Continuous Defense

400 "critical" findings.
Your team reviews them by hand.

Manual triage at scale is broken. Attackers iterate overnight. Your team reviews scanner output during working hours. That gap is where breaches happen.

Without Horus

  • Weekly sprint starts with 400 "critical" findings. Team spends days triaging; most are false alarms or unexploitable.
  • A CVE hits CISA KEV on Tuesday. Your team finds out Friday, after someone shares the tweet in Slack.
  • Three subdomains you forgot existed are running unpatched services. Nobody knows they exist.
  • Coverage depends on who's on-call and awake. Attackers operate 24/7 without that constraint.

With Horus

  • Pipeline runs at 02:00 UTC. Inbox has 1-3 SSVC:Act findings by morning. Zero noise.
  • Watchtower syncs CISA KEV at 06:30 UTC daily. If any new entry matches your stack, PagerDuty fires before you open your laptop.
  • CT log sweep and CIDR ping on schedule. New subdomains auto-added to the asset inventory.
  • Eight AI agents run every night. No tickets, no standups, no babysitting required.

How it works

Configure once. Runs every night.

Define assets and a schedule. The pipeline does the rest. Every finding that reaches you has already been correlated, enriched and SSVC-prioritized.

01 / DISCOVER

Map your attack surface

Certificate Transparency sweep finds subdomains. nmap CIDR scan finds internal hosts. New assets are auto-added to the inventory. You only configure it once.

02 / SCAN + CORRELATE

Scan, enrich, cross-reference

nmap + nuclei run per asset. Every port, service and header analyzed. Findings correlated against 338K+ CVEs, CISA KEV, EPSS scores. All deterministic, zero LLM tokens for correlation.

03 / SSVC + ALERT

Only what matters reaches you

Risk Manager runs the SSVC Deployer decision tree. Act findings trigger PagerDuty P1. Attend findings go to Slack. Track findings queue silently. You open your inbox to signal, not noise.

Live output · sorted by SSVC priority

1 ACT 2 ATTEND
api.acmecorp.io · 12 findings sorted by SSVC priority

  • HTTP/2 Rapid Reset · nginx 1.18.0 · CVE-2023-44487 · ⚡ KEV · HIGH 7.5 · SSVC: ACT · EPSS 0.94
  • RCE · Apache Log4j 2.14.1 · CVE-2021-44228 · ⚡ KEV · CRIT 10.0 · SSVC: ATTEND · EPSS 0.97
  • Buffer Overflow · OpenSSL 1.0.2 (internal) · CVE-2022-0778 · CRIT 9.8 · not exposed · no public exploit · SSVC: TRACK · EPSS 0.03

9 more findings · 0 ACT, 0 ATTEND

Full capability set

Everything in Continuous Defense.

Eight modules. All run on schedule, automatically, every night.

Auto-discovery

Asset Discovery

CT log sweep + nmap CIDR ping sweep. Configure a domain or IP range once. Everything reachable from it gets mapped, including subdomains you forgot existed.

  • CT logs via crt.sh + certspotter
  • Internal CIDR sweep with nmap -sn
  • Auto-deduplication of repeated hosts
  • Optional auto-create: discovered → scan target
Inventory

Asset Management

CRUD for domains, IPs, APIs, services. Tag assets as production / internal / third-party. Track last-detected technologies per host. Full scan history per asset.

  • Domain, IP, API, service types
  • Internal vs external classification
  • Technology inventory per asset
  • Scan history + posture trend
Scanner

Vulnerability Scanning

nmap port + service enumeration, nuclei template execution, header/SSL/TLS analysis. Multi-agent pipeline persists an executive summary per scan.

  • Port + service detection (nmap)
  • Vulnerability templates (nuclei)
  • Header, SSL, TLS config analysis
  • Executive summary per scan
Deterministic · 0 LLM tokens

SSVC Prioritization

Deterministic SSVC Deployer decision tree. No LLMs, no hallucinations, no per-query cost. Inputs: Exploitation state (KEV-active → active, EPSS > 0.9 → likely), Exposure, Technical Impact, Automatable heuristic. A CVSS 9.8 on an internal host with no public exploit → TRACK. An actively exploited 7.5 on a public API → ACT.

  • KEV-active → Exploitation: active
  • EPSS > 0.9 → Exploitation: likely
  • Internal host → Exposure: internal
  • Public API → Exposure: public
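
An added sketch of a deterministic triage step built on the input mappings listed above, with the Act / Attend / Track routing from "How it works". It is not Horus code: the decision table, the field names and the exposure, impact and automatable flags on the sample findings are assumptions, chosen so the result agrees with the two cases the page states.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str
    in_kev: bool        # listed in CISA KEV
    epss: float         # FIRST EPSS probability, 0..1
    public: bool        # Exposure: public (True) or internal (False)
    total_impact: bool  # Technical Impact: total (True) or partial (False)
    automatable: bool   # result of the Automatable heuristic

# Routing as the page describes it: Act -> PagerDuty P1, Attend -> Slack, Track -> queue.
ROUTES = {"ACT": "pagerduty-p1", "ATTEND": "slack", "TRACK": "queue"}
RANK = {"ACT": 0, "ATTEND": 1, "TRACK": 2}

def exploitation(f):
    # The two mappings stated on the page; anything else is treated as "none".
    if f.in_kev:
        return "active"
    if f.epss > 0.9:
        return "likely"
    return "none"

def decide(f):
    # Assumed decision table. Note that the CVSS score is never an input.
    state = exploitation(f)
    if state == "active":
        return "ACT" if f.public else "ATTEND"
    if state == "likely" and f.public and (f.automatable or f.total_impact):
        return "ATTEND"
    return "TRACK"

def triage(findings):
    # Order by decision first, then by EPSS descending, and attach the route.
    ordered = sorted(findings, key=lambda f: (RANK[decide(f)], -f.epss))
    return [(f.cve, decide(f), ROUTES[decide(f)]) for f in ordered]

# Constructed sample input using the CVE ids and EPSS values from the live output;
# the public / total_impact / automatable flags are assumptions.
SAMPLE = [
    Finding("CVE-2022-0778", False, 0.03, False, True, False),
    Finding("CVE-2021-44228", True, 0.97, False, True, True),
    Finding("CVE-2023-44487", True, 0.94, True, False, True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```
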
Continuous monitoring

Watchtower

Daily sync of CISA KEV + FIRST EPSS. Re-correlates your persisted software inventory without re-scanning. Detects EPSS spikes (0.2+ overnight) before KEV.

  • CISA KEV daily sync
  • EPSS spike detection
  • Zero re-scan overhead
  • ThreatFox + URLhaus IOC feeds
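
An added sketch of the re-correlation described above: two daily KEV and EPSS snapshots are diffed against a persisted inventory, with no scan involved. It is not Horus code; the data shapes, host names and CVE ids are constructed placeholders, and skipping CVEs that have no score from the previous day is an assumption.

```python
SPIKE = 0.2  # overnight EPSS increase that counts as a spike (threshold from the page)

def watchtower_diff(inventory, kev_prev, kev_now, epss_prev, epss_now, spike=SPIKE):
    """Return (asset, cve, reason) alerts for CVEs already tied to an asset."""
    new_kev = kev_now - kev_prev  # entries added to KEV since the last sync
    alerts = []
    for asset, cves in sorted(inventory.items()):
        for cve in sorted(cves):
            if cve in new_kev:
                alerts.append((asset, cve, "kev-added"))
            # Without a score from the previous day there is no baseline,
            # so a first-time score is not reported as a spike.
            if cve in epss_prev and cve in epss_now:
                delta = round(epss_now[cve] - epss_prev[cve], 4)  # absorb float noise
                if delta >= spike:
                    alerts.append((asset, cve, "epss-spike"))
    return alerts

# Constructed sample data: persisted inventory of asset -> CVEs from earlier scans.
INVENTORY = {
    "api.example.test": {"CVE-0000-0001", "CVE-0000-0002"},
    "vpn.example.test": {"CVE-0000-0003"},
}
KEV_PREV = {"CVE-0000-0009"}
KEV_NOW = {"CVE-0000-0009", "CVE-0000-0002", "CVE-0000-0008"}
EPSS_PREV = {"CVE-0000-0001": 0.15, "CVE-0000-0002": 0.50}
EPSS_NOW = {"CVE-0000-0001": 0.35, "CVE-0000-0002": 0.55, "CVE-0000-0003": 0.60}

if __name__ == "__main__":
    for alert in watchtower_diff(INVENTORY, KEV_PREV, KEV_NOW, EPSS_PREV, EPSS_NOW):
        print(*alert)
```
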
Case management

Incidents

Group related findings into tracked cases. Assign owners, set SLA, add timeline notes. Auto-created from SSVC:Act findings. Bidirectional links to findings.

  • States: open → in_progress → resolved
  • SLA countdown (red if overdue)
  • Auto-created from SSVC:Act
  • Timeline notes per case
Risk tracking

Posture Timeline

Deterministic risk score per org, snapshotted daily. Stacked area chart by severity. Annotated events. Trend line: improving / degrading / stable.

  • Daily snapshots + events
  • % criticals closed in 7d
  • Trend direction indicator
Automation

Schedules + Jobs

Cron jobs for recurring scans, discovery, CVE intel sync, Watchtower. Full job execution history. Auto-retry on failure. Next-run prediction in UI.

  • Cron expressions per pipeline type
  • Auto-retry on scan failure
  • Append-only job history

Configure it once.
Agents start tonight.

The live demo has 30 days of posture history and real CVE findings.