Press ▶ Run above to build the certificate heatmaps.
Every plugin with “Certificate” in its name, ranked by distinct assets affected (live vulns query). Click a row to drill into the affected assets.
“I trust you” runs every tagging agent and auto-applies all proposed tags live (gated writes): Cert (failures + cert issues by plugin), IoT, MITRE, EOL, AI, Custom apps, Identity, and Scan-eval credential failures. ACR is never run. Ownership Assignment & Software need your input, so they're skipped.
| # | Status | Category | Value | Selector | Detail | Queued | Duration | Result |
|---|---|---|---|---|---|---|---|---|
| No tag jobs yet. Apply a tag from any agent and it appears here. | | | | | | | | |
Blank policy: risk-weighted top-N. e.g. IoT: "tag all IoT but not Dell or Intel - those are laptops"; Custom apps: "only /opt apps and jenkins matter".
The AI maps your instruction to ACR changes across the live tag list (navi explore info tags); preview them, then add them as contract rules below. No writes happen here; the contract applies them on its loop when armed. Falls back to a deterministic rule parser if on-device inference is unavailable.
When armed, the contract removes these tags first, forces a pause, runs navi update, then re-runs the tagging workflow. Add tags from the Tag removal page, or type them below.
Click Plan to preview what the contract would tag.
NSA's Commercial National Security Algorithm Suite 2.0 milestones; use them to frame remediation deadlines. Verify against the latest CNSA 2.0 guidance for your sector.
| By | Milestone |
|---|---|
| 2024 | NIST finalizes PQC standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA). |
| 2025 | CNSA 2.0: begin adoption; software & firmware signing should move to PQC (LMS/XMSS or ML-DSA). |
| 2027 | PQC support expected in new acquisitions; hybrid ML-KEM broadly enabled in browsers & servers. |
| 2030 | CNSA 2.0: PQC becomes the default for most National Security Systems; RSA/ECC deprecated for new systems. |
| 2033 | CNSA 2.0: exclusive use of PQC across NSS; classical RSA/ECC key-establishment & signatures disallowed. |
Turn a question into a read-only SQL query over navi.db / tags, e.g. "assets with a CISA KEV and ACR over 7", "KEV added in 2025 by hostname", "which assets already carry a CISA KEV tag". Review the SQL, then run it.
Ask anything across the whole of navi.db and the model writes the joins for you, e.g. "assets in the Production tag with the highest EPSS score" · "critical vulns with EPSS over 0.5 on cloud assets" · "hosts running OpenSSL that also have an expiring certificate". Two-step: it drafts the SQL with joins, you review/refine, then execute (read-only).
The tables present in your navi.db and how they join. The advanced search uses these keys automatically.
The agent reasons over the failing certs with this prompt to triage & explain. Edit to change how it thinks.
| Expiry | Tag value | IP | Host | Common name | Days | Status | |
|---|---|---|---|---|---|---|---|
| Type | Vendor | Product | IP | Host | Cert CN | Sig / key | Tag |
|---|---|---|---|---|---|---|---|
Agent 1 tags each IoT : <name> (ephemeral, remove=True). Approve to queue gated writes.
| IoT name | Vendor | Assets | Confidence | Status | |
|---|---|---|---|---|---|
Agent 3 asks: promote these auto-discovered plugins to the default detection registry? Approve = persist & reuse; Reject = remembered, never re-proposed.
| IoT name | Plugin | Assets | Prevalence | Decision |
|---|---|---|---|---|
Other assets sharing the expanded plugin signatures: possible IoT that Agent 1 missed. Inspect the matching plugin output to judge false positives, then tag the asset IoT:<name> (gated) or mark it a false positive.
| IoT name | IP | Host | Evidence | Decision | |
|---|---|---|---|---|---|
Describe what you want in plain English. The AI maps it to ACR changes across the live tag list; you preview every change before anything is written. (Uses on-device inference; falls back to a deterministic rule parser if unavailable.)
Live from navi explore info tags (not the tags table).
| Category | Value | Value UUID | |
|---|---|---|---|
| Source | Candidate | Evidence | Example | |
|---|---|---|---|---|
Describe the app in plain English (e.g. Tag my custom app navi). The agent finds the name and searches both vuln_route (app name) and vuln_paths (path), shows what it matched, and tags Custom App : <name> only after you confirm: paths via --query, routes via --route_id.
Each row = one Mitre : <impact/technique> applied to every asset whose findings cite that CVE. Approve, then apply.
| CVE | Tag value | Status | |
|---|---|---|---|
These are the crown-jewel assets behind the “MITRE techniques on assets (ACR > 7)” insight; click to drill in.
| Host | IP | ACR | Mapped CVEs |
|---|---|---|---|
Assets running AI/ML software. Click a host to drill in, or click the icon to open it in Tenable One. Use Tag to label them (rename the value first if you like).
| Host | IP | Role | AI software | Platform | |
|---|---|---|---|---|---|
Each identity maps to the asset(s) it was enumerated on. Tag labels those assets; the icon opens the asset in Tenable One.
| Identity | Class | Flags | Hosts | Assets | Plugins | Platform | |
|---|---|---|---|---|---|---|---|
Search navi.db assets by hostname, IP, OS or network. Click a host to open its full detail.
| Host | IP | OS | ACR | Platform |
|---|---|---|---|---|
| Search to load… (blank = first 200) | | | | |
Search findings by plugin name, plugin ID, CVE, or severity. Grouped by plugin; click to see affected assets.
| Plugin | Name | Severity | VPR | CVSS 3 | Assets |
|---|---|---|---|---|---|
Every distinct plugin in navi.db; search by ID, name, or family. Click to see affected assets + outputs.
| Plugin ID | Name | Family | Assets |
|---|---|---|---|
Application routes from navi.db (vuln_route); search by app name or type.
| App / route | Type | Total vulns | Plugins | |
|---|---|---|---|---|
Filesystem paths discovered on assets (vuln_paths); search by path text. Click a host to drill in.
| Path | Plugin | Host | IP | |
|---|---|---|---|---|
Click a plugin to see every asset it affects.
| Plugin | Name | Output | Last found |
|---|---|---|---|
| Common name | Organization | Expiry | Signature | Key |
|---|---|---|---|---|
Click an asset to see all of its findings and certificates.
| Host | IP | Scan output | Last found |
|---|---|---|---|
Where each job naturally lives. Legend: first-class · possible · not supported.
| Job | navi MCP | Tenable MCP | Recommended |
|---|---|---|---|
A plain-English question becomes one read-only SELECT over the software table, joined to assets / vulns. Note that software.asset_uuid is a list string, matched with LIKE, not equality. e.g. "openssl versions on assets with ACR over 8" · "products on hosts that have a critical CVE" · "most common software on cloud assets".
From navi.db tags → assets. Click a host to open its full detail.
| Host | IP | OS | ACR | Platform |
|---|---|---|---|---|