IT Brief India - Technology news for CIOs & IT decision-makers
Azul launches free JVM risk assessment amid AI threat

Thu, 18th Jun 2026
Joseph Gabriel Lagonsin, News Editor

Azul has launched a free JVM vulnerability risk assessment for organisations running Java environments, aimed at finding hidden security risks across managed, embedded and unmanaged Java runtimes.

The service is designed to give security and operations teams a view of all JVM instances across an organisation, identify Known Exploited Vulnerabilities, flag end-of-life Java versions and set out a prioritised remediation roadmap. It is available directly and through selected partners.

The launch comes as software suppliers and corporate security teams face growing concern over how quickly artificial intelligence tools can identify and exploit weaknesses. Azul argued that the time between vulnerability disclosure and exploitation has narrowed sharply, leaving organisations less time to patch systems before they are targeted.

The company cited Anthropic's Claude Mythos as an example of AI being used to uncover previously unknown vulnerabilities and generate exploit paths without the specialist human expertise once required. Azul said this has widened the pool of potential attackers and increased pressure on companies with large estates of older or poorly tracked Java installations.

Java remains widely used in business systems, financial platforms, public sector services and infrastructure software. In many large organisations, multiple versions of the Java runtime coexist across legacy and newer applications. Some instances also remain embedded in software packages or are deployed outside central asset registers.

Risk visibility

According to Azul, the assessment produces an executive dashboard that breaks down a Java estate by risk tier, software publisher and Java version. It also identifies which versions are linked to the highest exposure so remediation can be directed to the most urgent areas.

Another element focuses on Key Risk Indicators tied to AI-driven attacks, including whether JVMs are exposed to vulnerabilities listed in the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalogue. The assessment also highlights systems running unsupported versions or versions below the current patch baseline.

For companies with older systems that cannot be updated quickly, the roadmap is intended to show which workloads should be patched first, which should be moved from unsupported runtimes and where longer-term support may be needed. Azul said this would help organisations close gaps that standard asset discovery tools often miss.

The company linked the launch to the challenge of patching Java quickly enough. Java security updates are typically issued quarterly, but Azul said that pace is no longer enough on its own if AI systems can combine known software flaws into working exploits far more quickly.

Regulated sectors

The issue is particularly acute in sectors with strict compliance demands, including financial services, healthcare, utilities and government. Such organisations often run large and complex Java estates while also having to show auditors clear visibility into software versions, patch histories and vulnerability remediation processes.

Azul said frameworks such as PCI-DSS, SOX, HIPAA, DORA, NERC CIP and FedRAMP require organisations to demonstrate that they can track deployed software and respond to security issues in a timely way. In those settings, incomplete visibility into Java runtimes can create both security and compliance problems.

The announcement also underlined Azul's argument for security-only patching. The company said its Azul Core distribution provides Critical Patch Updates focused solely on security fixes, unlike broader patch releases that can include large numbers of feature and bug changes and therefore require more testing before deployment.

Azul did not provide financial terms for the assessment, which will be offered at no cost. The move appears aimed at helping companies map their Java exposure before deciding on wider security, support or migration work.

One customer cited by Azul described the operational impact of standardising its Java estate. "Through our strategic partnership with Azul, we significantly reduced our security risk level with our Java applications and Java-based infrastructure, which certainly helps me sleep better at night," said Jenny Nelson, Head of ICT & Digital, Newcastle City Council. "In addition, the benefits of switching to Azul Core as our JVM are clear. Our Java estate is now consistent, standardized, easier to maintain, and has brought a level of simplicity that's a huge benefit to our organization."

Azul's chief executive framed the launch as a direct response to the changing threat environment created by AI tools. "Anthropic's Mythos has shown that AI can now discover and weaponise vulnerabilities on its own - including flaws that survived decades of human review. That's the real lesson for every CISO: the deep expertise that used to stand between attackers and your software estate is no longer a barrier," said Scott Sellers, Co-Founder and Chief Executive Officer, Azul. "The unpatched JVM is already a growing liability, not a future one. Azul's JVM vulnerability risk assessment was created to help security leaders find and close that exposure before AI-driven attackers can exploit it."