Session
I Gave My CVE Backlog to an Agent: Reachability, VEX, and Agentic Triage
Your scanner finds 400 CVEs in a container image. A handful are actually exploitable. The rest is noise your team patches anyway.
So I gave that backlog to my AI agent. Working from a Trivy scan, it:
1. reads the reachability graph onto which vulnerable functions your code actually calls
2. decides what's genuinely exploitable
3. writes the verdict as OpenVEX, signed and attested with in-toto and Sigstore
This talk is the honest report: what the agent got right, what it got dangerously wrong, and the human-in-the-loop design that keeps a confident LLM from waving through a live CVE.
We'll build the full pipeline on Kubernetes: Trivy scan, reachability, agentic triage, OpenVEX, in-toto/Sigstore signing, and a deployment gate with real before/after numbers on the noise it removes.
You'll leave with a pattern for cutting CVE noise with reachability and VEX, and a clear-eyed view of where an agent belongs in security work and where it absolutely does not.
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top