AI agents help Cato slash ‘time-to-protect’ from new CVEs
The application of agentic AI to vulnerability management workflows has slashed mitigation times in experimental conditions, claims Sase specialist Cato Networks.
Secure access service edge (SASE) specialist Cato Networks has claimed a new world record for vulnerability mitigation, saying it has cut ‘time-to-protect’ for a newly discovered common vulnerability and exposure (CVE) down to a mere 45 minutes using agentic threat intelligence.
Traditional appliance-based security depends on a slow patching cycle in which suppliers develop protections and push them live as updates, following which customers must test them and upgrade or configure the assets in scope. In the wrong circumstances, this can take weeks, and success hinges entirely on the actions of the customer security team.
Cato’s cloud-native software architecture has already compressed this multi-week cycle to mere hours, but by adding artificial intelligence (AI) agents into the mix, it is now squeezing this timescale even more tightly, in the hope of protecting organisations from emerging exploits at machine, rather than human, speed.
Cato co-founder and CEO Shlomo Kramer said: “Attackers move in minutes. Appliance-centric security still moves in patch cycles.
“Cato closes the gap by turning new CVE intelligence into protections deployed globally across our cloud service, with zero customer effort. In the AI era, security architecture is no longer a matter of efficiency. It is a do-or-die security decision,” said Kramer.
Why it matters
When the end-of-year cyber roundups are written, one of the bigger technical stories of 2026 will be the advent of frontier AI models from the likes of Anthropic and OpenAI, which are supposedly accelerating the scale and speed of CVE disclosure to the consternation of many.
The US’ National Institute of Standards and Technology (NIST) has reported that CVE submissions to its National Vulnerability Database (NVD) have ballooned by over 250% since the start of the ’20s and were up over 33% year-on-year during the first calendar quarter of 2026.
In light of this, back in April 2026, NIST said that this surge was forcing it to revise its CVE classification methodology, with the result that it will be ‘enriching’ flaws – providing detailed information to help end-users prioritise and mitigate them – far more rarely.
In this new paradigm, NIST is prioritising CVEs that appear in the US’ Cybersecurity and Infrastructure Security Agency’s (Cisa’s) Known Exploited Vulnerabilities (Kev) catalogue or those to which the US government is particularly exposed. Others will be left by the wayside.
When one also considers that only just over half of edge device vulnerabilities were fully mitigated in 2025 – this according to Verizon statistics – Cato said that it was clear traditional patching methodologies are no longer up to the job.
Security teams are no longer fighting time-to-protect, it argued; they are fighting to reduce time-to-exploit.
How it works
Over its 11-year lifespan to date, Cato has been closely monitoring vulnerabilities, developing and validating protections, and deploying updates across its cloud with – so it claims – near-zero false positives.
By applying AI agents to its operating model, it is now able to run the full protection lifecycle under human supervision but with no human involvement.
Effectively, its agents are empowered to monitor and triage disclosed vulnerabilities from various sources; extract indicators of compromise (IoCs) and reproduce exploits inside a sandbox environment; develop threat signatures, then test and simulate them to eliminate false positives or potential sources of disruption; and deploy these validated signatures to its cloud platform automatically, unburdening its customer security teams.
The firm said that its visibility into the network to see attacks, the platform to correlate their context, and the cloud to enforce protection worldwide, put it in an excellent position to operationalise security updates at machine speed.
More widely, agentic CVE mitigation may herald a broader industry shift as security ops in general drift away from manual, user-run workflows to ongoing, machine-scale protection in the cloud.
“The breakthrough here is not just speed,” said Elad Menahem, Cato senior vice president of research. “It’s that vulnerability response itself can now operate continuously and at machine scale.”
