Skip to content

UPCOMING WEBINAR:

BOD 26-04: The Directive Your Board and Auditors Will Ask About

CISA's answer to AI-driven attacks and what it means for you.

  • Speaker: Steve Cobb, Field CISO at Zafran 

  • Webinar Date/Time: Tuesday, July 14 @ 1pmET

Frontier AI models like Mythos have been shaking up cybersecurity for months, accelerating how fast attackers move from a disclosed vulnerability to a working exploit. For most security leaders, the hard part has been separating what's real from what's hype.

On June 10, 2026, CISA made it concrete. Binding Operational Directive 26-04 names AI-accelerated exploitation as its core rationale and turns it into a binding requirement, retiring CVSS-only scoring and the patch-everything model in favor of a four-question, risk-based framework. Federal civilian agencies have until August 10, 2026 to comply, and it’s only a matter of time before regulated industries will be measured against the same bar.

Join our Field CISO Steve Cobb on July 14 @1pm ET for a practical breakdown of what replaces patch-everything and what to do about it now.

In this session, you'll learn:

  • Why the disclosure-to-exploit window has collapsed from weeks to hours, and why "patch everything" no longer works

  • The four questions BOD 26-04 uses in place of a single CVSS score, and the new remediation deadlines they set

  • How to substitute mitigations for patching to buy time

  • Why this directive matters to you even if you're not a federal agency 

  • Practical steps to take now in your VM program 

Speaker

Moderator

Steve-Cobb

Steve Cobb

Field CISO
Zafran
1773235635631

Molly Small

Director, Product Marketing
Zafran