Perimeter does both halves of the job competitors split across two SKUs: external attack-surface management from the internet, and internal authenticated scanning from inside your network — then turns the results into tracked, prioritized, audit-ready work.
Add a root domain (verify ownership by DNS TXT first — we never scan what you don't own). Passive discovery enumerates subdomains from certificate-transparency logs and passive DNS; active discovery fingerprints live hosts, ports, services and TLS certs. The Lookout agent inventories internal hosts and container images. Everything lands in one asset inventory with criticality tags.
The hosted runner runs Nuclei (CVE, exposure, misconfig, takeover templates) against external assets. The Lookout agent runs OpenVAS/Greenbone authenticated network scans, Trivy for OS-package / container-image / IaC / SBOM CVEs, and Nuclei for internal-only services. Nothing is a black box — you can read and add templates.
Findings are deduplicated to one canonical record per (asset × check), merged across engines and scans. Each is enriched daily with EPSS v4 (exploitation likelihood, from FIRST) and flagged against the CISA KEV catalog, then scored:
risk = 0.40·CVSS + 0.30·EPSS + 0.20·KEV + 0.10·asset-criticality → 0–100
A KEV-listed critical on a crown-jewel host rises to the top; an unauthenticated low-severity finding on a dev box sinks. The weights are transparent and tunable — not a proprietary black box like VPR or TruRisk.
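The (asset × check) dedup key and the published weights above, worked through as an added Python example (not Perimeter's own code). The page gives only the weights, so the normalisation of each input to 0–100 and the criticality scale are assumptions, as are the sample findings.

```python
# Added example, not Perimeter's code. Assumptions (the page states only the weights):
# CVSS 0-10 is scaled to 0-100, EPSS probability 0-1 to 0-100, KEV membership is
# 0 or 100, and the criticality tag maps to 25/50/75/100.
from dataclasses import dataclass, field

WEIGHTS = {"cvss": 0.40, "epss": 0.30, "kev": 0.20, "crit": 0.10}
CRIT_SCALE = {"low": 25, "medium": 50, "high": 75, "crown-jewel": 100}

@dataclass
class Finding:
    asset: str
    check: str              # CVE id or scanner template id
    cvss: float             # 0-10
    epss: float             # 0-1 probability, as published by FIRST
    kev: bool               # listed in the CISA KEV catalog
    criticality: str        # asset criticality tag
    engines: set = field(default_factory=set)

def dedup(raw):
    """Merge raw engine output into one canonical record per (asset, check).
    The merged record keeps the worst-case inputs and the union of engines."""
    canon = {}
    for f in raw:
        key = (f.asset, f.check)
        if key not in canon:
            canon[key] = Finding(f.asset, f.check, f.cvss, f.epss, f.kev,
                                 f.criticality, set(f.engines))
            continue
        c = canon[key]
        c.cvss, c.epss = max(c.cvss, f.cvss), max(c.epss, f.epss)
        c.kev, c.engines = c.kev or f.kev, c.engines | f.engines
    return list(canon.values())

def risk(f):
    """0.40*CVSS + 0.30*EPSS + 0.20*KEV + 0.10*criticality, each on 0-100."""
    score = (WEIGHTS["cvss"] * f.cvss * 10
             + WEIGHTS["epss"] * f.epss * 100
             + WEIGHTS["kev"] * (100 if f.kev else 0)
             + WEIGHTS["crit"] * CRIT_SCALE[f.criticality])
    return round(score, 1)

def prioritize(raw):
    """Dedup, then order highest risk first."""
    return sorted(dedup(raw), key=risk, reverse=True)

# Constructed sample: one KEV-listed critical reported by two engines on a
# crown-jewel host, and an unauthenticated low on a dev box.
SAMPLE = [
    Finding("api.example.com", "CVE-EXAMPLE-0001", 9.8, 0.94, True, "crown-jewel", {"nuclei"}),
    Finding("api.example.com", "CVE-EXAMPLE-0001", 9.8, 0.94, True, "crown-jewel", {"openvas"}),
    Finding("dev-01.internal", "tls-weak-cipher", 3.7, 0.02, False, "low", {"nuclei"}),
]
```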
Assign an owner, set a status (open → in progress → fixed), and track SLA due dates (KEV findings inherit CISA's due date). Suppress a false-positive or accept a risk with a reason, approver, and expiry — every suppression is audit-logged. Rescan-to-verify re-runs the exact check and auto-closes on pass.
Every finding auto-maps to control IDs across NIST CSF 2.0, SOC 2, PCI DSS 4.0, ISO 27001 and CMMC L2. Publish the de-identified posture to the DosanjhLabs evidence graph and Sightline maps it across 22+ frameworks while Bastion turns open KEV findings into POA&M items. A scan stops being a CSV and becomes a control reference with a timestamp.
The MVP console ships the full findings model — inventory, EPSS/KEV prioritization, dedup, remediation/SLA tracking, suppression, control mapping, and the scan-ingest pipeline — runnable in your browser on seeded sample data. The live scan engines (Nuclei/Trivy/OpenVAS on the hosted runner and Lookout agent) and live EPSS/KEV feeds are the next wave; the ingest interface they post to is already built.