# EPSS CVE Risk Enricher (`automation-lab/epss-cve-risk-enricher`) Actor Enrich CVE lists with FIRST.org EPSS scores, percentiles, risk buckets, and optional history for vulnerability prioritization. - **URL**: https://apify.com/automation-lab/epss-cve-risk-enricher.md - **Developed by:** [Stas Persiianenko](https://apify.com/automation-lab) (community) - **Categories:** Developer tools - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks - **User rating**: No ratings yet ## Pricing Pay per event This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Since this Actor supports Apify Store discounts, the price gets lower the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## EPSS CVE Risk Enricher Enrich CVE IDs with FIRST.org EPSS exploit probability scores, percentiles, risk buckets, and optional score history. Use this actor when you have vulnerability scanner exports, incident-response CVE lists, customer remediation backlogs, or scheduled patch-prioritization jobs that need exploit-likelihood context. ### What does EPSS CVE Risk Enricher do? EPSS CVE Risk Enricher takes a list of CVE identifiers and returns structured EPSS data from the public FIRST.org API. It helps you answer questions like: - Which vulnerabilities in my backlog are most likely to be exploited? - Which CVEs should be patched before the next maintenance window? - Which scanner findings deserve manual analyst review first? - Did a CVE's exploit probability change since my last scheduled run? ### Who is it for? Security operations teams use this actor to triage vulnerability queues. Managed security providers use it to enrich customer reports. Security consultants use it to prioritize findings in assessment deliverables. Product security teams use it to watch CVEs affecting their dependencies. GRC and compliance teams use it to add evidence to remediation tracking spreadsheets. ### Why use this actor? FIRST.org EPSS scores are useful, but raw API calls are awkward inside repeatable Apify workflows. This actor adds: - Clean dataset output - Input parsing for arrays and pasted text - Risk buckets for spreadsheet filters - Not-found and invalid rows for auditability - Optional time-series history - PPE charging designed for scheduled enrichment jobs ### Data source The actor uses the public FIRST.org EPSS API: `https://api.first.org/data/v1/epss` No login is required. No API key is required. No proxy is used by default. ### How it works 1. Paste or upload CVE IDs. 2. The actor normalizes and deduplicates IDs. 3. Invalid CVE IDs are emitted as `invalid` rows. 4. Valid CVE IDs are batched against FIRST.org EPSS. 5. Results are mapped into a structured Apify dataset. 6. Each row includes a status, risk bucket, source URL, and fetch timestamp. ### Output data | Field | Description | | --- | --- | | `cve` | CVE identifier. | | `epss` | EPSS exploit probability score from 0 to 1. | | `percentile` | EPSS percentile from 0 to 1. | | `date` | Score date returned by FIRST.org. | | `riskBucket` | `critical`, `high`, `medium`, `low`, or `unknown`. | | `status` | `found`, `not_found`, `invalid`, `error`, or `filtered_out`. | | `message` | Diagnostic text for non-standard rows. | | `history` | Optional time-series points when enabled. | | `historyDays` | Number of time-series points included. | | `sourceUrl` | FIRST.org API URL used for the request. | | `fetchedAt` | Timestamp when the row was fetched. | ### Example output ```json { "cve": "CVE-2023-34362", "epss": 0.99934, "percentile": 0.99968, "date": "2026-06-24", "riskBucket": "critical", "status": "found", "sourceUrl": "https://api.first.org/data/v1/epss?cve=CVE-2023-34362", "fetchedAt": "2026-06-25T00:00:00.000Z" } ```` ### Input options #### CVE IDs Use `cveIds` when you already have structured data. Example: ```json ["CVE-2023-34362", "CVE-2021-44228", "CVE-2024-3094"] ``` #### Paste CVE IDs Use `cveText` for quick copy-paste workflows. The actor accepts newline, comma, semicolon, or whitespace separated values. #### Date Set `date` to retrieve EPSS scores for a historical date in `YYYY-MM-DD` format. Leave it blank for the latest available FIRST.org score. #### Minimum EPSS Set `minEpss` to flag rows below a chosen probability threshold. Rows below the threshold are kept with `status: filtered_out` so your audit trail remains complete. #### Minimum percentile Set `minPercentile` to flag lower-ranked CVEs. This is useful when you want a small high-priority export. #### Include history Enable `includeHistory` to request FIRST.org time-series data. This can increase row size, so keep it off for basic spreadsheet enrichment. #### Maximum items Use `maxItems` to cap processing after parsing and deduplication. ### How much does it cost to enrich CVEs with EPSS scores? The actor uses pay-per-event pricing. You pay a small start charge per run plus a per-result charge for each output row. Because the actor is HTTP-only and does not use proxies by default, compute cost is low for typical vulnerability enrichment jobs. ### Recommended workflows #### Prioritize scanner exports Export CVE IDs from a scanner, paste them into `cveText`, and sort by `epss` or `percentile` in the dataset. #### Monitor recurring CVE backlogs Schedule the actor daily or weekly with the same CVE list. Compare `date`, `epss`, and `percentile` over time. #### Enrich customer reports MSPs can enrich each customer's open CVE list before delivering weekly remediation reports. #### Build alert thresholds Use `minEpss` or `minPercentile` to separate urgent rows from lower-priority backlog items. ### Risk bucket logic The actor adds a convenience `riskBucket` field: - `critical`: EPSS >= 0.8 or percentile >= 0.95 - `high`: EPSS >= 0.4 or percentile >= 0.85 - `medium`: EPSS >= 0.1 or percentile >= 0.6 - `low`: lower scored CVEs - `unknown`: no score available These buckets are not a replacement for your risk model. They are spreadsheet-friendly labels for triage. ### Integrations Use this actor with: - Apify schedules for recurring CVE monitoring - Webhooks for high-priority vulnerability notifications - Google Sheets exports for remediation trackers - SIEM/SOAR workflows that ingest JSON or CSV - BI dashboards that join on `cve` - Vulnerability scanner exports from tools that include CVE IDs ### API usage #### Node.js ```js import { ApifyClient } from 'apify-client'; const client = new ApifyClient({ token: process.env.APIFY_TOKEN }); const run = await client.actor('automation-lab/epss-cve-risk-enricher').call({ cveIds: ['CVE-2023-34362', 'CVE-2021-44228'], maxItems: 100 }); console.log(run.defaultDatasetId); ``` #### Python ```python from apify_client import ApifyClient client = ApifyClient('YOUR_APIFY_TOKEN') run = client.actor('automation-lab/epss-cve-risk-enricher').call(run_input={ 'cveIds': ['CVE-2023-34362', 'CVE-2021-44228'], 'maxItems': 100, }) print(run['defaultDatasetId']) ``` #### cURL ```bash curl -X POST 'https://api.apify.com/v2/acts/automation-lab~epss-cve-risk-enricher/runs?token=YOUR_APIFY_TOKEN' \ -H 'Content-Type: application/json' \ -d '{"cveIds":["CVE-2023-34362","CVE-2021-44228"],"maxItems":100}' ``` ### MCP usage Use this actor from Claude or other MCP-compatible clients through Apify MCP. MCP URL: `https://mcp.apify.com/?tools=automation-lab/epss-cve-risk-enricher` Claude Code setup: ```bash claude mcp add apify-epss-cve-risk-enricher "https://mcp.apify.com/?tools=automation-lab/epss-cve-risk-enricher" ``` Claude Desktop JSON configuration: ```json { "mcpServers": { "apify-epss-cve-risk-enricher": { "url": "https://mcp.apify.com/?tools=automation-lab/epss-cve-risk-enricher" } } } ``` Example prompts: - Enrich these CVEs with EPSS scores and rank them by exploit likelihood. - Check whether any CVE in this list has EPSS above 0.8. - Compare today's EPSS scores with the historical date in this input. ### Example run input ```json { "cveIds": ["CVE-2023-34362", "CVE-2021-44228", "CVE-2024-3094"], "includeHistory": false, "maxItems": 100 } ``` ### Tips for best results Normalize scanner exports to CVE IDs before running. Keep `includeHistory` disabled for simple CSV enrichment. Use `date` for reproducible reports. Keep invalid rows in your downstream checks; they often reveal scanner export formatting problems. Use `sourceUrl` and `fetchedAt` when you need evidence for audit or compliance reviews. ### Troubleshooting #### Why did a CVE return `not_found`? FIRST.org may not have an EPSS record for that CVE/date, or the CVE may be too new. Try running again with the latest date or verify the CVE identifier. #### Why is a row marked `filtered_out`? The CVE was found, but it did not meet your `minEpss` or `minPercentile` threshold. The row is preserved so scheduled jobs remain auditable. #### Why is history missing? History is only included when `includeHistory` is enabled and FIRST.org returns time-series data. ### Legality and data rights This actor uses a public API endpoint from FIRST.org. You are responsible for using the data in compliance with FIRST.org terms and your organization's policies. The actor does not bypass authentication, collect private data, or scrape logged-in pages. ### Related scrapers and actors Explore more automation-lab security and data enrichment actors on Apify: - https://apify.com/automation-lab - https://apify.com/automation-lab/website-contact-finder - https://apify.com/automation-lab/http-status-code-checker ### Changelog #### 0.1 Initial private build. ### Support If the actor fails for a valid CVE list, include your run ID and input when opening an Apify issue. ### FAQ #### Does this actor use proxies? No. The FIRST.org EPSS API is public and reachable over direct HTTP. #### Can I submit thousands of CVEs? Yes, within platform limits. Use `maxItems` to keep runs bounded. #### Can I join results back to a scanner export? Yes. Join on the `cve` field. #### Does EPSS replace CVSS? No. EPSS estimates exploit probability. CVSS estimates severity. Many teams use both. # Actor input Schema ## `cveIds` (type: `array`): List of CVE identifiers to enrich with EPSS scores. ## `cveText` (type: `string`): Optional newline, comma, semicolon, or whitespace separated CVE IDs. Values are merged with CVE IDs above and deduplicated. ## `date` (type: `string`): Optional score date in YYYY-MM-DD format. Leave empty for the latest available EPSS score. ## `minEpss` (type: `number`): Optional score filter from 0 to 1. Scored rows below this threshold are marked filtered\_out. ## `minPercentile` (type: `number`): Optional percentile filter from 0 to 1. Scored rows below this threshold are marked filtered\_out. ## `includeHistory` (type: `boolean`): When enabled, request FIRST.org time-series data for returned CVEs. This can make output rows larger. ## `maxItems` (type: `integer`): Maximum deduplicated CVE IDs to process in this run. ## Actor input object example ```json { "cveIds": [ "CVE-2023-34362", "CVE-2021-44228", "CVE-2024-3094" ], "cveText": "CVE-2023-34362\nCVE-2021-44228", "includeHistory": false, "maxItems": 10 } ``` # Actor output Schema ## `overview` (type: `string`): No description # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "cveIds": [ "CVE-2023-34362", "CVE-2021-44228", "CVE-2024-3094" ], "cveText": `CVE-2023-34362 CVE-2021-44228`, "includeHistory": false, "maxItems": 10 }; // Run the Actor and wait for it to finish const run = await client.actor("automation-lab/epss-cve-risk-enricher").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "cveIds": [ "CVE-2023-34362", "CVE-2021-44228", "CVE-2024-3094", ], "cveText": """CVE-2023-34362 CVE-2021-44228""", "includeHistory": False, "maxItems": 10, } # Run the Actor and wait for it to finish run = client.actor("automation-lab/epss-cve-risk-enricher").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "cveIds": [ "CVE-2023-34362", "CVE-2021-44228", "CVE-2024-3094" ], "cveText": "CVE-2023-34362\\nCVE-2021-44228", "includeHistory": false, "maxItems": 10 }' | apify call automation-lab/epss-cve-risk-enricher --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=automation-lab/epss-cve-risk-enricher", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "EPSS CVE Risk Enricher", "description": "Enrich CVE lists with FIRST.org EPSS scores, percentiles, risk buckets, and optional history for vulnerability prioritization.", "version": "0.1", "x-build-id": "q1KpFj0uto60gpZct" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/automation-lab~epss-cve-risk-enricher/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-automation-lab-epss-cve-risk-enricher", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/automation-lab~epss-cve-risk-enricher/runs": { "post": { "operationId": "runs-sync-automation-lab-epss-cve-risk-enricher", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/automation-lab~epss-cve-risk-enricher/run-sync": { "post": { "operationId": "run-sync-automation-lab-epss-cve-risk-enricher", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": { "cveIds": { "title": "CVE IDs", "type": "array", "description": "List of CVE identifiers to enrich with EPSS scores.", "items": { "type": "string", "pattern": "^CVE-\\d{4}-\\d{4,}$" } }, "cveText": { "title": "Paste CVE IDs", "type": "string", "description": "Optional newline, comma, semicolon, or whitespace separated CVE IDs. Values are merged with CVE IDs above and deduplicated." }, "date": { "title": "EPSS score date", "pattern": "^\\d{4}-\\d{2}-\\d{2}$", "type": "string", "description": "Optional score date in YYYY-MM-DD format. Leave empty for the latest available EPSS score." }, "minEpss": { "title": "Minimum EPSS score", "minimum": 0, "maximum": 1, "type": "number", "description": "Optional score filter from 0 to 1. Scored rows below this threshold are marked filtered_out." }, "minPercentile": { "title": "Minimum EPSS percentile", "minimum": 0, "maximum": 1, "type": "number", "description": "Optional percentile filter from 0 to 1. Scored rows below this threshold are marked filtered_out." }, "includeHistory": { "title": "Include time-series history", "type": "boolean", "description": "When enabled, request FIRST.org time-series data for returned CVEs. This can make output rows larger.", "default": false }, "maxItems": { "title": "Maximum CVEs to process", "minimum": 1, "maximum": 10000, "type": "integer", "description": "Maximum deduplicated CVE IDs to process in this run.", "default": 100 } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```