Endpoint & Integrity

Vulnerability Scanner

Air-gap-friendly CVE correlation that catches a CISA KEV match without a single packet leaving the contractor's network.

Covered practices · NIST SP 800-171 Rev 2

  • 3.11.2 Scan for vulnerabilities periodically (Primary)
  • 3.11.3 Remediate vulnerabilities (Primary)
  • 3.14.1 Flaw remediation (Primary)
  • 3.4.1 Baseline configurations and inventories
  • 3.14.3 Monitor security alerts and advisories

0 outbound network calls during a scan, fully on-prem.

The problem

Patch currency is the single most-asked question in a CMMC assessment. The DoD takes the CISA KEV catalog seriously, and any KEV match on a contractor system is automatically a finding, regardless of CVSS score and regardless of how recent the entry is. Log4j 2.14.0 in production in 2026 is not a debate the contractor wins.

Commercial vulnerability scanners send package inventories to a SaaS backend. For environments handling CUI, that exfiltrates exactly the kind of asset data the contractor is trying to protect under the same controls the scan is supposed to support. The on-prem alternative is to bundle the database with the scanner and update it via a signed fetch only on explicit invocation: no scan-time network calls, no dependency on a vendor cloud, no exfiltration risk.

CPE matching is the harder half of the problem. Package names rarely match CPE product strings exactly; openssl, python3, log4j-core, and dozens of others each need a normalization-table entry. The bundled database covers the common cases, and mismatches surface as INFO findings rather than silent misses, so the contractor is never falsely told their fleet is clean.

What CMMC requires

NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.

Primary mapping

NIST 3.11.2 Scan for vulnerabilities periodically

Performs vulnerability scanning of every installed package against current CVE data, including the CISA KEV catalog, on-prem, with no inventory exfiltration.

NIST 3.11.3 Remediate vulnerabilities

Reports days-since-published per CVE so remediation timelines can be enforced against the 30-day window for HIGH/CRITICAL.

NIST 3.14.1 Flaw remediation

Identifies, reports, and helps prioritize correction of system flaws via CVE matching with CVSS-based severity tiers and KEV escalation.

Secondary mapping

NIST 3.4.1 Baseline configurations and inventories

Produces the package inventory itself as a baseline configuration artifact, the list of installed software the SSP must accurately reflect.

NIST 3.14.3 Monitor security alerts and advisories

Integrates the CISA KEV catalog as the primary advisory mechanism; KEV matches provide 3.14.3 evidence directly.

How it works

Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.

Linux

Enumerates packages via dpkg-query (Debian/Ubuntu), rpm -qa (RHEL/Fedora/SUSE), pip3 list --format=json (Python), npm list -g --json (Node), and ~/.cargo/registry for Rust crates. Normalizes names to CPE 2.3 format and queries a bundled SQLite database derived from the NVD JSON feeds and the CISA KEV catalog. Deduplicates per package, emitting one finding per package with the highest-severity CVE plus the total CVE count and KEV count.

Windows

Reads HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and the WOW6432 equivalent for installed programs. Queries WMI Win32_QuickFixEngineering for installed KB articles, then compares the host OS build against the cumulative-update level for that Windows release. Hosts more than one CU behind generate a HIGH finding; a missing patch for a KEV-listed CVE generates a CRITICAL finding with the KEV due date attached for POA&M tracking.

macOS

Reads /Library/Apple/System/Library/Receipts and /var/db/receipts for both system and Homebrew packages. Runs system_profiler SPApplicationsDataType -json for installed apps and softwareupdate --list for available Apple updates. Findings ship with version, install path, and matched CPE so remediation is unambiguous.
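As an added example (not the agent's own code), here is a minimal version of the Linux correlation step above in Python: a name-to-CPE normalization table, a lookup against a constructed in-memory stand-in for the bundled SQLite database, KEV escalation to CRITICAL regardless of CVSS, the 30-day overdue check, and one deduplicated finding per package with an INFO finding for unmapped names. The table entries, CVE ids, dates and inventory are constructed, and the 7.0-8.9 HIGH band is an assumption taken from standard CVSS v3 banding.

```python
import sqlite3
from datetime import date
# Constructed name -> (vendor, product) table; the bundled one is far larger. Assumed for the example.
CPE_TABLE = {"openssl": ("openssl", "openssl"), "log4j-core": ("apache", "log4j")}
RANK = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1, "LOW": 0}
WINDOW_DAYS = 30  # DoD remediation window applied to HIGH/CRITICAL findings

def to_cpe(pkg, version):
    """Map a package to a CPE 2.3 string, or None when the table has no entry."""
    entry = CPE_TABLE.get(pkg.lower())
    return None if entry is None else "cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*" % (*entry, version)
def severity(cvss, kev):
    """KEV membership is CRITICAL regardless of CVSS; otherwise CVSS v3 bands (7.0-8.9 HIGH is assumed)."""
    if kev or cvss >= 9.0:
        return "CRITICAL"
    return "HIGH" if cvss >= 7.0 else "MEDIUM" if cvss >= 4.0 else "LOW"

def build_db():
    """Constructed stand-in for the bundled NVD+KEV SQLite database; CVE ids are placeholders."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cve (id TEXT, cpe TEXT, cvss REAL, published TEXT, kev INTEGER)")
    db.executemany("INSERT INTO cve VALUES (?,?,?,?,?)", [
        ("CVE-0000-0001", to_cpe("log4j-core", "2.14.0"), 10.0, "2021-12-10", 1),
        ("CVE-0000-0002", to_cpe("log4j-core", "2.14.0"), 9.0, "2021-12-14", 1),
        ("CVE-0000-0003", to_cpe("openssl", "3.0.1"), 5.3, "2025-12-20", 0)])
    return db

def scan(db, inventory, today):
    """One finding per package: worst CVE, CVE/KEV counts, age, overdue flag; unmapped names become INFO."""
    findings = []
    for pkg, version in inventory:
        cpe = to_cpe(pkg, version)
        if cpe is None:  # surface the normalization gap instead of silently reporting the package clean
            findings.append({"package": pkg, "severity": "INFO", "reason": "no CPE mapping"})
            continue
        rows = db.execute("SELECT id, cvss, published, kev FROM cve WHERE cpe = ?", (cpe,)).fetchall()
        if not rows:
            continue
        cve_id, cvss, published, kev = max(rows, key=lambda r: (RANK[severity(r[1], r[3])], r[1]))
        sev = severity(cvss, kev)
        age = (today - date.fromisoformat(published)).days
        findings.append({"package": pkg, "cpe": cpe, "severity": sev, "top_cve": cve_id,
                         "cve_count": len(rows), "kev_count": sum(r[3] for r in rows),
                         "days_since_published": age,
                         "overdue": sev in ("CRITICAL", "HIGH") and age > WINDOW_DAYS})
    return findings
def run_demo():
    """Constructed inventory: a KEV-listed log4j, a medium-severity openssl, and an unmapped package."""
    return scan(build_db(), [("log4j-core", "2.14.0"), ("openssl", "3.0.1"), ("libfoo", "1.0")], date(2026, 1, 15))
```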

What it finds

Concrete findings written to match the assessor's mental model, not abstract categories. Severity drives POA&M priority and SPRS deduction.

  • CRITICAL
    CISA KEV match on installed package
    Package version matches a CISA Known Exploited Vulnerabilities entry. Active exploitation in the wild, automatic CRITICAL regardless of CVSS score.
  • CRITICAL
    CVSS 9.0+ vulnerability with no patch applied
    Installed package matches a CVE with CVSS v3 score 9.0 or higher. Days-since-published exceeds the 30-day DoD remediation window.
  • HIGH
    Windows host more than one cumulative update behind
    Host build/UBR is two or more cumulative updates behind the current release. Multiple security fixes unapplied.
  • HIGH
    End-of-life package with no upstream patches
    Installed package version is past EOL and receives no further security updates. The remediation is upgrade or removal, not patching.
  • MEDIUM
    CVSS 4.0–6.9 medium-severity match
    Package matches a medium-severity CVE. Within remediation timeline tolerance but tracked toward the SPRS POA&M deadline.

SPRS impact

3.14.1 is a 5-point control and carries the most assessor scrutiny in the SI family. A KEV match in production typically produces an automatic 5-point finding, plus 3.11.2 (3 points) for not catching it earlier and 3.11.3 (3 points) for not remediating inside the 30-day window. Patch overdue beyond 30 days compounds the deduction further with overdue-day accounting. A single Log4j 2.14.0 still in production can cost 11+ SPRS points across three controls and trigger an automatic re-assessment requirement.

How it hooks into the platform

Inventory and CVE correlation run on every discovered host on a cadence the platform sets, against the bundled NVD and CISA KEV database; no scan-time network calls. You decide whether the inventory and CVE matches stay on-prem or sync up, which keeps the agent workable in air-gapped enclaves. Inventory becomes the SSP's installed-software baseline under 3.4.1. Findings link to specific CVE IDs with CVSS vectors and KEV due dates across 3.11.2, 3.11.3, and 3.14.1. POA&M items track per-package remediation against the 30-day DoD window with overdue-day counts.

How we know it's working

Acceptance criteria from the engineering spec, what the agent must do to ship.

  • Inventories 1000+ packages per host in under 60 seconds
  • Normalizes openssl, curl, openssh, log4j, python, nodejs, nginx, apache2, and mysql to CPE
  • Flags any CISA KEV match as CRITICAL regardless of CVSS score
  • Returns CVSS score and vector with every CVE finding
  • Ships with three-plus years of NVD data bundled offline
  • Verifies SHA-256 of every database update against the NVD feed
  • Falls back to the bundled database if an updated copy is corrupt
  • Performs zero outbound network calls during the scan itself
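An added example, not the project's code, of the update-acceptance check the SHA-256 and fallback criteria above describe: the fetched database replaces the bundled copy only when its SHA-256 matches the digest published with the feed and the file passes a SQLite integrity check; otherwise the scanner keeps the bundled copy. File names and the expected-digest parameter are assumptions, and the test files are constructed.

```python
import hashlib, hmac, os, sqlite3, tempfile
from pathlib import Path
def sha256_of(path):
    """Stream the file through SHA-256; a multi-year NVD database is too large to read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def sqlite_ok(path):
    """Open read-only and require a clean integrity_check; any sqlite error counts as corrupt."""
    try:
        db = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
        try:
            row = db.execute("PRAGMA integrity_check").fetchone()
            return row is not None and row[0] == "ok"
        finally:
            db.close()
    except sqlite3.Error:
        return False

def choose_database(update_path, expected_sha256, bundled_path):
    """Return (path_to_use, reason): use the update only if its digest matches and it passes integrity_check."""
    if not os.path.exists(update_path):
        return bundled_path, "no update present"
    if not hmac.compare_digest(sha256_of(update_path), expected_sha256.lower()):
        return bundled_path, "update rejected: SHA-256 mismatch"
    if not sqlite_ok(update_path):
        return bundled_path, "update rejected: integrity_check failed"
    return update_path, "update accepted"

def run_demo():
    """Constructed files: a bundled DB, a valid update, and a garbage update whose digest does match."""
    d = tempfile.mkdtemp()
    bundled, good, bad = (os.path.join(d, n) for n in ("bundled.db", "update.db", "garbage.db"))
    for path in (bundled, good):
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE cve (id TEXT)")
        con.commit()
        con.close()
    with open(bad, "wb") as f:
        f.write(b"\xff" * 4096)  # not a SQLite file, simulating a corrupt download
    return {
        "valid": choose_database(good, sha256_of(good), bundled),
        "tampered": choose_database(good, "00" * 32, bundled),
        "corrupt": choose_database(bad, sha256_of(bad), bundled),
        "absent": choose_database(os.path.join(d, "missing.db"), "00" * 32, bundled),
    }
```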

Run this agent against your environment.

Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.
