Qualys Launches Agent Val to Bring AI-Driven Exploit Validation Into Risk Operations Centers

Qualys is pushing deeper into the evolving world of exposure management with the release of Agent Val, a new capability within its Enterprise TruRisk Management platform designed to validate real-world exploitability and automate remediation workflows. The move reflects a broader shift across cybersecurity toward evidence-based risk reduction as organizations struggle to keep pace with accelerating attack timelines.


The company positions Agent Val as an answer to a growing disconnect between vulnerability detection and actual risk. Security teams are inundated with alerts, yet many of those findings never translate into exploitable attack paths. At the same time, attackers are moving faster than ever, often weaponizing vulnerabilities before patches are even available.


Recent industry data underscores the pressure. The number of known exploited vulnerabilities has surged dramatically in recent years, while many critical flaws remain unpatched days after disclosure. In some cases, exploitation is occurring before organizations have time to respond, forcing security teams to rethink how they prioritize and act.


Agent Val aims to address that gap by shifting vulnerability management away from theoretical scoring models and toward verified outcomes. Instead of relying solely on severity ratings or risk dashboards, the system actively tests whether a vulnerability can be exploited within a specific environment.


Melinda Marks, practice director for cybersecurity at Omdia, said the industry has reached a turning point. “Exposure management efforts often focus on counts, trends, and heat maps that describe risk but don't consistently drive action. The next step in maturity is extending attack path analysis through actual exploit validation, turning potential exposure into operational certainty. Validation is critical to risk reduction, and offensive validation remains a significant gap across the market. Capabilities like what Agent Val offers can help teams prioritize real attack paths, move faster, and focus effort where it delivers measurable impact.”


At the core of Agent Val is an orchestration layer powered by what Qualys calls TruConfirm. The system evaluates exposure signals across assets, prioritizes which risks matter most based on business context, and then safely tests exploitability in live environments. The results are fed back into the platform to drive automated remediation decisions.


This approach is designed to reduce what many security leaders describe as “noise” in vulnerability management. By filtering out issues that cannot be exploited, teams can focus their limited resources on the exposures that actually matter.


Florian Bielak, CISO at BitMEX, framed the challenge in economic terms. “In an era of infinite vulnerabilities and finite engineering cycles, the primary challenge is no longer discovery—it is the strategic allocation of remediation capital. Agent Val with TruConfirm will enable us to further shift away from a reactive posture based on theoretical CVSS scores to a disciplined, evidence-based model. By validating actual attack paths at scale, we'll have a way to effectively eliminate the noise tax, ensuring our lean teams are engineering against real-world risk rather than chasing statistical outliers.”


Qualys says the platform can significantly cut down on unnecessary remediation work by confirming which vulnerabilities are truly exploitable. Once a risk is validated, the system prioritizes it for action and can recommend mitigation strategies beyond traditional patching, including compensating controls or isolation when fixes are not immediately available.


The platform also re-tests environments after remediation to confirm that exploit paths have been closed, creating a feedback loop that ties security actions directly to measurable outcomes. This capability is increasingly important as boards and executives demand clearer evidence of risk reduction rather than abstract metrics.


Sumedh Thakar, president and CEO of Qualys, emphasized that distinction. “Having a vulnerability does not equal risk. What matters is whether an attacker can successfully reach and execute an exploit path in your environment. As exploit timelines shrink and adversaries use AI to move faster, the industry can't keep running on assumptions. Agent Val in ETM moves the Risk Operations Center (ROC) from 'we think' to 'we know' to 'it's been taken care of' with minimal manual effort, giving the power of AI back into the hands of defenders to drive measurable risk reduction at scale.”


Agent Val is now generally available as part of Qualys Enterprise TruRisk Management. The launch signals a growing industry push toward autonomous security operations, where AI not only identifies risk but actively verifies and helps remediate it.


As attackers continue to compress timelines and automate their own workflows, tools that can prove exploitability rather than infer it may become essential. For security teams already stretched thin, the shift from assumption to evidence could mark a meaningful change in how cyber risk is managed at scale.
