Most software vulnerability discovery happens only when developers run an SCA scan. The apps that aren't in active development go months between checks — until LiveThreat. Continuous SBOM monitoring, real-time vulnerability correlation, alerts straight into your ticketing queue.
SCA tools run when developers commit code. That covers active codebases. The legacy services, the stable internal tools, the acquired-company apps — those go quiet. When a critical CVE drops on a component buried inside one of those, nobody knows until the next dev cycle. LiveThreat closes that gap.
LiveThreat polls vulnerability intelligence sources every few minutes. The clock to detection starts ticking the second a CVE is published — not at your next sprint.
SBOMs are pulled live from GitHub and JFrog Xray on a configurable schedule. No build step, no commit hook, no developer involvement required.
Findings flow directly into your ticketing system with severity baked in. Tickets get worked. Slack messages get muted.
CycloneDX (JSON + XML), SPDX (JSON + tag-value), and Syft formats — uploaded directly or pulled live from a connected source. Every component normalized to PURL across 28 ecosystems.
Every component in every SBOM is matched continuously against OSV, CISA KEV, and EPSS. Bidirectional indexing means new CVEs find existing artifacts the same minute they publish.
Findings auto-route by severity. KEV-listed CVEs fire immediately. CVSS 9+ with EPSS exposure go same-day. The rest batch into a daily digest. No noise, no missed signal.
SPDX-aware policy engine flags or blocks components by license category — copyleft, weak-copyleft, restricted, custom rules. Per-tenant or per-SBOM scope.
Ship findings to ServiceNow, Jira, GitHub Issues, PagerDuty, and Microsoft Teams via the same outbound integrations Verisq already supports. HMAC-signed webhooks for everything else.
Drill from portfolio metrics into per-SBOM component lists, per-component CVE history, and per-vulnerability affected-artifact lists. Audit trail on every triage action.
Open Source Vulnerabilities database — Google-maintained, ecosystem-aware. Refreshed every 15 minutes for fast publication-to-detection turnaround across npm, PyPI, Maven, RubyGems, crates.io, Go modules and more.
The Known Exploited Vulnerabilities catalog. Refreshed every 5 minutes. Anything that lands here gets the urgency treatment — KEV-flagged findings bypass the standard queue.
Exploit Prediction Scoring System from FIRST. Daily refresh of probability scores so you're not just looking at theoretical CVSS — you see which vulnerabilities are actually being exploited in the wild.
Every finding is classified the moment it's detected — so the right CVE reaches the right person on the right cadence.
| Tier | Trigger | Delivery | Channel |
|---|---|---|---|
| Immediate | KEV-listed CVE matched, or CVSS ≥ 9.0 with EPSS ≥ 0.5 | Within minutes | Ticket created + webhook fired |
| Standard | CVSS ≥ 7.0 (High/Critical) | Same business day | Ticket created |
| Digest | CVSS < 7.0 or low exploitation probability | Daily roll-up | Email digest + dashboard |
| Informational | License policy match, SBOM staleness, out-of-date component | Continuous | Dashboard only |
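
The tier table above, applied to a newly published advisory, as an added example that is not LiveThreat's code. It assumes rows are evaluated top-down with the first match winning, that missing CVSS or EPSS scores count as 0, and that an advisory lists exact affected PURLs; the SBOMs, package names and the `EXAMPLE-0001` advisory are constructed.

```python
from collections import defaultdict

# Constructed sample data: minimal CycloneDX-style SBOMs keyed by artifact name.
SBOMS = {
    "legacy-billing": {"components": [{"purl": "pkg:npm/example-lib@1.2.3"},
                                      {"purl": "pkg:pypi/example-util@0.9.0"}]},
    "internal-wiki": {"components": [{"purl": "pkg:npm/example-lib@1.2.3"},
                                     {"name": "vendored-blob"}]},  # no PURL: skipped
}

# Constructed advisory: freshly published, KEV-listed, not yet scored.
ADVISORY = {"id": "EXAMPLE-0001", "kev": True, "cvss": None, "epss": None,
            "affected_purls": ["pkg:npm/example-lib@1.2.3"]}

def build_index(sboms):
    """Forward direction: map each PURL to the artifacts that ship it."""
    index = defaultdict(set)
    for artifact, sbom in sboms.items():
        for comp in sbom.get("components", []):
            if comp.get("purl"):
                index[comp["purl"]].add(artifact)
    return index

def classify(cvss, epss, kev):
    """Apply the CVE rows of the tier table, first match wins (assumption)."""
    cvss = cvss or 0.0  # new advisories often have no score yet
    epss = epss or 0.0
    if kev or (cvss >= 9.0 and epss >= 0.5):
        return "Immediate"
    if cvss >= 7.0:
        return "Standard"
    return "Digest"

def correlate(advisory, index):
    """Reverse direction: a new advisory finds artifacts already indexed."""
    tier = classify(advisory.get("cvss"), advisory.get("epss"),
                    advisory.get("kev", False))
    hits = {a for purl in advisory["affected_purls"]
            for a in index.get(purl, ())}
    return [(artifact, advisory["id"], tier) for artifact in sorted(hits)]

if __name__ == "__main__":
    for finding in correlate(ADVISORY, build_index(SBOMS)):
        print(finding)
```

The Informational tier is left out because its triggers (license policy match, SBOM staleness, out-of-date component) are not CVE scores.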
Connect a source once. LiveThreat refreshes the SBOM on a schedule, detects content changes, and re-correlates against the latest intelligence — no manual upload, no developer in the loop.
Connect a repository with a personal access token. LiveThreat polls GitHub's dependency graph SBOM API on your configured interval (6h, 24h, 7d) and ingests any updated content. Works for private and public repos.
Connect an Xray-indexed artifact with an API key or identity token. LiveThreat fetches the CycloneDX SBOM from your registry and stays in sync with new builds — covering container images, binaries, and dependency manifests.
AWS ECR, Azure Container Registry, and more on the roadmap.
Get visibility into vulnerabilities across every shipped application — including the ones that haven't seen a commit in months. Prove continuous coverage to auditors.
Findings land in your existing ticketing workflow with severity, EPSS exposure, and remediation context. No new console to live in. No new alert source to triage by hand.
Audit trail on every finding, every triage decision, every license policy violation. Continuous evidence for SOC 2, ISO 27001, and regulator requests.