
CyberSHIELD | CybersecurityOS 🛡️

SPECTRA: Turn Scanner Noise Into Signal With AI


131 new CVEs disclosed every single day. A 4.8 million person workforce gap. Manual triage burning analyst hours on findings that will never be exploited.

This week I published a full breakdown of SPECTRA — an open-source, AI-powered CLI that sits downstream of Trivy, Semgrep, and Nessus and transforms raw scanner output into ranked findings, attack chain analysis, and executive summaries your team can actually act on.

The numbers that should concern every security leader:

  • Only ~2% of published CVEs are ever exploited in the wild — yet most teams still triage by CVSS score
  • 28% of exploited vulns in Q1 2025 carried only medium CVSS scores
  • Median time to exploit a newly disclosed CVE: under 5 days (down from 745 in 2020)

CVSS-first triage isn't just inefficient. It's systematically deprioritizing the vulnerabilities attackers are actively using.

SPECTRA applies AI reasoning across all of these dimensions simultaneously:

  • Ranked findings calibrated by real-world severity — not just CVSS
  • Attack chain analysis connecting related vulnerabilities into exploitable paths
  • Executive summaries ready for leadership briefings
  • Concrete remediation steps: not "patch this CVE," but how, where, and why

Powered by Claude. Runs anywhere Python 3.9+ is available. Outputs both Markdown and JSON. Plugs into the pipeline you already have rather than replacing it.

The post covers the full architecture, four production use cases (vulnerability management, DevSecOps, red team, GRC reporting), and what's on the roadmap.

→ Read the full post

— CybersecurityOS

Engineering security from first principles. I'm Michael Tayo — I write CybersecurityOS, where I break down secure-by-design architecture, DevSecOps, cloud security, and emerging-tech risk into practical frameworks for engineers, leaders, and teams. Weekly perspectives, clarity over complexity.