Blog
Product
Announcing Autonomous Vulnerability Response: Closing the Loop at Machine Speed
Cogent's Autonomous Vulnerability Response capability closes the loop from vulnerability detection through remediation and validation without human intervention, at whatever autonomy level the customer configures.
6 minutes read

Today, we're announcing Autonomous Vulnerability Response (AVR), the first end-to-end autonomous AI vulnerability response capability proven in production. AVR runs the full vulnerability response lifecycle, from detection through validation, without human intervention where policy allows and with human oversight where policy requires. It is running at production scale across customer environments today.
AVR builds on the foundations we shipped in May. Zero Day Response identifies exposure within minutes of disclosure. Autonomous Remediation finds the optimal fix, scores change impact, and executes through existing tools. AVR brings together the end-to-end vulnerability response lifecycle and runs it as one continuous autonomous workflow, backed by production outcomes.
The urgency has not eased since May. In the months since Anthropic's Mythos Preview announcement, AI-assisted exploit development has continued to compress the timeline between disclosure and working attack code. The average enterprise still takes weeks or months to close a critical vulnerability. Attackers are now working in hours.
The tempo gap keeps widening
In our May research, Cogent Research found that 62% of critical vulnerabilities with a known exploit had that exploit circulating before any scanner released a detection signature. The average scanner lag on critical CVEs was 2.7 days. Those findings have held.
What has changed is what attackers can do inside that window. AI now handles the techniques that used to require an experienced offensive team. Chaining exploits, evading endpoint detection, and moving laterally are increasingly automated. A CVE announcement that a year ago would have sat low in the queue because weaponizing it required specialist attention is now something an average attacker can turn into a working exploit in hours.
Adding analyst hours does not close this gap. There aren't more analysts to add, and the fastest analyst still moves at human tempo. The velocity of the response has to come from somewhere else.

Closing the loop: Autonomous Vulnerability Response
AVR is the workflow that runs detection, investigation, remediation, and validation as one continuous process.
Agentless zero-day detection
AVR identifies exposure to new vulnerabilities within roughly 10 minutes of publication. It covers formal CVE advisories, pre-CVE disclosures, and supply chain events. Without installing any new agents on assets, detection is grounded in software inventory the customer's tooling already tracks, live threat intelligence, and Cogent's proprietary knowledge layer.
Autonomous investigation
Once an exposure is identified, the Cogent agent workforce runs the investigation. Agents gather evidence across the customer environment, correlate signals against the asset, ownership, and compensating controls data Cogent already holds, and produce a findings package with the reasoning preserved.
Autonomous remediation
The remediation stage produces the fix, validates to check for downstream impact, generates a Work Item with the owner and instructions attached, and dispatches to Jira or ServiceNow. For assets in the customer's autonomous zone, the remediation begins deploying under the customer's configured guardrails. For assets that require human approval, the plan waits in the queue with full context.
Closed-loop validation
Most VM programs mark findings remediated when the action was taken. Cogent treats remediation as incomplete until the fix is independently confirmed through a scanner rescan or SBOM rebuild. If the fix did not hold, the Work Item reopens automatically. Closure requires validation, not a ticket status change.

What our customers see
Corey Kaemming, CISO at Valvoline Instant Oil Change, and Shawn Kerns, Head of Information Security at the University of the Pacific, are two of the practitioners running AVR in production today.
A few things stood out from the conversation.
Corey put a number on the operational difference. Valvoline is seeing roughly an 80% reduction in response time on zero-day, P1, and P2 incidents. In his framing, the shift is "minutes versus hours."
Shawn described what his team walks into. "When I come in in the morning I see a zero-day that pops up, that analysis step has been performed, the action plans are built and ready to go." The morning triage that used to take the first hours of the morning is done before his team arrives.
Both were also clear about the trust ceiling. Corey: "autonomy without governance is very hard to defend to the board, auditors, and even my leadership team." Shawn: "patches to critical infrastructure, I think that's gonna be an area where there's still a human element."
That guidance shaped how we built AVR.
Where we're headed
Two years ago, running autonomous vulnerability response across the full lifecycle in a production enterprise environment would have read as aspirational. It is now a set of customer references we can point to.
What comes next is expanding the classes of action AVR handles autonomously, tightening the confidence bounds on the assets and controls that surround each decision, and improving the feedback loop for AVR to learn over time.
Cogent's long-term goal has not changed. A VM program measured by how close the attack surface is to zero, not by how well it manages the queue. AVR is the mechanism that makes that metric move.





