Express Computer

How agentic AI is reshaping enterprise cyber security


Enterprise cyber security is undergoing a decisive shift. As attack surfaces expand across cloud, endpoints, identities, and applications, security teams are under pressure not just to detect vulnerabilities but to prioritise, remediate, and communicate cyber risk in business terms. Traditional vulnerability management approaches are no longer sufficient in an environment defined by speed, automation, and AI-driven threats.

In this conversation with Express Computer, Himanshu Kathpal, Vice President – Product Management, Platform and Technologies at Qualys, talks about how the industry is moving towards risk operations, the growing role of agentic AI as a digital workforce, and why enterprises must unify vulnerabilities, misconfigurations, and identities into a single, business-aligned risk language. Drawing on customer engagements across BFSI, hyperscalers, manufacturing, and government, he explains how security leaders can operationalise cyber risk while aligning with board-level priorities.

Qualys has rebranded its flagship conference this year. What drove this change, and has the event met your expectations so far?

We have been hosting security conferences for nearly 20 years under the name Qualys Security Conference (QSC). This year, we rebranded our flagship annual conference to ROCon (Risk Operations Conference), reflecting the broader shift in the industry. Qualys is also evolving from being viewed purely as a vulnerability management company to becoming a risk operations company.

The idea was to align the event more closely with the business goals of cyber security teams and the priorities of C-suite leaders. That is why this year we introduced dedicated business tracks, rather than focusing only on product discussions.

We recently ran a similar event in Houston, where attendance increased by nearly 20 per cent, and we are seeing a similar trend here. What is particularly encouraging is that a majority of attendees this year are senior managers and above, which tells us that the message around risk, outcomes, and business relevance is resonating strongly.

You have unveiled an agentic AI capability at the core of the Qualys Risk Operations Centre. How does this redefine risk assessment and mitigation for enterprises?

We have always been strong at detecting vulnerabilities. However, the gap we consistently observed was that customers struggled to ingest, process, and remediate those findings at the same scale.

If vulnerabilities are detected but not remediated, risk is not actually reduced. That insight drove our decision to introduce agentic AI across Qualys workflows.

We see these agents as a digital workforce. Take a common scenario like Patch Tuesday. Instead of relying on human teams to manually analyse patch impact, the agent can prioritise patches based on risk, understand historical constraints (for example, servers that could not be patched over the last six months), and recommend alternative mitigation strategies.

The agent can also identify unnecessary software usage. For instance, if Chrome is installed on a server where it is not required, the agent will recommend uninstalling it. If a piece of software has not been used for nine months, it will suggest removing it instead of spending time and money patching it.

If a human team were to execute this entire workflow manually, it would easily take eight to ten hours. The intent behind agentic AI is to deliver this capability far more quickly and consistently, freeing security teams to focus on higher-value tasks.

From your interactions with large enterprises, what are the most pressing cyber security challenges CISOs face today?

There are two challenges we hear repeatedly from CISOs.

The first is the sheer volume of detections. As organisations deploy more software and expand their digital footprint, the attack surface grows. This naturally leads to a surge in vulnerabilities. It is simply not feasible, especially in large Indian enterprises, to patch everything.

The real challenge is understanding which risks matter most to the business.

The second challenge is the speed of remediation. Even when prioritisation is done correctly, attackers are weaponising vulnerabilities extremely quickly, sometimes within five days, according to recent Gartner reports.

In reality, remediation often takes longer due to testing cycles, operational dependencies, and governance processes. Closing that gap between detection, prioritisation, and action is where security teams struggle the most, and it is where we have focused significant innovation.

As organisations move from attack surface visibility to attack surface management, what architectural or operational gaps do enterprises still underestimate?

One of the most underestimated areas is the lack of insight around toxic combinations across vulnerabilities, misconfigurations, and identities.

Most organisations still use siloed tools for these three risk domains, with no unified understanding of how they interact. As a result, security teams lack a common view of risk across the environment.

This is where we play a key role. We are not saying customers must replace all their tools. Even if organisations continue using multiple solutions, they can feed that data into Qualys.

We apply threat intelligence consistently across vulnerabilities, misconfigurations, and identities, creating a single, common language of risk that security and business leaders can understand and act upon.

Building a unified risk view requires data integration and telemetry normalisation. What challenges do enterprises face here?

Based on our research, the average enterprise uses 70 or more cyber security tools, each producing output in a different format, some qualitative, some quantitative, and some based purely on CVSS severity.

The result is confusion. Organisations end up with 70 different top 10 risk lists, which dilutes prioritisation rather than improving it.

We ingest this data into a single platform and translate all these disparate risk signals into a unified risk score. This allows organisations to see the true top risks across their entire environment, rather than fragmented lists from individual tools.

Without this consolidation and normalisation, meaningful prioritisation is almost impossible.

CISOs are increasingly expected to communicate cyber risk in business terms. Where do you see the biggest gaps today?

Historically, CISOs reported metrics such as the number of vulnerabilities detected, patches applied, or security controls deployed. Unfortunately, these metrics mean very little to boards or CFOs.

Questions like “Are we more secure?” or “How much investment is required to reduce risk further?” were difficult to answer.

We address this by mapping cyber risk directly to financial impact. Using our platform, organisations can assign dollar values to business units and link those to their risk scores.

For example, a risk score reducing from 800 to 750 becomes a tangible outcome that boards can understand because it is expressed in the language of money, not technical jargon. This shift from vulnerability counts to financial risk communication is one of the biggest changes we are seeing across the industry.

Beyond automation, where do you see the most practical impact of agentic AI in enterprise security operations?

Time is the biggest factor. Consider a sector-specific advisory for banking. An agentic workflow can automatically map that advisory to a bank’s environment and assess impact instantly without waiting for analysts to manually correlate data and generate reports.

For tasks like prioritisation or reporting, these agents can operate autonomously. However, for actions such as patch deployment, human-in-the-loop controls remain essential to define scope and timing.

The value lies in accelerating decision-making while preserving operational stability.

How should organisations rethink remediation and prioritisation frameworks in an exploit-driven threat landscape?

We see remediation working best when it follows a three-pronged approach.

First, low-impact but critical patches such as browser or PDF reader updates should be fully automated.

Second, high-impact patches, like OS upgrades, should go through UAT validation before mass deployment.

Third, around 20 per cent of vulnerabilities often remain unresolved due to offline assets, failed deployments, or critical systems that teams hesitate to touch. In these cases, mitigation controls such as hardening, registry changes, or software removal become essential.

By combining these three approaches, customers significantly reduce their mean time to remediation (MTTR).

How do agentic AI workflows augment human teams, and can they reduce operational costs?

We see agentic AI as a digital workforce that augments human teams rather than replacing them.

Organisations can maintain the same workload with smaller operational teams, allowing skilled professionals to focus on more strategic initiatives. This naturally reduces operational costs while improving programme maturity.

Importantly, Qualys does not monetise agents based on output volume. We include them as part of the platform so customers can directly benefit from efficiency gains.

Which industries are seeing the strongest adoption of these capabilities?

We have strong traction across all major verticals. We support many of the world’s top banks, hyperscalers such as Microsoft, Amazon, Google, and Oracle, as well as major government entities and PSUs in India.

Industries with high data volumes, like BFSI and manufacturing in particular, are seeing significant value from risk-based prioritisation and automation.

Looking ahead, what should enterprises focus on as security strategies evolve rapidly?

Two areas stand out. First is security for AI by ensuring AI models are secure, not leaking data, and not introducing new risks such as hallucinations.

Second is the growing importance of identity threat management. Credential abuse continues to dominate breach statistics, and identity remains one of the most overlooked risk factors.

Organisations must address vulnerabilities, misconfigurations, and identities together, rather than in silos.

Our primary focus is to continue strengthening the Qualys Risk Operations Centre (ROC), enabling organisations to manage cyber risk end-to-end on a vendor-agnostic platform.

Enterprises will continue using best-of-breed tools, but they need a single language of risk, expressed in financial terms, to make informed decisions. Identity security will remain a core pillar of this strategy as the threat landscape continues to evolve.
