Skip to content
Now taking design partners.Roadmap →

Exposure engine

Curated catalog. Semver matching. Retro-match.

The agent is thin on purpose. Every piece of intelligence lives in the exposure engine, where new campaigns light up existing fleet state without a rescan.

Ingestion

Where the catalog comes from.

OSV.dev

CVEs, semver ranges, and unfixed advisories

GitHub Advisory Database

GraphQL API, per-ecosystem

CISA KEV

Known Exploited Vulnerabilities catalog

OpenSSF malicious-packages

Community malicious-package repo

Sekeye curated catalog

Malicious extensions, MCPs, agent skills, and model backdoors. Reviewed PRs, Ed25519-signed bundles

Principles

Four things the engine does differently.

Semver-aware

Per-ecosystem version semantics, not exact-match. A CVE that says < 1.4.7 is matched properly against 1.3.9, 1.2.5, and 0.9.1.

Retro-match

When the catalog updates, matching re-runs across your current inventory. No rescan. The campaign 'lights up' existing fleet state.

Signed catalog

Match severity carries through from the source. KEV, CVSS, or the catalog verdict on curated intel. No proprietary risk score layered on top; the catalog is the ground truth and it ships Ed25519-signed.

Fresh

Freshness target: new public campaign → catalog entry + template in under four hours (SLO to be firmed up post-MVP with pilot data).