SAGE Analysis
SAGE (Sovereign AI Governance Engine) is BreachSpider's AI reasoning engine, purpose-built for ICS/OT vulnerability analysis. SAGE is protected under USPTO Provisional Patent Application 64/015,948, filed by CITED Relevance LLC.
SAGE is not a general-purpose chatbot. It does not answer questions about cooking, travel, or general knowledge. It is a domain-specific intelligence engine trained on ICS/OT vulnerability context, industrial protocols, compliance frameworks, and control system remediation strategies.
What SAGE Understands
SAGE has deep context on:
- PLC programming and patching: Why patching a PLC is different from patching a Windows server. Why firmware updates require maintenance windows, vendor coordination, and process shutdown planning.
- NERC CIP requirements: What CIP-007, CIP-010, and CIP-013 require for documented patch management, configuration monitoring, and supply chain risk management.
- Industrial protocols: How Modbus, DNP3, OPC-UA, EtherNet/IP, PROFINET, and BACnet are affected by different CVE classes. What protocol-level mitigations are available.
- OT vs IT context: The difference between a buffer overflow in a web browser (IT concern) and a buffer overflow in a PLC communication stack (operational safety concern).
- Compensating controls: What controls are realistic for OT environments where patching is not immediately feasible. Network segmentation, protocol filtering, application whitelisting, enhanced monitoring.
SAGE on CVE Detail Pages
When you view a CVE detail page, SAGE provides four analysis sections (Standard tier and above):
Executive Summary
A plain-English description of what this vulnerability does and why it matters. Written for two audiences: OT engineers who need technical detail, and plant managers who need to understand business impact.
ICS Context
What this CVE means specifically for ICS/OT environments. This section answers: "Does this affect my control systems, and if so, how?" It considers the affected vendor, product, protocol, and attack vector in the context of typical OT network architectures.
Remediation Guidance
Step-by-step actions to take, ordered by priority:
- Apply the vendor patch if available (with version details).
- Implement compensating controls if patching is not immediately feasible.
- Monitor for indicators of compromise.
- Schedule a follow-up review.
The guidance is specific to OT environments. It does not recommend "restart the service" for a PLC, because SAGE understands that restarting a PLC can have physical process impacts.
Confidence Score
A numerical confidence score with a tier classification:
| Tier | Score Range | Meaning |
|---|---|---|
| SOVEREIGN_AUDIT_PASS | 0.90+ | Highest confidence. Multiple corroborating sources. Analysis fully traceable. |
| HIGH | 0.75 - 0.89 | Strong confidence. Reliable source data. |
| MEDIUM | 0.60 - 0.74 | Moderate confidence. Verify with the vendor advisory. |
| LOW | Below 0.60 | Limited data available. Treat as directional guidance only. |
The confidence score is backed by mathematical tracing to the source data used in the analysis. This tracing is part of the SAGE patent claim and ensures that every assertion can be verified against the underlying intelligence.
Asking SAGE in Chat
The SAGE chat is available from any page via the green ASK SAGE button in the bottom right corner. Use it to ask questions about your environments, specific CVEs, remediation strategies, or compliance posture.
Example questions:
- "What are the highest priority CVEs in my Water Plant Alpha environment?"
- "Is CVE-2025-32433 relevant to my Siemens S7-1500 PLCs?"
- "What compensating controls can I use for CVE-2024-38112 if I cannot patch immediately?"
- "Summarize my NERC CIP exposure for the quarterly review."
- "Which findings in Substation Beta should I address before the maintenance window on Friday?"
- "Explain the BCS score breakdown for CVE-2025-32433."
- "What OPC-UA vulnerabilities should I watch for?"
SAGE responds with ICS-specific context. When you ask about a CVE, SAGE considers your environment assets, the CVE's affected products, exploitation intelligence, and your compliance obligations.
SAGE Tier Access
| Tier | SAGE Access |
|---|---|
| Free | Blurred summary on CVE pages. 5 chat queries/month. |
| Standard | Full analysis on CVE pages. 50 chat queries/month. |
| Professional | Full analysis. 500 chat queries/month. ElevenLabs voice mode. |
| API | Unlimited queries. Programmatic access. |
| Enterprise | Unlimited. Priority processing. Custom model tuning on request. |
Voice mode (Professional and above): SAGE can read its analysis aloud using ElevenLabs text-to-speech. Useful for plant floor operators who need to review findings hands-free, or for accessibility.
SAGE Query Logging
Every SAGE query is logged in the audit log as SAGE_QUERIED. The log records the CVE ID and query type. The response content is never logged; only the fact that a query was made is recorded. This ensures that your SAGE usage is documented for compliance without storing potentially sensitive analysis text in the audit trail.