Cycode has added an artificial intelligence (AI) agent to its application security posture management (ASPM) platform that has been specifically trained to determine how exploitable a specific vulnerability found in an application actually is.

In addition, Cycode has made available an AI Security Return on Investment (ROI) Calculator that analyzes the impact that using AI can have on specific DevSecOps use cases.

Devin Maguire, senior product marketing manager for Cycode, said that AI Exploitability Agent developed by Cycode will make it simpler for DevSecOps teams to prioritize remediation efforts based on the level of risk a vulnerability represents to the organization.

That’s critical at a time when AI coding tools are creating more vulnerabilities than ever in the code being developed. Cycode, for example, estimates that one security flaw is created for every 10,000 lines of code written. Overall, an estimated 40% of AI-generated applications have some type of vulnerability, according to Cycode.

More troubling still, cybercriminals are becoming more adept at discovering and reverse engineering those vulnerabilities using the same AI capabilities that are now being used by DevSecOps teams.

The Cycode AI Exploitability Agent is part of a suite of AI Security Teammates that Cycode added to its platform earlier this year. Those AI agents include a Change Impact Analysis Agent that monitors code changes across pull requests to identify material changes that significantly alter risk posture and a Fix & Remediation Agent that analyzes the root cause of an issue to suggest code fixes.

Those AI agents tap directly into a Risk Intelligence Graph (RIG) developed by Cycode to surface issues involving code repositories, workflows, secrets, dependencies and cloud infrastructure assets. Support for the Model Context Protocol (MCP), an emerging de facto standard integration framework for AI agents that was originally developed by Anthropic, makes it possible for those AI agents to access and share data. Informed by those insights, it then becomes possible to correlate scans to consolidate alerts, noted Maguire.

Ultimately, the goal is to not just identify and remediate vulnerabilities faster but also to improve relations between application development and cybersecurity teams. Many of the vulnerabilities identified by legacy application security tools often turn out to be in code that is not accessible or was never loaded into memory. AI agents, in contrast, are better able to assess the level of risk by analyzing the code and the runtime environment to provide more context, said Maguire.

It’s not clear to what degree organizations are prioritizing investments in application security. A recent Futurum Group survey finds that in terms of those investments, ASPM platforms, DevSecOps automation and orchestration are at the top of issues organizations are looking to address.

The survey also noted that the source of the funding for these initiatives is becoming more of a shared responsibility, with only 21% of respondents reporting that security budgets are the sole source. In fact, half of the respondents (50%) said application development teams now own responsibility for application security.

Regardless of the approach, securing software supply chains will only become more crucial as regulations around the world become more stringent. The issue is not so much whether applications will become more secure, so much as it is how soon and at what cost.