Ask Us Anything: Closing the Discovery-Remediation Gap
The gap between discovering vulnerabilities and fixing them is getting wider. Remediation time across the industry has grown, even as AI is accelerating the rate of discovery. On the H1 Platform, submissions are up 92% year over year, and 32% of those findings are critical or high severity. That is not a volume problem. It is an operational one.
To get into the hard questions, we hosted an Ask Us Anything session with three leaders from HackerOne:
Alex Rice, Co-Founder, CTO and CISO
Nidhi Aggarwal, CPO
Michiel Prins, Co-Founder and Sr. Dir. of Product Management
The conversation covered how organizations are building toward Continuous Threat Exposure Management (CTEM), navigating shadow AI, managing expanding attack surfaces, and making prioritization decisions that hold up at the board level.
We received more questions than we could address live. Below are five that tell the most important parts of that story.
Q: With AI accelerating vulnerability discovery, how do you make sure your engineering teams do not get buried?
Alex: "The honest answer is that most teams already are buried, and adding more discovery without changing the remediation model makes it worse. The organizations getting ahead of this are the ones treating remediation as a system, not a queue.
That means validated findings routed directly to the team that owns the code, with clear SLAs and automated retesting to confirm the fix actually worked. These are the organizations experiencing a meaningful decline in their Mean Time to Remediate (MTTR). The ones still working from a ticket backlog are seeing remediation times move in the wrong direction. The gap is widening because discovery is faster, but the fix workflow has not changed."
Q: How are organizations thinking about continuous testing across an attack surface that keeps growing?
Nidhi: "Most programs were designed for a fixed point-in-time model. A pentest twice a year, a bug bounty program running in the background. That architecture does not work when code is being deployed by AI agents at a speed we have never seen before and when your attack surface now includes AI tools your engineering teams spun up last week without telling security.
The shift we are seeing from organizations that are ahead of this is from discrete testing cycles to a continuous loop. Scan on every code change. Differential analysis on what is new or regressed. Bug bounty and security researcher engagement to find the vulnerabilities that automated tools will not catch. Then validation and retest to confirm fixes close the actual exposure, not just the ticket.
The teams building this architecture are not asking how to add more tools. They are asking how to connect the ones they have into a program that runs at the speed of their development pipeline."
Q: How do you prioritize what actually gets fixed when the backlog is growing faster than the team can work?
Alex: "Start by cutting the noise. If your team is working from a raw findings list, three quarters of that effort is not reducing real risk. Validation changes the math entirely. Once you are working from validated, exploitable findings, the prioritization question becomes: what is the blast radius if this gets exploited, and how fast can we close it? Critical and high severity findings that are exploitable and sit in systems with external exposure should drive the conversation at the board level.
Everything else is a sequencing question. The board question I get asked most is not how many vulnerabilities do you have. It is how quickly can you identify the ones that matter and verify they are fixed. If the answer takes days to produce, there is a material exposure gap regardless of how big your security team is."
HackerOne Co-founder, CTO, and CISO Alex Rice on why prioritization must move at machine speed in 2026: agentic pipelines need to get findings straight into remediation, with human review reserved for edge cases only.
Q: Shadow AI seems like the new shadow IT. What is actually working to detect and manage it?
Alex: "First, define your terms clearly, because how you define shadow AI changes the answer completely. If shadow AI means any AI your organization has not formally approved, the problem is already bigger than shadow IT ever was.
The productivity pull at the consumer level is enormous, and people are bringing these tools into the enterprise faster than any governance process can respond. Trying to shut that down with policy alone will fail. The better approach is to move fast on your golden path: pick your approved vendor, whether that is Gemini, Claude, OpenAI, or another, deploy it properly, and make it easy for people to use.
Once you have a golden path in place, then you can reasonably monitor for the consumer tools that fall outside it. Endpoint detection will give you basic coverage on the most common ones. But the organizations making the most progress are the ones working with their business teams, not against them. Understand why people are using the tools they are using, and bring them to the approved path rather than trying to block the behavior."
Q: AI is being used to find vulnerabilities faster than ever. Does that make bug bounty programs less relevant, or more?
Michiel: "The headline you see out there is that bug bounty is dead. We disagree, and the data disagrees. What AI is actually doing is raising the floor, not replacing the ceiling. The lower-hanging fruit, basic injection vulnerabilities, cross-site scripting, the things a scanner could eventually find, those are getting caught earlier in the stack now, and that is a good thing. You should not need a security researcher to find your SQL injection at the last line of defense.
What that does is change what researchers are competing on. Every security researcher right now is effectively a bionic researcher. They are not finding vulnerabilities with their hands anymore. They are extending their judgment and creativity with AI tools, which means the findings coming through bug bounty programs are getting harder and more novel. The creative, logic-flaw, nobody-expected-this-to-exist class of vulnerability.
This is what human ingenuity finds, and no model has replaced that yet. Bug bounty is not becoming less relevant. The bar for what it catches is going up, and that is extremely critical when thinking about what is actually exploitable."
Nidhi: "An example of this on a recent trip came from a team of researchers working with some of the most sophisticated AI tools available. They were doing exactly the kind of bionic hacking Michiel described. The AI hit a constraint and told them directly: this is the limit, you cannot go further. The researchers ignored it. They pushed past what the AI said was possible and reached remote code execution, a finding that nearly crossed from a critical vulnerability into a live incident.
That is the power of the researcher in this equation. The AI did not find that vulnerability. A researcher with AI, one who knew the limit was worth breaking, did. This class of finding, researchers pushing past the limits agents set for themselves, is showing up consistently across our bounty programs."
Keep the Conversation Going
We did not get to every question submitted during the session. If you have others, reach out. No sales pitch, just insights around how enterprises are tackling these challenges every day.
And if you want to hear more, check out HackerOne's Virtual Security Summit on July 15th, with customers, security researchers, partners, and outside experts taking these questions a layer further with practical guidance.