Agentic SOC Exposure and VulnOps Surface
Per-function deep-dive for the Exposure & VulnOps row of the Agentic SOC Reference Architecture. The function runs continuous exposure and vulnerability discovery, plus remediation, across the whole estate — own code, AI-generated and vibe-coded applications, third-party libraries, container images, and the cloud control plane. It is the SOC’s seam with DevSecOps: where build-time security hands off to operate-and-monitor, and where production exposure is owned. The function is the operational home of VulnOps — discovery and remediation staffed and automated like DevOps rather than run as a quarterly audit cycle.
The agent surface is a pair of worker patterns under the orchestrator: a read-heavy discovery/exposure agent and a state-changing remediation agent. The split is load-bearing. Discovery is reversible and can run at high autonomy; remediation applies a patch or isolates an asset, which is a consequential change to the production estate, so it is gated separately.
The function runs primarily on the RA’s Data & Knowledge plane (the telemetry, asset, and threat-intel substrate it reads) and the Policy & Enforcement plane (the deterministic gate every remediation action crosses). Its autonomy is gated by the CMM gating rule on D1 (Telemetry & Data Readiness) — the asset and exposure data the agents reason over — and D4 (Agent Identity & Action-Authority) — the scoped, blast-radius-bounded authority a remediation agent needs before it may act.
The driver is the time-to-exploit collapse. The Zero Day Clock records the median time from CVE disclosure to first observed exploitation falling from 771 days in 2018 to zero-day in 2025–2026, where the exploit arrives on or before the advisory.1 Periodic vulnerability management — a quarterly pen test plus patch-as-CVE-arrives — is structurally outmatched against continuous AI-driven discovery, and the estate is now too large and too fast-changing for humans to inventory or patch in time.
The agent surface
The function decomposes into two worker patterns on the supervisor-worker topology, kept distinct because they sit on opposite sides of the consequential-action line.
Discovery / exposure agent (read-heavy). Continuously enumerates the estate and maps known and novel exposure onto it: asset and attack-surface inventory, SBOM and dependency-chain resolution, configuration and cloud-control-plane posture, and code scanning across own and AI-generated repositories. It ingests external intelligence — CTI feeds, ISAC data, vendor advisories, GitHub disclosures, government feeds — and maps it automatically onto organization-specific assets, the un-silo discipline Mallory’s VulnOps framing centers.2 Mechanism is hybrid: deterministic scanners and SBOM tooling supply coverage, while AI does the contextualization, reachability reasoning, and exploitability triage that separates the reachable flaws from the noise. Frontier-model code audit — the discovery-capability thesis — sits here, where the harness around the model does the validation work.3
Remediation agent (state-changing). Proposes or applies the fix: a patch, a configuration change, a virtual-patch / compensating control, or asset isolation. It calls the change-management and deployment tooling, and every action crosses the Policy & Enforcement plane’s deterministic gate. This is where the plan-validate-execute pattern bounds what the agent may do, and where D4’s auto / propose / approve / block tiers and blast-radius limits are enforced.
The agents read the Data & Knowledge plane’s asset and threat-intel substrate and write findings into the case/thread investigation substrate — threads, not cases, each a collaborative analyst-agent exchange.2 The human-authority boundary sits asymmetrically: it is light on discovery (read-only enumeration is reversible) and firm on remediation (an applied patch or an isolation is consequential and crosses the approval tier its blast radius warrants).
Autonomy progression
The function’s autonomy is not a single value. Discovery autonomy and remediation autonomy are scored and gated separately, because discovery is read-heavy and reversible while remediation changes production state. A SOC can legitimately run discovery at high autonomy and hold remediation at a lower rung — the common and correct posture.
The gating rule applies per the CMM: a function reaches autonomy L_k only when its governing domains are mature enough to support it. For this function the L2 gates are D1 (the asset and exposure data must be real and reasonably complete) and D4 (a remediation agent must hold scoped, revocable authority before a consequential action it proposes can be approved and bounded). L3 adds D3 (Evaluation) and D5 (Observability); L4 adds D7 (Resilience) and D8 (Governance).
| Level | What it looks like for this function | Gating domains |
|---|---|---|
| L0 — Manual | Quarterly pen test; vulnerability scan reviewed by hand; patches scheduled in a maintenance window | — |
| L1 — Assisted | Continuous scanning with AI-assisted triage; the agent ranks and explains findings, a human decides and acts | D1 (data to rank against) |
| L2 — Semi-autonomous | Discovery runs continuously and proposes findings with exploitability and confidence scores; remediation executes routine sub-tasks but every applied patch or isolation needs explicit approval | D1 + D4 (scoped, revocable remediation authority; coarse auto/approve split) |
| L3 — Conditional | Discovery autonomous in-bounds; remediation auto-applies low-blast-radius, high-confidence fixes (a virtual patch, a config rollback) within blast-radius limits and escalates out-of-bounds; humans monitor | D1, D4 (auto/propose/approve/block tiers + blast-radius limits) + D3, D5 |
| L4 — Delegated | The function owns the discover-triage-remediate lifecycle within governed bounds; humans govern outcomes and the autonomy-raising decision. Asymptotic — high-blast-radius remediation still terminates at the human boundary | + D7, D8 |
The defined failure mode is operating above the earned ceiling: granting remediation autonomy the governing domains do not support. Auto-applying patches (L3 remediation) when D4 cannot bound blast radius, or when D3 cannot measure whether the agent’s exploitability triage is correct, is reckless autonomy — a wrong containment or a bad patch is itself an availability incident. The ceiling is set by the weakest governing domain; the common split is discovery several rungs above remediation.
False-positive flood is the bounding risk
AI-generated findings arrive faster than human triage capacity, and most are not reachable in practice. Anthropic’s Glasswing one-month update reported the bottleneck inverting from discovery to verification: of roughly 6,202 estimated high/critical findings, 1,752 were assessed and 75 patched, and maintainers asked Anthropic to slow disclosures.4 JFrog’s 2026 analysis found 66% of analyzed CVEs had a low applicability rate (0–20%) and only 12% were highly exploitable in real environments.5 The discipline that bounds the flood is exploitability triage — severity and confidence scoring, deduplication, and reachability analysis as first-class queue stages — which Mythos-ready PA 11 names as designing VulnOps around triage discipline from the start.
Control landscape (dated)
Vendors and patterns are dated, swappable examples, not endorsements. The function’s spine — continuous discovery, triage, remediation — is mechanism-agnostic; the AI-specific particulars and named products are dated here.
| Capability | What ships today | Status (mid-2026) |
|---|---|---|
| Exposure / attack-surface management | Continuous attack-surface and exposure management platforms; cloud security posture management for the control plane | GA; an established category |
| Continuous exposure program model | Gartner CTEM as the program spine for continuous discovery, prioritization, validation, and mobilization | GA as a framework; adoption maturity varies |
| Asset / dependency inventory | SBOM generation and dependency-chain resolution; AI-BOM for the AI-component supply chain | SBOM GA; AI-BOM emerging |
| AI-assisted code-audit / discovery | OpenAnt (OSS), Codex Security (OpenAI), Claude Code Security (Anthropic); vendor-internal Big Sleep and CodeMender; Mythos-class models via Glasswing partners | Preview / private-preview for most; vendor-internal for Big Sleep and CodeMender; Mythos is preview-only, no GA planned |
| Offensive testing at scale | Wiz Red Agent, Palo Alto Unit 42 AI pentesting, CrowdStrike Frontier AI Readiness | Productized; vendor-reported coverage figures |
| Exploitability triage | Severity/confidence scoring, deduplication, reachability and applicability analysis as queue stages; adversarial-reflexion-style false-positive control | Pattern-level; the load-bearing scarce-resource discipline |
| Continuous / autonomous patching | Automated patch pipelines; virtual patching and compensating controls; autonomous patch deployment where the change is low-blast-radius | Emerging; a growing share of patches now ship without a human in the loop, though most complex applications still patch slowly1 |
| Remediation authority enforcement | Plan-validate-execute, policy-as-code, and SOAR/response-platform approval tiers with blast-radius limits (scored by D4) | GA as primitives; per-action authority tiering over remediation agents is configuration |
The two load-bearing rows are exploitability triage and remediation-authority enforcement. The first bounds the false-positive flood on the discovery side; the second is what lets remediation autonomy rise without surrendering control of production change. AI is the barrier-lowering enabler on the discovery side: continuous code audit and CTI-to-asset mapping become reachable without the bespoke engineering they once required.
Failure modes and what to watch
- False-positive collapse (discovery side). AI-generated findings exceed human triage capacity, and most are not reachable. Unbounded, the queue buries the exploitable flaws among the noise and the team stops trusting it. Bounded by exploitability triage as a first-class discipline (severity/confidence/dedup/reachability) and by D3 Evaluation, which measures whether the triage is correct. This is the named scarce resource: triage, not patching capacity.45
- Reckless auto-remediation (remediation side). Auto-applying a patch or auto-isolating an asset with too large a blast radius is itself an availability incident. Bounded by D4 — auto/propose/approve/block tiers, blast-radius limits, a documented rollback and human-override path — and by the deterministic Policy & Enforcement plane gate. Remediation autonomy must never exceed what D4 supports, regardless of how good discovery is.
- Coverage blind spots. A patch or isolation acts on a defensible picture only if the asset and exposure inventory is real. An un-inventoried asset, a silent telemetry source, or an unresolved dependency is exposure the function cannot see. Bounded by D1: measured coverage against the threat model, not assumed completeness. Mythos-ready PA 7 makes the point — you cannot patch, segment, or defend what you do not know exists.
- AI-generated and vibe-coded app sprawl. Coding agents in non-developer hands fragment central visibility, and AI-generated code carries its own flaw profile. These apps are in scope for discovery the same as any other estate, regardless of who shipped them. Bounded by full-estate inventory coverage (D1) and the dependency-chain scope of the discovery agent.
- Triage / hunt fatigue. The function absorbs a volume of work no human team alone can, and the team itself can burn out under the flood. Bounded by treating headcount and reserve capacity as a design parameter, scored under D8 People & Governance.
Right-sizing by org profile
Targets are split discovery / remediation, because the two rungs move independently. The realistic remediation target trails discovery in every band.
| Band | Realistic autonomy target | Why |
|---|---|---|
| Solo / small | Discovery L2–L3, remediation L1–L2 | Near or below the cyber poverty line. Borrow exposure coverage and triage via an MSSP/MDR/ISAC; AI lowers the floor so continuous scanning and AI-assisted triage are reachable without a built-out program. Remediation stays human-approved — a small team’s blast-radius controls are thin, so auto-remediation is not yet earned |
| Mid | Discovery L3, remediation L2–L3 | An in-house team can run a CTEM-shaped program with its own exposure platform and a ground-truth store. Remediation can auto-apply low-blast-radius, high-confidence fixes once D4 carries auto/propose/approve/block tiers and blast-radius limits; higher-impact patches stay gated |
| Enterprise | Discovery L3–L4, remediation L3, selective L4 | A full VulnOps function with frontier-model code audit, measured coverage, and a governed remediation pipeline. Even here, high-blast-radius remediation terminates at the human boundary; L4 is delegated lifecycle ownership under governance, not unsupervised patching |
For the small-team band, AI lowers the discovery barrier: continuous discovery and CTI-to-asset mapping become reachable without the engineering that gated traditional vulnerability programs. The path is borrowing exposure capability and keeping remediation tightly human-gated, not standing up a fleet.
Relations
- Per-function deep-dive hanging off the Agentic SOC Reference Architecture (the Exposure & VulnOps row); runs on its Data & Knowledge and Policy & Enforcement planes.
- Gated by the Agentic SOC CMM gating rule on D1 (Telemetry & Data Readiness — asset and exposure data) and D4 (Agent Identity & Action-Authority — remediation authority and blast-radius limits).
- The operational home of VulnOps; the discovery-and-remediation and CTI-fusion framings are sourced in From Threat Intel to VulnOps and the Mythos-ready program (PA 5 continuous patching, PA 7 inventory/attack-surface reduction, PA 11 stand up VulnOps).
- Driven by the time-to-exploit collapse documented in the Zero Day Clock; the discovery-capability thesis is Frontier AI for Vulnerability Discovery.
- Build-time counterpart: SDLC in the AI-Attacker Era owns security as code is written; this function is the operate-and-monitor seam where production exposure is owned. The two meet at the DevSecOps handoff.
- Real patterns as dated examples: CTEM, SBOM, AI-BOM, continuous patching, and exposure/attack-surface management.
Notes
Footnotes
-
Zero Day Clock, from zerodayclock.com (Sysdig and collaborators, 2026). Median time-to-exploit by year: 771 days (2018), 84 days (2021), 6.36 days (2023), 4 hours (2024), zero-day (2025–2026). The Qualys 2026 benchmark cited there puts mean time-to-remediation for the most-delayed complex applications at 5 months 10 days even as roughly 40 million of about 150 million deployed patches now ship autonomously. ↩ ↩2
-
From Threat Intel to VulnOps, CYBR.SEC.Media (2026-05-15), featuring Jonathan Cran (Mallory). Continuous ingestion of about 3,000 intelligence sources mapped automatically onto organization-specific assets, cloud, code, and IaC; “threads, not cases” investigation model. ↩ ↩2
-
Frontier AI for Vulnerability Discovery. The harness around the model does the validation work; the gap between a candidate finding and a validated one is load-bearing. ↩
-
Anthropic — Project Glasswing: An initial update, 2026, via VulnOps. Open-source scanning funnel: 6,202 estimated high/critical found, 1,752 assessed, 75 patched, ~2-week mean patch time; the constraint named as verification, disclosure, and patching, not discovery. ↩ ↩2
-
JFrog 2026 Software Supply Chain Security State of the Union, via VulnOps: 66% of analyzed CVEs had a low applicability rate (0–20%); only 12% were highly exploitable in real enterprise environments. ↩ ↩2