Snir Ben Shimol, CEO and co-founder of Zest Security, talks about why vulnerability and exposure management has become one of the most stubborn problems in security operations. Ben Shimol argues that the numbers are getting worse, not better. Exploitation has become the top initial access path, new CVEs keep piling up and teams are still drowning in triage and remediation work that remains largely manual.

Zest’s answer is what it calls AI Sweeper Agents. The concept is straightforward: instead of handing security teams an even larger list of findings, use AI agents to determine which vulnerabilities in a specific environment are actually reachable and exploitable. Ben Shimol describes the agents as mimicking the work of a senior security engineer at scale. They ingest vulnerability details, identify the real requirements for exploitation and compare those requirements to evidence in the customer’s environment, such as network placement, permissions and configuration. If key conditions are missing, the vulnerability is swept out of the backlog. If the conditions are met, it stays for prioritization and remediation.

Ben Shimol says this approach can eliminate the bulk of findings that teams feel compelled to chase, claiming Zest has swept more than 11 million vulnerabilities across customers. The result, he says, is waking up to a backlog that is dramatically smaller, leaving teams able to focus on the issues that actually matter rather than spending cycles on noise.

The conversation also touches on a familiar friction point: audits and compliance. Ben Shimol notes that highly regulated customers initially faced pushback when large portions of a backlog disappeared, but argues that the agents provide evidence-based reasoning that auditors can review, turning subjective arguments into documented facts.

For security leaders buried under vulnerability volume, this is a look at how agentic AI is being positioned to reduce manual triage and help teams focus remediation where it reduces risk.