AgenticVM: Agentic AI for Adaptive Software Vulnerability Management
Asrul Arifin, Hussain Ahmad, Yiyao Zhang, Diksha Goel

TL;DR
AgenticVM is a multi-agent framework that combines large language models with security tools to automate vulnerability management, significantly reducing alert volume and accurately predicting missing CVSS attributes.
Contribution
The paper introduces AgenticVM, a novel multi-agent system integrating LLMs with security tools for automated vulnerability triage and assessment.
Findings
Up to 98% reduction in raw vulnerability alerts.
89.3% accuracy in predicting missing CVSS attributes.
Improved efficiency in vulnerability prioritization and reduced analyst workload.
Abstract
As software systems grow in scale and complexity, vulnerability management is increasingly strained by high alert volumes, fragmented toolchains, and manual triage processes. We introduce AgenticVM, a multi-agent framework that integrates large language models with security tools to automate vulnerability detection, assessment, prioritization, and reporting. AgenticVM combines rule-based processing, a BERT-based CVSS prediction module, and specialised LLM-driven agents, leveraging data from sources such as the National Vulnerability Database and the European Union Vulnerability Database. Across multiple evaluation scenarios, AgenticVM reduces raw scanner outputs into compact, actionable queues, achieving up to 98% alert reduction (e.g., from 3,983 findings to 82 high-priority items), while predicting missing CVSS attributes with 89.3% accuracy. These results demonstrate improved…
