A 6x CISO on the era that security just entered
The Hygiene Era is here, and the boring work is now the moat.
Welcome to The Cybersecurity Pulse (TCP)! I’m Darwin Salazar, Head of Growth at Monad and former detection engineer in big tech. Each week, I bring you the latest security innovation and industry news. Subscribe to receive weekly updates! 📧
Guest post by Dr. Yonesy Núñez, CISO at Surf AI (previously Wells Fargo, Jack Henry, and DTCC). Published in partnership with Surf AI.
I’ve spent more than two decades running enterprise security programs — five CISO seats across Wells Fargo, Jack Henry, and DTCC. In that time, I’ve watched security go through five distinct eras. Each one was a real response to a real shift in how attackers worked, what auditors wanted, and where the workloads ran. And in each one, the same thing happened: security hygiene got pushed further down the backlog.
We’re entering a sixth era. This time, hygiene is the strategic discipline — the work that decides whether the rest of the security program can actually hold.
I want to be specific about what I mean by hygiene: the recurring operational work that reduces attack surface. Dormant accounts. Stale OAuth apps. Secrets and environment variables left readable in production. Expired certificates. Third-party access no one has reviewed since the integration was built. Plaintext sensitive data. AI tools connected to your environment that nobody on the security team knows exist.
That work has always been on the roadmap. It almost never got funded at the level it deserved. This year, three events made it impossible to ignore why that has to change.
The five eras I’ve worked through
Perimeter (late 1990s into the early 2000s): Firewalls, DMZs, NAT. The marquee discipline was the boundary. If the perimeter held, the inside was assumed safe. Hygiene was invisible.
Compliance (early to mid-2000s): SOX, PCI DSS, HIPAA enforcement. Audit became the gate. Hygiene sat on every framework’s control list and almost never got primary funding. Passing the audit was a faster path to keeping your seat than fixing the underlying mess.
Detection and APT (late 2000s through mid-2010s): Operation Aurora, Stuxnet, Mandiant’s APT1 report. SIEM proliferation. Assume breach. Detection became the strategic discipline — you couldn’t stop everything, but you could respond fast enough. Hygiene deficits got absorbed by detection coverage.
Cloud and zero trust (mid-2010s into the early 2020s): Workloads moved off the corporate network. Identity became the new perimeter. SolarWinds was the marker. Hygiene changed shape — third-party access, identity sprawl, OAuth apps — and stayed in the backlog.
SOAR and AI SOC (overlapping with the above): The promise was that you could manage alert volume without doing the cleanup that produced the alerts. SOAR automated parts of the response motion. AI SOC now extends that idea with agents, copilots, and autonomous triage loops. That wave is still useful, but it does not remove the underlying problem. If anything, it makes the hygiene gap more obvious: faster alert handling does not fix the stale account, exposed secret, permissive OAuth grant, or unmanaged SaaS tool that created the incident path in the first place.
Each era was a rational response to real conditions. And each one helped security teams absorb the risk created by hygiene gaps. The model worked — more or less — because attacker tempo stayed inside what human-staffed detection could close.
That model broke in April 2026.
What April 2026 actually showed us
Three events, read together, make the argument.
Anthropic and Claude Mythos (April 7). Anthropic disclosed that a single model run surfaced thousands of zero-day vulnerabilities — including long-lived flaws in major operating systems and browsers — and produced working exploits at a scale prior generations could not approach. Anthropic chose not to ship the model publicly and instead stood up Project Glasswing to share findings with vetted partners. That decision, and the stated reason behind it, is what matters: discovery cost is approaching zero.
CVE-2026-31431 (Copy Fail, April 29). Xint Code disclosed a Linux kernel logic flaw affecting major Linux distributions. A 732-byte Python proof-of-concept could obtain root on Ubuntu, Amazon Linux, Red Hat Enterprise Linux, and SUSE. CISA later added the vulnerability to its Known Exploited Vulnerabilities catalog. The hygiene implication is direct: asset inventory, kernel exposure tracking, patch ownership, and exploitability context in your environment. If you can’t answer which systems are affected and who owns the remediation, this CVE is an open door.
The Vercel breach (April 19). This one is the most instructive. An employee at Context.ai was compromised by Lumma Stealer, giving an attacker a path through OAuth into Vercel. The result: exposed environment variables, a database key, and source code. The root cause wasn’t a zero-day — it was an uninventoried AI tool, an OAuth trust relationship that granted broader access than anyone realized, and secrets governance that treated readable environment variables as low risk.
The same pattern appeared in the 2025 Salesloft Drift OAuth incident, where compromised OAuth tokens tied to a trusted integration enabled access to Salesforce environments. The campaign affected a number of high-profile organizations, including Cloudflare and Palo Alto Networks; the latter disclosed unauthorized access to its Salesforce tenant through the compromised Salesloft Drift integration. The lesson is the same: modern breach paths increasingly run through trusted SaaS integrations, OAuth grants, third-party tools, and data that security teams did not realize those tools could reach.
That’s what April showed: discovery cost is collapsing, so exposed inventory matters more than it ever did.
The failure mode is now an uninventoried trust relationship, not a missed alert. And attack tempo scales with compute — which means detection that scales with headcount can’t keep up.
Why hygiene becomes the strategic discipline
The reason hygiene was always deprioritized is rational: every era’s marquee discipline absorbed the risk that hygiene gaps created. Detection caught what hygiene missed. SOAR papered over what detection missed. AI SOC may accelerate triage and response, but it does not eliminate the blast radius created by unmanaged access, exposed secrets, stale identities, or unreviewed integrations.
That model held as long as attacker tempo stayed inside what human-staffed detection could close. It doesn’t hold anymore.
Here’s what changes: hygiene is the only security discipline that compounds. Every account removed, every secret rotated, every third-party tool inventoried makes future attacks measurably more expensive. It doesn’t matter what the attacker discovers tomorrow — every piece of hygiene work between now and then is still in force.
Detection burns down with the alert. A SOAR playbook burns down with the incident. An AI SOC agent can help summarize, prioritize, and respond faster. But hygiene reduces the surface that the next alert fires on. As attackers exploit vulnerabilities and trust relationships faster than ever, hygiene stops being optional and becomes non-negotiable. The unglamorous work is now the strategic work.
What this looks like in practice
For the board update, three frames hold up:
Detection investment has a ceiling defined by attacker tempo. We’re not going to chase it by adding headcount.
Hygiene investment compounds across every future incident class. We’re funding it as program work, not project work — which means dedicated ownership, not quarterly cleanup sprints.
Context investment turns hygiene into outcomes. NIST has changed how it enriches CVEs in the National Vulnerability Database. The public pipeline can’t be relied on the way it once could. Re-deriving severity inside your own environment — knowing which systems are actually exposed, who owns them, and what business function they support — is no longer optional.
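As an added illustration of the third frame (re-deriving severity from your own environment rather than from the public feed), here is a small exposure-context join. It is example code written for this post, not the author's or Surf AI's tooling; the CVE id, the kernel version ranges, the hosts, owners and scoring weights are all constructed placeholders.

```python
"""Re-derive a CVE's priority from local context.

Join an advisory's affected version ranges against an asset inventory, then
rank the hits by what matters locally: exposure, business function, and
whether anyone owns remediation. Added example, not the author's or Surf AI's
code. All data below is constructed: placeholder CVE id, made-up kernel
version ranges, fictional hosts.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Advisory:
    cve_id: str
    # Each tuple is (first affected, first fixed) version; the range is half-open.
    affected_ranges: List[Tuple[str, str]]


@dataclass
class Host:
    name: str
    kernel: str
    owner: Optional[str]
    business_function: str
    internet_facing: bool


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.8.0-45' into (6, 8, 0, 45); a non-numeric tail ends the parse."""
    parts = []
    for piece in v.replace("-", ".").split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(kernel: str, advisory: Advisory) -> bool:
    k = parse_version(kernel)
    return any(parse_version(lo) <= k < parse_version(hi)
               for lo, hi in advisory.affected_ranges)


def local_priority(host: Host) -> int:
    """Higher is worse. Weights are constructed; the point is that the score
    comes from local context, not from the public base score."""
    score = 1
    if host.internet_facing:
        score += 2
    if host.business_function in ("payments", "customer-data"):
        score += 2
    if host.owner is None:
        score += 1  # nobody to hand remediation to is itself a risk
    return score


def exposure_report(advisory: Advisory, hosts: List[Host]) -> List[dict]:
    """Affected hosts, worst first, with an explicit owner or UNOWNED."""
    affected = [h for h in hosts if is_affected(h.kernel, advisory)]
    affected.sort(key=local_priority, reverse=True)
    return [{"host": h.name, "owner": h.owner or "UNOWNED",
             "priority": local_priority(h)} for h in affected]


# Constructed advisory and inventory (placeholder id and ranges, fictional hosts).
ADVISORY = Advisory("CVE-0000-00000", [("5.15", "5.15.200"), ("6.8", "6.8.0-60")])
HOSTS = [
    Host("web-01", "6.8.0-45", "platform-team", "payments", True),
    Host("batch-07", "6.8.0-72", None, "reporting", False),
    Host("db-03", "5.15.150", None, "customer-data", False),
    Host("bastion-02", "6.1.0-30", "secops", "admin", True),
]

if __name__ == "__main__":
    for row in exposure_report(ADVISORY, HOSTS):
        print(row)
```

The report answers the two questions the CVE paragraph above asks of a team, which systems are affected and who owns remediation, and it surfaces an unowned, customer-data host as a finding in its own right rather than leaving it to fall out of a ticket queue.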
For practitioners, the work that compounds fastest in 2026 is the work the backlog has been carrying for a decade:
Identity hygiene as a standing program: dormant accounts, leaver audits, guest accounts, OAuth application scope review
Third-party inventory, expanded to include AI tools and their data access
Environment variable and secrets governance, treated as program work rather than ticketing-system tasks
Certificate lifecycle with executive backing and cross-team ownership, not a quarterly project
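The four items above are program areas rather than one-off checks, but each has a concrete, repeatable test behind it. The block below is an added example written for this post (not the author's or Surf AI's code) that runs those tests over constructed inventory records: dormant accounts, unreviewed OAuth grants with broad scopes, secrets readable in environment configuration, and certificates inside the renewal window. The record shapes, scope names, thresholds and regular expressions are assumptions, not any particular IdP, SaaS or secrets-manager export format.

```python
"""Recurring hygiene checks over constructed inventory records.

Added example, not the author's or Surf AI's code. Record shapes, scope
names and thresholds are assumptions chosen for illustration.
"""
import re
from datetime import date, timedelta

NOW = date(2026, 5, 1)                 # constructed "today" so runs are reproducible
DORMANT_AFTER = timedelta(days=90)     # assumed dormancy threshold
CERT_WARN_WITHIN = timedelta(days=30)  # assumed renewal window

# Constructed inventory. Values are fictional; the DSN password and API key are fakes.
ACCOUNTS = [
    {"user": "alice", "last_login": date(2026, 4, 28), "active": True},
    {"user": "bob",   "last_login": date(2025, 12, 1), "active": True},   # dormant
    {"user": "carol", "last_login": date(2025, 6, 15), "active": False},  # already disabled
]
OAUTH_GRANTS = [
    {"app": "calendar-sync", "scopes": {"calendar.read"},
     "last_used": date(2026, 4, 30), "reviewed": True},
    {"app": "ai-notetaker",  "scopes": {"mail.read", "drive.readwrite", "directory.read"},
     "last_used": date(2026, 4, 29), "reviewed": False},  # broad and never reviewed
]
ENV_VARS = {
    "DATABASE_URL": "postgres://app:hunter2@db.internal/prod",  # credential embedded in DSN
    "LOG_LEVEL": "info",
    "STRIPE_KEY": "sk_live_placeholderplaceholder",             # fake live-key pattern
}
CERTS = [
    {"cn": "api.example.test", "not_after": date(2026, 5, 20)},
    {"cn": "www.example.test", "not_after": date(2026, 9, 1)},
]

# Heuristics (assumed): scope names that grant write or directory-wide access,
# variable names that usually hold secrets, and values shaped like credentials.
BROAD_SCOPE = re.compile(r"(readwrite|admin|\*|directory)")
SECRET_NAME = re.compile(r"(key|secret|token|password|pwd)", re.I)
SECRET_VALUE = re.compile(r"(://[^/\s:]+:[^@\s]+@|^sk_live_)")


def dormant_accounts(accounts, now=NOW):
    """Enabled accounts whose last login is older than the dormancy threshold."""
    return sorted(a["user"] for a in accounts
                  if a["active"] and now - a["last_login"] > DORMANT_AFTER)


def risky_oauth_grants(grants):
    """Grants nobody has reviewed that carry at least one broad scope."""
    return sorted(g["app"] for g in grants
                  if not g["reviewed"] and any(BROAD_SCOPE.search(s) for s in g["scopes"]))


def exposed_secrets(env):
    """Environment variables that look like secrets by name or by value shape."""
    return sorted(k for k, v in env.items()
                  if SECRET_NAME.search(k) or SECRET_VALUE.search(v))


def expiring_certs(certs, now=NOW):
    """Certificates that expire within the renewal window (or already have)."""
    return sorted(c["cn"] for c in certs if c["not_after"] - now <= CERT_WARN_WITHIN)


def hygiene_report(now=NOW):
    """One run of all four checks; each key is a queue someone must own."""
    return {
        "dormant_accounts": dormant_accounts(ACCOUNTS, now),
        "risky_oauth_grants": risky_oauth_grants(OAUTH_GRANTS),
        "exposed_secrets": exposed_secrets(ENV_VARS),
        "expiring_certs": expiring_certs(CERTS, now),
    }


if __name__ == "__main__":
    for check, findings in hygiene_report().items():
        print(f"{check}: {findings}")
```

Each list the report returns is a finding that stays true until someone acts on it, which is the compounding property the section describes: the check is cheap to rerun, and every item cleared stays cleared regardless of what the next advisory says.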
None of this is new. What’s new is that the justification for deferring it no longer holds.
Why I joined a startup to work on this
In December, I left DTCC to join Surf AI. The question I get most often: why leave a CISO seat at a major financial infrastructure firm to join an early-stage company?
The answer is the argument above.
Hygiene at scale doesn’t get done by adding headcount. The operational surface — dormant accounts, external OAuth apps, sensitive data in plaintext, certificate lifecycle — crosses too many systems and teams for manual workflows to close. What I wanted to work on was the question of how specialized AI agents execute those operational disciplines at speed, with human approval at every step, in a way that actually closes the gap rather than auditing it.
That’s what Surf AI is building. And when I saw what April was going to look like — well before any of those three events were public — it confirmed that this is the right problem to work on now.
A closing thought
Every prior era named itself in retrospect. This one is naming itself in real time, while the discovery curve bends past where prior playbooks were designed to operate.
When the next exploit arrives, the teams that come through it cleanest will be the ones that spent the months before reducing surface, not chasing alerts.
If you’re seeing the same pattern in your environment, find me. The peers who tell each other the truth about what’s happening on the ground are the ones who get their organizations through periods like this intact.
Interested in sponsoring TCP?
Sponsoring TCP not only helps me continue to bring you the latest in security innovation, but it also connects you to an audience of 20,000+ CISOs, practitioners, founders, and investors across 135+ countries 🌎