How the platform works

A continuous exposure-management loop that proves itself.

Hand us a domain. We run a continuous loop (discover, analyze, predict, prioritize, validate, remediate, retest, learn) against your real estate, every day. The difference from every other platform is the validate step: each confirmed exposure is sealed into a signed package your own engineer can replay on their laptop and verify offline. Continuous threat & exposure management, made verifiable.

What actually happens when you point us at a domain?

You authorise a domain. We map what's exposed, correlate it into a live picture of your attack surface, and predict where a real attacker would push next. We prioritise by what is actually exploitable, not by raw CVSS, then prove the ones that land by reproducing them inside a signed, sanitised Proof Capsule. Your team runs the capsule, ships the fix, and retests to confirm the close cryptographically. Every outcome feeds back so tomorrow's run is sharper than today's. The whole loop, from "this could be a problem" to "we have the receipts," is verifiable end-to-end.

The loop that never stops running.

Attack surfaces change daily; a point-in-time test goes stale the moment it ships. So we run a closed loop instead: eight stages that repeat every day, each one feeding the next.

01 · Discover

Discover

Deep DNS enumeration, subdomains, technologies, certificates, exposed services. We surface the forgotten doors no one is monitoring, refreshed every run.

02 · Analyze

Analyze & correlate

Findings are correlated into a single live graph of your estate (assets, versions, certificate expiry, relationships), not a flat list of disconnected alerts.

03 · Predict

Predict

Threat intelligence, EPSS, patch-diff mining and active-exploitation signals project where risk is heading, so you act before the exploit is weaponised, not after.

04 · Prioritize

Prioritize

A planner ranks by what is actually exploitable on your surface, mapped to business impact, cutting the noise that buries the findings that matter.

05 · Validate

Validate: Proof Capsule

The differentiator. Each prioritised exposure is reproduced and sealed into a signed, replayable Proof Capsule. Two independent confirms before it reaches you.

06 · Remediate

Remediate

Patch citation, remediation guidance, and the controls each finding touches, pre-mapped to SOC 2, ISO 27001, HIPAA, PCI-DSS, pushed where engineering works.

07 · Retest

Retest

Re-run the same capsule after the fix and confirm fix-confirmed cryptographically. Wire it into CI so a regression fails the build automatically.

08 · Learn

Learn

Every outcome, whether confirmed, false positive, or fix-confirmed, feeds back. New disclosures are tested against the catalogue overnight. The loop sharpens itself.

Learn → Discover. The loop closes and begins again the next day. Every stage emits a forensic-grade record; any chain is fully replayable; engineering can audit any decision the system made.

Find. Prove. Fix. Verify.

The eight-stage loop maps to four active verbs. Each one names a real capability your team gets to run, see, and verify themselves, before, during, and after the breach window.

1. Find

Continuously discover the surface a real attacker would map, correlate it into a live picture, and predict where exposure is heading next.

Loop stages: Discover · Analyze · Predict · Prioritize

2. Prove

Reproduce the exploit in a sealed, signed capsule. Sanitise it. Calibrate the confidence. Refuse to ship anything a second independent agent can't replay.

Loop stage: Validate, the Proof Capsule

3. Fix

Hand engineering the patch citation, the remediation guidance, and the controls each finding touches, pre-mapped to the frameworks your auditors cite.

Loop stage: Remediate

4. Verify

Re-run the same capsule after the fix and confirm the close cryptographically. Then learn from the outcome so the next run is sharper.

Loop stages: Retest · Learn

A finding you can't reproduce is a claim. A finding you can replay is evidence.

Every other exposure-management platform stops at a prioritised list. We go one stage further: the Proof Capsule. For each confirmed exposure we seal the reproduction (request, payload, response, decision trace) into a package signed with an Ed25519 key, anchored to a public append-only log.

Your engineer runs it on their own laptop, against your own estate, and watches the finding reproduce in front of them. Tamper a single byte and the signature breaks. The verify-only tooling is open, so your team, your auditor, and your underwriter can confirm it offline, without trusting our infrastructure, and without us in the room. That is what verifiable security means: not "trust our scanner," but "replay it yourself."

Why each layer matters, and how we built it.

The discovery & correlation layer

We map every asset a real attacker would find, including the forgotten subdomains and certificates no one is watching, then correlate them into one live picture instead of a flat list of alerts. You see your estate the way an adversary sees it.

Deep DNS enumeration runs on every new engagement and weekly thereafter. Discovered assets are correlated into an asset graph keyed by subdomain, carrying technology fingerprints, software versions, and certificate-expiry windows that drive downstream prioritisation.

The prediction & prioritisation layer

We don't rank by raw severity scores. We rank by what is actually exploitable on your surface, weighted by where the wider threat landscape is heading, so engineering spends its time on the issues most likely to be used against you.

A planning agent reasons over the asset graph plus a corpus of tagged tests, scoring candidates with EPSS, active-exploitation feeds, and a nightly patch-diff mining run. Reflexion-style gates decide whether to expand a test chain or close it; bounded payload mutation stays inside the documented technique class.

The safety layer

Before any test runs, the system builds a sandbox that can only talk to the host you authorised. Production-tagged hosts get a delay and a typed-confirmation step. We make sure the AI never makes a change it can't undo.

A scope contract bounds every scan: domain whitelist, port whitelist, request-rate ceiling, exclusion list. Out-of-scope hits are refused at the planner, not just the network layer. Destructive-action classification blocks payloads with non-reversible side-effects from generation.

The validation & sealing layer

Anything that looks like a finding gets re-run by an independent system before it reaches your dashboard, with two confirms required, then sealed into a Proof Capsule signed end-to-end. Anyone can verify it offline with open tools.

A separate validator agent re-executes the exploit chain with the same payload set and computes a calibrated confidence score against a per-class baseline. Confirmed findings ship as OCI images or signed shell bundles; signing is Ed25519 anchored to a public, append-only log. The capsule schema and verify-only tool ship under an open licence.

The retest & learning layer

Re-run the same capsule after the fix to confirm it actually closed. Every outcome, whether a confirmed finding, a false positive, or a fix-confirmed retest, feeds back into the system, and new disclosures get tested against the catalogue overnight, so coverage moves at the speed of disclosure.

Retest is per-finding and per-capsule, wireable into CI as a build gate. A patch-mining nightly chain ingests public commits, advisories, and pull-request diffs, derives candidate test variants, validates them against the corpus, and ships the survivors into the catalogue the next day.

The loop also speaks in language a CFO understands.

The same continuous loop that drives engineering produces the evidence and trend lines an executive, an auditor, and an underwriter all ask for, without a translation meeting.

Exposure trend, not a snapshot

Because the loop runs daily, you see your risk posture move over time: new exposures opening, confirmed findings closing, retests holding. A direction of travel, not a single dated PDF that's already stale.

Evidence on demand

Every confirmed finding carries a signed Proof Capsule. When an auditor, underwriter, or enterprise customer asks for proof, the answer is a file you can hand them, not a meeting you have to schedule.

Mapped to the frameworks you report on

Findings are pre-mapped to SOC 2, ISO 27001, HIPAA, PCI-DSS and the control taxonomies your auditors cite, with one-click export in the language they expect.

Can you find the bug without breaking the customer?

That's the hardest engineering problem in autonomous validation. It isn't "can the system find the exploit" but "can it find the exploit without breaking production." Six layers of guardrail.

Layer 01

Scope contract

Every scan is bound to a scope contract: domains, ports, request-rate ceiling, exclusion list. Out-of-scope hits are refused at the planner, before they reach the network.

Layer 02

Reversible-only payloads

The AI only generates payloads inside the documented technique class. Anything with a non-reversible side-effect, such as data writes or configuration changes, is blocked at generation. We make sure the AI never makes a change it can't undo.

Layer 03

Independent validation

Every finding is re-executed by a separate validator agent before it reaches your dashboard. Two confirms required. Single-shot exploits don't ship.

Layer 04

Sanitisation gate

Before a Proof Capsule is built, every byte is scanned for secrets, personal data, and out-of-scope references. A hit fails the build. The dashboard previews exactly what's inside before any download.

Layer 05

Production confirmation

Production-tagged hosts get a thirty-second countdown and a typed-host-name confirmation before any capsule runs. Belt-and-braces against accidentally exploiting prod.

Layer 06

Forensic observability

Every request, every payload, every decision the planner made is logged with a stable identifier. Engineering can audit any chain end-to-end. Customers can request the full lineage on any finding.

Wired into the toolchain your engineering team already uses.

CI / CD

GitHub PR comments with severity and capsule link. GitLab pipeline integration. Retest webhook in pre-merge: build fails on regression. Scan-on-deploy hooks for common platforms.

Ticketing & chat

Jira, Linear, Notion, Plane ticket creation with capsule attached. Slack and Microsoft Teams alerts. PagerDuty for P0/P1 escalation. Webhook for everything else.

Identity & SSO

SAML, OIDC, Okta, Azure AD, Google Workspace. SCIM provisioning for enterprise engagements. SSO required for enterprise and partner programs.

SIEM & observability

Webhook into Splunk, Datadog, Elastic, Sumo Logic. JSON event stream of scan lifecycle and findings. Capsule metadata exportable as standard threat-intel formats.

Compliance frameworks

One-click export against SOC 2, ISO 27001, HIPAA, PCI-DSS, NIS2, CMMC-light. Each finding pre-mapped to controls, mapped to the standard taxonomies your auditors expect.

Cloud regions & data residency

Default deployment is global. Canada, EU, US, APAC, or your own VPC available on request. Celvex is Canadian-built and Canadian-owned, so Canadian data residency is first-class. Your findings and Proof Capsules stay resident in Canada under PIPEDA, while US (CCPA/CPRA) and EU/UK (GDPR) customers get in-region residency with the matching addendum. Your data stays in your region. Sub-processor list and data-flow diagram on the Trust Center.

Where we are. Where we're going. Measurable milestones, public dates.

We tell you what we've built and what we're building. The full roadmap is documented publicly; headline milestones below.

Live today

The full continuous loop running daily. Deep DNS discovery, correlated asset graph, prioritisation by exploitability, independent validation, signed Proof Capsules, per-finding retest, and the nightly learning run. Forensic-grade observability per chain.

Verifiable today: run a free scan and replay the capsule.

Shipping this year

Predictive risk scoring at the per-asset level. celvex retest in CI as a build gate. Browser-native capsule runner so unconfigured laptops can verify. Capsule schema open-sourced under an open licence.

Verifiable on ship date: roadmap published with quarterly milestones.

On the roadmap

Multi-agent debate planner. Patch-diff-to-coverage transformer with single-digit-hour latency. Self-improving feedback loop with calibrated confidence at the per-finding level, audited methodology, third-party benchmark.

We won't claim it before a published benchmark validates it.

Point us at a domain. See what comes back.

Just your domain and your work email. We'll handle the rest.