1 June 2026 Security Tips Timothée Alamargot

Offensive security: why AI, automation and humans must work together, not separately

An asset exposed after your last pentest. A critical CVE published on a Friday evening. A cloud infrastructure modified between two audits. These three scenarios share one thing in common: they create an exploitation window that no scanner alone, no pentester alone, and no AI alone can close. And while you wait for the next audit cycle, the attacker is already inside.

The real problem: your attack surface does not wait for your audit cycles

According to Mandiant M-Trends 2026, exploits represent the most frequently observed initial intrusion vector for the sixth consecutive year, accounting for 32% of compromises in 2025. The Mean Time To Exploit (MTTE), the average time between vulnerability disclosure and active exploitation, dropped from 32 days in 2023 to 5 days in 2024 (Mandiant/Google Cloud). 32% of CVEs exploited in 2024 were weaponized before a patch was even publicly available.

In France, the CESIN/OpinionWay barometer confirms this on-the-ground reality: 47% of French companies suffered at least one cyberattack in 2023, and among those, 47% were hit through vulnerability exploitation, the second most common attack vector after phishing. This is not a question of lacking tools. It is a question of an approach that is structurally misaligned with the actual pace of attackers.

The median dwell time (or MTTD, Mean Time To Detect), the time an attacker spends inside your environment before being detected, rose to 14 days in 2025 according to Mandiant/Google Cloud (M-Trends 2026). This figure primarily reflects Mandiant's client base, which has above-average detection capabilities; national CERTs typically observe delays of several months. For incidents detected only through external notification, this delay reaches 25 days within the Mandiant scope.

In this context, Patrowl client organizations discover on average 30 to 40% of previously unlisted internet-facing assets within the first 72 hours of deployment — assets absent from all prior analyses and therefore from all remediation scopes.

An annual pentest photographs your security at a single point in time. It becomes obsolete the moment a new feature is deployed, a cloud asset is exposed, or a critical CVE is published. Patrowl's founders experienced this firsthand: a 2-week engagement with no vulnerability detected, followed by a real intrusion a few weeks later via a feature activated after the audit.

Why every isolated approach fails: evidence-based breakdown

Each component of offensive security has its strengths. The problem is not their individual existence — it is their use in silos. Here is why each one, alone, creates an exploitable blind spot.

Automation: maximum scale, zero judgment

A scanner tests thousands of assets simultaneously, around the clock. That coverage is irreplaceable. Its structural limitation: between 60% and 80% of alerts generated are false positives or acceptable risks. Without business context or real exploitation, reports create operational noise. Teams spend their time triaging instead of fixing.

Field consequence: an organization receiving 400 alerts with no prioritization will mechanically deprioritize — and let the real threat slip through in favor of volume.

AI: analytical velocity, zero operational accountability

AI correlates signals at scale, accelerates triage, and helps write exploits or PoCs to speed up the pre-exploitation phase. But a false negative — an undetected vulnerability — leaves an attack surface exposed with no alert. On sensitive data, hallucinations are a real risk. AI cannot make decisions, sign off on a report, or take accountability before a CISO or a NIS2 regulator.

Field consequence: AI alone cannot answer the fundamental question: "Is this vulnerability actually exploitable in my specific context?" It produces a hypothesis. It does not validate.

Manual pentest: maximum depth, zero continuity

A certified pentester brings offensive reasoning, contextual judgment, real business impact assessment, and contributes to R&D and continuous tooling improvement. These skills are irreplaceable for complex exploitation scenarios. The limitation is structural: the engagement is point-in-time.

The CESIN/OpinionWay barometer reveals that 33% of security incidents are caused by misconfiguration and 29% by residual vulnerabilities — 62% of incidents linked to exposures that continuous monitoring detects in real time, and that an annual pentest structurally misses by definition. Between two audits, your infrastructure changes: new assets, new configurations, new CVEs published.

With an average MTTE of 5 days and a median dwell time (MTTD) of 14 days according to Mandiant, an analysis that is 3 months old has no operational value. Your infrastructure has changed. New assets have appeared. A critical CVE has been published, perhaps already exploited.

Case study: CVE-2025-31324 on SAP NetWeaver

CVE-2025-31324 allows an unauthenticated attacker to upload arbitrary files via SAP NetWeaver Visual Composer. CVSS score: critical. Scanners and AI tools automatically rank it at the top of their priority lists.

According to M-Trends 2026, at least four distinct threat clusters exploited this vulnerability as a zero-day in early 2025. After SAP released a patch in April 2025, six additional clusters — including several PRC-nexus espionage groups — continued exploiting it as an n-day.

What automation alone misses:

  • A file upload blocked by strict network policies makes the vulnerability unexploitable in that context; the scanner, unaware of the policy, still flags it as critical

  • The patch may have been applied incompletely on certain nodes: the automated tool does not detect this delta

  • The exploit chain CVE-2025-31324 + CVE-2025-42999 (remote code execution) is not identified without specific rules

What human analysis determines:

  • Post-compromise activity observed by Mandiant was limited to establishing a foothold and conducting reconnaissance — a human analyst assesses whether your organization is a priority target for these clusters

  • The impact differs radically between a production SAP system and a test instance: only a certified expert qualifies the real consequences on data, service continuity, and compliance

Result without human qualification: 90% of teams waste time remediating a vulnerability that is inactive in their specific configuration. 10% ignore a critical threat because the tool misclassified the alert — especially if the Metadata Uploader component is not detected as internet-exposed.

The tripartite approach: each component in its role

The Patrowl method does not stack three tools: it orchestrates three roles, none of which can substitute for the other two.

                      | Automation                       | Supervised AI                           | Human validation
Role                  | Discovery and detection at scale | Triage, correlation, pre-exploitation   | Validation and tooling R&D
Strength              | 24/7, unlimited volume           | Analytical speed, PoC coding assistance | Contextual judgment, zero false positive
Without the other two | 60-80% false positives           | Unvalidated hypotheses, hallucinations  | Point-in-time, obsolete within 72h

1. Continuous automation maps exposed assets without requiring a predefined scope, detects Shadow IT, runs black-box tests, and reruns tests after remediation. Organizations deploying Patrowl discover 38% additional assets within the first 72 hours — attack vectors absent from all prior analyses.

2. Internally supervised AI sorts threat intelligence data, enriches CVE context on identified assets, helps write exploits and PoCs to accelerate pre-exploitation, and reduces processing time on low-value signals. It makes no autonomous decisions visible in the client portal. Models run on Patrowl infrastructure hosted in France at OVH Gravelines — data does not transit through third-party services or US providers.

3. Systematic human validation: a certified pentester (OSCP, OSWE, OSCE, PASSI) validates the real exploitability of findings pre-qualified by automation and AI before anything appears in the client dashboard. Validation relies on structured templates including PoC, IoC indicators for the SOC, and priority criteria — enabling high coverage without exhaustive manual review. Result: zero false positives transmitted to teams, alert within 40 minutes of the CVE-2025-53770 SharePoint publication (Brest Métropole), MTTR divided by 3 at Xplor through prioritization by real exploitability.
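As an added illustration of the context-dependent qualification from the SAP NetWeaver case study and of the validation gate in step 3 above (example code written for this edit, not Patrowl's own tooling), the triage model below shows how the same CVSS-critical finding lands at different priorities depending on exposure, patch completeness across nodes and chaining, and why nothing reaches the dashboard until a human has validated it. The CVE ids are the ones the article discusses; the asset and node names, the exposure and patch fields, the priority labels and the chain label are constructed.

```python
from dataclasses import dataclass, field

# Multi-step chains a scanner does not flag without a specific rule (ids from the article, label ours).
CHAINS = {frozenset({"CVE-2025-31324", "CVE-2025-42999"}): "file upload + RCE"}

@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    internet_exposed: bool        # is the vulnerable component reachable from the internet?
    upload_blocked: bool = False  # a strict network policy blocks the file-upload vector
    patched: dict = field(default_factory=dict)  # node name -> True once the patch is confirmed there
    validated: bool = False       # set only by the human validator, never by tooling

def qualify(f, cves_on_asset):
    """Re-rank a CVSS-driven finding with context the scanner cannot see; returns (priority, reasons)."""
    if not f.internet_exposed:
        return "low", ["component not internet-exposed"]
    if f.upload_blocked:
        return "low", ["upload vector blocked by network policy"]
    unpatched = sorted(n for n, ok in f.patched.items() if not ok)
    if f.patched and not unpatched:
        return "info", ["patch confirmed on all nodes"]
    reasons = []
    if unpatched and len(unpatched) < len(f.patched):
        reasons.append("patch incomplete on " + ", ".join(unpatched))  # the per-node delta
    priority = "critical" if f.cvss >= 9.0 else "high" if f.cvss >= 7.0 else "medium"
    for chain, label in CHAINS.items():
        if f.cve in chain and chain <= set(cves_on_asset):  # both halves present on this asset
            reasons.append(f"chain {' + '.join(sorted(chain))}: {label}")
            priority = "critical"
    return priority, reasons or ["CVSS only"]

def dashboard(findings):
    """Publish only human-validated findings; the rest wait in the pre-qualification queue."""
    cves_by_asset = {}
    for f in findings:
        cves_by_asset.setdefault(f.asset, set()).add(f.cve)
    return [(f.asset, f.cve, qualify(f, cves_by_asset[f.asset])[0])
            for f in findings if f.validated]

# Constructed sample: the same CVSS-critical CVE on four assets, plus the chained CVE on one of them.
SAMPLE = [
    Finding("sap-prod-01", "CVE-2025-31324", 9.8, True, patched={"node-a": True, "node-b": False}, validated=True),
    Finding("sap-prod-01", "CVE-2025-42999", 9.1, True, validated=True),
    Finding("sap-test-07", "CVE-2025-31324", 9.8, True, upload_blocked=True, validated=True),
    Finding("sap-prod-03", "CVE-2025-31324", 9.8, True, patched={"node-a": True}, validated=True),
    Finding("sap-int-02", "CVE-2025-31324", 9.8, False),  # not yet validated: stays in the queue
]
```

Running dashboard(SAMPLE) publishes four entries and withholds sap-int-02; the production node with an incomplete patch and the chained CVE stays critical while the instance with the upload vector blocked drops to low.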

NIS2 and DORA: continuous compliance is no longer optional

NIS2 and DORA are no longer satisfied by an annual audit. They mandate exhaustive, up-to-date knowledge of the attack surface, continuous third-party risk monitoring, and immediate response to critical vulnerabilities. A static pentest report or unqualified automated scans expose organizations to compliance failures with financial penalties that directly engage executive liability.

Continuous orchestration is the only technical method to demonstrate compliant risk governance — not a checkbox, but a permanent operational capability.

What Patrowl concretely replaces

Patrowl UEMP (Unified External Monitoring Platform) is a unified platform combining EASM, continuous pentest, and agentic AI into a single operational workflow. Here is how it compares to traditional approaches:

                         | Traditional scanners   | Point-in-time pentest     | Patrowl UEMP
Frequency                | Continuous (scheduled) | 1 to 2 times per year     | Continuous, 24/7
Shadow IT                | Limited to known scope | Impossible outside scope  | Automatic and permanent
False positives          | 60-80%                 | Low (manually filtered)   | Near 0% (validated, templates)
Proof of exploitation    | None                   | Present in the report     | Delivered in real time
Critical CVE alert delay | Days to weeks          | None outside audit window | Under 40 minutes on average
Remediation plan         | Generic                | Contextual but static     | Prioritized by business criticality

Conclusion

With an average MTTE of 5 days, a median dwell time (MTTD) of 14 days according to Mandiant, and exploits responsible for 32% of compromises in 2025, choosing between automation, AI, and human expertise is not a strategic decision — it is an operational mistake. Every isolated approach leaves an exploitable blind spot. Attackers are already combining automation and AI to identify and exploit vulnerabilities before your teams are even aware of them.

Orchestrating all three is not a marketing position. It is the technical response to a documented reality.

FAQ

Automated engines and AI identify and pre-qualify potential exposures. A Patrowl certified pentester then validates the real exploitability of flagged findings via structured templates, before anything is transmitted to the client teams. Traditional scanners and AI-only tools do not include this systematic human verification layer — which explains the 60 to 80% false positive rates observed in standard scan reports.

Patrowl maps the external attack surface without requiring a predefined scope. The system identifies Shadow IT, forgotten subdomains, uncontrolled cloud connections, and third-party SaaS applications. A group of 25 subsidiaries detected 38% additional assets within the first 72 hours — attack vectors absent from all prior analyses.

Patrowl tools maintain 24/7, 365-day monitoring. Every asset change triggers an analysis. A critical CVE publication triggers an immediate check — Brest Métropole received an alert within 40 minutes of CVE-2025-53770 being published for SharePoint, a vulnerability identified as a zero-day in Mandiant's M-Trends 2026 report.

Models run on Patrowl infrastructure hosted in France at OVH Gravelines. Technical data does not transit through third-party services or US providers — in line with NIS2 and DORA requirements.

Sources: Mandiant M-Trends 2026 · Mandiant/Google Cloud M-Trends 2025 · CESIN/OpinionWay Barometer 2024 · Patrowl deployment data