The traditional vulnerability management paradigm is built on two assumptions that AI-assisted offensive security has rendered obsolete: that individual vulnerabilities can be scored in isolation, and that the human creativity and time required to chain low-severity findings into high-impact exploits represent a meaningful defensive barrier. AI removes both constraints. This paper presents an AI-native exploit chain modeling framework comprising four components: graph-based vulnerability modeling that treats nodes (vulnerabilities, assets, controls) and edges (reachability, preconditions, postconditions) as the primary unit of analysis; a redesigned severity scoring model that adds chainability and AI exploitability dimensions to the existing CVSS framework; path severity scoring that evaluates chains rather than individual findings; and a defensive architecture designed to break the exploit graph rather than patch individual vulnerabilities. The paper also addresses the governance and economic crisis in open-source security created by AI-assisted vulnerability discovery, and proposes structural reforms to open-source security governance.
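As an added illustration (not code from the paper, and the node fields, sample graph and path-severity formula are assumptions of this example, not the paper's definitions), the following toy exploit-graph contrasts isolated CVSS triage with chain-level scoring and picks the control that breaks the most paths:

```python
"""Toy exploit-graph model (added example; node fields, sample data and the
path-severity formula are assumptions, not the paper's own definitions)."""
from statistics import mean

# Constructed sample graph. Each vulnerability carries its isolated CVSS base
# score, an assumed chainability and AI-exploitability factor in [0, 1], and
# the state tokens it requires (pre) and grants (post). Edges are implicit:
# V_a -> V_b exists when V_a's postconditions satisfy V_b's preconditions.
VULNS = {
    "V1": {"cvss": 4.3, "chain": 0.9, "ai": 0.8, "pre": {"net:external"}, "post": {"user:web"}},
    "V2": {"cvss": 3.7, "chain": 0.8, "ai": 0.9, "pre": {"user:web"}, "post": {"read:config"}},
    "V3": {"cvss": 5.0, "chain": 0.7, "ai": 0.6, "pre": {"read:config"}, "post": {"user:db"}},
    "V4": {"cvss": 9.8, "chain": 0.2, "ai": 0.3, "pre": {"net:internal"}, "post": {"user:db"}},
}
ASSET_IMPACT = {"user:db": 10.0}           # criticality of the goal state (assumed)
# Control nodes: each denies the attacker one state token (e.g. C1 = secrets
# manager removing readable config, C2 = segmentation of the internal network).
CONTROLS = {"C1": {"read:config"}, "C2": {"net:internal"}}

def chains(vulns, start, goal, denied=frozenset()):
    """Enumerate ordered vulnerability chains reaching `goal` from `start`."""
    found = []
    def walk(state, path):
        if goal in state:
            found.append(tuple(path))
            return
        for vid, v in vulns.items():
            gained = v["post"] - denied - state
            if vid in path or not v["pre"] <= state or not gained:
                continue                    # already used, unreachable, or adds nothing
            walk(state | gained, path + [vid])
    walk(frozenset(start) - denied, [])
    return found

def path_score(vulns, path, goal):
    """Assumed path severity: goal-asset impact scaled by mean chainability*AI factor."""
    feas = mean(vulns[v]["chain"] * vulns[v]["ai"] for v in path)
    return round(ASSET_IMPACT[goal] * feas, 1)

def isolated_top(vulns):
    """What per-finding triage would patch first: the highest isolated CVSS."""
    return max(vulns, key=lambda v: vulns[v]["cvss"])

def best_control(vulns, start, goal, controls):
    """Graph-breaking defence: the control that leaves the fewest attack chains."""
    remaining = {c: len(chains(vulns, start, goal, denied=frozenset(t))) for c, t in controls.items()}
    return min(remaining, key=remaining.get), remaining

if __name__ == "__main__":
    paths = chains(VULNS, {"net:external"}, "user:db")
    print("isolated triage would patch first:", isolated_top(VULNS))
    for p in paths:
        print("chain", "->".join(p), "path severity", path_score(VULNS, p, "user:db"))
    print("control that breaks the most chains:", best_control(VULNS, {"net:external"}, "user:db", CONTROLS))
```

Run from the external network, the three low-severity findings V1, V2 and V3 form the only chain to the database, while the critical V4 lies on no reachable path, so isolated scoring and path scoring disagree on what to fix first.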
Narnaiezzsshaa Truong (Thu,)