CVE Scanner & KEV-Aware Vulnerability Management
The Threatstealth vulnerability scanner provides authenticated and unauthenticated scanning across hosts, web applications, containers, and source code — with CISA KEV and EPSS-based prioritisation to cut noise and focus remediation effort.
- CISA KEV prioritisation — automatically flag exploited-in-the-wild vulnerabilities requiring immediate remediation
- EPSS scoring — exploit probability scores to rank non-KEV findings by real-world risk
- Multi-target scanning — network hosts, web applications, container images, and Git repositories
- Authenticated scanning — log in as a user to discover hidden vulnerabilities behind authentication
- CVSS v3.1 scoring — standard severity scores with environmental and temporal adjustments
- Remediation tracking — assign findings to teams, track SLA compliance, and generate audit-ready evidence
Multi-Target Scanning: Hosts, Web Apps, Containers, and Code
The Threatstealth vulnerability scanner provides unified coverage across all four primary vulnerability surface areas in modern environments. Network host scanning uses credentialed and uncredentialed scan modes to identify missing patches, misconfigured services, and default credentials across servers and network devices. Web application scanning uses a DAST engine to crawl, probe, and test application endpoints for OWASP Top 10 vulnerabilities. Container image scanning analyses Docker images and OCI-compatible containers for known vulnerable packages in the base image and application layers. Source code scanning uses SAST analysis to identify security vulnerabilities in code before deployment.
- Network host scanning — credentialed scanning of servers and network devices for missing patches and misconfigurations
- Web application DAST — dynamic application security testing against live endpoints for OWASP Top 10 vulnerabilities
- Container image scanning — layer-by-layer analysis of Docker and OCI images for vulnerable package versions
- Source code SAST — static analysis of application code for security vulnerabilities before build and deployment
- Cloud configuration scanning — assessment of cloud IAM, storage, and network configurations for security misconfigurations
KEV-First Prioritisation: Cutting Scanner Backlog by 90 Percent
A default vulnerability scanner deployment against a mature enterprise environment will produce thousands of findings — a volume that exceeds any security team's remediation capacity and creates the dangerous illusion that patching is hopeless. Threatstealth's KEV-first prioritisation model eliminates this backlog problem by separating findings into four tiers: KEV-flagged findings (patch immediately, regardless of CVSS), high-EPSS non-KEV findings (patch within the sprint), lower-EPSS findings (batch quarterly), and low-priority findings (accept and document). This tiering typically reduces the immediate remediation queue from thousands of findings to fewer than 50, making vulnerability management operationally tractable.
- Tier 1 KEV findings — automatic critical-priority tagging for CISA KEV-flagged vulnerabilities requiring immediate patching
- Tier 2 high-EPSS findings — EPSS score above 0.5 triggers high-priority SLA assignment for sprint-cycle remediation
- Queue reduction outcome — typical 85–92% reduction in immediate remediation queue size using KEV+EPSS filtering
- KEV SLA enforcement — automatic SLA assignment (72h/14d) for KEV findings with overdue escalation alerts
- EPSS trend monitoring — alerts when non-KEV findings experience significant EPSS score increases week-over-week
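The tiering and SLA logic described above, written out as a small worked example. This is added illustration code, not Threatstealth's implementation: the KEV-first rule and the EPSS > 0.5 boundary come from the text, while the tier-3/tier-4 split (0.05), the reading of "72h/14d" as 72 hours for internet-facing assets and 14 days otherwise, the 14-day sprint window for tier 2, the 90-day quarterly batch window, the week-over-week EPSS alert delta, and all CVE identifiers and hosts are constructed assumptions.

```python
"""KEV-first triage of vulnerability scanner findings (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float                    # CVSS v3.1 base score
    epss: float                    # EPSS exploit probability, 0.0-1.0
    internet_facing: bool = False  # drives the KEV SLA choice (assumption)


# Tier boundaries. EPSS_HIGH (0.5) is the figure given in the text;
# EPSS_LOW is an assumed split between "batch quarterly" and "accept and document".
EPSS_HIGH = 0.5
EPSS_LOW = 0.05


def tier_for(f: Finding, kev: set[str]) -> int:
    """Tier 1 = KEV (regardless of CVSS), 2 = high EPSS, 3 = lower EPSS, 4 = low priority."""
    if f.cve in kev:
        return 1
    if f.epss > EPSS_HIGH:
        return 2
    if f.epss > EPSS_LOW:
        return 3
    return 4


def sla_for(tier: int, internet_facing: bool):
    """Remediation window per tier. The KEV 72h/14d reading below is an assumption."""
    if tier == 1:
        return timedelta(hours=72) if internet_facing else timedelta(days=14)
    if tier == 2:
        return timedelta(days=14)   # assumed sprint length
    if tier == 3:
        return timedelta(days=90)   # "batch quarterly"
    return None                     # tier 4: accept and document, no deadline


def triage(findings, kev: set[str], now: datetime):
    """Convert raw findings into remediation tasks with tier and due date."""
    tasks = []
    for f in findings:
        tier = tier_for(f, kev)
        sla = sla_for(tier, f.internet_facing)
        tasks.append({"cve": f.cve, "asset": f.asset, "tier": tier,
                      "due": now + sla if sla is not None else None})
    return tasks


def immediate_queue(tasks):
    """Tier 1 and 2 only: the queue the team actually works this sprint."""
    return [t for t in tasks if t["tier"] in (1, 2)]


def queue_reduction(tasks) -> float:
    """Fraction of findings removed from the immediate queue by KEV+EPSS filtering."""
    return 1.0 - len(immediate_queue(tasks)) / len(tasks)


def overdue(tasks, now: datetime):
    """Tasks whose SLA deadline has passed; feeds the escalation alert."""
    return [t for t in tasks if t["due"] is not None and t["due"] < now]


def epss_jumps(previous: dict, current: dict, min_delta: float = 0.2) -> dict:
    """Week-over-week EPSS increases of at least min_delta (alert threshold is assumed)."""
    return {cve: (previous.get(cve, 0.0), cur)
            for cve, cur in current.items()
            if cur - previous.get(cve, 0.0) >= min_delta}


# Constructed sample data. CVE ids are placeholders, not real KEV entries.
KEV = {"CVE-0000-0001"}
FINDINGS = [
    Finding("CVE-0000-0001", "web-01", cvss=6.5, epss=0.30, internet_facing=True),
    Finding("CVE-0000-0001", "db-01", cvss=6.5, epss=0.30),
    Finding("CVE-0000-0002", "web-01", cvss=9.8, epss=0.02),   # critical CVSS, low EPSS, not KEV
    Finding("CVE-0000-0003", "app-02", cvss=7.5, epss=0.71),
    Finding("CVE-0000-0004", "app-02", cvss=5.3, epss=0.12),
]
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for task in triage(FINDINGS, KEV, T0):
        print(f"tier {task['tier']}  {task['cve']:<14} {task['asset']:<7} due {task['due']}")
    print(f"immediate queue reduced by {queue_reduction(triage(FINDINGS, KEV, T0)):.0%}")
```

Note that the CVSS 9.8 finding lands in tier 4 while the KEV entry with a 6.5 base score is tier 1: exploitation evidence, not severity, decides the immediate queue.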
Authenticated Scanning and Discovering Hidden Vulnerabilities
Unauthenticated scanning only discovers vulnerabilities accessible to an unauthenticated attacker — missing the much larger surface area of authenticated functionality that is exposed to any user with a valid login. Authenticated web application scanning configures the scanner with valid credentials and a login flow definition, enabling it to reach and test all authenticated application functionality. Authenticated host scanning uses SSH keys or Windows credentials to perform a deeper assessment of installed package versions, running service configurations, and applied patches than is possible through unauthenticated network probing alone. Authenticated scans consistently find 3–5x more vulnerabilities than unauthenticated scans against the same target.
- Authenticated web scanning — scanner configured with valid credentials to assess all authenticated application functionality
- Login flow definition — configurable authentication sequence including MFA handling for complex login workflows
- Credentialed host scanning — SSH and Windows credential authentication for deep package and configuration assessment
- Session management — scanner maintains authenticated session state across crawled pages without triggering lockout
- Credential vault integration — scanner credentials stored securely in the platform secrets vault, not in scan configurations
Remediation Tracking, SLA Management, and Audit Evidence
Vulnerability findings without a structured remediation workflow sit unactioned — the scanner backlog accumulates and audit findings repeat year after year. Threatstealth's remediation tracking module converts scanner findings into assigned remediation tasks with defined owners, SLA deadlines, and progress tracking. KEV findings automatically generate high-priority tasks with pre-calculated deadlines. Custom SLA policies define remediation windows for other finding tiers. Audit-ready evidence is generated continuously: every scan run, every finding, every status change, and every remediation verification is retained as timestamped evidence for SOC 2 CC4.1, ISO 27001 A.8.8, and PCI DSS Requirement 6.3 compliance audits.
- Automatic task generation — scanner findings converted to remediation tasks with assigned owner and SLA deadline
- SLA compliance tracking — real-time dashboard showing open findings, overdue items, and SLA breach rate
- Remediation verification — post-patch re-scan confirming finding resolution before task closure
- Audit evidence export — scan results, remediation history, and SLA compliance data formatted for compliance auditors
- False positive management — documented false positive workflow with reviewer approval and evidence retention