SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Qualys launches Agent Val for live exploit validation

Mon, 23rd Mar 2026

Qualys has launched Agent Val in its Enterprise TruRisk Management product, and the tool is now generally available.

The software tests whether vulnerabilities can actually be exploited in live environments and triggers remediation when risks are confirmed. It also checks whether compensating controls block an attack path and can revalidate exposures after mitigation work is completed.

The launch reflects a broader shift in cyber security away from ranking issues by severity scores alone and towards testing whether a weakness is reachable and useful to an attacker. As the volume of disclosed vulnerabilities rises and patching backlogs grow, vendors and security teams have increasingly focused on exploitability.

According to Qualys, the volume of known exploited vulnerabilities has increased 6.5 times over the past four years. The company added that the time between disclosure and exploitation has shrunk to the point where some attacks begin before a patch is available.

Validation focus

Agent Val sits within Qualys' Enterprise TruRisk Management platform and uses TruConfirm as its validation layer. Qualys said it identifies higher-risk exposures, tests exploitability in production using business context and asset criticality, and feeds confirmed results back into the platform to help prioritise remediation.

The product is aimed at security teams that need to distinguish between issues that appear severe on paper and weaknesses that create an immediate route to compromise in a production environment. That distinction has become more important as organisations try to reduce time spent on lower-value remediation work.

Qualys said Agent Val can validate exploitability, apply mitigation where patching is not practical, and then retest to confirm the risk has been reduced. It covers more than 1,600 CVEs and does not require a new sensor footprint.

The company also attached performance claims to the launch, saying the validation process can cut remediation noise by more than 90% and reduce the time needed to remediate confirmed exploitable findings by 70%.

Melinda Marks, practice director for cybersecurity at Omdia, placed the launch in the context of a maturing exposure management market.

"Exposure management efforts often focus on counts, trends, and heat maps that describe risk but don't consistently drive action," said Marks. "The next step in maturity is extending attack path analysis through actual exploit validation, turning potential exposure into operational certainty. Validation is critical to risk reduction, and offensive validation remains a significant gap across the market. Capabilities like what Agent Val offers can help teams prioritise real attack paths, move faster, and focus effort where it delivers measurable impact."

Customer view

BitMEX CISO Florian Bielak said the product addresses the difficulty of deciding where limited remediation resources should be spent.

"In an era of infinite vulnerabilities and finite engineering cycles, the primary challenge is no longer discovery - it is the strategic allocation of remediation capital," said Bielak. "Agent Val with TruConfirm will enable us to further shift away from a reactive posture based on theoretical CVSS scores to a disciplined, evidence-based model. By validating actual attack paths at scale, we'll have a way to effectively eliminate the noise tax, ensuring our lean teams are engineering against real-world risk rather than chasing statistical outliers."

The launch also shows how security suppliers are using AI agents in operational workflows rather than limiting them to analysis or alerting. In this case, the system is intended to orchestrate validation, prioritisation, mitigation and revalidation with less manual intervention from analysts and engineers.

That approach is particularly relevant to risk operations teams, which often have to balance patching, temporary controls, isolation measures and reporting to management. Qualys said Agent Val can capture proof of exploitability and proof of risk reduction for board-level reporting once a mitigation has been tested and the exploit path has been shown to be closed.

Qualys President and CEO Sumedh Thakar said the company views exploit validation as the missing link between vulnerability discovery and measurable exposure reduction.

"Having a vulnerability does not equal risk," said Thakar. "What matters is whether an attacker can successfully reach and execute an exploit path in your environment. As exploit timelines shrink and adversaries use AI to move faster, the industry can't keep running on assumptions. Agent Val in ETM moves the Risk Operations Centre (ROC) from 'we think' to 'we know' to 'it's been taken care of' with minimal manual effort, giving the power of AI back into the hands of defenders to drive measurable risk reduction at scale."