Session

I Gave My CVE Backlog to an Agent: Reachability, VEX, and Agentic Triage

Your scanner finds 400 CVEs in a container image. A handful are actually exploitable. The rest is noise your team patches anyway.

So I gave that backlog to my AI agent. Working from a Trivy scan, it:
1. reads the reachability graph onto which vulnerable functions your code actually calls
2. decides what's genuinely exploitable
3. writes the verdict as OpenVEX, signed and attested with in-toto and Sigstore

This talk is the honest report: what the agent got right, what it got dangerously wrong, and the human-in-the-loop design that keeps a confident LLM from waving through a live CVE.

We'll build the full pipeline on Kubernetes: Trivy scan, reachability, agentic triage, OpenVEX, in-toto/Sigstore signing, and a deployment gate with real before/after numbers on the noise it removes.

You'll leave with a pattern for cutting CVE noise with reachability and VEX, and a clear-eyed view of where an agent belongs in security work and where it absolutely does not.

Himanshu Sangshetti

AI Engineer @ Mem0

Pune, India

Actions

Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.

Jump to top