Skip to content

Correlation & triage

Article 14 triggers when you become aware of an actively exploited vulnerability in your product. Correlation is what produces candidates for that awareness; triage is where a human turns a candidate into a recorded judgement.

Resilic correlates your normalized component inventory against three sources:

  • EUVD — ENISA’s European Vulnerability Database,
  • NVD — the NIST National Vulnerability Database,
  • CISA KEV — the Known Exploited Vulnerabilities catalogue, which supplies the actively exploited signal.

Each match is traced through your data: component → affected product versions → the deployments (customer, site) where those versions actually run. A vulnerability in software you never shipped, or shipped but never fielded, is visibly different from one sitting on a customer’s machine.

Match confidence — uncertainty is shown, never hidden

Section titled “Match confidence — uncertainty is shown, never hidden”

Version and identity matching from feed data is inherently imperfect, so every match carries a confidence:

  • Exact match — vendor/product and the exact component version match.
  • Strong match — vendor/product match; the version is compatible or the advisory names no version.
  • Needs review — the product matches but the version relationship is uncertain. These are included and flagged, never silently dropped — a missed trigger is the worse failure. The UI asks you to confirm the match affects your product before acting on it.

A correlation match is a signal that warrants review, not a legal determination that the Article 14 clock has started. That determination is yours.

When a new KEV-listed vulnerability matches a deployed product, Resilic raises an alert (and, if subscribed, an email — see notifications). The alert is framed exactly as what it is: an awareness trigger for you to assess, not an automatic reporting obligation.

For any correlated vulnerability you can request an AI triage: a grounded summary, a suggested action, and the sources it cites. The suggested actions are deliberately modest:

  • Monitor — low urgency, keep an eye on it.
  • Prioritise remediation — e.g. high severity with a version match.
  • Assess for Article 14 reporting — a human should assess whether this meets the reporting threshold. It does not declare that it does.

Each triage is badged AI-generated or Rule-based, and you close the loop by acknowledging or dismissing it — that decision, with its timestamp, is the recorded judgement. Triage never declares a reportable event and never starts a statutory clock; only a person can do that, in the reporting workflow.