UPCOMING WEBINAR:
BOD 26-04: The Directive Your Board and Auditors Will Ask About
CISA's answer to AI-driven attacks and what it means for you.
-
Speaker: Steve Cobb, Field CISO at Zafran
- Webinar Date/Time: Tuesday, July 14 @ 1pmET
Frontier AI models like Mythos have been shaking up cybersecurity for months, accelerating how fast attackers move from a disclosed vulnerability to a working exploit. For most security leaders, the hard part has been separating what's real from what's hype.
On June 10, 2026, CISA made it concrete. Binding Operational Directive 26-04 names AI-accelerated exploitation as its core rationale and turns it into a binding requirement, retiring CVSS-only scoring and the patch-everything model in favor of a four-question, risk-based framework. Federal civilian agencies have until August 10, 2026 to comply, and it’s only a matter of time before regulated industries will be measured against the same bar.
Join our Field CISO Steve Cobb on July 14 @1pm ET for a practical breakdown of what replaces patch-everything and what to do about it now.
In this session, you'll learn:
-
Why the disclosure-to-exploit window has collapsed from weeks to hours, and why "patch everything" no longer works
-
The four questions BOD 26-04 uses in place of a single CVSS score, and the new remediation deadlines they set
-
How to substitute mitigations for patching to buy time
-
Why this directive matters to you even if you're not a federal agency
-
Practical steps to take now in your VM program
Speaker
Moderator

Steve Cobb
Field CISO
Zafran
