Customer Support

Frequently Asked Questions

Everything you need to know about CVEasy AI. Can't find what you're looking for? Our sales engineering team is here to help.


General

CVEasy AI is a local-first Continuous Threat Exposure Management (CTEM) platform that combines vulnerability management, AI-powered remediation guidance, and attack simulation in a single application. It runs entirely on your hardware with zero cloud dependency.

The platform includes three core capabilities:

  • CVEasy AI Engine - Local AI that generates remediation guidance using on-device LLMs
  • TRIS Scoring - Proprietary 7-layer risk prioritization that goes beyond CVSS
  • BASzy AI - Built-in breach and attack simulation with 124 MITRE ATT&CK-mapped modules

CVEasy AI is purpose-built for security teams of all sizes that need enterprise-grade vulnerability management without the overhead of legacy platforms. Common buyers include:

  • Security teams at mid-market and enterprise organizations
  • MSSPs and MDR providers managing vulnerability programs for multiple clients
  • Regulated industries (finance, healthcare, government, defense) that require air-gapped or on-premises deployment
  • OT/ICS environments where cloud-connected tools are not permitted

TRIS (Threat-Risk Intelligence Score) is CVEasy AI's proprietary contextual risk scoring system. A CVSS base score measures the intrinsic severity of a vulnerability independent of where it sits in your environment and whether anyone is exploiting it; TRIS weighs seven real-world factors:

  • CVSS base score
  • EPSS exploitation probability
  • CISA KEV catalog status
  • Exploit maturity and availability
  • Asset criticality and exposure
  • Business context and impact
  • Active threat intelligence

The result is an actionable SLA band assignment: ACT (fix immediately), ATTEND (fix within SLA), TRACK (monitor and schedule), or MONITOR (accept risk with visibility). This means your team works on what actually matters, not just what has the highest CVSS number.
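To make the difference between CVSS-only ranking and contextual ranking concrete, here is an added example (not CVEasy AI's code; the TRIS weights and thresholds are proprietary and are not published on this page). It uses the seven factors listed above with assumed weights and band cut-offs, over constructed sample findings, and shows that a CVSS 9.8 finding on an isolated test VM lands behind a CVSS 7.5 finding that is in the KEV catalog on an internet-facing payment gateway:

```python
from dataclasses import dataclass

# Illustrative contextual scoring over the seven factors the page lists.
# The weights, exploit-maturity values and band thresholds below are
# assumptions for the example, not TRIS's actual formula.


@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float            # CVSS base score, 0.0-10.0
    epss: float            # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool           # listed in the CISA KEV catalog
    exploit: str           # exploit maturity: "none", "poc" or "weaponized"
    criticality: int       # asset criticality, 1 (low) to 5 (crown jewel)
    internet_facing: bool  # asset exposure
    impact: int            # business impact if compromised, 1 to 5
    active_threat: bool    # threat intel reports active targeting


EXPLOIT_MATURITY = {"none": 0.0, "poc": 0.3, "weaponized": 0.7}  # assumed values


def contextual_score(f: Finding) -> float:
    """0-100 score: 25% intrinsic severity, 45% likelihood, 30% exposure (assumed split)."""
    severity = f.cvss / 10.0
    # Likelihood is driven by the strongest exploitation signal, not by CVSS.
    likelihood = max(f.epss, EXPLOIT_MATURITY[f.exploit], 1.0 if f.in_kev else 0.0)
    if f.active_threat:
        likelihood = min(1.0, likelihood + 0.2)
    exposure = (f.criticality + f.impact) / 10.0
    if f.internet_facing:
        exposure = min(1.0, exposure + 0.3)
    return round(100 * (0.25 * severity + 0.45 * likelihood + 0.30 * exposure), 1)


def sla_band(score: float) -> str:
    """Map a score to the SLA bands the page describes (thresholds assumed)."""
    if score >= 75:
        return "ACT"
    if score >= 50:
        return "ATTEND"
    if score >= 25:
        return "TRACK"
    return "MONITOR"


def prioritize(findings):
    """Return (name, score, band) tuples, highest contextual risk first."""
    ranked = sorted(findings, key=contextual_score, reverse=True)
    return [(f.name, contextual_score(f), sla_band(contextual_score(f))) for f in ranked]


def cvss_only_order(findings):
    """The ordering a CVSS-sorted queue would give, for comparison."""
    return [f.name for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample findings (asset names and attributes are made up for the example).
SAMPLE = [
    Finding("edge-app", 10.0, 0.97, True, "weaponized", 5, True, 5, True),
    Finding("test-vm", 9.8, 0.004, False, "none", 2, False, 2, False),
    Finding("payments-gw", 7.5, 0.30, True, "poc", 4, True, 3, False),
    Finding("hr-portal", 7.2, 0.15, False, "weaponized", 3, False, 4, False),
    Finding("kiosk", 3.1, 0.001, False, "none", 1, False, 1, False),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(SAMPLE))
    for name, score, band in prioritize(SAMPLE):
        print(f"{band:8} {score:6.1f}  {name}")
```

Sorted by CVSS alone, test-vm (9.8) would be worked before payments-gw (7.5) and hr-portal (7.2); with exploitation likelihood and exposure weighed in, test-vm drops to TRACK while the two lower-CVSS findings become ACT and ATTEND.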

BASzy AI is CVEasy AI's built-in Breach and Attack Simulation engine. It includes 124 attack modules mapped to the MITRE ATT&CK framework, letting you validate whether your vulnerabilities are actually exploitable before burning remediation cycles.

BASzy runs entirely locally on your hardware. No external BAS vendor required, no data leaves your network, and no agents need to be installed on target systems. It supports attack chain simulation, agentless collection, and generates interactive HTML reports with a visual attack map.

CVEasy AI imports scan results from six major scanners:

  • Nessus - CSV and .nessus XML exports
  • Qualys - CSV and XML exports
  • Nuclei - JSON output
  • Burp Suite - XML exports
  • OWASP ZAP - XML and JSON exports
  • Trivy - JSON output

CVEasy normalizes all findings into a unified data model, deduplicates across scanners, and applies TRIS scoring to every vulnerability regardless of source. No vendor lock-in. Use the scanners your team already knows.

CVEasy AI ships with a local database of 330,000+ CVEs sourced from the National Vulnerability Database (NVD), carrying CVSS scores and exploit references and enriched with EPSS exploitation probabilities (published by FIRST) and CISA KEV catalog status. The database can be updated offline via snapshot files for air-gapped environments, or automatically via NVD feeds when an internet connection is available.

Technical

CVEasy AI is designed to run on modest hardware:

  • Operating System: macOS (Apple Silicon or Intel)
  • RAM: 16GB minimum
  • Storage: SQLite-based, minimal disk footprint
  • Network: None required (fully air-gapped capable)

There is no database server to install, no Redis, no Elasticsearch, and no containers. One file is your entire database. Back it up with cp and migrate it with a USB drive. Take the copy while the application is closed, or use SQLite's online backup, so the file is not captured mid-write; with write-ahead logging, recent commits may still sit in a -wal sidecar file next to the database rather than in the main file.

CVEasy AI Engine runs large language models directly on your hardware using local inference. No API keys are required for core AI functionality. The engine generates remediation guidance that includes:

  • Step-by-step fix instructions tailored to your environment
  • Rollback procedures in case patches cause issues
  • Verification commands to confirm the fix worked
  • Compensating controls when patching is not immediately possible

Your vulnerability context never touches an external API unless you choose otherwise. For teams that prefer cloud models, CVEasy AI optionally supports connecting to OpenAI or Azure OpenAI as an alternative to local inference; in that configuration the prompts built from your findings are sent to that provider.

Yes. CVEasy AI exposes a full REST API for programmatic access to all platform capabilities, including vulnerability data, TRIS scores, scan imports, remediation guidance, reporting, and BASzy simulation triggers. The API enables integration with your existing SIEM, ticketing, and automation workflows.

CVEasy AI maps vulnerabilities to major compliance frameworks including:

  • NIST 800-53 - Security and privacy controls
  • SOC 2 - Trust Services Criteria
  • PCI DSS - Payment card industry requirements
  • HIPAA - Healthcare data protection
  • FedRAMP - Federal cloud security
  • ISO 27001 - Information security management

The platform generates audit-ready evidence packages that document how your vulnerability management program meets regulatory requirements. Reports are available as interactive HTML with drill-down capability and exportable PDF for board and auditor distribution.

When you import results from multiple scanners, CVEasy AI normalizes all findings into a unified data model using CVE IDs, CPE strings, and host identifiers. Duplicate findings are automatically merged, enriched with data from all sources, and assigned a single TRIS score. This gives you a true single pane of glass across your entire scanner fleet, eliminating the spreadsheet reconciliation that plagues multi-vendor environments.
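The scanner-import answer above and this one both describe the same pipeline: parse each scanner's native export, normalize to one record per (host, CVE), and merge duplicates while keeping the evidence from every source. The following is an added example of that pipeline (not CVEasy AI's importer), written against the public Nessus CSV, Nuclei JSONL and Trivy JSON output shapes. The sample exports are constructed and trimmed to the columns and fields the example reads; real exports carry many more. One caveat it makes visible: merging only works when host identifiers agree across scanners, so Nuclei's URL form of a host is reduced to its hostname before keying, and a container image reported by Trivy is keyed on its image reference rather than an IP.

```python
import csv
import io
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed sample exports (not real scan output), trimmed to the fields used here.
NESSUS_CSV = """CVE,CVSS v3.0 Base Score,Risk,Host,Protocol,Port,Name
CVE-2021-44228,10.0,Critical,10.0.0.5,tcp,8443,Apache Log4j Remote Code Execution
CVE-2014-0160,7.5,High,10.0.0.7,tcp,443,OpenSSL Heartbleed Information Disclosure
"""

NUCLEI_JSONL = """{"template-id":"CVE-2021-44228","host":"https://10.0.0.5:8443","matched-at":"https://10.0.0.5:8443/login","info":{"name":"Apache Log4j2 RCE","severity":"critical","classification":{"cve-id":["CVE-2021-44228"],"cvss-score":10}}}
"""

TRIVY_JSON = """{"ArtifactName":"registry.internal/api:1.4","Results":[{"Target":"registry.internal/api:1.4 (alpine 3.17.0)","Class":"os-pkgs","Vulnerabilities":[{"VulnerabilityID":"CVE-2023-0286","PkgName":"libcrypto3","InstalledVersion":"3.0.7-r0","FixedVersion":"3.0.8-r0","Severity":"HIGH","CVSS":{"nvd":{"V3Score":7.4}}}]}]}"""

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    """Unified data model: one record per (host identifier, CVE)."""
    host: str                 # IP/hostname, or image reference for image scans
    cve: str
    cvss: Optional[float]
    severity: str             # lowercase: info/low/medium/high/critical
    sources: Set[str] = field(default_factory=set)
    evidence: List[str] = field(default_factory=list)


def parse_nessus(text: str) -> List[Finding]:
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        for cve in row["CVE"].split(","):  # Nessus packs several CVEs into one cell
            cve = cve.strip()
            if not cve:
                continue
            score = row["CVSS v3.0 Base Score"]
            out.append(Finding(row["Host"], cve, float(score) if score else None,
                               row["Risk"].lower(), {"nessus"},
                               [f'{row["Protocol"]}/{row["Port"]}: {row["Name"]}']))
    return out


def parse_nuclei(text: str) -> List[Finding]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        cls = rec["info"].get("classification") or {}
        host = urlparse(rec["host"]).hostname or rec["host"]  # strip scheme/port
        score = cls.get("cvss-score")
        for cve in cls.get("cve-id") or []:
            out.append(Finding(host, cve, float(score) if score is not None else None,
                               rec["info"]["severity"].lower(), {"nuclei"},
                               [rec.get("matched-at", "")]))
    return out


def parse_trivy(text: str) -> List[Finding]:
    rep = json.loads(text)
    out = []
    for res in rep.get("Results", []):
        for v in res.get("Vulnerabilities") or []:
            nvd = (v.get("CVSS") or {}).get("nvd") or {}
            out.append(Finding(rep["ArtifactName"], v["VulnerabilityID"], nvd.get("V3Score"),
                               v["Severity"].lower(), {"trivy"},
                               [f'{res["Target"]}: {v["PkgName"]} {v["InstalledVersion"]} '
                                f'(fixed {v.get("FixedVersion") or "n/a"})']))
    return out


def merge(findings: List[Finding]) -> Dict[Tuple[str, str], Finding]:
    """Deduplicate on (host, CVE); keep the highest score/severity and all evidence."""
    merged: Dict[Tuple[str, str], Finding] = {}
    for f in findings:
        key = (f.host.lower(), f.cve.upper())
        m = merged.get(key)
        if m is None:
            merged[key] = Finding(key[0], key[1], f.cvss, f.severity, set(f.sources), list(f.evidence))
            continue
        m.sources |= f.sources
        m.evidence += f.evidence
        if f.cvss is not None and (m.cvss is None or f.cvss > m.cvss):
            m.cvss = f.cvss
        if SEVERITY_RANK.get(f.severity, 0) > SEVERITY_RANK.get(m.severity, 0):
            m.severity = f.severity
    return merged


def run_example():
    raw = parse_nessus(NESSUS_CSV) + parse_nuclei(NUCLEI_JSONL) + parse_trivy(TRIVY_JSON)
    return raw, merge(raw)


if __name__ == "__main__":
    raw, merged = run_example()
    print(f"{len(raw)} raw findings -> {len(merged)} unique")
    for (host, cve), f in merged.items():
        print(f"{host:28} {cve:16} {f.severity:8} {f.cvss}  sources={sorted(f.sources)}")
```

The four raw records collapse to three: Nessus and Nuclei both saw the Log4j finding on 10.0.0.5, so it becomes one record with two sources and two pieces of evidence, which is exactly the row that a single TRIS score would then be attached to.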

CVEasy AI generates reports in multiple formats:

  • Interactive HTML - Full drill-down reports with attack surface maps, risk trend charts, and SLA compliance metrics
  • PDF - Executive-ready reports with risk trend charts, MTTR metrics, and business-impact narratives for board presentation
  • CSV/JSON - Raw data exports for integration with other tools and custom analysis

All reports include TRIS scoring context, remediation status tracking, and can be scoped by asset group, business unit, or compliance framework.

Security

No. Zero data is sent to any external service by default. CVEasy AI is air-gapped by design. There is no cloud telemetry, no phoning home, no third-party data processing. Install it, disconnect the ethernet cable, and it still works.

The only optional outbound connections are for NVD/EPSS feed updates (which can instead be done offline via snapshot files) and optional cloud LLM providers (OpenAI/Azure) if your team explicitly configures them. Both are entirely opt-in.

Yes. CVEasy AI is purpose-built for air-gapped deployment. The entire platform, including the local AI engine, vulnerability database, BASzy attack simulation, and reporting, runs on your hardware with no internet dependency.

For environments that cannot connect to the internet, vulnerability database updates are delivered via offline snapshot files that can be transferred via secure media. This makes CVEasy AI ideal for classified networks, OT/ICS environments, defense installations, and any organization with strict data sovereignty requirements.

All data is stored locally in a SQLite database on your machine. There are no external databases, no cloud storage, and no data replication to third-party infrastructure. Your vulnerability findings, asset inventory, remediation status, and reports live entirely under your control.

Backup is as simple as copying a file. Migration is as simple as moving that file to another machine. No database administration skills required.

No. Because CVEasy AI processes all data locally, there are no third-party data processing agreements (DPAs) to negotiate, no data residency concerns, and no sub-processor lists to review. Your security data stays on your hardware. This dramatically simplifies procurement for organizations with strict data governance requirements.

BASzy AI runs locally and uses agentless collection methods. Attack modules are designed to validate exploitability without causing disruption. However, as with any security testing tool, we recommend running initial simulations in a staging or isolated environment and coordinating with your change management process before executing on production infrastructure.

Each module includes detailed documentation on what it tests, what traffic it generates, and what potential impact to expect.

Pricing

CVEasy AI uses flat-rate licensing with no per-asset fees. Unlike legacy vendors (Tenable, Rapid7, Qualys) that charge per-asset per-year, CVEasy AI never punishes you for growing your infrastructure. Contact Sales for pricing details.

No. There are no lite, pro, or free tiers. One product, one license, everything included. Every customer gets the full platform: TRIS scoring, AI remediation, BASzy attack simulation, all scanner integrations, compliance mapping, API access, and reporting. No feature gating, no upsells.

We do not offer free trials. Instead, we offer a personalized demo where our sales engineering team walks you through the platform with your use case in mind. Request a demo to see CVEasy AI in action with your data.

Every CVEasy AI license includes the complete platform:

  • TRIS 7-layer risk scoring engine
  • Local AI remediation guidance (CVEasy AI Engine)
  • BASzy AI breach and attack simulation (124 modules)
  • All scanner integrations (Nessus, Qualys, Nuclei, Burp Suite, ZAP, Trivy)
  • Compliance mapping (NIST, SOC 2, PCI DSS, HIPAA, FedRAMP, ISO 27001)
  • Full REST API access
  • Executive and technical reporting
  • 330,000+ CVE database with updates

No. There are no per-asset fees, no per-scan fees, and no per-IP charges. Flat-rate pricing means you can scan and manage as many assets as you need without worrying about surprise bills. This is one of the biggest differences between CVEasy AI and legacy platforms like Tenable, Rapid7, and Qualys, which all use per-asset pricing that scales with your infrastructure.

Deployment

Under 5 minutes. CVEasy AI ships as a macOS application. Run the installer, and you have a fully operational vulnerability management platform. No cloud provisioning, no infrastructure setup, no database configuration, and no professional services engagement required.

Compare this to legacy platforms like Tenable, Rapid7, and Qualys, which typically require days to weeks of deployment time, dedicated infrastructure, and professional services.

No. CVEasy AI uses SQLite, which stores everything in a single file on disk. There is no Postgres cluster to manage, no Redis to tune, and no Elasticsearch to babysit. This eliminates an entire category of infrastructure overhead and makes backup/restore trivial.
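The "copy one file" backup story above, and the same claim in the Technical and Security sections, deserves one check: a copy taken while the application still has the database open can miss committed data. In SQLite's write-ahead-log mode, recent commits live in a -wal sidecar file until a checkpoint folds them into the main file, so copying only the .db file yields a consistent but stale snapshot. The added example below (not CVEasy AI's code; the table and rows are constructed) reproduces that on a throwaway database and contrasts it with SQLite's online backup API, which copies through the database engine and then runs an integrity check on the result:

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample rows; the table layout is invented for this example.
SAMPLE_ROWS = [
    ("10.0.0.5", "CVE-2021-44228"),
    ("10.0.0.7", "CVE-2014-0160"),
    ("registry.internal/api:1.4", "CVE-2023-0286"),
]


def row_count(path: str) -> int:
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT count(*) FROM findings").fetchone()[0]
    finally:
        con.close()


def integrity(path: str) -> str:
    """Returns 'ok' when SQLite's own consistency check passes."""
    con = sqlite3.connect(path)
    try:
        return con.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        con.close()


def online_backup(src_path: str, dst_path: str) -> str:
    """Snapshot a live database with the SQLite backup API, then verify it."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dst_path)
    try:
        src.backup(dst)  # reads through the pager, so WAL contents are included
    finally:
        dst.close()
        src.close()
    return integrity(dst_path)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "cveasy.db")
        app = sqlite3.connect(live)  # stands in for the running application
        app.execute("PRAGMA journal_mode=WAL")
        app.execute("CREATE TABLE findings(host TEXT, cve TEXT)")
        app.commit()
        app.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # schema now in the main file
        app.executemany("INSERT INTO findings VALUES (?, ?)", SAMPLE_ROWS)
        app.commit()  # these commits sit in cveasy.db-wal, not in cveasy.db

        naive = os.path.join(d, "naive-copy.db")
        shutil.copyfile(live, naive)  # what `cp cveasy.db backup.db` does
        naive_rows = row_count(naive)

        safe = os.path.join(d, "backup.db")
        safe_ok = online_backup(live, safe)
        safe_rows = row_count(safe)

        live_rows = row_count(live)
        app.close()
        return {
            "live_rows": live_rows,
            "naive_copy_rows": naive_rows,
            "backup_rows": safe_rows,
            "backup_integrity": safe_ok,
        }


if __name__ == "__main__":
    print(demo())
```

Copying the file after the application has exited (which checkpoints and removes the -wal file) is fine; copying while it runs is only safe through the backup API, or by copying the .db, -wal and -shm files together as one set. Either way, run `PRAGMA integrity_check` on the copy before you rely on it.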

For air-gapped environments, CVEasy AI supports offline database updates via snapshot files. Download the latest NVD/EPSS snapshot from a connected machine, transfer it to your air-gapped system via approved media (USB, secure file transfer), and import it. Record a checksum of the snapshot on the connected side and verify it on the air-gapped system before importing, so a corrupted or tampered file is caught at the boundary. The platform handles the rest, including updating TRIS scores across all existing findings.

Yes. CVEasy AI supports multi-user access. Team members can collaborate on vulnerability triage, remediation tracking, and reporting from the same platform instance. Contact Sales to discuss deployment configurations for your team size.

No. CVEasy AI is designed to be self-service. The installer handles everything, and your team can be scanning and triaging vulnerabilities within minutes. If you need additional support for complex deployments (large MSSP environments, custom integrations), our team is available, but it is never a prerequisite for getting started.

MSSP / Partners

Yes. CVEasy AI offers a dedicated MSSP partner program designed for managed security providers who want to build or expand their vulnerability management practice. The program includes multi-tenant support, volume licensing, and partner-specific resources. Contact Sales to learn more about partnership opportunities.

Yes. CVEasy AI supports multi-tenant configurations that allow MSSPs to manage multiple client environments from a single platform. Each tenant's data is isolated, and reporting can be scoped and branded per client. This makes it straightforward to deliver white-labeled vulnerability management services at scale.

Yes. CVEasy AI supports white-label reporting for MSSP partners. Customize reports with your brand, your client's branding, and your own executive narrative. Reports include interactive HTML with attack surface maps and exportable PDF formats suitable for board-level presentation.

MSSP licensing follows the same flat-rate philosophy as our standard licensing. No per-asset fees, no per-client charges that eat into your margins. Volume licensing is available for partners managing multiple deployments. Contact Sales for MSSP-specific pricing.

Most MSSP tools require cloud infrastructure, charge per-asset (which destroys margins at scale), and lock you into a single scanner ecosystem. CVEasy AI is different:

  • Flat-rate licensing means predictable costs regardless of how many client assets you manage
  • Multi-scanner support lets you work with whatever scanners your clients already own
  • Local deployment means you can offer VM services to clients who refuse cloud-connected tools
  • Built-in BASzy lets you upsell attack validation without purchasing a separate BAS vendor
  • White-label reporting delivers polished client-facing deliverables without extra tooling

Still have questions?

Our sales engineering team is ready to answer anything not covered here.
