Project QuiltWorks and the Next Phase of Threat Exposure Management


June 17, 2026

Managing Cyber Exposure at AI Speed

The next phase of Threat Exposure Management by Gayathri Kunapuli

Executive Takeaways

  • AI accelerates the clock while reinforcing the fundamentals. Security leaders still need inventory, ownership, prioritization, remediation and verification; those capabilities now need to operate on compressed timelines.
  • Discovery is becoming abundant. Remediation velocity is becoming a scarce resource. The ability to prioritize what matters, assign owners, apply remediation and demonstrate that risk has decreased will shape resilience.
  • Threat Exposure Management (TEM) is shifting from a security workflow to an enterprise-risk discipline. CISOs, CFOs, General Counsel, CROs and boards need a shared view of exposure, financial impact, legal posture, ownership and evidence.
  • Regulators are emphasizing evidence and accountability. The expectations center on governance, resilience, disclosure readiness, third-party oversight, documentation and defensible decisions.
  • The focus for security teams is shrinking the exposure window. Prioritize the paths that can affect the business and reduce those exposures before attackers can operationalize them.

Summary

AI is changing the economics of vulnerability discovery. What once required specialized research teams, significant time and bespoke tooling is becoming faster, more repeatable and increasingly available through frontier models, agentic workflows and AI-assisted security research.

Recent announcements make that shift concrete. Anthropic's release of Claude Fable 5 and Claude Mythos 5, along with its Project Glasswing update, shows how advanced cyber-reasoning capabilities are moving from research demonstrations into operational defensive use cases.

CrowdStrike's Project QuiltWorks, with Kroll among the initial partners, was built for the next step: helping organizations assess, prioritize and remediate AI-discovered vulnerabilities in production code.

In our conversations with clients since the Project Glasswing and Project QuiltWorks announcements, the question has moved from “What does this mean?” to “How do we operationalize the response?”


What Recent Developments Change for Leaders

  • Frontier cyber capability is becoming operational. Fable 5 and Mythos 5 reinforce that advanced reasoning, code analysis and tool-use capabilities are moving into real-world defensive workflows.
  • Project Glasswing is generating increased patch activity. Anthropic's initial update reported thousands of vulnerabilities across partner estates and open-source software. Microsoft has released substantially higher volumes of patches compared with the same period last year.
  • The threat landscape is already heavy with vulnerabilities. Verizon's 2026 DBIR reported that 31% of breaches began with a software vulnerability. Kroll's State of Resilience report found that 36% of organizations acknowledge gaps in how threats are prioritized, with 51% citing differing risk tolerance as the leading cause.
  • Regulators are converging on evidence and accountability. SEC disclosure rules, NIST AI risk guidance, CISA/NSA guidance on agentic AI, UK financial-regulator statements on frontier AI and DORA-style resilience expectations all point toward defensible governance, documentation, third-party oversight and proof of operational resilience.
  • AI-enabled systems are expanding the exposure surface. Public AI tools, embedded AI features, copilots, agents, model access, non-human identities, context stores and AI-assisted software development now need to be visible in exposure management programs.

From Discovery Speed to Remediation Velocity

AI-enabled discovery will increase the volume, speed and specificity of findings entering the enterprise risk system. For many organizations, the constraint will shift from identifying issues to deciding what action is required, who owns it, how quickly it should be funded, whether compensating controls are acceptable and how closure will be verified.

That shift elevates exposure management from a security workflow to an enterprise risk discipline. CISOs, CFOs, General Counsel, CROs and boards all need a shared operating model for determining which exposures require remediation, mitigation, risk acceptance, transfer, disclosure or continued monitoring.

A common operating model includes the following activities:

  • Find: identify exposure across infrastructure, cloud, SaaS, applications, APIs, identities, third parties, open source and AI-enabled workflows.
  • Contextualize: determine reachability, exploitability, attack paths, privilege impact, business criticality and compensating controls.
  • Decide: choose remediation, mitigation, transfer, risk acceptance, disclosure or monitoring, with named owners and documented rationale.
  • Act: fund and execute the fix or mitigation through infrastructure, application, cloud, identity, vendor and business owners.
  • Prove: verify that the exposure was closed or meaningfully reduced through retesting, control validation and evidence capture.
  • Report: translate residual exposure, accepted risk, ageing and investment needs into language executives and boards can use.

The Exposure Window is a Business and Resilience Problem

In many organizations, the vulnerability backlog already exceeds remediation capacity. Additional AI-led discovery can improve visibility but also increases pressure on prioritization, remediation and risk management processes.

TEM connects exposure discovery to business context, real-world exploitability, remediation capacity, validation and executive reporting. The discipline helps leaders focus on the exposures that can affect operations, customers, regulated data, revenue or resilience.

AI-driven vulnerability discovery has moved beyond a tactical security issue. The exposure decisions it creates have operational resilience, financial, legal and governance consequences.

Leader: CISO
  They should ask: Which exposures can an attacker realistically reach, chain and exploit? Where does remediation stall?
  TEM should produce: Threat-informed prioritization, ownership, mitigation plans, verification evidence and operational metrics.

Leader: CFO
  They should ask: What is the potential financial impact? What investment reduces it most? Where are we paying for activity rather than risk reduction?
  TEM should produce: Financial exposure scenarios, remediation capacity analysis, risk-reduction options and investment trade-offs.

Leader: General Counsel / CRO
  They should ask: What is material? What needs disclosure or notification? Who accepted the risk and what evidence supports the decision?
  TEM should produce: Governance and risk management records, aging, disclosure and notification playbooks, third-party obligations and defensible documentation.

Leader: Board / Audit or Risk Committee
  They should ask: Are we exposed in ways that matter to operations, customers, regulated data, revenue or resilience?
  TEM should produce: Plain-language reporting on exposure trends, verified closure, accepted risks, residual exposure and investment decisions.

What Good Looks Like

A strong TEM program operates as a loop: identify exposure, add threat and business context, prioritize what matters, drive mitigation, validate the outcome and report progress in a way leaders can use.

Useful metrics include scanner and asset coverage, exploitable critical backlog age, mean time to remediate by severity and business criticality, SLA compliance, exception aging, verified closure rate, assets without an accountable owner, third-party and open-source exposure, AI service and agent inventory, non-human identity permissions, patch-wave readiness and financial exposure reduction.
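To make the Contextualize/Decide steps of the operating model above and several of these metrics concrete, here is an added Python example (not code from Kroll, CrowdStrike or the article) that runs a decision rule over a constructed set of findings and computes exploitable critical backlog age, verified closure rate, assets without an accountable owner and mean time to remediate by severity. The `Finding` fields, the sample records and the decision thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional
@dataclass
class Finding:
    fid: str
    asset: str
    owner: Optional[str]          # None = no accountable owner
    severity: str                 # "critical", "high", "medium"
    reachable: bool               # an attacker can reach the weakness
    exploited: bool               # known real-world exploitation activity
    critical_asset: bool          # business-critical system
    compensating_control: bool    # an existing control already reduces impact
    opened: int                   # day number the finding entered the backlog
    closed: Optional[int] = None  # day number closed, None while open
    verified: bool = False        # closure confirmed by retest / control validation

# Constructed sample findings (day numbers, not real data).
FINDINGS = [
    Finding("F1", "pay-api", "app-team", "critical", True, True, True, False, 0),
    Finding("F2", "hr-portal", None, "critical", True, False, False, True, 5),
    Finding("F3", "lab-vm", "infra", "high", False, True, False, False, 2, 9, True),
    Finding("F4", "pay-api", "app-team", "high", True, True, True, False, 1, 4, False),
    Finding("F5", "agent-runner", "ai-platform", "medium", True, False, True, False, 20),
]

def decide(f: Finding):
    """Contextualize -> Decide: map a finding to an action and flag missing ownership."""
    if not f.reachable:
        action = "monitor"              # unreachable: watch, do not spend remediation capacity
    elif f.exploited and f.critical_asset:
        action = "remediate"            # exploited in the wild on a critical asset: fix first
    elif f.compensating_control:
        action = "mitigate"             # rely on the existing control, track it as an exception
    else:
        action = "remediate" if f.severity in ("critical", "high") else "monitor"
    return action, f.owner is None      # (decision, needs_owner)

def metrics(findings, today: int):
    open_ = [f for f in findings if f.closed is None]
    closed = [f for f in findings if f.closed is not None]
    exploitable_crit = [f for f in open_ if f.severity == "critical" and f.reachable and f.exploited]
    mttr = {sev: mean(f.closed - f.opened for f in closed if f.severity == sev)
            for sev in {f.severity for f in closed}}
    return {
        "exploitable_critical_backlog_age": max((today - f.opened for f in exploitable_crit), default=0),
        "verified_closure_rate": sum(f.verified for f in closed) / len(closed) if closed else 0.0,
        "unowned_open_assets": sorted({f.asset for f in open_ if f.owner is None}),
        "mttr_by_severity": mttr,
    }
```

Run on the sample set at day 30, the oldest open, reachable, exploited critical finding has sat for 30 days, only half of closed findings were verified, and one open finding has no owner, which is the kind of signal the Report step carries to executives.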

High-performing organizations will move beyond patching faster. They will widen visibility, prioritize based on real-world attacker behavior, tighten remediation partnerships, validate outcomes and build enough governance to make fast decisions safely. In plain terms, they will move exposure management closer to AI speed while preserving the human accountability that enterprise risk decisions require.

What Executives Can Do Now

Immediate

  • Align security, legal, finance, risk and business leaders on how exposure decisions will be made and escalated.
  • Establish a shared view of critical exposures, accountable owners and business impact.
  • Review how AI-enabled systems, agents, third parties and non-human identities are captured in existing risk processes.
  • Connect exposure management with incident response, crisis management and disclosure planning.
  • Identify where remediation, mitigation or risk acceptance decisions are slowing down.


Near-term

  • Evolve prioritization to include exploitability, attack paths, business impact, resilience impact and mitigation options.
  • Strengthen the operating model for exposure management, including ownership, escalation, governance and executive reporting.
  • Test how quickly the organization can respond to a high-impact exposure across security, IT, legal, finance and the business.
  • Refresh incident response, Business Continuity Planning (BCP) and Disaster Recovery (DR) planning for AI-enabled systems, third-party dependencies and accelerated exploitation scenarios.
  • Develop board-level reporting that shows exposure reduction, decision quality, accepted risk and remediation capacity.

How Kroll Can Help

Kroll helps organizations move from awareness to action. We help leaders determine where they are exposed, what attackers can realistically reach, which risks require immediate remediation or mitigation and how to prove that exposure has been reduced.

Our work starts with a practical TEM readiness assessment that baselines visibility, prioritization, remediation capacity, governance, reporting and investment needs. From there, Kroll helps clients conduct targeted AI exposure reviews across AI-assisted development, agents, codebases, identity, cloud and data flows; prioritize exposures based on real-world threat activity and business impact; execute remediation sprints against the highest-risk paths; translate technical exposure into board-ready enterprise risk reporting; and validate that corrective actions reduced risk.

As part of Project QuiltWorks, Kroll is working with CrowdStrike to combine technology-enabled discovery, adversary-informed prioritization and guided remediation with Kroll’s practical consulting, incident response, regulatory, AI risk and remediation expertise.

The goal is clear: help clients identify where they are exposed, act on the exposures that matter most and demonstrate measurable risk reduction.

Stay Ahead with Kroll

Cyber and Data Resilience

Kroll merges elite security and data risk expertise with frontline intelligence from thousands of incident responses and regulatory compliance, financial crime and due diligence engagements to make our clients more cyber-resilient.