Visa Open-Sources VVAH: AI-Powered Agentic Harness for Vulnerability Discovery and Remediation
Key Takeaways
- ▸VVAH automates the entire vulnerability pipeline from discovery through validated remediation using agentic AI, with Mean Time to Adapt (MTTA) as the primary success metric
- ▸Built on Anthropic's Project Glasswing framework, demonstrating enterprise adoption of agentic security workflows
- ▸Multi-agent deterministic voting and threat modeling before analysis are designed to reduce false positives and focus attack surface scanning
Summary
Visa has released VVAH (Visa Vulnerability Agentic Harness), an open-source tool that automates the complete vulnerability lifecycle from discovery and analysis to remediation and validation using frontier AI models. Built on learnings from Anthropic's Project Glasswing initiative for AI-assisted vulnerability research, VVAH implements a four-phase, eleven-stage pipeline designed to drastically reduce Mean Time to Adapt (MTTA)—the elapsed time from AI-discovered exploitability to a validated fix in production.
The platform employs three key design principles to maximize finding quality: threat modeling conducted before analysis to focus attack surface scanning, multi-agent deterministic voting to reduce false positives, and structured triage artifacts that compress the lifecycle from discovery to actionable findings. VVAH is intentionally multi-model, supporting Anthropic Claude, OpenAI-compatible models, or combinations via a vendor-neutral abstraction layer, though current remediation and validation capabilities require Anthropic models for full functionality.
The tool accepts standardized inputs including batch repositories, GitHub Enterprise metadata, CMDB records, and CVE feeds, while emitting structured reports, SARIF artifacts, remediation proposals, and validation reports. By default, the pipeline runs all eleven stages and can edit source files; users can halt at stage 9 for detection-only mode without code modifications. Visa notes that triage speed—not discovery speed—is the critical bottleneck in AI-assisted vulnerability management.
- Multi-model design supports Anthropic Claude, OpenAI, and hybrid configurations, though full remediation and validation require Anthropic models
- Identifies triage velocity—the speed from detection to validated fix—as the real constraint, not raw discovery capability



