Evidence-bounded reachability for Kubernetes

Reachability decisions without guessing.

Reachable doesn't scan, and it doesn't guess. It reads your scanner's output, reads your cluster, and shows whether a reachable path was observed under current evidence, deterministically, with no AI model in the decision path.

Request early access See how it works
app.getreachable.dev/workloads/payments-api/CVE-2025-12345
Reachable decision detail: CVE-2025-12345, deterministic decision, evidence ledger
Kubernetes workload context
Scanner finding (Trivy)
SBOM evidence considered
Not assessed: runtime, code-path, VEX, provenance

We do not say "safe." We say "no reachable path observed under current evidence."

Scanners produce findings. Not decisions.

Every scan run adds to an already long queue of findings, ranked mostly by severity score. Severity alone doesn't say whether a workload can actually be exposed to a given vulnerability, and most teams don't have time to trace that by hand for every finding. Reachable adds a second, evidence-bounded signal: what workload context, scanner data, and SBOM composition actually show, and what they don't.

app.getreachable.dev/workloads
Reachable workloads dashboard: pipeline status, active decisions

How it works

01
Collect workload context
Kubernetes workload and topology evidence, exposure, service graph, and deployment context.
02
Ingest scanner findings
Trivy and SARIF results are ingested as-is; Reachable does not run its own scans.
03
Ingest SBOM evidence
Composition evidence from CycloneDX and SPDX.
04
Generate a decision
A deterministic engine produces a decision and an auditable evidence ledger.

Evidence basis, per workload

Every workload shows what evidence was considered, and what wasn't assessed.

app.getreachable.dev/workloads/payments-api
Reachable evidence basis: Kubernetes workload context, scanner evidence, SBOM evidence, not assessed
Kubernetes workload context
Deployments, services, and ingress topology, read directly from your cluster. This determines whether a workload is exposed.
Scanner findings, when you send them
Imported from Trivy or SARIF output. Reachable doesn't scan on its own, it reads what your scanner already found.
SBOM, shown for composition context
CycloneDX or SPDX composition data describes what is declared in an image artifact. Reachable shows it for context, not as reachability proof.
Not assessed today
Runtime library loading, code-path execution, VEX statements, and provenance/SLSA data aren't collected. A decision never claims to cover them.

This conclusion holds only over the evidence considered. Categories shown as ‘not assessed’ have no evidence ingested and do not support a negative conclusion.

Guardrails

Deterministic engine
The same evidence always produces the same decision.
Scanner-agnostic
Works with Trivy and SARIF-producing scanners you already run.
No AI model in the decision path
Decisions are rule-based over structured evidence, not model inference.
Missing evidence is "not assessed"
Absent evidence is labeled honestly, never treated as proof of absence.
Audit trail for every decision
Each decision records exactly which evidence was considered.
Collector scope is workload/topology only
No secrets, ConfigMaps, pod logs, process memory, or application code paths.
Status
Reachable is currently available for early-access demos. The platform is private while the public core strategy is being prepared.

Frequently asked

No. Reachable ingests findings from scanners you already run (Trivy, SARIF) and adds reachability context. It does not scan for vulnerabilities itself.
No. Reachable collects Kubernetes workload and topology evidence, and ingests scanner findings and SBOM evidence you provide, it does not perform vulnerability scanning.
No. Reachable does not collect runtime, process, memory, log, or code-path evidence, and does not inspect secrets, ConfigMaps, or pod logs.
No. Decisions are produced by a deterministic engine over structured evidence. There is no AI model in the decision path.
It means a given category of evidence, like runtime behavior or VEX status, was not part of this decision. Not assessed is never treated as proof that no risk exists; unknowns are reported as unknown.
SBOM composition data (CycloneDX/SPDX) helps confirm what is actually present in an image. It is one input to a decision, not proof of reachability or absence of vulnerabilities on its own.
The platform is currently private. A public core strategy is being evaluated, but no public open-source code is available yet.

Request early access

See a live walkthrough with your own cluster context, scanner findings, and SBOM evidence.

Request a demo