Vulnerability management
What we scan
| Source | What we read |
|---|---|
| Volume snapshots | OS package database (Debian/Ubuntu, RHEL/Rocky, Alpine, Arch) plus language manifests (Node, Python, Go, Rust, Java, Ruby, PHP) |
| Container images | Every layer, same package extractors |
| Serverless functions | Deployed package and its dependencies |
| Kubernetes pods | Image references, fed back into the image scanner |
Output: a software inventory for every workload, refreshed on each scan.
How we match
The matching pipeline goes through several enrichment stages:
- Public vulnerability databases, refreshed regularly. Every package version in the inventory is checked against the canonical vulnerability records, matching on package URL (PURL).
- Distro security advisories (e.g. Ubuntu USN, Debian DSA, RHEL RHSA, Amazon Linux ALAS) override the upstream record when they have a more accurate "fixed in" version for the distribution-packaged software.
- Ecosystem feeds (npm advisory database, GitHub Security Advisories, RustSec, PyPA, Go vulnerability database, ...) cover language-specific issues that NVD misses.
- Ctadel enrichment: we maintain our own corrections for known false positives, missing fix versions, late-published CVEs, and disputed records. Our database is refreshed continuously.
The result is one finding per (package, CVE) pair, with the package version, the fixed version, the most authoritative advisory, and the enrichment metadata.
Prioritisation: not just CVSS
CVSS is the wrong starting point for cloud workloads. Ctadel surfaces three additional signals on every finding:
| Signal | What it tells you |
|---|---|
| EPSS | Probability the CVE will be exploited in the next 30 days |
| KEV | Whether the CVE is on CISA's Known Exploited Vulnerabilities list |
| Exposure | Whether the affected workload is internet-reachable, computed from the security graph |
A CRITICAL CVSS-10 on an isolated dev VM with no internet exposure ranks below a HIGH CVSS-7.5 KEV CVE on a public-facing API server. Ctadel's risk score captures this.
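An illustrative ranking of the two workloads described above, as an added example that is not Ctadel's code: the page does not publish the scoring formula, so the weights in `risk_score`, the `Finding` fields and the sample findings (placeholder CVE IDs, constructed assets) are assumptions chosen only to show how EPSS, KEV and exposure can reorder findings that CVSS alone would rank the other way.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One (package, CVE) finding with the signals the page lists."""
    cve: str
    package: str
    asset: str
    cvss: float      # CVSS base score, 0-10
    epss: float      # probability of exploitation in the next 30 days, 0-1
    kev: bool        # listed in CISA's Known Exploited Vulnerabilities
    exposed: bool    # asset is internet-reachable per the security graph


def risk_score(f: Finding) -> float:
    """Assumed composite score: CVSS as baseline, EPSS and KEV raise it,
    lack of exposure discounts it. Weights are illustrative, not Ctadel's."""
    score = f.cvss
    score += 3.0 * f.epss            # near-certain exploitation adds up to +3
    if f.kev:
        score += 4.0                 # confirmed in-the-wild exploitation
    if not f.exposed:
        score *= 0.4                 # unreachable workloads are far less urgent
    return round(score, 2)


def rank(findings):
    """Highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings (placeholder CVE IDs) mirroring the text's example.
SAMPLE = [
    Finding("CVE-XXXX-0001", "libfoo 1.0.0", "dev-vm-01", 10.0, 0.02, False, False),
    Finding("CVE-XXXX-0002", "libbar 2.3.1", "api-prod-01", 7.5, 0.60, True, True),
    Finding("CVE-XXXX-0003", "libbaz 0.9.4", "web-prod-02", 9.8, 0.10, False, True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{risk_score(f):6.2f}  {f.cve}  {f.package}  on {f.asset}")
```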
What ends up in a CVE finding
| Field | Example |
|---|---|
| CVE ID | CVE-2021-44228 |
| Severity | CRITICAL |
| CVSS | 10.0 with full vector |
| EPSS | The current EPSS score and percentile |
| KEV | Yes / No |
| Package | log4j-core 2.14.1 |
| Fixed in | 2.17.0 |
| Source | The asset (VM, image, function) the package is on |
| Is exposed | Whether the asset is internet-reachable |
| Real-world incident | Curated context for high-impact CVEs |
What's next
- The Vulnerabilities module
- Toxic combinations & attack paths: how a CVE becomes the entry point of a breach chain
- HCR, the sibling detector for OS hardening