A foothold via this technique could ride a route in your twin to a crown jewel. Shown with the modeled dollar exposure across those routes.
Breach Replay — A CVE is trending. Type its ID — see if it reaches you.
Type today’s headline CVE. Does it reach your crown jewels?
Paste the CVE id and Breach Replay replays it against your twin — a verdict, a cited facts card, the routes a foothold could ride, priced. No agent, no live scan.
Everything is labeled proven or modeled. A CVE we can’t resolve gets no guess — that restraint is the point.
The one line you can forward to the board.
Every replay resolves to one of five honest verdicts. Deliberately conservative — it never says “you are vulnerable”, only whether the modeled path exists, and it shows its work underneath.
You have already proven every control that defends the technique, and no modeled route reaches a crown.
We don’t see the affected product in your uploaded artifacts — so this CVE likely doesn’t apply to you.
There’s nothing to trace to yet — declare a crown jewel (and upload your estate) and we’ll trace whether it reaches anything that matters.
The CVE can’t be resolved against the databases. We return a plain refusal instead of a fabricated technique.

Paste the CVE id
CVE-2023-27997, straight from the headline — the engine resolves it to affected products and techniques.
The twin takes the exploit
A modeled foothold lands where that product lives in YOUR twin, and the engine walks every route it could ride.
One honest line, with its work
Reaches a crown: the routes, priced, labeled modeled. Not present: it says so. Unresolvable: no guess.
One CVE, replayed end to end.
Paste CVE-2023-27997 (FortiOS, on CISA KEV since 2023-06-13). The facts card, the routes, and the dollar figure below are a modeled example for the fictional Acme Capital estate.
Printed on the card: facts from the authoritative databases, dated; routes are your twin’s modeled and proven paths a foothold could ride — not a claim that your specific box is exploitable.
For T1133, the defending controls are NIST 800-53 AC-17, SOC 2 CC6.6, and ISO 27001 A.8.20. Prove the undefended ones — upload the firewall or identity config that enforces them, and Configuration Review proves them rule-by-rule — and the same CVE stops reaching your crowns. Findings you can prove, not attest.
The restraint is the product.
Every other “does this CVE reach you” tool either runs an agent on your boxes or quietly guesses. Breach Replay does neither, and says so on the screen.
CVE facts are cited, never invented.
They come from the authoritative databases or our cited baseline — a CVE we can’t resolve gets a plain refusal, not a fabricated technique.
Applicability is modeled, not scanned.
It’s a product-name match against artifacts you already uploaded. We say “we see the affected product” or “we can’t confirm it” — never “you are vulnerable.”
The blast radius is your twin, not your live box.
The routes are modeled and proven paths a foothold could ride — not a claim the specific device is exploitable.
A defense reads PROVEN only when proof backs it.
A real artifact-tested ledger entry, from a live config parse — not a checkbox in a spreadsheet.
“That CVE isn’t in our CVE intelligence yet — we won’t guess. We resolve CVEs against the authoritative CVE databases (NVD, CISA KEV, FIRST EPSS) and our curated technique map — never a fabricated mapping.”
That single refusal is the trust signal the rest of the page is built to earn.
Not a demo skin over a language model.
Do you run an agent or scan my live boxes?
What happens when a CVE isn’t in your intelligence?
Does a verdict claim my device is exploitable?
Everything Breach Replay prints is labeled proven or modeled, and a CVE we can’t resolve gets a plain no-guess — that restraint is the point.
A CVE is trending right now. Is it a threat to you?
Included from the Assess tier up — every paid plan can replay a CVE against its twin. No add-on, no separate SKU.
26 distinct MITRE ATT&CK techniques · 15 security tools cross-stitched · 11 threat-actor categories, described by behavior — never a named group · 9,000 automated tests
Full coverage & honesty detail → /features#coverage
Decide what to do — architecture design, current-state review, and compliance scoring, board-ready.