Every CVE. Every resource. Agentless. Verdicts you can audit.
Determines whether the vulnerable function, protocol, or module the CVE targets is compiled in and callable on this specific resource.
Infrastructure scanners match package versions against known CVEs. SCA and code scanners check whether the vulnerable function is called in your application dependencies. Neither covers the full stack. A version match doesn't mean the code path is active, and reachability analysis doesn't apply to OS, kernel, or infrastructure packages.
Reads the actual service configuration on each resource. If the protocol isn't enabled, the module isn't loaded, or the setting gates the exploit and it's off, the finding is filtered before it generates a ticket. The largest single factor that drives findings to zero.
Vulnerability scanners, CNAPPs, SCA tools, and runtime scanners all skip this. They see the package. They can't see the config. The single largest blind spot in vulnerability management.
Evaluates whether the deployment's security controls permit what the exploit needs. If capabilities are dropped, syscalls are blocked, or runtime policies restrict the behavior, the exploit path is closed. Filtered before it becomes a ticket.
Runtime scanners and CNAPPs confirm the process is running. They don't evaluate whether the security context (capabilities, seccomp, AppArmor) permits what the exploit needs.
Combines network topology with on-resource conditions. Reachable but missing a config prerequisite? Filtered. Exploitable but unreachable? Filtered. Both reachability and exploitability must be non-zero.
CNAPPs and attack surface management tools model network topology. They flag reachable resources without checking whether exploitation conditions are met on the resource itself.
Checks which specific features within the package are actually active. If the vulnerable feature isn't running, the CVE can't fire regardless of what the scanner reported. Filters the gap between "package in use" and "feature exploitable."
eBPF-based runtime scanners confirm the package is loaded and active. But "in use" covers the whole package. It doesn't distinguish which features, protocols, or APIs within it are active.