Autonomous Cyber Expert · Tool Orchestrator

The cyber agent that adapts to every environment — then knows which tool to run.

CVEWatcher installs on your Linux server, understands the real environment, navigates approved security tools, builds its own schedule, and updates the dashboard with evidence — kernel, processes, ports, cron, systemd, packages, containers and logs. The scenarios shown here are examples; the agent adapts its plan to each customer environment.

  • Adaptive by design: not fixed playbooks — environment-aware decisions
  • Self-scheduling: tasks driven by server state
  • Tool-aware: Lynis, osquery, Trivy, Nuclei, CSF / Imunify360 / logs

Built for

  • cPanel / WHM hosting
  • Docker app hosts
  • Database & enterprise nodes
  • VPS & dedicated Linux
  • Multi-server fleets

Positioning

CVEWatcher does not compete with another CVE database.

Public feeds tell you what exists in the world. CVEWatcher tells you what is real on your server: what is installed, what is running, what is exposed, what changed, and what should be re-checked next — with evidence.

Global Intel

What exists in the world: CVEs, exploits, KEV, EPSS, Nuclei templates, CSAF, ATT&CK.

Local Evidence

What exists on your server: running processes, open ports, installed packages, cron drift, kernel reboot gap.

AI Correlation

Is it actually dangerous here, what to re-check, who gets the alert, and what the runbook should be.

How it works

From install to evidence — in five quiet steps.

  1. Profile: production / staging, scan intensity, quiet hours, customer policy.
  2. Detect: Docker? Public SSH? Exposed nginx? cron drift? cPanel hosting?
  3. Plan: the agent builds a task plan from approved tools — never random shell.
  4. Run: safe / deep checks at the right time, with timeouts and resource limits.
  5. Adapt: adds re-checks when new KEV / change / risk shows up.

Tool catalog

The tools the agent actually understands.

Every tool has metadata: production safety, root requirement, cost, when to run, how to parse output, and what it produces. The AI requests a tool — it never writes raw shell.

Core Linux

uname, os-release, dpkg/rpm, systemctl, journalctl, ss, iptables / nftables / ufw, crontab, ps, lsof, sudoers.

Audit & Hardening

Lynis, OpenSCAP, osquery, auditd, fail2ban status, CIS-style checks.

Containers

Trivy, Grype, Syft, Docker CLI, compose inventory, privileged containers, docker.sock mounts.

Exploit Validation

Nuclei templates in controlled mode, ExploitDB / GitHub PoC metadata, Metasploit metadata — exploits are not executed in Phase 1.

Vulnerability Intel

NVD, CVEProject, CISA KEV, FIRST EPSS, OSV, GHSA, CSAF, plus optional CVE intelligence providers via REST / MCP.

Runtime Enterprise

Falco, auditd rules, osquery scheduled queries, eBPF sensors — for Enterprise tiers.

Self-scheduling

The agent creates its own tasks — safely.

We do not throw twenty cron jobs at your server. The architecture is one systemd service + timer, a PostgreSQL-backed scheduler and evidence layer, and policies that decide what runs and when. Cron is only a fallback or per-customer request.

Self-updating tasks · triggers

 Docker detected → daily Trivy + exposed-container port diff
 New public port → immediate process / package / CVE lookup
 CISA KEV match → exposure verification + recheck every 6h
 Kernel update pending reboot → maintenance reminder + aging counter
 New root cron → drift alert + permission / path check

Policies · guardrails

 Safe Mode — read-only, low-cost, production friendly
 Deep Mode — Lynis / Trivy / OpenSCAP during quiet hours
 Runtime Watch — auditd / Falco / eBPF for Enterprise
 Approval Required — Nuclei validation only if allowed
 Resource Limits — max CPU / time per scan

Dashboard

Mission Control for the agent.

Every finding is connected to a tool, a command, a timestamp, and a next check. No black boxes.

  • 42 scheduled tasks: last run / next run / cost / tool health / failures
  • 3 KEV-exposed findings: with exploit evidence and real exposure
  • 18 drift events: new cron, new service, new port, new privileged user
  • 96% evidence confidence: tool + command + timestamp + next check

Explainable findings

The customer understands what is happening — without being a security engineer.

Every finding answers: what happened, why it is urgent, what is the evidence, what could happen if ignored, and what to do now. Not just CVSS. Not just raw logs.

Plain summary

“Your server needs a reboot because a security kernel update was installed but is not yet loaded. The old kernel is still running.”

Why urgent

Explains urgency — KEV match, internet-exposed service, running process, public exploit, suspicious cron / systemd change.

Evidence cards

For every finding: the command / tool / log, what was checked, what was found, timestamp, confidence and a redacted raw output link.

Cyber Twin

PostgreSQL Cyber Twin — the evidence brain behind every server.

CVEWatcher stores the Cyber Twin in PostgreSQL: server profile, environment detection, allowed tools, scheduled tasks, runs, findings, evidence, timeline, logs, customer preferences and AI explanation cache. That is what makes memory, diff, audit, fleet visibility and enterprise-grade reporting possible.

What is stored locally

Environment: cPanel / Docker / DB / generic profile + confidence
Tasks:       what runs, when it ran, when it runs next, why
Findings:    severity, urgency, status, next check
Evidence:    command / tool / log summaries + redacted raw refs
Timeline:    changes, alerts, resolved events

Three view levels

Business owner: status, top 3 actions, plain explanation
Admin:          findings queue, evidence cards, runbook
Expert:         JSON, raw refs, version logic, advisory sources

Instead of “there is a CVE”, the customer sees a clear story: 02:00 package check ran → 02:03 kernel update found → 02:04 reboot required confirmed → 02:05 nginx still running an old library → 02:06 alert sent → next check in 6 hours.

Adaptive root runtime

Powerful — but always under control.

CVEWatcher must be effective even with root access. So it ships with permission modes: Safe Observer, Root Expert, Root Operator and Break-glass. The goal is not to block power — it is to make full power safe with audit, policy, reasons, timeouts and evidence.

Safe Observer

Default for cautious customers: read-only inventory, CVE correlation, drift detection, alerts — no changes.

Root Expert

For hosting companies and sysadmins: root visibility, deep scans, log access, systemd timers, strong diagnostics.

Root Operator

For customers who want action: remediation workflows, service restart, package updates, firewall changes — all with policy, approval and full audit.

Policy flow

Intent:   AI or user requests a structured action
Policy:   allowlist + customer policy + resource budget
Tool:     fixed schema + command wrapper
Parser:   normalized, redacted output
Evidence: stored in PostgreSQL, synced to dashboard
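As an added example (not CVEWatcher's code, which is closed source), the Python below models the trigger table under "Self-updating tasks" and the Intent → Policy → Tool → Parser → Evidence flow above: detected server state becomes structured task intents, each intent passes an allowlist, mode, root, approval and budget gate, and an evidence record is written for every decision. The tool catalog, field names, cost units, timeouts and the `plan_tasks`, `authorize` and `run_plan` functions are assumptions made for illustration; nothing here executes a command, it only builds the argv a fixed wrapper would run.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Tool catalog: one entry per approved tool, carrying the metadata the page lists.
# Field names, costs and timeouts are assumptions for this example.
@dataclass(frozen=True)
class Tool:
    name: str
    argv: Tuple[str, ...]      # fixed command prefix; parameters come from a schema, never free text
    safe_in_production: bool   # may run in Safe Mode
    needs_root: bool
    cost: int                  # abstract budget units per run
    timeout_s: int             # hard wall-clock limit enforced by the wrapper
    needs_approval: bool = False

CATALOG: Dict[str, Tool] = {
    "ss_listen":       Tool("ss_listen", ("ss", "-tulpn"), True, True, 1, 30),
    "trivy_image":     Tool("trivy_image", ("trivy", "image", "--quiet"), True, False, 20, 900),
    "lynis_audit":     Tool("lynis_audit", ("lynis", "audit", "system"), False, True, 60, 1800),
    "nuclei_validate": Tool("nuclei_validate", ("nuclei", "-u"), False, False, 30, 600, True),
}

# Trigger table: detected server state -> structured task intents (never raw shell).
def plan_tasks(state: dict) -> List[dict]:
    tasks = []
    if state.get("docker"):
        tasks.append({"tool": "trivy_image", "every_h": 24, "reason": "Docker detected"})
        tasks.append({"tool": "ss_listen", "every_h": 24, "reason": "exposed-container port diff"})
    for port in state.get("new_public_ports", []):
        tasks.append({"tool": "ss_listen", "every_h": 0, "reason": f"new public port {port}"})
    for cve in state.get("kev_matches", []):
        tasks.append({"tool": "nuclei_validate", "every_h": 6, "reason": f"KEV match {cve}"})
    if state.get("quiet_hours"):
        tasks.append({"tool": "lynis_audit", "every_h": 168, "reason": "weekly deep scan in quiet hours"})
    return tasks

@dataclass
class Policy:
    mode: str                                   # "safe" (read-only) or "deep" (quiet hours)
    allowlist: FrozenSet[str]                   # tools this customer allows at all
    approvals: FrozenSet[str] = frozenset()     # approval-gated tools the customer has approved
    has_root: bool = True                       # False for unprivileged Safe Observer deployments
    budget: int = 100                           # cost units available in this cycle

def authorize(intent: dict, policy: Policy, remaining: int) -> Tuple[bool, str]:
    """Policy step: structured intent -> allowlist -> root -> mode -> approval -> budget."""
    if set(intent) != {"tool", "every_h", "reason"}:
        return False, "rejected: intent is not a structured tool request"
    tool = CATALOG.get(intent["tool"])
    if tool is None:
        return False, "rejected: tool not in catalog"
    if tool.name not in policy.allowlist:
        return False, "rejected: tool not allowlisted for this customer"
    if tool.needs_root and not policy.has_root:
        return False, "rejected: tool needs root, agent runs unprivileged"
    if policy.mode == "safe" and not tool.safe_in_production:
        return False, "rejected: not production-safe in Safe Mode"
    if tool.needs_approval and tool.name not in policy.approvals:
        return False, "rejected: approval required"
    if tool.cost > remaining:
        return False, "rejected: resource budget exhausted"
    return True, "ok"

def run_plan(state: dict, policy: Policy, now: Optional[datetime] = None) -> List[dict]:
    """Evaluate each planned task and emit an evidence record; nothing is executed here."""
    now = now or datetime.now(timezone.utc)
    remaining = policy.budget
    records = []
    for intent in plan_tasks(state):
        ok, verdict = authorize(intent, policy, remaining)
        command = None
        if ok:
            tool = CATALOG[intent["tool"]]
            remaining -= tool.cost
            # The wrapper, not the model, composes the command and enforces the time limit.
            command = ["timeout", str(tool.timeout_s), *tool.argv]
        records.append({"tool": intent["tool"], "reason": intent["reason"],
                        "decision": verdict, "command": command,
                        "timestamp": now.isoformat()})
    return records

if __name__ == "__main__":
    # Constructed server state: Docker host, one new port, one KEV match, inside quiet hours
    state = {"docker": True, "new_public_ports": [8080],
             "kev_matches": ["CVE-YYYY-NNNNN"], "quiet_hours": True}
    policy = Policy(mode="safe", allowlist=frozenset({"ss_listen", "trivy_image", "lynis_audit"}))
    for r in run_plan(state, policy):
        print(f'{r["tool"]:16} {r["decision"]:48} {r["command"]}')
```

With the sample Safe Mode policy the Trivy and `ss` checks are accepted, the Nuclei validation is rejected because it is not on the customer allowlist, and the Lynis deep scan is rejected because it is not production-safe in Safe Mode; every rejection still produces an evidence record with a reason, which is the property the "No black boxes" dashboard relies on.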

Network safety

Default:    no inbound public port
Sync:       agent initiates outbound HTTPS only
Local API:  Unix socket or 127.0.0.1 only
Dashboard:  signed policy messages, never shell
Tokens:     rotation + request signing

Security tools brain

It reads CSF, Imunify360, ModSecurity and your logs — and explains them.

If your server already has popular security tools, CVEWatcher does not replace them. It becomes the brain on top: it reads events, understands what was blocked, what is still exposed, and produces a short investigation with evidence and a customer-friendly explanation.

CSF / LFD

CSF posture, LFD blocks, brute-force, suspicious process, port scan alerts, allowed ports, testing mode, firewall posture.

Imunify360

Malware detections, quarantine / clean status, Proactive Defense, WAF incidents, reputation events, affected account / domain, last scan health.

ModSecurity / cPHulk / fail2ban

Explains WAF hits, blocked exploit attempts, failed WHM / cPanel logins, banned IPs, targeted users — and whether it is normal noise or a real incident.

Imunify360 found malware

1. Identify account / domain / path
2. Check whether the file still exists or is in quarantine
3. Inspect modified time, owner, permissions
4. Check whether the file is web-accessible
5. Create finding + evidence + follow-up recheck

CSF / LFD detected brute-force

1. Identify the service: SSH / cPanel / Exim / Dovecot
2. Count attempts over time
3. Check whether the IP is blocked
4. Inspect root login / password auth / cPHulk
5. Decide: ambient noise or urgent incident
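As an added example (not part of CVEWatcher), the Python below walks the five brute-force steps over constructed log lines: it identifies the service from sshd and Dovecot messages, counts attempts per source over a sliding window, checks the source against a constructed csf.deny-style list, reads PermitRootLogin from a constructed sshd_config, and decides between ambient noise and an urgent incident. The log formats, deny-list layout, thresholds and function names are approximations chosen for this example, not the product's parsers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed journalctl/syslog-style lines (approximate sshd and Dovecot formats, not real output).
SAMPLE_LOG = "\n".join(
    # 12 root failures from 203.0.113.5 inside two minutes (this IP is later in csf.deny)
    [f"Mar 03 02:{14 + i // 6:02d}:{(i % 6) * 10:02d} web1 sshd[{4100 + i}]: "
     f"Failed password for root from 203.0.113.5 port {51000 + i} ssh2" for i in range(12)]
    # 10 root failures from 192.0.2.44 inside one minute, not blocked
    + [f"Mar 03 02:30:{i * 5:02d} web1 sshd[{4200 + i}]: "
       f"Failed password for root from 192.0.2.44 port {40000 + i} ssh2" for i in range(10)]
    + [
        "Mar 03 02:40:10 web1 sshd[4300]: Failed password for invalid user bob from 198.51.100.7 port 40001 ssh2",
        "Mar 03 02:41:00 web1 dovecot[900]: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): "
        "user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS",
        "Mar 03 02:42:00 web1 CRON[4400]: (root) CMD (run-parts /etc/cron.hourly)",  # unrelated, ignored
    ]
)
SAMPLE_CSF_DENY = """\
# constructed csf.deny-style list: one IP per line, comment after '#'
203.0.113.5 # lfd: (sshd) Failed SSH login from 203.0.113.5: 12 in the last 3600 secs
"""
SAMPLE_SSHD_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\n"  # constructed

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
PATTERNS = [  # (service, regex, is_success)
    ("sshd", re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"), False),
    ("sshd", re.compile(TS + r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"), True),
    ("dovecot", re.compile(TS + r"dovecot\[\d+\]: \S+-login: Disconnected \(auth failed, (?P<n>\d+) attempts in \d+ secs\): user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)"), False),
]

def parse_events(text: str) -> List[dict]:
    """Step 1: identify service, source IP and target user for every auth event."""
    events = []
    for line in text.splitlines():
        for service, pat, success in PATTERNS:
            m = pat.match(line)
            if m:
                d = m.groupdict()
                events.append({"ts": datetime.strptime(d["ts"], "%b %d %H:%M:%S"),
                               "service": service, "ip": d["ip"], "user": d["user"],
                               "count": int(d.get("n") or 1), "success": success})
                break
    return events

def parse_csf_deny(text: str) -> Set[str]:
    """Step 3 input: IPs currently blocked (csf.deny layout: 'IP # comment')."""
    return {ln.split()[0] for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Step 4 input: sshd settings with keys and values lower-cased."""
    cfg = {}
    for ln in text.splitlines():
        ln = ln.split("#", 1)[0].strip()
        if ln:
            key, _, val = ln.partition(" ")
            cfg[key.lower()] = val.strip().lower()
    return cfg

def peak_in_window(evs: List[dict], window: timedelta) -> int:
    """Step 2: highest number of failed attempts from one source inside any window."""
    best = 0
    for i, start in enumerate(evs):
        total = 0
        for e in evs[i:]:
            if e["ts"] - start["ts"] > window:
                break
            if not e["success"]:
                total += e["count"]
        best = max(best, total)
    return best

def triage(events, blocked, sshd_cfg, window=timedelta(minutes=10), burst=10) -> Dict[str, dict]:
    """Step 5: one finding per source IP with a noise / urgent verdict."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        attempts = sum(e["count"] for e in evs if not e["success"])
        peak = peak_in_window(evs, window)
        root_targeted = any(e["user"] == "root" for e in evs)
        succeeded = any(e["success"] for e in evs)
        if succeeded:
            verdict = "urgent: successful login after failed attempts"
        elif ip in blocked:
            verdict = "noise: source already blocked by CSF/LFD"
        elif peak >= burst and root_targeted and sshd_cfg.get("permitrootlogin") == "yes":
            verdict = "urgent: root brute-force burst while PermitRootLogin is yes"
        elif peak >= burst:
            verdict = "urgent: unblocked brute-force burst"
        else:
            verdict = "low: ambient noise, keep watching"
        findings[ip] = {"ip": ip, "services": sorted({e["service"] for e in evs}),
                        "attempts": attempts, "peak": peak, "blocked": ip in blocked,
                        "root_targeted": root_targeted, "verdict": verdict}
    return findings

if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_LOG), parse_csf_deny(SAMPLE_CSF_DENY),
                    parse_sshd_config(SAMPLE_SSHD_CONFIG))
    for f in result.values():
        print(f"{f['ip']:14} {f['services']} attempts={f['attempts']} peak={f['peak']} -> {f['verdict']}")
```

On the constructed data the blocked 203.0.113.5 burst is filed as noise, the unblocked root burst from 192.0.2.44 against a host with PermitRootLogin yes is urgent, and the four scattered attempts from 198.51.100.7 across sshd and Dovecot stay at low. The window and burst threshold are the knobs a customer policy would tune; a successful login from a source with prior failures is treated as urgent regardless of block state.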

Old antivirus says: “I found a bad file.”
CVEWatcher says: Imunify360 found a suspicious file in this account, CSF blocked related attempts, the exposed service is X, the evidence is here, the risk is still open / closed, and the next check runs in Y hours. That is detection + context + investigation + explanation + follow-up.

Auto environment detection

The agent learns the environment before it decides what to do.

cPanel / WHM is not a Docker host. A database node is not a web host. The examples below are not hard-coded limits; they show how CVEWatcher navigates reality. It detects the environment, selects a Protection Profile, adapts the schedule, chooses the right tools, and explains the configuration in plain language.

cPanel / WHM hosting

Detects cPanel, Apache / LiteSpeed, Exim, Dovecot, MySQL, DNS, PHP versions, AutoSSL, ModSecurity, cPHulk, CSF / Imunify if present — then prioritizes hosting-specific risk.

Docker app host

Detects containers, images, exposed ports, privileged containers and docker.sock mounts — then schedules container checks in the right window.

Database / Enterprise node

Detects DB services, bind addresses, firewall posture, package CVEs, users / sudo, kernel state, backup indicators and runtime signals — then adapts policy accordingly.

cPanel Protection Profile

Web:   Apache / LiteSpeed / Nginx reverse proxy
PHP:   multiple versions, handlers, EOL versions
Mail:  Exim, Dovecot, SMTP restrictions
Panel: cpsrvd, cpdavd, cPanel version / update tier
Sec:   ModSecurity, cPHulk, CSF / LFD, Imunify / ClamAV

Recommended schedule

Hourly:  ports / process diff + cron / systemd drift
2h:      CISA KEV + EPSS sync
Daily:   package security + cPanel / EA4 / PHP EOL checks
Nightly: lightweight webroot metadata scan
Weekly:  Lynis / hardening deep scan

Vision

From server agent to AI Cyber Operating System.

The next major security platform will not be defined by another vulnerability feed. It will be defined by who owns the runtime context: what is installed, what is exposed, what changed, what evidence proves it, and which workflow should happen next. CVEWatcher starts with the hardest source of truth — the server itself — and expands from local evidence into fleet intelligence, security graph, AI SOC workflows and autonomous remediation.

Category wedge

Start where urgency is highest: Linux, VPS, hosting and cPanel servers that need local evidence, not another alert queue.

Durable moat

Every run improves the system: exposure truth, tool reliability, patch outcomes, environment patterns and customer-specific risk memory.

Platform expansion

The same Cyber Twin can power fleet security, compliance evidence, SOC workflows, remediation, cloud posture and partner integrations.

Investor thesis

Wedge:          local Linux evidence where CVE noise hurts most
Moat:           real exposure data + tool outcomes + patch history
Expansion:      single server → fleet graph → AI SOC workflows
Buyer:          hosting providers, MSPs, infra teams, security teams
Category:       autonomous security runtime for infrastructure

Company-scale roadmap

Phase 1: Linux / VPS / cPanel autonomous cyber expert
Phase 2: Fleet-wide Cyber Twin + security graph
Phase 3: AI SOC workflows, tickets and executive reporting
Phase 4: Cloud, Docker, Kubernetes and compliance evidence
Phase 5: Marketplace, API, MCP and partner ecosystem

CVEWatcher is building the runtime evidence layer for modern infrastructure security. The first product is an autonomous Linux cyber expert that knows which security tool to run and when. The long-term platform is a fleet-wide AI Cyber OS that turns server reality into prioritized action, defensible evidence and automated security operations.

About

Built by an operator. Not a deck.

CVEWatcher is built and maintained by Netanel Siboni — an AI implementation expert with 19+ years of production infrastructure experience. Founder of Voxfor and Netpower, he has personally operated and secured thousands of Linux servers and applications since 2006, and now applies that operator-grade depth to autonomous cyber agents.

CVEWatcher is the security agent born inside that experience: built by someone who has been running real servers under real attack for nearly two decades. Not another CVE feed. Not another dashboard. A tool-aware, environment-adaptive cyber agent built from production reality.

CVEWatcher is a commercial product. It is not open source. To explore a partnership, investor conversation or a private walkthrough — schedule a meeting on Netanel's calendar, or reach out by email or LinkedIn.

Business inquiries and private meetings.

For investor conversations, business proposals, partnerships or a private product walkthrough, the fastest path is to grab a slot directly on Netanel's calendar. Email and LinkedIn are also welcome.

Schedule a meeting (recommended)

Open Netanel's calendar and pick a time that works for you. 30 to 60 minutes, no friction.
Direct email

Please include who you are, your company, the reason for contact, and the type of meeting or proposal.
Direct profile: LinkedIn

For business introductions, investor conversations, and professional follow-up.