CVEsafe has been acquired by DataDike. Same platform, stronger backing — datadike.com
AI-powered CVE intelligence platform

See every vulnerability
before attackers do.

Continuous CVE scanning, real-time threat intelligence and AI-driven prioritization — for security teams operating at global scale.

Trusted by security teams in 40+ countries

Windows PowerShell — CVEsafe agent
PS C:\> irm https://app.cvesafe.com/agent/install.ps1 | iex
CVEsafe Agent installed · nmap + Npcap provisioned
PS C:\> cvesafe scan 192.168.0.0/24 --discover
[LAN] 23 hosts up · classifying devices…
192.168.0.50 Windows host SMBv1 ENABLED
[+] CVE-2017-0144 EternalBlue CVSS 8.1 KEV
[+] CVE-2021-44228 Log4Shell CVSS 10.0 EPSS 97%
▸ report grade C · 6.4/10 · 23 findings · emailed
PS C:\>
Live threat feed
  • CVE-2024-3094 — backdoor in xz/liblzma CRITICAL
  • CVE-2021-44228 — Log4Shell RCE CRITICAL
  • CVE-2023-44487 — HTTP/2 Rapid Reset HIGH
  • CVE-2014-0160 — Heartbleed HIGH
  • 350K+ CVEs tracked
  • 178K+ vulnerability tests
  • 5 engines, one consolidated report
  • 40+ countries served
Under the hood

One input. A whole scanning engine behind it.

You hand CVEsafe an asset. It fans the work across best-in-class engines, enriches every finding with live exploit intelligence, and routes the fix to your tools — automatically.

Your attack surface
Website
Host / IP
CIDR range
API
Agent · internal LAN
CVEsafe scan engine
Ports & services
CVE detection
Web app tests
TLS & certificates
Network vuln tests
Risk intelligence
CVE + CVSS
EPSS exploit %
CISA KEV
AI priority · A–F
Into your workflow
One report
ServiceNow
Signed webhooks
CSV export
See it from the other side

The attacker runs these commands. We run them first.

Whatever a real intruder probes for, CVEsafe already ran it — inside and outside your network — and opened the ticket to fix it before they got there.

root@kali — bash
┌──(root@kali)-[~]
└─# nmap -sV --script vuln 203.0.113.10
445/tcp open microsoft-ds Windows Server 2012
|_smb-vuln-ms17-010: VULNERABLE (EternalBlue)
┌──(root@kali)-[~]
└─# searchsploit eternalblue
Windows SMB RCE … windows/smb/ms17_010
[*] launching exploit against target…
└─#

An exposed, unpatched host is minutes of work for an attacker.

CVEsafe — Command Center
PS C:\> cvesafe issues --kev --open
CVE-2017-0144 EternalBlue 10.0.0.50 KEV
↳ ServiceNow INC0012345 · in_progress
↳ first seen 6 days ago · webhook → Slack sent
PS C:\> cvesafe verify 10.0.0.50
re-scan: SMBv1 disabled · issue auto-resolved
0 KEV issues left unticketed
PS C:\>

CVEsafe found it days earlier, ticketed it, and verified the fix.

Why CVEsafe

One platform for your whole attack surface

From a single domain to your internal network — discover it, scan it, and fix what actually matters.

Continuous scanning

Agentless and agent-based, everywhere

Scan public websites, hosts, APIs and CIDR ranges with no install — or drop a lightweight agent to reach assets inside your network. Schedule recurring scans so coverage never goes stale.

  • Public, agentless coverage out of the box
  • Installed agent for internal / LAN assets
  • Daily, weekly or monthly schedules
cvesafe — scan
$ cvesafe scan --all
shop.acme.com grade A
api.acme.com grade C
10.0.0.0/24 [internal] grade B
vpn.acme.com scanning…
$
Live CVE intelligence

Enriched with EPSS, KEV & exploit signals

Every finding is correlated with its CVE and CVSS, then enriched with real-world exploitation data — so you see not just what's vulnerable, but what's actually being attacked right now.

  • CVE + CVSS on every finding
  • Known-exploited (KEV) and EPSS context
  • Links straight to the NVD advisory
CVE-2021-44228 · CRITICAL

Apache Log4j JNDI remote code execution (Log4Shell).

CVSS 10.0 · KEV listed · EPSS 97%
AI prioritization

AI focuses you on the 3% that puts you at risk

Our AI ranks every finding by real exploitability and exposure and triages likely false positives out of the way — so you get a clean, ordered list and a clear A–F risk grade per asset and group, not thousands of raw alerts.

  • AI-ranked findings — the riskiest first
  • AI false-positive triage cuts the noise
  • A–F grade and 0–10 score per target & group
Attack-surface mapping

Add a domain — we map every subdomain

Enumerate your full external footprint from Certificate Transparency logs and DNS, see what's live, then scan the whole surface in one click. www, non-www, http, https — treated as one asset.

  • Subdomain discovery via CT logs + DNS
  • Live / unresolved at a glance
  • Promote & scan the surface in one click
cvesafe — discover
$ cvesafe discover acme.com
[CT+DNS] enumerating subdomains…
api.acme.com 2 IPs live
mail.acme.com 1 IP live
shop.acme.com 2 IPs live
legacy.acme.com — unresolved
$
One consolidated report

Many tools. One enterprise report.

We run Nmap, Nuclei, OWASP ZAP, SSLyze and OpenVAS to validate each finding, then deliver a single, board-ready report — by email or shared with any stakeholder. You gave one input; we did the rest.

  • Consolidated, branded PDF / email report
  • Share with third parties — no account needed
  • CSV export for your own pipeline
cvesafe — report
$ cvesafe report --last
▸ acme.com grade B · 6.4/10 · 23 findings
checks: ports · web · TLS · CVEs · network
consolidated PDF emailed
shareable link · CSV export ready
$
LAN discovery

Discover and inventory every device on your network

The installed agent sweeps your internal range, fingerprints each live host — OS, open services, MAC vendor and SNMP — and classifies the equipment: router, switch, printer, IP camera, NAS, Windows or Linux host. Each one is registered as an asset you can scan for CVEs.

  • Auto-classified device inventory of your LAN
  • Optional SNMP credentials for deeper detail
  • Promote any device to a CVE scan in one click
cvesafe — lan discovery
$ cvesafe discover --lan 192.168.0.0/24
192.168.0.1 Router MikroTik RouterOS
192.168.0.20 Printer HP LaserJet
192.168.0.50 Windows host SMB · RDP
192.168.0.77 IP camera SNMP
[+] 23 assets inventoried
$
Host posture audit

Audit the security posture of every machine

One click runs a local hardening audit on each host the agent is installed on — missing Windows updates, SMBv1, RDP without NLA, firewall, Defender, BitLocker, UAC and weak local accounts — reported as findings right next to your network results.

  • Missing-patch & misconfiguration detection per host
  • Runs locally — no extra tooling to install
  • CVE detection on internal hosts via the agent
cvesafe — host audit
$ cvesafe audit --host WIN-APP01
SMBv1 enabled HIGH
RDP without NLA HIGH
12 pending updates MEDIUM
BitLocker off MEDIUM
UAC disabled · Guest enabled
$
Integrations

Push issues straight into your workflow

Open vulnerabilities as ServiceNow incidents with two-way status sync — resolve it there and it closes here, and vice-versa — or fire signed webhooks to Slack, Jira, Zendesk, SOAR and your own automations. Create tickets automatically above a severity threshold.

  • ServiceNow incidents — bidirectional sync
  • Signed (HMAC) webhooks for any endpoint
  • Auto-create tickets above your severity threshold
cvesafe — integrations
$ cvesafe integrations --status
ServiceNow INC0012345
Webhook · Slack 200 OK
Webhook · n8n signed
Jira soon
$
Power user

A powerful built-in CLI — drive everything by command

Open the console from the header (or Ctrl/⌘ + `) and run CVEsafe by typing, FortiGate-style. It runs in your browser against the same API as the UI, so it respects your role and only ever touches your own data — nothing to install.

  • Targets, scans, issues, reports & more as commands
  • Command history, tab-completion and inline help
  • Same permissions and tenant isolation as the web app
cvesafe — CLI
acme # scan run 12 --engine nmap_full
Scan #3187 queued (nmap_full)
acme # issue list --severity high --open
1423 high urgent Log4Shell
help · whoami · go issues · report 101 --pdf
acme #
Before & after

Replace the patchwork of tools

Toggle to see what changes when your scanning lives in one place.

  • Separate tools for ports, web, TLS and network — stitched together by hand
  • Findings scattered across exports; no shared risk score
  • Blind spots: forgotten subdomains never get scanned
  • Noise — thousands of low/info findings bury the real risks
  • Internal/LAN assets left out entirely
Get started in minutes

Three steps to your first scan

1. Create a group

Organize assets by environment, team or app — each group tracks an aggregate risk score.

2. Add a target

Register a website, host, CIDR or API you own. Add a domain and we map its subdomains for you.

3. Run a scan

Pick your engines and launch. Results land with a risk grade — and a report in your inbox.

Best-in-class, unified

We run the engines — you get the outcomes

Industry-standard scanners, orchestrated into one result. Here's what each one actually finds for you.

  • Ports & services: Every exposed port & service — the doors attackers knock on
  • Known CVEs & misconfig: Known CVEs, exposed admin panels & default credentials
  • Web app testing: Injection, XSS & broken authentication in your web apps
  • TLS & certificates: Weak TLS, expired or mis-issued certificates
  • Network vuln tests (NVTs): Thousands of network checks mapped to fixable CVEs

Our commitment to confidentiality is unwavering

We never access, analyse, or store your data or scan results. Your targets and findings are yours alone — so keep your credentials safe. A signed commitment letter will be published right here.

Questions

Frequently asked

Do you store my data or scan results?

No. Our commitment to confidentiality is unwavering — we never access, analyse or store your data or scan results beyond what's needed to show them back to you in your account. Your targets and findings are yours alone.

What can I scan?

Websites, hosts/IPs, CIDR ranges and APIs. Add a domain and we map its subdomains automatically. Public assets are scanned agentlessly; internal/LAN assets are scanned by a lightweight agent you install.

Which scan engines do you run?

We orchestrate best-in-class tools — Nmap, Nuclei, OWASP ZAP, SSLyze and OpenVAS/Greenbone — and consolidate everything into a single report with CVE/CVSS context.

How does the AI help?

CVEsafe uses AI to prioritize your findings — ranking them by real exploitability and exposure so the riskiest surface first — and to triage likely false positives out of the list. You get clear signal instead of thousands of raw alerts.

Agent or agentless — what's the difference?

Public assets need no install (agentless). For assets only reachable inside your network, install our agent; it claims and runs those scans locally, then reports the findings back.

Is unauthorized scanning allowed?

No. You must own the asset or have written authorisation to scan it — we record an ownership declaration for every target you add, for audit.

Can I see what's on my internal network?

Yes. The agent runs LAN discovery — it sweeps your range, classifies each device (router, switch, printer, camera, NAS, host) and inventories it, and can audit the security posture of every machine it runs on (missing patches, SMBv1, RDP/NLA, firewall, Defender, BitLocker). Promote any discovered host to a full CVE scan.

Does it integrate with ServiceNow or other tools?

Yes. Open vulnerabilities as ServiceNow incidents with two-way status sync, or send signed (HMAC) webhooks to Slack, Jira, Zendesk, SOAR and your own automations — automatically above a severity threshold or on demand.

Can I start for free?

Yes. The Free plan lets you run scans with no credit card. Upgrade any time as your attack surface grows — see pricing.

Start finding vulnerabilities today

Spin up your first scan in minutes. No credit card to get started.

Start scanning free →