⌁ controlled preview · invite required

Infrastructure exposure, proven.

Infrastead turns vendor security advisories into infrastructure decisions: which devices are exposed, what the evidence says, whether the mitigation actually holds — and what leadership needs to sign off.

  1. 01

    ADVISORY

    CVE-2024-3400 · vendor feed

  2. 02

    ASSETS

    66 devices · 4 in scope

  3. 03

    EVIDENCE

    per-device facts · versioned

  4. 04

    INTEGRITY

    deterministic verdicts

  5. 05

    REPORT

    executive decision output

Advisories are not decisions.

The feed tells you a vulnerability exists. It does not know your inventory, your exposure, your HA design, or whether the workaround you applied last Tuesday still reduces risk. That gap is where incidents live.

  • Tens of thousands of CVE records a yearmost of them irrelevant to your infrastructure
  • Inventories live somewhere elseapplicability gets answered from memory
  • Teams patch — and stop therenobody proves the mitigation held
  • Leadership gets status, not evidence“we think we’re fine” is not a decision

noise / feed

CVE-2024-3400 PAN-OS GlobalProtect

CVE-2024-21762 FortiOS SSL-VPN

CVE-2023-20198 IOS-XE Web UI

CVE-2024-20399 NX-OS CLI

CVE-2023-46805 Ivanti Connect Secure

CVE-2023-4966 Citrix NetScaler

… thousands more this year

signal / your estate

▲ AFFECTED pa-edge-fw-01 exposed · GlobalProtect on

▲ AFFECTED pa-edge-fw-02 HA peer · mixed version

◆ VALIDATE pa-core-fw-01 version unknown

● CLEAR 61 devices not applicable

One advisory. Four devices that matter. Evidence for each.

fig. 02 — advisory noise vs. infrastructure signal · sample

Six steps. Advisory in, decision out.

This is the exact flow of the guided preview — not a diagram of intentions.

  1. 01

    Define advisory

    Import a vendor advisory from a URL or enter it manually — normalized products, versions, and required features.

    $ advisory import CVE-2024-3400 --vendor palo-alto ✓ normalized

  2. 02

    Scope infrastructure

    Bring your inventory: firewalls, gateways, routers, controllers. CSV in, deduplicated, versioned.

    $ inventory load estate.csv ✓ 66 devices · 4 vendors

  3. 03

    Analyze applicability

    A deterministic engine crosses the advisory against every device. No guesswork, no scoring theater.

    $ analyze → 2 affected · 1 requires_validation · 63 not_affected

  4. 04

    Attach evidence

    Per-device facts where they matter: version, feature state, workaround status. Nothing required for clean devices.

    $ evidence pa-edge-fw-01 --workaround applied --hmac enabled ✓ saved

  5. 05

    Validate mitigation integrity

    The differentiator: a deterministic verdict on whether the mitigation is trustworthy — not whether a box was ticked.

    $ integrity run → 1 mitigated · 1 unresolved_exposure

  6. 06

    Generate executive output

    The same evidence that produced the verdict becomes the report leadership can act on.

    $ report generate ✓ REPORT-2026-Q3-0042 ready

“Patched” is a claim. Integrity is a verdict.

Most tools stop at tracking whether a patch was deployed. Infrastead asks a harder question: is the mitigation trustworthy enough to support a decision? A workaround that was applied — but silently disabled by the next config push — is worse than no workaround, because everyone stopped watching.

Mitigation Integrity classifies each device from its saved evidence, with a deterministic, versioned classifier. When the evidence cannot support a verdict, the verdict is requires_validation — never a quiet downgrade to “probably fine.”

MITIGATED

Workaround applied, verified against evidence, integrity conditions hold.

PATCHED

Fixed version confirmed on-device — not assumed from a ticket.

PARTIALLY MITIGATED

Risk reduced but conditions remain: mixed HA versions, partial rollout.

REQUIRES VALIDATION

Evidence insufficient to conclude either way. Says so, out loud.

UNRESOLVED EXPOSURE

The mitigation does not hold. This is the row that pages someone.

fig. 03 — integrity verdict states · deterministic classifier · sample

Every state you report is a state you can defend.

evidence · applicability run 2026-07-06T14:02Z

pa-edge-fw-01 AFFECTED PAN-OS 11.0.2 < fixed · GlobalProtect portal exposed

pa-edge-fw-02 AFFECTED HA peer on 11.0.0 · mixed-version pair

pa-core-fw-01 REQUIRES_VALIDATION os_version missing · feature state unknown

pa-branch-fw-12 PATCHED 11.0.3 confirmed · evidence: version + commit log

pa-lab-fw-09 NOT_AFFECTED GlobalProtect not licensed · no evidence required

pa-edge-fw-02 UNRESOLVED_EXPOSURE workaround present · HMAC validation disabled

fig. 04 — evidence trail · CVE-2024-3400 · sample

Devices that are confidently not affected never demand busywork evidence. Devices that are unclear never get quietly cleared. requires_validation is a first-class state, not a rounding error.

edge-fw-01edge-fw-02core-fw-01
exposed validate clear

fig. 05 — exposure surface · sample

Not a CVE reader. Not another scanner.

generic tooling
Infrastead
Scores the CVE
Classifies your devices
Lists affected versions
Proves applicability against inventory
Tracks that a patch shipped
Verifies the mitigation held
Collapses uncertainty into “low risk”
Keeps requires_validation visible
Exports a finding list
Produces an executive decision brief

CVSS matters — and it does not know your topology, your exposure, your HA design, or whether last week's workaround survived this week's change window.

07 // controlled preview

This is not an open launch.

Infrastead is in a limited, guided preview: one advisory, your inventory, real applicability analysis, evidence, mitigation integrity, and an executive report — end to end, in one sitting. An invite code and a verified work email are required.

decision support · no automatic infrastructure changes · validate before operational action

access · invite-gated · verified work email required