ZEST Security today added a set of artificial intelligence (AI) agents that identify whether a vulnerability represents an actual threat to an application environment.

Company CEO Snir Ben Shimol said AI Sweeper Agents make it possible to reduce the number of patches that need to be created by eliminating any request to fix a vulnerability that can’t actually be exploited.

As the amount of code being created using AI coding tools continues to exponentially increase, so too does the number of vulnerabilities being discovered. The AI Sweeper Agents developed by ZEST Security make it easier to prioritize the most pressing issue based on actual risk versus relying on a generic severity score that has been assigned by whoever initially discovered a vulnerability, said Ben Shimol.

The goal is achieved first by using an AI agent to analyze each vulnerability to extract its exploitation requirements using data found in vulnerability research publications, exploit documentation, and technical disclosures.

A second agent evaluates the IT environment to compare it to the exploitation requirements to determine what conditions must be present for exploitation to be possible. Once a determination is made, a third agent validates the conclusion and produces clear reasoning and evidence that can be used to generate a report for a potential audit request

Armed with that level of insight, it then becomes possible to significantly reduce the overall size of the backlog of requests for patches to vulnerabilities that can easily number in the thousands in a large enterprise, he added. According to ZEST Security research, more than 90% of high and critical vulnerabilities found in those backlogs are not actually exploitable in the specific IT environment that cybersecurity teams are trying to protect.

In total, ZEST Security claims cybersecurity teams that have had early access to AI Sweeper Agents have, in the past six months, already been able to dismiss 11 million vulnerabilities.

The overall goal is to provide cybersecurity teams with a set of AI agents that enable them to identify relevant vulnerabilities, rather than creating a long list of potential issues that is then shared with an application development team that is usually already far behind schedule. Instead of randomly remediating the easiest vulnerabilities to fix, the AI Sweeper Agents make it simpler for cybersecurity teams to explain why a specific vulnerability should be remediated as soon as possible, said Snir Ben Shimol.

Ultimately, the goal is to enable auto-remediation by enabling AI agents to invoke DevOps platforms and automation frameworks to create and apply a patch, he added. The patch itself can be created and validated by AI agents and then applied using the guardrails and context provided by the same DevOps platform and automation framework that human application developers are using to build and deploy code, noted Snir Ben Shimol.

Each organization will need to determine for itself what level of comfort it will have with autoremediation of vulnerabilities, but in the meantime, there is a clear opportunity to at the very least reduce much of the toil that today conspires to make securing application environments more tedious than anyone involved especially enjoys.