Authored by: PlexTrac Team

Posted on: April 9, 2026

Vulnerability Management in the Age of AI: From Data Overload to Decisive Action

By Sean Martin and Marco Ciappelli, Co-Founders of ITSPmagazine

Between the 300-page pentest PDF and the spreadsheet no one is updating, security teams lose the thread. Findings pile up, priorities blur, and the key question — are we actually getting safer? — goes unanswered. That is the problem Daniel DeCloss set out to solve when he founded PlexTrac, and it is the conversation he brought to the RSAC Conference 2026 show floor.

Why Is Vulnerability Management Still Mostly Reactive?

Vulnerability management is reactive because adversaries now build exploits faster than defenders can patch. With AI accelerating weaponization, the window between disclosure and active exploitation has collapsed. The goal is no longer to stay ahead of every CVE — it is to fix the right ones in the right order. A 10.0 CVE may be irrelevant if the affected systems do not match an organization’s profile. A lower-severity finding can be critical depending on context. That context has historically been almost impossible to apply at scale.

How Does PlexTrac Make Vulnerability Data Actionable?

PlexTrac addresses this with a recently launched MCP server that correlates vulnerability data against an organization’s actual systems and exposure profile — surfacing contextual risk rather than raw severity scores. A configurable scoring engine lets customers weight findings according to their specific business context. The result is a prioritized, human-readable view of what actually matters in a given environment, rather than an industry average.

DeCloss described what the pre-PlexTrac state looks like for most teams: an annual pentest PDF, weekly scan findings, no common data layer, and manual spreadsheet work to assign and track remediation. Visibility into whether anything is getting fixed — or how long something has been stalled — is nearly nonexistent. PlexTrac replaces that with a unified platform that normalizes data from pentest reports, scanners, and application security tools; automatically assigns findings; and integrates with Jira, ServiceNow, and Azure DevOps so teams are not forced to abandon their existing workflows.

What Does a Successful Security Program Look Like?

The most meaningful outcomes PlexTrac customers describe are not about finding more vulnerabilities — they are about demonstrating that the right ones are being resolved. Dashboards and reporting provide trend data showing faster fix rates, fewer recurring findings, and clear visibility into where work is stalling. For security leaders who need to justify investment and prove program maturity to stakeholders, that kind of evidence is difficult to produce with spreadsheets. Customer feedback at events like RSAC Conference has been direct: teams describe the platform as something that changed not just their workflows, but their morale.

Will AI Replace Security Analysts?

DeCloss is skeptical of the job-eliminator narrative. Security has always operated with a talent shortage, and AI — used responsibly — fills that gap by automating high-toil work and freeing analysts for the judgment calls that require human expertise. That said, AI also expands the attack surface. Organizations that adopt AI tools without a corresponding security strategy create new exposure. The CISO’s job is to give security teams a framework for operating in an AI era, and that starts with visibility into what is actually at risk.

Watch the full conversation from RSAC Conference 2026 and connect with Daniel DeCloss on LinkedIn to learn more about PlexTrac.
