Paper under submission — IEEE TrustCom 2026 MIT License React 19 · Node 22 · AWS ECS Fargate
🛡️

PRAVAL

Progressive Recursive Agentic Vulnerability Assessment Lifecycle

A self-hostable agentic AI framework that runs enterprise vulnerability assessment as ten sequential, context-linked phases instead of ten disconnected tools — carrying structured findings from asset discovery through continuous monitoring as one coherent analytical process.

NIST SP 800-115 aligned CVSS v4.0 scoring CISA KEV integrated ContextGuard zero-trust
10
assessment phases
4
platforms compared
$0.165
per assessment
MIT
licensed
The problem

Fragmented tooling, no cross-phase reasoning

Discovery tools map assets. Scanners identify CVEs. Risk calculators apply CVSS scoring. Compliance dashboards generate reports. Each performs its function in isolation — none carries reasoning across the full assessment. Purpose-built agentic security platforms released in 2024–2026 are each confined to one or two phases with no cross-phase context continuity.

Coverage

Ten-phase lifecycle

Every canonical VA phase, addressed by one framework, each building on the last.

PHASE 01
Asset Discovery & Inventory
PHASE 02
Asset Classification
PHASE 03
Vulnerability Scanning
PHASE 04
Credentialed Probing
PHASE 05
Risk Prioritization
PHASE 06
Remediation Planning
PHASE 07
Mitigation Controls
PHASE 08
Risk Acceptance
PHASE 09
Reporting
PHASE 10
Continuous Monitoring
Core mechanism

Progressive context chaining

Each phase receives a semantic summary of prior findings as explicit context — not just a task description. Phase 5's composite risk score combines Phase 2 criticality classification, Phase 3 CVSS findings, and Phase 4 credential-exposure data:

Composite Risk = (CVSS × Asset Weight) × Threat Intelligence Factor

Asset Weight  → Critical = 2.0 · High = 1.5 · Medium = 1.0 · Low = 0.5
Threat Intel Factor → reflects CISA KEV (Known Exploited Vulnerabilities) catalog status
Design

Architecture

Backend proxy pattern — the Anthropic API key never reaches the browser.

🖥️ React 19 SPA
  • 10-phase console UI
  • Holds zero API credentials
  • Talks only to the backend proxy
🔐 Express 5 proxy
  • /api/messages — rate-limited 30 req/min/IP
  • ANTHROPIC_API_KEY from AWS Secrets Manager
  • ECS Fargate · private subnet · internal ALB
🤖 Anthropic API
  • api.anthropic.com
  • Reached only via outbound NAT Gateway
  • No public IP on the task, ever

Every outbound LLM call additionally passes through ContextGuard's zero-trust policy engine before submission.

Economics

Cost

$0.165
per 10-phase assessment (API)
$90–110
monthly AWS hosting
30/min
rate limit per source IP
0.25 vCPU
/ 512MB Fargate task
Evaluation

Feature comparison

Against four commercial agentic AI security platforms. Y = full support, P = partial, N = none, as documented at time of writing.

CapabilityPRAVALAardvarkHexa AIMazeBeagle
Asset DiscoveryYNPYN
Asset ClassificationYNNPN
Vulnerability ScanningYYYYY
Credentialed ProbingYNYYN
Risk PrioritizationYYYYP
Remediation PlanningYPPPN
Mitigation ControlsYNPNN
Risk AcceptanceYNNNN
ReportingYPYPP
Continuous MonitoringYNPPP
Context ChainingYNNNN
Compliance-AwareYNYNN
Self-HostableYNNNY
Scanner-FreeYNNNN
Learn more

Resources