Guide Docs API keys Start 14-day Pro trial

CVERiskPilotAPI Docs

Developer Guide API Reference Resources Release Notes

Getting Started

From first scan to audit-ready reports in minutes.

This guide walks through every step of the CVERiskPilot workflow: account creation, sample workspace loading or scan upload, AI-assisted triage, compliance impact analysis, case management, and report generation. Each section links to the relevant product page so you can follow along in the platform.

Step 1

Create Your Account

Sign up at /signup using your email address or through one of the supported OAuth providers: Google, GitHub, or Microsoft. OAuth signup is the fastest path -- one click and your account is ready.

During signup, the beta discount is applied automatically at checkout, giving you 50% off Pro during the alpha. This gives you expanded asset limits, AI triage calls, and scheduled reports at a discounted rate while the platform is in controlled alpha.

Step 2

Set Up Your Organization

Your organization is created automatically during signup -- you provide the organization name as part of the registration flow. Once inside the platform, visit /settings to configure your workspace:

Team name and display logo

Billing plan and usage overview

Invite team members with role-based access (Viewer, Analyst, Admin, Owner)

Step 3

Choose Sample Data or a Real Scan

New workspaces start empty by design. If you want to see the dashboard, findings, cases, and compliance score before uploading a real scanner export, use the onboarding checklist on the dashboard and select Load sample.

Sample data creates a small demo workspace with findings, cases, scans, and compliance snapshots.

Use sample data for evaluation, screenshots, and stakeholder walkthroughs.

Use a real scan when you are ready to test parser coverage, deduplication, and your own compliance impact.

Step 4

Upload Your First Scan

Navigate to /upload and drag-and-drop your scan file or use the file browser. CVERiskPilot accepts 11 scanner formats:

Nessus (.nessus)SARIFCSVJSONCycloneDXQualysOpenVASSPDXOSVCSAFXLSX

After upload, parsing and enrichment happen automatically. AI triage is available through explicit request paths:

Parsing -- The file is parsed into normalized findings using the appropriate scanner adapter.

Enrichment -- Each CVE is enriched with NVD severity data, EPSS exploitation probability, and KEV (Known Exploited Vulnerabilities) status.

AI-assisted triage -- Generate priority, recommended action, confidence, and reasoning while external calls remain behind spend guards.

Step 5

Review Your Findings

The /findings page displays all parsed vulnerabilities in a sortable, filterable table. Each row includes:

Severity badge -- Color-coded CRITICAL, HIGH, MEDIUM, or LOW based on CVSS score.

EPSS score -- The probability (0-100%) that the vulnerability will be exploited in the wild within the next 30 days.

KEV indicator -- A flag showing whether the vulnerability appears on CISA's Known Exploited Vulnerabilities catalog, signaling active exploitation.

Affected asset and component -- The specific package, library, or system where the vulnerability was detected.

Use the filter bar to narrow results by severity, scanner source, asset, framework, or triage status. Column headers are sortable -- click any header to reorder findings by that dimension.

Step 6

Understand AI Triage

Findings can receive AI-assisted triage through the product's explicit chat, triage, query, summary, and remediation paths. Open any finding detail view to see available triage output:

Priority -- CRITICAL, HIGH, MEDIUM, or LOW. Determined by combining CVSS severity, EPSS exploitation likelihood, KEV status, and environmental context.

Confidence score -- A percentage indicating model certainty. Auto-approval remains release-gated and only applies to explicitly allowed low-risk actions.

Reasoning -- A natural-language explanation of why the AI path assigned that priority and action.

The six recommended actions are:

Patch Now -- Immediate remediation required based on active exploitation or critical severity.

Schedule Patch -- High-priority but no active exploitation; schedule within SLA window.

Mitigate -- Apply compensating controls when a direct patch is unavailable.

Accept Risk -- Formally accept the risk with documented justification.

Investigate -- Insufficient data to decide; requires manual review.

Defer -- Low-priority finding that can be addressed in a future cycle.

You can configure the auto-approve confidence threshold in /settings under Triage Policy. Until the release gate is enabled, triage decisions remain human-review-gated before finalization.

Step 7

Explore Compliance Impact

The /compliance page shows how your vulnerabilities map to regulatory and industry frameworks. CVERiskPilot supports 13 frameworks:

NIST 800-53CMMCSOC 2FedRAMPHIPAAPCI DSSISO 27001NIST CSF 2.0ASVSSSDFGDPREU CRANIS2

Each finding is mapped to specific controls within your active frameworks. For example, an unpatched critical CVE might threaten NIST 800-53 SI-2 (Flaw Remediation), SOC 2 CC7.1 (System Monitoring), and PCI DSS 6.3.3 (Security Patches) simultaneously.

The compliance dashboard provides a posture score per framework, showing the percentage of controls that are satisfied, at risk, or failing. This is the view your auditors care about -- it answers "what will fail audit today" at a glance.

Step 8

Manage Cases

The /cases page tracks the remediation lifecycle for each finding or group of findings. Cases provide structure around the decision workflow:

Status tracking -- Open, In Progress, Awaiting Approval, Resolved, Closed, or Deferred.

Assignment -- Assign cases to specific team members with due dates tied to your SLA policy.

Approval workflow -- Cases requiring risk acceptance or compensating controls route through an approval chain before closure.

Comments and audit trail -- All actions, status changes, and decisions are logged with timestamps and user attribution.

Step 9

Generate Reports

Visit /reports to generate audit-ready documentation. Available report types include:

Executive summary -- High-level risk posture, KEV exposure, and SLA compliance metrics for leadership.

Compliance report -- Per-framework control status with evidence references and gap analysis.

Scan comparison -- Delta report showing new, resolved, and persistent findings between two scan uploads.

All reports can be exported as PDF. Reports include AI-generated risk narratives written in the language auditors expect -- not raw CVSS scores but contextualized business and compliance impact statements.

Step 10

Configure Settings

The /settings page provides full control over your workspace. Available configuration tabs:

Organization profile -- Team name, logo, and contact information.

Billing -- Current plan, usage metrics, and upgrade options.

API keys -- Generate and manage keys for CLI and API access.

Connectors and Jira -- Configure scanner/API connectors and Jira sync defaults.

Triage policy -- SLA timelines, risk tolerance thresholds, and auto-approve confidence levels.

SLA, AI prompts, IP allowlist, and retention -- Enterprise controls for remediation timelines, AI behavior, network access, and data lifecycle.

Notifications -- Email alerts for new findings, SLA breaches, and case updates.

Webhooks and delivery log -- Outbound event delivery plus delivery debugging.

SSO -- SAML/OIDC configuration for enterprise single sign-on via WorkOS.

Step 11

Use the CLI

For CI/CD pipeline integration, install the @cveriskpilot/scan CLI tool. The scanner runs dependency, secrets, and infrastructure-as-code checks locally and uploads results directly to the platform.

See the full CLI reference for installation, flags, framework presets, output formats, and exit codes.

What's next

Continue exploring the platform.

Now that you have the basics, dive deeper into the developer tools and platform capabilities.

CLI reference

All flags, presets, output formats, and exit codes for the crp-scan CLI.

View docs →

Pipeline scanning

Integrate scan ingestion and compliance mapping into your CI/CD workflows.

View docs →

Developer platform

API keys, hosted triage endpoints, webhook delivery, and platform console.

View docs →

Webhook delivery

CloudEvents envelope, HMAC verification, retries, and event payload reference.

View docs →

GitHub Action

Automated PR comments, SARIF export, and platform upload from GitHub workflows.

View docs →

Start Pro trial

Create a workspace and begin a 14-day Pro trial with full platform access.

View docs →

Developer guide Docs API keys Support

CVERiskPilot developer surface

Guide Docs API keys Start 14-day Pro trial

CVERiskPilotAPI Docs

Developer Guide API Reference Resources Release Notes

Docs