The week ending 21 October handed security leaders two clocks running at incompatible speeds: ageing endpoints that cannot move quickly, and AI-augmented adversaries closing the gap between disclosure and exploitation to near zero.
That is not a future threat. It is the operating condition now.
| Context update | ||||||
| The issues that are shaping trust, security, and AI in this edition: | ||||||
|
Retrospective
So what have we learned from this week?
Not that the threats are new. Legacy endpoints and social engineering have always been around. What is new is the decoupling of sophistication from consequence. The F5 advisory shows a well-resourced adversary exploiting a device built to be trusted. The WA Health breach shows a 15-year-old with no malicious intent walking through a gap that had no anomaly detection behind it.
Both land in the same place: a trust boundary that assumed it would not be tested. The architectural response is not a better watchtower. It is building so that when the watchtower fails, the failure does not spread.
Poll of the week
What is your organisation doing with Windows 10 endpoints that cannot meet Windows 11 hardware requirements?
Full replacement — absorbing the capital expenditure now rather than later
Extended Security Updates — paying Microsoft to maintain a patch runway while planning migration
Isolation play — quarantining legacy machines in segmented or virtual desktop environments
Risk acceptance — continuing to run them with endpoint detection as the primary control
| Takeaways | ||||||||
| These are this edition's takeaways. | ||||||||
|
Opinion
Two clocks ran at incompatible speeds this week, and the uncomfortable part is that only one of them can be sped up. Ageing endpoints and procurement cycles move at the pace they have always moved at. The attackers exploiting them are not waiting for that pace to catch up — they have already done the market analysis on which regions and which devices are worth the effort.
What that means in practice is that legacy risk can no longer be measured by counting vulnerabilities. It has to be measured by how fast a device that cannot be patched can be contained, because containment speed is now the only lever still under an organisation's control.
The governance thread underneath all of it is the one I think gets underweighted: director duties are starting to attach directly to AI oversight, which means the real question is no longer whether a board cares about an AI tool register. It is whether whoever owns that register can produce it, and prove the kill switch behind it actually works, before it is asked for under worse circumstances.
I hope you found this edition useful. I'm always looking for feedback to improve The Context, so please reach out with any suggestions. If it shifted your thinking, the highest compliment would be to share it with someone else whose thinking it might help shift as well.
Until next week, many thanks for reading,
David




