
Innovators Spotlight: Averlon

Averlon Wants to Fix the Boring, Hard Part of Security

Sunil Gottumukkala, CEO & Co-founder

Ask most security vendors what they do and you will hear some version of the same pitch: they help you “find more risk.” For CISOs living under a constant avalanche of alerts, dashboards, and red severity markers, that is not a selling point. It is a threat.

Averlon is betting its future on the opposite side of that equation. Instead of trying to be yet another flashlight in the dark, the company wants to be the crew that actually fixes the wiring, at scale, without burning the house down.

In a conversation at RSAC Conference 2026, co‑founder and CEO Sunil Gottumukkala laid out a vision that will resonate with any CISO who has ever stared at a backlog of vulnerabilities and thought, “There is no way we’re ever going to get through this.”

“We wanted to basically go help enterprises not just find risk, but effectively analyze the risk that’s been found from an exploitability point of view, and then help them mitigate and eliminate that risk,” he said.

That is the heart of Averlon’s pitch: remediation operations, not more detection theater.

From Building Security to Securing the Biggest SaaS Cloud

Sunil and his co‑founder did not come at this as first‑time founders chasing the latest buzzword. They earned their scars inside some of the largest and most complex environments on the planet.

“Prior to this, I was leading a large chunk of security at Salesforce,” Sunil explained. “My co‑founder Vishal was on the engineering side for cloud security at Salesforce. Before that, I was at Microsoft for a long time building security products. I was in charge of operating system security, and towards the end of my career there, I was securing Salesforce, at that time the largest enterprise SaaS cloud in the world.”

Vishal Agarwal, CTO & Co-founder

When you are responsible for security at that scale, the fantasy of infinitely sophisticated detection quickly collides with a mundane reality. You do not need more clever ways to tell you that everything is on fire. You need a reliable system to actually put the fires out, in the right order, before they spread.

“What we realized,” Sunil said, “is more than the super advanced security products that most builders really want to build, what you really need in the real world in securing large enterprises is basically getting the basics right.”

One deceptively simple question kept coming up at Salesforce and, later, in conversations with other large enterprises:

“Do we understand known risk to the company? Are we eliminating the risk in a reasonable phase and reasonable time frame? That simple question is really, really difficult to answer.”

That question became the founding thesis for Averlon.

The Industry’s Obsession with Finding Problems

If you feel like the security industry has built an entire economy on monetizing fear, Sunil would not argue with you.

“What’s been happening for the last decade or decade and a half in the cybersecurity industry,” he said, “is vendors basically became large by catering to the fear of the enterprises rather than actually reducing risk.”

The ecosystem rewarded those who could identify more issues in more places: “Hey, you have a problem in cloud.” “You have a problem in identity.” “You have a problem in your crypto stack.” “You have a problem in your application security posture.”

The result is familiar to every CISO. Each new tool uncovers yet another mountain of vulnerabilities and misconfigurations. The dashboards look very sophisticated. The calendar reminders to “review exceptions” look even worse.

“As you deploy new security tools, you all of a sudden uncover a huge amount of security issues,” Sunil said. “And then engineering looks at it like, there’s no way we can practically address that risk.”

Detection is cheap. Remediation is hard. The industry optimized for the easy half.

Averlon’s Remediation‑First Model

Averlon’s approach starts with a simple promise: work with what you already have, and help you make better, faster, more accurate remediation decisions.

“We go to an enterprise, we look at their current security posture, and we ingest the data from their existing security tools that they might have already deployed,” Sunil explained. “We take a look at those findings, and we use AI to basically analyze every finding in detail and try to understand how this is presenting risk to the enterprise.”

That analysis is not just about the vulnerability ID and a CVSS score. It is about your environment. Here are some questions to ask yourself:

  • How is this application designed?
  • Where is it running?
  • How is it running?
  • Who has access to it?
  • Can it realistically be compromised in this context?
  • If it is exploited, where can an attacker go from there?
  • Can they reach something of real value, like customer data or high‑value internal systems?

“All of that analysis, we basically built our product to be able to analyze automatically, without having to deploy security researchers at that problem,” Sunil said.

Once Averlon runs this analysis at scale, the picture looks very different from the wall of red in your scanner dashboard.

“What we have seen is most of our customers can eliminate 90 percent of their findings as non‑exploitable in their environment,” Sunil noted. “And for the remaining ones, we can actually help them come up with the remediation actions for them.”

In other words, instead of treating every medium and high as an equal emergency, Averlon turns the problem into a prioritized set of truly exploitable paths with concrete fixes. Those fixes can range from updating application code to changing configurations in the application or infrastructure.

“We come up with those fixes in an automatic fashion, so that it is easier for the customer to go deploy that remediation,” he said.

For CISOs measured on risk reduction and not “alerts closed,” this is the kind of math that matters: 90 percent of the noise cleared out as non‑exploitable, with the remaining 10 percent turned into structured, actionable remediation work.

Attackers, AI, and the Exploitability Gap

One of the more subtle points in Sunil’s description is where Averlon focuses its intelligence. It is not trying to be a general purpose LLM with a cyber flavor. It is explicitly designed to think like an attacker looking at your environment.

“So we broke this end‑to‑end life cycle of an attack from an adversary perspective into small chunks,” he said. “We built task‑specific agents that are good at doing one thing.”

A few examples he described:

  • For a new vulnerability disclosure, say a Cisco CVE, Averlon has an agent that “can investigate that CVE in depth” and determine “how can this be exploited, what are the prerequisites for exploiting this,” and all the nuances that actually matter.
  • Separate agents understand the properties of the assets where your software runs. “It could be a Kubernetes cluster, it could be a virtual desktop, it could be a headless server or a virtual machine,” Sunil said. These agents collect and reason about the characteristics of those assets.

On top of these task‑specific components, Averlon uses “a large LLM that’s really good at reasoning with cybersecurity information” to figure out how everything stitches together into a realistic attack path.

In other words, instead of just asking, “Is this reachable,” Averlon asks, “Is this actually exploitable, with a meaningful impact, given the way this system is built and used?”

Sunil was blunt about how simplistic many “attack path” narratives in the industry really are.

“For a lot of people, it’s a common thing to talk about attack vectors,” he said. “They talk about whether I can reach something I can attack, but that’s a small portion of the actual challenge. You can reach it, and then what?”

He offered an example that will be familiar to anyone who has ever argued with a scanner:

“Some software vulnerabilities are only impactful if you have a desktop session on the other side where a user is interacting and you can trick that user. If it’s a headless server, it cannot be compromised the same way. Knowing that nuance is important in being able to understand exploitability.”

If you have ever tried to explain that nuanced reality to a non‑technical auditor or a board member staring at a high‑severity CVE, you can see the value in having a system that encodes that reasoning consistently.

From Reactive Remediation To “Pre‑Cognition” In The Pipeline

Up to this point, Averlon’s sweet spot has been analyzing what is already in production and helping customers remediate the risk that their existing tools uncover.

“So that’s typically after the fact,” Sunil said. “You deployed your stuff in the production environment, you’re running everything, and then some security tools are scanning, and now Averlon is analyzing and helping you fix it.”

At RSAC 2026, the company is using the stage to announce the next step in that journey: bringing the same depth of exploitability analysis into the deployment pipeline before changes ship.

“What we built is, rather than reacting after the fact, after you’ve deployed and potentially exposed yourself to an adversary, we’re actually helping customers prevent bad stuff from going into production itself,” Sunil said.

“All the analysis that we can do in your production, we’re bringing that into your deployment pipeline. Before a change goes in, we can actually analyze the change and say, ‘if this change were to go into production, this is how your risk is going to change.’ So if you take this mitigation together, you can actually make a safe change.”

The company calls this capability “pre‑cognition”. Think of it as giving your pipeline an adversary‑level code reviewer who can see how a change will reshape real attack paths, not just whether it passes a static check.

Rajiv Raghunarayan, who leads go‑to‑market and marketing at Averlon, framed why this matters now.

“When you think about the speed at which attacks are happening,” Rajiv said, “two years ago, when Mandiant published a report, they spoke about the fact that once a vulnerability is published, the time to exploit is about five days. Last year a vendor reported that within one day, 25 percent of the exploits are published.”

You do not need an AI to do the subtraction. Attacks are happening in hours and days. Remediation, for most enterprises, still takes months.

“You can’t just go and upgrade a production system and say, hey, let’s just change it,” Rajiv said. “There’s an enterprise life. There are dependencies. There are risks.”

As AI accelerates code creation, this gap is only getting wider.

“AI is going to generate a ton more code,” Rajiv warned. “That is just going to absolutely overwhelm any security teams or any engineering team. So that’s really why this becomes so crucial, that yes, we can solve your problem post‑hoc – but we can actually take it before and stop the risk.”

There is also the cost angle. As Sunil recalled from his Salesforce days, “I remember some of the reports back in my Salesforce days. We said it’s 13 times more expensive for you to act on it after the fact in production than fixing the bug earlier.”

You do not have to believe the exact multiplier to recognize the pattern. The later you discover a risky change, the more it costs to fix. Pre‑cognition is Averlon’s attempt to make that someone else’s problem.

What This Means for CISOs

If you strip away the marketing language, Averlon is tackling a problem that every CISO feels:

  • Too many findings from too many tools
  • Not enough context to know which issues are realistically exploitable
  • Not enough engineering and security capacity to chase everything
  • A widening gap between time‑to‑exploit and time‑to‑remediate

Averlon’s value proposition can be summarized in three shifts:

  1. From volume to validity
    By automatically classifying roughly 90 percent of findings as non‑exploitable in a given environment, Averlon helps teams focus on real, exploitable risk, not theoretical vulnerabilities.
  2. From static severity to contextual impact
    Instead of treating CVSS scores as gospel, Averlon reasons about applications, infrastructure, identity, access patterns, and post‑exploitation paths. The question becomes “What can an attacker really do from here” rather than “How scary does this look on paper.”
  3. From reactive patching to preventative pipelines
    With pre‑cognition, Averlon extends this reasoning into the deployment pipeline, giving your teams a chance to redesign or remediate risky changes before they become production emergencies.

For CISOs whose boards are starting to ask harder questions about actual risk reduction, this is the kind of narrative that can translate nicely into metrics:

  • Percentage of findings classified as non‑exploitable.
  • Mean time to remediate truly exploitable issues.
  • Number of risky changes intercepted pre‑deployment.
  • Reduction in production incidents tied to known vulnerabilities.

Underneath the AI branding is a very unglamorous goal: make it boringly routine to know which risks matter, and make it much easier for engineering teams to fix them without derailing the business.

Call to Action for CISOs

If you are already drowning in alerts, the answer is not another dashboard. The answer is a system that can tell you, with defensible reasoning, what you can safely ignore, what you must fix, and how to fix it.

As you evaluate Averlon, here are some practical next steps:

  • Identify a representative set of applications and infrastructure where your vulnerability and misconfiguration backlog is particularly bad.
  • Ask Averlon to ingest findings from your existing tools for that slice of the environment and see how many issues it can confidently classify as non‑exploitable.
  • Look closely at the remaining exploitable paths and the remediation guidance it generates. Would your teams find this credible and actionable?
  • Explore how pre‑cognition could integrate with your current CI/CD pipelines and change management processes. Where in your release flow does it make the most sense to introduce this kind of analysis?

If Averlon can consistently clear out the noise and give your teams a smaller, highly curated set of exploitable issues with concrete fixes, that is not just a tooling improvement. It is a structural change in how your organization approaches cyber risk.

In a world where attackers are getting faster and AI is generating more code than humans can review, investing in remediation intelligence may be the quietest, most effective way to close your exploitability gap.

Author’s Note: The author sat down with Averlon’s leadership during the RSAC Conference 2026 in San Francisco, held March 23rd to 25th, 2026, to discuss how the company is rethinking remediation operations for modern enterprises.

For more information, please visit www.averlon.io.


About the Author

Pete Green is the CISO / CTO of Anvil Works, a ProCloud SaaS company and co-author of “The vCISO Playbook: How Virtual CISOs Deliver Enterprise-Grade Cybersecurity to Small and Medium Businesses (SMBs)”. With over 25 years of experience in information technology and cybersecurity, Pete is a seasoned and accomplished security practitioner.

Throughout his career, he has held a wide range of technical and leadership roles, including LAN/WLAN Engineer, Threat Analyst, Security Project Manager, Security Architect, Cloud Security Architect, Principal Security Consultant, Director of IT, CTO, CEO, Virtual CISO, and CISO.

Pete has supported clients across numerous industries, including federal, state, and local government, as well as financial services, healthcare, food services, manufacturing, technology, transportation, and hospitality.

He holds a Master of Computer Information Systems in Information Security from Boston University, which is recognized as a National Center of Academic Excellence in Information Assurance / Cyber Defense (CAE IA/CD) by the NSA and DHS. He also holds a Master of Business Administration in Informatics.
