Qualys Debuts Industry's First AI Agent for Safe Exploit Validation and Autonomous Remediation

Rhea-AI Summary

Qualys (NASDAQ: QLYS) launched Agent Val on March 23, 2026, an AI agent inside Enterprise TruRisk Management (ETM) that validates exploitability, automates mitigation, and revalidates controls.

Company says Agent Val yields 90%+ remediation noise reduction, 70% faster time-to-remediate for confirmed exploits, and covers 1,600+ CVEs.

Positive

• 90%+ remediation noise reduction by validating exploitability
• 70% faster time-to-remediate on confirmed exploitable findings
• 1,600+ CVEs covered with no new sensor footprint required
• Generally available now as part of Qualys ETM

Negative

• Known exploited vulnerability volume +6.5x over four years (industry trend)
• Critical vulnerabilities open at Day 7 increased, indicating slower manual remediation
• Time to exploit shrunk to −1 day, meaning exploits occur before patches exist

News Market Reaction – QLYS

+0.93%

3 alerts

+0.93% News Effect

+$30M Valuation Impact

$3.31B Market Cap

0.2x Rel. Volume

On the day this news was published, QLYS gained 0.93%, reflecting a mild positive market reaction. Our momentum scanner triggered 3 alerts that day, indicating moderate trading interest and price volatility. This price movement added approximately $30M to the company's valuation, bringing the market cap to $3.31B at that time.

Data tracked by StockTitan Argus on the day of publication.

Key Figures

Exploited vuln growth: 6.5 times Critical vulns open: Day 7 Time to exploit: minus one day +3 more

6 metrics

Exploited vuln growth 6.5 times Growth in known exploited vulnerability volume over past four years

Critical vulns open Day 7 Percentage of critical vulnerabilities still open at Day 7 increasing

Time to exploit minus one day Attackers exploiting vulnerabilities before patches exist

Noise reduction 90%+ reduction Reduction in remediation noise from exploit validation with Agent Val

Remediation speed 70% faster Improvement in time-to-remediate confirmed exploitable findings

Exploit coverage over 1,600 CVEs Number of CVEs covered by Agent Val validation

Market Reality Check

Price: $89.90 Vol: Volume 1,654,725 is 2.23x...

high vol

$89.90 Last Close

Volume Volume 1,654,725 is 2.23x the 20-day average of 741,084, indicating elevated trading interest into this AI product launch. high

Technical Shares at $96.44 are trading below the 200-day MA of $130.67, sitting 37.97% below the 52-week high and 13.28% above the 52-week low.

Peers on Argus

Peer moves are mixed: BOX up 0.51%, WEX up 4.5%, while STNE is down 2.41% and AC...

Peer moves are mixed: BOX up 0.51%, WEX up 4.5%, while STNE is down 2.41% and ACIW down 0.45%, with OS flat. No common directional sector pattern, suggesting this AI announcement is more stock-specific.

Previous AI Reports

4 past events · Latest: Oct 15 (Positive)

Same Type Pattern 4 events

Date	Event	Sentiment	Move	Catalyst
Oct 15	AI platform expansion	Positive	+0.1%	Expanded ETM with agentic AI for identity, threats, and exploit validation.
Aug 04	AI ROC launch	Positive	+4.0%	Unveiled agentic AI Risk Operations Center with cyber risk AI agents.
Apr 29	TotalAI upgrades	Positive	+1.7%	Enhanced TotalAI to secure MLOps and detect 40 AI attack scenarios.
Aug 05	AI risk controls	Positive	-3.4%	Announced TotalAI to de-risk generative AI and LLM usage for enterprises.

Pattern Detected

AI-related announcements have historically produced modest average moves of 0.61%, with mostly positive but sometimes mixed price reactions.

Recent Company History

Over the past two years, Qualys has steadily expanded its AI and risk operations capabilities. Prior AI-tagged releases introduced the agentic AI fabric for Enterprise TruRisk Management (ETM), launched a marketplace of Cyber Risk AI Agents, and rolled out TotalAI to secure generative AI and LLM workloads. These updates focused on automated risk insights, exploit validation, and AI workload protection. Today’s Agent Val launch builds directly on TruConfirm and prior AI fabric work, deepening ETM’s exploit validation and autonomous remediation focus within the Risk Operations Center.

Historical Comparison

+0.6% avg move · AI-related launches for Qualys have historically led to relatively modest average moves of 0.61%, wi...

AI

+0.6%

Average Historical Move AI

AI-related launches for Qualys have historically led to relatively modest average moves of 0.61%, with mostly constructive but occasionally mixed price reactions.

AI updates progressed from securing AI and LLM usage, to launching AI risk agents and an AI fabric in ETM, to deeper exploit validation and autonomous remediation with Agent Val.

Market Pulse Summary

This announcement deepens Qualys’ AI roadmap by embedding Agent Val into ETM for safe exploit valida...

Analysis

This announcement deepens Qualys’ AI roadmap by embedding Agent Val into ETM for safe exploit validation and autonomous remediation. The company highlights a 90%+ reduction in remediation noise, 70% faster remediation on confirmed findings, and coverage of over 1,600 CVEs. In context of prior AI expansions to ETM and TotalAI, this extends the focus on evidence-based risk reduction. Investors may track adoption, measurable risk metrics, and how these capabilities influence future financial results.

Key Terms

exploit validation, cvss, cves

3 terms

exploit validation technical

"“The next step in maturity is extending attack path analysis through actual exploit validation, turning potential exposure into operational certainty.”"

Exploit validation is the process of confirming whether a reported software or system weakness can actually be used to break into or damage a product or network. Think of it like testing whether a claimed hole in a ship really lets water in; it tells managers how urgent fixes are, how big potential losses or regulatory fines might be, and whether customer trust or operations are at real risk. Investors watch exploit validation because it affects expected costs, liability, and the company’s reputation — all of which can change the stock’s outlook.

cvss technical

"“shift away from a reactive posture based on theoretical CVSS scores to a disciplined, evidence-based model.”"

Common Vulnerability Scoring System (CVSS) is a standardized way to rate the severity of software security flaws on a numeric scale, summarizing how easily a vulnerability can be exploited and how much damage it could cause. For investors, CVSS scores act like a storm severity chart for a company’s digital systems — higher scores signal greater operational, financial and reputational risk, possibly leading to remediation costs, downtime, or regulatory scrutiny that can affect a firm’s value.

cves technical

"“With over 1,600 CVEs covered, Agent Val provides unmatched coverage with no new sensor footprint required.”"

CVEs (Common Vulnerabilities and Exposures) are unique ID numbers assigned to publicly known security flaws in software or hardware, like a catalog entry that describes a specific weak spot. For investors, CVEs matter because they signal potential risks to a company’s systems and customer data—similar to a product recall number that warns of problems requiring fixes, which can lead to costs, downtime, regulatory scrutiny, or reputational damage.

AI-generated analysis. Not financial advice.

Agent Val exploits, mitigates and revalidates exposures against compensating controls continuously, dramatically reducing the average window of exposure

FOSTER CITY, Calif., March 23, 2026 /PRNewswire/ -- Qualys, Inc. (NASDAQ: QLYS), a leading provider of cloud-based IT, security and compliance solutions, today launched Agent Val within Enterprise TruRisk Management (ETM) to bring safe, agent-led exploit validation and autonomous risk remediation to the Risk Operations Center (ROC). Agent Val represents a fundamental shift in vulnerability and exposure management from assumption-driven prioritization to evidence-based execution, accelerating response, reducing wasted effort, and delivering measurable reductions to cyber risk.

Research shows that known exploited vulnerability volume has grown 6.5 times in the past four years, while the percentage of critical vulnerabilities still open at Day 7 has increased — proof that manual remediation has hit a hard ceiling. To make matters worse, the time to exploit has now shrunk to minus one day, meaning attackers are exploiting them before patches exist. For CISOs, the challenge is closing the gap between vulnerabilities that look severe on paper and those truly exploitable in production environments, so teams are not wasting valuable time remediating low-impact issues and missing other dangerous exposures. Organizations need proof of exploitability, not assumptions, to move faster and reduce risk with confidence.

"Exposure management efforts often focus on counts, trends, and heat maps that describe risk but don't consistently drive action," said Melinda Marks, practice director for cybersecurity at Omdia. "The next step in maturity is extending attack path analysis through actual exploit validation, turning potential exposure into operational certainty. Validation is critical to risk reduction, and offensive validation remains a significant gap across the market. Capabilities like what Agent Val offers can help teams prioritize real attack paths, move faster, and focus effort where it delivers measurable impact."

Agent Val, powered by TruConfirm, serves as the agentic AI orchestration layer within ETM. It coordinates and identifies high-risk exposures, validates exploitability in production using business context and asset criticality, and feeds confirmed results directly into ETM to drive prioritized remediation and measurable risk reduction with minimal manual effort, shifting security teams from chasing volume to reducing verified risk.

"In an era of infinite vulnerabilities and finite engineering cycles, the primary challenge is no longer discovery—it is the strategic allocation of remediation capital," said Florian Bielak, CISO, BitMEX. "Agent Val with TruConfirm will enable us to further shift away from a reactive posture based on theoretical CVSS scores to a disciplined, evidence-based model. By validating actual attack paths at scale, we'll have a way to effectively eliminate the noise tax, ensuring our lean teams are engineering against real-world risk rather than chasing statistical outliers."

Agent Val enables organizations to:

• Validate real exploitability – Agent Val analyzes exposure signals across assets and determines what should be validated first based on attacker relevance, business context, and exposure. Then, it uses TruConfirm to safely test exploitability in the live environment, providing evidence-based confirmation of whether an exploit path is open, blocked by controls, or unreachable. The result is a 90%+ reduction in remediation noise, so security teams can stop chasing findings that cannot be exploited.
  
  
• Mitigate confirmed risks – Once risk is confirmed, ETM prioritizes that exposure to the top of the remediation queue and extends response beyond patching deployment with mitigation controls and isolation, where patching is not feasible. This enables targeted mitigation to reduce exposure quickly, resulting in 70% faster time-to-remediate on confirmed exploitable findings and allowing engineering teams to prioritize exposures that matter.
  
  
• Prove Risk Reduction —After mitigation, Agent Val runs validation again using TruConfirm to verify that the exploit path is closed, controls are working and risk has been reduced. With over 1,600 CVEs covered, Agent Val provides unmatched coverage with no new sensor footprint required. Teams now have proven exploitability evidence captured for board reporting to show measurable risk reduction.

"Having a vulnerability does not equal risk," said Sumedh Thakar, president and CEO of Qualys. "What matters is whether an attacker can successfully reach and execute an exploit path in your environment. As exploit timelines shrink and adversaries use AI to move faster, the industry can't keep running on assumptions. Agent Val in ETM moves the Risk Operations Center (ROC) from 'we think' to 'we know' to 'it's been taken care of' with minimal manual effort, giving the power of AI back into the hands of defenders to drive measurable risk reduction at scale."

Availability
Agent Val, powered by TruConfirm, is included as part of Qualys ETM and is now generally available. Sign up at https://www.qualys.com/demo/enterprise-trurisk-management to be among the first to experience Agent Val within Qualys ETM.

Additional Resources

• Read our blog post, "Meet Agent Val: Closing the Validation Gap in Exposure Management at Machine Speed with Agentic AI"
• Sign up for a free trial of Qualys ETM at https://www.qualys.com/demo/enterprise-trurisk-management
• Watch the video here
• Follow Qualys on LinkedIn, Instagram and X

About Qualys  
Qualys, Inc. (NASDAQ: QLYS) is a leading provider of cloud-based security, compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.

The Qualys Enterprise TruRisk Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices. Founded in 1999 as one of the first SaaS security companies, Qualys has strategic partnerships and seamlessly integrates its vulnerability management capabilities into security offerings from cloud service providers, including Oracle Cloud Infrastructure, Amazon Web Services, the Google Cloud Platform and Microsoft Azure, along with a number of leading managed service providers and global consulting organizations. For more information, please visit http://www.qualys.com.

Qualys, Qualys VMDR®, Qualys TruRisk and the Qualys logo are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies. 

Media Contact:   
Rachel Yap Winship 
Qualys
Media@Qualys.com

 

View original content to download multimedia:https://www.prnewswire.com/news-releases/qualys-debuts-industrys-first-ai-agent-for-safe-exploit-validation-and-autonomous-remediation-302721708.html

SOURCE Qualys, Inc.

FAQ

What is Agent Val from Qualys (QLYS) and when was it launched?

Agent Val is an AI-driven exploit validation and autonomous remediation agent; it launched on March 23, 2026. According to the company, it runs safe exploit tests, prioritizes confirmed risks, and automates mitigation inside ETM.

How much remediation noise reduction does Agent Val deliver for QLYS customers?

Agent Val delivers a 90%+ reduction in remediation noise by validating real exploitability before remediation. According to Qualys, this evidence-based approach prevents teams from chasing non-exploitable findings.

What remediation speed improvement does Agent Val provide for QLYS clients?

Agent Val yields about 70% faster time-to-remediate for confirmed exploitable findings. According to Qualys, prioritized confirmed risks move to the top of ETM remediation queues and enable quicker mitigations.

How many CVEs does Agent Val cover and does it need new sensors for QLYS?

Agent Val provides coverage for over 1,600 CVEs and does not require a new sensor footprint. According to Qualys, customers gain wide CVE coverage integrated into ETM with existing agents.

Is Agent Val generally available for Qualys ETM and how can organizations try it?

Agent Val is now generally available as part of Qualys ETM. According to the company, organizations can sign up for a demo or free trial via Qualys' Enterprise TruRisk Management demo page.

Why did Qualys build Agent Val and what industry problem does it address for QLYS investors?

Agent Val aims to shift remediation from assumption-driven to evidence-based validation to reduce wasted effort. According to Qualys, this addresses rising exploited vulnerabilities and shrinking time-to-exploit by proving exploitability before remediation.