
Static CNAPP Assumes Risk. Runtime CNAPP Proves It.

Sweet team

April 15, 2026


The good news: last night’s CNAPP scan came back with 4,453 findings. They were ranked by CVSS score in a tidy spreadsheet, and someone on your team will spend the next two weeks slogging through them.

The bad news: you don't really know how many of those findings reflect what is actually running in your environment right now - not what was running when the scan started, and not what your manifest says should be running, but what is executing in production at this moment, as you read this. For most security teams, the honest answer is: "I don't know."

And the reason has nothing to do with team skill. Static CNAPP scans were never built to answer that question: they enumerate known vulnerabilities in the artifacts you deploy - images, packages, configuration - as of the moment the scan runs. Meanwhile, AI has fundamentally changed the threat landscape. Attackers now move at machine speed. Agentic applications have introduced attack surfaces that did not exist two years ago. AI-generated code is inflating the volume of vulnerabilities faster than any static scanner was built to handle. At the same time, the dev mantra has become "deploy first, protect second" - a reality static scanning was never designed for, either.

In this post we walk through these shifts and explain why runtime intelligence is the only way to keep up with them.

Your Environment Is Not a CVE Database and AI Is Making That Problem Worse

Here's the core of the problem: a CVSS score doesn't know your environment. And as AI-generated code floods your pipeline, the volume of potential vulnerabilities only grows - and the ones that actually matter get harder to find.

A CVSS score doesn't know whether a vulnerable library is loaded into memory or sitting dormant on disk in an image nothing ever runs. It doesn't know whether the service that loads it is internet-facing or isolated behind three layers of controls. It doesn't know whether the attack path that would make a given CVE dangerous actually exists in your infrastructure. A CVSS score can tell you how bad a vulnerability could be. It cannot tell you how bad it is for you.

By way of illustration, a recent study examined applications and container images across thousands of cloud environments, then applied runtime context to each vulnerability it identified - checking, for example, whether the vulnerable component was actually running in production and whether the application carrying it was internet-facing. Only 18% of the vulnerabilities scored critical by CVSS held up as genuinely critical; the other 82% turned out to be noise.

The fact is that almost 50,000 CVEs were published in 2025, while CISA's Known Exploited Vulnerabilities catalog added only 245 entries that year - fewer than 1% of the CVE volume. (KEV is a floor, not a ceiling: it lists only vulnerabilities with confirmed in-the-wild exploitation, so the true exploited set is larger, but still a small fraction.) Your team cannot possibly fix the 130-plus vulnerabilities emerging each day, and the data suggests it doesn't need to. Yet a static scan has no way of telling you which ones actually matter in your environment.
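The runtime checks the study describes - is the vulnerable library mapped by a running process, does that process listen on a non-loopback address, is the CVE on a known-exploited list - can be joined to a CVSS-ranked finding list mechanically. The script below is an added example, not Sweet Security's code or the study's method. Every input is constructed: the CVE ids are placeholders (not real vulnerabilities), the /proc/<pid>/maps excerpts and listening-socket table are hand-written, and KNOWN_EXPLOITED stands in for a KEV-style feed.

```python
"""Triage static scanner findings with runtime evidence (added example, constructed data)."""

# Constructed scanner output. "file" is the shared object the vulnerable
# package installs; the CVE ids are placeholders, not real vulnerabilities.
FINDINGS = [
    {"cve": "CVE-EXAMPLE-A", "file": "/usr/lib/libxml2.so.2", "cvss": 9.8},
    {"cve": "CVE-EXAMPLE-B", "file": "/usr/lib/libcurl.so.4", "cvss": 7.5},
    {"cve": "CVE-EXAMPLE-C", "file": "/usr/lib/libzip.so.5", "cvss": 8.1},
    {"cve": "CVE-EXAMPLE-D", "file": "/opt/tools/libfoo.so", "cvss": 9.1},
]

# Constructed /proc/<pid>/maps excerpts for the two processes in the workload.
# Columns: address perms offset dev inode [path]; the path is absent for
# anonymous mappings and bracketed for pseudo-paths such as [stack].
PROC_MAPS = {
    101: (
        "7f10a0000000-7f10a0020000 r--p 00000000 08:01 1234 /usr/lib/libcurl.so.4\n"
        "7f10a0020000-7f10a0080000 r-xp 00020000 08:01 1234 /usr/lib/libcurl.so.4\n"
        "7f10a0100000-7f10a0110000 r--p 00000000 08:01 1235 /usr/lib/libssl.so.3\n"
        "7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]\n"
    ),
    202: (
        "7f20b0000000-7f20b0010000 r-xp 00000000 08:01 1236 /usr/lib/libzip.so.5\n"
        "7f20b0200000-7f20b0221000 rw-p 00000000 00:00 0\n"
    ),
}

# Constructed listening sockets per pid (what `ss -ltnp` would report).
LISTENERS = {101: [("0.0.0.0", 443)], 202: [("127.0.0.1", 6379)]}

# Constructed stand-in for a known-exploited feed (CISA KEV style).
KNOWN_EXPLOITED = {"CVE-EXAMPLE-B"}

LOOPBACK = {"127.0.0.1", "::1"}
TIER_ORDER = {"active-exposed": 0, "active-internal": 1, "dormant": 2}


def mapped_files(maps_text):
    """Return the set of absolute file paths a process has mapped, from maps text."""
    files = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/"):
            files.add(parts[5].replace(" (deleted)", "").strip())
    return files


def is_exposed(pid, listeners):
    """True if the process listens on anything other than loopback."""
    return any(addr not in LOOPBACK for addr, _port in listeners.get(pid, []))


def triage(findings, proc_maps, listeners, known_exploited):
    """Attach a runtime tier to each finding and sort by what matters here.

    dormant:         the vulnerable file is on disk but no running process maps it
    active-internal: mapped by a running process that listens only on loopback
    active-exposed:  mapped by a process with a non-loopback listener
    Within a tier, known-exploited CVEs come first, then higher CVSS.
    """
    loaded_by = {}
    for pid, text in proc_maps.items():
        for path in mapped_files(text):
            loaded_by.setdefault(path, set()).add(pid)

    triaged = []
    for f in findings:
        pids = loaded_by.get(f["file"], set())
        if not pids:
            tier = "dormant"
        elif any(is_exposed(p, listeners) for p in pids):
            tier = "active-exposed"
        else:
            tier = "active-internal"
        triaged.append({**f, "tier": tier, "pids": sorted(pids),
                        "exploited": f["cve"] in known_exploited})

    triaged.sort(key=lambda t: (TIER_ORDER[t["tier"]], not t["exploited"], -t["cvss"]))
    return triaged


if __name__ == "__main__":
    for t in triage(FINDINGS, PROC_MAPS, LISTENERS, KNOWN_EXPLOITED):
        print(f'{t["tier"]:16} {t["cve"]:14} cvss={t["cvss"]} '
              f'exploited={t["exploited"]} pids={t["pids"]}')
```

With this data the 7.5-scored CVE on the internet-facing, known-exploited path ranks first and the two 9+ scored CVEs fall to the bottom because nothing running maps their files. Two caveats: a mapped shared object proves the library is loaded, not that the vulnerable function is ever called (that needs reachability analysis), and matching on file path misses statically linked or vendored copies of the same code. On real hosts, reading another process's maps requires appropriate privileges and, in containers, a sensor that sees across pid namespaces.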

Factoring in AI-generated code only compounds the problem. When every developer on your team is directing a fleet of coding agents, the volume of code shipped to production multiplies. More code means a larger attack surface, and a static scanner that was already drowning in noise cannot keep pace with that scale.

Why Runtime Intelligence Changes Everything

AI has given attackers capabilities that didn't exist two years ago. What used to require years of expertise - analyzing responses, adjusting attack vectors, moving laterally through complex environments - can now be executed autonomously by tools available to anyone.

According to CrowdStrike, 79% of detected intrusions are now malware-free, up from 40% in 2019. Attackers move through your environment using stolen credentials, legitimate admin tools and hands-on-keyboard techniques. With no malicious file to find, static scanning - which matches known vulnerability and file signatures - has nothing to match against. Runtime intelligence instead watches execution behaviour continuously, so a process tree, credential use or connection that deviates from the workload's normal activity gets flagged even when no malicious file is involved.

What's more, the faster attackers move, the more it matters to have accurate behavioural signals from runtime intelligence. CrowdStrike's data shows the average time between an attacker's initial foothold and first lateral move (breakout time) has dropped from 79 minutes in 2022 to 48 minutes in 2024, with the fastest recorded at just 51 seconds. A scan cycle measured in hours is useless against an attack measured in seconds. Runtime intelligence can tell you which risks are active right now and which movements are anomalous this minute.
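To make the behavioural-deviation idea concrete, here is an added example (not Sweet Security's detection engine) that learns what a container image normally executes, then flags execs outside that baseline and measures the time from the first anomaly to the first lateral-movement tool. The exec telemetry is constructed JSON lines in the shape an eBPF or auditd sensor might emit; the image digest, paths, user and timestamps are placeholders, and the LATERAL_TOOLS and SHELLS sets are the example's own choices.

```python
"""Flag execution that deviates from a learned per-image baseline (added example, constructed data)."""
import json
from datetime import datetime

# Constructed learning window: what this image normally executes.
BASELINE_EVENTS = """\
{"ts":"2026-04-14T09:00:01Z","image":"shop/api@sha256:aaaa","parent":"/usr/bin/node","exe":"/usr/bin/node","user":"app"}
{"ts":"2026-04-14T09:00:05Z","image":"shop/api@sha256:aaaa","parent":"/usr/bin/node","exe":"/usr/bin/pg_isready","user":"app"}
{"ts":"2026-04-14T09:10:00Z","image":"shop/api@sha256:aaaa","parent":"/usr/bin/node","exe":"/usr/bin/pg_isready","user":"app"}
"""

# Constructed live window: same image, then a shell appears under the web
# server, followed by curl and a cluster client. No malware file anywhere.
LIVE_EVENTS = """\
{"ts":"2026-04-15T02:14:03Z","image":"shop/api@sha256:aaaa","parent":"/usr/bin/node","exe":"/usr/bin/pg_isready","user":"app"}
{"ts":"2026-04-15T02:15:10Z","image":"shop/api@sha256:aaaa","parent":"/usr/bin/node","exe":"/bin/sh","user":"app"}
{"ts":"2026-04-15T02:15:12Z","image":"shop/api@sha256:aaaa","parent":"/bin/sh","exe":"/usr/bin/curl","user":"app"}
{"ts":"2026-04-15T02:16:25Z","image":"shop/api@sha256:aaaa","parent":"/bin/sh","exe":"/usr/bin/kubectl","user":"app"}
"""

# Legitimate binaries whose appearance under a web server signals a move
# beyond the first host (example's own list, extend for your estate).
LATERAL_TOOLS = {"/usr/bin/kubectl", "/usr/bin/ssh", "/usr/bin/aws"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}


def parse_events(text):
    """Parse JSON lines into dicts and attach an aware datetime as 'time'."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return events


def learn_baseline(events):
    """Set of (image, parent, exe) triples observed during the learning window."""
    return {(e["image"], e["parent"], e["exe"]) for e in events}


def detect(baseline, events):
    """Return one alert per exec whose (image, parent, exe) is not in the baseline."""
    alerts = []
    for e in events:
        if (e["image"], e["parent"], e["exe"]) in baseline:
            continue
        if e["exe"] in LATERAL_TOOLS:
            reason = "lateral-movement tool"
        elif e["exe"] in SHELLS:
            reason = "shell spawned by " + e["parent"]
        else:
            reason = "exec not in baseline"
        alerts.append({"time": e["time"], "exe": e["exe"],
                       "parent": e["parent"], "reason": reason})
    return alerts


def breakout_seconds(alerts):
    """Seconds from the first anomaly to the first lateral-movement tool, or None."""
    lateral = [a for a in alerts if a["reason"] == "lateral-movement tool"]
    if not alerts or not lateral:
        return None
    return int((lateral[0]["time"] - alerts[0]["time"]).total_seconds())


if __name__ == "__main__":
    base = learn_baseline(parse_events(BASELINE_EVENTS))
    found = detect(base, parse_events(LIVE_EVENTS))
    for a in found:
        print(a["time"].isoformat(), a["exe"], "-", a["reason"])
    print("breakout seconds:", breakout_seconds(found))
```

The routine health check passes silently; the shell under node, the curl under that shell and the kubectl call are each flagged on first sight, and the breakout clock here reads 75 seconds, which is the window a detection pipeline has to act. Key the baseline on the image digest rather than a mutable tag, and make sure the learning window predates any suspected compromise, or the attacker's activity becomes "normal".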

The AI Agent Problem

Gartner predicts that 40% of enterprise applications will use task-specific AI agents by the end of 2026 - up from less than 5% in 2025. Gartner also found that 74% of IT leaders already view AI agents as a new attack vector – yet only 13% are convinced they have the governance mechanisms in place to manage them. Static CNAPP was built for a different era of cloud workloads - it simply cannot bridge the governance gap those numbers describe.

The reason? AI agents present a completely different security challenge from traditional workloads. A container runs code, which – as discussed above – can be scanned. An agent makes decisions: it calls APIs, accesses sensitive data, invokes other services, and acts autonomously in milliseconds. Some can even write and execute their own code. And many of these agents are already running in your environment without your security team's knowledge - shadow AI that static tools cannot discover, let alone govern.

An agent's risk profile shifts continuously - based on what it's connected to, what it retrieves, and how its behavior evolves in production. Static scanning sees none of this. Runtime intelligence does.

The Bottom Line

The static scan security model was built for a different threat landscape — one where attackers relied on malware, AI agents didn't exist, and a CVSS score was a reasonable metric for actual danger.

That landscape is gone.

Runtime CNAPPs, like Sweet Security's unified cloud and AI security platform, prove which findings actually matter. They deliver continuous runtime intelligence across cloud workloads and AI agents with the same behavioral engine and execution context - whether the workload is a container or an autonomous agent. Static snapshots tell you what existed. Runtime intelligence tells you what's actually happening.

See what’s actually exploitable

Go beyond findings. See what’s running, what’s reachable, and what actually needs your attention. Request a demo to see it in action.
