🔐 FIRST.org CSIRT Teams + EPSS Scraper

🚀 Export the global incident-response directory in seconds. Pull 854 CSIRT/SOC teams across 117 countries plus EPSS exploit-prediction scores for 334,000+ CVEs from the Forum of Incident Response and Security Teams.

🕒 Last updated: 2026-05-23 · 📊 26 fields per record · 🛰️ 854 CSIRT teams · 🌍 117 countries · 🐛 334k+ CVEs scored

The FIRST.org CSIRT Teams + EPSS Scraper exports the authoritative directory of computer security incident response teams (CSIRTs) maintained by FIRST.org, plus the EPSS (Exploit Prediction Scoring System) service that scores the likelihood of exploitation for every published CVE. It returns 26 fields per record, including team name, full name, membership type, team type, host organisation, country, contact channels, PGP keys, operating hours, and constituency description.

The directory covers 854 incident response teams across 117 countries, including national CERTs, sector-specific ISACs, vendor PSIRTs, financial-services CSIRTs, and academic teams. The EPSS mode returns daily-refreshed exploit-likelihood scores and percentiles for 334,000+ CVEs, the same model used by Fortune 500 security teams to prioritize patching.

🎯 Target Audience	💡 Primary Use Cases
Cybersecurity teams, threat intel analysts, incident responders, vulnerability managers, CISO offices, ISAC operators, security researchers	Incident coordination, CVE prioritization, threat-intel feeds, vendor PSIRT discovery, regional CERT outreach, vulnerability triage

---

📋 What the FIRST.org Scraper does

Two collection modes plus filters:

• 🛰️ CSIRT teams directory. 854 incident response teams worldwide with contact channels, PGP keys, operating hours, and constituency.
• 🐛 EPSS scores. Daily-updated exploit-prediction scores and percentiles for 334,000+ CVEs.
• 🌍 Country filter. Restrict the teams directory to one ISO-2 country code from a 117-country enum.
• 🔍 Team-name filter. Free-text substring filter on team name, full name, or host organisation (case-insensitive).
• 🆔 CVE filter. In EPSS mode, optionally narrow to one CVE ID for targeted lookups.

Each team record includes contact email, website, phone (with separate emergency number), full street address, time zone, operating hours, constituency description, PGP key ID and fingerprint, establishment date, and FIRST.org membership tenure.

💡 Why it matters: when an incident hits, knowing which CERT to contact in which country saves hours. When 1,000 new CVEs drop per week, EPSS tells you which ones attackers are actually exploiting. Both feeds are publicly available, but they live in different schemas at different endpoints. This Actor unifies them into one structured dataset.

---

🎬 Full Demo

🚧 Coming soon: a 3-minute walkthrough showing how to pull every European national CERT contact and load it into an incident-response runbook.

---

⚙️ Input

Input	Type	Default	Behavior
maxItems	integer	10	Records to return. Free plan caps at 10, paid plan at 1,000,000.
mode	string	"teams"	"teams" for CSIRT directory, "epss" for CVE scores.
country	string	""	ISO-2 country filter for teams mode (117 supported). Empty = all.
teamFilter	string	""	Substring filter on team name, full name, or host (case-insensitive).
cve	string	""	EPSS mode only. Optional CVE ID (e.g. CVE-2024-12345).

Example: every German CSIRT team with contact details.

{
    "maxItems": 50,
    "mode": "teams",
    "country": "DE"
}

Example: EPSS scores for one specific CVE.

{
    "maxItems": 1,
    "mode": "epss",
    "cve": "CVE-2024-3094"
}

⚠️ Good to Know: EPSS scores refresh daily. A score of 0.97 means the model estimates a 97% probability that this CVE will be exploited in the next 30 days. Percentile tells you where this CVE ranks against all scored CVEs. Combine both with CVSS for full risk context.

---

📊 Output

Each record contains 26 fields (team mode populates team fields, EPSS mode populates score fields; the other set is null). Download the dataset as CSV, Excel, JSON, or XML.

🧾 Schema

Field	Type	Example
🆔 id	string | null	"1234"
🛰️ team	string | null	"CERT-Bund"
📛 teamFull	string | null	"Computer Emergency Response Team for German federal agencies"
🎖️ membership	string | null	"Full Member"
🏷️ teamType	string | null	"National CSIRT"
🏢 host	string | null	"BSI - Federal Office for Information Security"
🌍 country	string | null	"DE"
📧 email	string | null	"certbund@bsi.bund.de"
🌐 website	string | null	"https://www.bsi.bund.de/CERT-Bund/"
📞 phone	string | null	"+49 228 99 9582 222"
🆘 phoneEmergency	string | null	"+49 228 99 9582 222"
📮 address	string | null	"Godesberger Allee 185-189, 53175 Bonn, Germany"
🕒 timezone	string | null	"Europe/Berlin"
⏰ operatingHours	string | null	"24x7"
👥 constituency	string | null	"German federal agencies"
📝 constituencyDescription	string | null	"All federal government agencies of Germany"
🔑 pgpId	string | null	"0x12345678"
🗝️ pgpFingerprint	string | null	"ABCD 1234 EFGH..."
📆 establishment	string | null	"1994-01-01"
🎟️ memberSince	string | null	"2000-06-15"
🕐 lastModified	ISO 8601 | null	"2024-08-12T10:23:00"
🐛 cve	string | null	"CVE-2024-3094"
📊 epssScore	number | null	0.97214
📈 epssPercentile	number | null	0.99987
📅 epssDate	string | null	"2026-05-22"
🏷️ mode	string	"teams"
🕒 scrapedAt	ISO 8601	"2026-05-23T00:00:00.000Z"

📦 Sample records

---

✨ Why choose this Actor

	Capability
🛰️	854 CSIRT teams. Every FIRST.org member team across 117 countries, with contact channels and PGP keys.
🐛	EPSS for 334k+ CVEs. Daily-refreshed exploit-prediction scores and percentiles.
🌍	Country filter. Restrict the directory to one of 117 ISO-2 codes.
🔍	Free-text search. Substring filter on team name, full name, or host.
📊	Full team metadata. Type, membership, constituency, operating hours, time zone, PGP, establishment date.
⚡	Fast. 100 teams in under 10 seconds.
🚫	No authentication. Public FIRST.org API. No login or token required.

📊 Incident response runs on phone numbers and email addresses. EPSS turns CVE noise into a triage queue. Both should be one structured pull away.

---

📈 How it compares to alternatives

Approach	Cost	Coverage	Refresh	Filters	Setup
⭐ FIRST.org CSIRT + EPSS Scraper (this Actor)	$5 free credit, then pay-per-use	854 teams, 334k+ CVEs	Live per run	mode, country, team, CVE	⚡ 2 min
FIRST.org website manual lookup	Free	Same	Live	Browser-only	🐢 One team at a time
Direct FIRST.org API code	Free	Same	Live	Custom code	🕒 Hours of code
Commercial threat-intel platforms	$500+/month	Broader	Live	Many	⏳ Onboarding required

Pick this Actor when you want the FIRST.org directory and EPSS as structured data, with country and team filters, without writing custom client code.

---

🚀 How to use

1. 📝 Sign up. Create a free account with $5 credit (takes 2 minutes).
2. 🌐 Open the Actor. Go to the FIRST.org CSIRT Teams + EPSS Scraper page on the Apify Store.
3. 🎯 Set input. Pick mode (teams or epss), optionally filter by country, team name, or CVE, and set maxItems.
4. 🚀 Run it. Click Start and let the Actor collect your data.
5. 📥 Download. Grab your results in the Dataset tab as CSV, Excel, JSON, or XML.

⏱️ Total time from signup to a downloaded dataset: 3-5 minutes. No coding required.

---

💼 Business use cases

🚨 Incident Response Teams Build a country-by-country CSIRT contact runbook 24x7 vs business-hours coverage maps PGP key directory for encrypted IR comms Vendor PSIRT lookup during product incidents	🐛 Vulnerability Management Daily EPSS refresh into your VM platform Patch-prioritization dashboards by EPSS score "Top 100 most-likely-exploited CVEs" reports Tie EPSS to your asset inventory
🛡️ Threat Intel & SOC Enrich IOCs with peer-CSIRT contacts Regional threat-intel sharing maps ISAC and sector-specific team discovery Pre-build mutual-aid agreements	🏛️ Policy & Governance National-CERT capability gap analysis Country-by-country cyber-readiness reports Sector coverage benchmarking Public-private partnership mapping

---

🔌 Automating FIRST.org Scraper

Control the scraper programmatically for scheduled runs and pipeline integrations:

• 🟢 Node.js. Install the apify-client NPM package.
• 🐍 Python. Use the apify-client PyPI package.
• 📚 See the Apify API documentation for full details.

The Apify Schedules feature lets you trigger this Actor on any cron interval. Daily EPSS refreshes and weekly CSIRT directory refreshes are both common patterns.

---

🌟 Beyond business use cases

Data like this powers more than commercial workflows. The same structured records support research, education, civic projects, and personal initiatives.

🎓 Research and academia Cybersecurity governance research CSIRT-network topology studies EPSS model-validation experiments Coursework on global incident response	🎨 Personal and creative Build a personal "CVE of the day" feed Side projects mapping cyber-defense capacity Hobbyist threat-intel dashboards CTF preparation with real CSIRT context
🤝 Non-profit and civic Cyber-capacity building in developing countries Press research on national-CERT response times Civil-society incident coordination Open-source community security teams	🧪 Experimentation Train CVE-prioritization ML models with EPSS history Build agent pipelines that route incidents to CSIRTs Prototype vulnerability-triage dashboards Test alert-fatigue reduction techniques

---

🤖 Ask an AI assistant about this scraper

Open a ready-to-send prompt about this ParseForge actor in the AI of your choice:

• 💬 ChatGPT
• 🧠 Claude
• 🔍 Perplexity
• 🅒 Copilot

---

❓ Frequently Asked Questions

🧩 How does it work?

Pick a mode (teams or EPSS), optionally narrow by country, team name, or CVE, and click Start. The Actor pages through the FIRST.org catalog and emits a clean structured record per team or CVE.

🛰️ How many CSIRT teams are listed?

854 incident response teams across 117 countries at the time of writing. The directory grows as new teams join FIRST.org.

🐛 What is EPSS?

EPSS (Exploit Prediction Scoring System) is FIRST.org's model that estimates the probability of a CVE being exploited in the next 30 days. It complements CVSS by adding real-world exploitation context. The Actor returns scores and percentiles for every published CVE.

🌍 Can I filter by country?

Yes. Set country to a two-letter ISO code (e.g. DE, US, JP, BR). The dropdown lists all 117 supported codes. Leave empty for the worldwide directory.

🔍 Can I search teams by name?

Yes. Set teamFilter to any substring of the team name, full name, or host organisation. The filter is case-insensitive.

⏰ Can I schedule regular runs?

Yes. Use Apify Schedules to run on any cron interval. Daily EPSS refreshes feed vulnerability-management dashboards. Weekly directory refreshes keep IR runbooks current.

⚖️ Is this data legal to use?

Yes. FIRST.org publishes the teams directory and EPSS scores for public use under terms that permit programmatic access.

💼 Can I use this commercially?

Yes. Incident-response platforms, vulnerability-management products, threat-intel services, and security consulting are all valid commercial use cases.

💳 Do I need a paid Apify plan?

No. The free Apify plan is enough for testing and small runs (10 records per run). A paid plan lifts the limit and gives you access to scheduling, higher concurrency, and larger datasets.

🔁 What happens if a run fails partway?

Apify retries transient errors automatically. The Actor pages through results deterministically, so a re-run picks up cleanly with the same input.

🆘 What if I need help?

Our support team is here to help. Contact us through the Apify platform or use the Tally form linked below.

---

🔌 Integrate with any app

FIRST.org CSIRT Teams + EPSS Scraper connects to any cloud service via Apify integrations:

• Make - Automate multi-step workflows
• Zapier - Connect with 5,000+ apps
• Slack - Get run notifications in your channels
• Airbyte - Pipe security data into your warehouse
• GitHub - Trigger runs from repo commits
• Google Drive - Export datasets straight to Sheets

You can also use webhooks to fire downstream actions when a run finishes. Push fresh EPSS scores into your SIEM, or alert your team in Slack when a new high-risk CVE crosses a threshold.

---

🔗 Recommended Actors

• 📨 IETF Datatracker Drafts Scraper - Internet standards lifecycle
• 📐 W3C Standards Catalog Scraper - Open Web specifications
• 📚 arXiv Scraper - Open-access research papers
• 📊 OEC Economic Complexity Trade Scraper - International trade flows
• 🌐 Nominatim OSM Scraper - Geocode addresses via OpenStreetMap

💡 Pro Tip: browse the complete ParseForge collection for more reference-data scrapers.

---

🆘 Need Help? Open our contact form to request a new scraper, propose a custom data project, or report an issue.

---

⚠️ Disclaimer: this Actor is an independent tool and is not affiliated with, endorsed by, or sponsored by FIRST.org or any of its member teams. All trademarks mentioned are the property of their respective owners. Only publicly available FIRST.org directory and EPSS data is collected.