Hardware, API and network vulnerabilities have soared in the last year, according to new research by Bugcrowd. And not surprisingly, AI-assisted software development has been both a blessing and a curse — speeding up innovation while at the same time expanding the attack surface.
Bugcrowd’s analysis of data gleaned from global bug bounty and disclosure programs showed an 88% increase in hardware vulnerabilities as the number of IoT devices rose. Four out of five security researchers (81%) uncovered new hardware flaws during the year, while network vulnerabilities doubled and the number of API bugs rose by 10%.
Critical vulnerabilities continued to be worrisome — and Bugcrowd noted a 32% rise in payouts for these flaws.
Broken access control topped the categories of vulnerabilities, with a 36% increase noted during the year.
“The Bugcrowd report confirms what many of us are already seeing in real time: foundational issues like broken access control and sensitive data exposure remain at the top of the stack,” says Noma Security CISO Diana Kelley, “with critical vulnerabilities in those categories increasing by 36% and 42%, respectively.”
Kelley says what stands out to her “is how agentic AI will likely accelerate these patterns.”
Indeed, AI is speeding release cycles and creating gaps in security, access control and data protection. Kelley cites a hacker in the report who notes that “access control becomes harder to manage” as apps increase in complexity. “Agentic systems are definitionally complex and operate with autonomy, calling APIs, using tools and persisting memory,” she says. “If we don’t apply strong discovery, privilege boundaries, monitoring and access controls, agentic AI will increase these risks.”
As the landscape changes, the role of the CISO is shifting. The report notes that CISOs must now balance technical depth with the ability to align security with broader business goals.
“While the tightly coupled relationship between the IT and cybersecurity organizations is necessary and undeniable, there has been a shift in CISO reporting structures that leans toward the senior leader who is overall responsible for business risk,” says Bruce Jenkins, CISO at Black Duck. “The expanding and dynamic risk picture, along with changing reporting structures, creates new conversations around the role of the CISO and the part they play in articulating software and cybersecurity risk management strategies to customers, partners and prospects.”
With threats becoming even more complex, the report underscores just how important collective intelligence and continuous offensive security are to bolstering resilience.
“Earlier, the CISO was a technical role, and this year, we are seeing the role move towards a greater alignment with business enablement through agile and collaborative cyber practices, balancing risks and opportunities,” says Agnidipta Sarkar, chief evangelist at ColorTokens.
Sarkar believes that going forward, CISOs will continue to push business leaders to embed breach readiness and cyber-defense practices in business functions, making businesses breach-ready by design.
Cybersecurity-by-design will become more integrated in the fabric of an organization, supporting innovation, transformation and growth as CISOs attempt “to build immunity and resilience in digital operations across all possible points of breach and surfaces in the enterprise, be it at data centers, in OT, across cloud computing, be it old and legacy applications or the most modern ones,” Sarkar says.
That doesn’t mean CISOs will sacrifice technical acumen, though. “If anything, the technical capabilities will be leveraged to make the CISOs own the cybersecurity baton of the business for digital resilience,” he says, noting it will not be an easy journey and will require support from cyber defense evangelists. “However, that confluence of technology, risk and business acumen is the future of CISOs.”
John Watters, CEO and Managing Partner at iCounter, says, “It’s time to change the game.” CISOs, he explains, have long known that “their near infinite attack surface and open vulnerabilities presented an insurmountable problem” and they couldn’t “close every hole, patch every vulnerability, or protect against every type of attack.” As a result, their strategy became protecting their organizations against known threats based on bad actors’ reuse of attack methods and tools.
But that strategy no longer works now that “every attack vector is discoverable and exploitable by new and novel attack methods that have never been used before,” and everyone is “patient zero,” says Watters. “That’s a tough challenge — one we’re not prepared to address as an industry.”
Simultaneously, innovation is accelerating on the adversary front while innovation is stagnating amongst defenders, he says, noting that “roughly 53% of CISOs have flat to down budgets this year.”
Agility is a key component of the reimagination of defense in the modern age. Watters compares this new path to the post-9/11 environment, “when we were now faced with an amorphous terror threat, an unconventional warfare like we’ve never seen before.” He explains that “resources were channeled from traditional defenses to Special Operations with decision velocity and funding required to compete in the new reality,” which has been highly effective. “That’s what we must do today as cyber defenders,” Watters says.