# NIST CVE Vulnerability Scanner - Free NVD API (`ntriqpro/nist-cve-vulnerability-scanner`) Actor

Free API for NIST National Vulnerability Database (NVD) CVE search. No subscription. Find vulnerabilities by keyword, severity, and CVSS scores. Government data, detailed CVE info, pay-per-use.

- **URL**: https://apify.com/ntriqpro/nist-cve-vulnerability-scanner.md
- **Developed by:** [daehwan kim](https://apify.com/ntriqpro) (community)
- **Categories:** AI, Developer tools
- **Stats:** 2 total users, 1 monthly user, 100.0% runs succeeded
- **User rating**: No ratings yet

## Pricing

$100.00 / 1,000 charged when a cyber threat intelligence scan is s

This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# macOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows (PowerShell)
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## Cyber Threat Intelligence - CVE & Vulnerability Scanner

Unified cyber threat analysis platform combining 4 free cybersecurity APIs into a single intelligence tool. Get vulnerability data, exploitation probabilities, known exploit status, and IP threat assessments - all enriched with a composite risk score that prioritizes real-world danger over theoretical severity.

**Replaces Recorded Future ($50K+/yr) for core vulnerability intelligence use cases.**

### What It Does

This actor aggregates data from the National Vulnerability Database (NVD), FIRST.org's Exploit Prediction Scoring System (EPSS), CISA's Known Exploited Vulnerabilities (KEV) catalog, and Shodan's InternetDB to provide actionable threat intelligence. Every vulnerability is scored using a composite risk methodology that weights actual exploitation probability higher than theoretical CVSS scores.

### 5 Analysis Modes

#### 1. Vulnerability Search (`vulnerability_search`)
Search the NVD by keyword and get results enriched with real-world exploitation data. Unlike raw NVD searches, results are sorted by composite risk score - so the vulnerabilities most likely to be exploited appear first, not just those with the highest CVSS score.

- **Default query:** `log4j`
- **Input:** `query` (keyword), `limit` (1-50)
- **Output:** Enriched CVE list sorted by risk score, risk distribution summary, KEV overlap count

#### 2. CVE Deep Analysis (`cve_deep_analysis`)
Single CVE deep dive combining all four data sources. Get the full picture: NVD technical details, EPSS exploitation probability with plain-English analysis, CISA KEV status including ransomware campaign association, and a complete list of affected products parsed from CPE data.

- **Default CVE:** `CVE-2021-44228` (Log4Shell)
- **Input:** `cveId` (e.g., CVE-2021-44228)
- **Output:** Full CVE details, exploitation analysis, KEV analysis, affected products, risk score

#### 3. Threat Landscape (`threat_landscape`)
See what attackers are actually exploiting right now. Fetches the top CVEs by EPSS exploitation probability and cross-references each with CISA KEV data and NVD details. Includes vendor breakdown to show which software vendors have the most actively exploited vulnerabilities.

- **Input:** `limit` (1-50)
- **Output:** Top exploited CVEs with full enrichment, vendor breakdown, risk distribution

#### 4. IP Threat Check (`ip_threat_check`)
Check any IP address against Shodan's InternetDB for open ports, known vulnerabilities, and CPE fingerprints. Discovered vulnerabilities are then enriched with NVD severity scores, EPSS exploitation probabilities, and CISA KEV status. High-risk ports (databases, remote access, admin panels) are flagged separately.

- **Default IP:** `8.8.8.8`
- **Input:** `ip` (IP address), `limit` (max vulns to enrich, 1-50)
- **Output:** Open ports, hostnames, CPEs, enriched vulnerabilities, threat level assessment

#### 5. Company Exposure (`company_exposure`)
Assess a vendor's or product's vulnerability exposure. Searches NVD for all CVEs matching a vendor/product name, enriches each with EPSS and KEV data, and builds a risk profile. Includes product-level breakdown showing which specific products carry the most risk, plus weakness pattern analysis.

- **Default vendor:** `microsoft`
- **Input:** `vendor` (vendor or product name), `limit` (1-50)
- **Output:** Risk profile, product breakdown, weakness patterns, exposure level, enriched CVE list

### Composite Risk Score (0-100)

Traditional vulnerability management relies heavily on CVSS scores, which measure theoretical severity but not real-world exploitation likelihood. A CVSS 10.0 vulnerability that nobody exploits is less urgent than a CVSS 7.5 vulnerability actively used in ransomware campaigns.

This actor calculates a **Composite Risk Score** for every CVE using four weighted factors:

| Factor | Weight | Source | Rationale |
|--------|--------|--------|-----------|
| CVSS Base Score | 30% | NVD | Technical severity (0-10, normalized to 0-30) |
| EPSS Probability | 40% | FIRST.org | Real-world exploitation likelihood (0-1, scaled to 0-40) |
| CISA KEV Listed | +20 | CISA | Confirmed active exploitation by federal mandate |
| Ransomware Use | +10 | CISA KEV | Known use in ransomware campaigns |

**Formula:** `(cvss/10 * 30) + (epss * 40) + (kev ? 20 : 0) + (ransomware ? 10 : 0)`

**Risk Levels:**
- **CRITICAL** (80-100): Immediate action required. Active exploitation confirmed.
- **HIGH** (60-79): Prioritize patching. High exploitation probability.
- **MEDIUM** (40-59): Plan remediation. Moderate risk.
- **LOW** (20-39): Standard patching cycle.
- **INFO** (0-19): Minimal immediate risk.

This approach ensures that vulnerabilities with confirmed exploitation (KEV-listed) and high exploitation probability (high EPSS) are prioritized over those that are merely theoretically severe.
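The formula and thresholds above, worked through in Python as an added example (not the Actor's own code). The flat record keys, the placeholder CVE IDs and the treatment of a missing CVSS or EPSS value as 0 are assumptions made for the illustration.

```python
from collections import Counter

# Risk level lower bounds as listed on this page.
LEVELS = [(80, "CRITICAL"), (60, "HIGH"), (40, "MEDIUM"), (20, "LOW"), (0, "INFO")]


def composite_risk(cvss=None, epss=None, kev=False, ransomware=False):
    """Apply the page's formula. Missing CVSS/EPSS count as 0 (assumption)."""
    cvss = min(max(float(cvss or 0.0), 0.0), 10.0)  # clamp to the 0-10 CVSS range
    epss = min(max(float(epss or 0.0), 0.0), 1.0)   # clamp to the 0-1 EPSS range
    score = (cvss / 10 * 30) + (epss * 40) + (20 if kev else 0) + (10 if ransomware else 0)
    return round(score, 1)


def risk_level(score):
    """Map a 0-100 score to the first level whose lower bound it reaches."""
    return next(label for floor, label in LEVELS if score >= floor)


def prioritize(records):
    """Score every record, sort highest risk first, and tally the levels."""
    scored = []
    for rec in records:
        score = composite_risk(rec.get("cvss"), rec.get("epss"),
                               rec.get("kev", False), rec.get("ransomware", False))
        scored.append({**rec, "riskScore": score, "riskLevel": risk_level(score)})
    scored.sort(key=lambda r: r["riskScore"], reverse=True)
    return scored, Counter(r["riskLevel"] for r in scored)


# Constructed sample data: placeholder IDs and made-up values, not real CVEs.
SAMPLE = [
    {"cveId": "CVE-0000-0001", "cvss": 10.0, "epss": 0.01},                 # severe, not exploited
    {"cveId": "CVE-0000-0002", "cvss": 7.5, "epss": 0.92,
     "kev": True, "ransomware": True},                                      # exploited, ransomware
    {"cveId": "CVE-0000-0003", "cvss": 9.8, "epss": 0.97},                  # likely exploited, no KEV
    {"cveId": "CVE-0000-0004", "cvss": None, "epss": 0.05},                 # no CVSS assigned yet
    {"cveId": "CVE-0000-0005", "cvss": 5.0, "epss": 0.30, "kev": True},     # moderate, KEV-listed
]

if __name__ == "__main__":
    ranked, distribution = prioritize(SAMPLE)
    for r in ranked:
        print(f'{r["cveId"]}  {r["riskScore"]:5.1f}  {r["riskLevel"]}')
    print(dict(distribution))
```

With these weights a CVE that is not KEV-listed tops out at 70 (HIGH) even at CVSS 10.0 and EPSS 1.0, so CRITICAL is reachable only for KEV-listed entries.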

### Data Sources

| Source | Coverage | Rate Limit | Cost |
|--------|----------|------------|------|
| [NVD](https://nvd.nist.gov/) | 250,000+ CVEs with CVSS scores | 5 req/30sec (no key) | Free |
| [EPSS](https://www.first.org/epss/) | Daily exploitation probability for all CVEs | Generous | Free |
| [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) | 1,500+ confirmed exploited vulnerabilities | Single fetch | Free |
| [Shodan InternetDB](https://internetdb.shodan.io/) | IP port/vuln/CPE data | Generous | Free, no key |

### Input Parameters

| Parameter | Type | Required | Default | Description |
|-----------|------|----------|---------|-------------|
| `mode` | string | Yes | `vulnerability_search` | Analysis mode to run |
| `query` | string | No | `log4j` | Search keyword (vulnerability_search) |
| `cveId` | string | No | `CVE-2021-44228` | CVE identifier (cve_deep_analysis) |
| `ip` | string | No | `8.8.8.8` | IP address (ip_threat_check) |
| `vendor` | string | No | `microsoft` | Vendor/product name (company_exposure) |
| `limit` | integer | No | `20` | Max results (1-50) |

### Example Use Cases

**Security Operations (SOC)**
- Monitor threat landscape daily for newly exploited vulnerabilities
- Check suspicious IPs from firewall logs for known threats
- Prioritize patch management using composite risk scores instead of CVSS alone

**Vulnerability Management**
- Assess vendor exposure before procurement decisions
- Generate risk reports for specific software stacks
- Track KEV catalog additions affecting your infrastructure

**Threat Intelligence**
- Deep-dive analysis of trending CVEs
- Cross-reference EPSS exploitation trends with CISA mandates
- Identify ransomware-associated vulnerabilities in your environment

**Compliance**
- Track CISA KEV remediation deadlines for federal compliance (BOD 22-01)
- Document risk-based prioritization methodology for auditors
- Generate evidence of vulnerability assessment activities

### Output Format

All modes return a JSON object with:
- `mode` - The analysis mode that was run
- `summary` - Human-readable summary of findings
- `timestamp` - ISO 8601 timestamp of the analysis
- Mode-specific fields (vulnerabilities, risk profiles, threat assessments)

Each vulnerability includes:
- `cveId`, `description`, `published`, `lastModified`
- `cvss` - Version, base score, severity, vector string
- `epss` - Exploitation probability score and percentile
- `cisaKev` - KEV listing status, ransomware use, remediation deadline
- `riskScore` - Composite score (0-100)
- `riskLevel` - CRITICAL/HIGH/MEDIUM/LOW/INFO
- `weaknesses` - CWE identifiers
- `references` - Advisory URLs and sources
- `affectedProducts` - CPE-parsed vendor/product/version data

### Rate Limits and Performance

- NVD requests are throttled to 1 per 7 seconds (within the 5 req/30sec free tier limit)
- CISA KEV catalog is fetched once and cached in memory for the entire run
- EPSS scores are batched (up to 30 CVEs per request) to minimize API calls
- Typical run time: 30 seconds (cve_deep_analysis) to 3 minutes (threat_landscape with limit=20)

### Pricing

$0.05 per successful scan (pay-per-event). Failed scans are not charged.

# Actor input Schema

## `mode` (type: `string`):

Select the type of cyber threat analysis to perform.

## `query` (type: `string`):

Keyword to search vulnerabilities for. Used in vulnerability_search mode (e.g., 'log4j', 'apache', 'remote code execution').

## `cveId` (type: `string`):

Specific CVE identifier for deep analysis. Used in cve_deep_analysis mode (e.g., 'CVE-2021-44228', 'CVE-2023-44487').

## `ip` (type: `string`):

IP address to check for threats. Used in ip_threat_check mode (e.g., '8.8.8.8', '1.1.1.1').

## `vendor` (type: `string`):

Vendor or product name for exposure analysis. Used in company_exposure mode (e.g., 'microsoft', 'apache', 'cisco').

## `limit` (type: `integer`):

Maximum number of results to return (1-50).

## Actor input object example

```json
{
  "mode": "vulnerability_search",
  "limit": 20
}
```
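A client-side check of the input object before a run is started, as an added example (not part of the Actor or the Apify client). The function names are hypothetical, and two rules go beyond the schema on this page and are choices of this example: the mode's own field must be supplied instead of falling back to the documented default, and only globally routable IP addresses are accepted so internal addresses are not sent to a third-party service.

```python
import ipaddress
import re

# mode -> (input field that mode reads, whether it takes `limit`), per this page
MODES = {
    "vulnerability_search": ("query", True),
    "cve_deep_analysis": ("cveId", False),
    "threat_landscape": (None, True),
    "ip_threat_check": ("ip", True),
    "company_exposure": ("vendor", True),
}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")  # CVE-YYYY-NNNN, four or more digits


def build_input(mode, value=None, limit=20):
    """Return a validated Actor input dict, or raise ValueError."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    field, takes_limit = MODES[mode]
    run_input = {"mode": mode}
    if takes_limit:
        # bool is a subclass of int, so reject it explicitly
        if isinstance(limit, bool) or not isinstance(limit, int) or not 1 <= limit <= 50:
            raise ValueError("limit must be an integer from 1 to 50")
        run_input["limit"] = limit
    if field is None:          # threat_landscape reads no keyword
        return run_input
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"{mode} needs a non-empty {field}")
    text = value.strip()
    if field == "cveId":
        text = text.upper()
        if not CVE_RE.fullmatch(text):
            raise ValueError(f"not a CVE identifier: {value!r}")
    elif field == "ip":
        addr = ipaddress.ip_address(text)   # raises ValueError on malformed input
        if not addr.is_global:
            raise ValueError(f"not a public address: {text}")
        text = str(addr)                    # canonical form
    run_input[field] = text
    return run_input


def is_valid(mode, value=None, limit=20):
    """True when build_input accepts the arguments."""
    try:
        build_input(mode, value, limit)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_input("cve_deep_analysis", " cve-2021-44228 "))
    print(build_input("ip_threat_check", "8.8.8.8", limit=5))
    print(is_valid("ip_threat_check", "10.0.0.5"))
```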

# Actor output Schema

## `results` (type: `string`):

No description

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input (`mode` is required by the input schema)
const input = {
    mode: 'vulnerability_search',
    limit: 20,
};

// Run the Actor and wait for it to finish
const run = await client.actor("ntriqpro/nist-cve-vulnerability-scanner").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input (`mode` is required by the input schema)
run_input = {
    "mode": "vulnerability_search",
    "limit": 20,
}

# Run the Actor and wait for it to finish
run = client.actor("ntriqpro/nist-cve-vulnerability-scanner").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
# `mode` is required by the input schema
echo '{"mode": "vulnerability_search", "limit": 20}' |
apify call ntriqpro/nist-cve-vulnerability-scanner --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=ntriqpro/nist-cve-vulnerability-scanner",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "NIST CVE Vulnerability Scanner - Free NVD API",
        "description": "Free API for NIST National Vulnerability Database (NVD) CVE search. No subscription. Find vulnerabilities by keyword, severity, and CVSS scores. Government data, detailed CVE info, pay-per-use.",
        "version": "1.0",
        "x-build-id": "ZMMg985HJ9ZJqu9Uv"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/ntriqpro~nist-cve-vulnerability-scanner/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-ntriqpro-nist-cve-vulnerability-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/ntriqpro~nist-cve-vulnerability-scanner/runs": {
            "post": {
                "operationId": "runs-sync-ntriqpro-nist-cve-vulnerability-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/ntriqpro~nist-cve-vulnerability-scanner/run-sync": {
            "post": {
                "operationId": "run-sync-ntriqpro-nist-cve-vulnerability-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "required": [
                    "mode"
                ],
                "properties": {
                    "mode": {
                        "title": "Analysis Mode",
                        "enum": [
                            "vulnerability_search",
                            "cve_deep_analysis",
                            "threat_landscape",
                            "ip_threat_check",
                            "company_exposure"
                        ],
                        "type": "string",
                        "description": "Select the type of cyber threat analysis to perform",
                        "default": "vulnerability_search"
                    },
                    "query": {
                        "title": "Search Query",
                        "type": "string",
                        "description": "Keyword to search vulnerabilities for. Used in vulnerability_search mode (e.g., 'log4j', 'apache', 'remote code execution')."
                    },
                    "cveId": {
                        "title": "CVE ID",
                        "type": "string",
                        "description": "Specific CVE identifier for deep analysis. Used in cve_deep_analysis mode (e.g., 'CVE-2021-44228', 'CVE-2023-44487')."
                    },
                    "ip": {
                        "title": "IP Address",
                        "type": "string",
                        "description": "IP address to check for threats. Used in ip_threat_check mode (e.g., '8.8.8.8', '1.1.1.1')."
                    },
                    "vendor": {
                        "title": "Vendor/Product Name",
                        "type": "string",
                        "description": "Vendor or product name for exposure analysis. Used in company_exposure mode (e.g., 'microsoft', 'apache', 'cisco')."
                    },
                    "limit": {
                        "title": "Result Limit",
                        "minimum": 1,
                        "maximum": 50,
                        "type": "integer",
                        "description": "Maximum number of results to return (1-50).",
                        "default": 20
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
