BotBeat
...
← Back

> ▌

VisaVisa
OPEN SOURCEVisa2026-07-16

Visa Open-Sources VVAH: AI-Powered Agentic Harness for Vulnerability Discovery and Remediation

Key Takeaways

  • ▸VVAH automates the entire vulnerability pipeline from discovery through validated remediation using agentic AI, with Mean Time to Adapt (MTTA) as the primary success metric
  • ▸Built on Anthropic's Project Glasswing framework, demonstrating enterprise adoption of agentic security workflows
  • ▸Multi-agent deterministic voting and threat modeling before analysis are designed to reduce false positives and focus attack surface scanning
Source:
Hacker Newshttps://github.com/visa/visa-vulnerability-agentic-harness↗

Summary

Visa has released VVAH (Visa Vulnerability Agentic Harness), an open-source tool that automates the complete vulnerability lifecycle from discovery and analysis to remediation and validation using frontier AI models. Built on learnings from Anthropic's Project Glasswing initiative for AI-assisted vulnerability research, VVAH implements a four-phase, eleven-stage pipeline designed to drastically reduce Mean Time to Adapt (MTTA)—the elapsed time from AI-discovered exploitability to a validated fix in production.

The platform employs three key design principles to maximize finding quality: threat modeling conducted before analysis to focus attack surface scanning, multi-agent deterministic voting to reduce false positives, and structured triage artifacts that compress the lifecycle from discovery to actionable findings. VVAH is intentionally multi-model, supporting Anthropic Claude, OpenAI-compatible models, or combinations via a vendor-neutral abstraction layer, though current remediation and validation capabilities require Anthropic models for full functionality.

The tool accepts standardized inputs including batch repositories, GitHub Enterprise metadata, CMDB records, and CVE feeds, while emitting structured reports, SARIF artifacts, remediation proposals, and validation reports. By default, the pipeline runs all eleven stages and can edit source files; users can halt at stage 9 for detection-only mode without code modifications. Visa notes that triage speed—not discovery speed—is the critical bottleneck in AI-assisted vulnerability management.

  • Multi-model design supports Anthropic Claude, OpenAI, and hybrid configurations, though full remediation and validation require Anthropic models
  • Identifies triage velocity—the speed from detection to validated fix—as the real constraint, not raw discovery capability
Generative AIAI AgentsCybersecurityOpen Source

More from Visa

VisaVisa
PRODUCT LAUNCH

Visa Integrates AI to Streamline Credit Card Dispute Resolution

2026-04-02

Comments

Suggested

Google / AlphabetGoogle / Alphabet
POLICY & REGULATION

Linus Torvalds Embraces AI-Powered Code Review, Rejects Anti-AI Stance in Linux Kernel

2026-07-16
KI BundesverbandKI Bundesverband
PRODUCT LAUNCH

German Consortium Releases Soofi S, Open 30B Model Topping Benchmarks

2026-07-16
AnthropicAnthropic
RESEARCH

Bun's 11-Day Rust Migration Shows Anthropic's Fable AI Reshaping Software Rewrites

2026-07-16
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us