Related Posts
Subscribe via Email
Subscribe to our blog to get insights sent directly to your inbox.
The three previous posts in this series described a convergence: AI systems that compress exploit development from weeks to hours, automated targeting that removes the human decision about who gets attacked, and application inventories that most organizations know aren’t complete. These are real conditions, not projections, and the question for any security leader is the same: What can I do about it?
That question is harder than it sounds. The recommendations and commitments called out across those three posts aren’t simple checkbox items. Each of them requires organizational alignment, process change, and sustained attention. For most security teams, this gap between what needs to happen and the capacity to follow through is where the risk accumulates.
NuHarbor Security partners with our clients to close that gap.
Starting with Strategy
The first thing good advisory work does is force an honest accounting.
“None of this is negligence, but the accumulated result of decades of reasonable decisions made when application visibility was an important control, not an existential requirement.”
— You Can Only Defend What You Can See
Our Strategic Security Advisory practice starts from the position that while organizations look to improve their posture, they aren’t where they are because of carelessness or a lack of understanding. The reasonable decisions of past years introduced an acceptable level of risk, but that risk was quickly compounded by a threat environment changing faster than their best efforts could follow. To address that issue now means to strategically evaluate the application estate and exposure, identifying where blind spots or technical debt are most pressing, and then creating a balanced view of cost and the reduction of risk that’s required. The output won’t be a simple purchase or patching recommendation. It will be a tailored plan that the security organization can execute, starting with the highest-leverage actions and accounting for constraints in budget, time, and internal appetite.
For state and local governments, where technical debt can be deep, and where IT teams are stretched thin, this kind of assisted and objective analysis helps leaders champion a coherent response and not a reactive one.
Building Controls That Make Visibility Stick
Knowing the problem exists is not the same as having controls in place to keep it from happening again. Our Information Assurance teams dig into the process and policy layer to recommend changes that will blunt the speed and impact of AI-accelerated threats. Visibility follows when software acquisition contracts require a Software Bill of Materials. Documentation of vulnerability management workflows catches transitive dependencies beyond those that a development team chose to explicitly call out. Upstream signals and tailored advisory feeds provide the earliest warning to optimize response.
These controls hold when they are written into governance policy and reinforced through regular assessment, and this is where this work begins. Our assessments review current plans against recommended controls to identify what’s missing and where newly discovered weaknesses have outpaced existing policy. The third article in this series captured the core problem this way:
“Even when the fix is available, the enterprise awareness that it's needed is not.”
— You Can Only Defend What You Can See
Closing that gap requires information that’s specific enough to identify the mitigating control or update that’s missing, and practical enough to produce recommendations the client team can implement. Our team has seen what works across government and commercial environments, so every recommendation is practical and based on real-world experience.
The Pace Problem
The methodology of attack has also changed. Adversaries no longer need to start with a target. They can start with a vulnerability, scan for organizations running the affected code, and let the target list assemble itself.
“Companies become targets not because anyone selected them, but because they happen to carry the vulnerable code. An organization can land on that list without any attacker ever having considered it by name.”
— The Target List Will Build Itself
That target generation and inspection can run continuously, as automation creates an ongoing flow of exploits and targets, driving the need for continuous monitoring. Our Security Operations Center provides persistent attention to identify the new target or the new attack before the damage starts or spreads. When a new vulnerability appears in a popular component, the question is not when someone will develop an exploit, it’s whether an exploit is already being directed at your environment. Recognizing these attacks as they happen is the kind of rigor that the compressed exploit timelines described in Part One demand. And that rigor is what state and local agencies, who are frequent targets of opportunistic campaigns, need to have in place before the attack arrives.
Knowing Before the Advisory Arrives
Our Threat Intelligence capability enables effective upstream monitoring to address the growing latency of information from official disclosure channels.
“The public disclosure cycle, built to help defenders, becomes a faster and more reliable tool for the attackers it was meant to hold off.”
— The Target List Will Build Itself
The gap between a security commit appearing in a public repository and a formal, approved advisory reaching an organization's inbox provides time for attackers to begin identifying targets and launching their exploits. Our threat intelligence team monitors those upstream signals, tracks emerging exploitation patterns, and translates those signals into client-specific context that makes response actionable for the supported team. It won’t eliminate urgent work by the organization, but it will ensure that the security team has a clear, timely picture of what must be done and why.
The Partner’s Position
No services engagement resolves decades of accumulated technical debt in a single effort, and the conditions described in this series are common, structural, interwoven, and long-lived. Our advisors’ experience provides the strategy to begin, the governance needed to ensure policies and controls that last, the monitoring continuity to detect threats as they emerge, and the intelligence to stay ahead of the threat.
That’s not a magic solution. It’s competent, experienced collaboration applied to a problem that most organizations can’t fully address on their own.
Kyle is the Vice President of GTM Strategy at NuHarbor Security. He leads the development and execution of strategic product initiatives, ensuring that NuHarbor’s solutions are aligned with the evolving needs of both public and private sector organizations. His expertise in driving data-driven techniques enables clients to stay ahead of emerging cybersecurity threats. With over two decades in the cybersecurity industry, Kyle has held leadership roles across multiple domains, including security operations, network architecture, and product innovation. Prior to joining NuHarbor, he led cross-domain technology teams, spearheading security and systems initiatives to protect organizations from advanced threats. His work has helped safeguard hundreds of organizations with a combination of innovative approaches and operational excellence. Kyle’s practical approach to technology and deep understanding of client challenges make him a trusted leader at NuHarbor. His passion for developing tailored security solutions ensures that clients receive expert guidance that drives meaningful outcomes.
Subscribe to our blog to get insights sent directly to your inbox.