The security teams with the most stringent requirements are often the ones forced to use the worst tools. Defense contractors, intelligence community networks, critical infrastructure operators, and classified government environments run some of the most sensitive systems on the planet, and they are largely locked out of the modern vulnerability management tooling ecosystem because every leading SaaS VM platform assumes it can phone home.
Phone-home licensing validation. Cloud-synchronized NVD data feeds. Vendor-hosted dashboards. AI remediation generation routed through external APIs. Every one of these design choices is incompatible with a network that has no path to the internet by policy, by law, or by physical design.
The irony is that the environments with the strictest security requirements are often running vulnerability management on spreadsheets and PDF exports because the modern tooling simply won't operate offline.
Where SaaS VM Tools Break in Air-Gapped Networks
The failure modes are not subtle. When you attempt to run mainstream SaaS-based vulnerability management in an air-gapped environment, you hit several hard walls immediately:
Licensing Validation
Most commercial VM tools perform license verification by contacting the vendor's licensing server on a periodic basis, often daily or weekly. In an air-gapped network, this call fails silently or loudly. Products in this category will either refuse to operate, enter a degraded mode, or eventually expire with no mechanism for renewal. Tenable, Qualys, and Rapid7 all have air-gap licensing options, but they require separate procurement and often cost-prohibitive dedicated support contracts.
NVD and CVE Data Feeds
Knowing that a piece of software is vulnerable requires knowing what vulnerabilities exist. The National Vulnerability Database, EPSS daily feeds, and the CISA KEV catalog are all internet-hosted resources. A tool that pulls these feeds at query time, or even at a nightly scheduled sync, is broken in an air-gapped environment. You need an explicit offline data transfer strategy: periodic feeds transferred via removable media, a one-way data diode, or a controlled network boundary crossing.
AI-Assisted Remediation
Modern vulnerability management increasingly depends on AI-generated remediation guidance. If that AI inference is routed to OpenAI, Anthropic, or any cloud API, it is unavailable in an air-gapped environment. The gap between a CVE disclosure and an engineer understanding how to patch it is exactly where AI can help the most, but only if the inference happens locally.
Dashboard and Reporting Access
SaaS-hosted dashboards are inaccessible by definition. If your reporting, metrics, and leadership visibility into the VM program live in a vendor cloud, your air-gapped operators have no program-level visibility at all.
SaaS VM vs. Local-First VM for Air-Gapped Use Cases
| Capability | SaaS-Based VM | Local-First VM |
|---|---|---|
| License validation | Requires cloud call; fails offline | Perpetual local license; no callbacks |
| CVE/NVD data | Live API sync; fails without internet | Offline-importable NVD data feeds |
| EPSS enrichment | Cloud fetch at scan time | Offline CSV import; updateable via media |
| KEV catalog | CISA.gov API; fails offline | Local KEV JSON, updated on controlled cycle |
| AI remediation | Cloud LLM API (OpenAI/Anthropic) | Local Ollama inference; fully air-gapped |
| Dashboard/reporting | Vendor-hosted; inaccessible | Self-hosted on internal server |
| Data sovereignty | Vulnerability data transits vendor cloud | All data stays on premise |
| Classified network deployment | Not possible | Deployable on any internal network |
Building an Offline VM Data Pipeline
Running an effective VM program in an air-gapped environment requires a controlled data transfer strategy for the feeds your program depends on. The feeds are available; getting them in is an operational discipline problem, not a technical impossibility.
NVD Data
NIST publishes the full NVD dataset as downloadable JSON feeds organized by year (e.g., nvdcve-1.1-2024.json.gz). A complete import of the NVD database currently runs to approximately 240,000 CVE records. The feeds can be downloaded on an internet-connected machine, integrity-verified against the published checksums, and transferred to the air-gapped network via a classified media transfer process or a one-way data diode. A weekly refresh is typically sufficient for non-KEV findings.
EPSS Feed
FIRST publishes the full EPSS scoring file daily as a gzipped CSV (epss_scores-YYYY-MM-DD.csv.gz). At roughly 8 MB compressed for 240,000+ CVEs, this is trivially transportable. Establish a weekly or bi-weekly transfer schedule aligned with your media transfer approval workflow.
CISA KEV Catalog
The KEV catalog is a JSON file published at cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. It is under 2MB. Given that KEV entries represent active exploitation, this should transfer on the shortest cycle your process permits, ideally daily via data diode if available.
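The three feeds above come together on the air-gapped side in a small import step: verify each transferred file against the hash recorded on the transfer manifest, parse EPSS and KEV, and attach that context to scanner findings. The following is an added example, not code from the article or from any vendor product. It assumes the EPSS CSV layout (a `#` comment line followed by `cve,epss,percentile`), the KEV JSON layout (a top-level `vulnerabilities` list with `cveID` and `dueDate`), and that the expected SHA-256 for each file travels with the media; the sample feeds, the priority tiers, and the `CVE-1900-*` identifiers are all constructed for the demonstration.

```python
"""Offline enrichment of VM findings from media-transferred EPSS and KEV feeds.

Added example (not from the article or any product). Assumptions: the transfer
manifest carries a SHA-256 per file; EPSS CSV = '#' comment line + 'cve,epss,percentile';
KEV JSON = {'vulnerabilities': [{'cveID': ..., 'dueDate': ...}, ...]}.
All sample data is constructed; CVE-1900-* IDs are fictitious.
"""
import csv
import gzip
import hashlib
import io
import json
from pathlib import Path
from tempfile import TemporaryDirectory

SAMPLE_EPSS = (  # constructed, mimics epss_scores-YYYY-MM-DD.csv layout
    "#model_version:v2023.03.01,score_date:2024-01-01T00:00:00+0000\n"
    "cve,epss,percentile\n"
    "CVE-1900-0001,0.97000,0.99900\n"
    "CVE-1900-0002,0.00100,0.20000\n"
    "CVE-1900-0003,0.55000,0.95000\n"
)
SAMPLE_KEV = {  # constructed, mimics known_exploited_vulnerabilities.json layout
    "title": "constructed KEV sample", "count": 1,
    "vulnerabilities": [{"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor",
                         "product": "ExampleProduct", "dateAdded": "2024-01-02",
                         "requiredAction": "Apply updates per vendor instructions.",
                         "dueDate": "2024-01-23"}],
}
FINDINGS = ["CVE-1900-0001", "CVE-1900-0002", "CVE-1900-0003", "CVE-1900-0004"]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_transfer(path: Path, expected_sha256: str) -> None:
    """Refuse to import a feed whose hash differs from the transfer manifest."""
    if sha256_of(path) != expected_sha256.lower():
        raise ValueError(f"{path.name}: checksum mismatch, refusing import")


def load_epss(path: Path) -> dict:
    """Parse the gzipped EPSS CSV into {cve: (epss, percentile)}."""
    with gzip.open(path, "rt", encoding="utf-8") as f:
        rows = [line for line in f if not line.startswith("#")]  # drop model_version comment
    reader = csv.DictReader(io.StringIO("".join(rows)))
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in reader}


def load_kev(path: Path) -> dict:
    """Parse the KEV catalog into {cve: dueDate}."""
    data = json.loads(path.read_text(encoding="utf-8"))
    return {v["cveID"]: v["dueDate"] for v in data["vulnerabilities"]}


def enrich(findings, epss, kev):
    """Attach EPSS/KEV context and a constructed priority tier, KEV first, then by EPSS."""
    out = []
    for cve in findings:
        score, pct = epss.get(cve, (0.0, 0.0))  # unknown to EPSS: treat as 0
        tier = "P1" if cve in kev else ("P2" if score >= 0.5 else "P3")
        out.append({"cve": cve, "epss": score, "percentile": pct,
                    "kev": cve in kev, "kev_due": kev.get(cve), "tier": tier})
    return sorted(out, key=lambda r: (r["tier"], -r["epss"]))


def demo():
    """Run verify -> parse -> enrich on constructed feeds; returns (enriched, tamper_detected)."""
    with TemporaryDirectory() as tmp:
        d = Path(tmp)
        epss_path = d / "epss_scores-2024-01-01.csv.gz"
        with gzip.open(epss_path, "wt", encoding="utf-8") as f:
            f.write(SAMPLE_EPSS)
        kev_path = d / "known_exploited_vulnerabilities.json"
        kev_path.write_text(json.dumps(SAMPLE_KEV), encoding="utf-8")

        # The manifest is produced on the connected side before the media leaves;
        # computing it from the pristine files here stands in for that step.
        manifest = {p.name: sha256_of(p) for p in (epss_path, kev_path)}
        for p in (epss_path, kev_path):
            verify_transfer(p, manifest[p.name])

        # A file altered in transit (here: one appended byte) must be rejected.
        tampered = d / "tampered.json"
        tampered.write_text(kev_path.read_text(encoding="utf-8") + "\n", encoding="utf-8")
        try:
            verify_transfer(tampered, manifest[kev_path.name])
            tamper_detected = False
        except ValueError:
            tamper_detected = True

        enriched = enrich(FINDINGS, load_epss(epss_path), load_kev(kev_path))
        return enriched, tamper_detected


if __name__ == "__main__":
    for row in demo()[0]:
        print(row["tier"], row["cve"], row["epss"], "KEV" if row["kev"] else "")
```

The checksum step is the part that matters operationally: a feed that crosses a boundary on removable media is an untrusted input until its hash matches what was recorded on the connected side, so the import refuses rather than warns. The tiering is deliberately simple and is only there to show the EPSS and KEV fields being consumed; a real program would fold in asset criticality and exposure.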
Local LLM Inference for Remediation Guidance
AI-generated remediation guidance translates CVE descriptions written for vulnerability researchers into specific patch instructions for systems engineers, and it's one of the most impactful capabilities you can add to a VM program. In an air-gapped environment, this requires local LLM inference.
Ollama is an open-source local LLM inference server that runs on commodity hardware. Models in the 7B–14B parameter range produce remediation guidance of adequate quality on CPU-only hardware, and excellent quality on machines with a mid-range GPU. The full deployment stack, Ollama server plus a fine-tuned or system-prompted model, can be transferred to the air-gapped environment on removable media as a container image or bare binary.
The key requirement is that the inference server exposes a local API endpoint. No outbound network call is required. Your VM tool queries the local Ollama instance at http://localhost:11434, the model generates the remediation guide, and nothing leaves the machine.
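To make "nothing leaves the machine" a property of the code rather than of good intentions, the request path can refuse any inference endpoint that is not loopback before it sends a byte. The following is an added example, not code from the article or from Ollama or CVEasy AI. It assumes Ollama's `POST /api/generate` endpoint, which takes a JSON body with `model`, `prompt` and `stream` and returns the generated text under `response`; the model tag, the sample finding, and the canned reply returned by the offline stand-in transport are constructed.

```python
"""Remediation-guidance request to a local Ollama endpoint with an egress guard.

Added example, not from the article or any product. Assumes Ollama's POST /api/generate
(JSON body: model, prompt, stream; reply JSON: 'response'). Model tag, sample finding
and the canned reply are constructed.
"""
import json
import urllib.request
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

SAMPLE_FINDING = {  # constructed scanner finding; CVE-1900-0001 is fictitious
    "cve": "CVE-1900-0001", "product": "ExampleService", "version": "2.3.1",
    "os": "RHEL 8", "description": "Unauthenticated remote code execution in the admin listener.",
}


def assert_local_endpoint(url: str) -> str:
    """Refuse any inference URL that is not loopback, so scan data cannot leave the host."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if u.scheme not in ("http", "https") or host not in LOOPBACK_HOSTS:
        raise ValueError(f"refusing non-local inference endpoint: {url}")
    return url.rstrip("/")


def build_prompt(finding: dict) -> str:
    """Turn a scanner finding into a prompt asking for engineer-facing patch steps."""
    return (
        "You are assisting a systems engineer on an isolated network with no internet access.\n"
        f"Vulnerability: {finding['cve']} in {finding['product']} {finding['version']} "
        f"on {finding['os']}.\nDescription: {finding['description']}\n"
        "Write numbered remediation steps for this host: the package or configuration to "
        "change, how to verify the fix, and any service restart required. If a download is "
        "needed, say so explicitly so it can be staged for offline transfer."
    )


def http_transport(url: str, body: dict) -> dict:
    """Default transport: plain JSON POST via urllib, no third-party client needed."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.loads(resp.read().decode("utf-8"))


def remediation_guide(finding: dict, model: str = "llama3:8b",
                      base_url: str = "http://localhost:11434", transport=http_transport) -> str:
    """Build the prompt, enforce the loopback guard, and return the model's text.

    'llama3:8b' is an assumed model tag; substitute whatever was staged on the media.
    """
    base = assert_local_endpoint(base_url)
    body = {"model": model, "prompt": build_prompt(finding), "stream": False}
    reply = transport(base + "/api/generate", body)
    return reply["response"].strip()


def canned_transport(url: str, body: dict) -> dict:
    """Offline stand-in for Ollama: records the request and returns a constructed reply."""
    canned_transport.last_request = (url, body)
    return {"model": body["model"], "done": True,
            "response": "1. (constructed reply) Apply the vendor patch for ExampleService 2.3.1.\n"}


def demo():
    """Exercise the request path without a running server; returns (guide, url, body)."""
    guide = remediation_guide(SAMPLE_FINDING, transport=canned_transport)
    url, body = canned_transport.last_request
    return guide, url, body


if __name__ == "__main__":
    guide, url, body = demo()
    print("POST", url)
    print(guide)
```

Swapping `canned_transport` for the default `http_transport` sends the same request to a real local Ollama instance. The guard is the defensive point: a misconfigured `base_url` pointing at a cloud API raises before any prompt containing host, version and vulnerability details is assembled into a request, which is the exposure the Compliance Implications section below is concerned with.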
Compliance Implications
For DoD IL4/IL5 environments, FedRAMP Moderate/High systems, and IC networks, the local-first architecture is not just operationally preferable, it may be legally required. Sending vulnerability scan data to a cloud API to generate remediation guidance could constitute unauthorized transmission of sensitive system configuration data, depending on the classification of the network and the data it processes.
Local-first VM is not just about working offline. It is the only architecture that does not create a new exposure every time you ask for help remediating an old one.
The teams that have the hardest security requirements should not be forced to choose between running a modern vulnerability management program and complying with their network security policies. Local-first architecture makes that a false choice.
CVEasy AI is a perpetual license. You pay once. You run it on your hardware, on your network, with your data. No subscription. No true-up. No cloud.