In early 2026, the timeline between discovering a vulnerability and its exploitation shrank dramatically—from days or weeks to mere hours. Security teams accustomed to a predictable patching schedule found themselves outpaced by adversaries that operated without the need for rest or coordination. These adversaries could weaponize zero-days faster than your CI/CD pipeline could execute.
This isn't speculation. The rise of frontier agentic models has made traditional reactive security inadequate. Let's explore what happened, what failed, and what your team needs to do differently.
What Happened
Organizations with converged IT/OT environments—such as manufacturing facilities with networked sensors and energy systems with SCADA controllers—reported intrusions that didn't match known attack signatures. Adversaries moved laterally through protocol gateways between IT and operational technology networks, exploiting visibility gaps where traditional scanning tools couldn't reach.
These attacks were characterized by rapid reconnaissance, automated identification of exploitable services behind protocol translators, and weaponization of vulnerabilities before they appeared in public databases like CISA's Known Exploited Vulnerabilities (KEV) catalog.
Timeline
Hour 0: An agentic system identifies a vulnerability in an industrial protocol gateway through automated fuzzing and behavioral analysis.
Hour 2: Exploit code is generated and tested against simulated environments.
Hour 4: Initial compromise of the target network occurs through an exposed gateway service.
Hour 6: Lateral movement begins. The agent maps the OT network topology by probing devices behind protocol converters—PLCs, building management systems, industrial sensors.
Hour 12: Persistence is established across multiple device types. Traditional EDR tools miss activity because they don't monitor OT protocols.
Hour 18: The security team detects anomalous traffic patterns, but by this point, the adversary has already exfiltrated network topology data and identified critical control systems.
Which Controls Failed or Were Missing
Asset visibility: Organizations couldn't inventory what they didn't know existed. IoT devices provisioned by facilities teams, shadow OT systems deployed by operations, and protocol gateways bridging networks were not in asset management databases. You can't protect what you can't see.
Network segmentation verification: The IT/OT boundary existed on paper but not in practice. Protocol gateways created pathways that bypassed firewall rules. No one had validated that segmentation actually worked at the protocol level.
Anomaly detection: Traditional SIEM rules looked for known attack patterns. Agentic adversaries generated novel reconnaissance traffic that appeared benign—valid protocol queries executed at machine speed across thousands of endpoints.
Vulnerability prioritization: Teams relied on CVE publication and KEV catalog listings to prioritize patching. By the time a vulnerability appeared in public databases, it had already been discovered and weaponized by agentic systems.
What the Relevant Standards Require
The NIST Cybersecurity Framework v2.0 calls for comprehensive asset identification under ID.AM-1: "Physical devices and systems within the organization are inventoried." This includes OT devices, IoT sensors, and protocol gateways—not just laptops and servers. ID.AM-2 requires software platforms and applications to be inventoried, including firmware on industrial devices.
ISO/IEC 27001:2022 Annex A control 8.1 mandates inventory of assets associated with information and information processing facilities. The standard explicitly includes "equipment located outside the organization's premises," covering IoT devices deployed in the field.
NIST 800-53 Rev 5 Control CM-8 requires organizations to develop and document an inventory of system components that "reflects the current system" and is "reviewed and updated" at defined frequencies. CM-8(3) adds: detect the presence of unauthorized hardware, software, and firmware components.
PCI DSS v4.0.1 Requirement 1.2.5 demands that all connections between trusted and untrusted networks be documented. If you're running payment processing in an environment with OT integration, those protocol gateways are in scope.
None of these standards say "inventory the assets you know about." They require comprehensive discovery—including the devices and connections your facilities team deployed without telling IT.
Lessons and Action Items for Your Team
Run protocol-aware discovery now: Standard network scanners won't find devices behind Modbus gateways, BACnet controllers, or proprietary industrial protocols. You need tools that can probe safely across protocol boundaries. Consider solutions like runZero, which offers capabilities to peek behind protocol gateways using proprietary IT, IoT, and OT protocol safe-probes.
Map IT/OT convergence points: Document every location where your corporate network touches operational technology. Protocol converters, industrial VPNs, cloud-connected sensors—these are your exposure points. Test whether your network segmentation actually blocks lateral movement at the protocol level, not just the IP level.
Shift vulnerability prioritization: Stop waiting for CVE publication. Monitor your attack surface for changes—new services, modified configurations, updated firmware. Agentic adversaries find vulnerabilities through automated analysis of exposed functionality, not by reading security bulletins. Your patching cadence needs to account for threats that move at machine speed.
Instrument protocol-level monitoring: Deploy detection that understands industrial protocols, not just TCP/IP. If you can't tell the difference between legitimate Modbus queries and reconnaissance traffic, you won't catch lateral movement until it's too late.
Validate your asset inventory weekly: The half-life of asset data in converged environments is measured in days. Facilities deploy new sensors, operations teams connect temporary monitoring equipment, contractors add diagnostic tools. Your CMDB is out of date before the change request closes. Continuous discovery isn't a luxury anymore.
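The kind of protocol-aware rule that the anomaly-detection gap and the monitoring item above call for, as an added example that is not part of the original post or of any vendor product: a fan-out and rate check over constructed Modbus/TCP request records, flagging sources that address many PLCs, many unit IDs, or many device-identification queries inside a short window even though every request is protocol-valid. The addresses, thresholds and the HMI/sweep traffic are all assumptions.

```python
from collections import defaultdict

# Constructed Modbus/TCP request records, not captured traffic:
# (timestamp_seconds, src_ip, dst_ip, unit_id, function_code)
# FC 3 = Read Holding Registers; FC 43 = Read Device Identification.
# 10.0.5.10 is an HMI polling two PLCs on a steady 2 s cycle (normal).
# 10.0.5.77 walks 8 PLCs x 6 unit IDs in about 2.4 s, every request well formed (recon-like).
FLOWS = [(t, "10.0.5.10", "10.0.6.1", 1, 3) for t in range(0, 60, 2)]
FLOWS += [(t, "10.0.5.10", "10.0.6.2", 1, 3) for t in range(1, 60, 2)]
SWEEP = [(d, u) for d in range(1, 9) for u in range(1, 7)]
FLOWS += [(30 + n * 0.05, "10.0.5.77", f"10.0.6.{d}", u, 43) for n, (d, u) in enumerate(SWEEP)]

WINDOW = 10.0     # seconds of history kept per source
MAX_TARGETS = 4   # distinct PLCs one source is expected to address within a window
MAX_UNITS = 4     # distinct unit IDs per PLC within a window
MAX_IDENT = 3     # Read Device Identification requests within a window
IDENT_FCS = {43}


def score_sources(flows, window=WINDOW, known_masters=frozenset()):
    """Return {src_ip: set(reasons)} for sources whose Modbus traffic looks like a sweep.

    Every request is protocol-valid, so the signal is fan-out and rate rather than
    malformed packets. known_masters (e.g. a SCADA server that legitimately polls
    dozens of PLCs) are exempt from the fan-out rule but not from the other two."""
    alerts = defaultdict(set)
    history = defaultdict(list)
    for ts, src, dst, unit, fc in sorted(flows):
        hist = history[src]
        hist.append((ts, dst, unit, fc))
        while hist and hist[0][0] < ts - window:   # expire records outside the window
            hist.pop(0)
        if src not in known_masters and len({h[1] for h in hist}) > MAX_TARGETS:
            alerts[src].add("fan-out")
        if len({h[2] for h in hist if h[1] == dst}) > MAX_UNITS:
            alerts[src].add("unit-id-enumeration")
        if sum(1 for h in hist if h[3] in IDENT_FCS) > MAX_IDENT:
            alerts[src].add("device-identification-sweep")
    return dict(alerts)


if __name__ == "__main__":
    for src, reasons in score_sources(FLOWS).items():
        print(src, sorted(reasons))
```

Baseline the thresholds from your known HMI and SCADA hosts before turning this on; a master that polls fifty PLCs is normal for that one source and belongs in known_masters.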
The timeline compression observed in early 2026 isn't going away. Agentic adversaries operate at machine speed, and your reactive controls—patch Tuesday, quarterly assessments, annual audits—are structurally mismatched to the threat. You need continuous visibility into what you're defending and real-time detection of changes to that attack surface.
Start with asset discovery. You can't secure what you can't see, and right now, you can't see most of your OT environment.
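An added reconciliation pass for the asset-visibility gap and the weekly inventory validation described above (example code, not the post's or any tool's own): it joins constructed protocol-aware discovery output against a constructed CMDB export and produces three worklists, devices nobody registered, CMDB entries that have gone stale, and devices speaking both an IT and an OT protocol, which are candidate convergence points. The MAC join key, the protocol groupings and the seven-day staleness threshold are assumptions.

```python
from datetime import date, timedelta

IT_PROTOCOLS = {"http", "https", "smb", "rdp", "ssh"}
OT_PROTOCOLS = {"modbus", "bacnet", "dnp3", "ethernet/ip"}

# Constructed CMDB export, keyed by MAC address (assumption: MAC is the join key).
CMDB = {
    "00:11:22:00:00:01": {"name": "hmi-01", "owner": "operations"},
    "00:11:22:00:00:02": {"name": "plc-line-1", "owner": "operations"},
    "00:11:22:00:00:03": {"name": "old-historian", "owner": "it"},
}

# Constructed protocol-aware discovery results: MAC -> (ip, protocols seen, last_seen).
DISCOVERED = {
    "00:11:22:00:00:01": ("10.0.5.10", {"https", "modbus"}, date(2026, 3, 2)),
    "00:11:22:00:00:02": ("10.0.6.1", {"modbus"}, date(2026, 3, 2)),
    "00:11:22:00:00:03": ("10.0.5.30", {"smb"}, date(2026, 2, 10)),      # not seen for weeks
    "00:11:22:00:00:09": ("10.0.6.40", {"bacnet"}, date(2026, 3, 1)),    # never registered
    "00:11:22:00:00:0a": ("10.0.5.200", {"ssh", "modbus"}, date(2026, 3, 2)),  # speaks both sides
}


def reconcile(cmdb, discovered, today, stale_after=timedelta(days=7)):
    """Compare discovery output with the CMDB and return three worklists.

    unknown:  devices on the wire that nobody registered (a CM-8(3) style finding)
    stale:    CMDB entries not observed within stale_after, or never observed
    bridging: devices speaking an IT and an OT protocol, i.e. candidate IT/OT convergence points"""
    unknown = sorted(mac for mac in discovered if mac not in cmdb)
    stale = sorted(
        mac for mac in cmdb
        if mac not in discovered or today - discovered[mac][2] > stale_after
    )
    bridging = sorted(
        mac for mac, (_ip, protos, _seen) in discovered.items()
        if protos & IT_PROTOCOLS and protos & OT_PROTOCOLS
    )
    return {"unknown": unknown, "stale": stale, "bridging": bridging}


if __name__ == "__main__":
    for bucket, macs in reconcile(CMDB, DISCOVERED, date(2026, 3, 2)).items():
        print(bucket, macs)
```

Each bridging hit deserves a segmentation test at the protocol level, not just a firewall rule review, since that is exactly the path the timeline above describes.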