Agentic Workflows: Introducing Anya Agents for Security

Anya Agents are a new way for security teams to put AI to work, and they reflect a belief I have held for a long time: security teams don’t need an AI assistant. They need AI workers.

A few weeks ago, I wrote about what Anthropic’s Claude Mythos means for security, and how AI-scale vulnerability discovery makes the operational work of triage, prioritization, and remediation more important than ever. Today, I want to talk about the other side of that equation: what AI needs to look like on the defender’s side of the table if security teams are going to keep pace with what is coming. Today, we are launching Anya Agents on the ArmorCode Agentic AI Platform. This is the first phase of a framework that turns Anya from a virtual security champion into a library of specialized AI workers, each purpose-built for specific agentic workflows and grounded in the same unified risk context that powers the rest of the platform.

Let me explain why we built it this way, and why I think the rest of the industry is going to have to follow.

The real problem with AI in security today

Walk into any AppSec or vulnerability management team right now, and you will find the same scene playing out. Engineers triage findings, build remediation plans, and assess new CVEs every day. Most of them are using public LLMs off to the side of their desks, rewriting the same prompts every single time, with no way to share what works with the rest of the team.

The result is exactly what you would expect:

• Inconsistent output, because every engineer prompts a little differently
• Lost institutional knowledge, because nothing about that interaction stays inside the security program
• AI productivity gains that never compound, because the next person starts from scratch

There is a second, related problem. Generic LLMs do not know your environment. Asking a public LLM about a CVE returns a definition. Asking whether your organization is exposed to that CVE returns a guess. Without grounding in findings, assets, supply chain data, and threat intelligence, AI can only answer questions. It cannot do the actual work. This is precisely why AI agents for security teams need to be purpose-built and context-aware, not repurposed general-purpose tools bolted onto an existing workflow.

And then there is the third problem, which is more about the market than the technology. “Agentic AI” is showing up in every vendor’s messaging right now, and most of what is being labeled as agentic is conversational. A chat window is not an agent. A copilot that summarizes a dashboard is not an agent. Real agentic value comes from AI agents for security teams that are bounded, reusable, take action on real data, and govern themselves under enterprise controls.

Everything else is a chat window with a marketing label.

That is the gap Anya Agents are built to close.

What Anya Agents actually are

An Anya Agent is a purpose-built, role-aware AI worker. Each one is scoped to a single, high-value security workflow. Each one has a preconfigured system prompt, a defined context, and a minimal set of pre-approved actions. Behavior is bounded by design.

This architecture is what separates genuine agentic AI for vulnerability management from the chat-window imitations flooding the market. Rather than a general-purpose assistant you have to coax into relevance, each agent is built to execute a specific job your security team already owns.

Four agents are available, and each one maps to exactly that kind of work:

• Remediation Agent generates code-aware remediation guidance for a finding or a group of findings, using available metadata and external sources
• Zero-Day Exposure Hunting Agent assesses organizational impact of a newly disclosed CVE by pulling threat intel, identifying affected components, checking supply chain exposure, correlating existing findings, and producing a full impact report
• Finding Overview Agent summarizes a finding in plain language with the context that matters most to the security team
• Risk Analyzer Agent explains the risk score behind a finding, group, or subgroup, so leaders understand the “why” behind the number

You do not have to prompt-engineer any of them. You invoke an agent from the workflow you are already in, and it produces a transparent, predictable result, the same way for every user, every time.

That is the difference between AI as a productivity novelty and AI as a security capability.

Agentic workflows, grounded in ArmorCode’s Unified Risk Context

The hardest part of building useful AI workers for AppSec is not the model. It is the context. AI needs context, and the security context worth reasoning over is not on the public internet. It is inside your security program: findings from 350+ tools, the assets those findings live on, the software supply chain feeding into your code, the threat intelligence your team subscribes to, and the platform documentation that explains how risk is scored.

Every Anya Agent is connected to that full data graph and reasons over it natively. We call it the Context Risk Graph, and it is the same graph that powers every other AI-native capability inside the ArmorCode Platform.

A few numbers to set the scale:

• 350+ integrations across the security tool stack, feeding findings into a unified view
• 200B+ findings processed per year through the platform
• Context Risk Graph surfaces the 3% of findings that represent 80% of real business risk

A generic LLM can tell your team what a CVE is. It cannot tell you whether you are exposed. Anya Agents reason over your findings, your assets, your supply chain, and your threat intel together, in one pass.

This is the part I want every security leader to internalize. The reason your engineers cannot get useful answers out of a public LLM is not that the model is not smart enough. It is that the model does not see what your security program sees. Anya Agents, purpose-built as AI workers for AppSec teams, see exactly what the platform sees, and act on it.

Specialized, reusable, and governed

The way most enterprises consume AI today is closer to shadow IT than to a governed program. I wrote about this in my piece on Shadow AI in the Agentic Era: unsanctioned agents, unowned workflows, no record of approval, no enforcement mechanism. The same pattern is showing up inside security teams that are improvising with public LLMs.

Anya Agents are built to be the opposite of that.

• Specialized. Each agent is scoped to one workflow with a narrow, predictable behavior set. There is no open-ended chat surface to drift into hallucination.
• Reusable. An agent is built once and used across users, teams, and regions. The prompt engineering work that the best engineer on your team would have done at 11 p.m. becomes the default experience for everyone.
• Role-aware. Administrators set defaults so the right agent shows up for the right user. A developer sees the Remediation Agent in the finding details page. A CISO uses Summary-style agents for a 1000-foot view of risk. Security engineers create and trigger their own custom agents from a finding.
• Governed. Anya Agents operate inside the same RBAC model that the rest of the ArmorCode Platform uses, with administrator control over which agents run and where. AI usage stops being a side-of-desk activity and becomes a managed part of your security program.

That governance posture matters more in the AI-discovered vulnerability era than it did six months ago. As AI-scale discovery proliferates, the agents acting on what is discovered need their own controls. Anya Agents are designed to be both useful and accountable from day one.

Why the Mythos Era demands this architecture

I will be direct with security leaders here. The volume of vulnerabilities coming at your team is not going to slow down. Frontier AI model capabilities (including Claude Mythos) will be in more hands within the next twelve to eighteen months. AI-discovered exploit chains will turn collections of “low-severity” findings into legitimate, high-impact threats. The traditional severity-led approach to vulnerability management is, for practical purposes, over.

Your security team does not scale by adding headcount fast enough to match that curve. It scales by deploying agentic AI for vulnerability management, giving every member of the team a library of AI workers that can do the repetitive analytical work consistently, at speed, against your actual environment. That is not a future state. It is a present requirement.

That is the bet behind Anya Agents. It is also the bet behind the broader Anya agentic AI framework. This release delivers task-specific agents grounded in our unified risk context. We are shipping the foundation now because the foundation is what every more advanced agentic capability is going to be built on, ours and the rest of the industry’s. Context first, agents second, orchestration after that. In that order.

How ArmorCode can help

The ArmorCode Agentic AI Platform is built around the idea that risk reduction at enterprise scale is an operational discipline, and AI has to be operationalized to be useful. Anya Agents are purpose-built AI workers for AppSec and vulnerability management teams and they are the most concrete expression of that idea so far.

Here is where they fit alongside the rest of the platform:

• Operational AI inside the workflows you already use. Anya Agents are invoked from finding details pages, group views, and the Anya UI itself. You do not change how your team works to get value from them.
• Built on the same Context Risk Graph that drives the platform. Findings, groups and subgroups, assets, software supply chain, AATI threat intelligence, and platform documentation are all available to every agent natively.
• Extensible through the API and MCP Server. Customers can build custom agents and invoke them both inside the platform and outside it, in the tools where security work actually gets done.
• Governed by the same RBAC, role-based defaults, and audit trail as the rest of ArmorCode. AI becomes part of your security program, not a parallel activity running alongside it.

If you are already operating ArmorCode as your independent governance and exposure management layer for risk, Anya Agents extend that posture into how your team interacts with AI day-to-day. Every team member gets consistent, context-grounded AI workers for AppSec tasks that used to depend on whoever had the best prompt saved in a notes file.

What comes next

We are at the beginning of a multi-year shift in how security work gets done. The teams that come out ahead are the ones that stop treating AI as an external assistant and start deploying purpose-built AI agents for security teams as workers operating inside their security program, under their control, and with their data.

Anya Agents are how we are making that shift practical for ArmorCode customers, starting today. If you want to see what role-aware, context-grounded AI agents for security teams look like inside a real security workflow, I would welcome a conversation with your team.

The AI assistant era was a warm-up. The AI worker era starts now.

Key takeaways

• Security teams need AI workers, not AI assistants; purpose-built agents that take action on real data, not chat windows with a marketing label.
• Agentic AI for vulnerability management requires grounding in your actual environment: findings, assets, supply chain data, and threat intelligence; not public LLM guesswork.
• Anya Agents are specialized, reusable, and governed, delivering consistent output across every user instead of siloed prompt experiments that never compound.
• Four purpose-built agents: Remediation, Zero-Day Exposure Hunting, Finding Overview, and Risk Analyzer, each mapped to a specific, high-value security workflow your team already owns.
• Every agent reasons over ArmorCode’s unified Context Risk Graph, spanning 350+ integrations and 200B+ findings processed per year, so AI sees exactly what your security program sees.
• As AI-scale vulnerability discovery accelerates, the teams that scale fastest will be the ones deploying governed, context-grounded AI workers and not the ones adding headcount.