CISA KEV Newly-Added Vulnerability Monitor
Pricing
from $10.00 / 1,000 kev returneds
CISA KEV Newly-Added Vulnerability Monitor
Change-detection over the CISA Known Exploited Vulnerabilities (KEV) catalog. Diffs the feed run-to-run to emit only newly-added CVEs the moment CISA publishes them, normalized (dateAdded, dueDate, ransomware flag, CWEs) with vendor/product/since filters. Keyless, CC0. Not endorsed by CISA/DHS.
Pricing
from $10.00 / 1,000 kev returneds
Rating
0.0
(0)
Developer
ByteHaven Studios
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
5 days ago
Last modified
Categories
Share
First-seen change-detection over the CISA Known Exploited Vulnerabilities (KEV) catalog.
The KEV catalog is the authoritative "actively exploited in the wild" list every patch and
vulnerability-management team tracks against BOD-mandated due dates. Farms dump the whole ~1,600-row
catalog as a static scrape; nobody sells the delta. This Actor downloads the full single-file
feed (known_exploited_vulnerabilities.json, ~1.5 MB), snapshots the seen cveID set in the
key-value store, and diffs it run-to-run to emit only newly-added CVEs the moment CISA publishes
them — normalized (dateAdded, dueDate, knownRansomwareCampaignUse, cwes[]) and filterable by
vendor/product or date-added-since. A full-file catalog becomes an operational "what's new to patch,
for my stack" alert stream.
Plain HTTPS download of one static JSON feed — no browser, no proxy, no login, no API key required. Data source: CISA KEV catalog, CC0 1.0 Universal (public-domain-equivalent).
This product uses data from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog. Use of this information does not authorize use of the CISA Logo or DHS Seal, nor should such use be interpreted as an endorsement by CISA or DHS.
Status: complete (v0.1, unpublished by design). The Actor is fully built —
.actor/(actor.json + input_schema.json + Dockerfile),package.json, the runtime layers (src/kev.js,src/diff.js,src/filters.js,src/main.js), the offline test suite (test/),COMPLIANCE.md, anddocs/PRICING.md. This Actor is built, never published — noapify push, no on-platform pricing (the intendedkev-returnedprice is documented indocs/PRICING.md, owner-gated). SeeCHANGELOG.mdfor the slice history.
What it will do
For each run it downloads the full KEV catalog, parses the JSON envelope
({title, catalogVersion, dateReleased, count, vulnerabilities[]}), normalizes every vulnerability
into one flat kev shape, loads the prior run's seen-cveID set from the Actor's key-value store,
and emits one dataset item per CVE not previously seen.
- The delta, not the blob (the moat): vuln-management teams must re-screen against the KEV catalog continuously, and the pain is spotting what's new to patch. This emits exactly the additions — first-seen CVEs — over a corpus everyone else republishes whole.
- Normalized + filterable: parsed fields (
dateAdded,dueDate,knownRansomwareCampaignUse,cwes[]); filter by vendor/project, product, ransomware-campaign use, or date-added-since. - Change monitor:
monitorNewOnlypersists the seen-cveIDset and, on the next scheduled run, emits only CVEs added since. A first run seeds the baseline (emits nothing). - No PII — the KEV catalog is a plain public vulnerability catalog keyed on
cveID; there is no personal data, so none of the snapshot/PII machinery of the LEIE monitor applies here.
Inputs
| Input | Type | Notes |
|---|---|---|
vendorProjects | string[] | Optional vendorProject exact-match (e.g. Microsoft). Empty = all |
products | string[] | Optional product substring (e.g. Windows). Empty = all |
addedSince | string | Lower bound on dateAdded for newly-added CVEs (YYYY-MM-DD). Empty = all |
knownRansomwareOnly | boolean | Emit only knownRansomwareCampaignUse = "Known". Default: all |
monitorNewOnly | boolean | Diff vs the stored seen-cveID set; emit only the delta. Default: on |
maxResults | integer | Cap total newly-added records returned (0 = no cap) |
proxyConfiguration | object | Optional; the feed is open and needs no proxy. Default: none |
Output — one record per newly-added CVE (intended shape)
{"cveID": "CVE-2026-12345","vendorProject": "Microsoft","product": "Windows","vulnerabilityName": "Microsoft Windows Privilege Escalation Vulnerability","dateAdded": "2026-07-07","shortDescription": "Microsoft Windows contains an unspecified vulnerability that allows for privilege escalation.","requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","dueDate": "2026-07-28","knownRansomwareCampaignUse": "Known","notes": "https://example.com/advisory","cwes": ["CWE-269"],"catalogVersion": "2026.07.07","attribution": "This product uses data from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog. Use of this information does not authorize use of the CISA Logo or DHS Seal, nor should such use be interpreted as an endorsement by CISA or DHS.","fetchedAt": "2026-07-10T14:00:00.000Z"}
cveID is the dedupe key (globally unique). Absent optional fields (notes, empty cwes) are null
/ [] as the source provides. Every record carries the courtesy attribution no-endorsement string.
Control records (not charged)
Three non-CVE records may be pushed to signal run state. None triggers a kev-returned charge:
| Record | When | Shape |
|---|---|---|
_baseline | First run (empty prior snapshot): the full seen-cveID set is snapshotted as the baseline and no change events are emitted | { "_baseline": true, "filters": {...}, "snapshotSize": N, "catalogVersion": "...", "message": "...", "fetchedAt": "..." } |
_noData | A subsequent run whose delta is empty (no new CVEs matched the filters) | { "_noData": true, "filters": {...}, "message": "...", "fetchedAt": "..." } |
_error | The download failed after retries, or the JSON envelope drifted / parse threw | { "_error": true, "filters": {...}, "message": "...", "fetchedAt": "..." } |
_baseline/_noData keep a zero-delta run green and auditable rather than pushing a silent empty
dataset. A first run (empty prior snapshot) seeds the baseline and reports _baseline — subsequent
runs report only true additions, or _noData when there were none.
Pricing (pay-per-event)
One kev-returned event will be charged per newly-added CVE record pushed to the dataset. Cost
scales with the size of the delta, not runtime or file size. Use vendorProjects / products /
knownRansomwareOnly / addedSince / maxResults to keep spend proportional to signal. The intended
price band and the reasoning behind the single-event model are in docs/PRICING.md —
documented-only; the live $/event value is owner-gated / DEFERRED and no on-platform pricing is
set in this build. (Live price shown on the Store page once published.)
Data source & attribution
The KEV catalog is distributed under Creative Commons CC0 1.0 Universal (public-domain-equivalent;
commercial reuse explicit). No key and no attribution are required; we carry the CISA/DHS
no-endorsement string on every record as a courtesy and a licence-condition reminder, and we do not
use the CISA Logo or DHS Seal. Full compliance record: COMPLIANCE.md.
Maintenance notes
- No query API — a full-file client-side diff. The KEV catalog has no "changes since date X"
endpoint. The whole ~1.5 MB feed is downloaded each run and diffed against the prior seen-
cveIDset in the KV store. The file is small, so the whole-file diff is cheap. - Stable dedupe key.
cveIDis globally unique — no composite-key gymnastics (unlike the LEIE monitor). New CVEs are simplycveIDs absent from the seen set. - Very stable envelope.
{title, catalogVersion, dateReleased, count, vulnerabilities[]}; the header is asserted each run and a drift throws (surfaced as an_errorcontrol record). Watch for occasional new per-entry fields (cwes[]was a later addition — tolerate unknown keys). - Add-cadence. The catalog updates on CISA's cadence (roughly weekly / on-add);
catalogVersionanddateReleasedmove together. The snapshot persists across runs and the diff tolerates a skipped run. The new snapshot is written only after a fully successful, untruncated pass so a partial download can never poison the baseline. dateAddedwatermark. In addition to the seen-set diff,addedSincefilters ondateAddedfor targeted runs;dueDateis relayed for BOD due-date tracking (informational, no parse dependency).- Courtesy
User-Agent— sent on every request (USER_AGENTconst).