SBOM / Vulnerability Overview

  COMPONENT                   VERSION   WORKLOAD            CVSS   STATUS
  log4j-core (Apache Log4j)   2.14.1    prod-api-vm         10.0   CRITICAL · KEV
  openssl                     1.1.1     3 workloads          9.8   CRITICAL
  requests                    2.27.1    gke-cluster-prod     6.1   MEDIUM
  moment                      2.29.1    stg-web-vm           7.5   HIGH
  numpy                       1.21.0    data-pipeline-vm     5.3   MEDIUM
  boto3                       1.20.0    lambda-processor     0     OK · NO CVEs

Priority Queue (ranked by exposure)

  #1  log4j-core   Internet-reachable VM        CVSS 10.0 · KEV
  #2  openssl      Adjacent to prod-db          CVSS 9.8
  #3  moment       Staging — low blast radius   CVSS 7.5
  #4  requests     GKE — internal only          CVSS 6.1

142 components · 3 critical · 8 high · Scan: 4 min ago
SBOM

Know exactly what's running — and what's exposed

Siriqo's cloud-native scanning agent snapshots your VMs, pulls container images, and discovers serverless runtimes — all without installing anything on your workloads. Every package is matched against live CVE feeds and ranked by where it sits in your network topology. Internet-reachable? It goes to the top.

  • Agentless — no agents installed on scanned workloads
  • VM, container, and serverless coverage across Azure, AWS, and GCP
  • CVE enrichment via OSV, NVD, CISA KEV, and EPSS scoring
  • Post-quantum cryptography library detection
  • Findings ranked by network reachability, not just CVSS

The problem organisations face

You can't secure what you can't see. Most organisations have a fragmented picture of their software inventory — and no way to connect it to network risk.

Vulnerability lists are too long to act on

Thousands of CVEs with no network context leave teams unable to prioritise meaningfully. Everything looks urgent and nothing gets fixed fast enough.

Shadow workloads run unscanned

Developers spin up containers and VMs outside formal deployment processes. These shadow workloads never appear in the CMDB, but they are running and reachable.

Compliance requires software provenance

Regulations such as NIS2 and US federal procurement requirements increasingly call for a documented software bill of materials. Manual tracking is unsustainable at scale.

Zero-day response requires instant inventory

When a Log4Shell-scale zero-day lands, the first question is "do we run this?" Without a live software inventory, answering takes days you don't have.

What you get

  • VM & container scanning

    Agentless VM snapshot scanning using Syft enumerates every installed OS package, language runtime, and library. Because the scan reads a disk snapshot rather than a live process table, it reports what is installed, not what is currently running or loaded. Container images are scanned directly, with no sidecar required.

  • Serverless coverage

    Azure Functions, AWS Lambda, and other serverless workloads are inventoried for their runtime dependencies. Shadow workloads outside your CMDB are discovered automatically.

  • CVE enrichment pipeline

    Each component is matched against OSV (Open Source Vulnerabilities) in a single batch query, with NVD as the fallback source for anything OSV does not cover. Membership in CISA's Known Exploited Vulnerabilities catalogue and EPSS (Exploit Prediction Scoring System) exploit-probability scores then surface what to fix first.

  • Exposure-aware prioritisation

    CVEs on internet-reachable workloads rank above identical findings on isolated resources. Siriqo's network graph is the context — CVSS alone isn't enough.

  • Post-quantum cryptography detection

    Cryptographic library inventories are analysed for quantum-vulnerable algorithms. Know which workloads rely on RSA, ECC, or pre-quantum TLS before compliance frameworks require it.

  • Change-aware rescanning

    VM OS disks are fingerprinted at scan time. Unchanged disks are skipped on subsequent runs — the same approach Wiz uses to keep scanning costs proportional to actual change.
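As an added example (not Siriqo's code, and not a description of its implementation), the following Python sketches the pipeline described under "CVE enrichment pipeline" and "Exposure-aware prioritisation": it builds an OSV querybatch request for the SBOM components, pairs the results with NVD-style CVSS scores, KEV membership and EPSS probabilities, and sorts findings by network reachability before KEV, EPSS and CVSS. The component rows mirror the dashboard at the top of the page; the OSV response, scores and vulnerability IDs are constructed placeholders, the reachability labels and tier weights are assumptions, and the openssl purl is an assumed example.

```python
"""Exposure-aware CVE prioritisation: OSV batch query -> KEV/EPSS enrichment -> ranking.

Added example, not Siriqo's code. Every dataset below is constructed to mirror
the dashboard rows on this page; the vulnerability IDs are placeholders.
"""
from dataclasses import dataclass
import json

# One entry per SBOM component. "reach" is the network-graph context the scanner
# would supply; here it is assigned by hand (constructed, as is the openssl purl).
COMPONENTS = [
    {"name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "workload": "prod-api-vm", "reach": "internet"},
    {"name": "openssl", "purl": "pkg:deb/debian/openssl@1.1.1",
     "workload": "db-proxy-vm", "reach": "adjacent"},
    {"name": "requests", "purl": "pkg:pypi/requests@2.27.1",
     "workload": "gke-cluster-prod", "reach": "internal"},
    {"name": "moment", "purl": "pkg:npm/moment@2.29.1",
     "workload": "stg-web-vm", "reach": "internal"},
    {"name": "numpy", "purl": "pkg:pypi/numpy@1.21.0",
     "workload": "data-pipeline-vm", "reach": "internal"},
    {"name": "boto3", "purl": "pkg:pypi/boto3@1.20.0",
     "workload": "lambda-processor", "reach": "internal"},
]

# Constructed stand-in for an OSV /v1/querybatch response. OSV returns one
# result per query, in query order, carrying only id/modified per vuln; an
# empty object means no known vulnerabilities. Severity must be fetched separately.
OSV_RESPONSE = json.loads("""{"results": [
  {"vulns": [{"id": "CVE-0000-0001", "modified": "2024-01-01T00:00:00Z"}]},
  {"vulns": [{"id": "CVE-0000-0002", "modified": "2024-01-01T00:00:00Z"}]},
  {"vulns": [{"id": "CVE-0000-0003", "modified": "2024-01-01T00:00:00Z"}]},
  {"vulns": [{"id": "CVE-0000-0004", "modified": "2024-01-01T00:00:00Z"}]},
  {"vulns": [{"id": "CVE-0000-0005", "modified": "2024-01-01T00:00:00Z"}]},
  {}
]}""")

# Constructed NVD-style base scores, CISA KEV membership and EPSS probabilities.
NVD_CVSS = {"CVE-0000-0001": 10.0, "CVE-0000-0002": 9.8, "CVE-0000-0003": 6.1,
            "CVE-0000-0004": 7.5, "CVE-0000-0005": 5.3}
KEV = {"CVE-0000-0001"}
EPSS = {"CVE-0000-0001": 0.97, "CVE-0000-0002": 0.40, "CVE-0000-0003": 0.02,
        "CVE-0000-0004": 0.05, "CVE-0000-0005": 0.01}

# Assumed reachability tiers: internet-reachable beats a workload adjacent to a
# crown-jewel system, which beats anything reachable only from inside.
REACH_TIER = {"internet": 3, "adjacent": 2, "internal": 1, "isolated": 0}


@dataclass(frozen=True)
class Finding:
    component: str
    workload: str
    vuln_id: str
    cvss: float
    kev: bool
    epss: float
    reach: str

    def sort_key(self):
        # Exposure first, then "is it being exploited", then "how likely is it
        # to be", then severity. CVSS is the tie-breaker, not the driver.
        return (REACH_TIER[self.reach], self.kev, self.epss, self.cvss)


def build_osv_batch(components):
    """Build the body for POST https://api.osv.dev/v1/querybatch (purl form)."""
    return {"queries": [{"package": {"purl": c["purl"]}} for c in components]}


def enrich(components, osv_response, cvss, kev, epss):
    """Pair each OSV hit with its component and attach CVSS/KEV/EPSS context."""
    results = osv_response["results"]
    if len(results) != len(components):
        raise ValueError("OSV batch results must be in query order, one per query")
    findings = []
    for comp, result in zip(components, results):
        for vuln in result.get("vulns", []):
            vid = vuln["id"]
            findings.append(Finding(
                component=comp["name"], workload=comp["workload"], vuln_id=vid,
                cvss=cvss.get(vid, 0.0), kev=vid in kev, epss=epss.get(vid, 0.0),
                reach=comp["reach"]))
    return findings


def prioritise(components=COMPONENTS, osv_response=OSV_RESPONSE,
               cvss=NVD_CVSS, kev=KEV, epss=EPSS):
    """Return findings in fix-first order (highest sort_key first)."""
    return sorted(enrich(components, osv_response, cvss, kev, epss),
                  key=Finding.sort_key, reverse=True)


if __name__ == "__main__":
    print(json.dumps(build_osv_batch(COMPONENTS))[:80] + "...")
    for n, f in enumerate(prioritise(), 1):
        flag = " KEV" if f.kev else ""
        print(f"#{n} {f.component} on {f.workload} ({f.reach}) CVSS {f.cvss}{flag}")
```

Run as-is and the order matches the dashboard's priority queue: log4j-core first because it is internet-reachable and in KEV, openssl second on adjacency, and moment above requests on the same lower tier because EPSS breaks the tie before CVSS does; boto3 drops out because its OSV result is empty. A real pipeline would POST the `build_osv_batch` body to OSV and then fetch per-vulnerability detail from OSV or NVD, since the batch endpoint returns only IDs and modification timestamps.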