Cyberwire Daily

Critical Security Flaws Grow with AI Use, New Report Shows

By Team-CWD, September 23, 2025


A sharp increase in hardware, API and network vulnerabilities is exposing organizations to new risks, according to Inside the Mind of a CISO 2025: Resilience in an AI-Accelerated World.

The annual report from Bugcrowd, published on September 23, draws on hundreds of thousands of vulnerability data points gathered from global bug bounty and disclosure programs.

AI Expands the Attack Surface

The study finds that AI-assisted software development, while accelerating innovation, is also widening the attack surface.

Applications pushed through rapid release cycles often leave behind gaps in access control, data protection and hardware security. At the same time, attackers are exploiting overlooked entry points such as APIs.

“We are in a high-stakes innovation race, but with every AI advance, the security landscape becomes exponentially more complex,” said Nick McKenzie, CISO of Bugcrowd.

“Attackers are exploiting this complexity, but still targeting foundational layers like hardware and APIs. No single CISO can win this race alone.”

John Watters, CEO of iCOUNTER, warned that “CISOs have always known that their near infinite attack surface and open vulnerabilities presented an insurmountable problem.”

In his view, defenders are facing a new era where “everyone becomes patient zero,” with novel threats replacing the predictable reuse of old attack methods.

Foundational Weaknesses Still Rising

Bugcrowd’s 2025 analysis revealed several notable trends:

  • 88% increase in hardware vulnerabilities amid IoT proliferation
  • 81% of security researchers reported finding new hardware flaws in the past year
  • 32% rise in payouts for critical vulnerabilities
  • 36% increase in broken access control vulnerabilities, now the leading category
  • 42% increase in sensitive data exposure
  • 10% increase in API vulnerabilities
  • Doubling of network vulnerabilities

Diana Kelley, CISO at Noma Security, noted that “foundational issues like broken access control and sensitive data exposure remain at the top of the stack.”

She cautioned that agentic AI systems, with their autonomous decision-making capabilities, could exacerbate these challenges without robust monitoring and privilege controls.

Evolving Role of the CISO

The report also reflects on the shifting responsibilities of CISOs as they balance technical depth with broader business alignment.

“The CISO persona is a necessary part of the broader business conversation,” said Bruce Jenkins, CISO at Black Duck. But he stressed that public-facing obligations “cannot interfere with the CISO’s primary responsibility, which is defending the business against cybersecurity-based threats in the most proactive manner possible.”

Agnidipta Sarkar, chief evangelist at ColorTokens, echoed this evolution, pointing to regulations as the main force pushing CISOs toward “greater alignment towards business enablement through agile and collaborative cyber practices.”

Randolph Barr, CISO at Cequence Security, highlighted a growing risk from AI-enabled impersonation: “This goes beyond phishing, it’s targeted impersonation backed by research and AI.”

He argued that layered security controls must move beyond blaming “human error” to detect and block these sophisticated attacks in real time.

The Bugcrowd report concludes that collective intelligence and continuous offensive testing will be essential to withstand escalating digital threats.


