From a CVE landing in a scanner to a signed compliance evidence unit — in one trace
Mythal is a fabric of twelve specialist agents, not one chatbot. Each agent has a narrow job, a typed contract, and a signed message bus. A single finding moves through 11 stages from ingest to evidence, with a hard policy gate between every agent decision and any side-effecting tool call. Every step is logged in the reasoning trace ledger — auditor and investor both read the same thing.
Stages of one finding
Stage 1 · 08:00 · INGEST · agent: Scanner Liaison
Qualys / Tenable / Wiz / Claroty pushes findings → Mythal normalizes
Mythal connects to each scanner via its REST API + webhook. Inbound payloads are deduplicated across scanners (same CVE on same asset from 3 scanners → 1 canonical finding), mapped into our canonical schema, and signed before persisting.
▸ INTEGRATIONS
Qualys VMDR
Tenable.io / Nessus
Rapid7 InsightVM
Wiz
Microsoft Defender VM
Claroty xDome (OT)
Nozomi Networks (OT)
Dragos (OT)
▸ FIELDS WE READ
• CVE
• asset hostname/IP/MAC
• OS + product + version
• CVSS v3/v4
• scanner-detection timestamp
• port/service exposure
• scanner asset_id (for round-trip)
▸ OUTPUT
canonical VulnerabilityFinding event
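The dedup-and-sign step described for this stage, as an added illustration (this is example code, not Mythal's implementation). The raw records are constructed sample payloads only loosely shaped like scanner exports; the canonical schema, the MAC-based asset key and the HMAC signing key are assumptions for the example, not details taken from the page.

```python
"""Normalize raw scanner findings into deduplicated, signed canonical findings.

Added illustration, not Mythal's code. The raw records below are constructed
sample payloads loosely shaped like scanner exports; the canonical schema and
field names are assumptions for this example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field, asdict

# Constructed sample: the same CVE on the same host reported by three scanners
# (with differing hostname/MAC formatting), plus one unrelated finding.
RAW_FINDINGS = [
    {"scanner": "qualys", "asset_id": "q-1001", "cve": "CVE-2024-0001",
     "hostname": "rtu-07.ot.example", "ip": "10.20.30.7", "mac": "00:11:22:33:44:55",
     "cvss": 9.8, "detected": "2025-03-01T08:00:00Z", "port": 443},
    {"scanner": "tenable", "asset_id": "t-55", "cve": "cve-2024-0001",
     "hostname": "RTU-07.ot.example", "ip": "10.20.30.7", "mac": "00-11-22-33-44-55",
     "cvss": 9.8, "detected": "2025-03-01T07:58:30Z", "port": 443},
    {"scanner": "wiz", "asset_id": "w-9", "cve": "CVE-2024-0001",
     "hostname": "rtu-07", "ip": "10.20.30.7", "mac": "001122334455",
     "cvss": 9.8, "detected": "2025-03-01T08:00:05Z", "port": None},
    {"scanner": "qualys", "asset_id": "q-1002", "cve": "CVE-2024-0002",
     "hostname": "hmi-01.ot.example", "ip": "10.20.30.8", "mac": "00:11:22:33:44:66",
     "cvss": 7.5, "detected": "2025-03-01T08:00:00Z", "port": 8080},
]

# Assumed bus signing key for the example; a real deployment would pull it from a KMS/HSM.
BUS_KEY = b"example-key-not-for-production"


def normalize_mac(mac: str) -> str:
    """Canonical MAC form: lowercase hex, colon-separated."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def asset_key(raw: dict) -> str:
    """Dedup key: the MAC identifies the asset even when scanners disagree on
    hostname form; fall back to the IP when no MAC was reported."""
    return normalize_mac(raw["mac"]) if raw.get("mac") else raw["ip"]


@dataclass
class VulnerabilityFinding:
    cve: str
    asset_key: str
    hostname: str
    ip: str
    cvss: float
    first_detected: str                          # earliest detection across scanners
    ports: list = field(default_factory=list)
    sources: dict = field(default_factory=dict)  # scanner -> asset_id, kept for round-trip
    signature: str = ""

    def canonical_bytes(self) -> bytes:
        body = asdict(self)
        body.pop("signature")
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def sign(self, key: bytes) -> None:
        self.signature = hmac.new(key, self.canonical_bytes(), hashlib.sha256).hexdigest()

    def verify(self, key: bytes) -> bool:
        expected = hmac.new(key, self.canonical_bytes(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, self.signature)


def ingest(raw_findings: list, key: bytes) -> list:
    """Fold raw findings into one canonical, signed finding per (CVE, asset)."""
    canon = {}
    for raw in raw_findings:
        cve = raw["cve"].upper()
        k = (cve, asset_key(raw))
        if k not in canon:
            canon[k] = VulnerabilityFinding(
                cve=cve, asset_key=k[1], hostname=raw["hostname"].lower(),
                ip=raw["ip"], cvss=float(raw["cvss"]), first_detected=raw["detected"])
        f = canon[k]
        f.first_detected = min(f.first_detected, raw["detected"])  # same ISO-8601 Z format sorts lexically
        f.cvss = max(f.cvss, float(raw["cvss"]))
        if raw.get("port") is not None and raw["port"] not in f.ports:
            f.ports.append(raw["port"])
        f.sources[raw["scanner"]] = raw["asset_id"]
    findings = list(canon.values())
    for f in findings:
        f.sign(key)   # sign before persisting, so downstream agents can check integrity
    return findings


if __name__ == "__main__":
    for f in ingest(RAW_FINDINGS, BUS_KEY):
        print(f.cve, f.asset_key, f.first_detected, sorted(f.sources), f.verify(BUS_KEY))
```

The three reports of the same CVE collapse into one finding that keeps every scanner's asset_id, so the Verifier stage can still ask the original scanner to rescan; any change to the canonical body after signing makes `verify()` return False.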
Stage 2 · 08:00 · ENRICH · agent: Threat Intel Aggregator
Pull KEV, EPSS, ransomware association from NVD / KEV / vendor PSIRTs
For each finding we hit NVD, CISA KEV, EUVD, vendor PSIRT feeds (Microsoft, Cisco, Siemens, Wabtec, Hitachi Rail, Alstom, Rockwell), GitHub Security Advisories, and ICS-CERT. KEV adds urgency; EPSS quantifies exploit probability; ransomware-actor lists flag in-the-wild (ITW) use.
▸ INTEGRATIONS
NVD API 2.0
CISA KEV (live)
EUVD
GitHub Security Advisories
ICS-CERT
Microsoft / Cisco / Siemens PSIRT
▸ FIELDS WE READ
• KEV listing date
• EPSS percentile
• CWE class
• ransomware-actor TTP correlation
• ATT&CK technique mapping
▸ OUTPUT
enriched finding · KEV flag · EPSS score · in-the-wild flag
Stage 3 · 08:01 · IMPACT · agent: Impact Analyst
Join finding to CMDB → business criticality, blast radius, exposure
Looks up the affected asset in the CMDB graph: is it internet-facing? Inside the industrial DMZ? Does it sit upstream of dispatch or PTC? Does it process regulated data? Outputs a BusinessImpactProfile with a 0–1 score.
▸ INTEGRATIONS
ServiceNow CMDB
Device42
BMC Helix
Mythal-native inventory
▸ FIELDS WE READ
• network exposure (internet / DMZ / OT)
• downstream dependency count
• data sensitivity tag
• asset criticality (Critical / High / Medium / Low)
• CCS flag (TSA Critical Cyber System)
▸ OUTPUT
BusinessImpactProfile · score · exposure tier
Stage 4 · 08:01 · CHANGE RISK · agent: Change Risk
Score deployment risk against historical change-failure rates
Looks at this asset class's historical change-failure rate, the patch's reliability score, the available maintenance windows, whether a canary peer exists. Outputs a ChangeRiskScore and recommended deployment window.
▸ INTEGRATIONS
ServiceNow Change
Jira
PagerDuty maintenance schedules
native Mythal change_windows
▸ FIELDS WE READ
• historical failure rate for asset class
• patch reliability score
• maintenance window calendar
• canary peer availability
• rollback feasibility
▸ OUTPUT
ChangeRiskScore · canary required Y/N · window recommendation
Stage 5 · 08:02 · PATCH LOOKUP · agent: Patch Hunter
Find the vendor fix · score reliability · stage rollback
Hits the vendor advisory page, security bulletin, and tested community sources. Returns the exact KB / package / firmware version that fixes the CVE. Each patch gets a PatchReliabilityScore (vendor source × deployment-population evidence × rollback feasibility).
▸ INTEGRATIONS
Microsoft Update Catalog
Cisco PSIRT advisories
Red Hat CVE pages
Siemens ProductCERT
vendor download endpoints
▸ FIELDS WE READ
• KB / package ID
• package version
• supersedes-chain
• rollback procedure
• known-issues list
• deployment-population telemetry
▸ OUTPUT
patch artifact reference · reliability 0–1 · rollback ready
Stage 6 · 08:02 · PLAN · agent: Remediation Planner
Synthesize the closed plan: ordered steps + approvals + rollback
Combines everything above into a concrete RemediationPlan: ordered steps, the tool to use for each (Ansible / SCCM / Tanium / Catalyst Center / Panorama / OT-native), the approval scopes required, blast radius, and a tested rollback. Auto-apply eligibility is evaluated against policy.
▸ INTEGRATIONS
OPA policy engine
tenant-specific approval matrix
▸ FIELDS WE READ
• policy bundle
• asset zone
• criticality matrix
• tenant approval rules
▸ OUTPUT
RemediationPlan (human-readable runbook + executable workflow)
Stage 7 · 08:03 · OT SAFETY GATE · agent: OT Safety Officer
If OT or CCS → veto direct patching → propose compensating controls
OT Safety Officer holds veto rights on any asset tagged OT or Critical Cyber System. By default it vetoes a direct firmware patch and instead deploys ACL tightening on the industrial firewall, IPS signatures and monitored isolation, then schedules the firmware update for the next maintenance window. Controls map to NIST 800-82r3 and IEC 62443.
▸ INTEGRATIONS
Palo Alto Panorama
Cisco Firepower
Fortinet FortiManager
industrial IPS (Claroty CTD, Nozomi Guardian)
▸ FIELDS WE READ
• asset OT zone
• CCS tag
• PTC/CTC role
• next maintenance window
▸ OUTPUT
OT safety review · veto/allow · compensating controls list
Stage 8 · 08:04 · APPROVAL · agent: Policy gate (humans)
Security approver and (for OT) OT Operations sign in dual-key
The approval workflow runs OPA against the plan. IT plans rated Medium or below that qualify for auto-apply involve no humans. Everything else requires explicit sign-off. OT and CCS plans always need dual approval (security + ot_operations), and the approval signatures are HMAC-stored alongside the plan.
▸ INTEGRATIONS
Okta / Auth0 / Keycloak
SAML SSO
OPA bundles
▸ FIELDS WE READ
• approver role
• OPA policy decision
• tenant approval matrix
• maintenance window open
▸ OUTPUT
signed approval · plan status → APPROVED
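The decision logic of stages 6 through 8 (auto-apply eligibility, the OT Safety Officer's default veto, and dual-key approval with HMAC-stored signatures), as an added example that is not Mythal's code and not an OPA bundle. The rules are written in plain Python as a stand-in for the policy engine; the role names, plan fields, the AUTO_APPROVED and VETOED statuses and the signing key are assumptions made for this example (AWAITING_APPROVAL and APPROVED are the statuses the page itself names).

```python
"""Policy gate for a RemediationPlan: auto-apply, OT veto, dual-key approval.

Added illustration, not Mythal's code and not an OPA policy. Role names, plan
fields, the extra statuses and the signing key are assumptions for this example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumed key for the example; a real deployment would hold this in a KMS/HSM.
SIGNING_KEY = b"example-approval-key-not-for-production"

IT_AUTO_APPLY_CRITICALITIES = {"Low", "Medium"}   # "IT Medium-or-below auto-apply"


@dataclass
class RemediationPlan:
    plan_id: str
    asset_zone: str          # "IT" or "OT"
    criticality: str         # Critical / High / Medium / Low
    ccs: bool                # TSA Critical Cyber System tag
    action: str              # "direct_patch" or "compensating_controls"
    approvals: list = field(default_factory=list)   # HMAC-signed approvals stored with the plan

    def required_roles(self) -> set:
        """Which human approvals the policy demands; empty set means auto-apply."""
        if self.asset_zone == "OT" or self.ccs:
            return {"security", "ot_operations"}    # dual-key, always
        if self.criticality in IT_AUTO_APPLY_CRITICALITIES:
            return set()
        return {"security"}


def ot_safety_review(plan: RemediationPlan) -> dict:
    """OT Safety Officer: default veto on direct firmware patching of OT/CCS
    assets, proposing compensating controls and deferring the patch."""
    if (plan.asset_zone == "OT" or plan.ccs) and plan.action == "direct_patch":
        return {"decision": "veto",
                "controls": ["acl_tighten", "ips_signature", "monitored_isolation"],
                "defer_patch_to": "next_maintenance_window"}
    return {"decision": "allow", "controls": []}


def _approval_payload(plan_id: str, role: str, approver: str) -> bytes:
    # Canonical JSON so the same approval always hashes the same way.
    return json.dumps({"plan_id": plan_id, "role": role, "approver": approver},
                      sort_keys=True).encode()


def approve(plan: RemediationPlan, role: str, approver: str, key: bytes = SIGNING_KEY) -> str:
    """Record an HMAC-signed approval; refuse roles the plan does not require."""
    if role not in plan.required_roles():
        raise PermissionError(f"role {role!r} is not an approver for {plan.plan_id}")
    sig = hmac.new(key, _approval_payload(plan.plan_id, role, approver), hashlib.sha256).hexdigest()
    plan.approvals.append({"role": role, "approver": approver, "sig": sig})
    return sig


def gate(plan: RemediationPlan, key: bytes = SIGNING_KEY) -> str:
    """Status the gate sets: VETOED, AUTO_APPROVED, APPROVED or AWAITING_APPROVAL."""
    if ot_safety_review(plan)["decision"] == "veto":
        return "VETOED"                  # plan must be reissued as compensating controls
    needed = plan.required_roles()
    if not needed:
        return "AUTO_APPROVED"
    valid_roles = set()
    for a in plan.approvals:             # only approvals whose HMAC still checks out count
        expected = hmac.new(key, _approval_payload(plan.plan_id, a["role"], a["approver"]),
                            hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, a["sig"]):
            valid_roles.add(a["role"])
    return "APPROVED" if needed <= valid_roles else "AWAITING_APPROVAL"


if __name__ == "__main__":
    rtu = RemediationPlan("p-demo", "OT", "High", True, "direct_patch")
    print(gate(rtu), ot_safety_review(rtu)["controls"])          # VETOED, compensating controls
    rtu.action = "compensating_controls"
    approve(rtu, "security", "alice")
    print(gate(rtu))                                             # AWAITING_APPROVAL (one key of two)
    approve(rtu, "ot_operations", "bob")
    print(gate(rtu))                                             # APPROVED
```

Because each approval is recomputed from the plan id, role and approver on every gate evaluation, editing a stored approval record (or replaying one onto a different plan) silently drops it from the count and the plan falls back to AWAITING_APPROVAL instead of executing.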
Stage 9 · 08:05 · EXECUTE · agent: Executor
Apply via Tanium / SCCM / Ansible / Catalyst Center / Panorama / OT-native
The Executor agent dispatches each step through the appropriate patch tool: IT Windows is usually Tanium or SCCM, Linux usually Ansible, network gear Catalyst Center or Panorama, and OT firmware vendor-native tooling inside a maintenance window only. Every action is logged with a signed result.
▸ INTEGRATIONS
Ansible / Ansible Tower
Microsoft SCCM + Intune
Tanium
IBM BigFix
Puppet / Chef
Cisco Catalyst Center
Palo Alto Panorama
Microsoft Entra
AWS Systems Manager
Azure Arc
OT-native (RUGGEDCOM Explorer, Wabtec Patch Suite, GE Predix)
▸ FIELDS WE READ
• plan steps
• target asset connection details
• patch artifact location
▸ OUTPUT
Execution records · success/failed/rolled-back · per-step
Stage 10 · 08:08 · VERIFY · agent: Verifier
Re-scan · health check · exploit re-test → confirm or rollback
Verifier triggers a fresh scan via the scanner used in step 1, confirms the patch landed and the CVE is no longer detected, runs a health check on the asset, and where a safe exploit re-test exists, runs it to confirm the path is now blocked. If any check fails, Verifier triggers rollback and escalates.
▸ INTEGRATIONS
Qualys VMDR (rescan)
Tenable.io (rescan)
Microsoft Defender (rescan)
asset health agents
▸ FIELDS WE READ
• post-patch scan result
• service health probes
• exploit re-test outcome
▸ OUTPUT
Verification record · rescan clean Y/N · health Y/N · plan → CLOSED or → ROLLED_BACK
Stage 11 · 08:08 · EVIDENCE · agent: Compliance Reporter
Pin evidence to TSA SD 1580-21-01 / NIST CSF 2.0 / IEC 62443 controls
Every closed plan emits compliance evidence units tagged to the relevant framework controls: TSA SD 1580-21-01 for Class I rail, NIST 800-82r3 for ICS, IEC 62443 for industrial cybersecurity. An auditor-ready PDF is generated on demand, control by control.
▸ INTEGRATIONS
TSA SD 1580-21-01 control library
NIST CSF 2.0
NIST 800-82r3
IEC 62443
SOX
HIPAA
PCI
▸ FIELDS WE READ
• plan trace_id
• approval signatures
• execution + verification records
• control mapping table
▸ OUTPUT
ComplianceEvidence records · auditor PDF (<60s)
What this looks like in your console
- Open Command Center → click Run Scenario C (Siemens RTU OT veto).
- Switch to Plans → click any AWAITING_APPROVAL card.
- On the plan detail page, click Approve as security → the page reloads showing the EXECUTION TIMELINE: which tool ran, what step, what result, verifier rescan, signed.
- Jump to Compliance → export TSA SD 1580-21-01 PDF in under 60s with this plan's evidence embedded.