Mitigation Without Remediation: Rethinking Cloud Risk Resolution

Introduction to Cloud Security Challenges

Security teams today face a hard reality in modern cloud environments: not every vulnerability can be fixed right away. In fact, many can’t be fixed at all—at least not without breaking business-critical systems or waiting on another team’s backlog.

The Exposure We Can’t Always Fix

A growing body of research—and firsthand experience—shows that more than half of identified cloud risks go unremediated for extended periods. The reasons vary:

  • No patch is available yet
  • A code fix would break existing functionality
  • The change requires coordination with another team
  • Legacy infrastructure won’t support the upgrade

These are relatively common scenarios. And in each case, the longer a vulnerability stays open, the more time an attacker has to find and exploit it.

“Full remediation is always the ultimate goal,” says Snir Ben Shimol, CEO of ZEST Security. “But mitigation is a key piece to a robust cloud exposure management program—especially when full remediation can’t be implemented right away.”

Why Mitigation Matters

Traditionally, security posture has been defined by how quickly teams can identify, prioritize, and patch. But when patching isn’t an option, the focus shifts to limiting what an attacker can do.
This is where mitigation comes in. Think of it as a parallel track to remediation—not a replacement, but a way to reduce exposure today while working on a longer-term fix.
Mitigation strategies might include:

  • Using AWS Service Control Policies to block access to sensitive actions
  • Enforcing stricter guardrails around public exposure
  • Leveraging Web Application Firewalls to filter attack traffic
  • Disabling high-risk permissions or services on vulnerable resources

These options aren’t about perfect security. They’re about reducing exploitability. “Let’s take ransomware as an example,” Ben Shimol explains. “SCPs can be used to limit what an attacker is able to do, such as restricting the ability to delete or encrypt data. That buys valuable time and reduces risk while remediation efforts are underway.”

The Role of Agentic AI in Resolution

Manual mitigation is time-intensive and context-sensitive. Applying the wrong policy—or applying it in the wrong place—can break functionality or disrupt development workflows. That’s where automation and AI are starting to play a critical role.
AI-powered resolution engines now exist to analyze the environment, simulate changes, and recommend safe, high-impact actions. These systems, often built around specialized “agents,” can correlate CSPM findings and vulnerability scans to a range of viable resolutions—including both code fixes and mitigation pathways.

Ben Shimol describes ZEST’s approach as a network of AI agents “each designed to handle specific remediation tasks,” including agents that focus on mitigation using native cloud controls. “Our agents simulate every fix, mitigation, etc., on a digital twin of your environment, recursively validating the outcome before suggesting changes.”

Why SCPs Are Gaining Attention

AWS Service Control Policies are not new, but they’ve historically been viewed as administrative guardrails—static controls for limiting service access across accounts.
What’s changed is the realization that SCPs can also be dynamic mitigation tools. They can be used to enforce least privilege, restrict destructive actions, and isolate misconfigured services—all without requiring code changes.
When used with precision and context, SCPs can help prevent key stages of an attack, including:

  • Unauthorized reconnaissance
  • Privilege escalation
  • Data exfiltration or encryption

Skeptics sometimes view SCPs as blunt instruments, but that perception is shifting. When properly scoped and validated, they can offer a reliable, reversible, and low-friction way to reduce risk.
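The ransomware example above and the “restrict destructive actions” point in this section both come down to the same mechanism: an SCP Deny statement that overrides whatever an identity policy allows. The following is an added example, not code from the article or from ZEST, of what such a guardrail looks like and how to dry-run it before attaching it. The policy document, the role ARN pattern, the account ID (AWS’s documentation placeholder) and the helper names are all assumptions made here; the evaluator models only the subset of IAM semantics it needs (explicit Deny wins, wildcard action matching, an ArnNotLike exemption for a break-glass role) and ignores Resource matching.

```python
"""Model an AWS SCP deny guardrail and dry-run requests against it.

Added illustration (not the article's or ZEST's code). The evaluation logic is a
deliberate simplification of IAM policy evaluation: a matching Deny blocks the
call; anything else is left to identity and resource policies.
"""
import fnmatch
import json

# Constructed example SCP: denies the S3 and KMS actions a ransomware-style
# intrusion relies on (deleting data, suspending versioning, scheduling key
# deletion) while exempting a placeholder break-glass role so the control
# stays reversible. 111122223333 is AWS's documentation placeholder account.
RANSOMWARE_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDestructiveStorageAndKeyActions",
            "Effect": "Deny",
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutBucketVersioning",
                "s3:PutLifecycleConfiguration",
                "kms:ScheduleKeyDeletion",
                "kms:DisableKey",
            ],
            "Resource": "*",
            "Condition": {
                # Placeholder break-glass role pattern (assumption, not a real role).
                "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/BreakGlass-*"}
            },
        }
    ],
}

SCP_MAX_CHARS = 5120  # AWS Organizations limit on an SCP document


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value, ignore_case=False):
    """IAM-style '*' and '?' matching, approximated with fnmatch."""
    patterns = _as_list(patterns)
    if ignore_case:  # IAM action names are case-insensitive
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, principal_arn):
    """Evaluate the small subset of condition operators this model supports."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, pattern in pairs.items():
            if key != "aws:PrincipalArn":
                raise ValueError(f"unsupported condition key: {key}")
            matched = _matches(pattern, principal_arn)
            if operator == "ArnNotLike" and matched:
                return False
            if operator == "ArnLike" and not matched:
                return False
    return True


def blocked_by_scp(action, principal_arn, scp=RANSOMWARE_GUARDRAIL_SCP):
    """True when an explicit Deny in the SCP matches the request.

    An SCP Deny overrides any Allow, so a match blocks the call regardless of
    the principal's IAM permissions. False only means the SCP does not block it.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches(stmt.get("Action", []), action, ignore_case=True):
            continue
        if not _condition_holds(stmt.get("Condition", {}), principal_arn):
            continue
        return True
    return False


def validate_scp(scp):
    """Pre-flight checks before attaching the policy; returns a list of problems."""
    problems = []
    if scp.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for i, stmt in enumerate(scp.get("Statement", [])):
        for field in ("Effect", "Action", "Resource"):
            if field not in stmt:
                problems.append(f"statement {i} missing {field}")
        if stmt.get("Effect") == "Deny" and "Condition" not in stmt:
            problems.append(f"statement {i}: Deny without a break-glass exemption")
    if len(json.dumps(scp)) > SCP_MAX_CHARS:
        problems.append("document exceeds the SCP size limit")
    return problems


def audit(requests, scp=RANSOMWARE_GUARDRAIL_SCP):
    """Dry-run (action, principal_arn) pairs; returns the ones the SCP would block."""
    return [(a, p) for a, p in requests if blocked_by_scp(a, p, scp)]


if __name__ == "__main__":
    # Constructed sample requests: an application role and the break-glass role.
    sample = [
        ("s3:DeleteObjectVersion", "arn:aws:iam::111122223333:role/app-role"),
        ("s3:GetObject", "arn:aws:iam::111122223333:role/app-role"),
        ("kms:ScheduleKeyDeletion", "arn:aws:iam::111122223333:role/BreakGlass-ops"),
    ]
    print("validation problems:", validate_scp(RANSOMWARE_GUARDRAIL_SCP))
    for action, arn in audit(sample):
        print("blocked:", action, arn)
```

Once the dry-run matches expectations, the document would be created with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and attached to a sandbox OU with `aws organizations attach-policy` before wider rollout. Two caveats a practitioner should keep in mind: SCPs never apply to the organization’s management account or to service-linked roles, so they cannot be the only control, and the deny here is intentionally exempting a narrow break-glass pattern so that the mitigation remains reversible when the real fix lands.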

The Bigger Shift

Most CSPM tools and vulnerability scanners end at detection and alerting. The burden then falls on security teams to decide what to do next—and to negotiate with DevOps, engineering, or IT to implement a fix.
Mitigation pathways provide a way to break that cycle. They empower security teams to act immediately, using cloud-native controls to reduce the attack surface while waiting on the rest of the system to catch up.
ZEST Security announced it is adding AWS Service Control Policies as a core mitigation pathway in its cloud risk resolution platform. ZEST’s approach treats SCPs as real-time controls to prevent key stages of an attack—such as reconnaissance, privilege escalation, or data encryption—even when the underlying vulnerability remains unresolved.
The move highlights a broader industry trend: building smarter tooling that can help security teams take meaningful action—without having to wait for the perfect fix.
“ZEST gives security teams options,” says Ben Shimol. “We provide resolution pathways aligned to groups of related risks, offering both remediation and mitigation options—so teams can choose the best way forward based on their unique circumstances.”

Looking Ahead

As cloud complexity grows, so does the gap between risk discovery and resolution. Agentic AI systems and proactive mitigation strategies are closing that gap—not by eliminating every vulnerability, but by reducing the chances it can be used against you.
Mitigation isn’t a detour from security best practices. It’s a way to stay in the fight when perfection isn’t possible.

Conclusion

Security teams face significant challenges in addressing cloud vulnerabilities, but mitigation strategies and tools like AWS Service Control Policies offer a viable way forward. By leveraging these tools and adopting a proactive approach to security, organizations can reduce their risk exposure and stay ahead of potential threats.

FAQs

  • What are the common reasons for unremediated cloud risks?
    • No patch is available yet, a code fix would break existing functionality, the change requires coordination with another team, or legacy infrastructure won’t support the upgrade.
  • What is mitigation in cloud security?
    • Mitigation is a parallel track to remediation, focusing on limiting what an attacker can do when patching isn’t an option.
  • How can AWS Service Control Policies be used for mitigation?
    • SCPs can be used to block access to sensitive actions, enforce least privilege, restrict destructive actions, and isolate misconfigured services.
  • What role does Agentic AI play in cloud security resolution?
    • Agentic AI systems can analyze the environment, simulate changes, and recommend safe, high-impact actions, including both code fixes and mitigation pathways.