CISA KEV Newly-Added Vulnerability Monitor avatar

CISA KEV Newly-Added Vulnerability Monitor

Pricing

from $10.00 / 1,000 kev returneds

Go to Apify Store
CISA KEV Newly-Added Vulnerability Monitor

CISA KEV Newly-Added Vulnerability Monitor

Change-detection over the CISA Known Exploited Vulnerabilities (KEV) catalog. Diffs the feed run-to-run to emit only newly-added CVEs the moment CISA publishes them, normalized (dateAdded, dueDate, ransomware flag, CWEs) with vendor/product/since filters. Keyless, CC0. Not endorsed by CISA/DHS.

Pricing

from $10.00 / 1,000 kev returneds

Rating

0.0

(0)

Developer

ByteHaven Studios

ByteHaven Studios

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

5 days ago

Last modified

Share

First-seen change-detection over the CISA Known Exploited Vulnerabilities (KEV) catalog. The KEV catalog is the authoritative "actively exploited in the wild" list every patch and vulnerability-management team tracks against BOD-mandated due dates. Farms dump the whole ~1,600-row catalog as a static scrape; nobody sells the delta. This Actor downloads the full single-file feed (known_exploited_vulnerabilities.json, ~1.5 MB), snapshots the seen cveID set in the key-value store, and diffs it run-to-run to emit only newly-added CVEs the moment CISA publishes them — normalized (dateAdded, dueDate, knownRansomwareCampaignUse, cwes[]) and filterable by vendor/product or date-added-since. A full-file catalog becomes an operational "what's new to patch, for my stack" alert stream.

Plain HTTPS download of one static JSON feed — no browser, no proxy, no login, no API key required. Data source: CISA KEV catalog, CC0 1.0 Universal (public-domain-equivalent).

This product uses data from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog. Use of this information does not authorize use of the CISA Logo or DHS Seal, nor should such use be interpreted as an endorsement by CISA or DHS.

Status: complete (v0.1, unpublished by design). The Actor is fully built — .actor/ (actor.json + input_schema.json + Dockerfile), package.json, the runtime layers (src/kev.js, src/diff.js, src/filters.js, src/main.js), the offline test suite (test/), COMPLIANCE.md, and docs/PRICING.md. This Actor is built, never published — no apify push, no on-platform pricing (the intended kev-returned price is documented in docs/PRICING.md, owner-gated). See CHANGELOG.md for the slice history.


What it will do

For each run it downloads the full KEV catalog, parses the JSON envelope ({title, catalogVersion, dateReleased, count, vulnerabilities[]}), normalizes every vulnerability into one flat kev shape, loads the prior run's seen-cveID set from the Actor's key-value store, and emits one dataset item per CVE not previously seen.

  • The delta, not the blob (the moat): vuln-management teams must re-screen against the KEV catalog continuously, and the pain is spotting what's new to patch. This emits exactly the additions — first-seen CVEs — over a corpus everyone else republishes whole.
  • Normalized + filterable: parsed fields (dateAdded, dueDate, knownRansomwareCampaignUse, cwes[]); filter by vendor/project, product, ransomware-campaign use, or date-added-since.
  • Change monitor: monitorNewOnly persists the seen-cveID set and, on the next scheduled run, emits only CVEs added since. A first run seeds the baseline (emits nothing).
  • No PII — the KEV catalog is a plain public vulnerability catalog keyed on cveID; there is no personal data, so none of the snapshot/PII machinery of the LEIE monitor applies here.

Inputs

InputTypeNotes
vendorProjectsstring[]Optional vendorProject exact-match (e.g. Microsoft). Empty = all
productsstring[]Optional product substring (e.g. Windows). Empty = all
addedSincestringLower bound on dateAdded for newly-added CVEs (YYYY-MM-DD). Empty = all
knownRansomwareOnlybooleanEmit only knownRansomwareCampaignUse = "Known". Default: all
monitorNewOnlybooleanDiff vs the stored seen-cveID set; emit only the delta. Default: on
maxResultsintegerCap total newly-added records returned (0 = no cap)
proxyConfigurationobjectOptional; the feed is open and needs no proxy. Default: none

Output — one record per newly-added CVE (intended shape)

{
"cveID": "CVE-2026-12345",
"vendorProject": "Microsoft",
"product": "Windows",
"vulnerabilityName": "Microsoft Windows Privilege Escalation Vulnerability",
"dateAdded": "2026-07-07",
"shortDescription": "Microsoft Windows contains an unspecified vulnerability that allows for privilege escalation.",
"requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"dueDate": "2026-07-28",
"knownRansomwareCampaignUse": "Known",
"notes": "https://example.com/advisory",
"cwes": ["CWE-269"],
"catalogVersion": "2026.07.07",
"attribution": "This product uses data from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog. Use of this information does not authorize use of the CISA Logo or DHS Seal, nor should such use be interpreted as an endorsement by CISA or DHS.",
"fetchedAt": "2026-07-10T14:00:00.000Z"
}

cveID is the dedupe key (globally unique). Absent optional fields (notes, empty cwes) are null / [] as the source provides. Every record carries the courtesy attribution no-endorsement string.

Control records (not charged)

Three non-CVE records may be pushed to signal run state. None triggers a kev-returned charge:

RecordWhenShape
_baselineFirst run (empty prior snapshot): the full seen-cveID set is snapshotted as the baseline and no change events are emitted{ "_baseline": true, "filters": {...}, "snapshotSize": N, "catalogVersion": "...", "message": "...", "fetchedAt": "..." }
_noDataA subsequent run whose delta is empty (no new CVEs matched the filters){ "_noData": true, "filters": {...}, "message": "...", "fetchedAt": "..." }
_errorThe download failed after retries, or the JSON envelope drifted / parse threw{ "_error": true, "filters": {...}, "message": "...", "fetchedAt": "..." }

_baseline/_noData keep a zero-delta run green and auditable rather than pushing a silent empty dataset. A first run (empty prior snapshot) seeds the baseline and reports _baseline — subsequent runs report only true additions, or _noData when there were none.

Pricing (pay-per-event)

One kev-returned event will be charged per newly-added CVE record pushed to the dataset. Cost scales with the size of the delta, not runtime or file size. Use vendorProjects / products / knownRansomwareOnly / addedSince / maxResults to keep spend proportional to signal. The intended price band and the reasoning behind the single-event model are in docs/PRICING.mddocumented-only; the live $/event value is owner-gated / DEFERRED and no on-platform pricing is set in this build. (Live price shown on the Store page once published.)

Data source & attribution

The KEV catalog is distributed under Creative Commons CC0 1.0 Universal (public-domain-equivalent; commercial reuse explicit). No key and no attribution are required; we carry the CISA/DHS no-endorsement string on every record as a courtesy and a licence-condition reminder, and we do not use the CISA Logo or DHS Seal. Full compliance record: COMPLIANCE.md.

Maintenance notes

  • No query API — a full-file client-side diff. The KEV catalog has no "changes since date X" endpoint. The whole ~1.5 MB feed is downloaded each run and diffed against the prior seen-cveID set in the KV store. The file is small, so the whole-file diff is cheap.
  • Stable dedupe key. cveID is globally unique — no composite-key gymnastics (unlike the LEIE monitor). New CVEs are simply cveIDs absent from the seen set.
  • Very stable envelope. {title, catalogVersion, dateReleased, count, vulnerabilities[]}; the header is asserted each run and a drift throws (surfaced as an _error control record). Watch for occasional new per-entry fields (cwes[] was a later addition — tolerate unknown keys).
  • Add-cadence. The catalog updates on CISA's cadence (roughly weekly / on-add); catalogVersion and dateReleased move together. The snapshot persists across runs and the diff tolerates a skipped run. The new snapshot is written only after a fully successful, untruncated pass so a partial download can never poison the baseline.
  • dateAdded watermark. In addition to the seen-set diff, addedSince filters on dateAdded for targeted runs; dueDate is relayed for BOD due-date tracking (informational, no parse dependency).
  • Courtesy User-Agent — sent on every request (USER_AGENT const).