Guarded AI today. Private-runtime path next.
CVERiskPilot combines vulnerability enrichment, compliance mapping, guarded external AI, human review, and the Corvus private-runtime roadmap. The current production path is explicit-request AI with spend guards; private runtime serving ships only after health checks and benchmark gates pass.
Model Versions
Built iteratively. Measured rigorously.
Each model version trains on more data, evaluates against held-out and golden checks, and stays out of production until serving, health, and quality gates are real.
- Training Data
- Thousands of labeled examples from open-source vulnerability data
- Infrastructure
- GPU training infrastructure
- Deployment
- Internal evaluation artifact
Established baseline metrics; not a production-serving endpoint.
- Training Data
- Tens of thousands of labeled examples across multiple training batches
- Infrastructure
- Enterprise GPU infrastructure
- Deployment
- Private-runtime path under release gates
Runtime artifact and model claims stay gated by smoke and golden benchmark evidence.
- Training Data
- Expanded dataset with human-validated labels from production feedback loops
- Infrastructure
- Enterprise GPU infrastructure
- Deployment
- Private cloud + on-premise evaluation path
Sector-specific fine-tuning (healthcare/HIPAA, defense/CMMC, fintech/PCI DSS).
Training Pipeline
Six phases. Real data. No shortcuts.
Every training example starts with a real CVE from a real repository. Enrichment, triage labels, and compliance mappings are generated programmatically — then validated.
Scan
Automated vulnerability data collection runs dependency audits across multiple package manager formats. Raw findings are deduplicated and normalized.
Continuous collection
Enrich
Each CVE is enriched with NVD severity data, EPSS exploit probability scores, and KEV catalog status. Asset context and CWE classifications are attached.
Multi-signal enrichment
Triage
AI-assisted review generates structured triage decisions: priority level, recommended action, reasoning, compliance impact, and confidence score. Reviewed outputs can become future training and evaluation labels.
Structured labels
Map
Every finding is mapped to affected compliance controls across 13 frameworks. CWE-to-control mappings connect technical weaknesses to audit requirements.
13 frameworks
Train
Parameter-efficient fine-tuning remains the Corvus roadmap path. Training runs and runtime artifacts are gated by repo-tracked smoke and benchmark checks before buyer-facing claims are promoted.
Release-gated
Evaluate
Golden sets and smoke checks measure control citation, triage agreement, latency, and failure modes before a private runtime can serve customer traffic.
Rigorous evaluation
Why this matters
Architecture
Hybrid routing. Not a single point of failure.
Production requests use explicit, guarded AI paths today. The private Corvus path is designed to handle routine findings once it is enabled, healthy, and benchmark-gated. Every decision path is designed for confidence scoring and auditability.
CVE Ingest
Scanner findings + NVD/EPSS/KEV enrichment
PII Redaction
7 pattern categories stripped before any AI call
Routing Engine
Severity, EPSS, KEV status, confidence threshold
Private Fast Path
Corvus Runtime
Local/private runtime
Escalation Path
Advanced AI
Deep analysis, high stakes
Structured Triage Decision
Priority + action + reasoning + confidence + compliance mapping
Hybrid Routing
Routine triage can route to the private Corvus runtime when it is enabled and healthy. Complex cases (critical severity, KEV-listed, high EPSS, or low confidence) escalate to advanced AI and human review for deeper analysis.
Routing is driven by severity, exploit signals, and confidence rather than a fixed public percentage. Corvus returns confidence scores; cases below threshold automatically escalate. Fail-closed: no silent degradation.
PII Redaction Pipeline
IP addresses, hostnames, URLs, usernames, AWS account IDs, and API keys are automatically stripped before any data reaches an AI model. Infrastructure topology never leaves your control.
Regex-based redaction engine with 7 pattern categories. Local redaction map retained for re-identification in results.
Confidence-Based Escalation
Every triage decision includes a confidence score. Low-confidence outputs are automatically flagged for human review or escalated to a more capable model. No silent failures.
Auto-approve threshold for high-confidence routine cases. Human-review queue for edge cases. Full audit trail of routing decisions.
Tenant-Isolated Feedback
Human corrections (severity overrides, false positive flags, action changes) feed back into your organization's triage model. Your AI adapts to your risk tolerance, not someone else's.
Feedback loop activates after 10+ human reviews to prevent noise from skewing early decisions. Organization-scoped at the database layer.
AI In Action
What Corvus actually says
Responses from the live demo workspace. CVERiskPilot AI sequences remediation by KEV status, exploitation signals, and exposure, not raw CVSS scores alone. Each answer is tagged with the model path that handled it.
You
Which findings are KEV-listed?
CVERiskPilot AI
Model-routedThe KEV-listed set includes XZ Utils, CitrixBleed, MOVEit Transfer, and PAN-OS command injection. Patch those first because they combine active exploitation signals with high operational impact.
You
What should the team do after the KEV items?
CVERiskPilot AI
Model-routedAfter the KEV items, focus on internet-exposed high-severity systems and remote access paths. In this workspace, that means validating the regreSSHion exposure next and then clearing any remaining externally reachable infrastructure findings.
Ask your own questions in the live demo workspace — every reply is tagged with the model that answered.
Deployment
Your infrastructure. Your rules.
Three deployment models, staged honestly: guarded cloud AI is live today; private cloud and air-gapped paths are the Corvus serving roadmap.
Cloud API
Guarded external AI via encrypted API. PII is redacted before calls and daily spend controls cap usage.
Private Cloud (VPC)
Planned private-runtime deployment inside your cloud tenant. Designed for customers that need a stricter data boundary.
On-Premise (Air-Gapped)
Corvus private-runtime roadmap for future air-gapped triage. Requires serving infrastructure and benchmark gates before production use.
AI data handling mapped to SOC 2 CC6.1 (logical access), FedRAMP AC-4 (information flow), NIST 800-53 SI-19 (de-identification), and CMMC AC.L2-3.1.3 (CUI flow control).
AI Roadmap
Where we are. Where we're going.
Model v1 Baseline
First purpose-built triage baseline trained on labeled vulnerability examples. Kept as an internal evaluation artifact rather than a production endpoint.
Model v2 — Expanded Dataset + Cloud Training
Expanded labeled examples and iterative training runs. Runtime claims remain gated by smoke tests and golden benchmark evidence.
Private Runtime Release Gate
Prepare Corvus serving infrastructure, health checks, benchmark gates, and rollback criteria before any on-prem or private-cloud deployment.
Sector-Specific Models
Healthcare (HIPAA-weighted), defense (CMMC/FedRAMP-weighted), fintech (PCI DSS-weighted) fine-tunes.
Private Triage API
Benchmark-gated private triage endpoint for CI/CD integrations where customers need a stricter data boundary.
Continuous Learning
Automated retraining pipeline triggered by feedback volume thresholds. Per-tenant model adapters.
See the model in action.
Upload a scan, watch the AI triage every finding, and see which compliance controls are affected — in minutes, not days.