Qualys adds Agent Val exploit validation to Enterprise TruRisk Management

Qualys has launched Agent Val, a new capability within its Enterprise TruRisk Management (ETM) platform aimed at validating whether security exposures are actually exploitable in production environments and then driving prioritised remediation. The company said the tool is designed for use in a Risk Operations Centre (ROC) and is now generally available as part of Qualys ETM.

Qualys positioned the release against a broader challenge for security teams: an increasing volume of known exploited vulnerabilities and persistent delays in remediation. The company cited research indicating the volume of known exploited vulnerabilities has grown 6.5 times over the past four years, while the share of critical vulnerabilities still open after seven days has increased. It also claimed “time to exploit” has fallen to “minus one day”, suggesting exploitation can begin before patches are available.

Melinda Marks, practice director for cybersecurity at Omdia, said organisations often rely on metrics that describe risk but do not consistently translate into action. She said a next step in maturity is extending attack path analysis through exploit validation to turn “potential exposure into operational certainty”, and described offensive validation as an area where many programs still have gaps.

According to Qualys, Agent Val is powered by its TruConfirm technology and acts as an orchestration layer within ETM. The company said it identifies exposures for validation using business context and asset criticality, safely tests exploitability in live environments, and feeds confirmed results back into ETM to drive remediation.

Qualys said Agent Val is intended to support three stages: validating exploitability, mitigating confirmed risks beyond patching where required, and revalidating after changes to confirm the exploit path is closed. It also stated the system covers more than 1,600 CVEs and does not require a new sensor deployment.

Florian Bielak, CISO at BitMEX, said the approach could help shift prioritisation away from theoretical scoring models toward evidence-based validation of attack paths at scale, with the aim of reducing time spent on low-impact findings.

Qualys president and CEO Sumedh Thakar said exploitability in a specific environment should be the key factor in assessing risk and that the tool is intended to reduce reliance on assumptions as exploit timelines shrink.

Qualys said Agent Val is included in ETM and is available now.
