Qualys launches AI agent that validates, fixes and confirms vulnerabilities without human intervention

Qualys has launched Agent Val, a new AI agent embedded in its Enterprise TruRisk Management (ETM) platform, designed to take vulnerability management beyond detection and into autonomous action. The agent can validate whether a vulnerability is genuinely exploitable in a live environment, trigger targeted remediation, and then revalidate to confirm the exposure has been closed, all with minimal manual effort from security teams.

The launch, announced at the GISEC Global conference in Dubai, addresses what the company describes as a deepening crisis in enterprise vulnerability response. Qualys research shows that the volume of known exploited vulnerabilities has grown 6.5 times in the past four years. The proportion of critical vulnerabilities still unpatched on day seven has continued to rise, and the average time to exploit has now dropped below zero, meaning attackers are exploiting vulnerabilities before patches are available.

Melinda Marks, Practice Director for Cybersecurity at Omdia, said the launch addresses a significant structural gap in how organisations currently manage exposure. "Exposure management efforts often focus on counts, trends, and heat maps that describe risk but don't consistently drive action," she said. "The next step in maturity is extending attack path analysis through actual exploit validation, turning potential exposure into operational certainty. Validation is critical to risk reduction, and offensive validation remains a significant gap across the market. Capabilities like what Agent Val offers can help teams prioritise real attack paths, move faster, and focus effort where it delivers measurable impact."

Sumedh Thakar, President and CEO of Qualys, said the core problem had become an epistemological one. "Having a vulnerability does not equal risk," he said. "What matters is whether an attacker can successfully reach and execute an exploit path in your environment. As exploit timelines shrink and adversaries use AI to move faster, the industry can't keep running on assumptions. Agent Val in ETM moves the Risk Operations Center from 'we think' to 'we know' to 'it's been taken care of' with minimal manual effort, giving the power of AI back into the hands of defenders to drive measurable risk reduction at scale."

Agent Val operates as an agentic orchestration layer within ETM, powered by Qualys's TruConfirm technology. It begins by analysing exposure signals across an organisation's assets and selecting what to validate first, using attacker relevance, business context, and asset criticality as inputs. It then safely tests exploitability in the production environment, producing evidence-based confirmation of whether an attack path is open, blocked by compensating controls, or structurally unreachable. The company claims the approach delivers a 90% or greater reduction in remediation noise, eliminating the churn of chasing findings that pose no real risk.

Where exploitability is confirmed, Agent Val feeds the validated finding directly into ETM's prioritisation queue and extends the response beyond patching. For environments where deploying a patch is not immediately feasible, it can apply mitigation controls and isolation. Qualys says confirmed exploitable findings are now being resolved 70% faster than under conventional approaches, freeing engineering teams to focus on exposures that carry genuine risk. Following remediation, Agent Val runs a second validation pass to verify that the attack path is closed and that controls are functioning as expected, generating evidence that can be reported to boards and used to demonstrate quantifiable risk reduction.

Agent Val currently covers more than 1,600 CVEs and requires no new sensor footprint, operating through Qualys's existing agent infrastructure. It is included as part of the ETM subscription and is now generally available.