# EPSS Vulnerability Prioritization Monitor (`orbiscribe/epss-vulnerability-prioritization-monitor`) Actor Score CVE watchlists with FIRST EPSS exploit probability, detect rising risk, and optionally enrich matches with NVD details. - **URL**: https://apify.com/orbiscribe/epss-vulnerability-prioritization-monitor.md - **Developed by:** [Orbiscribe Labs](https://apify.com/orbiscribe) (community) - **Categories:** Developer tools, Automation, Business - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing $3.00 / 1,000 epss vulnerability matches This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## EPSS Vulnerability Prioritization Monitor Turn a CVE list into a remediation queue using FIRST EPSS exploit probability. This Actor is for security teams, MSPs, vulnerability-management consultants, and platform teams that already have too many CVEs and need a simple feed of what is more likely to be exploited. It accepts CVE IDs from scanners, SBOMs, advisories, or tickets, pulls current EPSS probability and percentile scores, optionally enriches records with NVD details, and marks scores that are new, rising, falling, or unchanged across scheduled runs. ### What It Does - Scores supplied CVE IDs with the public FIRST EPSS API - Also emits CVEs above configurable EPSS and percentile thresholds - Flags `new_score`, `score_increase`, `score_decrease`, and `unchanged` - Adds NVD enrichment: CVSS, severity, description, CWE, CPE, and references - Produces dataset rows, a buyer brief, threshold-only export, and Slack-ready alert records - Works as a scheduled Apify monitor with webhooks to Slack, email, Sheets, or ticketing workflows ### Inputs ```json { "cveIds": ["CVE-2024-3094", "CVE-2023-34362", "CVE-2021-44228"], "minEpss": 0.7, "minPercentile": 0.97, "maxResults": 100, "includeBelowThresholdWatchlist": true, "enrichWithNvd": false, "compareToPreviousRun": true, "dryRun": false } ```` Leave `dryRun` enabled to preview deterministic demo output without API calls or custom event charges. ### Outputs Each dataset row includes: - CVE ID - EPSS probability and percentile - priority bucket - score change type and deltas - optional NVD severity, CVSS score, description, CWE, CPE, and references - source API URL and compliance notes Example: ```json { "recordType": "epss_vulnerability_priority_match", "cveId": "CVE-2024-3094", "changeType": "new_score", "priority": "critical", "epss": 0.84805, "percentile": 0.99352, "thresholdMatched": true, "nvdSeverity": "CRITICAL", "cvssScore": 10, "sourceUrl": "https://www.first.org/epss/data_stats#CVE-2024-3094" } ``` ### Why Use This Instead Of A Generic CVE Scraper Most CVE feeds tell you severity. That is not the same as exploit likelihood. EPSS adds a daily probability estimate that helps teams decide which vulnerabilities deserve attention first. This Actor is built around that workflow: score, threshold, compare to the last run, and emit structured events. ### Pricing Recommended Apify pricing is pay per event: - `epss-vulnerability-match`: `$0.003` per emitted vulnerability record - Dry runs are free - Free-plan users get the first 25 live records without this Actor's custom event charge ### Compliance Notes This Actor uses public FIRST EPSS and, when enabled, NVD APIs. NVD enrichment is off by default so broad threshold runs finish quickly. Without an NVD key, only the first 10 emitted records are enriched to respect public rate limits. EPSS is a prioritization signal, not a final remediation decision. Verify results against your asset inventory, vendor advisories, exposure, compensating controls, and internal policy. # Actor input Schema ## `cveIds` (type: `array`): Optional CVE watchlist to score, such as scanner output, SBOM findings, or advisory CVEs. ## `minEpss` (type: `number`): Also emit vulnerabilities whose EPSS exploit probability is at or above this value. ## `minPercentile` (type: `number`): Also emit vulnerabilities whose EPSS percentile is at or above this value. ## `maxResults` (type: `integer`): Maximum high-EPSS threshold rows to fetch from FIRST. ## `includeBelowThresholdWatchlist` (type: `boolean`): Emit supplied CVE IDs even when they do not meet the EPSS and percentile thresholds. ## `includeUnchanged` (type: `boolean`): Emit unchanged CVE score rows. Usually leave this off for scheduled alerting workflows. ## `enrichWithNvd` (type: `boolean`): Fetch CVSS, description, CWE, CPE, and references from the public NVD API. Leave off for fast threshold scans unless you provide an NVD API key or a small CVE list. ## `nvdApiKey` (type: `string`): Optional NVD API key for faster enrichment. Leave blank for no-key public API use. ## `compareToPreviousRun` (type: `boolean`): Store EPSS scores and mark new, rising, falling, or unchanged CVEs on later scheduled runs. ## `snapshotStoreName` (type: `string`): Key-value store name for previous EPSS scores. ## `dryRun` (type: `boolean`): Emit deterministic demo records without calling FIRST or charging custom pay-per-event events. ## Actor input object example ```json { "cveIds": [ "CVE-2024-3094", "CVE-2023-34362", "CVE-2021-44228" ], "minEpss": 0.7, "minPercentile": 0.97, "maxResults": 100, "includeBelowThresholdWatchlist": true, "includeUnchanged": false, "enrichWithNvd": false, "compareToPreviousRun": true, "snapshotStoreName": "epss-vulnerability-prioritization-monitor-snapshots", "dryRun": true } ``` # Actor output Schema ## `results` (type: `string`): No description ## `epssExport` (type: `string`): No description ## `thresholdMatches` (type: `string`): No description ## `buyerBrief` (type: `string`): No description ## `runSummary` (type: `string`): No description # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = {}; // Run the Actor and wait for it to finish const run = await client.actor("orbiscribe/epss-vulnerability-prioritization-monitor").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = {} # Run the Actor and wait for it to finish run = client.actor("orbiscribe/epss-vulnerability-prioritization-monitor").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{}' | apify call orbiscribe/epss-vulnerability-prioritization-monitor --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=orbiscribe/epss-vulnerability-prioritization-monitor", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "EPSS Vulnerability Prioritization Monitor", "description": "Score CVE watchlists with FIRST EPSS exploit probability, detect rising risk, and optionally enrich matches with NVD details.", "version": "0.1", "x-build-id": "FBYByBaWQ7FYRnNQK" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/orbiscribe~epss-vulnerability-prioritization-monitor/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-orbiscribe-epss-vulnerability-prioritization-monitor", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/orbiscribe~epss-vulnerability-prioritization-monitor/runs": { "post": { "operationId": "runs-sync-orbiscribe-epss-vulnerability-prioritization-monitor", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/orbiscribe~epss-vulnerability-prioritization-monitor/run-sync": { "post": { "operationId": "run-sync-orbiscribe-epss-vulnerability-prioritization-monitor", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": { "cveIds": { "title": "CVE IDs", "type": "array", "description": "Optional CVE watchlist to score, such as scanner output, SBOM findings, or advisory CVEs.", "default": [ "CVE-2024-3094", "CVE-2023-34362", "CVE-2021-44228" ] }, "minEpss": { "title": "Minimum EPSS", "minimum": 0, "maximum": 1, "type": "number", "description": "Also emit vulnerabilities whose EPSS exploit probability is at or above this value.", "default": 0.7 }, "minPercentile": { "title": "Minimum percentile", "minimum": 0, "maximum": 1, "type": "number", "description": "Also emit vulnerabilities whose EPSS percentile is at or above this value.", "default": 0.97 }, "maxResults": { "title": "Max threshold results", "minimum": 1, "maximum": 1000, "type": "integer", "description": "Maximum high-EPSS threshold rows to fetch from FIRST.", "default": 100 }, "includeBelowThresholdWatchlist": { "title": "Include watchlist below threshold", "type": "boolean", "description": "Emit supplied CVE IDs even when they do not meet the EPSS and percentile thresholds.", "default": true }, "includeUnchanged": { "title": "Include unchanged", "type": "boolean", "description": "Emit unchanged CVE score rows. Usually leave this off for scheduled alerting workflows.", "default": false }, "enrichWithNvd": { "title": "Enrich with NVD", "type": "boolean", "description": "Fetch CVSS, description, CWE, CPE, and references from the public NVD API. Leave off for fast threshold scans unless you provide an NVD API key or a small CVE list.", "default": false }, "nvdApiKey": { "title": "NVD API key", "type": "string", "description": "Optional NVD API key for faster enrichment. Leave blank for no-key public API use." }, "compareToPreviousRun": { "title": "Compare to previous run", "type": "boolean", "description": "Store EPSS scores and mark new, rising, falling, or unchanged CVEs on later scheduled runs.", "default": true }, "snapshotStoreName": { "title": "Snapshot store name", "type": "string", "description": "Key-value store name for previous EPSS scores.", "default": "epss-vulnerability-prioritization-monitor-snapshots" }, "dryRun": { "title": "Dry run", "type": "boolean", "description": "Emit deterministic demo records without calling FIRST or charging custom pay-per-event events.", "default": true } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```