
What is Basirah?

It's the vulnerability remediation platform we built when we got tired of watching 'remediated' tickets that hadn't actually fixed anything. Ingestion through to auditable evidence, nothing dropped. When Basirah marks a fix verified, it is because it re-scanned the asset, probed the API, or validated the control, not because it read a status field.

Execution intelligence
01/ 04

Bassistant proposes. You confirm.

Bassistant is the execution intelligence layer. It stays page-aware across the whole workflow, grounded in your findings, SLA clocks, verification outcomes, and evidence history. Ask 'what should we fix this week?' and it ranks by financial exposure, then cites the finding, risk score, or control behind every call. It drafts the remediation brief and proposes the next move. Nothing fires until an operator confirms.

  • Structured trigger context: it reads the finding, asset, and SLA state wherever you are.
  • Governed actions carry a full source trail. Preview the blast radius, route sensitive moves through approval.
  • Every proposal, confirmation, and action lands in the evidence package.
Prioritization
02/ 04

One queue that explains itself.

Basirah ranks work by exploit signals, business criticality, internet exposure, FAIR loss, SLA pressure, and exception status. Click any row and the trace tells you why it landed there.

  • Decision traces show KEV, EPSS, asset context, FAIR P95, SLA status, and exception state.
  • Remediation briefs require owner, change window, rollback note, validation method, and evidence checklist.
  • Risk acceptance stays time-bound, approved, and tied to compensating-control proof.
Fix Now Queue (5 active)

#     Finding                                                  FAIR loss   SLA
9132  CVE-2025-9132 — Postgres priv-esc on prod-db-east-2      P95 $1.4M   2d
9118  Tomcat 10.1.x — RCE via crafted multipart payload        P95 $820k   4d
9094  OpenSSH stale-session re-use on bastion-prod             P95 $310k   6d
9081  S3 bucket "exports-archive" — public ACL drift           P95 $290k   6d
9072  Stripe webhook secret rotated, 3 services still pinned   P95 $86k    9d
Risk quantification
03/ 04

Risk in dollars, not severity labels.

FAIR Monte Carlo gives you P50 and P95 annualised loss for every finding group. Drill into a single team or roll up to a board narrative. The financial clarity the audit committee expects.

  • What-if modelling forecasts the impact of remediation campaigns before you commit.
  • Side-by-side comparison: current exposure vs post-remediation projection.
  • Board-ready PDF export with executive summary and trend charts.
P95 · FAIR annualised loss¹: $2.4 M ↗ (now priced)
P50 · expected loss: $680 k ↗ (board-ready)
Forecast · top-10 campaign, post-remediation: −42 % ↘
Audit evidence
04/ 04

Auditors don't want screenshots. They want proof.

Your auditor receives a tamper-evident package — SHA-256 integrity hashes, checksum manifests, optional signed manifests for later verification. The timeline shows scan to sign-off in one read.

  • Managed deployments can use customer-controlled signing keys when enabled.
  • Control mappings for ISO 27001, SOC 2, NIST CSF, PCI DSS, NCA ECC, DORA, NIS2.
  • Attachment-safe ZIP and PDF exports with package, integrity, and delivery metadata.
Evidence package BAS-9132
  1. 08:14 Scan ingested qualys · run_2026_05_18
  2. 08:21 Owner assigned platform-data · sla 48h
  3. 09:02 Dispatched jira PROD-OPS-9132
  4. 11:47 Re-scanned independent · clean
  5. 11:48 Verified multi-scanner consensus
  6. 11:49 Signed sha-256 · 9a7f…be3d
Plus four more
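To make the "tamper-evident package" concrete, here is an added example (not Basirah's code) of the per-file SHA-256 manifest and the verification an auditor would run over it; the file names and JSON contents are constructed to mirror the timeline above, and a signed manifest would attach its signature to the `manifest_sha256` value.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample evidence package modelled on BAS-9132: one file per timeline event.
# File names and contents are invented for this example.
EVIDENCE: Dict[str, bytes] = {
    "01_scan_ingested.json": b'{"source": "qualys", "run": "run_2026_05_18"}',
    "02_owner_assigned.json": b'{"owner": "platform-data", "sla_hours": 48}',
    "03_dispatched.json": b'{"system": "jira", "ticket": "PROD-OPS-9132"}',
    "04_rescanned.json": b'{"method": "independent", "result": "clean"}',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Sorted keys and no whitespace: the digest must not depend on insertion order or formatting.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(package_id: str, files: Dict[str, bytes]) -> dict:
    """Per-file SHA-256 and size, plus one digest over the canonical manifest body.
    A signed manifest would sign manifest_sha256 so the list itself cannot be rewritten."""
    entries = {name: {"sha256": sha256_hex(data), "bytes": len(data)} for name, data in files.items()}
    return {"package": package_id, "files": entries, "manifest_sha256": sha256_hex(_canonical(entries))}


def verify_package(manifest: dict, files: Dict[str, bytes]) -> List[str]:
    """Return every problem found; an empty list means the package matches its manifest.
    Checks the manifest digest first, then each listed file, then files not in the list."""
    problems: List[str] = []
    if sha256_hex(_canonical(manifest["files"])) != manifest["manifest_sha256"]:
        problems.append("manifest digest mismatch (manifest edited)")
    for name, entry in manifest["files"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif sha256_hex(files[name]) != entry["sha256"]:
            problems.append(f"modified: {name}")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"unexpected: {name}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest("BAS-9132", EVIDENCE)
    print(json.dumps(manifest, indent=2))
    print("clean package problems:", verify_package(manifest, EVIDENCE))
```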

The work between the work.

01

Independent verification

Source re-scan, independent scanner evidence, API probe, manual attestation, control validation. Failed verification returns to remediation with the method, actor, and evidence gap recorded.

02

SLA enforcement

Severity-based deadlines from the active policy contract. Breach logging with root-cause fields, exception context recorded in the SLA history.

03

Idempotent dispatch

Native connectors for Jira, ServiceNow, and Azure DevOps. Deduplication on (CVE × asset × scanner) so retries never spawn duplicate tickets.

04

Compliance mapping

Posture scoring per framework with drill-down by control. Gap analysis highlights unaddressed controls with remediation guidance.

Notes

  1. Modelled (FAIR), sample finding set. Under 20% of programs quantify loss in dollars at all (Gartner). Basirah enforces your policy's SLA windows and verifies each fix.