On June 22, the heads of six cybersecurity agencies across the Five Eyes signed the same statement. These agencies publish together often. Almost always it's a technical advisory: indicators of compromise, ATT&CK mappings, detection rules, mitigation steps, tied to a named attacker or campaign and built for the people defending the network.
This one's different. Two pages, no indicators, no detection guidance, no classified sources. It's written for boards, not defenders: "cyber risk can no longer be treated as a purely technical issue." And it's signed by name. All six agency heads: the NSA, CISA, the UK's NCSC, Australia's ASD, Canada's CSE, and New Zealand's GCSB. When that group skips the analysts and writes straight to executives, pay attention. The message is short. The gap between a vulnerability going public and getting exploited is shrinking, and AI is why. "The timeline," they write, "is not years, it is months."
What they said
The statement is short and worth reading in full. The argument: AI is speeding up attacks faster than it's helping defenders, cybersecurity is a business risk the board owns and not just an IT problem, and leaders should act in months, not years. It gives five things to do: shrink your attack surface, patch faster, retire legacy systems, tighten identity and access, and practice your incident response before you need it.
None of the five are new. The agencies say so. What changed is the clock.
Not more tools
Success will not come from having the most tools. It will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy.
The security market sells a new category every quarter. Here are six national cybersecurity agencies telling boards that more software isn't the answer. The basics are: patch, shrink the attack surface, retire legacy, tighten identity, practice. It's an unglamorous list, and they're betting it does more for you than the next product launch, as long as you do it fast.
Teams have always known what to do. The hard part now is doing it fast enough.
Speed breaks the old way of ranking risk
Most teams decide what to fix first with a score set the day a vulnerability is disclosed, usually the CVSS base score, checked against an asset inventory. Both are snapshots. They worked fine when the gap from disclosure to exploitation was months. A score you set on Monday was still about right on Friday.
When exploitation shows up in hours, that score is stale before your maintenance window opens. The picture you ranked against has already moved.
This isn't a knock on the teams or tools that built that model. It worked for a decade. One input changed: time got shorter. Plenty of smart people are rebuilding around that. Exploit prediction, reachability analysis, and the broader CTEM (continuous threat exposure management) shift are all answers to the same pressure the Five Eyes just named. The problem is real and a lot of people feel it. We're not the only ones aiming at it.
A score set on day one can't keep up with a clock like that. What keeps up is what adversaries are doing right now: what they're exploiting, who's running it, and whether companies like yours are getting hit this week.
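To make the contrast concrete, here is an added example (not code from this post and not Mallory's model) of a backlog ranked two ways: once by the disclosure-day CVSS score alone, and once by a score that folds in what is being exploited now and whether the affected asset is reachable. The findings, the exploitation feed, the `vuln-*` placeholder identifiers and every weight are constructed assumptions for illustration; the shape is what matters, not the numbers.

```python
"""Added example: re-rank a vulnerability backlog on live exploitation evidence.

Everything here is constructed for illustration. The findings, the
exploitation events and the weights are assumptions, not any vendor's model,
and the vuln-* identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # placeholder identifier, not a real CVE
    cvss: float           # base score as published on disclosure day
    asset: str
    internet_facing: bool
    legacy: bool          # unsupported software with no vendor patch path


@dataclass(frozen=True)
class ExploitEvent:
    vuln_id: str
    kind: str             # "poc" = public proof of concept, "itw" = seen in the wild
    seen: datetime


# Assumed weights. Recent in-the-wild exploitation dominates everything else.
EXPLOIT_WEIGHT = {"itw_recent": 3.0, "itw_old": 2.0, "poc": 1.5, "none": 1.0}


def exploit_state(vuln_id, events, now, window):
    """Collapse a feed of events into one state for this finding as of `now`."""
    seen = [e for e in events if e.vuln_id == vuln_id and e.seen <= now]
    if any(e.kind == "itw" and now - e.seen <= window for e in seen):
        return "itw_recent"
    if any(e.kind == "itw" for e in seen):
        return "itw_old"
    if any(e.kind == "poc" for e in seen):
        return "poc"
    return "none"


def static_rank(findings):
    """The snapshot model: order by the disclosure-day score and nothing else."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: (-f.cvss, f.vuln_id))]


def live_score(finding, events, now, window=timedelta(days=14)):
    """CVSS scaled by current exploitation state and by how reachable the asset is."""
    state = exploit_state(finding.vuln_id, events, now, window)
    exposure = 1.5 if finding.internet_facing else 1.0
    if finding.legacy:
        exposure *= 1.2   # no patch path: needs isolation or retirement, so it cannot wait
    return finding.cvss * EXPLOIT_WEIGHT[state] * exposure


def live_rank(findings, events, now, window=timedelta(days=14)):
    """Order by what adversaries are doing now; re-run whenever the feed changes."""
    ordered = sorted(findings, key=lambda f: (-live_score(f, events, now, window), f.vuln_id))
    return [f.vuln_id for f in ordered]


# Constructed sample inventory and exploitation feed.
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)
FINDINGS = [
    Finding("vuln-a", 9.8, "db-01",  internet_facing=False, legacy=False),
    Finding("vuln-b", 7.5, "vpn-gw", internet_facing=True,  legacy=False),
    Finding("vuln-c", 8.1, "web-01", internet_facing=True,  legacy=False),
    Finding("vuln-d", 6.5, "hr-app", internet_facing=False, legacy=True),
]
EVENTS = [
    ExploitEvent("vuln-b", "itw", NOW - timedelta(days=2)),   # actively exploited this week
    ExploitEvent("vuln-c", "poc", NOW - timedelta(days=5)),   # public PoC, no sightings
    ExploitEvent("vuln-d", "itw", NOW - timedelta(days=60)),  # exploited, but two months ago
]


def demo():
    """Return (static order, live order now, live order after a new sighting)."""
    before = live_rank(FINDINGS, EVENTS, NOW)
    # A day later the feed reports in-the-wild exploitation of vuln-a.
    later = NOW + timedelta(days=1)
    after = live_rank(FINDINGS, EVENTS + [ExploitEvent("vuln-a", "itw", later)], later)
    return static_rank(FINDINGS), before, after


if __name__ == "__main__":
    static, live_now, live_later = demo()
    print("static :", static)      # vuln-a first: highest CVSS, nobody exploiting it
    print("live   :", live_now)    # vuln-b first: lower CVSS, exploited and internet-facing
    print("updated:", live_later)  # vuln-a jumps to second the day a sighting lands
```

The static list puts the internal 9.8 at the top and the internet-facing 7.5 that is being exploited this week in third place; the live list inverts that, and a single new feed entry the next day moves an item up three places without anyone re-scoring it by hand. That recompute-on-every-event loop, rather than these particular weights, is the part that keeps pace with a clock measured in hours.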
Use AI to decide, not just to automate
The sharpest line for defenders is one most coverage will skip. The agencies don't just warn that attackers have AI. They tell defenders to use AI, in their words, "deliberately to strengthen defence," "not just improve efficiency."
That's the part that matters. So far, most AI in security has gone toward efficiency: summarize the alert, draft the report, write the rule faster. That's useful, but it only speeds up work you're already doing. The harder job is deciding. Out of everything happening this hour, what should the team touch first? That's a judgment call under time pressure, and it's where AI earns its keep on defense: helping a team get the order of operations right when there's no time to work it out by hand.
Where we fit
We made this bet at Mallory before the statement existed. We start from what adversaries are doing and work back to your exposure: pulling proofs of concept, exploitation reports, detections, and actor campaigns from thousands of sources, lining them up against your environment, and surfacing what to act on now. The old model isn't wrong. It just assumes a clock that no longer holds, and the clock the Five Eyes describe needs a way to rank risk that moves as fast as it does.
We're not the only ones who'll get there. We do think we're pointed straight at it, and we built the data model for it.
The posture is right
The agencies close by asking leaders, vendors included, to act now and work together. That's the right call, and six signatures make it land. The window is real and it's still closing. The teams that come out ahead will get the basics done fast and let live adversary activity set the order of the work, instead of a score that froze on the day the CVE dropped.
- jcran