if it falls. Green is not a mood, it is a measured low score. A red peak is not emphasis, it is a high number you could read off and act on. This matters, because a picture you can feel is useful, but a picture every point of which resolves to a number is one you can operate. The terrain is not an illustration of cyber risk. It is cyber risk, quantified, asset by asset.
Put the three together and the attack surface is the volume of that solid. Asset Categories along one axis, Attack Tactics and Techniques along another, Cyber Risk per asset as the depth. The attack surface is not a number. It is a volume, and a volume can grow in any of its three dimensions at once. Hold that picture, because everything that follows is about how fast that volume changes. And notice what AI does to it. It does not raise the terrain evenly. It adds new ground along the asset axis, new ground along the technique axis, and new peaks where the most autonomous, most connected assets carry the widest blast radius. The landscape does not just get bigger. It grows new mountains.
Speed is how fast the volume grows
Once the attack surface is a volume, speed has an exact meaning. Speed is the rate at which that volume grows over time. How much new surface appears per day, per hour, per minute. New agents stood up. New integrations connected. New identities issued to machines that act on their own. New models deployed with new pipelines feeding them.
For most of the history of this field, that speed was something a human team could hold in its hands. New surface arrived slowly enough that a person could review each piece as it appeared. You provisioned a server, you scanned it, you moved on. The growth rate of the surface and the cadence of the people watching it lived in the same world.
That is no longer true. New surface now appears between meetings, between tickets, between shifts. The growth rate has climbed past the speed of the human processes built to track it. This is not a failure of effort. Nobody got slower. The surface got faster, and a review cadence that was sufficient for a trickle cannot keep pace with a stream. Speed alone, if it were steady, would be survivable. We would set the cadence faster and catch up. What makes this era different is that the speed does not hold steady. It keeps increasing.
Acceleration is the growth rate itself rising
Acceleration is the second derivative, and it is the concept that separates this moment from every moment before it.
Speed tells you how fast the surface is growing. Acceleration tells you whether that growth rate is itself getting faster. A surface can grow quickly at a constant pace, and you can plan against a constant pace, because next quarter looks like this one, only larger. That was the cloud era. Growth was fast, but its acceleration was close to flat, and a defender could build a cadence that stayed roughly in proportion.
Artificial intelligence breaks the flatness. Each new agent can spawn more agents. Each integration opens the door to more integrations. Each model creates demand for more pipelines, more identities, more connections. Growth feeds growth. The rate of expansion does not hold steady, it bends upward. This is what makes the AI era different in kind and not merely in degree. It is not that there is more surface. It is that the surface is accelerating, and a defense designed around periodic review was designed for a world where this line was flat.
When something accelerates, the gap between where it is and where you last measured it does not grow steadily. It compounds. By the time you finish acting on one snapshot, reality has not moved a little. It has moved more than it moved during the entire previous interval. Acceleration is why catching up is no longer a matter of trying harder. The thing you are chasing is pulling away faster the longer you watch.
Cyber risk is the intersection, and it never holds still
Before we can talk about exposure, we need to be exact about cyber risk, because the two are constantly confused and they are not the same thing.
Cyber risk is an intersection. Picture three circles. The first is threat, the actors and events that could cause harm, the intent. The second is vulnerability, the weaknesses that could be used, the openings. The third is consequence, the operational, financial, legal, and reputational impact if the harm lands. Where those three overlap is the only place cyber risk exists. A vulnerability with no threat against it and no consequence behind it is not cyber risk. A threat with nothing to exploit and nothing to damage is not cyber risk. Cyber risk is the point where intent meets exposure, and exposure meets impact. Only the intersection counts.
And that intersection is not a fixed point. Cyber risk is dynamic, it is shared, and it is continuous. Dynamic, because it shifts the moment a new exploit is published, a control is disabled, an agent is granted new access. Shared, because it flows across partners, suppliers, software supply chains, and systems no single organization fully owns. Continuous, because it does not pause between assessments, it moves while you are not looking. A still picture cannot describe something that behaves this way, which is why a grid of colored squares reviewed once a quarter was always the wrong instrument for this kind of risk.
Explore the interactive Cyber Risk visual definition: https://cybersecuritycompass.github.io/cyberrisk/
Cyber risk exposure is what you carry because you could not keep up
Now the distinction that matters most. Cyber risk exposure is not the size of the surface, and it is not cyber risk in the abstract. Exposure is what you actually carry because the surface grew and changed faster than you could see and govern it.
This is the part that overturns a decade of advice. If discovery kept pace, the surface could grow and your exposure could stay flat, because you would see each new piece, place it in context, and govern it as it appeared. Growth is not the enemy. Blindness is. Exposure rises specifically in the space between what exists and what you have seen and brought under control. It is the accumulation, over time, of everything that appeared on the surface after your last honest look and before your next one. It is the fog, measured. Every patch of surface still hidden in it is exposure you are carrying without knowing the amount.
This is why exposure tracks acceleration rather than size. A small surface that is being probed and changed faster than you can map it can carry more exposure than a large surface that sits still under continuous watch. The board has been told for years to reduce the attack surface. The surface was never the lever. Exposure is set by whether you operate at the speed the surface now moves, not by how big the surface is.
The snapshot was always going to lose
Hold the two ideas together. The surface is accelerating. Exposure is the gap between the surface and what we have seen. Now look at how we traditionally try to see it.
We assess periodically. A scan, a review, an inventory, on a calendar. Each assessment captures the surface as it was at that instant, then freezes that picture until the next assessment runs. Between the two, reality keeps climbing while our map lies flat. When the surface moved slowly, the flat stretch between snapshots was short enough that the map stayed close to the territory. That is gone. Against an accelerating surface, the snapshot is obsolete the moment it is taken, and it falls further behind every hour it stands.
This is the illusion of continuous. We call a quarterly program continuous because it repeats, but repetition on a calendar is not continuity against something that accelerates. The flat tread of each snapshot is precisely the period in which we are defending a map that no longer matches the world. Anything that is not genuinely continuous is already behind the risk it claims to represent.
Vulnpocalypse: the surface is not the only thing accelerating
There is a second force acting on the surface, and it works along the technique and consequence dimensions rather than the asset dimension.
Call it the Vulnpocalypse. A rapid step change in the volume of software vulnerabilities, including zero days, and in their exploitation, compounded by the structural friction in patching and remediation, producing damage at a scale defenders cannot absorb. This is not simply more bugs. It is more bugs, found and weaponized faster, against an installed base that cannot patch at anything like the same speed. The surface does not only grow because we add assets. It grows because the weaknesses in the assets we already have are being discovered and turned into weapons faster than we can close them.
The friction is the cruel part. Even when a fix exists, remediation moves at the speed of change windows, dependencies, testing, and human approval. The discovery of the weakness accelerates. The closing of the weakness does not. The space between those two rates is exposure, and the Vulnpocalypse widens it from the technique side at the same time acceleration widens it from the asset side.
Adversary discovery: the same engine, pointed two ways
The Vulnpocalypse has an engine now, and it deserves its own name because it is the newest and sharpest driver of exposure.
Frontier AI models can discover vulnerabilities at a volume and speed no human research team can match. This is the factor that changes the second and third dimensions of the surface at once, because it accelerates the rate at which the weak points in whatever surface exists get found. It matters even when the surface itself is not growing, because a static surface that is being scanned by frontier models carries more exposure with each passing day.
The honest framing is that the capability is double edged. A frontier model that can find a vulnerability for an attacker can find the same one for a defender. The engine is neutral. What differs is who runs it, and how fast. The attacker runs it continuously, at machine speed, and never stops to file a ticket, so each new piece of surface is probed almost as soon as it exists. The defender can run the very same capability inward, finding and fixing first. Nothing in the technology prevents it. What prevents it is the operating model. A defender who points frontier discovery at their own surface, continuously, turns the engine into a defense. A defender who keeps finding their own weaknesses on an audit calendar has conceded the discovery race before it began.
So the flaw finding race now runs at AI speed on both sides, and whoever discovers first wins. This is the asymmetry that has always defined cybersecurity, expressed on a new axis. The attacker only needs to be faster than our decision making process, and an automated system is faster than our decision making process by its own design.
How the drivers compound
Here is why the situation is worse than the sum of its parts. Exposure is driven by an accelerating surface you cannot fully see, and separately by frontier models finding the weaknesses in that surface at machine speed. These two do not add. They multiply. The flaws are found faster on a surface that is itself growing faster, and the result is an exposure curve that turns upward sooner and climbs harder than either driver would produce alone.
An accelerating surface, on its own, was already enough to bend exposure upward. Layer adversary discovery on top, and the knee of the curve arrives earlier and the climb steepens. The defender who is still running periodic assessment is now losing two races at once, the race to see their own surface and the race to find its flaws before the adversary does, and a periodic model loses both at AI speed.
What the geometry demands
Trace the argument back through its own structure and the answer is not subtle. If the attack surface is a volume, and that volume is accelerating, and exposure is the gap between the surface and what we have seen and governed, then exposure cannot be managed by anything that samples the surface on a calendar. The instrument has to move at the speed of the thing it measures.
That is the whole reason exposure has to be operated continuously rather than assessed periodically. Cyber Risk Exposure Management exists to unify asset discovery, vulnerability and misconfiguration findings, attack path analysis, and exposure assessment into one continuous view rather than a scatter of disconnected scans. Risk based vulnerability management exists to rank the flood that the Vulnpocalypse produces by the cyber risk each flaw actually carries, weighing exploitability, asset criticality, and consequence, so remediation follows impact instead of raw counts. Cyber risk quantification exists to express the exposure in financial terms a leader can act on, a probable loss and a range rather than a color. Adversarial exposure validation exists to test whether a control actually holds against real technique, rather than assuming it does. Each of these is an attempt to make a moving volume measurable in motion.
These instruments measure. Something has to make them turn. That is the Cyber Risk Management Lifecycle, the CRML, the operating loop of the before a breach domain. It is the discipline that keeps cyber risk management moving, one digital asset at a time, on a principle that leaves no room to coast. What is not defined cannot be measured. What is not measured cannot be improved. What is not improved is always degraded. So the CRML defines, measures, and improves, in that order, and it does not stop, because a living surface punishes any pause. Its operating form is CyberRiskOps, a continuous discipline that fuses cyber risk assessment and cyber risk reduction into one loop and closes the old gap between finding a cyber risk and actually reducing it. A periodic program admires a framework. The CRML runs one.
And the operating model that runs them is not the one most organizations have. The Security Operations Center asks what is happening right now. It was never designed to watch an accelerating surface and decide what to do before the incident. That is the work of a Cyber Risk Operations Center, the CROC, which asks what our exposure is right now, how it is changing, and what we should decide today to reduce it before it becomes an incident. The CROC is where the CRML runs, the place the lifecycle becomes daily operations rather than an annual ritual. The SOC protects today. The CROC protects tomorrow. Together they close into a Continuous Defense Loop, one half reacting to what has already happened and the other half preventing what could happen next, each feeding the other with no end, because the surface never stops moving and neither can the defense.
Explore the interactive CRML framework: https://cybersecuritycompass.github.io/crml/
The surface that matters
We measured the surface for years and asked the wrong question of it. We asked how big it was. The surface was never going to hurt us by being large. It was going to hurt us by moving, and by moving faster the longer we watched, while we defended it with a map drawn on a calendar.
Speed we could have survived. Acceleration is the thing that ends the periodic model, because acceleration means the gap does not grow steadily, it compounds, and a snapshot taken today describes a world that no longer exists by the time anyone acts on it. The attacker already operates at that speed. The frontier models already find our weaknesses at that speed. The only question left is whether our way of seeing our own surface moves at the speed the surface now moves, or whether we keep taking photographs of a body in flight and calling them the truth.
Exposure is a choice, not a fate. It is set by the speed at which we operate, and that speed is the one variable still in our hands.
References
Castro, J. (2026). Revisiting the Cyber Risk Management Lifecycle (CRML) in the Age of AI. ResearchGate. https://www.researchgate.net/publication/408096877 DOI:10.13140/RG.2.2.36183.02724
Castro, J. (2025). Defining Cyber Risk, Cyber Risk Scoring, and Cyber Risk Quantification. ResearchGate. https://www.researchgate.net/publication/396206049 DOI:10.13140/RG.2.2.21760.90885
Castro, J. (2025). Every Cyber Risk. Every Signal. Continuous Defense Loop. ResearchGate. https://www.researchgate.net/publication/396885730 DOI:10.13140/RG.2.2.30137.22882
Castro, J. (2024). From Reactive to Proactive: The Critical Need for a Cyber Risk Operations Center (CROC). ResearchGate. https://www.researchgate.net/publication/388194441 DOI:10.13140/RG.2.2.27408.93445/1
Castro, J. (2025). Cyber Risk Operational Model (CROM): From Static Risk Mapping to Proactive Cyber Risk Operations. ResearchGate. https://www.researchgate.net/publication/390490235 DOI:10.13140/RG.2.2.15956.92801
Castro, J. (2025). Cyber Risk Should Not Be Treated — It Should Be Operationalized. ResearchGate. https://www.researchgate.net/publication/389991463 DOI:10.13140/RG.2.2.12429.45289