New · Continuous Fix Verification

Fixed isn't fixed until proven fixed.

vmp.one is the vulnerability management platform that automatically re-tests every remediated finding — so regressions are caught in hours, not at the next quarterly scan.

SSO via Keycloak · Multi-tenant · Self-hosted or managed
verification.vmp.one — fleet (live)
Findings re-verified / wk: 3,412 (↑ 12% wk/wk)
Regressions caught: 27 this quarter
Avg. detection lag: 4.1h (p95: 11h)
Verification timeline · last 12 weeks (legend: re-verified, held, regression)
04:12 CVE-2024-3094 regressed on api-gateway — re-opened, paged on-call
03:48 Re-verifying 142 findings on cluster prod-eu-west-1
03:31 CVE-2023-44487 fix held on 14 services (since 2024-11-08)
The problem

"Closed" tickets lie.

Every vulnerability management platform on the market closes the loop when a ticket closes. Real environments don't work that way. Dependencies update, configs drift, code rolls back, infrastructure gets recreated — and yesterday's fix is today's open hole.

01 / 03
21,500+
New CVEs · H1 2025

A record-breaking pace. Your scanners surface them. Your engineers ship fixes. Then what?

02 / 03
18 yrs
regreSSHion silently regressed

CVE-2024-6387: an OpenSSH bug fixed in 2006 reappeared in 2020 via a refactor. By 2024 it was active in 14M servers. Nobody noticed.

03 / 03
5 → −1
Days to first exploit

In 2018 attackers needed 63 days. In 2024 exploitation routinely lands before the patch ships. A fix that quietly rolls back is a wide-open door.

Continuous Fix Verification

We don't trust "fixed." We verify it.

Every remediated finding gets re-tested automatically on a schedule you set. When a fix silently rolls back, you find out in hours. Not at the next quarterly scan. Not from a customer. Not from an attacker.

Without vmp.one
  1. Engineer ships a fix and closes the ticket.
  2. A dependency update silently reintroduces the CVE.
  3. Months pass. The finding sits in 'resolved.'
  4. Next quarterly scan flags it again — or an attacker finds it first.
With vmp.one
  1. Engineer ships a fix and closes the ticket.
  2. vmp.one re-runs the original check on schedule.
  3. A dependency update reintroduces the CVE — verification fails.
  4. Slack alert fires within hours. The fix re-opens automatically.

Re-test on your schedule

Daily, weekly, or after every CI/CD deploy. Configure per asset, per finding, per tenant.

Replay the original proof

Verification reuses the scanner, payload, and check that originally surfaced the finding — no false equivalence.

Regression alerts in real time

Slack, Teams, email, webhook. The engineer who closed the ticket hears about it before the auditor does.

Evidence trail per finding

Every re-test result is timestamped and signed into the audit log. Compliance reviewers stop asking for screenshots.

Platform

The orchestration layer your scanners are missing

Aggregate findings from any source, prioritize with real risk signal, route them to the right engineer, and verify the fix held. One platform, scanner-agnostic.

AGGREGATE

Continuous discovery

Pipe in any scanner — Nessus, Qualys, OpenVAS, Burp, Nuclei, Trivy, Snyk — or run the agent. Findings land in one timeline, not seven tabs.

TRIAGE

Risk-aware prioritization

Rank findings with CVSS, EPSS, exploit maturity, and asset context. Engineering works the top of the queue, not the loudest finding.

SCAN

Cloud posture & supply chain

AWS, Azure, GCP misconfiguration plus dependency analysis via Trivy and OWASP Dependency-Check — alongside traditional CVEs in the same view.

ROUTE

Incident response & SLA

Typed incident state machine, on-call rotations, GitHub PR check-runs, and Slack alerts the moment an SLA is at risk.

ASSIST

AI Copilot

Powered by Claude. Drafts remediation steps, explains findings to non-security stakeholders, and assembles compliance evidence from your tenant.

ISOLATE

Multi-tenant by design

Isolated data, per-tenant branding, Keycloak SSO out of the box. Built for service providers from day one — not bolted on.

How it works

Live in days. Verifying forever.

Step 01

Connect every source

Wire up your scanners, cloud accounts, and code repos. Findings start landing the same day — no quarterly snapshot, no spreadsheet export.

Step 02

Prioritize and route

Each finding is enriched with exploit data, asset context, and your SLA. Tickets land in Jira, ServiceNow, Linear, or GitHub with the right owner attached.

Step 03

Verify the fix held

Continuous Fix Verification re-runs the original check on schedule. Regression detected? The finding re-opens itself and your team gets paged.

Who it's for

Built for security teams and the firms they hire

One platform. Two operating models. Real multi-tenancy, not customer numbers in a column.

In-house

Security teams

Mid-market and critical-infrastructure teams stuck between a $150K ITSM-bolted platform and a stack of open-source tools held together with duct tape.

  • Aggregate every scanner you already pay for — no rip-and-replace
  • NIS2 and DORA evidence packs generated automatically
  • Air-gapped on-prem deployment available on Enterprise
Service providers

MSSPs, pentest firms, audit shops

Stop managing 5–50 client engagements in spreadsheets and shared drives. Run every client in its own isolated tenant, branded as yours.

  • Per-client tenant isolation with white-label branding
  • Hand clients read-only access to their own evidence trail
  • Continuous verification doubles as proof of ongoing service value
Why now

The ground just shifted under vuln management

Regulatory

Regulators stopped accepting "we ran a scan"

NIS2 (October 2024) mandates continuous vulnerability management for critical sectors. DORA (January 2025) puts financial entities on the hook for up to 2% of global turnover. Both require evidence the fix actually held — not just that a ticket closed.

Threat

Exploit windows collapsed

Time to first exploit fell from 63 days in 2018 to 5 days in 2023, and went negative in 2024 — exploitation now lands before patches ship. A regression you find next quarter is a regression an attacker found last week.

Market

The orchestration market just consolidated

April 2025: the leading scanner-agnostic orchestration platform was acquired by a scanner vendor. Thousands of customers are now shopping for a neutral alternative — one that isn't trying to sell them more scans.

Pricing

Priced to undercut the legacy stack

Annual plans, no per-scanner add-ons, no surprise asset overages. Continuous Fix Verification is included on every tier — including Starter.

Starter

For small teams running their first real vuln program.

$8K / year
Free 6-month pilot
  • Up to 500 assets, 5 users
  • 5 scanner integrations
  • Cloud SaaS deployment
  • Continuous Fix Verification
  • Compliance reports — ISO 27001, PCI DSS, HIPAA
  • Email support
Start free pilot
Most popular

Team

For active security teams and growing service providers.

$25–45K / year
Monthly billing available
  • Up to 2,500 assets, 25 users
  • Unlimited scanner integrations
  • Cloud SaaS or on-prem
  • Multi-tenant for MSSP workflows
  • AI Copilot and ROI dashboards
  • API access and full integration suite
  • Priority support
Request a demo

Enterprise

For critical infrastructure, regulated finance, and large MSSPs.

Custom
Typically $80K–$150K+ / yr
  • Unlimited assets and users
  • Air-gapped / on-prem deployment
  • Dedicated Customer Success Manager
  • Custom integrations and connectors
  • SOC 2 attestation, SSO/RBAC
  • 99.9% SLA guarantee
Contact sales
FAQ

Questions, answered

01 How does Continuous Fix Verification actually work?

When a finding is marked resolved, vmp.one schedules automated re-tests using the same scanner, payload, and check that originally surfaced it. You set the cadence — daily, weekly, or after every CI/CD deploy. If the check fails, the finding re-opens itself, the original assignee gets paged, and the regression is recorded in the audit log with a timestamp. No human in the loop unless something fails.
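To make the mechanism described above concrete (and the "With vmp.one" flow and the "Evidence trail per finding" section earlier on the page), here is an added, self-contained illustration of a re-verification loop. It is example code written for this page, not vmp.one's own implementation: the resolved finding keeps a reference to the check that originally surfaced it, the verifier replays that check, a failed replay re-opens the finding and raises an alert, and every result is appended to an audit log as a timestamped, HMAC-signed entry that can be checked for tampering. The package name `libexample`, its versions, the asset names, the signing key and the log fields are all constructed for the example.

```python
"""Added example of a continuous fix verification loop (not vmp.one's code).
Package names, versions, asset names, keys and log fields are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


def parse_version(v: str) -> tuple:
    """Turn a dotted version string into a comparable tuple, e.g. '1.4.2' -> (1, 4, 2)."""
    return tuple(int(part) for part in v.split("."))


def make_version_check(inventory: Dict[str, Dict[str, str]],
                       package: str, fixed_version: str) -> Callable[[str], bool]:
    """Build the 'original check' for a finding: returns True when the asset still
    runs a version of `package` older than `fixed_version` (i.e. still vulnerable).
    `inventory` stands in for what a scanner would observe on each asset (constructed)."""
    def check(asset: str) -> bool:
        installed = inventory.get(asset, {}).get(package)
        if installed is None:
            return False  # package absent: nothing to be vulnerable
        return parse_version(installed) < parse_version(fixed_version)
    return check


@dataclass
class Finding:
    finding_id: str
    asset: str
    assignee: str
    check: Callable[[str], bool]  # the same check is replayed on every verification
    status: str = "resolved"


@dataclass
class Verifier:
    signing_key: bytes
    audit_log: List[dict] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def _sign(self, body: dict) -> str:
        """HMAC-SHA256 over a canonical JSON encoding of the entry body."""
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()

    def reverify(self, finding: Finding, now: Optional[datetime] = None) -> dict:
        """Replay the finding's original check, record a signed audit entry, and
        re-open the finding (plus alert the assignee) if the fix has regressed."""
        still_vulnerable = finding.check(finding.asset)
        body = {
            "finding_id": finding.finding_id,
            "asset": finding.asset,
            "result": "regression" if still_vulnerable else "held",
            "checked_at": (now or datetime.now(timezone.utc)).isoformat(),
        }
        entry = dict(body, signature=self._sign(body))
        self.audit_log.append(entry)
        if still_vulnerable and finding.status == "resolved":
            finding.status = "open"
            self.alerts.append(
                f"{finding.finding_id} regressed on {finding.asset}; paging {finding.assignee}")
        return entry

    def verify_entry(self, entry: dict) -> bool:
        """Return True only if the entry's signature matches its current contents."""
        body = {k: v for k, v in entry.items() if k != "signature"}
        return hmac.compare_digest(self._sign(body), entry.get("signature", ""))


def demo() -> dict:
    """Walk through: fix holds on the first re-test, a dependency rollback
    reintroduces the vulnerable version, the second re-test catches it."""
    inventory = {"api-gateway": {"libexample": "1.4.2"}}  # constructed, patched state
    verifier = Verifier(signing_key=b"constructed-demo-signing-key")
    finding = Finding("VMP-0001", "api-gateway", "on-call-engineer",
                      make_version_check(inventory, "libexample", "1.4.2"))
    first = verifier.reverify(finding)                 # fix holds
    inventory["api-gateway"]["libexample"] = "1.3.9"   # silent rollback of the dependency
    second = verifier.reverify(finding)                # regression detected
    return {
        "results": [first["result"], second["result"]],
        "status": finding.status,
        "alerts": len(verifier.alerts),
        "log_intact": all(verifier.verify_entry(e) for e in verifier.audit_log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of signing each entry with a key the verifier holds is that a reviewer can later confirm the recorded result was not edited after the fact; `verify_entry` rejects an entry whose `result` or timestamp has been changed, which is the property an auditor is relying on when they accept a log instead of screenshots.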

02 How is vmp.one different from a scanner?

Scanners surface findings. vmp.one consolidates findings from many scanners, prioritizes them with risk context, routes them into your remediation workflow, and — uniquely — automatically verifies that the fix held weeks and months later. We are scanner-agnostic by design: we will never sell you a scan.

03 Can we self-host or run air-gapped?

Yes. vmp.one ships as Docker services and runs on a single server, your Kubernetes cluster, or fully air-gapped environments — available on Team (on-prem) and Enterprise (air-gapped) tiers. Cloud SaaS is the default. Many critical-infrastructure prospects and government customers run on-prem; we built for both from day one.

04 How does authentication work?

Keycloak is built in, with SSO via OIDC. Roles and tenants map cleanly onto your existing identity provider. SAML federation is on the near-term roadmap for enterprise customers.

05 Do you have a free trial?

Starter includes a free 6-month pilot. We onboard your environment, hand you a working setup, and only convert to paid when you say so. Team and Enterprise pilots are scoped during the demo.

06 Which scanners and ticketing tools do you integrate with?

Out of the box: Nessus, Qualys, OpenVAS, Burp Suite, Nuclei, Trivy, Snyk on the scanner side. Jira, ServiceNow, GitHub, GitLab, and Linear for ticketing. Slack, Teams, email, and webhooks for alerts. Splunk, Trellix, Elastic, and Sentinel for SIEM. Custom connectors typically ship in 1–2 weeks on request.

See it on your data

Find out which of your "fixed" findings aren't.

30 minutes. We connect to one scanner you already run, replay the last quarter of resolved findings, and show you what re-verification surfaces. No commitment.

  • 30-minute live walkthrough on your data
  • Pricing scoped to your environment
  • Free 6-month pilot on Starter

By submitting you agree to our privacy policy. We'll only use your info to follow up.