Everything in one place: what we're proving, every container and what it runs, exactly which parts are real versus standing in, the precise vulnerabilities involved, what happens the moment you press the button, and what to expect when it runs. No hand-waving — this is the deployed system, verified all-green.
A real scanner finds a real vulnerability in real platform software; Mythal's twelve agents enrich, plan, and — after a human approval — patch it with real Ansible and prove it's gone with a real re-scan.
The earlier demo simulated findings. CSX wanted the OS-level Microsoft-patch demo redone at the platform level on Linux, with a real scanner and real Ansible — and run in our environment, not theirs.
The whole lab runs in containers on one machine, on an isolated network. It resets in seconds and is fully repeatable. The same connectors point at CSX's real Qualys + Ansible the day they pilot inside their estate.
Twelve agents, policy gate, reasoning-trace ledger, the dashboard CSX watches.
Plus an on-demand orchestrator that can run the loop without the UI.
All on the isolated poc-net bridge. The Mythal api joins that network so the agents can reach the scanner, Ansible, ServiceNow and Qualys connectors directly.
| Container | Base / image | What it runs | Real? |
|---|---|---|---|
| sentinelgrid-api | python:3.12 | FastAPI · 12 agents · policy gate · POC connectors | REAL |
| sentinelgrid-console | node / Next.js 15 | The dashboard (Command Center, Findings, Plans, Activity, Integrations) | REAL |
| sentinelgrid-postgres / redis | postgres:16 · redis:7 | Findings, plans, executions, traces · message bus | REAL |
| poc-target-tomcat | ubuntu:20.04 + JRE | Apache Tomcat 9.0.30 (+ sshd) | REAL |
| poc-target-log4shell | ubuntu:20.04 + JRE | Java app bundling log4j-core 2.14.1 (+ sshd) | REAL |
| poc-target-liberty | ubuntu:20.04 + JRE | Open Liberty 21.0.0.11 (+ sshd) | REAL |
| poc-target-activemq | ubuntu:20.04 + JRE | Apache ActiveMQ 5.17.3 (+ sshd) | REAL |
| poc-target-jetty | ubuntu:20.04 + JRE | Eclipse Jetty 9.4.43 (+ sshd) | REAL |
| poc-scanner | python:3.12 + Trivy | SSH version-probe + Trivy; serves canonical + Qualys-XML findings | REAL |
| poc-ansible | python:3.12 + ansible-core | Real ansible-playbook runner over SSH | REAL |
| poc-servicenow | python:3.12 / FastAPI | ServiceNow Table API — real API shape, mock backend | API SHAPE |
| poc-qualys | python:3.12 / FastAPI | Qualys VMDR API — real API shape over real findings | API SHAPE |
| Host | Software | Installed | Why this one | Patched to |
|---|---|---|---|---|
| target-tomcat | Apache Tomcat | 9.0.30 | The web/app server everyone runs; the famous Ghostcat flaw | 9.0.89 |
| target-log4shell | Apache Log4j | 2.14.1 | The library inside everything; the CVE every CISO fears | 2.17.1 |
| target-liberty | Open Liberty (WebSphere family) | 21.0.0.11 | The WebSphere-family runtime CSX named on the call | 24.0.0.3 |
| target-activemq | Apache ActiveMQ | 5.17.3 | Message broker; a CVSS-10 RCE actively used by ransomware | 5.18.3 |
| target-jetty | Eclipse Jetty | 9.4.43 | Embedded server in countless Java apps | 9.4.53 |
/opt, started as a service. Ansible logs in over SSH and upgrades it, just like it would a real CSX host.
Read or include arbitrary files (web.xml, configs, source) via the AJP connector — often a foothold to remote code execution. → fixed in 9.0.31+.
A single crafted log string triggers remote code execution. Mass-exploited within hours of disclosure; ransomware-linked. → fixed in 2.17.1.
Unauthenticated remote code execution via the OpenWire protocol; used by HelloKitty and other ransomware crews. → fixed in 5.18.3.
Server-side request forgery — coax the server into making attacker-chosen internal requests. → fixed in 24.0.0.3.
If session persistence is enabled, a crafted session file leads to remote code execution. Cleared by the same Tomcat upgrade.
The incomplete-fix Log4j RCE/DoS, and a Jetty cookie-parsing flaw that can leak data across requests. → 2.17.1 / 9.4.53.
| Element | Status | What that means exactly |
|---|---|---|
| Vulnerable software | REAL | Genuine Tomcat / Log4j / Liberty / ActiveMQ / Jetty at real vulnerable versions. |
| Vulnerability detection | REAL | Scanner SSHes in and reads the live installed version; Trivy bundled for OS-package breadth. |
| CVE knowledge (IDs, KEV, fix) | CURATED | Real CVE IDs / severities, authored into a CVE map (not a live NVD/CISA pull in the POC path). |
| Patching | REAL | Genuine ansible-playbook over SSH upgrades the software and returns the real recap. |
| Verification | REAL | A real re-scan; the finding clears only because the version actually changed. |
| The twelve agents + policy gate | REAL | The real Mythal platform in deterministic agent mode (no external LLM key needed). |
| ServiceNow ITSM | API SHAPE | Real ServiceNow Table API path; in-memory backend. Swap base URL for a real instance. |
| Qualys scanner-of-record | API SHAPE | Real Qualys VMDR API path over the lab's real findings. Swap base URL + creds for real Qualys. |
| The rail / MCR estate (4,310 assets) | SIMULATED | The separate demo tenant; clearly tagged SIMULATED. Not part of the real POC loop. |
| Demo conveniences | SIMULATED | Root-password SSH and a one-click approver stand in for key auth and a full approval chain. |
For each host the scanner opens an SSH session and reads the actual installed version — the Tomcat symlink target, the log4j jar filename, the ActiveMQ/Jetty/Liberty install path. It compares that to a curated CVE table and reports what matches.
Because the version is read live, a finding can only clear after Ansible genuinely changes it. Nothing about "now it's fixed" is scripted. Trivy is bundled too, so OS-package CVEs are scanned by a real industry tool.
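The version-compare logic described above, as an added Python example (not Mythal's scanner code): the fixed-in versions come from this page, while the rule labels, the artifact strings and every function name are constructed for illustration. It covers the six detections for which the page states a fixed version, and shows the failure mode where an unreadable version is escalated instead of cleared.

```python
import re

# Fixed-in versions as stated on this page. Labels are descriptive only;
# no CVE IDs are asserted here.
CURATED = {
    "tomcat":   [("AJP file read/include (Ghostcat)", "9.0.31")],
    "log4j":    [("crafted log string RCE", "2.17.1"),
                 ("incomplete-fix RCE/DoS", "2.17.1")],
    "activemq": [("OpenWire unauthenticated RCE", "5.18.3")],
    "liberty":  [("server-side request forgery", "24.0.0.3")],
    "jetty":    [("cookie-parsing data leak", "9.4.53")],
}

def parse_version(artifact):
    """Return the first dotted numeric version in a path or filename, or None."""
    m = re.search(r"\d+(?:\.\d+)+", artifact)
    return tuple(int(p) for p in m.group().split(".")) if m else None

def scan(probes):
    """probes: {host: (product, artifact string read over SSH)} -> findings."""
    findings = []
    for host, (product, artifact) in sorted(probes.items()):
        installed = parse_version(artifact)
        for label, fixed_in in CURATED.get(product, []):
            if installed is None:
                # Unreadable version: escalate, never report the host as clean.
                findings.append((host, label, "UNVERIFIED"))
            elif installed < parse_version(fixed_in):
                findings.append((host, label, "OPEN"))
    return findings

# Constructed probe output (hypothetical paths) using the page's versions.
BEFORE = {
    "target-tomcat":    ("tomcat",   "/opt/tomcat -> /opt/apache-tomcat-9.0.30"),
    "target-log4shell": ("log4j",    "/opt/app/lib/log4j-core-2.14.1.jar"),
    "target-liberty":   ("liberty",  "/opt/openliberty-21.0.0.11"),
    "target-activemq":  ("activemq", "/opt/apache-activemq-5.17.3"),
    "target-jetty":     ("jetty",    "/opt/jetty-home-9.4.43"),
}
PATCHED = {"tomcat": "9.0.89", "log4j": "2.17.1", "liberty": "24.0.0.3",
           "activemq": "5.18.3", "jetty": "9.4.53"}
AFTER = {h: (p, re.sub(r"\d+(?:\.\d+)+", PATCHED[p], a)) for h, (p, a) in BEFORE.items()}

if __name__ == "__main__":
    print(len(scan(BEFORE)), "open before patching")
    print(len(scan(AFTER)), "open after re-scan")
    print(scan({"target-tomcat": ("tomcat", "/opt/tomcat")}))
```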
On approval, the Executor agent calls the Ansible control node, which runs a real ansible-playbook over SSH: snapshot for rollback, download the fixed version the scanner named, swap it in, restart the service. The real PLAY RECAP (ok / changed / failed) flows back into Mythal's execution timeline.
"Right now, we use Ansible" — CSX on the call. This is that, for real.
Speaks the real ServiceNow Table API (/api/now/table/change_request). When a host is remediated, Mythal opens a change, marks it approved at the gate, and closes it on verification — producing real CHG records. Point it at a real ServiceNow instance and only the URL changes.
Serves the lab's real findings on Qualys's actual API path (/api/2.0/fo/asset/host/vm/detection/) behind Basic auth. Mythal's Qualys connector talks to it identically to a real subscription.
Why not real Qualys? It's licensed cloud SaaS (agents report to Qualys' cloud) — it can't be self-hosted offline or run repeatably on a laptop. The emulator proves the integration now; the real connector is the production path.
The scanner SSHes into all five hosts, reads live versions, and reports 7 real CVEs.
Scanner Liaison ingests → Threat Intel reconciles real KEV/EPSS → Patch Hunter names the fix → Impact + Change Risk score it → Planner writes the runbook. One plan per host.
The policy gate decides what needs sign-off. Nothing executes until you approve in the Plans board.
The Executor runs the real playbook over SSH, opens a ServiceNow change, and records the real recap.
A live re-scan confirms the version changed; every CVE on that host that cleared is closed, the change record is closed, compliance evidence is emitted.
Live SSH version probe across the estate.
Small download, swap, restart, re-scan.
They download a larger fixed runtime — expect a longer bar.
In the verified run: 5 host plans, each patched once by real Ansible; the host-wide re-scan closed all 7 CVEs (including the two second-CVEs that ride the same host patch). ServiceNow shows the closed changes; the Qualys API returns an empty detection list.
Runs the FSM, routes POC plans to the real executor
Ingests real scanner findings
Reconciles real KEV / EPSS
Names the fixed version
Asset criticality + blast radius
Failure-rate + window
Runbook + rollback, one per host
Runs the real ansible-playbook
Live re-scan, closes cleared CVEs
Evidence on close
Veto rights (OT path)
EOL / sprawl / shadow IT
http://localhost:3090
7 real CVEs land; 5 host plans appear.
Watch real Ansible patch + re-scan close it. Traces in Activity.
Not a slideshow and not a simulation — real vulnerable software, a real scanner, real Ansible, and a real re-scan that proves the fix. On a laptop, repeatable in seconds.
Nothing executes without approval; the platform escalates rather than falsely closing. The OT Safety Officer holds veto rights on the OT path.
The exact tools CSX named. The connectors are a base-URL swap from pointing at CSX's real Qualys, Ansible Automation Platform, and ServiceNow when they pilot inside their estate.
| Surface | URL | Use |
|---|---|---|
| Console | http://localhost:3090 | The dashboard — Command Center, Findings, Plans, Activity, Integrations |
| Presentation portal | http://localhost:8090/presentation/ | This deck + the plan + lab internals |
| API | http://localhost:8090 | /api/poc/scan · /api/poc/health · /api/plans · /health |
| Scanner | http://localhost:8096 | POST /scan/run · /findings · /findings/qualys |
| ServiceNow (mock) | http://localhost:8097 | /api/now/table/change_request |
| Qualys (emulator) | http://localhost:8098 | /api/2.0/fo/asset/host/vm/detection/ · Basic qualys_poc |
| Ansible control | http://localhost:8099 | POST /run · /health |
| Targets (SSH) | localhost:2210-2214 | root / ansible — inspection only |
All host ports sit outside the in-use block on this machine. The lab runs entirely over its internal poc-net bridge; exposed ports are for inspection and demo convenience.