Whitepaper 02

Purple Radar

Usable AI judgment for vulnerability intelligence.


Most vulnerability tools are built to collect records, enrich them, and rank them. That is useful, but it is not enough. In real security operations, the harder problem is understanding what changed, why it matters, what evidence supports the signal, what risk it creates, and what action should happen next.

Purple Radar is built around that problem. It treats vulnerability intelligence as a living operating picture: software weakness, exploit pressure, external exposure, defensive visibility, business impact, uncertainty, and action.

Position: Purple Radar is not another dashboard. It is an intelligence-to-action system.

The Problem With Vulnerability Intelligence

Modern security teams are surrounded by vulnerability disclosures, exploit intelligence, exposure data, asset inventories, scanner findings, package advisories, threat reports, SOC detections, incident notes, executive questions, and compliance pressure. The problem is not a shortage of information. The problem is that information often arrives without judgment.

Purple Radar separates the ideas that often get flattened into one number. Severity is not threat likelihood. Threat likelihood is not observed exploitation. Observed exploitation is not exposure. Exposure is not business impact. Business impact is not detection readiness. Detection readiness is not action. That separation is the beginning of usable judgment.

What Purple Radar Builds

Purple Radar is a fusion engine for vulnerability decision intelligence. It ingests multiple classes of security signals, organizes them into a common model, reasons across the evidence, and produces action-oriented output for defenders, analysts, vulnerability managers, and leaders.

  1. Context ingestion: Bring vulnerability, exploit, exposure, asset, detection, and timeline evidence into one decision object.
  2. Change detection: Notice meaningful deltas in exploit evidence, exposure, actor interest, and detection gaps.
  3. Impact reasoning: Connect technical weakness to operational consequence, business impact, and defensive readiness.
  4. Action mapping: Convert intelligence into remediation, monitoring, hunting, escalation, or executive reporting paths.
  5. Human-verifiable output: Show assumptions, reason codes, confidence, evidence, and uncertainty.

The Purple Radar Architecture

Purple Radar uses a layered intelligence pipeline. It begins with raw security signals, organizes them into a normalized vulnerability model, scores them through a multi-dimensional radar engine, enriches them with narrative reasoning, and elevates them through the Evening Star AI layer into outputs that support analyst action, SOC hunting, remediation priority, and executive clarity.

Layer: Purpose
Signal lanes: Vulnerability disclosures, exploit evidence, exposed-service observations, package advisories, threat indicators, reputation signals, detection context, timeline events, and operational metadata.
Normalization: Common vulnerability objects with identifiers, affected products, severity metadata, exploit maturity, exposure summaries, detection readiness, references, reason stacks, and decision metadata.
Radar scoring: Multi-dimensional scoring that preserves the distinction between technical severity, adversary pressure, exposure, confidence, and action.
Narrative reasoning: Explains what elevated the issue, what changed, which conditions matter, what evidence supports the recommendation, and what action should follow.

Radar Scoring

Purple Radar does not rely on a single opaque number. Real-world prioritization depends on interaction. A severe vulnerability with little practical exposure may require monitoring. A moderate vulnerability with clear exploit activity and broad exposure may require urgent action. Purple Radar preserves those distinctions instead of flattening them.

Radar signal: Severity + Threat Likelihood + Exploit Maturity + Exposure + Detection Readiness + Business Impact + Freshness + Confidence
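
An added sketch (not Purple Radar's own code) of the two cases described above: the radar dimensions stay separate, and an action is returned together with the reason codes behind it. The 0.0-1.0 scales, thresholds, action names, reason codes, and sample signals are all assumptions made for this illustration.

```python
from dataclasses import dataclass

# Scales (0.0-1.0), thresholds, action names and reason codes are all
# assumptions made for this example; the page does not specify them.
@dataclass(frozen=True)
class RadarSignal:
    cve: str                    # constructed placeholder identifier
    severity: float
    threat_likelihood: float
    exploit_maturity: float
    exposure: float
    detection_readiness: float
    business_impact: float
    freshness: float
    confidence: float

def decide(s: RadarSignal) -> tuple[str, list[str]]:
    """Map a signal to an action plus the reason codes that justify it."""
    # Stale or weakly supported evidence is surfaced, not silently scored.
    if s.confidence * s.freshness < 0.3:
        return "investigate", ["LOW_CONFIDENCE_OR_STALE_EVIDENCE"]
    reasons = []
    if max(s.threat_likelihood, s.exploit_maturity) >= 0.7:
        reasons.append("EXPLOIT_PRESSURE")
    if s.exposure >= 0.6:
        reasons.append("BROAD_EXPOSURE")
    if s.detection_readiness < 0.5:
        reasons.append("DETECTION_GAP")
    if s.business_impact >= 0.7:
        reasons.append("HIGH_BUSINESS_IMPACT")
    if "EXPLOIT_PRESSURE" in reasons and "BROAD_EXPOSURE" in reasons:
        return "remediate_now", reasons
    if s.severity >= 0.8 and s.exposure < 0.3:
        return "monitor", ["HIGH_SEVERITY", "LOW_EXPOSURE"] + reasons
    return "scheduled_remediation", reasons

def severity_only_order(signals):
    """The flattened view: rank by severity alone."""
    ranked = sorted(signals, key=lambda s: s.severity, reverse=True)
    return [s.cve for s in ranked]

# Constructed samples mirroring the two cases in the text (field order as above).
SEVERE_UNEXPOSED = RadarSignal("CVE-EXAMPLE-A", 0.98, 0.2, 0.1, 0.05, 0.8, 0.4, 0.9, 0.8)
MODERATE_EXPLOITED = RadarSignal("CVE-EXAMPLE-B", 0.55, 0.9, 0.8, 0.85, 0.3, 0.7, 0.9, 0.8)

if __name__ == "__main__":
    batch = [MODERATE_EXPLOITED, SEVERE_UNEXPOSED]
    print("severity-only order:", severity_only_order(batch))
    for sig in batch:
        print(sig.cve, *decide(sig))
```

Ranked by severity alone, the first sample signal outranks the second, while the per-dimension decision sends the first to monitoring and the second to immediate remediation with a detection-gap reason attached.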

Evening Star AI Inside Purple Radar

Evening Star AI is the cognitive layer that makes Purple Radar more than a scoring engine. Most AI systems are built to answer questions. Evening Star AI is built to reveal changed state. Inside Purple Radar, that philosophy becomes vulnerability intelligence.

  1. Signal compression without blindness: Large vulnerability context becomes concise operational judgment without hiding the reasons behind the summary.
  2. Change-aware reasoning: The system emphasizes deltas: new exploit evidence, sudden exposure changes, emerging actor interest, detection gaps, and unusual combinations of risk factors.
  3. Anomaly-aware prioritization: Unsupervised reasoning helps identify unexpected combinations before every future pattern has a label.
  4. Human-verifiable intelligence: The system exposes assumptions, reason codes, confidence, evidence, and uncertainty wherever possible.

Why This Matters

Security teams are not short on alerts. They are short on attention, time, and clear operating pictures. They face vulnerability scans, threat intelligence, tickets, logs, incident notes, asset inventories, compliance questions, and leadership pressure all at once.

Purple Radar turns a vulnerability signal into an enriched, prioritized, explainable risk decision. It helps defenders understand what changed, why it matters, what action should happen next, and how the process can move forward through governed automation.

Design Principles

Purple Radar should respect the operator, make uncertainty visible, reduce noise, connect intelligence to action, and automate responsibly. Agents should assist with enrichment, routing, monitoring, reporting, and escalation only where automation makes humans more effective. They should not hide judgment or bypass accountability.

Closing view: Purple Radar is not merely a collection of signals. It is a decision system for vulnerability intelligence.