Agentic Vulnerability Management Orchestrator
Zero Noise. Zero Delay. Zero Missed Patches.
By Solvent CyberSecurity | v1.0.0
VulnPilot AI sits above your existing vulnerability scanners (Tenable, Qualys, Rapid7, OpenVAS, Wazuh) and uses 5 AI agents with a patented Triple-Lock safety system to autonomously triage 10,000+ CVEs down to 15-25 actionable tickets with plain-English justifications.
It replaces the broken CVSS-only workflow with VPRS (VulnPilot Priority Risk Score), which combines EPSS exploit probability, CISA KEV status, dark web activity, asset criticality, and real-world threat intelligence into a single score that reflects actual risk.
The result: 85% noise elimination, 55% CVSS-vs-VPRS flips, and zero missed actively-exploited vulnerabilities.
CVSS prioritization is wrong 96% of the time. Only 2% of CVEs are ever exploited, but CVSS flags 53% as high/critical. Security teams drown in false urgency while real threats slip through.
CVE-2024-21887 CVSS 9.1 --> VPRS 12.0 (INFO) <-- NOISE: no exploit, no KEV
CVE-2024-3400 CVSS 7.5 --> VPRS 100.0 (CRITICAL) <-- REAL: in KEV, dark web, EPSS 0.97
VulnPilot fixes this by scoring what matters: is anyone actually exploiting it?
+---------------------------+
| VulnPilot Dashboard |
| (Single-page HTML + JS) |
+-------------+-------------+
|
+-------------v-------------+
| FastAPI Backend |
| 51 API endpoints |
+---+-----+-----+-----+----+
| | | |
+--------+ +-+--+ ++-+-+ ++-------+
| Agent 1 | |Ag 2| |Ag 3| | Ag 4/5 |
| Scoring | |Lock| |Drift| | Report |
+---------+ +----+ +-----+ +--------+
| |
+-----------+-----------+-----------+
| | | |
+----v---+ +----v----+ +---v----+ +----v----+
|Tenable | | Qualys | |Rapid7 | |OpenVAS |
|Wazuh | | Nessus | |Prowler | |Custodian|
+--------+ +---------+ +--------+ +---------+
Hybrid deployment: One codebase, two modes, switched by a single .env file.
LLM_PROVIDER=ollama-- Free local dev with Llama 3.3 ($0)LLM_PROVIDER=anthropic-- Production SaaS with Claude SonnetLLM_PROVIDER=openai-- Alternative with GPT-4o
VulnPilot never trusts a single AI model. Every score passes through three independent safety locks:
Lock 1 - Hard Rules (Code, not AI) Non-negotiable overrides that no AI model can bypass. CISA KEV = always Critical. Ransomware-linked = always Critical. EPSS > 0.7 = minimum High. These are enforced in code, not prompts.
Lock 2 - Adversarial Cross-Model Debate Two different AI providers (Claude + GPT-4o, or Claude + Ollama) independently score each CVE. If they disagree by more than 15 points, the CVE is flagged for human review. Neither model can see the other's reasoning.
Lock 3 - Drift Detector Background Celery tasks recheck threat intelligence every 1-6 hours (tiered by asset criticality). If EPSS spikes, KEV adds a CVE, or dark web mentions appear, the score auto-promotes and a new ticket is created without waiting for the next scan.
Vulnerability Scoring
- VPRS scoring engine with configurable weights
- EPSS, CVSS, KEV, dark web, asset tier, internet-facing, MITRE ATT&CK inputs
- Hard rule overrides (YAML-configurable)
- 85% noise elimination rate
Scanner Integrations (6 providers)
- Tenable.io -- multi-CVE, EPSS/VPR/CVSS4, circuit breaker
- Qualys VMDR -- QID-to-CVE KB lookup
- Rapid7 InsightVM -- v4 API with cursor pagination
- OpenVAS -- native GMP XML protocol
- Wazuh -- indexer-first with REST fallback
- Nessus file import -- .nessus XML parsing (air-gapped)
Cloud Compliance (Prowler + Custodian)
- Prowler integration -- 500+ checks, 39 frameworks (CIS, SOC2, HIPAA, PCI, NIST)
- OCSF v1.1 parser -- automatic JSON Lines parsing
- Cloud Custodian -- 5 built-in YAML policies + custom policy engine
- AWS asset inventory -- EC2, RDS, S3, Lambda, ELB via boto3
- Azure asset inventory -- VMs, Storage Accounts, SQL Servers via Azure SDK
- GCP asset inventory -- Compute Instances, GCS Buckets, Cloud SQL
- Demo mode with sample data (no cloud account needed)
Threat Intelligence (8 sources)
- EPSS -- batch API (30 CVEs per call)
- CISA KEV -- cached daily download
- NVD/NIST -- rate-limited with optional API key
- AlienVault OTX -- pulse-based enrichment
- GreyNoise -- scanning/noise detection
- abuse.ch -- ThreatFox + URLhaus (Auth-Key since June 2025)
- Dark web monitor -- Shodan CVEDB, Shodan Exploits, VulDB, Recorded Future, Flashpoint
- MITRE ATT&CK -- tactic/technique mapping
AI Providers (3 + local)
- Anthropic Claude Sonnet -- primary or challenger
- OpenAI GPT-4o -- cross-model debate partner
- Ollama (local) -- Llama 3.3, Mistral, CodeLlama ($0, air-gapped)
- Hot-swap between providers without restart
Ticket Systems (4 providers)
- ServiceNow -- incident creation with SLA tracking
- Jira Cloud -- issue creation with project assignment
- PagerDuty -- Events API v2 with dedup and auto-resolve (VPRS 90+ only)
- Console -- dev mode logging
Notifications (5 channels)
- Slack webhooks with VPRS badges
- Microsoft Teams adaptive cards
- Email (SMTP/STARTTLS)
- PagerDuty alerting
- Generic webhook (SIEM, SOAR, Zapier, n8n)
Reports and Exports
- Weekly/monthly trend reports (JSON + Markdown)
- Executive, technical, compliance, and board styles
- Cloud compliance CSV and Markdown exports
- Framework mapping: PCI DSS 4.0, NIST CSF, NIST 800-53, SOC2, ISO 27001, HIPAA, CISA BOD
Authentication and RBAC
- JWT-based authentication (PyJWT + bcrypt)
- Four roles: admin, analyst, viewer, api
- User management API (create, update, delete)
AUTH_ENABLED=falsefor development (default)AUTH_ENABLED=truefor production
Security (Defense-in-Depth)
- 4-layer guardrails: input filtering, output scanning, multi-turn escalation detection, RAG poisoning defense
- Jailbreak pattern detection (DAN, evil persona, grandma trick, prefix injection)
- System prompt extraction blocking
- No credentials in logs or API responses
git clone https://gitlab.com/solventcyber/vulnpilot-ai.git
cd vulnpilot-ai
cp .env.example .env
# Edit .env with your API keys
docker compose up -d
# Dashboard: http://localhost:8000
# API docs: http://localhost:8000/docs
# Setup: http://localhost:8000/setupgit clone https://gitlab.com/solventcyber/vulnpilot-ai.git
cd vulnpilot-ai
# Backend
cd backend
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
uvicorn vulnpilot.main:app --reload --port 8000
# In another terminal: Redis + PostgreSQL
docker compose up -d redis postgresdocker compose --profile local up -d
# This starts: backend + postgres + redis + ollama (auto-pulls llama3.3)
# No API keys needed. No internet required after first pull.Create a .env file in the project root. The setup page at /setup has a Quick Paste tab that generates this for you.
# AI Provider (pick one)
LLM_PROVIDER=anthropic # or: openai, ollama
ANTHROPIC_API_KEY=sk-ant-... # if using Claude
OPENAI_API_KEY=sk-... # if using GPT-4o
OLLAMA_URL=http://ollama:11434 # if using local (auto in Docker)SCANNER_PROVIDERS=tenable,cloud # comma-separated list
# Tenable.io
TENABLE_ACCESS_KEY=your-key
TENABLE_SECRET_KEY=your-secret
# Qualys
QUALYS_API_URL=https://qualysapi.qualys.com
QUALYS_USERNAME=user
QUALYS_PASSWORD=pass
# Rapid7
RAPID7_API_KEY=your-key
RAPID7_REGION=us
# Cloud Compliance
CLOUD_DEMO_MODE=true # default: sample data, no cloud needed
AWS_ACCESS_KEY_ID=AKIA... # for live AWS scans
AWS_SECRET_ACCESS_KEY=secret
AWS_DEFAULT_REGION=us-east-1TICKET_PROVIDER=servicenow # or: jira, pagerduty, console
# ServiceNow
SERVICENOW_INSTANCE=https://dev12345.service-now.com
SERVICENOW_USERNAME=admin
SERVICENOW_PASSWORD=pass
# Jira
JIRA_URL=https://your-org.atlassian.net
JIRA_EMAIL=you@company.com
JIRA_API_TOKEN=token
JIRA_PROJECT_KEY=SEC
# PagerDuty
PAGERDUTY_ROUTING_KEY=your-routing-keySLACK_WEBHOOK_URL=https://hooks.slack.com/services/T.../B.../xxx
TEAMS_WEBHOOK_URL=https://outlook.office.com/webhook/...
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=you@gmail.com
SMTP_PASSWORD=app-passwordAUTH_ENABLED=true
AUTH_SECRET_KEY=your-random-256bit-secret
AUTH_ADMIN_PASSWORD=strong-password
AUTH_TOKEN_EXPIRY_HOURS=8vulnpilot-ai/
|
|-- backend/
| |-- vulnpilot/
| | |-- agents/ # 5 AI agents (scoring pipeline, weekly reports)
| | |-- api/ # FastAPI routes (51 endpoints)
| | |-- auth/ # JWT authentication + RBAC middleware
| | |-- cloud/ # Prowler, OCSF parser, asset collectors, Custodian
| | |-- cmdb/ # Asset inventory (ServiceNow CMDB, CSV import)
| | |-- db/ # PostgreSQL session + migrations
| | |-- llm/ # Claude, GPT-4o, Ollama providers + factory
| | |-- reports/ # Report generation (PDF, Markdown, Excel)
| | |-- safety/ # Safety enforcement layer
| | |-- scanners/ # 6 scanner providers + resilience module
| | |-- scoring/ # VPRS engine + hard rules
| | |-- threatintel/ # 8 threat intel sources + parallel enrichment
| | |-- tickets/ # ServiceNow, Jira, PagerDuty, Console
| | |-- config.py # Pydantic settings
| | |-- demo_seed.py # Demo data seeder (47 CVEs + cloud findings)
| | |-- guardrails.py # 4-layer input/output security
| | |-- models.py # SQLAlchemy ORM (7 tables)
| | |-- tasks.py # Celery background tasks (drift, SLA, reports)
| | +-- main.py # FastAPI app entry point
| |-- requirements.txt
| +-- Dockerfile
|
|-- frontend/
| |-- index.html # Dashboard (single-page, 3,900 lines)
| +-- setup.html # Setup wizard (Quick Paste + Visual Setup + Docs)
|
|-- config/
| |-- hard_rules.yaml # Lock 1 override rules
| |-- sla_tiers.yaml # SLA deadlines by severity
| |-- vprs_weights.yaml # Scoring weight configuration
| +-- custodian/ # Cloud Custodian YAML policies
|
|-- data/
| |-- prowler_sample/ # Demo Prowler OCSF output (10 findings)
| +-- cmdb_assets.csv # Sample asset inventory
|
|-- alembic/ # Database migrations
|-- tests/ # Test suite (4 files, 1,135 lines)
|-- landing/ # Marketing landing page
|-- docs/ # Gap analysis + documentation
|-- docker-compose.yml # Full stack (7 services)
+-- .env.example # Template environment file
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/health |
Health check |
| GET | /api/v1/status |
Detailed system status with provider health |
| POST | /api/v1/score |
Score a single CVE |
| POST | /api/v1/batch |
Score multiple CVEs |
| GET | /api/v1/results |
Get all scored results |
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/v1/cloud/scan |
Trigger Prowler scan |
| GET | /api/v1/cloud/findings |
Parsed compliance findings |
| GET | /api/v1/cloud/summary |
Compliance percentage and breakdown |
| GET | /api/v1/cloud/assets |
Cloud asset inventory |
| GET | /api/v1/cloud/export/csv |
Export findings as CSV |
| GET | /api/v1/cloud/export/markdown |
Export findings as Markdown |
| POST | /api/v1/cloud/credentials/validate |
Validate cloud credentials |
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/v1/auth/login |
Get JWT token |
| GET | /api/v1/auth/me |
Current user info |
| POST | /api/v1/auth/register |
Create user (admin only) |
| GET | /api/v1/auth/users |
List users (admin only) |
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/v1/report/generate |
Generate report (weekly, monthly, compliance) |
| GET | /api/v1/report/compliance |
Compliance framework mapping |
Full API documentation available at /docs (Swagger UI) and /redoc (ReDoc).
PostgreSQL with SQLAlchemy ORM. 7 tables:
vulnerabilities-- all ingested CVEs with raw scanner dataassets-- asset inventory from CMDB/scannersvprs_scores-- VPRS scores with full audit trailtickets-- created tickets with SLA trackingaudit_log-- every scoring decision loggeddrift_events-- threat intel changes detected by Lock 3cloud_findings-- Prowler/Custodian compliance results
Migrations managed by Alembic:
alembic upgrade head# Run all tests
cd backend
pytest tests/ -v
# Run specific test modules
pytest tests/test_vprs.py -v # VPRS scoring tests
pytest tests/test_cloud.py -v # Cloud module tests (22 tests)
pytest tests/run_tests.py -v # Integration scenariosservices:
backend: FastAPI + Uvicorn (port 8000)
postgres: PostgreSQL 16 (port 5432)
redis: Redis 7 (port 6379)
celery: Background task worker
beat: Celery scheduler (drift, SLA, reports)
ollama: Local LLM (profile: local)
prowler: Cloud compliance scanner (profile: cloud)Start specific profiles:
# Standard (API keys required)
docker compose up -d
# Fully local with Ollama
docker compose --profile local up -d
# With cloud compliance scanning
docker compose --profile cloud up -d
# Everything
docker compose --profile local --profile cloud up -dcvss_base: 0.25
epss_score: 0.25
asset_criticality: 0.20
threat_intel: 0.15
environmental: 0.15rules:
- name: CISA KEV
condition: in_kev == true
action: set_critical
reason: "CISA Known Exploited Vulnerability - mandatory patch"
- name: Ransomware Linked
condition: ransomware_linked == true
action: set_critical
reason: "CVE linked to active ransomware campaigns"critical: 72 # hours
high: 168 # 7 days
medium: 720 # 30 days
low: 2160 # 90 days| Category | Integrations |
|---|---|
| Scanners | Tenable.io, Qualys VMDR, Rapid7 InsightVM, OpenVAS, Wazuh, Nessus File |
| Cloud | Prowler (AWS/Azure/GCP), Cloud Custodian, AWS Inventory, Azure Inventory, GCP Inventory |
| Threat Intel | EPSS, CISA KEV, NVD, OTX, GreyNoise, abuse.ch, MITRE ATT&CK |
| Dark Web | Shodan CVEDB, Shodan Exploits, VulDB, Recorded Future, Flashpoint |
| Tickets | ServiceNow, Jira Cloud, PagerDuty |
| Notifications | Slack, Teams, Email, PagerDuty Alerts, Generic Webhook |
| AI Providers | Claude, GPT-4o, Ollama |
| CMDB | ServiceNow CMDB, CSV Import |
- Backend: Python 3.12, FastAPI, SQLAlchemy, Celery, asyncio
- Database: PostgreSQL 16 with Alembic migrations
- Cache/Queue: Redis 7
- Frontend: Vanilla HTML/JS/CSS (zero dependencies, single-page)
- Auth: PyJWT, bcrypt (SHA-256 fallback for dev)
- Cloud: boto3, Azure SDK, GCP client libraries
- Compliance: Prowler, Cloud Custodian
- Container: Docker Compose with multi-profile support
Python files: 76
Python lines: 15,327
HTML lines: 7,445
API endpoints: 51
Test files: 4 (1,135 lines)
DB tables: 7
Total files: 103
VulnPilot maps every finding to industry frameworks:
- PCI DSS 4.0 (6.3.3 patching, 11.3.1 scanning)
- NIST CSF (ID.RA-1, RS.MI-3)
- NIST 800-53 (RA-5, SI-2)
- SOC 2 (CC7.1)
- ISO 27001 (A.12.6.1)
- HIPAA (164.312)
- CISA BOD 22-01 (KEV remediation)
- CIS Benchmarks (via Prowler, 39 frameworks)
- GDPR, FedRAMP, MITRE ATT&CK (via Prowler)
- Multi-tenant isolation with tenant-scoped database
- SSO/SAML integration (Okta, Azure AD)
- Real-time WebSocket dashboard updates
- Autonomous remediation playbooks (Ansible, Terraform)
- Mobile app (React Native)
- SOC 2 Type II certification for Solvent CyberSecurity
Proprietary. Copyright 2025 Solvent CyberSecurity LLC. All rights reserved.
- Company: Solvent CyberSecurity
- Author: Adil Eskintan