Agent Val Proves Exploits, Not Just Predicts Them

Qualys has launched Agent Val. It’s an AI agent embedded within Enterprise TruRisk Management that fundamentally reshapes how security teams validate and remediate vulnerabilities. The tool marks a decisive shift from assumption-driven vulnerability management to evidence-based risk reduction, addressing a market gap that has persisted despite years of competing solutions.

The timing reflects genuine market pressure. The volume of known exploited vulnerabilities has grown 6.5 times over four years. Critical vulnerabilities remain open at Day 7 at higher rates than before. Meanwhile, attackers now exploit vulnerabilities before patches exist, compressing response windows to negative timelines. Manual remediation has hit a hard ceiling, leaving security teams overwhelmed by volume rather than focused on actual risk.

Sumedh Thakar, president and CEO of Qualys, said, “Having a vulnerability does not equal risk. What matters is whether an attacker can successfully reach and execute an exploit path in your environment. As exploit timelines shrink and adversaries use AI to move faster, the industry can’t keep running on assumptions.

“Agent Val in ETM moves the Risk Operations Center (ROC) from ‘we think’ to ‘we know’ to ‘it’s been taken care of’ with minimal manual effort, giving the power of AI back into the hands of defenders to drive measurable risk reduction at scale.”

What is Agent Val addressing?

Security teams are under siege by the number of vulnerabilities that are disclosed every year. The Forum of Incident Response and Security Teams (FIRST) predicts that 2026 could be the year that vulnerabilities cross the 50,000 mark. It is impossible for any organisation to remediate any significant percentage of those.

Even at the vendor level, managing the number of risks is hard. Microsoft’s March Patch Tuesday addressed 84 security vulnerabilities across Windows, Office, and cloud services. Eight of those were classified as critical.

The challenge for organisations is how to reduce that volume to a manageable level that can be handled without increasing risk.

From Volume to Verification

Agent Val operates as an orchestration layer that coordinates three distinct functions.

First, it validates exploitability by analysing exposure signals across assets. It then determines which exposures warrant testing based on attacker relevance and business context. Agent Val tests whether exploit paths remain open, get blocked by compensating controls, or become unreachable in production environments.

The result is a 90% reduction in remediation noise. Security teams stop chasing findings that attackers cannot actually exploit.

Second, once risk confirmation occurs, Agent Val feeds results directly into ETM’s remediation queue. This extends the response beyond patch deployment. It includes mitigation controls and isolation strategies where patching proves infeasible. Qualys reports 70% faster time-to-remediate on confirmed exploitable findings. This frees engineering teams to prioritise exposures that genuinely matter rather than statistical outliers.

Third, Agent Val revalidates after mitigation to confirm that exploit paths are closed and controls function properly. This creates documented proof of risk reduction for board reporting and compliance documentation.

Why This Matters to Business Leaders

For CISOs and security operations centres, the business case centres on resource allocation efficiency. Security teams operate under finite engineering cycles. Vulnerability discovery no longer represents the constraint. Instead, the bottleneck has shifted to strategic remediation capital allocation. Agent Val removes guesswork from this calculation by providing evidence-based prioritisation.

According to Florian Bielak, CISO at BitMEX, “Agent Val with TruConfirm will enable us to further shift away from a reactive posture based on theoretical CVSS scores to a disciplined, evidence-based model. By validating actual attack paths at scale, we’ll have a way to effectively eliminate the noise tax, ensuring our lean teams are engineering against real-world risk rather than chasing statistical outliers.”

Agent Val covers over 1,600 CVEs without requiring new sensor infrastructure. This matters operationally because it avoids the deployment friction that typically accompanies new security tools. The agent integrates directly into existing ETM deployments, reducing implementation complexity.

Enterprise Times: What does this mean?

Vulnerabilities are increasing. Security teams are at the point where they don’t know what to prioritise, which leaves them chasing everything. That brings with it other problems. Production systems should be high on their agenda, but patching them by reflex carries risk.

Apply an untested patch, and you can bring down enterprise systems. Even with resilient solutions, there will still be an impact on the business while it recovers. And that still fails to address the underlying vulnerability.

Similarly, wasting time on non-urgent patches risks delaying or even preventing the application of key patches. Systems remain vulnerable, and attackers will exploit that. In 2024, the average Time-To-Exploit was down to 5 days. Since then, it has continued to fall.

Qualys’ Agent Val should take the risk out of vulnerability management, giving teams a clear view of what to patch and when. That leaves two questions. How many organisations will adopt it? When will Qualys publish a white paper showing the real-time efficiencies and cost reductions Agent Val delivers?

The post Agent Val Proves Exploits, Not Just Predicts Them appeared first on Enterprise Times.
