On June 22, the heads of six cybersecurity agencies across the Five Eyes signed the same one-page statement. These agencies publish together often. Almost always it is a technical advisory: indicators of compromise, ATT&CK mappings, detection rules, mitigation steps, tied to a named attacker or campaign and built for the people defending the network.
This one is different. Two pages, no indicators, no detection guidance, no classified sources. It is written for boards, not defenders: "cyber risk can no longer be treated as a purely technical issue." And it is signed by name. All six agency heads: the NSA, CISA, the UK's NCSC, Australia's ASD, Canada's CSE, and New Zealand's GCSB. When that group writes to executives instead of analysts, the form is the message. And the message is short. The gap between a vulnerability going public and getting exploited is shrinking, and AI is why. "The timeline," they write, "is not years, it is months."
What they said
The statement is short and worth reading in full. The argument: AI is speeding up attacks faster than it is helping defenders, cybersecurity is now a business risk the board owns and not just an IT problem, and leaders should act in months, not years. It gives five things to do: shrink your attack surface, patch faster, retire legacy systems, tighten identity and access, and practice your incident response before you need it.
None of the five are new. The agencies say so. What changed is the clock.
Not more tools
"Success will not come from having the most tools. It will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy."
Read that again. The security market sells a new category every quarter. Here are six intelligence agencies telling boards the answer is not more software. It is the basics, done faster. Patch. Shrink the attack surface. Kill legacy. Tighten identity. Practice. The list is boring on purpose. Their bet is that the boring list, done fast, beats the shopping list.
The hard part was never knowing what to do. It is the speed.
Speed breaks the old way of ranking risk
Start from first principles. Most teams decide what to fix first with a score set the day a vulnerability is disclosed, usually CVSS, checked against a list of what they own. Both are snapshots. Both worked fine when the gap from disclosure to exploitation was months. A score you set on Monday was still about right on Friday.
When exploitation shows up in hours, that score is stale before your maintenance window opens. The picture you ranked against has already moved.
This is not a knock on the teams or tools that built that model. It worked for a decade. One input just changed: time got shorter. Plenty of smart people are rebuilding around that. Exploit prediction, reachability analysis, and the whole CTEM shift are all answers to the same pressure the Five Eyes just named. The problem is real, and a lot of people feel it. We are not the only ones aiming at it.
The signal that keeps up with a shrinking clock is not a score set on day one. It is what adversaries are doing right now: what they are exploiting, by whom, against companies like yours, this week.
Use AI to decide, not just to automate
The sharpest line for defenders is one most coverage will skip. The agencies don't just warn that attackers have AI. They tell defenders to use AI, in their words, "deliberately to strengthen defence," "not just improve efficiency."
That difference is the whole game. So far, most AI in security has been about speed: summarize the alert, draft the report, write the rule faster. Useful, but it only speeds up work you already do. The harder and more valuable job is deciding. Out of everything happening this hour, what should this team touch first? That is a judgment call under time pressure. It is where AI earns its place on defense, not by doing the work faster, but by getting the order right.
Where we fit
This is the bet we made at Mallory before the statement existed. We start from what adversaries are doing and work back to your exposure. We pull proofs of concept, exploitation reports, detections, and actor campaigns from thousands of sources, line them up against your environment, and surface what to act on now. The old model is not wrong. The point is that the clock the Five Eyes just described needs a way to rank risk that moves as fast as the clock does.
We are not the only ones who will get there. We do think we are aimed straight at it, and we built the data model to hit it directly.
The posture is right
The agencies close by asking leaders, vendors included, to act now and work together. That is the right call, and six signatures make the point. The window is real, measured in months and still shrinking. The teams that come out ahead will get the basics done fast, and let what adversaries are actually doing, not a score frozen on day one, set the order of the work.
- jcran