CVEsafe — Documentation

Everything about CVEsafe: how the platform is built, how to use it step by step, and the technical explanation of every feature. Also available in Portuguese and Spanish.

Get started in 60 seconds: create your account and verify your email → add a target (site/host/CIDR/API) → click Run scan, pick a level (Quick / Standard / Deep) → watch the result and risk score. For your internal network, install an agent first. Details in First steps.

Overview

CVEsafe is a multi-tenant vulnerability-management platform. You point it at an asset (website, host, network range or API); the platform discovers the rest of the surface, runs the right checks, correlates each finding with its CVE and exploitation context (EPSS/KEV), prioritizes what truly matters and pushes remediation into your workflow (ServiceNow, webhooks, reports).

There are two coverage modes:

  • Agentless (external): public assets are scanned from CVEsafe's infrastructure.
  • With an agent (internal/LAN): a lightweight agent installed on your network scans internal assets the public scanner can't reach, inventories the LAN and audits machine posture.

Architecture & software layers

CVEsafe is made up of the following layers:

Frontend (SPA)   React + Vite + TypeScript · app.cvesafe.com · PT/EN/ES
                 ▼ HTTPS / REST (JWT)
API              FastAPI (Python) · auth, multi-tenant, RBAC, quotas
                 ▼ enqueues jobs
Queue            Redis (broker)
Workers          Celery · queues: scans, default, email, sms, maintenance
Scheduler        Celery beat · scheduled scans, enrichment, sync
                 ▼ execute / persist
Engines          ZAP (daemon), Nmap, Nuclei, SSLyze, OpenVAS
Database         PostgreSQL · targets, scans, findings, issues, integrations
                 ▼ reach the customer network
Agents           Windows / Linux · internal scans, LAN, SNMP, host audit
Integrations     ServiceNow (two-way) · signed webhooks

What each layer does

  • Frontend — the web app (dashboard, Command Center, targets, scans, issues, posture, agents, LAN discovery, integrations). Fully internationalized (PT/EN/ES).
  • API (FastAPI) — authentication (JWT + TOTP MFA), per-organization multi-tenant isolation, permissions (RBAC), per-plan scan quotas and every business endpoint. Each organization only ever sees its own data.
  • Queue + Workers (Celery/Redis) — scans run asynchronously. Queues are separated (scans, email, sms, maintenance) so a backlog in one doesn't stall the others. There's a dedicated scan worker and a light worker for auxiliary tasks; you can scale horizontally by adding worker nodes.
  • Scheduler (beat) — fires scheduled scans, periodically enriches issues with EPSS/KEV and syncs ServiceNow state.
  • Engines — industry-standard tools, orchestrated: ZAP (daemon via REST API), Nmap, Nuclei, SSLyze and OpenVAS. Each result becomes a Finding.
  • Database (PostgreSQL) — stores targets, scans, findings, (de-duplicated) issues, LAN inventory, integrations and settings. Sensitive credentials (ServiceNow, target auth) are stored encrypted.
  • Agents — lightweight processes on customer machines that claim and run scans of internal targets, do LAN discovery/inventory, SNMP audits and posture audits of their own host. Only results are sent upstream, and the agents update themselves.
  • Integrations — open incidents in ServiceNow (with two-way sync) and fire signed (HMAC) webhooks to any endpoint.

Concepts

Term          Meaning
Organization  Tenant. Everything (targets, scans, team, integrations) belongs to an organization.
Target        A scannable asset: website, host/IP, CIDR range or API. Every target starts with an ownership declaration.
Group         Groups targets (by environment, team, app) with an aggregate risk score.
Scan          A single run of an engine against a target.
Finding       An observation from a scan.
Issue         The de-duplicated, stateful vulnerability (the "what to fix") that groups findings over time.
Agent         Software installed on the customer network for internal scans.

First steps

  1. Create your account and verify your email

    Sign up at app.cvesafe.com. Email verification is required before running any scan.

  2. Create a group

    Organize your assets by environment, team or application. Each group tracks an aggregate risk score.

  3. Add a target

    Register a website, host, CIDR or API you own. You confirm asset ownership (an audit-consent record). For a domain, the platform maps its subdomains automatically.

  4. Run a scan

    Choose a preset (Quick / Standard / Deep) or pick the checks manually and start. For internal targets, install an agent first (see Local agent).

  5. Track & fix

    Results arrive with a risk score and an email report. Vulnerabilities flow into Issues, where you prioritize, assign an owner and follow through to the fix.

Groups & targets

Target types:

Type     Example                  Use
website  https://example.com      Web apps (web tests, CVEs, TLS, subdomains).
host     scanme.example.com       A host/IP (ports/services, network vulnerabilities).
cidr     10.0.0.0/24              Network range (ports/services, LAN discovery).
api      https://api.example.com  APIs (web tests, CVEs).

A target can be external (scanned by CVEsafe's infrastructure) or internal (marked internal and pinned to an agent, scanned from inside your network).

Checks (what you choose)

You don't choose a tool — you choose what to check. Each check is delivered by our orchestrated suite (an implementation detail). Select just what you need, part of it, or everything at once.

Check                                       What it does
Port & service discovery (TCP)              Finds open TCP ports and each one's service/version — your exposed surface. Variants: top 100, full TCP, UDP.
CVE detection by service/version            Matches detected services and versions to known CVEs (with CVSS).
Network vulnerability tests (NVTs)          Tens of thousands of network checks mapped to CVEs.
Known CVEs & misconfigurations              Signatures for known CVEs, exposed admin panels, default credentials and technology fingerprinting.
Passive web analysis                        Missing security headers, insecure cookies, information leakage — without attacking (safe in production).
Active web testing (SQLi, XSS, traversal)   Sends controlled requests to confirm SQL injection, XSS, command injection and path traversal.
TLS certificate validation                  Validity, issuer, hostname, self-signed and chain issues.
Weak TLS protocols & ciphers                TLS 1.0/1.1, RC4, weak Diffie-Hellman and obsolete crypto.
Heartbleed / ROBOT                          Specific checks for well-known TLS flaws.
Subdomain mapping                           Enumerates the external surface via Certificate Transparency + DNS.

Each check maps to a module of the suite; you combine the ones you want in a single run. On the agent there are also lan_discovery, host_audit and snmp_audit (see the Agent sections).

Authenticated scans

To find vulnerabilities behind a login, configure a credential on the target. Under Targets → "Auth" button (websites and APIs), choose the type:

  • Bearer token — injects Authorization: Bearer <token>.
  • Custom header — e.g. X-API-Key: <value>.
  • Session cookie — injects Cookie: ....
  • Basic auth — username and password (becomes Authorization: Basic ...).

The credential is stored encrypted and, during the scan, the web-testing engine injects it into requests scoped to that target's host (safe even with concurrent scans). The agent also runs authenticated SNMP scans against LAN devices (see SNMP audit).

Privacy: credentials never return to the browser and never appear in logs; they are decrypted only at scan time.
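The host-scoping rule above (the credential is injected only into requests for the target's own host, so concurrent scans or redirects never receive it) is the part a reviewer would want to see in code. The following is an added example, not CVEsafe's scanner code: the credential types and header names are the four listed in this section, while the refusal to inject over plain http when the target was registered over https is this example's own extra caveat.

```python
"""Host-scoped credential injection for authenticated scans (added example).

Not CVEsafe's own code. It models the rule that a stored credential is added
only to requests whose host matches the target it belongs to. The https
downgrade check is an extra precaution added here, not something the docs state.
"""
import base64
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    kind: str        # "bearer" | "header" | "cookie" | "basic" (types from the docs)
    value: str       # token, header value, cookie string, or password for basic
    name: str = ""   # header name (kind == "header") or username (kind == "basic")


def credential_headers(cred: Credential) -> dict:
    """Headers a credential adds, exactly as the Authenticated scans list describes."""
    if cred.kind == "bearer":
        return {"Authorization": f"Bearer {cred.value}"}
    if cred.kind == "header":
        return {cred.name: cred.value}
    if cred.kind == "cookie":
        return {"Cookie": cred.value}
    if cred.kind == "basic":
        raw = f"{cred.name}:{cred.value}".encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
    raise ValueError(f"unknown credential type: {cred.kind}")


def headers_for_request(url: str, target_url: str, cred: Credential) -> dict:
    """Return auth headers for `url`, or {} when the request must stay unauthenticated.

    The scanner may follow redirects and scans several targets at once, so the
    credential is released only when the request host equals the target host
    (compared case-insensitively, ignoring port and userinfo). Nothing is
    injected for a plain-http URL when the target was registered over https,
    because that would send the secret in clear (assumption added by this example).
    """
    target, req = urlsplit(target_url), urlsplit(url)
    if not req.hostname or req.hostname != target.hostname:
        return {}
    if target.scheme == "https" and req.scheme != "https":
        return {}
    return credential_headers(cred)


if __name__ == "__main__":
    # Constructed sample: a bearer credential registered for https://app.example.com
    cred = Credential("bearer", "tok123")
    for u in ("https://app.example.com/api", "https://other.example.net/", "http://app.example.com/"):
        print(u, headers_for_request(u, "https://app.example.com", cred))
```

Run it directly to see the three cases: same host gets the header, a different host gets nothing, and a downgraded http request to the same host also gets nothing.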

Scheduling

Any target can have recurring scans (daily, weekly or monthly) at the time you set. Scheduled scans run automatically and keep coverage current — useful to track posture and trigger automatic fix verification (see verify-on-rescan).

Local agent

The agent is a lightweight process (Windows/Linux) that runs on your network and executes scans the public scanner can't reach. It registers, claims jobs from the queue, runs them locally and sends back only the results.

Installation (Windows)

Under Agents, generate a key and run in PowerShell as Administrator:

PS C:\> $env:CVESAFE_KEY="sat_..."; $env:CVESAFE_API="https://api.cvesafe.com/api/v1"; irm "https://app.cvesafe.com/agent/windows/install.ps1" | iex

The installer registers a background service (runs as SYSTEM), installs a tray icon and keeps itself updated. On Linux, use the install.sh command shown on the same screen.

What the agent runs

  • nmap (top 100 / full / UDP) — port and service discovery. The agent auto-provisions nmap + Npcap on first use if not already present.
  • nmap_vuln — CVE detection by service/version.
  • lan_discovery — network inventory (see below).
  • snmp_audit — authenticated SNMP enumeration of a device.
  • host_audit — posture audit of the machine itself.
  • nuclei and subdomain discovery — also run locally.

LAN discovery

Under LAN discovery, pick an agent and enter a range (e.g. 192.168.0.0/24). The agent sweeps it, fingerprints each live host (OS, services, MAC vendor, SNMP description) and classifies the equipment type — router, switch, printer, IP camera, NAS, Windows/Linux host. Each device is registered as an asset in the inventory.

While the sweep runs, a progress panel shows the real-time state (queued / waiting for agent / scanning… / done with the asset count) — the screen refreshes every few seconds.

The inventory is organized by IP block (/24 subnet), with each device's type. For every asset you can:

  • Promote the host to an individual CVE scan;
  • Register SNMP and run the in-depth SNMP audit.

And to scan in bulk: "Scan network for CVEs" runs CVE detection across the entire range you entered, and "Scan block for CVEs" does the same for just that /24 subnet — both via the agent. Results show up in Scans / Vulnerabilities.

SNMP audit

For a discovered asset, register the SNMP credential (community, version and port) and click "SNMP audit". The agent uses that credential to enumerate the device in depth (interfaces, connections, processes, installed software and services) and also detects a weak/default community (e.g. public), which is a risk finding. The credential travels only over the agent's authenticated channel.

Host audit

On the Agents screen, the "Audit host" button runs a posture audit on the machine where the agent is installed (it runs as SYSTEM, so it sees protected configuration). It checks, among others (finding severity in parentheses):

  • Pending Windows updates (medium/high)
  • SMBv1 enabled (EternalBlue/WannaCry) (high)
  • RDP without NLA (BlueKeep) (high)
  • Firewall, Defender/antivirus and signatures, BitLocker, UAC
  • Autologon with cleartext password, weak local accounts, Guest enabled

Each weakness becomes a finding and enters the Issues flow, side by side with network results.

Issues & lifecycle

Findings from all of a target's scans consolidate into de-duplicated Issues — the "what to fix". Each issue has status, owner, history and an occurrence count.

  • De-duplication by organization + target + engine + fingerprint (normalized title + location).
  • Verify-on-rescan — if a new scan by the same engine no longer sees the issue, it's resolved automatically. If it reappears, it reopens.
  • States: open, triaged, in progress, resolved, false-positive (false-positive is "sticky" and won't reopen on its own).
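The three rules above (the de-duplication key, verify-on-rescan, and the sticky false-positive state) are easy to get subtly wrong, so here they are as an added example. This is not CVEsafe's code: the key components and state names are the ones listed in this section, while the title/location normalization (case folding and whitespace collapsing) is this example's own reading of "normalized".

```python
"""Issue de-duplication and verify-on-rescan (added example, not CVEsafe's code).

Models the Issues & lifecycle rules: dedup key = organization + target + engine +
fingerprint(normalized title + location); a rescan by the same engine that no
longer sees an issue resolves it, a reappearance reopens it, and false-positive
is sticky. Normalization details are this example's assumption.
"""
import hashlib
import re
from dataclasses import dataclass, field

OPEN, TRIAGED, IN_PROGRESS, RESOLVED, FALSE_POSITIVE = (
    "open", "triaged", "in progress", "resolved", "false-positive")
ACTIVE = {OPEN, TRIAGED, IN_PROGRESS}   # states verify-on-rescan may auto-resolve


def normalize(text: str) -> str:
    """Fold case and collapse whitespace so cosmetic differences do not split issues."""
    return re.sub(r"\s+", " ", text.strip().lower())


def fingerprint(title: str, location: str) -> str:
    return hashlib.sha256(f"{normalize(title)}|{normalize(location)}".encode()).hexdigest()[:16]


def issue_key(org_id: int, target_id: int, engine: str, title: str, location: str) -> tuple:
    """The de-duplication key from the docs; org first, so tenants never collide."""
    return (org_id, target_id, engine, fingerprint(title, location))


@dataclass
class Finding:
    engine: str
    title: str
    location: str


@dataclass
class Issue:
    key: tuple
    title: str
    status: str = OPEN
    occurrences: int = 0
    history: list = field(default_factory=list)


class IssueStore:
    def __init__(self):
        self.issues = {}

    def ingest_scan(self, org_id: int, target_id: int, engine: str, findings: list) -> list:
        """Consolidate one scan's findings, then apply verify-on-rescan for that engine.

        Returns the issues this scan touched (created, counted, reopened or resolved).
        """
        seen, touched = set(), []
        for f in findings:
            key = issue_key(org_id, target_id, engine, f.title, f.location)
            seen.add(key)
            issue = self.issues.get(key)
            if issue is None:
                issue = self.issues[key] = Issue(key=key, title=f.title)
                issue.history.append("opened")
            elif issue.status == RESOLVED:
                issue.status = OPEN                # reappeared after auto-resolve
                issue.history.append("reopened")
            # FALSE_POSITIVE is sticky: seeing the finding again does not reopen it.
            issue.occurrences += 1
            touched.append(issue)
        # Only issues this same engine found on this target, and no longer sees, resolve.
        for key, issue in self.issues.items():
            if key[:3] == (org_id, target_id, engine) and key not in seen and issue.status in ACTIVE:
                issue.status = RESOLVED
                issue.history.append("auto-resolved (verify-on-rescan)")
                touched.append(issue)
        return touched

    def set_status(self, key: tuple, status: str) -> Issue:
        """Manual transition (triage, assign, mark false-positive, ...)."""
        if status not in {OPEN, TRIAGED, IN_PROGRESS, RESOLVED, FALSE_POSITIVE}:
            raise ValueError(f"unknown status: {status}")
        issue = self.issues[key]
        issue.status = status
        issue.history.append(f"set {status}")
        return issue
```

Note that the auto-resolve loop is restricted to the same engine: an nmap run that reports nothing about security headers must not close issues that only the web engine can see.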

Prioritization (EPSS / KEV)

Every issue with a CVE is enriched with:

  • CVSS — technical severity.
  • EPSS — probability (0–100%) of exploitation in the next 30 days (FIRST).
  • KEV — whether the CVE is in CISA's Known Exploited Vulnerabilities catalog (actively exploited).

The combination yields a priority and an A–F grade (0–10) per asset and per group, so you can focus on the few findings that actually put you at risk — not thousands of alerts.
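To make the effect of combining the three signals concrete, here is an added example of risk-based prioritization. It is not CVEsafe's algorithm: the page says CVSS, EPSS and KEV combine into a priority and a per-asset/per-group grade but gives no formula, so every threshold, weight and grade band below is this example's own assumption, chosen only to show the intended behaviour (a KEV entry or a high EPSS outranks a high CVSS on its own, and the worst issue dominates an asset's score).

```python
"""Risk-based prioritization from CVSS, EPSS and KEV (added example).

Not CVEsafe's scoring. Thresholds, weights and grade bands are assumptions
made for illustration; the three input signals are the ones the docs name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EnrichedIssue:
    cve_id: str
    cvss: float    # 0-10 technical severity
    epss: float    # 0-1 probability of exploitation in the next 30 days (FIRST)
    kev: bool      # listed in CISA's Known Exploited Vulnerabilities catalog
    target: str


PRIORITY_WEIGHT = {"urgent": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}   # assumed


def priority(issue: EnrichedIssue) -> str:
    """Priority label: exploitation evidence (KEV, EPSS) beats raw CVSS. Thresholds assumed."""
    if issue.kev or issue.epss >= 0.5:
        return "urgent"
    if issue.cvss >= 9.0 or issue.epss >= 0.1:
        return "high"
    if issue.cvss >= 7.0:
        return "medium"
    return "low"


def ranked(issues: list) -> list:
    """Work order: priority first, then likelihood (EPSS), then severity (CVSS)."""
    return sorted(issues, key=lambda i: (-PRIORITY_WEIGHT[priority(i)], -i.epss, -i.cvss))


def asset_score(issues: list) -> float:
    """0-10 score where the worst issue dominates and the rest add a small tail (assumed rule)."""
    if not issues:
        return 0.0
    weights = sorted((PRIORITY_WEIGHT[priority(i)] for i in issues), reverse=True)
    return min(10.0, round(weights[0] + 0.25 * sum(weights[1:]), 1))


def grade(score: float) -> str:
    """A-F letter from the 0-10 score (bands assumed)."""
    for letter, ceiling in (("A", 2.0), ("B", 4.0), ("C", 6.0), ("D", 8.0)):
        if score < ceiling:
            return letter
    return "F"


def grade_assets(issues: list) -> dict:
    """Per-asset (score, grade); apply the same function to a group's issues for a group grade."""
    by_target = {}
    for i in issues:
        by_target.setdefault(i.target, []).append(i)
    out = {}
    for target, lst in by_target.items():
        s = asset_score(lst)
        out[target] = (s, grade(s))
    return out


if __name__ == "__main__":
    # Constructed sample; CVE-EXAMPLE-* are placeholders, CVE-2021-44228 is the docs' payload example.
    sample = [
        EnrichedIssue("CVE-2021-44228", 10.0, 0.97, True, "10.0.0.50"),
        EnrichedIssue("CVE-EXAMPLE-1", 9.8, 0.02, False, "10.0.0.51"),
        EnrichedIssue("CVE-EXAMPLE-2", 5.3, 0.60, False, "10.0.0.51"),
        EnrichedIssue("CVE-EXAMPLE-3", 7.5, 0.01, False, "10.0.0.52"),
    ]
    for i in ranked(sample):
        print(priority(i), i.cve_id, i.target)
    print(grade_assets(sample))
```

The interesting row in the sample is CVE-EXAMPLE-2: a medium CVSS with a 60% EPSS ranks above a 9.8 CVSS that almost nobody is exploiting, which is the point of enriching with EPSS/KEV rather than sorting by CVSS alone.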

Posture & reports

The Posture dashboard shows open issues by severity/priority, open KEV, MTTR (mean time to remediate) and the trend over time. The Command Center gives the consolidated view by engine/surface.

Reports: at the end of a batch of scans, a consolidated report is emailed (shareable with third parties) and there's CSV export for your pipeline.

Recipes (how-to)

Ready-made flows for the most common tasks.

Scan a login-protected website

  1. Add the site as a target

    Under Targets, add the URL (type website).

  2. Configure authentication

    On the target, click Auth and enter the credential (bearer token, header, cookie or basic). See Authenticated scans.

  3. Run the scan

    Under Run scan, select "Passive web analysis" and/or "Active web testing (SQLi, XSS)". The credential is injected automatically.

Inventory the internal network and scan for CVEs

  1. Install an agent

    Under Agents, generate the key and install the agent on the network (see Local agent).

  2. Run discovery

    Under LAN discovery, choose the agent and range (e.g. 192.168.0.0/24) and click Start discovery. Watch the live progress.

  3. Scan for CVEs

    Use "Scan network for CVEs" (entire range) or "Scan block for CVEs" per subnet. For a specific device, register SNMP and click SNMP audit.

Validate just a host's TLS certificate

  1. Add the host

    Type host or website.

  2. Select the check

    Under Run scan, tick only "TLS certificate validation" (and, if you like, "Weak TLS protocols & ciphers"). Start.

Push vulnerabilities to ServiceNow

  1. Connect ServiceNow

    Under Integrations, enter the URL, the user (itil role) and the password; enable and test the connection.

  2. Choose the trigger

    Turn on automatic push above a severity threshold, or use the per-vulnerability "→ ServiceNow" button. See ServiceNow.

ServiceNow (ITSM)

Under Integrations, connect your ServiceNow instance (URL, a user with the itil role, password — stored encrypted). The integration is two-way:

  • Push — open the vulnerability as an incident (manually per issue, or automatically above a severity threshold). Severity becomes impact/urgency; the incident number/link is stored on the issue.
  • Resolve here → close there — when you resolve the issue in CVEsafe, the incident is moved to Resolved.
  • Close there → resolve here — a periodic task (every 15 min) reads the incident state; if it was resolved/closed, the issue is resolved automatically in CVEsafe.

Webhooks

Outbound webhooks send a JSON POST when a vulnerability is opened or resolved — to Slack, Jira, Zendesk, n8n, SOAR or your own automations. Each endpoint has an event filter and a severity threshold.

The body is signed with HMAC-SHA256 using the endpoint secret, in the X-CVEsafe-Signature header (and the type in X-CVEsafe-Event) — verify the signature on the receiver:

# verification (Python; the digest is assumed to be hex-encoded)
import hmac, hashlib
sig = "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
if hmac.compare_digest(sig, header["X-CVEsafe-Signature"]):  # valid; constant-time compare, not ==
    ...

Example payload (issue.opened):

{
  "event": "issue.opened",
  "organization_id": 1,
  "issue": {
    "id": 123, "title": "...", "severity": "high",
    "cve_id": "CVE-2021-44228", "cvss_score": 10.0,
    "epss_score": 0.97, "kev": true,
    "priority": "urgent", "target": "10.0.0.50"
  }
}
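A complete receiver for the exchange above, as an added example rather than CVEsafe's own code or SDK: it verifies the HMAC-SHA256 signature over the raw body in constant time before parsing, checks that the X-CVEsafe-Event header agrees with the body, and then decides what to do with the issue. The hex encoding of the digest and the endpoint secret are this example's assumptions; the payload is the issue.opened example from the docs.

```python
"""Webhook receiver verifying X-CVEsafe-Signature (added example, not CVEsafe's code).

Assumes the signature is "sha256=" + hex(HMAC-SHA256(endpoint_secret, raw_body)),
as the verification snippet above describes; hex encoding is an assumption.
"""
import hashlib
import hmac
import json

# Constructed sample secret for the endpoint; a real one comes from the Integrations screen.
SECRET = b"example-endpoint-secret"

# The docs' issue.opened payload, as raw bytes (the body must be verified as received).
EXAMPLE_BODY = (
    b'{"event": "issue.opened", "organization_id": 1, "issue": {"id": 123, '
    b'"title": "...", "severity": "high", "cve_id": "CVE-2021-44228", '
    b'"cvss_score": 10.0, "epss_score": 0.97, "kev": true, '
    b'"priority": "urgent", "target": "10.0.0.50"}}'
)


def sign(secret: bytes, raw_body: bytes) -> str:
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; frameworks differ in how they normalize names."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def verify(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Constant-time check over the raw body bytes.

    Verify before parsing: re-serializing parsed JSON can change whitespace or
    key order and break the MAC, and an unauthenticated body should never reach
    the parser at all.
    """
    provided = _header(headers, "X-CVEsafe-Signature")
    return hmac.compare_digest(sign(secret, raw_body), provided)


def handle(secret: bytes, raw_body: bytes, headers: dict) -> dict:
    """Return an HTTP-style decision: 401 on bad signature, 400 on inconsistent event, else 200."""
    if not verify(secret, raw_body, headers):
        return {"status": 401, "reason": "bad signature"}
    event = _header(headers, "X-CVEsafe-Event")
    payload = json.loads(raw_body)
    if payload.get("event") != event:
        return {"status": 400, "reason": "event header and body disagree"}
    issue = payload["issue"]
    # Example routing for the receiver: page on KEV or urgent, otherwise just file the ticket.
    page = bool(issue.get("kev")) or issue.get("priority") == "urgent"
    return {"status": 200, "event": event, "issue_id": issue["id"], "page": page}


if __name__ == "__main__":
    headers = {"X-CVEsafe-Signature": sign(SECRET, EXAMPLE_BODY), "X-CVEsafe-Event": "issue.opened"}
    print(handle(SECRET, EXAMPLE_BODY, headers))
    print(handle(SECRET, EXAMPLE_BODY.replace(b'"high"', b'"low"'), headers))   # tampered body
```

Two details matter for a real endpoint: compute the MAC over the exact bytes received (before any JSON decoding), and return the same 401 for a missing, malformed or wrong signature so the response does not reveal which part failed.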

Security & privacy

  • Multi-tenant isolation — each organization only accesses its own data; every query is scoped by organization.
  • Encrypted credentials — the ServiceNow password and authenticated-scan credentials are stored with symmetric encryption (Fernet); they never return to the client.
  • Authentication — login via JWT + MFA (TOTP) and trusted devices.
  • Agent channel — machine-to-machine via an agent token; sensitive credentials (e.g. SNMP) travel only over that channel.
  • Scan authorization — you must own the asset or have authorization; we record an ownership declaration for every target.
  • Confidentiality commitment — we never access, analyze or share your data or scan results.

Plans & limits

The plans (Free, Basic, Premium, Professional) set the monthly scan quota, number of targets and members, data retention and which engines/features are available (e.g. internal agent and authenticated scans on higher tiers). See the details at cvesafe.com/pricing.

FAQ

Do you store my data or results?

We never access, analyze or store your data or results beyond what's needed to show them back to you in your account. Your targets and findings are yours alone.

Agent or agentless?

Public assets need no install. For assets reachable only inside your network, install the agent — it claims and runs those scans locally and returns the findings.

Is unauthorized scanning allowed?

No. You must own the asset or have written authorization; we record an ownership declaration for every target.

Can I integrate with my tools?

Yes — ServiceNow (two-way) and signed webhooks to any endpoint (Slack, Jira, Zendesk, SOAR, automations).

© 2026 CVEsafe · cvesafe.com