In this MSP1337 fireside chat, host Chris Johnson and Matt Lee unpack the idea of a "vulnpocalypse", a rapidly emerging reality in which AI-driven tools are accelerating vulnerability discovery at a pace organizations can't keep up with. While much of the industry is focused on the fear and hype, the conversation shifts to what actually matters: operational response. The discussion highlights that the shrinking gap between proof of concept and active exploitation is forcing a fundamental change in how MSPs and organizations manage risk, especially in patching velocity, exposure management, and accountability for internet-facing systems. The takeaway is clear: this isn't just a future threat, it's a present inflection point requiring faster, more automated, and governance-aligned security practices.
[00:00:06] Welcome to MSP 1337. I'm your host Chris Johnson, and this is a show dedicated to cybersecurity challenges and solutions, a journey together, not alone. We are doing a special fireside chat. Matt Lee, welcome back to the show.
[00:00:27] Oh man, thanks for having me. I appreciate it. I'm glad to be here. I'm fresh back from MSP GeekCon where I got my new Goots doll, I suppose, that's made it to the new shelf. And I've also got the new shelf here in my new studio, so I'm starting to make it feel like I'm home. So it's been good. That's a good starting point. I have kind of got the similar problem. I moved to the other side of my office, so my bookcase is intact. But like I have all this blue space because the wall is much larger on this side of the door.
[00:00:57] Yeah. Now I need to put in some acoustical tiles because my wife took over the other corner. So now we're in the same room. But if she's on the phone, it sounds like she's yelling at me and she's not. She's not a loud talker. When I point when I face her and talk the I can hear my voice coming back off of the wall. I got a solution. Hold on. I can show and tell a solution for your friend. You just need one of these, man. Just then you can talk behind it.
[00:01:27] It's harder. Is that a fiberglass talking about as easily? What's that? Is that a fiber blanket? No, that's an Ikea special. Like I think that's just an Ikea sound board is what they call it. That's hilarious. I mean, it's obviously got a Swedish name, but you just move it around and you can have, you know, protection. Well, I do have like I have the I think they're two foot by two foot true acoustic panels that I had done.
[00:01:55] I did a church project and I ended up with a bunch of leftover panels. Oh, cool. And so they just been sitting in my garage. So rather than letting them collect dust, maybe I'll mock up my blue windows or blue walls. Oh, that's going to be nice, man. I like it. And it gives you some better framing. All right. We did not intend this to be a framing and studio conversation, although that would be. But all right, you came up with the topic. So I really like it.
[00:02:21] So if you would share with the audience the name, if you want to call it a name, or the frame up. And I didn't coin this term. No, no, no. This term is really trying to express the fear, the moment we live in, the capabilities, what it means for us, what that vector means. And so this term is called vulnpocalypse. So let's set the stage of that conversation, though.
[00:02:49] So why what does vulnpocalypse even mean if you break it apart? Like, OK, vulnerability and apocalypse. OK, apocalypse is not typically regarded as a great moment in time for those experiencing it. All right. And so let's say that that's what they're trying to convey, Chris, with this statement. But what it really means is we've already got a system that's overloaded.
[00:03:08] MS or software manufacturers have rarely been great at taking, receiving funding, fixing vulnerabilities and bug bounty programs in general, in Matt Lee's opinion. But additionally, you also have the added challenge that capitalism doesn't really support it. Like capitalism supports: if I have this many sprint cycles, I put in a new feature, not fix a bug, and definitely not necessarily be receptive to even hear about these bugs until somebody weaponizes it.
[00:03:36] But that normally has been limited to the barrier to entry of somebody finding something, not following responsible disclosure, using it as a weapon. It's now known as a weapon. And then they finally patch it, whether it has already been disclosed as a vulnerability or not. And then that patch will be at that point. But then that patch gets patched. And then I guess that's not always true in SaaS, but let me continue my rant.
[00:03:59] But that patch gets patched. And then you now have a patch you have to apply, which then on top of that, once you have a patch to apply, we have historically had the permission as MSPs to just patch right away and get after it. And then, right, it's been how, you know, don't take me down and we need to do this.
[00:04:14] And anyway, so you have that. But then additionally, the data, the enrichment information, the good guy side is a cluster leading to having to have a European vulnerability disclosure program to make up for the fact that we've had a defunding of MITRE's program and enrichment aspects from NIST and all of the just horrible things that have wrapped together. So what is a Vulnpocalypse? Vulnpocalypse is when Glasswing talked about Mythos, when the project Glasswing discussed Mythos and this model that can find vulnerabilities quickly.
[00:04:44] And then, you know, a lot of political media hype and things, but really, you know, all in all, it's basically a pretty good pen tester is the way I would say it. Pretty good vulnerability discovery. It's found some big things in some open source projects that have been there a very long time. Like the Firefox one was kind of a daunting challenge in and of itself when it was disclosed how many for how long, to your point.
[00:05:11] But even then, the interesting part is like you have alternate sides like Curl. The Curl project came out, which is the most used on the most number of devices, period, out there, I think was his claim. But when you think about Curl, that project has been using these types of code LLMs and already existing things far before Mythos and Glasswing, like traditional code scanning. So my argument might be that Firefox perhaps should have done a better job at some of those modalities.
[00:05:39] So they found themselves more like Curl and less like Firefox. Curl basically said they found, you know, a few things. And yeah, they found bugs and things with their traditional LLMs using tools like BehaveSex. They didn't mention this one specifically, but like BehaveSex auto pen test or other things. So I want to go back and sum this up, but the vulnpocalypse is essentially a belief that threat actors now will have such a low barrier to entry by using traditional AI and frontier AI tools that allow them to attack any target based on just existing.
[00:06:10] And so you kind of tend to see that because in addition to that, you have the, for the first time, I think, the Verizon DBIR came out and said that 31% of attacks start now with vulnerability exploits up above password compromise, which is the number one source of attack. That's mind-blowing as a shift, yeah. Well, especially when you look at the trends over the last five years with the breach report,
[00:06:36] which showed consistently like it was largely turning into social engineering and exploitation of, like, piggybacking on, you know, token compromises where really their user is at, you know, at fault in some way. And to your point, now we're seeing the trend of 30% shift. What I wanted to say was, you know, ultimately the vulnpocalypse belief, I don't know that it's not much more hype right now, but we are starting to see a little bit of evidence of it.
[00:07:05] Like I said, to the DBIR shift, you're also seeing VulnCheck does a lot of tracking of this, or who is he working for? Patrick Garrity at, I think it's VulnCheck. Yeah. But anyway, they're basically starting to see that uptick in the ones attributed to Mythos and the ones attributed to Anthropic and the ones attributed to Microsoft and their own stuff they're doing. So what I wanted to talk about on this episode is the opposite of what everybody else is talking about
[00:07:34] with Vulnpocalypse, which is what do we do about it? And what does the future look like? And I don't know what the in between looks like, I have some ideas, but what do you think the future looks like as a result of, you know, rapid ability for anyone to democratize finding vulnerabilities in bespoke software? Well, so there's two things I think that are really important. What you, I mean, the vuln side, the apocalypse side is obviously scary,
[00:08:03] but I think at the same time, it's also kind of a, I hate to say breath of fresh air, because that seems a little bit overly optimistic, but well, kind of like when you get punched in the gut and you breathe in real hard, is that kind of breath of fresh air? Is that what you're talking about? Maybe, maybe. That first good breath afterwards. But I guess what went through my head and, you know, I've been following this for a while and, you know, the Mythos stuff and, you know, you even see in some of the articles that are out there, especially some of the more recent ones, there's a level of optimism because this also means
[00:08:32] good guys can take advantage of findings too. You know, when you build a tool, there's no way in which you can plan for everything as a builder, right? It's just not the job that you've been tasked with. And it flies in the face of capitalism, right? Like build the tools, people can consume it, get paid for it. But being able to take advantage of tools like Mythos and some of the other LLMs that are out there that can do this is you're getting told what our potential vulnerabilities are
[00:09:01] and you can choose to do something about it. So I think there's an added layer of accountability because anybody can run these tools. I can run them against the tools, the products that I use. It's not gated anymore. And I do want to clarify a little bit. These tools aren't just, oh, press button, get outcome. Right, right, right. There really is still a need. In fact, there was a recent one talking about the researchers that say they have pwned macOS and in their argument, and this is just in the last week or so, they said, you know,
[00:09:30] in our experience, if we hadn't been the skilled red teamers we were, there is zero chance we came out with this outcome, even using something like Mythos or even using something like this. So I think that is something I believe, something I want to clarify in my opinion, to be true as it still is. You still have to have some capability in to get out, but even without it, you'll find a lot of the things that you would find much better than you would with a traditional vulnerability scan type methodology.
[00:10:00] I mean, and not to trivialize this, but I think about a really, really large house and it's got lots and lots of rooms in it. And they all have doors that all take unique keys. And I give you, Matt, a key ring with all these different keys on it. If you know all about the house, you know what rooms, probably in most cases, you might have to try one or two keys to get into that room because obviously you haven't memorized all the keys, but if it's me and I show up and you hand me the keys and I've never been
[00:10:30] there before, I don't even know where to start. I don't even know how many rooms there are. So to your point, like just having access to something that can go and identify vulnerabilities in Firefox, if I'm not familiar with how Firefox works at all, I'm not necessarily going to be very successful with the results. Well, or how the tools work or what this vulnerability means, or the other piece is there's a lot of slop. There's still a lot of things that are just true, but not meaningful
[00:11:00] or something that looks like something, but isn't accurate in how it might be expanded upon. And that's getting better. I mean, like there's a great one out there, the auto pen test, Jason Slagle's forked it and played with it and found things, but he's also found a bunch of stuff that wasn't real. And so you have a lot of that where one challenge of the CVE and vulnerability management structure is that it's now being, if it wasn't overwhelmed before, it's overwhelmed now with real stuff, but also tons of just trash.
[00:11:29] And to your point, there's no barrier to just pick up a tool and start throwing stuff. And that means the programs like HackerOne and the Linux Foundation projects that just recently had that same challenge of being overwhelmed with AI slop that was coming in. That was not meaningful, but then still took time out of a researcher's day to validate or disprove. And then they still take time that should have been applied to the one that really was going to execute you. That's 5,000 down the list. Like, I mean, this does create more challenge. Let's be honest. You mean more patches equals more work.
[00:11:59] In good ways and in bad ways. Yes. We're going to find a way to solve it because we're going to have to have secure enough stuff that we're going to be able to do. So that's a good segue to thinking about and talking about this from the perspective of the ITSPs, the MSSPs, et cetera, that are going to have to live in this new world. Right.
[00:12:26] And we have traditionally seen where there are KPIs and a lot of MSP dashboards where like they're chasing, get rid of as many CVEs as you can. And I think that that model, that approach is going to be like the dog chasing its own tail. It's going to populate with new CVEs as fast as you're potentially closing them. So I think there needs to be a new approach and the way in which MSPs, et cetera, are looking
[00:12:51] at how do they ensure protecting themselves and protecting their clients in this new setup. I mean, you're right. The vulnpocalypse, it is a thing, but some of it is hype. That's true. But I think the reality is we have to shift the way we do things. Well, and here's my short-term and long-term vision of what I think is coming. I think short-term, to your point, there'll be more work or at least there'll be more patches. We should theoretically find more disclosed patches.
[00:13:19] We should theoretically have more times that we have to patch. We should theoretically have more high security. What has been ignored too. Yeah. A lot of that. Exactly. Yeah. So we're going to have patches that'll need to be done. Yep. So I think that's the short-term and we'll get back to that in a minute. I do genuinely believe that the long-term is we have better software. We have more security and more reliance upon the tools we buy. And that caveat emptor can actually mean something. Let the buyer beware only works when you can have the ability to beware.
[00:13:49] When you are being bamboozled by shitty software that's been made by the lowest bidder for the fastest we can get a tool out and then goes through its own paths of enshittification to extract the last dime out of it, you're going to wind up with shitty software. And until capitalism kicks back and says we need a healthy level, it might mean we pay a little more, but it works out. I pay more for a car now by difference than I did before. It's got more features. It's got more capabilities. It's got more safety. It's got more things. It meets more regulation.
[00:14:17] But you can still get it with manual windows if you really want to. And sometimes car manufacturers don't mind abusing all the testing methodologies of Volkswagen and being able to get through without paying some of that tax. That's true. The point is, genuinely, I think we'll have better cars. We'll have better software. And I think it's because a shift in, well, now I know any vulnerabilities that are found will be found. Now I do have the ability to use AI to inspect my code in a way that's meaningful.
[00:14:46] Now I do have the ability to be adversarially my own code base and reduce the overall classes of vulnerability. I genuinely believe that'll happen without a huge shift in cost. Maybe I'm wrong about the last part. But the point being is that I do believe this will drive us to be in a better place security-wise from the efforts. And maybe loss and death and dismemberment, as we see in the Industrial Revolution. Eventually, you had to put a lockout-tagout method that everybody had to lock.
[00:15:15] And if you didn't have your lockout, then we can't turn this machine back on because poor Bill got ground up one time back in that bucket. And so now we've got to do this. I mean, we joke, but that's how it starts. And so, yeah, poor Bill. God bless him. Stumpy's been around a minute, though, after that. But, you know, the point is lockout-tagout didn't happen in the beginning. And the Industrial Revolution caused a lot of people to be armless and legless. But at the end of it, we had much better reliability, much better safety, much better security.
[00:15:42] I would believe that we're positing, going through our own technical world and technology, we haven't gone through that yet. And code has been at the worst it's ever been. And it's going to get worse with now the ability to vibe code. We did this on stage, and Jason Slagle said, you know, now you vibe code your stuff. I can vibe code the bespoke vulnerabilities for your vibe coding stuff, right? Like, I can, you know what I mean? I'm going to find the vulnerabilities as one-off for you, just Chris's website. Well, so it's fun to do that, right?
[00:16:10] I actually did an experiment the other day. I was like, I didn't want to click on all the links on the web page, right? And yeah, there are tools out there that you can do page scraping. But by and large, good websites have gotten better at making it so that the download button is not the URL. It's some sort of JavaScript call that has an API to it to go and grab the URL. And I was like, I wonder if there's a way to, you know, if I do source code and do some like,
[00:16:36] or look at the whatever you call it, put it in dev mode and start looking at where the things are going. And in about five minutes, I had Claude build me a spreadsheet that pulled all the URLs that I was able to suck in as bookmarks for the entire website. And it took about, I think all in was 15 minutes. It would have taken me hours to get those bookmarks. Citizen development, but also in the same way, like, think about that. What would that would do if I was needing to use that for adversarial reasons, right? Same thing. Boom, done. Just as quick. So in a good way, we have about 10 minutes left.
[00:17:05] This is a good place to turn the corner and say, this is where the cybersecurity trust mark for GTIA may need an adjustment. But specifically, CIS top 18 control 16 application software security. I was thinking about this as you were talking.
[00:17:22] And I'm like, this new technology, this new model or new approach with Mythos and some of the others, this gives MSP the ability to also verify that the software is secure. Or at least at a tolerable level of risk based on the discovery that I've done myself. Or have that allowed others to do? You're saying like, because now I could scan software that I use on a daily basis or tools that I use on a daily basis? Yeah. Yeah.
[00:17:51] And I'm not saying that that's perfect, but like before. No, I'm asking. Five years ago, we couldn't. I just want to make sure before I go down this path. Yeah. Well, but you could. You had a certain people that could. Like, for example, Jason, I've mentioned a bunch of times, but I want to say to your point, there's democratization. Jason's been dipping the code for every automate release for the last, I don't know, forever that I've known him. He's found several. But there's only one Jason. And you think about this on the scale. I'm glad. I want to be careful. Sure.
[00:18:18] What I want to say is, at the same time, AI makes somebody that doesn't know what they're doing have the ability to be an idiot at high scale and cause problems. Yes. A great example. Like, are you DDoSing my system by doing these scans? I don't know what I'm doing. My bot's just trying to figure out what your subdomains are. Well, it seems like it's fuzzing every single domain I have, and we've hit every single rate limit, and it keeps changing.
[00:18:40] So just be careful to make sure that before you get on this path, which I'm not saying you shouldn't, that you have the approval and legal ability to do what you're about to do. And if you can't answer that question, then don't do what we're about to talk about. This is where this is about to get ugly for some people. Yeah, but I think there's something here, though, that I think I maybe I shouldn't have over. I kind of overly stated this. No, no. I just wanted this clarification on this one. Absolutely.
[00:19:07] But what I was thinking about is we know that MSPs are building software, especially now with AI. There's no way around building. Yeah. So now you're saying their own tools. Yeah. On their own tools was where I was going with this. Like, right. It's not just acquired software anymore. You're building software. You are truly building it almost daily. Here's the here's the litmus test question I would ask you for the trust mark. Am I especially as we change it? Am I a code producing entity?
[00:19:36] Is my client a code producing entity? If your client is a code producing entity, control 16 applies so much more now than it ever did before. To your point, if you as an MSP are a code producing entity, then it matters even much more than it did before. And that includes scripts. That includes stuff generated by your LLM. That includes all of the things. Yeah. So think about that for a minute. Like, let's think back to like when did Lovable show up? Right. And some of these other products, websites, Wix, et cetera.
[00:20:06] Yeah. And they are genuinely building code. Right. They're generating real code or they're harvesting it. Right. Right. But what's interesting about it today is that. Well, and that's the point of the point though. They're harvesting it, which means I can inject it and give it code that it thinks is good. Okay. Yes. Which by the way, that was actually just in the news. And in fact, I've seen some training videos around this now of like warning.
[00:20:35] Like when you go and ask Claude or fill in the blank for certain things, be careful that you're not validating what you're asking for before you go and say, yes, execute. Go ahead and make those changes. Because like, if you can't understand what the code says. They don't understand what it says. And I genuinely sometimes don't understand what it says. I'm not a programmer by default. I mean, I've had to muddle through it for various reasons, but I didn't do it. It goes to your point of being careful though. Yeah.
[00:21:02] Well, I think being questioning, looking at things, trying to understand, I'd say my growth has been massive in the last two years using tools. Sure. Like assistive coding tools and things. I do want to tackle two pieces though. One, yes, vendor tools, looking at them, asking their postures good. Two, if you are a code producing entity and you're an MSP, you must have the ability to deal with and do your own pen testing.
[00:21:25] And I would say additionally, whatever you expose to the internet, you might want to consider how sensitive it is because you're probably going to get destroyed. And you're going to have a fine. So I would advocate heavily for ZTNA and what you can do, hide things behind identity tunnels. There's so many ways to do that that still makes sense for so many different applications. So I'd stay there. But then the other piece is what can you do about an MSP when it comes to you're not a code producing entity and your clients aren't code producing entities? Let's take that off the table and speak about that Venn diagram.
[00:21:53] For that, for me, the answer that came off stage that was the loudest was anything you have exposed to the internet, you better be patching as fast as humanly, and even better autonomously, possible. You need to get patch windows that are fast. And then the other question is like the age old what enterprise talks about. If this is an enterprise person listening, I want you to understand the paradigm I'm speaking of is most of these are not code producing entities. They might have a server they're running because your company sold them some archaic shit and it still runs on a server instead of you SaaS-ifying it.
[00:22:23] That may be the case. And so I'm speaking towards those humans that own infrastructure and they're not in an as-a-service model that should be patching this for them. In that case, the question was asked is like, you know, normally we would have like, you know, if it's six and we do this, if it's five, we do this, and then we have a week or two weeks. You know, I'd say to that, the speed of time from POC to exploit is getting near negative. I believe there was somebody that said it was negative, which means that by the time the POC is out, it's already been exploited. Right.
[00:22:53] You just don't have an argument for a week. You don't have an argument for a week. Right. And somebody in the audience goes, what do I do? Just do patch theater and just patch it and do it quickly and know that's the way I'm going to do it? Pretty much, homie. Like, I hate saying this, but if you're not writing the code, your only thing you have in your control is the speed at which you patch. Yeah. And there's, I know you've seen some of these. I've seen at least three vendors.
[00:23:16] Some of them have actually been on the show where the product that they have is largely dependent on AI models that have been built to when they discover the vulnerability with, say, your AWS cloud server. However, it's automatically giving you either a path to tell it to yes, remediate or even going so far as depending on the types of vulnerabilities, you can group them and say, if it's in this category, yes, remediate. If not, isolate and alert me. That's trying to give some more intelligence to it.
[00:23:46] But now you're getting back to, and this is the problem that we were talking about on stage that day at AI is that the data isn't enriched. And the money that was actually going to that, there was already a couple of years behind on enrichment of CVSS to the CVEs or wasn't happening either. And so like it was already a scale problems. Now we're pulling back the money. Now we don't have the same thing. MITRE is already having problems with that. And you have CNA abuse and CVEs being not issued or held and all this crap.
[00:24:14] So I just don't know that I can trust that. And that's why we got to this conclusion of like, if you aren't a highly complex dependent upon lots and lots of variables like an enterprise player might be, and you're an MSP and SMB with simple exposed things, then anything exposed to the internet needs to be patched as soon as a patch is released, in my opinion. And I know that'll make people pissed. And that's a bad. I mean, you just don't understand patching, you idiot. I do. I would take that stance.
[00:24:40] And interestingly enough, if you think about this from a, to your point, like patching known vulnerabilities, the MSP has also been creating a shift over the last few years. And I thought it was kind of interesting when I kind of came to my own conclusion of like, we're now white labeling SOC services. Like the MSPs are like, oh yeah, we have a SOC. Clients are like, wow, awesome. Wait, you actually have a SOC?
[00:25:09] SOC, or you're outsourcing to a third party? This is kind of in that vein too. Early questionnaire view for some that aren't hearing this, but you saw that in an alleged questionnaire document we were working on that allegedly might be part of some quarterly survey of asking like, do you have MDR? Do you have SOC as a service? Do you have a dedicated internal team that manages that? Like we're trying to get into that clarification of like, what does your SOC look like?
[00:25:33] Because you have this problem where if, let's say, I have an MDR, but you don't have permission for them to take action other than potential basic containment. And they're not able to do other things that need to be done to actually contain and eradicate. So it's just a fire drill. Until you get the ticket and deal with it and take action, nothing happens. Then even if you get the ticket and don't understand it, can't act upon it, you don't have a clear path forward. So like I'm trying to ask, do you have somebody dedicated or a set of humans? Yeah.
[00:25:58] Dedicated that are there to take those when they get this interaction with an MDR, SOC as a service, other external player. My hope is that the level one space is obviously disappearing very rapidly. And I don't mean that people are disappearing from jobs necessarily, but I think it's a retraining of workforce to be able to do other things now that we can automate so much of that. That's for sure.
[00:26:23] Well, Matt, this has been a vulnerable episode to say the least. Ooh, I see what you did there. I see. No, no, no. I appreciate you coming on. We'll do it again soon. For those of you listening, this has been an episode of MSP 1337. Thanks and have a great week.