Built for the 2026 Agentic AI Hackathon
Autonomously reviews CVEs, ranks upgrade urgency, and generates patch-verification tests - so security teams patch what matters first.
Large enterprises run dozens of interconnected applications. Each month, vendors release hundreds of patches. Security teams face an impossible choice: patch everything and risk downtime, or patch selectively and risk exposure.
VulnPriority AI solves this by running a 9-stage agentic pipeline that:
- Discovers CVEs from your SBOM against ground-truth databases (OSV.dev + NVD)
- Scores each vulnerability using a deterministic, auditable formula β no black-box AI rankings
- Calculates blast radius mathematically from your dependency graph
- Generates patch regression tests on-demand via Gemini
- Assigns patches to engineers based on sprint capacity and expertise
- Schedules patches within your maintenance windows
The result: a ranked patch calendar your team can act on immediately.
Load the enterprise test dataset from test_dataset_enterprise_2026/ and run the full pipeline in under 2 minutes.
π¦ LLM-assisted Β Β π© Fully mathematical/deterministic Β Β πͺ On-demand only
Every CVE receives a deterministic priority score computed from verified data sources β not LLM opinion. Rankings are stable across repeated runs.
Priority Score = CVSS Γ PoC_Multiplier Γ Blast_Radius
βββββββββββββββββββββββββββββββββββββ Γ Tier_Weight Γ Regulatory_Flag
Patch_Complexity
| Factor | Source | Values |
|---|---|---|
| CVSS | NVD Primary score only (never CNA fallback) | 0.0 β 10.0 |
| PoC Multiplier | From exploit viability evaluation | Γ3.0 active Β· Γ1.5 medium Β· Γ1.0 none |
| Blast Radius | ceil(services Γ AV_factor Γ Scope_factor) from dependency graph |
1 β 10 |
| Patch Complexity | Derived from CVSS vector AC + PR + UI fields | 1 β 5 |
| Tier Weight | System criticality tier | Critical Γ3.0 Β· Important Γ2.0 Β· Standard Γ1.0 |
| Regulatory Flag | PCI / SOX / HIPAA / GDPR / FedRAMP exposure | Γ2.0 if present |
The pipeline prevents LLM-hallucinated CVEs (e.g., assigning a 1999 Windows CVE to an npm package) through three sequential guards:
- OSV.dev ground truth β only returns CVEs confirmed for exact
package@version - Year sanity check β npm CVEs must be β₯ 2010 (npm didn't exist in 1999)
- NVD CPE product match β CVE CPE field must match the package name (character boundary check)
- Ranked Vulnerability Table β CVEs ordered by priority score with expandable detail rows
- Patch Calendar β Patches scheduled within maintenance windows, assigned to engineers
- Kanban Board β Sprint-style tickets across Backlog / In Progress / Complete lanes
- On-Demand PoC β Click per CVE to generate a patch regression test (Python / JS / Bash)
- Dashboard β Risk score delta, effort distribution, top engineer workload
- OSV.dev β Ground-truth CVE β package mapping (no hallucination)
- NVD API β CVSS v3.1 Primary scores and vector strings (never CNA fallback)
- Gemini β CVE research, rationale, PoC generation (
gemini-2.0-flash) - Claude β Exploit evaluation, structured output, risk summaries
Upload JSON files directly from test_dataset_enterprise_2026/:
| File | Purpose |
|---|---|
package.json |
SBOM β all packages and versions to scan |
va_report_q2_2026.txt |
VA/pentest report β CVE IDs extracted automatically |
system_info.json |
System name, tier, regulatory scope, dependencies |
team_profiles.json |
Engineer skills, sprint hours, availability |
maintenance_windows.json |
Scheduled downtime windows for patch deployment |
vendor_advisories.json |
Vendor patch notices and affected packages |
internal_docs.json |
Internal threat notes and architecture context |
dependency_graph.json |
Service dependency edges for blast radius calculation |
| Layer | Technology |
|---|---|
| Backend | Python 3.11, FastAPI, Server-Sent Events (SSE streaming) |
| Frontend | React 18 (CDN, no build step), Highlight.js |
| AI β Research | Google Gemini (gemini-2.0-flash) via google-genai SDK |
| AI β Evaluation | Anthropic Claude (claude-opus-4-5) via anthropic SDK |
| CVE Data | OSV.dev API, NVD REST API v2 |
| Database | SQLite (scan history, team profiles, config persistence) |
| Deployment | Render (Python web service, static files served by FastAPI) |
- Python 3.11+
- A Gemini API key and/or Anthropic API key
git clone https://github.com/Lord2709/WhiteHat.git
cd WhiteHatcd backend
pip install -r requirements.txtCreate backend/.env:
GEMINI_API_KEY=AIza...
ANTHROPIC_API_KEY=sk-ant-...
NVD_API_KEY=your-nvd-key # optional but recommendedGet a free NVD API key at nvd.nist.gov/developers/request-an-api-key. Without it, NVD rate-limits to 5 requests/30 seconds, causing
NVD PENDINGscores on large scans.
cd backend
uvicorn main:app --reload --port 8000Open frontend/index.html directly in your browser β no build step required.
Or navigate to http://localhost:8000 (FastAPI also serves the frontend).
- Open the Configure page
- Upload
test_dataset_enterprise_2026/package.jsonin the SBOM section - Upload
test_dataset_enterprise_2026/va_report_q2_2026.txtin the VA Report section - Upload the remaining 6 JSON files in their respective sections
- Click Run Agentic Analysis
The pipeline streams progress in real time (~90 seconds with both API keys). Results appear automatically when complete.
The test_dataset_enterprise_2026/ directory simulates a real enterprise environment:
- NorthStar Payments β a fictional payment processing company
- System:
payment-api(critical tier, PCI + GDPR + SOX) - 7 downstream services: auth, settlement-worker, fraud-scoring, merchant-portal, reporting, redis, postgres
- Team: 4 engineers with varying skills and sprint capacities
- Maintenance windows: Sunday 01:30 and Wednesday 23:00
WhiteHat/
βββ backend/
β βββ main.py # FastAPI app β all pipeline logic, 2800+ lines
β βββ config.py # Environment variable loading
β βββ connectors.py # Vendor advisory / internal doc connectors
β βββ db.py # SQLite: scan history, team profiles, config
β βββ schemas.py # Pydantic request/response models
β βββ requirements.txt
β βββ .python-version # Pins Python 3.11.9 for Render
β
βββ frontend/
β βββ index.html # CSS + script tags (no build required)
β βββ js/
β βββ app-shared.js # Shared state, API_URL, helpers
β βββ app.js # Root App component, pipeline SSE handler
β βββ pages/
β βββ configure-page.js # File uploads, system config
β βββ pipeline-page.js # Live progress + results tabs
β βββ results-page.js # Ranked table, dashboard
β βββ team-page.js # Engineer profile management
β
βββ test_dataset_enterprise_2026/ # Ready-to-use enterprise scenario
β βββ package.json
β βββ va_report_q2_2026.txt
β βββ system_info.json
β βββ team_profiles.json
β βββ maintenance_windows.json
β βββ vendor_advisories.json
β βββ internal_docs.json
β βββ dependency_graph.json
β
βββ render.yaml # One-click Render deployment config
βββ START.md # Quick start guide
βββ LICENSE # MIT
The repo includes a render.yaml for one-click deployment.
- Fork or push this repo to your GitHub account
- Go to dashboard.render.com β New β Web Service
- Connect your GitHub repo
- Set these fields:
| Field | Value |
|---|---|
| Root Directory | backend |
| Build Command | pip install -r requirements.txt |
| Start Command | uvicorn main:app --host 0.0.0.0 --port $PORT |
- Add environment variables:
GEMINI_API_KEY,ANTHROPIC_API_KEY,NVD_API_KEY - Deploy
The frontend is served directly by FastAPI from ../frontend β no separate static hosting needed.
Free tier note: Render's free plan sleeps after 15 minutes of inactivity. The first request after sleep takes ~30 seconds. Upgrade to Starter ($7/mo) for always-on uptime during demos.
The backend exposes a REST + SSE API:
| Endpoint | Method | Description |
|---|---|---|
/health |
GET | Service health check |
/api/analyze |
POST | Run full pipeline (SSE stream) |
/api/generate-exploit |
POST | On-demand PoC for a single CVE |
/api/upload-report |
POST | Upload VA report, extract CVE IDs |
/api/parse-config-nl |
POST | Natural language β system config |
/api/config/save |
POST | Persist configuration to DB |
/api/config/load |
GET | Load saved configuration |
/api/scans |
GET / POST / DELETE | Scan history management |
/api/scans/{id} |
GET | Load a specific saved scan |
/api/team-profiles |
GET / POST | Team profile management |
/api/env-status |
GET | Which API keys are loaded server-side |
/api/sample-input |
GET | Load built-in demo dataset |
Built for the 2026 Agentic AI Hackathon:
Design an Agentic AI system that autonomously reviews vulnerability reports (CVEs, vendor advisories), internal system documentation, and dependency maps to prioritize software upgrades. The agent should assess business impact, technical risk, and upgrade complexity, then produce a ranked upgrade plan that minimizes overall security risk while reducing disruption to mission-critical systems.
| Requirement | Implementation |
|---|---|
| Review CVEs autonomously | OSV.dev + NVD API lookup per package@version |
| Process vendor advisories | vendor_advisories.json connector input |
| Use internal documentation | internal_docs.json enriches CVE matching |
| Map dependencies | dependency_graph.json drives blast radius |
| Assess business impact | Tier weight Γ regulatory flag multipliers |
| Assess technical risk | NVD CVSS Γ exploit viability Γ PoC multiplier |
| Assess upgrade complexity | CVSS vector fields (AC + PR + UI) β 1β5 scale |
| Produce a ranked plan | Deterministic priority score, stable across runs |
| Minimize disruption | Maintenance window scheduling + sprint capacity |
MIT License β Copyright 2026