Kai at Work: A Day in the Life of an AI AppSec Engineer

Problem: AppSec Work Breaks Down at the “So What?”

Most security tools can tell you what exists. Fewer can tell you what matters in your environment, right now. AppSec teams are under pressure as volume rises, headcount stays flat and teams need more than CVSS, rather towards contextual exploitability. That gap shows up the same way every day:

• Triage starts with noise.
• Prioritization defaults to severity labels.
• Headline CVEs trigger research marathons and fire-drills.
• Translating findings into developer-ready work becomes growing tech. debt.

Kai’s job is to close that gap operationally: turn findings into decisions and decisions into actionable work, without turning AppSec into a constant context-switching exercise.

Where Kai Fits In

Kai enhances the usability of Kodem CORE, Kodem's contextual observability and remediation engine. By sitting on top of the engine, Kai enables teams to ask plain-language questions and receive answers based on the real-world context of their environment, correlating signals across code, packages, containers and runtime.

Kai incorporates robust, enterprise-level security. Operating within a secure, isolated environment, featuring strong tenant isolation that strictly prohibits cross-tenant data access. Furthermore, your data and prompts are guaranteed not to be used for training any public AI models.

You interact with Kai in two ways:

• Ask Kai: A chat pane inside Kodem for natural-language questions scoped to what you’re viewing, whether that’s an issue, an application, or overall posture.
• Kai-assisted workflows: Embedded help directly in key flows, such as prioritization, investigation and remediation, so triage starts from clearer signal instead of a wall of alert.

A Day with Kai: Five Real Scenarios

Use Case 1: A New CVE Lands “Are We Actually Affected?”

This is the moment every AppSec team recognizes. A high-profile vulnerability hits your feed. Leadership asks for an answer. Customers ask for reassurance. Engineers ask for confirmation.

Ask Kai:

• Do we currently have any instances of CVE-2025-55182 (React2Shell) in our environment? If so, what is impacted? 
• Do we have any exposure related to the Shai Hulud 2.0 npm supply chain attack? If so, which repositories / images include the affected packages?

Optionally, enable Web Search to have Kai correlate the response with your environment’s context, including runtime evidence and enrich it with trusted public sources such as NVD, CISA, KEV and more. Kai cites the sources used, so the response stays verifiable.

Kai responds with what teams actually need:

• Whether the vulnerability exists in your environment.
• Where it exists.
• What to do next.
  

Asking Kai if React2Shell is present in the environment

Use Case 2: Triage Without The Noise

The initial chaos has subsided. You are faced with over 200 new findings from the overnight builds and a familiar level of uncertainty. Rather than manually clicking through every issue, Kai delivers a preliminary analysis directly in the Triage Issues page.

Ask Kai: 

• What should I prioritize from last night's scan results?

Kai flags individual occurrences as Confirmed or Likely False-Positive, with reasoning so triage starts from signal instead of noise. Teams can immediately label, dismiss or convert validated issues to tickets without rebuilding context in another tool.

Use Case 3: From Insight to a Concrete Fix

Knowing you’re exposed is not the same as knowing what to do next. This is where teams usually burn time:

• Finding the safest upgrade path.
• Understanding blast radius.
• Deciding what’s “smallest safe change” versus a risky refactor.
• Translating the plan into developer-ready work.

Kai is strongest when it turns investigation into a concrete next step:

• What to change.
• Where to change it.
• Whether the fix resolves the issue entirely.
• What to verify after shipping.
  

How can I fix code issues with Kai?
If Jira is connected, Kai can draft a Jira ticket from the investigation context and suggest an assignee based on repository contribution. The ticket includes a developer-ready summary, affected components, the recommended change(s) and links to relevant Kodem issues.

Use Case 4: Guardrails Developers Can Live With

AppSec often shifts from response to prevention: tuning repository guardrails that reduce risk without blocking delivery. SCM policies can enforce scans and apply protection and suppression conditions that reflect intent:

• Block merges when a new confirmed high-impact risk is introduced.
• Warn on recurring noise when contextual evidence supports a likely false-positive, so the same low-value alerts do not resurface every scan.

Use Case 5: Explaining Risk Without Starting From A Blank Page

When it comes to status updates, Kai helps teams generate clear, grounded summaries, so updates reflect what is true in the environment rather than a stitched-together narrative from multiple dashboards:

• Can you explain my posture score?
• Summarize our current exposure in one paragraph.
• Can you summarize the state of my runtime risks?

What Changes When Kai Is in the Loop

By day’s end, the transformation is not “more AI,” it’s operational clarity:

• Less time sorting and more time acting.
• Faster answers to headline risk with proof you can share.
• Remediation that’s shippable, not theoretical (Verified by Kodem Research Team).
• Guardrails that scale across teams without constant escalation.
• Clearer communication, because you’re not rebuilding context from scratch

Kai’s role is simple: be the extra pair of hands AppSec teams need, always on, always in context and always ready for the question that matters most: “What do we do next?”