Demo build: every run replays a real captured triage (captured with Claude sonnet, replayed faster than real time). No API key, no backend. Clone the repo to run the live agent.
How to use it & glossary

Guide

Two parts. First, how to drive the agent: what to type, and how to read the verdict it streams back. Then a working glossary of the security frameworks and data sources under the hood: what each one is, why it appears in the triage output, and where to read the primary source. Useful both for running a triage and for explaining the report to a stakeholder who has not seen MITRE before.

Part 1

Driving the agent

1 · Start a triage

Open the Triage tab and describe what to assess. The agent selects the tools from the shape of the input; you never wire them by hand. Five accepted inputs:

A CVE IDCVE-2021-44228

The full NVD record plus every operational signal (KEV, EPSS, exploits, patch) fan out in parallel.

A package at a versionlog4j-core 2.14.1

OSV.dev advisories for that exact package and version: the inverse of a CVE lookup.

A natural-language questionIs my Spring app exposed to Spring4Shell?

Semantic search over a local index of recent high-severity CVEs when there is no explicit ID.

An SBOMCycloneDX / SPDX / requirements.txt

Paste it to bulk-triage the most-likely-vulnerable components in one pass.

Nmap XMLnmap -oX scan.xml

Service banners become CVE queries; parsing is XXE-safe (defusedxml, no DTD).

In this hosted demo the Triage tab replays seven real captured runs (model sonnet against the live stack, captured 2026-07-02), covering the full SSVC ladder from Act to Track. Pick one from the example gallery; free-text input matches only those seven (a CVE id from the set works too). Replay pacing is compressed so you are not waiting out the real 35-135 second runs; the waterfall durations shown are the real measured ones. Clone the repo to run the live agent on arbitrary input.

The report streams in node by node as the agent reasons; a single-CVE triage typically settles in under two minutes.

2 · Read the SSVC verdict

The verdict is the headline of the report. SSVC (Stakeholder-Specific Vulnerability Categorization) is the decision framework CISA uses for remediation urgency, built to replace sorting by CVSS score with a decision over exploitation evidence and impact. Here it is computed server-side from the collected signals, never guessed by the model, and it is SSVC-informed rather than a certified implementation: a stateless triage tool cannot know your asset criticality, so ransomware association and CVSS severity stand in for the impact axis. Four rungs, most urgent first:

  • ActRemediate now. The CVE is on CISA KEV, or associated with ransomware, or has a public exploit paired with a high EPSS probability.
  • AttendPrioritize in the fast lane of the normal cycle. A public exploit already exists, or EPSS predicts high near-term exploitation (probability >= 0.5, or percentile >= 0.95).
  • Track*Watch closely. EPSS is elevated (probability >= 0.1) but below the high band, or CVSS severity is high or critical with no exploitation signal observed yet; a pre-mortem signal, not an emergency.
  • TrackRoutine handling. No KEV listing, no known exploit, low exploitation probability.

The rationale names the driving CVE and the rule that fired, and links straight to that CVE's card.

3 · Read the rest of the report

Signal coverage

A per-feed strip: found / no entry / error / not queried. Honesty about what the agent actually reached; a feed that was down is shown, never silently skipped.

CVE cards

CVSS score and vector, CISA KEV membership and due date, EPSS probability and percentile, ransomware association, and the concrete fixed version when one exists.

ATT&CK techniques

The underlying weakness classes (CWE) mapped to MITRE ATT&CK techniques and mitigations, so the report speaks the language of detection engineering.

Reasoning waterfall

Every Pydantic AI node with its measured duration, plus token usage and cost for the run. The reasoning chain is the audit log, not a black box.

4 · Export & share

Every report exports to Markdown (for a ticket or a wiki) or raw JSON (the exact TriageReport, for downstream tooling).

Copy link encodes the whole report into a URL fragment, compressed client-side. The fragment never leaves the browser for the server, so a shared link round-trips the report through the read-only /r route with zero backend storage.

Part 2

Frameworks under the hood

CVE, NVD, CVSS and CWE
Vulnerability ID + scoring

What it is

A CVE (Common Vulnerabilities and Exposures) is a globally unique identifier for a single, publicly disclosed vulnerability, assigned by a CVE Numbering Authority (CNA). The NVD (NIST National Vulnerability Database) enriches each CVE record with CVSS (Common Vulnerability Scoring System) v3 base scores in the range 0.0-10.0, mapped to severity bands (low / medium / high / critical), one or more CWE (Common Weakness Enumeration) identifiers describing the underlying weakness class, and CPE (Common Platform Enumeration) match expressions that pinpoint affected products and versions. CVSS is a deterministic vector of base metrics (attack vector, complexity, privileges, user interaction, scope, CIA impact), not a probability of exploitation.

Why it appears here

cve_lookup pulls the full NVD 2.0 record. patch_lookup extracts fixed-version info from CPE versionEndExcluding ranges. attack_mapping turns the returned CWE IDs into ATT&CK techniques. CVSS is reported but the agent does not treat it as exploit likelihood; that is EPSS's job.

Used bycve_lookupcve_semantic_searchpatch_lookupattack_mapping
CISA KEV: Known Exploited Vulnerabilities
Patch-now signal

What it is

The CISA KEV catalog is a curated, evidence-based list maintained by the US Cybersecurity and Infrastructure Security Agency of CVEs that have been observed exploited in the wild. Federal civilian agencies are mandated by Binding Operational Directive 22-01 to remediate KEV-listed vulnerabilities by a specific due date. Each entry includes the vendor, product, vulnerability name, the due date, an optional notes field, and (since 2023) a `knownRansomwareCampaignUse` flag.

Why it appears here

kev_check is the strongest 'patch now' signal in the triage. Unlike CVSS (capability) or EPSS (prediction), KEV is observed reality. When a CVE is on KEV, the recommended_action escalates regardless of CVSS, and the ransomware flag surfaces explicitly in the report.

Used bykev_check
FIRST EPSS: Exploit Prediction Scoring System
Forward-looking probability

What it is

EPSS, maintained by FIRST.org, is a daily-updated machine-learning model that estimates the probability that a CVE will be exploited in the next 30 days, plus a percentile rank against the rest of the CVE space. Inputs include CVE metadata, public-exploit availability, vendor product data, and dark-web/threat-intel signals. The model is open and the methodology is published; the raw scores are free via API.

Why it appears here

epss_score complements KEV: KEV is binary and lagging (it requires observed exploitation), EPSS is continuous and forward-looking. A high EPSS without KEV listing is a 'pre-mortem' signal for prioritization. The agent reports both, and the dashboard counts CVEs with EPSS >= 0.5 as 'High EPSS'.

Used byepss_score
OSV.dev: package-level advisories
Package + version lookup

What it is

OSV.dev is Google's open vulnerability database keyed by package and version rather than by product. It aggregates CVE records, GitHub Security Advisories (GHSA), and ecosystem-native advisories (PyPI, npm, Go, Maven, crates.io, NuGet, RubyGems) into one schema with precise introduced / fixed version ranges. Where NVD answers 'what is CVE-2021-44228?', OSV answers 'is this package at this version affected by anything?'.

Why it appears here

osv_lookup is the inverse of cve_lookup: given a dependency at an exact version it queries OSV.dev and returns each applicable advisory with its CVE / GHSA aliases, upstream severity, and the version boundary where the fix landed. It is the fastest path from a dependency pin ('requests 2.5.0') to a grounded verdict.

Used byosv_lookup
MITRE ATT&CK
Adversary TTPs

What it is

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics (the 'why' of an attack step: Initial Access, Execution, Persistence), techniques (the 'how': Phishing, Exploitation of Remote Services), sub-techniques, and procedures, sourced from observed real-world incidents. Each technique has a stable ID (e.g. T1190, T1059) and ships with detection guidance, data sources, and mapped mitigations.

Why it appears here

attack_mapping turns the CWE IDs surfaced by cve_lookup into ATT&CK techniques + mitigations. This pivots the report from defect-class (CWE) to attacker-behavior (ATT&CK), which is the language SOC and red-team teams actually use to plan detections and exercises.

Used byattack_mapping
MITRE ATLAS: AI threat matrix
Adversary TTPs for AI

What it is

MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is the ATT&CK-equivalent matrix for AI/ML systems: the same tactic-and-technique structure, extended to AI-specific attack surfaces. Tactics include ML Model Access, ML Attack Staging, Exfiltration, and Impact. Techniques cover LLM Prompt Injection (direct and indirect), LLM Jailbreak, Unsafe Plugin Output Handling, Exfiltration via ML Inference API, Cost Harvesting, and Denial of ML Service. ATLAS is the canonical taxonomy for talking about LLM-specific attacks in the same shape SOC teams already understand.

Why it appears here

The red-team battery (sec-recon-redteam) tags every prompt-injection payload with one or more ATLAS technique IDs. The drift detector reports per-technique resistance rates so a regression on Exfiltration via ML Inference API surfaces by stable identifier rather than by free-text. The repository's authoritative mapping (with the specific T-IDs that this codebase tracks) lives in docs/mitre_atlas.md; MITRE periodically renumbers techniques, so consult that file for the version actually exercised by tests.

Used bysec-recon-redteam (CLI)
SBOM: CycloneDX, SPDX, PEP 508
Software inventory

What it is

A Software Bill of Materials enumerates every component (library, container, OS package) in a piece of software, with version and an optional package URL (purl) for canonical identification. CycloneDX is the OWASP standard (JSON or XML; this codebase consumes the 1.x JSON shape only). SPDX 2.x JSON is the Linux Foundation / ISO/IEC 5962:2021 standard. The Python requirements.txt heuristic here accepts a strict subset of PEP 508 (lines of the form name==version or name>=version). US Executive Order 14028 and several EU directives push SBOM as a mandatory artifact for software supply-chain transparency.

Why it appears here

sbom_ingest parses any of the three formats in-process (no network), returning a normalized component list (name, version, purl, type). The agent then runs cve_semantic_search and cve_lookup against the most-likely-vulnerable components, batching tool calls. This is the bulk-triage entry point: paste an SBOM, get a prioritized risk list.

Used bysbom_ingestcve_semantic_searchcve_lookup
Nmap XML output
Network scan ingestion

What it is

Nmap's `-oX` flag produces a structured XML report of a network scan: hosts, open ports, detected services, version banners (when -sV is used), OS fingerprints, script results. The XML format is stable and is the canonical ingestion shape for downstream tools.

Why it appears here

nmap_parse_xml uses defusedxml with forbid_dtd=True to neutralize XXE before parsing. The structured output (host, port, service, product, version) is fed back to cve_semantic_search to surface CVEs matching the discovered service banners. Untrusted strings (banners can be attacker-controlled) are fenced as UNTRUSTED_CONTENT before reaching the LLM.

Used bynmap_parse_xmlcve_semantic_search
OWASP LLM Top 10
LLM application risks

What it is

The OWASP Top 10 for Large Language Model Applications is a curated list of the most critical risks in production LLM systems. The 2025 edition covers LLM01 Prompt Injection, LLM02 Sensitive Information Disclosure, LLM03 Supply Chain, LLM04 Data and Model Poisoning, LLM05 Improper Output Handling, LLM06 Excessive Agency, LLM07 System Prompt Leakage, LLM08 Vector & Embedding Weaknesses, LLM09 Misinformation, LLM10 Unbounded Consumption.

Why it appears here

The mapping is documented in docs/owasp_llm_top10.md with file:line citations to the actual mitigations in the codebase. The system prompt has an explicit untrusted-content fence (LLM01), the audit trail does not persist plaintext queries unless opt-in (LLM02), and the output schema enforces structure to prevent prompt-injection effects from leaking into downstream consumers (LLM05).

Used byTriageReport schemauntrusted-content fenceaudit privacy
ISO/IEC 42001:2023
AI management system

What it is

ISO/IEC 42001:2023 is the first international standard for an AI Management System (AIMS): a Plan-Do-Check-Act framework analogous to ISO 27001 but specific to AI. Annex A enumerates 38 controls across leadership, planning, support, operation, performance evaluation, and improvement, explicitly covering responsibilities, data quality, transparency, system impact, and lifecycle management. It is certifiable, and it is the closest existing management-system scaffold for EU AI Act risk-management obligations; it is not an AI Act harmonized standard.

Why it appears here

docs/iso_42001.md maps the relevant Annex A controls to where they are implemented or explicitly out of scope. The TriageReport schema, the audit trail, the red-team battery, and the published threat-model documents satisfy the transparency, traceability, and risk-control clauses for a small portfolio-scale AIMS.

Used bydocs/iso_42001.mdaudit trailred-team battery
Pydantic AI
Typed LLM agent framework

What it is

Pydantic AI is a Python framework for building agentic systems where the LLM output is constrained by a Pydantic model. Tools are typed Python functions, the model is selected per agent, and the iteration is exposed as an async stream of nodes (UserPromptNode, ModelRequestNode, CallToolsNode, End). The framework enforces schema validation at the model boundary: an output that does not match the declared schema raises before reaching the caller.

Why it appears here

The agent is a Pydantic AI agent with TriageReport as the output type. The SSE stream emits one node event per Pydantic AI node, so the UI can render the reasoning step-by-step. Tool calls are typed by MCP contracts (see below); the LLM cannot invent arguments.

Used byagent boundary
MCP: Model Context Protocol
Tool transport protocol

What it is

MCP (Model Context Protocol) is Anthropic's open protocol for connecting LLMs to external tools and data sources. An MCP server exposes typed tools (name + JSON schema + handler), resources (read-only data), and prompts. Transports include stdio (local subprocess) and HTTP+SSE (remote). The protocol decouples the LLM agent from the tool implementation and gives tool I/O its own contract surface, separate from the LLM prompt.

Why it appears here

The 10 tools live in a separate MCP server process (FastMCP, HTTP+SSE on :8001). The agent connects via MCPToolset. This means the tools can be reused by any MCP-aware client (Claude Desktop, future agents), and the tool surface is auditable as a stable contract independent of the prompt.

Used bymcp-server :8001MCPToolset