Security teams have spent decades getting better at finding vulnerabilities -- but the ability to actually fix them has never kept pace. At RSAC Conference 2026, Sunil Gottumukkala of Averlon explains why the industry needs to shift from vulnerability management to remediation operations, and how agentic AI is finally making that shift practical.
The cybersecurity industry is good at finding problems. What it has struggled with -- for decades -- is fixing them. Sunil Gottumukkala, CEO and Co-Founder of Averlon, calls this the exposure window: the gap between when a vulnerability is discovered and when it is actually resolved. That gap is where real risk lives, and closing it is the founding mission of Averlon.
Speaking on location at RSAC Conference 2026, Gottumukkala draws on his experience as a security executive at Salesforce to explain why even the most well-resourced teams fall behind. More code, more acquisitions, and more attack surface mean more findings -- but the capacity to remediate does not scale at the same rate. The answer, he argues, is not more people. It is better systems.
Averlon approaches the problem by ingesting findings from across a customer's security stack, applying AI-driven analysis to determine what is actually exploitable in that specific environment, and eliminating noise. From there, rather than generating a ticket, the platform generates a fix -- actual code changes for application vulnerabilities, or compensating controls for situations requiring more time. The goal is not to manage vulnerabilities. It is to eliminate them.
This is a Brand Highlight. A Brand Highlight is a ~5 minute introductory conversation designed to put a spotlight on the guest and their company. Learn more: https://www.studioc60.com/creation#highlight
GUEST
Sunil Gottumukkala, CEO & Co-Founder, Averlon
https://www.linkedin.com/in/sunilgottumukkala/
RESOURCES
Averlon: https://www.averlon.ai
Closing the Exposure Window: From Vulnerability Management to Remediation Operations | A Brand Highlight at RSAC Conference 2026 with Sunil Gottumukkala, CEO & Co-Founder of Averlon
[00:00:10] Sean Martin: Sunil, here we are.
[00:00:12] Sunil Gottumukkala: Yes.
[00:00:13] Sean Martin: Moscone.
[00:00:14] Sunil Gottumukkala: Yes. RSAC Conference.
[00:00:16] Sean Martin: We made the pilgrimage.
[00:00:17] Sunil Gottumukkala: That's right.
[00:00:18] Sean Martin: Are you local to San Francisco?
[00:00:20] Sunil Gottumukkala: No, we are in Seattle.
[00:00:22] Sean Martin: Ah, okay. A little bit of a journey for you as well.
[00:00:24] Sunil Gottumukkala: Yeah. Not too bad.
[00:00:26] Sean Martin: Not too bad. And this is where it all happens. RSAC Conference. No lack of innovations floating around. No lack of challenges to solve as well. Give us a little overview of who you are, Sunil, and your role. And then we'll talk a little bit about Averlon.
[00:00:42] Sunil Gottumukkala: Yes. I'm Sunil, I'm the co-founder and CEO of Averlon. We've been enabling remediation operations for our customers for the past couple of years. Excited to be here, looking forward to this conversation.
[00:00:56] Sean Martin: Very good. Sunil, I've been in this space for a long time -- vulnerability management, necessary evil. People hate to do it. You have to do it. What are some of the challenges you've seen organizations struggle with as they try to transform how they do that?
[00:01:10] Sunil Gottumukkala: Yeah. As you said, people struggle to do it, but it's a necessary evil, unfortunately. At least for the last couple of decades, people have been trying to solve this problem. As an industry, we've gotten better at finding new types of vulnerabilities. A long time ago it used to be outdated software on endpoints. Then it became cloud posture security. Then it became code security issues. Now it's agent security issues. Everybody at the conference is good at finding problems. What we hadn't been good at is fixing problems. If you ask me what is the biggest challenge in vulnerability management, we need to move away from management to vulnerability remediation -- to actually fix them. The goal is not to manage them. The goal is to eliminate them. That's what we are trying to do at Averlon.
[00:02:00] Sean Martin: Got it. So what was the catalyst for you to say, I'm going to start a company that looks to solve this problem?
[00:02:08] Sunil Gottumukkala: Great question, and one I get a lot. Prior to starting this journey with Averlon, I was at Salesforce. I was one of the security execs there. At Salesforce scale, there was no shortage of budget, no shortage of security talent, no shortage of engineers who needed to fix problems. But at that scale, we had more problems than what we were capable of fixing from a practical point of view. The reason for that is your codebase just expands, whether it's through acquisitions or you're building new things, you have a lot more attack surface. So the security team doesn't scale or grow with that either.
[00:02:55] Sean Martin: Right.
[00:02:56] Sunil Gottumukkala: Yeah. We had one of the largest security teams in the industry for our size company at that time. Even then, we were struggling. It was always an uphill battle. We were always playing catch up. The reason why I started this journey is we cannot scale with people -- you need to scale with systems. So we thought there's got to be a different way of tackling this problem. Instead of finding vulnerabilities and throwing tickets to engineering, what we said is we'll build systems that look at every vulnerability finding from any of the security stack you may have deployed. We will automatically analyze and figure out how it can be exploited, if it can be exploited. What we realized when we did that exercise is most of the time not everything is relevant for the organization. Just because something has a CVSS score of 10 somewhere else doesn't mean it's applicable to Salesforce or your company or some healthcare technology company. But being able to make that determination is key.
[00:03:58] Sean Martin: Yep.
[00:04:00] Sunil Gottumukkala: Existing products didn't do it. Competent security researchers in the company can do it, but you cannot have enough of them to do that analysis at scale. So we built a system that does it automatically so that you eliminate the noise completely, and then you are left with a smaller set of issues that can practically be resolved within the organization.
[00:04:20] Sean Martin: Right. And how do you do that in a way that the remediation engineers can actually work with the solution you offer -- in a way that fits how they operate? Do they have to change the way they work?
[00:04:32] Sunil Gottumukkala: Great question. We started our journey primarily to solve the prioritization problem in the beginning. Then we realized -- okay, you've prioritized, you've eliminated the noise. It still hasn't solved the problem completely. Our goal is not to find issues, as I said, it's to fix. So if you can get to that step, all of this basically becomes security theater, not security. Given the progress in coding agents and other AI capabilities, we are taking the output of a system that actually prioritizes everything and eliminates the noise. After that happens, rather than simply filing a ticket, we are actually coming up with actual fixes. Sometimes it could be a code fix in an application. We generate the fix, we evaluate whether it has any propensity to break anything -- compatibility issues and so on. We fix all of those. And we give the code fix to the developer and say, here is the code to fix this. Please review it and check it in.
[00:05:28] Sean Martin: Is that all AI-driven?
[00:05:30] Sunil Gottumukkala: Yes, the actual code piece is exactly right. We leverage Claude Code and code security tools and others. The other thing we do is sometimes you want more time to review and make a change to the application. You want mitigation -- can I change a firewall rule, or come up with another compensating control, change a configuration that gives me more time to address the core problem but still gives me enough security in the meantime. That can also be done through LLMs. And once you understand the environment deeply, you can come up with the right fix. That's what we try to do. That's why we call ourselves remediation operations -- not vulnerability operations.
[00:06:10] Sean Martin: Is that a term that's common -- remediation operations?
[00:06:14] Sunil Gottumukkala: It's becoming more and more common and widely used these days. I don't think it's a Gartner category yet.
[00:06:20] Sean Martin: Right.
[00:06:21] Sunil Gottumukkala: But I'm sure in the near future it will be. Given the agent capabilities of AI and LLMs, it's actually making it a lot more practical. In the past, when remediation operations as a term first got started, people were more focused on process automation -- how do I file a ticket, track the ticket, compute the SLA, connect the systems to see it through. But we took a different angle and said process is important, but the actual outcome is even more important. Can we skip those steps and actually produce the outcome? That's when we are coming up with the code fixes.
[00:07:00] Sean Martin: Yeah. Well, Sunil, it's a problem I've been around for a long time. It's a problem that continues to burden security operations teams and the broader ecosystem for so much and for so long. Anything we can do to help those engineers solve this problem is certainly welcomed. Final word to CISOs and the security remediation team?
[00:07:18] Sunil Gottumukkala: To close -- over the last year, the pace of innovation across all of our customer bases has gone exponentially higher, mainly because they were able to use Claude Code, Codex, and other AI code generation tools. They're innovating faster. That means the pace at which you're developing new features is growing. Unfortunately, the pace at which you're finding and creating new security issues is also growing. The only way you can solve it is by using systems that can deeply understand your end-to-end application, deeply understand security, and solve it in an autonomous fashion. That's what remediation operations is.
[00:08:05] Sean Martin: Gets us to the close. Oh, Sunil, it's a pleasure chatting with you. Thank you. Staying here, everybody -- connect with Sunil on LinkedIn, connect with the Averlon team and ramp up your remediation options.
[00:08:18] Sunil Gottumukkala: Perfect. Thank you. Thanks for the opportunity.