Perimeter does both halves of the job competitors split across two SKUs: external attack-surface management from the internet, and internal authenticated scanning from inside your network — then turns the results into tracked, prioritized, audit-ready work.
Add a root domain (verify ownership by DNS TXT first — we never scan what you don't own). Passive discovery enumerates subdomains from certificate-transparency logs and passive DNS; active discovery fingerprints live hosts, ports, services and TLS certs. The Lookout agent inventories internal hosts and container images. Everything lands in one asset inventory with criticality tags.
The hosted runner runs Nuclei (CVE, exposure, misconfig, takeover templates) against external assets. The Lookout agent runs OpenVAS/Greenbone authenticated network scans, Trivy for OS-package / container-image / IaC / SBOM CVEs, and Nuclei for internal-only services. Nothing is a black box — you can read and add templates.
Findings are deduplicated to one canonical record per asset and check, carrying the detections from every engine and every scan that observed it rather than opening a duplicate per scan. Each record is enriched with EPSS (exploitation likelihood, from FIRST) and flagged against the CISA KEV catalog. Then, and this is the point, EPSS and KEV together outweigh CVSS, so a KEV-listed "high" beats a theoretical "critical":
risk = 0.40·CVSS + 0.30·EPSS + 0.20·KEV + 0.10·asset-criticality → 0–100
The weights sum to 1, so with each input on a 0–100 scale (CVSS ×10, EPSS ×100, KEV 0 or 100, asset criticality mapped from its inventory tag) the score stays in 0–100.
On top of the score, every finding gets a plain-English action tier (act now / prioritize / schedule / watch) that an owner with no security analyst can act on. KEV or high EPSS forces the top tiers regardless of CVSS; that is a rule applied after scoring, not a side effect of the weights. The weights are transparent and tunable, not a proprietary black box like VPR or TruRisk.
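The scoring and tiering described above, as an added example that is not Perimeter's code: the weights are the page's, but the 0–100 input scaling, the tier cut-offs (75/50/25), the "high EPSS" threshold (0.5) and the sample findings are assumptions for illustration.

```python
"""Exploit-first risk score and action tier (added example, not Perimeter code)."""
from dataclasses import dataclass

# Weights from the page's formula. Each input is first scaled to 0-100 so the
# weighted sum also lands in 0-100 (the scaling is this example's assumption).
W_CVSS, W_EPSS, W_KEV, W_CRIT = 0.40, 0.30, 0.20, 0.10

# Tier cut-offs and the "high EPSS" threshold are assumptions for illustration.
TIER_CUTS = ((75.0, "act now"), (50.0, "prioritize"), (25.0, "schedule"))
TIER_RANK = {"act now": 3, "prioritize": 2, "schedule": 1, "watch": 0}
HIGH_EPSS = 0.5


@dataclass(frozen=True)
class Finding:
    fid: str
    cvss: float        # CVSS base score, 0.0-10.0
    epss: float        # EPSS probability, 0.0-1.0
    kev: bool          # present in the CISA KEV catalog
    criticality: int   # asset criticality tag already mapped to 0-100


def risk_score(f: Finding) -> float:
    """0.40*CVSS + 0.30*EPSS + 0.20*KEV + 0.10*criticality on a 0-100 scale."""
    if not (0 <= f.cvss <= 10 and 0 <= f.epss <= 1 and 0 <= f.criticality <= 100):
        raise ValueError(f"out-of-range inputs for {f.fid}")
    score = (W_CVSS * f.cvss * 10            # CVSS 0-10 -> 0-100
             + W_EPSS * f.epss * 100         # EPSS 0-1  -> 0-100
             + W_KEV * (100 if f.kev else 0) # KEV membership is binary
             + W_CRIT * f.criticality)
    return round(score, 1)


def tier_from_score(score: float) -> str:
    for cut, tier in TIER_CUTS:
        if score >= cut:
            return tier
    return "watch"


def action_tier(f: Finding) -> str:
    """Plain-English tier; KEV or high EPSS forces the top tiers regardless of CVSS."""
    tier = tier_from_score(risk_score(f))
    if f.kev:
        return "act now"
    if f.epss >= HIGH_EPSS and TIER_RANK[tier] < TIER_RANK["prioritize"]:
        return "prioritize"
    return tier


def rank(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Findings ordered exploit-first: by score, then KEV, then EPSS."""
    by_id = {f.fid: f for f in findings}
    rows = [(f.fid, risk_score(f), action_tier(f)) for f in findings]
    return sorted(rows, key=lambda r: (r[1], by_id[r[0]].kev, by_id[r[0]].epss),
                  reverse=True)


# Constructed sample: a theoretical "critical" versus a KEV-listed "high".
THEORETICAL_CRITICAL = Finding("f-critical", cvss=9.8, epss=0.01, kev=False, criticality=50)
KEV_HIGH = Finding("f-kev-high", cvss=7.5, epss=0.90, kev=True, criticality=50)

if __name__ == "__main__":
    for fid, score, tier in rank([THEORETICAL_CRITICAL, KEV_HIGH]):
        print(f"{fid:12} score={score:5.1f} tier={tier}")
```

With these numbers the CVSS 9.8 finding with no exploitation signal scores 44.5 and lands in "schedule", while the CVSS 7.5 KEV entry scores 82.0 and is forced to "act now"; a low-CVSS finding with EPSS 0.8 is lifted to at least "prioritize" even though its raw score would say "schedule".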
Incumbent scanners are notorious for false positives; a rate around 30% is the common complaint. Perimeter's de-noise engine gives each finding a verdict with a visible reason trail and flags the likely false positives (the canonical case: a lone, unauthenticated, banner-only check with very low EPSS) so they sink to the bottom instead of drowning the real work. Crucially, a finding confirmed by a second engine or listed in CISA KEV is never suppressed: when two independent engines (e.g. Nuclei and OpenVAS) flag the same issue, it is marked confirmed.
Assign an owner, set a status (open → in progress → fixed), and track SLA due dates (KEV findings inherit CISA's due date). Accept a risk with a reason, approver, and expiry — every action is audit-logged. Rescan-to-verify re-runs the exact check and auto-closes on pass.
When the engine gets a verdict wrong, teach it: Mark false positive or Confirm real. Your verdict overrides the heuristics and is remembered against the finding's stable id, so when the same finding reappears in a future scan your call is re-applied automatically — you never re-triage the same false positive twice. (In the cloud tier this suppression memory is per-tenant and follows the whole team.) Every mark is written to the audit log, so an auditor can see exactly what was suppressed and by whom.
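The de-noise verdict, the corroboration rule and the remembered analyst override from the two preceding paragraphs, as one added example (not Perimeter's engine). The stable id is derived from asset and check only, so it survives across scans and engines; the "very low EPSS" cut-off (0.02), the verdict labels, the detection fields and the sample findings are assumptions for illustration.

```python
"""De-noise verdict with reason trail, multi-engine corroboration and a remembered
analyst override keyed on a stable finding id (added example, not Perimeter code)."""
import hashlib
from dataclasses import dataclass, field

LOW_EPSS = 0.02  # "very low EPSS" cut-off: an assumption for illustration


@dataclass(frozen=True)
class Detection:
    engine: str           # e.g. "nuclei", "openvas", "trivy"
    authenticated: bool   # credentialed check vs. unauthenticated probe
    banner_only: bool     # decided from a version banner, nothing exercised


@dataclass
class Finding:
    asset: str
    check: str            # check / template id; one canonical record spans engines
    epss: float
    kev: bool
    detections: list[Detection] = field(default_factory=list)


def stable_id(f: Finding) -> str:
    """Stable across scans and engines: derived from asset and check only."""
    return hashlib.sha256(f"{f.asset}\x00{f.check}".encode()).hexdigest()[:16]


def heuristic_verdict(f: Finding) -> tuple[str, list[str]]:
    """Return (verdict, reasons). KEV and corroborated findings are never suppressed."""
    reasons: list[str] = []
    engines = sorted({d.engine for d in f.detections})
    if f.kev:
        reasons.append("listed in CISA KEV: suppression not allowed")
        return "confirmed", reasons
    if len(engines) >= 2:
        reasons.append(f"corroborated by independent engines: {', '.join(engines)}")
        return "confirmed", reasons
    if not f.detections:
        reasons.append("no detections recorded")
        return "needs review", reasons
    d = f.detections[0]
    if not d.authenticated and d.banner_only and f.epss < LOW_EPSS:
        reasons += [f"lone detection from {d.engine}",
                    "unauthenticated, banner-only check",
                    f"EPSS {f.epss:.3f} below {LOW_EPSS}"]
        return "likely false positive", reasons
    reasons.append(f"single engine ({d.engine}), no contrary signal")
    return "needs review", reasons


class Triage:
    """Analyst verdicts are remembered per stable id and re-applied on later scans."""

    def __init__(self) -> None:
        self.memory: dict[str, str] = {}
        self.audit_log: list[tuple[str, str, str]] = []

    def mark(self, f: Finding, verdict: str, user: str) -> None:
        if verdict not in ("false positive", "real"):
            raise ValueError(verdict)
        sid = stable_id(f)
        self.memory[sid] = verdict
        self.audit_log.append((sid, verdict, user))   # who suppressed/confirmed what

    def verdict(self, f: Finding) -> tuple[str, list[str]]:
        sid = stable_id(f)
        if sid in self.memory:   # the analyst's call overrides the heuristics
            return self.memory[sid], [f"analyst override remembered for {sid}"]
        return heuristic_verdict(f)


# Constructed sample findings (asset and check names are placeholders).
LONE_BANNER = Finding("web-01.example.test", "ssh-version-banner", epss=0.004, kev=False,
                      detections=[Detection("nuclei", authenticated=False, banner_only=True)])
CORROBORATED = Finding("web-02.example.test", "tls-weak-cipher", epss=0.004, kev=False,
                       detections=[Detection("nuclei", False, True),
                                   Detection("openvas", True, False)])


def demo() -> tuple[str, str, str]:
    t = Triage()
    before, _ = t.verdict(LONE_BANNER)      # heuristic: likely false positive
    t.mark(LONE_BANNER, "real", "alice")    # analyst disagrees; audit-logged
    rescan = Finding(LONE_BANNER.asset, LONE_BANNER.check, epss=0.004, kev=False,
                     detections=[Detection("nuclei", False, True)])  # next scan, new objects
    after, _ = t.verdict(rescan)            # override re-applied via the stable id
    return before, after, t.verdict(CORROBORATED)[0]


if __name__ == "__main__":
    print(demo())
```

The stable id deliberately excludes engine, scan id and timestamp; if any of those were hashed in, the remembered verdict would never match the next scan's copy of the same finding.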
Every finding auto-maps to control IDs across NIST CSF 2.0, SOC 2, PCI DSS 4.0, ISO 27001, CMMC L2 and 800-171. But it goes further than a mapping: expand a finding and export a per-finding evidence record — a timestamped, control-referenced, self-describing audit artifact (the assessed object, detection + corroboration, exploit intel, remediation/SLA, and the satisfied controls). Each record is wrapped in a detached HMAC-SHA256 signature over a canonical serialization with the signing time bound in, so any later edit — a single character — breaks verification. The scan output is the audit evidence.
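The signed evidence record described above, as an added example rather than Perimeter's own format: a detached HMAC-SHA256 over a canonical JSON serialization of the record with the signing time bound in. Field names, the sample record, the control ids in it and the key are constructed placeholders.

```python
"""Per-finding evidence record with a detached HMAC-SHA256 signature over a canonical
serialization that binds the signing time (added example, not Perimeter's own format)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

ALG = "HMAC-SHA256"


def canonical(obj: dict) -> bytes:
    """Deterministic JSON: sorted keys, no whitespace, ASCII-only escapes.
    Re-ordering or re-indenting the stored record is harmless; changing a value is not."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def sign_record(record: dict, key: bytes, signed_at: str = "") -> dict:
    """Detached signature: the record itself is left untouched."""
    signed_at = signed_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    payload = canonical({"record": record, "signed_at": signed_at})  # time bound in
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"alg": ALG, "signed_at": signed_at, "mac": mac}


def verify_record(record: dict, sig: dict, key: bytes) -> bool:
    """Recompute over the record plus the claimed signing time; constant-time compare."""
    if sig.get("alg") != ALG:
        return False
    payload = canonical({"record": record, "signed_at": sig["signed_at"]})
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["mac"])


# Constructed sample evidence record (all values, including control ids, are placeholders).
SAMPLE_RECORD = {
    "assessed_object": {"asset": "web-01.example.test", "service": "https/443"},
    "detection": {"engine": "nuclei", "check": "tls-weak-cipher",
                  "observed_at": "2024-06-01T03:14:07Z"},
    "corroboration": {"engines": ["nuclei", "openvas"], "confirmed": True},
    "exploit_intel": {"epss": 0.004, "kev": False},
    "remediation": {"owner": "platform-team", "status": "open", "sla_due": "2024-07-01"},
    "controls": {"SOC 2": ["CC7.1"], "NIST CSF 2.0": ["ID.RA-01"]},
}
SAMPLE_KEY = b"example-signing-key-do-not-use"   # constructed; use a KMS/secret store in practice
SIGNED_AT = "2024-06-01T04:00:00+00:00"


def tamper_demo() -> tuple[bool, bool, bool]:
    """(untouched verifies, one-digit edit fails, moved signing time fails)."""
    sig = sign_record(SAMPLE_RECORD, SAMPLE_KEY, SIGNED_AT)
    ok = verify_record(SAMPLE_RECORD, sig, SAMPLE_KEY)
    edited = json.loads(json.dumps(SAMPLE_RECORD))
    edited["exploit_intel"]["epss"] = 0.005            # a single character changed
    edited_ok = verify_record(edited, sig, SAMPLE_KEY)
    backdated = dict(sig, signed_at="2024-05-31T04:00:00+00:00")
    backdated_ok = verify_record(SAMPLE_RECORD, backdated, SAMPLE_KEY)
    return ok, edited_ok, backdated_ok


if __name__ == "__main__":
    print(tamper_demo())
```

One caveat for auditors: HMAC is symmetric, so whoever verifies must hold the same key, which means a third party can only check the record through the key holder. If the evidence must be verifiable without sharing the key, sign the same canonical bytes with an asymmetric key instead; the canonicalization and time binding carry over unchanged.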
Publish the de-identified posture to the DosanjhLabs evidence graph and Sightline maps it across 22+ frameworks while Bastion turns open KEV findings into POA&M items. Raw scan output and hostnames never leave your browser.
Exploit intelligence moves daily: a CVE's EPSS climbs, a new entry lands in CISA KEV. Perimeter registers a daily exploit-intel refresh job (06:00 UTC, just after FIRST publishes the day's EPSS) with the shared scheduled runner. When it fires, it pulls the live feeds, merges them over the existing cache (newer wins), re-enriches your findings, and reports which CVEs moved — driving "what changed this week" and new-KEV drift alerts. The merge logic runs today; the live network pull is held behind a boundary and enabled with the hosted ASM entitlement, so the local tier makes zero network calls.
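The merge step of that refresh job, as an added example that is not Perimeter's job or its cache format: a newer-dated EPSS feed overwrites the cache, an older replay does not, KEV entries are only ever added, and the returned change list drives the "what changed" report and the new-KEV drift alert. The KEV entries use the catalog's own field names (cveID, dateAdded, dueDate); the EPSS feed is reduced to a model date plus a score map; the cache layout, the 0.1 "mover" delta and the sample data with placeholder CVE ids are constructed.

```python
"""Daily exploit-intel refresh: merge fresh EPSS and KEV feeds over a local cache
(newer wins), re-enrich findings and report which CVEs moved (added example,
not Perimeter's job; cache layout and sample data are constructed)."""
import copy
from dataclasses import dataclass


def _blank() -> dict:
    return {"epss": None, "epss_date": None, "kev": False, "kev_added": None, "kev_due": None}


@dataclass(frozen=True)
class Change:
    cve: str
    field: str   # "epss" or "kev"
    old: object
    new: object


def merge_feeds(cache: dict, epss_feed: dict, kev_feed: dict) -> tuple[dict, list[Change]]:
    """Return (merged cache, changes). The input cache is not modified in place."""
    merged = copy.deepcopy(cache)
    changes: list[Change] = []

    # EPSS: the feed is dated; a newer date overwrites, an equal/older replay
    # does not (ISO dates compare correctly as strings).
    feed_date = epss_feed["date"]
    for cve, score in epss_feed["scores"].items():
        entry = merged.setdefault(cve, _blank())
        if entry["epss_date"] is None or feed_date > entry["epss_date"]:
            if entry["epss"] != score:
                changes.append(Change(cve, "epss", entry["epss"], score))
            entry["epss"], entry["epss_date"] = score, feed_date

    # KEV: cumulative catalog; a refresh adds entries, it never withdraws them.
    for item in kev_feed["vulnerabilities"]:
        entry = merged.setdefault(item["cveID"], _blank())
        if not entry["kev"]:
            changes.append(Change(item["cveID"], "kev", False, True))
        entry.update(kev=True, kev_added=item["dateAdded"], kev_due=item["dueDate"])
    return merged, changes


def new_kev(changes: list[Change]) -> list[str]:
    """CVEs that entered KEV in this refresh: drives the new-KEV drift alert."""
    return sorted(c.cve for c in changes if c.field == "kev" and c.new)


def epss_movers(changes: list[Change], min_delta: float = 0.1) -> list[tuple[str, float, float]]:
    """EPSS moves large enough to surface in 'what changed this week'."""
    out = []
    for c in changes:
        if c.field == "epss" and c.old is not None and abs(c.new - c.old) >= min_delta:
            out.append((c.cve, c.old, c.new))
    return sorted(out)


def re_enrich(findings: list[dict], merged: dict) -> list[dict]:
    """Copy cached EPSS/KEV state onto each finding; KEV findings inherit CISA's due date."""
    out = []
    for f in findings:
        entry = merged.get(f["cve"], _blank())
        out.append({**f, "epss": entry["epss"], "kev": entry["kev"],
                    "sla_due": entry["kev_due"] or f.get("sla_due")})
    return out


# Constructed sample state (placeholder CVE ids, not real catalog entries).
CACHE = {
    "CVE-0000-0001": {"epss": 0.05, "epss_date": "2024-06-01", "kev": False,
                      "kev_added": None, "kev_due": None},
    "CVE-0000-0002": {"epss": 0.90, "epss_date": "2024-06-01", "kev": True,
                      "kev_added": "2024-05-20", "kev_due": "2024-06-10"},
}
EPSS_TODAY = {"date": "2024-06-02",
              "scores": {"CVE-0000-0001": 0.40, "CVE-0000-0002": 0.91, "CVE-0000-0003": 0.02}}
KEV_TODAY = {"vulnerabilities": [
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-05-20", "dueDate": "2024-06-10"},
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-06-02", "dueDate": "2024-06-23"},
]}

if __name__ == "__main__":
    merged, changes = merge_feeds(CACHE, EPSS_TODAY, KEV_TODAY)
    print("new in KEV:", new_kev(changes))
    print("EPSS movers:", epss_movers(changes))
```

Replaying yesterday's EPSS file after today's has been merged is a no-op, which is what makes the job safe to re-run after a partial failure.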
The console ships the full findings model — inventory, exploit-first EPSS/KEV ranking and de-noising, the FP feedback loop, dedup, multi-engine corroboration, remediation/SLA tracking, control mapping, signed per-finding evidence records, the scan-ingest pipeline, and the scheduled-refresh job descriptor — all runnable in your browser on point-in-time seed data. The live scan engines (Nuclei/Trivy/OpenVAS on the hosted runner and Lookout agent) and the live EPSS/KEV network pull run only on the hosted tier; the ingest contract they post to and the feed-merge logic are already built, and the local tier makes no network calls.