Change in security never arrives all at once. It moves in a sequence you can predict, and lately at a speed you cannot match. You can hear both in a pan of popcorn.
One kernel pops. A pause. Two more. Then the tempo climbs until you can no longer pick out a single pop and it becomes a roar, before tapering off almost as fast as it began. Anyone who has made popcorn knows that curve without being taught it. You do not need a chart for it. You have already heard acceleration.
The first kernels
Ten years ago, I was one of the first to pop. I deployed ZTNA before most had even heard the term Zero Trust, back when people would look at me sideways for it. The pan was barely warm, and you could count the early poppers on one hand.
Change always moves in the same ratio. Roughly twenty percent pop early. They feel the heat before the crowd and they transform. Sixty percent are the majority. They understand the need, but they wait to see the early kernels go before they commit. The last twenty percent have already decided. They are not going to move.
For most of my career I have been helping and watching this transition, on the assumption that the rest would catch up eventually. The pan was warm, not dangerous. That is no longer true.
The pan turns red hot
While the majority were still debating whether Zero Trust was real, some of us had already moved on to the next phase, Negative Trust. Deception. Do not just verify and refuse, actively mislead. Lace the environment with honeypots and lures so that anyone who touches them has, by definition, declared themselves an attacker. Turn your own estate into a place attackers are afraid to move.
Then frontier AI arrived, the Mythos class of capability now handled so carefully it is not even released to the open market, and the heat went to ten.
Here is what that heat actually means, and this is the point where the numbers stop being abstract. CrowdStrike's 2026 Global Threat Report puts the average breakout time, the gap between initial compromise and the first lateral movement, at 29 minutes. It was 48 minutes the year before, and 98 minutes back in 2021. The fastest breakout they observed was 27 seconds. In one intrusion, data was leaving the building within four minutes of the attacker getting in. AI-enabled adversary activity rose 89 percent in a single year.
And here is the part that should worry us most. Breakout time is lateral movement time. Most organisations replaced the VPN with ZTNA and decided the job was done, but a VPN replacement only protects the remote user reaching an application. It does nothing for the people and systems already inside. On-premises users, the branch, the campus, the data centre, all of it stays on a flat and trusted network, and a flat trusted network is exactly where lateral movement happens. The attacker who moves in 27 seconds is not breaking down the front door. They are walking through the ones we never closed.
Read those numbers as a popping curve and the message is hard to miss. The attacker is no longer human. An AI-driven adversary probes, pivots, chains, and exfiltrates faster than an analyst can read the title of the alert. At that speed, the human in the loop is no longer the safeguard we always believed it to be. The human in the loop is the slow component. The vulnerability is the pause for thought.
Why reflex
What do you actually do when you touch a hot stove? You do not decide anything. Your hand pulls back before your brain has even registered the pain. The signal never reaches the brain in time. It short-circuits through the spine and fires the muscle directly, and the conscious decision arrives later, once you are already safe. That is a reflex, and it exists precisely because some things are too hot to think about.
This is the architecture the moment demands. Call it Reflex Defence.
Negative Trust is the nerve ending. It senses the threat the instant a decoy fires or an agent behaves in a way it should not. Zero Trust is the muscle. It withdraws access, kills the session, and severs the path. Reflex Defence is the arc that wires the two together directly, so detection triggers response without first routing through the brain, which is your SOC. We detect at machine speed, and we close access at machine speed. No ticket, no analyst, no pause.
The human still matters, enormously, but consciousness belongs after the reflex, doing the investigation and the tuning. It does not belong in the critical path of a fight that is already over by the time anyone looks up.
When the pan is this hot, you do not think. You react. That is not a weakness in the design. That is the design.
Pop, or burn
So here is what surprises me, ten years on. The pan that made us pop is now too hot to touch, and I look around and see how many kernels are still sitting there. Not popping. Waiting.
In a pan this hot, the ones who do not pop are not waiting. They are burning. They simply do not know it yet. Ten years ago, not popping meant falling behind. Today it means you are the burnt kernel at the bottom of the pot.
The pan is at maximum heat. The only question left is whether you pop.