Earlier this month, Broadcom published findings from our frontier model research initiative examining what frontier AI models can do when applied to vulnerability discovery and exploitation. The conclusions were sobering: AI can compress the window between disclosure and active exploit from weeks to hours, at a scale and persistence no human red team can match. This is not a distant risk. It is the environment your security and platform teams are operating in today. I am sharing best practices, along with specific product recommendations based on our experiences within the Tanzu Division of Broadcom.
Go to the source: Lean on your vendors
Here is the part of this story that does not always make the headlines: frontier AI is not only a tool for attackers. The same capabilities that allow a bad actor to find and chain vulnerabilities at machine speed are available to the engineers building the software your organization depends on. I urge you to know who built the software your organization depends on, ensure you have a direct relationship with them, and keep that line of communication open
Take our patches and updates, do not defer them.
At Broadcom, our engineers leverage AI models to actively identify potential exploits across our open source and commercial portfolio. When a vulnerability surfaces, we quickly find, assess, and push a fix. From a Tanzu perspective, we make sure that patch updates to our solution, Tanzu Platform and Tanzu Data Intelligence, can be applied easily and when possible without downtime.
Do not let older releases become a liability.
Not every organization can move to the latest release on the day we ship it. As primary steward for Spring and as an active contributor to Cloud Foundry, Greenplum, GemFire and RabbitMQ, we are extending commercial support for releases that have passed their standard end-of-support date. Spring deserves particular emphasis: it is the foundational framework for an enormous share of enterprise Java applications worldwide, and keeping it secured is not optional. Extended commercial support means you receive security patches for the versions you are running today while you plan a migration, rather than choosing between a rushed upgrade and an exposed runtime.
Insist on enterprise-validated open source.
Community releases are not built for enterprise accountability. They lack the compatibility testing, security hardening, and production validation commitments that enterprises require. Through Bitnami Secure Images, Broadcom continuously packages and validates the latest releases of hundreds of open source components. When your developers reach for a database, a message broker, or a runtime, they should be reaching for something built to that standard.
Where Broadcom is the upstream steward, we fix at the source. Where we package and distribute, we validate and keep current. Either way, your organization should not be waiting on an intermediary when a vulnerability needs to close.
Equip yourself for continuous patching: Make it part of the architecture
The rising volume of patches from vendors and open-source providers requires remediation for both packaged and custom applications. However, most enterprise environments are “snowflakes”, unique and non-standardized, making it difficult to prioritize updates. Patching entire environments, from the OS to the application stack, is a daunting task, especially when aiming for continuous availability.
Standardize the stack, own the patch path.
Broadcom, with Tanzu Platform can help with continuous patching by structurally enforcing security and eliminating the need for manual, application-by-application remediation, which is necessary to respond to the shrinking time between vulnerability disclosure and active exploit.
Tanzu Platform separates application code from the underlying runtime components; the OS, the filesystem stack, and the dependent packages, to enable independent, fleet-wide updates for every layer.
Hardened OS Stemcells are virtual machine images that provide the underlying operating system for the infrastructure. A single stemcell update remediates every virtual machine in the fleet. For example, one stemcell update addresses a vulnerability like the “Copy Fail” Linux kernel exploit, remediating the entire fleet with zero downtime. Rather than taking infrastructure offline to patch it, Tanzu Platform replaces virtual machines one at a time. It drains each instance of live traffic, replaces it with a freshly patched version, verifies it is healthy, and returns it to service before beginning the update on the next instance. Users experience no interruption. Application teams receive no pages. Security debt closes without a fire drill.
Hardened Filesystem stacks are OS base layers for running application containers, located beneath the application code. Because stacks are consistent, applying an OS-level patch once automatically triggers a container rebuild, ensuring all applications get the latest version at the next startup.
Precurated Buildpacks automate the conversion of source code into runnable artifacts, detecting and adding the correct language runtimes and dependencies (like Java, Node.js, or Python). All applications draw from the same centrally maintained and regularly updated repository of packages. Changes to these packages or security updates automatically trigger a container rebuild, which the platform then deploys. Automated container deployments enable healthy containers to always run to support the application, resulting in continuous application availability.
Scale out continuous updates across the organization
This model yields striking results. Some of our customers execute over 100,000 platform-driven updates monthly across their application fleets, with at least one planning to scale to 250,000 updates a month. These are not scheduled batch maintenance windows; they are continuous, automated, and invisible to end users. This represents a fundamentally different relationship with software currency than most enterprises have ever had.
When an organization achieves this cadence, the threat calculus changes entirely. A newly disclosed CVE fix is no longer a crisis that triggers a war room, but a patch that enters the pipeline and closes within the existing operational rhythm. This is what continuous security looks like, and it is the standard we believe every enterprise should adopt
Build multiple layers of defense
Rapid patching is necessary, but not enough. Our frontier model research shows that AI-assisted attackers chain vulnerabilities together to escalate privileges. While faster patching is important, preventing lateral movement is critical.
You need perimeter security, but strengthening your application runtime defense is equally vital. Tanzu Platform provides structural runtime security controls that operate below the application layer, making them invisible to application teams and resistant to misconfiguration.
Deny-by-default network and resource isolation.
Tanzu Platform inverts the typical cloud-native model where applications communicate freely. Every workload starts with zero network connectivity and with a bounded set of compute and memory resources. Communication paths to other applications, services, AI models, or external endpoints must be explicitly declared and approved. This means an attacker has no lateral path to follow unless explicitly authorized by the platform.
Structural secrets isolation.
Since credential theft is a primary attacker objective, and AI excels at searching file systems for sensitive data, Tanzu Platform removes this attack vector. Applications never hold credentials directly. The platform injects them into the runtime at binding time, without exposing them to the code or automated agents. Because secrets are never stored in clear text or distributed manually, there is nothing for an attacker to find.
This fundamental shift from manual security administration to architectural enforcement is essential for building the resilient defense posture required for the current threat environment.
How we can help you get there
The capabilities I have described are running in production today across some of the world’s largest enterprises. Getting there from where most organizations are today does not require a leap. It requires a sequence. Here is where we suggest starting.
Secure support coverage for your open source software.
If your organization is running one of the Broadcom-supported technologies like Spring, RabbitMQ, Cloud Foundry, Greenplum, or GemFire, we can provide, through commercial support, patches and updates not only on your current versions but also on older, non-community supported versions of the software. This will provide you a vendor to call when a critical CVE drops, access to patches for community end-of-life versions, and the confidence that your applications are actively maintained at the source.
Assess your custom application portfolio.
Most large enterprises lack a complete picture of where their exposure is concentrated. You can engage Broadcom’s Tanzu team to assess your custom applications, build a picture of concentrated risk and out-of-date dependencies, and outline a prioritized modernization roadmap.
Prioritize Tanzu Platform onboarding on VCF.
For organizations using VMware Cloud Foundation (VCF), onboarding Tanzu Platform is quick and offers immediate benefits. It deploys natively, allowing you to quickly and incrementally onboard legacy applications to immediately gain continuous patching, zero-downtime updates, and structural security controls like deny-by-default networking and secrets isolation.
The threat environment has changed. The tools to respond to it exist today. I would welcome the conversation.
