Qualys launches Agent Val to prove exploitable risks
Qualys has launched Agent Val within its Enterprise TruRisk Management platform. The product is now generally available as part of its exposure management offering.
The tool is aimed at security teams that need to test whether software vulnerabilities can actually be exploited in live environments, then push confirmed issues into remediation workflows. Agent Val is designed for use in the Risk Operations Centre, or ROC, where organisations manage cyber exposure and prioritise response.
The launch comes as security teams face a growing backlog of vulnerabilities and shorter exploitation windows. Qualys cited industry research showing that the volume of known exploited vulnerabilities has risen 6.5 times over the past four years, while the share of critical vulnerabilities still open after seven days has also increased.
The gap between paper-based severity scores and real-world exploitability has become a central problem for chief information security officers. Teams are still spending too much time on findings that appear severe in theory but may be blocked in practice by existing controls or may not be reachable in production systems.
Validation focus
Agent Val uses Qualys' TruConfirm technology to test whether an exploit path is open, blocked or unreachable. The system also uses business context and asset criticality to determine which exposures should be checked first.
Once a risk has been confirmed, the result is fed back into Enterprise TruRisk Management so it can be moved higher in the remediation queue. The process can extend beyond patching to include mitigation controls and isolation measures where patches are not available or cannot be deployed quickly.
The product then repeats validation after mitigation to confirm that the exploit path has been closed. Agent Val covers more than 1,600 CVEs and does not require a new sensor footprint.
For customers, the commercial argument is less about finding more vulnerabilities and more about narrowing the list to the ones that matter. Qualys said the system can reduce remediation noise by more than 90% and cut time to remediate confirmed exploitable findings by 70%.
That focus on proof rather than prioritisation models alone reflects a wider shift in cybersecurity operations. Many exposure management tools have concentrated on scoring, trend analysis and attack path mapping, but validation in production remains harder because of the operational risks involved in testing live systems.
"Exposure management efforts often focus on counts, trends, and heat maps that describe risk but don't consistently drive action," said Melinda Marks, Practice Director for Cybersecurity, Omdia.
"The next step in maturity is extending attack path analysis through actual exploit validation, turning potential exposure into operational certainty. Validation is critical to risk reduction, and offensive validation remains a significant gap across the market. Capabilities like what Agent Val offers can help teams prioritize real attack paths, move faster, and focus effort where it delivers measurable impact," Marks said.
Customer view
BitMEX, the digital asset exchange, was cited by Qualys as a user interested in the model. Its comments pointed to a familiar issue for lean security teams: too many alerts and not enough engineering time to deal with them.
"In an era of infinite vulnerabilities and finite engineering cycles, the primary challenge is no longer discovery; it is the strategic allocation of remediation capital," said Florian Bielak, CISO, BitMEX.
"Agent Val with TruConfirm will enable us to further shift away from a reactive posture based on theoretical CVSS scores to a disciplined, evidence-based model. By validating actual attack paths at scale, we'll have a way to effectively eliminate the noise tax, ensuring our lean teams are engineering against real-world risk rather than chasing statistical outliers," Bielak said.
Qualys is positioning the launch within a broader push to make cyber risk management more measurable for both security teams and boards. By rerunning tests after mitigation, customers can gather evidence that an issue was not only identified but also closed.
The move also shows how security vendors are applying AI agents to operational tasks rather than limiting them to analytics and alert triage. In this case, Qualys is using an agent as an orchestration layer that can identify targets for validation, trigger tests, assess outcomes and route confirmed exposures into remediation steps.
Qualys President and CEO Sumedh Thakar said the distinction between a vulnerability and a practical risk is becoming more important as attackers move faster.
"Having a vulnerability does not equal risk," said Sumedh Thakar, President and CEO, Qualys.
"What matters is whether an attacker can successfully reach and execute an exploit path in your environment. As exploit timelines shrink and adversaries use AI to move faster, the industry can't keep running on assumptions. Agent Val in ETM moves the Risk Operations Centre (ROC) from 'we think' to 'we know' to 'it's been taken care of' with minimal manual effort, giving the power of AI back into the hands of defenders to drive measurable risk reduction at scale," Thakar said.