Vulnerabilities | Jun 10, 2026

Turning Millions of Risks Into One Actionable List

Qualys launches TruConfirm to prioritize critical vulnerabilities based on exploitability.

Summary

Qualys has introduced TruConfirm, a new solution designed to address the challenge of prioritizing critical vulnerabilities. The tool aims to differentiate between theoretical risks and actual exploitable threats in production environments by replicating attacker behavior with benign equivalents. This approach helps security teams focus on the less than one percent of vulnerabilities that are genuinely weaponized, reducing wasted effort on theoretical exposures.

Full text

Every security leader walks into Monday morning with the same question. The findings are there. The dashboards are running. But out of the thousands of critical vulnerabilities on that list, which ones can an attacker actually use against this organization today? Not in theory. Not in a lab. In production, with the controls that are actually in place.

For a long time, that question did not have a clean answer. Scanners tell you which software is present and match it against known vulnerabilities. They are almost entirely blind to whether any of those vulnerabilities can actually be reached and exploited, given everything else in the environment. A vulnerability scored critical might be sitting behind a WAF rule, a segmentation policy, or an EDR configuration that takes the real risk to near zero. Or it might be wide open. The scanner cannot tell the difference. That gap is what TruConfirm, TruLens, and Agent Val were built to close.

The Problem Nobody Wanted to Say Out Loud

Less than one percent of critical vulnerabilities in the average enterprise are actually weaponized. Everything else is theoretical risk — real in the abstract, unreachable in practice. That is a significant claim, and it has significant consequences. If it is true, then the vast majority of the work most security teams do — the triage, the ticketing, the remediation cycles — is being spent on exposures that were never going to result in a breach. The queue is not a prioritized list of genuine threats. It is mostly noise, and the industry has spent years learning to take that noise seriously.

In 2025, around 48,000 new CVEs were disclosed. Roughly 52% of CVE exploits bypassed default web application firewall protections in independent testing — the safety net many organizations relied on was not catching what mattered. The average time-to-exploit is now at negative seven days, meaning vulnerabilities are being weaponized before patches exist. With Claude Mythos Preview now capable of chaining multiple vulnerabilities into working exploits within hours of disclosure, that window will only compress further. If less than 1% of critical vulnerabilities are weaponized, then 99% of the work the industry has been doing has been chasing things that were never going to hurt anyone.

How TruConfirm Actually Works

TruConfirm is built on a deceptively simple idea. Instead of running attacker payloads, it replicates the behavior of an attacker using benign equivalents. If a vulnerability allows an attacker to create an out-of-band connection back to their server, TruConfirm sends a payload that asks the target to reach a Qualys-controlled endpoint. If it reaches out, the path is proven open. Nothing malicious has been sent. The mechanism is the one an attacker would use. The risk is gone.

Building safe exploit checks turned out to be the hardest engineering work in the project. Public exploits are straightforward. Safe versions are not. The threat research team had to take public exploit code, reverse-engineer it, and strip out everything that could damage a system while preserving the signal that proves the vulnerability is real. That work took two years and required hiring a team of world-class White Hat engineers dedicated to nothing else. It is, in many ways, the core intellectual property of the product.

A few principles govern how TruConfirm behaves. It leaves zero footprint — no agents, no persistence. It does not escalate privileges even where the vulnerability would allow it. When testing an Outlook RCE, it spins up a separate thread so the user sees nothing. Sensitive data in target responses gets stripped immediately. The answer that comes back is binary: exploitable, blocked, or unreachable.

There was one more problem nobody anticipated. Most customers allowlist their Qualys scanners — fine for vulnerability assessment, but it defeats the purpose of TruConfirm. A scan arriving from a known trusted IP is not a realistic test of whether an attacker could get through. So we built a separate scanner pool with IPs that customers have not allowlisted. From the target's perspective, the traffic looks like it is coming from outside. For these purposes, it needs to.

Another Core Part of the Question

TruConfirm answers whether a vulnerability is exploitable here. TruLens answers a different question: is anyone actually trying to use it against organizations like yours? That distinction matters more than it might first appear. CVSS tells you what could happen in a worst-case scenario. It does not tell you whether anyone is attempting that worst-case scenario against your industry with the tools they currently have right now.

TruLens tracks more than 700 active threat actors — when they are active, what malware they use, what initial access techniques they prefer, and which industries they target. The intelligence comes from dark web chatter, deep web forums, third-party feeds, and Qualys's own campaign analysis. When SolarWinds happened, the team mapped the five steps that played out. When the next Lazarus campaign surfaces, the playbook is ready before most teams know to look.

That changes the question security teams are actually answering. Instead of asking whether a CVE is critical, the question becomes whether anyone with the means and motive to hit this industry is actively weaponizing it today. Most of the time, the answer is no. Sometimes the answer is yes, and everything else stops.

Building that intelligence hit an unexpected problem: almost every commercial threat intelligence feed is calibrated to the United States, where honeypots have historically been deployed. For customers in India and other regions, the threat picture they were getting was not their threat picture. The fix was unglamorous — deploying honeypots in each region and building geo-specific intelligence from local telemetry. It does not make headlines, but it determines whether the product is useful in multiple geographies.

Threat actors themselves are harder to track than they appear. Lazarus is not one group — it splinters into 15 sub-units with different names and targets. Groups collaborate, sell access, share tooling. Tracking actors as stable identities was producing a misleading picture. The team shifted to tracing campaigns instead, working backwards through dark web claims, leaked tooling, and SEC filings to rebuild the full chain from reconnaissance through impact.

Where Agent Val Comes In

Everything described so far works well when a human runs it. The harder question is who has time to run it across tens of thousands of CVEs and hundreds of thousands of assets, every day. Nobody does. Agent Val is the answer to that. It is an agentic layer purpose-built for safe exploit prioritization, validation, and remediation at scale. It decides which CVEs on which assets need to be validated first, launches the TruConfirm scan, selects the right scanner pool, updates the TruRisk score based on the result, and connects to the remediation workflow to elect an optimal remediation path: patch, compensating control, or mitigate now and patch later, based on factors such as the AI-based patch reliability score drawn from telemetry across millions of managed assets.

It runs in three modes. Fully automatic. Semi-automatic, where it shows what it is about to do and waits for approval — which is where most customers start. And manual, for teams that want to direct each step themselves.

Agent Val does not run inside the customer environment. It runs on the FedRAMP-compliant Qualys platform and inherits the role-based access of the user running it. It cannot do anything the user could not do. That is by design.

What the Numbers Look Like

One Fortune 50 company came t
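As an added illustration (not Qualys code), the following Python models the decision flow described under "How TruConfirm Actually Works" and "Where Agent Val Comes In": a benign out-of-band probe result is reduced to an exploitable, blocked or unreachable verdict, and findings are then ordered by that verdict and by whether active actors are targeting the industry, with CVSS only breaking ties; the remediation path follows the verdict and a patch reliability score, and the approval step depends on the run mode. The class and field names, the thresholds and the sample findings are assumptions constructed for this example.

```python
"""Prioritizer modeled on the TruConfirm / TruLens / Agent Val flow in the article.
Names, thresholds and data are hypothetical and constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import List


class Verdict(str, Enum):
    EXPLOITABLE = "exploitable"    # benign callback reached the collector: path proven open
    BLOCKED = "blocked"            # service reachable, but a control stopped the probe
    UNREACHABLE = "unreachable"    # the vulnerable service could not be reached at all


def verdict_from_probe(callback_received: bool, reachable: bool) -> Verdict:
    """Reduce a benign out-of-band probe to the three-way answer the text describes."""
    if not reachable:
        return Verdict.UNREACHABLE
    return Verdict.EXPLOITABLE if callback_received else Verdict.BLOCKED


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    verdict: Verdict
    actors_targeting_industry: int   # TruLens-style count of active actors using it vs. this industry
    patch_reliability: float         # 0..1, stands in for the patch reliability score mentioned


def remediation_path(f: Finding) -> str:
    """Patch, compensating control, or mitigate now and patch later (hypothetical 0.8 threshold)."""
    if f.verdict is Verdict.EXPLOITABLE:
        return "patch" if f.patch_reliability >= 0.8 else "mitigate now, patch later"
    if f.verdict is Verdict.BLOCKED:
        return "compensating control (keep and monitor the blocking control)"
    return "track"


_RANK = {Verdict.EXPLOITABLE: 0, Verdict.BLOCKED: 1, Verdict.UNREACHABLE: 2}


def plan(findings: List[Finding], mode: str = "semi-automatic") -> List[dict]:
    """Order by proven exploitability, then active targeting; CVSS only breaks ties."""
    ordered = sorted(findings, key=lambda f: (_RANK[f.verdict], -f.actors_targeting_industry, -f.cvss))
    return [{"cve": f.cve, "asset": f.asset, "verdict": f.verdict.value,
             "action": remediation_path(f),
             "needs_approval": mode != "automatic"} for f in ordered]


# Constructed sample findings; CVE ids and asset names are placeholders, not real identifiers.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-1", "web-01", 9.8, verdict_from_probe(False, True), 0, 0.90),   # critical, but WAF blocks it
    Finding("CVE-PLACEHOLDER-2", "mail-02", 7.5, verdict_from_probe(True, True), 3, 0.60),   # proven open, actively targeted
    Finding("CVE-PLACEHOLDER-3", "db-07", 9.0, verdict_from_probe(False, False), 1, 0.95),   # segmented off
]
```

Run `plan(SAMPLE)` to see the 7.5-scored but proven-open finding ranked above the two 9.x findings that controls already neutralize.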
