AWS puts Continuum vulnerability remediation in gated preview
The sales pitch is autonomous security; the practical test is whether teams can trust AI-generated proof, patches, and rollback paths.
TL;DR
AWS announced AWS Continuum for code vulnerabilities in gated preview, a system that ingests existing findings, scans code and AWS context, prioritizes risk, validates exploitability in a sandbox, and recommends mitigation or remediation. Security teams using AWS Security Agent will see penetration testing and code scanning folded into the Continuum brand. The useful claim is not that AI finds more bugs. It is that AWS wants the same system to rank, prove, and help fix them.
AWS is packaging the vulnerability lifecycle into one AI-driven workflow: discovery, prioritization, validation, mitigation, and remediation. Continuum for code vulnerabilities is in gated preview, so this is not yet a product that most security teams can simply turn on Monday. But the direction is clear enough. AWS is moving past “AI finds vulnerabilities” and toward “AI decides which findings matter, proves exploitability, and proposes the change.” That is more operationally interesting, and more dangerous if the guardrails are performative.
The product starts by ingesting a backlog and scanning the environment itself. It then uses AWS context, including infrastructure, permissions, network topology, code, documents, communications, and business priorities, to decide whether the affected component is deployed, reachable, on a production path, and meaningful to the business. For validation, AWS says Continuum constructs working exploit examples in a sandboxed environment. For remediation, it can recommend a network change, policy change, or code patch, then validate the patch recommendation using the same system that confirmed the vulnerability.
That is the part compliance and security leaders should read carefully. A tool that produces more findings is a queueing problem. A tool that produces exploit evidence and patch recommendations becomes part of the control environment. AWS says Continuum starts in learn mode with a human in the loop, shows its reasoning, and can later graduate into enforce mode based on categories and risk profiles the customer defines. That progression is the right shape, but it also moves the risk from “the scanner was noisy” to “the automated remediation touched policy, network, or code.”
AWS is also pulling existing Security Agent capabilities into the Continuum umbrella: penetration testing becomes Continuum penetration testing, and code scanning remains in preview under the new name. AWS’s separate announcement says Continuum threat modeling is also in preview and can generate STRIDE-format outputs from design documents or source code, and that Continuum works alongside GuardDuty and AWS Security Hub (https://aws.amazon.com/about-aws/whats-new/2026/06/aws-continuum/).
The compliance angle is evidence. If Continuum can preserve the chain from finding to exploit proof to approved mitigation to rollback, it could reduce the gap between vulnerability management theater and actual risk reduction. If it cannot, it is another fast system producing artifacts that engineers and auditors still have to distrust slowly.
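The learn/enforce progression and the finding-to-proof-to-mitigation-to-rollback chain described above can be made concrete as a small policy gate. The following is an illustrative model added here; it is not AWS code and does not reflect Continuum's real API. Every field name, the `EnforcePolicy` shape, the `"git revert <sha>"` rollback string and the sample findings are constructed assumptions. What it shows is the ordering a defender would want: contextual prioritization first, then an evidence check that can block auto-apply regardless of mode, then the customer-defined category and severity limits.

```python
# Illustrative remediation gate (constructed example, not AWS code).
# Models the lifecycle the article describes: prioritize by deployment context,
# require sandbox exploit proof, patch re-validation and a rollback path as
# evidence, and auto-apply only in enforce mode for categories/severities the
# customer opted in. All field and policy names are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Mode(Enum):
    LEARN = "learn"      # human approves every change; system only explains
    ENFORCE = "enforce"  # system may apply changes within the customer's policy


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    finding_id: str
    category: str             # hypothetical: "network" | "policy" | "code"
    severity: str
    deployed: bool            # affected component is actually deployed
    reachable: bool           # reachable given network topology / permissions
    production_path: bool     # sits on a production path
    exploit_validated: bool   # sandbox produced a working exploit
    patch_validated: bool     # proposed fix re-checked by the same validator
    rollback_plan: Optional[str] = None


@dataclass
class EnforcePolicy:
    mode: Mode
    auto_categories: Set[str] = field(default_factory=set)
    max_auto_severity: str = "low"   # highest severity allowed to auto-apply


@dataclass
class Decision:
    action: str               # "defer" | "require_approval" | "auto_apply"
    reasons: List[str] = field(default_factory=list)  # shown to the reviewer


def priority(f: Finding) -> int:
    """Contextual priority; 0 means the finding is not worth working now."""
    if not f.deployed or not f.reachable:
        return 0
    score = SEVERITY_RANK[f.severity] + 1
    if f.production_path:
        score += 2
    return score


def evidence_gaps(f: Finding) -> List[str]:
    """Missing stages of the finding -> proof -> validated fix -> rollback chain."""
    gaps = []
    if not f.exploit_validated:
        gaps.append("no sandbox exploit proof")
    if not f.patch_validated:
        gaps.append("patch recommendation not re-validated")
    if not f.rollback_plan:
        gaps.append("no rollback path recorded")
    return gaps


def decide(f: Finding, policy: EnforcePolicy) -> Decision:
    # 1. Prioritization: not deployed or not reachable is parked, with the reason kept.
    if priority(f) == 0:
        return Decision("defer", ["component not deployed or not reachable"])
    # 2. Evidence chain: a broken chain never auto-applies, whatever the mode.
    gaps = evidence_gaps(f)
    if gaps:
        return Decision("require_approval", gaps)
    # 3. Learn mode: human in the loop for everything.
    if policy.mode is Mode.LEARN:
        return Decision("require_approval", ["learn mode: human approval required"])
    # 4. Enforce mode: only categories and severities the customer opted in.
    reasons = []
    if f.category not in policy.auto_categories:
        reasons.append(f"category '{f.category}' not enabled for enforcement")
    if SEVERITY_RANK[f.severity] > SEVERITY_RANK[policy.max_auto_severity]:
        reasons.append(f"severity '{f.severity}' exceeds auto-apply ceiling "
                       f"'{policy.max_auto_severity}'")
    if reasons:
        return Decision("require_approval", reasons)
    return Decision("auto_apply", ["enforce mode: evidence complete, within policy"])


def run_demo() -> Dict[str, str]:
    """Constructed sample findings run through a constructed enforce policy."""
    policy = EnforcePolicy(Mode.ENFORCE, auto_categories={"code", "policy"},
                           max_auto_severity="high")
    samples = [
        Finding("F-1", "code", "high", True, True, True, True, True, "git revert <sha>"),
        Finding("F-2", "code", "high", True, True, True, True, False, "git revert <sha>"),
        Finding("F-3", "network", "medium", False, True, False, False, False, None),
        Finding("F-4", "policy", "critical", True, True, True, True, True,
                "restore previous policy version"),
    ]
    return {s.finding_id: decide(s, policy).action for s in samples}


if __name__ == "__main__":
    for fid, action in run_demo().items():
        print(fid, action)
```

The evidence check deliberately runs before the mode check, so graduating to enforce mode can never shortcut a missing rollback path or an unvalidated patch; the `reasons` list is the artifact an engineer or auditor reads when deciding whether the automated change was justified.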
Published · Deep Fathom