Cyber Threat Intelligence - CVE & Vulnerability Scanner

Unified cyber threat analysis platform combining 4 free cybersecurity APIs into a single intelligence tool. Get vulnerability data, exploitation probabilities, known exploit status, and IP threat assessments - all enriched with a composite risk score that prioritizes real-world danger over theoretical severity.

Replaces Recorded Future ($50K+/yr) for core vulnerability intelligence use cases.

What It Does

This actor aggregates data from the National Vulnerability Database (NVD), FIRST.org's Exploit Prediction Scoring System (EPSS), CISA's Known Exploited Vulnerabilities (KEV) catalog, and Shodan's InternetDB to provide actionable threat intelligence. Every vulnerability is scored using a composite risk methodology that weights actual exploitation probability higher than theoretical CVSS scores.

5 Analysis Modes

1. Vulnerability Search (vulnerability_search)

Search the NVD by keyword and get results enriched with real-world exploitation data. Unlike raw NVD searches, results are sorted by composite risk score - so the vulnerabilities most likely to be exploited appear first, not just those with the highest CVSS score.

• Default query: log4j
• Input: query (keyword), limit (1-50)
• Output: Enriched CVE list sorted by risk score, risk distribution summary, KEV overlap count

2. CVE Deep Analysis (cve_deep_analysis)

Single CVE deep dive combining all four data sources. Get the full picture: NVD technical details, EPSS exploitation probability with plain-English analysis, CISA KEV status including ransomware campaign association, and a complete list of affected products parsed from CPE data.

• Default CVE: CVE-2021-44228 (Log4Shell)
• Input: cveId (e.g., CVE-2021-44228)
• Output: Full CVE details, exploitation analysis, KEV analysis, affected products, risk score

3. Threat Landscape (threat_landscape)

See what attackers are actually exploiting right now. Fetches the top CVEs by EPSS exploitation probability and cross-references each with CISA KEV data and NVD details. Includes vendor breakdown to show which software vendors have the most actively exploited vulnerabilities.

• Input: limit (1-50)
• Output: Top exploited CVEs with full enrichment, vendor breakdown, risk distribution

4. IP Threat Check (ip_threat_check)

Check any IP address against Shodan's InternetDB for open ports, known vulnerabilities, and CPE fingerprints. Discovered vulnerabilities are then enriched with NVD severity scores, EPSS exploitation probabilities, and CISA KEV status. High-risk ports (databases, remote access, admin panels) are flagged separately.

• Default IP: 8.8.8.8
• Input: ip (IP address), limit (max vulns to enrich, 1-50)
• Output: Open ports, hostnames, CPEs, enriched vulnerabilities, threat level assessment

5. Company Exposure (company_exposure)

Assess a vendor's or product's vulnerability exposure. Searches NVD for all CVEs matching a vendor/product name, enriches each with EPSS and KEV data, and builds a risk profile. Includes product-level breakdown showing which specific products carry the most risk, plus weakness pattern analysis.

• Default vendor: microsoft
• Input: vendor (vendor or product name), limit (1-50)
• Output: Risk profile, product breakdown, weakness patterns, exposure level, enriched CVE list

Composite Risk Score (0-100)

Traditional vulnerability management relies heavily on CVSS scores, which measure theoretical severity but not real-world exploitation likelihood. A CVSS 10.0 vulnerability that nobody exploits is less urgent than a CVSS 7.5 vulnerability actively used in ransomware campaigns.

This actor calculates a Composite Risk Score for every CVE using four weighted factors:

Factor	Weight	Source	Rationale
CVSS Base Score	30%	NVD	Technical severity (0-10, normalized to 0-30)
EPSS Probability	40%	FIRST.org	Real-world exploitation likelihood (0-1, scaled to 0-40)
CISA KEV Listed	+20	CISA	Confirmed active exploitation by federal mandate
Ransomware Use	+10	CISA KEV	Known use in ransomware campaigns

Formula: (cvss/10 * 30) + (epss * 40) + (kev ? 20 : 0) + (ransomware ? 10 : 0)

Risk Levels:

• CRITICAL (80-100): Immediate action required. Active exploitation confirmed.
• HIGH (60-79): Prioritize patching. High exploitation probability.
• MEDIUM (40-59): Plan remediation. Moderate risk.
• LOW (20-39): Standard patching cycle.
• INFO (0-19): Minimal immediate risk.

This approach ensures that vulnerabilities with confirmed exploitation (KEV-listed) and high exploitation probability (high EPSS) are prioritized over those that are merely theoretically severe.

Data Sources

Source	Coverage	Rate Limit	Cost
NVD	250,000+ CVEs with CVSS scores	5 req/30sec (no key)	Free
EPSS	Daily exploitation probability for all CVEs	Generous	Free
CISA KEV	1,500+ confirmed exploited vulnerabilities	Single fetch	Free
Shodan InternetDB	IP port/vuln/CPE data	Generous	Free, no key

Input Parameters

Parameter	Type	Required	Default	Description
mode	string	Yes	vulnerability_search	Analysis mode to run
query	string	No	log4j	Search keyword (vulnerability_search)
cveId	string	No	CVE-2021-44228	CVE identifier (cve_deep_analysis)
ip	string	No	8.8.8.8	IP address (ip_threat_check)
vendor	string	No	microsoft	Vendor/product name (company_exposure)
limit	integer	No	20	Max results (1-50)

Example Use Cases

Security Operations (SOC)

• Monitor threat landscape daily for newly exploited vulnerabilities
• Check suspicious IPs from firewall logs for known threats
• Prioritize patch management using composite risk scores instead of CVSS alone

Vulnerability Management

• Assess vendor exposure before procurement decisions
• Generate risk reports for specific software stacks
• Track KEV catalog additions affecting your infrastructure

Threat Intelligence

• Deep-dive analysis of trending CVEs
• Cross-reference EPSS exploitation trends with CISA mandates
• Identify ransomware-associated vulnerabilities in your environment

Compliance

• Track CISA KEV remediation deadlines for federal compliance (BOD 22-01)
• Document risk-based prioritization methodology for auditors
• Generate evidence of vulnerability assessment activities

Output Format

All modes return a JSON object with:

• mode - The analysis mode that was run
• summary - Human-readable summary of findings
• timestamp - ISO 8601 timestamp of the analysis
• Mode-specific fields (vulnerabilities, risk profiles, threat assessments)

Each vulnerability includes:

• cveId, description, published, lastModified
• cvss - Version, base score, severity, vector string
• epss - Exploitation probability score and percentile
• cisaKev - KEV listing status, ransomware use, remediation deadline
• riskScore - Composite score (0-100)
• riskLevel - CRITICAL/HIGH/MEDIUM/LOW/INFO
• weaknesses - CWE identifiers
• references - Advisory URLs and sources
• affectedProducts - CPE-parsed vendor/product/version data

Rate Limits and Performance

• NVD requests are throttled to 1 per 7 seconds (within the 5 req/30sec free tier limit)
• CISA KEV catalog is fetched once and cached in memory for the entire run
• EPSS scores are batched (up to 30 CVEs per request) to minimize API calls
• Typical run time: 30 seconds (cve_deep_analysis) to 3 minutes (threat_landscape with limit=20)

Pricing

$0.05 per successful scan (pay-per-event). Failed scans are not charged.