Correlens

Vulnerability Management

Actionable risk, not a wall of CVEs.

Every component in your SBOM is watched and every vulnerability enriched (exploit-aware prioritization, reachability and context re-scoring), so your team reacts to what matters, in order.

Vulnerabilities AI sample data
Risk score
3.0Low
EV Platform E-3
Resolved
1,135
of 1,245 findings
Open
154
Critical 4
High 13
Medium 5
Low 132
VulnerabilityComponentCVSSExploitationState
CVE-2026-4187gstreamer 1.14.49.8KEVunder review
CVE-2026-3350botan 2.19.58.4exploitto validate
CVE-2026-0915bluez 5.667.5PoCto validate
CVE-2026-1204libexpat 2.2.66.8nonesuppressed

How it triages

Built for what your SBOM ships.

Exploit-aware prioritizationKEV, EPSS and real exploitation evidence move the findings that are actually being used to the top.
Reachability and contextA vulnerability re-scored for the product in the field: which node, which interface, whether the code path is reachable.
Fed by your SBOMThe bill of materials is the input: one row per component, matched to advisories automatically.
A queue, not a feedWhat needs a reaction, with a state and an owner: suppressed, validated or escalated, all recorded.

Context re-scoring

One score does not fit all products.

A base CVSS score assumes the worst case everywhere. Correlens re-scores each finding for the product it actually sits in, on CVSS 3.0, 3.1 or 4.0, and records why. How the re-scoring weighs your context is part of the demo, not the website.

  • Environmental reality. A 9.8 on an isolated node without network exposure is not your first problem.
  • Recorded reasoning. Every re-score keeps the analyst, the context flags and the justification.
  • Standards-native. Scores stay valid CVSS vectors, so exports and reports keep meaning outside the platform.
Context re-scoresample data
9.8
CVE-2026-4187 · gstreamer 1.14.4CVSS 3.1 base · network attack vector assumed
5.1
Re-scored for the vehiclereachable only over the internal bus, no external path
Node context drives the score
no network accessgateway-isolateddebug port fusedread-only media path

Triage states & VEX

A decision is a record, not a status color.

Findings move through explicit states: to validate, under review, suppressed or escalated. A suppression is a VEX statement with a reason attached, so "not affected" is something you can hand an assessor, not a silent filter.

  • VEX suppression. Not-affected claims carry machine-readable justification.
  • Owned queue. Every finding has a state and a person, so nothing dies in a spreadsheet.
  • Feeds compliance. The same records serve the R155 CSMS monitoring evidence and 21434 clause 8.
Triage queuesample data
P1CVE-2026-4187 · gstreamerUNDER REVIEW · K.M.
P1CVE-2026-3350 · wolfSSLTO VALIDATE
P2CVE-2026-0915 · bluezTO VALIDATE
P3CVE-2026-2044 · u-bootVEX · not affected
states and reasons recorded per finding · exportable with the enriched SBOM

See your findings triaged the way an analyst would.

Book a demo