For DevSecOps

Your scanner says patched.
The kernel's still running the CVE.

A package reads patched by version while the vulnerable code is still mapped into live services. oxharden tracks applied-vs-live across your whole Linux fleet — so a finding only closes when the fix is actually in effect.

Built for enterprise Linux: RHEL · Rocky · AlmaLinux · Oracle Linux · Amazon Linux 2023 · CIS · DISA STIG
Why engineers switch

Most scanners hand you a list.
We show what matters, where it runs, and what to fix first.

01 · Applied ≠ live

“Patched” by version. Still running the vulnerable code.

A kernel CVE isn't closed until the box reboots. A libssl fix isn't live until every service that mapped it restarts. oxharden tracks applied-vs-live, so your dashboard tells the truth — not the package manager's.

ON DISK: openssl 3.0.7-27 (package upgraded, "patched")
IN MEMORY: nginx · postgres · redis still mapping 3.0.7-18 · 31 services
LIVE = VULNERABLE · restart required · 86 hosts
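As an added illustration of the applied-vs-live distinction (not oxharden's own code), the following Python reads /proc/<pid>/maps contents and reports shared objects a process still executes from a file that the package upgrade replaced on disk. The process names, PIDs and map lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample /proc/<pid>/maps for two hypothetical processes, captured
# after the openssl package was upgraded on disk. The kernel appends "(deleted)"
# to a mapping whose backing file was unlinked or replaced, which is exactly
# what a package upgrade does to the old .so the process still executes.
SAMPLE_MAPS = {
    ("nginx", 1201): (
        "7f0c3a200000-7f0c3a4b0000 r-xp 00000000 fd:00 131074 /usr/lib64/libssl.so.3 (deleted)\n"
        "7f0c3a4b0000-7f0c3a4c0000 r--p 002b0000 fd:00 131074 /usr/lib64/libssl.so.3 (deleted)\n"
        "7f0c3a500000-7f0c3a520000 r-xp 00000000 fd:00 131080 /usr/lib64/libz.so.1\n"
        "7f0c3a600000-7f0c3a621000 rw-p 00000000 00:00 0 [heap]\n"
    ),
    ("sshd", 880): (
        "7f1d00000000-7f1d002b0000 r-xp 00000000 fd:00 131100 /usr/lib64/libssl.so.3\n"
        "7f1d00300000-7f1d00320000 rw-p 00000000 00:00 0 [stack]\n"
    ),
}
# address range, perms, offset, dev, inode, then the optional pathname
MAP_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$")

def stale_libraries(maps_text):
    """Shared objects this process still runs from a file replaced on disk:
    the package manager says patched, the process does not."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAP_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        # Skip anonymous/[heap]/[stack] and non-library mappings; memfds and
        # tmpfiles also read "(deleted)" but are not an unapplied fix.
        if not path.startswith("/") or ".so" not in path:
            continue
        if path.endswith(" (deleted)"):
            stale.add(path[: -len(" (deleted)")])
    return stale

def services_needing_restart(maps_by_proc):
    """Group stale libraries by the process names still mapping them."""
    by_lib = defaultdict(set)
    for (name, _pid), text in maps_by_proc.items():
        for lib in stale_libraries(text):
            by_lib[lib].add(name)
    return dict(by_lib)
```

On a real host, feed `services_needing_restart` the contents of /proc/<pid>/maps (with the name from /proc/<pid>/comm) for each process, running as root for full coverage; the kernel case is the analogous comparison of `uname -r` against the newest installed kernel.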
02 · Exploited first

Triage by what attackers actually use.

189 CVEs is noise. Four are in CISA's KEV catalog and exploited in the wild right now. We sort KEV → EPSS likelihood → CVSS impact, so the top of your queue is always the work that moves real risk.

4 · KEV — confirmed exploited · FIX FIRST
9 · EPSS ≥ 50% — likely
37 · CVSS ≥ 7 — impact
139 · everything else
03 · Fix guidance

From finding to fix in one command.

Findings point at the actual unit of work: the package upgrade, service restart, reboot, or configuration change that closes them. When a bash or Ansible remediation is available, it is scoped to the exact hosts that need it.

CAT I · RHEL-09-255045 · FAIL · 142 hosts
Bash remediation (Ansible also available):
# disable SSH root logon
printf 'PermitRootLogin no\n' \
  > /etc/ssh/sshd_config.d/50-stig.conf
sshd -t && systemctl reload sshd
From enrolment to ranked risk

Live before the next standup.

No appliance and no credentialed network scan window. Enroll a host and start seeing real package, port, kernel and compliance findings from local state.

STEP 01
Install the agent
One rpm command or your existing Ansible role. Read-only by default — nothing on the host changes without you.
STEP 02
See real, ranked risk
First scan in under two minutes — CVEs, STIG findings and exposed sockets, sorted by what's actually exploitable.
STEP 03
Fix the right unit of work
See whether the work is a package upgrade, restart, reboot, or config change. Apply it on your schedule, then re-scan to confirm the finding really closed.
Fits your workflow

Built to live in your pipeline.

Works with your config management
Enroll with an RPM install, cloud-init or your existing automation. No inbound ports and no host credentials to store.
API-first where it counts
Pull host, package, CVE and compliance state through the API when you need to feed another workflow or prove what changed.
Built for operational triage
Sort by KEV, EPSS, reachability, host count and applied-vs-live state, so engineers start with the findings that move risk.
Enterprise deployment path
The product is built around local collection and feed-driven evaluation, which keeps a clean path for self-hosted or offline enterprise requirements.
Compliance evidence included
Compliance findings keep expected vs actual configuration, evidence summaries and scan timestamps, with CSV/JSON exports for review.
Read-only by default
Scanning and compliance evaluation never touch the host. Every remediation is opt-in and scoped to named hosts.
<2min to your first scan
5 Linux families supported
KEV+EPSS exploit-first ranking
host state collected once
Start free trial

Find what's actually exploitable on your fleet.

Install the agent on one host, see real findings in two minutes, then roll it out. 14-day free trial for up to 30 hosts — no card.

Running a larger or regulated estate? Talk to sales →
FAQ

The questions engineers ask first.

Deploy the lightweight agent with curl, dnf, or automation tooling like Ansible. It checks in periodically, captures package, port, and kernel posture, and evaluates compliance locally on each host. The agent is strictly read-only, so it reports findings without making changes.