Compliance monitoring · Production

NVIDIA Agent Morpheus uses generative AI agents and RAG to analyze CVEs at enterprise scale

The problem

The number of reported CVEs hit a record high in 2022, with over two hundred thousand cumulative vulnerabilities by end of 2023, making traditional scanning and patching unmanageable at enterprise scale. Investigating each CVE to determine whether it is actually exploitable is a manual, tedious, and time-consuming process.

First attempt

Requiring a package-version bump for every detected CVE is unrealistic at enterprise scale because dependency chains often make upgrades infeasible and fixed versions are not always available from maintainers.

Workflow diagram · grounded in source
1
Container upload triggers workflow
trigger
“The process is triggered from a container upload event that occurs whenever a new container is pushed to the registry by a user.”
2
Traditional CVE scan
integration
“When the container is uploaded, it is immediately scanned using a traditional CVE scanner such as Anchore. The results of this scan are passed to the Agent Morpheus service.”
3
RAG intelligence retrieval
ai_action
“The workflow is connected to multiple vulnerability databases and threat intelligence sources, as well as assets and data related to the specific software project such as source code, software bill of materials (SBOMs), documentation, an…”
4
LLM generates exploitability checklist
ai_action
“This information is added to the prompt of an LLM LoRA fine-tuned for the specific task of making a unique plan or checklist that can determine if the CVE is exploitable.”
5
AI agent executes checklist
ai_action
“The checklist items are passed to an AI agent that retrieves the necessary information and performs the tasks autonomously.”
6
Summary and CVE classification output
output
“The Agent Morpheus models and agents are run, generating a final summary and classification for each CVE.”
7
Security analyst reviews findings
human_review
“Analysts review the original container scan report, improved summary, and justification from Agent Morpheus and make a final recommendation for each CVE.”
8
Peer review and VEX publication
output
“The recommendation is sent for peer review. Any changes that must be made are returned to the analyst. After the VEX document has completed peer review, the final document is published and distributed with the container.”
9
Analyst feedback retrains models
feedback_loop
“Any changes in the summary or exemptions from the analyst are compiled into a new training dataset, which is used to continually retrain the models and automatically improve the system using the analyst's output.”
Reported outcome

Agent Morpheus reduces vulnerability triage time from hours or days to seconds; parallel execution delivers a 9.3x speedup, processing 20 CVEs in 304.72 seconds versus 2842.35 seconds serially.
The human analyst is engaged only when sufficient information is available for a decision.

Reported metrics
Vulnerability triage timehours or days to seconds
Parallel processing speedup9.3x
serial processing time for 20 CVEs2842.35 seconds
parallel processing time for 20 CVEs304.72 seconds
Show all 6 reported metrics
vulnerability triage timehours or days to seconds
parallel processing speedup9.3x
serial processing time for 20 CVEs2842.35 seconds
parallel processing time for 20 CVEs304.72 seconds
LLM queries per CVEabout 41
cumulative CVEs reportedover two hundred thousand
Reported stack
Agent MorpheusNVIDIA NIMLlama3MorpheusAnchore
Source
https://developer.nvidia.com/blog/applying-generative-ai-for-cve-analysis-at-an-enterprise-scale/
Read source ↗

Frequently asked questions

What did this team achieve with this AI workflow?

Agent Morpheus reduces vulnerability triage time from hours or days to seconds; parallel execution delivers a 9.3x speedup, processing 20 CVEs in 304.72 seconds versus 2842.35 seconds serially.

What tools did this team use?

Agent Morpheus, NVIDIA NIM, Llama3, Morpheus, Anchore.

What results were reported?

Vulnerability triage time: hours or days to seconds; Parallel processing speedup: 9.3x; serial processing time for 20 CVEs: 2842.35 seconds; parallel processing time for 20 CVEs: 304.72 seconds (source-reported, not independently verified).

What failed first in this deployment?

Requiring a package-version bump for every detected CVE is unrealistic at enterprise scale because dependency chains often make upgrades infeasible and fixed versions are not always available from maintainers.

How is this compliance monitoring AI workflow structured?

Container upload triggers workflow → Traditional CVE scan → RAG intelligence retrieval → LLM generates exploitability checklist → AI agent executes checklist → Summary and CVE classification output → Security analyst reviews findings → Peer review and VEX publication → Analyst feedback retrains models.