Security leaders are asked to make high-stakes decisions based on risk scores, heat maps, and predictive models, but too often those signals are built on assumptions rather than evidence. As exploitation accelerates and attack paths grow more complex, leaders face a critical question: Which risks truly deserve attention and investment?

Exploit, Don’t Trust is a thought leadership series for security and risk decision-makers navigating this challenge. Bringing together industry voices and experienced security leaders, the series examines why theoretical risk alone is no longer sufficient and how an exploit-aware, evidence-driven mindset can improve prioritization, accountability, and outcomes.

Across the sessions, speakers will explore:

  • Why common risk metrics often misalign with real-world attacker behavior
  • How exploitation trends change what “high risk” actually means
  • The difference between reporting risk and reducing it
  • Why cyber confidence is often misplaced (why organizations believe they’re secure when they’re not)

Designed for directors, security leaders, and executives responsible for cyber risk strategy, this series focuses on how to make better risk decisions—cutting through noise, challenging inherited models, and aligning security investments to what demonstrably threatens the business.

March 18, 2026
9:00 AM – 12:00 PM PT

Featuring

Ron Eddings
Hacker Valley Media

Patrick Garrity
Security Research
Vulnerability Intelligence

Professor Dan Haagman
CEO, Chaleit
Author

Chris Hughes
Founder, Resilient Cyber
VP Security Strategy, Zenity
Author

Lance Seelbach
Director Global Lead, Cybersecurity, AI/Automation
DXC

Sumedh Thakar
President and CEO
Qualys

Himanshu Kathpal
VP Product Management
Qualys

Saeed Abbasi
Senior Manager
Qualys Threat Research Group (TRU)

Agenda

9:00 AM PT

Opening Perspectives on Cyber Risk

Cybersecurity thought leader and co-founder of Hacker Valley Media, Ron Eddings will open the session with a welcome and set the stage for a forward-looking conversation on redefining cyber risk in the age of AI. Drawing on insights from his work with global security leaders, Ron will frame the key themes shaping today’s risk landscape and prepare the audience for an engaging executive dialogue.

Ron Eddings
Hacker Valley Media

9:15 AM PT

Rethinking Cyber Risk in the Age of AI

Cybersecurity leaders are under increasing pressure to translate technical exposure into business impact. As AI accelerates innovation—and expands the attack surface—the conversation must shift from vulnerability counts to measurable risk.

Join Sumedh Thakar, CEO of Qualys, and Professor Dan Haagman for a candid fireside chat exploring how organizations can operationalize cyber risk in a world defined by AI, automation, and increasing regulatory scrutiny. They’ll examine how to align security strategy with business priorities, quantify risk in financial terms, and build a more resilient enterprise through data-driven decision-making.

Expect an engaging discussion that bridges academic insight with real-world execution—offering practical perspectives for CISOs, risk leaders, and boards navigating the next era of cyber risk management.

Sumedh Thakar
President and CEO
Qualys

Professor Dan Haagman
CEO Chaleit, Author

9:45 AM PT

Turning Vulnerability Intelligence into Measurable Risk Reduction

In this Cyber Risk Series session, Patrick Garrity and Saeed Abbasi take a practical look at what exploitation trends are really telling us—and why simply “prioritizing by severity” doesn’t cut it anymore.

Building on recent research findings and a large dataset of newly issued CVEs, they’ll dig into how fast vulnerabilities move from disclosure to active exploitation, where remediation efforts stall, and why certain technologies, especially network edge and end-of-life devices, continue to show up in breach headlines.

Most importantly, the session connects research to reality. By pairing external threat intelligence with real-world detection and remediation data, Patrick and Saeed will show how to separate theoretical risk from exploitable risk. You’ll walk away with practical ideas for sharpening your focus, improving scoring and categorization, and turning vulnerability management into something measurable: real, provable risk reduction.

Patrick Garrity
Security Research, Vulnerability Intelligence
VulnCheck

Saeed Abbasi
Senior Manager
Qualys Threat Research Group (TRU)

10:30 AM PT

Session to be announced

Chris Hughes
Founder, Resilient Cyber
VP Security Strategy, Zenity
Author

11:00 AM PT

Session to be announced

Lance Seelbach
Director Global Lead, Cybersecurity, AI/Automation
DXC

11:30 AM PT

Bridging the Gap Between Probability to Confirmed Exploitability

Risk-based vulnerability prioritization is a powerful filter, but it has a hard ceiling because it estimates likelihood rather than certainty. A vulnerability that scores critical may be entirely unreachable behind your deployed controls; a medium-severity finding may be trivially exploitable.

This session will highlight how closing that gap requires moving from probability to proof through exploit-based validation that deterministically confirms whether a vulnerability is actually exploitable within your specific environment. The speakers will also discuss how autonomous validation agents take this further by operationalizing confirmation at scale, continuously probing across dynamic environments, respecting safety guardrails to prevent disruption, and feeding confirmed findings directly into remediation pipelines. The result is a remediation posture grounded in evidence, not assumption.

Himanshu Kathpal
VP Product Management
Qualys

Saeed Abbasi
Senior Manager
Qualys Threat Research Group (TRU)