
Turn vulnerability scan data into prioritized action. Runs locally. Your data never leaves your machine.

Project description

VulnPilot

Prioritize vulnerabilities using real-world exploit intelligence — not just severity scores.

Runs locally. Your data never leaves your machine.

License: MIT · Python 3.10+ · Status: Developer Preview · Version: 0.1.0


Quick Start

pip install vulnpilot
vulnpilot update-feeds
vulnpilot analyze scan.csv

VulnPilot downloads the latest public threat intelligence, analyzes your Nessus scan locally, and shows what should be remediated first. No API keys required.


Features

  • Local-first vulnerability prioritization — scan data never leaves your machine
  • CISA KEV enrichment — flags findings confirmed exploited in the wild
  • FIRST EPSS enrichment — exploitation probability scoring
  • Composite risk scoring — KEV + EPSS + CVSS combined
  • Top vulnerable hosts ranked by aggregate risk
  • Zero cloud upload, zero telemetry, zero account required
  • GitHub Actions daily feed automation
  • Open source Community Edition — MIT licensed

The problem

Security teams often spend hours manually triaging scan results. Your Nessus export contains thousands of findings. CVSS says hundreds are Critical. The real question — which ones are actively being exploited right now?

VulnPilot automates this process in seconds on typical scan files.


Why VulnPilot?

  Instead of                          VulnPilot
  ─────────────────────────────────   ──────────────────────────────────────────────
  Sorting by CVSS score alone         Uses KEV + EPSS + CVSS composite scoring
  Manual triage taking hours          Automated prioritization in seconds
  Uploading scans to cloud services   Local-first — data never leaves your machine
  Enterprise-only platforms           Developer Preview — free and open source

Why local-first?

Many organizations prohibit uploading vulnerability scan data to third-party cloud services. VulnPilot performs all analysis locally on your machine.

No customer vulnerability data is transmitted outside your environment.


Architecture

          Public Threat Intelligence
      +-------------------------------+
      |  CISA KEV      FIRST EPSS     |
      +---------------+---------------+
                      |
              vulnpilot update-feeds
                      |
          ~/.vulnpilot/feeds/ (local cache)
                      |
              vulnpilot analyze
                      |
      Nessus CSV (Local Machine Only)
                      |
         Composite Risk Engine
                      |
         Prioritized Findings

Only public threat intelligence feeds are downloaded. No API keys required. Your scan data never leaves your machine.


Install

pip install vulnpilot

Tested on Python 3.10, 3.11, and 3.12.


Usage

# Download latest KEV and EPSS feeds
vulnpilot update-feeds

# Analyze a Nessus CSV export
vulnpilot analyze scan.csv

# Show top N hosts by aggregate risk
vulnpilot analyze scan.csv --top-hosts 5

# Use local feed files
vulnpilot analyze scan.csv --kev ./kev.json --epss ./epss.csv.gz

# Disable colour output (for CI pipelines)
vulnpilot analyze scan.csv --no-colour

Example output

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  VulnPilot by PatchVex — Vulnerability Prioritization
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  Total findings        : 5,482
  Unique hosts          : 47
  Critical              : 142
  KEV matches           : 19
  EPSS >= 90%           : 31
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  #    Score   Priority      Host              CVE                Finding
  ───────────────────────────────────────────────────────────────────────
  1    100.0   CRITICAL NOW  192.168.1.10      CVE-2021-44228     Log4Shell ★KEV
  2    100.0   CRITICAL NOW  192.168.1.25      CVE-2023-34362     MOVEit SQL Injection ★KEV
  3    99.8    CRITICAL NOW  192.168.1.15      CVE-2020-1472      Zerologon ★KEV
  4    99.7    CRITICAL NOW  192.168.1.11      CVE-2021-26084     Confluence RCE ★KEV
  5    11.5    LOW           192.168.1.10      N/A                SSH Weak Ciphers

  ★ KEV = CISA Known Exploited Vulnerability — highest remediation priority
        based on active exploitation in the wild.

  TOP 10 HOSTS BY AGGREGATE RISK
   1. 192.168.1.10    score=122.0 [1 KEV] [1 critical]
   2. 192.168.1.25    score=100.0 [1 KEV] [1 critical]
   3. 192.168.1.15    score=99.8  [1 KEV] [1 critical]

How scoring works

The scoring algorithm is deterministic, transparent, and fully documented.

VulnPilot uses a composite risk score that combines four signals:

  Signal                 Weight   Source
  ─────────────────────  ──────   ───────────────────────────
  CISA KEV match         40%      Known exploited in the wild
  FIRST EPSS score       35%      Exploitation probability
  CVSS base score        15%      Severity context
  Scanner risk rating    10%      Nessus severity label

The composite score is intentionally opinionated. Known exploited vulnerabilities receive the greatest weight because active exploitation is a stronger predictor of remediation priority than severity alone. EPSS estimates exploitation likelihood in the next 30 days, while CVSS and scanner severity provide additional context for findings without EPSS data.

Any finding confirmed in the CISA KEV catalog scores a minimum of 75 regardless of other factors. The weighting model is intentionally transparent and may evolve based on community feedback and real-world usage.

Note

VulnPilot provides prioritization guidance to assist remediation workflows. Final remediation decisions should always consider asset criticality, business context, exploit mitigations, and organizational risk tolerance.


Privacy by design

  • Scan data processed entirely on your local machine
  • No account required
  • No cloud upload, ever
  • No telemetry or analytics
  • No API keys required
  • Works air-gapped after initial feed download
  • Open source — inspect every line of code

Feed updates

VulnPilot pulls two public datasets:

  • CISA KEV — Known Exploited Vulnerabilities catalog (maintained by CISA)
  • FIRST EPSS — Exploit Prediction Scoring System (updated daily by FIRST.org)

Feeds are cached at ~/.vulnpilot/feeds/ on your machine. No API keys required.

vulnpilot update-feeds

The GitHub repository also runs an automated daily feed sync via GitHub Actions, publishing optimized feed files for the CLI to consume.


Supported scanners

  Scanner                Status
  ─────────────────────  ────────────
  Nessus (.csv export)   ✅ Supported
  Qualys                 Planned
  Rapid7                 Planned
  OpenVAS                Planned
  Microsoft Defender     Planned
  AWS Inspector          Planned

Roadmap

Current — v0.1.0 (Developer Preview)

  • Nessus CSV parser
  • CISA KEV enrichment
  • FIRST EPSS enrichment
  • Composite risk scoring
  • Prioritized terminal output
  • Top hosts by aggregate risk
  • Free tier — top 20 findings
  • GitHub Actions daily feed automation

v0.2.0

  • HTML report export
  • PDF report export

v0.3.0

  • Jira integration
  • Slack notifications
  • Scheduled scans

v0.4.0

  • Qualys CSV support
  • REST API

v1.0.0

  • Rapid7 and OpenVAS support
  • Self-hosted Docker edition
  • Team features

Future development priorities will be driven by community feedback and real-world usage.


Requirements

  • Python 3.10, 3.11, or 3.12
  • pip
  • Internet connection for feed updates (air-gapped use supported after initial download)
  • Nessus .csv export file

Contributing

Issues, bug reports, and pull requests are welcome.

Good first issues are labelled good first issue in the issue tracker. Please search existing issues before opening a new one.


Acknowledgements

VulnPilot uses publicly available threat intelligence published by:

  • CISA — Known Exploited Vulnerabilities catalog
  • FIRST.org — Exploit Prediction Scoring System

Thank you to both organizations for maintaining these community resources.


License

MIT License — see LICENSE for details.

Free to use, modify, and distribute. Commercial use permitted.


About PatchVex

VulnPilot is built and maintained by PatchVex.

PatchVex builds privacy-first workflow tools for security and DevSecOps teams. Our products help engineers spend less time managing vulnerability data and more time fixing the issues that matter.

Download files

Source Distribution

vulnpilot-0.1.0.tar.gz (16.7 kB)


Built Distribution


vulnpilot-0.1.0-py3-none-any.whl (14.9 kB)


File details

Details for the file vulnpilot-0.1.0.tar.gz.

File metadata

  • Download URL: vulnpilot-0.1.0.tar.gz
  • Size: 16.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for vulnpilot-0.1.0.tar.gz
Algorithm Hash digest
SHA256 274c2fc89c74fa03ec977cc5d561d26f85e2e56733d626d9c00d8daf8296d7f7
MD5 c0ca2110582e8d506156f469370fe20f
BLAKE2b-256 475e69c3545285988fbc78b17bb686082c5de436cda6123d931063b4c40dc1f4


File details

Details for the file vulnpilot-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: vulnpilot-0.1.0-py3-none-any.whl
  • Size: 14.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for vulnpilot-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 95de461083237c11ee920f9ae1e041b1c1d2fed8bdd0948f9ed0b5e1866b672a
MD5 615c6722ea7f9968920b0739d1c2bb47
BLAKE2b-256 beaf790a1a3c067884df9bb4eb3009cf3b43ed5203f9edd9d0102127eeabf9b1

