The capabilities of artificial intelligence models are progressing at an unprecedented pace. While no one can yet predict the scale of their impact on the volume of vulnerabilities to be addressed, one thing is certain: organizations must strengthen their ability to decide, prioritize and coordinate their response starting today, in the face of a possible shift in scale. Here are 5 concrete actions to launch before the summer to gain resilience.
The debate is no longer technological. It has become organizational.
For several weeks, announcements around frontier models have followed one another. Mythos, ChatGPT 5.5, Fable 5… each new release fuels debate within the cyber community.
The release of Fable 5, followed a few hours later by its suspension by US authorities, was a reminder of an obvious point: these subjects now go far beyond the technological framework alone. They have become strategic, geopolitical and sovereignty issues.
That said, this is not, in our view, where the only critical question lies.
The immediate question is not whether Mythos outperforms Fable 5, nor to predict the exact date of a hypothetical “wave” of vulnerabilities. The urgency is above all operational: whatever the model, organizations will need the capacity to cope with it.
What will happen if, tomorrow, your organization has to absorb two or three times more vulnerabilities than today?
Because this is precisely the scenario several players in the ecosystem are beginning to prepare for.
The data calls for caution. It equally calls for anticipation and preparation.
No one can affirm with certainty today that the summer of 2026 will mark a turning point.
The available data calls for caution. It equally calls for anticipation and preparation.
The number of published vulnerabilities continues to rise (+32.4% between H1 2025 and H1 2026), exploitation timeframes are getting shorter and shorter, and several cybersecurity agencies are calling on organizations to further integrate artificial intelligence into their defense programs. At the same time, CERT-FR does not, at this stage, observe an explosion in the number of critical alerts compared with previous years.
In other words, both the timing and the magnitude of a potential acceleration remain uncertain.
One thing, however, is observable. Many large organizations (operators of vital importance, public institutions, major industrial and financial groups) have already moved past the monitoring stage and entered that of active preparation.
Why? Because in crisis management, uncertainty is never a reason to do nothing. A prepared organization will always be more resilient than one that waits for the first incident to organize its response.
This approach is consistent, moreover, with the messages delivered in recent weeks by CISA and by the cybersecurity agencies of the Five Eyes: attackers are already using artificial intelligence to act faster; defenders must do the same, while strengthening their preparation and response capabilities starting today.
Shifting from a detection logic to a prioritization logic
For years, cybersecurity has been organized around a relatively linear logic: identify a vulnerability, qualify it, fix it, then deploy the patch.
This approach obviously remains relevant.
But it rests on an implicit assumption: organizations have the capacity required to absorb the volume of vulnerabilities discovered.
Yet this is precisely the assumption that could be called into question.
If artificial intelligence effectively accelerates the discovery, analysis and, tomorrow, exploitation of vulnerabilities, the main challenge may no longer be technical.
It will be organizational:
- How can more alerts be qualified with the same teams?
- How can we prioritize when several critical vulnerabilities appear simultaneously?
- How can we decide quickly when no patch yet exists?
- How can we arbitrate between business continuity and cyber risk reduction?
In other words, the topic is no longer solely one of detection.
It is becoming the question of organizations’ ability to decide, coordinate and prioritize under constraint.
The right reading of the situation is not to prepare for Mythos but rather to prepare for a scenario of acceleration in the cyber pace and the critical trade-offs that will result.
It is in this spirit that we propose 5 concrete actions, from the angle of cyber crisis management and anticipation, to launch now, before the summer.
5 actions to launch now to prepare your organization to face a surge in vulnerabilities
1. Make sure your organization will not be alone the day a critical incident occurs
The first mistake is to assume that a cyber crisis is handled internally alone.
In reality, an organization never responds alone to a major incident. It depends on an entire ecosystem: managed services provider, MSSP, CERT, hosting provider, PRIS, cloud provider, software vendors, backup solutions, specialized service providers, and so on.
In other words, an organization’s resilience does not depend solely on its own capabilities. It also depends on those of its partners.
The question to ask is ultimately quite simple.
If a critical vulnerability is published on a Saturday in August at 6 pm, who responds? Who is reachable? At what number? Who makes the first decisions?
Experience shows that many difficulties encountered during the first hours of a crisis are not technical. They stem from coordination: outdated contacts, ill-defined responsibilities, unavailable partners or escalation chains that no longer match reality.
These checks take a few hours today. They can save entire days when an incident occurs.
To launch now:
- Update the crisis directory and the mapping of critical partners.
- Verify the contact details and escalation levels of each strategic provider.
- Confirm their on-call arrangements and response capabilities during the summer.
- Check that contracts and SLAs actually cover the expected mobilization scenarios.
2. Prepare operational capacity before the vacation period
Every summer, organizations operate with reduced teams.
That is not a problem in itself. The real risk is to discover the limits of this arrangement… the day an incident occurs.
The topic therefore goes well beyond the question of on-call rosters (although they are clearly part of it). It is a matter of assessing the actual ability of your organization to absorb several incidents at once, even when some key skills are absent.
A few questions quickly help identify the main points of fragility.
- How many critical incidents can you handle in parallel?
- Who backs up the key people?
- What are your bottlenecks?
- How long does it take to bring together the right decision-makers?
- Is there a plan B if several experts are simultaneously unavailable?
An organization never becomes saturated all at once. It becomes so gradually, when demands exceed its absorption capacity. Identifying these limits before the summer is already a resilience measure.
To launch now:
- Review on-call arrangements for IT, security, SOC and management.
- Formalize backup arrangements for critical roles.
- Check escalation chains and their ability to function with reduced headcount.
- Identify the threshold beyond which the organization enters saturation.
The problem is not having fewer resources in August. The problem is discovering it on the first day of the crisis.
3. Use AI now, without waiting for frontier models
Many organizations are still waiting for “the right model” before integrating artificial intelligence into their cybersecurity operations.
This is probably a mistake. The operational gains already exist. Whether we are talking about open-source models like Mistral, Llama or proprietary models, the challenge is not to wait to have the most powerful model. It is to start relieving teams on the tasks that already take up most of their time.
- Initial alert qualification.
- Document analysis.
- Attack surface identification.
- Preliminary vulnerability analysis.
- Preparation of recommendations.
These are all tasks for which AI can already deliver significant gains.
The message delivered recently by the Five Eyes cybersecurity agencies is very clear: attackers are already using artificial intelligence to act faster. Defenders must do the same.
Teams’ experience with AI should not begin when pressure is at its peak. It should begin today.
To launch now:
- Identify two or three high-ROI use cases around the main bottlenecks.
- Experiment with the models already available.
- Train teams in these new uses before operational pressure ramps up.
The time saved today will be your response capacity tomorrow.
4. Prepare decision-making mechanisms before they become critical
For years, cybersecurity has been organized around a detection logic. The challenge emerging today is different. It could become one of prioritization.
Because if the volume of vulnerabilities increases significantly, not all of them will be treatable simultaneously. The real challenge will therefore no longer be solely to identify vulnerabilities. It will be to decide which ones to treat first.
This evolution requires a cultural shift. When everything becomes critical, everything can no longer be a priority.
The image is deliberately borrowed from emergency medicine: faced with a massive influx of patients, medical teams do not try to treat everyone immediately. They triage. They prioritize. They concentrate their resources where they will have the greatest impact.
Cybersecurity could tomorrow be confronted with the same type of situation.
Will a vulnerable system need to be kept in production to preserve an essential activity?
Will a service need to be interrupted to prevent a wider compromise?
Will a risk need to be temporarily accepted due to the lack of an available patch?
These decisions are not solely technical. They are business trade-offs, whose potential impacts require that they be made at the highest level of the organization. They involve business lines, executive leadership, operations, communication and sometimes the very continuity of the activity.
This preparation also concerns crisis communication. When several critical vulnerabilities follow one after another, teams are quickly solicited from all sides: users, business lines, executive leadership, partners, customers, and sometimes authorities or media. Preparing the stakeholder map upstream, identifying the key contacts and having a few holding statements ready for the main scenarios helps preserve a precious asset in the first hours of the incident or crisis: time. The time needed to qualify the situation, take the right decisions and prevent communication from itself becoming a factor of saturation.
They therefore assume that the following have been clarified upstream:
- prioritization criteria;
- escalation thresholds;
- decision-making responsibilities;
- the conditions under which a risk may be temporarily accepted;
- shortened decision chains.
And also:
- Update the mapping of internal and external stakeholders.
- Prepare a few holding statements (users, business lines, customers, partners…) to have a communication baseline ready from the first hours.
In other words, governance becomes as important as technology.
To launch now:
- Define shared arbitration criteria between IT, security and business lines.
- Verify that the BIA truly allows critical assets to be ranked.
- Identify decisions that can be pre-authorized in the event of an emergency.
- Shorten validation chains for saturation situations.
A mature organization is not one that patches everything. It is one that knows how to protect the essential when everything can no longer be treated simultaneously.
5. Train before having to arbitrate
Organizations still too often discover their blocking points… during the crisis.
Yet the most difficult decisions cannot be improvised. The best time to arbitrate remains the one when you are not yet forced to. There is no need to organize a large-scale crisis exercise.
Two simple formats already make it possible to raise the level of preparation considerably.
The first is the tabletop exercise. It consists of bringing together various resources from one or several teams and fostering exchanges around 2 or 3 scenarios walked through collectively.
Imagine a realistic scenario:
- About fifteen critical vulnerabilities published in forty-eight hours.
- Several technologies affected.
- Patches unavailable.
- Teams reduced by vacations.
The objective is not to test technical skills. It is to observe how the organization reacts.
- Who is alerted?
- Who decides?
- What are the blocking points?
- How long does it take to bring together the right players?
The second is the arbitration workshop.
The exercise consists of placing decision-makers in front of situations they could actually encounter.
- Maintain or interrupt a critical service?
- Temporarily accept a risk?
- Isolate an application?
- Postpone a patch?
These workshops help surface invisible dependencies, divergences of perception between business lines and security, and the decisions that will have to be made collectively.
They also constitute an excellent opportunity to update the mapping of critical dependencies and to verify that the BIA genuinely meets operational needs.
To launch now:
- Organize a tabletop exercise centered on a saturation scenario.
- Bring the main decision-makers together around an arbitration workshop.
- Take advantage of these exercises to update the BIA and critical dependencies.
The most resilient organizations will not be those that detect the most vulnerabilities. They will be those that have already trained their decision-makers to arbitrate under pressure.
Conclusion: To govern is to anticipate
It is impossible to predict whether the wave of vulnerabilities announced by some will materialize this summer.
It is just as impossible to anticipate its precise magnitude. The available data calls for caution. It equally calls for anticipation and preparation.
Because in crisis management, the point has never been to predict the future. The point is to prepare for it.
The actions proposed in this article can be summed up simply:
- strengthen the response ecosystem;
- prepare operational capabilities for the summer;
- integrate artificial intelligence into defense operations starting today;
- prepare arbitration and decision-making mechanisms;
- regularly train decision-makers to face a saturation scenario.
For years, cybersecurity has been built around detection.
The coming years may be those of prioritization.
The organizations that hold up best will probably not be those with the best tools.
They will be those that have prepared their teams, their partners, their decision-makers and their operating modes before the crisis strikes.
To govern is to anticipate.
In crisis management, anticipating means training and preparing.
To go further, watch the replay of our debrief webinar on this topic:
FAQ – How can artificial intelligence transform vulnerability management?
Artificial intelligence is already accelerating certain tasks such as alert qualification, document analysis, attack surface identification and preliminary vulnerability analysis. The challenge for organizations is now to gradually integrate these uses in order to gain operational efficiency and strengthen their response capability.
Read the article
Publication of the ReCyF framework: ANSSI is concretely preparing organizations for the NIS2 era
6 July 2026Read the article
How to operationalize AI in your cyber crisis management workflows?
6 July 2026Read the article