FixOps is a Decision & Verification Engine that aligns with SSVC by mapping decisions and inputs to stakeholder‑specific outcomes.
- FixOps ALLOW → SSVC Track
- FixOps BLOCK → SSVC Act
- FixOps DEFER → SSVC Attend
- Scanner outputs: SARIF (SAST/DAST), SBOM (CycloneDX/SPDX), CSV, generic JSON
- VEX: affectedness declarations (CycloneDX VEX, SPDX VEX – stub today)
- EPSS: exploit likelihood probabilities (stub today)
- KEV: known exploited vulnerabilities (stub today)
- Business context: criticality, data classification, environment
- LLM explanations: concise narratives to improve triage
- Ingest and normalize findings
- Enrich with business context
- Map to MITRE ATT&CK techniques
- Evaluate SSVC‑aligned signals (EPSS, KEV, VEX) when available
- Run multi‑LLM analyses and compute consensus confidence
- Produce ALLOW/BLOCK/DEFER and explain rationale; persist evidence
- CSV/OTM templates to inject SSVC context early (criticality, exposure)
- Feedback loop: incorporate expert overrides to adjust future weighting
- RSS/Threat feeds parsed by a sidecar LLM into a knowledge graph
- Updates priors (Bayes/Markov) for dynamic threat evolution
- CISA SSVC guide and Vulnrichment; FIRST EPSS; CISA KEV; CycloneDX VEX minimums