Customer Wins: Agentic Exposure Management in Numbers
Over the past year, we invested deeply in AI research and partnered with leading security teams to build AI Agents that can take millions of vulnerability findings across tools and systems and resolve them without humans in the loop.
The results surprised many teams at first.
Across ZEST Security customers in 2025, AI Agents dismissed over 11 million vulnerabilities, prevented more than 129,000 tickets from ever being opened, and saved more than 600,000 hours of security and engineering effort (operational toil). At the same time, these same customers fully remediated more than 386,000 vulnerabilities and mitigated another 36 thousand through targeted controls and guardrails.
At first glance, some metrics appeared counterintuitive. Ticket volume was radically reduced. The number of fixes deployed by engineering teams dropped significantly. Yet exposure declined at a magnitude most organizations had never achieved before. This was the moment many security leaders realized that efficiency and risk reduction are not opposites. They are tightly correlated when exposure management is done correctly.
The Failure of Scoring in Vulnerability Management
For years, vulnerability management and CTEM programs have relied on a simple but flawed model. Aggregate findings from scanners and tools. Apply scoring systems such as CVSS, EPSS, and KEV. Check if something is publicly accessible. Open tickets. Push remediation downstream. Measure success by volume processed.
The result is predictable. Backlogs grow. Time to remediate increases. Engineering teams lose trust in security prioritization. Security regulations become harder to satisfy because evidence of risk reduction is unclear.
More effort produces less impact.
When our customers shifted to dynamic exposure reduction
What changed in 2025 was not another scoring model. It was a shift in mindset.
Instead of treating vulnerabilities as independent findings, AI Agents analyze them as part of an interconnected exposure graph. They unify vulnerability data across all security tools and environments and reason about exploitability, reachability, asset criticality, and compensating controls together.
AI Agents validate whether a vulnerability can actually be exploited in a specific environment, whether it is reachable from an attacker path, and whether existing mitigations already reduce risk. The outcome is not a ranked list of CVEs. It is a dramatically smaller set of issues that truly increase exposure.
This is why millions of vulnerabilities were dismissed. Not ignored. Proven irrelevant based on evidence.
Learning to Manage AI Agents Instead of Backlogs
One of the most important shifts we observed among customers was operational, not technical. Security teams stopped spending their days sifting through vulnerability lists and started managing AI Agent recommendations.
Instead of reviewing thousands of findings daily, teams review a concise set of AI-generated decisions with clear explanations of why a vulnerability was dismissed, mitigated, or prioritized for remediation. Evidence is attached. Assumptions are explicit. Recommendations are traceable.
This changes the role of the security team. Less triage. Less manual correlation. More oversight and governance. More time spent aligning remediation with engineering and business priorities.
Unified vulnerability management becomes real when humans manage outcomes and AI manages scale.
Why AI Is the Missing Piece for Smart Remediation
Remediation has always been the hardest part of exposure management, not because fixes are technically complex, but because the decision space is too large for humans to reason through at scale. Traditionally, teams attempt to solve one vulnerability with one fix, without understanding how that fix affects the broader environment.
AI Agents approach remediation differently. They reason backward from exposure reduction goals and simulate multiple remediation pathways before recommending action.
Instead of asking how to fix a single CVE, AI Agents evaluate different resolution paths across the environment. These paths may include enforcing cloud guardrails, applying mitigation controls, patching shared base images, modifying infrastructure-as-code policies, or changing runtime configurations. Each option is simulated and measured based on how many vulnerabilities it resolves, what assets are impacted, and how overall exposure is reduced.
Humans are constrained to evaluating one or two remediation options at a time. AI Agents can simulate dozens of remediation pathways in parallel, compare blast radius and effectiveness, and identify the action that delivers the greatest exposure reduction with the least operational cost.
This is how customers achieved outcomes such as a single remediation action eliminating over 26 thousand vulnerabilities in production. The focus shifts from patching everything to fixing the right thing.
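The comparison of remediation paths described above can be sketched as a small ranking problem. This is an added illustration, not ZEST Security's algorithm: it uses a plain greedy heuristic, and the finding fields, exposure weights, action names and costs are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    fid: str
    asset: str
    reachable: bool   # on an attacker path in this environment
    mitigated: bool   # a compensating control already covers it
    weight: int       # assumed exposure weight (asset criticality)

# Constructed sample data: several services share one base image.
FINDINGS = [
    Finding("F1", "api", True, False, 5),
    Finding("F2", "web", True, False, 3),
    Finding("F3", "worker", True, False, 3),
    Finding("F4", "batch", False, False, 4),  # not reachable: dismissed
    Finding("F5", "api", True, True, 5),      # already mitigated: dismissed
    Finding("F6", "db", True, False, 8),
]
# Hypothetical remediation paths: name -> (findings resolved, operational cost)
ACTIONS = {
    "patch-shared-base-image": ({"F1", "F2", "F3", "F4"}, 2),
    "patch-api-only": ({"F1", "F5"}, 1),
    "restrict-db-network-policy": ({"F6"}, 1),
    "upgrade-db-engine": ({"F6"}, 5),
}

def live_exposure(findings):
    """Keep only findings that are reachable and not already mitigated."""
    return {f.fid: f.weight for f in findings if f.reachable and not f.mitigated}

def plan(findings, actions, budget):
    """Greedy pick: most exposure removed per unit of cost, within budget."""
    remaining, chosen = live_exposure(findings), []
    while True:
        best, best_ratio = None, 0.0
        for name, (resolves, cost) in actions.items():
            gain = sum(remaining.get(fid, 0) for fid in resolves)
            if name not in chosen and cost <= budget and gain / cost > best_ratio:
                best, best_ratio = name, gain / cost
        if best is None:
            return chosen, remaining  # nothing affordable reduces exposure
        resolves, cost = actions[best]
        budget -= cost
        chosen.append(best)
        for fid in resolves:
            remaining.pop(fid, None)
```

Credit is given only for findings that still count as live exposure, so an action that mostly touches unreachable or already mitigated findings ranks low even when its raw finding count is high.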
Vulnerability Remediation Limitation? Not with AI
There is a reality every mature security organization eventually accepts. You cannot remediate everything critical.
What 2025 made clear for our customers is that deep prioritization is not optional. It is the only way forward. The goal of exposure management is not vulnerability elimination. It is exposure elimination.
AI enables this by making prioritization brutally precise. Vulnerabilities that do not materially increase risk are deprioritized or dismissed. Where remediation is not immediately possible or time is critical, AI Agents recommend mitigation controls that measurably reduce exposure.
Security teams stop chasing volume and start optimizing impact.
2026 - Future of AI CTEM
2025 was the year many organizations realized that traditional vulnerability management workflows cannot keep up with modern environments. Opening more tickets does not lead to better security outcomes. Better decisions do.
By combining unified vulnerability management, AI-driven exposure analysis, and simulated remediation pathways, customers radically reduced time to remediate while shrinking their attack surface at scale.
AI Agents are not here to automate tasks. Built correctly, they deliver outcomes humans cannot achieve on their own.
In 2026, ZEST Security and our customers will continue to push this boundary. Fewer tickets. Smarter remediation. Measurable exposure reduction. That is what modern CTEM programs should look like.
More to come.







