Correlation & triage
Article 14 triggers when you become aware of an actively exploited vulnerability in your product. Correlation is what produces candidates for that awareness; triage is where a human turns a candidate into a recorded judgement.
Where matches come from
Section titled “Where matches come from”Resilic correlates your normalized component inventory against three sources:
- EUVD — ENISA’s European Vulnerability Database,
- NVD — the NIST National Vulnerability Database,
- CISA KEV — the Known Exploited Vulnerabilities catalogue, which supplies the actively exploited signal.
Each match is traced through your data: component → affected product versions → the deployments (customer, site) where those versions actually run. A vulnerability in software you never shipped, or shipped but never fielded, is visibly different from one sitting on a customer’s machine.
Match confidence — uncertainty is shown, never hidden
Section titled “Match confidence — uncertainty is shown, never hidden”Version and identity matching from feed data is inherently imperfect, so every match carries a confidence:
- Exact match — vendor/product and the exact component version match.
- Strong match — vendor/product match; the version is compatible or the advisory names no version.
- Needs review — the product matches but the version relationship is uncertain. These are included and flagged, never silently dropped — a missed trigger is the worse failure. The UI asks you to confirm the match affects your product before acting on it.
A correlation match is a signal that warrants review, not a legal determination that the Article 14 clock has started. That determination is yours.
Exploited-match alerts
Section titled “Exploited-match alerts”When a new KEV-listed vulnerability matches a deployed product, Resilic raises an alert (and, if subscribed, an email — see notifications). The alert is framed exactly as what it is: an awareness trigger for you to assess, not an automatic reporting obligation.
AI triage — a suggestion you decide on
Section titled “AI triage — a suggestion you decide on”For any correlated vulnerability you can request an AI triage: a grounded summary, a suggested action, and the sources it cites. The suggested actions are deliberately modest:
- Monitor — low urgency, keep an eye on it.
- Prioritise remediation — e.g. high severity with a version match.
- Assess for Article 14 reporting — a human should assess whether this meets the reporting threshold. It does not declare that it does.
Each triage is badged AI-generated or Rule-based, and you close the loop by acknowledging or dismissing it — that decision, with its timestamp, is the recorded judgement. Triage never declares a reportable event and never starts a statutory clock; only a person can do that, in the reporting workflow.