User Guide
CVERiskPilot feature reference
Dashboard
Your security posture at a glance.
The dashboard is the default landing page after login. It surfaces the metrics that matter most for daily triage and audit readiness.
Overview statistics
The top row displays four primary metrics: total findings across all uploaded scans, open cases requiring attention, the current compliance posture score (weighted across all active frameworks), and a risk trend sparkline showing posture movement over the past 30 days.
Recent activity feed
A chronological feed of the latest actions across your organization: scan uploads, triage decisions, case status changes, report generation, and integration events. Each entry links directly to the relevant resource.
Quick actions
Shortcut buttons for the most common workflows: upload a new scan, view untriaged findings, generate an executive report, and open the compliance posture view. These adapt based on your RBAC role — Viewers see report and dashboard links only.
Findings
Every vulnerability, enriched and mapped.
The findings view is the primary workspace for security analysts. Filter, sort, and drill into any finding to see its full risk context.
Finding list and filters
The findings table supports filtering by severity (Critical, High, Medium, Low, Informational), status (Open, In Progress, Resolved, Accepted, Deferred), compliance framework, scanner source, and date range. Filters compose: applying several at once narrows the result set with AND logic. Column headers are sortable. Pagination handles large result sets without performance degradation.
Finding detail view
Selecting a finding opens the detail panel with full context:
Bulk actions
Select multiple findings using checkboxes to perform batch operations: assign to a team member, change status, create cases, or export the selection as CSV or PDF. Bulk actions respect RBAC — Viewer and Auditor roles cannot modify finding state.
AI Triage
AI-assisted vulnerability intelligence.
CVERiskPilot evaluates findings using CVE severity, exploit intelligence, asset context, and compliance impact to produce priority, recommended action, and review-ready reasoning through explicit AI request paths.
How AI triage works
After findings are parsed and enriched, users can invoke AI-assisted triage and remediation paths. The triage context considers CVSS base and temporal scores, EPSS exploitation probability, KEV catalog status, asset criticality and environment (production vs. staging), network reachability, and the compliance frameworks active for your organization. External AI calls run behind redaction and spend guards. The output is a priority level, a recommended action, and a confidence score.
Priority levels
| Level | Meaning |
|---|---|
| P1 — Critical | Actively exploited or weaponized. Immediate remediation required. Typically triggers SLA escalation. |
| P2 — High | High likelihood of exploitation with significant impact. Should be scheduled within the high-severity SLA window. |
| P3 — Medium | Moderate risk. Exploitability or impact is limited by environment, configuration, or compensating controls. |
| P4 — Low | Minimal risk. Informational or requires unlikely conditions to exploit. Can be deferred or accepted. |
| P5 — Informational | No direct security risk. Advisory or best-practice finding. No SLA enforcement. |
Recommended actions
| Action | Description |
|---|---|
| PATCH_IMMEDIATELY | Critical or actively exploited vulnerability. Must be remediated within the SLA for critical findings (default: 48 hours). |
| SCHEDULE_PATCH | High or medium severity with no active exploitation. Schedule remediation within the standard SLA window (default: 14 days for high, 30 days for medium). |
| MITIGATE | Direct patch is not available or not feasible. Apply compensating controls such as WAF rules, network segmentation, or configuration changes. |
| ACCEPT_RISK | Risk is within organizational tolerance. Requires documented justification and approval from an Owner or Admin role. |
| INVESTIGATE | Insufficient context to make a triage decision. The finding needs manual review to determine asset exposure, reachability, or exploitability. |
| DEFER | Remediation is planned but deprioritized. Typically used for low-severity findings or those in non-production environments. |
Confidence scores and auto-approve
Every triage decision includes a confidence score between 0 and 1. Your organization can configure an auto-approve threshold in Settings (default: 0.90), but automatic approval remains release-gated. It only applies after the gate is enabled and only for explicitly allowed low-risk actions. All other decisions are flagged for manual review.
Overriding AI decisions
Any Analyst, Admin, or Owner can override an AI triage decision from the finding detail view. Select a new priority level and action, then provide a justification. Overrides are recorded in the audit log with the original AI recommendation preserved for compliance evidence.
Triage policy settings
Configure triage behavior under Settings:
Cases
Track remediation from finding to closure.
Cases are the operational unit for tracking remediation work. Each case groups one or more related findings with an owner, timeline, and approval workflow.
Case lifecycle
Cases follow a four-stage lifecycle: Open (created, awaiting assignment or work), In Progress (actively being remediated), Resolved (remediation applied, pending verification), and Closed (verified and archived). Status transitions are logged in the audit trail.
Assignment and ownership
Cases can be assigned to any team member with Analyst, Admin, or Owner role. The assignee receives email and in-app notifications. Unassigned cases appear in the team queue. Ownership can be transferred at any stage.
Approval workflow
Cases created from high-confidence AI triage decisions remain human-review-gated unless the release-gated auto-approve control is enabled for the specific recommended action. Cases requiring human review enter a pending state until an Admin or Owner approves the triage recommendation. Risk acceptance cases always require explicit human approval regardless of confidence score.
Comments and collaboration
Each case has a threaded comment stream for team discussion. Comments support plain text and are timestamped with the author. Use comments to document investigation findings, remediation steps, and approval rationale.
Evidence attachment
Attach evidence files (screenshots, configuration exports, scan diffs) directly to a case. Attached evidence is included in compliance evidence packages and audit exports. All attachments are stored with AES-256-GCM encryption at rest.
Compliance
Map every finding to its compliance impact.
CVERiskPilot bridges vulnerability data and compliance posture by mapping CVEs to specific compliance controls across 13 frameworks.
Supported frameworks
| Framework | Scope |
|---|---|
| NIST 800-53 | Federal information systems |
| CMMC | Defense Industrial Base contractors |
| SOC 2 | Service organizations (trust criteria) |
| FedRAMP | Federal cloud service providers |
| OWASP ASVS | Application security verification |
| NIST SSDF | Secure software development |
| GDPR | EU data protection |
| HIPAA | Healthcare data privacy |
| PCI DSS | Payment card industry |
| ISO 27001 | Information security management |
| NIST CSF 2.0 | Cybersecurity risk framework |
| EU CRA | EU Cyber Resilience Act |
| NIS2 | EU network and information security |
Control mapping
Each finding is mapped to compliance controls through a CWE-based bridge. The platform resolves CVE → CWE → compliance control relationships automatically. For example, a SQL injection finding (CWE-89) maps to NIST 800-53 SI-10 (Information Input Validation), SOC 2 CC6.1, PCI DSS 6.5.1, and OWASP ASVS V5. The compliance detail view shows exactly which controls are threatened by open findings.
Posture scoring
The compliance posture score is a weighted percentage reflecting how well your organization's current vulnerability state aligns with each framework's control requirements. The score accounts for finding severity, asset criticality, remediation status, and whether compensating controls are documented. Scores are computed per framework and rolled up into an aggregate posture score displayed on the dashboard.
POAM generation
Generate a Plan of Action and Milestones (POAM) document directly from open findings. The POAM includes finding description, affected controls, planned remediation date, responsible party, and estimated completion timeline. POAMs can be exported as PDF or CSV for submission to auditors or authorizing officials.
Evidence collection
The platform collects and organizes audit evidence automatically: triage decisions, remediation timelines, approval records, scan history, and posture score trends. Export a complete evidence package per framework for audit engagements. All evidence entries are cryptographically signed via the Vault Protocol.
Reports
Audit-ready reports on demand.
Generate reports that translate vulnerability data into business and compliance language for executives, auditors, and technical teams.
Report types
Export formats
All reports can be exported as PDF (formatted with professional layout suitable for audit submission) or CSV (raw data for spreadsheet analysis and further processing). PDF reports include the organization name, generation timestamp, and page numbering.
Upload & Scanners
Ingest from any scanner, any format.
Upload scan results from 11 supported formats. Each upload is parsed, deduplicated, enriched with threat intelligence, and prepared for AI-assisted triage.
Supported formats
| Format | Extension | Notes |
|---|---|---|
| Nessus | .nessus | Tenable Nessus XML export |
| SARIF | .sarif | Static Analysis Results Interchange Format (v2.1.0) |
| CSV | .csv | Generic CSV with CVE ID, severity, and asset columns |
| JSON | .json | CVERiskPilot native JSON or generic vulnerability JSON |
| CycloneDX | .json / .xml | CycloneDX SBOM (v1.4+) |
| Qualys | .xml | Qualys VMDR / WAS XML export |
| OpenVAS | .xml | OpenVAS / Greenbone XML report |
| SPDX | .spdx / .json | SPDX SBOM (v2.3+) |
| OSV | .json | OSV (Open Source Vulnerabilities) JSON |
| CSAF | .json | Common Security Advisory Framework |
| XLSX | .xlsx | Spreadsheet with vulnerability data columns |
Processing pipeline
Every upload passes through a four-stage pipeline:
Scanner connectors
For automated ingestion, configure direct connectors to your scanner platforms. Connectors poll for new scan results on a configurable schedule and feed them through the same processing pipeline.
CLI scanner for CI/CD
The crp-scan CLI runs dependency, secrets, and IaC scans directly in your CI/CD pipeline. Results are uploaded to CVERiskPilot automatically with your API key. See the pipeline docs and GitHub Action for integration guides.
Settings
Configure your organization.
Organization-level settings control team access, billing, triage behavior, integrations, and security configuration.
Organization profile
Set your organization name, industry vertical, and primary compliance frameworks. The industry setting influences AI prompt context and compliance weighting (a healthcare organization sees HIPAA-weighted guidance, for example). The selected frameworks determine which compliance controls appear in findings and reports.
Team management and RBAC
Invite team members by email. Each member is assigned one of five roles:
| Role | Permissions |
|---|---|
| Owner | Full organization control. Manages billing, team membership, SSO configuration, and all platform settings. Can delete the organization. |
| Admin | Manages team members, triage policies, integrations, and API keys. Cannot change billing or delete the organization. |
| Analyst | Core operational role. Can upload scans, triage findings, manage cases, generate reports, and configure personal notification preferences. |
| Viewer | Read-only access to dashboards, findings, cases, and reports. Cannot modify data or trigger actions. |
| Auditor | Read-only access with full audit log visibility. Designed for external auditors who need evidence access without operational permissions. |
Billing and subscription
View your current plan, usage metrics (assets, AI calls, team seats), and billing history. Upgrade or downgrade between Free, Pro, and Enterprise tiers. Manage payment methods and download invoices. The billing page connects directly to the Stripe customer portal.
API keys
Generate and manage API keys for CLI uploads, scanner connectors, and programmatic access. Keys are scoped to your organization and can be rotated or revoked at any time. Use the API key console for detailed key management.
Additional settings
Integrations
Push findings into your existing workflows.
CVERiskPilot integrates with ticketing, ITSM, and webhook-based systems to keep remediation work in the tools your team already uses.
Jira
Create Jira tickets directly from findings or cases. Configure the target project, issue type, priority mapping, and custom fields. Ticket status syncs bidirectionally — resolving a ticket in Jira updates the case status in CVERiskPilot.
ServiceNow
Create ServiceNow incidents or change requests from cases. Supports CMDB asset mapping and assignment group routing. Available on Enterprise and MSSP tiers.
Webhooks
Receive real-time event notifications via webhooks. Events are delivered in CloudEvents format with HMAC-SHA256 signature verification. Supported events include: finding created, triage completed, case status changed, scan completed, and SLA breached. Failed deliveries are retried with exponential backoff. See the webhook docs for payload schemas and verification examples.
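A receiver-side check for the webhook delivery described above, added here as an example; it is not code from CVERiskPilot or its webhook docs. It assumes the signature is hex-encoded HMAC-SHA256 over the raw request body under the shared secret and arrives in a header; the header name, the event type strings and the secret are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// CloudEvent holds the envelope attributes a receiver checks; Data stays raw until verified.
type CloudEvent struct {
	SpecVersion string          `json:"specversion"`
	ID          string          `json:"id"`
	Type        string          `json:"type"`
	Source      string          `json:"source"`
	Data        json.RawMessage `json:"data"`
}

// Sign returns hex(HMAC-SHA256(secret, body)); hex over the raw body is an assumption of this example.
func Sign(secret, body []byte) string {
	m := hmac.New(sha256.New, secret)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// VerifyAndParse compares MACs in constant time and only then parses JSON, so unauthenticated bytes are never decoded.
func VerifyAndParse(secret, body []byte, sigHeader string) (*CloudEvent, error) {
	got, err := hex.DecodeString(sigHeader)
	if err != nil {
		return nil, fmt.Errorf("malformed signature header")
	}
	m := hmac.New(sha256.New, secret)
	m.Write(body)
	if !hmac.Equal(got, m.Sum(nil)) {
		return nil, fmt.Errorf("signature mismatch")
	}
	var ev CloudEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return nil, fmt.Errorf("invalid JSON body: %w", err)
	}
	if ev.SpecVersion != "1.0" || ev.ID == "" || ev.Type == "" {
		return nil, fmt.Errorf("missing required CloudEvents attributes")
	}
	return &ev, nil
}

func main() { // stand-alone demo with a constructed event and secret
	secret, body := []byte("constructed-secret"), []byte(`{"specversion":"1.0","id":"evt-1","type":"finding.created","source":"/org/demo","data":{}}`)
	fmt.Println(VerifyAndParse(secret, body, Sign(secret, body)))
}
```

Reject the delivery before reading any event field; a retry with exponential backoff from the sender looks identical to a replay, so pair this check with the event ID for idempotency.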
API access
The CVERiskPilot REST API provides programmatic access to findings, cases, compliance data, and reports. Authenticate with your organization API key. Full API documentation is available at Developers.
Audit Log
Tamper-evident activity tracking.
Every security-relevant action in CVERiskPilot is recorded in a cryptographically verifiable audit log.
Activity tracking
The audit log captures all significant platform actions: login attempts, scan uploads, triage decisions (including AI and human), case status changes, role assignments, settings modifications, API key operations, and data exports. Each entry records the actor, timestamp, action type, affected resource, and metadata.
Vault Protocol
Audit log entries are protected by the Vault Protocol, a cryptographic integrity system. Each entry is signed with an Ed25519 digital signature and chained into a Merkle tree. This makes the log tamper-evident: any modification, deletion, or reordering of entries invalidates the tree and is detectable during verification. The Vault Protocol provides auditors with mathematical proof that the activity record has not been altered.
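An illustrative model of the tamper-evidence property described above, added here as an example; it is not the Vault Protocol's actual encoding, which this page does not specify. It assumes one Ed25519 signature per entry over its canonical bytes and a SHA-256 Merkle tree whose leaves bind record and signature together; the seed-derived key and the audit records are constructed test values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
)

type SignedEntry struct{ Record, Sig []byte } // one audit record (canonical JSON bytes) plus the writer's signature over it

// SignEntry signs with a key derived from a 32-byte seed (a constructed test value; real keys belong in a KMS or HSM);
// PublicKey is the verifier's half of the same key.
func SignEntry(seed, record []byte) SignedEntry {
	return SignedEntry{Record: record, Sig: ed25519.Sign(ed25519.NewKeyFromSeed(seed), record)}
}
func PublicKey(seed []byte) []byte { return ed25519.NewKeyFromSeed(seed).Public().(ed25519.PublicKey) }

// hashNode prefixes a domain byte (0x00 leaf, 0x01 interior) so the two node kinds can never be confused.
func hashNode(prefix byte, a, b []byte) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{{prefix}, a, b}, nil))
	return sum[:]
}

// MerkleRoot hashes each entry (record||signature) into a leaf and folds pairs upward, carrying an odd tail up
// unchanged; leaf order is part of the tree, so editing, deleting or reordering any entry changes the root.
func MerkleRoot(log []SignedEntry) []byte {
	var level [][]byte
	for _, se := range log {
		level = append(level, hashNode(0x00, se.Record, se.Sig))
	}
	for len(level) > 1 {
		var next [][]byte
		for i := 0; i+1 < len(level); i += 2 {
			next = append(next, hashNode(0x01, level[i], level[i+1]))
		}
		if len(level)%2 == 1 {
			next = append(next, level[len(level)-1])
		}
		level = next
	}
	return bytes.Join(level, nil) // empty for an empty log, otherwise the single root
}

// Verify does what an auditor would: check every signature, then the recomputed root against the published one.
func Verify(pub []byte, log []SignedEntry, root []byte) bool {
	for _, se := range log {
		if !ed25519.Verify(pub, se.Record, se.Sig) {
			return false
		}
	}
	return bytes.Equal(MerkleRoot(log), root)
}
```

The signatures alone catch an edited record or a foreign signer; only the root, published out of band, catches a deleted or reordered entry whose signature is still valid.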
Filtering and search
Filter audit log entries by action type, user, date range, and affected resource. The Auditor role has full read access to the audit log without the ability to modify any platform data — designed for external auditors performing evidence review.