Hand us a domain. We run a continuous loop (discover, analyze, predict, prioritize, validate, remediate, retest, learn) against your real estate, every day. The difference from every other platform is the validate step: each confirmed exposure is sealed into a signed package your own engineer can replay on their laptop and verify offline. Continuous threat & exposure management, made verifiable.
In one paragraph
You authorise a domain. We map what's exposed, correlate it into a live picture of your attack surface, and predict where a real attacker would push next. We prioritise by what is actually exploitable, not by raw CVSS, then prove the ones that land by reproducing them inside a signed, sanitised Proof Capsule. Your team runs the capsule, ships the fix, and retests to confirm the close cryptographically. Every outcome feeds back so tomorrow's run is sharper than today's. The whole loop, from "this could be a problem" to "we have the receipts," is verifiable end-to-end.
Continuous threat & exposure management
Attack surfaces change daily; a point-in-time test goes stale the moment it ships. So we run a closed loop instead: eight stages that repeat every day, each one feeding the next.
Deep DNS enumeration, subdomains, technologies, certificates, exposed services. We surface the forgotten doors no one is monitoring, refreshed every run.
Findings are correlated into a single live graph of your estate (assets, versions, certificate expiry, relationships), not a flat list of disconnected alerts.
Threat intelligence, EPSS, patch-diff mining and active-exploitation signals project where risk is heading, so you act before the exploit is weaponised, not after.
A planner ranks by what is actually exploitable on your surface, mapped to business impact, cutting the noise that buries the findings that matter.
The differentiator. Each prioritised exposure is reproduced and sealed into a signed, replayable Proof Capsule. Two independent confirms before it reaches you.
Patch citation, remediation guidance, and the controls each finding touches, pre-mapped to SOC 2, ISO 27001, HIPAA, PCI-DSS, pushed where engineering works.
Re-run the same capsule after the fix and confirm fix-confirmed cryptographically. Wire it into CI so a regression fails the build automatically.
Every outcome, whether confirmed, false positive, or fix-confirmed, feeds back. New disclosures are tested against the catalogue overnight. The loop sharpens itself.
Learn → Discover. The loop closes and begins again the next day. Every stage emits a forensic-grade record; any chain is fully replayable; engineering can audit any decision the system made.
The same loop, in four verbs
The eight-stage loop maps to four active verbs. Each one names a real capability your team gets to run, see, and verify themselves, before, during, and after the breach window.
Continuously discover the surface a real attacker would map, correlate it into a live picture, and predict where exposure is heading next.
Loop stages: Discover · Analyze · Predict · Prioritize
Reproduce the exploit in a sealed, signed capsule. Sanitise it. Calibrate the confidence. Refuse to ship anything a second independent agent can't replay.
Loop stage: Validate, the Proof Capsule
Hand engineering the patch citation, the remediation guidance, and the controls each finding touches, pre-mapped to the frameworks your auditors cite.
Loop stage: Remediate
Re-run the same capsule after the fix and confirm the close cryptographically. Then learn from the outcome so the next run is sharper.
Loop stages: Retest · Learn
Why "verifiable" is the whole point
Every other exposure-management platform stops at a prioritised list. We go one stage further: the Proof Capsule. For each confirmed exposure we seal the reproduction (request, payload, response, decision trace) into a package signed with an Ed25519 key, anchored to a public append-only log.
Your engineer runs it on their own laptop, against your own estate, and watches the finding reproduce in front of them. Tamper a single byte and the signature breaks. The verify-only tooling is open, so your team, your auditor, and your underwriter can confirm it offline, without trusting our infrastructure, and without us in the room. That is what verifiable security means: not "trust our scanner," but "replay it yourself."
Plain-language first, technical depth second
We map every asset a real attacker would find, including the forgotten subdomains and certificates no one is watching, then correlate them into one live picture instead of a flat list of alerts. You see your estate the way an adversary sees it.
Deep DNS enumeration runs on every new engagement and weekly thereafter. Discovered assets are correlated into an asset graph keyed by subdomain, carrying technology fingerprints, software versions, and certificate-expiry windows that drive downstream prioritisation.
We don't rank by raw severity scores. We rank by what is actually exploitable on your surface, weighted by where the wider threat landscape is heading, so engineering spends its time on the issues most likely to be used against you.
A planning agent reasons over the asset graph plus a corpus of tagged tests, scoring candidates with EPSS, active-exploitation feeds, and a nightly patch-diff mining run. Reflexion-style gates decide whether to expand a test chain or close it; bounded payload mutation stays inside the documented technique class.
Before any test runs, the system builds a sandbox that can only talk to the host you authorised. Production-tagged hosts get a delay and a typed-confirmation step. We make sure the AI never makes a change it can't undo.
A scope contract bounds every scan: domain whitelist, port whitelist, request-rate ceiling, exclusion list. Out-of-scope hits are refused at the planner, not just the network layer. Destructive-action classification blocks payloads with non-reversible side-effects from generation.
Anything that looks like a finding gets re-run by an independent system before it reaches your dashboard, with two confirms required, then sealed into a Proof Capsule signed end-to-end. Anyone can verify it offline with open tools.
A separate validator agent re-executes the exploit chain with the same payload set and computes a calibrated confidence score against a per-class baseline. Confirmed findings ship as OCI images or signed shell bundles; signing is Ed25519 anchored to a public, append-only log. The capsule schema and verify-only tool ship under an open licence.
Re-run the same capsule after the fix to confirm it actually closed. Every outcome, whether a confirmed finding, a false positive, or a fix-confirmed retest, feeds back into the system, and new disclosures get tested against the catalogue overnight, so coverage moves at the speed of disclosure.
Retest is per-finding and per-capsule, wireable into CI as a build gate. A patch-mining nightly chain ingests public commits, advisories, and pull-request diffs, derives candidate test variants, validates them against the corpus, and ships the survivors into the catalogue the next day.
For the board, not just the SOC
The same continuous loop that drives engineering produces the evidence and trend lines an executive, an auditor, and an underwriter all ask for, without a translation meeting.
Because the loop runs daily, you see your risk posture move over time: new exposures opening, confirmed findings closing, retests holding. A direction of travel, not a single dated PDF that's already stale.
Every confirmed finding carries a signed Proof Capsule. When an auditor, underwriter, or enterprise customer asks for proof, the answer is a file you can hand them, not a meeting you have to schedule.
Findings are pre-mapped to SOC 2, ISO 27001, HIPAA, PCI-DSS and the control taxonomies your auditors cite, with one-click export in the language they expect.
The safety envelope
That's the hardest engineering problem in autonomous validation. It isn't "can the system find the exploit" but "can it find the exploit without breaking production." Six layers of guardrail.
Every scan is bound to a scope contract: domains, ports, request-rate ceiling, exclusion list. Out-of-scope hits are refused at the planner, before they reach the network.
The AI only generates payloads inside the documented technique class. Anything with a non-reversible side-effect, such as data writes or configuration changes, is blocked at generation. We make sure the AI never makes a change it can't undo.
Every finding is re-executed by a separate validator agent before it reaches your dashboard. Two confirms required. Single-shot exploits don't ship.
Before a Proof Capsule is built, every byte is scanned for secrets, personal data, and out-of-scope references. A hit fails the build. The dashboard previews exactly what's inside before any download.
Production-tagged hosts get a thirty-second countdown and a typed-host-name confirmation before any capsule runs. Belt-and-braces against accidentally exploiting prod.
Every request, every payload, every decision the planner made is logged with a stable identifier. Engineering can audit any chain end-to-end. Customers can request the full lineage on any finding.
Integrations
GitHub PR comments with severity and capsule link. GitLab pipeline integration. Retest webhook in pre-merge: build fails on regression. Scan-on-deploy hooks for common platforms.
Jira, Linear, Notion, Plane ticket creation with capsule attached. Slack and Microsoft Teams alerts. PagerDuty for P0/P1 escalation. Webhook for everything else.
SAML, OIDC, Okta, Azure AD, Google Workspace. SCIM provisioning for enterprise engagements. SSO required for enterprise and partner programs.
Webhook into Splunk, Datadog, Elastic, Sumo Logic. JSON event stream of scan lifecycle and findings. Capsule metadata exportable as standard threat-intel formats.
One-click export against SOC 2, ISO 27001, HIPAA, PCI-DSS, NIS2, CMMC-light. Each finding pre-mapped to controls, mapped to the standard taxonomies your auditors expect.
Default deployment is global. Canada, EU, US, APAC, or your own VPC available on request. Celvex is Canadian-built and Canadian-owned, so Canadian data residency is first-class. Your findings and Proof Capsules stay resident in Canada under PIPEDA, while US (CCPA/CPRA) and EU/UK (GDPR) customers get in-region residency with the matching addendum. Your data stays in your region. Sub-processor list and data-flow diagram on the Trust Center.
The roadmap
We tell you what we've built and what we're building. The full roadmap is documented publicly; headline milestones below.
The full continuous loop running daily. Deep DNS discovery, correlated asset graph, prioritisation by exploitability, independent validation, signed Proof Capsules, per-finding retest, and the nightly learning run. Forensic-grade observability per chain.
Verifiable today: run a free scan and replay the capsule.
Predictive risk scoring at the per-asset level. celvex retest in CI as a build gate. Browser-native capsule runner so unconfigured laptops can verify. Capsule schema open-sourced under an open licence.
Verifiable on ship date: roadmap published with quarterly milestones.
Multi-agent debate planner. Patch-diff-to-coverage transformer with single-digit-hour latency. Self-improving feedback loop with calibrated confidence at the per-finding level, audited methodology, third-party benchmark.
We won't claim it before a published benchmark validates it.
The fastest way to evaluate
Just your domain and your work email. We'll handle the rest.