I've spent my career in cybersecurity, in security operations leadership, as a CISO, and now at F5, where I lead all AI and technology operations. That vantage point matters, because the challenge in front of us is both a security problem and an operations problem.
I know what it feels like to sit across from your board and be asked whether your organization is prepared for a threat that didn't exist a quarter ago. I know what it's like to weigh the operational cost of a patch against the risk of not applying it. And I know that the hardest problems in security are rarely the ones you can solve by buying another tool. They are the ones that require changing how your organization operates.
Just as frontier AI enables defenders with powerful new ways to harden software, it gives attackers faster ways to identify and exploit discovered vulnerabilities. Across the industry, many vendors are moving to more frequent releases because AI is surfacing issues at a rate the traditional disclosure-and-patch model was never designed to absorb.
Our Chief Product Officer, Kunal Anand, wrote recently about the changes to our release cadence—our move to monthly hardened releases, and the monthly security notifications that follow. The first of those hardened releases is available today. What I want to talk about is the part that keeps CISOs up at night: whether your organization can actually absorb the fixes now coming at a faster pace.
Finding and fixing vulnerabilities faster doesn't help you if the fixes can’t be applied in your environment. The median organization takes 20 days to deploy a patch. Attackers now weaponize vulnerabilities in hours, often before they're even publicly disclosed. As every one of your vendors accelerates their release cadence, that gap compounds. More releases, from more vendors, more often, landing on the same finite team.
“Just as frontier AI enables defenders with powerful new ways to harden software, it gives attackers faster ways to identify and exploit discovered vulnerabilities.”
This is the operational burden that a faster cadence creates. And if we simply pushed more releases at you without helping you absorb them, we would be handing you a problem, not a solution.
Making a faster cadence sustainable
We've been building the capabilities to make this manageable because the speed at which you can deploy a fix is now part of your security posture, not separate from it.
Today, alongside our first hardened release, we're introducing new fleet management capabilities in F5 Insight for ADSP. These workflows give security and operations teams fleet-wide visibility, guided update management, and the ability to move from identifying risks to taking accountable action across large, distributed F5 BIG-IP environments. In practice, that means a single view of which devices are current, which are exposed, and which require action, then the guided workflows and pre-execution readiness checks to update them safely at scale.
For those of you in regulated industries, there's another dimension that matters. As AI becomes part of day-to-day operations, you need to document what happened: what the AI accessed, what it recommended, who approved the action, and what the outcome was. F5 Insight now includes governance-grade controls like enterprise authentication, role-based access controls, and a tamper-evident AI audit trail. Accountability for every operational action—whether taken by a person or an AI—is captured.
Our goal is to turn a monthly cadence from an operational tax into a routine, low-risk, largely automated process. Here are three steps I’d recommend taking now to prepare:
- Get a trial of F5 Insight for ADSP. Deploy it today to get visibility into your current fleet posture and use the new fleet management capabilities. Visibility is the prerequisite for everything else.
- Contact F5 Professional Services for update automation. Our team will work with you to design and implement an automated, low-risk update workflow tailored to your environment. We use certified Ansible collections; adapt to your regulatory requirements, high-availability configurations, and traffic flows; and build in validation and testing.
- Set up a guided demo of F5 AI Red Team. The same frontier AI capabilities that are reshaping offense can be turned to your defense. Connect with our team to learn how AI Red Team allows you to identify potential exploits in your own applications before an adversary does, and validate that your controls actually hold.
What this asks of you and us
The most important shift here is one’s mindset. In a world where attackers chain lower severity flaws into novel exploits, the severity of any single fix is a poor guide to its importance. The organizations that thrive will be the ones that treat currency—staying on the latest hardened release—as a core security discipline, not a maintenance chore. That requires investment in automation and visibility now, before the pressure peaks.
For our part, we're holding ourselves to the same standard. We are making F5 the best, most advanced customer of our own products. We are running our own infrastructure the way we're asking you to run yours, with the same rigor, the same tooling, and the same urgency. We're not asking you to move to a posture we haven't adopted ourselves.
This is a structural response to a permanent change in how software gets attacked and defended. The threat landscape will keep evolving. So will we—in how we find and fix vulnerabilities, in how we help you deploy them, and in the runtime defenses that protect you in the window before a patch is applied.
The world’s largest organizations put F5 in their most critical paths. That's a responsibility we don't take lightly, and it's the starting point for every decision we're making.
You can find more information on F5’s approach to frontier AI defense here.
About the Author

Michael is responsible for the enterprise‑wide strategy and execution to operate the company with security and resiliency at its core. He leads F5’s Security, Risk, and Digital Operations organizations, driving end‑to‑end operational trust for customers, partners, and employees. Montoya joined F5’s executive leadership team in October 2025 after serving on F5’s Board of Directors from 2021 to 2025. Prior to F5, Montoya was Chief Operating Officer at BlueVoyant and previously served as Chief Information Security Officer at Equinix and Digital Realty. He spent more than a decade at Microsoft in global leadership roles, including Chief Cyber Security Officer, regional CIO/CISO for EMEA and Asia, and a global leader for Datacenter Operations.
More blogs by Michael MontoyaRelated Blog Posts

Securing F5 NGINX in the age of AI
How F5 is applying AI-driven security practices across the F5 NGINX portfolio to help deliver safer, more resilient software.

From dashboard fatigue to operational excellence: Why XOps needs F5 Insight for ADSP
Learn how F5 Insight for ADSP lays the visibility foundation for XOps—turning fragmented signals across applications and infrastructure into actionable intelligence.

The hidden cost of unmanaged AI infrastructure
AI platforms don’t lose value because of models. They lose value because of instability. See how intelligent traffic management improves token throughput while protecting expensive GPU infrastructure.

Govern your AI present and anticipate your AI future
Learn from our field CISO, Chuck Herrin, how to prepare for the new challenge of securing AI models and agents.

F5 recognized as one of the Emerging Visionaries in the Emerging Market Quadrant of the 2025 Gartner® Innovation Guide for Generative AI Engineering
We’re excited to share that F5 has been recognized in 2025 Gartner Emerging Market Quadrant(eMQ) for Generative AI Engineering.
Self-Hosting vs. Models-as-a-Service: The Runtime Security Tradeoff
As GenAI systems continue to move from experimental pilots to enterprise-wide deployments, one architectural choice carries significant weight: how will your organization deploy runtime-based capabilities?
