Frequently Asked Questions


How does RapidFort reduce up to 95% of CVEs automatically?

RapidFort achieves up to 95% CVE reduction by combining RF Near Zero CVE Images with the Software Attack Surface Management (SASM) platform. This includes Instrumentation and Profiling (DevTime) to identify unused components and generate Runtime Bill of Materials (RBOM™), followed by Hardening and Defending (RunTime) to remove non-executed code and remediate vulnerabilities based on actual execution paths — all without modifying source code.

What is the Software Attack Surface Management (SASM) platform, and how does it work?

The RapidFort Software Attack Surface Management (SASM) platform analyzes containerized applications during both build-time and run-time to identify and remove unused or unreachable components. It reduces the software attack surface, remediates vulnerabilities based on actual runtime execution, and continuously protects workloads post-deployment. SASM integrates seamlessly into CI/CD workflows and plays a central role in eliminating up to 95% of CVEs without requiring source code changes.

What are RF Near Zero CVE Images?

RF Near Zero CVE Images are pre-hardened container images with minimized footprints and near-zero known vulnerabilities. They are aligned to CIS and STIG benchmarks, validated for FIPS 140-3 compliance, and designed for regulated, production-grade deployments. These images help accelerate compliance readiness for frameworks such as FedRAMP, CMMC, SOC 2, PCI DSS, HIPAA, and NIS2.

How are RF Community Images different from RF Curated Images?

RF Community Images are free, hardened container images published on RapidFort’s GitHub. They remove 60–70% of known CVEs by eliminating unused components through RapidFort’s hardening tools.
In contrast, RF Curated Images are RF Near Zero CVE Images — fully hardened, compliance-ready containers designed as a secure foundation for software development and deployment. Built and updated daily, these images are available in both Base and FIPS 140-3 validated variants, and are benchmarked to CIS and STIG security standards. They are optimized for use in FedRAMP, CMMC, SOC 2, HIPAA, PCI DSS, NIS2, and other regulated environments where a near-zero vulnerability state is required.

What is an RBOM™ and how is it different from an SBOM?

An RBOM™ (Runtime Bill of Materials) lists only the software components that were actually executed during application runtime. Unlike a static SBOM, which lists every declared package regardless of whether it is used, an RBOM™ reduces false positives and sharpens vulnerability triage.
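To make the SBOM-versus-RBOM distinction concrete, here is an added illustrative example; it is not RapidFort's code and does not reproduce how the product derives an RBOM™. It assumes a simplified CycloneDX-like SBOM in which each component carries the files it owns and its known CVEs (the `files` and `cves` fields, the package names, paths and CVE ids are all constructed placeholders), plus a set of file paths observed executing during a profiling run. Filtering the declared components by that observation yields the RBOM, and the CVEs attached to never-executed components fall out of the triage scope.

```python
"""Illustrative RBOM derivation (constructed example, not RapidFort's code).

Input: a static SBOM (every declared component, simplified CycloneDX-like
shape) plus the set of file paths observed executing at runtime.
Output: an RBOM holding only the components whose files were executed, and a
split of the declared CVEs into those on executed and those on idle components.
"""
import json

# Constructed static SBOM. The "files" and "cves" fields are assumptions for
# this example; package names, paths and CVE ids are placeholders, not real
# advisories.
STATIC_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "libweb", "version": "2.1.0",
         "files": ["/usr/lib/libweb.so.2"], "cves": ["CVE-0000-0001"]},
        {"name": "libimg", "version": "1.4.2",
         "files": ["/usr/lib/libimg.so.1"], "cves": ["CVE-0000-0002", "CVE-0000-0003"]},
        {"name": "build-tools", "version": "9.0",
         "files": ["/usr/bin/cc", "/usr/bin/ld"], "cves": ["CVE-0000-0004"]},
        {"name": "shell-utils", "version": "5.2",
         "files": ["/bin/sh", "/usr/bin/awk"], "cves": []},
    ],
}

# Constructed runtime trace: paths seen being executed or mapped while the
# application ran a representative workload.
EXECUTED_PATHS = {"/usr/lib/libweb.so.2", "/bin/sh"}


def executed_components(sbom, executed_paths):
    """Return the components for which at least one owned file was executed."""
    return [c for c in sbom["components"]
            if any(p in executed_paths for p in c["files"])]


def build_rbom(sbom, executed_paths):
    """Produce an RBOM: same BOM envelope, only executed components, no file map."""
    comps = executed_components(sbom, executed_paths)
    return {
        "bomFormat": sbom["bomFormat"],
        "specVersion": sbom["specVersion"],
        "components": [{"name": c["name"], "version": c["version"]} for c in comps],
    }


def triage(sbom, executed_paths):
    """Split declared CVEs into those on executed components and those on idle ones."""
    executed = {c["name"] for c in executed_components(sbom, executed_paths)}
    reachable, idle = set(), set()
    for c in sbom["components"]:
        (reachable if c["name"] in executed else idle).update(c["cves"])
    return {"reachable": sorted(reachable), "idle": sorted(idle)}


def reduction_percent(sbom, executed_paths):
    """Share of declared CVEs that leave the triage scope once only executed components count."""
    t = triage(sbom, executed_paths)
    total = len(t["reachable"]) + len(t["idle"])
    return 0.0 if total == 0 else 100.0 * len(t["idle"]) / total


if __name__ == "__main__":
    print(json.dumps(build_rbom(STATIC_SBOM, EXECUTED_PATHS), indent=2))
    print(triage(STATIC_SBOM, EXECUTED_PATHS))
    print(f"CVEs removed from triage scope: "
          f"{reduction_percent(STATIC_SBOM, EXECUTED_PATHS):.0f}%")
```

The design point worth noting is that the RBOM is only as complete as the profiling workload: a component that is never exercised during the profiling run is absent from the RBOM even if production traffic later reaches it, so the representativeness of that run is what decides how much of the reduction is real.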

Does RapidFort require access to source code?

No. RapidFort does not require access to source code. It operates at the binary and container level using binary scanning, DevTime profiling, and runtime behavior analysis to identify and remove unused components — enabling precise CVE remediation without modifying application code. Users can choose from multiple hardening levels, allowing for fine-grained control over which components are removed or retained based on security, performance, or operational requirements.

Can RapidFort prioritize CVEs based on risk or exploitability?

Yes. RapidFort uses execution path analysis and the RapidRisk Score to prioritize vulnerabilities that are actively present in runtime. It distinguishes between components that are executed and those that are not, allowing teams to focus remediation efforts on the vulnerabilities that truly matter to their running workloads.

Does RapidFort support CI/CD pipeline integration?

Yes — RapidFort integrates directly into your CI/CD pipelines and existing security stack.
Through native integrations with tools like Jenkins, GitHub, GitLab, Jira, Snyk, Tenable, Nessus, Splunk, and more, RapidFort automatically instruments your builds, generates RBOMs™, and applies hardening policies — all within your existing DevOps workflows.

How does RapidFort help with compliance readiness?

RapidFort accelerates compliance readiness by reducing vulnerabilities through execution-aware removal of unused and unreachable components, producing audit-ready RBOMs™, and delivering container images that are STIG/CIS hardened and FIPS 140-3 validated. It supports initiatives such as FedRAMP, CMMC, SOC 2, and cATO.

What benchmarks and standards are supported by RapidFort?

RapidFort supports STIG and CIS hardening benchmarks, FIPS 140-3 cryptographic validation, and aligns with security controls from NIST SP 800-70 — helping organizations reduce risk and prepare for security audits.

How does RapidFort secure running containers?

RapidFort profiles application behavior in production, baselines container activity, and detects runtime drift or behavioral anomalies. It filters CVEs based on what’s actually exposed and maintains protection with less than 1% compute overhead.

Can I use RapidFort on third-party or custom base images?

Yes. RapidFort’s DevTime and RunTime tools can be applied to any image — including custom or vendor-provided base images — to harden them, remove unnecessary components, and reduce CVEs at runtime.

What environments are supported by RapidFort?

RapidFort supports all major Kubernetes distributions, Docker runtimes, container registries, and cloud-native platforms. It is fully compatible with Linux LTS distributions including Alpine, Ubuntu, Debian, and Red Hat.

Does RapidFort automatically patch vulnerabilities?

RapidFort avoids conventional patching by removing unused components and unreachable code — neutralizing the majority of CVEs without introducing new packages or requiring re-baselining.

How is vulnerability data presented in RapidFort?

RapidFort produces accurate, context-aware vulnerability reports. Results include execution path visibility and can be exported in SPDX or CycloneDX formats for integration with compliance systems or SIEM tools.