Beyond CVEs: Agentic AI for Real-World Software Vulnerability Discovery and Prioritization
DOI: https://doi.org/10.63282/3050-9262.IJAIDSML-V7I1P124

Keywords: Agentic AI, Software Vulnerability Detection, CVE-agnostic Security Analysis, Multi-Agent Systems, Context-Aware Risk Assessment, Vulnerability Prioritization, Software Supply Chain Security

Abstract
Software systems are increasingly built with complex configurations involving third-party libraries, cloud platforms, and continuously running deployment pipelines. These factors contribute to the continuous expansion of attack surfaces, making security a critical concern. State-of-the-art software security tools rely on predefined vulnerability identifiers, such as the Common Vulnerabilities and Exposures (CVEs), combined with static, rule-based analysis. However, such approaches are ineffective at discovering previously unknown vulnerabilities, exposed misconfigurations, and environment-dependent security issues commonly found in real-world systems. This results in suboptimal coverage, elevated false positive rates, and alert fatigue for security teams. This paper introduces an agentic artificial intelligence–centric framework for software vulnerability discovery and prioritization that operates beyond CVE-based detection. The proposed system adopts a multi-agent architecture in which specialized agents analyze proprietary and third-party source code, software dependencies, configuration artifacts, and runtime environment context. Leveraging large language models with semantic reasoning and contextual risk inference capabilities, the framework identifies security issues that lack prior classification in public vulnerability databases. Unlike traditional severity-based scoring approaches, the proposed framework prioritizes vulnerabilities based on exploit likelihood, prevalence, and operational impact. This risk-based prioritization reduces remediation effort by focusing attention on vulnerabilities that pose substantial real-world risk. Experimental evaluation on heterogeneous, production-scale software repositories demonstrates improved recall for previously unclassified vulnerabilities, along with a measurable reduction in false positives and alert fatigue when compared to conventional CVE-based scanners. These findings indicate that agentic AI represents a promising pathway for bridging academic vulnerability taxonomies with the practical security requirements of modern software supply chains.
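To make the abstract's severity-versus-risk distinction concrete, the following added example (written for this page, not the paper's framework) ranks a constructed set of findings once by CVSS and once by exploit likelihood, prevalence, and operational impact; the multiplicative scoring formula and all sample values are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    """One finding from a scan. cvss is None when no public CVE exists
    (e.g. a misconfiguration or an environment-specific issue)."""
    name: str
    cvss: Optional[float]      # nominal severity 0-10, None if there is no CVE
    exploit_likelihood: float  # 0-1: how reachable/exploitable it is in this deployment
    prevalence: float          # 0-1: share of hosts or services carrying the issue
    operational_impact: float  # 0-1: blast radius if exploited (data, availability)


def contextual_risk(f: Finding) -> float:
    """Assumed scoring: product of the three context factors, scaled to 0-10.
    The multiplicative form means an unreachable issue (likelihood near 0)
    scores low no matter how severe its nominal CVSS rating is."""
    return round(10.0 * f.exploit_likelihood * f.prevalence * f.operational_impact, 2)


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """Conventional ordering: CVSS descending. CVE-less findings have no score
    and sink to the bottom, which is the blind spot the paper targets."""
    key = lambda f: -1.0 if f.cvss is None else f.cvss
    return [f.name for f in sorted(findings, key=key, reverse=True)]


def rank_by_risk(findings: List[Finding]) -> List[str]:
    """Risk-based ordering as described in the abstract."""
    return [f.name for f in sorted(findings, key=contextual_risk, reverse=True)]


def cve_blind_spots(findings: List[Finding], threshold: float = 1.0) -> List[str]:
    """Findings a CVE-only scanner would never surface but whose context risk
    exceeds the (assumed) threshold; candidates for the top of a triage queue."""
    return [f.name for f in findings if f.cvss is None and contextual_risk(f) >= threshold]


# Constructed sample findings (values chosen for illustration only).
SAMPLE = [
    Finding("outdated XML lib, CVE, internal-only batch job", 9.8, 0.05, 0.1, 0.4),
    Finding("world-readable storage bucket ACL, no CVE", None, 0.9, 0.6, 0.9),
    Finding("debug endpoint enabled in prod, no CVE", None, 0.7, 0.3, 0.6),
    Finding("logging lib with moderate CVE on edge service", 6.5, 0.4, 0.8, 0.7),
]
```

Running both rankings over SAMPLE shows the critical-CVSS library last under the risk ordering and the CVE-less bucket ACL first, the inversion the abstract describes.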