By
Darien Kindlund
VP Security Research @ BlueRock Security

Stop Chasing CVEs: Automate Proof of Coverage

CVEs: BlueRock EVC

Transparent Vulnerability Management

Background

Speed and agility are two major pillars of modern app development—both achieved with the help of open source/third-party libraries and components. These packages have become so important that they now account for 70–90% of typical apps and software projects.

The sheer number of packages—which can range from hundreds of thousands to millions for popular programming languages—creates an enormous challenge for organizations trying to limit exposure and manage vulnerabilities. In 2024, software supply chain risks grew at staggering rates: Common Vulnerabilities and Exposures (CVEs) increased 38% and malicious software packages increased 156%, while adversaries’ average Time-to-Exploit (TTE) plummeted from 32 days to just five.

Patching, mitigating, or neutralizing vulnerabilities is difficult at best. Most firms can’t resolve everything, everywhere, all at once, so they have to prioritize. Even more frustrating is determining which vulnerabilities are already mitigated by your existing security products, because answering that question takes time and effort to research the technical nature of each vulnerability—time that most teams simply don’t have.

The Never-Ending Jobs to Be Done

But it’s more than that, because security is a process, not a destination. We’ve heard from many of our customers about the same endless cycle of time-consuming tasks they have to do. For example, during an active incident, Security Operations teams have to quickly assess the technical nature of each CVE to determine which to patch first and when. Vulnerability Management teams run prioritized patching campaigns to ensure all systems are protected by a set deadline. CISOs and Heads of Security constantly reassess which of their security products can mitigate entire categories of vulnerabilities. Security Compliance teams must routinely provide evidence to auditors proving the effectiveness of each compensating control deployed, in order to meet specific compliance requirements and frameworks.

Read on to learn how BlueRock helps address these issues.

A New Approach

Introducing BlueRock Evidence of Vulnerability Coverage (EVC). It’s a generative, mixture-of-experts AI system that:

  • Continuously tracks and monitors all CVEs published or updated in 2025 (and later)
  • Focuses on which CVEs are relevant for Linux-based server or container workloads
  • Determines whether BlueRock can neutralize each matching CVE and act as a compensating control
  • Transparently explains how each CVE may be neutralized, and by which BlueRock mechanisms

Want to learn more? Contact us to access BlueRock EVC

Benefits: Fast, Detailed, & Complete

  • Get Fast Answers: When a new zero-day CVE is discovered in the wild with active exploitation, the last thing a security operator wants to do is call or email their vendors asking, “Does your product block it?”, or wait 48 hours to two weeks for the vendor to blog about it.

    With BlueRock EVC, operators get answers fast — in 24 hours or less.

  • Get Detailed Explanations: Operators need to quickly understand how the CVE is mitigated. Are there additional settings you need to change in the product for this to work? What are the gaps or assumptions made by the vendor?

    With BlueRock EVC, operators get an automatic, clinical, transparent analysis of what the CVE is, what assumptions were made about it, and how BlueRock mechanisms neutralize it.

  • Get The Whole Story: It’s rarely just about one CVE. Frequently, attackers use a chain of related CVEs to compromise victims. Attention is usually on the one CVE with the highest severity, but that doesn’t mean the others aren’t important. At best, operators are lucky if their vendors cover that one CVE.

    With BlueRock EVC, operators can validate each and every CVE clinically to best understand how BlueRock can be used to neutralize their effects.


Where It Hurts Most: Known Exploited Vulnerabilities

Not every CVE is the same. Some are more painful than others. In recent years, CISA has tracked the CVEs that cause the most pain for US Government organizations in its Known Exploited Vulnerabilities (KEV) catalog. These are the subset of CVEs known to be actively exploited by threat actors across numerous real-world breaches.

Below is an interactive, real-time view, generated by BlueRock EVC AI, of which CVEs in the CISA KEV BlueRock helps neutralize:

What Each Panel Means

  • Right Panel: Shows all of the CVEs in the CISA KEV by vendor. Includes all platform types and all vendors.
  • Middle Panel: Shows the subset of CVEs in the CISA KEV that pertain to Linux-based server or containerized workloads. This is the subset of CVEs relevant to BlueRock customers.
  • Left Panel: Shows the subset of CVEs in the CISA KEV that can be neutralized by BlueRock.
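The three-panel funnel described above, as an added example that is not BlueRock’s code: it runs over records shaped like CISA’s KEV JSON feed (the `cveID`, `vendorProject` and `product` fields), using constructed sample records, an assumed fleet product list in place of a real asset inventory, and a placeholder coverage set in place of EVC’s actual verdicts.

```python
# Added example (not BlueRock's code): the three-panel KEV funnel from the
# text, computed over records shaped like CISA's KEV JSON feed. The records,
# the fleet product list and the coverage set below are constructed stand-ins.
from collections import Counter

# Constructed sample in the shape of CISA KEV "vulnerabilities" entries.
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-2025-00001", "vendorProject": "Linux", "product": "Kernel"},
    {"cveID": "CVE-2025-00002", "vendorProject": "Microsoft", "product": "Windows"},
    {"cveID": "CVE-2025-00003", "vendorProject": "Apache", "product": "HTTP Server"},
    {"cveID": "CVE-2025-00004", "vendorProject": "Apple", "product": "iOS"},
    {"cveID": "CVE-2024-00005", "vendorProject": "Linux", "product": "Kernel"},
]}

# Assumption: vendor/product pairs a Linux server or container fleet runs.
# A real deployment would derive this from its SBOM or asset inventory.
LINUX_WORKLOAD_PRODUCTS = {("Linux", "Kernel"), ("Apache", "HTTP Server")}

# Placeholder coverage verdicts (constructed), standing in for EVC's output.
COVERED_CVES = {"CVE-2025-00001", "CVE-2025-00003"}


def by_vendor(entries):
    """Right panel: every KEV entry counted by vendor, all platforms."""
    return Counter(e["vendorProject"] for e in entries)


def linux_workload_subset(entries, fleet=LINUX_WORKLOAD_PRODUCTS):
    """Middle panel: entries whose vendor/product pair the fleet actually runs."""
    return [e for e in entries if (e["vendorProject"], e["product"]) in fleet]


def covered_subset(entries, covered=COVERED_CVES):
    """Left panel: relevant entries with a neutralized verdict."""
    return [e for e in entries if e["cveID"] in covered]


def funnel(catalog, fleet=LINUX_WORKLOAD_PRODUCTS, covered=COVERED_CVES):
    """Per-panel vendor counts, plus the relevant-but-uncovered IDs that
    still need a patch or another compensating control."""
    everything = catalog["vulnerabilities"]
    relevant = linux_workload_subset(everything, fleet)
    neutralized = covered_subset(relevant, covered)
    gaps = sorted(e["cveID"] for e in relevant if e["cveID"] not in covered)
    return {"all": by_vendor(everything), "relevant": by_vendor(relevant),
            "covered": by_vendor(neutralized), "gaps": gaps}
```

The `gaps` list is the part the dashboard does not show directly: the KEV entries your fleet runs that still need patching or another control.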
Clickable Vendor Slices

Each vendor slice of the donut chart is clickable, giving you specifics about which CVEs are covered by BlueRock (blue checkmarks), as shown in the image below:

Example Vendor Slice View

Clickable, Explainable CVEs

For additional detail, BlueRock customers can click further to see a deeper CVE-specific view, explaining how a covered CVE is mitigated based on specific BlueRock mechanisms:

Example CVE Specific View

Scrolling down on that side panel, we see detailed explanations about how BlueRock mechanisms neutralize this corresponding CVE:

Example Explanation of BlueRock Mechanisms in CVE Specific View

5 Most Recently Neutralized CISA KEV CVEs

As a sample, below is an interactive, real-time view of the five most recently neutralized CISA KEV CVEs showing this same CVE-specific view. To see corresponding BlueRock explanations, simply scroll down on the right side panel. This list updates daily.

Big Picture: Beyond the KEV

While the KEV highlights the most painful CVEs at the moment, it’s not everything security operators need to worry about. That’s why BlueRock EVC covers more than just the CISA KEV.

Specifically, BlueRock EVC:

  • Continuously tracks and monitors all CVEs published in 2025 or later
    (as reported through the MITRE CVE Program)

  • Continuously tracks and monitors all CVEs updated by the NIST National Vulnerability Database in 2025 or later
    (this also includes older CVEs that NIST NVD has recently updated in 2025 or later)

What does BlueRock EVC coverage look like? Check it out in the interactive, real-time view shown below. These stats update daily.

On Demand CVE Analysis

Concerned about vulnerabilities for a specific vendor, product, or set of CVEs? Use this form to get a tailored analysis from BlueRock EVC.

While the analysis is processing, you’ll be redirected to a page containing downloadable links for each report:

Example CVE Analysis Results Page

Once analysis completes, if you provided an email address, then you’ll also receive emails that look like this:

Example CVE Analysis Email with CSV Attachment

Want to learn more?
Contact us to access BlueRock EVC