What every CEO asks their CISO before vacation. Because while you’re gone, Mythos, Kimi or others will land.

What every CEO asks their CISO before vacation, ON2IT
For the CEO · Before vacation · June 2026


Anthropic’s next frontier AI model is rolling out this summer – and if not Mythos, you can expect Kimi, DeepSeek, or others to follow. What if it is in attackers’ hands in August? The CSA / SANS Mythos-Ready Security Program was developed with contributions from leading cybersecurity experts including Jen Easterly, Bruce Schneier, Heather Adkins, Rob Joyce, Phil Venables, and others, and reviewed by hundreds of CISOs and security leaders. They call it the most significant offensive AI capability shift the industry has seen. Your security team will face it at the height of vacation season.

The window is real. NIS2 first compliance audit deadline: 30 June 2026. BSI is in active enforcement. Article 20 imposes personal liability on management bodies, extending to US companies with EU subsidiaries or operations in the Union. Regulators on both sides of the Atlantic are watching. A material breach triggers disclosure obligations, notice requirements, and the legal clock, all at once. The summer window closes faster than the regulator’s patience.

Before you sign off on vacation, ask your CISO these five questions. Make them answer with evidence, not assumption. If they can answer all five succinctly and with live evidence, you’re in good shape. If they can’t, that’s the signal to get help, before the news cycle does it for you.

1
Show me what’s exposed to the internet this week. Not last quarter. This week. The next generation of frontier AI finds what you don’t know exists. An aged inventory is worse than no inventory.
2
When the next frontier AI drops – Kimi, DeepSeek, or others – how many hours until we’re patched? Tell me a number, not a process. Time-to-exploit is now hours. If your patch SLA is in weeks, you’ve already lost. See the Zero Day Clock.
3
If we get breached tonight, who knows first: us, our customers, or the press? Regulatory notice windows are tight and unforgiving. You can’t meet them if you don’t detect the incident first.
4
Who has the keys to our crown jewels? Walk me through the list. If your CISO can’t list privileged identities by name in three minutes, neither can the auditor.
5
Prove to me the blast radius is bounded. With evidence, not assumption. “We have Zero Trust” is not evidence. A live posture screen is. Page 6 explains what that looks like.

The rest of this briefing tells you what good answers look like, what stopping the spread actually means as a managed strategy, and how one week on-site (SHERPA) tells you concretely where you stand, without committing you to anything beyond the conversation. The signed acknowledgment is on page 8.

For the CFO & General Counsel · One-page brief

You’ve already bought the tools. You haven’t bought the strategy.

US enterprises have spent the last decade investing in network, endpoint, identity, and cloud security. The tools work as advertised. What’s missing is the corporate strategy that ties them to business risk and the operational discipline to prove, on demand, that the strategy is holding when the SEC, the NIS2 competent authority, the board, or a customer asks. That’s what we manage. On the controls you already own. So a breach stays a breach, and never becomes a board-level event.

Question 1
Are you extracting the strategy you already paid for from the security stack you already own?
Question 2
When the board, your auditor, the SEC, or a NIS2 competent authority asks “are you in control right now?”, can you answer with live evidence, not a slide?
Question 3
If a breach lands tomorrow, will you be prepared, or will you be scrambling lawyers, consultants, and insurers to get ahead of a news cycle, preparing regulatory filings, required notices, and calculating how much company value you just lost?
The bottom line

The next breach is no longer a question of if. AI-driven adversaries collapsed the time from vulnerability to exploit from weeks to hours. A material incident now triggers a cascade: regulatory filings, required breach notifications, legal reviews, insurer calls, and a news cycle you’re not controlling. NIS2 Article 20 puts personal liability on management bodies of in-scope EU entities, and on US parents providing services through EU subsidiaries. Buying more tools won’t close the gap. Strategy and operational discipline will, applied to the tools you already own.

ON2IT manages your existing security investments to a single corporate Zero Trust strategy. No rip-and-replace. No second SASE. We turn the stack you already paid for into measurable resilience, provable live, on demand, in AUXO™. The result: a contained incident instead of a material event. Operational risk instead of disclosure risk.

The briefing that follows describes how it works, what the four numbers that actually move risk look like, and how one week on-site (SHERPA) tells you concretely where you stand, without a long-term contract.


You can’t stop the breach.
You can stop the spread.

AI just made the next breach inevitable. Zero Trust, operationalized as a managed service: the difference between a contained incident and a board-level event.
ON2IT · Zero Trust Innovators · May 2026 · For US C-Suite & Boards

The five questions above are the conversation. The pages that follow are what good answers look like. You’ve already paid for the tools. You’ve already hired the talent. You’ve already passed last year’s audit. None of that stops what’s coming. AI-driven adversaries have compressed time-to-exploit from weeks to hours, as the CSA / SANS Mythos-Ready Security Program (April 2026) documents in detail. NIS2 is in active enforcement; regulatory frameworks on both sides of the Atlantic now impose personal liability on the executive who didn’t ask hard enough questions. The next breach is no longer a question of if. The only question you actually control is how far it spreads. This briefing describes what stopping the spread looks like as a strategy, how it’s operationalized as a managed service on the controls you already own, and how the first stretch of runway is one week on-site.

What stopping the spread actually looks like

Stopping the spread isn’t a product. It’s a strategy with three layers, embedded as a culture, operationalized through the controls you already own. The layers go in this order; each one is the foundation for the next.

Strategy
Kindervag’s five-step methodology, written in the US, by a Forrester analyst, in 2010. Define protect surfaces, map transaction flows, build Kipling-method policy (“who, what, when, where, why, how”), microsegment, monitor continuously. Vendor-agnostic by design. This is what Zero Trust means, and what most US enterprises still don’t operationalize, despite having bought the tools.
Culture
The organizational discipline that keeps the strategy from drifting back into product configuration. SHERPA Onboarding Week installs it on-site. AUXO™ governs it across six management layers: Strategy, Policy, Architecture, Engineering, Operations, Assurance. Continuous engagement keeps it operational, not aspirational. This is what makes Zero Trust stick.
Operationalization
Your existing US security investments, managed to one Zero Trust policy. MDR Prevent runs your network, endpoint, identity, and SASE controls to a single strategy, continuously hardened, continuously evidenced. No rip-and-replace. No second SASE. The vendors you already chose, doing the job you bought them for. This is what makes Zero Trust real.

11 Mythos-Ready actions. 8 delivered today. 3 honest answers.

In April 2026, the CSA / SANS Mythos-Ready Security Program, developed with contributions from Easterly, Schneier, Adkins, Joyce, Reavis, Venables, and others, reviewed by hundreds of CISOs and security leaders, published 11 priority actions for surviving AI-accelerated vulnerability discovery. The table below maps each one to how it’s delivered as part of MDR Prevent today. Eight directly. Two with your engineering team. One through our partner ecosystem. Every claim is defensible, every cell is honest about who owns what.

# | Priority Action | Sev. | ON2IT Delivery | How
PA1 | Point Agents at code & pipelines | CRIT | Partial | LLM-driven code review via AUXO™ + partner ecosystem; full VulnOps is the roadmap (see PA11).
PA2 | Require AI agent adoption | CRIT | Advise | SHERPA Week sets the customer’s adoption policy and security guardrails for coding agents.
PA3 | Defend your agents | CRIT | Delivers | Agents become a Protect Surface in ZT Step 1; Kipling policy in ZT Step 4 bounds tools, blast-radius, and escalation.
PA4 | Innovation & acceleration governance | CRIT | Delivers | SHERPA Week convenes security, legal, and engineering on-site with an ON2IT CISO + Enterprise Consultant.
PA5 | Prepare for continuous patching | CRIT | Delivers | 24×7 Global SOC triages disclosure waves; AUXO™ orchestrates change without breaking ZT policy.
PA6 | Update risk models & reporting | CRIT | Delivers | SHERPA Week reframes board metrics around containment + recovery; Global SOC produces the evidence stream.
PA7 | Inventory & reduce attack surface | HIGH | Delivers | ZT Step 1 (DAAS / Protect Surface) and Step 2 (Transaction Flows); the methodology was built for this.
PA8 | Harden your environment | HIGH | Delivers | MDR Prevent Configuration pillar + ZT Steps 3–4: segmentation, egress filtering, phishing-resistant MFA, Kipling policy.
PA9 | Build a deception capability | HIGH | Delivers | Behavioral monitoring + IOC enrichment in Global SOC; native canary / honey-token tooling not yet productized.
PA10 | Build an automated response capability | HIGH | Delivers | MDR Prevent Expert IR pillar + AUXO™ SOAR + pre-authorized Global SOC playbooks. Customer reference: <2 hrs MTTC.
PA11 | Stand up VulnOps | CRIT | Partner | Continuous AI-driven vulnerability discovery delivered through the ON2IT partner ecosystem; integrated into the customer’s MDR Prevent posture.

MDR Prevent, three pillars do the heavy lift

The Mythos-Ready briefing repeats one message: harden, contain, respond at machine speed. That is exactly how MDR Prevent is built. The three pillars below sit inside AUXO™’s six management layers: Strategy, Policy, Architecture, Engineering, Operations, Assurance, so the same Zero Trust language is spoken in the boardroom, the change ticket, and the Global SOC.

Configuration

Hardening the platform: segmentation, egress filtering, phishing-resistant MFA, secrets rotation, dependency lockdown, software minimization.

→ PA7 · PA8

Zero Trust Policy

The Kipling Method applied to every Protect Surface, including AI agents as a new asset class. Bounds blast-radius before exploitation, not after.

→ PA3 · PA8

Expert Incident Response

24×7 Global SOC, Netherlands-sovereign, AUXO™-orchestrated. Pre-authorized containment playbooks execute at machine speed; humans handle the calls humans must own.

→ PA5 · PA9 · PA10

Zero Trust 5 steps, the operating sequence

Kindervag’s five-step methodology is not a marketing framing. Each step satisfies specific priority actions; the sequence is what makes the program executable rather than aspirational.

  1. Step 1: Define the Protect Surface (DAAS)
    Identify the data, assets, applications, and services that matter most, including coding agents and other AI systems as a new asset class.
    satisfies PA7 · feeds PA3
  2. Step 2: Map transaction flows
    Trace how the Protect Surface actually talks to the rest of the environment. Without this, segmentation is a guess.
    supports PA7 · enables PA8
  3. Step 3: Architect the Zero Trust environment
    Place enforcement points where flows demand them. This is where deep segmentation and egress filtering land, both named explicitly in the Mythos-Ready briefing.
    satisfies PA8
  4. Step 4: Create Zero Trust policy (Kipling Method)
    Who, what, when, where, why, how, for every flow, including agent-to-tool and agent-to-data calls. This is how PA3 (“Defend Your Agents”) is operationalized.
    satisfies PA3 · PA8
  5. Step 5: Monitor and maintain (Global SOC)
    24×7 detection, response, patch orchestration. Pre-authorized containment turns “human-speed defense vs machine-speed offense” from a slogan into a service-level commitment.
    satisfies PA5 · PA10 · partial PA9
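How a Step 4 Kipling-method policy bounds blast radius is easier to see in code than in prose. The following is an added illustration; it is not ON2IT’s code and not AUXO™’s policy format. Every rule answers who, what, when, where, why and how for one protect surface, and any flow not explicitly allowed is denied, so a compromised identity or AI agent can only reach the protect surfaces its rules name. The protect surfaces, identities, segments and ticket references are constructed sample values.

```python
"""Kipling-method Zero Trust policy check (added example, not ON2IT's code).

Each Rule answers who / what / when / where / why / how for one protect
surface. Evaluation is default-deny: a flow is allowed only if some rule
for that protect surface matches on all six dimensions. The blast_radius()
helper reports which protect surfaces an identity can reach at all, which
is the "one compromise reaches one protect surface" property in numbers.
All identities, segments and ticket ids below are constructed.
"""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Flow:
    who: str    # identity: user, service account or AI agent
    what: str   # application, tool or data store being accessed
    when: time  # wall-clock time of the request
    where: str  # source network segment
    why: str    # business purpose or change/ticket reference
    how: str    # protocol or method


@dataclass(frozen=True)
class Rule:
    protect_surface: str
    who: frozenset
    what: frozenset
    when: tuple        # (start, end) inclusive time window
    where: frozenset
    why: frozenset
    how: frozenset

    def matches(self, flow: Flow) -> bool:
        start, end = self.when
        return (flow.who in self.who
                and flow.what in self.what
                and start <= flow.when <= end
                and flow.where in self.where
                and flow.why in self.why
                and flow.how in self.how)


class KiplingPolicy:
    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, flow: Flow, protect_surface: str):
        """Return ('allow', rule) or ('deny', None). Nothing is implicit."""
        for rule in self.rules:
            if rule.protect_surface == protect_surface and rule.matches(flow):
                return "allow", rule
        return "deny", None

    def blast_radius(self, who: str):
        """Protect surfaces an identity is named in at all, sorted."""
        return sorted({r.protect_surface for r in self.rules if who in r.who})


# Constructed sample policy: a coding agent may reach the source-code
# protect surface during working hours; only hr-admin may reach payroll.
RULES = [
    Rule("source-code", frozenset({"svc-coding-agent"}), frozenset({"git-server"}),
         (time(7, 0), time(19, 0)), frozenset({"seg-dev"}),
         frozenset({"CHG-0001"}), frozenset({"https"})),
    Rule("payroll", frozenset({"hr-admin"}), frozenset({"payroll-db"}),
         (time(8, 0), time(18, 0)), frozenset({"seg-hr"}),
         frozenset({"payroll-run"}), frozenset({"tls-sql"})),
]
POLICY = KiplingPolicy(RULES)


def make_flow(who, what, hour, where, why, how) -> Flow:
    """Convenience constructor taking the hour as an integer."""
    return Flow(who, what, time(hour, 0), where, why, how)


def check(flow: Flow, protect_surface: str) -> str:
    """Decision string for one flow against one protect surface."""
    return POLICY.evaluate(flow, protect_surface)[0]


if __name__ == "__main__":
    agent_ok = make_flow("svc-coding-agent", "git-server", 10, "seg-dev", "CHG-0001", "https")
    agent_pivot = make_flow("svc-coding-agent", "payroll-db", 10, "seg-dev", "CHG-0001", "tls-sql")
    print("agent -> git-server (business hours):", check(agent_ok, "source-code"))
    print("agent -> payroll-db (lateral move):   ", check(agent_pivot, "payroll"))
    print("blast radius of svc-coding-agent:     ", POLICY.blast_radius("svc-coding-agent"))
```

The point of the second check is the one Step 4 makes: the agent’s credentials still work, but the policy never named payroll for that identity, so a compromise of the agent stays inside the source-code protect surface. A real deployment expresses the same six questions in the enforcement points placed in Step 3 and feeds the deny decisions to the Step 5 monitoring.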

Four numbers. Not one of them is cost-of-breach.

Cost-of-breach figures describe the bill. The bill arrives after the news cycle does. What matters before that is what you actually control: whether the fire starts, how far it spreads, what you can prove while it’s happening, and how fast it stops.

You can’t stop the fire from starting. You can stop it from spreading. The four numbers below describe exactly that.

4 / 4
Structural risks closed
Asset inventory, least-privilege, lateral-movement bounding, documented response, the four conditions present in >20 breach simulations at Antwerp Management School, all addressed in MDR Prevent.
1 : 1
Blast radius bounded
One compromise reaches one protect surface. Architectural guarantee, not a probability. The spread stops at the segmentation boundary.
LIVE
Posture in AUXO™
Per protect surface, with traffic flows, policy drift, MTTD / MTTR. On demand. The evidence your auditor and your board are asking for.
<2h
Mean time to contain
Post-onboarding steady-state, with pre-authorized Global SOC playbooks. When prevention is bypassed, response is bounded.

See AUXO™ live. Thirty minutes.

Your board is asking. Your auditor is asking. Regulators are asking. NIS2 competent authorities are asking. They all want the same answer: are you in control of your security posture right now?

Most organizations answer with a policy document, a slide, or last quarter’s audit. Documents describe intent. They don’t describe state. AUXO™ does. Every protect surface visible in real time, with traffic flows, policy drift, MTTD and MTTR. Thirty minutes. We’ll walk one of your protect surfaces with you. You’ll see what live posture looks like.

Request a 30-min AUXO™ demo

“The next breach isn’t a question of if. It’s a question of how far it spreads, and whether the answer fits in a paragraph, or in a regulatory filing.” — ON2IT, May 2026
The First Stretch of Runway

Everybody needs a sherpa to climb Mount Everest

One week. On-site. You’ll know exactly where you stand, and you’ll already be moving.

SHERPA Onboarding Week is how we start. An ON2IT CISO and Enterprise Consultant come to you for five working days. We walk your stack, map your protect surfaces, find your exposures, and stand up a live AUXO™ view of your environment before the week is out. You don’t leave with a report. You leave with a strategy, an exposure list, and momentum, exactly what your CEO needs to sign Question 5 with a Yes.

The summer window matters. Mythos Frontier AI preview is rolling out this season. NIS2 first audit deadline is 30 June. Senior consulting capacity is limited each quarter. Earlier requests get earlier slots.

From → To
From not knowing where you stand, to knowing, and from standing still, to moving
With you, all week
ON2IT CISO + Enterprise Consultant, on-site, five working days
You walk away with
Documented Zero Trust strategy, exposure list, live AUXO™ posture view
Capacity, by design
Senior consulting time is finite. A limited number of SHERPA engagements run each quarter.
Ask about the next SHERPA slot or contact us@on2it.net · US phone & address: [insert before publication]
References: “The AI Vulnerability Storm” (CSA / SANS / OWASP, April 2026); Antwerp Management School breach simulation research (Bobbert & Timmermans); NIS2 (EU Directive 2022/2555)
US Edition · May 2026 · ON2IT · Zero Trust Innovators · on2it.net
Pre-Vacation CEO Checklist · Summer 2026

The five questions. Can your CISO answer every one?

Before you leave for vacation, walk through these five questions with your CISO. Each one has a short answer if the work has been done. If the answers take longer than a few minutes, or rely on policy documents instead of live evidence, that gap is worth closing before you go. Demonstrating strategic compliance isn’t just good governance, it’s the clearest way to show you’re in control.

1
Show me what’s exposed to the internet this week. Not last quarter. This week.
CISO answer (current state, with evidence)
Gap, if any
Closed by (date)
2
When the next frontier AI drops, how many hours until we’re patched? Tell me a number, not a process.
CISO answer (target hours, evidence-backed)
Gap, if any
Closed by (date)
3
If we get breached tonight, who knows first: us, our customers, or the press?
CISO answer (detection capability, MTTD, escalation path)
Gap, if any
Closed by (date)
4
Who has the keys to our crown jewels? Walk me through the list.
CISO answer (privileged-identity inventory, review cadence)
Gap, if any
Closed by (date)
5
Prove to me the blast radius is bounded. With evidence, not assumption.
CISO answer (segmentation evidence, live posture, AUXO™ or equivalent)
Gap, if any
Closed by (date)
If the answers aren’t there yet

That’s exactly what SHERPA Onboarding Week is for. One week on-site, an ON2IT CISO and Enterprise Consultant, and a live AUXO™ posture view of your environment before the week is out. You leave knowing where you stand, and already moving. Senior consulting capacity is limited each quarter. Earlier requests get earlier slots.

Ask about the next SHERPA slot

Prepared by ON2IT B.V. with reference to the CSA / SANS Mythos-Ready Security Program (April 2026). Distribution permitted with attribution. © ON2IT 2026.