The Containment Era is here. →Explore

A Conversation with Chris Hughes on the In Progress Podcast

On the inaugural episode of "In Progress", Aviatrix CEO Doug Merritt sat down with Chris Hughes, a CISA Cyber Innovation Fellow, author of Software Transparency, Effective Vulnerability Management, and Securing AI Agents, and the voice behind the widely-read Resilient Cyber. They covered the forces reshaping security right now: the flood of new vulnerabilities, AI in both attack and defense, the limits of "human in the loop," and why the future belongs to organizations that can absorb a breach without falling over.

Here are the moments that stood out:

A “Vulnpocalypse” of Exponentially Growing CVEs

Doug opened by asking which recent story unsettled Chris most. The answer was the so-called "Vulnpocalypse" because it ties so many threads together.

The number of tracked vulnerabilities is climbing on an exponential curve. Chris noted that annual CVEs passed 40,000 in 2025 and are projected toward 59,000 or 60,000 this year, with some estimates reaching 100,000. The National Vulnerability Database, overwhelmed, has pulled back to enriching only a subset of entries, which ripples out to every scanner and security team that relies on that data.

Layered on top is AI. As Chris put it, the models "have gotten exceptionally good at coding. And as a by-product of that, they’ve gotten exceptionally good at identifying vulnerabilities, and also exploiting vulnerabilities or generating exploits." Decades of unaddressed security debt are now colliding with tools that make exploitation almost trivial, and "those capabilities are not just reserved to the frontier labs."

Doug summarized the stakes plainly: one of the easiest avenues for an attacker just got far easier. "There’s a bigger hole in that front door that we’ve been trying to batten down."

"Just Patch Faster" Isn’t That Simple

When Doug asked why teams can’t simply patch their way out, Chris referenced a popular meme: a CISO as a lifeguard yelling at a drowning swimmer (i.e., a security team member) to "just swim faster." Remediation capacity, he noted, has long hovered below 10 percent of the backlog, and that was before large language models entered the picture. Organizations were "already drowning."

The reasons patching lags are not mysterious. Sometimes no patch exists. Sometimes a patch risks breaking production, so a security fix undercuts availability and "violates our own triad." And inside most companies, feature releases and customer requests win out over security work. "It’s the age-old people, process, technology triad. It’s all of the things. It’s not just one thing."

Not Risk Elimination but Risk Management

Both speakers returned to a central reframe: the goal is not a perfect wall. Chris argued the industry over-invests in stopping the "if" and under-invests in preparing for the "when." Citing Sounil Yu’s Cyber Defense Matrix, he noted how disproportionately the field focuses on prevention while neglecting response and recovery. "Something is going to happen, and when it does, what are you gonna do about it?"

Doug agreed the expectation set by many boards, that a security team’s job is to stop everything, has become unrealistic, like defending a house with 10,000 windows and doors against well-armed attackers with no police nearby.

Chris pushed further: the danger is not only outsiders, but the people already inside. Developers and business units accept risk constantly because they are doing the work of the business. You cannot eliminate that risk "because to do that, you would have to seize the business from operating."

Limiting the Blast Radius

Asked what resiliency means in practice, Chris pointed to the book Antifragile and its idea that some systems grow stronger under stress. Organizations can do the same by learning from incidents and applying the lessons.

Technically, he framed resiliency around containment. The question after a compromise should be whether it stays bounded. "Yes, a system had an incident, but it didn’t spread to the rest of our enterprise." That works in two directions: raising the cost and effort for an attacker to get in, and architecting the environment so that when something happens, the damage is contained to certain systems rather than the whole estate, paired with a strong response loop to learn and adapt.

Doug connected this to speed. The average time to detect and respond effectively still sits north of 200 days, while the shortest breakout time he had seen recently was 27 seconds, with an average around 29 minutes per CrowdStrike. Resiliency has to mean both containing the damage and reacting fast enough to prevent more.

The Human in the Loop Delusion

Chris was blunt about a comfort many teams cling to. He wrote a piece calling it the "human in the loop delusion," a safety blanket people invoke "because it feels good."

The math does not hold. Between the number of agents and sub-agents and the volume of alerts in a typical security operations center, "you don’t have enough humans and there’s too many loops." He pointed to how quickly users fatigue and begin auto-approving AI prompts the longer they use the technology.

That leads to a circular situation: the problems created by AI volume and speed can realistically only be met by using AI in defense. "We need to use AI to fight AI." Chris urged security teams to break their habit of being late adopters. The risks of not adopting, falling behind peers and attackers and perpetuating the "bolted on rather than built in" pattern, are real risks too. "We need to be an early adopter and user of the technology if we want to keep pace."

Security is Friction: "If It Can’t Go With Us or Through Us, It’s Going to Go Around Us"

Doug, candid about his own role, admitted that even as a security-aware CEO he pushes his teams to "deploy faster," and that security is inherently friction. He asked how cyber teams can move at the pace of the business.

Chris described the business as water that "is going to find the fastest, most efficient way" to its goal. When security blocks the path, work routes around it, which is how shadow technology spreads. The early "just block ChatGPT" response was a perfect example, and it failed. The more successful pattern, he said, is cultural: security acting as a "collaborator and a co-conspirator" who provides sanctioned tools and guardrails rather than simply saying no. Punitive, friction-heavy behavior creates more risk by driving teams away. As he put it, "show me an incentive, I’ll show you an outcome." Each team is measured differently, and aligning feature velocity, uptime, and security is genuinely hard.

Descriptive, Not Prescriptive

Closing on the future, Doug asked what we will wish we had done in 2026 after some unthinkable attack. Chris worried society may not fully wake up until a cyber attack affects "life and limb," and traced the gap back to incentives. Without real market or regulatory consequences, organizations absorb the cost of an incident and move on.

Chris left listeners with a mindset rather than a checklist: "Always stay open to learning. Think of it like an opportunity to keep learning, keep growing, keep developing."

Listen to the full episode.

Learn more about Aviatrix "In Progress" and subscribe for updates about future episodes.

Share This Article
Connect With Us

Ready to see Aviatrix in action?

Get a personalized live demo walkthrough or explore our latest deep-dive cloud threat research intelligence.

Gartner Report

Gartner Strategic Roadmap for Zero Trust Security Programs 2025 Report

Download and gain actionable insights to advance your cloud security strategy.

Download Now!
Recent Articles
Introducing the Aviatrix In Progress Podcast

Introducing the “In Progress” Podcast

Jul 08, 20263 min read
Zero Trust vs. Containment - Are They the Same?

Zero Trust vs. Containment: The Security Architecture Gap

Jul 07, 202610 min read
Validated Containment Architecture for AI Agent Harnesses Blog Image

Validated Containment Architecture for AI Agent Harnesses - OpenClaw / NemoClaw

Jul 01, 20264 min read
Every Team Has AI Tools Now. Is One Your Next Incident

Every Team Has AI Tools Now. Is One Your Next Incident?

Jun 30, 202612 min read

Keep Reading

Related Articles

Featured Categories

95a2292256ee0f5750aa745fc7d21d39c8ae2870

ACE Program

Explore Category
Rectangle 3966

Customers

Explore Category
5a9318112c7cc265fab072924a2acaa2122a1c9f

Cloud Network Security

Explore Category
Aws-card

AWS

Explore Category
partner_card

Partners

Explore Category
cloud networking heroes

Cloud Networking Heroes

Explore Category
azure_card

Azure

Explore Category
events_card

Events

Explore Category

Secure The Connections Between Your Clouds and Cloud Workloads

Leverage a security fabric to meet compliance and reduce cost, risk, and complexity.

Cta pattren Image