Gomboc Expands Beyond IaC with ORL to Deliver Deterministic Remediation Across Cloud and Code
New Open Remediation Language powers automated, policy-aligned fixes across cloud and code via merge-ready pull requests
Gomboc announced ORL (Open Remediation Language), now generally available, extending its deterministic remediation platform beyond Infrastructure-as-Code (IaC) to automate policy-aligned fixes across cloud configuration, application code, and dependencies.
Since launch, Gomboc has focused on solving one of cloud security’s hardest problems: automatically fixing Infrastructure-as-Code in a way that is predictable, auditable, and safe for production. With ORL, that same deterministic remediation capability now extends to additional cloud and application surfaces such as dependencies and configuration, addressing a wider class of cloud and code-based vulnerabilities.
Why Now
Generative and agentic AI tools are increasingly being used to propose and even apply changes to production systems. But enterprises face a new challenge: how to execute automated remediation at scale in a way they can trust.
“AI that suggests a fix is not the same as AI that executes safely in production,” said Matthew Sweeney, Co-Founder and CTO, Gomboc AI. “The industry is moving quickly toward automated change. The real question is whether those changes are deterministic, policy-aligned, and repeatable across an enterprise. That is the problem ORL was built to solve.”
As organizations pilot AI-driven code repair and security remediation, they’re seeing the risks firsthand: incomplete fixes, inconsistent behavior, and weak policy alignment. Enterprises need deterministic execution, not probabilistic suggestions.
From IaC to Enterprise-Wide Remediation
Gomboc was built to automate deterministic code remediation. IaC was the starting point because it’s high-impact and notoriously difficult to fix safely at scale.
With ORL, Gomboc generalizes that capability to fix code in over 35 languages.
ORL is a domain-specific language that turns security and compliance policy intent into deterministic code transformations. It enables Gomboc to:
- Detect policy violations with syntax-aware precision
- Generate repeatable, standards-aligned fixes
- Apply transformations safely across large codebases
- Validate outcomes to ensure consistent results
Unlike brittle pattern matching or probabilistic AI outputs, ORL uses explicit rule logic and controlled execution boundaries. The same input produces the same output change set, making large-scale remediation predictable and reviewable.
Deterministic AI as the Execution Layer
ORL bridges two worlds, connecting generative AI reasoning and production-safe execution.
While large language models can assist with reasoning and detection, ORL anchors remediation in a deterministic execution layer. Teams define policies as rules, ORL evaluates them, and Gomboc applies governed, repeatable changes. Fixes are delivered as merge-ready pull requests through existing Git and CI/CD workflows.
This approach ensures that remediation is:
- Deterministic
- Scalable across teams and repositories
- Aligned to organizational policies
- Auditable and explainable
Real-World Expansion Beyond IaC
Gomboc is highlighting a Log4Shell case study that shows how deterministic remediation extends beyond IaC into dependency and configuration changes. In under 24 hours, the team implemented more than 20 rules to cover multiple Java dependency management patterns, applying both version upgrades and mitigation changes.
The result: the same execution machinery that powers IaC remediation scaled to a different ecosystem without sacrificing policy alignment or repeatability. As autonomous code-fixing tools gain momentum, enterprises are asking the same question: can automated remediation be trusted in production? ORL answers with governed, deterministic execution that behaves predictably across runs.