Your Frameworks Passed the Audit. Your Defenses Failed the Clock.
Every year, security teams across the world complete their NIST CSF assessments, renew their ISO 27001 certifications, and report green on their COBIT dashboards. Every year, the same teams get breached. The uncomfortable truth is that these two facts are not contradictory but reflect the disconnect between the systemic approach of traditional frameworks and the “controlled chaos” of real-world cybersecurity. The foundational frameworks upon which most governance and compliance systems are based were designed for a threat landscape that no longer exists.
NIST CSF was first published in 2014. ISO 27001 was substantially revised in 2013 and updated in 2022. COBIT 2019 reflects governance thinking from the same decade. All of them were designed, and later supplemented by industry consortia, around a set of assumptions about how adversaries operate. Those assumptions were reasonable at the time, but they are structurally inadequate for today’s threat landscape.
Key Failings of Traditional Control Frameworks
Time Compression: The traditional frameworks assume human-speed adversaries. The 2014 threat model imagined attack cycles measured in days or weeks, long enough for human escalation chains to act and for quarterly assessments to reflect actual capability. In 2025, the average adversary breakout time (the interval between initial access and lateral movement) fell to 29 minutes, according to CrowdStrike’s 2026 Global Threat Report. The fastest recorded breakout was 27 seconds. The attack is over before the next scheduled check.
Identity as an Attack Surface: The frameworks assume identity is a binary gate. Valid credential equals trusted session. MFA plus least-privilege forms the perimeter. The Verizon 2025 Data Breach Investigations Report found that 88% of basic web application attacks used stolen credentials. The IBM X-Force Threat Intelligence Index 2025 found that valid account abuse was the initial access vector in 30% of all incidents. The gate model fails when the attacker already has the key.
“As someone who has led an Audit practice, our expectation of access management controls was ensuring management performed a quarterly re-certification of user access and ensuring that the findings identified in the previous quarter had been actioned…this wasn’t a very effective control then, and it certainly isn’t an effective control now,” says David Malcom, Cybersecurity Practice Lead at In Balance. “The threats are using valid credentials and moving (if they choose) in minutes.”
Speed vs. Human Intervention: The frameworks assumed that human defenders, working through SIEM correlation rules, analyst triage, and escalation chains, would intercept intruders in time. That assumption fails against attackers who enter with valid credentials, lie in wait, then move laterally and run reconnaissance through exfiltration at machine speed, before an analyst can respond.
The metrics are real, and so are the threats. You cannot document your way out of a timing gap. If your mean time to contain is four hours and an adversary’s kill chain completes in four minutes, no control framework revision closes that gap. It is a physics problem that requires operational solutions, and those solutions are (at least in part) the agentic capabilities required to detect and respond at the speed the adversary actually moves.
What Adaptive Defense Does Differently
Adaptive Defense recognizes that there is no “steady state” in cybersecurity. The investment organizations have made in traditional frameworks (NIST, ISO, COBIT) has value, but those control frameworks need to be extended and activated by mapping every framework control to real-time operational capabilities that operate at adversarial speeds rather than audit cadence.
The prime directive for any security leader should not be “are we compliant?”, but “at current mean time to contain, how many adversarial kill chains complete in our environment in a 24-hour window before we intercept them?” Most organizations have never answered that question. The answer, when measured, is the business case for everything that follows.
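To make that question concrete, here is an added example (not code from the original post or from In Balance) that computes the metric from an incident timeline: breakout time per intrusion, mean time to contain, the kill chains that reached their objective before containment in a 24-hour window, and the projection of how many would complete at the current MTTC. The incident records are constructed sample data; the choice to measure MTTC from initial access to containment is an assumption made here so the figure is directly comparable with kill-chain duration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Incident:
    """Key timestamps of one intrusion, as recorded on the incident timeline."""
    name: str
    initial_access: datetime
    lateral_movement: Optional[datetime] = None   # first lateral move observed
    objective_reached: Optional[datetime] = None  # exfiltration or impact observed
    contained: Optional[datetime] = None          # attacker access cut off


def breakout_minutes(inc: Incident) -> Optional[float]:
    """Breakout time: initial access to first lateral movement, in minutes."""
    if inc.lateral_movement is None:
        return None
    return (inc.lateral_movement - inc.initial_access).total_seconds() / 60


def in_window(incidents: List[Incident], start: datetime, end: datetime) -> List[Incident]:
    """Incidents whose initial access falls inside [start, end)."""
    return [i for i in incidents if start <= i.initial_access < end]


def mean_time_to_contain(incidents: List[Incident]) -> Optional[timedelta]:
    """Assumption: MTTC is measured from initial access to containment."""
    contained = [i for i in incidents if i.contained is not None]
    if not contained:
        return None
    total = sum((i.contained - i.initial_access for i in contained), timedelta())
    return total / len(contained)


def completed_before_intercept(incidents: List[Incident]) -> List[str]:
    """Kill chains that reached their objective before containment (or were never contained)."""
    names = []
    for i in incidents:
        if i.objective_reached is None:
            continue
        if i.contained is None or i.objective_reached < i.contained:
            names.append(i.name)
    return names


def completed_within_mttc(incidents: List[Incident], mttc: timedelta) -> List[str]:
    """Projection: kill chains whose initial-access-to-objective time beats the current MTTC."""
    return [i.name for i in incidents
            if i.objective_reached is not None
            and i.objective_reached - i.initial_access < mttc]


# Constructed sample timeline (not real incident data). Four intrusions inside
# the window and one before it; breakouts of 29 min and 27 s mirror the figures
# quoted in the post.
D = datetime
WINDOW_START = D(2025, 1, 1, 0, 0)
WINDOW_END = WINDOW_START + timedelta(hours=24)
INCIDENTS = [
    Incident("A", D(2025, 1, 1, 1, 0), D(2025, 1, 1, 1, 29), D(2025, 1, 1, 2, 0), D(2025, 1, 1, 5, 0)),
    Incident("B", D(2025, 1, 1, 8, 0), D(2025, 1, 1, 8, 0, 27), D(2025, 1, 1, 8, 4), D(2025, 1, 1, 12, 0)),
    Incident("C", D(2025, 1, 1, 14, 0), D(2025, 1, 1, 15, 0), None, D(2025, 1, 1, 16, 0)),
    Incident("D", D(2025, 1, 1, 20, 0), None, None, D(2025, 1, 1, 20, 30)),
    Incident("E", D(2024, 12, 31, 22, 0), None, D(2024, 12, 31, 22, 10), D(2024, 12, 31, 23, 0)),
]


def report(incidents: List[Incident], start: datetime, end: datetime) -> dict:
    """Answer the post's question for one window: how many kill chains beat us?"""
    scoped = in_window(incidents, start, end)
    mttc = mean_time_to_contain(scoped)
    return {
        "incidents": len(scoped),
        "breakout_minutes": {i.name: breakout_minutes(i) for i in scoped},
        "mttc_minutes": None if mttc is None else mttc.total_seconds() / 60,
        "completed_before_intercept": completed_before_intercept(scoped),
        "projected_at_current_mttc": [] if mttc is None else completed_within_mttc(scoped, mttc),
    }


if __name__ == "__main__":
    for key, value in report(INCIDENTS, WINDOW_START, WINDOW_END).items():
        print(f"{key}: {value}")
```

The observed count (`completed_before_intercept`) is the historical answer; the projection (`completed_within_mttc`) is what the current MTTC implies for any kill chain of a given duration, which is the number that turns a framework gap into a business case.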
The rest of this series works through the specific attack surfaces and operating disciplines where the framework gap is widest, and what closing it looks like in practice.
About This Series
This post is the first in the Adaptive Defense series. Each article addresses a specific domain where traditional frameworks fall short of today’s agentic AI threat landscape. The next post will examine the human-AI operating model and how it enables security and secops organizations to deploy agentic solutions rationally in proportion to the threat and within an organization’s ability to operate.