Qualys today introduced Agent Val, the industry’s first AI‑driven agent designed to safely validate exploits in production environments and autonomously drive remediation. Integrated into the Qualys Enterprise TruRisk Management (ETM) platform, Agent Val marks a major shift from prioritizing vulnerabilities based on assumptions to acting on verified exploitability a capability long missing from conventional vulnerability management.
The launch comes as organizations struggle to keep pace with a surge in exploited vulnerabilities. Over the past four years, the volume of known exploited vulnerabilities has grown more than sixfold, while the percentage of critical vulnerabilities still unpatched after seven days continues to rise. Compounding the challenge, the average “time to exploit” has dropped to below zero days, with attackers now exploiting vulnerabilities before vendors can release patches.
“The next step in maturity is extending attack path analysis through actual exploit validation. Validation is critical to risk reduction.”
— Melinda Marks, Omdia
Qualys positions Agent Val as the answer to this widening gap. Acting as the AI orchestration layer within ETM, the system identifies high‑risk exposures, validates whether they are truly exploitable in production, and triggers automated remediation workflows. By distinguishing between vulnerabilities that are exploitable and those that are blocked by existing controls, Agent Val reduces remediation noise by more than 90%, allowing teams to focus exclusively on issues that present real business risk.
According to Omdia’s Melinda Marks, the move represents a critical evolution for the industry. “Exposure management often focuses on counts and heat maps that describe risk but don’t consistently drive action,” she said. “Capabilities like Agent Val allow teams to prioritize real attack paths and act on evidence.”
“What matters is whether an attacker can reach and execute an exploit path. Agent Val moves the ROC from ‘we think’ to ‘we know.’”
— Sumedh Thakar, CEO, Qualys
Once a risk is confirmed, ETM accelerates mitigation through patching, isolation, and compensating controls, delivering up to 70% faster remediation for validated threats. Agent Val then re-tests exposures using TruConfirm technology, verifying that risks are resolved evidence organizations can use for executive reporting and board oversight.
“Having a vulnerability does not equal risk,” said Qualys CEO Sumedh Thakar. “Agent Val gives defenders AI-driven certainty, enabling risk reduction at scale.”
Agent Val is now generally available as part of Qualys ETM.
