Agents

    Virtual patching, at machine speed

    Meet Aegis

    The Mitigation Engineer is the agent on your team that closes the exploit window. Hand it an exploitable CVE and it writes a ModSecurity or AWS WAF rule that blocks the attack path in minutes, while the Remediation Engineer works on the real fix. Built for the 0-day clock.

    Minutes, not weeks

    The Mitigation Engineer ships a virtual patch in the time it takes a developer to read the CVE, so the exploit window never opens.

    Targeted rules, not blanket blocks

    Writes precise WAF rules scoped to the exploitable code path. No alert flood, and no on-call engineer paged at 2am for false positives.

    Built for the 0-day clock

    The moment the Application Security Engineer confirms exploitability, the Mitigation Engineer ships the rule. The adversary window from Mythos-scale discovery closes before it matters.

    Retired when the fix ships

    Hands off to the Remediation Engineer. When the upgrade lands and tests pass, the WAF rule is removed automatically. No rule rot, no compensating control that quietly becomes permanent.

    How it works

    Drafts the rule, tests it, deploys it, retires it

    The Mitigation Engineer reads the exploit conditions from the Application Security Engineer, drafts a WAF rule scoped to the vulnerable code path, and tests it against the known exploit signature and a sample of legitimate traffic. It then deploys the rule to your ModSecurity or AWS WAF through the approval flow your team has configured, monitors blocks and false positives in production, and removes the rule when the Remediation Engineer confirms the fix is live. Every step is logged.

    Where it lives

    Inside the WAF you already run

    The Mitigation Engineer deploys to ModSecurity, AWS WAF, or Cloudflare. No new proxy in front of your traffic, no break-glass infrastructure, no new dashboard. Rules land in the WAF of record, with a change history your team can audit.

    Hand-offs

    Buys time for the Remediation Engineer

    When the Application Security Engineer confirms an exploitable finding, the Mitigation Engineer opens a containment window so the Remediation Engineer can do the real work without the clock ticking. Containment upstream, remediation downstream. The same Konvu Agents.

    Close the exploit window with the Mitigation Engineer

    Connect your WAF and your SAST or SCA tool. The Konvu Agents start shipping rules.

    Frequently asked questions