CISA KEV Scraper - CVE Threat Intelligence Feed
Pricing
from $2.00 / 1,000 results
CISA KEV Scraper - CVE Threat Intelligence Feed
Extract CISA Known Exploited Vulnerabilities (KEV) catalog data. Filter by vendor, product, date range, and ransomware flag. Includes computed remediation due-date fields.
Pricing
from $2.00 / 1,000 results
Rating
0.0
(0)
Developer
Professional Edge
Actor stats
0
Bookmarked
2
Total users
1
Monthly active users
10 days ago
Last modified
Categories
Share
CISA Known Exploited Vulnerabilities (KEV) Scraper
Extract structured vulnerability data from the CISA Known Exploited Vulnerabilities (KEV) catalog — the authoritative list of CVEs actively exploited in the wild, maintained by the U.S. Cybersecurity and Infrastructure Security Agency. This Actor fetches the complete KEV catalog and provides powerful filtering, computed remediation fields, and clean JSON output ready for security automation pipelines.
The KEV catalog is the foundation of Binding Operational Directive (BOD) 22-01, which requires all U.S. federal agencies to remediate listed vulnerabilities by their due dates. Security teams worldwide use it as a prioritization signal — if a CVE is in the KEV, it is being actively exploited and should be patched immediately.
Key Features
- Complete KEV catalog extraction — All 1,500+ actively exploited vulnerabilities in a single request
- Vendor and product filtering — Case-insensitive partial match (e.g., "Microsoft", "Chrome", "Apache")
- Date range filtering — Filter by date added to catalog or remediation due date
- Ransomware flag — Isolate CVEs known to be used in ransomware campaigns
- Computed fields —
daysSinceAddedanddaysUntilDuecalculated at extraction time (negative = overdue) - No authentication required — Public CISA API, no keys or credentials needed
- Batch-optimized output — Clean JSON ready for SIEM ingestion, ticketing systems, or RAG pipelines
Output Data Fields
| Field | Type | Description |
|---|---|---|
cveID | string | CVE identifier (e.g., CVE-2024-12345) |
vendorProject | string | Vendor or project name (e.g., Microsoft, Apache) |
product | string | Affected product (e.g., Windows, Exchange Server) |
vulnerabilityName | string | Human-readable vulnerability name |
dateAdded | string | Date the CVE was added to the KEV catalog (YYYY-MM-DD) |
dueDate | string | Remediation due date per BOD 22-01 (YYYY-MM-DD) |
daysSinceAdded | integer | Days since the CVE was added (computed at run time) |
daysUntilDue | integer | Days until remediation deadline (negative = overdue) |
shortDescription | string | Brief description of the vulnerability |
requiredAction | string | CISA-recommended remediation action |
knownRansomwareCampaignUse | boolean | Whether the CVE is known to be used in ransomware |
notes | string | Additional notes (may contain URLs) |
catalogVersion | string | KEV catalog version at time of extraction |
catalogDateReleased | string | KEV catalog release date |
How to Scrape the CISA KEV Catalog
- Navigate to the CISA KEV Scraper Actor page on Apify Store.
- Click Start to open the input configuration form.
- (Optional) Enter a Vendor Filter to narrow results to a specific vendor (e.g., "Microsoft").
- (Optional) Enter a Product Filter to narrow results to a specific product (e.g., "Exchange").
- (Optional) Set Date Added After to only retrieve recently added CVEs (e.g., "2025-01-01").
- (Optional) Toggle Ransomware Only to isolate CVEs with known ransomware exploitation.
- Set Max Results to control the output size (default: 1000, set to 0 for unlimited).
- Click Start to run the Actor.
- Download results as JSON, CSV, or Excel from the Dataset tab.
Input Example
Output Example
Pricing
This Actor fetches data from a free public API in a single HTTP request. Compute costs are minimal.
- Cost per run: ~$0.001 (single API call, no browser required)
- Actor start event: Default platform rate
- Per-result pricing: $0.001/result
Typical run time is under 10 seconds regardless of filter settings.
Use Cases
- Vulnerability management automation — Feed KEV data into Jira, ServiceNow, or custom ticketing to auto-create remediation tickets for overdue CVEs
- SOC dashboards — Integrate with Splunk, Elastic, or Sentinel to flag KEV-listed CVEs in your environment
- Compliance monitoring — Track BOD 22-01 compliance by comparing your asset inventory against KEV due dates
- Threat intelligence enrichment — Enrich your CVE feeds with KEV status and ransomware exploitation flags
- Security research — Analyze trends in actively exploited vulnerabilities by vendor, product, or time period
- RAG pipeline ingestion — Clean structured output ready for LLM-based security analysis
FAQ
How often is the KEV catalog updated? CISA updates the catalog as new actively exploited vulnerabilities are confirmed. Updates can happen multiple times per week.
Do I need an API key? No. The KEV catalog is publicly available with no authentication required.
What does a negative daysUntilDue mean?
A negative value means the remediation deadline has passed. For example, -30 means the CVE was due for remediation 30 days ago.
Can I get only ransomware-related CVEs?
Yes. Set the ransomwareOnly input to true to filter exclusively for CVEs known to be exploited in ransomware campaigns.
Is this data suitable for compliance reporting? Yes. The KEV catalog is the official CISA source used for BOD 22-01 compliance. This Actor preserves all original fields and adds computed date fields.
Legal Disclaimer
This Actor extracts publicly available data from the CISA Known Exploited Vulnerabilities catalog, which is published as open government data. No authentication or terms-of-service bypass is involved. Users are responsible for ensuring their use of the extracted data complies with applicable laws and regulations. For support, contact the Actor developer through the Apify Store.
