Introduction

The most dangerous phrase in security leadership is: “We just need more headcount to clear the backlog.” It’s a fundamental misunderstanding of the system you’re operating in. In 2025 alone, we saw a record 48,000 new CVEs published—averaging out to roughly 132 new vulnerabilities every single day.

Rather than chasing this as a “task” problem, I have been building a program that views the vulnerability backlog through the lens of Systems Thinking, specifically as a Stock and Flow problem whose arithmetic is rigged against the defender.


The Broken Calculus of Security Debt

Think of your vulnerability backlog as a Stock—a reservoir of unmitigated risk.

  • The Inflow: New vulnerabilities are pouring in at a compounding rate, driven by an 18% year-over-year increase in discovery velocity.
  • The Outflow: This is your remediation capacity—the speed at which your team can triage, test, and deploy fixes.

In most organizations, the Inflow has become a firehose, while the Outflow remains a manual, high-friction straw. When Inflow consistently exceeds Outflow, the Stock (your security debt) doesn’t just grow; it stagnates and compounds. In sectors like healthcare, the “survival half-life” of a vulnerability, the time it takes for half of a given set of open findings to be closed, is now a staggering 244 days.

By the time you’ve drained half the “old” risk, the reservoir has already been refilled multiple times over with new, more sophisticated threats.
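The stock-and-flow argument above is easy to state and easy to get wrong, so here it is as a small runnable model. This is an added example, not code from the author’s program: the 132/day base inflow and the 18% year-over-year growth are taken from the text, while the backlog sizes, outflow rates and per-analyst throughput are constructed for illustration. The cohort_half_life function makes the “rigged” part explicit: if new arrivals are always served first (the usual “latest critical jumps the queue” behaviour), an existing cohort only ever sees the surplus of outflow over inflow, and once inflow exceeds outflow that cohort is never drained at all.

```python
"""Stock-and-flow model of a vulnerability backlog (added illustration).

Assumptions: 132/day base inflow and 18% YoY growth are from the page; every
other number (backlog sizes, outflow rates, analyst throughput) is constructed.
"""
import math

DAYS_PER_YEAR = 365.0


def daily_inflow(day, base_per_day=132.0, yoy_growth=0.18):
    """Inflow on `day` when discovery velocity compounds at `yoy_growth` per year."""
    return base_per_day * (1.0 + yoy_growth) ** (day / DAYS_PER_YEAR)


def simulate(stock0, outflow_per_day, days, base_per_day=132.0, yoy_growth=0.18):
    """Stock (open findings) at the end of each day, given a fixed daily outflow."""
    stock = float(stock0)
    history = []
    for day in range(days):
        stock += daily_inflow(day, base_per_day, yoy_growth)
        stock = max(0.0, stock - outflow_per_day)  # cannot close more than is open
        history.append(stock)
    return history


def cohort_half_life(cohort_size, outflow_per_day, inflow_per_day, newest_first):
    """Days until half of an existing cohort of open findings is closed.

    newest_first=False: the cohort gets the whole outflow (oldest first).
    newest_first=True : new arrivals are served first; the cohort only sees
                        the surplus of outflow over inflow.
    Returns None when the cohort is never drained.
    """
    rate = outflow_per_day if not newest_first else outflow_per_day - inflow_per_day
    if rate <= 0:
        return None
    return math.ceil((cohort_size / 2.0) / rate)


def analysts_needed(day, per_analyst_per_day, base_per_day=132.0, yoy_growth=0.18):
    """Headcount required on `day` just to keep the stock from growing."""
    return math.ceil(daily_inflow(day, base_per_day, yoy_growth) / per_analyst_per_day)


if __name__ == "__main__":
    # Constructed scenario: 10,000 open findings, team closes 100/day.
    year = simulate(stock0=10_000, outflow_per_day=100, days=365)
    print(f"stock after one year at 100 closes/day: {year[-1]:,.0f}")
    # Same cohort, 50 closes/day, 30 new/day, two queue disciplines.
    print("oldest-first half-life :", cohort_half_life(10_000, 50, 30, newest_first=False))
    print("newest-first half-life :", cohort_half_life(10_000, 50, 30, newest_first=True))
    print("inflow > outflow       :", cohort_half_life(10_000, 50, 60, newest_first=True))
    # Constructed: an analyst who fully remediates 4 findings/day.
    for years in (0, 1, 5):
        print(f"analysts needed in year {years}:", analysts_needed(years * 365, 4))
```

The headcount line is the one to show a leadership team: at a constant per-analyst throughput, the staff needed just to hold the stock flat grows at the same 18% a year as the inflow, so “more headcount” is a treadmill rather than a fix.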

Moving to a “Done-For-You” (DFY) Outflow

To fix the system, we must pivot our approach. We have to stop obsessing over the Stock (which we can’t control directly) and start re-engineering the Outflow. This is where a “Done-For-You” (DFY) mentality changes the game.

Traditional vulnerability management is high-friction by design. It requires manual triage based on static CVSS scores that carry no information about exploitation activity or asset exposure, followed by cross-departmental negotiations. It’s a slow, turbulent outflow that leads to widespread alert fatigue.

Historically we could not solve this with more people, because headcount scales linearly while the inflow compounds. With AI agents, however, we can now scale the Outflow itself. I am proposing an AI-native approach that creates a Done-For-You Outflow by automating the entire remediation lifecycle:

  • Intelligent Filtration: Instead of treating every “Critical” score as equal, the AI correlates scanner findings with CSPM asset context (business impact, exposure) and exploitability signals to identify the 2-5% of vulnerabilities that actually matter. This instantly thins the inflow to what needs a fix now.
  • Automated Liquidation: We move beyond opening tickets. Systems can now ingest scanner data and automatically open patch Pull Requests across repositories in minutes. The PR still has to pass CI, be merged and be deployed before the finding is closed, so measure the Outflow at deployment, not at PR creation.
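Both steps above, filtration and PR generation, can be shown end to end on constructed data. The following is an added example, not the author’s pipeline or any vendor’s product: the Finding fields, the EPSS threshold, the “known exploited” flag, the asset impact labels and the requirements.txt pin format are assumptions, and every package name, version and finding ID is made up. The filter keeps a finding only when it is exploitable (known exploited or above an EPSS threshold) and sits on an asset that matters; a CVSS 9.8 on a low-impact, unexposed asset is deliberately dropped. The patch step then rewrites the affected manifests and emits the unified diff a bot would turn into a Pull Request, choosing the highest fix version when several findings hit the same package.

```python
"""Filtration plus patch-PR generation over constructed scanner output.

Added illustration; all identifiers, versions and thresholds are assumptions.
"""
import difflib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    package: str
    installed: str
    fixed_in: str
    cvss: float
    known_exploited: bool  # listed as exploited in the wild
    epss: float            # estimated probability of exploitation (0..1)
    asset_impact: str      # "high" | "medium" | "low", from CSPM / asset inventory
    internet_exposed: bool
    manifest: str          # dependency manifest path inside the repo


def is_actionable(f, epss_threshold=0.5):
    """Exploitable AND on a resource that matters; CVSS alone never qualifies."""
    exploitable = f.known_exploited or f.epss >= epss_threshold
    matters = f.asset_impact == "high" or f.internet_exposed
    return exploitable and matters


def prioritize(findings, epss_threshold=0.5):
    """Return the actionable subset, most urgent first."""
    keep = [f for f in findings if is_actionable(f, epss_threshold)]
    keep.sort(key=lambda f: (f.known_exploited, f.epss, f.cvss), reverse=True)
    return keep


def _vkey(version):
    """Sortable key for dotted versions; non-numeric parts sort after numeric ones."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


_PIN = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s#]+)(?P<rest>.*)$")


def bump_manifest(text, fixes):
    """Rewrite `name==version` pins for packages in `fixes` (name -> fixed version)."""
    wanted = {name.lower(): ver for name, ver in fixes.items()}
    out = []
    for line in text.splitlines():
        m = _PIN.match(line)
        if m and m.group("name").lower() in wanted:
            line = f"{m.group('name')}=={wanted[m.group('name').lower()]}{m.group('rest')}"
        out.append(line)
    return "\n".join(out) + "\n"


def make_patch(path, old_text, new_text):
    """Unified diff in the form a PR bot would commit."""
    return "".join(difflib.unified_diff(
        old_text.splitlines(keepends=True), new_text.splitlines(keepends=True),
        fromfile="a/" + path, tofile="b/" + path))


def plan_patches(findings, manifests):
    """manifests: path -> current text. Returns path -> unified diff for actionable findings."""
    fixes_by_manifest = {}
    for f in prioritize(findings):
        fixes = fixes_by_manifest.setdefault(f.manifest, {})
        current = fixes.get(f.package)
        if current is None or _vkey(f.fixed_in) > _vkey(current):
            fixes[f.package] = f.fixed_in  # highest fix version wins
    patches = {}
    for path, fixes in fixes_by_manifest.items():
        new_text = bump_manifest(manifests[path], fixes)
        if new_text != manifests[path]:
            patches[path] = make_patch(path, manifests[path], new_text)
    return patches


# Constructed sample scanner output and manifests (not real packages or findings).
FINDINGS = [
    Finding("F-1", "examplelib", "1.2.0", "1.2.5", 9.8, False, 0.02, "low", False, "svc-a/requirements.txt"),
    Finding("F-2", "netparse", "3.0.1", "3.0.4", 7.5, True, 0.91, "high", True, "svc-a/requirements.txt"),
    Finding("F-3", "tokenkit", "0.9.0", "0.9.2", 8.1, False, 0.73, "high", False, "svc-b/requirements.txt"),
    Finding("F-4", "imgcodec", "2.4.0", "2.4.1", 6.5, False, 0.10, "high", False, "svc-b/requirements.txt"),
    Finding("F-5", "netparse", "3.0.1", "3.0.3", 7.5, False, 0.60, "high", True, "svc-a/requirements.txt"),
]
MANIFESTS = {
    "svc-a/requirements.txt": "examplelib==1.2.0\nnetparse==3.0.1  # HTTP parsing\nrequestsish==1.0\n",
    "svc-b/requirements.txt": "tokenkit==0.9.0\nimgcodec==2.4.0\n",
}

if __name__ == "__main__":
    print("actionable:", [f.finding_id for f in prioritize(FINDINGS)])
    for path, patch in plan_patches(FINDINGS, MANIFESTS).items():
        print(patch)
```

Note what the output does not contain: F-1 (CVSS 9.8, but neither exploited nor on an asset that matters) and F-4 (high-impact asset, but no exploitation signal) never reach the patch stage, which is exactly the thinning of the inflow the text describes.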

The Strategic Payoff: Shrinking the Reservoir

By increasing the velocity of the Outflow through AI-driven automation, we finally achieve what manual teams cannot: we drive down the Stock of Risk.

When remediation becomes a “background service”—high-confidence and low-friction—security debt stops being a permanent tax on your innovation. You aren’t just “patching”; you are increasing the liquidity of your technical environment, allowing your best talent to focus on building rather than digging out of a hole, and ultimately accelerating your company’s actual mission and development.

In Part II, I’ll explore how we actually use agentic AI to solve the very architectural drift it creates during accelerated development—Done-For-You Remediation.