Core Concepts

Understand the mental model that powers Plexicus: how your applications flow through our system, how findings are discovered and enriched, and how your organization maintains control through plans and entitlements.


Applications & Repositories

An application (or repository) is the unit of scanning in Plexicus. You register repositories from your source control systems (GitHub, GitLab, Bitbucket, Gitea, and others), cloud providers (AWS, Azure, GCP, OCI), or container registries.

Asset Types

Plexicus scans three primary asset categories:

  • Repositories (SCM): Codebases stored in GitHub, GitLab, Bitbucket, Gitea, Forgejo, Azure DevOps, or TFVC. When you connect an SCM provider, Plexicus discovers branches and scans them on a schedule or on-demand.
  • Cloud Infrastructure: Deployed resources across AWS, Azure, GCP, and OCI. Plexicus discovers cloud resources and evaluates them for misconfigurations, compliance violations, and entitlement risks.
  • Container Registries: Container images in Docker registries, Amazon ECR, Azure Container Registry, Google Artifact Registry, or Harbor. Plexicus scans images for vulnerabilities in dependencies and embedded secrets.

Each asset is tracked as an application in your Plexicus dashboard, and you can tag, filter, and manage them by project, team, or compliance domain.

Sandbox Repositories

New to Plexicus? Use sandbox repositories to try a scan without connecting your own source control. The platform provides public sample repositories that you can scan in minutes to explore findings, triage workflows, and AI remediation without setup friction.


Scanner Bundles

Plexicus uses bundled security scanners to detect vulnerabilities, misconfigurations, secrets, and policy violations. Scanner bundles are branded Plexicus packages that combine industry-standard tools with Plexicus's own capabilities.

Core Bundles

These bundles are included in all plans (Free and above):

  • SAST Bundle: Static Application Security Testing detects code-level vulnerabilities (SQL injection, XSS, insecure deserialization, etc.) across multiple programming languages.
  • SCA Bundle: Software Composition Analysis identifies vulnerable, outdated, or non-compliant dependencies in your applications.
  • IaC Bundle: Infrastructure-as-Code scanning checks Terraform, CloudFormation, Kubernetes manifests, and other declarative infrastructure for security and compliance violations.
  • Secrets Bundle: Detects hardcoded secrets (API keys, credentials, tokens) before they reach production or public repositories.

Optional Bundles

Available on higher plans (Starter and above):

  • DAST & AI Pentest Bundle: Dynamic Application Security Testing plus Plexicus AI Pentest for automated security assessment of live applications. Uses browser-based scanning and autonomous agent-driven penetration testing.
  • Cloud Posture (CSPM) Bundle: Discovers cloud infrastructure misconfigurations, compliance violations, and over-privileged identities across AWS, Azure, GCP, and OCI.
  • Container Workload Protection (CWPP): Protects containerized workloads with runtime vulnerability detection and policy enforcement.

Custom Scanners

Bring your own security tools or create custom scanners with the user connector framework. Custom scanners integrate into the Plexicus triage and remediation workflow like native bundles.


Findings Lifecycle

A finding is a security issue discovered in your applications. Each finding progresses through a well-defined lifecycle from discovery to resolution.

1. Discovered

When Plexicus scans an asset, scanner bundles return raw results. Each match is tagged with its severity (Critical, High, Medium, Low), type (e.g., SQL injection, hardcoded secret), and location (file, line, function). At this stage, findings are queued for AI enrichment.

2. AI-Enriched

Plexicus's AI pipeline automatically enriches every finding by:

  • Classifying false positives: The AI determines whether this issue is a genuine vulnerability or a false alarm (e.g., a commented-out credential, a benign regex pattern). High-confidence false positives are labeled and filtered by default.
  • Contextualizing risk: The AI examines the code context to assess whether a vulnerability is reachable, exploitable, or mitigated by upstream controls.
  • Prioritizing impact: Findings are scored based on severity, exploitability, and business impact. A high-severity issue in dead code ranks lower than a critical vulnerability in frequently-called functions.
  • Suggesting remediation: The AI generates actionable fix suggestions, including code samples, library updates, and configuration changes.

3. Triage States

After enrichment, security and development teams triage findings:

  • Open (default): A finding that requires attention. Findings stay open until explicitly marked as mitigated, false positive, or won't fix.
  • False Positive (FP): You verify that this is not a genuine security issue. Plexicus learns from FP markings to improve future scans and reduce noise.
  • Mitigated: You confirm this vulnerability has been fixed or the risk is accepted. Plexicus tracks the time from discovery to mitigation (MTTR).
  • Won't Fix: You acknowledge the risk but have accepted it due to business constraints. Document your reasoning for compliance audits.

4. Remediated

When a developer applies a fix (code change, library upgrade, configuration adjustment), Plexicus can verify remediation:

  • If you enable AI Remediation, Plexicus generates pull requests with fixes. Developers review and merge.
  • Plexicus re-scans the updated asset to confirm the finding no longer appears. If the vulnerability resurfaces, it is re-opened.
  • Remediation metrics (time to fix, velocity) feed your organization's security dashboard and compliance reports.

Vulnerability Exchange (VEX)

For known vulnerabilities in dependencies, you can issue VEX (Vulnerability Exchange) statements to document mitigations without requiring a code change. VEX allows you to declare:

  • Status: NOT_AFFECTED — This dependency version is not vulnerable (e.g., the vulnerable code path is not invoked).
  • Status: AFFECTED + Justification — This dependency is vulnerable, but you have a compensating control (e.g., WAF, network segmentation).
  • Status: FIXED — You have updated to a patched version.

Plexicus honors VEX statements in triage and compliance reporting, allowing you to manage risk without forcing unnecessary upgrades.
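The following is an added illustration of how VEX statements with the three statuses above can be applied to SCA findings during triage; it is example code, not Plexicus's own implementation, and it assumes purl-style package identifiers, exact version matching, and that an AFFECTED statement with a compensating control maps to the "mitigated" (risk accepted) triage state. It also handles two cases worth catching: a statement with no justification is rejected rather than trusted, and a FIXED statement for a version the scanner still flags is surfaced as a conflict instead of silently suppressing the finding.

```python
from dataclasses import dataclass
from enum import Enum
class VexStatus(Enum):  # the three statuses the page lists
    NOT_AFFECTED = "not_affected"
    AFFECTED = "affected"
    FIXED = "fixed"
@dataclass(frozen=True)
class VexStatement:
    vuln_id: str
    package: str             # assumption: purl-style package identifier
    version: str
    status: VexStatus
    justification: str = ""  # required for NOT_AFFECTED and AFFECTED

@dataclass
class ScaFinding:
    vuln_id: str
    package: str
    version: str
    triage: str = "open"     # triage states from the findings lifecycle
    note: str = ""           # audit trail of why triage changed

def apply_vex(findings, statements):
    """Apply statements to findings in place; return (conflicts, rejected) for review."""
    index = {(s.vuln_id, s.package, s.version): s for s in statements}
    conflicts, rejected = [], []
    for f in findings:
        s = index.get((f.vuln_id, f.package, f.version))  # exact version match only
        if s is None:
            continue  # no statement: the finding stays open
        if s.status is not VexStatus.FIXED and not s.justification.strip():
            rejected.append(f"{s.vuln_id}: {s.status.value} without justification")  # stays open
        elif s.status is VexStatus.NOT_AFFECTED:
            f.triage, f.note = "false_positive", "VEX not_affected: " + s.justification
        elif s.status is VexStatus.AFFECTED:
            f.triage, f.note = "mitigated", "VEX affected, risk accepted: " + s.justification
        else:  # FIXED, yet the scanner still reports this version: surface, never suppress
            conflicts.append(f"{f.vuln_id} {f.package}@{f.version}: VEX says fixed, scanner disagrees")
    return conflicts, rejected

# Constructed sample data with placeholder ids; none of these are real advisories or packages.
FINDINGS = [ScaFinding("CVE-0000-0001", "pkg:npm/example-pad", "1.3.0"),
            ScaFinding("CVE-0000-0002", "pkg:pypi/example-http", "2.0.1"),
            ScaFinding("CVE-0000-0003", "pkg:maven/org.example/parser", "4.2.0"),
            ScaFinding("CVE-0000-0004", "pkg:npm/example-pad", "1.3.0")]
STATEMENTS = [VexStatement("CVE-0000-0001", "pkg:npm/example-pad", "1.3.0", VexStatus.NOT_AFFECTED, "vulnerable function never called"),
              VexStatement("CVE-0000-0002", "pkg:pypi/example-http", "2.0.1", VexStatus.AFFECTED, "egress blocked by network segmentation"),
              VexStatement("CVE-0000-0003", "pkg:maven/org.example/parser", "4.2.0", VexStatus.FIXED),
              VexStatement("CVE-0000-0004", "pkg:npm/example-pad", "1.3.0", VexStatus.NOT_AFFECTED)]
```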


AI Pipeline

The Plexicus AI pipeline orchestrates enrichment, false positive filtering, prioritization, remediation, and fix verification.

Enrichment

After scanning, raw findings are enriched asynchronously:

  1. Semantic Analysis: The AI analyzes code context, data flow, and control flow to determine whether a vulnerability is exploitable.
  2. False Positive Detection: Distinguishes genuine issues from false alarms using code patterns and domain knowledge.
  3. Risk Scoring: Assigns a risk score (0–100) based on severity, exploitability, and business context.
  4. Metadata Extraction: Identifies affected files, functions, dependencies, and compliance controls.

FP Filtering

The AI filters out high-confidence false positives automatically to reduce triage burden. You control the FP confidence threshold (default: high confidence only). False positives are visible in the dashboard but hidden by default.

Prioritization

Findings are sorted by risk score and surfaced to your team in an order determined by:

  • Severity (Critical > High > Medium > Low)
  • Exploitability (Reachable > Unreachable > Unknown)
  • Business context (Findings in frequently-updated or customer-facing code rank higher)
  • Age (Older unfixed findings become higher priority)

Remediation

For open findings, Plexicus can generate AI remediation:

  1. You request a fix for one or more findings.
  2. Plexicus's AI analyzes the vulnerability and the codebase.
  3. AI generates a pull request with a fix proposal.
  4. Your development team reviews, edits, and merges the PR.
  5. Plexicus re-scans to verify the fix.

Each remediation request consumes AI Credits from your plan's monthly allowance (see your dashboard for current usage).

Fix Verification

After a fix is deployed:

  1. Plexicus re-scans the asset automatically (on your scan schedule) or on-demand.
  2. If the vulnerability no longer appears, the finding is marked as remediated.
  3. If the vulnerability reappears, Plexicus re-opens the finding and notifies your team.

This closed-loop approach ensures accountability and tracks your actual remediation velocity (MTTR).
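As an added example (not Plexicus code) of the closed loop described in the Findings Lifecycle and Fix Verification sections, the following reconciles one scan's raw results against the findings already tracked: new matches are discovered, open or mitigated findings that no longer appear are marked remediated, a remediated finding that reappears is re-opened with an alert, and human triage decisions (false positive, won't fix) survive re-scans. It assumes a finding's identity is its rule, file and function (not the line number) and that scan dates arrive as ISO strings.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from datetime import date
from statistics import mean
OPEN, FALSE_POSITIVE, MITIGATED, WONT_FIX, REMEDIATED = (
    "open", "false_positive", "mitigated", "wont_fix", "remediated")
@dataclass
class Finding:
    fingerprint: str
    rule: str
    location: str
    state: str = OPEN
    discovered: date = date.min
    remediated_on: date | None = None
    reopen_count: int = 0
def fingerprint(raw: dict) -> str:
    # Assumption: identity is rule + file + function, not the line number, so edits that
    # only shift lines do not turn one finding into a "new" one on the next scan
    key = f"{raw['rule']}|{raw['file']}|{raw['function']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def reconcile(findings: dict, scan: list, today: str) -> list:
    """Apply one scan's raw results (ISO date) to tracked findings in place; return alerts."""
    day, alerts, seen = date.fromisoformat(today), [], set()
    for raw in scan:
        fp = fingerprint(raw)
        seen.add(fp)
        f = findings.get(fp)
        if f is None:  # 1. Discovered
            findings[fp] = Finding(fp, raw["rule"], f"{raw['file']}:{raw['function']}", discovered=day)
        elif f.state == REMEDIATED:  # fix regressed: reopen, alert, keep the original discovery date
            f.state, f.remediated_on, f.reopen_count = OPEN, None, f.reopen_count + 1
            alerts.append(f"reopened {f.rule} at {f.location}")
        # open, false_positive, mitigated and wont_fix keep their human triage decision
    for f in findings.values():
        if f.fingerprint not in seen and f.state in (OPEN, MITIGATED):
            f.state, f.remediated_on = REMEDIATED, day  # 4. Remediated, confirmed by re-scan
    return alerts

def mttr_days(findings: dict) -> float:
    """Mean time to remediate over findings a re-scan has confirmed fixed."""
    done = [(f.remediated_on - f.discovered).days for f in findings.values() if f.state == REMEDIATED]
    return float(mean(done)) if done else 0.0

# Constructed sample scans: day 1 finds two issues, day 8 the injection is gone, day 15 it is back.
SCAN_DAY1 = [{"rule": "sql-injection", "file": "app/db.py", "function": "find_user"},
             {"rule": "hardcoded-secret", "file": "app/config.py", "function": "<module>"}]
SCAN_DAY8, SCAN_DAY15 = SCAN_DAY1[1:], SCAN_DAY1
```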


Plans & Entitlements

Plexicus offers flexible plans designed for different team sizes and security needs. Your plan determines which features and scanner bundles you can use.

Plan Tiers

Plexicus offers four tiers tailored to team size and security maturity:

  • Free: Core scanners (SAST, SCA, IaC, Secrets), up to 5 repositories, manual remediation only
  • Starter: All core scanners + DAST & AI Pentest, unlimited repositories, 1,500 AI Credits/month, RBAC
  • Scale: Starter + Cloud Posture (CSPM), 6,000 AI Credits/month, SAML/OIDC SSO, SCIM provisioning, custom scanners, advanced compliance frameworks
  • Enterprise: Scale + CWPP, unlimited AI Credits, dedicated support, self-hosted option

Contact sales@plexicus.ai for Enterprise pricing and custom feature requests.

Feature Gates

Specific features are gated behind plan tiers:

  • AI Remediation: Starter+
  • CSPM: Scale+
  • SSO & SCIM: Scale+
  • Custom Roles: Scale+
  • Audit Logs: Scale+
  • CWPP: Enterprise

Attempting to use a gated feature shows a clear upgrade prompt so you can immediately activate it if needed.

AI Credits

AI Credits are a unified metric for API-intensive operations:

  • Remediation: 10 credits per fix request
  • FP Detection: 5 credits per deep false positive analysis
  • Report Import: 15 credits to ingest external security reports
  • Deep Enrichment: 20 credits for enhanced AI analysis on complex findings

Your plan renews AI Credits monthly on the renewal date. Unused credits do not roll over. If you exceed your monthly allowance, you can purchase credit packs (pay-as-you-go) to continue using AI features.


SaaS vs Self-Hosted

Plexicus is available as a cloud-hosted SaaS platform or as a self-hosted deployment in your own Kubernetes cluster.

Plexicus Cloud (SaaS)

Best for: Most organizations. Fast onboarding, automatic updates, no infrastructure management.

  • Hosted on Plexicus infrastructure (EU data centers)
  • Automatic updates and security patches
  • Integrated analytics and support dashboards
  • Email, Slack, and Teams integrations
  • Billed monthly or annually

Self-Hosted

Best for: Enterprises with strict data residency, compliance, or network isolation requirements.

  • Deploy to your own Kubernetes cluster (on-prem, private cloud, or isolated VPC)
  • Complete control over data location and network boundaries
  • Integration with your identity provider (SAML/OIDC)
  • Enterprise SLA and priority support
  • Licensed annually with usage-based pricing

Self-hosted deployments require a valid license key and a supported Kubernetes version (1.24+). See Self-Hosted Deployment for setup and configuration.


Next Steps