Mandia, Stamos, and Adamski Just Told Everyone the Next Two Years Will Be 'Insane'

Three of cybersecurity's most prominent voices used the RSA Conference in March to deliver a unified warning: AI is finding vulnerabilities faster than organizations can patch them, and the next two years will outpace anything the industry has seen.

At RSAC 2026, Mandia, Stamos, and Adamski warned of the AI velocity gap: AI finding vulnerabilities faster than organizations can patch them. The next two years will be insane.

Three of the industry's most credible voices stood up at RSAC 2026 and said the same thing: defenders are about to lose ground at a rate the playbook was not built for. CISOs should treat this as the year's most important signal — not a marketing line.

SAN FRANCISCO — At the RSA Conference in March, Kevin Mandia, Morgan Adamski, and Alex Stamos sat down with CyberScoop for an exclusive interview that has since circulated as the defining executive framing of the year. Mandia, founder of the new AI-native security company Armadin and founder of Mandiant, summarized it bluntly: the next two years are going to be "insane." Stamos called the current moment an inflection point, with AI generating exploits faster than organizations can patch them. Adamski, the former executive director of U.S. Cyber Command and now U.S. lead for PwC's Cyber, Data and Technology Risk practice, framed the operational consequence: CISOs are being squeezed between board pressure to adopt AI rapidly and compliance frameworks that haven't moved.

The single most important framing from the discussion is what defenders should now call the velocity gap. AI lets attackers find and weaponize vulnerabilities at machine speed while organizations remain bound by human-speed patching, procurement, and compliance cycles. Mandia's specific operational warning: "You're not going to have time to call Mandiant on a Thursday afternoon, get people in, sign a contract. You're going to have to be able to respond at machine speed." This is the editorial signal of the year for CISOs, and it lands alongside the broader 2026 AI deployment risk landscape the industry has been documenting in real time.

Who is affected

CISOs and senior security leaders
    Patch cycles and contracting timelines no longer match attacker velocity
SOC and IR teams
    Manual triage queues cannot keep pace with AI-generated activity
Boards and executive leadership
    AI adoption mandates without proportional cyber investment now carry concrete risk
Vulnerability management programs
    90-day patch SLAs do not survive AI-discovered zero-days

The velocity gap, as the three leaders described it

Stamos's framing of AI as an inflection point rests on a specific empirical claim: foundation model companies currently sit on thousands of undiscovered vulnerabilities in their own code, and AI-powered analysis is starting to find longstanding flaws in mature codebases, including the Linux kernel. Mandia agreed without qualification when asked whether AI will find more vulnerabilities than humans, saying it is 100 percent certain and that AI is getting cheaper and more effective at the same time. The cost asymmetry favors offense. AI lowers the marginal cost of generating a tailored phishing message, a working exploit, or a credential-stuffing campaign by roughly an order of magnitude. The marginal cost of defense has not moved.

The compression matters because the human-speed parts of the defender stack are now load-bearing. Patch deployment, change management approval, vendor procurement, SOC analyst triage, incident response contracting — every one of these is calibrated to a threat tempo that no longer exists. Mandia's Thursday-afternoon line is the operationally specific version of the abstraction.

The CISO squeeze

Adamski's contribution to the framing was the organizational reality check. CISOs are receiving simultaneous board mandates to adopt AI rapidly, often with explicit goals of reducing headcount, while SOC 2, ISO 27001, and similar compliance regimes remain unchanged. "All those rules are exactly the same," Adamski said. The mismatch produces a CISO who is accountable for shipping AI-augmented productivity gains, defending against AI-augmented attacks, and maintaining compliance with frameworks written for a slower threat landscape — all from the same budget.

The conflict is not theoretical. Adamski's broader observation, that AI is going to make organizations pay for the sins of yesterday, points at the technical debt embedded in most enterprise environments. Decade-old authentication systems, sprawling SaaS estates with weak inventory, and identity programs that depend on manual review will be the first targets of AI-augmented attack tooling. Those are the same systems your existing compliance program already considers acceptable.

The national security overlay

Stamos noted, and Mandia echoed, that adversaries are already developing AI-powered offensive tooling at the nation-state tier. Mandia's description of agentic AI attackers — systems that can issue commands in parallel, adapt to defender response, and evade detection — is the same threat profile his new company, Armadin, is built to simulate from the offensive side. Mandia's company launched in March 2026 with $189.9 million in seed and Series A funding, framed by him as a bet that defense has to become autonomous because human-in-the-loop decision making will not survive contact with machine-speed attacks. Defenders should take the commercial-interest framing into account, but the underlying technical claim has independent confirmation from the broader research community.

The CyberSignal Analysis

Signal 01 — This is the year's most credible industry-leader consensus signal

Mandia, Stamos, and Adamski are not echoing each other from a single talking-points deck. They represent three different vantage points — vendor founder, academic researcher, and former senior government cyber leader — and they converged on the same operational claim independently. For CISOs looking for defensible board-room language to justify accelerated cyber investment, this is the year's most credible industry-consensus citation.

Signal 02 — The velocity gap is the operational construct to build programs around

The right reframing for 2026 vulnerability management is not faster patching of the existing SLA. It is treating AI-discovery and AI-exploitation as a new vulnerability class that requires pre-authorized emergency patching, automated rollback for critical paths, and pre-built IR retainer relationships that do not depend on Thursday-afternoon procurement cycles. The cost is real. The alternative is a known unrecoverable position.

Signal 03 — Compliance frameworks are now a lagging indicator, not a defense posture

SOC 2, ISO 27001, CMMC, and similar frameworks remain valuable for what they are designed to do, which is establish a defensible baseline of process maturity. They were not designed for AI-speed threat dynamics and they will not be updated on a timeline that helps you. CISOs who treat compliance as the defense posture are accepting the velocity gap as their actual risk. Layer threat-velocity-specific controls on top — continuous monitoring, real-time threat intelligence integration, automated change-control for security architecture — and treat compliance as the starting line.

What to do this week

  1. Brief your board on the velocity gap using the Mandia, Stamos, and Adamski framing. The three names together are credible enough that "industry consensus on AI-driven cyber acceleration" is defensible language for asking for accelerated cyber investment, and the CyberScoop interview is citable as a primary source.
  2. Audit your alert-to-action ratio in SOC operations. If analysts spend more than 40 percent of their time on triage rather than investigation, the gap is structural rather than a headcount problem. Pilot AI-assisted triage and pre-authorized response automation for the top three alert categories that consume the most analyst time.
  3. Establish pre-approved emergency patch and IR retainer relationships now, not after the first AI-augmented incident. Mandia's Thursday-afternoon comment is operationally specific. Verify your incident response playbook does not depend on procurement-cycle-bound vendor engagement for the first 24 hours.
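Step 2 above asks for a number most SOCs do not track directly: the share of analyst time spent in triage versus investigation, and the alert categories that consume the most of it. The script below is an added example, not part of the CyberSignal article or any of the interviewees' work. It assumes a ticketing-system export with one row per unit of analyst work (timestamp, alert category, phase, minutes); the CSV rows, category names and the 40 percent threshold are constructed for illustration and are not real SOC metrics. It computes the overall triage share, flags whether the gap is structural by the article's rule of thumb, ranks categories by total analyst time, and picks the triage-heavy ones among the top three as the first candidates for AI-assisted triage and pre-authorized response automation.

```python
"""Alert-to-action audit over constructed SOC time-tracking records.

Each record is (timestamp, alert category, work phase, analyst minutes).
The phase is either "triage" (deciding whether an alert matters) or
"investigation" (working a confirmed case). Sample data is constructed;
the 40 percent triage threshold is the article's rule of thumb.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export from a ticketing system (assumed CSV layout).
SAMPLE_CSV = """\
timestamp,category,phase,minutes
2026-03-12T09:15Z,phishing_report,triage,30
2026-03-12T09:50Z,phishing_report,investigation,20
2026-03-12T10:05Z,edr_malware,triage,15
2026-03-12T10:30Z,edr_malware,investigation,45
2026-03-12T11:00Z,impossible_travel,triage,25
2026-03-12T11:20Z,impossible_travel,investigation,5
2026-03-12T13:00Z,dlp_policy,triage,45
2026-03-12T13:45Z,dlp_policy,investigation,10
2026-03-12T14:10Z,vpn_bruteforce,triage,20
2026-03-12T14:30Z,vpn_bruteforce,investigation,0
"""

TRIAGE_THRESHOLD = 0.40  # article's rule of thumb: above this, the gap is structural
VALID_PHASES = ("triage", "investigation")


def load_records(text):
    """Parse the CSV export into (category, phase, minutes) tuples."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        phase = row["phase"].strip().lower()
        if phase not in VALID_PHASES:
            raise ValueError(f"unknown work phase {phase!r}")
        records.append((row["category"].strip(), phase, int(row["minutes"])))
    return records


def triage_share(records):
    """Fraction of all analyst minutes spent in triage (0.0 when no data)."""
    triage = sum(m for _, phase, m in records if phase == "triage")
    total = sum(m for _, _, m in records)
    return triage / total if total else 0.0


def gap_is_structural(records, threshold=TRIAGE_THRESHOLD):
    """True when triage consumes more than the threshold share of analyst time."""
    return triage_share(records) > threshold


def minutes_by_category(records):
    """Per-category split of analyst minutes into triage and investigation."""
    totals = defaultdict(lambda: {"triage": 0, "investigation": 0})
    for category, phase, minutes in records:
        totals[category][phase] += minutes
    return dict(totals)


def top_categories(records, n=3):
    """Categories ranked by total analyst minutes (ties broken by name)."""
    totals = minutes_by_category(records)
    ranked = sorted(
        totals,
        key=lambda c: (-(totals[c]["triage"] + totals[c]["investigation"]), c),
    )
    return ranked[:n]


def automation_candidates(records, n=3, threshold=TRIAGE_THRESHOLD):
    """Among the top-n categories, those where triage dominates the time spent.

    These are the first pilots for AI-assisted triage and pre-authorized
    response automation: high volume of analyst time, little of it investigation.
    """
    totals = minutes_by_category(records)
    candidates = []
    for category in top_categories(records, n):
        split = totals[category]
        share = split["triage"] / (split["triage"] + split["investigation"])
        if share > threshold:
            candidates.append(category)
    return candidates


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    print(f"triage share: {triage_share(recs):.1%}")
    print(f"structural gap: {gap_is_structural(recs)}")
    print(f"top categories by analyst time: {top_categories(recs)}")
    print(f"automation pilot candidates: {automation_candidates(recs)}")
```

On the constructed data the triage share is about 63 percent, so the gap is structural; `edr_malware` consumes the most analyst time but is investigation-heavy and stays with humans, while `dlp_policy` and `phishing_report` are the triage-dominated categories to pilot first. Running it against a real export only needs the CSV columns mapped to the assumed names.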

Sources

Type       Source
Primary    CyberScoop. Security leaders say the next two years are going to be 'insane'
Vendor     Armadin. Introducing Armadin (Kevin Mandia, March 2026)
Reporting  TechCrunch. Mandiant's founder raised $189.9M for Armadin
Reporting  CSO Online. 6 key takeaways from RSAC 2026
Reporting  SecurityWeek. Kevin Mandia's Armadin Launches