ProofwrightScenario

Scenario: responding to a new CVE in minutes

A critical vulnerability drops at 9am. Follow the trail from alert to a customer-ready answer.

A critical vulnerability drops at 9am. Follow the trail from alert to a customer-ready answer. Related demos: Scenario: when an open-source dependency goes dark and Scenario: a poisoned dependency.

A new critical CVE lands in a popular library. Across the industry, teams start a frantic manual hunt. Here's the same morning with a living SBOM.

9:02 — the alert

Monitoring against your SBOM flags the CVE automatically and lists exactly which of your products include the affected component and version.

ProductComponentAffected?
Agent[email protected]No (< affected)
PortalNot present

9:18 — the assessment

One product is affected. You check the call path: the vulnerable function isn't reachable in your usage. You record a VEX: not affected with the reason — evidence, not a verbal all-clear.

9:30 — the answer

A customer emails asking if you're exposed. Instead of a week of investigation, you reply the same morning with a documented status backed by your evidence log.

The difference isn't heroics — it's having the inventory and the trail before the alarm goes off.

Proofwright turns a fire drill into a lookup.

this is Proofwright

It's live.

See the real thing at Proofwright.