In this article:
- AI + pen-testing integration: Horizon3.ai’s NodeZero platform now includes a Model Context Protocol (MCP) server that connects to AI agents or LLMs. This lets the AI ingest pen-test results, prioritize vulnerabilities, create remediation tickets, and then re-test fixes to confirm they work.
- Closing the loop in vulnerability management: Traditional scanning and RBVM methods often swamp security teams with alerts. By validating exploitability through rapid, automated pen-testing, NodeZero with AI integration helps "close the loop," ensuring only real threats are prioritized and remediated.
- Toward continuous, autonomous security: Embedding NodeZero into AI-driven workflows enables a continuous find-fix-verify cycle. This automation accelerates remediation and makes offensive and defensive security complementary forces for proven resilience.
If you use AI, you may still be amazed by how quickly it works. For example, we just asked ChatGPT to write us a 1,000-word short story. It took 3 seconds.
While the story is a bit corny, it's not bad, maybe worth an A-minus in a creative-writing class. And it would have taken us a couple of hours to write it.
Now imagine you're doing vulnerability management in a security operations center. You spend several hours each day collecting, correlating and analyzing data from your scanners, SIEMs, EDRs and recent penetration tests; creating priority lists of discovered threats and vulnerabilities; reporting findings to your supervisors; carrying out remediation procedures; and finally verifying that the fixes took.
What if you could get most of that done in an hour or two? Better yet, what if you could do it several times a day? A SOAR tool can get you started with defensive scanning and patching, but incorporating an AI agent into your offensive-security workflow will be what really takes you there.
"Most security teams have a massive backlog of exploitable vulnerabilities to fix, and agentic remediation workflows could fundamentally change the way teams find, fix, and verify (think: the convergence of pen-testing and SOAR)," wrote Horizon3.ai CEO and Co-Founder Snehal Antani in a recent LinkedIn post.
Welcome to the machines
To that end, Horizon3.ai has added a Model Context Protocol (MCP) server to its NodeZero automated penetration-testing tool. This lets clients connect their own AI agents or large language models (LLMs) to NodeZero to access and ingest pen-testing results directly.
The AIs can then turn to ServiceNow, Jira or other project-management tools and create tickets to remediate the issues discovered through pen tests, vulnerability scans, EDR or other means. Once the fixes are made, the AI can then reconnect with NodeZero's MCP server to run spot pen tests and verify that the remediations worked.
Because NodeZero can run very quickly, sometimes completing penetration tests in less than half an hour, the automation and orchestration of the entire discovery-remediation-verification process can be run more than once per day.
"Part of the challenge is integrating between 10 tools just to understand what happened, let alone fix it!!" wrote Antani on LinkedIn. "That's why we built the NodeZero MCP Server."
Closing the loop
Penetration tests, red teaming and other forms of offensive security are an essential part of vulnerability management, but they can't directly remediate the issues they find. It takes the efforts of security personnel to install patches and update or reconfigure software.
For instance, Horizon3.ai's NodeZero can assess, classify, validate and prioritize the vulnerabilities and other weaknesses it finds. Yet it doesn't have the ability to mitigate or remediate them. NodeZero can verify after the fact that a fix was made, but that still leaves a gap in the vulnerability-management cycle to be filled by other tools and procedures.
The addition of the MCP server changes the game by letting NodeZero "close the loop" with the client's own in-house AI agent or LLM. The AI can now act as a SOC staff member, ingesting and analyzing the pen-test data, assessing and prioritizing the discovered weaknesses, presenting the findings, and finally, thanks to MCP servers that connect to Jira or SOAR tools, orchestrating fixes and mitigations.
"The NodeZero MCP Server turns your AI into a security operator with the attacker's perspective," observes a Horizon3.ai blog post. "Your AI becomes a junior red team analyst."
This procedure may not remediate all the flaws that might be found by a traditional defensive vulnerability scanner. Conversely, automated pen-tests can find many flaws that regular scanners miss.
Either way, automated penetration testing, under the guidance of an AI agent or a human, can take the attacker's perspective and validate whether any flaw discovered by any offensive or defensive method poses a threat by trying to exploit it. If the exploit fails to work or has no effect, the vulnerability or other weakness may not be worth the effort to fix.
"Just because it's vulnerable does not mean it is exploitable," says Stephen Gates, Principal Security Subject-Matter Expert at Horizon3.ai. "It's all based upon how it's deployed, where it's deployed, what's protecting it."
Cutting down the noise
Fixing high-priority items while leaving the low-risk ones alone is the primary concept behind risk-based vulnerability management (RBVM). But as with all scan-based security tools, vulnerability scanners can often drown security personnel in a sea of alerts. Even RBVM is based on theoretical, not validated, risks that consider the organizational mission and network architecture, which cuts away only some of the non-exploitable vulnerabilities.
That's another reason it's important to use pen-testing to prove that a vulnerability really can be exploited by an attacker. It narrows down the focus of the security team to only those flaws that truly do pose threats.
Combining the reduced list of issues to be fixed with the automated pen-testing can be a game-changer for risk-based vulnerability management. Incorporating supervision and decision-making by AI agents into the pen-testing and remediation process can speed things up to the point where the process operates on its own around the clock.
"By embedding Find, Fix, Verify cycles into your existing agentic workflows, MCP Server operationalizes offensive testing as a continuous, autonomous process," notes a Horizon3.ai blog post. "Findings become actionable instructions for AI-driven agents that integrate with your tools, orchestrate fixes, and verify remediation in real time."
Once that happens, the find-fix-verify cycle of offensive security could almost become a "set it and forget it" process as the AI handles most of the relevant tasks in the background.
"Offensive and defensive security are not opposites — they're complementary," says another Horizon3.ai blog post. "When combined, they close the gap between assumed security and proven resilience."