AWS Continuum brings AI models to code vulnerability management
AWS Continuum for code vulnerabilities, a system built to handle a vulnerability across its lifecycle, from discovery through to a fix, is now available in gated preview. It reasons over a customer’s environment, confirms which findings are real, and works toward resolution. It is model agnostic and draws on multiple frontier models, assigning each to the work where it performs best. AWS designed it to take in newer models as they become available.

“We need to shift to the new world: telemetry, context, reasoning, and actions. An approach that produces outcomes. The latest cybersecurity frontier models further made this shift urgent. Models like Claude Mythos can now find software vulnerabilities and reason through complex attack paths at machine-speed, leading to an exponentially increasing backlog of vulnerabilities,” Chet Kapoor, VP of Search, Security, and Observability at AWS, explained.
Four phases of operation
Continuum for code vulnerabilities runs in four continuous phases.
In discovery, the system ingests a customer’s existing backlog and runs its own scan of the environment, producing a wider view of vulnerabilities and the attack paths tied to them.
In prioritization, it weighs each finding against context such as whether the affected component is deployed, whether it is reachable, whether it sits in a production path, and what the business impact would be if exploited. The output is an evidence-backed list of priorities.
In validation, the system filters false positives and builds working exploit examples in a sandboxed environment, giving reproducible evidence of each issue.
In mitigation and remediation, it reviews existing defenses around a confirmed issue, including blocking controls, compensating controls, and detection mechanisms. It then recommends a network change, a policy change, or a code patch. The patch recommendation passes through the same validation system that confirmed the vulnerability. The product also supplies blast radius visibility and rollback paths where feasible.
The system reasons over structured and unstructured data. Structured inputs include infrastructure, permissions, network topology, and code. Unstructured inputs include documents, communications, and business priorities that describe how an organization operates and where its risk lies.
Graduated automation and added capabilities
Continuum begins in learn mode with a human reviewing its work, and every recommendation arrives with the reasoning behind it. Customers can move it to enforce mode, where remediation becomes increasingly automated according to categories and risk profiles they define.
AWS folded several existing tools into the product. The penetration testing and code scanning functions of the AWS Security Agent now run as Continuum pen testing and Continuum code scanning, both in preview. The company also launched Continuum threat modeling in preview, which generates threat models from design documents or source code and produces output in STRIDE format. These functions feed detection and analysis into the broader Continuum loop of discovery, prioritization, validation, and remediation.