As AI accelerates the speed at which cybercriminals can weaponize newly disclosed vulnerabilities, cybersecurity vendors are shifting their focus from simply identifying risks to proving which ones can actually be exploited.
Picus Security has unveiled its new Autonomous Exposure Validation Platform, a platform designed to help security teams validate whether newly disclosed vulnerabilities are exploitable within their own environments—and automate remediation workflows.
The launch comes as organizations face an increasingly compressed threat window, with attackers often exploiting critical vulnerabilities within hours of disclosure.
From finding vulnerabilities to proving exploitability
Security teams today face a familiar problem: vulnerability scanners can identify thousands of Common Vulnerabilities and Exposures (CVEs), but they rarely answer the question executives care most about—are we actually vulnerable?
Picus says its platform addresses that gap by combining three security validation disciplines into a single workflow:
- Breach and Attack Simulation (BAS) to test how existing security controls perform against simulated attacks.
- Autonomous Penetration Testing to execute exploit chains against reachable assets.
- Exposure Validation to determine whether a newly disclosed CVE can actually be exploited in a specific environment.
Rather than relying solely on severity metrics such as CVSS scores, the platform evaluates exploit paths against an organization’s security controls to determine whether an attack would succeed or be stopped.
AI shortens the window between disclosure and attack
The announcement reflects a broader industry challenge.
According to Picus, approximately 132 new CVEs are published every day, while frontier AI models are enabling attackers to develop exploits far more quickly than in previous years.
That shift is forcing security operations teams to move beyond vulnerability prioritization toward continuous validation of defensive controls.
“Finding the exposure was never the hard part,” said Volkan Erturk, co-founder and CTO of Picus Security.
“The hard part is acting on the right issue—the defensible decision, the fix that closes the gap, and the evidence it worked.”
AI agents orchestrate security validation
At the center of the platform is Picus Swarm, a framework of AI agents coordinated by the company’s Numi AI orchestration engine.
According to Picus, the system automates tasks across discovery, exploitation, validation, remediation, and reporting while allowing organizations to choose between manual, supervised, or fully autonomous workflows with audit trails.
The goal is to help security teams cope with growing vulnerability volumes without increasing operational overhead.
Betting on validation over prioritization
Picus argues that traditional vulnerability management increasingly struggles to keep pace with modern attack speeds.
Instead of asking security teams to remediate every high-severity vulnerability, the company is positioning exposure validation as a way to identify which weaknesses represent genuine business risk based on real-world exploitability.
The company also says compensating controls can be recommended when patches are unavailable, allowing organizations to reduce exposure before software updates are released.
The bigger picture
The launch highlights an emerging shift in enterprise cybersecurity.
As AI enables attackers to move faster, organizations are placing greater emphasis on continuous security validation rather than periodic assessments or vulnerability scoring alone.
Whether through breach simulation, automated penetration testing, or exposure validation, the focus is increasingly shifting from “What vulnerabilities exist?” to “Which ones can attackers actually exploit today?”
For security teams facing expanding attack surfaces and growing vulnerability backlogs, that distinction may become one of the defining priorities of the AI era.




















