Blog
Exploit ValidationExposure ManagementEvidence-Based SecuritySovereign AI

Exploit Validation: Evidence Beats Estimate, But Whose Cloud Runs the Proof?

In March 2026 Qualys shipped Agent Val, conceding that CVSS scores are guesses. Evidence-based vulnerability management is right — but whose cloud runs the proof?

Zero Hunt Research··7 min read

On 23 March 2026, Qualys — the vendor that arguably invented the modern vulnerability scanner — shipped Agent Val, an AI agent that tries to actually exploit a finding to see whether it is reachable. Read the press release and one line does the heavy lifting. Their own launch CISO frames it as a shift "away from a reactive posture based on theoretical CVSS scores to a disciplined, evidence-based model."

That is a remarkable admission from the company whose business was built on producing those scores. The entire vulnerability-management industry spent two decades ranking risk by estimate — CVSS severity, threat-intel weighting, EPSS probability — and the market leader just told its customers the estimate was never good enough. It was always a guess dressed up as a number.

They are right. The interesting question is what comes after the admission, because "evidence-based" is not one thing. There is a hierarchy of proof, and where a product sits on it — and, critically, where that proof gets computed — is the whole game.

The estimate problem: scoring 35,000 things that mostly never happen

Start with why estimate-based prioritisation was doomed. In the first half of 2026, 35,364 CVEs were published. Every one of them gets a CVSS severity. A large share score 7.0 or higher, which is how you end up with a remediation backlog measured in tens of thousands of "high" and "critical" findings that no team on earth can clear.

Now overlay reality. Of those 35,364 first-half CVEs, only 85 — 0.24% — have shown up in CISA's Known Exploited Vulnerabilities catalog so far. The number will climb as the cohort ages and KEV lags disclosure by months, but the shape is stable across years: VulnCheck's State of Exploitation found roughly 1% of 2025 CVEs were exploited in the wild by year end. Prioritising by score means spending 99% of your effort on things that will never be touched, while the 1% that matters is buried in the same colour of red.

And the 1% moves fast. VulnCheck recorded that 28.96% of 2025 KEVs were exploited on or before the day the CVE was published — up from 23.6% in 2024. By the time a quarterly scan re-runs and a ticket is triaged, the window that mattered has already closed. This is the same pattern our own write-ups keep hitting from the other direction: CitrixBleed 3 was patched in March and became an emergency in June; SharePoint CVE-2026-45659 was patched in May and exploited in July. A scanner that reports "patched" is answering a different question than "reachable."

So Qualys is correct to move. The problem is that "we found a bug, and here's its score" was never actionable. "We proved this specific asset can be taken over, and these controls stopped it" is. That is the right direction. Now let's be precise about how far it actually goes.

Three tiers of exploit validation — and only one is proof

Every product that touches this space sits on one of three rungs. The words blur together in marketing, so pin them down:

  • Tier 1 — Estimate. A severity or probability score attached to a CVE. CVSS, EPSS, a vendor risk score like TruRisk. It tells you what could be exploitable across a population. It is a forecast, computed from metadata, never from your environment. Every scanner does this.
  • Tier 2 — Safe validation. An agent checks whether a known exploit path, from a curated library, is open against your asset — using business context to decide if a control blocks it. Qualys' Agent Val, powered by TruConfirm, covers over 1,600 CVEs this way and claims a 90%+ cut in remediation noise. Pentera and Horizon3 pioneered the category; the big scanner vendors are now catching up to it. This is real progress. It answers "is this path open right now?" for the paths someone has already catalogued.
  • Tier 3 — Executed proof. A fresh exploit chain is generated for the specific target, run against it, and the outcome is captured as a signed, tamper-evident artifact of what actually happened. Not "this CVE is probably reachable." Not "a known payload for this CVE is not blocked." The literal record of a compromise that occurred, replayable and verifiable.

Tier 2 is where the market is loudly moving, and it deserves credit for leaving Tier 1 behind. But it carries two assumptions that matter enormously depending on who you are.

What "safe" exploit validation quietly assumes

The first assumption is a library. Agent Val validates against a curated set of known CVEs — a very large one, but finite and backward-looking. That works beautifully for the n-day flood. It does nothing for the chain nobody has catalogued yet: the novel composition of two boring primitives, the logic flaw, the misconfiguration that only becomes critical three hops into your specific network.

We watched exactly this happen with the HTTP/2 Bomb (CVE-2026-49975), where an AI agent chained two decade-old primitives that no human and no exploit library had ever composed. A validation engine keyed to a CVE list cannot validate an attack that does not yet have a CVE. Generation can; a library cannot.

"But our library covers 1,600 CVEs." — And the attacker who owns you next quarter is writing the 1,601st against your environment specifically, by hand or with a model, tonight. A red team that can only replay a catalogue is testing you against last year's attacker.

The second assumption is the one nobody puts on the slide: where the proof is computed. Agent Val validates "in the live environment," but it is orchestrated by Qualys' cloud platform. Your asset inventory, your topology, your control posture, and the validation telemetry all flow to a multi-tenant SaaS to be reasoned over. For most enterprises that is an acceptable trade. For a defence ministry, a national grid operator, an intelligence service, or any operator running an air-gapped OT segment, it is a non-starter — and no amount of "evidence-based" fixes it.

Evidence is only sovereign if it never leaves your building

Here is the uncomfortable corner of the evidence-based pitch. The act of gathering the evidence is itself an intelligence operation against your own network. You are mapping every reachable asset, every open path, every control gap — the exact document an adversary would kill for. If that map is computed in someone else's cloud, by someone else's model, the "proof" you gained came at the cost of exporting your attack surface to a third party's infrastructure and a third party's LLM.

For a bank under DORA, a hospital under NIS2, or a critical-infrastructure operator, that trade fails the threat model before it starts. It is also why the known-CVE gap keeps showing up as the first audit finding: the organisations most exposed are frequently the ones that cannot send their topology to a cloud validator in the first place, so they fall back to the annual manual pentest and the estimate-based backlog. Tier 2 in the cloud simply is not available to them.

Tier 1 — Estimate Tier 2 — Safe validation Tier 3 — Executed proof
Answers What could be exploitable Is a known path open now? Was this asset actually taken over?
Coverage Every CVE, by metadata Curated library (finite, n-day) Generated per target, incl. novel chains
Where it runs Anywhere Vendor cloud orchestration On-prem, air-gap capable
Artifact A score A validation result Signed, tamper-evident record
Sovereign? N/A No — topology leaves the building Yes — nothing leaves the appliance

The row that decides everything for a regulated operator is the third one. Evidence beats estimate — but only if generating the evidence does not itself become the breach.

Proof you can hold, generated where the data lives

This is the gap Zero Hunt was built into. The engine runs a coordinated 10-agent AI swarm — Recon, Exploit, Web, Credential, Post-Exploit, Pivot, Tactic and Report under an AI Controller — that does not replay a catalogue. It writes a generative exploit for the specific target with a local LLM, unique to that environment, then runs it inside an ephemeral Docker container hardened with gVisor so the attack never touches the host. Every new offensive skill is backtested in the AI Gym against Vulhub, NYU CTF Bench and Cybench corpora before it is ever allowed near a production asset. That is Tier 3: the novel chain a 1,600-CVE library structurally cannot reach, executed and captured.

And it runs where the data lives. Zero Hunt is a 100% on-premise appliance — no cloud callbacks, no telemetry, no external LLM API, air-gap supported. The proof of compromise is written to a cryptographically signed, tamper-evident evidence chain with chain-of-custody, so an auditor or a court can verify what happened without taking anyone's word for it, and without your attack surface ever leaving the building to produce it. The estimate industry conceded this year that a score is not proof. The next concession — the one the cloud architecture cannot make — is that proof you had to export was never fully yours to begin with.

If you want to see executed proof generated inside your own perimeter, get in touch or read how the engine is built.