The Board Is Asking a Question CISOs Cannot Yet Answer
On April 23, 2026, CrowdStrike launched Project QuiltWorks — an industry coalition pulling in Accenture, EY, IBM Cybersecurity Services, Kroll, OpenAI, and Anthropic — to confront a problem that most enterprise security programs were never designed to handle. Frontier AI models are now uncovering logic bugs, design flaws, misconfigurations, and novel exploit paths across production codebases faster than automated scanners and human reviewers can triage them. The exploit window is collapsing. The remediation pipeline is not.
CEO George Kurtz framed the business reality plainly: "As frontier AI accelerates vulnerability discovery, every board in the world is asking their chief information security officers the same question: are we exposed and are we protected? Project QuiltWorks is how the industry comes together to give every organization the answer their board needs."
That question — "are we exposed and are we protected?" — is the single most consequential prompt moving through enterprise risk committees right now. And for most Fortune 500 CISOs, the honest answer today is: we don't know at machine speed, which means we don't know at all.
What QuiltWorks Actually Is
Project QuiltWorks is not a product. It's an operating model. CrowdStrike is the lead, but the coalition pools frontier AI capacity from OpenAI and Anthropic with the remediation muscle of the Big Four and their specialist security arms. The stated mission: continuously assess, prioritize, and remediate the wave of vulnerabilities frontier models are surfacing in production code.
The coalition's three-layer approach:
- Assessment — Expert review of each organization's current security program, where it stands today, and how much remediation capacity it has. This is the honest baseline most enterprises avoid because they suspect the number will be uncomfortable.
- Model deployment — Frontier AI-powered scanning of applications and codebases to find truly exploitable vulnerabilities that legacy tools and human review miss. CrowdStrike's Falcon platform, which already processes trillions of daily security events, becomes the telemetry spine.
- Prioritization and remediation — Adversary-informed prioritization (not plain CVSS scores), board-level risk reporting, and guided remediation delivered by 10,000+ certified professionals across the coalition.
Wrapped around this is a commercial motion: the Frontier AI Readiness and Resilience Service, a 12-month renewable subscription purchasable directly through Falcon Flex dollars. Enterprises already committed to Falcon budget don't need a new procurement cycle to start. That procurement detail matters more than it reads — it's the difference between QuiltWorks getting deployed this quarter versus sitting in a 2027 budget review.
Why This Is Happening Now
The statistic underwriting the entire coalition came from Dave Burg at Kroll: "Over 90% of our clients have told us they are dealing with cyber incidents related to the use of AI." That is not a risk forecast. That is a current-state observation from a firm whose client base skews toward large, regulated, incident-prone enterprises.
The attack surface isn't one thing. It's converging failure modes:
- Shadow AI-developed applications. Business units are shipping code with AI assistants, and a meaningful share of it has never been reviewed by a security function. The Offensive Security teams at CrowdStrike and Kroll report substantial growth in vulnerabilities inside in-house AI-developed apps.
- Frontier models as discovery engines. The same models that accelerate development also accelerate discovery. If a well-prompted GPT-class or Claude-class model can enumerate logic flaws in your checkout flow, so can an adversary's.
- The pace asymmetry. Traditional vulnerability management is built on quarterly scans, ticket queues, and human-mediated prioritization. Frontier-model discovery is continuous. The throughput mismatch is where breaches happen.
IBM's Mark Hughes captured the stakes: the partnership extends IBM's Autonomous Security capabilities to address new risks "at machine speed." That phrase — machine speed — is the operative constraint. Manual processes lose.
The Technical Perspective: For CIOs, CTOs, and CISOs
For technical leaders, QuiltWorks is less interesting as a marketing event than as an architectural signal. Three things worth internalizing:
1. Vulnerability scanning is being redefined, not augmented. The old stack — SAST, DAST, SCA, manual pen-test — assumed that humans triage, rank, and remediate. The QuiltWorks model assumes frontier models handle discovery and initial prioritization, humans handle strategic remediation decisions, and the ratio of human time spent on remediation versus triage flips. If your AppSec team is still spending the bulk of its hours on triage, the economics of your security program are about to change.
2. Falcon becomes a frontier-AI control plane. CrowdStrike is not just running frontier models against code — it's feeding Falcon's existing adversary intelligence, attack-path graphs, and endpoint telemetry into the prioritization layer. That means the vulnerabilities flagged aren't just "high CVSS." They're "high CVSS, an active adversary is using this path in the wild, and your specific environment has the exposed surface." That triangulation is what reduces false-positive fatigue: a standalone LLM-based scanner has nothing to rank its findings against except severity, so it produces far more noise than one grounded in telemetry about what is reachable and what is being exploited.
3. Agentic AI security becomes a subset of code security. Most enterprises are treating "AI agent security" as a separate category — one that needs a new vendor, new product line, new budget. QuiltWorks implicitly argues the opposite: the agents your business units are deploying are applications. They have code. They have misconfigurations. They have design flaws. Treat them with the same vulnerability management discipline you treat any other production system, accelerated by frontier models.
For a CIO building an AI platform strategy, the integration question becomes: where does QuiltWorks-style remediation sit relative to your existing guardrails (prompt injection, DLP, output moderation)? The answer is upstream. Runtime guardrails handle the prompt-level and output-level attack surface. QuiltWorks handles the code-level surface — the bugs and design flaws that exist whether the app is an AI agent or a traditional microservice.
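The triangulation described in point 2 above, as an added illustration that is not CrowdStrike's, Falcon's, or the coalition's code. The Finding fields, the weights, and the sample findings are assumptions chosen to show the mechanism: a CVSS-only sort puts the highest base score first, while an adversary-informed score gates on whether the component is reachable in this environment and multiplies by whether adversaries are already using the path.

```python
"""Adversary-informed prioritization versus a CVSS-only sort.

Added illustration, not the coalition's algorithm. The weights and the
sample findings below are assumptions chosen to make the reordering visible.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    severity: float          # CVSS base score, or analyst-assigned 0-10 for a logic flaw
    exploited_in_wild: bool  # adversary intelligence: this path is actively used
    exposed: bool            # affected component is reachable in this environment
    asset_criticality: int   # 1 (low) .. 5 (crown jewel), from the asset inventory


def cvss_only_rank(findings):
    """The legacy ordering: highest base score first, nothing else considered."""
    return [f.id for f in sorted(findings, key=lambda f: f.severity, reverse=True)]


def adversary_informed_score(f: Finding) -> float:
    """Score in [0, 1]. Assumed weights (not from the page):

    - exposure gates the score; an unreachable bug keeps 20% of its weight
      because reachability changes as the environment does;
    - exploit evidence multiplies; a path adversaries already use gets full
      weight, a theoretical one 40%;
    - asset criticality scales the result between 50% and 100%.
    """
    base = f.severity / 10.0
    exposure = 1.0 if f.exposed else 0.2
    evidence = 1.0 if f.exploited_in_wild else 0.4
    criticality = 0.5 + 0.5 * (f.asset_criticality / 5.0)
    return round(base * exposure * evidence * criticality, 3)


def adversary_informed_rank(findings):
    """Ordering the prioritization layer would hand to remediation."""
    return [f.id for f in sorted(findings, key=adversary_informed_score, reverse=True)]


def triage_bucket(score: float) -> str:
    """Assumed thresholds mapping a score to a remediation lane."""
    if score >= 0.6:
        return "fix-now"
    if score >= 0.25:
        return "this-sprint"
    return "backlog"


# Constructed sample findings (not real findings from any environment).
SAMPLE = [
    # 9.8 deserialization bug in an internal batch job: unreachable, no exploitation seen
    Finding("batch-deserialization", 9.8, exploited_in_wild=False, exposed=False, asset_criticality=3),
    # 7.5 IDOR in the checkout flow: internet-facing, actively exploited, crown-jewel asset
    Finding("checkout-idor", 7.5, exploited_in_wild=True, exposed=True, asset_criticality=5),
    # 9.1 SSRF in a public API on a low-value asset, actively exploited
    Finding("api-ssrf", 9.1, exploited_in_wild=True, exposed=True, asset_criticality=2),
    # 6.5 stored XSS in an exposed admin console, no exploitation seen
    Finding("admin-xss", 6.5, exploited_in_wild=False, exposed=True, asset_criticality=5),
]


def report(findings=SAMPLE):
    """id -> (score, lane), for the reader running this stand-alone."""
    return {f.id: (adversary_informed_score(f), triage_bucket(adversary_informed_score(f)))
            for f in findings}


if __name__ == "__main__":
    print("CVSS only:          ", cvss_only_rank(SAMPLE))
    print("Adversary-informed: ", adversary_informed_rank(SAMPLE))
    for fid, (score, lane) in report().items():
        print(f"  {fid:24s} {score:.3f}  {lane}")
```

The 9.8 in the unreachable batch job drops to the bottom and the 7.5 IDOR that adversaries are already hitting on a crown-jewel asset rises to the top. In practice the `exposed` and `exploited_in_wild` inputs come from attack-path and threat-intelligence feeds rather than hand-set booleans; the scoring shape is the part worth keeping.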
The Business Perspective: For CFOs, General Counsel, and Boards
Strip out the technical framing and QuiltWorks is an argument about financial and governance risk.
The board question, operationalized. "Are we exposed?" has always been rhetorical. QuiltWorks productizes the answer: an expert-led assessment benchmarks your current program against AI-era threats. "Are we protected?" gets a 12-month renewable subscription attached to a remediation service. Boards don't want ambiguity. They want a named vendor, a named service, and a defensible answer. This is how CISOs produce that.
The TCO calculation is not straightforward. The Frontier AI Readiness and Resilience Service is priced through Falcon Flex, which means the incremental budget hit depends on how much Flex spend is already committed. For CrowdStrike customers with meaningful Flex dollars left, this is a low-friction add. For non-customers, the economics include a Falcon purchase plus the service. CFOs should model two scenarios: current-customer expansion vs. net-new procurement, because the effective unit cost is dramatically different.
Insurance and regulatory exposure. Cyber insurers are already raising the bar on AI-use attestations. Regulators are probing how enterprises manage AI-introduced risk. A documented program with board-level reporting, adversary-informed prioritization, and a named remediation partner is a materially stronger posture than "we have a vulnerability scanner." Expect this to show up in insurance negotiations and SEC-style disclosures within 12-18 months.
Vendor concentration risk. Coalitions are efficient but concentrated. Leaning on a single CrowdStrike-led stack — even one with Big Four diversification inside the remediation tier — creates dependency. General Counsel should ensure contract language preserves portability of findings and remediation artifacts, not just the service itself.
The Competitive Landscape
QuiltWorks does not enter an empty market. The enterprise AI security space is getting crowded, and the positioning matters:
- Palo Alto Networks + Google Cloud announced an expanded strategic collaboration earlier in April to secure AI in the enterprise, pitched at runtime protection for AI agents.
- OpenAI's own acquisition of Promptfoo (announced March 9) gave OpenAI an AI red-teaming and evaluation capability that it's folding into Frontier, its platform for building AI coworkers. Promptfoo is already used by 25% of the Fortune 500.
- Ammune.AI launched an AI Agent Runtime Security Platform on April 22 — squarely targeting the autonomous-agent discovery and mapping problem.
- Anthropic's Glasswing initiative and earlier Trend Micro + Claude integrations have taken somewhat different paths into the same problem space.
The pattern: runtime protection vendors are moving upstream into agent security, while application security and code security vendors are moving downstream into runtime. QuiltWorks is distinct because it couples frontier-model discovery with human-led remediation at scale — the coalition of professional services firms is the actual moat. A product can be copied. A 10,000-person remediation workforce cannot be spun up in a quarter.
A Decision Framework for the Next 90 Days
CIOs, CTOs, and CISOs evaluating QuiltWorks — or building their own answer to the board question — can work through a short decision framework:
Step 1 — Baseline your AI-developed code. What percentage of your production code in the last 12 months was written with AI assistants (Copilot, Cursor, Windsurf, internal tools)? If you don't know, that's the first data gap. Without a denominator, you cannot size the problem.
Step 2 — Assess discovery coverage. Are your current SAST/DAST/SCA tools finding logic bugs and design flaws, or just known CVEs? Most legacy tools are good at the latter and weak at the former. Frontier-model-assisted discovery is specifically strong at logic and design.
Step 3 — Quantify remediation latency. From the moment a vulnerability is discovered, how many days until production-ready fix? If the answer is measured in weeks, you are on the wrong side of the machine-speed asymmetry.
Step 4 — Evaluate procurement path. If you're a Falcon customer with Flex dollars, pilot the Frontier AI Readiness and Resilience Service this quarter. If you're not, benchmark QuiltWorks against Palo Alto + Google Cloud, Promptfoo (via OpenAI Frontier), and at least one focused vendor like Varonis Atlas or Ammune.AI before committing.
Step 5 — Set board-reportable KPIs. The service's value is the board answer, so the KPIs should be board-shaped: time-to-remediate critical AI-discovered findings, percentage of AI-developed code covered by frontier-model scanning, adversary-informed risk score per business unit. Anything else is noise at the board level.
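Steps 1 through 5 above, computed from data rather than stated, as an added example that is not part of the original article or of the service's reporting schema. The data model, the field names, the sample findings, the sample repo inventory, and the as-of date are all constructed assumptions; `risk_score` is taken as already produced by an adversary-informed prioritization layer. The block computes the three board-shaped KPIs from Step 5: time-to-remediate for critical frontier-model-discovered findings (Step 3), the share of AI-assisted code covered by frontier-model scanning (Steps 1 and 2, weighted by lines so a large unscanned repo cannot hide behind small scanned ones), and open adversary-informed risk per business unit.

```python
"""Board-shaped KPIs from a findings list and a repo inventory.

Added illustration; the schema, the sample data and the KPI definitions
are assumptions, not the service's reporting format. risk_score is assumed
to come from an adversary-informed prioritization layer (0..1).
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    id: str
    business_unit: str
    severity: str            # "critical" | "high" | "medium" | "low"
    source: str              # "frontier-model" | "sast" | "pentest" ...
    discovered: date
    fixed: Optional[date]    # None while still open
    risk_score: float        # from the prioritization layer, 0..1


@dataclass(frozen=True)
class Repo:
    name: str
    business_unit: str
    ai_assisted_loc: int     # lines attributed to AI assistants (the Step 1 denominator)
    total_loc: int
    frontier_scanned: bool   # covered by frontier-model discovery (Step 2)


def time_to_remediate(findings, as_of, severity="critical", source="frontier-model"):
    """KPI 1 (Step 3): days from discovery to production fix for one class of finding.
    Fixed findings feed median and max; open ones are reported by age, so a stale
    open critical cannot be hidden by a good median."""
    scoped = [f for f in findings if f.severity == severity and f.source == source]
    fixed_days = [(f.fixed - f.discovered).days for f in scoped if f.fixed is not None]
    open_ages = [(as_of - f.discovered).days for f in scoped if f.fixed is None]
    return {
        "median_days": median(fixed_days) if fixed_days else None,
        "max_days": max(fixed_days) if fixed_days else None,
        "open_count": len(open_ages),
        "oldest_open_days": max(open_ages) if open_ages else 0,
    }


def frontier_scan_coverage(repos):
    """KPI 2 (Steps 1-2): percent of AI-assisted lines in repos covered by scanning."""
    ai_loc = sum(r.ai_assisted_loc for r in repos)
    if ai_loc == 0:
        return 0.0
    scanned = sum(r.ai_assisted_loc for r in repos if r.frontier_scanned)
    return round(100.0 * scanned / ai_loc, 1)


def risk_by_business_unit(findings):
    """KPI 3: sum of open risk scores per business unit, highest first."""
    totals = {}
    for f in findings:
        if f.fixed is None:
            totals[f.business_unit] = round(totals.get(f.business_unit, 0.0) + f.risk_score, 3)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def board_kpis(findings, repos, as_of):
    return {
        "critical_ai_discovered_ttr": time_to_remediate(findings, as_of),
        "ai_code_scan_coverage_pct": frontier_scan_coverage(repos),
        "open_risk_by_bu": risk_by_business_unit(findings),
    }


# Constructed sample data (not from any real environment).
AS_OF = date(2026, 6, 30)
FINDINGS = [
    Finding("c1", "payments", "critical", "frontier-model", date(2026, 5, 1), date(2026, 5, 4), 0.75),
    Finding("c2", "payments", "critical", "frontier-model", date(2026, 5, 10), date(2026, 5, 31), 0.64),
    Finding("c3", "logistics", "critical", "frontier-model", date(2026, 6, 20), None, 0.58),
    Finding("h1", "logistics", "high", "frontier-model", date(2026, 5, 15), date(2026, 6, 1), 0.26),
    Finding("h2", "payments", "high", "frontier-model", date(2026, 6, 25), None, 0.31),
    Finding("c4", "hr", "critical", "sast", date(2026, 4, 1), date(2026, 4, 15), 0.40),
]
REPOS = [
    Repo("payments-api", "payments", ai_assisted_loc=40_000, total_loc=100_000, frontier_scanned=True),
    Repo("checkout-agent", "payments", ai_assisted_loc=30_000, total_loc=35_000, frontier_scanned=False),
    Repo("routing-svc", "logistics", ai_assisted_loc=10_000, total_loc=60_000, frontier_scanned=True),
    Repo("hr-portal", "hr", ai_assisted_loc=0, total_loc=80_000, frontier_scanned=False),
]

if __name__ == "__main__":
    for name, value in board_kpis(FINDINGS, REPOS, AS_OF).items():
        print(f"{name}: {value}")
```

On the sample data the median critical time-to-remediate is 12 days with one open critical aged 10 days, only 62.5% of AI-assisted code is scanned because the unscanned checkout agent is large, and logistics carries more open risk than payments despite having fewer findings. Those are the three numbers a board can act on; the SAST-sourced finding is deliberately excluded from the first KPI so that legacy-tool throughput does not flatter the frontier-model metric.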
What to Watch Over the Next Two Quarters
Three signals will determine whether QuiltWorks becomes the default answer or one of several viable answers:
- Coalition expansion. Do Deloitte, PwC, or KPMG join? Does Microsoft participate on the frontier-model side? The narrower the coalition stays, the more likely competitors are to form counter-coalitions.
- Concrete customer outcomes. CrowdStrike will need to publish anonymized case studies with real numbers — vulnerabilities found, remediation-time compression, cost per finding — within two quarters. Without those, the service reads as ambitious positioning.
- Regulatory alignment. If NIST, CISA, or EU regulators cite QuiltWorks-style programs as reference architectures, adoption accelerates. If they cite a neutral framework instead, adoption stays vendor-led.
The broader story is that enterprise AI security has graduated from point-product debate to ecosystem debate. CISOs are no longer picking a scanner — they're picking which coalition they want to inherit risk from. That is a meaningful shift in how this market is going to be bought.