AI brokers assist Cato slash ‘time-to-protect’ from new CVEs
Safe entry service edge (SASE) specialist Cato Networks has claimed a brand new world document for vulnerability mitigation, saying it has reduce ‘time-to-protect’ for a newly-discovered frequent vulnerability and publicity (CVE) all the way down to a mere 45 minutes utilizing agentic risk intelligence.
Conventional appliance-based safety is determined by a gradual patching cycle through which suppliers develop protections and push them stay as updates, following which clients should check them and improve or configure the property in scope. Within the incorrect circumstances, this may take weeks, and success hinges fully on the actions of the client safety group.
Cato’s cloud-native software program structure has already compressed this multi-week cycle to mere hours, however including synthetic intelligence (AI) brokers into the combination, it’s now squeezing this timescale much more tightly, within the hope of defending organisations from rising exploits at machine, relatively than human velocity.
Cato co-founder and CEO Shlomo Kramer mentioned: “Attackers transfer in minutes. Equipment-centric safety nonetheless strikes in patch cycles.
“Cato closes the hole by turning new CVE intelligence into protections deployed globally throughout our cloud service, with zero buyer effort. Within the AI period, safety structure is not a matter of effectivity. It’s a do-or-die safety determination,” mentioned Kramer.
Why it issues
When the end-of-year cyber roundups are written, one of many greater technical tales of 2026 would be the creation of frontier AI fashions from the likes of Anthropic and OpenAI, that are supposedly accelerating the size and velocity of CVE disclosure to the consternation of many.
The US’ Nationwide Institute of Requirements and Expertise (NIST) has reported that CVE submissions to its Nationwide Vulnerability Database (NVD) have ballooned by over 250% for the reason that begin of the ‘20s and had been over 33% year-on-year in the course of the first calendar quarter of 2026.
In gentle of this, again in April 2026, NIST mentioned that this surge was forcing it to revise its CVE classification methodology, with the outcome that will probably be ‘enriching’ flaws – offering detailed info to assist end-users prioritise and mitigate them – much more not often.
On this new paradigm NIST is prioritising CVEs that seem within the US’ Cybersecurity and Infrastructure Safety Company’s (Cisa’s) Recognized Exploited Vulnerabilities (Kev) catalogue or these to which the US authorities is especially uncovered. Others might be left by the wayside.
When one additionally considers that solely simply over half of edge system vulnerabilities had been fully-mitigated in 2025 – this in accordance with Verizon statistics – Cato mentioned that it was clear conventional patching methodologies are not as much as the job
Safety groups are not combating time-to-protect, it argued, they’re combating to scale back time-to-exploit.
The way it works
Over its 11-year lifespan to this point, Cato has been intently monitoring vulnerabilities, growing and validating protections, and deploying updates throughout its cloud with – so it claims – near-zero false positives.
By making use of AI brokers to its working mannequin it’s now in a position to run the total safety lifecycle beneath human supervision however with no human involvement.
Successfully, its brokers are empowered to observe and triage disclosed vulnerabilities from numerous sources, extract indicators of compromise (IoCs) and reproduce exploits inside a sandbox surroundings, develop risk signatures and check and simulate them to remove false positives or potential sources of disruption, and deploy these validated signatures to its cloud platform robotically, unburdening its buyer safety groups.
The agency mentioned that its visibility into the community to see assaults, the platform to correlate their context, and the cloud to implement safety worldwide, put it in a superb place to operationalise safety updates at machine velocity.
Extra broadly, agentic CVE mitigation could herald a broader trade shift as safety ops on the whole drift away from guide, user-run workflows to ongoing, machine-scale safety within the cloud.
“The breakthrough right here is not only velocity,” mentioned Elad Menahem, Cato senior vice chairman of analysis. “It’s that vulnerability response itself can now function repeatedly and at machine scale.”
