
REAEGIS
Adversarial validation & remediation

ADVERSARIUS

Validate findings and produce remediation that is traceable to the exact control violated — a merge request in connected mode, a signed patch bundle in disconnected mode.

The problem

Alerts without fixes don't close findings

Scanners produce alerts, and alerts age into risk acceptance — critical CVEs stay open 67 days on average in federal environments. ADVERSARIUS runs CVE scanning through Grype, STIG compliance through OpenSCAP, and configuration audits continuously. When a finding is detected, it generates the fix: the patched dependency, the hardening script, the configuration change — with the control requirement text and OSCAL evidence attached.

ADVERSARIUS exists to close findings — not file them.

Core capabilities

What it does

CVE scanning

Native Grype scanning across dependencies, filesystems, SBOMs, and container images.

  • Four-stage scan lifecycle
  • NVD, OSV, and GitHub Advisory data
  • Offline Grype DB for air-gapped environments

SBOM generation

Syft-generated SBOMs, hashed and linked to every scan output.

  • Per-build SBOM capture
  • SBOM diff on dependency changes
  • Stored as evidence

STIG scanning

OpenSCAP with DISA SCAP content against containers and VMs.

  • Bash, Ansible, or PowerShell remediation scripts
  • CKL files updated to PASS
  • Based on DISA guidance

Remediation planner

Every fix is classified into a risk tier that determines testing and approval.

  • Tier 1 patch: auto-merge on green
  • Tier 3 major: regression + ISSO signoff
  • Tier 4 image swap: CAB quorum of 3

AI provider interface

Provider-agnostic remediation generation, governed by deployment tier.

  • Claude, Bedrock GovCloud, Azure OpenAI Gov
  • Outcome tracked: merged, modified, rejected
  • AI drafts — humans approve

Offline rule engine

Deterministic remediation when AI is not authorized or connectivity doesn't exist.

  • Preloaded YAML ruleset
  • Covers ~80% of findings offline
  • Same evidence model as AI mode

How it works

Step-by-step lifecycle

  1. Scan 1 — Pre-PR
     NVD, OSV, and GitHub Advisory metadata confirm whether a proposed version actually fixes the CVE. The finding stays open.
  2. Scan 2 — CI/CD
     The built artifact is scanned after a clean install — node_modules, built container image, the works. Still open.
  3. Scan 3 — RAMPART gate
     Grype scans the exact image digest about to be deployed: the production-bound artifact, not a proxy. Still open.
  4. Remediation raised
     The planner determines fix path, risk tier, test requirements, and approval route — then generates the MR, patch bundle, or hardening script.
  5. Scan 4 — Production
     The running production container is scanned continuously. Only when the vulnerability is confirmed absent does the finding close.

Example scenario

A Tier 1 dependency patch, end to end

A critical CVE lands in a transitive dependency overnight. By morning the fix is merged, deployed, and verified — with every step recorded and mapped to SI-2, RA-5, and SI-3.

Illustrative example. Not real customer data.

  Finding               CVE-2026-21412 · critical          DETECTED
  Fix                   lodash 4.17.20 → 4.17.21           TIER 1
  Tests                 Unit + CVE re-scan + SBOM diff     PASS
  Approval              Auto-merge per CM-3(f)             MERGED
  Scan 4                Production image verified clean    CLOSED
  Time to verified fix  Hours                              WAS 67 DAYS

Audit output
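The lifecycle rule from the steps above (a finding stays open through scans 1–3 and closes only when the production scan confirms the CVE is absent), walked through with the lodash scenario, as an added Python illustration; this is not ADVERSARIUS code, and the stage labels, the tier-to-approval table and the sample scan results are constructed for the example.

```python
# Four-stage finding lifecycle from this page, as a stand-alone illustration (not
# ADVERSARIUS code); stage labels, tier table and sample values are constructed.
from dataclasses import dataclass, field

# Constructed labels for scans 1-4 (pre-PR, CI/CD, deployment gate, production).
STAGES = ("pre_pr", "ci_cd", "gate", "production")
# Approval route per risk tier, taken from the tiers listed on the page.
TIER_POLICY = {1: "auto-merge on green", 3: "regression + ISSO signoff",
               4: "CAB quorum of 3"}

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def fix_resolves(advisory_fixed: str, proposed: str) -> bool:
    """Scan 1: the proposed version must be at or past the advisory's fixed version."""
    return parse_version(proposed) >= parse_version(advisory_fixed)

@dataclass
class Finding:
    cve: str
    tier: int
    scans: dict = field(default_factory=dict)  # stage -> CVE still present?

    def record_scan(self, stage: str, present: bool) -> None:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        self.scans[stage] = present

    def approval_route(self) -> str:
        return TIER_POLICY[self.tier]

    def status(self) -> str:
        """Clean results at scans 1-3 never close a finding; only production does."""
        return "CLOSED" if self.scans.get("production") is False else "OPEN"

    def evidence(self) -> list:
        """Per-stage results in lifecycle order, for the audit record."""
        return [(s, "present" if self.scans[s] else "absent")
                for s in STAGES if s in self.scans]

if __name__ == "__main__":
    # Constructed walk-through of the lodash scenario on this page.
    f = Finding("CVE-2026-21412", tier=1)
    assert fix_resolves("4.17.21", "4.17.21") and not fix_resolves("4.17.21", "4.17.20")
    f.record_scan("pre_pr", present=True)       # vulnerable version still in the tree
    f.record_scan("ci_cd", present=False)       # patched build is clean...
    f.record_scan("gate", present=False)        # ...and so is the gated image,
    assert f.status() == "OPEN"                 # but the finding stays open
    f.record_scan("production", present=False)  # scan 4 confirms absence in prod
    print(f.status(), f.approval_route(), f.evidence())
```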

What ADVERSARIUS generates

  • AI-generated remediation MRs with control context
  • Signed patch bundles for disconnected mode
  • STIG remediation scripts (Bash / Ansible / PowerShell)
  • Updated CKL files
  • Four-stage CVE scan reports
  • Remediation outcome records (merged / modified / rejected)

The boundary

AI drafts. A human approves. The workflow executes.

AI-generated remediation cannot bypass approval. Risk tiers determine the testing and signoff every change needs before production — from auto-merged Tier 1 patches to Tier 4 image swaps requiring CAB quorum with three digital signatures and MFA.

Get started

Authorization is not a destination. It is a system property.

REAEGIS is the infrastructure that maintains it — converting every commit, scan, and approval into evidence your Authorizing Official can act on.
