Security teams have spent years and billions of dollars shifting security left. This has changed what teams can see and introduced a new level of visibility, but it has not helped with what they can control. Last year, more than 48,000 new vulnerabilities were cataloged, growing at roughly 20 percent annually. Add to that the capabilities of Mythos and even with earlier detection, the volume alone will make it impossible to keep pace with remediation.
The reality is unavoidable: vulnerabilities will reach production. Security teams cannot remediate them fast enough to prevent exploitation, especially as AI compresses attack timelines to minutes. While necessary, vulnerability management alone is not sufficient to protect customers in the age of Mythos level AI. Security teams must assume that risk is already present in production and focus on how it is controlled at runtime.
This is the foundation of autonomous runtime security. Teams need to understand how risk behaves inside running systems, quantify that risk in monetary terms and use AI to recommend actions and contain anomalous behavior.
Aqua’s newest runtime capability is built to solve this challenge. Aqua Compass, is an MCP server that enables agentic runtime security directly inside cloud native environments, along with a new suite of runtime risk dashboards that translate runtime telemetry into operational and financial insight. Together, these capabilities reflect a shift away from a prevention-first model to autonomous runtime security.
How Does Agentic Runtime Security Reduce Time from Alert to Containment?
Aqua Compass enables agentic incident response directly within the environments where security teams already work. By automating investigation, correlation, policy generation, and containment, it significantly reduces mean time to response and removes the manual effort that slows teams down during active incidents.
To understand the impact, it helps to compare how response works today versus how it works with an agentic workflow.
In a traditional environment, an alert is triggered and an analyst begins a manual investigation. They move between tools to reconstruct the process tree, identify the malicious file and determine how far the activity has spread. Eventually, they define a policy or control to isolate the workload and contain the incident. This process can take hours, days or even weeks depending on complexity and available expertise.
With Aqua Compass, the workflow follows a different path. When suspicious activity is detected inside a running workload, the agent uses deterministic runtime telemetry such as eBPF syscalls and network traffic to reconstruct the sequence of events, identify the root cause, and evaluate the scope of impact. It then generates a runtime policy designed to surgically contain the threat and presents both the context and the proposed mitigation to the security team.
What was previously a fragmented, relatively slow manual investigation becomes a structured response that unfolds in seconds. Teams can move from alert to containment almost instantly, dramatically reducing the time required to stop active threats.
This shift does more than improve speed. It changes who can respond.
By handling investigation and correlation, the agent enables junior analysts to operate with the speed and precision of more experienced practitioners. Tasks that previously required deep expertise and significant time can now be completed in seconds, without sacrificing accuracy or control. This allows security leaders to scale their SOC capabilities, reduce risk and reduce MTTR without linearly scaling their headcount.
How Does Human in the Loop Control Work in Agentic Runtime Security?
This approach is designed around human-in-the-loop automation. The agent performs investigation, correlation, and policy generation, while the final decision remains with the security team. The proposed mitigation is presented as policy as code, allowing a security lead to review and approve the action before it is enforced.
Aqua Compass is built to adapt to how organizations operate. Teams can define and extend agents to match their own workflows, environments, and response strategies. As these agents evolve, they develop domain-specific skills that allow them to perform specialized tasks aligned to each organization’s needs.
This creates a scalable model for response. Instead of forcing teams into a predefined workflow, organizations can build and refine agents that reflect their own processes, controls, and risk tolerance. The MCP server provides the structure that enables this interaction, allowing agents to securely access runtime telemetry and enforcement controls in a governed way.
How Does Runtime Telemetry Translate into Quantified Business Risk?
Security teams already have access to more data than they can act on. What they lack is a clear way to understand what that data means to business risk and what to do about it.
These dashboards convert vulnerabilities, misconfigurations, workload behavior, and enforcement controls into quantified monetary exposure. As runtime controls are applied, that exposure is continuously recalculated, allowing security teams to measure how risk is reduced in production environments.
The FAIR Risk Dashboard anchors this approach by modeling risk in financial terms. It estimates potential loss based on factors such as vulnerability exposure, likelihood of exploitation, and the impact of affected workloads, giving security teams a clear view of what their current risk posture could cost the business.
It also reflects how that exposure changes as controls are enforced, creating a direct link between security actions and measurable risk reduction.
By correlating runtime activity, vulnerabilities, and enforcement outcomes, these dashboards show where risk exists and which controls are having the greatest impact, shifting dashboards from passive reporting tools into active decision frameworks.
Watch this demo video to see how Aqua turns live production security data into decision-ready insights through purpose-built dashboards
Why Aqua Leads at Runtime
The last decade of cloud security was built on visibility, but visibility needs a complementary approach that can contain attacks with compensating controls. Vulnerabilities will reach production, whether due to operational constraints, zero days, or simple mistakes. With exploitation now outpacing remediation, security must layer in runtime capabilities, where risk must be understood, managed, and controlled.
Developed over the last eleven years, Aqua delivers this through an agent-based enforcement architecture that operates directly inside running workloads. Backed by patented innovations in runtime security and some of the largest cloud native customers in the world, only Aqua provides the level of deep runtime insight required to enforce policy that contains exploits as they happen.
This foundation is strengthened by adversary intelligence from the Nautilus research team and telemetry from millions of protected workloads. Together, this allows Aqua to convert runtime activity into meaningful risk insights through its dashboards while enabling Compass to investigate attacks and generate containment policies that can be enforced immediately in production.
Runtime is where applications execute and where attacks happen. Everything before runtime identifies potential issues, but it cannot stop exploitation once a workload is running. Attackers operate on live systems, not in scan results. Control requires the ability to detect, decide, and act inside the workload at the moment behavior occurs.
Detection without action does not reduce risk. Many teams already have strong detection but still rely on manual investigation and ticket driven workflows to respond. That delay is where attacks succeed. Agentic response collapses investigation and containment into a single step, allowing teams to act within the attack window instead of after it.
No, but it changes its role. Vulnerability management remains important for long term risk reduction, but it cannot keep pace with exploitation in production. Autonomous runtime security focuses on controlling exploitable risk while vulnerabilities are still present, reducing exposure without waiting for patch cycles.
This model is designed with human oversight. The agent performs investigation and proposes a containment policy based on real runtime behavior, but the security team approves enforcement. Over time, teams can tune agents to reflect their own policies and risk tolerance, creating a controlled path to automation rather than handing over full autonomy on day one.
