# CISA KEV Scraper - CVE Threat Intelligence Feed (`compute-edge/cisa-kev-scraper`) Actor Extract CISA Known Exploited Vulnerabilities (KEV) catalog data. Filter by vendor, product, date range, and ransomware flag. Includes computed remediation due-date fields. - **URL**: https://apify.com/compute-edge/cisa-kev-scraper.md - **Developed by:** [Compute Edge](https://apify.com/compute-edge) (community) - **Categories:** Lead generation, Automation - **Stats:** 2 total users, 0 monthly users, 100.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing from $2.00 / 1,000 results This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## CISA Known Exploited Vulnerabilities (KEV) Scraper Extract structured vulnerability data from the **CISA Known Exploited Vulnerabilities (KEV) catalog** — the authoritative list of CVEs actively exploited in the wild, maintained by the U.S. Cybersecurity and Infrastructure Security Agency. This Actor fetches the complete KEV catalog and provides powerful filtering, computed remediation fields, and clean JSON output ready for security automation pipelines. The KEV catalog is the foundation of **Binding Operational Directive (BOD) 22-01**, which requires all U.S. federal agencies to remediate listed vulnerabilities by their due dates. Security teams worldwide use it as a prioritization signal — if a CVE is in the KEV, it is being actively exploited and should be patched immediately. ### Key Features - **Complete KEV catalog extraction** — All 1,500+ actively exploited vulnerabilities in a single request - **Vendor and product filtering** — Case-insensitive partial match (e.g., "Microsoft", "Chrome", "Apache") - **Date range filtering** — Filter by date added to catalog or remediation due date - **Ransomware flag** — Isolate CVEs known to be used in ransomware campaigns - **Computed fields** — `daysSinceAdded` and `daysUntilDue` calculated at extraction time (negative = overdue) - **No authentication required** — Public CISA API, no keys or credentials needed - **Batch-optimized output** — Clean JSON ready for SIEM ingestion, ticketing systems, or RAG pipelines ### Output Data Fields | Field | Type | Description | |-------|------|-------------| | `cveID` | string | CVE identifier (e.g., CVE-2024-12345) | | `vendorProject` | string | Vendor or project name (e.g., Microsoft, Apache) | | `product` | string | Affected product (e.g., Windows, Exchange Server) | | `vulnerabilityName` | string | Human-readable vulnerability name | | `dateAdded` | string | Date the CVE was added to the KEV catalog (YYYY-MM-DD) | | `dueDate` | string | Remediation due date per BOD 22-01 (YYYY-MM-DD) | | `daysSinceAdded` | integer | Days since the CVE was added (computed at run time) | | `daysUntilDue` | integer | Days until remediation deadline (negative = overdue) | | `shortDescription` | string | Brief description of the vulnerability | | `requiredAction` | string | CISA-recommended remediation action | | `knownRansomwareCampaignUse` | boolean | Whether the CVE is known to be used in ransomware | | `notes` | string | Additional notes (may contain URLs) | | `catalogVersion` | string | KEV catalog version at time of extraction | | `catalogDateReleased` | string | KEV catalog release date | ### How to Scrape the CISA KEV Catalog 1. Navigate to the **CISA KEV Scraper** Actor page on Apify Store. 2. Click **Start** to open the input configuration form. 3. (Optional) Enter a **Vendor Filter** to narrow results to a specific vendor (e.g., "Microsoft"). 4. (Optional) Enter a **Product Filter** to narrow results to a specific product (e.g., "Exchange"). 5. (Optional) Set **Date Added After** to only retrieve recently added CVEs (e.g., "2025-01-01"). 6. (Optional) Toggle **Ransomware Only** to isolate CVEs with known ransomware exploitation. 7. Set **Max Results** to control the output size (default: 1000, set to 0 for unlimited). 8. Click **Start** to run the Actor. 9. Download results as JSON, CSV, or Excel from the **Dataset** tab. ### Input Example ```json { "vendorFilter": "Microsoft", "dateAddedAfter": "2025-01-01", "ransomwareOnly": false, "maxResults": 50 } ```` ### Output Example ```json { "cveID": "CVE-2025-21391", "vendorProject": "Microsoft", "product": "Windows", "vulnerabilityName": "Microsoft Windows Storage Link Following Vulnerability", "dateAdded": "2025-02-11", "dueDate": "2025-03-04", "daysSinceAdded": 33, "daysUntilDue": -12, "shortDescription": "Microsoft Windows Storage contains a link following vulnerability that could allow for privilege escalation.", "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "knownRansomwareCampaignUse": false, "notes": "", "catalogVersion": "2025.03.13", "catalogDateReleased": "2025-03-13" } ``` ### Pricing This Actor fetches data from a free public API in a single HTTP request. Compute costs are minimal. - **Cost per run**: ~$0.001 (single API call, no browser required) - **Actor start event**: Default platform rate - **Per-result pricing**: $0.001/result Typical run time is under 10 seconds regardless of filter settings. ### Use Cases - **Vulnerability management automation** — Feed KEV data into Jira, ServiceNow, or custom ticketing to auto-create remediation tickets for overdue CVEs - **SOC dashboards** — Integrate with Splunk, Elastic, or Sentinel to flag KEV-listed CVEs in your environment - **Compliance monitoring** — Track BOD 22-01 compliance by comparing your asset inventory against KEV due dates - **Threat intelligence enrichment** — Enrich your CVE feeds with KEV status and ransomware exploitation flags - **Security research** — Analyze trends in actively exploited vulnerabilities by vendor, product, or time period - **RAG pipeline ingestion** — Clean structured output ready for LLM-based security analysis ### FAQ #### Is it legal to scrape the CISA KEV catalog? Yes. This Actor accesses publicly available data from the CISA Known Exploited Vulnerabilities catalog, which is published as open government data. No authentication is required. The data is freely available for any use. #### How Much Does It Cost to Scrape CISA KEV Data? See the pricing table above. At $0.001 per result, fetching the full catalog of 1,500+ CVEs costs approximately $1.50 in Actor fees plus minimal Apify compute costs. #### Can I export CISA KEV data to Excel or CSV? Yes. Apify supports exporting results in JSON, CSV, Excel, XML, and other formats directly from the Dataset tab after a run completes. #### How often is the CISA KEV catalog updated? CISA updates the catalog as new actively exploited vulnerabilities are confirmed. Updates can happen multiple times per week. You can schedule this Actor to run daily to stay current. #### What does a negative daysUntilDue mean? A negative value means the remediation deadline has passed. For example, -30 means the CVE was due for remediation 30 days ago. ### Other Scrapers by SeatSignal - [NIST NVD Scraper](https://apify.com/seatsignal/nist-nvd-scraper) — Extract CVE vulnerability data from the NIST National Vulnerability Database - [CPSC Product Recalls Scraper](https://apify.com/seatsignal/cpsc-product-recalls-scraper) — Extract consumer product recall data - [NHTSA Vehicle Safety Scraper](https://apify.com/seatsignal/nhtsa-vehicle-safety-scraper) — Extract vehicle recalls and safety investigations - [OSHA Inspections Scraper](https://apify.com/seatsignal/osha-inspections-scraper) — Extract OSHA workplace safety inspection data - [FDA OpenFDA Scraper](https://apify.com/seatsignal/fda-openfda-scraper) — Extract FDA drug and device safety data ### Legal Disclaimer This Actor extracts publicly available data from the CISA Known Exploited Vulnerabilities catalog, which is published as open government data. No authentication or terms-of-service bypass is involved. Users are responsible for ensuring their use of the extracted data complies with applicable laws and regulations. For support, contact the Actor developer through the Apify Store. # Actor input Schema ## `vendorFilter` (type: `string`): Filter by vendor/project name (case-insensitive partial match). Examples: 'Microsoft', 'Apache', 'Google', 'Cisco'. ## `productFilter` (type: `string`): Filter by product name (case-insensitive partial match). Examples: 'Windows', 'Chrome', 'Exchange', 'iOS'. ## `dateAddedAfter` (type: `string`): Only include CVEs added to the KEV catalog after this date (YYYY-MM-DD format). Example: '2025-01-01'. ## `dateAddedBefore` (type: `string`): Only include CVEs added to the KEV catalog before this date (YYYY-MM-DD format). ## `dueDateAfter` (type: `string`): Only include CVEs with remediation due date after this date (YYYY-MM-DD format). ## `dueDateBefore` (type: `string`): Only include CVEs with remediation due date before this date (YYYY-MM-DD format). ## `ransomwareOnly` (type: `boolean`): If enabled, only include CVEs that are known to be used in ransomware campaigns. ## `maxResults` (type: `integer`): Maximum number of vulnerability records to return. Set to 0 for unlimited. ## Actor input object example ```json { "vendorFilter": "", "productFilter": "", "dateAddedAfter": "", "dateAddedBefore": "", "dueDateAfter": "", "dueDateBefore": "", "ransomwareOnly": false, "maxResults": 1000 } ``` # Actor output Schema ## `dataset` (type: `string`): No description # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = {}; // Run the Actor and wait for it to finish const run = await client.actor("compute-edge/cisa-kev-scraper").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = {} # Run the Actor and wait for it to finish run = client.actor("compute-edge/cisa-kev-scraper").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{}' | apify call compute-edge/cisa-kev-scraper --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=compute-edge/cisa-kev-scraper", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "CISA KEV Scraper - CVE Threat Intelligence Feed", "description": "Extract CISA Known Exploited Vulnerabilities (KEV) catalog data. Filter by vendor, product, date range, and ransomware flag. Includes computed remediation due-date fields.", "version": "0.1", "x-build-id": "a41GK9WdPeqGQcs4o" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/compute-edge~cisa-kev-scraper/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-compute-edge-cisa-kev-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/compute-edge~cisa-kev-scraper/runs": { "post": { "operationId": "runs-sync-compute-edge-cisa-kev-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/compute-edge~cisa-kev-scraper/run-sync": { "post": { "operationId": "run-sync-compute-edge-cisa-kev-scraper", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": { "vendorFilter": { "title": "Vendor Filter", "type": "string", "description": "Filter by vendor/project name (case-insensitive partial match). Examples: 'Microsoft', 'Apache', 'Google', 'Cisco'.", "default": "" }, "productFilter": { "title": "Product Filter", "type": "string", "description": "Filter by product name (case-insensitive partial match). Examples: 'Windows', 'Chrome', 'Exchange', 'iOS'.", "default": "" }, "dateAddedAfter": { "title": "Date Added After", "type": "string", "description": "Only include CVEs added to the KEV catalog after this date (YYYY-MM-DD format). Example: '2025-01-01'.", "default": "" }, "dateAddedBefore": { "title": "Date Added Before", "type": "string", "description": "Only include CVEs added to the KEV catalog before this date (YYYY-MM-DD format).", "default": "" }, "dueDateAfter": { "title": "Due Date After", "type": "string", "description": "Only include CVEs with remediation due date after this date (YYYY-MM-DD format).", "default": "" }, "dueDateBefore": { "title": "Due Date Before", "type": "string", "description": "Only include CVEs with remediation due date before this date (YYYY-MM-DD format).", "default": "" }, "ransomwareOnly": { "title": "Ransomware Only", "type": "boolean", "description": "If enabled, only include CVEs that are known to be used in ransomware campaigns.", "default": false }, "maxResults": { "title": "Max Results", "minimum": 0, "maximum": 50000, "type": "integer", "description": "Maximum number of vulnerability records to return. Set to 0 for unlimited.", "default": 1000 } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```