baseline

A variant of Vulnerability Management Platform.

View the interactive variant page →

Vulnerability Management Platform

Part of the worlds-biggest-software-project initiative.

An AI-native, open-source vulnerability management platform that unifies asset discovery, scan orchestration, and risk-based prioritisation around modern signals like EPSS and attacker-path modelling.

This project aims to deliver a credible alternative to the proprietary vulnerability management stacks (Qualys, Tenable, Rapid7, Wiz, Microsoft Defender VM) that dominate the market today. It is built for vulnerability management programme managers, CISOs, DevSecOps leads, and GRC teams who need continuous, risk-ranked visibility across on-prem, cloud, and container assets without per-asset pricing that scales steeply at enterprise size.


Why Vulnerability Management Platform?

  • Incumbent per-asset subscriptions (Qualys, Tenable, Rapid7) scale steeply at large estate sizes, pushing mid-market and large enterprises toward multi-year enterprise agreements with limited negotiating leverage.
  • Open-source alternatives such as OpenVAS / Greenbone have no licensing cost but lack a risk prioritisation engine, suffer from high false-positive rates, and offer no remediation workflow integration.
  • CVSS-only prioritisation is widely recognised as inefficient; EPSS adoption is accelerating but few platforms make it the primary ranking signal.
  • NIST's April 2026 NVD enrichment policy change limits enrichment to KEV and other priority CVEs, creating dependency risk for platforms that rely on NVD alone and an opening for tools that build independent threat intelligence pipelines.
  • No surveyed solution combines LLM-generated remediation guidance, predictive exploitation forecasting, and autonomous ticket lifecycle management in a single open-source platform.

Key Features

Scanning & Asset Discovery

  • Vulnerability scanning across network and cloud workload assets
  • Asset discovery and inventory management across on-prem, cloud, and containers
  • Container and cloud-native workload scanning for AWS, Azure, and GCP
  • Agentless cloud scanning to reduce operational footprint

Risk Prioritisation

  • CVSS-based scoring as a baseline severity signal
  • EPSS integration for exploitation-probability-driven ranking
  • Combined prioritisation using EPSS, threat intelligence, and asset criticality
  • Attacker-path modelling to surface vulnerabilities on likely lateral-movement chains

Remediation Workflow

  • REST API for ticketing and SOAR integration
  • Connectors for JIRA, ServiceNow, and similar ITSM platforms
  • Patch management or infrastructure-as-code remediation guidance
  • CI/CD pipeline integration for DevSecOps workflows

Compliance & Reporting

  • Compliance reporting for PCI DSS, HIPAA, and ISO 27001
  • Dashboard with drill-down investigation capabilities
  • Real-time alerting via webhooks and email
  • Comparative risk benchmarking across environments

AI-Augmented Capabilities (Roadmap)

  • Natural-language remediation guidance generated by LLMs
  • Predictive CVE exploitation forecasting
  • Autonomous ticket lifecycle management via AI agents
  • Vulnerability-to-compliance control mapping automation

AI-Native Advantage

AI correlates vulnerability severity, asset criticality, network exposure, and real-time EPSS scores to produce a continuously self-updating remediation queue, replacing manual triage spreadsheets. LLM-based remediation guidance generates step-by-step patching instructions or infrastructure-as-code fixes tailored to the specific asset configuration. Graph-based modelling of attacker lateral movement paths prioritises vulnerabilities that lie on likely attack chains to critical assets, while predictive models trained on historical exploitation patterns flag newly published CVEs likely to be weaponised within days, enabling proactive patching before KEV listing.


Tech Stack & Deployment

The platform targets self-hosted, cloud, and hybrid deployment to match the deployment flexibility found in Tenable.sc / Tenable.io and to address gaps where cloud-native-only tools (Wiz, CyCognito) cannot reach on-prem assets. Integrations are exposed via a REST API with webhook-driven alerting, and connectors are planned for major cloud providers (AWS, Azure, GCP), container registries, ticketing systems (JIRA, ServiceNow), and CI/CD platforms (GitLab, GitHub Actions, Jenkins). The architecture aligns with established standards: CVE for vulnerability identification, CVSS v4.0 for severity, EPSS for exploitation probability, CISA KEV for known-exploited tracking, and the requirements of CIS Controls v8 (Control 7) and ISO/IEC 27001:2022 Annex A 8.8.


Market Context

The global security and vulnerability management market is estimated at USD 17–21 billion in 2026, with projections of USD 24–49 billion by 2031–2035 depending on scope, and CAGRs in the 6–10% range. Per-asset subscription pricing is the norm: Tenable and Qualys charge roughly USD 20–35 per asset per year at mid-market scale, while Wiz uses consumption-based pricing. Primary buyers are vulnerability management programme managers at mid-to-large enterprises, CISOs seeking board-level risk reporting, DevSecOps leads integrating scanning into CI/CD, and GRC teams sourcing compliance evidence.


Project Status

This project is in the research and specification phase.
Contributions, feedback, and domain expertise are welcome.


Contributing

We welcome contributions from developers, domain experts, and potential users. See CONTRIBUTING.md for guidelines.

Important: All contributions must be your own original work or clearly attributed open-source material with a compatible licence. Copyright infringement and licence violations will not be tolerated and will result in immediate removal of the offending contribution. If you are unsure whether a piece of code, text, or other material is safe to contribute, open an issue and ask before submitting.


Licence

Licence to be determined. See discussion for context.