HackerOne Adds AI Agent to Validate Vulnerabilities
HackerOne has introduced an AI agent that validates whether vulnerabilities are real, reducing the time wasted by security teams and developers. The AI was trained using a CTEM methodology; it assesses vulnerabilities, eliminates duplicates and recommends remediation priorities, and it reduced validation time by 56% within five months. This helps improve efficiency and strengthen trust between teams.

2026-2-26 22:41:24 Author: securityboulevard.com


HackerOne has added an artificial intelligence (AI) agent to its platform that validates whether a vulnerability actually exists within an IT environment to reduce the amount of time cybersecurity teams and application developers would otherwise spend researching a potential threat.

Michiel Prins, head of product for HackerOne, said this extension to the Hai agentic AI system that HackerOne embedded into its platform for contracting ethical hackers will make it easier to prioritize remediation efforts based on the actual risk to an organization.

That extension assesses a vulnerability, determines if there might be any duplicate effort, and comes up with a recommendation based on the level of priority assigned. Among early adopters, HackerOne claims this agentic AI capability in the past five months has reduced by 56% the amount of time required to validate a vulnerability.

The AI agent itself was trained using a Continuous Threat Exposure Management (CTEM) methodology to identify exposures across your environment, validate what’s real, prioritize based on context, and drive remediation, noted Prins. That’s critical because the percentage of vulnerabilities that actually affect a specific IT environment is usually very small, he added.

It’s not clear how much effort is being wasted tracking down vulnerabilities that ultimately turn out to be either a false positive or not actually exposed to the Internet, but there is no love lost between the application developers and IT operations teams that need to investigate these issues and the cybersecurity teams that are responsible for compiling a list of vulnerabilities. Many of the vulnerabilities that cybersecurity teams ask developers and IT operations teams to investigate wind up not being present. Unfortunately, over time developers and IT operations teams wind up ignoring vulnerability reports until, of course, one inevitably winds up being exploited.

In the absence of any ability to validate a vulnerability, trust between those teams is only going to erode, noted Prins.

Hopefully, more organizations are investing in DevSecOps best practices to reduce the overall number of vulnerabilities that might find their way into a production environment in the first place. Eventually, much of the tension that vulnerabilities currently create will be reduced by AI agents that are able to not only discover and validate vulnerabilities but also remediate them. While a human should always review a patch before it is applied, there are also many patches that can be applied with a relatively low risk of adversely impacting an application environment.

In the meantime, however, adversaries are now also using AI tools to both discover vulnerabilities and exploit them faster than ever, so it’s possible the percentage of vulnerabilities being exploited in IT environments might increase. While there are legitimate concerns about testing a patch that might break an application, the risks associated with not applying a patch in a timely manner are clearly increasing. The challenge, as always, is finding a way to strike the right balance between two potentially suboptimal outcomes that everyone involved has a vested interest in avoiding at all costs.



Article source: https://securityboulevard.com/2026/02/hackerone-adds-ai-agent-to-validate-vulnerabilities/