Averlon has launched Precog, a predictive remediation tool for code and infrastructure changes designed to stop exploitable risks before they reach production.
The launch comes as security teams face a shrinking window to respond to software weaknesses. Averlon cited Google Cloud's Mandiant M-Trends 2026 report, which found mean time to exploit fell from 63 days in 2018 to an estimated minus seven days in 2025, indicating attacks can begin before a patch is available.
Precog targets the early stages of the software delivery process. It reviews proposed code and infrastructure changes before release and flags those that could create an exploitable exposure in a customer's environment.
Rather than relying on generic severity rankings, the system evaluates whether a change would be exploitable in practice. That analysis includes factors such as internet reachability, exposed services, and compensating controls already in place.
Precog integrates into continuous integration systems, including GitHub. When it identifies a risky change, it explains the attack path and provides a proposed remediation within the developer workflow.
Averlon is positioning the tool as part of a broader shift in cybersecurity operations. The company uses the term Remediation Operations, or RemOps, to describe a model in which security teams focus less on generating alerts and more on determining which issues are genuinely exploitable and should be fixed first.
That argument reflects a wider concern across the security industry: the volume of findings is outpacing teams' ability to triage them. The spread of generative AI in software development has added to that pressure by speeding up code production while also, in some cases, introducing insecure code into development pipelines.
Shift left
For security teams, the central problem is timing. Once vulnerable code reaches production, defenders must investigate, prioritise, and fix issues while attackers may already be moving to exploit them.
Averlon said its existing platform has helped customers cut remediation time by up to 90% and reduce alert noise by up to 95%, shrinking backlogs from thousands of findings to a small number requiring action. Precog pushes that model further upstream by aiming to prevent exposures from being introduced at all.
Chris Steffen, Vice President of Research at Enterprise Management Associates, commented on the direction of the market.
"AI is changing both sides of the software lifecycle. It is accelerating development while also introducing code that is often not ready for production. With AI also accelerating the discovery and exploitation of weaknesses in that software, security teams can no longer rely only on post-production detection and backlog management. Capabilities like Averlon's Precog point to where the market is headed: identifying risky changes earlier and helping developers fix them before they become production exposure," said Steffen.
The product is accompanied by Vulnerability Intelligence, Averlon's CVE research feed, which provides additional context for teams assessing newly disclosed vulnerabilities. The feed includes details such as exploitability, attacker requirements, required privileges, user interaction, and evidence of attacks in the wild.
Developer workflow
The emphasis on delivering fixes within developer tools is notable. Security vendors have long struggled with the tension between finding weaknesses and getting engineering teams to address them without slowing software releases.
By placing the alert and proposed fix in the same workflow, Averlon is seeking to reduce friction between developers and security teams. The approach also reflects a growing effort across the sector to embed security decisions earlier in software delivery rather than relying mainly on post-deployment monitoring.
Sunil Gottumukkala, Chief Executive Officer of Averlon, framed the issue as one of scale and speed.
"Security teams have relied on finding and fixing vulnerabilities after they reach production. AI has made that untenable from both directions: it is generating new vulnerabilities faster than teams can triage them, and it is collapsing the window between exposure and exploitation. You cannot remediate your way out of that. The only way to stay ahead is to prevent exploitable risk from reaching production in the first place. That is what Precog does," said Gottumukkala.