Episode 9: Teen Hackers, Billion-Dollar Damage — Zafran’s Yonatan Keller & Nate Rollings on AI Threats Rising

In this episode of THREATCON1, hosts Tom Bain and Patrick Garrity sit down with Nathan Rollings, Field CISO at Zafran, and Yonatan Keller, Analyst Team Lead at Zafran, for a deep, practitioner-focused conversation on the realities of modern vulnerability management.Together, they explore why patching alone can’t keep up with today’s threat landscape — and how security teams can dramatically reduce risk by prioritizing what actually matters.🔍 Key Topics CoveredWhy patching is too slowThe average enterprise takes ~49 days to patch — while attackers weaponize vulnerabilities in days (or minutes).Mitigating controls vs. patchingHow firewalls, EDRs, WAFs, segmentation, and configuration changes can meaningfully reduce exploitability — even when patching isn’t possible.The “1 in 50,000” insightWhy only a tiny fraction of vulnerabilities are truly critical when you factor in runtime, reachability, exploitability, and existing controls.Zero-days without CVEsHow agentic workflows can assess exposure, identify impacted assets, and recommend mitigations before scanners, signatures, or CVE IDs exist.CTEM as a maturity journeyMoving from noisy vulnerability lists to operationalized, risk-driven exposure management — without creating shelfware.Threat enablement is the real dangerWhy loosely organized groups and even teenagers are now capable of causing enterprise-level disruption.Edge devices, legacy software, and OT riskWhy internet-facing systems and unpatchable environments (manufacturing, healthcare, critical infrastructure) demand a mitigation-first mindset.AI vulnerabilities: the next frontierNo CVEs, no standards, rapid adoption — and a growing attack surface most organizations aren’t tracking yet.AI as a force multiplier for defendersHow agentic AI can shorten exposure windows, automate analysis, and upskill under-resourced security teams.🎯 Why This Episode MattersIf you’re overwhelmed by vulnerability volume, constrained by patching windows, or struggling to align security priorities with business reality, this episode offers a grounded, experience-driven perspective on how modern teams are adapting — and where the industry is heading next.THREATCON1 is created by VulnCheck and focuses on emerging threats, real-world security operations, and conversations with practitioners shaping the future of cybersecurity.🔔 Subscribe for more episodes exploring vulnerabilities, threat intelligence, and exposure management with the people who matter most.