How can we help?
Documentation, FAQs, and direct support for everything from your first scan upload to enterprise compliance reporting.
Private Alpha Support
Alpha technical support is monitored at support@cveriskpilot.com. We respond within one business day, and production-blocking issues are treated as same-day incidents.
Support channels
Find answers in our docs, explore the API, or reach out directly. We respond to all emails within one business day.
- Documentation: CLI setup, scanner integration, GitHub Actions, compliance frameworks, API reference, and POAM generation guides.
- Developer Portal: interactive API docs, TypeScript SDK, API playground, webhook catalog, and integration examples.
- Email Support (support@cveriskpilot.com): direct technical support for uploads, scan parsing, API integration, CLI issues, or product questions. Include your org name, environment, and a screenshot for faster routing.
- Security Disclosures (security@cveriskpilot.com): report security vulnerabilities responsibly. We acknowledge all reports within 24 hours and provide remediation timelines.
Report an Issue
Send enough context so we can reproduce it fast
For alpha support, email support@cveriskpilot.com with the items below. This is the fastest path for upload bugs, auth failures, parser issues, and unexpected product behavior.
Include these details
- Organization name and user email
- Which environment you used: prod, staging, or CLI/API only
- What you tried to do and the exact error text
- Screenshot plus approximate time and timezone
Knowledge Base
Frequently asked questions
Answers to the most common questions organized by topic.
Getting Started
How do I upload my first scan?
Log in, navigate to the Upload page, and drag-and-drop your scan file. We auto-detect the format from 11 supported scanner outputs (Nessus, SARIF, CycloneDX, Qualys, and more). Findings are enriched with EPSS, KEV, and NVD data automatically.
How do I install the CLI scanner?
No installation needed. Run npx @cveriskpilot/scan in any project directory. It scans for SBOM vulnerabilities, hardcoded secrets, and IaC misconfigurations, and maps findings to the shipped framework presets (federal, defense, enterprise, startup, devsecops, healthcare, payments, international, eu-compliance). Free-tier scans use the 6 core frameworks; paid tiers unlock all 13 implemented frameworks.
What scanner formats are supported?
File upload supports 11 formats: Nessus (.nessus), SARIF, CSV, JSON, CycloneDX (SBOM), Qualys, OpenVAS, SPDX (SBOM), OSV, CSAF, and XLSX. The CLI scanner supports 13 package manager lockfile formats.
How do I set up compliance frameworks?
Compliance frameworks are reviewed in the Compliance Hub after you upload findings. The app auto-builds the readiness view from your organization data. Use the CLI presets or API scopes to choose the coverage you want for a scan; you do not manually configure frameworks on the dashboard.
CLI Scanner
Can the CLI scan for hardcoded secrets?
Yes. The secrets scanner detects 30+ credential patterns (AWS keys, Stripe keys, GitHub PATs, database connection strings, private keys, JWTs, and more) plus high-entropy string detection via Shannon entropy analysis. Run with --secrets-only to scan secrets exclusively.
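As an added illustration of the two detection strategies described above (credential patterns plus Shannon entropy), here is a minimal secrets scanner. This is example code, not the CVERiskPilot CLI; the pattern subset, the 20-character minimum and the 4.5-bit threshold are assumptions, and the sample input is constructed.

```javascript
// Added example, not the CVERiskPilot CLI: a minimal secrets scanner combining
// a couple of well-known credential patterns with Shannon entropy scoring of
// long tokens. Pattern subset, 20-char minimum and 4.5-bit threshold are assumed.
const PATTERNS = [
  { kind: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { kind: 'private-key-block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];
// Shannon entropy in bits per character: 0 for "aaaa", 2 for "abcd".
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}
// Report only a prefix so findings can be logged without leaking the secret.
const redact = (v) => v.slice(0, 4) + '...';
// Returns [{ line, kind, value }]; tokens already matched by a pattern are not
// reported a second time by the entropy pass.
function scanForSecrets(text, { minLength = 20, entropyThreshold = 4.5 } = {}) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const patternHits = [];
    for (const { kind, re } of PATTERNS) {
      for (const m of line.matchAll(re)) {
        patternHits.push(m[0]);
        findings.push({ line: idx + 1, kind, value: redact(m[0]) });
      }
    }
    // Candidate tokens: runs of base64/url-safe chars; '=' excluded so KEY=VALUE splits.
    for (const m of line.matchAll(/[A-Za-z0-9+/_-]+/g)) {
      const token = m[0];
      if (token.length < minLength || patternHits.some((hit) => hit.includes(token))) continue;
      if (shannonEntropy(token) >= entropyThreshold) {
        findings.push({ line: idx + 1, kind: 'high-entropy-string', value: redact(token) });
      }
    }
  });
  return findings;
}

// Constructed sample: the AWS id is AWS's published documentation example, the token is made up.
const SAMPLE_INPUT = [
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  'API_TOKEN=Qm7xP2vL9wT4kRz8NhB3yF6cJ1dS5gA0',
  'PLACEHOLDER=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
  'key: -----BEGIN RSA PRIVATE KEY-----',
].join('\n');
```

The entropy pass catches tokens no fixed pattern knows about, while the long all-`a` placeholder on line 3 shows why a length check alone is not enough.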
What package managers does the CLI support?
13 formats: npm (package-lock.json), yarn (yarn.lock), pnpm (pnpm-lock.yaml), pip (requirements.txt), Pipfile.lock, poetry.lock, pyproject.toml, Go (go.sum), Cargo (Cargo.lock), gem (Gemfile.lock), Maven (pom.xml), Gradle (gradle.lockfile), and .NET (packages.lock.json).
How do I add the scanner to CI/CD?
Use our GitHub Action or add npx @cveriskpilot/scan --format sarif to any CI pipeline. The GitHub Action posts compliance results as PR comments. See the GitHub Action setup guide in our docs.
Can I scan a specific framework only?
Yes. Use --frameworks nist-800-53,cmmc to limit the scan to specific frameworks. Use --list-frameworks to see all available framework IDs.
API & Integrations
How do I get an API key?
Navigate to Settings > API Keys in your dashboard. Generate a new key, give it a name, and copy the key value. API keys are scoped to your organization and respect your RBAC role permissions.
What scanner connectors are available?
Five pre-built connectors: Tenable.io, Qualys VMDR, CrowdStrike Falcon Spotlight, Rapid7 InsightVM, and Snyk. Configure them in Settings > Connectors with your scanner API credentials.
Can I push findings to Jira?
Yes. Configure the Jira integration in Settings > Integrations with your Jira instance URL and API token. Cases can be pushed to Jira as issues with compliance context, risk scores, and remediation guidance included.
Is there a webhook for new findings?
Yes. Configure webhooks in Settings > Webhooks. Events include finding.created, case.status_changed, scan.completed, sla.breached, and more. Webhooks are signed with HMAC-SHA256 for verification.
Compliance & Reporting
How does compliance mapping work?
CVERiskPilot uses a CWE-to-control bridge. Each vulnerability's CWE weakness classification is mapped to specific controls across the 13 supported frameworks. For example, a SQL injection finding (CWE-89) automatically maps to NIST 800-53 SI-10, SOC 2 CC6.1, PCI DSS 6.5.1, and equivalent controls in other frameworks.
Can I generate a POAM?
Yes. Navigate to Compliance > POAM to generate a Plan of Action and Milestones document from your findings. Export as CSV or PDF for auditor handoff. POAMs include remediation timelines, risk ratings, and compliance control references.
What is the AI triage agent?
The AI triage agent uses a tool-calling loop with 7 verified tools (NVD lookup, KEV check, EPSS scoring, CVSS analysis, compliance mapping, risk scoring, and audit logging) to assess each finding. It generates risk statements in business and compliance language with source citations. Humans review and approve all AI assessments.
How are compliance scores calculated?
Scores are computed per framework from the ratio of compliant controls to total applicable controls, weighted by finding severity and enrichment data (EPSS exploitability, KEV active exploitation status). Scores update in real time as findings are triaged and remediated.
Billing & Account
How does pricing work now?
The active public path starts with a free workspace, then upgrades to Pro at $149/month when you need more AI triage volume, all 13 frameworks, scheduled reports, and export-ready workflows. The public Pro path currently starts with a 14-day trial during signup.
How do I upgrade to Pro?
Start from /pricing or choose Pro during signup. Existing free workspaces can upgrade from Settings > Billing, which opens the Stripe checkout flow for the workspace owner.
What are the pricing paths?
The current public product path is Free and Pro. Free is the easiest way to get started with hosted triage on real scan data, and Pro is the main paid path. Broader tiers remain in the pipeline but are intentionally hidden from the active public UI.
What happens if I stay on Free?
Your free workspace remains active with the free-tier limits in place. You keep your workspace, uploads, and local CLI usage, and you can upgrade to Pro later when you need more hosted triage capacity.
Security & Privacy
Where is my data stored?
All data is stored on Google Cloud Platform (GCP) in the US region. The database runs on Cloud SQL (PostgreSQL) with automated backups, and files are stored in GCS with server-side encryption. All data is encrypted at rest with AES-256-GCM and in transit with TLS 1.3.
Do you have SOC 2 compliance?
CVERiskPilot is built to SOC 2 Type II standards with controls mapped and evidenced. Use our free SOC 2 Readiness Report tool to assess your own posture. Our Trust Center at /trust has full details on our security architecture.
Is my scan data shared with anyone?
No. Your vulnerability data is never shared with third parties, used for training AI models, or accessed by other tenants. Strict org-scoped tenant isolation is enforced on every query. See our Privacy Policy for full details.
What authentication options are available?
Email/password, Google OAuth, GitHub OAuth, Microsoft OAuth, enterprise SSO via WorkOS (SAML 2.0 and OIDC), and passkeys/WebAuthn. MFA is supported via TOTP authenticator apps with backup codes.
Resources
Quick links
- CLI Scanner Docs: setup, configuration, and CI/CD integration
- GitHub Action: automated PR compliance checks
- API Reference: REST API, SDKs, and webhooks
- Live Demo: full product walkthrough with sample data
- SOC 2 Readiness: free gap analysis tool
- Whitepapers: technical deep-dives and ROI analysis
- Pricing: compare the free workspace and the Pro upgrade path
- Trust Center: security architecture and compliance posture
- Changelog: release notes and new features
Still need help?
Reach out directly and we'll get back to you within one business day. For enterprise and government inquiries, contact our sales team.
