Qualys introduces “Agent Val,” an AI-driven tool that tests vulnerabilities in production environments for real-world exploitability, initiates remediation, and automatically documents risk reduction.
The number of known and actively exploited vulnerabilities has grown 6.5 times over the past four years. At the same time, the window between disclosure and active exploitation has shrunk to under 24 hours; in some cases, exploits exist before a patch is available. For security leaders (CISOs), this sharpens a fundamental dilemma: many vulnerabilities classified as critical cannot actually be exploited in real-world environments, while more dangerous gaps go undetected.
Traditional vulnerability management approaches rely on scores such as CVSS to set priorities. This model is increasingly strained because it does not account for real-world context — such as existing security controls, system reachability, or the business value of an asset. The result: teams patch issues with limited actual impact while overlooking those that pose genuine risk.
Agent Val: Exploit Validation in the Production Environment
Cybersecurity company Qualys (NASDAQ: QLYS) has introduced “Agent Val,” a new component of its Enterprise TruRisk Management (ETM) platform. The tool operates as an AI-driven orchestration layer designed to close the gap between theoretical risk analysis and operational certainty.
Agent Val analyzes security signals across all enterprise assets and prioritizes which vulnerabilities should be tested first — guided by attacker relevance, business context, and actual exposure level. It then uses the integrated TruConfirm technology to test, within the live production environment, whether an exploit path is genuinely open, blocked by existing controls, or simply unreachable.
Once a risk is confirmed, ETM elevates that vulnerability to the top of the remediation queue and extends the response beyond traditional patching: for systems that cannot be immediately patched, shielding measures or isolation are initiated. After remediation, Agent Val re-validates whether the attack path has been effectively closed.
Performance Figures
Qualys states that the approach reduces remediation effort by more than 90 percent, as teams no longer pursue vulnerabilities that cannot be exploited. Remediation time for confirmed vulnerabilities reportedly drops by approximately 70 percent. Current coverage spans more than 1,600 CVEs without requiring new sensors.
“Having a vulnerability does not automatically mean having a risk,” said Sumedh Thakar, President and CEO of Qualys. “What matters is whether an attacker can successfully reach and execute an exploit path in your environment.” Thakar emphasized that the tool is designed to move the Risk Operations Center from believing to knowing to done — with minimal manual effort.
Practitioner Perspectives
Florian Bielak, CISO at BitMEX, describes the challenge from a user’s standpoint: “In an era of endless vulnerabilities and constrained development cycles, the greatest challenge is no longer detection but the strategic allocation of resources for remediation.” He sees the tool as a way to eliminate what he calls the “noise tax” — the overhead of chasing findings that pose no real threat.
Melinda Marks, Practice Director for Cybersecurity at Omdia, places the development in a broader trend: vulnerability management must move from describing risks — through numbers, trends, and heat maps — to operational execution. Validating actual exploits is a decisive step in that direction.
Availability
Agent Val, powered by TruConfirm, is included as part of Qualys ETM and is now generally available. Organizations can register at qualys.com/demo/enterprise-trurisk-management.

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM.
Contact by email: jakob.jung@security-storage-und-channel-germany.de