Vulnerability Management
The vulnerability management module combines network scanning, CVE intelligence from multiple feeds, AI-powered triage, patch management, and remediation tracking into a single workflow.
Dashboard
The main dashboard (/) shows a real-time security posture overview:
| Metric | Description |
|---|---|
| Total Vulnerabilities | All open findings across all scanned platforms |
| Critical Vulnerabilities | Findings rated Critical severity |
| Dependencies Tracked | Software dependencies inventoried across platforms |
| Scan Coverage % | Percentage of registered platforms with recent scan data |
| Security Posture Score | Composite 0–100 score (green ≥80, amber ≥60, red below 60) |
| 30-Day Vulnerability Trend | Bar chart of daily vuln counts by severity |
| Platform Risk Scores | Per-platform risk score with color-coded bars |
A zero-day alert banner appears at the top when a newly disclosed CVE matches your tracked dependencies.
Network Scans
Navigate to Vulnerability Management → Network Scans.
Scan Types
| Type | Description |
|---|---|
| Full | Comprehensive scan of all hosts and services in the target range |
| Quick | Faster surface-level scan; good for daily coverage checks |
| Targeted | Specific hosts or IP range |
| Custom | User-defined scope and settings |
Creating a Scan
Click New Scan and provide:
| Field | Required | Description |
|---|---|---|
| Name | Yes | Descriptive name (e.g., "Acme Corp — Internal Network") |
| Description | No | Optional notes |
| Target Range | Yes | CIDR notation or hostname (e.g., 192.168.1.0/24, 10.0.0.0/8) |
| Scan Type | Yes | Full, Quick, Targeted, or Custom |
Scan Lifecycle
Pending → Running → Completed / Failed
Click Run Scan on any pending, completed, or failed scan to trigger a new execution. Running scans show a "Running..." indicator and cannot be re-triggered until they complete.
Vulnerability Library
Navigate to Vulnerabilities to see all findings across your scanned platforms.
CVE Intelligence Sources
Vulnerability data is enriched from four background collectors that run continuously:
| Source | Data Provided |
|---|---|
| NVD (NIST National Vulnerability Database) | CVE descriptions, CVSS scores, affected products |
| OSV (Open Source Vulnerabilities) | Open source package vulnerabilities |
| GHSA (GitHub Security Advisories) | Ecosystem-specific advisories for npm, PyPI, Go, etc. |
| KEV (CISA Known Exploited Vulnerabilities) | CVEs with confirmed real-world exploitation |
| EPSS | Exploit Prediction Scoring System probability scores (0–1) |
A CVE is cached at the global level once and reused across all tenants — NVD is not queried per customer.
Severity Levels
| Severity | CVSS Range |
|---|---|
| Critical | 9.0–10.0 |
| High | 7.0–8.9 |
| Medium | 4.0–6.9 |
| Low | 0.1–3.9 |
AI Vulnerability Triage
Navigate to Vulnerability Management → AI Triage.
The AI triage engine uses Claude to analyze vulnerabilities and produce:
| Output | Description |
|---|---|
| Executive Summary | Business-impact explanation in plain language |
| Technical Analysis | Detailed attack surface, prerequisites, and exploitation details |
| Remediation Steps | Specific, actionable fix instructions |
Triage Methods
Single triage — Enter a vulnerability ID and click Triage for immediate AI analysis of that specific finding.
Batch triage — Click Batch Triage to analyze all open vulnerabilities in the background. Results appear in the "Recent Triage Results" list.
Remediation Plan — Click Generate Remediation Plan to produce a prioritized, consolidated remediation roadmap across all open vulnerabilities.
Patch Management
Navigate to Vulnerability Management → Patch Management to track the status of patches for identified vulnerabilities. Patch approval workflow and deployment status are tracked per finding.
Remediation Tracking
Navigate to Vulnerability Management → Remediation to assign remediation tasks, set due dates, upload evidence, and track progress toward closure.
Vulnerability Exceptions
Navigate to Vulnerability Management → Exceptions to manage risk acceptances:
- Accept risk on a specific CVE for a defined period
- Document business justification
- Set expiry date (vulnerability is re-assessed after expiry)
- Exception lifecycle: Open → Expired → Re-assessed
Dependencies
Navigate to Dependencies to view all software packages and libraries inventoried from connected GitHub repositories, mapped to known CVEs.