Agentic SOC Exposure and VulnOps Surface

Per-function deep-dive for the Exposure & VulnOps row of the Agentic SOC Reference Architecture. The function runs continuous exposure and vulnerability discovery, plus remediation, across the whole estate — own code, AI-generated and vibe-coded applications, third-party libraries, container images, and the cloud control plane. It is the SOC’s seam with DevSecOps: where build-time security hands off to operate-and-monitor, and where production exposure is owned. The function is the operational home of VulnOps — discovery and remediation staffed and automated like DevOps rather than run as a quarterly audit cycle.

The agent surface is a pair of worker patterns under the orchestrator: a read-heavy discovery/exposure agent and a state-changing remediation agent. The split is load-bearing. Discovery is reversible and can run at high autonomy; remediation applies a patch or isolates an asset, which is a consequential change to the production estate, so it is gated separately.

The function runs primarily on the RA’s Data & Knowledge plane (the telemetry, asset, and threat-intel substrate it reads) and the Policy & Enforcement plane (the deterministic gate every remediation action crosses). Its autonomy is gated by the CMM gating rule on D1 (Telemetry & Data Readiness) — the asset and exposure data the agents reason over — and D4 (Agent Identity & Action-Authority) — the scoped, blast-radius-bounded authority a remediation agent needs before it may act.

The driver is the time-to-exploit collapse. The Zero Day Clock records the median time from CVE disclosure to first observed exploitation falling from 771 days in 2018 to zero-day in 2025–2026, where the exploit arrives on or before the advisory.1 Periodic vulnerability management — a quarterly pen test plus patch-as-CVE-arrives — is structurally outmatched against continuous AI-driven discovery, and the estate is now too large and too fast-changing for humans to inventory or patch in time.

The agent surface

The function decomposes into two worker patterns on the supervisor-worker topology, kept distinct because they sit on opposite sides of the consequential-action line.

Discovery / exposure agent (read-heavy). Continuously enumerates the estate and maps known and novel exposure onto it: asset and attack-surface inventory, SBOM and dependency-chain resolution, configuration and cloud-control-plane posture, and code scanning across own and AI-generated repositories. It ingests external intelligence — CTI feeds, ISAC data, vendor advisories, GitHub disclosures, government feeds — and maps it automatically onto organization-specific assets, the un-silo discipline Mallory’s VulnOps framing centers.2 Mechanism is hybrid: deterministic scanners and SBOM tooling supply coverage, while AI does the contextualization, reachability reasoning, and exploitability triage that separates the reachable flaws from the noise. Frontier-model code audit — the discovery-capability thesis — sits here, where the harness around the model does the validation work.3

Remediation agent (state-changing). Proposes or applies the fix: a patch, a configuration change, a virtual-patch / compensating control, or asset isolation. It calls the change-management and deployment tooling, and every action crosses the Policy & Enforcement plane’s deterministic gate. This is where the plan-validate-execute pattern bounds what the agent may do, and where D4’s auto / propose / approve / block tiers and blast-radius limits are enforced.

The agents read the Data & Knowledge plane’s asset and threat-intel substrate and write findings into the case/thread investigation substrate — threads, not cases, each a collaborative analyst-agent exchange.2 The human-authority boundary sits asymmetrically: it is light on discovery (read-only enumeration is reversible) and firm on remediation (an applied patch or an isolation is consequential and crosses the approval tier its blast radius warrants).

Autonomy progression

The function’s autonomy is not a single value. Discovery autonomy and remediation autonomy are scored and gated separately, because discovery is read-heavy and reversible while remediation changes production state. A SOC can legitimately run discovery at high autonomy and hold remediation at a lower rung — the common and correct posture.

The gating rule applies per the CMM: a function reaches autonomy L_k only when its governing domains are mature enough to support it. For this function the L2 gates are D1 (the asset and exposure data must be real and reasonably complete) and D4 (a remediation agent must hold scoped, revocable authority before a consequential action it proposes can be approved and bounded). L3 adds D3 (Evaluation) and D5 (Observability); L4 adds D7 (Resilience) and D8 (Governance).

LevelWhat it looks like for this functionGating domains
L0 — ManualQuarterly pen test; vulnerability scan reviewed by hand; patches scheduled in a maintenance window
L1 — AssistedContinuous scanning with AI-assisted triage; the agent ranks and explains findings, a human decides and actsD1 (data to rank against)
L2 — Semi-autonomousDiscovery runs continuously and proposes findings with exploitability and confidence scores; remediation executes routine sub-tasks but every applied patch or isolation needs explicit approvalD1 + D4 (scoped, revocable remediation authority; coarse auto/approve split)
L3 — ConditionalDiscovery autonomous in-bounds; remediation auto-applies low-blast-radius, high-confidence fixes (a virtual patch, a config rollback) within blast-radius limits and escalates out-of-bounds; humans monitorD1, D4 (auto/propose/approve/block tiers + blast-radius limits) + D3, D5
L4 — DelegatedThe function owns the discover-triage-remediate lifecycle within governed bounds; humans govern outcomes and the autonomy-raising decision. Asymptotic — high-blast-radius remediation still terminates at the human boundary+ D7, D8

The defined failure mode is operating above the earned ceiling: granting remediation autonomy the governing domains do not support. Auto-applying patches (L3 remediation) when D4 cannot bound blast radius, or when D3 cannot measure whether the agent’s exploitability triage is correct, is reckless autonomy — a wrong containment or a bad patch is itself an availability incident. The ceiling is set by the weakest governing domain; the common split is discovery several rungs above remediation.

False-positive flood is the bounding risk

AI-generated findings arrive faster than human triage capacity, and most are not reachable in practice. Anthropic’s Glasswing one-month update reported the bottleneck inverting from discovery to verification: of roughly 6,202 estimated high/critical findings, 1,752 were assessed and 75 patched, and maintainers asked Anthropic to slow disclosures.4 JFrog’s 2026 analysis found 66% of analyzed CVEs had a low applicability rate (0–20%) and only 12% were highly exploitable in real environments.5 The discipline that bounds the flood is exploitability triage — severity and confidence scoring, deduplication, and reachability analysis as first-class queue stages — which Mythos-ready PA 11 names as designing VulnOps around triage discipline from the start.

Control landscape (dated)

Vendors and patterns are dated, swappable examples, not endorsements. The function’s spine — continuous discovery, triage, remediation — is mechanism-agnostic; the AI-specific particulars and named products are dated here.

CapabilityWhat ships todayStatus (mid-2026)
Exposure / attack-surface managementContinuous attack-surface and exposure management platforms; cloud security posture management for the control planeGA; an established category
Continuous exposure program modelGartner CTEM as the program spine for continuous discovery, prioritization, validation, and mobilizationGA as a framework; adoption maturity varies
Asset / dependency inventorySBOM generation and dependency-chain resolution; AI-BOM for the AI-component supply chainSBOM GA; AI-BOM emerging
AI-assisted code-audit / discoveryOpenAnt (OSS), Codex Security (OpenAI), Claude Code Security (Anthropic); vendor-internal Big Sleep and CodeMender; Mythos-class models via Glasswing partnersPreview / private-preview for most; vendor-internal for Big Sleep and CodeMender; Mythos is preview-only, no GA planned
Offensive testing at scaleWiz Red Agent, Palo Alto Unit 42 AI pentesting, CrowdStrike Frontier AI ReadinessProductized; vendor-reported coverage figures
Exploitability triageSeverity/confidence scoring, deduplication, reachability and applicability analysis as queue stages; adversarial-reflexion-style false-positive controlPattern-level; the load-bearing scarce-resource discipline
Continuous / autonomous patchingAutomated patch pipelines; virtual patching and compensating controls; autonomous patch deployment where the change is low-blast-radiusEmerging; a growing share of patches now ship without a human in the loop, though most complex applications still patch slowly1
Remediation authority enforcementPlan-validate-execute, policy-as-code, and SOAR/response-platform approval tiers with blast-radius limits (scored by D4)GA as primitives; per-action authority tiering over remediation agents is configuration

The two load-bearing rows are exploitability triage and remediation-authority enforcement. The first bounds the false-positive flood on the discovery side; the second is what lets remediation autonomy rise without surrendering control of production change. AI is the barrier-lowering enabler on the discovery side: continuous code audit and CTI-to-asset mapping become reachable without the bespoke engineering they once required.

Failure modes and what to watch

  • False-positive collapse (discovery side). AI-generated findings exceed human triage capacity, and most are not reachable. Unbounded, the queue buries the exploitable flaws among the noise and the team stops trusting it. Bounded by exploitability triage as a first-class discipline (severity/confidence/dedup/reachability) and by D3 Evaluation, which measures whether the triage is correct. This is the named scarce resource: triage, not patching capacity.45
  • Reckless auto-remediation (remediation side). Auto-applying a patch or auto-isolating an asset with too large a blast radius is itself an availability incident. Bounded by D4 — auto/propose/approve/block tiers, blast-radius limits, a documented rollback and human-override path — and by the deterministic Policy & Enforcement plane gate. Remediation autonomy must never exceed what D4 supports, regardless of how good discovery is.
  • Coverage blind spots. A patch or isolation acts on a defensible picture only if the asset and exposure inventory is real. An un-inventoried asset, a silent telemetry source, or an unresolved dependency is exposure the function cannot see. Bounded by D1: measured coverage against the threat model, not assumed completeness. Mythos-ready PA 7 makes the point — you cannot patch, segment, or defend what you do not know exists.
  • AI-generated and vibe-coded app sprawl. Coding agents in non-developer hands fragment central visibility, and AI-generated code carries its own flaw profile. These apps are in scope for discovery the same as any other estate, regardless of who shipped them. Bounded by full-estate inventory coverage (D1) and the dependency-chain scope of the discovery agent.
  • Triage / hunt fatigue. The function absorbs a volume of work no human team alone can, and the team itself can burn out under the flood. Bounded by treating headcount and reserve capacity as a design parameter, scored under D8 People & Governance.

Right-sizing by org profile

Targets are split discovery / remediation, because the two rungs move independently. The realistic remediation target trails discovery in every band.

BandRealistic autonomy targetWhy
Solo / smallDiscovery L2–L3, remediation L1–L2Near or below the cyber poverty line. Borrow exposure coverage and triage via an MSSP/MDR/ISAC; AI lowers the floor so continuous scanning and AI-assisted triage are reachable without a built-out program. Remediation stays human-approved — a small team’s blast-radius controls are thin, so auto-remediation is not yet earned
MidDiscovery L3, remediation L2–L3An in-house team can run a CTEM-shaped program with its own exposure platform and a ground-truth store. Remediation can auto-apply low-blast-radius, high-confidence fixes once D4 carries auto/propose/approve/block tiers and blast-radius limits; higher-impact patches stay gated
EnterpriseDiscovery L3–L4, remediation L3, selective L4A full VulnOps function with frontier-model code audit, measured coverage, and a governed remediation pipeline. Even here, high-blast-radius remediation terminates at the human boundary; L4 is delegated lifecycle ownership under governance, not unsupervised patching

For the small-team band, AI lowers the discovery barrier: continuous discovery and CTI-to-asset mapping become reachable without the engineering that gated traditional vulnerability programs. The path is borrowing exposure capability and keeping remediation tightly human-gated, not standing up a fleet.

Relations

Notes

Footnotes

  1. Zero Day Clock, from zerodayclock.com (Sysdig and collaborators, 2026). Median time-to-exploit by year: 771 days (2018), 84 days (2021), 6.36 days (2023), 4 hours (2024), zero-day (2025–2026). The Qualys 2026 benchmark cited there puts mean time-to-remediation for the most-delayed complex applications at 5 months 10 days even as roughly 40 million of about 150 million deployed patches now ship autonomously. 2

  2. From Threat Intel to VulnOps, CYBR.SEC.Media (2026-05-15), featuring Jonathan Cran (Mallory). Continuous ingestion of about 3,000 intelligence sources mapped automatically onto organization-specific assets, cloud, code, and IaC; “threads, not cases” investigation model. 2

  3. Frontier AI for Vulnerability Discovery. The harness around the model does the validation work; the gap between a candidate finding and a validated one is load-bearing.

  4. Anthropic — Project Glasswing: An initial update, 2026, via VulnOps. Open-source scanning funnel: 6,202 estimated high/critical found, 1,752 assessed, 75 patched, ~2-week mean patch time; the constraint named as verification, disclosure, and patching, not discovery. 2

  5. JFrog 2026 Software Supply Chain Security State of the Union, via VulnOps: 66% of analyzed CVEs had a low applicability rate (0–20%); only 12% were highly exploitable in real enterprise environments. 2