Anthropic's security team finds vulnerabilities in open-source software and reports them to maintainers. We watch their public dashboard every day and match it to the software you actually run. You get a heads-up before the CVE goes public — time to pin your version and plan the patch instead of scrambling.
Most customers use the early-warning side. Software vendors also use the publish side to prove they handle vulnerabilities properly — the kind of evidence the new EU Cyber Resilience Act requires.
We check Anthropic's public list every day. When they're about to disclose something in nginx, jq, ImageMagick, mastodon, freerdp — anything you have running — it lands in your monsys dashboard with a clear next step: pin the current version and watch for the upstream release.
If you build software for the EU market, the new Cyber Resilience Act asks you to demonstrate that you handle reported vulnerabilities responsibly. Publish your own findings here, with cryptographic proof of the date you committed to them. Auditors verify it themselves — no Vanta-style closed dashboard required.
Every entry is part of a public, append-only log. An auditor — or a journalist, or a curious customer — can verify with one command that your commitment existed on the date you claim. No trust in monsys required.
Anthropic's security AI finds a vulnerability in an open-source project. They tell the maintainer privately and publish a sealed record publicly — project name, bug type, but no exploit details — so the world knows something is coming.
Every day we check Anthropic's list against the software running on your servers — OS packages, application libraries, container images. If you have nginx 1.24 installed and it just got flagged, you know about it.
An alert lands in your monsys dashboard with the project name, the bug type, and a link to the source. Pin your version, subscribe to the project's release feed, plan a maintenance window. When the public CVE drops, you move in hours instead of days.
These numbers come from today's check against our own infrastructure. They update every day as Anthropic reveals more entries — your own fleet would see different numbers depending on what you have installed.
vulnerabilities Anthropic is tracking
projects publicly named so far
matches on monsys.ai's own servers
Selling software in the EU after September 2027? The Cyber Resilience Act asks you to demonstrate that vulnerabilities reported to you get handled within a reasonable window. The usual answer — Vanta, Drata, OneTrust — is a closed dashboard you pay €2k/month for; your auditor sees a PDF. We give you something stronger: a public URL anyone can check, included in your monsys subscription.
Most tools in this space sell you a closed dashboard. We hand you a verifiable record anyone can read.
No. We download their public list once a day — the same way your browser would — and match it against your data inside our hub. Anthropic sees no traffic from your servers and no list of your packages.
It's included in monsys. €3 per server per month, first 5 servers free forever. No separate compliance subscription, no add-on fees, no per-finding charges.
No. The early-warning side is useful for anyone running Linux or Windows servers. The publish side is optional — there if you sell software and need CRA evidence, or simply want a tamper-evident record of your team's own pen-test findings.
If you're new to monsys: one install command, and the agent appears in your dashboard within a minute. The CVD feed runs in the background — your first matches typically appear within 24 hours.
Start with the free tier — 5 servers, no card required. Or just open our own live ledger to see what the public format looks like, exactly what your auditor would see.
Architecture, Trust Score formula, supply-chain pipeline, NIS2 / AI Act / CRA mapping. Free PDF after a short form.