Aisy has emerged from stealth with $2.3 million in seed funding from Osney Capital, Flying Fish Ventures, and 6 Levels Capital, along with additional angel investors.
The company provides an AI-assisted platform designed to help security teams manage, prioritize, and reduce an overwhelming volume of vulnerability alert tickets.
“Sensible individuals are burning out sifting through backlogs of unprioritized, low-value vulnerabilities, while the true vital pathways go unprotected,” says Shlomie Liberow, founder and CEO of Aisy (and previously head of hacker analysis and improvement at HackerOne).
He doesn’t see this changing for mid-tier and larger companies, partly because of the security industry itself. Every vulnerability tool competes with other vulnerability tools, and each one avoids the possibility of a competitor finding more issues than it does. So its DNA is to find everything possible, regardless of criticality.
Aisy operates by finding the most impactful vulnerabilities (which may not be obvious from a simple list or spreadsheet of alert tickets). It does this by looking at the system from the hacker’s viewpoint: from the outside first. “In the world of bug bounty,” he explains, with the authority of seven years at HackerOne, “it’s not about ‘I went onto a website, and I discovered a specific route, and now out of the blue I’m leaking privileged data’. It’s more ‘I discovered this peculiar behavior, and I also noticed something else odd nearby, and I can put the two together’.”
That’s the real bug (chaining vulnerabilities), but it’s not always evident in a simple list of tickets unearthed by security products. “The play with Aisy is similar to hackers,” he continues. “We know what the patterns usually lead to. We know what things are interesting.”
At a high level, this is achieved through two steps. The first is to map the system from the outside, so that Aisy understands the system in the same way that an attacker would understand it. “We map the infrastructure through the eyes of an attacker, because we believe the way the attacker makes sense of infrastructure is very different from traditional security tooling.” This is done daily to accommodate all changes as they happen, and to continuously ensure the platform understands what an attacker would understand.
The second step is to ingest all the existing tickets, whether produced by security tooling, pen testing, or even bounty hunters. “We then sieve through these from the point of view of a hacker and can see where separate tickets might combine into something more severe. You might have an IDOR [insecure direct object reference, now more usually classified as broken access control] and a separate XSS.”
The platform might find six or more tickets that could be chained together. But it also understands the assets that would be affected by this chaining, and how important the different assets might be to the company. In this way it can surface the critical vulnerability tickets that should be remediated first to protect the infrastructure.
It uses AI to add ‘creativity’ to its analysis, but Liberow is well aware of the limitations and issues with LLMs. “It helps with semantic understanding of different tickets from different sources, but doesn’t assist in relating tickets to tickets and to assets. That’s down to our own platform.”
Aisy doesn’t currently do any autonomous remediation of the vulnerabilities it highlights as urgent. Liberow is not sure that industry is ready to allow autonomous remediation yet. “I think we can get close. We can give advice, and that’s part of what we’re doing. But we’re not focused on automated remediation for two reasons, partly because I don’t want to get distracted while we’re focusing on the more hairy problems; and partly because the industry isn’t ready to accept the idea of pressing a button to fix everything without panicking.”
Generally, companies are competent in fixing their own problems, but Aisy surfaces the why, the how, and the order in which vulnerabilities found within potentially hundreds of thousands of alert tickets should be remediated.
