What is CVERiskPilot?

CVERiskPilot is a cybersecurity intelligence company building purpose-built vulnerability decision models. The platform ingests scanner results, enriches findings with EPSS and CISA KEV data, classifies them with a purpose-built triage model, and maps findings to 13 compliance frameworks including NIST 800-53, SOC 2, CMMC, FedRAMP, HIPAA, PCI DSS, ISO 27001, NIST CSF 2.0, EU CRA, NIS2, ASVS, SSDF, and GDPR.

How does CVERiskPilot map vulnerabilities to compliance controls?

CVERiskPilot uses a CWE-to-compliance bridge architecture: each vulnerability is tagged with CWE IDs, which map to NIST 800-53 controls via 80+ documented mappings. NIST 800-53 acts as the canonical hub, bridging to SOC 2, CMMC, FedRAMP, HIPAA, PCI DSS, ISO 27001, NIST CSF 2.0, EU CRA, NIS2, GDPR, ASVS, and SSDF — 300+ controls total across 13 frameworks.

What is the Pipeline Compliance Scanner?

The Pipeline Compliance Scanner (@cveriskpilot/scan) is a free, zero-dependency CLI that scans your codebase for vulnerable dependencies, hardcoded secrets, and IaC misconfigurations. Free scans map to the core 6 frameworks, while paid tiers unlock the full 13-framework catalog. Run it with: npx @cveriskpilot/scan@latest --preset startup

Is CVERiskPilot suitable for government and DoD teams?

Yes. CVERiskPilot is built by a 100% Veteran Owned, Texas-registered LLC. The current platform supports FedRAMP-style POAM generation, NIST 800-53 mapping, and CMMC Level 2 self-assessment workflows, with presets designed for federal and defense teams.

Is my vulnerability data safe when CVERiskPilot uses AI?

Yes. PII (IP addresses, hostnames, usernames, API keys) is redacted before external AI calls. Uploaded scan artifacts are not used for cross-tenant model training by default, and AI feedback context is scoped to your organization. A local/private Corvus runtime path is on the roadmap for customers that require stricter data boundaries.

What AI model does CVERiskPilot use?

CVERiskPilot uses guarded external AI today for explicit chat, triage, query, summary, and remediation workflows. Corvus is the private-runtime path for routine triage once serving infrastructure, health checks, and benchmark gates are live. Buyer-facing model-quality claims are gated by repo-tracked evidence.

How much does CVERiskPilot cost?

CVERiskPilot currently exposes two public plans: Free ($0 — 25 chatbot messages and 50 triage calls/month) and Pro ($149/month — unlimited chatbot messages, 1,000 triage calls, all 13 frameworks, scheduled reports, and export-ready workflows). The public Pro path currently starts with a 14-day trial. Additional tiers remain in the pipeline but are hidden from the active public UI.

Controlled alpha

The intelligence layer between your scanners and your auditors.

Every finding mapped to 13 compliance frameworks, classified by a purpose-built AI triage model, and shipped as audit-ready POAMs and evidence — in minutes, not weeks.

Start 14-day Pro trial Get started free

No credit card required · 14-day trial · Cancel anytime

Dashboard

Critical findings

KEV-listed

Frameworks mapped

Audit-ready evidence

CRITICALCVE-2026-1234Prototype Pollution in lodash

NIST SI-2

HIGHCWE-798Hard-coded credentials in config.ts

SOC 2 CC6.1

HIGHCWE-79XSS in user input handler

CMMC SI.L2

Scanner formats

Nessus, SARIF, CycloneDX, Qualys, OpenVAS, SPDX, OSV, CSAF, CSV, JSON, XLSX

Compliance frameworks

NIST 800-53, CMMC, SOC 2, FedRAMP, HIPAA, PCI DSS, ISO 27001 + 6 more

AI deployment roadmap

Guarded cloud AI today; private cloud and air-gapped Corvus paths next

100%

Veteran-owned

SDVOSB-eligible for defense and government contracts

Live Walkthrough

See CVERiskPilot in action

A 90-second tour of the live workspace — dashboard, CVE triage with model-routed AI, compliance mapping across 13 frameworks, and audit-ready reports. No mockups, no stock footage.

cveriskpilot.com/demoLive capture · demo@cveriskpilot.com

Recorded against the live demo workspace — AI responses are tagged with the model path that generated them.

Purpose-built AI for triage. Compliance in the loop.

A fine-tuned model handles the volume. Frontier AI handles the edge cases. Compliance mapping and audit evidence are built into the same pipeline — not bolted on after.

AI Triage

Powered by Corvus, our private vulnerability triage runtime. Routine findings can be classified locally when Corvus is enabled, while critical, KEV-listed, or low-confidence cases escalate to external AI and human review. The model accelerates the workflow; people still make the final call.

Hybrid AI Routing

Routine findings use the private Corvus path when available. Complex edge cases auto-escalate to an external AI fallback, with deterministic safety floors for KEV, high-CVSS, and high-EPSS findings so high-risk issues do not get under-ranked silently.

Compliance in the Loop

Findings map through CWE into the 13-framework catalog: NIST 800-53, SOC 2, CMMC, FedRAMP, HIPAA, PCI-DSS, ISO 27001, NIST CSF, EU CRA, NIS2, ASVS, GDPR, and SSDF. 300+ controls mapped automatically.

Risk Prioritization for Operators

EPSS exploit probability, CISA KEV, CVSS, and compliance impact are combined to help teams decide what to fix first instead of working from severity alone.

Evidence Workflows for Audits

POAM generation, PDF exports, and compliance evidence workflows move teams from raw findings to audit artifacts grounded in actual scan data.

Built for Lean Security Teams

Multi-tenant architecture, team workflows, and partner delivery models with enterprise controls — SSO, RBAC, white-label, and usage-based billing.

Pipeline Compliance Scanner

Run the scanner locally or in CI to identify issues, feed the AI-first triage workflow, map compliance impact, and push evidence into the broader review pipeline.

Free · Open · No signup

Scan your repo in 30 seconds with our free CLI

Detect vulnerabilities, secrets, and infrastructure-as-code drift, then auto-map every finding to NIST 800-53, SOC 2, CMMC, FedRAMP, ASVS, and SSDF controls. Runs locally. No account, no telemetry, no upload. Use it standalone or as the on-ramp to the full platform.

View on npm →CLI documentation Quickstart guide

npmv0.1.17 downloads2.1k/moApache-2.0 licensed · Node 18+

bash

# run once, no install
$ npx @cveriskpilot/scan@latest

# or install globally
$ npm install -g @cveriskpilot/scan@latest
$ crp-scan --preset startup

# CI/CD: pin a version, output SARIF
$ npx @cveriskpilot/scan@0.1 --format sarif > report.sarif

Your CI/CD pipeline now speaks compliance

Every pull request maps vulnerabilities to NIST 800-53, SOC 2, CMMC, FedRAMP, and nine more frameworks — no spreadsheets, no quarterly mapping sprints.

Step 01

Scan

CLI, Semgrep, Trivy, or Snyk runs in your pipeline.

Step 02

Map

CWE findings route to controls across 13 frameworks.

Step 03

Triage

Auto-classify true positive, false positive, or review.

Step 04

POAM

Critical findings emit auditor-ready POAM entries.

Frameworks mapped on every scan

13 frameworks · 270+ controls · 0 spreadsheets

NIST 800-53CMMC 2.0SOC 2FedRAMPOWASP ASVSNIST SSDFISO 27001NIST CSF 2.0PCI DSS 4.0HIPAAGDPREU CRANIS2

One CWE. Every framework that cares.

When the scanner emits CWE-89 (SQL Injection), CVERiskPilot fans it out to the exact control language each auditor wants to see. No analyst interprets, no spreadsheet translates.

CriticalCWE-89SQL Injection

NIST 800-53
Information Input Validation
SI-10
SOC 2
Logical Access Controls
CC6.1
CMMC 2.0
Flaw Remediation
SI.L2-3.14.1
FedRAMP
Information Input Validation
SI-10
OWASP ASVS
Output Encoding & Injection Prevention
V5.3.4
PCI DSS 4.0
Bespoke Software Engineering Practices
6.2.4

+ 7 more frameworks mapped automatically

Drop it into GitHub Actions

One workflow file. SARIF goes straight to the GitHub Security tab, critical findings block the merge, compliance mapping runs on every PR. Same shape works in GitLab CI, CircleCI, and Jenkins.

.github/workflows/compliance.yml

name: Compliance Scan
on: [pull_request]

jobs:
  cveriskpilot:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx @cveriskpilot/scan@latest \
          --preset startup \
          --format sarif \
          --fail-on critical \
          > report.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: report.sarif

No API key required for the open-source scan · upgrade for enterprise frameworks & AI triage.

How we compare

CVERiskPilot complements your existing scanners — it adds the compliance layer they're missing.

Feature	Snyk	Sonar	GHAS
Finds vulnerabilities
Auto-triage (TP / FP / Review)	—	—	—
Maps to NIST 800-53	—	—	—
Maps to SOC 2 / CMMC / FedRAMP	—	—	—
Auto-generates POAM	—	—	—
Compliance verdict in CI/CD	—	Partial	—
AI fix guidance per finding	Partial	—	Partial

What your team sees on every pull request

A compliance-aware check, posted straight into GitHub and GitLab PR threads.

github-actions[bot] · CVERiskPilot Compliance Scan

FAIL — 3 findings at or above Critical severity.

1 Critical

1 High

1 Medium

CriticalCWE-89SQL Injection in query builder

HighCWE-79Reflected XSS in search handler

MediumCWE-327Weak crypto algorithm (MD5)

Review

48 deps · sbom, secrets, iac · 1240 msView full report →

$npx @cveriskpilot/scan --preset startup

Set up in 5 minutes View documentation

One command. 30 seconds. Compliance mapping across 13 frameworks. Free and unlimited.

Pricing

AI-powered vulnerability intelligence at every scale

Start free with 25 AI chatbot messages and 50 triage calls per month. Start a Pro trial when you need more volume, more frameworks, and export-ready workflows.

Free

$0forever

Try AI triage on your real scan data. Limited usage, no credit card.

25 AI chatbot messages / month
50 AI triage calls / month
Unlimited local CLI scans
1 workspace, 1 user
Core 6 compliance frameworks
Community support

Get started free

Pro

$149/ month

Full AI triage pipeline for individual practitioners, with a 14-day trial before your first bill.

Unlimited AI chatbot messages
1,000 AI triage calls / month
All 13 compliance frameworks
AI hybrid routing
POAM generation + PDF export
Scheduled reports
Email support

Start 14-day Pro trial

Compare plans

Every plan includes the AI chatbot, triage API, and CLI scanner.

Feature	Free	Pro
AI chatbot messages	25 / mo	Unlimited
AI triage calls	50 / mo	1,000 / mo
Compliance frameworks	6	13
AI hybrid routing
Workspace users	1	1
Assets	50	500
Scheduled reports
POAM + PDF export

All plans include unlimited local CLI scans. Free is the easiest starting point, and Pro is the active paid conversion path with a 14-day trial.

Turn scanner noise into audit-ready decisions

Start free, or begin a 14-day Pro trial when you need more triage volume, all 13 frameworks, and export-ready evidence workflows.

Start 14-day Pro trial Get started free

No credit card required · 14-day trial · 100% Veteran Owned · SDVOSB-Eligible

Scan your repo in 30 seconds with our free CLI

# run once, no install $ npx @cveriskpilot/scan@latest # or install globally $ npm install -g @cveriskpilot/scan@latest $ crp-scan --preset startup # CI/CD: pin a version, output SARIF $ npx @cveriskpilot/scan@0.1 --format sarif > report.sarif

name: Compliance Scan on: [pull_request] jobs: cveriskpilot: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - run: npx @cveriskpilot/scan@latest \ --preset startup \ --format sarif \ --fail-on critical \ > report.sarif - uses: github/codeql-action/upload-sarif@v3 with: sarif_file: report.sarif

Feature

CRP

Snyk

Sonar

GHAS

Finds vulnerabilities

Auto-triage (TP / FP / Review)

—

Maps to NIST 800-53

—

Maps to SOC 2 / CMMC / FedRAMP

—

Auto-generates POAM

—

Compliance verdict in CI/CD

—

Partial

—

AI fix guidance per finding

Partial

—

Partial

Feature

Free

Pro

AI chatbot messages

25 / mo

Unlimited

AI triage calls

50 / mo

1,000 / mo

Compliance frameworks

AI hybrid routing

Workspace users

Assets

500

Scheduled reports

POAM + PDF export