Evidence-Based Detection: A Finding Is a Claim That Needs Proof
If a tool can't show you how it reached a conclusion, you can't defend it to an auditor, a developer, or an executive. Every Argus finding carries its evidence.
A vulnerability finding is a claim about your environment: "this host runs this software at this version, and this CVE applies." Like any claim, it's only as good as the evidence behind it. Yet most tools present findings as bare assertions — a CVE, a severity, no provenance. When someone pushes back, you have nothing to show.
What evidence looks like
For every finding, Argus records and surfaces the chain of reasoning:
- The raw observation — the banner it read, the headers it saw, the behaviour it measured.
- The version it attributed, and how confident it is in that attribution.
- The CPE it bound the software to.
- The CVE's version range, and whether your version falls inside it.
- The threat-intel signals (KEV, EPSS, exploit availability) that shaped the priority.
When it can't be sure, it says so. An honest "medium confidence" beats a confident guess every time.
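The evidence chain listed above can be made concrete with a short sketch, added here as an illustration and not Argus's own code. The product `exampled`, the vendor name, the advisory record, the placeholder CVE id and the confidence heuristic are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed advisory record; the CVE id is a placeholder, not a real identifier.
ADVISORY = {"cve": "CVE-0000-00000", "product": "exampled",
            "start_incl": "2.0.0", "end_excl": "2.4.3",
            "kev": False, "epss": 0.12, "exploit_public": True}

def vtuple(v):
    """Turn '2.10.0' into (2, 10, 0) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Finding:
    claim: str
    confidence: str
    evidence: list  # ordered (step, detail) pairs: the chain of reasoning

def evaluate(banner, advisory=ADVISORY):
    """Return a Finding that carries every reasoning step, or None if no claim holds."""
    ev = [("observation", banner)]
    m = re.match(r"Server:\s*([A-Za-z_-]+)(?:/(\d+(?:\.\d+)*))?", banner)
    if not m or m.group(1).lower() != advisory["product"]:
        return None
    product, version = m.group(1).lower(), m.group(2)
    if version is None:
        # Product seen but no version disclosed: state the uncertainty, do not guess.
        ev.append(("version", "not disclosed by banner"))
        return Finding(f"{advisory['cve']} may apply to {product}", "low", ev)
    # Assumed heuristic: a full x.y.z string is a stronger attribution than x.y.
    confidence = "high" if version.count(".") >= 2 else "medium"
    ev.append(("version", f"{version} from banner ({confidence} confidence)"))
    ev.append(("cpe", f"cpe:2.3:a:examplevendor:{product}:{version}:*:*:*:*:*:*:*"))
    lo, hi = advisory["start_incl"], advisory["end_excl"]
    in_range = vtuple(lo) <= vtuple(version) < vtuple(hi)
    ev.append(("range", f"{lo} <= {version} < {hi}: {in_range}"))
    if not in_range:
        return None  # deterministic range check failed, so no finding is raised
    ev.append(("intel", {k: advisory[k] for k in ("kev", "epss", "exploit_public")}))
    return Finding(f"{advisory['cve']} applies to {product} {version}", confidence, ev)

if __name__ == "__main__":
    # Constructed banners: in range, out of range (2.10 > 2.4), truncated, no version.
    for b in ("Server: exampled/2.4.1", "Server: exampled/2.10.0",
              "Server: exampled/2.4", "Server: exampled"):
        print(b, "->", evaluate(b))
```

Version 2.10.0 is correctly excluded here; a plain string comparison would have placed it below 2.4.3 and raised a false finding.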
Where AI fits — and where it doesn't
Argus uses AI for what AI is good at: identifying software from messy signals and reviewing whether a match is plausible in context. It does not let the model invent findings. Every conclusion is anchored to deterministic, version-range-aware matching and shown with its evidence and confidence. The AI assists identification and relevance review; it is never the basis for a claim.
Why it matters beyond accuracy
Evidence is what makes a finding actionable and defensible. A developer can see exactly why their service was flagged. An auditor can trace the reasoning for a SOC 2 or PCI readiness review. Leadership gets a risk picture they can trust. That's the line between an intelligence platform and a scanner that guesses.
Argus discovers your assets, correlates threat intelligence, and shows the evidence behind every finding.