Self-hosted vulnerability management with built-in AI

Vulnerability management
without the spreadsheet.

ctOS Blade replaces your monthly Excel-and-VLOOKUP ritual with a real platform — deduplication that preserves CVE detail, identity that survives DHCP, classification that fits your team, and dashboards your board will read.

Powered by your choice of LLM:

  • Ollama (self-hosted)
  • OpenAI
  • Anthropic

Built in Muscat. Designed for regulated environments worldwide.

  • Banking
  • Government
  • Healthcare
  • Telecom
  • Utilities

The reality of vulnerability management

The vulnerability spreadsheet that ate your career

Every month, the same ritual:

  • Export CSV from the scanner
  • Manually clean duplicates — without losing CVEs, ports, or evidence
  • VLOOKUP in Excel to map findings to asset owners
  • Realize three assets have new IPs and no owner mapping
  • Email owners with “their” findings in attachments
  • Wait. Wait some more.
  • Get partial responses, in three different formats
  • Track which version of which spreadsheet is current
  • Discover someone deleted rows by accident — or “accident”
  • Re-scan. Numbers don’t match. Why?
  • Escalate via email. Then escalate again.
  • Realize you have no audit trail of any of this
  • Write the compliance report anyway

Hours. Human errors. No logs. No accuracy.

This is what most vulnerability programs actually look like — not the diagrams in the vendor presentations. ctOS Blade exists because someone got tired of the spreadsheet.

ctOS Blade: vulnerability management designed for real workflows

Pillar 01

Assets that don’t disappear when their IP changes

Your DHCP server reissued an IP last week and now your scanner thinks half your environment is brand new. ctOS Blade tracks hostnames, FQDNs, MAC addresses, and IP history together — when an IP moves, findings stay attached to the right asset. When an IP gets recycled to a different machine, we don’t merge them by mistake.

  • Hostname-first identity: hostname/FQDN takes precedence over IP
  • IP history preserved per asset across all scans
  • Recycled-IP detection: separate machines stay separate
  • Asset metadata: OS, criticality, system role, owner, location, department
  • Vulnerability summary per asset by severity
  • Direct drill-down to findings on this asset

[Screenshot: Asset detail — IP history tracked, findings preserved across IP changes]

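How hostname-first identity with IP history and recycled-IP detection can be modelled, as an added illustration rather than ctOS Blade's own code. The precedence order (hostname/FQDN, then MAC, then current IP for records that carry nothing else) and the outcome labels are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    asset_id: int
    hostname: Optional[str]          # normalized hostname/FQDN: the primary identity key
    mac: Optional[str]               # secondary key (assumed precedence after hostname)
    ip_history: list = field(default_factory=list)  # oldest first; last entry is current

    @property
    def current_ip(self) -> Optional[str]:
        return self.ip_history[-1] if self.ip_history else None


class AssetRegistry:
    """Resolves scanner host records to assets: hostname first, IP last."""

    def __init__(self) -> None:
        self.assets: list = []

    def _by(self, attr: str, value: Optional[str]) -> Optional[Asset]:
        if value is None:
            return None
        return next((a for a in self.assets if getattr(a, attr) == value), None)

    def ip_seen_elsewhere(self, ip: str, exclude: Optional[Asset] = None) -> bool:
        """True if another asset has ever held this IP (a DHCP recycle candidate)."""
        return any(ip in a.ip_history for a in self.assets if a is not exclude)

    def resolve(self, hostname=None, mac=None, ip=None):
        """Return (asset, outcome); outcome is 'match', 'ip_moved', 'new' or 'recycled_ip'."""
        hostname = hostname.lower().rstrip(".") if hostname else None
        asset = self._by("hostname", hostname) or self._by("mac", mac)
        if asset is None and hostname is None and mac is None:
            asset = self._by("current_ip", ip)   # IP-only record: weakest match, current IP only
        if asset is not None:
            if ip and ip != asset.current_ip:
                asset.ip_history.append(ip)      # DHCP moved it; findings stay on this asset
                return asset, "ip_moved"
            return asset, "match"
        # Unknown identity: create a new asset, never merge onto the IP's previous owner.
        asset = Asset(len(self.assets) + 1, hostname, mac, [ip] if ip else [])
        self.assets.append(asset)
        outcome = "recycled_ip" if ip and self.ip_seen_elsewhere(ip, exclude=asset) else "new"
        return asset, outcome
```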
Pillar 02

Deduplication that doesn’t lose what matters

Most VM tools deduplicate by finding title alone — losing CVE lists, port details, and evidence in the merge. ctOS Blade uses a two-pass plugin-id-rolling deduplication that preserves the full CVE list, port specifics, and proof of every finding. When the same vulnerability comes back on rescan, we mark it “recurring” instead of duplicating it.

  • Two-pass plugin-id-rolling deduplication
  • Full CVE list preserved across merges (no losing data)
  • Per-port and per-protocol detail kept intact
  • Recurring-finding detection on rescan
  • Native ingestion: Nessus CSV, Nessus XML (.nessus), more on roadmap
  • Auto-classification on import — no manual rules required

[Screenshot: Import a Nessus .nessus or CSV file — see exactly how many findings are new, recurring, and how assets auto-classified]

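An added illustration of the two-pass idea described above, not ctOS Blade's own code. It assumes "plugin-id-rolling" means rows that share (host, plugin ID) are rolled into one finding, that row keys mirror Nessus CSV column names, and that the plugin ID, CVE IDs and plugin names are placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    asset: str
    plugin_id: str
    title: str
    severity: str
    cves: set = field(default_factory=set)
    ports: set = field(default_factory=set)        # "port/protocol", e.g. "443/tcp"
    evidence: list = field(default_factory=list)   # plugin output per port, never dropped
    status: str = "new"                            # "new", or "recurring" after a rescan

def roll_up(rows: list) -> dict:
    """Pass 1: roll every row of one scan with the same (host, plugin id) into one finding."""
    merged = {}
    for r in rows:
        key = (r["Host"], r["Plugin ID"])
        f = merged.setdefault(key, Finding(r["Host"], r["Plugin ID"], r["Name"], r["Risk"]))
        f.cves.update(c.strip() for c in r.get("CVE", "").split(",") if c.strip())
        port = f'{r["Port"]}/{r["Protocol"]}'
        f.ports.add(port)
        if r.get("Plugin Output"):
            f.evidence.append(f'{port}: {r["Plugin Output"]}')
    return merged

def reconcile(db: dict, rows: list) -> dict:
    """Pass 2: fold one scan into the finding store; returns {'new': n, 'recurring': m}."""
    counts = {"new": 0, "recurring": 0}
    for key, f in roll_up(rows).items():
        existing = db.get(key)
        if existing is None:
            db[key] = f                        # first sighting on this asset
            counts["new"] += 1
        else:
            existing.cves |= f.cves            # union: no CVE from either scan is lost
            existing.ports |= f.ports          # a port not re-reported keeps its record
            existing.evidence.extend(f.evidence)
            existing.status = "recurring"      # same vulnerability came back: flag, don't duplicate
            counts["recurring"] += 1
    return counts

# Constructed rows using Nessus CSV column names; IDs and names are placeholders, not real data.
SCAN_1 = [
    {"Host": "web01", "Plugin ID": "100001", "Name": "Placeholder TLS library plugin", "Risk": "High",
     "Port": "443", "Protocol": "tcp", "CVE": "CVE-0000-0001,CVE-0000-0002", "Plugin Output": "v1.0"},
    {"Host": "web01", "Plugin ID": "100001", "Name": "Placeholder TLS library plugin", "Risk": "High",
     "Port": "8443", "Protocol": "tcp", "CVE": "CVE-0000-0002,CVE-0000-0003", "Plugin Output": "v1.0"},
    {"Host": "db01", "Plugin ID": "100002", "Name": "Placeholder info plugin", "Risk": "Low",
     "Port": "0", "Protocol": "icmp", "CVE": "", "Plugin Output": ""},
]
RESCAN = [SCAN_1[0]]   # rescan reports only the 443 instance; the 8443 detail must survive
```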
Pillar 03

Classification that fits how your team actually works

Different teams need different views. The infrastructure team wants assets grouped by OS. The compliance team wants findings mapped to PCI-DSS zones. ctOS Blade ships with six built-in classification profiles and lets you define your own. Switch profiles based on the question you’re answering — no permanent commitment.

  • 6 built-in profiles: 9-Group, Simple OS, Team Standard, Extended Linux, PCI-DSS Zones, plus your own
  • Per-finding classification when you need precision
  • Per-asset classification when you need simplicity
  • Multiple strategies: majority vote, highest severity, custom
  • Duplicate any profile and customize without breaking the original
  • PCI-DSS profile included for compliance reporting

[Screenshot: Six built-in classification profiles, including PCI-DSS zones for compliance reporting]

Pillar 04

Access control that scales beyond a single team

Most VM tools have one-tier access: everyone sees everything, or admins gate everything. Real organizations have departments, contractors, and vendors who each need a specific slice. ctOS Blade has four access tiers, multi-department membership with custom roles per department, and dual audit trails for vendor-managed deployments.

  • 4 access tiers: superadmin, admin, manager, analyst
  • Multi-department membership: users can belong to multiple departments
  • Department-scoped findings: analysts see only their work
  • Audited vendor support access with separate audit trail
  • Every status change, classification change, and login logged
  • Audit log exportable for compliance reviews

[Screenshot: Access tiers, department scoping, and audit trails that satisfy auditors without slowing operators]

Pillar 05

Stop emailing spreadsheets. Start tracking remediation.

Findings without a workflow are just data. ctOS Blade groups related findings into Remediation Campaigns, tracks SLA deadlines based on severity, and notifies owners when work needs attention. Status changes are logged, not lost. Comments stay on the finding, not in someone’s inbox.

  • Remediation Campaigns: group N related findings, fix once
  • Bulk-create campaigns from filtered findings
  • SLA tracking with severity-based deadlines (configurable)
  • Notification rules engine (7 default rules, customizable)
  • Per-finding action plans, owner assignment, status workflow
  • “Approaching SLA” alerts before findings go overdue

[Screenshot: Select findings, create a campaign in one action — group remediation work that belongs together]

Reporting

Dashboards your board will actually read

Severity breakdowns. SLA compliance with approaching-breach detection. Aging matrices that surface the High findings that have been sitting open for 90 days. Severity trends across scans so you can prove the program is improving — or know when it isn’t.

Filterable by department, asset group, OS type, and time range. Click any chart cell to drill down to the underlying findings. Export PDF reports for board packs, ZIP exports for audit responses.

  • 11 pre-built dashboard endpoints
  • SLA compliance with “approaching breach” warning state
  • Severity × age aging matrix with click-to-drill
  • Severity trend by scan over time
  • 3 PDF report types (executive summary, technical detail, audit)
  • Full ZIP export for offline analysis

Pillar 06

AI that runs on your infrastructure, not OpenAI’s

AI is useful — but most AI security tools require sending your findings to a SaaS provider. That’s a non-starter for regulated environments. ctOS Blade’s AI Copilot runs against any OpenAI-compatible LLM, including local Ollama for fully air-gapped deployments. Use it when it helps. Disable it when policy requires.

  • Provider-agnostic: Ollama (local), OpenAI, Anthropic
  • Per-finding analysis: risk context, remediation steps, verification, effort estimate
  • Streaming responses — first output in seconds, not minutes
  • Per-tenant kill switch: disable AI entirely if policy requires
  • API keys encrypted at rest (AES-Fernet, per-deployment secret)
  • AI plan provenance tracked — know which campaigns used AI

[Screenshot: Per-finding AI analysis with risk context, remediation steps, verification commands, and effort estimate]

Built for regulated environments

Designed for the support model regulators expect

Self-hosted security tools come with a real operational question: when something breaks, how does the vendor help without violating data residency rules or audit requirements? ctOS Blade is built so that vendor support stays accountable, branded environments stay branded, and every action — yours and ours — has its own audit trail.

  • White-label branding: Your logo, your colors, your domain. Internal users see your brand, not ours. WCAG luminance gating prevents accidentally unreadable contrast combinations.
  • Vendor support with full visibility: When ctOS Blade support needs access to your deployment, it happens through vendor impersonation — your team sees exactly who logged in, when, and what they did. No hidden backdoors, no shared admin accounts.
  • Dual audit trails: Operator actions and vendor actions logged separately. Compliance reviewers can answer “what did our team do?” and “what did the vendor do?” with zero ambiguity.
  • Single-tenant architecture: Each deployment is its own database, its own filesystem, its own configuration. No multi-tenant data leakage risk because there’s no multi-tenancy.
  • Source code escrow available: Enterprise contracts can include source code escrow with a third-party agent (NCC Group, Iron Mountain). If our company changes status, your right to operate the platform is preserved.

What you get

Asset inventory & classification

Hostname-first identity that survives DHCP churn. Data-driven groups (Databases, Web Servers, Endpoints, …) editable by admins.

Finding management with team standards

Ingest Nessus and Tenable CSV exports. Hostname-first dedupe. Severity, status, asset group filters, bulk operations, evidence upload, and full audit history.

SLA tracking with severity-based deadlines

Configurable per-severity windows. Overdue, approaching, and within-SLA badges flow through dashboards and the findings table.

Department-scoped access control

Owners and department leads see only their slice. The same centralized service governs list, detail, dashboard, and export endpoints.

AI Remediation Copilot

Per-finding analysis: risk context, remediation steps, verification commands, effort estimate. Streamed live. Cached per finding with manual regenerate.

Remediation Campaigns

Group findings by remediation action. Bulk-create, track progress, mark complete when all linked findings close. Free-form plan, verification, and effort fields.

How we compare

Categories that matter for self-hosted, regulated deployments. Not every box in every column — just the ones that change the buying decision.

Category                                          ctOS Blade   Tenable / Qualys   DefectDojo
Self-hosted, air-gapped capable                   Yes          No                 Yes
AI-native (provider-agnostic, can run locally)    Yes          Partial            No
Asset identity survives DHCP / IP changes         Yes          Limited            No
Two-pass dedup preserving CVE detail              Yes          Title-only         No
Per-finding AND per-asset classification          Yes          No                 No
Built-in PCI-DSS classification profile           Yes          Add-on             No
Multi-department access with audit trails         Yes          Limited            No
Audited vendor support access                     Yes          No                 No
Modern UI (2026)                                  Yes          No                 No
Pricing                                           $$           $$$                Free
Vendor support                                    Yes          Yes                No

Built by people who lived this problem

Why we built ctOS Blade

Eight years.

That's how long we spent managing vulnerability programs in the GCC — coordinating findings across banks, utilities, and government agencies, deploying open-source scanners, and trying to herd teams toward actually fixing things.

Eight years of the same broken workflow.

A scanner runs. It produces 800 findings. We export them to Excel. We split them by owner. We send out tickets. Someone deletes a row by mistake — was that finding closed, or did it just disappear? We re-scan. The numbers don't match. We fight about whether the owner actually patched the server or just marked the ticket "done." We juggle four concurrent VA/PT engagements in four separate spreadsheets.

By the end of every quarter, we'd produced beautiful compliance reports — and fixed maybe 30% of what we found.

The tools weren't broken. They were doing exactly what they were designed to do: produce reports for auditors. They just weren't designed for the people doing the actual remediation work.

When AI tools started landing in 2024, we waited for someone to build a self-hosted version that respected our regulators' data residency rules. They didn't. The best AI security tools all required cloud connectivity, ruling them out for the regulated environments where we worked.

So we built ctOS Blade ourselves. It's the tool we wish we'd had — a self-hosted vulnerability platform that groups findings by remediation action, runs AI analysis on YOUR infrastructure, and treats security teams like the practitioners they are.


  • Founded: 2026
  • Headquarters: Muscat, Oman
  • Team experience: 8+ years in GCC vulnerability management
  • Contact: [email protected]

Pricing

Two tiers. Annual contracts. No surprises.

ctOS Blade is sold via annual or multi-year contracts. Every plan includes a 30-day trial.

Enterprise

For regulated industries and large deployments requiring deep customization.

Contact for pricing

Sized for organizations with 2,500+ assets and unlimited users

  • Unlimited findings, assets, and users
  • Custom team standard classifications
  • Department hierarchy & advanced RBAC
  • Custom dashboards
  • White-label branding (your logo, colors, domain)
  • Audited vendor support with dual audit trails
  • White-glove deployment included
  • Named technical account manager
  • Priority support (SLA-backed)
  • Source code escrow available
  • Annual or multi-year contracts

All deployments are self-hosted on your infrastructure. We don't host any customer data. See FAQ for deployment details →

Common questions

What happens to our deployment if your company stops operating?

ctOS Blade is self-hosted. Your deployment continues operating indefinitely without any dependency on our company. For Enterprise customers, we offer source code escrow through a third-party agent (such as NCC Group or Iron Mountain), guaranteeing access to source code in defined trigger events. We can also provide a perpetual licence clause in Enterprise contracts so your right to use the software survives any business changes on our side.

Do you have SOC 2 or ISO 27001 certification?

Not yet. We're a small team focused on getting the architecture right first. The platform is designed for the controls those certifications require — encryption at rest (AES-Fernet for secrets), TLS in transit, role-based access, audit logging. Formal certification is on our roadmap for the next 12 months. We're happy to walk Enterprise prospects through our security architecture in detail and provide written attestations as needed.

How is sensitive data protected?

At rest: PostgreSQL with disk-level encryption (configured during deployment, your responsibility). LLM API keys: AES-Fernet encrypted with a per-deployment secret derived from your SECRET_KEY environment variable, never returned in API responses, never logged. In transit: TLS 1.3 for all HTTP, internal service-to-service over private networks only. We never receive, store, or have access to your deployment's data.

Can we audit your code or deployment?

Yes. Enterprise customers receive read-only access to a private GitHub repository for the code they're running. Source code review by your security team is encouraged. We also publish a public changelog with every release so you can verify what's shipping in each version.

Why should we trust a small team instead of Tenable, Qualys, or Rapid7?

Honest answer: for many organisations, you shouldn't. If you need broad scanner coverage with thousands of plugin signatures and a global support footprint, the incumbents are the right choice — and ctOS Blade complements them rather than replacing them. ctOS Blade is the right choice when (1) you can't or won't use cloud-hosted SaaS, (2) you want AI-native workflows without sending data to OpenAI, or (3) your scanners produce findings but no one has built the layer above them for actually managing remediation. We're built for that gap.

Where is my data stored?

On your infrastructure. ctOS Blade is self-hosted. We do not collect telemetry, usage data, or scan results. AI analysis can run entirely on your servers via Ollama — your findings never leave the network.

Does it work in air-gapped environments?

Yes. The complete platform — including AI features via local LLM providers — runs without internet access. Updates ship as offline bundles you stage and apply on your schedule.

What about the AI features? Do they need OpenAI?

No. ctOS Blade supports Ollama (local, free, no internet), OpenAI, and Anthropic. Switch providers via configuration. Disable AI entirely if your policy requires.

Can I import findings from existing scanners?

ctOS Blade ingests Nessus exports natively in two formats: Nessus / Tenable CSV exports and the native .nessus XML (NessusClientData_v2). We’re not a scanner ourselves — we’re the platform that turns scanner output into actionable workflow. For specifics on which scanners are supported today, see “Which scanners are supported today?” below.

Which scanners are supported today?

ctOS Blade currently ingests Nessus exports natively in two formats: Nessus CSV exports and native .nessus XML files. We have roadmap items for Qualys QualysGuard XML, OpenVAS XML, and Rapid7 InsightVM exports. If you have a specific format requirement, let us know during the demo — we may be able to prioritize.

Can we deploy ctOS Blade with our own branding?

Yes — white-label branding is available on the Enterprise tier. Configure your logo, brand colors, and domain so your internal users see your brand, not ours. WCAG luminance gating prevents accidentally unreadable color combinations. This is especially useful for regulated organizations whose users expect tooling to match the rest of their internal systems.

What kind of support do you provide?

Direct email support during business hours (GMT+4). Enterprise tier includes a dedicated Slack channel and a named technical account manager. Onboarding consultation is included with all paid tiers.

How long is deployment?

A typical deployment takes one day on the standard architecture (Docker Compose on a Linux VM with Postgres). More complex environments — strict change windows, custom integrations — may take longer.

Do you offer a trial?

Yes — every paid tier includes a 30-day trial. Book a demo and we'll set up a trial environment configured to your needs.

Ready to see it working?

30 minutes. We’ll show you a live deployment with real findings. No sales pitch — just the product.