"The majority of cyber cases that we've seen in the customer base have moved well beyond the breaking inside... to taking over control of your entire VM environment, wiping out all VMs, destroying all hypervisors, blowing up the center and leaving you in basically a dark, dead state," said Commvault Chief Technology Officer Brian Brockway.
Brian Brockway on the new normal: attacks that leave environments "dark, dead"
Brockway told The Register that attackers — now armed with frontier AI tools — are moving from file-level encryption and corruption to full takeovers of virtualised infrastructure. According to his account, incidents increasingly involve wiping virtual machines, destroying hypervisors and leaving victims unable to boot their data centers until they redeploy from bare metal. Those processes are not trivial: even in a well-exercised environment, Brockway said recovery to a stable, usable state "could be a couple of days or longer."
Frontier AI models and the flood of disclosed vulnerabilities
Commvault pointed to Palo Alto Networks research showing frontier models such as Mythos and GPT-5.5-Cyber identified more than seven times the typical number of software vulnerabilities in a single month during testing. Brockway described how these advanced models reshape the threat landscape twice over: they uncover far more vulnerabilities, and attackers exploit disclosed flaws within minutes rather than weeks. He warned that newer models go further than scanning — when allowed into controlled environments, some models will attempt exploits themselves, mirroring attacker behaviour and demanding "extremely tight security control."
Operational strain: 10,000 vulnerabilities and hard choices on priorities
Brockway said one frontier model flagged roughly 10,000 critical vulnerabilities across operating systems, browsers and other infrastructure — "that's 10,000 patches that have to come out of the system." Faced with that signal volume, security and engineering teams must make hard choices. He described the unplanned remediation load pulling staff off planned releases: "We had the plan in place, we had sprints already dedicated... and we have to come back over and reinvest more engineering time to corrective actions versus the next new get ahead feature."
At Commvault, Brockway runs a standing fast-action team dedicated to triage: "They're the fast action team to analyze, make a quick assessment," he said. But even with triage, he argued the volume and velocity of signals require more automation and AI to filter noise, assist with patching, and support deployment — or risk desensitising teams so "that's when bad things really start to occur."
Commvault guidance: air-gaps, immutable copies, and cleanroom rehearsals
Commvault's practical recommendations call teams to rethink resiliency beyond conventional backups. Brockway urged organisations to ask whether they can restore critical systems cleanly, whether recovery environments are isolated from compromised production identity, network and management planes, and whether recovery plans cover the most important applications and dependencies. He called air-gapping "the starting point" and said organisations should keep immutable and isolated copies of critical data separated from production identity, network, and management planes.
He also emphasised testing: pressure-test recovery time and recovery point objectives against realistic attack scenarios and rehearse recovery in isolated cleanroom environments. On testing he said, "I need a testing environment that's got the same makeup, the same builds... How do I put that application stack into a live environment, so we can come back over and test?" and described the clean room as "not just being a reaction to an incident, but... a quick environment for you to come back over and clone."
What this means for technologists, enterprises, and engineers
- Technologists and security teams: Expect to prioritise containment and rebuild plans that separate recovery infrastructure from compromised planes, and to expand playbooks to include AI-era dependencies such as model repositories, vector databases, data pipelines and agentic workflows.
- Affected enterprises and procurement leaders: Prepare to prioritise systems that are impossible to operate without — identity platforms, billing systems, operational databases and cloud services — and to pressure-test RTO/RPO with rehearsals rather than theoretical plans.
- Engineers and operations teams: Anticipate sustained unplanned remediation work and possible reassignment to fast-action triage teams; consider investing in automation and defensive AI to filter high-volume signals and support rapid patching and deployment.
Commvault's account is stark: frontier AI tools widen the vulnerability surface, accelerate exploitation timelines, and amplify operational strain. The remedy Brockway proposes is not merely faster patching but structural changes — isolated, immutable recovery copies, rehearsed cleanrooms and automation to sort signal from noise. The central practical question he leaves on the table is operational: can organisations scale recovery and testing fast enough to keep pace when disclosures turn to exploits within minutes?
