Why validation beats detection (and why we built Ares around it)
Detection is a solved problem. Validation isn't. Here's what changes when you wire exploit-chaining intelligence into your security pipeline.
By Ares Engineering Team
The detection era is over
For most of the last decade, the security industry has competed on detection breadth. Whoever found the most issues won. Vendors raced to add rules, signatures, and CVE coverage; customers ranked tools by the size of their finding list.
That race is over - not because detection is unimportant, but because detection without validation is just unsorted noise. A finding that nobody can act on isn't a finding; it's overhead.
What "validation" actually means
We use the word carefully. Validation is not "running a second scanner against the first." It's not "human triage." It's the process of taking a candidate finding and producing a reproducible artifact that proves the impact: a working exploit, a transcript, a session token, an extracted record.
Three properties make a validation pipeline credible:
- Reproducibility - the same finding under the same conditions yields the same artifact, deterministically.
- Composability - primitive findings can be composed into multi-step chains.
- Reversibility - the system can roll back its own actions, leaving no residue.
If any of these is missing, you have detection with extra steps.
The agentic-AI angle
The reason validation has stayed expensive is that it requires the same kind of reasoning a senior pentester does: hypothesis, probe, refute, escalate. Until recently, that was strictly human work.
Modern agentic-AI systems - large models acting under a planning loop, calling tools, observing outcomes - make a different cost curve possible. We're not pretending an AI agent is a 1:1 replacement for a senior pentester. We're saying that for the bottom 80% of validation work (the part that's tedious but mechanical), an agent that can chain primitive findings across SAST, DAST, and VA reaches credible conclusions in hours, not days.
What this changes for the buyer
If you're a CISO, the practical shift is simple: stop buying detection by the seat. Start asking your vendors for the validation rate of their findings - what percentage they will stand behind with an exploit artifact. The number is usually shockingly low.
When you have that number, severity stops being a queue and becomes a decision.
What's next
We'll be publishing more on the architecture, the dataset we trained on, and the failure modes we've seen in the wild. Follow our publications page or reach out via the free trial form.
