AWS Launches Continuum, a Family of Autonomous Security Agents for Automated Vulnerability Remediation
AWS announced Continuum, a suite of autonomous security agents that automatically discover, prioritize, and fix vulnerabilities across cloud environments.
Amazon Web Services has entered the vulnerability remediation market with the launch of Continuum, a new family of autonomous security agents designed to help organizations manage and fix vulnerability backlogs at scale. Announced at an AWS event in New York City, Continuum aims to address the growing challenge of cloud vulnerability sprawl by providing continuous, hands-off security operations. The platform includes agents for penetration testing, code review, threat modeling, and code vulnerability identification, with a 'graduated trust' model that allows enterprises to gradually cede control to automation.
Continuum is positioned as a response to what some in the industry call the 'vulnpocalypse'—an explosion of vulnerability discoveries fueled by frontier AI models that far outpaces human defenders' ability to triage and remediate. Matt Wood, chief AI and technology officer at AWS, explained in a briefing that Continuum moves beyond token-heavy AI workflows that still require human involvement. 'Those efficiencies are great, but they usually require a human to catch the output at the other end… There's no long-term build-up of value,' Wood said. Continuum aims to provide 'agentic continuity,' learning from each interaction to reduce manual oversight over time.
New capabilities include a threat modeling agent that generates threat models from design documents or source code and runs continuously in integrated development environments (IDEs), and a code vulnerability agent that ingests an enterprise's backlog of vulnerabilities, performs its own scans, and creates a comprehensive view of attack paths. The code vulnerability agent is currently in preview. The platform supports a graduated trust framework, where organizations start in 'learn mode' and eventually move to 'enforce mode,' at which point human intervention becomes the exception rather than the rule.
Continuum enters a competitive landscape alongside Google’s CodeMender and Microsoft’s MDASH. CodeMender, originally in research preview before being folded into Google's enterprise agent platform, focuses on vulnerability discovery and patching. MDASH, a 100-agent AI bug-hunting system announced by Microsoft, has yet to become generally available. AWS's offering differentiates itself by emphasizing end-to-end autonomous remediation, from discovery to patching, and by integrating directly with its cloud ecosystem.
AWS is already testing Continuum with customers in financial services, automotive, and technology sectors. The company also updated AWS Transform, a service for modernizing legacy applications and codebases, at the same event. Transform aims to address potential vulnerabilities in old open-source code by helping organizations migrate to more secure architectures. Neha Rungta, director of applied science at AWS, told ISMG that trust in autonomous systems builds over time, comparing the approach to how autopilot systems in aviation eventually gained acceptance.
Industry experts note that the need for automated remediation is acute. The Forum of Incident Response and Security Teams (FIRST) projects that 2026 will see nearly 66,000 CVEs, driven in large part by AI agents automating vulnerability discovery. Continuum represents a bet that enterprises will embrace agent-driven remediation as a way to keep pace, provided the systems can prove their reliability and auditability. For now, AWS is positioning Continuum as the first step toward a future where security agents operate largely independently, with humans stepping in only for oversight.
The launch underscores a broader shift in cybersecurity toward autonomous tools. As AI-generated vulnerabilities become more common, hyperscalers like AWS, Google, and Microsoft are racing to offer products that can not only find flaws but also fix them without human intervention. Whether enterprises will fully trust such systems remains to be seen, but with vulnerability backlogs growing, the market for automated remediation is likely to expand rapidly.