Cloud Security, AI/ML

ZEST Turns AWS Policies Into a Defense Tool for Cloud Security Teams


Security teams often find themselves boxed in. When they spot a cloud risk like a misconfiguration or a vulnerable workload, resolving it means waiting for the dev team to change the code or waiting for an upgrade that isn't available yet. Meanwhile, the risk just sits there. ZEST Security is giving teams a way to break that cycle.

The company’s latest update adds AWS Service Control Policies (SCPs) to its list of automated mitigation pathways. That might sound simple, but most teams don’t have a way to operationalize SCPs in response to exposures. ZEST’s platform changes that. Security teams can now deploy SCPs directly from the ZEST console, turning a policy meant for governance into an active control that blocks attacker access in real time.

Why This Matters

Vulnerability management programs typically don’t factor in existing cloud guardrails like SCPs when prioritizing or mitigating risks. “Vulnerability management programs today do not consider existing cloud guardrails for context-rich prioritization, or for mitigation when full remediation isn't immediately possible,” Snir Ben Shimol, CEO and co-founder of ZEST, told ChannelE2E.

ZEST’s platform helps address that blind spot. If a risk can’t be patched or rewritten quickly, teams can still reduce exploitability using controls already available in their cloud environment. “We’re not taking a mitigation-first approach; full remediation is always the end goal,” Ben Shimol added. “But unfortunately, it’s not always immediately possible. That’s what makes mitigation such a critical piece of the puzzle to effectively manage cloud risk exposure.”

ZEST’s latest release gives teams another lever. This one requires no code, redeployments, or waiting. It helps block common attack techniques, like unauthorized access to storage buckets or key management systems, and more advanced tactics like privilege escalation and lateral movement.
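As an added illustration (not ZEST’s own policy or code, which the article does not show), here is the shape of an SCP a team might attach to a member-account OU to contain the bucket-exposure and key-destruction paths mentioned above; the exempted remediation role ARN is a placeholder:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBucketExposureAndKeyDestruction",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:PutBucketAcl",
        "s3:PutObjectAcl",
        "s3:PutBucketPublicAccessBlock",
        "kms:ScheduleKeyDeletion",
        "kms:DisableKey",
        "kms:PutKeyPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/PLACEHOLDER-RemediationRole"
        }
      }
    }
  ]
}
```

An SCP only removes permissions, never grants them, and it does not apply to the organization’s management account or to service-linked roles, so a control like this complements rather than replaces fixing the underlying finding.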

Agentic AI in Action

The engine behind all this is ZEST’s Agentic AI model, which connects the dots between detected vulnerabilities and the best path to reduce risk. That path might be a code fix. It might be a patch. Or it might be a service-level control like an SCP, a WAF rule, or a GuardDuty configuration. The platform ranks available options and applies the most effective one, even when full remediation isn’t viable.

This level of precision is possible because ZEST builds a custom graph of each client’s environment.

“For each client, the ZEST platform leverages AI agents to build a graph and structured database that represents the unique technical DNA of each environment,” Ben Shimol explained. “It understands the relationship and context between DevOps deployments, cloud assets, and compensating controls to craft tailored resolution pathways without manual customization.”

Adding SCPs gives security teams one more lever to pull when remediation is not immediately on the table. If code changes are stuck in the queue or patches aren’t available, they can still take action without increasing exposure. It’s a practical, real-world layer of defense that meets teams where they are. The goal here is to close the gap between finding a risk and being able to fix it. SCPs help do that by offering a way to contain threats and block attacker activity while the longer-term fix is still in motion. This is about control, not perfection.
