When it comes to the vulnerability management process, where can current AI capabilities provide the most value? Have you had success with using AI-enabled tools specifically for deduplication, false positive reduction, prioritization, etc.?

While it’s not specifically AI, I want to mention the prioritization functionality we use, which is a product formerly known as Silk, now acquired by Armis. This tool does a good job of contextualizing vulnerabilities and providing additional information. It employs a proprietary prioritization engine built on AI to enhance the information provided. Although we are not using AI directly for prioritization, this solution has been very useful over the past six months or so.

We conducted a pilot using Claude to integrate with our vulnerability management tool, Tenable, aiming to facilitate communication and gain insights into remediation tasks for our team. The results were underwhelming. The tool struggled with hallucinations and lacked contextual understanding of our environment. Our engineers attempted to make it work across our manufacturing environment, OT security, and enterprise security, but the integration did not yield actionable vulnerability results. It failed to provide recommendations that an agent would actually execute. But the AI performed well in the realm of threat hunting by assisting with tasks like looking up IOCs, finding hashes, and searching within our SOC. For proactive vulnerability management (such as identifying necessary patches or available mitigations) the AI sometimes hallucinated or provided inaccurate information. We are still evaluating its capabilities, but so far, there has not been a measurable ROI to justify the investment; it remains proof of concept.