Cisco is pushing organizations to address decades-old routers, switches and network-attached storage, warning that aging connectivity gear creates real exposure as generative AI lowers the bar for attackers. The company has launched an effort called “Resilient Infrastructure” that pairs new research and industry outreach with product changes meant to prompt upgrades and reduce risk.
Keeping legacy boxes running can seem cheaper in the short term. Many IT teams choose to leave equipment humming in a forgotten closet rather than pay for replacement or endure the operational work of a refresh. Those devices can carry insecure default settings, and vendors frequently stop issuing patches and other protections for older models, leaving gaps that attackers can exploit more easily today than in the past.
Cisco says the Resilient Infrastructure plan will start with clearer signals about gear that is nearing end of life. Customers running known insecure configurations, or who attempt to add those settings, will see explicit prompts during device updates. Later, the company intends to remove historic configuration options and interoperability settings that it no longer regards as safe.
“Infrastructure globally is aging, and that creates a ton of risk,” says Anthony Grieco, Cisco’s chief security and trust officer. “The thing we’ve got to get across is this aging infrastructure wasn’t designed for today’s threat environments. And by not updating it, it’s fostering opportunities for adversaries.”
To shape the outreach, Cisco commissioned work from the British advisory firm WPI Strategy on how end-of-life technology shows up in the “critical national infrastructure” of five countries: the United States, United Kingdom, Germany, France, and Japan. The report finds the United Kingdom faces the highest relative risk among those peers, with the United States close behind. Japan scores lowest on relative risk, a result the researchers tie to steadier upgrade cycles, decentralization of key systems, and “a stronger, more consistent national focus on digital resilience.”
The WPI Strategy analysis adds that many security incidents track back to known flaws that attackers can exploit when devices go unpatched or remain in service past vendor support windows. That pattern makes the business choice to defer hardware refreshes more costly than it appears on a ledger that ignores risk.
“The status quo is not free—there is actually a cost, it’s just not being accounted for,” says Eric Wenger, Cisco’s senior director for technology policy. “If we can help elevate this risk to something that is treated as a board-level concern, then hopefully that will help to underscore the importance of making an investment here.” He adds, “we’re not making it hard enough for the attackers.”
Cisco’s market position colors the debate. The company was founded in 1984, and its equipment is deeply embedded across government and commercial networks worldwide, which can prompt questions about motive when it calls for equipment spending. Wenger pushes back on that framing, noting that older kit does not generate ongoing revenue for the company and that convincing customers to modernize won’t guarantee they buy Cisco gear.
“Look, we don’t make money on the stuff that we sold two decades ago. When we convince somebody that they need to move off of the old technology—what we’re selling now is innovative, it’s cost effective, but we’re not going to win everyone over,” he says. “But we need to start the conversation either way.”
Grieco points to his own efforts over several years to draw attention to the problem. In an August 2016 Cisco blog post, he wrote that systems built and deployed in earlier decades “didn’t anticipate the hostile security environment of today. Until now, very few have thought about securing infrastructure since they didn’t think adversaries would target these systems and devices, or they had ‘higher priorities’ to fix. This must change.”
AI tools are not replacing skilled human attackers, yet they are streamlining parts of the reconnaissance and outreach that underpin many campaigns. Security teams are seeing AI-assisted social engineering that produces more convincing lures, faster scanning that reveals vulnerable firmware and misconfigurations, and automation that helps refine malware payloads. For low-skill operators, these tools supply capabilities that used to require deeper expertise. For organized intruders with more resources, the tools shave time from steps that once consumed hours or days.
That trend raises the stakes for organizations that keep unsupported hardware online. Patching and planned replacement cycles are the obvious mitigations, but those require budget and planning. Cisco’s push is aimed at making the risk a visible line item in procurement and risk discussions so boards and executives treat legacy infrastructure as a substantive threat.
“It’s time to give people a jolt about the silent risk of aging infrastructure,” Grieco says. “We’re going to make it loud.”

