Azul launches free JVM vulnerability risk assessment targeting Java security blind spots

Azul has launched a free Java Virtual Machine (JVM) vulnerability risk assessment aimed at helping organisations identify and remediate security risks across their Java environments, amid concerns that AI-enabled attack tools are accelerating exploitation timelines.

The company said advances in autonomous AI are reducing the time between vulnerability discovery and exploitation, increasing the risk posed by unmanaged or unpatched Java estates. Azul said the assessment is intended to provide visibility into JVM instances across an organisation’s environment, including embedded and unmanaged runtimes, and to identify Known Exploited Vulnerabilities (KEVs) and end-of-life Java versions.

According to Azul, the assessment produces a prioritised remediation roadmap covering actions such as patching workloads, migrating off unsupported runtimes and addressing extended support requirements for legacy environments.

The material accompanying the launch cites research and industry commentary suggesting “mean time to exploit” is shrinking from months to days or hours, and argues that incomplete runtime visibility can leave enterprises exposed between vulnerability disclosure and remediation. It also references Anthropic’s “Claude Mythos” as an example of AI systems that can uncover vulnerabilities and generate exploit paths, though no independent validation is provided in the release.

Azul said the assessment is available at no cost directly and through select partners, and is designed for DevOps and SecOps teams. Deliverables listed include an “executive-ready security dashboard”, breakdowns of risk by Java version and publisher, visibility into KEV exposure aligned to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) KEV catalogue, and a remediation plan ranked by impact.

The announcement also positioned Java patching practices as a growing compliance issue for regulated sectors. Azul pointed to frameworks including PCI-DSS, SOX, HIPAA, DORA, NERC CIP and FedRAMP as requiring visibility into deployed software versions, timely vulnerability remediation and documented patch history.

“Anthropic’s Mythos has shown that AI can now discover and weaponise vulnerabilities on its own — including flaws that survived decades of human review. That’s the real lesson for every CISO: the deep expertise that used to stand between attackers and your software estate is no longer a barrier,” said Scott Sellers, co-founder and CEO of Azul. “The unpatched JVM is already a growing liability, not a future one. Azul’s JVM vulnerability risk assessment was created to help security leaders find and close that exposure before AI-driven attackers can exploit it.”

The release also included a customer statement from Newcastle City Council’s head of ICT & Digital, Jenny Nelson, who said a partnership with Azul reduced risk levels for Java applications and infrastructure and improved consistency and maintainability in the council’s Java environment.
