A scanner that tells you what to fix first — not a 4,000-row PDF.
Robo8's vulnerability engine is Nessus-style in spirit but exploitability-aware and glass-box in approach. It correlates your asset inventory against the live CISA Known-Exploited-Vulnerabilities catalog and NVD/CPE with version-precise matching and CVSS — then puts the handful that can actually get you breached at the top, and opens a tracked case for each one.
From inventory to a prioritized, owned fix
Feed it your inventory
Software/versions from your CMDB, an existing scanner export, or an authorized banner probe of your own hosts. No agents to deploy; the inventory stays on your side.
Correlate against exploited-in-the-wild
Every product is checked against the live CISA KEV catalog — the CVEs attackers are actually using — with ransomware-campaign-linked CVEs flagged.
Make it version-precise
NVD/CPE version-range logic confirms whether your version is in the affected range, attaches the CVSS score & vector, CWE, and the KEV remediation due-date.
Prioritize by real risk
Findings sort by ransomware → known-exploited → CVSS → severity, so the first row is the one that ends up in an incident report, not row 3,000.
Open a case automatically
Each finding becomes a tracked case with an owner, the KEV due-date as its SLA, and a push to Slack / Jira — so a vulnerability has a name against it, not just a dashboard pixel.
Prove it to the auditor
Every scan, finding, assignment and closure is written to a tamper-evident audit trail and surfaced as Prometheus metrics — defensible evidence of due diligence.
Proactive, not periodic
Quarterly scans tell you where you stood three months ago. Robo8 works the way attackers do — continuously, against today's exploited-in-the-wild list.
Re-correlates on every feed refresh
When CISA adds a CVE to the KEV catalog overnight, your existing inventory is re-scored against it the next cycle — a vulnerability you've had for a year can become a priority-one case the morning it starts being exploited.
Opens the case before you ask
A newly-exploited match doesn't wait for someone to read a report. It raises a case, assigns an owner, sets the KEV due-date as the deadline, and notifies the channel.
Closes the loop with live defense
The same platform watching your traffic knows which exposed asset is also being probed — so a "patch eventually" finding is escalated when it's under active reconnaissance.
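The pipeline under "From inventory to a prioritized, owned fix" and the re-correlation on feed refresh described above, as an added example in Python. This is not Robo8's code: the inventory, the NVD-style records and the KEV entries are constructed for the example (the KEV entries use the field names of CISA's published JSON feed, such as cveID, dueDate and knownRansomwareCampaignUse; the CVE IDs are placeholders, not real CVEs). It correlates an inventory against a "day 1" catalog, ranks and opens cases, then repeats with a "day 2" catalog that gained one entry overnight, which moves an older finding to priority one.

```python
"""Added example, not Robo8's code: correlate a software inventory against a
KEV catalog and NVD-style version ranges, rank by exploitability and open
cases whose SLA is the KEV due-date.

All data is constructed for the example. KEV entries use the field names of
CISA's published JSON feed; NVD records use the cpeMatch bound names
(versionStartIncluding etc.). CVE IDs are placeholders, not real CVEs.
Versions are assumed to be dotted integers.
"""

INVENTORY = [  # constructed CMDB export
    {"asset": "vpn-edge-01", "vendor": "fortinet", "product": "fortios", "version": "7.2.1"},
    {"asset": "app-07", "vendor": "apache", "product": "log4j", "version": "2.14.1"},
    {"asset": "web-03", "vendor": "f5", "product": "nginx", "version": "1.24.0"},
]

NVD = [  # constructed NVD-style records, one cpeMatch range each
    {"cve": "CVE-TEST-0001", "vendor": "fortinet", "product": "fortios", "cvss": 9.8,
     "severity": "CRITICAL", "cwe": "CWE-287",
     "versionStartIncluding": "7.2.0", "versionEndExcluding": "7.2.5"},
    {"cve": "CVE-TEST-0002", "vendor": "apache", "product": "log4j", "cvss": 8.1,
     "severity": "HIGH", "cwe": "CWE-917",
     "versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0"},
    {"cve": "CVE-TEST-0003", "vendor": "apache", "product": "log4j", "cvss": 7.5,
     "severity": "HIGH", "cwe": "CWE-400",
     "versionStartIncluding": "2.0", "versionEndExcluding": "2.17.0"},
    {"cve": "CVE-TEST-0004", "vendor": "f5", "product": "nginx", "cvss": 5.3,
     "severity": "MEDIUM", "cwe": "CWE-125",
     "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.25.0"},
]

KEV_DAY1 = {"vulnerabilities": [  # constructed, CISA feed field names
    {"cveID": "CVE-TEST-0001", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-24",
     "knownRansomwareCampaignUse": "Unknown",
     "requiredAction": "Apply updates per vendor instructions."},
]}
KEV_DAY2 = {"vulnerabilities": KEV_DAY1["vulnerabilities"] + [  # overnight addition
    {"cveID": "CVE-TEST-0002", "vendorProject": "Apache", "product": "Log4j",
     "dateAdded": "2024-01-11", "dueDate": "2024-01-25",
     "knownRansomwareCampaignUse": "Known",
     "requiredAction": "Apply updates per vendor instructions."},
]}

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def vcmp(a: str, b: str) -> int:
    """Compare dotted-integer versions; '2.0' == '2.0.0'. Returns -1, 0 or 1."""
    ka, kb = [int(p) for p in a.split(".")], [int(p) for p in b.split(".")]
    n = max(len(ka), len(kb))
    ka += [0] * (n - len(ka))
    kb += [0] * (n - len(kb))
    return (ka > kb) - (ka < kb)


# NVD cpeMatch bound name -> predicate on vcmp(asset_version, bound)
BOUNDS = (("versionStartIncluding", lambda c: c >= 0),
          ("versionStartExcluding", lambda c: c > 0),
          ("versionEndIncluding", lambda c: c <= 0),
          ("versionEndExcluding", lambda c: c < 0))


def in_range(version: str, rec: dict) -> bool:
    """True when the version satisfies every bound the record states."""
    return all(ok(vcmp(version, rec[key])) for key, ok in BOUNDS if key in rec)


def correlate(inventory, nvd, kev):
    """Version-precise join of inventory x NVD, enriched with KEV status."""
    kev_by_id = {e["cveID"]: e for e in kev["vulnerabilities"]}
    findings = []
    for asset in inventory:
        for rec in nvd:
            if (asset["vendor"], asset["product"]) != (rec["vendor"], rec["product"]):
                continue
            if not in_range(asset["version"], rec):
                continue
            k = kev_by_id.get(rec["cve"])
            findings.append({
                "asset": asset["asset"], "cve": rec["cve"], "cvss": rec["cvss"],
                "severity": rec["severity"], "cwe": rec["cwe"],
                "known_exploited": k is not None,
                "ransomware": bool(k) and k["knownRansomwareCampaignUse"] == "Known",
                "due": k["dueDate"] if k else None,
                "required_action": k["requiredAction"] if k else None,
                # stated match basis: which bounds the asset version satisfied
                "match_basis": " and ".join(f"{key}={rec[key]}" for key, _ in BOUNDS if key in rec),
            })
    return findings


def rank(findings):
    """ransomware -> known-exploited -> CVSS -> severity, all descending."""
    return sorted(findings, reverse=True, key=lambda f: (
        f["ransomware"], f["known_exploited"], f["cvss"], SEVERITY_RANK.get(f["severity"], 0)))


def open_cases(ranked, owner_for):
    """One case per finding; the KEV due-date is the SLA. Non-KEV findings get no
    deadline here (assumption: policy for those is set elsewhere)."""
    return [dict(case_id=f"CASE-{i:04d}", priority=i, owner=owner_for(f["asset"]),
                 sla=f["due"], **f) for i, f in enumerate(ranked, 1)]


if __name__ == "__main__":
    for label, kev in (("day 1", KEV_DAY1), ("day 2", KEV_DAY2)):
        print(label)
        for c in open_cases(rank(correlate(INVENTORY, NVD, kev)), lambda a: "soc-oncall"):
            print(f"  P{c['priority']} {c['cve']} {c['asset']} cvss={c['cvss']} "
                  f"kev={c['known_exploited']} ransomware={c['ransomware']} sla={c['sla']}")
```

On day 1 the FortiOS finding leads because it is the only known-exploited match; on day 2 the log4j finding, unchanged in the inventory, overtakes it the moment the catalog marks it ransomware-linked, and its case inherits the new due-date as SLA. Findings with no KEV entry keep their CVSS order below the exploited ones and carry no hard deadline in this example.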
How it plays out in a company
The Fortinet VPN that became urgent overnight
- CMDB shows FortiOS 7.2.1 on the perimeter VPN — long known, low priority.
- CISA adds an authentication-bypass CVE for that version to the KEV catalog.
- Next scan cycle, Robo8 matches it version-precisely (CVSS 9.8), flags it known-exploited & ransomware-linked, and opens a case due in 14 days.
- The case lands in the SOC's Jira and Slack with the NVD link and the vendor's required action.
- Patch verified; Robo8 re-scans, the version no longer falls in the affected range, the case auto-resolves with an audit entry the examiner can read.
One Log4j morning, forty client estates
- A Log4Shell-class CVE spikes across the news cycle.
- Robo8 re-correlates every tenant's inventory and finds log4j 2.14.1 in three estates — version-precisely, not "you might run Java somewhere".
- Three cases open, one per affected tenant, each scoped to that tenant's data and owner.
- The analyst answers the inevitable client email with the CVSS vector, CWE, affected hosts and remediation deadline already in hand — minutes, not a day of triage.
Cutting a 4,000-line report down to nine decisions
- An existing scanner export lists thousands of findings; nobody has time to read it.
- Robo8 ingests the inventory and keeps only what is exploited-in-the-wild and version-confirmed — nine findings, ranked.
- Each becomes a case with an SLA; the rest is captured as context, not noise.
- The security lead reports to the board on nine tracked items with deadlines, instead of a number nobody can act on.
Evidence the auditor actually accepts
- SOC 2 requires demonstrable vulnerability management with timely remediation.
- Robo8's audit trail shows every finding, who owned it, the due-date, and when it closed.
- Metrics expose mean-time-to-remediate for known-exploited CVEs.
- The control is evidenced by data, not a screenshot of a dashboard.
Scenarios are illustrative of how the engine and case workflow operate; outcomes vary by environment and inventory quality.
Why the matching is trustworthy
Version-precise, not product-vague
NVD/CPE version ranges (the cpeMatch bounds versionStartIncluding, versionStartExcluding, versionEndIncluding and versionEndExcluding, plus pinned and wildcard CPEs) confirm whether your exact version is affected — so "FortiOS 7.2.1" matches only the CVEs whose range covers it.
Token-aware — fewer false positives
A plain nginx asset won't be flagged by an nginx-ui CVE, and a contradicted vendor is rejected. You can pin an exact cpe: string for an authoritative match.
Build-number aware
Marketing names like Exchange 2019 CU12 or Windows 10 22H2 are normalized to the build version NVD actually uses, so vendor-versioned products still match their CVE ranges instead of silently slipping through.
Enriched for the analyst
Every finding carries the CVSS score & vector, CWE weakness IDs, NVD publication date, reference links, a stated match basis, and the KEV remediation due-date.
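The matching rules in this section (version-range bounds, pinned and wildcard CPEs, token-aware product and vendor checks, build-number normalization, a stated match basis) as an added Python example. This is not Robo8's matcher: the CPE criteria are constructed in NVD's cpeMatch shape, and the build alias table is an illustrative sample that a real deployment would fill from vendor build tables. cpe_match returns the match basis as a string, or None when the asset is not affected.

```python
"""Added example, not Robo8's code: CPE 2.3 matching that is version-precise,
token-aware and build-number-aware. Sample criteria are constructed; the
build alias table is illustrative and would come from vendor build tables.
"""
import re

# NVD cpeMatch bound name -> predicate on vcmp(asset_version, bound)
BOUNDS = (("versionStartIncluding", lambda c: c >= 0),
          ("versionStartExcluding", lambda c: c > 0),
          ("versionEndIncluding", lambda c: c <= 0),
          ("versionEndExcluding", lambda c: c < 0))

# Constructed alias table: (vendor, product, marketing name) -> build version.
BUILD_ALIASES = {
    ("microsoft", "exchange_server", "2019 cu12"): "15.2.1118.7",
    ("microsoft", "windows_10", "22h2"): "10.0.19045",
}


def vcmp(a: str, b: str) -> int:
    """Compare the numeric components of two versions; '2.0' == '2.0.0'."""
    ka = [int(p) for p in re.findall(r"\d+", a)]
    kb = [int(p) for p in re.findall(r"\d+", b)]
    n = max(len(ka), len(kb))
    ka += [0] * (n - len(ka))
    kb += [0] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def parse_cpe23(s: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 attributes (escaped ':' kept intact)."""
    parts = re.split(r"(?<!\\):", s)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {s}")
    keys = ("part", "vendor", "product", "version", "update", "edition", "language",
            "sw_edition", "target_sw", "target_hw", "other")
    return dict(zip(keys, parts[2:]))


def tokens(name: str) -> tuple:
    """'Exchange Server' and 'exchange_server' -> ('exchange', 'server'); 'nginx-ui' -> ('nginx', 'ui')."""
    return tuple(t for t in re.split(r"[\s_\-]+", name.lower()) if t)


def cpe_match(asset: dict, criterion: dict, aliases: dict = BUILD_ALIASES):
    """Return a match-basis string if the asset is affected, else None.

    asset: {'product', 'version', optional 'vendor', optional pinned 'cpe'}
    criterion: {'criteria': <CPE 2.3 string>, optional NVD bound fields}
    """
    c = parse_cpe23(criterion["criteria"])
    if asset.get("cpe"):                      # pinned CPE: authoritative identity
        a = parse_cpe23(asset["cpe"])
        vendor, product, basis = a["vendor"], a["product"], "pinned cpe"
    else:
        vendor, product, basis = asset.get("vendor", ""), asset["product"], "name tokens"
    # Vendor: unknown on either side is compatible; a stated, different vendor contradicts.
    if vendor and c["vendor"] != "*" and vendor.lower() != c["vendor"].lower():
        return None
    # Product: whole-token equality, so 'nginx' never matches 'nginx_ui'.
    if c["product"] != "*" and tokens(product) != tokens(c["product"]):
        return None
    # Build-number normalization: marketing name -> the version the ranges are written in.
    version = aliases.get((c["vendor"].lower(), c["product"].lower(),
                           asset["version"].lower()), asset["version"])
    if c["version"] not in ("*", "-"):        # pinned version in the CPE: exact match only
        return f"{basis}, exact version {c['version']}" if vcmp(version, c["version"]) == 0 else None
    for key, ok in BOUNDS:                    # wildcard version: apply the stated bounds
        if key in criterion and not ok(vcmp(version, criterion[key])):
            return None
    bounds = ", ".join(f"{k}={criterion[k]}" for k, _ in BOUNDS if k in criterion)
    return f"{basis}, version {version} within {bounds or 'any version'}"


# Constructed criteria in NVD cpeMatch shape.
FORTIOS_RANGE = {"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "7.2.0", "versionEndExcluding": "7.2.5"}
FORTIOS_PINNED = {"criteria": "cpe:2.3:o:fortinet:fortios:7.2.1:*:*:*:*:*:*:*"}
NGINX_UI = {"criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.0.0"}
NGINX = {"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.25.0"}
EXCHANGE = {"criteria": "cpe:2.3:a:microsoft:exchange_server:*:*:*:*:*:*:*:*",
            "versionStartIncluding": "15.2.0.0", "versionEndExcluding": "15.2.1258.12"}

if __name__ == "__main__":
    checks = [
        ({"vendor": "fortinet", "product": "FortiOS", "version": "7.2.1"}, FORTIOS_RANGE),
        ({"vendor": "fortinet", "product": "FortiOS", "version": "7.2.5"}, FORTIOS_RANGE),
        ({"product": "nginx", "version": "1.24.0"}, NGINX_UI),          # token-aware: no match
        ({"vendor": "oracle", "product": "nginx", "version": "1.24.0"}, NGINX),  # contradicted vendor
        ({"cpe": "cpe:2.3:a:f5:nginx:1.24.0:*:*:*:*:*:*:*", "product": "nginx",
          "version": "1.24.0"}, NGINX),
        ({"vendor": "Microsoft", "product": "Exchange Server", "version": "2019 CU12"}, EXCHANGE),
    ]
    for asset, crit in checks:
        print(asset["product"], asset["version"], "->", cpe_match(asset, crit))
```

The Exchange case is the one worth watching: with the alias table in place "2019 CU12" becomes a build number inside the stated range and matches; with an empty alias table the marketing name compares as (2019, 12) against 15.2.x bounds and silently falls outside them, which is exactly the slip the normalization prevents.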
How it differs from a classic scanner
| Dimension | Classic vulnerability scanner | Robo8 |
|---|---|---|
| Output | Exhaustive list, severity by CVSS alone | Exploitability-ranked — known-exploited & ransomware first |
| Cadence | Scheduled scans | Continuous re-correlation against the live KEV catalog |
| What happens next | You export and triage manually | Auto-opens a tracked case with owner, SLA & Slack/Jira push |
| Context | Standalone | Shares context with live detection — exposed + under-probe escalates |
| Data & trust | Often appliance/cloud | Runs on your infra; inventory stays local; every step audited |
Comparison reflects common characteristics of scheduled scanners; evaluate against your specific tool. Robo8 complements an existing scanner — feed it the export. Third-party products are named for context only; no affiliation implied.