
Getting started

What Perimeter is, and your first five minutes

Perimeter is continuous vulnerability + external attack-surface management for small businesses and MSPs. It finds what attackers can see, ranks the handful that actually matter, tracks the fixes, and turns the results into audit evidence.

1 · What Perimeter does, in one paragraph

Most scanners hand you a wall of hundreds of “findings” sorted by CVSS severity, most of which no attacker will ever touch. Perimeter does the opposite: it deduplicates findings to one record per (asset × check), enriches each with real-world exploitation intelligence (EPSS and the CISA KEV catalog), and sorts so the four things being exploited in the wild rise to the top while the 400 theoretical ones sink. It also suppresses likely false positives, tracks remediation with owners and SLA dates, and maps every finding to compliance controls (PCI, HIPAA, SOC 2, CMMC, NIST, ISO) so a scan becomes evidence you can hand an auditor.

2 · Local-first by default (no account needed)

The console runs entirely in your browser. There is no sign-up and no backend: the only network request is the fetch of the static seed JSON from the same origin, and nothing leaves your machine unless you explicitly opt in on the Sign in / Cloud tab or the AI / Settings tab. Your workflow edits (owners, statuses, suppressions, false-positive verdicts) are saved to your browser’s localStorage so they survive a reload. Two consequences of that storage model are worth knowing: localStorage is scoped to this browser profile and origin, so your edits do not follow you to another machine or browser, and it is stored unencrypted, so treat the browser profile as you would any file that holds finding data. Clearing site data for the origin discards the edits.

Tier | What you get | Network calls?
Local-first (default) | The full console on seeded sample data: inventory, prioritized findings, de-noising, remediation/SLA tracking, suppression, control mapping, signed evidence export, reports. | None, except loading the static seed JSON from the same origin.
Cloud / Pro (opt-in; deferred / hosted) | Continuous hosted scanning, MSP multi-client console, publishing de-identified evidence to the shared graph, daily EPSS/KEV scheduling. | Only after you sign in on the Sign in / Cloud tab.
BYO-key AI (opt-in) | Remediation guidance from an AI provider you choose, with your own key. | Only your browser → your chosen provider, with redacted metadata. Off by default.

3 · Your first run, step by step

  1. Open the console. Click Open app in the top nav, or browse to /app/index.html. If you’re running locally, serve the repo root (e.g. python3 -m http.server 8080) and visit http://localhost:8080/app/index.html. Opening the file directly with file:// will not work: the app loads its seed JSON with fetch(), and browsers refuse fetches from a file:// origin.
  2. Land on the Dashboard. You’ll see eight stat cards (open / KEV / critical / high / overdue-SLA / avg-age / multi-engine-confirmed / suppressed-as-noise) and a “Fix these first” list of the top five findings.
  3. Open the Findings tab. Filter, search, and click a finding to expand its evidence, remediation, de-noise verdict, and compliance-control mapping.
  4. Change something. Assign an owner or flip a status — it persists locally. This is how you’d run a real remediation workflow.
  5. Try the Ingest tab. Click “Ingest Nuclei scan” to watch a raw scan payload flow through the normalize → dedup → enrich → map-controls pipeline — the exact path a live scanner will POST to.
  6. Export evidence. On any finding, click Signed evidence record to download a timestamped, control-referenced, HMAC-signed JSON artifact.

The demo tenant. The console is seeded as acme-clinic.com — a fictional clinic with 15 assets and 21 findings, including one deliberate false-positive case so you can see the de-noise engine work. Everything you see is sample data; no real scan has run.
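To see what step 5’s pipeline does to a raw payload, here is an added example (not Perimeter’s own code) that implements normalize → dedup → enrich → map-controls over constructed sample records. The record shapes are loosely modelled on Nuclei’s and Trivy’s JSON output; the EPSS and KEV tables, the control mapping and the CVE ids are constructed stand-ins, not feed data, and the function names (ingest, dedup, enrich, mapControls) are this example’s own.

```javascript
// Added example, not Perimeter's code: the Ingest tab's normalize -> dedup -> enrich ->
// map-controls pipeline run over constructed payloads. Raw record field names mimic
// Nuclei and Trivy JSON output; all CVE ids, EPSS values and KEV entries are made up.

// Constructed raw results: two engines report the same check on the same host.
const RAW_NUCLEI = [
  { "template-id": "CVE-2099-0001", host: "https://portal.acme-clinic.com",
    info: { severity: "high", classification: { "cve-id": ["CVE-2099-0001"], "cvss-score": 8.1 } } },
  { "template-id": "tls-weak-cipher", host: "https://portal.acme-clinic.com",
    info: { severity: "medium", classification: { "cvss-score": 5.3 } } },
];
const RAW_TRIVY = [
  { Target: "https://portal.acme-clinic.com", VulnerabilityID: "CVE-2099-0001",
    Severity: "HIGH", CVSS: { nvd: { V3Score: 8.1 } } },
];

// 1. normalize: each engine's shape -> one common record.
function normalizeNuclei(rec) {
  const c = rec.info.classification || {};
  return { asset: rec.host, check: rec["template-id"], cve: (c["cve-id"] || [null])[0],
           cvss: c["cvss-score"] ?? null, severity: rec.info.severity, engine: "nuclei" };
}
function normalizeTrivy(rec) {
  return { asset: rec.Target, check: rec.VulnerabilityID, cve: rec.VulnerabilityID,
           cvss: rec.CVSS?.nvd?.V3Score ?? null, severity: rec.Severity.toLowerCase(), engine: "trivy" };
}

// 2. dedup: one record per (asset x check); engines that agree are merged, not listed twice.
function dedup(findings) {
  const byKey = new Map();
  for (const { engine, ...f } of findings) {
    const key = `${f.asset}|${f.check}`;
    const cur = byKey.get(key);
    if (!cur) { byKey.set(key, { ...f, engines: [engine] }); continue; }
    if (!cur.engines.includes(engine)) cur.engines.push(engine);
    if (f.cvss != null && (cur.cvss == null || f.cvss > cur.cvss)) cur.cvss = f.cvss; // keep the higher score
  }
  return [...byKey.values()];
}

// 3. enrich: attach exploitation intelligence. Constructed lookup tables stand in for the feeds.
const EPSS = { "CVE-2099-0001": 0.92 };
const KEV = { "CVE-2099-0001": { dueDate: "2099-02-01" } };
function enrich(f) {
  const kev = f.cve ? KEV[f.cve] : undefined;
  return { ...f, epss: f.cve ? (EPSS[f.cve] ?? 0) : 0, kev: Boolean(kev),
           kevDueDate: kev ? kev.dueDate : null, corroborated: f.engines.length };
}

// 4. map-controls: illustrative check -> control mapping, not Perimeter's real control library.
const CONTROL_MAP = [
  { match: /^CVE-/, controls: ["PCI DSS 6.3.3", "NIST SP 800-53 SI-2"] },
  { match: /^tls-/, controls: ["PCI DSS 4.2.1", "SOC 2 CC6.7"] },
];
function mapControls(f) {
  const controls = CONTROL_MAP.filter((m) => m.match.test(f.check)).flatMap((m) => m.controls);
  return { ...f, controls };
}

function ingest(nucleiPayload, trivyPayload) {
  const normalized = [...nucleiPayload.map(normalizeNuclei), ...trivyPayload.map(normalizeTrivy)];
  return dedup(normalized).map(enrich).map(mapControls);
}

for (const f of ingest(RAW_NUCLEI, RAW_TRIVY)) {
  console.log(`${f.check} on ${f.asset}: engines=${f.engines.join("+")} kev=${f.kev} epss=${f.epss} controls=${f.controls.join(", ")}`);
}
```

Three raw results come out as two records: the CVE reported by both nuclei and trivy is one record with corroborated = 2 (the ✓ confirmed ×2 chip), and the KEV lookup gives it a due date that later becomes its SLA. Ranking is deliberately not done here; that is the Dashboard’s job.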

4 · The eight tabs at a glance

Tab | What it’s for | Deep dive
Dashboard | The “fix these first” summary: open/KEV/critical/overdue counts + the top-5 by exploit-aware risk. | Findings & de-noising
Findings | The full table: filter by severity / KEV / status / engine / exposure / search; expand for evidence, verdict, controls, and the remediation workflow. | Findings & de-noising
Attack surface | The asset inventory + scope seeds with ownership-verification state. | Assets & scan authorization
Ingest scan | Run the deferred-engine seam against sample Nuclei/Trivy payloads. | Feeds & scheduling
Reports / export | CSV/JSON export + printable compliance report packs. | Compliance evidence
Audit log | The append-only record of every mutating action. | Security & privacy
Sign in / Cloud | Optional DosanjhLabs sign-in + Pro entitlements + evidence publishing. | Cloud & entitlements
AI / Settings | BYO-key AI remediation guidance + the transparent risk-model weights. | Security & privacy

5 · Reading a finding card

Each finding shows a risk score (0–100) on the left, then a row of chips. Here’s what they mean:

Chip / element | Meaning
Risk number | 0–100 score = 0.40·CVSS + 0.30·EPSS + 0.20·KEV + 0.10·asset-criticality. The weights sum to 1.0 and are shown on the AI / Settings tab, so the score is transparent and tunable, not a black box.
Act now / Prioritize / Schedule / Watch | The exploit-first action tier. KEV and high EPSS force the top tiers regardless of CVSS. See tiers.
severity chip | Raw CVSS severity (critical/high/medium/low). Kept for reference, but the tier, not severity, drives ordering.
KEV | This CVE is in the CISA Known Exploited Vulnerabilities catalog, i.e. confirmed exploited in the wild. Inherits CISA’s due date as its SLA.
likely false positive | The de-noise engine flagged this as probably not real. Hover for the reason trail. See false-positive verdicts.
✓ confirmed ×N | Found independently by N engines (multi-engine corroboration): higher confidence, lower false-positive risk.
CVSS / EPSS / engine | The raw CVSS base score, the EPSS score (the estimated probability, 0–1, that the CVE is exploited in the next 30 days), and which engine (nuclei/trivy/openvas) reported it.
SLA / age | Days until the remediation deadline (red if overdue) and how long the finding has been open.
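The score, tier and SLA columns above fit together as follows. This is an added example, not Perimeter’s scoring code: the four weights are the ones the table lists, but everything else is assumed for illustration, namely that each input is put on a 0–1 scale before weighting (CVSS/10, EPSS as a probability, KEV as 0/1, asset criticality as 0–1) and the result scaled to 100, the tier thresholds, the “high EPSS” cut-off of 0.5, and the per-tier SLA windows. The sample findings and CVE ids are constructed.

```javascript
// Added example, not Perimeter's code: risk score with the page's weights, exploit-first
// tier, SLA date, and ranking. Normalization, thresholds and SLA windows are assumptions.

const WEIGHTS = { cvss: 0.40, epss: 0.30, kev: 0.20, criticality: 0.10 }; // from the page
const TIER_ORDER = ["Act now", "Prioritize", "Schedule", "Watch"];
const TIER_SLA_DAYS = { "Act now": 7, "Prioritize": 30, "Schedule": 90, "Watch": null }; // assumed
const HIGH_EPSS = 0.5; // assumed threshold for "high EPSS"

// Each input is normalized to 0-1 (assumed), weighted, and scaled to 0-100.
function riskScore(f, w = WEIGHTS) {
  const cvss = (f.cvss ?? 0) / 10;
  const epss = f.epss ?? 0;
  const kev = f.kev ? 1 : 0;
  const crit = f.assetCriticality ?? 0.5;
  return Math.round(100 * (w.cvss * cvss + w.epss * epss + w.kev * kev + w.criticality * crit));
}

// KEV and high EPSS force the top tiers regardless of CVSS; otherwise the score decides.
function tierFor(f, score) {
  if (f.kev) return "Act now";
  if (f.epss >= HIGH_EPSS) return "Prioritize";
  if (score >= 60) return "Prioritize";
  if (score >= 30) return "Schedule";
  return "Watch";
}

// KEV findings inherit CISA's due date; everything else gets the tier's default window.
function slaDate(f, tier, now) {
  if (f.kev && f.kevDueDate) return f.kevDueDate;
  const days = TIER_SLA_DAYS[tier];
  if (days == null) return null;
  const d = new Date(now);
  d.setUTCDate(d.getUTCDate() + days);
  return d.toISOString().slice(0, 10);
}

function daysUntil(dateStr, now) {
  if (!dateStr) return null;
  return Math.round((Date.parse(dateStr) - Date.parse(now)) / 86400000);
}

// Rank by tier first, then by score within the tier. This is what lifts a medium-CVSS finding
// with high EPSS above a critical-CVSS finding nobody is exploiting.
function rankFindings(findings, now) {
  return findings
    .map((f) => {
      const score = riskScore(f);
      const tier = tierFor(f, score);
      const sla = slaDate(f, tier, now);
      return { ...f, score, tier, sla, daysToSla: daysUntil(sla, now) };
    })
    .sort((a, b) => TIER_ORDER.indexOf(a.tier) - TIER_ORDER.indexOf(b.tier) || b.score - a.score);
}

// Constructed sample findings (CVE ids, EPSS values and the KEV entry are made up).
const SAMPLE_FINDINGS = [
  { id: "F1", cve: "CVE-2099-0002", cvss: 9.8, epss: 0.02, kev: false, assetCriticality: 0.5 },
  { id: "F2", cve: "CVE-2099-0001", cvss: 8.1, epss: 0.92, kev: true, kevDueDate: "2099-02-01", assetCriticality: 1.0 },
  { id: "F3", cve: "CVE-2099-0003", cvss: 5.3, epss: 0.62, kev: false, assetCriticality: 0.3 },
];

const ranked = rankFindings(SAMPLE_FINDINGS, "2099-01-15T00:00:00Z");
console.log(ranked.map((f) => `${f.id} ${f.tier} score=${f.score} sla=${f.sla} (${f.daysToSla}d)`).join("\n"));
```

Run against the sample, F2 (KEV) ranks first with its CISA due date as SLA, F3 ranks second even though its score (43) is below F1’s (45), because EPSS 0.62 forces it into Prioritize, and the CVSS 9.8 finding with a 2 % EPSS lands in Schedule. That inversion of CVSS order is the whole point of the tier column.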

Next: Findings & de-noising explains exploit-first ranking in depth, or jump to the “How do I…?” recipe index.