Research & methodology

How we score
and stop supply-chain risk.

CyberXYZ began as peer-reviewed research at Cork (CIT → MTU). This is the methodology behind the verdict: six detection signals, a cross-signal scorer, and the data that feeds them, across Java, JavaScript, Python, Go and .NET.

Data sources

Every public feed.
Plus the things nobody else has.

The brain reasons over 1.1 million vulnerability records, 14,000+ malware advisories and 6.6 million dependency edges, refreshed continuously from the public feeds and our own proprietary intel: behavioral baselines, maintainer drift, and 16 hand-curated attack campaigns mapped to MITRE ATT&CK.

Data fragmentation → unified intelligence

Scattered feeds.
One connected graph.

Vulnerability data is fragmented across dozens of feeds: different schemas, different IDs, different update cadences. We ingest them all, normalize into one unified schema, deduplicate, and build a live dependency graph with 6.6 million edges.

CVE / VULN FEEDS

1.1M records

  • NVD: 827K CVEs
  • OSV.dev: 210K records
  • GitHub GHSA: 73K advisories
  • JVN · MSRC · Red Hat · WPVulnDB: live
  • EPSS: absorbed

Refreshed daily via Cloud Run jobs. Dedup'd, semver-normalized, indexed for sub-100ms lookup.
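The normalize-and-deduplicate step described above, as an added example that is not CyberXYZ's pipeline code: three feeds (NVD, OSV, GHSA) each describe the same issue under their own schema and identifier, and a union-find over aliases collapses them into one unified record while a malware advisory with no alias stays separate. The sample records are constructed and abbreviated to the fields the example reads; the `Vuln` schema and the canonical-ID preference (CVE over GHSA over other) are assumptions.

```python
"""Unify NVD / OSV / GHSA records into one schema and deduplicate by alias.

Added illustration, not CyberXYZ's pipeline code. The feed records below are
constructed and abbreviated to the fields this example reads.
"""
from dataclasses import dataclass, field
from typing import Optional

# --- constructed sample records, each in its feed's native shape ------------
NVD_RECORDS = [
    {"cve": {"id": "CVE-2024-0001",
             "descriptions": [{"lang": "en", "value": "Prototype pollution in examplelib"}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]}}},
]
OSV_RECORDS = [
    {"id": "GHSA-xxxx-yyyy-zzzz", "aliases": ["CVE-2024-0001"],
     "summary": "Prototype pollution in examplelib",
     "affected": [{"package": {"ecosystem": "npm", "name": "examplelib"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "0"}, {"fixed": "2.1.0"}]}]}]},
    {"id": "MAL-2024-9999", "aliases": [],
     "summary": "Malicious code in evil-pkg (npm)",
     "affected": [{"package": {"ecosystem": "npm", "name": "evil-pkg"},
                   "versions": ["1.0.3"]}]},
]
GHSA_RECORDS = [
    {"ghsa_id": "GHSA-xxxx-yyyy-zzzz", "cve_id": "CVE-2024-0001",
     "summary": "Prototype pollution in examplelib", "severity": "high"},
]


@dataclass
class Vuln:
    """Unified record (assumed schema). `ids` holds every identifier for one issue."""
    ids: set = field(default_factory=set)
    summary: str = ""
    ecosystem: Optional[str] = None
    package: Optional[str] = None
    fixed: Optional[str] = None
    cvss: Optional[float] = None
    malware: bool = False
    sources: set = field(default_factory=set)

    @property
    def canonical(self) -> str:
        # Prefer a CVE id, then a GHSA id, then anything else (MAL-, PYSEC-, ...).
        return min(self.ids, key=lambda i: (not i.startswith("CVE-"),
                                            not i.startswith("GHSA-"), i))


def from_nvd(r: dict) -> Vuln:
    c = r["cve"]
    metrics = c.get("metrics", {}).get("cvssMetricV31", [])
    desc = next((d["value"] for d in c.get("descriptions", []) if d["lang"] == "en"), "")
    return Vuln(ids={c["id"]}, summary=desc,
                cvss=metrics[0]["cvssData"]["baseScore"] if metrics else None,
                sources={"NVD"})


def from_osv(r: dict) -> Vuln:
    aff = (r.get("affected") or [{}])[0]
    pkg = aff.get("package", {})
    fixed = next((ev["fixed"] for rng in aff.get("ranges", [])
                  for ev in rng.get("events", []) if "fixed" in ev), None)
    return Vuln(ids={r["id"], *r.get("aliases", [])}, summary=r.get("summary", ""),
                ecosystem=pkg.get("ecosystem"), package=pkg.get("name"), fixed=fixed,
                malware=r["id"].startswith("MAL-"), sources={"OSV"})


def from_ghsa(r: dict) -> Vuln:
    ids = {r["ghsa_id"]} | ({r["cve_id"]} if r.get("cve_id") else set())
    return Vuln(ids=ids, summary=r["summary"], sources={"GHSA"})


def dedupe(vulns: list) -> list:
    """Union-find over identifiers: records sharing an id, directly or
    transitively through aliases, collapse into one merged Vuln."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for v in vulns:
        first, *rest = sorted(v.ids)
        for other in rest:
            parent[find(other)] = find(first)
    merged = {}
    for v in vulns:
        m = merged.setdefault(find(next(iter(v.ids))), Vuln())
        m.ids |= v.ids
        m.sources |= v.sources
        m.malware |= v.malware
        # first feed to supply a field wins; later feeds only fill gaps
        for f in ("summary", "ecosystem", "package", "fixed", "cvss"):
            if getattr(m, f) in (None, "") and getattr(v, f) not in (None, ""):
                setattr(m, f, getattr(v, f))
    return list(merged.values())


def build_index() -> dict:
    """Ingest every feed and return {canonical_id: Vuln}."""
    raw = ([from_nvd(r) for r in NVD_RECORDS] + [from_osv(r) for r in OSV_RECORDS]
           + [from_ghsa(r) for r in GHSA_RECORDS])
    return {v.canonical: v for v in dedupe(raw)}


if __name__ == "__main__":
    for cid, v in build_index().items():
        print(cid, sorted(v.ids), sorted(v.sources), v.package, v.fixed, v.cvss, v.malware)
```

Four raw records become two: the CVE, GHSA and OSV entries for `examplelib` merge into one record that carries the NVD CVSS score and the OSV fixed version, and the `MAL-` advisory stays its own record with `malware=True`.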

MALWARE INTEL

14K+ packages

  • OSV MAL corpus: 14K+ entries
  • XYZ-verified attacks: 9 + growing
  • Attack campaigns mapped: 16 active
  • ExploitDB · Packet Storm: cross-ref'd
  • MITRE ATT&CK TTP tags: auto-applied

Coverage across npm, PyPI, Maven, NuGet. Synced after every OSV pull. The corpus CVSS doesn't see.

PROPRIETARY · XYZ ONLY

The unfair advantage

  • Behavioral baselines: Tier 1 + 2
  • Maintainer-set baselines: 14,937 pkgs
  • Version cadence model: live
  • Dependency graph: 6.6M edges
  • Tier-1 watcher: every 15 min

Built in-house. Updated continuously. The reason we catch axios@1.14.1 in 18 seconds and not 6 days.

Sources and ecosystems: NVD · GHSA · OSV · MSRC · ExploitDB · MITRE ATT&CK · FIRST / EPSS · Red Hat · Java · npm · PyPI · Maven · NuGet · Go · Cargo · RubyGems · Composer · Docker

Detection signals

Six signals.
One verdict.

Every package and every commit is evaluated against six independent signals. A cross-signal scorer fuses them into a single decision: allow, alert, quarantine or block.

[Diagram: six signal inputs (New dependency · Version jump · Known malware · GHSA / OSV · Commit-level · Vendor breach) feed the SCORER (fuse · weigh · decide), which emits one of ALLOW · ALERT · QUARANTINE · BLOCK]

The XYZ Risk Score

One number. Six dimensions.
Engineered for supply-chain reality.

We don't replace CVSS or EPSS. We absorb them, then add the four things they're missing: package centrality, behavioral drift, malware intel, and exploit availability. The result is a score you can act on.

XYZ Score = CVSS + EPSS + Centrality + Behavior + Malware Intel + Exploit Avail.

Same package, same day: axios@1.14.1, the day the maintainer was compromised.

  • CVSS only: 38 / 100 (severity in a vacuum)
  • EPSS only: 12 / 100 (no exploit signal yet)
  • XYZ Risk Score: 97 / 100 (ship-blocker · day-0)

CVSS shrugged. EPSS hadn't caught up. XYZ blocked it.

01 CVSS severity

The classic 0–10 base score. We keep it, but we never trust it alone.

02 EPSS probability

The 30-day exploitation forecast. Folded in as an exploit-likelihood input, not the verdict.

03 Package centrality

Monthly downloads, dependent count, GitHub stars, tier (1–4). A vuln in a Tier-1 package is 1000× more dangerous than the same vuln in a leaf.

04 Behavioral drift

Maintainer-set change, file-count drift > 30%, install-script appearance, ≥3-minor version jump. Catches compromise before any CVE is filed.

05 Malware intel

14,000+ MAL-* records (OSV MAL + 9 human-verified) + 16 attack campaigns mapped to MITRE ATT&CK TTPs. The corpus CVSS doesn't see.

06 Exploit availability

ExploitDB + Packet Storm + GitHub PoCs cross-referenced. If it's weaponized, the score knows.
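The four behavioral-drift rules under signal 04, run over two releases of one package, as an added example that is not CyberXYZ's detector. The registry-snapshot format, the signal names and the placement of the thresholds as constants are assumptions; the thresholds themselves (file-count drift above 30%, a jump of three or more minor versions) are the ones the page states. The snapshots are constructed: a routine patch release that should fire nothing, and a release with a new maintainer, a new `postinstall` hook, a file-count jump and a four-minor version jump.

```python
"""Behavioral-drift checks between two releases of the same package.

Added illustration, not CyberXYZ's detector. Snapshot format, signal names and
the handling of major bumps are assumptions; thresholds are from the page.
"""
import re

FILE_DRIFT_THRESHOLD = 0.30          # page rule: file-count drift > 30 %
MINOR_JUMP_THRESHOLD = 3             # page rule: >= 3-minor version jump
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # npm lifecycle hooks
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_semver(v: str):
    """Return (major, minor, patch); prerelease/build suffixes are ignored."""
    m = _SEMVER.match(v)
    if not m:
        raise ValueError(f"not semver: {v!r}")
    return tuple(int(x) for x in m.groups())


def drift_signals(prev: dict, curr: dict) -> list:
    """Return [(signal_name, detail), ...] for every rule that fires."""
    out = []
    # 1. maintainer-set change: any addition or removal is a signal
    added = set(curr["maintainers"]) - set(prev["maintainers"])
    removed = set(prev["maintainers"]) - set(curr["maintainers"])
    if added or removed:
        out.append(("maintainer_change",
                    f"added={sorted(added)} removed={sorted(removed)}"))
    # 2. file-count drift > 30 % in either direction (a shrink can hide a rewrite)
    if prev["file_count"] > 0:
        drift = abs(curr["file_count"] - prev["file_count"]) / prev["file_count"]
        if drift > FILE_DRIFT_THRESHOLD:
            out.append(("file_drift",
                        f"{prev['file_count']} -> {curr['file_count']} ({drift:.0%})"))
    # 3. install-script appearance: a lifecycle hook that was not there before
    new_hooks = [h for h in INSTALL_HOOKS
                 if h in curr.get("scripts", {}) and h not in prev.get("scripts", {})]
    if new_hooks:
        out.append(("install_script",
                    ", ".join(f"{h}={curr['scripts'][h]!r}" for h in new_hooks)))
    # 4. >= 3-minor jump within the same major. A major bump is not covered by
    #    this rule here (assumption; the page does not say how it is treated).
    pmaj, pmin, _ = parse_semver(prev["version"])
    cmaj, cmin, _ = parse_semver(curr["version"])
    if cmaj == pmaj and cmin - pmin >= MINOR_JUMP_THRESHOLD:
        out.append(("version_jump", f"{prev['version']} -> {curr['version']}"))
    return out


# constructed snapshots: the known-good baseline, a routine patch, a suspect release
BASELINE = {"version": "1.2.3", "maintainers": ["alice", "bob"],
            "file_count": 40, "scripts": {"test": "jest"}}
PATCH = {"version": "1.2.4", "maintainers": ["alice", "bob"],
         "file_count": 41, "scripts": {"test": "jest"}}
SUSPECT = {"version": "1.6.0", "maintainers": ["alice", "mallory"],
           "file_count": 61, "scripts": {"test": "jest", "postinstall": "node setup.js"}}

if __name__ == "__main__":
    for name, snap in (("patch", PATCH), ("suspect", SUSPECT)):
        print(name, drift_signals(BASELINE, snap))
```

None of these rules needs a CVE to exist: they compare a release against the package's own baseline, which is why the output is a list of signals for the scorer rather than a verdict on its own.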

Package centrality

Not all packages
are created equal.

A vulnerability in a Tier-1 package, one that millions of dependent packages pull in transitively, is a thousand times more dangerous than the same vulnerability in a leaf. We rank every package on the registry by downloads, dependent count, GitHub stars and graph centrality, and we feed that into every decision the brain makes.

Tier   Population                                Priority
T1     ~189 packages (critical infrastructure)   highest
T2     ~9.7K packages (heavy hitters)            high
T3     ~50K packages (established libraries)     standard
T4     ~3M packages (the long tail)              on-demand