HelpnetSecurity

Picus Autonomous Exposure Validation Platform validates real-world CVE exploitability


Picus Security has launched the Picus Autonomous Exposure Validation Platform, built for a world where frontier AI has collapsed the time between disclosure and attack.

Adversaries now weaponize new CVEs in hours, against a backdrop of around 132 published every day. A CVE drops; it is rated 9.8. Leadership asks, “Are we exposed?” and most teams cannot say whether the attack would even work against their controls. In the post-Mythos era, “Mythos-ready” has become shorthand for the question now reaching the boardroom: Can we withstand AI-powered attacks, and can we prove it?

“Finding the exposure was never the hard part,” said Volkan Erturk, CTO of Picus Security. “The hard part is acting on the right issue: the defensible decision, the fix that closes the gap, and the evidence it worked. This platform validates attack surfaces, exposures, and security controls as one loop, then drives the fixes that matter to closure and re-validates them, at the speed AI-powered threats now demand.”

One platform, not three tools

The platform converges three validation disciplines, breach and attack simulation, autonomous penetration testing, and exposure validation, into a single context-aware loop. Picus Breach and Attack Simulation continuously tests what an organization’s EDR, SIEM, firewall, and WAF actually block and detect, then ships the fixes and re-validates that the gap is closed.

Picus Autonomous Penetration Testing executes real exploit chains against reachable assets, showing what an attacker can actually reach and do rather than what a CVSS or EPSS score predicts. And Picus Exposure Validation answers the question that those tools cannot reach: whether a given CVE is exploitable here, against these controls, on the day it is disclosed.

Exposure Validation: proof for every CVE, not just the ones you can pentest

A 9.8 severity score describes how dangerous a vulnerability is in theory. It does not tell you whether your controls would stop it, or whether the attack would even work in your environment. Picus Exposure Validation answers that. It decomposes each vulnerability into the exploit primitives an attacker must execute, then validates the chain against your real control stack to determine, per asset, whether the path executes and which control stops it, or that nothing does.

Picus validates the moment a CVE is published, reaching even the restricted assets, and the CVEs with no safe exploit that stand-alone automated penetration testing cannot. When a patch is weeks away, it recommends a compensating control for each step in the chain; because those primitives recur across CVEs, hardening one blocks a whole family of attacks.

Picus Swarm: a workforce of AI agents, not a tool

AI accelerates both sides: Adversaries weaponize vulnerabilities faster, and defenders ship detections, configs, and changes faster too. Every change raises the question only validation can answer: Did your defense get better, get worse, or not move at all, and no team can manually respond at the rate CVEs now arrive. Picus Swarm solves this challenge. Five specialist agents (Discovery, Exploitation, Validation, Mobilization, and Reporting) are orchestrated by Numi AI, which senses what changes, decides which workflow it matters for, and conducts the run end to end, so the output is decisions and verdicts, not raw alerts.

The swarm runs on the Picus data fabric, grounded in your assets, exposures, and control effectiveness, and stays under your control: You choose the autonomy level per workflow step, Manual, Supervised, or Fully Autonomous, with full audit trails.

Proven at enterprise scale

At a Fortune 100 financial-services firm, a single simulation surfaced a 15-hour detection-logging lag in a leading XDR, a blind spot that was invisible until validated. “We thought our detection coverage was solid, and on paper it was,” said the firm’s chief information security officer. “Picus showed us a gap no dashboard had flagged, and then proved it was closed once we fixed it.” Across deployments, customers reach 2x security control effectiveness within 90 days and an 89% reduction in MTTR, with 75+ integrations feeding the platform across the stack.



Source link