Each agent owns a narrow contract, a typed input/output, a tool registry, and a reasoning-trace emitter. They communicate over a signed message bus — never by sharing memory. Every message is persisted before any side effect runs. The reasoning trace is the product.
Receives events, dispatches work, holds per-finding FSM, emits master trace. Claude Opus 4.7 in anthropic mode.
Normalizes Qualys, Tenable, Rapid7, Wiz, Defender, Claroty, Nozomi, Dragos. Dedupes on (asset, cve).
NVD, CISA KEV, EPSS, vendor PSIRTs, ICS-CERT, GHSA, Glasswing pre-disclosure.
Locates vendor fixes / workarounds. Computes PatchReliabilityScore 0–1.
Joins finding to CMDB + dependency graph. Outputs BusinessImpactProfile.
Historical failure rates by asset class + vendor. Recommends window + canary.
Veto rights on OT / CCS. Compensating controls. Enforces NIST 800-82r3 + IEC 62443.
Synthesizes plan: steps · order · approvals · rollback · verification. Runbook + workflow.
Ansible · SCCM · Tanium · BigFix · Panorama · Firepower · Entra · AWS SSM · OT-native.
Rescan + health probe + exploit retest. Rolls back + escalates on failure.
Evidence units tagged to TSA · NIST CSF · NIST 800-82 · IEC 62443 · SOX · HIPAA · PCI.
Beyond CVE flow. EOL · sprawl · shadow IT · CCS-no-owner · identity hygiene.
Agents communicate only through a Postgres-backed signed message bus. Every message is persisted before any side effect runs — that's the audit guarantee.
```python
from datetime import datetime
from typing import Any, Literal

from pydantic import BaseModel

# AgentId and PolicyContext are project types defined elsewhere.
class AgentMessage(BaseModel):
    message_id: str                            # ULID
    trace_id: str                              # groups all messages for one finding's lifecycle
    parent_id: str | None
    from_agent: AgentId
    to_agent: AgentId | Literal["broadcast"]
    intent: str                                # e.g. "request_patch_lookup"
    payload: dict[str, Any]                    # schema-validated per intent
    policy_context: PolicyContext
    ts: datetime
    signature: str                             # HMAC-SHA256 over canonical JSON
```
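One way to produce and check the `signature` field, as an added example rather than the platform's own code. The canonical form (sorted keys, compact separators, UTF-8), the hex encoding, the demo key and all sample field values are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load per-agent keys from a secret store.
DEMO_KEY = b"constructed-demo-key"


def canonical_bytes(message: dict) -> bytes:
    """Serialize every field except `signature` deterministically.

    Assumed canonical form: sorted keys, no insignificant whitespace, UTF-8.
    """
    unsigned = {k: v for k, v in message.items() if k != "signature"}
    text = json.dumps(unsigned, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")


def sign(message: dict, key: bytes) -> dict:
    """Return a copy of the message with an HMAC-SHA256 hex tag attached."""
    tag = hmac.new(key, canonical_bytes(message), hashlib.sha256).hexdigest()
    return {**message, "signature": tag}


def verify(message: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; unsigned messages fail."""
    claimed = message.get("signature")
    if not isinstance(claimed, str):
        return False
    expected = hmac.new(key, canonical_bytes(message), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), claimed.encode())


# Constructed sample message using the AgentMessage field names; all values are placeholders.
SAMPLE = sign({
    "message_id": "PLACEHOLDER-ULID-1",
    "trace_id": "PLACEHOLDER-ULID-2",
    "parent_id": None,
    "from_agent": "supervisor",
    "to_agent": "patch_hunter",
    "intent": "request_patch_lookup",
    "payload": {"asset": "plc-07", "cve": "CVE-0000-00000"},
    "policy_context": {"zone": "ot"},
    "ts": "2026-01-01T00:00:00+00:00",
}, DEMO_KEY)

if __name__ == "__main__":
    rerouted = {**SAMPLE, "to_agent": "executor"}  # any field change invalidates the tag
    print(verify(SAMPLE, DEMO_KEY), verify(rerouted, DEMO_KEY))
```

Because the tag covers `to_agent`, `intent` and `policy_context` as well as the payload, a message rerouted or relabelled after persistence fails verification before any side effect is dispatched.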
Rule-engine outputs. Zero external deps. Sub-second per step. Best for CI and demos that must not depend on a model API.
Supervisor + OT Safety on Opus 4.7. Specialists on Sonnet 4.6. JSON-schema-validated outputs.
Specialists on gpt-4o-mini. Supervisor + OT Safety on o4-mini. Falls back to deterministic on auth/rate failure.
If any model call fails, the agent silently falls back to deterministic. The pipeline does not crash. Enterprise buyers cannot tolerate a platform whose availability depends on someone else's API key.
| State | Entered by | Exits to |
|---|---|---|
| DISCOVERED | Scanner Liaison ingest | ENRICHED |
| ENRICHED | Threat Intel + Patch Hunter | PRIORITIZED |
| PRIORITIZED | Impact Analyst + Change Risk | PLANNED or veto path |
| PLANNED | Remediation Planner + Policy Gate | AWAITING_APPROVAL or EXECUTING (auto-apply) |
| AWAITING_APPROVAL | Policy gate (non-auto) | EXECUTING on approval |
| EXECUTING | Executor | VERIFIED or ROLLED_BACK |
| VERIFIED | Verifier | CLOSED |
| CLOSED | Compliance Reporter | (terminal) |
| ROLLED_BACK · ESCALATED | Executor failure / Verifier reject / retry budget exhausted | (terminal, paged) |
Every external string (advisory body, scanner output, ticket comment) is wrapped in `<untrusted_external>` tags inside agent prompts. A pre-flight classifier flags suspicious patterns. Agents are explicitly told to treat content inside those tags as data only — never as instructions.
Attackers who realize their CVE description is being read by an AI will embed prompt-injection payloads in advisory bodies — that's already happening in 2026. This wrapper is the discipline.