Security teams today face a hard reality in modern cloud environments: not every vulnerability can be fixed right away. In fact, many can’t be fixed at all—at least not without breaking business-critical systems or waiting on another team’s backlog.
That doesn’t mean organizations are helpless. It means the way we think about cloud risk has to evolve.
The Exposure We Can’t Always Fix
A growing body of research—and firsthand experience—shows that more than half of identified cloud risks go unremediated for extended periods. The reasons vary:
- No patch is available yet
- A code fix would break existing functionality
- The change requires coordination with another team
- Legacy infrastructure won’t support the upgrade
These are relatively common scenarios. And in each case, the longer a vulnerability stays open, the more time an attacker has to find and exploit it.
“Full remediation is always the ultimate goal,” says Snir Ben Shimol, CEO of ZEST Security. “But mitigation is a key piece to a robust cloud exposure management program—especially when full remediation can’t be implemented right away.”
Why Mitigation Matters
Traditionally, security posture has been defined by how quickly teams can identify, prioritize, and patch. But when patching isn’t an option, the focus shifts to limiting what an attacker can do.
This is where mitigation comes in. Think of it as a parallel track to remediation—not a replacement, but a way to reduce exposure today while working on a longer-term fix.
Mitigation strategies might include:
- Using AWS Service Control Policies to block access to sensitive actions
- Enforcing stricter guardrails around public exposure
- Leveraging Web Application Firewalls to filter attack traffic
- Disabling high-risk permissions or services on vulnerable resources
These options aren’t about perfect security. They’re about reducing exploitability. “Let’s take ransomware as an example,” Ben Shimol explains. “SCPs can be used to limit what an attacker is able to do, such as restricting the ability to delete or encrypt data. That buys valuable time and reduces risk while remediation efforts are underway.”
The Role of Agentic AI in Resolution
Manual mitigation is time-intensive and context-sensitive. Applying the wrong policy—or applying it in the wrong place—can break functionality or disrupt development workflows. That’s where automation and AI are starting to play a critical role.
AI-powered resolution engines now exist to analyze the environment, simulate changes, and recommend safe, high-impact actions. These systems, often built around specialized “agents,” can correlate CSPM findings and vulnerability scans to a range of viable resolutions—including both code fixes and mitigation pathways.
Ben Shimol describes ZEST’s approach as a network of AI agents “each designed to handle specific remediation tasks,” including agents that focus on mitigation using native cloud controls. “Our agents simulate every fix, mitigation, etc., on a digital twin of your environment, recursively validating the outcome before suggesting changes.”
Why SCPs Are Gaining Attention
AWS Service Control Policies are not new, but they’ve historically been viewed as administrative guardrails—static controls for limiting service access across accounts.
What’s changed is the realization that SCPs can also be dynamic mitigation tools. They can be used to enforce least privilege, restrict destructive actions, and isolate misconfigured services—all without requiring code changes.
When used with precision and context, SCPs can help prevent key stages of an attack, including:
- Unauthorized reconnaissance
- Privilege escalation
- Data exfiltration or encryption
Skeptics sometimes view SCPs as blunt instruments, but that perception is shifting. When properly scoped and validated, they can offer a reliable, reversible, and low-friction way to reduce risk.
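As an added illustration of the "restrict the ability to delete or encrypt data" mitigation described above (this is example code written for this page, not ZEST Security's implementation or any AWS-provided tooling), the block below builds a deny-only SCP and runs constructed sample requests through a small offline model of its deny semantics. The IAM action names, the `aws:PrincipalArn` condition key and the `ArnNotLike` operator are real AWS identifiers; the `BreakGlass-*` role-name pattern and the sample principals are assumptions made for the example.

```python
"""Added example: a guardrail-style SCP that denies destructive data actions,
plus an offline checker for the deny semantics the article describes.
Illustrative code, not ZEST Security's implementation. Action names and the
condition key are real AWS identifiers; the role-name pattern and sample
principals are constructed assumptions."""
import fnmatch
import json

# Actions that stolen credentials would use to destroy or re-encrypt data.
# All are real IAM action names.
DESTRUCTIVE_ACTIONS = [
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutEncryptionConfiguration",  # swapping a bucket's key for a foreign one
    "s3:PutLifecycleConfiguration",   # expiring objects quickly
    "kms:ScheduleKeyDeletion",
    "kms:DisableKey",
    "ec2:DeleteSnapshot",
    "rds:DeleteDBInstance",
    "backup:DeleteRecoveryPoint",
]

# Constructed assumption: an approved break-glass role keeps these rights.
BREAK_GLASS_PATTERN = "arn:aws:iam::*:role/BreakGlass-*"

SCP_MAX_CHARS = 5120  # AWS size limit for an SCP document


def build_scp(actions=DESTRUCTIVE_ACTIONS, exempt_principal=BREAK_GLASS_PATTERN):
    """Return the SCP document as a dict ready for json.dumps()."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyDestructiveDataActions",
                "Effect": "Deny",
                "Action": list(actions),
                "Resource": "*",
                # The Deny applies to every principal EXCEPT those matching the pattern.
                "Condition": {"ArnNotLike": {"aws:PrincipalArn": exempt_principal}},
            }
        ],
    }


def validate_scp(policy):
    """Sanity checks before attaching: size limit and well-formed Effect values.
    Returns the compact document length in characters."""
    text = json.dumps(policy, separators=(",", ":"))
    if len(text) > SCP_MAX_CHARS:
        raise ValueError(f"SCP is {len(text)} chars, limit is {SCP_MAX_CHARS}")
    for stmt in policy["Statement"]:
        if stmt["Effect"] not in ("Allow", "Deny"):
            raise ValueError(f"bad Effect in statement {stmt.get('Sid')}")
    return len(text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(policy, action, principal_arn):
    """Offline model of the Deny side of SCP evaluation for this policy shape:
    a Deny whose Action matches (case-insensitive wildcard) and whose
    ArnNotLike condition holds blocks the call regardless of any IAM Allow.
    Only Deny statements with this single condition type are modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                   for pat in _as_list(stmt["Action"])):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt is not None and any(fnmatch.fnmatchcase(principal_arn, p)
                                      for p in _as_list(exempt)):
            continue  # principal matches the exemption, so ArnNotLike is false
        return True
    return False


def simulate(policy, requests):
    """Map each constructed (action, principal_arn) pair to True if denied."""
    return {(a, p): scp_denies(policy, a, p) for a, p in requests}


if __name__ == "__main__":
    scp = build_scp()
    print(f"SCP size: {validate_scp(scp)} chars")
    app = "arn:aws:iam::123456789012:role/app-server"        # constructed
    ops = "arn:aws:iam::123456789012:role/BreakGlass-ops"    # constructed
    for (action, principal), denied in simulate(scp, [
        ("s3:DeleteObject", app), ("kms:ScheduleKeyDeletion", app),
        ("s3:GetObject", app), ("s3:DeleteObject", ops),
    ]).items():
        print(f"{'DENY ' if denied else 'allow'} {action:28} {principal}")
```

The model only answers whether this SCP's explicit Deny fires; it does not reproduce the full IAM evaluation chain, so treat it as a pre-attachment check, not a replacement for testing on a sandbox OU. Two properties that make this kind of policy the reversible, low-friction control the article describes are worth keeping in mind when scoping it: SCPs never apply to the organization's management account or to service-linked roles, and detaching the policy restores the previous state immediately.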
The Bigger Shift
Most CSPM tools and vulnerability scanners end at detection and alerting. The burden then falls on security teams to decide what to do next—and to negotiate with DevOps, engineering, or IT to implement a fix.
Mitigation pathways provide a way to break that cycle. They empower security teams to act immediately, using cloud-native controls to reduce the attack surface while waiting on the rest of the system to catch up.
ZEST Security announced it is adding AWS Service Control Policies as a core mitigation pathway in its cloud risk resolution platform. ZEST’s approach treats SCPs as real-time controls to prevent key stages of an attack—such as reconnaissance, privilege escalation, or data encryption—even when the underlying vulnerability remains unresolved.
The move highlights a broader industry trend: building smarter tooling that can help security teams take meaningful action—without having to wait for the perfect fix.
“ZEST gives security teams options,” says Ben Shimol. “We provide resolution pathways aligned to groups of related risks, offering both remediation and mitigation options—so teams can choose the best way forward based on their unique circumstances.”
Looking Ahead
As cloud complexity grows, so does the gap between risk discovery and resolution. Agentic AI systems and proactive mitigation strategies are closing that gap—not by eliminating every vulnerability, but by reducing the chances it can be used against you.
Mitigation isn’t a detour from security best practices. It’s a way to stay in the fight when perfection isn’t possible.