OurCVEs

Your security posture, on autopilot.

Hundreds of CVEs ship every week. Almost none of them are about you, until one is. Install our GitHub app on your repos and our sensor on your servers and we know exactly what you run everywhere, and exactly what's vulnerable.

Your coding agent and our MCP server help you switch on unattended upgrades, auto-merged dependency bumps, and scheduled reboots that clear the everyday CVEs on their own.

Then we monitor those automations to ensure that they are actually doing their job, and pull you in only when something drifts or a CVE genuinely needs a human.

How it works

Turn Your Coding Agent into a Security Consultant

CVEs and security newsletters aren't all that useful if you don't know what you're actually running. OurCVEs takes a full inventory of everything in your stack and makes it available to your coding agent via an MCP server.

Your agent, armed with our tools, will guide you through hardening every repository and server. It will help you set up industry-standard tools and best practices to automatically patch vulnerabilities as they arise and deploy those patches safely.

Once you are automating as much of your security posture as possible, we keep an eye on those automations to ensure that they are working as expected and are sufficient to keep you safe.

When something does need your attention, we notify you, and your coding agent can use our MCP server to help you get things back on track quickly.

01 · Install our GitHub App

Connect the repositories you ship from. We read your package manifests and lockfiles so we know which versions of which dependencies you actually use.

02 · Install our sensor on your servers

Install the OurCVEs sensor on the boxes you run in production so that we can match what is actually running on each server against advisories as they are published.

03 · Establish Your Posture

Our MCP server guides your coding agent through creating and implementing a plan to keep your entire ecosystem secure with as little ongoing attention from you as possible.

04 · We Watch Your Back

We monitor your automations to ensure that the plan is working. If your posture starts to slip or a serious, imminent threat requires your immediate attention, we let you know.

What the OurCVEs sensor is — and isn't
A read-only inventory reporter, not an AI agent.

The sensor is a small program that runs on the hosts you choose. Its only job is to enumerate the packages your operating system already knows are installed — the same data you would get from running dpkg, rpm, or your language's package manager — and report that inventory back to OurCVEs over HTTPS.

Once we have that inventory, we cross-reference it against the published CVE feeds and tell you when something you actually run is affected.

What it does
  • Reads the package databases your OS already maintains.
  • Sends a list of package names and versions to OurCVEs over outbound HTTPS.
  • Re-checks on a schedule so we notice when you upgrade or patch.
What it does not do
  • It does not contain an LLM and it does not "do" anything autonomously.
  • It does not execute code we send it. There is no remote-command channel.
  • It does not read your application source, environment variables, secrets, or user data.
  • It does not open any inbound ports. Communication is outbound HTTPS only.

You can uninstall it with the same one-liner that installed it. If you ever want to see exactly what it sends, every host has a "last report" view in your dashboard so you can audit the payload yourself.
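To make the sensor description concrete, here is an added example of a read-only inventory reporter of the kind described above. It is not the OurCVEs sensor's code: it parses a constructed excerpt in the format of dpkg's `/var/lib/dpkg/status`, builds the name/version payload that would be sent over outbound HTTPS (the network call itself is left out so the example runs offline), and cross-references that inventory against a constructed advisory feed. The feed's field names and the `EXAMPLE-ADV-*` ids are placeholders, and the version ordering is a simplified one that ignores dpkg's epoch and `~` rules.

```python
import json
import re
from typing import Dict, List

# Constructed excerpt in the format of /var/lib/dpkg/status (one stanza per package,
# separated by a blank line). Package names and versions are illustrative only.
SAMPLE_DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 3.0.2-0ubuntu1.10
Architecture: amd64

Package: libxml2
Status: install ok installed
Version: 2.9.13+dfsg-1ubuntu0.3
Architecture: amd64

Package: old-tool
Status: deinstall ok config-files
Version: 1.0-1
Architecture: all

Package: curl
Status: install ok installed
Version: 7.81.0-1ubuntu1.15
Architecture: amd64
"""

# Constructed advisory feed; the ids are placeholders, not real CVE numbers, and the
# field names are an assumption about how such a feed might be shaped.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "openssl", "fixed_in": "3.0.2-0ubuntu1.12"},
    {"id": "EXAMPLE-ADV-2", "package": "libxml2", "fixed_in": "2.9.13+dfsg-1ubuntu0.3"},
    {"id": "EXAMPLE-ADV-3", "package": "nginx", "fixed_in": "1.18.0-6ubuntu14.4"},
]


def parse_dpkg_status(text: str) -> List[Dict[str, str]]:
    """Return {name, version} for every package dpkg considers installed.

    Only the stanza fields are read; nothing outside the package database is touched."""
    inventory = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        # dpkg's Status field is "want flag status"; only "installed" counts as present,
        # so a removed package that left config files behind is not reported.
        if fields.get("Status", "").split()[-1:] == ["installed"]:
            inventory.append({"name": fields["Package"], "version": fields["Version"]})
    return sorted(inventory, key=lambda p: p["name"])


def build_report(host: str, status_text: str) -> dict:
    """The whole outbound payload: host name plus name/version pairs, nothing else."""
    return {"host": host, "packages": parse_dpkg_status(status_text)}


def _version_tokens(version: str) -> list:
    # "3.0.2-0ubuntu1.10" -> [3, 0, 2, 0, "ubuntu", 1, 10]; numeric runs compare as ints.
    # Sort key: numeric tokens rank above alphabetic ones, shorter prefixes rank lower.
    return [(1, int(t), "") if t.isdigit() else (0, 0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def version_lt(a: str, b: str) -> bool:
    """Simplified version ordering (ignores dpkg's epoch and '~' rules)."""
    return _version_tokens(a) < _version_tokens(b)


def match_advisories(report: dict, advisories: List[dict]) -> List[dict]:
    """Cross-reference the inventory against the feed: a package is affected when it is
    installed and its version is older than the advisory's fixed_in."""
    installed = {p["name"]: p["version"] for p in report["packages"]}
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is not None and version_lt(version, adv["fixed_in"]):
            findings.append({"id": adv["id"], "package": adv["package"],
                             "installed": version, "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    report = build_report("web-01.example", SAMPLE_DPKG_STATUS)
    print(json.dumps(report, indent=2))  # what a "last report" view would show
    for f in match_advisories(report, SAMPLE_ADVISORIES):
        print(f"{f['package']} {f['installed']} affected by {f['id']}, fixed in {f['fixed_in']}")
```

Run as a script it prints the JSON payload and then a single finding: openssl is older than the advisory's fixed version, libxml2 is already at the fixed version, and the nginx advisory is ignored because nginx is not installed. The point to audit in a real sensor is the shape of `build_report`: if the payload is only names and versions, a reader of the "last report" view can confirm that no source, environment or user data leaves the host.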

Day to day

We swallow the noise and give you the signal

Once we can see your whole stack, every new advisory gets sorted the moment it lands.

Handled on a schedule

The vast majority of identified vulnerabilities can be patched automatically using industry-standard tools like Dependabot and your server OS's automatic patch and reboot features. We make sure those automations are set up and working, and let them handle the bulk of the work.

No agent to run. No cron job to babysit.

unattended-upgrades · Dependabot auto-merge
Flagged for your attention

Occasionally, a severe vulnerability without an available patch might put your organization at immediate risk. Sometimes, one of your automations might break down and routine vulnerabilities start to linger longer than they should. When this happens, we send you an alert with a prompt to help your agent guide you to an immediate fix.

Not another inbox full of noise.

Critical · no fix yet · posture drift
Posture, not just patching

Declare your posture. We catch the drift.

Automations drift. Someone disables unattended upgrades to chase a bug, an OS slips past end-of-life, a box sits waiting on a reboot, Dependabot quietly stops merging. We continuously check what's actually running against the posture you declared and flag the moment something slips — that ongoing watch is the real work. And when you spin up a new server or repo, we nudge you to bring your agent back and put it under the same posture.

  • Auto-patching switched off
  • An OS gone end-of-life
  • A reboot left pending
  • Dependabot not keeping up
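The four drift conditions listed above are all observable from read-only facts. The following added example (not OurCVEs' own code) shows one way to evaluate them: a declared posture with thresholds, a record of what was observed on a host and the repo it ships from, and a check that returns one finding per slipped condition. The posture keys, the `HostFacts` fields, the apt configuration snippet and the two sample hosts are all constructed for this example; the `APT::Periodic::Unattended-Upgrade` setting is the real one apt reads from `/etc/apt/apt.conf.d/20auto-upgrades` on Debian-family systems.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Declared posture: what the fleet is supposed to look like. The keys and thresholds
# are assumptions made for this example, not OurCVEs' posture schema.
DECLARED_POSTURE = {
    "unattended_upgrades": True,        # auto-patching must be on
    "max_pending_reboot_days": 7,       # a required reboot may wait at most this long
    "max_dependabot_pr_age_days": 14,   # oldest open Dependabot PR may be at most this old
}


@dataclass
class HostFacts:
    """Observations a read-only sensor (plus the GitHub app, for the repo) can collect
    without executing anything on the host."""
    name: str
    apt_periodic_conf: str                     # contents of /etc/apt/apt.conf.d/20auto-upgrades
    reboot_required_since: Optional[date]      # mtime of /var/run/reboot-required, if present
    os_eol: date                               # end-of-life date of the installed release
    oldest_dependabot_pr_days: Optional[int]   # None when no Dependabot PR is open


def unattended_upgrades_enabled(conf: str) -> bool:
    # apt reads lines such as: APT::Periodic::Unattended-Upgrade "1";
    m = re.search(r'APT::Periodic::Unattended-Upgrade\s+"(\d+)"\s*;', conf)
    return m is not None and m.group(1) != "0"


def check_drift(host: HostFacts, posture: dict, today: date) -> List[str]:
    """Compare observed state with the declared posture; each string is one drift finding."""
    findings = []
    if posture["unattended_upgrades"] and not unattended_upgrades_enabled(host.apt_periodic_conf):
        findings.append(f"{host.name}: auto-patching switched off")
    if host.os_eol <= today:
        findings.append(f"{host.name}: OS end-of-life since {host.os_eol.isoformat()}")
    if host.reboot_required_since is not None:
        pending = (today - host.reboot_required_since).days
        if pending > posture["max_pending_reboot_days"]:
            findings.append(f"{host.name}: reboot pending for {pending} days")
    if (host.oldest_dependabot_pr_days is not None
            and host.oldest_dependabot_pr_days > posture["max_dependabot_pr_age_days"]):
        findings.append(f"{host.name}: Dependabot not keeping up "
                        f"(oldest open PR {host.oldest_dependabot_pr_days} days)")
    return findings


# Constructed hosts: one that matches the posture, one that has drifted on every check.
HEALTHY = HostFacts(
    name="web-01",
    apt_periodic_conf='APT::Periodic::Update-Package-Lists "1";\n'
                      'APT::Periodic::Unattended-Upgrade "1";\n',
    reboot_required_since=None,
    os_eol=date(2027, 4, 30),
    oldest_dependabot_pr_days=2,
)
DRIFTED = HostFacts(
    name="legacy-02",
    apt_periodic_conf='APT::Periodic::Unattended-Upgrade "0";\n',  # switched off to chase a bug
    reboot_required_since=date(2024, 5, 1),
    os_eol=date(2023, 4, 30),
    oldest_dependabot_pr_days=40,
)

if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed date so the output is reproducible
    for host in (HEALTHY, DRIFTED):
        for finding in check_drift(host, DECLARED_POSTURE, today) or [f"{host.name}: in posture"]:
            print(finding)
```

The check is deliberately stateless: it takes the observed facts and a date, so the same function can be run on every scheduled report and a finding that appears between two runs is exactly the "moment something slips" the text refers to. Thresholds live in the declared posture rather than in the code, which is what lets a team tune them to how they actually operate.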
Pricing

Open Source

Audit your whole fleet — public and private repos, up to 10 servers.

Free forever
  • OurCVEs MCP
  • Unlimited Seats
  • Monitor Your Public & Private Repos
  • Monitor up to 10 Servers
  • Priority Alerts

Team

Expert help getting set up, plus a human in the loop as you scale.

Billed annually: $83 / month ($1000 per year) · $1/server/month beyond 50
Billed monthly: $100 / month · includes a 1-hour onboarding call · $1/server/month beyond 50
  • Everything in Open Source
  • 1-hour onboarding call to skill up your team
  • Monitor up to 50 Servers ($1/server/month beyond)
  • A real person in the loop on your escalations
Custom

Have us do the work.

For organizations with no in-house security or DevOps team to skill up. We stand up your repos, servers, automations, and posture for you — and stay on as an ongoing engagement to keep hardening your security as your fleet grows.

  • Hands-on setup of your repos, servers, and automations
  • A declared posture, tuned to how you actually operate
  • Ongoing reviews to adapt as your fleet changes
  • A direct line to the Artisan Build team behind OurCVEs
Custom pricing
Scoped to your fleet and how much you want us to own
Who we are

Real people behind the agent.

OurCVEs is shipped by the small team at Artisan Build — a Delaware-based studio that had been writing Laravel for years before AI got cool. The agent does the grunt work; the people below decide what ships, answer your support emails, and own the calls that matter when an incident lands at 2am.

  • Ed Grosvenor, Co-Founder
  • Len Woodward, Co-Founder
  • Sarah Sibert, Web Developer
  • Justin Frey, Creative Director
  • Darius Radulescu, Intern
  • Peter Van Dijk, Advisor
The signal
CVE activity across ecosystems

Volume of CVEs published per week. Toggle ecosystems and time scale to explore peaks and trends.

[Interactive chart of weekly CVE counts, with range, scale and ecosystem toggles. Ecosystem totals shown: PHP / Composer 1,375 · JavaScript / npm 2,651 · System (OS packages) 24,074]
AI agent setup

Sign up without leaving your AI agent.

OurCVEs ships with an agentic onboarding workflow. Paste the prompt into Claude, Cursor, or any MCP-capable agent — it will read our setup guide at /llms.txt, send you a one-click magic link, and wire itself up to your team. After that you can ask "what are my current vulnerabilities?" right where you already work.

One browser visit (the magic link). Everything else stays in the agent.

Read the agent setup guide

Copy and paste
Read https://ourcves.com/llms.txt and onboard me to OurCVEs. Ask me for my name and email, then walk me through the magic-link confirmation and wire up the OurCVEs MCP server in this client.

Works with Claude Code, Cursor, Claude Desktop, and any agent that speaks MCP