Frontier AI is now finding and weaponizing vulnerabilities in internet-reachable infrastructure faster than vendors can disclose them, and VPN sits squarely in its path. More than half of organizations report a VPN-related security incident in the past twelve months, and 61% have encountered AI-enabled attacks. Only 6% can deploy a critical VPN patch within 24 hours, and in nearly one-third of environments a single stolen credential opens the entire network. The security control built to keep adversaries out has become the channel that lets them in. Zscaler’s Deepen Desai, EVP and Chief Security Officer, explains why the problem is built into the architecture and that patching alone cannot save it.
For decades, VPN was the sensible answer to a simple question: how do you grant employees, branch offices, and partners secure remote access to internal systems without exposing those systems directly to the open internet?
Deepen Desai, who leads threat research at Zscaler and serves as EVP and Chief Security Officer, argued in a recent interview that the question itself is no longer the problem. The architecture VPN uses to answer it is.
He put the architectural problem in one sentence. “VPN is a technology built a couple of decades ago to provide remote access to applications, but it brings the user and the attacker onto the same network as the application,” he said.
The consequence shows up the moment an identity is compromised. “Once the threat actor or the AI agent has compromised an identity, they use the same channel that was put in place to bring legitimate users to those applications,” Desai said. “We don’t see VPN as a security control. It’s actually serving the opposite role, making it easier for threat actors leveraging AI to get in and move laterally.”
That contradiction sits at the heart of the new Zscaler ThreatLabz 2026 VPN Risk Report. The very security control built to keep adversaries out has become the channel that lets them in. Cybersecurity Insiders surveyed 822 IT and security professionals who run network access at their organizations, and paired the findings with threat research from ThreatLabz, the security research arm of Zscaler’s Zero Trust Exchange platform. Only 6% of organizations surveyed can deploy a critical VPN patch within 24 hours. 54% need a week or more. By the time a change advisory board has its first conversation about a fresh CVE, exploitation is already happening. AI is making the timeline worse on both ends.
Fighting AI With Blindfolds On
Attackers are using AI to do in minutes what used to take days. Desai’s team is watching it happen at the access layer.
“We’re absolutely seeing an uptick in AI-driven attacks,” he said. “It’s more around phishing, vishing, and that initial access stage where they’re trying to get into the environment. There’s also an uptick in how they’re crafting evasive malware payloads designed to evade traditional security controls.”
Anthropic’s Mythos model, made available to defenders through Project Glasswing in April 2026, surfaced thousands of previously unknown vulnerabilities across every major operating system and browser in pre-release testing, at a level Anthropic describes as surpassing all but the most elite human researchers. The implication for any internet-reachable VPN is direct: a frontier model can find a vulnerability the vendor doesn’t know exists, weaponize it autonomously, and exploit it before any patch could be written.
AI is not just changing what attackers do; it is making them do it faster. They still need initial access, lateral movement, and time inside the environment to reach what they came for, but every one of those steps now happens in minutes instead of hours, and at a scale no human-led defense team can match.
The VPN survey shows the same picture from inside the enterprise. Only 11% of organizations can restrict a compromised session to a single application. In nearly one-third of environments, a single stolen credential opens the entire network. Once a VPN credential authenticates, the user has the same lateral reach as everyone else on that network, with nothing between them and the applications if they turn out to be an attacker. Only 5% of organizations trust their VPN to detect and stop AI-enabled attacks. The other 95% are running an architecture built for a slower threat than the one in front of them.
The blind spots are not limited to access. 60% of organizations inspect a quarter or less of their encrypted VPN traffic for threats, and 52% describe their VPN as a transport layer with limited or no inspection capability. Defenders cannot detect what they cannot see, and the architecture they bought was never built to look inside the sessions it carries. None of these failures can be patched out.
The Patch Race Is Over
Patching VPN appliances still matters. It just cannot move fast enough to be effective against active exploitation. Yet most organizations are still investing in faster patching as if speed alone could close the gap.
“Organizations are still relying on the old 30, 60, 90 day patching cycles, but VPN is critical infrastructure,” Desai said. “You can’t just patch it in the middle of the day when there may be hundreds or thousands of users on it. I understand why organizations take time to patch those VPNs.”
Desai pressed the point further. “Patching is important, but the speed at which you’re able to patch is not enough in this day and age. You can no longer have an externally exposed VPN, because that’s a target waiting to be exploited.”
The survey backs him up. 54% of organizations need a week or more to deploy a critical VPN patch. ThreatLabz analyzed 411 VPN CVEs over five years and found annual volume up 82.5%, with 60% of last year’s vulnerabilities rated high or critical.
The arithmetic is what defenders cannot get past. Adversary tooling now weaponizes a fresh VPN CVE in days, sometimes in hours. Defender patching cycles are measured in days at best and more often in weeks. 79% of survey respondents identified attackers weaponizing vulnerabilities faster than patches can be deployed as their single greatest AI-driven risk. 61% said they had already encountered confirmed or suspected AI-enabled attacks in the past twelve months. That gap cannot be closed by patching faster.
VPN was built for connectivity, not containment. Faster patching, better monitoring, tighter policies: they all help, but none of them change what the appliance was actually built to do. A perfectly patched VPN concentrator is still an externally reachable box that, the moment a credential works, puts the user on the same network as the application. ThreatLabz has observed ransomware operators going from a stolen VPN login to a fully encrypted environment in under four hours. The credentials had been harvested months earlier through a memory-disclosure CVE in the appliance itself. The organizations had applied the patch but had not rotated the credentials it exposed. A memory-disclosure fix stops further reads; it does nothing about what was already copied out of memory, so the remediation is the patch plus rotation of every password, session token, and key the appliance held during the exposure window. The patch was available. The patched organizations were still breached.
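The "patched but still breached" case above comes down to one question: which secrets existed while the vulnerable build faced the internet and have not been replaced since? The following is an added illustration of that check, not code from Zscaler, ThreatLabz or any appliance vendor. It assumes an unauthenticated memory-disclosure bug (anything in appliance memory during the exposure window is treated as stolen), and all accounts, sessions, keys and timestamps are constructed for the example.

```python
"""Which secrets must be rotated after patching a memory-disclosure CVE on a VPN appliance.

Added illustration, not code from Zscaler, ThreatLabz or any appliance vendor.
Assumed model: an unauthenticated memory-disclosure bug let an attacker read
whatever the appliance held in memory while the vulnerable build faced the
internet, so every secret that was valid in that window is treated as stolen.
Patching stops further reads; only rotation or revocation invalidates what was
already read. The accounts, sessions, keys and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Secret:
    name: str                            # account name, session id, or key name
    kind: str                            # "password" | "session" | "tls_key"
    created: datetime                    # issued or last rotated
    expires: Optional[datetime] = None   # None: does not expire on its own


def post_patch_actions(secrets, exposure_start, patched_at, now):
    """Return {name: action} for every secret after a patch applied at `patched_at`.

    exposure_start is when the vulnerable build first became internet-reachable.
    If you only know the advisory date, use the build's deploy date instead:
    assuming a narrower window than the real one is how the "patched but still
    breached" case happens.
    """
    if exposure_start is None or exposure_start > patched_at:
        raise ValueError("exposure_start must be the earliest vulnerable date, before patched_at")
    actions = {}
    for s in secrets:
        if s.created >= patched_at:
            actions[s.name] = "ok: issued after patch"            # never in leaked memory
        elif s.expires is not None and s.expires <= exposure_start:
            actions[s.name] = "ok: expired before exposure window"
        elif s.expires is not None and s.expires <= now:
            actions[s.name] = "ok: already expired"               # readable then, unusable now
        elif s.kind == "password":
            actions[s.name] = "rotate: password valid during exposure window"
        elif s.kind == "session":
            actions[s.name] = "revoke: session issued before patch and still valid"
        elif s.kind == "tls_key":
            actions[s.name] = "reissue: appliance private key was in memory during window"
        else:
            actions[s.name] = f"review: unknown secret kind {s.kind!r}"
    return actions


def still_exposed(actions):
    """Names whose action is not 'ok', i.e. the residual risk left after the patch."""
    return sorted(n for n, a in actions.items() if not a.startswith("ok"))


# Constructed timeline and inventory.
EXPOSURE_START = datetime(2025, 11, 1, tzinfo=UTC)       # vulnerable build went live
PATCHED_AT = datetime(2026, 1, 15, 12, 0, tzinfo=UTC)    # patch applied
NOW = datetime(2026, 1, 20, tzinfo=UTC)

SAMPLE = [
    Secret("svc-backup", "password", datetime(2025, 6, 1, tzinfo=UTC)),
    Secret("alice", "password", datetime(2026, 1, 16, tzinfo=UTC)),   # rotated after the patch
    Secret("sess-7f3a", "session", datetime(2026, 1, 14, tzinfo=UTC), datetime(2026, 1, 21, tzinfo=UTC)),
    Secret("sess-0b11", "session", datetime(2025, 10, 20, tzinfo=UTC), datetime(2025, 10, 27, tzinfo=UTC)),
    Secret("vpn-tls", "tls_key", datetime(2024, 3, 1, tzinfo=UTC), datetime(2027, 3, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    acts = post_patch_actions(SAMPLE, EXPOSURE_START, PATCHED_AT, NOW)
    for name, action in acts.items():
        print(f"{name:12} {action}")
    print("still exposed after patch:", still_exposed(acts))
```

The service account and the appliance's own TLS key are the two items teams most often miss: neither has a user to complain when it is rotated, and both were in memory for the whole window.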
In February 2026, CISA issued Binding Operational Directive 26-02, giving federal civilian agencies 18 months to inventory and replace end-of-support firewalls, routers, VPN gateways, and network security appliances. When the federal government starts pulling categories of edge boxes off the network, the “patch faster” debate is practically over.
The Contractor You Forgot About Is Still Logged In
Patching is the first of VPN’s structural failures. The next is identity. The contractors, vendors, and partners an enterprise grants VPN access to typically hold credentials with broad network reach into the environment, and most of those credentials outlive the work they were issued for.
“This is the classic supply chain risk,” Desai said. “You should not be using VPN for this. But if you still are, then this is another big attack vector that threat actors will leverage to get inside your environment. They target one or several of the vendors leveraging VPN to perform whatever contract activity you’ve hired them for, then use that same channel to perform malicious activity through the compromised contractor accounts.”
His prescription was equally direct. “Instead, organizations should use zero trust browser-based access — read-only, just-in-time, fully recorded and auditable, provisioned only when the task is required.”
The survey shows why this advice is important: 41% of organizations still route vendor and contractor connections through VPN, typically handing them the same network reach as employees. 57% never audit the application access those credentials unlock. Dormant contractor accounts are some of the most valuable inventory on access broker forums: provisioned for short projects, never disabled, still authenticating months later from hosting providers in countries the contractor has never visited. The enterprise has no idea this is happening, and the contractors are not the only blind spot.
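The dormant-contractor pattern above is detectable with data most enterprises already have: a registry of who the contractor is, when the contract ended and where they work from, plus the VPN's own authentication log. The following is an added example of that detection, not code from Zscaler, ThreatLabz or any VPN vendor. The registry, the hosting-provider ASN list, the log format and every log line are constructed for the example; the field names (`user=`, `country=`, `asn=`, `org=`) are assumptions about what your enrichment pipeline emits.

```python
"""Detection over VPN authentication logs for third-party accounts.

Added illustration, not code from Zscaler, ThreatLabz or any VPN vendor.
Assumed inputs: a contractor registry (vendor, contract end, expected
countries), a set of hosting-provider ASNs from your own enrichment data, and
one key=value log line per authentication. Registry, ASN list and log lines are
constructed for the example; the field names are assumptions.
"""
import re
from datetime import date, datetime

CONTRACTORS = {
    "ext.jsmith": {"vendor": "Acme Integrators", "contract_end": date(2025, 11, 30), "countries": {"US"}},
    "ext.mrossi": {"vendor": "Rossi Consulting", "contract_end": date(2026, 6, 30), "countries": {"IT", "CH"}},
}
HOSTING_ASNS = {"AS64500", "AS64501"}   # constructed; a real list comes from your enrichment feed

SAMPLE_LOG = """\
2026-03-02T03:14:07Z auth=ok user=ext.jsmith src=203.0.113.45 country=NL asn=AS64500 org="Example Hosting BV"
2026-03-02T09:02:51Z auth=ok user=ext.mrossi src=198.51.100.7 country=IT asn=AS64496 org="Example ISP"
2026-03-02T22:47:13Z auth=ok user=ext.mrossi src=192.0.2.88 country=BR asn=AS64501 org="Example Cloud"
2026-03-03T01:10:00Z auth=fail user=ext.jsmith src=203.0.113.45 country=NL asn=AS64500 org="Example Hosting BV"
2026-03-03T08:00:00Z auth=ok user=ext.unknown src=198.51.100.99 country=US asn=AS64496 org="Example ISP"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Timestamp first, then key=value pairs; quoted values may contain spaces."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def assess(event, registry=CONTRACTORS, hosting_asns=HOSTING_ASNS):
    """Return the reasons a successful third-party login is suspicious (empty = clean)."""
    if event.get("auth") != "ok":
        return []                       # failures matter too, but lateral reach starts with a success
    user = event["user"]
    if not user.startswith("ext."):
        return []                       # employee accounts are covered by other rules
    rec = registry.get(user)
    if rec is None:
        return ["third-party account not in contractor registry"]
    reasons = []
    if event["ts"].date() > rec["contract_end"]:
        reasons.append(f"contract with {rec['vendor']} ended {rec['contract_end']}, account still authenticating")
    if event["country"] not in rec["countries"]:
        reasons.append(f"source country {event['country']} not in expected {sorted(rec['countries'])}")
    if event["asn"] in hosting_asns:
        reasons.append(f"source ASN {event['asn']} ({event['org']}) is a hosting provider")
    return reasons


def findings(log_text):
    """One finding per suspicious successful login, with every reason that fired."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = assess(ev)
        if reasons:
            out.append({"user": ev["user"], "ts": ev["ts"].isoformat(), "src": ev["src"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f["ts"], f["user"], f["src"])
        for r in f["reasons"]:
            print("   -", r)
```

The first finding is the one the text describes: a contract that ended months ago, still authenticating, from a hosting provider in a country the contractor never worked from. The cheaper fix is upstream of detection: tie the account's expiry to the contract end date at provisioning time, so the rule has nothing to find.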
When Users Route Around the Control
The other blind spot is closer to home. The legitimate workforce, the employees the enterprise hired and provisioned correctly, has built its own set of access paths that the enterprise also cannot see.
“We’ve seen this happen in real-world attack scenarios as well, where users create a backdoor channel and bypass VPN to get to the destination they need,” he said. “You could implement controls to prevent that, but not all organizations have the technical expertise to put those in place.”
The survey shows what happens when an entire workforce reaches the same conclusion the threat actors did. 63% of organizations report users intentionally bypassing VPN controls to reach applications faster. 72% of user complaints trace back to performance: slow connections, inconsistent device behavior, frequent disconnections. The sanctioned path is the slowest path.
A control that users route around in nearly two-thirds of organizations stops being a control. The cost of running it shifts onto everyone else: latency for users, incident tickets for the help desk, and security blind spots for the people responsible for catching the next breach.
The Migration Playbook
The replacement architecture is not theoretical. Zscaler has been making this architectural argument for over a decade. The company built its Zero Trust Exchange platform on the principle that users should connect directly to applications rather than to networks, well before zero trust became the industry default. The AI moment is bringing the broader market to a position Zscaler has been operating from at scale for years. In January 2026 the company extended the platform with the Zscaler AI Security Suite to apply the same model to AI assets, access, and infrastructure, and appointed Dr. Swamy Kocherlakota as EVP of Agentic AI Security Engineering, a signal of how seriously it is treating the category.
Closing those blind spots means changing what authentication actually grants. Zero trust replaces the network-level access model with a tighter set of properties. It connects users directly to specific applications instead of putting them on a network. Authentication never grants implicit trust. Every access decision is verified continuously against identity, device posture, and behavioral context, scoped to the single application the user actually needs, and inspected inline at the session level. The credential opens one connection to one application. It never opens a path into the rest of the environment.
Each of those properties closes one of the failures VPN cannot fix on its own. There is no externally reachable concentrator listening for inbound connections, so an unpatched window is no longer an open door and the patching race loses its urgency. There are no standing network credentials to harvest, because every session is just-in-time and disappears when the task ends. There is no lateral reach from a stolen credential, because the credential never grants network access in the first place. The workforce stops routing around the control because the sanctioned path is now the fastest one. The same architecture also handles capabilities VPN was never built for: microsegmentation between workloads, identity-aware authorization for APIs and service accounts, inline data inspection on every session, and the same access logic applied to AI agents and copilots as to human users. This is the model 84% of organizations have committed to, even if many are still in the middle of adopting it.
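The two properties that do the work in the paragraphs above are that a grant names one application and never a network, and that the session is re-verified on every request rather than trusted because it logged in once. The following is an added illustration of a broker that enforces both; it is not Zscaler's or any vendor's broker code. It assumes an identity provider has already authenticated the user (received here as an `Identity`) and an endpoint agent reports posture (a `Device`); the policies, users, devices and posture fields are constructed for the example.

```python
"""Application-scoped, just-in-time access decisions, as a zero trust broker makes them.

Added illustration, not code from Zscaler or any vendor's broker. Assumes an
identity provider already authenticated the user and an endpoint agent reports
device posture. Policies, users, devices and posture fields are constructed.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    os_patch_age_days: int


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    max_patch_age_days: int
    ttl: timedelta             # just-in-time: the grant dies when the task window ends


@dataclass
class Grant:
    grant_id: str
    user: str
    app: str                   # exactly one application; no subnet, no CIDR, no "the network"
    expires: datetime
    revoked: str = ""          # non-empty once revoked; holds the reason


# Constructed policies; in practice they come from the policy store.
POLICIES = {
    "payroll": AppPolicy(frozenset({"finance"}), max_patch_age_days=14, ttl=timedelta(hours=1)),
    "wiki": AppPolicy(frozenset({"employees", "contractors"}), max_patch_age_days=30, ttl=timedelta(hours=8)),
}


def posture_failures(device, policy):
    failures = []
    if not device.managed:
        failures.append("unmanaged device")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if not device.edr_healthy:
        failures.append("EDR not healthy")
    if device.os_patch_age_days > policy.max_patch_age_days:
        failures.append(f"OS patches older than {policy.max_patch_age_days} days")
    return failures


class Broker:
    def __init__(self):
        self.grants = {}

    def request(self, ident, device, app, now):
        """Decide one user -> one app. Returns (Grant or None, reason). Default is deny."""
        policy = POLICIES.get(app)
        if policy is None:
            return None, f"unknown application {app!r}"
        if not ident.mfa_verified:
            return None, "MFA not verified"
        if not (ident.groups & policy.allowed_groups):
            return None, f"{ident.user} is not entitled to {app}"
        failures = posture_failures(device, policy)
        if failures:
            return None, "device posture: " + "; ".join(failures)
        grant = Grant(secrets.token_hex(8), ident.user, app, now + policy.ttl)
        self.grants[grant.grant_id] = grant
        return grant, "granted"

    def check(self, grant_id, device, app, now):
        """Run on every request in the session, not only at login. Returns (allowed, reason)."""
        grant = self.grants.get(grant_id)
        if grant is None:
            return False, "no such grant"
        if grant.revoked:
            return False, f"revoked: {grant.revoked}"
        if grant.app != app:
            # A stolen grant for the wiki buys nothing against payroll: there is no lateral reach to inherit.
            return False, f"grant is scoped to {grant.app!r}, not {app!r}"
        if now >= grant.expires:
            grant.revoked = "expired"
            return False, "expired"
        failures = posture_failures(device, POLICIES[grant.app])
        if failures:
            grant.revoked = "posture: " + "; ".join(failures)   # the session ends mid-task, not at next login
            return False, grant.revoked
        return True, "ok"


def scenario():
    """Walk the properties above on constructed users and devices; returns each outcome."""
    b = Broker()
    t0 = datetime(2026, 3, 2, 9, 0, tzinfo=UTC)
    alice = Identity("alice", frozenset({"employees", "finance"}), mfa_verified=True)
    bob = Identity("ext.bob", frozenset({"contractors"}), mfa_verified=True)
    healthy = Device(managed=True, disk_encrypted=True, edr_healthy=True, os_patch_age_days=3)
    edr_down = Device(managed=True, disk_encrypted=True, edr_healthy=False, os_patch_age_days=3)
    grant, why = b.request(alice, healthy, "payroll", t0)
    out = {"alice_payroll": why}
    out["contractor_payroll"] = b.request(bob, healthy, "payroll", t0)[1]
    out["same_grant_for_wiki"] = b.check(grant.grant_id, healthy, "wiki", t0)[0]
    out["in_session_ok"] = b.check(grant.grant_id, healthy, "payroll", t0 + timedelta(minutes=10))[0]
    out["edr_dies_mid_session"] = b.check(grant.grant_id, edr_down, "payroll", t0 + timedelta(minutes=20))[0]
    out["after_revocation"] = b.check(grant.grant_id, healthy, "payroll", t0 + timedelta(minutes=21))[0]
    g2, _ = b.request(alice, healthy, "payroll", t0)
    out["after_ttl"] = b.check(g2.grant_id, healthy, "payroll", t0 + timedelta(hours=2))[0]
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:22} {v}")
```

Contrast this with the VPN model in the text: there, `request` would return a network address on success and `check` would not exist, because after the tunnel is up nothing between the user and the applications asks again.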
Desai’s playbook, refined across federal and large-enterprise transformations, organizes the work around four questions: how to reduce the external surface, how to prevent initial compromise, how to eliminate lateral propagation, and how to keep data from leaking out. The four questions structure the assessment phase and sequence the work that follows.
Desai recommends: “Start by securing your users and their access to your mission-critical applications. Really prioritize eliminating any remote access VPNs that are reachable from the internet, because that is a door you’re leaving open for the threat actors.”
The most common stall point is the application inventory exercise, and Desai has seen it freeze transformations that were otherwise running well. “I’ve had many discussions where customers say, ‘I have 500 or 600 apps in my environment,’” he said. “When we run the initial phase, we discover tens of thousands of applications. But you don’t need to worry about segmenting all those apps. Start with your mission-critical apps as part of this transformation journey, and you will be in a much better security posture than you are with VPNs.”
The numbers say the strategic argument is settled. 84% of organizations are now planning, transitioning to, or have completed a zero trust architecture, up from 78% two years ago.
Hybrid environments with zero trust and VPN will persist for years in most enterprises. Virtually nobody is doing a clean cutover and replacing all VPN infrastructure at once. The work is incremental: shrink the reachable network surface, migrate the highest-risk workforce access first, leave legacy boxes only where there is no other path.
Done in that order, the blast radius gets smaller every quarter, even while VPN is still in the rack for use cases like site-to-site connectivity. And the population that needs access is no longer just human.
Securing the Next Users: AI Agents
AI agents are showing up on enterprise networks as a new kind of user: one that runs as software, acts on its own, and needs its own access to applications and data. They are arriving faster than most access models were designed to handle.
Desai organizes the defender response into three buckets. “With agents and AI there is opportunity for both sides, whether it’s attackers or defenders,” he said. “We’re already seeing attackers take advantage of it, and there is similar investment happening on the defender side as well. I’ll call out three buckets where I see myself talking to a lot of CXOs about how they are leveraging AI in this defense journey against AI-driven attacks.”
The three buckets shape the rest of his answer.
The first bucket is using AI to accelerate the zero trust transformation itself. “There’s no debate about whether you need to go down the zero trust route. That is already happening. The question is how to leverage AI to fast-track that transformation journey,” he said. “An example is using AI to come up with user-to-app segmentation policies. You’re leveraging an AI-powered platform to drive the transformation much quicker, using the data that already exists in your environment, and getting to that end state sooner rather than doing things manually or with scripts.”
The second bucket is deception, with a twist that changes how CISOs should think about it. “Unlike humans, AI agents are capable of exploring every available path to get to that destination,” Desai said. “If you have carefully integrated deception decoys or honeypots planted, the chances of flagging such an attack and taking a response action using AI put you in a much better security posture, because attacks are typically happening in minutes, not over days, when AI is involved. Having a proactive deception technology will go a long way.”
That distinction matters in practice. Human attackers pick the obvious paths and often skip the honeypots. Today’s AI agents check everywhere, which is exactly what decoys were built to catch. Deception has been a niche control for years. Suddenly it has a clear job.
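One concrete form of the deception Desai describes is a planted credential that no legitimate user was ever issued, so any attempt to use it is a high-fidelity alert, and a different decoy on each host tells you which machine the agent read it from. The following is an added illustration of that, not code from Zscaler or any deception vendor. It assumes a signing key kept off the endpoints, a saved-profile file on each host that an intruder enumerating the box would read, a VPN or broker that maps the decoy usernames to nothing so the attempt can never succeed, and auth log lines with a `user=` field; the hosts, key and log lines are constructed for the example.

```python
"""Per-host decoy credentials with attribution.

Added illustration, not Zscaler's or any deception vendor's code. Assumptions:
a detector key kept off the endpoints; one decoy credential per host, derived
from that key and planted where an intruder or agent would read it; a VPN or
broker on which these usernames can never succeed; and auth logs with a
user= field. Hosts, key and log lines are constructed.
"""
import hashlib
import hmac
import re

# Constructed key. In practice: generated once, held by the detector, never written to an endpoint.
DETECTOR_KEY = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")
HOSTS = ["ws-eng-017", "ws-fin-004", "jump-01"]   # constructed inventory


def decoy_for(host, key=DETECTOR_KEY):
    """Deterministic (username, password) decoy for one host. Deterministic so the
    detector recomputes the table from the inventory instead of storing secrets."""
    u = hmac.new(key, b"user:" + host.encode(), hashlib.sha256).hexdigest()[:10]
    p = hmac.new(key, b"pass:" + host.encode(), hashlib.sha256).hexdigest()[:24]
    return f"svc-{u}", p


def planted_config(host):
    """What gets written on the host: looks like a saved VPN profile, is only a trap."""
    user, pw = decoy_for(host)
    return f"[vpn]\nserver=vpn.corp.example\nusername={user}\npassword={pw}\n"


def decoy_table(hosts=HOSTS, key=DETECTOR_KEY):
    """username -> host, recomputed by the detector at scan time."""
    return {decoy_for(h, key)[0]: h for h in hosts}


_USER = re.compile(r"\buser=(\S+)")


def alerts(log_lines, hosts=HOSTS, key=DETECTOR_KEY):
    """Any login attempt with a decoy username is an alert: nobody was ever issued one.
    Success or failure is irrelevant; the username alone says which host was read."""
    table = decoy_table(hosts, key)
    out = []
    for line in log_lines:
        m = _USER.search(line)
        if m and m.group(1) in table:
            out.append({"read_from_host": table[m.group(1)], "decoy_user": m.group(1), "line": line})
    return out


def sample_log():
    """Constructed auth log: two real users and one attempt with the decoy planted on ws-fin-004."""
    decoy_user, _ = decoy_for("ws-fin-004")
    return [
        "2026-03-04T02:11:09Z auth=ok user=alice src=198.51.100.7",
        f"2026-03-04T02:13:44Z auth=fail user={decoy_user} src=203.0.113.45",
        "2026-03-04T02:14:02Z auth=fail user=bob src=198.51.100.8",
    ]


if __name__ == "__main__":
    print(planted_config("ws-fin-004"))
    for a in alerts(sample_log()):
        print("DECOY USED:", a["decoy_user"], "-> planted on", a["read_from_host"])
```

The property that makes this work against an agent that explores every path is that the decoy is indistinguishable from a real saved profile, while on the authentication side it is indistinguishable from nothing: the account does not exist, so the attempt fails and the failure is the signal. Rotate the detector key if the host that holds it is ever in scope of an incident, since the key alone lets someone regenerate every decoy.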
The third bucket is the agentic SOC. Defender-side AI is starting to do the inverse of what attackers use it for: triaging the volume of signals that human analysts cannot process at the pace incidents now arrive. “Agentic SOC is something that is already being adopted. There is a lot of work to be done in that area, but there is real potential to help security organizations cut through the noise and focus on things that actually matter,” Desai said. “Reducing the time to respond to incidents versus dealing with noisy alerts. That’s where AI will be leveraged by organizations.”
The list of things that need access to enterprise systems just got much longer: employees, contractors, workloads, APIs, copilots, and the AI agents acting on behalf of any of them. The rules are the same for all of them: verify continuously, assess behavioral context, authorize every action, and never trust anything just because it logged in once.
The Clock Is the Risk
Every failure VPN is producing right now comes down to time. The patching cycle is too slow. Access credentials persist too long. The workforce abandons the sanctioned path because it is too slow. AI agents arrive faster than the access model was built to handle. Time is the constant across every one of these failures, and no amount of effort inside the existing model slows it down.
The VPN infrastructure is not the problem because it is old. It is the problem because it was built to do one thing, connect users to a network, at a time when no one had to think about how to contain what happened next. Attackers have caught up to that design choice and gone past it.
The old question security teams asked was how to connect users to the network safely. The new question is how to let humans, workloads, and autonomous agents reach applications without granting unnecessary reach, unnecessary persistence, or unnecessary trust. Verifying continuously, giving people access only to what they need, inspecting every session, and assuming you have already been breached — these used to be aspirations. They are requirements now.
Organizations getting this right are doing three things in parallel, on a clock measured in quarters rather than years. They are replacing externally exposed VPN concentrators with broker-mediated access that never puts users on the network. They are eliminating standing third-party credentials in favor of just-in-time, browser-isolated sessions that exist only for the length of a task. And they are segmenting their highest-risk applications first, because the complete inventory will not be done before the next compromise arrives.
The next compromise will arrive at machine speed. The organizations that contain it are the ones that have already moved their critical applications off the reachable internet, not the ones still trying to patch their way out of an architecture built for slower attackers.
From the Zscaler ThreatLabz 2026 VPN Risk Report, based on a survey of 822 IT and cybersecurity professionals.