AWS Continuum to Enable Agentic Code Security for Enterprises Amazon Web Services launched AWS Continuum, an integrated security platform that automates discovery, enforcement, and remediation of security issues across codebases and applications. The platform includes four agentic capabilities—penetration testing, code review, threat modeling, and code vulnerabilities—designed to address the entire vulnerability lifecycle. AWS Continuum uses a graduated trust model to allow teams to delegate varying levels of autonomy to the tool based on risk profiles. Amazon Web Services has recently introduced AWS Continuum https://aws.amazon.com/blogs/security/introducing-aws-continuum-security-at-machine-speed/ , a new integrated security platform to automate the discovery, enforcement, and remediation of security issues across codebases, dependencies, and applications. AWS Continuum launches with four agentic capabilities, aiming at the entire vulnerability lifecycle: penetration testing, code review, threat modelling, and code vulnerabilities. “Continuum is built on lessons learned from running security across AWS and Amazon.com”, claims Chet Kapoor, vice president of search, security, and observability at AWS. AWS launched penetration testing and code review capabilities as part of AWS Security Agent during AWS re:Invent 2025 https://aws.amazon.com/blogs/security/aws-launches-ai-enhanced-security-innovations-at-reinvent-2025/ . These capabilities allow teams to run penetration testing sessions, both on-demand and integrated into CI/CD workflows, and to execute on-demand code reviews of applications’ source code to identify security vulnerabilities and validate compliance with company standards. The threat-modelling capability allows developers to analyse applications’ architectures in order to identify security threats. It produces a system overview describing how the system is built and behaves, and a set of threats describing how the system could be attacked, each with a severity level, a STRIDE https://en.wikipedia.org/wiki/STRIDE model classification, and actionable recommendations. The code-vulnerabilities capability enables teams to streamline how they discover, prioritise, implement and monitor security vulnerabilities. According to the author, the service can reason over the company's full environment, including both structured and unstructured data, such as infrastructure, permissions, network topology, documents, company communications, and business priorities. It operates in four continuous phases: discovery, prioritisation, validation, and mitigation and remediation. The discovery phase evaluates a company's entire backlog and augments it with a scan of the whole environment. This creates a comprehensive list of vulnerabilities and associated attack paths that form the foundation for the next phase. In his keynote during the AWS Summit New York City 2026 https://www.youtube.com/watch?v=x0sXP4Lipqc , Kapoor shared that the team implemented this phase using a model-agnostic principle, allowing the service to adopt the latest models as soon as they are released. During the prioritisation and validation phases, the service promises to surface the most important vulnerabilities by validating whether the affected components are deployed and reachable, and assessing the business impact if those vulnerabilities were exploited. AWS claims that building fully functional exploit examples in a sandboxed environment can reduce the amount of false positives, providing real evidence of the issue. Finally, in the mitigation and remediation phase, the service recommends possible corrections for the validated vulnerabilities. These recommendations can include, for example, a network or a policy change, or a code patch. In this phase, the service can also provide visibility over the blast radius of the change and possible rollback strategies where feasible. According to the company, the capability operates using a graduated trust model. This allows security and product teams to choose the level of autonomy they are willing to delegate to the tool when analysing, remediating, and enforcing code vulnerabilities, based on user-defined categories and risk profiles. In a LinkedIn post https://www.linkedin.com/posts/theburningmonk aws-security-agent-is-a-perfectly-descriptive-activity-7474710346486751232-cMVR/ , Yan Cui https://www.linkedin.com/in/theburningmonk/ , AWS serverless hero, highlights how the newly launched capabilities overlap with services still available in the company’s portfolio. In his opinion, this risks creating more confusion in the community, which might not know which service to use on their applications. Only six months after its release, AWS Security Agent has been folded into another product line and rebranded as "Continuum pen testing" and "Continuum code scanning". But Security Agent still has its own product page, and the same capabilities still exist there. Just last week, they announced "Security Agent adds threat modelling, Kiro power and Claude Code plugin, and more". So now we have the same capabilities, two product names, and no clarity on which one you should use or whether they will diverge at some point. This is just confusing. AWS isn't the only company exploring the landscape of agentic security remediation for enterprises. Similar capabilities have already been introduced by competitors such as Google AI Threat Defense https://cloud.google.com/security/ai-threat-defense , and Microsoft's MDASH https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/?v=1 . While Google has prioritised a cloud-agnostic strategy to allow security scans on diverse cloud environments and applications, Microsoft and AWS have opted for more integrated architectures within their respective ecosystems. Penetration testing and code-review capabilities are already generally available with established pricing https://aws.amazon.com/security-agent/pricing/ , while others are still under development. The threat modelling is in preview, and the code-vulnerabilities capability is in gated preview. Users and companies interested in the code-vulnerabilities feature must sign up to request access.