sekura

Proof, not probability. The case for deterministic exploits.

CVSS scores tell you what might be exploitable. Sekura tells you what is. Here is why the proof bar matters more than the severity score, and what changes when you enforce it.

Most vulnerability scanners do not find vulnerabilities. They find signals. Things that look like they might be vulnerabilities if an attacker were in just the right position, with just the right environment, running just the right version of a library.

That is not the same thing.

The CVSS problem

CVSS was designed to communicate urgency across teams. It does that reasonably well. What it does not do is tell you whether something is exploitable in your codebase, on your stack, against your configuration.

A CVSS 9.8 score on a dependency you load but never call is not a critical vulnerability for you. It might be a critical vulnerability for someone else.

I think this is the core confusion in modern AppSec. We have built elaborate systems for triaging severity scores rather than for answering the only question that matters: can an attacker actually use this to get in?

Here is what CVSS measures and what it does not:

  1. It measures theoretical severity based on the vulnerability class.
  2. It does not measure reachability in your code.
  3. It does not account for compensating controls in your infrastructure.
  4. It does not verify whether the exploit path actually runs.
  5. It was never designed to do those things.

That is not a flaw in CVSS. It is a flaw in expecting CVSS to answer a question it was not built to answer.

What proof-first scanning actually means

We built Sekura on a single constraint: if we cannot produce a working proof-of-exploit, we do not report the finding.

This constraint is not a feature. It is the architecture.

Every finding Sekura ships includes a deterministic exploit payload that reproduces the issue. You can run it. It either works or it does not. If it does not work, the finding does not exist in our output.

A concrete example. Consider a SQL injection hypothesis in a Node.js API. Sekura's exploit synthesis phase produces a payload like this:

curl -X POST https://api.example.com/users/search \
  -H "Content-Type: application/json" \
  -d '{"query": "x OR 1=1--"}'

The response is the full user table, including admin credentials. That is not a "high severity SQL injection finding." That is a confirmed exfiltration of your user table via a specific endpoint with a specific payload. Your remediation team does not need to validate it. The work is done.

Why the proof bar changes the economics

Most security teams spend 30 to 60 percent of their time on findings that turn out to be unexploitable. That is not a scanner problem exactly. It is what happens when you build workflows around severity scores rather than confirmed exploitability.

When you move to proof-first output, three things shift:

  1. Triage time drops. Findings arrive pre-validated. Engineers fix instead of investigating.
  2. Fix prioritization becomes obvious. A confirmed exploit on a payment endpoint outranks a theoretical CVSS 9 on a cold-path utility.
  3. Compliance becomes a byproduct. Proof-backed findings map directly to control failures rather than requiring manual judgment calls.

I believe most organizations could cut their mean time to remediation in half by simply changing the input to their triage queue. Not by hiring more people. Not by buying more tools. Just by stopping the flow of unvalidated findings.

From hypothesis to finding: what the pipeline does

Sekura runs a seven-phase multi-agent pipeline. The phases are:

  1. White-box SAST: static analysis of your source code.
  2. Recon: dynamic surface enumeration.
  3. Dynamic probing: instrumented exploration of live endpoints and functions.
  4. Exploit synthesis: automated attempt to produce a working exploit for each hypothesis.
  5. Exploit-chain analysis: combining individual findings into multi-step attack paths.

Phases six and seven handle post-quantum cryptography review and reporting.

The gate between phase three and phase four is the critical one. A hypothesis that survives SAST and recon but fails exploit synthesis is dropped. It never appears in your findings feed. Your team never sees it.

That filtering step is where the triage tax gets paid or refunded. Scanners pay it forward to your engineers. Sekura pays it internally.

What this means for your team

The question worth asking when you evaluate security tooling is not about volume. It is about validation.

How many of your findings have been confirmed exploitable before they reach my team?

If the answer is "we let you filter by severity," that is not an answer to the question.

You are not looking for coverage. You are looking for accuracy. Security is not a race to find the most things. It is a discipline for finding the things that matter and fixing them before someone else finds them first.

See how Sekura's proof-first pipeline compares to traditional scanners at /vs/scanners/.