AI Meets CTEM: Boosting Efficiency in Vulnerability Scanning

AI is one of the most transformative technologies today - thanks to its potential to impact nearly every industry, from cybersecurity and finance to healthcare and entertainment. Its ability to process massive amounts of data and uncover patterns is reshaping how we work, solve problems, and innovate.

In this blog post, I’ll explore how AI can enhance Continuous Threat Exposure Management (CTEM) solutions like ULTRA RED, and share how our team is already leveraging AI to make scanning results faster, more accurate, and more actionable.

Where does AI fit into CTEM?

Context-based Result Validation: False Positive Control

At ULTRA RED, we pride ourselves on keeping our false positive rate below 1%. But just like a well-trained limbo dancer - we’re always aiming to go even lower.

Let’s take a look at how we’re using AI to push the limits of scanning efficiency and accuracy across our CTEM platform.

Use Case #1: Improving Secrets Detection 

Depending on the type of result, judging its validity can be tricky: it requires context about where the finding appeared and some general technical knowledge.

Imagine the following scenario: 

A regular expression-based detection of secrets and tokens matched the string: “DB_KEY=aVeryRandomLookingValue” in the file “dbactions.js”.

Is “aVeryRandomLookingValue” a valid database key? A variable name? Who knows!  

The issue of determining the validity of keys and tokens is not new to ULTRA RED. In the past, we’ve implemented several other methods to predict the impact of such strings: better regular expressions, length checks, and most notably, entropy checks, which test whether the amount of “chaos” in the matched string resembles that of real keys and tokens. And yet the results weren’t perfect: a human-readable placeholder or a variable name can score as high as a real secret.
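To make the three pre-AI checks concrete, here is an added example (not ULTRA RED’s scanner code) that runs a regex, a length check and a Shannon entropy check over a constructed snippet of source text. The file contents, the variable names and the thresholds are assumptions chosen for illustration; the point is that “aVeryRandomLookingValue”, and even the variable reference “process.env.DB_KEY”, pass a typical 3.5 bits-per-character entropy threshold just as a genuine 40-character key does, which is exactly the ambiguity the entropy check cannot resolve.

```python
import math
import re
from collections import Counter

# Constructed sample file contents (hypothetical dbactions.js-style lines, not a real codebase).
SAMPLE_FILE = """\
const DB_KEY = process.env.DB_KEY;
DB_KEY=aVeryRandomLookingValue
AWS_SECRET_ACCESS_KEY=Zq8kL2vN9pR4tW7yB1cD6fG3hJ5mQ0sX2uV8wA4e
API_TOKEN=REPLACE_ME_REPLACE_ME
"""

# Stage 1: a regular expression pairing a secret-looking variable name with its value.
ASSIGNMENT_RE = re.compile(
    r"\b([A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)"  # variable name
    r"\s*=\s*['\"]?([A-Za-z0-9_\-/+=.]{8,})['\"]?"                 # value of 8+ characters
)

MIN_LENGTH = 16     # Stage 2: length check (assumed threshold)
MIN_ENTROPY = 3.5   # Stage 3: Shannon entropy threshold, bits per character (assumed)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character: the usual 'chaos' measure for candidate secrets."""
    if not value:
        return 0.0
    total = len(value)
    return -sum((n / total) * math.log2(n / total) for n in Counter(value).values())


def classify(value: str) -> str:
    """Apply the length and entropy checks; returns 'candidate' or 'rejected'."""
    if len(value) < MIN_LENGTH:
        return "rejected"
    if shannon_entropy(value) < MIN_ENTROPY:
        return "rejected"
    return "candidate"


def scan(text: str) -> list[dict]:
    """Run all three stages over a blob of source text, in file order."""
    findings = []
    for match in ASSIGNMENT_RE.finditer(text):
        name, value = match.groups()
        findings.append({
            "name": name,
            "value": value,
            "entropy": round(shannon_entropy(value), 2),
            "verdict": classify(value),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_FILE):
        print(f"{f['verdict']:9} {f['name']:22} entropy={f['entropy']:.2f}  {f['value']}")
```

Only the obvious placeholder (REPLACE_ME_REPLACE_ME, about 2.9 bits per character) is rejected; the other three are all reported as candidates, and two of them are not secrets at all. Deciding which is which needs the context the text describes, not a higher threshold.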

Thankfully, this is where AI comes into play. With proper fine-tuning and prompting, we were able to reliably and consistently differentiate strings representing variable names from actual tokens and keys, regardless of their format, intended service, or provider.   

Use Case #2: Validation of Boolean-based SQL Injections

Another scenario that shows how AI fits into result validation is boolean-based SQL injection.

Boolean-based (blind) SQL injection is detected by injecting a condition into a query and observing whether the server’s response differs depending on whether that condition is true or false, for example “is the DBMS PostgreSQL?”. The same true/false oracle is then used to extract data one character at a time, with questions such as “is the first letter of the username ‘k’?”.

The difference can show up in the status code, the response body, the content length, and so on. False positives happen when the true and false probes (such as “is 1+1=2?” and “is 1<0?”) do receive different responses, but the difference is caused by something unrelated to the injected condition: dynamic page content, load balancing, rate limiting, or plain timing noise.

When that happens, the scanner “believes” it received a true answer to probes such as “is the first letter of the username ‘k’?”, and the extracted username comes out as an incorrect, random-looking string.

To avoid such false positives, ULTRA RED’s scanners run automated re-validation and re-testing to make sure that a result is not coincidental. As in the previous case, this helped significantly but did not eradicate false positives from our lives.
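The following added example (written for this post, not ULTRA RED’s scanner) shows both halves of the problem against two simulated endpoints: one that really is injectable, and one that is not but rotates a banner on every request. A naive scanner that sends one true probe and one false probe reports the noisy endpoint as injectable and then “extracts” a garbage username; a scanner that re-validates by interleaving repeated probes and demanding a stable split rejects it. The database user “kate”, the endpoints, the probe grammar and the banner texts are all constructed for the example.

```python
import re
import string

DB_USER = "kate"   # constructed: the name the simulated database would reveal


def evaluate_condition(cond: str) -> bool:
    """Stand-in for the DBMS evaluating the injected boolean expression.

    Understands the two probe shapes used below: N=M and substr(current_user,POS,1)='C'.
    """
    m = re.fullmatch(r"(\d+)=(\d+)", cond)
    if m:
        return m.group(1) == m.group(2)
    m = re.fullmatch(r"substr\(current_user,(\d+),1\)='(.)'", cond)
    if m:
        pos = int(m.group(1))
        return DB_USER[pos - 1:pos] == m.group(2)
    raise ValueError(f"unsupported condition: {cond}")


def vulnerable_target(cond: str) -> str:
    """Simulated '?id=1 AND <cond>' endpoint: the product renders only when cond is true."""
    return "<h1>Product 1</h1>" if evaluate_condition(cond) else "<h1>No such product</h1>"


class NoisyTarget:
    """Simulated endpoint that is NOT injectable but rotates a banner on every request.

    The body differs between the true and false probe for reasons unrelated to SQL:
    the false-positive situation described in the text.
    """
    BANNERS = ["", "<div>Sale!</div>", "<div>Free shipping this week</div>"]

    def __init__(self):
        self.calls = 0

    def __call__(self, cond: str) -> str:
        self.calls += 1
        return "<h1>Product 1</h1>" + self.BANNERS[self.calls % 3]


def probe(pos: int, ch: str) -> str:
    return f"substr(current_user,{pos},1)='{ch}'"


def extract_user(send, true_body, alphabet=string.ascii_lowercase, max_len=8) -> str:
    """Character-by-character extraction using the 'true' response body as the oracle."""
    user = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if send(probe(pos, ch)) == true_body:
                user += ch
                break
        else:
            break   # no character matched: end of the username
    return user


def naive_scan(send):
    """One true probe, one false probe; any difference is treated as an injection."""
    true_body, false_body = send("1=1"), send("1=2")
    if true_body == false_body:
        return None
    return extract_user(send, true_body)


def validated_scan(send, rounds=3):
    """Re-validation: interleave repeated true/false probes and demand a stable split.

    Each side must always return the same body, the two bodies must differ, and an
    independent second true/false pair must reproduce the split before extracting.
    """
    true_bodies, false_bodies = set(), set()
    for _ in range(rounds):
        true_bodies.add(send("1=1"))
        false_bodies.add(send("1=2"))
    if len(true_bodies) != 1 or len(false_bodies) != 1 or true_bodies == false_bodies:
        return None
    true_body = true_bodies.pop()
    if send("7=7") != true_body or send("7=8") == true_body:
        return None
    return extract_user(send, true_body)


if __name__ == "__main__":
    print("naive     vs vulnerable:", naive_scan(vulnerable_target))
    print("naive     vs noisy     :", naive_scan(NoisyTarget()))      # random-looking garbage
    print("validated vs vulnerable:", validated_scan(vulnerable_target))
    print("validated vs noisy     :", validated_scan(NoisyTarget()))  # None: rejected
```

Interleaving the probes matters: sending all true probes and then all false probes would still pass a stability check against a page whose content changes slowly over time. Even with this re-validation, a page that flips content exactly in step with the probes can still slip through, which is the gap the text describes AI filling by judging whether the extracted name looks like a real username.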

Once again, AI comes to the rescue - acting as a fail-safe for our scanners when other methods fall short. It accurately identifies real database usernames and distinguishes them from random strings, helping validate injections the way a real hacker would.

Use Case #3: Automating WebSocket Vulnerability Detection

WebSocket vulnerabilities posed challenges for non-AI tools, as these scanners typically could not effectively monitor or analyze the real-time, bi-directional data flows inherent in the WebSocket protocol. By contrast, AI-powered systems can rapidly analyze vast amounts of application data, identify subtle patterns, and predict exploitation paths. Recently, we’ve published a blog post that specifically dives into the topic of WebSocket security.

Use Case #4: Enhancing the detection of IDOR vulnerabilities

Before the integration of AI, traditional scanners relied heavily on static methods such as regex-based pattern matching, which made them inefficient and often ineffective at detecting logic flaws such as Insecure Direct Object References (IDOR). Detecting an IDOR requires knowing which user should be allowed to see which object, so a scanner has to simulate several users’ interactions and judge the authorization context of each response, something these scanners struggled to do.

AI automates the detection of unauthorized access scenarios in IDOR vulnerabilities, giving offensive security teams an upper hand in proactive threat exposure management.
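As an added illustration (example code for this post, not ULTRA RED’s implementation), here is the two-account differential check that underlies IDOR detection, run against a constructed in-memory API with a per-user invoice endpoint and a public product endpoint. The application, the session cookies and the object IDs are assumptions. The check flags every object that user A can read and user B reads back byte-for-byte; on the hardened app the only remaining hit is the public product, which shows why the raw differential result still needs contextual judgment about whether an object is meant to be shared.

```python
import json
import re

# Constructed in-memory application; nothing here touches a network.
INVOICES = {
    101: {"owner": "alice", "total": "1200.00"},
    102: {"owner": "bob", "total": "35.50"},
}
PRODUCTS = {1: {"name": "Widget", "price": "9.99"}}    # public by design
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}   # hypothetical session cookies


def make_app(enforce_owner: bool):
    """Return a request handler; enforce_owner=False reproduces the IDOR."""
    def handle(path: str, cookie: str):
        user = SESSIONS.get(cookie)
        if user is None:
            return 401, ""
        m = re.fullmatch(r"/api/invoices/(\d+)", path)
        if m:
            inv = INVOICES.get(int(m.group(1)))
            if inv is None:
                return 404, ""
            if enforce_owner and inv["owner"] != user:   # the check an IDOR lacks
                return 403, ""
            return 200, json.dumps(inv)
        m = re.fullmatch(r"/api/products/(\d+)", path)
        if m:
            prod = PRODUCTS.get(int(m.group(1)))
            return (200, json.dumps(prod)) if prod else (404, "")
        return 404, ""
    return handle


def differential_idor_check(send, session_a: str, session_b: str, paths):
    """Two-account test: anything A can read that B reads back identically is suspicious."""
    suspicious = []
    for path in paths:
        status_a, body_a = send(path, session_a)
        if status_a != 200:
            continue                     # A cannot see it, so there is nothing to compare
        status_b, body_b = send(path, session_b)
        if status_b == 200 and body_b == body_a:
            suspicious.append(path)
    return suspicious


PATHS = ["/api/invoices/101", "/api/invoices/102", "/api/products/1"]

if __name__ == "__main__":
    print("vulnerable:", differential_idor_check(make_app(False), "sess-alice", "sess-bob", PATHS))
    print("hardened  :", differential_idor_check(make_app(True), "sess-alice", "sess-bob", PATHS))
```

On the vulnerable app all three paths are flagged, including /api/invoices/102, which alice should never have seen in the first place. On the hardened app only /api/products/1 remains, a true negative that the differential test alone cannot tell apart from a real IDOR.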

More AI-based enhancements are coming soon

Threat-Intel derived PoCs using AI 

By combining real-time threat intelligence with advanced AI models, ULTRA RED takes 0-day vulnerability detection a step forward. By analyzing hacker discussions, exploit proofs-of-concept (PoCs), and other intelligence sources, our AI-driven approach will help identify emerging threats early. This proactive detection will allow organizations to respond faster, mitigating risks before vulnerabilities can be widely exploited.   

Creating fuzzing lists for complex systems 

ULTRA RED currently supports detection of the IIS Shortname Information Disclosure by automating and optimizing the guessing of the missing characters in truncated (8.3-style) filenames. Traditional enumeration relies on brute-force guessing to infer the short names.

With AI, we can take this a step further. Instead of using a limited and pre-determined guess list, AI models can analyze subtle server response patterns - like timing variations or HTTP behavior - and predict likely filename structures based on learned patterns from past data.

Even more powerful is the potential to dynamically refine wordlists in real time. By adapting based on ongoing scan results, AI can prioritize more promising inputs, significantly improving the speed and accuracy of discovery. This reduces manual effort and increases the chances of uncovering sensitive files on vulnerable IIS servers - making the exploitation process faster, smarter, and more effective.
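The added example below (not ULTRA RED’s scanner) simulates the classic tilde enumeration against a fake IIS web root and compares a plain alphabetical guess order with one ranked by a seed wordlist, which is the simplest form of the “prioritize more promising inputs” idea. It assumes the well-known status-code oracle for this disclosure (404 when a short name matches the tilde pattern, 400 when none does), a simplified 8.3 base-name rule, and constructed file names and seed words; the real technique also enumerates extensions and uses specific request forms, which the simulator omits.

```python
import re
import string
from collections import Counter

ALPHABET = string.ascii_uppercase + string.digits + "_"

# Constructed web root of the simulated server (hypothetical file names).
FILES = ["adminpanel.aspx", "backup_2019.zip", "web.config"]

# Hypothetical seed wordlist used to rank which character to try next.
SEED_WORDS = ["admin", "backup", "web", "config", "upload", "test"]


def short_base(filename: str) -> str:
    """Simplified 8.3 base name: first six valid characters of the upper-cased stem.

    Real NTFS short-name generation has more rules (collision counters, hashed names);
    this is only enough to drive the simulator.
    """
    stem = filename.rsplit(".", 1)[0]
    return re.sub(r"[^A-Z0-9_]", "", stem.upper())[:6]


class FakeIIS:
    """Simulated vulnerable IIS: 404 if a short name matches the tilde pattern, else 400."""

    def __init__(self, files):
        self.bases = {short_base(f) for f in files}
        self.requests = 0

    def get(self, path: str) -> int:
        self.requests += 1
        m = re.fullmatch(r"/([A-Z0-9_]*)(\*?)~1\*", path)
        if not m:
            return 400
        prefix, wildcard = m.groups()
        hit = any(b.startswith(prefix) if wildcard else b == prefix for b in self.bases)
        return 404 if hit else 400


def ranked_alphabet(prefix: str, seeds, alphabet=ALPHABET):
    """Order candidate characters by how often seed words continue this prefix with them."""
    k = len(prefix)
    counts = Counter(w[k] for w in seeds if len(w) > k and w.startswith(prefix))
    return sorted(alphabet, key=lambda c: (-counts.get(c, 0), c))


def enumerate_shortnames(server: FakeIIS, seed_words=(), max_base=6) -> dict:
    """Depth-first tilde enumeration; returns {short_name: request number at discovery}."""
    seeds = [re.sub(r"[^A-Z0-9_]", "", w.upper()) for w in seed_words]
    found = {}

    def walk(prefix: str):
        if server.get(f"/{prefix}~1*") == 404:           # exact base name exists
            found[prefix + "~1"] = server.requests
        if len(prefix) == max_base:
            return
        for ch in ranked_alphabet(prefix, seeds):
            if server.get(f"/{prefix}{ch}*~1*") == 404:   # some base starts with prefix+ch
                walk(prefix + ch)

    walk("")
    return found


if __name__ == "__main__":
    plain = enumerate_shortnames(FakeIIS(FILES))
    seeded = enumerate_shortnames(FakeIIS(FILES), SEED_WORDS)
    print("alphabetical order:", plain)
    print("wordlist-ranked   :", seeded)
```

Both orders find the same three short names, but the ranked order reaches the last of them in fewer requests because the “W” branch is tried early and “E” then “B” come first under it. The saving here is modest because the enumerator still exhausts every branch; a real scanner would stop earlier, and the text’s point is that a model can re-rank the remaining candidates after every response rather than once up front.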

The Future of CTEM Is AI-Driven 

AI has become a vital tool in refining ULTRA RED’s CTEM capabilities, helping us push the boundaries of accuracy and efficiency in vulnerability scanning. From reducing false positives in secrets detection to validating complex WebSocket attack scenarios, AI-driven enhancements allow us to provide more reliable and actionable security insights.

As we continue integrating AI into our scanners, we’re exploring new areas such as leveraging AI for dynamically fitted fuzzing lists, complex attack scenarios and result validation, areas where traditional scanning methods often fall short. By staying ahead of attackers with intelligent automation and deep contextual analysis, we ensure that organizations receive the most precise and up-to-date vulnerability status available.

The future of cybersecurity is powered by AI, and ULTRA RED is committed to leading the charge in this evolution. Stay tuned for more updates as we continue enhancing our CTEM platform with advanced AI capabilities.