Azul Takes Aim at the Java Runtime Security Blind Spot
Security teams have plenty to worry about these days, and AI-assisted cyberattacks are quickly moving up the list. But Azul is using that broader concern to call attention to a more specific and very practical enterprise problem: many organizations still do not have a clear handle on which Java runtimes are running across their environments, whether those runtimes are supported, or how quickly they can be patched when a vulnerability appears.
That's the gap Azul says it's trying to close with a new free JVM vulnerability risk assessment for DevOps and security operations teams. The assessment is designed to map Java Virtual Machine exposure across an enterprise estate, including embedded, unmanaged, and otherwise overlooked runtimes that may not show up in standard asset discovery tools.
The offering gives organizations an executive dashboard, a risk breakdown by Java version, visibility into Known Exploited Vulnerabilities, end-of-life runtimes, patch baselines, and a prioritized remediation roadmap.
The timing is not accidental. Security teams are trying to understand how generative AI and agentic AI systems could change vulnerability discovery and exploitation. Azul is framing its assessment around that shift, arguing that mean time to exploit has moved from months to days, or in some cases even hours, while many enterprises still patch non-critical vulnerabilities on a best-effort basis.
“Anthropic’s Mythos has shown that AI can now discover and weaponize vulnerabilities on its own,” Azul co-founder and Chief Executive Scott Sellers said in the company’s announcement. He added that “the deep expertise that used to stand between attackers and your software estate is no longer a barrier.”
The key point here is that Azul is not talking only about application code. The company is focusing on the runtime layer, which can be harder to inventory and manage in large organizations. Java remains deeply embedded in financial services, government, healthcare, utilities, and other regulated industries, where older applications, long-lived systems, and complex change-management processes can make patching anything but simple.
Azul says the assessment can be used as a standalone service or folded into broader security, licensing, and compliance programs delivered by Azul partners. The output is intended to help teams determine which workloads should be patched first, which runtimes should be moved off unsupported versions, and which legacy systems may require extended support.
The company is also making a broader argument about patch velocity. Java quarterly updates are the primary mechanism for remediating known vulnerabilities, but large organizations often struggle to move quickly across sprawling environments. That leaves gaps, especially when older or embedded JVMs sit outside normal asset management processes.
Azul says its Azul Core product provides security-only updates and out-of-cycle emergency fixes. Just as important, the company argues, is full-stack runtime visibility, which can help organizations identify JVM instances that might otherwise go unnoticed by security and operations teams.
“No scanner, SIEM (Security Information and Event Management), or EDR (Endpoint Detection and Response) platform can detect a vulnerability that has not yet been disclosed,” the company said. Azul’s position is that keeping Java estates current reduces the attack surface available to AI-driven tools before those tools can be turned against newly discovered flaws.
Jenny Nelson, head of ICT & Digital at Newcastle City Council, said in the release that the council’s partnership with Azul “significantly reduced our security risk level with our Java applications and Java-based infrastructure.” She said the organization’s Java estate is now “consistent, standardized, easier to maintain,” and simpler to operate.
For regulated enterprises, Azul is positioning the assessment as both a security and compliance tool. The company points to frameworks including PCI-DSS, SOX, HIPAA, DORA, NERC CIP, and FedRAMP, all of which require some combination of software version visibility, timely remediation, and documented patch history.
“The unpatched JVM is already a growing liability, not a future one,” Sellers said.
That may be the most useful way to read this announcement. The new assessment does not make the hard parts of enterprise Java management disappear. Inventory work, patch testing, legacy dependencies, and change-management bottlenecks are still very real. But Azul is putting a spotlight on a problem many organizations have quietly lived with for years: you can't patch what you can't see, and in the age of AI-assisted exploitation, that blind spot is getting harder to ignore.
Posted by John K. Waters on June 17, 2026