About the Project: FAVR
Inspiration
Security is often the "forgotten middle child" in the era of automated software development. As we move toward a world of vibe coding—where AI agents generate massive volumes of code at breakneck speed—the surface area for vulnerabilities has exploded. We realized that while development has been automated, the security response remains largely manual and reactive. FAVR was born from the need to close this gap by applying rigorous mathematical modeling to the chaos of modern codebases.
What it does
FAVR (Flexible Attack Vector Risk) is a desktop application designed to provide a "mathematically optimal patching plan in 30 seconds". It allows a user to point the tool at a local directory, where it auto-discovers services and maps dependencies across multiple languages like Node.js, Python, and Go.
Instead of simply listing vulnerabilities, FAVR runs a full analysis pipeline:
- Vulnerability Discovery: Queries real-time databases like OSV.dev for known CVEs.
- EPSS Enrichment: Fetches Exploit Prediction Scoring System data from FIRST.org to determine the actual likelihood of an exploit being weaponized.
- Risk Propagation: Uses Bayesian modeling to track how a vulnerability in a deep dependency (like a logger) can propagate risk up to a customer-facing service.
- Simulation & Optimization: Runs Monte Carlo simulations and Pareto optimization to tell you exactly which five patches will reduce your system's risk the fastest.
How we built it
We built FAVR using a high-performance desktop stack centered on Electron, React, and TypeScript. The backend logic is powered by a custom-built 7-phase analysis engine that handles everything from codebase parsing to statistical simulation.
For the math, we implemented Bayesian risk propagation to quantify how risk flows through the system. We define the total system risk $R_{sys}$ as:
$$R_{sys} = \sum_{i=1}^{n} (P(E_i | C) \cdot I_i)$$
Where $P(E_i | C)$ is the probability of exploitation of vulnerability $i$ given the system configuration $C$, and $I_i$ is the propagated impact score. The UI uses D3.js for force-directed dependency graphs and Tailwind CSS for a clean, "mission control" dashboard aesthetic.
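The formula above in runnable form, as an added illustration that is not FAVR's own code: exploit probabilities from EPSS are propagated up a constructed dependency graph with a noisy-OR rule (assuming independent exploitation), $R_{sys}$ is summed over the impact-bearing services, and a greedy loop ranks patches by how much each one lowers $R_{sys}$. All package names, EPSS values and impact scores are constructed sample data.

```typescript
// Added example (not FAVR's engine). Assumes independent exploitation per node.
type Vuln = { id: string; pkg: string; epss: number }; // epss = P(exploit) for that vuln
type Graph = { deps: Record<string, string[]>; impact: Record<string, number> };

// P(node compromised) = 1 - prod(1 - p) over its own vulns and its direct deps (noisy-OR).
function compromiseProb(node: string, g: Graph, vulns: Vuln[], memo = new Map<string, number>()): number {
  const cached = memo.get(node);
  if (cached !== undefined) return cached;
  let safe = 1;
  for (const v of vulns) if (v.pkg === node) safe *= 1 - v.epss;
  for (const d of g.deps[node] ?? []) safe *= 1 - compromiseProb(d, g, vulns, memo);
  const p = 1 - safe;
  memo.set(node, p);
  return p;
}

// R_sys = sum over customer-facing nodes of P(E_i | C) * I_i
function systemRisk(g: Graph, vulns: Vuln[]): number {
  const memo = new Map<string, number>();
  let r = 0;
  for (const [node, impact] of Object.entries(g.impact)) r += compromiseProb(node, g, vulns, memo) * impact;
  return r;
}

// Greedy plan: at each step patch the vuln whose removal lowers R_sys the most.
function patchPlan(g: Graph, vulns: Vuln[], k: number): string[] {
  const plan: string[] = [];
  let remaining = [...vulns];
  for (let step = 0; step < k && remaining.length > 0; step++) {
    let best = remaining[0], bestRisk = Infinity;
    for (const v of remaining) {
      const risk = systemRisk(g, remaining.filter(x => x !== v));
      if (risk < bestRisk) { bestRisk = risk; best = v; }
    }
    plan.push(best.id);
    remaining = remaining.filter(x => x !== best);
  }
  return plan;
}

// Constructed sample: two services share a logger through a web library; admin also uses a CLI lib.
const graph: Graph = {
  deps: { checkout: ["weblib"], admin: ["weblib", "cli"], weblib: ["logger"], cli: [], logger: [] },
  impact: { checkout: 100, admin: 40 },
};
const vulns: Vuln[] = [
  { id: "V-LOG", pkg: "logger", epss: 0.3 }, // deep dependency, low EPSS, high reach
  { id: "V-CLI", pkg: "cli", epss: 0.5 },    // higher EPSS, but only reaches admin
  { id: "V-ADM", pkg: "admin", epss: 0.1 },  // directly on the service
];
```

With this data the logger issue is patched first even though its EPSS is the lowest of the three, because it reaches the highest-impact service; that is the "single root issue" effect the propagation model is meant to surface.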
Challenges we ran into
The most significant hurdle was translating abstract statistical simulations into actionable business intelligence. Researching Monte Carlo simulations was technically demanding; we had to determine how to run enough iterations to achieve convergence without slowing down the "30-second scan" promise.
Furthermore, bridging the gap between "this code is vulnerable" and "this vulnerability costs the business money" required deep research into real-world cybersecurity applications. We had to account for Pareto optimization—balancing the cost of developer time and potential service downtime against the security ROI of a specific patch.
Accomplishments that we're proud of
We are particularly proud of the Organization Dashboard and the overall UI/UX. Visualizing a complex, nested dependency graph in a way that is intuitive for a developer was a major win. The interactive D3 visualizations allow users to see a "heatmap" of risk, making the abstract math behind Bayesian propagation visible and tangible.
What we learned
Building FAVR taught us the power of variable-fidelity simulations. We learned to optimize our Monte Carlo engine by dynamically altering the number of simulations $N_{sim}$ based on the size and complexity of the codebase. For a small project, $N = 1,000$ might suffice, but for enterprise-scale monorepos, we scale the iterations to maintain statistical significance.
We also gained a deep understanding of risk propagation logic. Identifying a single "root" issue that, when fixed, resolves multiple dependent vulnerabilities across the codebase changed our perspective on how to tackle technical debt.
What's next for FAVR
The immediate roadmap focuses on evolving FAVR from a hackathon project into a production-ready tool for developers and security engineers:
- Team Collaboration: Introducing shared dashboards and organization-wide risk tracking.
- CI/CD Integration: Building "FAVR-gate" into GitHub Actions to prevent high-risk code from ever being merged.
- Pro Features: Implementing the BLD layer for AI-driven "self-healing" patches, where the system not only identifies the risk but writes the fix.
Built With
- d3.js
- electron
- gemini
- osv.dev
- tailwind-css
- typescript
- vite