

Amazon Web Services (AWS) today launched a service that expands the scope of the artificial intelligence (AI) tools it provides for securing code, adding an agent that discovers, validates and prioritizes vulnerabilities and then surfaces a remediation recommendation for each one.
Announced at the AWS New York Summit, the AWS Continuum service also adds a tool to automatically create threat models for codebases.
Additionally, AWS is now making it possible to run code reviews, generate threat models, and remediate findings directly from within an integrated development environment (IDE) or command line interface (CLI) by invoking the Model Context Protocol (MCP).
Those tools and capabilities join the previously launched AWS Security Agent, an AI tool that automates penetration testing and is now generally available.
Chet Kapoor, vice president of security services and observability for AWS, told conference attendees that in the wake of more advanced AI models such as Mythos from Anthropic becoming available, AWS has accelerated the development of tools to secure codebases. Those capabilities now extend across four distinct phases of an application security workflow, he added.
The AWS Continuum vulnerability discovery and remediation workflow starts by ingesting an existing backlog of vulnerabilities and scanning the codebase, so that the AI tools have a comprehensive view of those vulnerabilities and the attack paths associated with them. Continuum uses that context to evaluate, enrich and prioritize every finding according to whether the affected component has actually been deployed, whether it is reachable and how much of a threat it poses to the business.
Continuum then validates findings to weed out false positives, constructing working exploits in a sandboxed environment to provide concrete, reproducible evidence that an issue is real.
Finally, Continuum assesses the existing defenses around a validated issue, including blocking and compensating controls and detection mechanisms. Drawing on its understanding of the codebase, the surrounding context and the findings, it recommends a mitigation or remediation, for example a network change, a policy change or a code patch. A recommended patch is validated by the same system that confirmed the vulnerability, and the recommendation includes blast radius visibility and rollback paths where feasible.
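The four stages described above (enrich and prioritize by deployment and reachability, validate with sandbox evidence, discount for compensating controls, recommend a fix) are what a triage pipeline of this kind has to do regardless of which model drives it. The following is an added example, not Continuum's code or anything AWS has published: it runs a small triage over a constructed call graph and a constructed backlog of findings. Every name, weight and finding below (`CALL_GRAPH`, `ENTRY_POINTS`, the `CONTROL_DISCOUNT` multipliers, the `F-00x` ids) is an assumption chosen for illustration; reachability is decided by a breadth-first search from attacker-facing entry points, and a finding whose sandbox exploit failed to reproduce is closed as a false positive rather than scored.

```python
"""Illustrative vulnerability triage pipeline.

Added example, not code from AWS Continuum: it models the stages the article
describes (enrich/prioritize, validate, assess defenses, recommend) over a
constructed call graph and constructed findings. Every identifier and weight
below is an assumption chosen for the example.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed call graph of a hypothetical service: caller -> callees.
CALL_GRAPH: Dict[str, List[str]] = {
    "http_handler": ["parse_request", "render_page"],
    "parse_request": ["decode_json"],
    "render_page": ["render_template"],
    "queue_consumer": ["process_job"],
    "process_job": ["decode_json"],
    "admin_cli": ["load_config"],   # operator-only tool, not an attacker entry point
    "load_config": ["parse_yaml"],
}
# Functions an unauthenticated or low-privilege attacker can drive directly.
ENTRY_POINTS: Set[str] = {"http_handler", "queue_consumer"}

# Assumed residual-risk multipliers for compensating controls in front of a finding.
CONTROL_DISCOUNT = {"waf": 0.6, "network_acl": 0.5, "detection_only": 0.9}
UNREACHABLE_DISCOUNT = 0.3  # vulnerable code present but on no attacker-driven path


@dataclass(frozen=True)
class Finding:
    fid: str
    component: str
    vuln_func: str                    # function the vulnerable code lives in
    base_severity: float              # CVSS-like 0..10 from the scanner
    deployed: bool                    # is the affected build actually running?
    sandbox_exploit: Optional[bool]   # None = not attempted, True/False = reproduced or not
    patch_available: bool
    controls: Tuple[str, ...] = ()


def reachable_from_entry(graph, entry_points, target) -> bool:
    """Breadth-first search: is `target` on some call path from an entry point?"""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn == target:
            return True
        for callee in graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return False


def recommend(f: Finding, reachable: bool) -> str:
    """Pick the cheapest remediation that removes the risk: patch, else network, else policy."""
    if f.patch_available:
        return f"code patch: upgrade {f.component}"
    if reachable:
        return f"network change: block ingress to the path that reaches {f.vuln_func}"
    return f"policy change: forbid new deployments of {f.component} until fixed"


def triage(f: Finding, graph=CALL_GRAPH, entry_points=ENTRY_POINTS) -> dict:
    """Enrich one finding with deployment, reachability, validation and control context."""
    reachable = reachable_from_entry(graph, entry_points, f.vuln_func)
    if not f.deployed:
        return {"fid": f.fid, "status": "deferred", "residual": 0.0,
                "reachable": reachable, "action": "not deployed; fix in next build"}
    if f.sandbox_exploit is False:
        return {"fid": f.fid, "status": "false_positive", "residual": 0.0,
                "reachable": reachable, "action": "close with sandbox evidence attached"}
    residual = f.base_severity
    if not reachable:
        residual *= UNREACHABLE_DISCOUNT
    for control in f.controls:
        residual *= CONTROL_DISCOUNT.get(control, 1.0)  # unknown control earns no credit
    status = "validated" if f.sandbox_exploit else "unvalidated"
    return {"fid": f.fid, "status": status, "residual": round(residual, 2),
            "reachable": reachable, "action": recommend(f, reachable)}


def rank(findings) -> List[dict]:
    """Highest residual risk first; ties broken by finding id for stable output."""
    return sorted((triage(f) for f in findings), key=lambda r: (-r["residual"], r["fid"]))


# Constructed backlog for the example.
BACKLOG = [
    Finding("F-001", "jsonlib", "decode_json", 9.8, True, True, True, ("waf",)),
    Finding("F-002", "yamllib", "parse_yaml", 9.0, True, None, False),
    Finding("F-003", "templating", "render_template", 7.5, False, None, True),
    Finding("F-004", "imagelib", "resize_image", 8.1, True, False, True),
]

if __name__ == "__main__":
    for r in rank(BACKLOG):
        print(f"{r['fid']} {r['status']:<15} residual={r['residual']:<5} "
              f"reachable={r['reachable']} -> {r['action']}")
```

Running it ranks `F-001` first: its base score of 9.8 is reduced to 5.88 by the assumed WAF in front of it, but the sandbox reproduced the exploit and a patch exists, so the action is a code patch. `F-002` keeps a non-zero residual because the code is deployed even though it is only reachable through the operator CLI, and `F-004` drops to the bottom with the sandbox result as evidence for closing it. The multipliers are placeholders; the point is that deployment, reachability and sandbox validation change the order in which a backlog gets worked.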
Continuum itself is AI model agnostic and was built using data and code samples drawn from AWS and Amazon.
It’s not clear to what degree cybercriminals are using AI models to compromise software supply chains, but it’s now more a question of when and how often they will, rather than if. While access to AI models such as Mythos remains limited, it’s already been shown that other AI models such as ChatGPT 5.5 from OpenAI are also very adept at discovering vulnerabilities. It is also now only a matter of time before other proprietary and open source AI models gain similar capabilities.
As such, DevSecOps teams, like it or not, are now in a race against time to remediate as many vulnerabilities as possible before malicious actors use readily available AI tools and models to discover and exploit them.