Part 2: Strengthening product safeguards with AI

This blog is part of a three-part series on how Adobe is evolving its security approach in the age of frontier AI, covering security fundamentals, product and infrastructure defenses, and supply chain risk. This is part 2 of the series; in part 1, we discussed why security fundamentals are important now more than ever in the age of frontier AI. In part 3, we look at how these principles are applied to infrastructure and supply chain security.

In the first post of this series, we outlined why strong security fundamentals remain essential in the age of frontier AI. The next step is operational: how those principles are applied across products and the systems that support them in practice.

At Adobe, we are evolving how we secure our software and services by applying AI-assisted capabilities across testing, remediation, and defense-in-depth strategies. These approaches are designed to help teams move faster while maintaining the rigor required to manage risk at scale.

Securing Adobe products and services

Moving toward continuous AI-assisted testing

Security testing has traditionally operated on a periodic cycle. AI-assisted capabilities now enable teams to move toward more continuous analysis, helping reduce the time between discovery, prioritization, and remediation.

In support of this goal, Adobe has developed a frontier AI model-powered penetration testing harness to help teams identify classes of vulnerabilities more efficiently across products and services. Rather than focusing on individual issues, this approach identifies patterns and uncovers multiple vulnerabilities in a single pass, helping teams surface critical issues earlier and address broader categories of risk more efficiently. The harness is modular and can support multiple frontier AI models.

In one engagement, it identified nearly 20 confirmed findings across multiple products in a single day, demonstrating consistent results while helping teams spot related patterns and address them proactively.

This capability operates in two modes.

  • In Scan mode, it analyzes large codebases to produce a triaged and deduplicated set of vulnerabilities.
  • In Propagate mode, a confirmed finding becomes a starting point to identify related patterns across codebases, helping teams address broader classes of risk more efficiently.

This shift enables teams to move beyond individual findings and address systemic sources of risk across products. We also incorporate learnings from across the broader security ecosystem as approaches to AI-assisted testing continue to evolve.

Accelerating remediation

Finding vulnerabilities faster is only part of the equation. Organizations also need to be able to prioritize and address those findings efficiently.

At Adobe, AI-assisted capabilities support key parts of the remediation process, including helping teams identify potential code changes, strengthening regression testing, and accelerating analysis of related issues. We continue to evolve these workflows as part of our broader effort to improve end-to-end response.

Human oversight remains essential in the security context, particularly when leveraging AI capabilities. Engineering teams continue to review, validate, and approve all changes before deployment. These AI-assisted workflows help teams move more efficiently on repeatable remediation tasks while preserving rigorous reviews for more complex architectural decisions.

Defense in Depth

Defense in depth also remains critical. No security program eliminates all vulnerabilities. The most resilient systems are designed with layered protections intended to help reduce impact and contain risk when issues emerge.

As AI accelerates vulnerability discovery, these architectural safeguards become even more important. Faster identification does not eliminate risk on its own, which is why layered defenses are designed to limit the potential impact of unknown or emerging vulnerabilities.

By way of example, in Acrobat, sandboxing continues to play an important role in helping reduce the potential impact of unknown vulnerabilities in complex document-processing environments. By isolating high-risk parsing activities and limiting access to sensitive system resources, sandboxing is designed to help contain risk while additional mitigations and fixes are developed.

At Adobe, this broader defense-in-depth strategy includes continued investment in sandboxing approaches, layered access controls, and continuous monitoring that help reduce exposure while longer-term fixes are validated and deployed.

In our final post, we look at how these principles extend to infrastructure and supply chain security.
