Your scanner says you have hundreds of vulnerabilities. Your engineering team says most aren't real. They're both partly right — and the argument burns weeks every quarter while neither side moves forward.
We end that argument. Hand us your existing scanner output. We test each finding against your real environment and tell you which ones are actually reachable — with a short proof for every answer, yes or no. Your team gets a queue they can trust and a clear path to fix.
Just your domain and your work email. We'll handle the rest.
Why this category exists
A CVSS 9.8 in your scanner output might be unreachable in your environment — behind authentication, behind a WAF, on an isolated network segment. A CVSS 6.5 might be the keystone of an exploit chain that ends in customer-data exfiltration. Without validation, you're prioritising on a number that doesn't know your environment. With validation, you're prioritising on a Proof Capsule that does.
What it does
Tenable, Qualys, Rapid7, Wiz, Snyk, GitHub Advanced Security, Dependabot, Trivy, your homegrown scanner — we ingest the findings, normalise them, and pull them into the validation pipeline. No need to migrate; we work with what you already have.
Before we exploit anything, we determine whether the vulnerability is reachable from where an attacker would be. Network path, authentication gate, WAF posture, runtime exposure. A finding that isn't reachable gets de-prioritised; a finding that is gets queued for exploitation.
The same CVE behaves differently across deployments. We replay the exploit against your actual asset, with your actual version, your actual config, your actual data shape — not a CVE database lookup. The result is exploitable-in-this-environment or not.
Every confirmed finding ships with a calibrated probability score. We don't claim 0.99 on a class where we historically hit 0.84. The dashboard shows you the distribution: high-confidence exploitable, low-confidence requires-review, confirmed-not-exploitable.
For every finding we mark "not exploitable in this environment", we ship the evidence: the reachability test, the version mismatch, the compensating control that blocked the exploit. Engineering doesn't have to take our word for the rejection — the Proof Capsule for the negative is just as runnable as the positive.
Environment drifts. Patches roll out. New code ships. The platform re-validates open findings on a configurable cadence and flags any that change verdict — so a finding marked "blocked by WAF" gets re-tested when the WAF rule changes.
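The reachability gating, calibrated scoring and re-validation described above, as an added illustration in Python. This is not the vendor's pipeline or code: the Finding schema, the vulnerability-class taxonomy, the HISTORY table of past outcomes, the sample findings and the verdict labels are all constructed here for the example.

```python
"""Triage scanner findings by reachability-in-context and rank the reachable ones
by a calibrated probability instead of the CVSS base score.

Added example, not the vendor's pipeline. The Finding fields, HISTORY table,
sample findings and verdict labels are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    fid: str
    cvss: float                 # base score as reported by the scanner
    vuln_class: str             # constructed taxonomy used to key HISTORY
    affected: Tuple[str, str]   # [min_inclusive, max_exclusive) from the advisory
    installed: str              # version actually deployed on the asset
    internet_exposed: bool      # a network path exists from the attacker position
    requires_auth: bool         # an authentication gate sits in front of the endpoint
    waf_blocks: bool            # a WAF rule is known to drop the exploit request
    model_confidence: float     # raw "exploitable" score from a hypothetical model


MIN_SAMPLES = 20  # below this, history is too thin to override the raw score

# Constructed history per class: (confirmed exploitable, total replay attempts)
HISTORY: Dict[str, Tuple[int, int]] = {
    "deserialization": (84, 100),
    "sqli": (47, 50),
    "ssrf": (12, 30),
}


def _ver(s: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))


def version_affected(f: Finding) -> bool:
    lo, hi = f.affected
    return _ver(lo) <= _ver(f.installed) < _ver(hi)


def calibrated_probability(f: Finding) -> float:
    """Report the class's observed hit rate rather than the model's raw score,
    so a class that historically confirms 84% of the time is never sold as 0.99."""
    hits, total = HISTORY.get(f.vuln_class, (0, 0))
    if total < MIN_SAMPLES:
        return round(f.model_confidence, 2)
    return round(hits / total, 2)


def triage(f: Finding, attacker_authenticated: bool = False) -> Tuple[str, str, float]:
    """Return (verdict, evidence, probability).

    Every rejection carries evidence an engineer can re-check. Only findings that
    survive every gate are queued for exploit replay, with a calibrated prior."""
    if not version_affected(f):
        lo, hi = f.affected
        return ("not-exploitable", f"version mismatch: {f.installed} not in [{lo}, {hi})", 0.0)
    if not f.internet_exposed:
        return ("unreachable", "no network path from the attacker position", 0.0)
    if f.requires_auth and not attacker_authenticated:
        return ("unreachable", "behind an authentication gate", 0.0)
    if f.waf_blocks:
        return ("not-exploitable", "compensating control: WAF rule blocks the exploit request", 0.0)
    p = calibrated_probability(f)
    return ("queued", f"reachable; prior from {f.vuln_class} history", p)


def prioritise(findings: List[Finding]) -> List[Tuple[str, float, float]]:
    """Queue of (fid, probability, cvss) for reachable findings, highest probability first."""
    queue = []
    for f in findings:
        verdict, _, p = triage(f)
        if verdict == "queued":
            queue.append((f.fid, p, f.cvss))
    return sorted(queue, key=lambda t: (-t[1], -t[2]))


def revalidate(previous: Dict[str, str], findings: List[Finding]) -> Dict[str, Tuple[str, str]]:
    """Re-run triage after drift and return {fid: (old_verdict, new_verdict)} for every flip."""
    flips = {}
    for f in findings:
        new, _, _ = triage(f)
        old = previous.get(f.fid)
        if old is not None and old != new:
            flips[f.fid] = (old, new)
    return flips


# Constructed sample: a normalised scanner export joined with environment facts.
SAMPLE: List[Finding] = [
    Finding("F-1", 9.8, "deserialization", ("2.0.0", "2.4.0"), "2.3.1", False, False, False, 0.97),
    Finding("F-2", 6.5, "sqli", ("1.0.0", "1.9.0"), "1.4.2", True, False, False, 0.90),
    Finding("F-3", 9.1, "ssrf", ("3.0.0", "3.2.0"), "3.1.0", True, False, True, 0.99),
    Finding("F-4", 7.5, "deserialization", ("2.0.0", "2.3.5"), "2.4.0", True, False, False, 0.95),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.fid, triage(f))
    print("queue:", prioritise(SAMPLE))
    # The WAF rule in front of F-3 is removed: the parked finding must flip to queued.
    before = {f.fid: triage(f)[0] for f in SAMPLE}
    drifted = [replace(f, waf_blocks=False) if f.fid == "F-3" else f for f in SAMPLE]
    print("flips:", revalidate(before, drifted))
```

Run as written, the 9.8 deserialization bug is parked as unreachable and the 6.5 SQL injection heads the queue at 0.94, which is the point of prioritising by context rather than base score. Each rejection string is the negative evidence an engineer can re-check (the version range, the missing network path, the blocking control). The calibration here is deliberately simple, a per-class empirical rate with a minimum sample count; a production system would also bucket by the model's confidence bin, but the principle is the same: report what the class has actually delivered, not what the model asserts.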
What you get
Find. Prove. Fix. Verify. — applied to validation
Find: Take the scanner output. Determine which findings are reachable from where an attacker would be. The unreachable get parked.
Prove: For every reachable finding, the capsule replays the exploit against your asset and confirms the outcome. False positives ship with the negative proof.
Fix: Confirmed findings come with the upstream patch and the remediation path. Rejected findings come with the reason, so engineering closes the ticket without arguing.
Verify: The retest replays the same exploit and confirms the fix, or flags the finding as still vulnerable if the patch missed the actual exploitable path.
Where it fits in CTEM
CTEM's Prioritisation and Validation stages are exactly where vulnerability validation lives. Discovery (your existing scanner) gives you the universe of findings. Prioritisation should be by exploitability-in-context, not by CVSS. Validation is what makes that real. Every Proof Capsule we ship makes both stages verifiable to your auditor — the noise stops at the front door.
Start where it costs you nothing
Drop your domain. We'll quietly look at your external footprint and send a short, plain-language report — with at least one real finding your team can verify themselves. No sales pressure. No surprise calls.