
Good morning, security frontrunners
In this week’s cyber AI breakdown you’ll learn:
Why Defensive AI is moving from finding vulnerabilities to fixing production systems.
How tools like Qualys Agent Val are trying to close the exposure window.
Why Firefly’s self-healing infrastructure shows where cloud security and agentic automation are heading.
The metrics that matter with defensive AI.
Why you should follow the graduated autonomy ladder.
DEEP-DIVE
Defensive AI is crossing a line it used to stay behind - fixing production.
It used to be that AI finds the problem and humans decide what to do about it.
That’s no longer the case.
The newest tools don't stop at "this is exploitable." They patch it, isolate it, or roll it back (all on their own).
This is the blue team’s answer to the exponentially increasing number of vulnerabilities, amplified by offensive AI tools like Mythos.
Agent Val
Qualys debuted Agent Val in March, which they claim is the first AI agent for safe exploit validation and autonomous remediation.

"Autonomous" being the word that should make you lean in, and the word that should make you nervous.
Here's the problem it's built for.
Vulnerability management has always run a backlog. Scanners flag thousands of vulns, teams patch as quickly as they can, but it takes time, and some stay unpatched for weeks.
This is known as the “exposure window”. The time between finding the vuln and actually patching it.
That window is the enemy.
Industry threat reporting now shows that up to one-third of exploited vulnerabilities are exploited on the day they're disclosed or the day before. So a quarterly patch cycle just ain’t cutting it anymore.
The idea of autonomous remediation is to close that window at machine speed, by doing the fixing, not just the finding.
Qualys’ Agent Val, for example, isn’t just an "auto-patch." It’s a three-step loop:
Validate. Before it touches anything, the agent confirms the exposure is actually exploitable in your environment - reachable, attacker-controllable, given your asset criticality. A scanner says "this looks bad." The agent tries to prove it.
Mitigate. Once it's confirmed, the fix isn't only "deploy a patch." It extends to mitigation controls and isolation - buying down risk even when no patch exists yet.
Revalidate. After the fix, the agent runs validation again to prove the exploit path is closed and the control actually works.
Most automation stops at "change applied." This stops at "risk reduced" - and proves it. The shift is from assumption to evidence.
Qualys are claiming Agent Val:
filters out 90% of theoretical findings, by proving which vulnerabilities pose a real-world threat.
offers a 70% faster time-to-remediate on confirmed-exploitable findings across 1,600+ CVEs.
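To make the validate, mitigate, revalidate loop concrete, here is an added sketch (not Qualys code, and not from the original newsletter). The `Finding` and `Env` types, the port-based notion of "exploitable" and both mitigation functions are assumptions chosen to show one thing: a change that fails revalidation is rolled back and escalated instead of being counted as a fix.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    finding_id: str              # constructed placeholder, not a real CVE
    port: int                    # service the scanner flagged
    attacker_controllable: bool  # can untrusted input reach the flaw?

@dataclass
class Env:
    open_ports: set              # toy stand-in for real network exposure
    audit: list = field(default_factory=list)

def exploitable(env, f):
    """Validate: reachable AND attacker-controllable here, not just flagged."""
    return f.port in env.open_ports and f.attacker_controllable

def close_port(env, f):
    """Working mitigation: isolate the service. Returns an undo callback."""
    env.open_ports.discard(f.port)
    return lambda: env.open_ports.add(f.port)

def wrong_port(env, f):
    """Broken mitigation: a change is applied but the exposure remains."""
    had = (f.port + 1) in env.open_ports
    env.open_ports.discard(f.port + 1)
    return lambda: env.open_ports.add(f.port + 1) if had else None

def remediate(env, f, control):
    """Run validate -> mitigate -> revalidate and record the outcome."""
    if not exploitable(env, f):
        outcome = "skipped_not_exploitable"   # theoretical finding, no change
    else:
        undo = control(env, f)
        if exploitable(env, f):               # revalidate: did risk drop?
            undo()                            # roll back a change that proved nothing
            outcome = "rolled_back_escalate"
        else:
            outcome = "risk_reduced"
    env.audit.append((f.finding_id, control.__name__, outcome))
    return outcome

if __name__ == "__main__":
    env = Env(open_ports={22, 8080, 8081})    # constructed sample environment
    hot = Finding("FINDING-1", 8080, True)
    print(remediate(env, hot, wrong_port))
    print(remediate(env, hot, close_port))
    print(remediate(env, Finding("FINDING-2", 9200, True), close_port))
    print(env.audit)
```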
Firefly
Then, there’s “self-healing infrastructure”.
Firefly, the “Autonomous Cloud Infrastructure Platform” that received $23mil in Series A funding last year, is one of the best examples of this.

With self-healing infrastructure, the agent lives in your CI/CD pipeline and watches for drift - the live environment quietly deviating from the declared "desired state" - then reconciles it automatically.
The base mechanism of self-healing infrastructure isn’t new; it’s basically a GitOps reconciliation loop with an AI agent bolted on. So now, instead of just reverting to the last manifest to reverse drift, an LLM-driven agent:
diagnoses why drift happened,
does root-cause analysis, and
opens a remediation pull request.
Firefly does this by continuously comparing every live cloud resource against its declared IaC config and flagging any deviation caused by a manual change or API call. It then uses AI to generate a remediation pull request automatically.
Its bigger ambition is to become an agentic cloud control plane for infrastructure teams. A platform that discovers what is running in the cloud, figures out what is actually managed as code, generates Infrastructure-as-Code, enforces governance, and helps rebuild environments after outages or cyberattacks.
The interesting shift here isn’t that infrastructure can “heal” itself. Kubernetes and GitOps have been reconciling desired state for years.
The shift is that the definition of “healthy” is becoming agent-mediated.
In the old model, your YAML file was the source of truth. In this new model, the agent interprets the cloud, decides what drift means, proposes the fix, and eventually may apply it.
It turns messy cloud sprawl into something governable and recoverable.
The numbers aren’t giving the full picture
Qualys claims 70% faster time to remediation. Seemplicity, a similar tool, claims 4× remediation velocity. There are also self-healing infrastructure papers out there claiming 6.9 minutes to detect and remediate drift.
The thing is, every one of those measures speed. None of them measure safety.
The figures that matter for trusting an agent in production are the ones companies often don’t publish.
How often it applies the wrong fix
How often it breaks something
How often it misses the real exploit
Unlike the pentest-agent world, which has independent benchmarks like CVE-Bench, there's no neutral scoreboard here.
Only vendor decks.
Letting an agent change production opens up failure modes that flagging never had.
The first is a new attack class called "malicious remediation."
If an attacker can shape what your agent believes the "desired state" or "the fix" should be, they don't need to breach you. They wait for your AI to remediate the environment into an exploitable configuration.
Your healing loop becomes the attack.
The second is duller and more likely - the agent misreads a legitimate change as drift, reverts it, and causes the outage it was supposed to prevent.
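Both failure modes can be guarded in the reconciliation step itself. The following is an added example, not Firefly's code and not from the original newsletter: it refuses to act on a desired state it cannot authenticate, and it never auto-applies a change that loosens a guarded control. The `UNSAFE` policy table, the setting names and the HMAC key handling are assumptions; the HMAC stands in for whatever signing your pipeline actually uses.

```python
import hashlib
import hmac
import json

# Assumed policy floor: values the agent may never apply on its own.
UNSAFE = {"public_access": True, "encryption": False, "mfa_required": False}

def sign(desired, key):
    """HMAC over canonical JSON; stands in for a signed commit or manifest."""
    blob = json.dumps(desired, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def plan_remediation(desired, signature, live, key):
    """Return (action, changes) for one resource's drift."""
    if not hmac.compare_digest(sign(desired, key), signature):
        return "reject_unauthenticated_desired_state", {}
    drift = {k: v for k, v in desired.items() if live.get(k) != v}
    if not drift:
        return "in_sync", {}
    # Reverting to "desired" would loosen a guarded control: never automatic.
    weakening = {k: v for k, v in drift.items() if k in UNSAFE and UNSAFE[k] == v}
    if weakening:
        return "hold_for_human", weakening
    return "open_pull_request", drift

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: held by the pipeline, not the agent
    desired = {"public_access": False, "encryption": True, "size": "small"}
    sig = sign(desired, key)
    live = dict(desired, public_access=True)       # someone opened it by hand
    print(plan_remediation(desired, sig, live, key))
    tampered = dict(desired, public_access=True)   # desired state edited after signing
    print(plan_remediation(tampered, sig, live, key))
    loose = {"public_access": True}                # validly signed but unsafe
    print(plan_remediation(loose, sign(loose, key), {"public_access": False}, key))
```

The third case is the one that also covers the duller failure: a live setting that is stricter than the declared one is held for a human instead of being "healed" back open.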
Graduated Autonomy
This is why every serious treatment lands on the same answer - graduated autonomy.
Here, you climb a ladder:

Each rung is earned as the system proves itself.
Underneath it, you need real rollback, enforced change windows, and a full audit log of what the agent saw, decided, and did.
Turn autonomy on before that scaffolding exists and you've automated your own incidents.
Don’t get us wrong, the exposure-window problem is real, and an agent that validates before it fixes is genuinely useful. It kills the wasted effort on unreachable "criticals."
But take the ladder approach... and judge it on the numbers vendors won't give you - wrong-fix rate and outage rate, not just time-to-remediate.
Move it up the autonomy ladder only when it's earned the next rung.
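If vendors won't publish wrong-fix and outage rates, you can compute them from your own audit log and let those numbers decide the rung. This is an added example, not from the original newsletter or any vendor: the `Action` fields, the numbered rungs and all three thresholds are assumptions to replace with your own.

```python
from dataclasses import dataclass

@dataclass
class Action:                      # one audit-log entry (field names assumed)
    finding: str                   # what the agent saw
    fix: str                       # what it decided and did
    exploit_closed: bool           # revalidation result after the change
    reverted_by_human: bool        # an operator undid it: counts as a wrong fix
    caused_outage: bool            # linked to an incident

# Assumed thresholds; set them from your own risk appetite.
MIN_ACTIONS, MAX_WRONG_FIX, MAX_OUTAGE = 20, 0.05, 0.0

def safety_metrics(log):
    n = len(log)
    if n == 0:
        return {"actions": 0, "wrong_fix_rate": None, "outage_rate": None}
    wrong = sum(a.reverted_by_human or not a.exploit_closed for a in log)
    outages = sum(a.caused_outage for a in log)
    return {"actions": n, "wrong_fix_rate": wrong / n, "outage_rate": outages / n}

def next_rung(current, log, top=3):
    """Rungs are numbered 0 (least autonomy) to `top`; move one step at most."""
    m = safety_metrics(log)
    if m["actions"] == 0:
        return current                          # no evidence, no change
    if m["outage_rate"] > MAX_OUTAGE or m["wrong_fix_rate"] > MAX_WRONG_FIX:
        return max(current - 1, 0)              # demote on bad evidence
    if m["actions"] >= MIN_ACTIONS:
        return min(current + 1, top)            # promote only with enough history
    return current

def sample_log(n, wrong=0, outages=0):
    """Constructed audit log: n actions, the first few marked bad."""
    return [Action(f"FINDING-{i}", "isolate", i >= wrong, False, i < outages)
            for i in range(n)]

if __name__ == "__main__":
    print(next_rung(1, sample_log(40, wrong=1)))    # 2.5% wrong fixes, no outage
    print(next_rung(1, sample_log(40, outages=1)))  # one outage
    print(next_rung(1, sample_log(5)))              # clean but too little history
```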
This is the moment defensive AI stops being a smarter dashboard, and starts being a hand on the controls. That's a real capability jump AND a real concentration of risk in the same step.
That’s it for this week!
See you next Sunday 🙂
Zac S from The Cyber Breakdown