Security Had It Backwards. This Is What Comes Next.

Jorge Monteiro

CEO, Ethiack

June 30, 2026

Most security teams are not losing to sophisticated attackers. They are losing because they have always been solving the wrong problem.

The industry built tools that see. Dashboards that aggregate. Platforms that map attack surfaces and generate findings by the thousand. Visibility became the priority. The industry got better at it. But better at seeing is not the same as better at knowing what matters. The assumption was that if you could see everything, the rest would follow.

It didn't.

Seeing a vulnerability and proving an attacker can exploit it are two different things. The gap between them is where most security programs stall. It is also where attackers move freely. And for too long, the industry called that gap acceptable, because proving exploitability at scale is genuinely hard (flagging potential risk is much easier) and, at scale, there was still time between discovery and exploitation.

That trade-off is no longer acceptable. The exploitation window has collapsed. What used to take months now takes days. Sometimes hours. The tools built for a world where you had time to review weekly reports and schedule quarterly pentests are structurally mismatched to the threat environment of 2026.

Security had it backwards. Proof should have come before volume.

What the market got right and what it missed

Visibility was the right place to start. You cannot defend what you cannot see. The first generation of security tooling did important work: discovering assets, mapping attack surfaces, building the foundations of continuous monitoring.

Then came the findings.

Scanners got better at detection. They got very good at it. Today, most organisations have more findings than their teams can meaningfully process. Critical vulnerabilities stack up by the hundreds. Severity scores pile on. Dashboards fill with red.

And most of those findings do not require your team's attention at all.

Not because they are not real vulnerabilities. They are. But a vulnerability that exists in your environment is not the same as a vulnerability that an attacker can exploit in your environment. The distinction sounds technical. The consequences are not. When your team cannot tell the difference, they spend their best hours reviewing findings that will never be weaponised, while the ones that will be weaponised sit in the queue.

A concrete example makes this tangible. A web server running an outdated library might carry a CVE with a critical severity score. Every scanner in the market will flag it. But if that library's vulnerable function is never called in production, if the service runs behind a network boundary that blocks external access, or if an authentication layer sits in front of the attack path, the vulnerability exists on paper and nowhere else. An attacker cannot reach it. Your team, however, still has to review it, triage it, assign it, track it, and eventually close it. Multiply that by hundreds of findings per week and you have a security program that is mostly working for its tools rather than working against real risk.

The industry solved detection. It never solved exploitability. It gave security teams more signal without giving them a way to tell the signal from the noise. Across our clients, 90% of what traditional scanners flag never requires action. Nine out of ten findings reviewed, triaged, and assigned for nothing. And so organisations ended up with a different problem than the one they started with: not too little visibility, but too little proof.

You don't need more findings. You need to know what attackers can exploit right now.

See. Test. Act.

This is not a tagline. It is the framework of how offensive security has to work if it is going to keep pace with the threat landscape.

See means continuous, live mapping of your entire attack surface: external, internal, cloud, third-party. Not a point-in-time snapshot. A permanent, accurate picture of what is exposed and reachable, updated as your environment changes.

Test means validating exploitability, not just detecting potential risk. It means reasoning like an attacker: building exploit chains, testing authentication flows, and discovering vulnerabilities that have no CVE because your environment has custom logic that no scanner was trained on. It means proof of exploitation, not probability scores.

Act means having the intelligence to prioritise and remediate what matters, the metrics to show your posture is improving over time, and the autonomy to move without waiting on a vendor team to schedule the next engagement.

Each of these is necessary. None of them is sufficient on its own. The gap between See and Test is where false positives accumulate. The gap between Test and Act is where validated findings sit in a queue while the exploitation window stays open.

The response we built

Ethiack was built around a single conviction: that proof has to come before volume, and that continuous has to replace periodic. Not because those are appealing product characteristics but because the threat environment demands them.

That conviction has not changed. What has changed is the scale at which we can deliver on it, and the clarity with which the platform now surfaces what the engine has always found.

We have known for years what the trajectory looked like. Exposure timelines collapsed. AI is accelerating attacker tooling at a pace that makes scheduled testing structurally obsolete. Attack surfaces are growing faster than any team can track manually. Adversarial exposure validation (continuous, proof-based, autonomous) was our answer to that trajectory, while the market was still defining the problem.

The new Ethiack portal and website that we are releasing today are the expression of that conviction at full scale. Not a change of direction but a change of resolution. The engine has not changed. What changed is how clearly it now surfaces what it has always found: risk posture you can track over time, exploit timelines that replace probability with proof, and the ability to launch a pentest without waiting on our team.

This is not a product update. It is the platform finally matching the conviction we have always operated from, and the one the market now requires.

What security looks like from here

The organisations that will manage risk effectively in the next three years are not the ones with the most tools. They are the ones who can answer three questions with confidence on any given day:

What is exposed in our environment right now?

What can an attacker actually exploit?

Are we measurably safer than we were last month?

Those questions map directly to what security programs have always needed and rarely had: visibility into the full attack surface, validation of what is actually exploitable, and velocity to act before the window closes. See. Test. Act. Not as a sequence you run once a quarter. As a continuous loop that runs at the speed of your environment.

The organisations that build security programs around that loop, not around periodic testing, not around severity scores, not around compliance calendars, are the ones that will be able to answer those three questions with confidence. Not because they have more tools. Because they have the right model.

That is what we are building. Today is a significant step. It is not the last one.

If your team is trying to answer those three questions, I would invite you to see what our approach finds in your environment.