Package risk

Stop patching by CVSS alone.

oxharden inventories every package on every Linux host, matches versions to distro advisories, and ranks package risk by real-world exploitation signals, fleet impact, and whether vulnerable code is still running.

KEV-first: exploited CVEs prioritized
Applied ≠ live: patched hosts still running vulnerable code stay open
5 Linux families covered

CVSS is not a patching strategy.
oxharden shows what is dangerous now: exploited CVEs, exposed vulnerable services, and patched hosts still running old code.

01 · Exploit-first prioritization

CVSS is context. Exploitation drives the queue.

A theoretical 9.8 and an actively exploited 7.5 should not compete equally. oxharden brings KEV and EPSS to the top, so exploited and likely-to-be-exploited CVEs drive the work queue.

KEV: confirmed exploitation from CISA's catalog
EPSS: probability of exploitation in the next 30 days
CVSS: severity and impact context for prioritization
4 · KEV — confirmed exploited · fix first
9 · EPSS ≥ 50% — likely
37 · CVSS ≥ 7 — impact
139 · everything else

02 · Applied ≠ live

Patching is not done until the old code stops running.

Package version checks miss the messy part after patching. oxharden shows when a host has the fixed package installed but is still running the previous kernel or stale shared libraries, so teams know exactly when a service restart or reboot is still required.

Detects processes still mapped to replaced shared libraries
Compares the running kernel with the installed kernel
Keeps findings open until the fix is active
03 · Remediation by fixability

Fix the package, not the spreadsheet.

Instead of handing you one row per CVE, oxharden shows the actual remediation units: which package needs to change, which hosts need it, and how much risk that work retires.

CVEs are findings. Package upgrades are the work. oxharden groups vulnerabilities by the remediation that closes them, then ranks each fix by how much risk it retires across the fleet.

Grouped by package upgrade and ranked by CVEs × hosts affected
Flags follow-up actions such as service restart or reboot
Copyable Bash or Ansible remediation where available
CAT I · RHEL-09-255045 · FAIL · 142 hosts
Bash (Ansible also available):
# disable SSH root logon
printf 'PermitRootLogin no\n' \
  > /etc/ssh/sshd_config.d/50-stig.conf
sshd -t && systemctl reload sshd
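The tiering from section 01 (KEV, then EPSS ≥ 50%, then CVSS ≥ 7, then everything else) and the grouping from section 03 (findings collapsed into package upgrades, ranked by CVEs × hosts retired) together, as an added example that is not oxharden's code. The findings, package versions, host names and CVE ids are constructed placeholders.

```python
# Constructed sample findings (not real data): one row per CVE x package x
# host, already enriched with KEV / EPSS / CVSS. CVE ids are placeholders.
FINDINGS = [
    dict(cve="CVE-EXAMPLE-1", pkg="openssl", fix="openssl-3.0.7-27.el9_3", host="web-1", kev=True,  epss=0.92, cvss=7.5, followup="service restart"),
    dict(cve="CVE-EXAMPLE-1", pkg="openssl", fix="openssl-3.0.7-27.el9_3", host="web-2", kev=True,  epss=0.92, cvss=7.5, followup="service restart"),
    dict(cve="CVE-EXAMPLE-2", pkg="openssl", fix="openssl-3.0.7-27.el9_3", host="web-1", kev=False, epss=0.05, cvss=5.3, followup="service restart"),
    dict(cve="CVE-EXAMPLE-2", pkg="openssl", fix="openssl-3.0.7-27.el9_3", host="web-2", kev=False, epss=0.05, cvss=5.3, followup="service restart"),
    dict(cve="CVE-EXAMPLE-3", pkg="kernel",  fix="kernel-5.14.0-427.13.1.el9_4", host="web-1", kev=False, epss=0.01, cvss=9.8, followup="reboot"),
    dict(cve="CVE-EXAMPLE-3", pkg="kernel",  fix="kernel-5.14.0-427.13.1.el9_4", host="web-2", kev=False, epss=0.01, cvss=9.8, followup="reboot"),
    dict(cve="CVE-EXAMPLE-3", pkg="kernel",  fix="kernel-5.14.0-427.13.1.el9_4", host="db-1",  kev=False, epss=0.01, cvss=9.8, followup="reboot"),
    dict(cve="CVE-EXAMPLE-4", pkg="curl",    fix="curl-7.76.1-26.el9_3",         host="db-1",  kev=False, epss=0.61, cvss=6.5, followup=None),
]

TIERS = ["KEV: confirmed exploited (fix first)", "EPSS >= 50%: likely",
         "CVSS >= 7: impact", "everything else"]

def tier(f):
    """Lower is more urgent. Exploitation evidence outranks raw severity."""
    if f["kev"]:
        return 0
    if f["epss"] >= 0.5:
        return 1
    if f["cvss"] >= 7.0:
        return 2
    return 3

def remediation_units(findings):
    """Collapse CVE rows into the package upgrades that close them, then
    rank each upgrade by its most urgent tier and by CVEs x hosts retired."""
    units = {}
    for f in findings:
        u = units.setdefault(f["fix"], {"fix": f["fix"], "pkg": f["pkg"], "cves": set(),
                                        "hosts": set(), "tier": 3, "followups": set()})
        u["cves"].add(f["cve"])
        u["hosts"].add(f["host"])
        u["tier"] = min(u["tier"], tier(f))
        if f["followup"]:
            u["followups"].add(f["followup"])
    for u in units.values():
        u["risk_retired"] = len(u["cves"]) * len(u["hosts"])
    return sorted(units.values(), key=lambda u: (u["tier"], -u["risk_retired"]))

if __name__ == "__main__":
    for u in remediation_units(FINDINGS):
        print(f'{TIERS[u["tier"]]:38} {u["fix"]:30} cves={len(u["cves"])} '
              f'hosts={len(u["hosts"])} risk={u["risk_retired"]} followup={sorted(u["followups"])}')
```

With this sample the exploited 7.5 in openssl lands above the unexploited 9.8 in the kernel, and the kernel upgrade carries a reboot follow-up while openssl carries a service restart.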
04 · Coverage you can trust

Unknown never counts as clean.

Missing data should not make a dashboard look better. oxharden calls out unscanned hosts, stale agents, and missing or stale vulnerability feeds so coverage gaps are visible before they become audit gaps.

Per-distro feed freshness across the fleet
Stale agents flagged instead of silently trusted
Unassessed hosts marked as blind spots
How it works

From installed package to prioritized fix.

01

Inventory

The agent inventories installed packages and versions, running processes, loaded libraries, and kernel state on each host. No network scanning, no credentials to manage.

rpmdb · /proc · kernel
02

Match & Enrich

Installed versions are matched against distro security advisories and vulnerability feeds, then enriched with exploitation signals.

RHSA / ELSA / ALAS · NVD · CISA KEV · FIRST EPSS
03

Rank & Fix

Findings are ranked by real-world risk and grouped into the package updates, service restarts, or reboots that retire them.

Bash · Ansible · service restart · reboot
Under the hood

The technical details, up front.

No black box. Here's exactly what the agent reads, where vulnerability data comes from, and how findings are ranked.

Supported distros
RHEL 8 / 9 / 10 · Rocky · AlmaLinux · Oracle Linux · Amazon Linux 2023
Vulnerability sources
NVD, CISA KEV, FIRST EPSS, and per-distro vendor advisories such as RHSA, ELSA, and ALAS.
Matching
Installed package versions are matched to fixed-version vendor advisories for each distro, avoiding CPE-only guesswork where distro data is available.
Applied vs live detection
Shared libraries still mapped after replacement are detected through the processes' open file handles and memory maps; the running kernel is compared with the installed kernel on each host.
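The applied-vs-live checks described in section 02 and in this entry, as an added example that is not oxharden's agent code: it flags processes whose mapped shared libraries were replaced on disk and a booted kernel that is older than the newest installed one. The /proc maps excerpts, kernel versions and process names are constructed, and on a real host the maps text would be read from /proc/<pid>/maps.

```python
import re

# Constructed sample (not from a real host): /proc/<pid>/maps excerpts for two
# processes. The kernel tags a mapping "(deleted)" once its backing file was
# unlinked, which is what a package upgrade does to a replaced shared library.
SAMPLE_MAPS = {
    1234: ("nginx",
           "7f1a2c000000-7f1a2c1c5000 r-xp 00000000 fd:00 131 /usr/lib64/libssl.so.3.0.7 (deleted)\n"
           "7f1a2c400000-7f1a2c41a000 r-xp 00000000 fd:00 132 /usr/lib64/libc.so.6\n"),
    2345: ("sshd",
           "7f0b10000000-7f0b1001a000 r-xp 00000000 fd:00 132 /usr/lib64/libc.so.6\n"
           "7f0b10200000-7f0b10210000 rw-p 00000000 00:00 0 /memfd:shm (deleted)\n"),
}
# Constructed: `uname -r` and `rpm -q kernel` output from the same host.
RUNNING_KERNEL = "5.14.0-362.8.1.el9_3.x86_64"
INSTALLED_KERNELS = ["kernel-5.14.0-362.8.1.el9_3.x86_64",
                     "kernel-5.14.0-427.13.1.el9_4.x86_64"]

def stale_library_mappings(maps_text):
    """Shared libraries a process still maps after the file on disk was
    replaced. Only library files count: deleted memfd/tmp mappings also
    carry "(deleted)" and would otherwise be false positives."""
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # address perms offset dev inode path
        if len(parts) < 6:
            continue
        path = parts[5]
        if path.endswith(" (deleted)") and path.startswith("/") and ".so" in path:
            stale.add(path[: -len(" (deleted)")])
    return sorted(stale)

def version_key(evr):
    # Simplified ordering on numeric components; enough for this sample,
    # whereas real RPM comparison follows the fuller rpmvercmp rules.
    return tuple(int(x) for x in re.findall(r"\d+", evr))

def kernel_reboot_required(running, installed):
    """True when a newer kernel is installed than the one currently booted."""
    names = [k[len("kernel-"):] if k.startswith("kernel-") else k for k in installed]
    return max(version_key(n) for n in names) > version_key(running)

def applied_not_live(maps_by_pid, running, installed):
    """What keeps a host's findings open after the packages were upgraded."""
    restarts = {}
    for comm, text in maps_by_pid.values():
        libs = stale_library_mappings(text)
        if libs:
            restarts[comm] = libs
    return {"restart": restarts, "reboot": kernel_reboot_required(running, installed)}
```

For the sample, nginx still maps the replaced libssl and needs a restart, sshd does not (its only deleted mapping is a memfd, not a library), and the host needs a reboot because the newer kernel is installed but not booted.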
Scan cadence
Runs on schedule or on demand, dispatched through agent check-in when you need a fresh view.
Agent footprint
Read-only collection with a small agent footprint. The agent checks in on schedule and does not change host configuration during evaluation.
Remediation output
Copyable Bash or Ansible guidance where available, with restart or reboot follow-up called out when required.
Export
JSON and CSV today. Additional evidence exports are planned for auditor and reporting workflows.
Deployment
SaaS today. Self-hosted and air-gapped enterprise deployment are planned for environments that require offline feeds.
Get started

Launch your first scan in minutes.

Not ready to install? Click around the live demo with real fleet data first. Then start a 14-day free trial on up to 30 of your own hosts.

No signup and no agent needed for the demo, or book a guided demo with our team.
install.sh
curl -fsSL https://packages.executepath.dev/install.sh \
  | sudo EXPECTED_GPG_FINGERPRINT=13094D5AB037E6CD79CDFA3A51687EAC6B931A09 bash
agent enrolled · ip-10-20-2-107
inventory synced · 410 packages · 4 ports
first scan complete · 12 critical · 19 vulnerable pkgs
FAQ

Vulnerability scanning, answered.

CVSS measures potential impact. It does not tell you whether attackers are exploiting a vulnerability today. oxharden prioritizes real-world exploitation signals like CISA KEV and FIRST EPSS, then uses severity, exposure, and fleet impact to help rank the work.

It catches cases where a fix is installed but not yet active: a kernel updated on disk but not booted, or a shared library patched on disk while long-running services still map the old copy in memory. The agent inspects /proc, running kernel state, and open file handles to find them.

No inbound access and no host credentials are required. The agent reads local package, kernel, and process state, then checks in over an outbound connection.

NVD, CISA KEV, FIRST EPSS, and per-distro vendor advisories such as RHSA, ELSA, and ALAS. Missing or stale distro coverage is flagged as a gap instead of being treated as clean.

oxharden groups findings by the remediation that closes them: package update, service restart, or reboot. That way teams can see the actual unit of work and how many CVEs and hosts it retires.

Yes. oxharden keeps findings open when the package is fixed but vulnerable code is still running, and calls out the follow-up action needed to make the fix live.

JSON and CSV exports are available today, with API access for integration workflows.