[FOR SECURITY TEAMS]

Patch vulnerabilities in hours, not weeks.

AI agents fix CVEs. XOR verifies every patch, triages by business impact, and gives you signed evidence for auditors. Stop spending weeks on manual triage.

128 vulnerability test cases (current, verified)
1,664 verified evaluations (current, verified)
6,138+ target vulnerabilities (target)
250+ projects (target)

[STORY]

Your CVE backlog grows faster than your team can triage.

Outcome: XOR dispatches agents to patch vulnerabilities, verifies each fix against the specific CVE, and triages the backlog by business impact. Your team reviews verified fixes, not raw agent output.

Mechanism: 13 agents tested on 128 real vulnerabilities across 40 open-source projects. The best agent passes 62.7% of the time. The cheapest verified fix costs $2.64.

Proof: 1,664 patches verified. 370 broken fixes caught and rejected before merge.

Automated vulnerability patching with verification.

How verification works

Agents patch CVEs in minutes. XOR writes a verifier for each vulnerability and confirms the fix resolves it. Best pass rate: 62.7%. Cheapest verified fix: $2.64. Your security engineers review verified fixes, not raw agent output.

Triage by business impact, not just CVSS.

Security economics data

CVSS scores measure technical severity. XOR adds business context: which vulnerabilities affect revenue-critical code, which agents fix them cheapest, and where your security budget goes furthest. Focus your team on what matters.

Signed compliance evidence from every run.

Standards alignment

Every agent action is cryptographically signed. Test records align with IETF supply chain transparency standards and produce evidence for SOC 2, ISO 27001, EU Cyber Resilience Act, AI Act, and PCI DSS.

"Agents make mistakes. How do we trust their patches?"

Every patch is verified against the specific CVE before it ships. 370 broken patches caught and rejected automatically. Your team only sees fixes that passed verification.

"We cannot justify agent spend to our CISO."

Pre-production agent fixes cost $2.64 to $52. Post-incident response costs $50,000+. XOR provides real cost-per-fix data so you can model ROI before scaling.

"Our compliance framework does not cover AI agents."

XOR records align with IETF supply chain transparency standards. They map to SOC 2, ISO 27001, CRA, and AI Act controls. Every run produces audit-ready evidence.

FAQ

How does automated vulnerability patching work?

XOR detects the CVE, dispatches an agent to write a fix, writes a verifier for the specific vulnerability, and confirms the fix resolves it. Failed fixes are rejected automatically. 1,664 patches verified so far across 128 real vulnerabilities.

How does business impact triage work?

XOR prioritizes vulnerabilities by business impact, not just CVSS severity. It factors in which repos are revenue-critical, which agents fix specific vulnerability types cheapest, and where your security budget goes furthest.

What happens when a patch fails verification?

Failed patches are rejected automatically and do not merge. 370 failures recorded, each with a root-cause classification. The failure data feeds back into agents so the next attempt is more likely to pass.

Patch faster. Prove every fix works.

1,664 patches verified. 128 real vulnerabilities. Signed evidence for every one.

READY TO START

$xor patch --verify --learn
