Agentic Security in Action: Insights from 500 Real Cycode Maestro Conversations

user profileexternal writer image
Head of AI, Product Marketing Manager

The second installment of our Cycode Maestro data series, with more conversations, more tenants, and a clearer picture of how agentic security actually gets used in the wild.

When we published our analysis of the first 100 Cycode Maestro conversations, the goal was simple: look at the raw requests from a handful of early adopters, resist the urge to editorialize, and let security practitioners tell us what they actually needed from an AI agent.

The use cases surprised us, and the insights fascinated us. So we kept going.

Since that initial analysis, adoption of Maestro has exploded 750%. For this article, we analyzed 500 recent Maestro conversations across nearly 50 organizations. The data has gotten richer. Some patterns have gotten sharper. And creative use cases continue to emerge.

Maestro Stats

What the numbers show

Before we highlight some of the more interesting use cases, a few top-line numbers are worth understanding.

Maestro adoption accelerated. The customer base has grown 7.5X since the initial analysis. That’s not just more users. It’s a broader distribution of organizations at different maturity levels, asking meaningfully different questions.

Conversations are getting more complex. The average response Maestro generates runs over 1,500 characters. Nearly a quarter of all responses exceed 2,000 characters. These aren’t lookup queries. Teams are having extended working sessions: building custom queries across multiple back-and-forth answers and responses, iterating on remediation strategies, tracking an active exploit response thread from initial alert to final assessment.

adadad

Maestro is one piece of a larger Cycode AI picture. Looking at Cycode AI usage more broadly (across Maestro conversations, the Exploitability Agent, AI Remediation, the Graph Agent, and Risk Score Explainer), Maestro accounts for roughly 29% of sessions. The Exploitability Agent is close behind at 27%. That distribution matters: when security teams adopt Cycode AI, they don’t land on one agent or interface and stop. They spread across the suite. We also see where different use cases trend toward different user experiences. For example, exploitability analysis accounts for 16% of Maestro conversations; however, most exploitability analysis is done by explicitly invoking the agent, while other use cases lend themselves to extended back-and-forth conversations.

Cycode AI Donut Chart

What security teams ask Cycode Maestro

We categorized 500 conversations by the type of questions being asked and work being done. Overall, the time savings are significant. We mapped each substantive request to estimates for the equivalent manual task to estimate almost 235 hours saved. Here’s what the breakdown looks like:

Maestro task breakdown

A few things jump out.

The single largest category, platform guidance and how-to questions at 19% of all conversations, tells us something important about how user behavior is shifting with AI. Instead of reading documentation, users are asking the tool. Maestro fields “How do I configure this,” “Where do I find that setting,” and “Does Cycode support X” questions that would otherwise require a search of documentation or a message to customer success. We saw this pattern with early adopters and responded to it by building a dedicated documentation agent to handle this class of questions more effectively. We’re also exploring ways for users to perform platform actions via Maestro. That’s what a feedback loop looks like in practice.

Exploitability analysis and CVE research account for 80 conversations (16%), the second-largest category and the largest single cluster of security-specific work in the dataset. We combined CVE research and exploitability analysis because the data shows vulnerability analysis rarely exists in isolation: a CVE lands, a team asks whether they’re affected, and the conversation pivots immediately into exploitability analysis against their specific environment. They’re complementary steps in a single investigation.

Context Intelligence Graph (CIG) query building comes in third at 15%. These aren’t quick lookups. Teams are building useful CIG queries that join across repositories, CI/CD pipelines, and policy definitions via natural language conversations, iterating in real time, and saving the results as new detection policies.

Three Cycode Maestro use cases worth highlighting

The aggregate data tells one story. Individual conversations tell another. Here are three that illustrate what “agentic security” actually looks like in practice.

1. Executing an agentic triaging and remediation strategy

“We have a lot of vulnerabilities. Where do we start?”

This is one of the most common questions and the hardest to answer. It is particularly relevant given the advent of frontier AI, Mythos, and the impending influx of vulnerabilities. Prioritizing by severity is archaic. A CVSS 10 vulnerability in an archived repo you haven’t touched in two years is not your problem. A CVSS 7 vulnerability in an internet-exposed service with a known public exploit is.

One team came to Maestro sitting on over 11,000 open SCA violations. They needed a strategy to triage and fix what mattered quickly.

Maestro surfaced the subset of violations where severity was critical or high, the application was publicly exposed, and a working exploit existed in the wild. It distilled all the data into three repositories that they needed to prioritize on first. Then, in the same session, the team asked Maestro to analyze the exploitability of violations. The verdict: multiple findings mitigated by upstream security layers that prevented a real attack path.

That’s the difference between scanning and agentic security. A scanner creates a list of alerts. An agent analyzes those alerts in context to focus human effort where it matters most.

2. Responding to supply chain attacks in real time

It is the increasingly common scenario security teams dread: a critical supply chain attack lands. You have no idea how many or which of your repos are affected. You don’t have time to run a manual inventory across your dependency graph, let alone extend it to container images.

Within hours of a recent attack becoming public, multiple security teams came to Maestro with the same urgent question: Are we affected?

In each case, Maestro searched across connected repositories, identified the specific package versions in use, checked archived repos separately, and returned a clear verdict. Not reassurance, but evidence: repository names, manifest file locations, and version numbers. When one team flagged that a newer version was also being reported as vulnerable, Maestro re-ran the analysis against the updated version range and confirmed the status. Teams extended the query to cover container images as well, confirming coverage across both their code and runtime layers.

This is the exploit-response workflow that used to take all day: inventory the exposure, cross-reference the CVE, confirm or rule out exploitability, find owners, assign tasks, and report. A single Maestro conversation jumpstarts that process.

3. Building a custom compliance query and saving it as a policy

One team needed a query that would identify repositories in a specific organizational unit using GitHub Actions from non-approved sources, filtered to a particular build environment, mapped to a compliance control identifier, and named in a way their compliance team could reference in audit documentation.

This is the kind of request that typically gets routed to a platform engineer and sits in a backlog for two weeks.

In a single working session, the team described their requirements in plain language, iterated on the query structure to also flag unpinned SHA references, reviewed the final query, and saved it as a persistent policy check that now runs continuously.

adadad

What’s next for Maestro

One thing this data makes clear: conversational security investigation is a genuinely useful mode of work. The multi-turn threads in this data, where teams iterate on a query, refine a scope, and ask follow-up questions about a specific violation, are a strong signal that Maestro works well for open-ended exploration and incident response flows where the path isn’t fully known in advance.

But some security work doesn’t need a conversation. It needs immediate action.

The step from “Maestro can answer this question when asked” to “Maestro automatically runs this workflow when a condition is met” is the natural next step for agentic security. Teams that are already using Maestro conversationally are starting to ask: Can this be triggered automatically when a new critical violation appears? Can it run as part of an onboarding flow? Can it fire when an exploit drops?

The timing of that question matters. As frontier AI models like Claude Mythos and Fable 5 are made available, their abilities to discover and exploit previously unknown vulnerabilities create a daunting security challenge. When the first wave of disclosures goes public, it will produce a vulnerability backlog that teams will struggle to absorb as the pace of vulnerability discovery accelerates further and time to exploit continues to shrink.

Responding to the new AI threat landscape requires agentic security. When a frontier AI model discloses a batch of high-severity vulnerabilities, security teams need to immediately identify affected repositories, assess exploitability in context, prioritize the highest-risk findings, analyze upgrade impact, and begin remediation with minimal human dependencies or bottlenecks. That’s the automation we’re building toward: Maestro embedded in security pipelines so that agents act automatically at the right moment, grounded in the right context.

We’ll have more to share on this soon, and we expect it will significantly change usage patterns. The conversational interface will always have a place for investigations that require judgment. But for high-velocity, high-volume threat environments like the one frontier AI models create, the biggest gains could come from Maestro acting before it’s asked.

Security at AI speed is not just about moving faster. It’s about focusing human effort on things that require human judgment, and having agents handle the rest. The conversations in this dataset are a map of where that line is being drawn, right now, by real security teams.

Want to see Maestro in action within your own environment? Request a demo.