The ITSPmagazine Podcast

Vulnerability Management in the Age of AI: From Data Overload to Decisive Action | A Brand Spotlight at RSAC Conference 2026 with Daniel DeCloss, Founder & CTO of PlexTrac

Episode Summary

Adversaries are building exploits faster than most teams can patch -- so what does it actually mean to manage vulnerability risk in 2026? Daniel DeCloss, Founder & CTO of PlexTrac, joins Sean Martin live on the RSAC Conference 2026 show floor to answer that question with hard-won operational clarity.

Episode Notes

Security teams have always struggled with the gap between finding vulnerabilities and fixing the right ones. DeCloss built PlexTrac after seeing that gap firsthand as a penetration tester -- watching critical findings disappear into static PDFs and manual spreadsheets with no real tracking, no accountability, and no way to demonstrate improvement. The platform was designed from the ground up to close that loop.

The conversation gets specific about what contextual risk scoring actually means. A CVE rated 10.0 in the National Vulnerability Database may be irrelevant to a given organization; a lower-severity finding may be critical given the systems that organization actually runs. PlexTrac's newly launched MCP server correlates vulnerability data against real-world environmental context, making that distinction automated and actionable -- not something an analyst has to puzzle out manually every time.

DeCloss walks through what the before state looks like for most teams: an annual pentest PDF, weekly scanner output, no unified view, and spreadsheet-based assignment that makes it nearly impossible to track who is working on what or whether anything is actually getting resolved. PlexTrac replaces that with a normalized, integrated platform that connects to Jira, ServiceNow, and Azure DevOps -- keeping workflows intact while adding the visibility that was always missing.

On AI's role in the industry, DeCloss is measured but direct. AI is a force multiplier, not a job eliminator. Security has always operated with a talent shortage, and automation fills that gap. But AI also expands the attack surface -- and organizations that adopt it without a security framework create new exposure. The human in the loop, with real subject matter expertise, remains essential.

This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight

GUEST

Daniel DeCloss, Founder & CTO, PlexTrac
https://www.linkedin.com/in/ddecloss/

RESOURCES

PlexTrac: https://plextrac.com

KEYWORDS

Daniel DeCloss, PlexTrac, Sean Martin, vulnerability management, penetration testing, pentest reporting, risk prioritization, CVE scoring, MCP server, AI in cybersecurity, blue team, remediation tracking, CTEM, continuous threat exposure management, RSAC Conference 2026, brand spotlight, brand marketing, marketing podcast, brand story

Episode Transcription

Vulnerability Management in the Age of AI: From Data Overload to Decisive Action | A Brand Spotlight at RSAC Conference 2026 with Daniel DeCloss, Founder & CTO of PlexTrac

[00:00:10] Sean Martin: Here we are, Dan.

[00:00:11] Daniel DeCloss: Yeah,

[00:00:12] Sean Martin: we're at a nice booth here.

[00:00:13] Daniel DeCloss: Yeah.

[00:00:13] Sean Martin: The PlexTrac booth.

[00:00:14] Daniel DeCloss: Yeah. It's pretty

[00:00:15] Sean Martin: exciting. It's, uh, there's a lot of people cruising around here.

[00:00:17] Daniel DeCloss: Yeah.

[00:00:17] Sean Martin: Wondering what's going on with PlexTrac.

[00:00:19] Daniel DeCloss: Yeah. Yeah. No, I mean, uh, it's been a, and it's been an exciting journey, you know, with PlexTrac, you know, I'm the founder. So, I, I started my career in cybersecurity over 20 years ago. Kind of found my niche in penetration testing and security management as a whole, and so I just saw a lot of pain around on the pen testing side around how we generate reports and the lack of collaboration during the entire life cycle of those findings that come out. Which are some of the most critical findings that an organization can have, and just a weakness around how they're actually getting resolved and how people are tracking those issues. So that's really like the track part of PlexTrac -- providing a platform that not only helps on the reporting and generation of the report itself for the pen test team, but also better collaboration on those results. And then we've just continued to expand that offering to support the entire security team from the proactive side. Being able to aggregate data across lots of different sources of findings like vulnerability scanners, app code scanners, all of that so that they truly have a prioritized view of all their risks and can actually identify what are the most important things we should be working on now, and are we actually getting better in our security posture? That's our mission.

[00:01:32] Sean Martin: Got it. I love it. And, uh, we were joking before we started recording that vulnerability management's easy. Yeah. There's never, uh, there's never enough to work on, right? We blow through the list so fast.

[00:01:46] Daniel DeCloss: Yeah. Yeah. Yep.

[00:01:47] Sean Martin: The people watching know the real reality, but, uh, kind of paint that picture for us. The analysts and practitioners, what are they really dealing with?

[00:01:56] Daniel DeCloss: Yeah, I mean, you know, vulnerability management's just always -- I mean, it's gonna continue to be a reactive practice more than anything anymore. It's not a true proactive activity because exploits, with AI and everything else that's going on in the adversary world, they're able to build exploits faster than we can patch. So there's just really no sense in vulnerability management being a proactive activity. It now just fits into that aspect of -- hey, how do we know we're fixing the most important things and the most critical aspects? And that's still a very challenging problem for a lot of teams. So that's really where we come in and where we can help. What are the most important things that we should be fixing first? What is our true exposure? How exploitable are these things in our environment? And that's where you match the pen test data with data in the real world. PlexTrac just launched an MCP server. That really helps bring visibility in -- from the data to, hey, what's exploitable in our environment? How can we tie that into our processes and our workflows so that teams are getting better? That's our mission.

[00:03:09] Sean Martin: So talk to me about the process. What I'm envisioning -- correct me if I'm wrong -- but we've done a decent job with CVEs and categorizing and ranking and rating and normalizing and getting stuff in a way that systems can kind of use it.

[00:03:31] Daniel DeCloss: Yeah.

[00:03:32] Sean Martin: But not great for humans.

[00:03:35] Daniel DeCloss: Right.

[00:03:35] Sean Martin: The introduction of MCP and AI and LLMs -- I'm assuming it makes it human digestible, human actionable. Talk to me a little bit about how that process looks now. Am I right in that?

[00:03:49] Daniel DeCloss: Yeah, absolutely. Systems can analyze and consume data much better than humans can. So a CVE is not necessarily going to have the context for that customer or that enterprise. What our MCP server can do is draw up that data and correlate it -- analyze like, okay, yeah, it may be a 10.0 CVE in the world, but based on the systems it's exploitable for in your environment, it may be less because they don't exist in a publicly facing environment. Or the opposite -- this CVE is lower severity, but based on the data housed by the systems you're operating in, it's actually more severe. That's where AI can really continue to help teams understand what are the most important things in the context of their environment. Within PlexTrac also, we have our own risk scoring capabilities that allow customers to put the context of their business into that risk score. So they really have control over how CVEs and vulnerabilities are exploitable in the context of their business.

[00:05:08] Sean Martin: So it's one thing to collect vulnerabilities, analyze them, rank-stack them. Then you need to do something. You have a PDF of some findings -- how useful is that, really? What do you do?

[00:05:28] Daniel DeCloss: Yeah, exactly. At some point somebody's gotta get the work done. And the real work is where you actually resolve those issues and remediate and reduce risk. So what we help support is that whole life cycle around the tracking and remediation. Not only can you update statuses and have automations around who gets assigned to what issues -- within PlexTrac, we can also integrate with other ticketing systems like Jira, ServiceNow, Azure DevOps -- so that people have visibility and don't disrupt their workflows for how they remediate issues. But you have visibility into who's working on it, where's the status, are we actually fixing these issues, how long have they been in each state? So you truly have better analytics around actually fixing the issues that are the most important ones.

[00:06:19] Sean Martin: I want to touch on that in a second. But walk me through a common scenario -- or look back at the current state for most organizations who haven't modernized their vulnerability management and patch management program yet. Compare that previous state to now. What's that flow look like? Who's involved? Is there better collaboration, communication?

[00:06:40] Daniel DeCloss: Yeah. So previously you would have a team that hires a pen test firm to come and do a third-party pen test. That's like an annual assessment. They'll provide you a 300-page PDF report. And in addition to that, the team is also doing recurring scans every week and getting all these other findings. They didn't really have a way to bring the pen test results alongside the vulnerability management results so you actually understood how they stack rank against each other. And then they'd have to put that into a spreadsheet -- assign this one to this person -- and that's not a centralized way to manage work. A lot of people are still doing that today. So what we do is bring that together in a unified platform with normalized data sets so that everybody can see all the issues across their environment, how important they are to fix relative to them. We can automatically assign these out. We have visibility into who's working on them, how long they've been in each state. It's been sitting with this team for three weeks -- we can go find out where the status actually is. Because that's where a lot of time gets lost. And time is extremely precious within the blue team, especially with the dawn of AI, which is only accelerating attackers much faster than defenders. The more you can automate, the more you can give visibility into the most important aspects, the better they're gonna sleep at night knowing they're working on the right things.

[00:08:36] Sean Martin: Right. And let's talk about that. The more information you have, the better you can figure out what's really going on. What does success look like for your customers? How do they measure what's happening? What are some of the ways they say -- we were really slow here, our team was burnt out -- and now they can say this looks really good because of X, Y, Z?

[00:09:04] Daniel DeCloss: Yeah. Some of the ways they measure success -- hey, we didn't have visibility into who was fixing these issues and how they were getting resolved, and are they recurring? Being able to do continuous testing and have visibility into those results is one measure of success. They can also look at trend lines -- every time we do a scan, the number of issues popping up may be the same, but we're fixing them at a faster rate. Or we have better visibility into which are false positives and which we're not going to worry about because they're not as important. They're able to break that down through our dashboarding and reporting and truly recognize -- hey, we can report up to our stakeholders that we're getting better and that we're working on the most important things.

[00:10:01] Sean Martin: What do some customers say when you talk to them after using it for a little bit? Any feedback they share?

[00:10:11] Daniel DeCloss: I mean, this is what I also love about conferences like RSAC Conference or Black Hat. When we're meeting with customers, it's always energizing. You'll see -- oh man, PlexTrac changed my life. We've genuinely had those conversations, and that's very rewarding. They were stuck in manual processes, lack of visibility, and they truly feel empowered and their morale on the team is so much better. Those are the kind of wins we take to heart. And that's one thing I love about our community -- we're all trying to make people better and truly get better at security.

[00:11:00] Sean Martin: So there's a lot of talk that automation will eliminate roles. What's your view on that in relation to vulnerability management?

[00:11:07] Daniel DeCloss: I think there's gonna be an augmentation of AI -- it's just going to continue to accelerate how much teams can get done. Traditionally in security we've had the conversation around a talent shortage. And I think AI fills that gap -- it's not necessarily removing people, it's augmenting the talent you have. We were just talking about this in the adversary village. You still need that subject matter expertise to help analyze and do those gut checks. AI will continue to help accelerate the automation pieces, but you still need a human in the loop to trust and verify. I see it as only an enhancement -- accelerating the current talent you have, not replacing people. And with any technological revolution, there are gonna be certain things that aren't needed anymore, but those people will adapt and those jobs will adapt into other skill sets. AI broadens the attack surface itself, so people need to be skilled in identifying the issues specifically with the AI they're deploying or using and how users might be causing problems. We'll just continue to see the evolution grow within our space.

[00:12:51] Sean Martin: Anything you want to highlight from the adversary village discussion?

[00:12:53] Daniel DeCloss: It was a great conversation about how AI is helping adversaries accelerate much faster. They don't have the restrictions the blue team does. The blue team's always going to be limited by time, money, and talent -- and the same is true in the AI era. So how does the blue team use AI to help accelerate at a better pace? That was a key discussion, along with where AI is going in terms of validating the output it produces. That's where subject matter expertise still becomes valuable. We need to keep educating and training people because you don't want to lose that expertise.

[00:13:45] Sean Martin: All right, let's look at the future a little bit -- from three angles. The threat: the vulnerabilities being exploited, the volume, the AI enabling it. The AI that's protecting. And that person sitting there dealing with it. What's your vision for where things are headed? Do we find utopia at some point, or is it just going to constantly be like this?

[00:14:20] Daniel DeCloss: It's like any other technological revolution or evolution -- there are gonna be things AI does really, really well, and it's gonna present its own set of challenges. From the attacker's perspective, it's gonna continue to help them accelerate and provide more sophisticated attacks. From the defender's perspective, they're gonna have to be better at using AI to identify those attacks -- seeing the signals from more advanced phishing, better obfuscation within exploit code. Just understanding the landscape is the defender's most important job today: these are the aspects AI is really good at, so we need to have visibility into whether that's happening in our environment. That's not an easy thing to do. The defenders are just having to expand their realm of knowledge. Overall AI is going to be a force multiplier for everybody. It will improve a lot of automations. It will expand the attack surface -- so making sure the business understands where they need to invest to protect against those things is just as important as saying, go use AI. You can't let your organization run wild with AI -- that opens up the attack surface even broader. Giving your security team the leeway to say: this is the manner in which we need to operate in an AI era -- that's probably the most important thing for the business to do.

[00:16:28] Sean Martin: Makes sense. Makes sense. So final word from me, Dan. I always like to figure out where this stuff fits into a program. Companies are still doing a lot of stuff manually. How and where can they connect with you? Let's say an organization has a program that's been around for a while -- mature, but not meeting the team's expectation. How do they connect with you?

[00:16:59] Daniel DeCloss: Obviously connecting with us -- come to our website, request a demo, connect with us on LinkedIn. We're easily open and can give demos. But where the mature teams are seeing value is that they're continuing to optimize for better output, better outcomes related to -- are we fixing the right things? The mature companies are already doing pen testing, some form of automated testing, and they're inundated with: are we really fixing the right issues? We help with that prioritization and the mobilization of the teams responsible for fixing the issues. For the less mature teams, this is a great place to get started. We provide a framework for how you can actually be more proactive than reactive in your security operations. And that's the mantra that has to continue to drive forward -- how can we be in a continuous, proactive state, rather than reactive and living on a hope and a prayer.

[00:18:08] Sean Martin: Perfect. And I know I said final -- I have one more final. That was to the professional, the practitioner, the folks with their hands on the keyboards. They have a manager -- the CISO. I have a lot of CISO audience. What's your message to them?

[00:18:28] Daniel DeCloss: My message to them is -- you want to make sure your team is optimized and doing the best that they can in the best mental state that they can. Having good morale and truly knowing they are empowered and focused on the right things. And having that visibility through a platform like PlexTrac can really provide the metrics and the visibility. Have we invested in the right products for our security team? Are they fixing the right issues? What's the overall state of your program and your risk posture? That's something we can truly help with.

[00:19:06] Sean Martin: I love it. Dan, pleasure chatting with you.

[00:19:07] Daniel DeCloss: Yeah, you too.

[00:19:10] Sean Martin: Thank you. Yep. Keep up the good work. Folks listening and watching -- connect with Dan and the PlexTrac team, and stay tuned for more coming from RSAC Conference. Thank you.

[00:19:12] Daniel DeCloss: Appreciate it.