The eight-year vulnerability spreadsheet

Why we built ctOS Blade

Eight years.

That's how long we spent managing vulnerability programs in the GCC — coordinating findings across banks, utilities, and government agencies, deploying open-source scanners, and trying to herd teams toward actually fixing things.

Eight years of the same broken workflow.

The spreadsheet that ran our lives

A scanner runs. It produces 800 findings. We export them to Excel. We split them by owner. We send out tickets. Someone deletes a row by mistake — was that finding closed, or did it just disappear? We re-scan. The numbers don't match. We fight about whether the owner actually patched the server or just marked the ticket "done." We juggle four concurrent VA/PT engagements in four separate spreadsheets.

By the end of every quarter, we'd produced beautiful compliance reports — and fixed maybe 30% of what we found.

The tools weren't broken. They were aimed elsewhere.

The tools weren't broken. They were doing exactly what they were designed to do: produce reports for auditors. They just weren't designed for the people doing the actual remediation work.

Our scanners found things — that's table stakes. The gap was upstream of fixing: how do 200 findings about the same patch become one piece of work? Who actually owns it? When it's done, how do we close every related ticket without losing the audit trail? None of that was solved. So every quarter, we hand-rolled it in Excel.

2024: the AI gap

When AI tools started landing in 2024, we waited for someone to build a self-hosted version that respected our regulators' data residency rules. They didn't. The best AI security tools all required cloud connectivity, ruling them out for the regulated environments where we worked.

For a Saudi bank, an Omani utility, or a Qatari ministry, sending finding-level data to OpenAI wasn't a question of comfort — it was a non-starter on contract day one. The choice was: keep scanning the way we had since 2017, or wait indefinitely.

So we built it ourselves

So we built ctOS Blade ourselves. It's the tool we wish we'd had — a self-hosted vulnerability platform that groups findings by remediation action, runs AI analysis on your infrastructure, and treats security teams like the practitioners they are.

The AI runs locally via Ollama, or against any provider you authorize. The data stays where you deploy it. The workflow groups findings by what gets fixed, not by what gets reported. And the UI is built for the engineer closing the ticket — not the auditor reviewing it next quarter.

If any of this sounds like a workflow you recognize, you're the person we built this for.

If any of this sounds familiar…

I'd love to show you a demo. Thirty minutes, real product, no sales pitch.
