Features Pricing Open source Docs
Theme
Language
fr en de es pt sv nl cs ko ja zh
Sign in
FEATURES

Everything to prioritize — not to stack up CVEs.

Three layers, recomputed continuously: what’s exposed, what matters, what to fix first.

Prioritization & risk score

A score built on real exposure, not raw CVSS.

Combined risk score
CVSS severity, exploitation likelihood (EPSS) and presence in the CISA KEV catalog, recomputed together.
Ranked remediation plans
Each action (patch, migration) sorted by the real number of CVEs it clears across your fleet, not raw volume.
System or CVE view
Two entry points: what exposes a given machine the most, or where a given CVE is present.
Inventory & collection

Continuous inventory, no agent required.

SSH satellites per site
One collector deployed per site queries your machines over SSH — nothing to install everywhere.
Per-machine agents
An alternative for isolated hosts outside SSH reach: a lightweight agent reports the same inventory.
Package EOL tracking
Package versions and end-of-life tracked continuously, not just at scan time.
Sync & integrations

Sources sync themselves, in a pipeline.

Automated sync
MITRE CVE, EPSS and the CISA KEV catalog are refreshed then recomputed automatically.
National bulletins
CERT-FR, BSI and other official bulletins feed the same recompute pipeline.
External auth
LDAP, OIDC and SAML supported to plug Pennyworth into your existing directory.

See your real exposure in minutes.

Create a cloud account Try the demo →